How to link you another on-premise user to Azure AD object using immutableID(Hard Match)

Hello,

Now, with office 365 in Hybrid Mode we need to be able to addresse old scenario like:

User1 left the company and User2 need to be reconnected to user1 Office 365 User (onedrive,Mailbox,sharepoint,…)

User1 has been deleted and you want to reconnect a new User(User2) to the Office 365 User

User1 has been moved from domain1 to Domain2, for administrative reason a new User (User2) has been created in Domain2.

In order to address these scenarios but also the need to disconnect an office 365 user to on-premise user and reconnect another on-premise user in a Hybrid Environment,  we can use the following procedure called Hard Match:

Some additionnal information, in this list of scenario we are making the following assumptions:

  1. User1 and User2 are in the Same AD Forest, this is important because that s means the User will have two diferent ObjectGUID
  2. AD Connect version is matter now because the Hard Match may not work with every version of AD Connect.  Please check  AD Connect Fixes & Improvements
  3. AD Connect is used as Directory synchronization between On-premise AD and Azure AD (Ofice 365)
  4. AD Connect is using the ObjectGUID as SourceAnchor (ImmutableID)
  5.  the environment is running Exchange 2013 RU11

Now, please find the step by step to disconnect and reconnect an user to Office 365 using Hard Match:

  1.  Information regarding User and environment:
    • User1 will be Source\User1
      • User1 UPN: User1@company.com
      • Source User1 has a Remote Mailbox (Office 365 Mailbox)
    • User2 will be Destination\User2
      • is not sync to Cloud
  2. Update Source\User1 Attributes:
    • Mail
    • TargetAddress
    • UPN: in this Procedure User2 will use the User1 UPN because PrimaryEmail Address has to match will the UPN. FYI we can only have one User1@company.com as UPN in this forest. so the UPN will have to be changed. So we will change User1@company.com to #User1@company.com so this UPN can be assign to Destination\User2.
    • ProxyAddresses: Save the ProxyAddresses Attribute then clear.
  3. Disable Source\User1 Remote Mailbox
  4. remove Source\User1 from AD Connect Sync Scope
    • Update Attribute use by AD Connect to Sync or No Sync a user to office 365
    • Wait for a Delta sync Cycle to be completed
  5. Disable Source User
  6. Restore MSOL User (Source\User1:User1@company.com )
    • Restore MSOL User(User1@company.com)
    • Set Restored MSOL User (User1@company.com) with immutableID to Null
    • Calculate Destination User (Destination\User2) ImmutableID
    • Set ImmutableID of MSOL User (User1@company.com) to ImmutableID of Destination User (Destination\User2)
    • Change MSOL User UPN to  User1@company.onmicrosoft.com
    • Delete MSOL User (User1@company.onmicrosoft.com)
  7. Update Destination\User2 Attributes
    • Update Destination User2 to match Source\User1 Attributes
    • Update Destination\User2 UPN to User1@company.com ( Please be sure to wait for AD Replication to occur, or it will failed if it found a user with same UPN in the forest)
    • Enable Destination User
  8. Add Destination\User2 to AD Connect Sync Scope
    • Update Attribute use by AD Connect to Sync or No Sync a user to office 365
  9. Enable Remote mailbox for Destination\User2
    • Enable Remote Mailbox for Destination\User2
    • Reattach the Archive mailbox to Office 365 mailbox (if previously attach to Source\User1)
    • Assign the ProxyAddress previously set for Source\User1
    • Update TargetAddress
  10. When complete wait for AD Connect Sync Cycle ( I will recommand to run at least 2 cycle, some time the hard Match is not working at the first Sync)

Important Information, while using this procedure you need to be aware between step 3 and Step 10, the mailbox is disabled so NDR will be receive if you try to send a mail to Office 365 mailbox. so the downtine will be :

  1.  1 AD Connect Sync Cycle for Step 3 to wait for:
    • Wait for Delta Sync, Default setting: 30 min
    • Wait for Delta Sync Cycle to completed (running time): Less than 30 min
  2. 2 AD Connect Sync Cycle for Step 10 to wait for

So with the default configuration of AD Connect, the Maximum downtine if you are not able to start a Delta Sync will be  3 hours.

 

This Article will be updated with Powershell CMDLets.