User Not Syncing to Office 365
Scenario:
User Not Syncing to Office 365.
Are you using AD Connect to synchronize your users in Azure AD? Every time there is a change on a user, AD Connect will synchronize the changes based on the cycle that you have configured. Some times there are errors that you receive and need to fix them in order for the users to be synchronized correctly. In this post we will look only into a specific synchronization issue. When you have multiple domains, sometimes their is a need to change the domain of user from company1.com to company2.com. When there is such a change, some times you may receive the below error:
Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.
The message can be misleading. It tells you to update the value in your local directory, but actually the specific value has by changed on purpose. The aim is to replicate the change in Azure Active Directory. So lets see what we can do to fix the issue using a small PowerShell script.
Let see in more details
Our script has one parameter only, that is mandatory. The parameter is the user that is affected and the value that can accept is the Logon Name of the user without the domain. The main idea is to get the new information from OnPrem Active Directory. After we will check that the information in Azure Active Directory is different and then fix the issue. The first thing that we will do is to import Active Directory module so our commands will be available. Then we need to define our temporary domain that will be used later to fix our issue.
OnPrem Active Directory Information
We need to collect the new information from OnPrem Active Directory so we will be able to perform the changes. We will find the user and we will keep only DisplayName and UserPrincipalName and save them in two separate variables. After we have the OnPrem information, we will need also the Azure Active Directory information so we will be able to perform a comparison and update the UserPrincipalName.
Connect Azure Active Directory
There are two modules that you can use to connect to Azure Active Directory. One is the MSOnline, which is considered version 1 by Microsoft. The second module, which is considered version 2, is called AzureAD. In this script we are using MSOnline, so you need to make sure that is already installed in you system before you run the script. So the first thing that we will do, in order to be able to get the information from Azure, is to connect to it. We save our cloud admin credentials, using the below that will be appeared on your screen. Those credentials will be used to connect to AzureAD. After we are connected, we will try to find the UserPrincipalName in Azure Active Directory and save it in another variable. As you are able to see below, we keep some string variables so we will be able to use them at a later point.
Perform the checks
Now that we have all variables ready we need to perform a check. We need to check if the old UserPrincipalName and the new one are different. As sometimes you maybe confused on the error, we do not want to perform the change on a user that UserPrincipalName is correct and the issue is something else. So if the two UserPrincipalNames are the same, the script will show a red error informing you that and then will exit the script.
If the two UserPrincipalNames are different the script will proceed to perform the change. Before the change another message will appear and provide you the old and new UserPrincipalNames to ensure and accept with the change. To accept the change, you need to answer “y” or “n”. It accepts only those two so you enter anything else it will keep asking you to enter “y” or “n” by showing the below message.
Perform the change
If the administrator will answer “n” the script will exit. If the administrator is “y” then the script will set the UserPrincipalName of the user in Azure Active Directory to a temporary one. The temporary one is the one that you have set before, at the beginning of the script. After the UserPrincipalName will be changed succefully to the temporary one, a number will be appreared on the screen. This means that the changed was succesful. The the script will perform another change from the temporary UserPrincipalName to the new one. The new one is the same with OnPrem Active Directory. When the change has been completed, a green message will appear on the screen informing the administrator and the script will exit.
You can download the script here or copy it from below.
Hope you like it. If you have any questions or anything else please let me know in the comments below.
Related Links:
- Import-Module – Microsoft Docs
- Get-ADUser – Microsoft Docs
- Connect-MsolService (MSOnline) | Microsoft Docs
- Get-MsolUser (MSOnline) | Microsoft Docs
- Write-Host – Microsoft Docs
- Read-Host – Microsoft Docs
- Set-MsolUserPrincipalName (MSOnline) | Microsoft Docs
Solution / Script:
<#
.SYNOPSIS
Name: Set-CorrectUPN.ps1
The purpose of this script is to fix the synchronization error,
coming from Azure AD for incorrect UserPrincipalName
.DESCRIPTION
This is a simple script to fix the error received from Azure AD that a user
is not able to be synchronized due to incorrect UserPrincipalName after ther domain
of the user has been changed in OnPrem Active Directory.
.RELATED LINKS
Home
.PARAMETER User
This is the only parameter that is needed to provide the name of the user that you
want to fix the synchronization error. The parameter is mandatory.
.NOTES
Version: 1.1
Update 07-03-2018 - Updated method of get the information from Azure AD
with faster one.
Release Date: 06-03-2018
Author: Stephanos Constantinou
.EXAMPLE
Run the Set-CorrectUPN script to perform the change
Set-CorrectUPN -User User1
#>
Param(
[Parameter(Mandatory=$true)][string]$User
)
Import-Module ActiveDirectory
$TempDomain = "@company.onmicrosoft.com"
$UserInfo = Get-ADUser $User -Properties DisplayName,UserPrincipalName
$DisplayName = $UserInfo.DisplayName
$NewUPN = $UserInfo.UserPrincipalName
$LiveCred = $host.ui.PromptForCredential("Need Credentials", "Provide Cloud Admin Username and Password.","","")
Connect-MsolService -Credential $LiveCred
$OldUPN = (Get-MsolUser -SearchString "$User").UserPrincipalName
$TempUPN = $User + $TempDomain
$Info = @"
Do you want to change UserPrincipalName for $DisplayName ?
Old UPN: $OldUPN
New UPN: $NewUPN
"@
$UPNCheck = @"
WARNING: Old UPN and New UPN are the same.
There is no need to run the script.
Exiting script...
"@
$WrongAnswer = @"
You have entered a wrong answer.
Please enter y [YES] or n [NO]
"@
$Confirmation = @"
UserPrincipalName of $DisplayName has been changed from $OldUPN to $NewUPN
"@
If ($OldUPN -eq $NewUPN){
Write-Host $UPNCheck -ForegroundColor Red
Break}
else{
Write-Host $Info
do{
$Answer = Read-Host "Do you want to continue with the change: "
If (($Answer -eq "n") -or ($Answer -eq "y")){
$userinput = "correct"}
else{
$userinput = "wrong"
Write-Host $WrongAnswer}
} while ($userinput -eq "wrong")
if ($Answer -eq "y"){
Set-MsolUserPrincipalName -UserPrincipalName $OldUPN -NewUserPrincipalName $TempUPN
Set-MsolUserPrincipalName -UserPrincipalName $TempUPN -NewUserPrincipalName $NewUPN
Write-Host -ForegroundColor Green}}
Leave a Reply