Office 365 – Hard Linking Azure AD Connect Users to Office 365 Accounts

Wow, now talk about a niche issue!

You’ve set up Microsoft Azure Active Directory Connect to sync usernames and passwords with your Office 365 accounts. However, some of the O365 accounts were already in use before your Active Directory domain existed, so they have no on-premises counterpart.

There are two major reasons to link them:

  1. Your staff user accounts are linked with their Office 365 accounts — one password synced between the two, change one and you change the other.
  2. Your users don’t have to activate Office 365 ProPlus every time on a terminal server. This requires Password Hash Sync + Seamless Single Sign-On (a checkbox in the Azure AD Connect wizard, really…).
    1. This previously used to require Active Directory Federation Services, a god-awful nightmare of configuration and server setup that doesn’t make sense for a small business.

During the initial setup of Azure AD Connect, it will auto-sync and create cloud users whose names look nearly identical to the existing ones but which are separate objects with their own IDs. Your goal is to get the local Active Directory account directly linked to the existing Office 365 account (with email and other goodies already active that you don’t want to lose).


The process of using PowerShell to tap directly into O365 and link the two accounts is called hard linking (Microsoft calls it hard matching). There is also soft matching, which only happens when a local AD user is first synced or when AD Connect is initially set up: the primary SMTP address (or UPN) in Active Directory is matched against the same value on the Office 365 account. Microsoft’s IDFix tool only flags attribute problems before a sync; it does not do matching, and in my experience it’s no help here. If both accounts are already live, you have to do hard linking.

For starters, add the UPN (User Principal Name) suffix of your O365 domain. For example, if your internal AD domain is cn.company.com but your O365 domain is company.com, open Active Directory Domains and Trusts > Right-Click the “Active Directory Domains and Trusts” root node > Properties > UPN Suffixes > Add: company.com.

This will give you the option in Active Directory Users and Computers (Account tab) to change a user’s logon name from user@cn.company.com, or even MAIN\user, into email-address format: user@company.com. Edit the properties of every account you want synced so its UPN matches the UPN of its Office 365 account.
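The same suffix and UPN work from PowerShell, which is the safer way to do it for more than a handful of users. The following is an added example, not part of the original post; it assumes the forest root is cn.company.com, the cloud domain is company.com, and each user’s AD mail attribute already holds the address of their Office 365 account (all assumptions):

```powershell
# Added example: align on-prem UPNs with the Office 365 domain before hard matching.
# Assumes: forest root cn.company.com, cloud domain company.com, and that each
# user's AD 'mail' attribute is the address of their O365 account.
Import-Module ActiveDirectory

$cloudDomain = 'company.com'

# 1. Add the UPN suffix at the forest level (same as AD Domains and Trusts > UPN Suffixes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $cloudDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $cloudDomain}
}

# 2. Find enabled users who have a mail address in the cloud domain but whose UPN
#    still uses the internal suffix (these are the ones soft matching will miss).
$candidates = Get-ADUser -Filter { Enabled -eq $true -and mail -like '*' } -Properties mail |
    Where-Object {
        $_.mail -like "*@$cloudDomain" -and
        $_.UserPrincipalName -notlike "*@$cloudDomain"
    }

# 3. Review the list, then set each UPN to the mail address (the value the cloud account uses).
$candidates | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

foreach ($u in $candidates) {
    # -WhatIf keeps this a dry run; drop it once the list above looks right.
    Set-ADUser -Identity $u -UserPrincipalName $u.mail -WhatIf
}
```

Run it once with -WhatIf to see exactly which accounts would change, then remove -WhatIf. Only the UPN is changed; sAMAccountName and the pre-Windows 2000 logon name stay as they were.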


The goal is to take the Active Directory ObjectGUID and overwrite the O365 ImmutableId with it. The ImmutableId is the Base64 encoding of the GUID’s 16 raw bytes (not of its hex string), which is also the sourceAnchor Azure AD Connect uses to pair objects. (If your Azure AD Connect build uses ms-DS-ConsistencyGuid as the source anchor, that attribute is seeded from the objectGUID, so the same value applies as long as it is empty or already equal.) Setting it forces the two to link on the next delta sync, which the scheduler runs every 30 minutes by default, or immediately if you trigger one by hand. However, a sourceAnchor must be unique in the tenant, so you can’t have a single GUID on two different accounts… You have to blow away one of the 365 accounts: the duplicate that was unnecessarily created.

This gets slightly messy, and sort of dangerous — make damn sure you know what you are deleting through PowerShell, and check the account’s licenses and its current ImmutableId before you touch it! Screw up and *poof* goes a user’s O365 email and file storage.


The code:

#Dan Kruse
#October 6th 2017
#How to hard-link a mismatched Active Directory account to an Office 365 account.
#Run this in PowerShell on the Active Directory server running Azure AD Connect.

#Allow remote scripts to run for this session only (no need to change the machine-wide policy)
Set-ExecutionPolicy RemoteSigned -Scope Process

#Store Office 365 Global Admin creds and connect to MS Online
#You will be prompted to enter a login; use a 365 Global Admin account.
$credential = Get-Credential
Import-Module MsOnline
Connect-MsolService -Credential $credential

#After adding the UPN suffix of the email domain, change the user's Account tab in Active Directory to match their email (e.g. jsmith@company.com)

#Obtain the ObjectGUID of the Active Directory account and encode it the way Azure AD stores it:
#Base64 of the GUID's 16 raw bytes (not of its hex string)
Import-Module ActiveDirectory
$guid = (Get-ADUser -Identity johns).ObjectGUID
$immutableid = [System.Convert]::ToBase64String($guid.ToByteArray())

#Attempt to write the GUID to the valid 365 account; it should fail while the duplicate still holds the same anchor...
Set-MsolUser -UserPrincipalName jsmith@company.com -ImmutableId $immutableid

#If/when you get a uniqueness violation on the SourceAnchor/ImmutableId:
#Make **absolutely sure** the account you are about to delete is the empty duplicate created by the sync and that it
#carries no licenses (Exchange Online Plan 1 etc.), because its mailbox and OneDrive go with it. For duplicate accounts ONLY.
#Delete the empty/unnecessary O365 account recently created by the sync.
Remove-MsolUser -UserPrincipalName johns@cn.company.com

#The anchor stays reserved until you purge the user from the Office 365 recycle bin; this perma-deletes the account, no going back.
Remove-MsolUser -UserPrincipalName johns@cn.company.com -RemoveFromRecycleBin

#Now hard-link the user with the same Set-MsolUser command as before; this time it should complete with no message, just a successful run
Set-MsolUser -UserPrincipalName jsmith@company.com -ImmutableId $immutableid

#Trigger a delta sync so the match takes effect. The scheduler runs one every 30 minutes on its own;
#password hash sync runs on its own 2-minute cycle.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
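Because the purge step is irreversible, here is the same procedure with the checks I would want in place before it runs. This is an added example, not the post’s own script. It assumes the AD account is johns in cn.company.com, the cloud account to keep is jsmith@company.com, the sync-created duplicate is johns@cn.company.com, and Azure AD Connect uses objectGUID (or a ms-DS-ConsistencyGuid seeded from it) as the source anchor; the two Convert* helper functions are mine:

```powershell
# Added example (not the post's script): hard match with pre-flight checks before the purge.
# Assumes: AD account 'johns' (cn.company.com), cloud account to keep jsmith@company.com,
# sync-created duplicate johns@cn.company.com, and objectGUID-based source anchor.
Import-Module ActiveDirectory
Import-Module MsOnline
Import-Module ADSync

Connect-MsolService -Credential (Get-Credential)

$adSam        = 'johns'
$keepUpn      = 'jsmith@company.com'
$duplicateUpn = 'johns@cn.company.com'

# ImmutableId is the Base64 of the GUID's 16 bytes; decoding it lets us prove which AD
# object a cloud account is anchored to before deleting anything.
function ConvertTo-ImmutableId([guid]$Guid) {
    [Convert]::ToBase64String($Guid.ToByteArray())
}
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$adUser      = Get-ADUser -Identity $adSam
$immutableId = ConvertTo-ImmutableId $adUser.ObjectGUID

$keep = Get-MsolUser -UserPrincipalName $keepUpn
$dup  = Get-MsolUser -UserPrincipalName $duplicateUpn

# Check 1: the account we are about to delete really is the duplicate the sync created
# for this AD object, i.e. its anchor decodes to this object's GUID.
if (-not $dup.ImmutableId -or (ConvertFrom-ImmutableId $dup.ImmutableId) -ne $adUser.ObjectGUID) {
    throw "$duplicateUpn is not anchored to $adSam ($($adUser.ObjectGUID)); refusing to delete."
}
# Check 2: it holds no licenses, so no mailbox or OneDrive can disappear with it.
if ($dup.IsLicensed -or $dup.Licenses.Count -gt 0) {
    throw "$duplicateUpn holds licenses: $($dup.Licenses.AccountSkuId -join ', '); remove them first."
}
# Check 3: the account we keep is cloud-only (no anchor yet), so the write cannot re-home
# an account that is already matched to something else.
if ($keep.ImmutableId) {
    throw "$keepUpn already has ImmutableId $($keep.ImmutableId) (GUID $(ConvertFrom-ImmutableId $keep.ImmutableId))."
}

"Will purge $duplicateUpn (ObjectId $($dup.ObjectId)) and anchor $keepUpn to $($adUser.ObjectGUID)."
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Soft delete, then purge: the anchor stays reserved until the recycle-bin copy is gone.
Remove-MsolUser -UserPrincipalName $duplicateUpn -Force
Remove-MsolUser -UserPrincipalName $duplicateUpn -RemoveFromRecycleBin -Force

Set-MsolUser -UserPrincipalName $keepUpn -ImmutableId $immutableId

# Verify the anchor round-trips to the AD GUID before kicking off the delta sync.
$after = Get-MsolUser -UserPrincipalName $keepUpn
if ((ConvertFrom-ImmutableId $after.ImmutableId) -ne $adUser.ObjectGUID) {
    throw "ImmutableId on $keepUpn did not take."
}
Start-ADSyncSyncCycle -PolicyType Delta
```

The three checks are what separate a duplicate from a real user: a mailbox-bearing account will fail check 2, and an account whose anchor decodes to some other GUID will fail check 1. After the delta sync, Get-MsolUser on the kept account should show LastDirSyncTime populated and the AD password should work against Office 365.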
