Summary


Users will come and go, stay for years or just for days. Occasionally they leave for only a short time and in other instances mistakes are made while maintaining Active Directory objects. This guide will help you avoid or correct any sync issues caused by this.




Guide


When a user's Active Directory object changes, we are sent the new state of the user and our systems are updated to match. Exactly what happens next depends on your classifications: the user may now meet a different classification rule, or not meet any.


If they meet a different classification, the user may find their SharePoint drives have changed, and possibly even their licence(s) depending on your settings. To fix this, ensure the user's object is changed to meet the rules for their correct classification, whether that is their OU, group membership, email domain, etc. The classification rules can be checked by an Admin by logging into our Admin Portal: https://portal.iamcloud.net.


Much more disruptive is if the user no longer meets any of your classification rules and thus becomes a Declassified User. This removes them from our system, leaving them only in the unclassified list viewable in the admin portal above. What happens next depends on a choice you made during on-boarding. Like anything on our systems this choice can be changed at any point, but because this particular change involves stopping part of our systems we will only implement it after-hours, to minimise disruption.


The choice was whether we disable or delete declassified users.


If you chose for us to disable them: no problem. The user will only have had their access blocked on Office 365, and once they meet the classification requirements again our system will re-enable them. Occasionally we may need to perform a slightly different sync between ourselves and Office 365 to ensure the join is correct, but that mostly applies to the next situation.


If you chose for us to delete declassified users, the first thing you should be aware of is that users deleted from Office 365 only remain in the recycle bin for 30 days. After that, in most cases not even Microsoft can restore the lost data. So if this is your situation: do not hesitate to contact us.


If you simply change the user's object so that it is re-classified, our system will usually create a new account rather than restoring the old one. This is a security feature: it avoids the situation where you create a new user with details similar to one deleted not long ago, our system pulls the deleted account out of the recycle bin, and the new user ends up with the old one's files and emails. To tell the two apart our system uses the ImmutableID of the object on Office 365, but an object that has been deleted from our system will sometimes be given a new ImmutableID when it is re-created. This is a simple fix on our side, as long as you have taken one step first: restore the user from the recycle bin in Office 365.

In certain situations, if our system still holds the unique ImmutableID that the object has in Office 365, it will take the user straight from the recycle bin. This usually only happens if the object is corrected before certain automatic syncs run, so it should not be relied upon.

Even once the user has been restored on Office 365, our systems may still create a new ImmutableID for them. So, to avoid our system deleting the user and creating a new one, or causing sync errors, speak to us first. We will temporarily disable the sync to Office 365 while you make the user meet the classification rules again. Once they have gone through our systems, we will run a sequence of syncs between us and Office 365 to resolve any ImmutableID mismatches, then turn your Office 365 sync back on.




Alternate

If you have already changed the user and our system has created a new user to replace the old one, we can still fix it. The new user will need to be deleted, which can only be done using PowerShell, and then the old one restored from the recycle bin. We will then be able to run the sync sequence to fix the issues as before.
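The Alternate procedure above, as an added PowerShell example that is not part of this article and is not IAM Cloud's own tooling. It assumes the Microsoft Graph PowerShell SDK (the Office 365-era MSOnline cmdlets are deprecated) and an account holding a user-administration role in the tenant; the two UPNs are placeholders to replace with your own. By default it only reports: the age of the recycle-bin object against the 30-day window, and the ImmutableID on each account so the mismatch described earlier is visible. Only when run with -Commit does it soft-delete the replacement account and restore the original.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example, not IAM Cloud's tooling. Assumes the Microsoft Graph PowerShell SDK
# rather than the older MSOnline module, and that both placeholder UPNs are replaced.
param(
    # UPN of the replacement account created after the user was re-classified (placeholder)
    [string]$NewUserUpn = 'jane.doe@contoso.example',
    # UPN the original account had when it was deleted (placeholder; often the same as above)
    [string]$OldUserUpn = 'jane.doe@contoso.example',
    # Report only by default; pass -Commit to actually delete and restore
    [switch]$Commit
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' | Out-Null

# 1. Find the original account in the recycle bin and check the 30-day retention window.
$props = 'Id', 'UserPrincipalName', 'DeletedDateTime', 'OnPremisesImmutableId'
$old = Get-MgDirectoryDeletedItemAsUser -All -Property $props |
    Where-Object { $_.UserPrincipalName -eq $OldUserUpn }
if (-not $old) {
    throw "No deleted user with UPN '$OldUserUpn' in the recycle bin; after 30 days it cannot be restored this way."
}
if (@($old).Count -gt 1) {
    throw "More than one deleted user carries UPN '$OldUserUpn'; choose the object Id by hand."
}
$age = (Get-Date).ToUniversalTime() - $old.DeletedDateTime
Write-Host ("Original account {0} was deleted {1:N1} days ago (recycle bin keeps it for 30)." -f $old.Id, $age.TotalDays)
if ($age.TotalDays -ge 30) {
    throw 'The retention window has passed; contact support before doing anything else.'
}

# 2. Compare the ImmutableID on the replacement account with the one in the recycle bin.
$new = Get-MgUser -UserId $NewUserUpn -Property 'Id', 'UserPrincipalName', 'OnPremisesImmutableId'
Write-Host ("Recycle-bin ImmutableID : {0}" -f $old.OnPremisesImmutableId)
Write-Host ("Replacement ImmutableID : {0}" -f $new.OnPremisesImmutableId)
if ($old.OnPremisesImmutableId -ne $new.OnPremisesImmutableId) {
    Write-Host 'IDs differ: this is the mismatch the sync sequence reconciles after the restore.'
}

if (-not $Commit) {
    Write-Host 'Dry run only. Re-run with -Commit to soft-delete the replacement and restore the original.'
    return
}

# 3. Soft-delete the replacement (it goes to the recycle bin, so this step is reversible),
#    then restore the original so it comes back with its old mailbox and files.
Remove-MgUser -UserId $new.Id
$restored = Restore-MgDirectoryDeletedItem -DirectoryObjectId $old.Id
Write-Host ("Restored {0}. Now ask for the sync to be paused and the reconciliation run." -f $restored.Id)
```

The replacement is only soft-deleted rather than purged, so it too sits in the recycle bin for 30 days should anything need recovering from it. The script does not replace the sync pause and ImmutableID reconciliation described above; it only puts the tenant in the state that procedure expects.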



In both situations: let us know the details as quickly as possible and we will work with you to restore your users. Just remember the 30 days and don't wait too long.