Matching an Office 365 Azure Cloud user Identity with an On-premise Active Directory User Object.

Recently I came across a situation with our Office 365 tenant deployment where a cloud user was created before we configured and ran Azure ADSync at the on premise Active Directory. Please note that we already had a matching on premise Active Directory user object with similar attributes. This resulted in an error after attempting to synchronize my on premise Active Directory with Office 365.Since Office 365 tools seem to be evolving very quickly, I’ll go ahead and list the tools I’m using at this time. My chosen deployment model is the Synchronized Identity model. The links are subject to change by Microsoft at anytime:

a) Microsoft Azure Active Directory Sync Services .Allows you to onboard to Azure Active Directory and Office 365.
b) IdFix DirSync Error Remediation Tool. This tool is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.
c) Microsoft Online Services Sign-In Assistant for IT Professionals RTW. This tool provides end user sign-in capabilities to Microsoft Online Services, such as Office 365.
d) Azure Active Directory Module for Windows PowerShell (64-bit version). As of this post, the 32 bit version of this tool has been discontinued by Microsoft.

Below is a screenshot of the error :

adsyncerror

The error is a result of having a duplicate cloud and on premise AD object with matching attributes. To resolve the problem, I had to set the duplicate cloud identity with an immutableID value that matches the ObjectGuid of the on premise user object. The immutableID value can be retrieved by converting the Objectguid value of the matching on premise Active Directory user object.

1) Connect to the Office 365 online Service using the following PowerShell cmdlet:

Connect-MsolService

2) Get the ObjectGuid property for the on premise AD user and assign it to a $guid PowerShell variable:

adsyncerror00

3) Use the ToBase64String() method of the System.Convert class to convert the ObjectGuid value to the ImmutableID value:

$immutableid=[System.Convert]::ToBase64String($guid.tobytearray())

adsyncerror01

4) Use the new Immutable ID value to set the cloud property of the duplicate cloud identity:

Set-MsolUser -UserPrincipalName philip.snyder@genesysconsults.net -ImmutableId $immutableid

5) Manually run the ADSync tool . Navigate to the ADSync installation folder and run the cmd line tool: DirectorySyncClientCmd

6) Verify the cloud identity to make sure the status of the user has changed to “Synced with Active Directory” .

Usually, cloud identities that do not have an immutable id value are not synchronized with the on premise Active Directory.

Advertisements
This entry was posted in Azure Windows PowerShell, Office 365 and tagged , , , , , . Bookmark the permalink.

3 Responses to Matching an Office 365 Azure Cloud user Identity with an On-premise Active Directory User Object.

  1. Pingback: Configuring Hybrid Configuration on Exchange Server 2010 SP3 for Migration to Office 365 (Exchange Online). | chinny chukwudozie,it pro

  2. jbernec says:

    I checked it out. Good stuff.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s