I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn’t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I’d write it up as a blog post.
This solution allows an Office 365 account to automatically transition from “Synchronized” to “Cloud managed”. It was designed for a university where:
- Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and
- Alumni accounts should remain active in Office 365 but disabled on-prem – therefore we want to stop syncing them with AADConnect following graduation.
Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered – this just focuses on the change in management source.
It should also be noted that this solution has been in production for over a year.
Desired Outcome – Student
Student accounts are managed on-prem and synchronised to Office 365 by AADConnect. A different PowerShell-based process (not pictured) detects the account and assigns the standard license type.
Desired Outcome – Alumni
Alumni on-prem accounts are disabled, however the Office 365 account is a lifelong account and remains enabled, with the last synchronized password, and the Alumni license package.
Following the student’s graduation the on-prem account is disabled and moved into a different OU (by the FIM Sync Service). This OU is outside AADConnect’s scope, so it interprets this as a Delete, triggering a deletion of the Office 365 account.
As the Office 365 account is only soft deleted up to a grace period, we can promptly un-delete it, at the same time flagging it as “Alumni”. When the account is restored it comes back as “Cloud managed” and not synchronized.
Here are the PowerShell commands used in restoring the account and changing the license type:
Get-MsolUser -ReturnDeletedUsers -All
Restore-MsolUser -UserPrincipalName $user.UserPrincipalName -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName
Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department "Alumni"
The solution also works fine for re-enrolment. If a student returns, their AD account is re-activated and moved back to the Student OU. This brings it back into the scope of AADConnect and flags it as a synchronized account. AADConnect uses the ImmutableID on the Office 365 account, matching it to the objectGUID of the re-enabled AD account to make the join.
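
The restore step and the ImmutableID-to-objectGUID match described above can be combined so that only soft-deleted accounts whose on-prem counterpart is a disabled account in the alumni OU are brought back, rather than every deleted user. This is an added example, not the script used in the production solution. It assumes the MSOnline and ActiveDirectory modules are loaded, `Connect-MsolService` has been run, objectGUID is the source anchor, and `OU=Alumni,DC=example,DC=edu` is a placeholder DN; `ConvertTo-ObjectGuid` and `-Apply` are names made up for the example.

```powershell
# Added example, not the author's production script.
param(
    [string]$AlumniOu = 'OU=Alumni,DC=example,DC=edu',  # placeholder DN (assumption)
    [switch]$Apply                                       # without it, report only
)

function ConvertTo-ObjectGuid {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # With objectGUID as source anchor, ImmutableID is the base64 of the GUID bytes.
    [Guid]([Convert]::FromBase64String($ImmutableId))
}

foreach ($user in (Get-MsolUser -ReturnDeletedUsers -All)) {
    # Accounts that were never synchronised have no ImmutableID: leave them deleted.
    if (-not $user.ImmutableId) { continue }

    try {
        $guid = ConvertTo-ObjectGuid -ImmutableId $user.ImmutableId
        $ad   = Get-ADUser -Identity $guid -ErrorAction Stop
    } catch {
        # Malformed anchor or no on-prem object: not an alumni transition.
        Write-Warning "Skipping $($user.UserPrincipalName): no matching AD account"
        continue
    }

    # Restore only when the on-prem account is disabled AND sits under the alumni OU.
    $inAlumniOu = $ad.DistinguishedName.EndsWith(",$AlumniOu",
                      [StringComparison]::OrdinalIgnoreCase)
    if ($ad.Enabled -or -not $inAlumniOu) { continue }

    if ($Apply) {
        Restore-MsolUser -UserPrincipalName $user.UserPrincipalName `
            -AutoReconcileProxyConflicts `
            -NewUserPrincipalName $user.UserPrincipalName
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department 'Alumni'
    }

    # Emit one record per candidate so each run leaves an audit trail.
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectGuid        = $guid
        Action            = if ($Apply) { 'Restored' } else { 'WouldRestore' }
    }
}
```

Running it without `-Apply` first lists the accounts that would be restored, so the scope can be reviewed before any change is made in the tenant.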