Some Notes on the Machines

Well, it’s all new again, and this time the old methods are reported as being deprecated at the end of June. Here’s a starting synopsis:

To connect:

Connect-MgGraph -Scope User.Read.All 

(or User.ReadWrite.All)

To get user info:

Get-MgUser -UserID username@domain.com

To change immutable ID to “a”:

Update-MgUser -UserID username@domain.com -OnPremisesImmutableId "a"

One cannot change ImmutableID to $null, but it can be changed, so an AD/AZ ‘hard match’ is probably still possible. Have not verified yet.

A customer had several of these errors being reported in Azure AD Connect. They were all users which had been converted to cloud-only. Several solutions are on Microsoft and related sites, none worked except this on the domain controller which has AAC:

1. Open administrative Powershell
2. To stop synchronization: set-adsyncscheduler -synccycleenabled $false
3. In the AAC Synchronization Service Manager, click Connectors
4. Right-click on the AD connector, click delete, choose “Deleted connector space only”, click OK
5. Do the same for the Azure connector
6. To restart synchronization: set-adsyncscheduler -synccycleenabled $true
7. In services.msc, restart “Microsoft Azure AD Sync”
8. Reinitialize sync: Start-ADSyncSyncCycle -PolicyType Initial

Here is how to add Send As permissions for a user, to a distribution list, in Powershell.

1. First, connect to the 365 tenant.

Install modules if needed:

Set-Executionpolicy Bypass -Scope Process 
Install-Module PowerShellGet -Force -AllowClobber
Install-Module ExchangeOnlineManagement -Force -AllowClobber

Connect to the tenant:

Connect-ExchangeOnline -UserPrincipalName adminuser@domain.com

2. Then make the setting:

Add-RecipientPermission -Identity distgroup@domain.com -Trustee user@domain.com -AccessRights SendAs

Here is a newest method as of right now. There was a warning seen when using a previous method, stating that previous methods will no longer be available fairly soon.

Set-Executionpolicy Bypass -Scope Process 
Install-Module PowerShellGet -Force -AllowClobber
Install-Module ExchangeOnlineManagement -Force -AllowClobber

and then, changing the below appropriately:

Connect-ExchangeOnline -UserPrincipalName adminuser@domain.com

Sometimes, when one logs into https://portal.office.com, the link/button for downloading is not present at the upper-right corner. One thing to try is this, right after login:

https://portal.office.com/account/?ref=MeControl

If that doesn’t get you to downloads, try these steps:

Click on ID ball at the upper right to pull down menu
Click on View Account
Click on Subscriptions at lower left
Click on Apps & devices near lower left

This is a skeleton, Powershell. Needs prerequisite setup added.

$Cred = Get-Credential
Connect-MSolService -Credential $Cred
Install-Module MSOnline
Get-MsolUser -ReturnDeletedUsers
# The list of users/mailboxes marked 'deleted', is visible, if there are any.

# Do the next step ONLY if you are certain. There is no going back after this.
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

It’s by registry entry. Create these as DWORDs and set them to value 1:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
HKCU\SOFTWARE\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

Version overview:

docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

There are a few different places to turn this off. To turn two of them off:

1. First log into the tenant, and browse here: aad.portal.azure.com
2. Then click on “Azure Active Directory” on the left pane.
3. Click on “Password reset” on the middle pane (might need to scroll down). The Properties of “Password reset” will be visible. In the right pane, choose None, and click Save.
4. With “Password reset” still visible, click “Registration” in the middle pane.
5. Under “Require users to register when signing in?”, choose No, and click Save.

There are a few others, and there may well be more in the future.

There are many ways of doing this. Here is one way to bring everything into a single consistent behavior, a landing place from which you can vary slightly at need.

This presumes that you have Azure/AD sync installed and working in general, and yielding errors in the Synchronization Service window for one or more users. Make sure that you don’t have duplicate email addresses in AD, that could be bad.

The first steps are in Active Directory Users and Computers.

