I had a client who swapped usernames with another user.  The problems started showing up in Outlook where settings from the previous account-holder were showing up, described by both users as ‘weirdness’.

The problem was that the source anchor for the account was a direct link between the AD object and the UPN in Office 365.  In AD the usernames were swapped, and TargetAddress, ProxyAddresses, etc., were all updated, but when the synchronization to Office 365 happened the original tenant address (from a Hybrid Exchange Migration no doubt) was username@tenant.onmicrosoft.com, and it REFUSED to update.  It showed as an alias in the online account, but was set as primary, and could not be removed.

Here’s the process to fix this:

  1. Remove the user(s) from the Synchronization and force a Delta sync
    Start-ADSyncSyncCycle -PolicyType delta
  2. Recover the user from Deleted Users in Office 365 – this converts the account to Cloud status (no longer linked to AD)
  3. Confirm the user is now showing up in Active Users as a Cloud user
  4. Obtain the objectGuid and userPrincipalName from AD using this command (in an elevated command window):
    ldifde -f C:\Export\export.txt -r "(Userprincipalname=*)" -l "objectGuid,userPrincipalName"
  5. Locate the user account using the userPrincipalName and copy/paste the objectGuid and userPrincipalName to a new Notepad window
  6. In an Elevated PowerShell window, log into the tenant
    Connect-MsolService 
  7. Now replace the ImmutableId of the converted Cloud user to match the one you pulled from AD:
    Set-MsolUser -UserPrincipalName <userPrincipalName pulled from AD> -ImmutableId <objectGuid pulled from AD>
  8. Once the ImmutableID is updated you should update the Cloud user
    1. In the Office 365 Admin go to Users -> Active Users -> User Name
    2. In the User account fly-out – click on Manage email aliases
    3. Remove the alias that was originally stuck and could not be removed
  9. Back in AD add the user back to the synchronization and perform an Initial Sync
    Start-ADSyncSyncCycle -PolicyType Initial
  10. Wait for the synchronization to occur and refresh your Office 365 Active Users screen until the user account shows as being synchronized with AD
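
A way to check steps 4 to 7 before and after the change, as an added example that is not part of the original post: ldifde exports the binary objectGuid Base64-encoded, which is the form ImmutableId holds, so the two values can be compared directly. It assumes objectGUID is the source anchor in use and that the ActiveDirectory and MSOnline modules are loaded; the function names and the sample GUID are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes objectGUID is the
# source anchor. Function names below are hypothetical helpers.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is the Base64 encoding of the GUID's 16 raw bytes.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId does not decode to a 16-byte GUID"
    }
    # The leading comma passes the byte array as a single constructor argument.
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-SourceAnchor {
    # Needs the ActiveDirectory and MSOnline modules and a prior Connect-MsolService.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        # Base64 is case-sensitive, so compare with -ceq rather than -eq.
        Match               = ($cloud.ImmutableId -ceq $expected)
    }
}

# Offline round trip with a constructed GUID (not a real account).
$sampleGuid = [guid]'3f2504e0-4f89-41d3-9a0c-0305e82c3301'
$id   = ConvertTo-ImmutableId -ObjectGuid $sampleGuid
$back = ConvertFrom-ImmutableId -ImmutableId $id
if ($back -ne $sampleGuid) { throw 'Round trip failed' }
"{0} -> {1}" -f $sampleGuid, $id

# Live check after Connect-MsolService (UPN is a placeholder):
# Test-SourceAnchor -UserPrincipalName 'user@example.com'
```

If `Match` is false after step 7, the cloud account is still anchored to a different AD object and the sync in step 9 will not join the two.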

The user will now be updated to reflect the values of Active Directory and accept future edits in Active Directory.

Outlook’s AutoDiscover should also pick up the changes and the ‘weirdness’ reported should disappear.

NOTE: One thing I did find was the initial and following delta synchronizations did not actually update the user from Cloud to AD Synchronized status.  However, making a minor modification to the account, such as adding an alias to proxyAddresses, did trigger the status change.  Once changed, I just removed the extra alias and synchronized again.

NOTE: I also discovered that it can take a little while for minor changes to show up in the Office 365 console.  It took over 5 minutes of refreshing the screen to get the offending source anchor alias I wanted to remove to even show up after the account was converted from AD to Cloud status.  Just be patient.  It will get there.  Eventually.