Solving Some Azure Active Directory User Synchronisation Issues on Office 365

We started moving over to Office 365 quite a while before we decided to ditch Notes mail and move to Outlook. It was also my plan to get rid of our internal Active Directory server and rely solely on the cloud for authentication. 

As it turned out, management wanted to keep the AD server a little longer, so we've had to synchronise our onsite accounts with the Office 365 ones. The synchronisation processes immediately created duplicates (and sometimes triplicates) of users. 

The journey to resolve this issue was time consuming and data destructive, so I thought I'd let everyone know how to fast-track it.


What Causes the Problems

Microsoft's Office 365 users have unique IDs, much like the objects in Active Directory. When you create a user from scratch on Office 365, you create them with a unique ID. While there are tools that will let you change these unique IDs, we've found that they generally do more damage than good.

Deleted people are another part of the problem. If you delete someone and then let the system recreate them, it will happily recreate them but won't set their ID properly. This is because their ID isn't unique: the old record is still in the person "recycle bin". To truly delete someone, you need to use the PowerShell command line.

Backing Up First

Before I jump into the whole process, you need to make sure that you back up things. Deleting users is fairly data-destructive.


  1. If your users have anything on OneDrive, take a local copy of it all.
  2. If your users have data in SharePoint or Yammer, back up what you can.
  3. Transfer ownership of groups in Yammer and SharePoint very carefully - don't delete all the admins at once because you may have trouble getting them back. 
  4. Backup any Outlook mail they may have to a PST file (they'll lose mail)
  5. Make a note of any licences they have. 
  6. Do whatever you need to about OneNote 

Getting into Microsoft Azure Active Directory

You have to have the Microsoft Azure Active Directory Module for Windows PowerShell installed.
Note that this is different from plain PowerShell and it's different from the Active Directory module for PowerShell. It's hard to find the right version of the right software - at the time of writing, you need version 2.

In case you're interested in other Azure AD commands, here's a handy reference.

The first command is to connect to the Azure AD:

Connect-MsolService

You'll be prompted to login (so hopefully you'll use a user who has Global Administrator access).


Next, you will want to look at the records of users:

Get-MsolUser -UserPrincipalName jsmith@mycompany.com | fl

This command will show you jsmith's record. Things to look for in the output include:

ProxyAddresses        : {SMTP:jsmith@mycompany.com}
ImmutableId           : Pjo+HQRGtXm9GsUXzYYRqQ==
DisplayName           : John Smith
SignInName            : jsmith@mycompany.com
UserPrincipalName     : jsmith@mycompany.com

We found that our Proxy Addresses didn't start with SMTP: and that our Immutable IDs often had people's names (eg: jsmith) in them, instead of the ID.

The SMTP thing can be fixed but if your immutable ID is wrong, you really need to look at destroying the profile record and recreating. We've found that all of the records we destroyed have recreated properly but that the ones where we've just changed the proxy still have some glitches. I'd personally recommend removing everything.
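The two symptoms above (a ProxyAddresses entry without the upper-case SMTP: prefix, and an ImmutableId that contains a name rather than an ID) can be checked for in a script rather than by eyeballing the Get-MsolUser output. The following is an added example, not code from the original post; it assumes the MSOnline module is loaded and Connect-MsolService has already been run, and it relies on the fact that AD sync populates ImmutableId with the base64-encoded objectGUID of the on-premises account, so a healthy value decodes to exactly 16 bytes. The sample records at the bottom are constructed so the check can be run without touching a tenant.

```powershell
# Added example: check a cloud user record for the sync problems described above.
# Assumes MSOnline is loaded and Connect-MsolService has been run for the live check.
function Test-SyncedUserRecord {
    param(
        # An object from Get-MsolUser, or a constructed stand-in with the same properties.
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        $problems = @()

        # 1. ProxyAddresses: exactly one primary address, prefixed with upper-case "SMTP:".
        $primary = @($User.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -eq 0) {
            $problems += 'No primary SMTP: address (the primary entry must start with upper-case SMTP:)'
        } elseif ($primary.Count -gt 1) {
            $problems += "More than one primary SMTP: address: $($primary -join ', ')"
        }
        $bare = @($User.ProxyAddresses | Where-Object { $_ -notmatch '^[A-Za-z0-9]+:' })
        if ($bare.Count -gt 0) {
            $problems += "Addresses without a type prefix: $($bare -join ', ')"
        }

        # 2. ImmutableId: AD sync writes the base64 form of the on-prem objectGUID,
        #    so it must be valid base64 that decodes to a 16-byte GUID.
        $id = $User.ImmutableId
        if ([string]::IsNullOrEmpty($id)) {
            $problems += 'ImmutableId is empty (cloud-only account; it will not match an on-prem object)'
        } else {
            try {
                $bytes = [Convert]::FromBase64String($id)
                if ($bytes.Length -ne 16) {
                    $problems += "ImmutableId decodes to $($bytes.Length) bytes, not a 16-byte GUID"
                }
            } catch {
                $problems += "ImmutableId '$id' is not valid base64 (looks like a name, not a GUID)"
            }
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Healthy           = ($problems.Count -eq 0)
            Problems          = $problems
        }
    }
}

# Constructed sample records (not real tenant data): one good, one with both problems.
$good = [pscustomobject]@{
    UserPrincipalName = 'jsmith@mycompany.com'
    ProxyAddresses    = @('SMTP:jsmith@mycompany.com', 'smtp:jsmith@mycompany.onmicrosoft.com')
    ImmutableId       = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
}
$bad = [pscustomobject]@{
    UserPrincipalName = 'jdoe@mycompany.com'
    ProxyAddresses    = @('jdoe@mycompany.com')
    ImmutableId       = 'jdoe'
}
$good, $bad | Test-SyncedUserRecord | Format-List

# Live check against the tenant (after Connect-MsolService):
# Get-MsolUser -UserPrincipalName jsmith@mycompany.com | Test-SyncedUserRecord
```

Running it over every synced user (Get-MsolUser -All | Test-SyncedUserRecord | Where-Object { -not $_.Healthy }) gives you the list of records worth destroying and recreating before you start, instead of discovering them one at a time.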

Deleting People from the AD

You'll find that you simply can't delete a person in the Office 365 AD, particularly if they're synched from a local server. The GUI just won't work. You need to delete via command line.

Make sure that you check which licences they have been assigned because you'll want to reallocate them back.

Remove-MsolUser -UserPrincipalName jsmith@mycompany.com

Deleting a user is not enough though. You have to knock them out of the trash, otherwise they'll reside there for 60 days and prevent recreation via the AD synch process.

Even if your user wasn't having issues with their immutableID, they could still be having problems with Synch and email because of similarly named deleted people.

Before you delete, make sure that you've backed everything up. Emptying the trash is permanent and there's no recovery. The empty-trash command is more or less the same as the delete command but with an extra switch (-RemoveFromRecycleBin):

Remove-MsolUser -UserPrincipalName jsmith@mycompany.com -RemoveFromRecycleBin
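Because the purge is irreversible, it is worth wrapping the two commands so that the licences and addresses are written down first and the record is confirmed to be in the recycle bin before it is removed from there. This is an added example, not from the original post; it assumes MSOnline is loaded, Connect-MsolService has been run as a Global Administrator, and the backup folder path is a placeholder you would change. It records licence and address details only; mail, OneDrive and SharePoint content still need the separate backups listed earlier.

```powershell
# Added example: save the user's licence/address details, soft-delete, then purge.
# Assumes an active Connect-MsolService session with Global Administrator rights.
function Remove-SyncedUserCompletely {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Placeholder location for the JSON record; pick your own.
        [string] $BackupFolder = "$env:USERPROFILE\O365UserBackups"
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # 1. Save what has to be re-applied once AD sync has recreated the account.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $backupFile = Join-Path $BackupFolder ("{0}.json" -f ($UserPrincipalName -replace '[@.]', '_'))
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        UsageLocation     = $user.UsageLocation
        Licenses          = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
        ProxyAddresses    = @($user.ProxyAddresses)
        ImmutableId       = $user.ImmutableId
        SavedAt           = (Get-Date).ToString('o')
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $backupFile -Encoding UTF8
    Write-Host "Saved licence and address details to $backupFile"

    # 2. Soft delete: the user moves to the recycle bin.
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force

    # 3. Only purge if the record really is in the recycle bin now. Purging is permanent.
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($null -eq $deleted) {
        throw "$UserPrincipalName was not found in the recycle bin after deletion; not purging."
    }
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force

    # 4. Verify it is gone from both the live directory and the recycle bin,
    #    otherwise the next AD sync will still collide with it.
    $stillLive    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    $stillDeleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        BackupFile        = $backupFile
        Purged            = ($null -eq $stillLive -and $null -eq $stillDeleted)
    }
}

# Usage (one named user at a time; deliberately no wildcard support):
# Remove-SyncedUserCompletely -UserPrincipalName jsmith@mycompany.com
```

The function takes a single UserPrincipalName on purpose: with a script that touches the recycle bin, the cost of a typo in a wildcard is the whole directory.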

Wait for AD Synchronisation

In our case, AD synchronisation is set to 30 minutes. You can check via the front page of the admin centre. You might have to click More and then Refresh to get things to display properly because Office 365 doesn't always automatically refresh person lists or time displayed on the screen.

Once the next synchronisation has run, you should see the record appearing.

Some Fixes on the Local AD Record

We also had to do a couple of fixes on our local AD record, particularly making sure that the ProxyAddresses start with SMTP.

To do this:

  1. Go to your local Active Directory server.
  2. Open Users and Groups and find your user.
  3. Edit the user record.
  4. Go to the Attribute Editor tab (if the tab isn't shown, turn on View > Advanced Features first).
  5. Find ProxyAddresses and double-click on it.
  6. If the address is something like jsmith@mycompany.com (no prefix), click on it and click Remove.
  7. Then type SMTP:jsmith@mycompany.com and click Add.
  8. If you need two, you might also want to type smtp:jsmith@mycompany.onmicrosoft.com and add that as well.
  9. Note that the first/main SMTP is capitalised and the second is lowercase (yes, seriously: the upper-case SMTP: prefix is what marks the primary address).
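When there are more than a handful of users to fix, the Attribute Editor steps above can be done with the Active Directory module instead. This is an added example and not part of the original post; it assumes RSAT or a domain controller with the ActiveDirectory module, a user whose sAMAccountName is jsmith, and the placeholder domains mycompany.com and mycompany.onmicrosoft.com. It rebuilds only the SMTP entries, leaves other address types (X500:, sip: and so on) untouched, and verifies afterwards that exactly one upper-case SMTP: entry remains.

```powershell
# Added example: scripted version of the Attribute Editor fix for ProxyAddresses.
# Assumes the ActiveDirectory module (RSAT) and rights to edit the user object.
Import-Module ActiveDirectory

function Repair-ProxyAddresses {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PrimaryAddress,   # e.g. jsmith@mycompany.com
        [string] $OnMicrosoftAddress                      # e.g. jsmith@mycompany.onmicrosoft.com
    )
    $user    = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $current = @($user.proxyAddresses)

    # Entries of other types (X500:, sip:, ...) are kept exactly as they are.
    $others = @($current | Where-Object { $_ -match '^[A-Za-z0-9]+:' -and $_ -notmatch '^smtp:' })

    # Existing SMTP entries and bare addresses (no prefix at all) are normalised
    # to lower case, minus the primary, which is re-added below in its proper form.
    $secondary = @($current |
        Where-Object { $_ -match '^smtp:' -or $_ -notmatch '^[A-Za-z0-9]+:' } |
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() } |
        Where-Object { $_ -ne $PrimaryAddress.ToLowerInvariant() })
    if ($OnMicrosoftAddress) { $secondary += $OnMicrosoftAddress.ToLowerInvariant() }

    # Exactly one upper-case SMTP: (the primary); every other SMTP address lower-case.
    $new  = @("SMTP:$PrimaryAddress")
    $new += @($secondary | Sort-Object -Unique | ForEach-Object { "smtp:$_" })
    $new += $others

    Write-Host "Before: $($current -join '; ')"
    Write-Host "After : $($new -join '; ')"
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = [string[]]$new }

    # Re-read the object and confirm there is exactly one primary address.
    $check     = @((Get-ADUser -Identity $SamAccountName -Properties proxyAddresses).proxyAddresses)
    $primaries = @($check | Where-Object { $_ -clike 'SMTP:*' })
    if ($primaries.Count -ne 1) {
        throw "Expected exactly one primary SMTP: address, found $($primaries.Count)"
    }
    $check
}

# Repair-ProxyAddresses -SamAccountName jsmith -PrimaryAddress jsmith@mycompany.com `
#     -OnMicrosoftAddress jsmith@mycompany.onmicrosoft.com
```

The Before/After lines are printed before the write so a run can be sanity-checked on one account; the same function can then be called in a loop over Get-ADUser -Filter output once the result looks right.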


Reassigning Licensing and Finishing Up

Back in the Office 365 GUI, you'll want to go back into the person's user record when they appear.

  1. Reselect their country.
  2. Re-add their licences.
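Both of those clicks have PowerShell equivalents, which matters when you have a list of users to put back. The following is an added example, not from the original post; it assumes MSOnline is loaded with an active Connect-MsolService session and a JSON file (path is a placeholder) containing at least a UsageLocation field and a Licenses array of AccountSkuId strings, such as one saved before the account was deleted. It also checks that the recreated record now carries an ImmutableId, since a licence assigned before the sync has matched the account would just be attached to another cloud-only duplicate.

```powershell
# Added example: put the usage location ("country") and licences back after AD sync
# has recreated the account. Assumes an active Connect-MsolService session.
function Restore-UserLicensing {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # JSON with UsageLocation (e.g. "AU") and Licenses (array of AccountSkuId strings).
        [Parameter(Mandatory)] [string] $BackupFile
    )
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    $user  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # The recreated record should now carry an ImmutableId from AD sync; without one
    # this is still a cloud-only account and licensing it would repeat the original mess.
    if ([string]::IsNullOrEmpty($user.ImmutableId)) {
        throw "$UserPrincipalName has no ImmutableId yet; wait for the next sync before licensing."
    }

    # Usage location must be set before a licence can be assigned.
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $saved.UsageLocation
    }

    # Re-add only the licences the user does not already have.
    $have    = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
    $missing = @($saved.Licenses | Where-Object { $_ -notin $have })
    if ($missing.Count -gt 0) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $missing
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        UsageLocation     = (Get-MsolUser -UserPrincipalName $UserPrincipalName).UsageLocation
        LicensesAdded     = $missing
    }
}

# Restore-UserLicensing -UserPrincipalName jsmith@mycompany.com `
#     -BackupFile "$env:USERPROFILE\O365UserBackups\jsmith_mycompany_com.json"
```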

You'll probably want to re-check their Outlook settings too, but you'll have to wait until the mailbox has finished being set up before you can.

Repeat the process for all other users. Note that there are options for wildcard deletions and mass trash emptying. I haven't covered them here because the command line was fast enough for me and I don't really want to be responsible for someone trashing their entire Azure AD.

A big thanks to the amazing Microsoft support team in Shanghai who figured out some of the more technical parts of this process and walked me through them. 

---------------------
http://dominogavin.blogspot.com/2017/02/solving-some-azure-active-directory.html
Feb 18, 2017
Posted by Gavin Bollard, Sat, Feb 18th 2017 10:46p