
Alumni & Office 365: Breaking the AADConnect link


I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn’t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I’d write it up as a blog post.

This solution allows an Office 365 account to automatically transition from “Synchronized” to “Cloud managed”. It was designed for a university where:

  • Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and
  • Alumni accounts should remain active in Office 365 but disabled on-prem – therefore we want to stop syncing them with AADConnect following graduation.

Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered – this just focuses on the change in management source.

It should also be noted that this solution has been in production for over a year.

Desired Outcome – Student

Student accounts are managed on-prem and synchronised to Office 365 by AADConnect. A different PowerShell-based process (not pictured) detects the account and assigns the standard license type.

alumni_student-state

Desired Outcome – Alumni

Alumni on-prem accounts are disabled; however, the Office 365 account is a lifelong account and remains enabled, with the last synchronised password and the Alumni license package.

alumni_alumni-state

Transition Process

Following the student’s graduation the on-prem account is disabled and moved into a different OU (by the FIM Sync Service). This OU is outside AADConnect’s scope, so AADConnect interprets the move as a Delete, triggering a deletion of the Office 365 account.

alumni_graduation1

As the Office 365 account is only soft deleted, and remains recoverable for a grace period, we can promptly un-delete it, at the same time flagging it as “Alumni”. When the account is restored it comes back as “Cloud managed” and not synchronized.

alumni_graduation2

Here are the PowerShell commands used in restoring the account and changing the license type:

Get-MsolUser -ReturnDeletedUsers -All | ForEach-Object {
    $user = $_
    # Restore the soft-deleted account under its original UPN, resolving any proxy address conflicts
    Restore-MsolUser -UserPrincipalName $user.UserPrincipalName -AutoReconcileProxyConflicts -NewUserPrincipalName $user.UserPrincipalName
    # Flag the restored account as Alumni
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -Department "Alumni"
    # Set-MsolUserLicense … (license assignment is not covered in this post)
}

Re-enrolment

The solution also works fine for re-enrolment. If a student returns, their AD account is re-activated and moved back to the Student OU. This brings it back into the scope of AADConnect and flags it as a synchronized account. AADConnect uses the ImmutableID on the Office 365 account, matching it to the objectGUID of the re-enabled AD account, to make the join.

alumni_reenrol
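The restore loop above acts on every soft-deleted user in the tenant. As an added example (not from the original post), the script below restores only accounts whose on-prem AD object really has been disabled and moved to the Alumni OU, and checks that the cloud ImmutableID matches the on-prem objectGUID before restoring, so a genuinely deleted account is not revived by mistake. The OU path, the function names and the assumption that the tenant uses the default objectGUID sourceAnchor are mine, not the post's.

```powershell
# Added example (not from the original post): restore only those soft-deleted
# Office 365 accounts whose on-prem AD object has actually been disabled and moved
# to the Alumni OU, and confirm the ImmutableID matches the AD objectGUID first.
# Assumes the MSOnline and ActiveDirectory modules are loaded and that
# Connect-MsolService has already been run. The OU path is a placeholder.
$AlumniOU = 'OU=Alumni,DC=example,DC=edu'   # placeholder, not from the post

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)]$AdUser)
    # Default AADConnect sourceAnchor is the base64-encoded objectGUID (assumption:
    # the tenant uses the default anchor rather than a custom ms-DS-ConsistencyGuid).
    return [Convert]::ToBase64String($AdUser.ObjectGUID.ToByteArray())
}

function Restore-AlumniAccount {
    param([Parameter(Mandatory)]$DeletedUser)
    $upn = $DeletedUser.UserPrincipalName
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties Enabled, DistinguishedName
    if (-not $adUser) {
        Write-Warning "$upn : no on-prem account found, so this is not an alumni transition; skipping"
        return $null
    }
    if ($adUser.Enabled -or $adUser.DistinguishedName -notlike "*,$AlumniOU") {
        Write-Warning "$upn : on-prem account is still enabled or not in the Alumni OU; skipping"
        return $null
    }
    if ($DeletedUser.ImmutableId -ne (Get-ExpectedImmutableId -AdUser $adUser)) {
        Write-Warning "$upn : ImmutableID does not match the on-prem objectGUID; skipping"
        return $null
    }
    # Same restore and tagging as in the post, now only for verified alumni
    Restore-MsolUser -UserPrincipalName $upn -AutoReconcileProxyConflicts -NewUserPrincipalName $upn
    Set-MsolUser -UserPrincipalName $upn -Department 'Alumni'
    # Set-MsolUserLicense for the Alumni package would go here (not covered in the post)

    # Return an audit record; ImmutableId is kept so AADConnect can re-join on re-enrolment
    $restored = Get-MsolUser -UserPrincipalName $upn
    [pscustomobject]@{
        UserPrincipalName = $upn
        ImmutableId       = $restored.ImmutableId
        LastDirSyncTime   = $restored.LastDirSyncTime
        Department        = $restored.Department
    }
}

Get-MsolUser -ReturnDeletedUsers -All | ForEach-Object { Restore-AlumniAccount -DeletedUser $_ }
```

Keeping the returned audit records gives you a log of which accounts changed management source and when, which is useful if a restore later needs to be explained or reversed.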

Carol Wapshere

I’ve been working in the IT industry for rather a lot of years now, starting in sys admin then moving through project work and consultancy, eventually coming across MIIS 2003 in 2005 while working on an email migration project in London. After a few years in Switzerland I am now back in Australia, based in Canberra, working for UNIFY Solutions. I have been awarded the MVP for ILM/FIM every year since 2009.
