I use the Google SAML App for SSO and user provisioning into Office365 (o365) using Google Authentication as IDP (Identity provider). In order to provide SSO, domains have to be federated. See this blog post for details.
For some unexplained reason many accounts on o365 were hard deleted and the Google SAML App was not able to add them back due to provisioning errors from MS o365. The only way that I could get the synchronization back was to add the missing user accounts back into o365. Doing this from the admin panel is not allowed once the domain is federated – the only way to do this is using powerShell cmdlets. In the rest of the post I will detail how I used a powerShell script to add user accounts on a federated domain using a CSV file.
Prepare a CSV file
containing all the users. This can be generated either manually, LDAP export, or , as in my case, using a custom SQL in configurable reports in Moodle as explained in this blogpost.
The file should have the column headings as follows (it could have other contact details as needed):
UserPrincipalName, ImmutableId, DisplayName, Password, FirstName, LastName, Department, MobilePhone, Title, OfficeNumber, UsageLocation
UPN and Immutableid must be the same for a federated domain. UsageLocation is 2 letter country code used for licensing purposes and must be filled in appropriately based on your issued license.
Run a powershell script
Open a Windows powershell and make sure that it can run o365 commands such as Get-Msoluser etc. Also ensure that you can run scripts. Just Google this topic on how to.
Authenticate to o365 using:
Connect-MsolService
Don’t use your admin account on your federated domain, because of SSO. Use an admin account on the onmicrosoft.com domain. For example, mydomain.onmicrosoft.com
In the powerShell window run The powerShell script below. This will check if user already exists and only creates a new user account if user doesn’t already exist.
# This powershell script creates new users from a CSV file## get all csv users into an object and iterate over eachImport-Csv 'C:\madhupowershellscripts\csv\o365newusers.csv' | ForEach-Object {$user = $_."UserPrincipalName"##get user object based on UPN$userobj = Get-MsolUser -UserPrincipalName $user -ErrorAction SilentlyContinue## check to see if this userobject existsIf ($userobj -ne $Null) {## This user already exists, skip account creation$UserExists = $trueWrite-Host "User already exists : " $_.UserPrincipalName} else {## This user object does not exist in system, create a new user account$UserExists = $falseWrite-Host "User DOES NOT exist, creating new o365 user account : " $_.UserPrincipalNameNew-Msoluser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.UserPrincipalName -UsageLocation "IN" -DisplayName $_.DisplayName -Password $_.Password -FirstName $_.FirstName -LastName $_.LastName -Department $_.Department -MobilePhone $_.MobilePhone -Title $_.JobTitle -Office $_.OfficeNumber -ForceChangePassword $true -ErrorVariable errorVariable}}
This can take a long time if you have many users in the CSV file so be patient.
Of course as usual, you need to assign licenses to these new accounts.