AADConnect and Office 365 problem

    Question

  • Here's my problem.  We provide Office 365 for our students.  We have a local AD that we sync with Azure AD via AADConnect.  That's how we provision Office 365 for those accounts.  A couple of days ago we did some work on our local AD infrastructure.  Part of that work was to remove all of the users from our local AD and repopulate it with slightly different names for our users (e.g. instead of using "Alan McCain" for the CN, we added some numbers to make sure they're all unique (Alan McCain - 12345)).  All other information, including the samAccountName, stayed the same.  We have an Identity Management system that we use as our main identity store that feeds users and groups to AD.  

    So now when the AADConnect system runs a synchronization cycle, it thinks we have 5000+ users to delete.  I assume it's using the Object ID to match users between our local AD and Azure AD and now it sees they are different.  What will happen to the Office 365 accounts if I allow the deletions to occur and then resync the users?  We're not using the Exchange component of O365, just the Office apps and OneDrive.  Will people lose any documents they've stored in OneDrive?  Will they have a completely new account?  

    Thanks for your time.

    Alan

    Sunday, March 5, 2017 8:01 PM

All replies

  • If you allow the sync, it will delete the user accounts and provision new ones. Users will not have access to the content associated with the old account as the match is indeed by ObjectGUID.

    Possible workarounds are to do a hard-match, that is making sure that the cloud and On-Prem objectGUIDs match: http://blogs.technet.com/b/praveenkumar/archive/2014/04/12/how-to-do-hard-match-in-dirsync.aspx

    Soft-match can also work, but you have to stop DirSync and clear the ImmutableIDs first: http://support.microsoft.com/kb/2641663

    Monday, March 6, 2017 7:45 AM
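    The hard-match this reply points to works by making the cloud object's ImmutableID equal the Base64 form of the recreated on-prem objectGUID. The script below is an added example, not code from the thread or the linked article; it assumes the ActiveDirectory and MSOnline modules are installed, a Connect-MsolService session is open, and the sample account names are placeholders. It reports mismatches first and only writes the ImmutableID when -Fix is passed, so it can be run as a read-only check before any deletions are allowed to sync.

    ```powershell
    # Added example: compare the ImmutableID Azure AD holds for a user with the
    # one AAD Connect derives from the on-prem objectGUID, and optionally hard-match.
    # Assumes ActiveDirectory + MSOnline modules and an open Connect-MsolService session.
    Import-Module ActiveDirectory
    Import-Module MSOnline

    function Get-ImmutableIdFromGuid {
        param([Parameter(Mandatory)][guid]$ObjectGuid)
        # Default AAD Connect sourceAnchor: the raw objectGUID bytes, Base64-encoded.
        [Convert]::ToBase64String($ObjectGuid.ToByteArray())
    }

    function Test-HardMatch {
        param(
            [Parameter(Mandatory)][string]$SamAccountName,
            [Parameter(Mandatory)][string]$UserPrincipalName,
            [switch]$Fix   # write the ImmutableID only when explicitly requested
        )
        $adUser   = Get-ADUser -Identity $SamAccountName -Properties objectGUID
        $expected = Get-ImmutableIdFromGuid -ObjectGuid $adUser.ObjectGUID
        $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName

        if ($cloud.ImmutableId -eq $expected) {
            Write-Output "$UserPrincipalName already matches ($expected)"
            return
        }

        Write-Output "$UserPrincipalName mismatch: cloud=$($cloud.ImmutableId) expected=$expected"
        if ($Fix) {
            # Hard-match: point the existing cloud object at the recreated on-prem object
            # so the next sync cycle updates it instead of deleting and re-provisioning.
            Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
            Write-Output "  ImmutableId updated for $UserPrincipalName"
        }
    }

    # Placeholder names, constructed for this example:
    # Test-HardMatch -SamAccountName 'amccain' -UserPrincipalName 'amccain@contoso.edu'
    # Test-HardMatch -SamAccountName 'amccain' -UserPrincipalName 'amccain@contoso.edu' -Fix
    ```

    Run the check for every affected account before letting the sync cycle process the pending deletions; once a cloud object has been deleted and re-provisioned, its OneDrive content is no longer tied to the new account, as the reply notes.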
  • Changing the CN shouldn't have changed the objectGUID.  Are you certain that you didn't move the users out of sync scope or have some other filter configured in AAD Connect that is de-scoping the users?
    Monday, March 6, 2017 9:57 AM
  • You're exactly right.  In hindsight, we should have just renamed the users in AD instead of deleting and recreating the user objects from our main identity store.  We use AD for just a handful of applications in our network, but this morning we're realizing what a bad idea that was. :(  I'll be working on matching GUIDs today to solve the Office 365 dilemma.
    Monday, March 6, 2017 2:16 PM