This is often needed in the following scenarios:

- The Office 365 account was previously connected to a different AD account
- There was a duplicate account in Office 365
Prerequisites

- You will need administrative access to a domain controller
- You will need to connect to the Microsoft Graph PowerShell module with the following scopes:

  ```powershell
  Connect-MgGraph -Scopes "User.ReadWrite.All"
  ```
Process

Here are the steps to resolve the issue:
- Move the user out of a synced OU
- Run an Azure AD Sync / Entra ID Sync (this soft-deletes the synced copy of the account in Entra ID)
- Log in to Microsoft Graph
- Get a list of deleted users:

  ```powershell
  $Uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user"
  [array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get
  $DeletedUsers.value | Select-Object displayName,mail,id
  ```

- Note the ID of the deleted user, then run the following command:
  - Be VERY careful to ensure you remove the correct account!
  - This will purge the mailbox contents!

  ```powershell
  Remove-MgDirectoryDeletedItem -DirectoryObjectId "ID GOES HERE"
  ```
- Get the AD user's ImmutableID
  - Log into an AD server
  - Run the following commands (replace `<username>` with the user's sAMAccountName):

    ```powershell
    $guid = (Get-ADUser -Identity <username>).ObjectGUID
    $immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
    $immutableID
    ```

  - Note the Immutable ID
- Update the Immutable ID with Microsoft Graph
  - Log into MS Graph
  - Run the following command, replacing `$immutableID` with the value obtained in AD:

    ```powershell
    Update-MgUser -UserId "[email protected]" -OnPremisesImmutableId $immutableID
    ```
- Move the account back into the synced OU and run a sync

The accounts should now be linked in Office 365.
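The script below is an added example that pulls the steps above into one guarded procedure; it is not from the original post. It assumes the `ActiveDirectory` module is available where it runs (a domain controller or an RSAT host), that `Connect-MgGraph -Scopes "User.ReadWrite.All"` has already been run, and that `$SamAccountName`, `$CloudUpn` and `$DuplicateUpn` are placeholders you replace. The names `Get-ImmutableIdFromAD` and `Test-ImmutableIdRoundTrip` are helper functions invented for this example. The additions over the page's commands are the checks a practitioner wants before an irreversible purge: the Base64 ImmutableID is decoded back to a GUID to prove it was not mangled, the soft-deleted duplicate is matched by mail/UPN and must be a single match, the permanent delete is gated behind a typed confirmation, the cloud account is checked to be cloud-only (the update fails on a sync-managed user), and the ImmutableID is checked for a conflict with any other user before and verified after the update.

```powershell
# Added example, not the original post's code. Placeholders: $SamAccountName, $CloudUpn, $DuplicateUpn.
# Prerequisites: ActiveDirectory module available; Connect-MgGraph -Scopes "User.ReadWrite.All" already run.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # on-prem AD user, e.g. "jdoe"
    [Parameter(Mandatory)][string]$CloudUpn,         # cloud account to keep, e.g. "jdoe@contoso.example"
    [string]$DuplicateUpn                            # soft-deleted duplicate to purge (omit to skip the purge)
)

function Get-ImmutableIdFromAD {
    # Same derivation as the page: Base64 of the AD ObjectGUID bytes.
    param([string]$Sam)
    $guid = (Get-ADUser -Identity $Sam).ObjectGUID
    return [System.Convert]::ToBase64String($guid.ToByteArray())
}

function Test-ImmutableIdRoundTrip {
    # Decode the Base64 back to a GUID; a copy/paste error or stray whitespace shows up here.
    param([string]$ImmutableId, [guid]$Expected)
    $decoded = [guid]::new([System.Convert]::FromBase64String($ImmutableId))
    return ($decoded -eq $Expected)
}

# 1. Derive and verify the ImmutableID from AD.
$adUser      = Get-ADUser -Identity $SamAccountName
$immutableId = Get-ImmutableIdFromAD -Sam $SamAccountName
if (-not (Test-ImmutableIdRoundTrip -ImmutableId $immutableId -Expected $adUser.ObjectGUID)) {
    throw "ImmutableID did not round-trip to the AD ObjectGUID; refusing to continue"
}
Write-Host "ImmutableID for $SamAccountName is $immutableId"

# 2. Purge the soft-deleted duplicate, only if exactly one deleted user matches the expected identity.
if ($DuplicateUpn) {
    $uri     = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user"
    $deleted = (Invoke-MgGraphRequest -Uri $uri -Method GET).value
    # Soft-deleted users commonly have their UPN prefixed with the object ID, so match on the
    # original mail address or on the UPN suffix rather than an exact UPN.
    $match = @($deleted | Where-Object {
        $_.mail -eq $DuplicateUpn -or $_.userPrincipalName -like "*$DuplicateUpn"
    })
    if ($match.Count -ne 1) {
        throw "Expected exactly one deleted user matching $DuplicateUpn, found $($match.Count); refusing to purge"
    }
    $target = $match[0]
    Write-Host "About to PERMANENTLY delete: $($target.displayName) <$($target.mail)> id=$($target.id)"
    Write-Host "This destroys the duplicate's mailbox contents and cannot be undone."
    if ((Read-Host "Type PURGE to confirm") -cne 'PURGE') { throw "Purge not confirmed" }
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $target.id
}

# 3. The cloud account must be cloud-only: Update-MgUser cannot set OnPremisesImmutableId on a sync-managed user.
$cloudUser = Get-MgUser -UserId $CloudUpn -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId
if ($cloudUser.OnPremisesSyncEnabled) {
    throw "$CloudUpn is still sync-managed; move the AD object out of the synced OU, run a sync, then retry"
}

# 4. Refuse if another user already carries this ImmutableID (a hard-match collision would fail or mislink).
$conflict = Get-MgUser -Filter "onPremisesImmutableId eq '$immutableId'" -Property Id,UserPrincipalName
if ($conflict -and $conflict.Id -ne $cloudUser.Id) {
    throw "ImmutableID $immutableId is already assigned to $($conflict.UserPrincipalName)"
}

# 5. Set the ImmutableID and read it back.
Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId
$after = Get-MgUser -UserId $cloudUser.Id -Property OnPremisesImmutableId
if ($after.OnPremisesImmutableId -ne $immutableId) { throw "Verification failed: Graph did not store the expected ImmutableID" }
Write-Host "ImmutableID set on $CloudUpn. Move $SamAccountName back into the synced OU and run a delta sync to hard-match."
```

Run it as a script (`.\Link-EntraUser.ps1 -SamAccountName jdoe -CloudUpn jdoe@contoso.example -DuplicateUpn jdoe@contoso.example`, names constructed for illustration) from a session that has both the AD module and an active Graph connection; if AD and Graph access live on different machines, run step 1 on the domain controller and paste the printed ImmutableID into the remaining steps. The typed `PURGE` gate is deliberate: `Remove-MgDirectoryDeletedItem` bypasses the 30-day recycle bin, so the only protection against deleting the wrong object is checking its identity before the call.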