In order to test Office 365 SMTP relay you will have to create a user with an Exchange online license. After the email is activated for this user you can test this user for relay with the following powershell.
First connect to Microsoft Online service with this user that you’ll be using for relaying.
$msolcred = Get-Credential
Next edit the following powershell with the user’s e-mail and the recipient’s too
This test is known as Client SMTP submission you can also use a different method for multiple devices where you can configure them all to point to a single server (IIS) in a method known as IIS for relay with Office 365 however, all the methods what involve office 365 (Only) for relay will require a user with Exchange online license assigned to it.
The use of this command is not recommended for security reasons in particular for not supporting the modern protocols. use it on your own risk and make sure the user assigned to this service has no privilege’s or not any Office 365 feature admin or power user.
The Threatpost.com and other cyber security news published articles claiming that A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services has been “compromised by a sophisticated threat actor,” the company has announced.
Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question is used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).
A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information.
In my last post about Skype for Business / Office 365 Skype for Business Online/Teams migration article I discussed the steps of how to create a hybrid environment between Skype for Business on-premises and went through the troubleshooting of each issue I have been through. In this article I am going to discuss the migration of users from on-premises to the cloud through UI and PowerShell.
Migrating users
This article will assume that you are planning to migrate users from Skype for Business Frontend 2015 Server and that you already have a hybrid configuration in place. If so then you’re going to fulfill the following prerequisites:
To check the currently installed PowerShell run the following cmdlet
$PSVersionTable
After you Download and install PowerShell 5.1 you might need to restart the server. In which case the PowerShell will show that it is updated to the required version.
After Installing the Skype Online Connector Module, We will be able to connect right after launching PowerShell
To do so type:
Import-Module SkypeOnlineConnector
Connecting to Office 365 (Teams Online or Skype for Business Online)
The process of connecting to Office 365 Online PowerShell sounds easy but with MFA enforced in your environment you’ll have a nightmare mix of errors when you try so.
I have came through a lot of errors trying to force the use of PowerShell with MFA user authentication but eventually came to realize that Microsoft still does not support MFA for some cmdlets like Move-CsUser for instance.
So In short, to connect you’ll need to have a global or Teams admin user with MFA disabled to do so.
To create a new Skype Online Session enter:
– Make sure you start the regular PowerShell as admin and not Skype for Business Management Shell.
If you run these commands from SfB Management Shell you’ll get an error
So first, We will import the Skype Online connector Module
Import-Module SkypeOnlineConnector
Then get the OverRidePowershell URI using the command:
Get-CsOnlinePowerShellEndPoint
Next, We will connect and authenticate to our tenant using the following cmdlet
Moving User back to On-premises (From Office 365 to SfB 2015 )
On Frontend Server Launch PowerShell as Administrator then:
A- Import-Module MicrosoftTeams
B- Connect-MicrosoftTeams
After you connect you’ll get the following result:
Now that you’re connected to your tenant, Try to create a Skype for Business session with the following commands
C- $sfbsession = New-CsOnlineSession
D- Import-PsSession $Sfbsession
You should get the following result
Type the following command to move the user back to On-premises environment:
Now last and most important note is that since I am using Skype for Business 2015 Server, I have to use the parameter -UseOAuth which uses modern authentication.
When you have your on-premises user enabled for dialin you will probably get the following error if you try to migrate them to Skype for Business online or teams.
Move-Csuser :: HostedMisrat ion fault: Error=(511), Description=(The user could not be moved because he or she is enabled for dial-in conferencing on-premises, but has not been an assigned an Audio Conferencing license in Office 365. Users must be licensed before they can be moved to Teams or Skype for Business Online.)
If you are sure do want to use migrate this user without an Audio Conferencing license, specify the
“BypassAudioConferencingCheck” switch. ) At line: 1 char: 1
The Solution is to either provide an audio conferencing license or as it is showing in the error itself as it says use the switch -BypassAudioConferencingCheck to ignore that.
Error 2:
When trying to import the session, I got the following error
the runspace state is not valid for this operation for PowerShell Online.
