
Whereas this article says a deleted AD user only needs to be restored from the recycle bin for its Azure AD object to also be restored. For us, when an AD user object is undeleted, Azure AD Connect thinks it must provision (create anew) an Azure AD object, throwing the error, "InvalidHardMatch: Another cloud created object with the same source anchor already exists in Azure Active", when it finds the matching object in Azure AD in the recycle bin. I have also tried restoring the AAD object both before and after restoring the AD object.

When the AAD object is permanently deleted, the AD account will synchronize successfully.

With a new AAD object, I would rebuild their AAD account, then copy the contents of their original mailbox to the new mailbox. However, the user's original mailbox is permanently deleted by Exchange when their original ExchangeGuid is synced from AD.

What is the proper way to restore a deleted Azure AD Hybrid User account? If it should be as simple as restoring the AD object, could our Azure Connect be misconfigured?

1/22/2023: It is looking as though this may be a problem specific to our environment. If someone would please confirm that a deleted AD account only needs to be undeleted for Azure Connect to restore and sync the corresponding Azure AD object, I will close this question.

1 Answer


You must hard match the Microsoft 365 identity to your on-premises user. Provided below is the step-by-step guide on how to carry out this solution:

  1. Remove on-premise Identity from syncing with O365

  2. Remove on-premise Identity from O365 and Remove from Recycle bin

  3. Launch PowerShell and run the following commands

    a. Set-ExecutionPolicy RemoteSigned

    b. $credential = Get-Credential

  4. Input admin credentials for Office 365 and run the following command Import-Module MsOnline

  5. Connect-MsolService -Credential $credential

  6. Run $ADGuidUser = Get-ADUser -Filter * | Select Name,ObjectGUID | Sort-Object Name | Out-GridView -PassThru (without -PassThru the grid returns nothing and $ADGuidUser stays empty)

  7. Select the on-premise user from the Grid

  8. Run $UserimmutableID = [System.Convert]::ToBase64String($ADGuidUser.ObjectGUID.ToByteArray()) in PowerShell to convert the GUID to the immutable ID format

  9. Run $OnlineUser = Get-MsolUser | Select UserPrincipalName,DisplayName,ProxyAddresses,ImmutableID | Sort-Object DisplayName | Out-GridView -Title "Select The Office 365 Online User To HardLink The AD User To" -PassThru

  10. Select the Online identity to match on-premise identity

  11. Run Set-MSOLuser -UserPrincipalName $OnlineUser.UserPrincipalName -ImmutableID $UserimmutableID

  12. Set the Online identity with the new immutable ID

  13. Run Set-MSOLuser -UserPrincipalName $OnlineUser.UserPrincipalName -ImmutableID $UserimmutableID

  14. Check the immutable id matches

  15. Run the following two lines and confirm IDs Match

    Write-Host "AD Immutable ID Used" $UserimmutableID

    Write-Host "Office365 UserLinked" (Get-MsolUser -UserPrincipalName $OnlineUser.UserPrincipalName).ImmutableId

Source: https://www.akinsit.com/how-to-hard-match-office-365-identities-to-on-premise-users

Hope this helps!
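The GUID-to-ImmutableId conversion in steps 8 and 15 is where hard matches most often go wrong: the base64 value must be taken over the .NET Guid.ToByteArray() byte order (first three fields little-endian), not over the bytes of the hex string. The Python script below is an added example, not part of the question or answer above and not from the linked akinsit.com article. The AD record and the two cloud records it checks are constructed sample data with made-up GUIDs and a made-up UPN; it converts in both directions so you can confirm, before running Set-MsolUser, which on-premises object a soft-deleted cloud object is anchored to.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid: str) -> str:
    """Return the ImmutableId (sourceAnchor) that Azure AD Connect derives from an objectGUID.

    .NET's Guid.ToByteArray() emits the first three GUID fields little-endian;
    uuid.UUID(...).bytes_le reproduces that order, so this equals
    [System.Convert]::ToBase64String($guid.ToByteArray()) in PowerShell.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse the conversion so a cloud object's ImmutableId can be traced back to an objectGUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId does not decode to 16 bytes: {immutable_id!r}")
    return str(uuid.UUID(bytes_le=raw))


def check_hard_match(on_prem_guid: str, cloud_immutable_id) -> str:
    """Classify how a cloud object relates to an on-premises object.

    'match'    - already anchored to this AD object; sync resumes once the object is restored
    'not_set'  - cloud-only object; a soft match (UPN/SMTP) or an explicit hard match is needed
    'mismatch' - anchored to a different on-premises object; overwriting would re-point sync
    """
    if not cloud_immutable_id:
        return "not_set"
    return "match" if cloud_immutable_id == guid_to_immutable_id(on_prem_guid) else "mismatch"


# Constructed sample data: one restored AD user and the cloud objects sharing its UPN.
SAMPLE_AD_USER = {
    "Name": "Jane Doe",
    "ObjectGUID": "01234567-89ab-cdef-0123-456789abcdef",  # made-up GUID
}
SAMPLE_CLOUD_USERS = [
    # The soft-deleted object is the one holding the anchor, which is the InvalidHardMatch case.
    {"UserPrincipalName": "jane.doe@contoso.example", "ImmutableId": "Z0UjAauJ780BI0VniavN7w==", "SoftDeleted": True},
    # A freshly created cloud-only object has no anchor yet.
    {"UserPrincipalName": "jane.doe@contoso.example", "ImmutableId": None, "SoftDeleted": False},
]


def report(ad_user: dict, cloud_users: list) -> dict:
    """Return one verdict per cloud object, keyed by (UPN, soft-deleted flag)."""
    return {
        (u["UserPrincipalName"], u["SoftDeleted"]): check_hard_match(ad_user["ObjectGUID"], u["ImmutableId"])
        for u in cloud_users
    }


if __name__ == "__main__":
    print("AD ImmutableId:", guid_to_immutable_id(SAMPLE_AD_USER["ObjectGUID"]))
    for key, verdict in report(SAMPLE_AD_USER, SAMPLE_CLOUD_USERS).items():
        print(key, "->", verdict)
```

A "match" verdict on the soft-deleted object is exactly what the InvalidHardMatch error reports: the anchor already belongs to the recycled cloud object, so the decision is to restore or purge that object rather than to hard match a new one. One caveat: Azure AD Connect versions since 1.1.524.0 default the source anchor to mS-DS-ConsistencyGuid rather than objectGUID. For objects first synced under that setting the two are equal (Connect writes the objectGUID into mS-DS-ConsistencyGuid), but if your tenant was configured differently, feed this script the attribute your sourceAnchor setting actually names.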