Sync issues with o365 user provisioning using Google SAML App

I use the Google SAML App for SSO and user provisioning into Office365 (o365) using Google Authentication as IDP (Identity provider). In order to provide SSO, domains have to be federated. See this blog post for details.

For some unexplained reason many accounts on o365 were hard deleted and the Google SAML App was not able to add them back due to provisioning errors from MS o365. The only way that I could get the synchronization back was to add the missing user accounts back into o365. Doing this from the admin panel is not allowed once the domain is federated – the only way to do this is using powerShell cmdlets.  In the rest of the post I will detail how I used a powerShell script to add user accounts on a federated domain using a CSV file.

Prepare a CSV file

containing all the users. This can be generated either manually, LDAP export, or , as in my case, using a custom SQL in configurable reports in Moodle as explained in this blogpost.

The file should have the column headings as follows (it could have other contact details as needed):

UserPrincipalName, ImmutableId, DisplayName, Password, FirstName, LastName, Department, MobilePhone, Title, OfficeNumber, UsageLocation

UPN and Immutableid must be the same for a federated domain. UsageLocation is 2 letter country code used for licensing purposes and must be filled in appropriately based on your issued license.

Run a powershell script

Open a Windows powershell and make sure that it can run o365 commands such as Get-Msoluser etc. Also ensure that you can run scripts. Just Google this topic on how to.

Authenticate to o365 using:


Don’t use your admin account on your federated domain,  because of SSO. Use an admin account on the domain. For example,

In the powerShell window run The powerShell script below. This will check if user already exists and only creates a new user account if user doesn’t already exist.

# This powershell script creates new users from a CSV file
# get all csv users into an object and iterate over each
Import-Csv 'C:\madhupowershellscripts\csv\o365newusers.csv' | ForEach-Object {
$user = $_."UserPrincipalName"
#get user object based on UPN
$userobj = Get-MsolUser -UserPrincipalName $user -ErrorAction SilentlyContinue
# check to see if this userobject exists
If ($userobj -ne $Null) {
# This user already exists, skip account creation
$UserExists = $true
Write-Host "User already exists : " $_.UserPrincipalName
} else {
# This user object does not exist in system, create a new user account
$UserExists = $false
Write-Host "User DOES NOT exist, creating new o365 user account : " $_.UserPrincipalName
New-Msoluser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.UserPrincipalName -UsageLocation "IN" -DisplayName $_.DisplayName -Password $_.Password -FirstName $_.FirstName -LastName $_.LastName -Department $_.Department -MobilePhone $_.MobilePhone -Title $_.JobTitle -Office $_.OfficeNumber -ForceChangePassword $true -ErrorVariable errorVariable

This can take a long time if you have many users in the CSV file so be patient.

Of course as usual, you need to assign licenses to these new accounts.

Posted in G-Suite, Office 365 Education and tagged .