Solution: To overcome this problem you’ll need to use the overridePowershellUri Parameter in the New-CsOnlineSession in order to connect to Skype online powershell.
To get your tenant’s PowerShell URI use the cmdlet Get-CsOnlinePowerShellEndPoint
What you need to use is the AbsoluteUri
Error 3:
When you try to import the SkypeOnlineConnector module and then run the New-CsOnlineSession cmdlet from Skype for Business Management Shell you’ll get the following error after authenticating.
Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.
Troubleshooting details
If you contact your administrator, send this info to them. Copy info to clipboard
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
Solution:
Run the cmdlets from Windows PowerShell as admin not Skype for Business Management shell.
Error 4
Get-CsOnlinePowerShellAccessInformation : Unable to get response from https://admin4a.online.lync.com/OcsPowershellOAuth. At C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:160 char:20 + … pAuthInfo = Get-CsOnlinePowerShellAccessInformation -PowerShellEndpoi … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-CsOnlinePowerShellAccessInformation], Exception + FullyQualifiedErrorId : System.Exception,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellAccessInformationCmdlet
Error 5
Move-CsUser [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): y move-csuser : The underlying connection was closed: An unexpected error occurred on a send. At line:1 char:1 + move-csuser -identity user@domain.com -target D2-POOL01.clou … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (CN=user …domain,DC=net:OCSADUser) [Move-CsUser], WebException + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
Solution:
1- Make sure you have the proper Powershell version.
2- Make sure you enable TLS1.2 as default, for a quick solution use this PowerShell script
3- Use MFA enabled account by following these steps to login and move user.
A- Import-Module MicrosoftTeams
B- Connect-MicrosoftTeams
After you connect you’ll get the following result:
Now that you’re connected to your tenant, Try to create a Skype for Business session with the following commands
C- $sfbsession = New-CsOnlineSession
D- Import-PsSession $Sfbsession
You should get the following result
Now last and most important note is that since I am using Skype for Business 2015 Server, I have to use the parameter -UseOAuth which uses modern authentication.
I got a client requesting to integrate Skype for Business 2015 with Microsoft Teams. Skype for Business 2015 is installed on Windows Server 2012 R2 which has PowerShell 4.0
I already installed PowerShell 5.1 and restarted the server in question.
When I tried to install the Microsoft Teams PowerShell Module to integrate Skype for Business with Teams I got the following error:
Error
PS C:\Users\Admin> Install-Module MicrosoftTeams
NuGet provider is required to continue
PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or
‘C:\Users\Admin\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the
NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want
PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is “Y”): y
WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409′ to ”.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider
‘NuGet’. The package provider requires ‘PackageManagement’ and ‘Provider’ tags. Please check if the specified package
has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ … $null = PackageManagement\Install-PackageProvider -Name $script:N …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (Microsoft.Power…PackageProvider:InstallPackageProvider) [Install-Pac kageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackagePro vider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ … $null = PackageManagement\Import-PackageProvider -Name $script:Nu …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProv ider
More Details:
Although I have PowerShell 5.1 module installed but still it seems problems wont go away. It’s part of Microsoft’s main requirement to have Windows PowerShell 5.1 and to import the Microsoft Teams Module for an easy installation and integration with Teams as it leverages the Module MicrosoftTeamsto make things easy.
When looking at the details of the error, it seems as if PowerShell is trying to connect to a particular link to download and install the NuGet Provider which is part of installing the MicrosoftTeams Module.
The error below can be noticed to be the cause.
Resolution:
After doing some digging it turns out that since April 2020 Microsoft has disabled the use of TLS Version 1.0 and 1.1 so people who are working on old Windows Server edition or any application servers that utilize these protocols will now have to force PowerShell or any other app to use the TLS 1.2 Version.
In order to fix this, You will need to run the following Script on your PowerShell as an Admin
Installing Microsoft Azure Threat Protection (ATP) on Linux Devices
While playing with ATP on some windows devices, I was in the mood of trying the new Deepin 20 desktop flavor which is a famous Chinese Linux OS based system.
Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.
How to Install?
After I installed the Deepin OS, I was really impressed by the new beautiful Linux design so I plan to use it and have it secure with ATP.
Prerequisites:
Configure the Linux software repository for Ubuntu and Debian
Application Installation
Download the onboarding Package
Client Config
1-Configure the Linux software repository for Ubuntu and Debian
You will need to install the required libraries, install Gpg, apt-transport-https and update repository metadata using the following commands one by one.
After successfully installing all the libraries, I will go ahead and install the application
2- Application Installation
From the Linux client Terminal using sudo power user run the following script
sudo apt-get install mdatp
Once finished, You can go back to the ATP portal and download the Linux Onboarding package on the linux server/client you want to onboard
3- Download the onboarding Package
Since I am doing a single deployment not bulk, then I will go to the Microsoft Defender Security Center’s setting page and download the Linux package from the device management section.
The steps for the onboarding is already mentioned on that page so after you download the script you’ll know exactly what to do next.
The file is 9kb python in size
Copy the file to your Linux Desktop
4- Client Config
From the terminal type in chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit enter
Note: python must be installed on this linux dervice.
Then type python /MicrosoftDefenderATPOnBoardingLinuxServer.py
This will run pretty quick and will assign your Linux server/client with your Organization ID.
To see the Organization ID type:
mdatp –health orgId
Few minutes later you’ll be able to see the installation completion and the status through this command
Check if WDATP is functioning as expected
mdatp –health healthy
Check if WDATP agent is enabled
mdatp –health realTimeProtectionEnabled
Let’s check on our ATP portal and see if the machine is showing there.
Note: It might take 5-15 mins to update the definitions of WDATP when onboarding.
Yesterday my colleague sent me a message informing me that ADFS is not working. When I tried to login to Office 365 Portal page with a federated domain’s user I got a 500 Internal Server Error.
When it occurs:
If you are using Office 365 with ADFS Integration in place, You might get this error when trying to authenticate your users to login to Office 365 or any of its services.
WAP Server
In this environment I am using WAP Proxy server behind ADFS and when installing this I configured a trust using a Public Certificate but for some reason this trust was broken.
Investigation and Solution:
After investigating the WAP proxy it seems it had couple of problems:
1- Could not resolve ADFS server name on WAP Server.
In my environment where we are using Sentinel, We have isolated the primary DC in the environment and due to this the WAP server could not reach to the DNS Server. I solved this by pointing the machine to the secondary DC and add the ADFS hostname to the host file.
2- The Web Application Proxy Service would not start.
The errors related to the service not starting in the event viewer were all pointing to a certificate thumbprint which didn’t even exist in the WAP’s personal store.
Event Viewer Errors
There were couple of errors related to the certificate and Service issue, Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.
The one which mostly got my attention was the 224:
The federation server proxy configuration could not be updated with the latest configuration on the federation service.
Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.
Resolution:
From WAP server’s fire up PowerShell as an admin and list the certificate you have got on your Personal store and match the ThumbPrints of the certificate in the error to make sure it exists or not.
Even if the certificate exists you will still need to re-establish trust with ADFS to make sure WAP can connect to ADFS without an issue.
Dir Cert:\localmachine\my
This should show the certificates you have got on your store.
Now pick up the valid Public certificate which you want to use for the trust and use the below command to establish the trust
If you have Exchange Online and your users are MFA enabled then you most likely will be using Exchange Online’ s ECP (Exchange Control Panel or Admin Center) to connect to Exchange Online PowerShell through the Hybrid Windows since this is the only supported way with MFA.
Clicking on Configure would install the PowerShell Module of Exchange Online which looks like the below screenshot.
New PowerShell with MFA support
If you have launched Exchange Online PowerShell today then you most likely have noticed there’s a red line stating the possibility to try the new (Preview Version) of Exchange PowerShell V2 .
Microsoft has recently released a new version of Exchange Online PowerShell Module which supports MFA and can be run directly from your computer without the need to login to Exchange Online Admin Center and download any files from there. Check details in this link
As stated in the article, the Module is just in preview so it has some known and maybe unknown bugs as well.
