Restore Deleted AD/Office 365 User in AD Connect Environment

In this post, we will walk through the process of restoring a deleted user in an environment that leverages Directory Sync/Azure AD Connect. The process isn't overly intensive: it entails restoring the deleted user in Office 365, restoring the Active Directory account, and performing a hard match between the on-prem and cloud accounts. In our case, we will restore the Active Directory object from Veeam, as the environment did not have the AD Recycle Bin enabled.

Restore Deleted User in Microsoft 365

To begin, navigate to the Microsoft 365 Admin Center. Under Users, select Deleted Users.

Microsoft 365 Deleted User

Select the pertinent user and click Restore.

Restore 365 User

Next, choose to auto-generate or manually create a password. When finished, select Restore.

365 Restore Password

Looking at the restored user, we can see they are Active and their Sync status is In Cloud.

Restore Sync In Cloud

Next, we will restore the user in Active Directory.

Restore Active Directory User from Veeam

As mentioned earlier, this environment didn't have the Active Directory Recycle Bin enabled. Therefore, we will restore the AD object from Veeam.

To begin, log into the Veeam console and locate your Active Directory server from Disk Backups. Right-click the server and select Microsoft Active Directory Objects from the Restore Application Items option.

Veeam Restore AD Object

Next, select the restore point where the AD user was still active.

Veeam AD Restore Point

Enter a Restore Reason.

AD Restore Reason

Review the restore settings. Once you click Finish, the restore point will be mounted.

AD Restore Summary

After the point has mounted, locate the pertinent user from the Active Directory database. Right-click the user and choose the location for restore. In our case, we are going to restore the object directly back to the AD server.

Veeam Restore to DC

Verify the restore was successful.

Veeam Restore Success

Now that the user has been restored, we will match the AD account with the cloud account, so there is no mismatch during the next synchronization.

Hard Match Users with AD Connect

Navigate to Active Directory and locate the recently restored user. First, verify their e-mail is populated.

AD E-mail Attribute

Next, from the Attribute Editor tab, locate and copy the distinguishedName value.

AD distinguishedName

Once we have the distinguishedName, we will use an LDIFDE command to export the user's objectGUID. Open PowerShell and run the command below, pasting the distinguishedName value between the quotation marks.

Ldifde -d "paste distinguishedName here" -f C:\User1.txt

LDIFDE Export

After the command has completed, open the output text file and locate the objectGUID.

AD ObjectGUID

Navigate back to PowerShell and run the Connect-MsolService command to connect to Azure Active Directory. Once connected, run the Set-MsolUser command to set the recently exported objectGUID as the ImmutableID for the user. LDIFDE writes the objectGUID Base64-encoded (the line in the output file reads objectGUID:: followed by the value), which is the same form ImmutableID expects, so the value can be pasted as-is.

Set-MsolUser -UserPrincipalName name@domain.com -ImmutableID "paste ObjectGUID here"

Set-MsolUser ImmutableID

Lastly, we will run an Azure AD Connect manual delta sync to connect the accounts.

Start-ADSyncSyncCycle -PolicyType Delta

ADSync Delta

Now, when we look at the account in 365, the Sync Status shows Synced with Active Directory.

Synced with AD
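The hard-match steps above, combined into one added PowerShell script (this is not code from the original post). It assumes the ActiveDirectory, MSOnline and ADSync modules are all available on the machine where it runs, and that name@domain.com is a placeholder for the restored user's UPN; it derives the ImmutableID from the objectGUID directly instead of copying it from the LDIFDE output file, and checks the cloud value before overwriting it.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# the MSOnline module and Azure AD Connect (ADSync module) are installed on this machine.
$Upn = 'name@domain.com'   # placeholder: replace with the restored user's UPN

# Read the restored on-prem object and verify the mail attribute is populated,
# as the post does in the Attribute Editor.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties mail, objectGUID
if (-not $adUser) { throw "No AD user found with UPN $Upn" }
if (-not $adUser.mail) { Write-Warning 'mail attribute is empty; populate it before syncing' }

# objectGUID comes back as a [guid]. Base64-encoding its 16 raw bytes produces the same
# string LDIFDE writes on its "objectGUID::" line, which is the form Azure AD stores
# as ImmutableId (the sourceAnchor used for the hard match).
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Write-Host "objectGUID $($adUser.ObjectGUID) -> ImmutableId $immutableId"

# Compare against what the cloud account currently carries before writing anything.
Connect-MsolService
$cloudUser = Get-MsolUser -UserPrincipalName $Upn
if ($cloudUser.ImmutableId -eq $immutableId) {
    Write-Host 'ImmutableId already matches; nothing to change'
} else {
    Write-Host "Cloud ImmutableId is '$($cloudUser.ImmutableId)'; setting to $immutableId"
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $immutableId
}

# Kick off a delta sync, give it a moment, then confirm the account now reports a
# directory sync time, i.e. it is matched to the on-prem object rather than "In Cloud".
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 60
Get-MsolUser -UserPrincipalName $Upn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Run it from an elevated session on the Azure AD Connect server; Start-ADSyncSyncCycle will refuse to start if a scheduled sync cycle is already in progress, in which case simply rerun that last part.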
