Steps:
- Move the user to an OU that is not synchronized (e.g. the Lost and Found container) in on-premises AD, then run a delta sync from an elevated PowerShell session on the AD Connect server using Start-ADSyncSyncCycle -PolicyType Delta
- The sync then moves the user to Deleted users in Office 365.
- Connect to Office 365 from PowerShell as an admin with the commands below:
- Install-Module MSOnline (if you don't have the module installed already)
- Connect-MSOLService (use O365 global admin credentials)
- Then run the command below for the user shown under Deleted users:
- Remove-MsolUser -UserPrincipalName user@domain.com -RemoveFromRecycleBin
- Once the user is permanently deleted from Office 365, open the on-premises AD user account that sits in the non-sync OU (from step 1 above): right click > Properties > Attribute Editor > distinguishedName
- Copy and paste the distinguished name into the command below:
- ldifde -f c:\Output\userdump.txt -d "DN of user (from step 5 above)" run at a command prompt on the DC
- (create the Output folder on the C: drive before running the command)
- Collect the objectGUID of the user from the output (ldifde exports it base64-encoded on the objectGUID:: line; that base64 string is the value used below).
- Then connect again with Connect-MSOLService in PowerShell as an admin
- Run the command below with the objectGUID value in the ImmutableId parameter:
- Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId g8Pclm4vok+vFWtMERklmg==
- This sets the Office 365 user's ImmutableId to the AD user's objectGUID (in its base64-encoded form).
- Then run the sync again from PowerShell on the AD Connect server using Start-ADSyncSyncCycle -PolicyType Delta and check the user in the Office 365 portal.
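The value passed to -ImmutableId must be the base64 encoding of the objectGUID's 16 bytes, not the GUID string, and a cloud user that already carries a different ImmutableId is bound to some other on-premises object. The script below is an added example, not part of the original steps: it derives the expected ImmutableId from on-premises AD and compares it with what Office 365 currently holds before anything is changed. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and uses the placeholders jdoe and user@domain.com.

```powershell
# Added example: verify the ImmutableId before hard-matching a user.
# Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
param(
    [string]$SamAccountName    = 'jdoe',             # placeholder on-prem account
    [string]$UserPrincipalName = 'user@domain.com'   # placeholder cloud UPN
)

# ToByteArray() yields the same 16 bytes that ldifde shows base64-encoded
# after "objectGUID::", so this equals the value you would paste from the dump.
$adUser              = Get-ADUser -Identity $SamAccountName
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# Common mistake: pasting the 36-character GUID string instead of the base64 bytes.
Write-Host "objectGUID (string form): $($adUser.ObjectGUID)"
Write-Host "ImmutableId to set      : $expectedImmutableId"

$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

if ($cloudUser.ImmutableId -eq $expectedImmutableId) {
    Write-Host "ImmutableId already matches the on-prem objectGUID; nothing to change."
}
elseif (-not $cloudUser.ImmutableId) {
    # Cloud-only object: safe to hard-match with the derived value.
    Write-Host "Cloud user has no ImmutableId. Set it with:"
    Write-Host "  Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId '$expectedImmutableId'"
}
else {
    # A different ImmutableId means the cloud object is matched to another AD object.
    # Overwriting it re-points the cloud account, so stop and investigate first.
    $cloudGuid = [guid]::new([Convert]::FromBase64String($cloudUser.ImmutableId))
    Write-Warning "Cloud ImmutableId '$($cloudUser.ImmutableId)' differs from on-prem value."
    Write-Warning "It decodes to objectGUID $cloudGuid; confirm which AD object that is before changing it."
}
```

Run it once before Set-MsolUser and once after the final delta sync; the second run should report that the values match.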