How to link another on-premise user to an Azure AD object using ImmutableID (Hard Match)

Hello,

Now, with Office 365 in hybrid mode, we need to be able to address scenarios like:

User1 left the company and User2 needs to be connected to User1's Office 365 user (OneDrive, mailbox, SharePoint, …)

User1 has been deleted and you want to connect a new user (User2) to the Office 365 user

User1 has been moved from Domain1 to Domain2 and, for administrative reasons, a new user (User2) has been created in Domain2.

In order to address these scenarios, and more generally the need to disconnect an Office 365 user from its on-premise user and reconnect another on-premise user to it in a hybrid environment, we can use the following procedure, called Hard Match:

Some additional information: for this list of scenarios we are making the following assumptions:

  1. User1 and User2 are in the same AD forest. They are two distinct objects, so they have two different ObjectGUIDs (and therefore two different ImmutableIDs), and only one of them can hold a given UPN in that forest.
  2. The AD Connect version matters, because Hard Match may not work with every version of AD Connect. Please check the AD Connect Fixes & Improvements release notes.
  3. AD Connect is used for directory synchronization between on-premise AD and Azure AD (Office 365).
  4. AD Connect uses ObjectGUID as the SourceAnchor (ImmutableID).
  5. The environment is running Exchange 2013 RU11.

Now, please find the step-by-step procedure to disconnect a user from Office 365 and reconnect another one using Hard Match:

  1. Information regarding the users and the environment:
    • User1 will be Source\User1
      • User1 UPN: User1@company.com
      • Source\User1 has a remote mailbox (Office 365 mailbox)
    • User2 will be Destination\User2
      • User2 is not synced to the cloud
  2. Update the Source\User1 attributes:
    • Mail
    • TargetAddress
    • UPN: in this procedure User2 will take over the User1 UPN, because the primary email address has to match the UPN. A UPN must be unique in the forest, so only one object can hold User1@company.com and Source\User1 has to give it up first. We change User1@company.com to #User1@company.com so that the UPN can be assigned to Destination\User2.
    • ProxyAddresses: save the ProxyAddresses attribute, then clear it.
  3. Disable the Source\User1 remote mailbox
  4. Remove Source\User1 from the AD Connect sync scope
    • Update the attribute used by AD Connect to decide whether a user is synced to Office 365 or not
    • Wait for a delta sync cycle to complete
  5. Disable the source user account
  6. Restore the MSOL user (Source\User1: User1@company.com)
    • Restore the MSOL user (User1@company.com)
    • Set the ImmutableID of the restored MSOL user (User1@company.com) to null
    • Calculate the ImmutableID of the destination user (Destination\User2)
    • Set the ImmutableID of the MSOL user (User1@company.com) to the ImmutableID of the destination user (Destination\User2)
    • Change the MSOL user UPN to User1@company.onmicrosoft.com
    • Delete the MSOL user (User1@company.onmicrosoft.com)
  7. Update the Destination\User2 attributes
    • Update Destination\User2 to match the Source\User1 attributes
    • Update the Destination\User2 UPN to User1@company.com (be sure to wait for AD replication to complete first, or the change will fail if a user with the same UPN is still found in the forest)
    • Enable the destination user account
  8. Add Destination\User2 to the AD Connect sync scope
    • Update the attribute used by AD Connect to decide whether a user is synced to Office 365 or not
  9. Enable a remote mailbox for Destination\User2
    • Enable the remote mailbox for Destination\User2
    • Reattach the archive mailbox to the Office 365 mailbox (if one was previously attached to Source\User1)
    • Assign the ProxyAddresses previously saved from Source\User1
    • Update TargetAddress
  10. When complete, wait for an AD Connect sync cycle (I would recommend running at least 2 cycles; sometimes the Hard Match does not work at the first sync)
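The ten steps above as one PowerShell run. This is an added example, not the article's own script. Assumptions that are not in the article: the RSAT ActiveDirectory module, the Exchange 2013 management shell, the MSOnline module (with Connect-MsolService already done) and the ADSync module are all loaded on the host running it; `$dc` is a global catalog; the sync-scope filter attribute (`extensionAttribute15`) and its two values are placeholders for whatever your AD Connect filter actually uses; and `Set-RemoteMailbox -ArchiveGuid` is assumed to be the mechanism behind "reattach the archive". The parked UPN `#User1@company.com` follows the article.

```powershell
# Added example, not the article's script. See the lead-in for what is assumed.
$dc        = 'dc01.company.com'
$srcSam    = 'User1'                       # Source\User1
$dstSam    = 'User2'                       # Destination\User2
$upn       = 'User1@company.com'
$parkedUpn = "#$upn"                       # frees User1@company.com for User2 (article's choice)
$cloudUpn  = 'User1@company.onmicrosoft.com'
$syncAttr  = 'extensionAttribute15'        # ASSUMED: attribute AD Connect filters on
$syncOn    = 'Sync'; $syncOff = 'NoSync'   # ASSUMED: its in-scope / out-of-scope values

function ConvertTo-ImmutableId ([guid]$ObjectGuid) {
    # ImmutableID is the Base64 encoding of the 16 ObjectGUID bytes (ObjectGUID = SourceAnchor)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function Wait-ADSyncDelta {
    # Start a delta cycle and block until the scheduler reports it finished
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do { Start-Sleep -Seconds 30 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}
function Wait-UpnReleased ([string]$Upn, [string]$GlobalCatalog) {
    # Poll the GC (port 3268) until no object in the forest holds $Upn any more
    while (Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Server "${GlobalCatalog}:3268") {
        Start-Sleep -Seconds 15
    }
}

# 1. Snapshot everything that will be re-applied to User2 before touching User1
$src    = Get-ADUser -Identity $srcSam -Server $dc -Properties mail,targetAddress,proxyAddresses
$srcRmb = Get-RemoteMailbox -Identity $srcSam -DomainController $dc
$saved  = @{
    Mail           = $src.mail
    RoutingAddress = $srcRmb.RemoteRoutingAddress     # becomes User2's targetAddress
    ProxyAddresses = @($srcRmb.EmailAddresses)
    ArchiveGuid    = $srcRmb.ArchiveGuid              # Guid.Empty when there is no archive
}

# 2. Park the UPN and clear the mail attributes on the source object
Set-ADUser -Identity $src -Server $dc -UserPrincipalName $parkedUpn
Set-ADUser -Identity $src -Server $dc -Clear mail,targetAddress,proxyAddresses

# 3. Disable the remote mailbox, 4. leave the sync scope and run a delta cycle, 5. disable the account
Disable-RemoteMailbox -Identity $srcSam -DomainController $dc -Confirm:$false
Set-ADUser -Identity $src -Server $dc -Replace @{ $syncAttr = $syncOff }
Wait-ADSyncDelta
Disable-ADAccount -Identity $src -Server $dc

# 6. Restore the now soft-deleted cloud user, re-point it at User2's anchor, park it, delete it
$dst            = Get-ADUser -Identity $dstSam -Server $dc
$newImmutableId = ConvertTo-ImmutableId $dst.ObjectGUID
Restore-MsolUser -UserPrincipalName $upn
Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"   # the quoted "$null" form is what clears the value
Set-MsolUser -UserPrincipalName $upn -ImmutableId $newImmutableId
Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName $cloudUpn
Remove-MsolUser -UserPrincipalName $cloudUpn -Force

# 7. Give User2 the mail attribute and the UPN, but only once replication has freed the UPN
Wait-UpnReleased -Upn $upn -GlobalCatalog $dc
Set-ADUser -Identity $dst -Server $dc -UserPrincipalName $upn -EmailAddress $saved.Mail
Enable-ADAccount -Identity $dst -Server $dc

# 8. Enter the sync scope, 9. remote mailbox, archive, proxy addresses (targetAddress comes from RemoteRoutingAddress)
Set-ADUser -Identity $dst -Server $dc -Replace @{ $syncAttr = $syncOn }
Enable-RemoteMailbox -Identity $dstSam -RemoteRoutingAddress $saved.RoutingAddress -DomainController $dc
if ($saved.ArchiveGuid -ne [guid]::Empty) {
    # ASSUMED mechanism for "reattach the archive": stamp the cloud archive GUID on the new remote mailbox
    Set-RemoteMailbox -Identity $dstSam -ArchiveGuid $saved.ArchiveGuid -DomainController $dc
}
Set-RemoteMailbox -Identity $dstSam -EmailAddresses $saved.ProxyAddresses -DomainController $dc

# 10. Two delta cycles, then prove the cloud object is linked to User2 rather than to a new duplicate
Wait-ADSyncDelta; Wait-ADSyncDelta
$cloud = Get-MsolUser -UserPrincipalName $upn
if ($cloud.ImmutableId -ne $newImmutableId) {
    throw "Hard match did not apply: cloud ImmutableId is '$($cloud.ImmutableId)', expected '$newImmutableId'"
}
"$upn is now linked to $dstSam (ObjectGUID $($dst.ObjectGUID))"
```

The final comparison is the check worth keeping even if you run the steps by hand: if the cloud ImmutableId is not the Base64 of User2's ObjectGUID after the second cycle, AD Connect has either not exported yet or has created a second, cloud-only object, and the mailbox data is still attached to the old one.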

Important information: while using this procedure you need to be aware that between step 3 and step 10 the mailbox is disabled, so senders will receive an NDR if they try to send mail to the Office 365 mailbox. The downtime will be:

  1. 1 AD Connect sync cycle to wait for at step 4:
    • Wait for the next delta sync to start, default scheduler interval: 30 min
    • Wait for the delta sync cycle to complete (running time): less than 30 min
  2. 2 AD Connect sync cycles to wait for at step 10

So with the default configuration of AD Connect, the maximum downtime, if you are not able to start a delta sync manually, will be 3 hours (3 cycles of up to 60 minutes each).

This article will be updated with PowerShell cmdlets.

How to calculate the ImmutableID using PowerShell

I have been writing scripts for onboarding and I have faced some issues involving the ImmutableID. The ImmutableID is the unique identifier created by your directory synchronization; it is the Base64 encoding of the ObjectGUID attribute of your object (when ObjectGUID is the SourceAnchor).

So please find how to calculate the ImmutableID based on the ObjectGUID.

First you have to retrieve the ObjectGUID of the user, then Base64-encode its 16 bytes:

# ObjectGUID is returned by default, so -Properties is not needed; pin the query to one DC
$User = Get-ADUser $UserSamAccount -Server $DC

# ImmutableID = Base64 of the GUID bytes, in .NET byte order, as AD Connect computes it
$ImmutableID = [System.Convert]::ToBase64String(([GUID]$User.ObjectGUID).ToByteArray())
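Going one step beyond the article: the conversion also runs backwards, which is what you need when a cloud user looks wrong and you want to know which on-premise object its ImmutableID actually points at. The following is an added example, not the article's code; it assumes the RSAT ActiveDirectory module and a connected MSOnline session for the last function, and the GUID used in the round-trip check is a constructed value.

```powershell
# Added example, not from the article: ImmutableID <-> ObjectGUID both ways, plus a check
# that an Azure AD user is linked to the on-premise object you expect.
function ConvertTo-ImmutableId ([guid]$ObjectGuid) {
    # Base64 of the GUID's 16 bytes in .NET byte order; this is the value AD Connect writes
    # as the source anchor when ObjectGUID is the SourceAnchor.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId ([string]$ImmutableId) {
    # Reverse: decode the Base64 and rebuild the GUID. An ObjectGUID-based ImmutableID is
    # always 24 characters and decodes to exactly 16 bytes; anything else is a different anchor
    # (for example an mS-DS-ConsistencyGuid set by hand) and must not be cast blindly.
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "'$ImmutableId' does not decode to a 16-byte GUID" }
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Test-ImmutableIdMatch ([string]$SamAccountName, [string]$UserPrincipalName, [string]$DC) {
    # Compares the cloud user's ImmutableId with the encoding of the on-premise ObjectGUID.
    # Match = $false is the usual reason a user appears twice (synced + cloud-only) after sync.
    $ad       = Get-ADUser -Identity $SamAccountName -Server $DC
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = ConvertTo-ImmutableId $ad.ObjectGUID
    [pscustomobject]@{
        OnPremGuid   = $ad.ObjectGUID
        ExpectedId   = $expected
        CloudId      = $cloud.ImmutableId
        LinkedOnPrem = if ($cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
        Match        = ($cloud.ImmutableId -eq $expected)
    }
}

# Round trip on a constructed GUID, no directory needed: proves the two conversions are inverses
$g = [guid]'12345678-9abc-def0-1234-56789abcdef0'
if ((ConvertFrom-ImmutableId (ConvertTo-ImmutableId $g)) -ne $g) { throw 'round trip failed' }

# Against a real tenant (placeholders): which on-premise object does the cloud user point at?
# Test-ImmutableIdMatch -SamAccountName User2 -UserPrincipalName User1@company.com -DC dc01.company.com
```

The `LinkedOnPrem` GUID is the one to feed into `Get-ADUser -Identity <guid>`: it will either return the user you expect, the old object you thought was gone, or nothing at all, which is the case to look for before a Hard Match.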

How to search for the CorrelationID of an AD FS login page error in your AD FS servers' event log

Hello,

Very often, when I troubleshoot an AD FS login page error, I need to match the CorrelationID with the error on the AD FS server.

The quick way to find the CorrelationID (ActivityID) in the AD FS server event log using Event Viewer is:

  1. Open Event Viewer
  2. Go to Application and Services Logs\AD FS\Admin
  3. Right-click on Admin, then click Find
  4. Type the CorrelationID provided by the failing user

[Screenshot: Event Viewer Find dialog with the CorrelationID]
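The same lookup as a function, so that one Correlation ID can be checked on every node of the farm at once (the error page tells the user the ID, not which server handled the request). This is an added example, not the article's; it assumes the `AD FS/Admin` log name, WinRM access to the listed servers, and placeholder server names and ID.

```powershell
# Added example, not from the article: find the AD FS Admin events for one Correlation ID.
function Get-AdfsEventsByCorrelationId {
    param(
        [Parameter(Mandatory)][guid]$CorrelationId,
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours = 24
    )
    # The Correlation ID on the login page is the ETW ActivityID stamped on the events, so the
    # precise filter is System/Correlation/@ActivityID. XPath compares it as text, so both
    # casings of the braced GUID are tried; timediff() (milliseconds) limits the window.
    $upper = $CorrelationId.ToString('B').ToUpper()
    $lower = $CorrelationId.ToString('B').ToLower()
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[TimeCreated[timediff(@SystemTime) <= $ms] and " +
             "Correlation[@ActivityID='$upper' or @ActivityID='$lower']]]"
    foreach ($server in $ComputerName) {
        $events = Get-WinEvent -ComputerName $server -LogName 'AD FS/Admin' -FilterXPath $xpath -ErrorAction SilentlyContinue
        if (-not $events) {
            # Fallback for events that only quote the ID inside the message text
            $events = Get-WinEvent -ComputerName $server -LogName 'AD FS/Admin' -MaxEvents 5000 -ErrorAction SilentlyContinue |
                      Where-Object { $_.Message -match [regex]::Escape($CorrelationId.ToString()) }
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Server  = $server
                Time    = $e.TimeCreated
                EventId = $e.Id
                Level   = $e.LevelDisplayName
                Summary = ($e.Message -split "`r?`n")[0]   # first line of the message is the error summary
            }
        }
    }
}

# Usage (placeholders): paste the ID from the error page; sort so the first error in the chain comes first
Get-AdfsEventsByCorrelationId -CorrelationId '00000000-0000-0000-0000-000000000000' -ComputerName adfs01,adfs02 |
    Sort-Object Time | Format-Table -AutoSize
```

Sorting by time matters: one failed sign-in produces a chain of events sharing the ActivityID, and the root cause (bad claim rule, certificate, relying party lookup) is the earliest error, not the generic "encountered an error during federation passive request" that the later events repeat.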

How to check if your AD FS environment is using SQL or WID

Please find a PowerShell cmdlet that will help you find out if your AD FS environment is using SQL or WID:

Get-WmiObject -Class SecurityTokenService -Namespace root/ADFS | Select-Object ConfigurationDatabaseConnectionString

  • For WID, we are expecting a local named pipe as the data source. On Windows Server 2012 and later the instance is microsoft##WID:

ConfigurationDatabaseConnectionString
-------------------------------------
Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • On Windows Server 2008 / 2008 R2 the Windows Internal Database instance is named microsoft##ssee (SQL Server Embedded Edition), so the following connection string is also WID, not a full SQL Server:

ConfigurationDatabaseConnectionString
-------------------------------------
Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • For SQL, the data source is the SQL Server host (or host\instance) name rather than a local pipe, for example:

ConfigurationDatabaseConnectionString
-------------------------------------
Data Source=<SQL server>\<instance>;Initial Catalog=AdfsConfiguration;Integrated Security=True
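The check wrapped as a function, so a script can refuse to run a WID-only step (such as promoting a secondary) or a SQL-only step on the wrong kind of farm. This is an added example, not the article's; the three sample connection strings are constructed copies of the formats above, and the SQL server name in them is a placeholder.

```powershell
# Added example, not from the article: classify the AD FS configuration store.
function Get-AdfsConfigStoreType {
    param(
        # Defaults to the live value on this node; pass a string to test offline
        [string]$ConnectionString = (Get-WmiObject -Class SecurityTokenService -Namespace root/ADFS).ConfigurationDatabaseConnectionString
    )
    # Split "key=value;key=value" into a table; keys are case-insensitive in PowerShell hashtables
    $pairs = @{}
    foreach ($kv in ($ConnectionString -split ';')) {
        if ($kv -match '^\s*([^=]+?)\s*=\s*(.*)$') { $pairs[$matches[1]] = $matches[2] }
    }
    $ds = $pairs['Data Source']
    # WID only listens on a local named pipe: instance microsoft##WID (2012+) or microsoft##SSEE (2008/R2).
    # -match is case-insensitive, so both spellings of the instance name are covered.
    $isWid = $ds -match '\\\.\\pipe\\.*microsoft##(wid|ssee)'
    [pscustomobject]@{
        Type       = if ($isWid) { 'WID' } else { 'SQL' }
        DataSource = $ds
        Catalog    = $pairs['Initial Catalog']
    }
}

# Constructed samples: the two WID formats and a SQL one (placeholder server name)
$wid2012 = 'Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True'
$wid2008 = 'Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True'
$sql     = 'Data Source=sql01.company.com\ADFS;Initial Catalog=AdfsConfiguration;Integrated Security=True'
foreach ($cs in $wid2012, $wid2008, $sql) { Get-AdfsConfigStoreType -ConnectionString $cs }

# On a real node: guard a step that only makes sense on one store type
if ((Get-AdfsConfigStoreType).Type -eq 'WID') { Write-Warning 'WID farm: only the primary node is writable' }
```

The regex deliberately keys on the pipe path and the `microsoft##` instance prefix rather than on the word "WID", because the older farms in the second sample never mention WID at all and are the ones most often misread as SQL.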

How to find (identify) your primary AD FS 3.0 server using PowerShell

Hello,

While providing support and troubleshooting, it is very important to know which server is the primary, so that you make the configuration change on the right server (on a WID farm only the primary node accepts AD FS configuration changes; the secondaries pull a read-only copy from it).

To find your primary server you can use the following cmdlet:

From the primary AD FS server (where you can make AD FS configuration changes):

Get-AdfsSyncProperties

[Screenshot: Get-AdfsSyncProperties output on the primary AD FS 3.0 server, Role = PrimaryComputer]

From a secondary AD FS server:

Get-AdfsSyncProperties

[Screenshot: Get-AdfsSyncProperties output on a secondary AD FS server, Role = SecondaryComputer, with PrimaryComputerName pointing at the primary]

Or

Get-AdfsProperties

[Screenshot: Get-AdfsProperties error on a secondary AD FS server, naming the primary server]

In both cases you will get the name of the server hosting the primary node.
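Two small wrappers around the cmdlet above: one that makes a change script stop unless it is on the primary, and one that lists every node's role from a single console. This is an added example, not the article's; it assumes the ADFS PowerShell module on each node, WinRM access to the farm members, and placeholder server names.

```powershell
# Added example, not from the article: guard configuration changes and map the farm's roles.
function Assert-AdfsPrimary {
    # Get-AdfsSyncProperties works on every node; Role says which kind of node this is,
    # and on a secondary PrimaryComputerName says where the change has to be made instead.
    $sync = Get-AdfsSyncProperties
    if ($sync.Role -ne 'PrimaryComputer') {
        throw "This node is $($sync.Role); make AD FS configuration changes on $($sync.PrimaryComputerName) instead"
    }
}

function Get-AdfsFarmRoles {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($server in $ComputerName) {
        $sync = Invoke-Command -ComputerName $server -ScriptBlock { Get-AdfsSyncProperties }
        [pscustomobject]@{
            Server              = $server
            Role                = $sync.Role
            Primary             = if ($sync.Role -eq 'PrimaryComputer') { $server } else { $sync.PrimaryComputerName }
            LastSyncFromPrimary = $sync.LastSyncFromPrimary   # stale here = secondary not pulling config
            LastSyncStatus      = $sync.LastSyncStatus
        }
    }
}

# Usage: put this at the top of any script that calls Set-AdfsProperties, Set-AdfsRelyingPartyTrust, etc.
Assert-AdfsPrimary

# And to see the whole farm at once (placeholder names)
Get-AdfsFarmRoles -ComputerName adfs01, adfs02, adfs03 | Format-Table -AutoSize
```

`LastSyncFromPrimary` is the extra value worth reading while you are there: a secondary whose timestamp stops advancing is serving an old configuration, which is a common reason a change "made on the primary" still fails for some users.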

How AD FS authenticates an Office 365 workload – step-by-step design

Hello,

I have been working on something with AD FS, and I have faced several issues while configuring AD FS servers. In order to help you understand the concept behind AD FS, please find the step-by-step schema I have created.

[Image: schema of AD FS claims authentication for an Office 365 workload]