Ran into an issue where someone was migrating domains to a new domain and needed to re-set up Azure AD Connect.
Did some pre-planning and exported all users, including their ImmutableIDs:
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# Confirm directory synchronization is currently enabled on the tenant
(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
# -All returns every user; without it Get-MsolUser stops at the first 500
Get-MsolUser -All | Export-Csv -Path C:\temp\Tenant.csv -NoTypeInformation
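A plain CSV of users does not tell you which ones will break when the source domain changes. The following added example (not from the original post) extends the export step: it decodes each cloud account's ImmutableID back to the on-premises objectGUID, looks that GUID up in the domain the machine is joined to, and classifies every account as cloud-only, correctly anchored, or anchored to an object that no longer exists in this domain. The output path and the assumption that Connect-MsolService has already been run are mine.

```powershell
# Added example: sync-state inventory before touching DirSync.
# Assumes Connect-MsolService has already been run and the ActiveDirectory module is present.
Import-Module ActiveDirectory

function ConvertFrom-ImmutableId {
    # ImmutableId is the Base64 of a 16-byte GUID (objectGUID or ms-DS-ConsistencyGuid);
    # reversing it shows which on-premises object the cloud account is anchored to.
    param([Parameter(Mandatory)][string]$ImmutableId)
    try {
        $bytes = [System.Convert]::FromBase64String($ImmutableId)
        if ($bytes.Length -ne 16) { return $null }   # anchor was not built from a GUID
        return [System.Guid]::new($bytes)
    } catch {
        return $null                                  # not valid Base64 at all
    }
}

function Get-SyncStateReport {
    param([string]$OutputPath = 'C:\temp\Tenant-SyncState.csv')   # assumed path

    $report = Get-MsolUser -All | ForEach-Object {
        $guid = if ($_.ImmutableId) { ConvertFrom-ImmutableId $_.ImmutableId } else { $null }
        $adMatch = $null
        if ($guid) {
            # Does an object with this GUID exist in the domain we are joined to?
            $adMatch = Get-ADUser -Filter "objectGUID -eq '$guid'" -ErrorAction SilentlyContinue
        }
        $state = if (-not $_.ImmutableId) { 'CloudOnly' }
                 elseif (-not $guid)      { 'AnchorNotGuid' }
                 elseif ($adMatch)        { 'Anchored' }
                 else                     { 'OrphanedAnchor' }   # points at an object not in this domain

        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            ImmutableId       = $_.ImmutableId
            DecodedGuid       = $guid
            AdSamAccountName  = $adMatch.SamAccountName
            SyncState         = $state
            LastDirSyncTime   = $_.LastDirSyncTime
        }
    }

    $report | Export-Csv -Path $OutputPath -NoTypeInformation
    # Summary by state; OrphanedAnchor is the population that needs re-matching after the domain move
    $report | Group-Object SyncState | Select-Object Name, Count
}

Get-SyncStateReport
```

Run this against the old domain before disabling DirSync and again against the new one afterwards; an account that moves from Anchored to OrphanedAnchor is one that soft matching may or may not rescue, and the CSV gives you the exact GUID it was bound to if you need to trace it.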
Disable Dir Sync by running the following:
Set-MsolDirSyncEnabled -EnableDirSync $false
Every article I've seen says this may take up to 72 hours; however, it appeared to be almost instantaneous. You can check that it is set to false by running:
(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
Now you need to find the user in question that isn't matching correctly. If an extra cloud-only account was created for that user, remove that account and then remove it from the recycle bin in Office 365 as well. Azure AD Connect should do a soft match based on User Principal Name and primary proxy address; however, sometimes this doesn't work.
# Delete the duplicate cloud account, then purge it from the recycle bin so it cannot block the match
Remove-MsolUser -UserPrincipalName username@emaildomainname.com
Remove-MsolUser -UserPrincipalName username@emaildomainname.com -RemoveFromRecycleBin
Verify that the account is gone (it should no longer appear in the list of deleted users) by running:
Get-MsolUser -ReturnDeletedUsers
Running the following commands takes the Active Directory object GUID of the on-premises user, converts it to the Base64 string that Azure AD uses as the ImmutableID, and stamps that value on the Office 365 account:
$credential = Get-Credential
Connect-MsolService -Credential $credential
$ADUser = "username"                          # on-premises sAMAccountName
$365User = "username@emaildomainname.com"     # cloud UserPrincipalName
$guid = (Get-ADUser $ADUser).ObjectGuid
# ImmutableID is the Base64 encoding of the 16-byte objectGUID
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
# Clear any existing value first (the cmdlet rejects a bare $null, hence the quoted form), then set the new anchor
Set-MsolUser -UserPrincipalName $365User -ImmutableId "$null"
Set-MsolUser -UserPrincipalName $365User -ImmutableId $immutableID
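Stamping an ImmutableID is a one-line write, but the failure modes around it are what cause the "it still didn't match" follow-up: the UPNs differ so soft match never fired, or another account (live or soft-deleted) already holds the same anchor. The added example below (not from the original post) wraps the hard match in a function that computes the anchor the same way as above, checks both conditions, reports before/after values, and only writes when called with -Apply. It assumes Connect-MsolService has been run and DirSync is disabled, as in the steps above; the account names are placeholders.

```powershell
# Added example: verified hard match for one account.
# Assumes Connect-MsolService has run and DirSync is disabled (Set-MsolUser refuses to change
# the ImmutableId of a synced user while sync is on). Names are placeholders.
Import-Module ActiveDirectory

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$AdSamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn,
        [switch]$Apply    # without -Apply the function only reports what it would do
    )
    $adUser      = Get-ADUser -Identity $AdSamAccountName -Properties UserPrincipalName, mail
    $immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
    $current   = $cloudUser.ImmutableId

    # Soft match keys Azure AD Connect would have used on its own.
    $softMatch = if ($adUser.UserPrincipalName -eq $CloudUpn) { 'UPN matches' }
                 else { "UPN differs: on-prem '$($adUser.UserPrincipalName)' vs cloud '$CloudUpn' (soft match would not fire)" }

    # The anchor must be unique in the tenant, including soft-deleted accounts in the recycle bin.
    $live    = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId -and $_.UserPrincipalName -ne $CloudUpn }
    $deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ImmutableId -eq $immutableId }
    if ($live)    { throw "ImmutableId $immutableId is already held by live account $($live.UserPrincipalName); remove that duplicate first." }
    if ($deleted) { throw "ImmutableId $immutableId is held by recycle-bin account $($deleted.UserPrincipalName); purge it with -RemoveFromRecycleBin first." }

    $result = [pscustomobject]@{
        CloudUpn         = $CloudUpn
        AdObjectGuid     = $adUser.ObjectGUID
        CurrentImmutable = $current
        TargetImmutable  = $immutableId
        SoftMatch        = $softMatch
        Changed          = $false
    }
    if ($current -eq $immutableId) { return $result }   # already anchored to this AD object

    if ($Apply) {
        # Clear first (the cmdlet rejects a bare $null, so the quoted form is used), then set the new anchor.
        if ($current) { Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId "$null" }
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
        $result.Changed = $true
    }
    return $result
}

# Dry run first; re-run with -Apply once the report shows the expected GUID and no conflicts.
Set-HardMatch -AdSamAccountName 'username' -CloudUpn 'username@emaildomainname.com'
Set-HardMatch -AdSamAccountName 'username' -CloudUpn 'username@emaildomainname.com' -Apply
```

The two uniqueness checks are the part worth keeping even if you inline the rest: a duplicate sitting in the recycle bin is invisible to a plain Get-MsolUser and is the usual reason the match silently fails after the anchor has been set.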
Re-enable Dir Sync:
Set-MsolDirSyncEnabled -EnableDirSync $true
Make sure the Azure AD Sync service (ADSync) is started, then run:
# Start-ADSyncSyncCycle is provided by the ADSync module that Azure AD Connect installs
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta