Breaking the AADConnect link – an Alumni example

I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn’t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I’d write it up as a blog post.

This solution allows an Office 365 account to automatically transition from “Synchronized” to “Cloud managed”. It was designed for a university where:

  • Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and
  • Alumni accounts should remain active in Office 365 but disabled on-prem – therefore we want to stop syncing them with AADConnect following graduation.

Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered – this just focuses on the change in management source.

It should also be noted that this solution has been in production for over a year.

Desired Outcome – Student

Student accounts are managed on-prem and synchronised to Office 365 by AADConnect. A different PowerShell-based process (not pictured) detects the account and assigns the standard license type.

alumni_student-state

Desired Outcome – Alumni

Alumni on-prem accounts are disabled; the Office 365 account, however, is a lifelong account and remains enabled, with the last synchronized password hash and the Alumni license package. Because the account is now cloud managed, nothing from on-prem (a later password change or disable) flows to it any more, so alumni password resets, MFA and eventual deprovisioning have to be handled in Office 365 itself.

alumni_alumni-state

Transition Process

Following the student's graduation the on-prem account is disabled and moved into a different OU (by the FIM Sync Service). This OU is outside AADConnect's scope, so on the next sync cycle AADConnect interprets the out-of-scope object as a Delete and deletes the Office 365 account.

alumni_graduation1

Because the Office 365 account is only soft deleted (it sits in the Azure AD recycle bin for a 30-day grace period), we can promptly un-delete it, flagging it as "Alumni" at the same time. When the account is restored it comes back as "Cloud managed" rather than synchronized: the ImmutableID is kept on the object, but it is no longer tied to the on-prem account. Note that the user cannot sign in between the export of the delete and the restore, so the two steps should run close together.

alumni_graduation2

Here are the PowerShell (MSOnline module) commands used to restore the account and flag it as Alumni; the license change itself is done by the separate licensing process:

$deleted = Get-MsolUser -ReturnDeletedUsers -All
foreach ($user in $deleted) {
    # Restore under the same UPN; -AutoReconcileProxyConflicts drops any proxy
    # addresses that now conflict with another object in the tenant
    Restore-MsolUser -UserPrincipalName $user.UserPrincipalName -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName
    # Flag the restored, now cloud-managed, account as Alumni
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department "Alumni"
}
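As an added example (not code from the original post), here is a fuller version of the restore step that only restores soft-deleted accounts whose on-prem object now sits in the Alumni OU, so that users deleted for other reasons (staff leavers, mistakes) are not brought back, and then shows the restored objects for review. It assumes the MSOnline and ActiveDirectory modules, an existing Connect-MsolService session, AADConnect's default source anchor (the objectGUID, stored base64-encoded as the cloud ImmutableId), and a hypothetical OU path OU=Alumni,DC=contoso,DC=edu.

```powershell
# Added example, not from the original post. Assumes the MSOnline and ActiveDirectory
# modules, an existing Connect-MsolService session, and the default AADConnect source
# anchor (objectGUID, stored base64-encoded as the cloud ImmutableId).
$AlumniOU = 'OU=Alumni,DC=contoso,DC=edu'   # hypothetical OU path

# Index every on-prem account in the Alumni OU by the anchor AADConnect wrote to the cloud.
$alumniAnchors = @{}
foreach ($adUser in (Get-ADUser -SearchBase $AlumniOU -Filter * -Properties ObjectGUID)) {
    $anchor = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $alumniAnchors[$anchor] = $adUser.SamAccountName
}

$restored = @()
foreach ($user in (Get-MsolUser -ReturnDeletedUsers -All)) {
    # Graduates only: skip soft-deleted users with no matching on-prem account in the Alumni OU
    if (-not $user.ImmutableId -or -not $alumniAnchors.ContainsKey($user.ImmutableId)) {
        Write-Verbose "Skipping $($user.UserPrincipalName): not an alumni account"
        continue
    }
    Restore-MsolUser -UserPrincipalName $user.UserPrincipalName `
        -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department 'Alumni'
    $restored += $user.UserPrincipalName
}

# Review the result: each account should be back, still enabled (BlockCredential False),
# and still carry its ImmutableId so a re-enrolled student's AD account can re-join it.
foreach ($upn in $restored) {
    Get-MsolUser -UserPrincipalName $upn |
        Select-Object UserPrincipalName, Department, ImmutableId, LastDirSyncTime, BlockCredential
}
```

Run with -Verbose (or set $VerbosePreference) to see which deleted users were skipped; the point of the filter is that Get-MsolUser -ReturnDeletedUsers returns every soft-deleted user in the tenant, not just the graduating cohort.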

Re-enrolment

The solution also works fine for re-enrolment. If a student returns, their AD account is re-activated and moved back to the Student OU. This brings it back into the scope of AADConnect, which flags it as a synchronized account again: AADConnect matches the objectGUID of the re-enabled AD account to the ImmutableID still held on the Office 365 account and joins the two.
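Added example (not from the original post): a pre-flight check for re-enrolment that compares the anchor AADConnect will derive from the returning student's AD account with the ImmutableId held on the cloud account, so a mismatch (for instance an AD account that was deleted and recreated with a new objectGUID) is caught before the account is moved back into sync scope. It assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session and objectGUID as the source anchor; the account names in the usage line are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and MSOnline
# modules, an existing Connect-MsolService session, and objectGUID as the AADConnect
# source anchor (base64-encoded into the cloud ImmutableId).
function Test-ReenrolmentAnchor {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,    # returning student's AD account
        [Parameter(Mandatory)] [string] $UserPrincipalName  # their lifelong Office 365 account
    )
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName

    [PSCustomObject]@{
        SamAccountName    = $SamAccountName
        UserPrincipalName = $UserPrincipalName
        ExpectedAnchor    = $expected
        CloudImmutableId  = $cloud.ImmutableId
        # $true  : moving the AD account back into scope will join the existing cloud account.
        # $false : the cloud ImmutableId points at a different (old) AD object, so AADConnect
        #          will not join on the anchor; correct it before re-enabling the account.
        WillJoin          = ($cloud.ImmutableId -eq $expected)
    }
}

# Usage (placeholder names):
Test-ReenrolmentAnchor -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@contoso.edu'
```

When WillJoin is false, the usual fix for a cloud-managed account is to set its ImmutableId to the ExpectedAnchor value (Set-MsolUser -ImmutableId) before the AD account is moved back into scope, so that the next sync joins the two objects instead of failing or creating a duplicate.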

alumni_reenrol

2 Replies to “Breaking the AADConnect link – an Alumni example”

  1. Please can you advise how we’d go about re-enrolment when the AD user has been deleted and a new account with the same username but different ObjectID has been created?
    This is a great guide thank you.
    Adam

  2. What a wonderfully simple method of achieving something that appears to be so incredibly difficult! Thank you!!!!