How to Install it?
The installation process is pretty straightforward, Launch Windows PowerShel as an Administrator (It’s required for the installation).
To connect to Exchange Online, Run the following cmdlet along with the new parameter –EnableErrorReporting which gives the ability to record all the cmdlets that you have run along with errors generated as well.
Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All
After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:
You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.
This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.
I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.
Symptoms
On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:
Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.
At line:1 char:1
Trying to update the database from 1 to 2,3 will also fail with the following error:
Invoke-AdfsFarmBehaviorLevelRaise
Error:
Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.
Troubleshooting:
If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String
As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.
After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.
After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?
Solution
Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).
I got a request to place users into Security Groups for management purposes, The client have already users active but many of those users have left the work place and still have E3 or E1 Licenses which they should not have since this is pricey licenses and backing up users details is the easiest and most cost effective way of handling this.
So, To start (Prerequisites):
The Group based licensing management is a new feature, Was introduced in 2019 and not many people know that it is there however, This feature doesn’t come for free as you know (Since it’s Microsoft) and you must have a license for it or at least have users with E3 licensing model. So the requirements are:
– Azure AD Premium P1 or Higher
– Office 365 E3 or Higher.
– EMS or Higher.
How does it work?
In order for you to get this to work you need to make sure you have planned from where you want to manage those groups and their licenses, Online? Or On-Premises?
IF Online
If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.
Office365-E3 will also be created the same way and users of License type E3 will be added to it.
If On-Premises
If you’re going to manage those groups on-premises, Then you must have ADConnect (Azure AD Sync) tool to sync those groups after creating them.
In my case I have created those groups in the following manner:
After creating those groups, You will need to sync them to Office 365 using ADConnect. To force this to sync immediately fire up Powershell on Azure Connect Server and type
Start-ADSyncSyncCycle -PolicyType delta
What If I have users already assigned with License?
If you have users already assigned licenses and want to manage them using Group Based licensing then you’re going to have to get a list of all your users with their Licenses information into a CSV file and Import those users to the groups you created base on the license they have.
I created a PowerShell that would match user’s names and based on the license mentioned in the CSV file would add them to the relevant group but first you need to export Users from Office 365.
Export Users and their license from Office 365
First of all we’ll connect to Office 365 MSOL Service using Online Powershell
So this is how my CSV look right after I exported the users, We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell.
There are total of 6 columns in this folder, If for whatever reason you wanted to use the ProxyAddress to distinguish users feel free to keep them in the script but in my case I didn’t need them so I deleted the entire column.
So I will keep the following (Remove Spacing between License Type)
DisplayName
UsageLocation
LicenseType
SignInName
UserPrincipalName
The Value of the License Type is usually formatted like this “TenantName: License” and in order to make this column useful I am going to remove the Tenant name from all the cells.
Find and Replace can easily remove and clean these values for you.
After cleaning the column, this is how it looks
This should be useful for us now along with the PowerShell to add the users to their relevant groups.
On Active Directory from an elevated PowerShell
Run PowerShell ISE from a privileged account and copy + paste this script in ISE,
$ImportedUsers = Import-csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"
Foreach ($ImportedUser in $ImportedUsers){
$License = $ImportedUser.LicensesType
$E3 = "E3-Office365"
$E1 = "E1-Office365"
$EMS = "EMS-Office365"
$Sam = $ImportedUser.SamAccountName
$ImportedUPN = $ImportedUser.UserPrincipalName
$AllUsers = Get-ADUser -Filter * -Properties *
Foreach ($User in $AllUsers)
{
$UPN = $User.UserPrincipalName
if($user.UserPrincipalName -eq $ImportedUPN -and $License -match "EMS")
{
Add-ADGroupMember -Identity $EMS -Members $Sam
Write-Host $($UPN) "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "STANDARDPACK")
{
Add-ADGroupMember -Identity $E1 -Members $Sam
Write-Host $($UPN) "User has E1 License and has been added to the Group E1" -ForegroundColor black -BackgroundColor green
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "ENTERPRISEPACK")
{
Add-ADGroupMember -Identity $E3 -Members $Sam
Write-Host $($UPN) "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
}
}
}
Enabling Group Based License from Azure Portal
After this script finishes, I can open Azure Portal
From Azure Active Directory > Licenses > All Products
I will choose the license which I want to assign to a group of which I have created on my on-premises AD
Click on the License (Office 365 E1) and choose Assign from top menu
Make sure you select assignment options and customize the license according to the products you want your group members to use then click on Users and Groups and select the relevant Group which you’ve created (In my case it’s E1-Office365)
Here, The group has been assigned
Click assign and you should be done
We will do the same for E3 Users
NOTE
From now on, Removing any user from this group will revoke their license and any service connected to it, You must be very careful when removing users from this group.
