{"id":2936,"date":"2016-10-31T00:16:19","date_gmt":"2016-10-31T00:16:19","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=2936"},"modified":"2023-01-08T23:46:16","modified_gmt":"2023-01-08T23:46:16","slug":"breaking-the-aadconnect-link-an-alumni-example","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example","title":{"rendered":"Breaking the AADConnect link &#8211; an Alumni example"},"content":{"rendered":"<p>I presented this at the <a href=\"https:\/\/www.themimteam.com\/fim-team-user-group\/\">MIM Team User Group<\/a> meeting last week, but was having some computer issues and apparently people couldn&#8217;t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I&#8217;d write it up as a blog post.<\/p>\n<p>This solution allows an Office 365 account to automatically transition from &#8220;Synchronized&#8221; to &#8220;Cloud managed&#8221;. It was designed for a university where:<\/p>\n<ul>\n<li>Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and<\/li>\n<li>Alumni accounts should remain active in Office 365 but disabled on-prem &#8211; therefore we want to stop syncing them with AADConnect following graduation.<\/li>\n<\/ul>\n<p>Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered &#8211; this just focuses on the change in management source.<\/p>\n<p>It should also be noted that this solution has been in production for over a year.<\/p>\n<p><!--more--><\/p>\n<h3>Desired Outcome &#8211; Student<\/h3>\n<p>Student accounts are managed on-prem and synchronised to Office 365 by AADConnect. 
A different PowerShell-based process (not pictured) detects the account and assigns the standard license type.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example\/alumni_student-state\" rel=\"attachment wp-att-2941\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2941\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Student-State.jpg\" alt=\"alumni_student-state\" width=\"716\" height=\"167\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Student-State.jpg 1448w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Student-State-300x70.jpg 300w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Student-State-768x179.jpg 768w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Student-State-1024x239.jpg 1024w\" sizes=\"auto, (max-width: 716px) 100vw, 716px\" \/><\/a><\/p>\n<h3>Desired Outcome &#8211; Alumni<\/h3>\n<p>Alumni on-prem accounts are disabled, however the Office 365 account is a lifelong account and remains enabled, with the last synchronized password, and the Alumni license package.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example\/alumni_alumni-state\" rel=\"attachment wp-att-2937\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2937\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Alumni-State.jpg\" alt=\"alumni_alumni-state\" width=\"702\" height=\"180\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Alumni-State.jpg 1453w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Alumni-State-300x77.jpg 300w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Alumni-State-768x197.jpg 768w, 
https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Alumni-State-1024x263.jpg 1024w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/a><\/p>\n<h3>Transition Process<\/h3>\n<p>Following the student&#8217;s graduation the on-prem account is disabled and moved into a different OU (by the FIM Sync Service). This OU is outside AADConnect&#8217;s scope, so it interprets this as a Delete, triggering a deletion of the Office 365 account.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example\/alumni_graduation1\" rel=\"attachment wp-att-2938\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2938\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation1.jpg\" alt=\"alumni_graduation1\" width=\"775\" height=\"172\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation1.jpg 1425w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation1-300x66.jpg 300w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation1-768x170.jpg 768w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation1-1024x226.jpg 1024w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\" \/><\/a><\/p>\n<p>As the Office 365 account is only soft deleted, and remains recoverable for a grace period, we can promptly un-delete it, at the same time flagging it as &#8220;Alumni&#8221;. 
When the account is restored it comes back as &#8220;Cloud managed&#8221; and not synchronized.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example\/alumni_graduation2\" rel=\"attachment wp-att-2939\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2939\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation2.jpg\" alt=\"alumni_graduation2\" width=\"785\" height=\"191\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation2.jpg 1445w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation2-300x73.jpg 300w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation2-768x188.jpg 768w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Graduation2-1024x250.jpg 1024w\" sizes=\"auto, (max-width: 785px) 100vw, 785px\" \/><\/a><\/p>\n<p>Here are the PowerShell commands used in restoring the account and changing the license type:<\/p>\n<p style=\"padding-left: 30px;\"># Enumerate the soft-deleted accounts that are still inside the grace period. Note that this returns every soft-deleted user in the tenant, not only graduates, so scope the list before restoring in bulk.<\/p>\n<p style=\"padding-left: 30px;\">$deletedUsers = Get-MsolUser -ReturnDeletedUsers -All<\/p>\n<p style=\"padding-left: 30px;\">foreach ($user in $deletedUsers) {<\/p>\n<p style=\"padding-left: 60px;\"># Restore the account under its existing UPN; the restored object comes back as &quot;Cloud managed&quot;<\/p>\n<p style=\"padding-left: 60px;\">Restore-MsolUser -UserPrincipalName $user.UserPrincipalName -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName<\/p>\n<p style=\"padding-left: 60px;\"># Flag it as Alumni so the (separate) licensing process picks it up<\/p>\n<p style=\"padding-left: 60px;\">Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department &quot;Alumni&quot;<\/p>\n<p style=\"padding-left: 30px;\">}<\/p>\n<h3>Re-enrolment<\/h3>\n<p>The solution also works fine for re-enrolment. If a student returns, their AD account is re-activated and moved back to the Student OU. This brings it back into the scope of AADConnect and flags it as a synchronized account. 
AADConnect uses the ImmutableID on the Office 365 account, matching it to the objectGUID of the re-enabled AD account to make the join.<\/p>\n<p><a href=\"https:\/\/www.wapshere.com\/missmiis\/breaking-the-aadconnect-link-an-alumni-example\/alumni_reenrol\" rel=\"attachment wp-att-2940\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-2940\" src=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Reenrol.jpg\" alt=\"alumni_reenrol\" width=\"731\" height=\"172\" srcset=\"https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Reenrol.jpg 1392w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Reenrol-300x71.jpg 300w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Reenrol-768x181.jpg 768w, https:\/\/www.wapshere.com\/missmiis\/wp-content\/uploads\/2016\/10\/Alumni_Reenrol-1024x241.jpg 1024w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn&#8217;t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I&#8217;d write it up as a blog post. 
This solution allows an Office 365&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[44,58,23],"tags":[],"class_list":["post-2936","post","type-post","status-publish","format-standard","hentry","category-cloud","category-fim-sync-service","category-powershell"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-Lm","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=2936"}],"version-history":[{"count":7,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2936\/revisions"}],"predecessor-version":[{"id":3314,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2936\/revisions\/3314"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=2936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=2936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=2936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}