Background and Intro
Office 365 has an excellent method for providing a common identity for cloud and on-premise resources. Why would an IT administrator want to manage two separate accounts with different passwords, attributes, and group membership? Thankfully, Office 365 has DirSync (now Azure AD Connect, but DirSync sounds so much cooler, and I will forever call it that) to integrate the on-prem Active Directory with Office 365, backed by Azure AD.
Hopefully in this day and age, and now that we’ve reached the end of life for Server 2003, you have an Active Directory environment living on at least a 2008r2 functional level with AD Recycling Bin enabled. Right? Unfortunately in the not-so-perfect world we live in, there are still legacy applications and other roadblocks that keep organizations from making this jump.
Who hasn’t made the mistake of deleting a user account in a non-recycle-bin-enabled environment? And who wants to do an authoritative restore or tombstone animation? Why not just re-create the AD object? Oh, they’re sync’d with O365 and have a cloud mailbox as well…
So, how can we create a brand new user account in AD and re-map their cloud mailbox to the account? Or the AD object somehow got corrupted and we need to delete and re-create from scratch. But, again, they have an Office 365 mailbox tied to their sync’d user account. At first glance, it looks like the user and their mailbox gets thrown into oblivion, but it instead gets converted to a cloud-only account within the Deleted Users section in your Office 365 admin portal.
So go ahead and restore this object. Notice that it becomes a cloud-only object. So we’ve saved the mailbox, but we obviously want it to map back to our new AD user. Next, create the new user object in AD with the appropriate email and SMTP: value in the ProxyAddresses attribute.
Matching the ObjectGuid
So now we need to grab the AD user’s ObjectGuid. This is the value that is used to match the on-prem user account with the cloud object. Run the following to grab the ObjectGuid for the user and export it to a text file, replacing the CN, OU, and DC values where needed in the DN:
ldifde -d “CN=User1,OU=Users,DC=domain,DC=com” -f c:\User1.txt
Open PowerShell and mimic the Cloud users ImmutableID with the AD ObjectGuid
Set-MsolUser –UserPrincipalName email@example.com -ImmutableId “someGuid=”
Run a DirSync and verify
Now run your DirSync – you should now see that the O365 user shows “Synced with Active Directory” and the user’s original mailbox is mapped to the new user account!