Microsoft has done great job covering this thoroughly and in a great detail including Scripts to be able to do many things like grabbing users who have an inherited license from a group or manually assigned. I am writing down the references if you’re more curious into these.
I have got this client who constantly keeps on making the mistake of create user from Cloud and provision them with a license in an Exchange Hybrid environment.
Although this is not difficult to fix but it’s not the recommended approach when creating a new user especially in a Hybrid environment since Exchange on-premises won’t recognize this user and most likely will consider any incoming emails from it as spoof or spam.
How to Create a Cloud user from Exchange On-premises?
From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.
Second option – Using Powershell
It’s not that much different than the Web UI option but it’s just for people who prefer using PowerShell than GUI
The reason to follow those two methods is due to the need of Exchange on-premises being aware of each of those users so mail flow between Exchange on-premises and Online would not get affected and route this users mail to the wrong place or flag it as spammed or spoof …etc.
The Real Question now is: How to Sync Cloud User to On-premises AD ?
If by mistake we created a user on Cloud (Office 365) and we forgot to create an AD User for this account, that user might already have started using his account on Office 365 (Sharepoint, Exchange, Teams) etc.
There also might be the intention of moving users from Cloud to On-premises Exchange in case the company wanted to decrease their spending on cloud users and in this case when Migrating a cloud user to on-premises you will get the following errors:
Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ’03c9764e-8b8e-4f33-94d1-ef098c4de656’. –> Cannot find a recipient that has mailbox GUID ’03c9764e-8b8e-4f33-94d1-ef098c4de656’.
So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?
Solution:
To sync the user from the Cloud to on-premises you will need to follow these steps :
1- Create an on-premises Mailbox where the following attributes would be matching the cloud user
UserPrincipalname
ProxyAddresses
SamAccountName
Alias
2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)
You can look which of these OU are provisioned by Starting AD Connect Sync Manager
By verifying the user you created in the AD is in the right OU, You can now start AD Sync from PowerShell to speed up the process.
Below, You can see the user has been successfully synchronized to the cloud without any issue.
Now we’ll see it from the portal to confirm the user is synced with AD
Depending on the Source anchor being used in ADConnect there might be a GUID conflict or not, You will get an error similar to when trying to migrate the user in the beginning however you can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user which will force the user to merge with the On-prem user.
Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.
From AD run CMD or Powershell you can use the following command to get the user’s ImmutableID (ObjectGUID) .
From Notepad checking the user we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==
To be able to see the user on Office 365, We need to logon to MSOL through Exchange Online PowerShell
Connect to Exchange Online’s powershell using your Online ECP.
Once you click on Configure this should download an executable file that will launch PowerShell Online which allows you to use the Modern Authentication (MFA) to use PowerShell safely.
Connect-Msoluser will connect you to Office 365 and you’ll be able to get the user’s properties and see if the Immutable ID is matching to the user’s GUID.
Once you’re connect you can use the following cmdlet to get the user’s properties.
You can see they are matching each other, In case there’s a conflict then you can simply set the online user’s Immutable ID to match the on-premises user’s ImmutableID.
Once done, Go and force ADConnect to sync the user and you’ll see if the problem has been resolved. The command for changing the Immutableid is as follows: