Recreate a Deleted User in AD and Sync to Office365

Scenario

You have Directory Synchronization configured in your domain and on occasion you need to delete a synced user in AD then recreate the account.

Here are the steps required for the recreated AD account to synchronize successfully to Office 365.


Step 1

Delete the user account from AD and perform a sync so that the user is also removed from O365. The cloud account will move to the Deleted Users area in O365.


Step 2

In Office 365, restore the user from the “Deleted Users” area. After it has been restored, the user will show up as “in cloud” rather than “synced with Active Directory”.


Step 3

Recreate the account in AD. Ensure that you have filled in the Email field and the proxy address for the primary mail account (via the user object's properties and the Attribute Editor tab).


Now for the nifty part: hard matching using the AD user's ObjectGUID.


Step 4

Open the AD user object's properties and the Attribute Editor tab. Find the distinguishedName attribute, copy its value, and export the object with ldifde:

ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\User.txt


Step 5

Open the text file you created in Step 4 and copy the user's ObjectGUID, e.g. 5WyOPyLejk2wiSyVaLQSGw==


Step 6

Open PowerShell and set the cloud user's ImmutableID to the AD user's ObjectGUID that you copied in Step 5:

Set-MsolUser -UserPrincipalName someone@someplace.com -ImmutableId "5WyOPyLejk2wiSyVaLQSGw=="


Step 7

In PowerShell, check that the new ImmutableID has been applied:

Get-MsolUser -UserPrincipalName someone@someplace.com | FT Name,ImmutableID


Step 8

Run a synchronization and confirm that it succeeds. The cloud user will again show as “synced with Active Directory”.
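Steps 4 to 7 collected into one PowerShell script, added here as an example and not part of the original post: it derives the ImmutableID from the AD ObjectGUID directly (the same Base64 value ldifde writes to the objectGUID line), applies it, and verifies it by decoding the stored value back into a GUID. It assumes the ActiveDirectory and MSOnline modules and an existing Connect-MsolService session; the DN and UPN are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# MSOnline modules and an already-connected Connect-MsolService session.
# The DN and UPN below are placeholders taken from the post's examples.
param(
    [string]$DistinguishedName = "CN=Someone,OU=Users,DC=someplace,DC=com",
    [string]$UserPrincipalName = "someone@someplace.com"
)

Import-Module ActiveDirectory

# Step 4: read the GUID of the recreated on-prem account.
$adUser = Get-ADUser -Identity $DistinguishedName -Properties ObjectGUID

# Step 5: the ImmutableID is the Base64 encoding of the GUID's 16 raw bytes,
# which is exactly what the objectGUID:: line in the ldifde export contains.
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Write-Host "AD ObjectGUID : $($adUser.ObjectGUID)"
Write-Host "ImmutableID   : $immutableId"

# Look at what the cloud object currently holds before changing anything.
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($cloudUser.ImmutableId -eq $immutableId) {
    Write-Host "ImmutableID already matches the AD object; nothing to do."
    return
}
if ($cloudUser.ImmutableId) {
    Write-Host "Cloud object is currently anchored to $($cloudUser.ImmutableId); replacing it."
}

# Step 6: apply the hard match.
Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $immutableId

# Step 7: verify by decoding the stored value back into a GUID and comparing
# it with the AD object, rather than eyeballing the Base64 string.
$stored     = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
$storedGuid = [Guid]::new([Convert]::FromBase64String($stored))
if ($storedGuid -ne $adUser.ObjectGUID) {
    throw "ImmutableID on $UserPrincipalName decodes to $storedGuid, expected $($adUser.ObjectGUID)"
}
Write-Host "Hard match confirmed for $UserPrincipalName. Run a sync (Step 8) to finish."
```

If the cloud object already carries a different ImmutableID, the script reports it before overwriting, which is the value you would need if the match turns out to be against the wrong account.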

21 responses to “Recreate a Deleted User in AD and Sync to Office365”

  1. Stephanie,

    After searching for hours on Microsoft library documentation and trying different methods, I couldn’t find a solution. Thankfully, I found your documentation, very well explained, which actually helped me to fix my problem.

    Thank you.

  2. If you get the error below like I did:

    Set-MsolUser : You must provide a required property: Parameter name:
    FederatedUser.SourceAnchor

    To solve the issue:

    1. Connect PowerShell to Office 365.

    2. Change the user’s suffix to the default onmicrosoft.com by using the example below:

    Set-MsolUserPrincipalName -UserPrincipalName address@domain.com -NewUserPrincipalName address@domain.mail.onmicrosoft.com

    3. You can then use Set-MsolUser to modify the ImmutableId.

    4. After the changes are done, change the user’s suffix back to the custom domain by using the example below:

    Set-MsolUserPrincipalName -UserPrincipalName address@domain.mail.onmicrosoft.com -NewUserPrincipalName address@domain.com

    Cheers

  3. Hi

    Thanks for the post. Here is a question for you:

    Will this work if you recreate the account on a different domain other than the original where it was created?

    Thanks

  4. Hi,
    So my environment is like:
    1. Create master account in AD
    2. Create mailbox and linked it to master account
    3. Migrate it

    So when I delete the resource account, the master account remains there. I tried this suggestion; the user is showing as synced with AD in the cloud, but on-prem, after re-creating that mailbox, it is still showing as LINKED. Any idea how to handle it in such an environment?

  5. This worked perfectly, thank you!

    We have a 6-year-old tenant and recently went from cloud-only to adding an on-prem server with AD. There were a few accounts which simply refused to sync, even though the proxy addresses and UPN were good.

    With this little push, AAD linked both together.