1. Set the user’s email correctly in his/her AD object, in “E-mail” under General.
2. Set proxyAddresses in the Attribute Editor. The primary email address has to be the same, and in proxyAddresses has to be of the format “SMTP:email@domain.com”. There can be others in proxyAddresses but smtp must be lowercase. Also in proxyAddresses, set mailNickname blank.
3. Under Account, either the user login name plus the dropdown domain is to be the same as the above, or it is to be a valid login according to the O365 console. If the dropdown domain list is local only, you can add the Internet domain list in Active Directory Domains and Trusts, with a right-click on the root level in the left pane of that window, and then an add of one or more alternative UPN suffixes. Then restart ADUC and the domain(s) you just added will be available in the dropdown.

Now we do some other things.

4. Run Azure/AD sync, this is CMD, do it as administrator:

repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta"

5. If you see errors in the Synchronization Service window, you’ll need something called a “hard match”, which changes enough to connect the AD user with the Azure user. Here’s a script for it, in Powershell. You’ll need to run it as administrator on a domain controller, and it will ask you to log into the O365 tenant. Items of note:

• This uses something called UPN, UserPrincipalName. While Azure’s UPN is the O365 “primary email address”, Active Directory’s UPN is the double item under Profile in AD, the username plus the domain dropdown.
• If you use this approach, the Office 365 login is changed to be the same as the AD login — which is a good thing in the net result, it keeps things very consistent and predictable.
• Once the hard match is complete, you can change anything on the AD side and it will mirror up to Azure.

############################################
# Active Directory / Office 365 Hard Match #
############################################

$ADUPN = 'active_directory_user@companynetwork.com'
$AzureUPN = 'azure_user@companynetwork.com'

'############################################'
'# Active Directory / Office 365 Hard Match #'
'############################################'
''

'Initiating prep for hard match.'
"Active Directory : $ADUPN"
"Azure AD :         $AzureUPN"
''

# Sets TLS version.  Necessary for some platforms.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$reportStatus = ''
$currentOp = ''
function ShowProgress {
	param( [string]$reportStatus, [string]$currentOp )

	Write-Progress -Activity "Hard Match" -Status $reportStatus -PercentComplete -1 -CurrentOperation $currentOp
	# Write-Progress is not compatible with some remote shell methods.

}

Function PrepareModule {
	param( [string]$ModuleName )

	If (Get-Module -ListAvailable -Name $ModuleName)
		{ Update-Module $ModuleName }
	Else
		{ Install-Module $ModuleName }
	}

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force > $null

'Preparing Powershell environment...'

ShowProgress("Preparing Powershell environment...","Setting up to use Powershell Gallery...")

ShowProgress("Preparing Powershell environment:","Setting up to use page provider NuGet...")
Install-PackageProvider -Name NuGet -Force | Out-Null

# This appears to set PSGallery nicely when need be
Register-PSRepository -Default -InstallationPolicy Trusted 2> $null
Set-PSRepository -InstallationPolicy Trusted -Name PSGallery

ShowProgress("Preparing Powershell environment...","Checking/preparing module NuGet...")
PrepareModule("NuGet")
ShowProgress("Preparing Powershell environment...","Checking/preparing module AzureAD...")
PrepareModule("AzureAD")

''
'Setting up hard match...'
''

'Connect to AzureAD:'
Connect-AzureAD

''
'Turn off AZ/AD Sync...'
''

Set-ADSyncScheduler -SyncCycleEnabled $false

"Now get original Azure ImmutableID for $AzureUPN ..."
$AzureUser = Get-AzureADUser -SearchString $AzureUPN
$OriginalAzureImmutableID = $AzureUser.ImmutableID
"Extracted Azure ImmutableID: $OriginalAzureImmutableID"
""
""
"And now extract AD GUID for $ADUPN ..."
ldifde -f export.txt -r "(Userprincipalname=$ADUPN)" -l *
$ADGUID = (-split (type export.txt | select-string "ObjectGUID"))[1]

''
"Extracted AD GUID: $ADGUID"
""
""
'Set AD GUID as Azure ImmutableID...'
Set-AzureADuser -ObjectID $AzureUser.ObjectID -ImmutableID $ADGUID

''
'New Azure ImmutableID retrieved as confirmation:'
$AzureUser = Get-AzureADUser -SearchString $AzureUPN
$AzureUser.ImmutableID

''
'Finally, turn on AZ/AD Sync again...'

Set-ADSyncScheduler -SyncCycleEnabled $true

'Done!'