Recreate a Deleted User in AD and Sync to Office365

Scenario

You have Directory Synchronization configured in your domain and on occasion you need to delete a synced user in AD then recreate the account.

Here are the steps required in order to enable successful synchronization of the recreated AD account to Office 365.

 

Step 1

Delete the user account from AD and perform a sync so that the user is also removed from O365. The cloud account will move to the Deleted users area in O365.

 

Step 2

In Office365 restore the user from the “Deleted Users” area. After it has been restored the user will show up as “in cloud” rather than “synced with Active Directory”.

 

Step 3

Recreate the account in AD. Ensure that you have filled in the Email field and the proxy address for the primary mail account via the user object properties and the Attribute Editor tab.

 

Now for the nifty part…Hard Matching using the AD user ObjectGuid

 

Step 4

Open the AD user object properties and the Attribute Editor tab. Search for distinguishedName and copy the path, then export the object with ldifde:

ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\User.txt

 

Step 5

Open the text file you created in Step 4 and copy the user’s ObjectGUID (the base64 value on the objectGUID:: line), e.g. 5WyOPyLejk2wiSyVaLQSGw==

 

Step 6

Open PowerShell and update the cloud user’s ImmutableID with the ObjectGUID of the AD domain user you copied in Step 5:

Set-MsolUser -UserPrincipalName [email protected] -ImmutableId "5WyOPyLejk2wiSyVaLQSGw=="

 

Step 7

In PowerShell check that the new ImmutableID has been applied:

Get-MsolUser -UserPrincipalName [email protected] | FT Name,ImmutableId

 

Step 8

Run a synchronization and confirm that it succeeds. The cloud user will again show as “synced with Active Directory”.
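The ImmutableId set in Step 6 is simply the Base64 encoding of the 16 raw bytes of the AD objectGUID, which is also what ldifde writes after objectGUID:: in Step 4. The following PowerShell is an added example, not part of the original post: it derives that value directly from AD and compares it with the cloud account before and after the hard match, so you can confirm you are matching the intended user. It assumes the ActiveDirectory and MSOnline modules are loaded, Connect-MsolService has been run, and the account names used are hypothetical.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# MSOnline modules are available and Connect-MsolService has already been run.

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # objectGUID comes back as a [guid]; its 16-byte array, Base64-encoded,
    # is the same string ldifde exports on the "objectGUID::" line.
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Test-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $expected = Get-ExpectedImmutableId -SamAccountName $SamAccountName
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        Matches             = ($cloud.ImmutableId -eq $expected)
    }
}

# Hypothetical names: check first, apply the hard match only if the values
# differ, then re-check before running the directory synchronization (Step 8).
$before = Test-HardMatch -SamAccountName 'someone' -UserPrincipalName 'someone@someplace.com'
$before | Format-List

if (-not $before.Matches) {
    Set-MsolUser -UserPrincipalName $before.UserPrincipalName `
                 -ImmutableId $before.ExpectedImmutableId
    Test-HardMatch -SamAccountName 'someone' -UserPrincipalName 'someone@someplace.com' |
        Format-List
}
```

If the ImmutableId already matches the AD objectGUID, the set is skipped; a mismatch after the set means the cloud object you targeted is not the one you intended to match.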

22 responses to “Recreate a Deleted User in AD and Sync to Office365”

  1. Hi,
    This is a very informative blog. Thanks for such a lovely post.

    I also found another post that is on the same topic. Please follow the link below to know more about the restoration of deleted users in Office 365.

    Restore a User in Office 365

  2. Stephanie,

    After searching for hours on Microsoft library documentation and trying different methods, I couldn’t find a solution. Thankfully, I found your documentation, very well explained, which actually helped me to fix my problem.

    Thank you.

  3. If you get the error below like I did:

    Set-MsolUser : You must provide a required property: Parameter name:
    FederatedUser.SourceAnchor

    To solve the issue:

    1. Connect PowerShell to Office 365.

    2. Change the user’s suffix to the default onmicrosoft.com by using the example below:

    Set-MsolUserPrincipalName -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]

    3. You can then use Set-MsolUser to modify the ImmutableId.

    4. After the changes are done, change the user’s suffix back to the custom domain by using the example below:

    Set-MsolUserPrincipalName -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]

    Cheers

    1. Todd, Thank you so much for these extra steps. It has saved delay in making a mailbox live once again after it was mistakenly marked for deletion.

      Also, thanks to Stephanie for this page and comments. 🙂

      Gratitude

  4. I have no words to thank you. You just saved my ass haha
    All the best and thank you so much.

  5. Hi

    Thanks for the post. Here is a question for you:

    Will this work if you recreate the account on a different domain other than the original where it was created?

    Thanks

  6. Hi,
    So my environment is like:
    1. Create master account in AD
    2. Create mailbox and linked it to master account
    3. Migrate it

    So when I delete the resource account, the master account remains there. I tried this suggestion and the user is showing as synced with AD in the cloud, but on-prem, after re-creating that mailbox, it is still showing as LINKED. Any idea how to handle it in such an environment?

  7. Thank you! I was searching for a long time and finally came across this. It did the trick perfectly.

  8. This worked perfectly, thank you!

    We have a 6-year-old tenant and recently went from cloud-only to adding an on-prem server with an AD. There were a few accounts which simply refused to sync, even though the proxy addresses and UPN were good.

    With this little push AAD linked both together.

  9. Amazing. I looked everywhere and tried many things. This was spot on, easy to follow and best of all – WORKED !!!

    Thank you TONS!
