office365 notes (2015 edition)

i think i’ve previously noted this, but i will do so again. office365 does not really allow you to alter a federated user and in some scenarios this can be frustrating.

to retrieve the immutableid of an office365 user: get-msoluser -userprincipalname [upn] | fl

to blank out the immutable id of a user:
set-msoluser -userprincipalname [upn] -immutableid "$null"
note: user will have to be a cloud user for this to succeed
i imagine this command could be run in bulk like so:
get-msoluser -all | set-msoluser -immutableid "$null"
^this works but the below is more targeted:
get-msoluser -domainname mydomain.edu -all | set-msoluser -immutableid "$null"

disabling directory synchronization in office365 converts all users to cloud users but does not appear to clear immutableids. the solution for clearing a single user’s immutableid and resolving their sync errors is to rename their office365 UPN to the onmicrosoft.com name and use the set-msoluser command above then change the UPN back to the federated name and run an aadsync delta.
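the single-user fix above as one script, an added example rather than anything from the original post. it assumes the MSOnline module is loaded and connect-msolservice has already been run, that the tenant's onmicrosoft.com domain is the one get-msoldomain flags as IsInitial, and that it runs on the aadsync server so the delta step can call the sync client from the path noted further down.

```powershell
# added example, not from the original post: rename a federated user to the
# onmicrosoft.com name, blank the immutableid, rename back, then run a delta sync.
function Reset-FederatedUserImmutableId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        # assumed install path of the aadsync command-line client
        [string]$SyncCmd = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if (-not $user.ImmutableId) {
        Write-Verbose "$UserPrincipalName already has a blank immutableid; nothing to do"
        return
    }

    # the tenant's *.onmicrosoft.com domain is the one flagged IsInitial
    $initialDomain = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
    $prefix  = $UserPrincipalName.Split('@')[0]
    $tempUpn = "$prefix@$initialDomain"

    # -WhatIf / -Confirm support so the rename can be dry-run first
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, "clear immutableid via $tempUpn")) { return }

    # step 1: move the user onto the onmicrosoft.com name so it becomes a cloud user
    Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $tempUpn -ErrorAction Stop
    try {
        # step 2: blank the immutableid ("$null" expands to an empty string, which is what clears it)
        Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId "$null" -ErrorAction Stop
    }
    finally {
        # step 3: always put the federated name back, even if step 2 failed
        Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $UserPrincipalName -ErrorAction Stop
    }

    # step 4: let aadsync re-match the user against AD on the next delta
    if (Test-Path $SyncCmd) { & $SyncCmd delta }
    else { Write-Warning "sync client not found at $SyncCmd; run a delta sync manually" }
}

# dry run first, then for real:
# Reset-FederatedUserImmutableId -UserPrincipalName jdoe@mydomain.edu -Verbose -WhatIf
# Reset-FederatedUserImmutableId -UserPrincipalName jdoe@mydomain.edu -Verbose
```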

info on domain migration:
http://365lab.net/2014/01/26/office-365-migrating-dirsync-to-new-ad-domain/
http://blog.kloud.com.au/2014/05/12/moving-dirsync-between-active-directory-forests/

disabling password expiration for office365 service accounts:
set-msoluser -userprincipalname [user@domain.onmicrosoft.com] -passwordneverexpires $true

AADsync:
microsoft has tried to make the installation of aadsync (microsoftazureadconnectiontool install) incredibly simple. which is great in a lot of ways and bad in just a few. the bad is that the default wizard does not really give you any customized install options. it takes a one size fits all approach. this means that the wizard will automatically install sql express and set up a database. microsoft only guarantees that sql express will support syncing up to 100,000 accounts. sql server should be used when surpassing this amount.

to install aadsync and use full sql server the installation must be run from the CLI. first run microsoftazureadconnectiontool.exe and immediately close it after it finishes extracting files. if you agree to a EULA or anything else then you've gone too far and the install wizard has started (which means sql express was installed). this part was kind of tricky because it wasn't that clear in the documentation.
to start to install from the CLI:
c:\program files\microsoft azure ad connection tool\
directorysynctool.exe /sqlserver [sqlserver FQDN] /serviceaccountdomain [DOMAIN] /serviceaccountname [AD account] /serviceaccountpassword [AD password]
note: the domain is in the netbios format

manually running a sync
c:\program files\microsoft azure ad sync\bin\directorysyncclientcmd.exe delta

the automated sync that takes place every 3 hours is visible in the windows task scheduler as “Azure AD Sync Scheduler”. in my case this task was disabled by default. the first sync should be the “initial” type.

restore office365 users in bulk: get-msoluser -returndeletedusers -all | restore-msoluser
trying to restore users in bulk via the office365 web console is ridiculously inefficient.

deleted office365 users hang around for 30 days which is usually a pretty good thing. when you’re trying to fix a really messed up sync user though it can get in the way. the quickest solution is always to delete the office365 user and let a new one be provisioned/synced to AD (assuming this is an acceptable approach for the particular user). before provisioning a new office365 user, i find it best to permanently delete the old user and sometimes you don’t want to wait the 30 days. assuming the user has already been deleted, the following command will speed up the cleanup process: get-msoluser -returndeletedusers -userprincipalname [UPN] | remove-msoluser -removefromrecyclebin -force
sources:
http://jaapwesselius.com/2014/12/10/purge-deleted-users-in-office-365/
http://365command.com/justins-tech-tip-of-the-week-purging-and-removing-deleted-users-and-mailboxes-from-office-365/

in aadsync if a connector is being retired it's important to delete the connector and its connector space. otherwise lots of sync errors will occur and possibly deletes in office365. the downside to this is if there are a lot of metaverse objects related to the connector (let's say 100K) then the deletion process will take a very long time, 10+ hours. the connector space (not the connector itself) should be cleared out for the office365 connector as well and then a complete import should take place with office365 and local AD connectors. then run a full sync cycle (initial).

info on aadsync:
http://www.msexchange.org/blogs/walther/news/aadsync-forcingmanual-syncs.html
https://blogs.perficient.com/microsoft/2015/03/office-365-azure-ad-sync-did-you-know/
http://blogs.technet.com/b/educloud/archive/2015/02/10/how-to-install-aad-sync-on-a-full-sql-server.aspx
http://blog.kloud.com.au/2014/10/21/azure-active-directory-synchronization-services-how-to-install-backup-restore-with-full-sql/
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx?f=255&MSPPError=-2147217396

This entry was written by resinblade, posted on Saturday July 18 2015 at 09:07 pm, filed under IT.