Here is what to do when Azure AD Connect (ADSync) synchronizes an on-premises AD user to Azure AD as a brand-new user@domain.onmicrosoft.com account instead of matching the cloud account username@mydomain.tld that already exists. In most cases this happens when the cloud account was created by hand before synchronization was set up. Fortunately the problem is fixable: the existing cloud account has to be hard-matched to the on-premises object by setting its ImmutableID to the on-premises objectGUID. So what to do?
First of all you need the objectGUID of every user you want to fix. It comes from your local AD, but not in the form you see in the MMC Attribute Editor: that shows the GUID as a dashed hexadecimal string, which Azure AD does not accept as an ImmutableID. Azure AD expects the base64 encoding of the GUID's 16 raw bytes, so we obtain it another way, with the tool LDIFDE.
LDIFDE can export and import data from/to Active Directory. You can find more about it here: https://support.microsoft.com/en-us/help/555636.
So let's export the user's data to a text file with the following command (add -l objectGUID if you only want that one attribute in the output):
Getting the objectGUID
ldifde -d "DistinguishedName of the user" -f "c:\temp\exporteduser.txt"
# output
uSNChanged: 129668
name: Emma Wolf
objectGUID:: WhJMX8r25UigMnvHO/u3Ew==
userAccountControl: 512
badPwdCount: 0
The double colon after objectGUID means LDIFDE has base64-encoded the binary value, and that is exactly the format Azure AD needs as the ImmutableID of the account it should match during synchronization. But if the wrongly created @domain.onmicrosoft.com account already carries this ImmutableID, you will first need to remove that existing account.
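The relation between the two representations is worth seeing once, so here is an added example (not code from the original post) that converts between the dashed GUID that the Attribute Editor shows and the base64 string that LDIFDE exports and Azure AD stores. It runs offline and needs no domain; the Get-ADUser line at the end is the online shortcut and assumes the ActiveDirectory module and a user named emma.wolf, both assumptions.

```powershell
# Added example, not from the original post: objectGUID <-> ImmutableID conversion.
# Guid.ToByteArray() emits the first three GUID fields little-endian, which is the
# byte order AD stores and LDIFDE base64-encodes, so no manual byte swapping is needed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Guid(byte[]) expects exactly 16 bytes; a wrong-length string fails loudly here.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# Decode the value LDIFDE exported above into the form the Attribute Editor shows...
$fromLdif = ConvertFrom-ImmutableId 'WhJMX8r25UigMnvHO/u3Ew=='
$fromLdif.ToString()

# ...and re-encode it: the round trip must give the LDIFDE string back.
$reEncoded = ConvertTo-ImmutableId $fromLdif
if ($reEncoded -ne 'WhJMX8r25UigMnvHO/u3Ew==') { throw "round trip failed: $reEncoded" }

# With the domain reachable you can skip LDIFDE entirely (assumes the ActiveDirectory
# module and a user emma.wolf; both are assumptions for this example):
# ConvertTo-ImmutableId (Get-ADUser -Identity 'emma.wolf').ObjectGUID
```

Decoding the page's value this way yields the GUID 5f4c125a-f6ca-48e5-a032-7bc73bfbb713, which is what the Attribute Editor would display for that object. The practical upshot is that either source is fine: take the base64 string from LDIFDE, or take the GUID from Get-ADUser or the Attribute Editor and encode it yourself.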
Updating the Azure AD user
You need to connect to Office 365 via PowerShell, so if you don't have the MSOnline module yet, install it:
Install-Module MSOnline
Connect to your Office 365 tenant (this needs a user administrator or global administrator account):
Connect-MsolService
Set the ImmutableID on your existing user (xxx is the base64 value exported above):
Set-MsolUser -UserPrincipalName emma@yourdomain.com -ImmutableId xxx
If another object already uses this ImmutableID (typically the emma@domain.onmicrosoft.com account the sync created), Set-MsolUser fails with an error, so you first have to remove the object holding it. Note also that the command only works on a cloud-only account: the ImmutableID of a user that is itself already directory-synced cannot be changed this way.
Before touching anything, stop synchronization between AD and Azure AD so the duplicate is not re-created while you work. Opening the Azure AD Connect configuration wizard pauses the scheduler for as long as it stays open; the cleaner way is to run Set-ADSyncScheduler -SyncCycleEnabled $false on the Azure AD Connect server.
To find the existing user that holds the ImmutableID, use:
Get-MsolUser -All | Where-Object {$_.ImmutableID -eq "WhJMX8r25UigMnvHO/u3Ew=="}
If the user was already deleted it is probably in the recycle bin and is not returned by the command above, so use the following one to show it:
Get-MsolUser -All -ReturnDeletedUsers | Where-Object {$_.ImmutableID -eq "WhJMX8r25UigMnvHO/u3Ew=="}
This command gives the same result, but for deleted users.
OK. Now remove this user. Check first that nobody has started using the duplicate (mailbox, OneDrive, licenses), because the second command purges it permanently and it cannot be restored afterwards:
Remove-MsolUser -UserPrincipalName "emma@domain.onmicrosoft.com" -Force
and then purge it from the recycle bin (this step is also what you need when the duplicate was only soft-deleted):
Remove-MsolUser -UserPrincipalName "emma@domain.onmicrosoft.com" -RemoveFromRecycleBin
That's all. Now run the Set-MsolUser command from above, close the ADSync configuration screen (or re-enable the scheduler with Set-ADSyncScheduler -SyncCycleEnabled $true) and wait until synchronization completes, or trigger it in PowerShell with Start-ADSyncSyncCycle -PolicyType Delta. Afterwards Get-MsolUser -UserPrincipalName emma@yourdomain.com should show the ImmutableID you set together with a LastDirSyncTime, and the on-premises user is now bound to the cloud account: whoever controls the on-premises object controls the cloud identity from here on.
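The steps above, put together as one script with the checks you want before deleting anything, as an added example that is not code from the original post. It assumes the ActiveDirectory, ADSync (present on the Azure AD Connect server) and MSOnline modules, an existing Connect-MsolService session with user administrator rights, and placeholder names (emma.wolf, emma@yourdomain.com) that you replace with your own. Without -Confirmed it only reports what it would do.

```powershell
# Added example, not from the original post: end-to-end hard match of a cloud-only
# user to its on-premises object, with the duplicate removed first.
# Assumes: ActiveDirectory, ADSync and MSOnline modules; Connect-MsolService already run.
param(
    [string]$OnPremIdentity = 'emma.wolf',           # sAMAccountName or DN of the on-prem user (placeholder)
    [string]$CloudUpn       = 'emma@yourdomain.com', # the cloud account we want to keep (placeholder)
    [switch]$Confirmed                               # without this the script only reports
)

Import-Module ActiveDirectory, ADSync, MSOnline -ErrorAction Stop

function Remove-Duplicate {
    # Deletes one object that wrongly holds our ImmutableId; refuses if it looks like it is in use.
    param([Parameter(Mandatory)]$User, [bool]$InRecycleBin)
    if ($User.UserPrincipalName -eq $CloudUpn) {
        Write-Host "$CloudUpn already carries the right ImmutableId"; return
    }
    # A licensed duplicate may own a mailbox or OneDrive; purging the recycle bin is irreversible.
    if ($User.IsLicensed) { throw "$($User.UserPrincipalName) is licensed: review its data before deleting it" }
    if (-not $Confirmed) { Write-Warning "Would delete duplicate $($User.UserPrincipalName)"; return }
    if (-not $InRecycleBin) { Remove-MsolUser -UserPrincipalName $User.UserPrincipalName -Force }
    Remove-MsolUser -UserPrincipalName $User.UserPrincipalName -RemoveFromRecycleBin -Force
}

# 1. Build the hard-match value: base64 of the objectGUID bytes, identical to LDIFDE's "objectGUID::".
$adUser      = Get-ADUser -Identity $OnPremIdentity
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Write-Host "On-prem objectGUID $($adUser.ObjectGUID) -> ImmutableId $immutableId"

# 2. Pause the sync scheduler so the duplicate cannot be re-created mid-fix.
Set-ADSyncScheduler -SyncCycleEnabled $false

try {
    # 3. Whatever holds that ImmutableId now, live or soft-deleted, is the wrongly created duplicate.
    $live    = @(Get-MsolUser -All                     | Where-Object { $_.ImmutableId -eq $immutableId })
    $deleted = @(Get-MsolUser -All -ReturnDeletedUsers | Where-Object { $_.ImmutableId -eq $immutableId })
    foreach ($dup in $live)    { Remove-Duplicate -User $dup -InRecycleBin $false }
    foreach ($dup in $deleted) { Remove-Duplicate -User $dup -InRecycleBin $true }

    # 4. Bind the surviving cloud-only account. Set-MsolUser refuses this on an object that is
    #    itself directory-synced, so check explicitly and fail with a readable message.
    $target = Get-MsolUser -UserPrincipalName $CloudUpn
    if ($target.LastDirSyncTime) { throw "$CloudUpn is already directory-synced; its ImmutableId cannot be changed" }
    if ($Confirmed) {
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    } else {
        Write-Warning "Would set ImmutableId $immutableId on $CloudUpn"
    }
}
finally {
    # 5. Re-enable the scheduler whatever happened, then push a delta sync so the match takes effect.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    if ($Confirmed) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }
}
```

Run it once without -Confirmed to see which object would be deleted, then again with it. The MSOnline module is deprecated; the same operations in Microsoft Graph PowerShell are Get-MgUser -Filter "onPremisesImmutableId eq '<value>'" to find the holder and Update-MgUser -UserId $CloudUpn -OnPremisesImmutableId $immutableId to set the value, with the rest of the procedure unchanged.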