A user is missing from a group in Azure AD Connect for Office 365

Applies to: Exchange Online

Symptoms

A user is missing from a group in Azure Active Directory (Azure AD) for Microsoft Office 365.

Resolution

There are two Windows Azure Active Directory modules to administer Azure AD through PowerShell. Both are supported currently.

To fix this issue, follow these steps: 

  1. Confirm that the group object exists in Azure AD by using the Azure AD PowerShell module. For example, run one of the following cmdlets:

    Get-MsolGroup -SearchString <EmailAddress or DisplayName>

    Get-AzureADGroup -SearchString <Mail or DisplayName>

  2. If the missing user object is present in Azure AD, confirm that the object has values for the UserPrincipalName, TargetAddress and MailNickname attributes.

  3. Confirm that the missing user exists in Azure AD. For example, run one of the following cmdlets:

    Get-MsolUser -SearchString <UserPrincipalName or DisplayName>

    Get-AzureADUser -SearchString <UserPrincipalName or DisplayName>

  4. Confirm that there is a recipient object present in Exchange Online by using the Get-User cmdlet.

    1. If a recipient object is not present in Exchange, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online by using the ObjectId parameter (which will be in the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX). To obtain the ObjectId parameter result, run the following cmdlet:

      Get-MsolUser -UserPrincipalName John@contoso.com | fl *object*
    2. If a user is not displayed as a recipient type of UserMailbox or MailUser, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online by using the UserPrincipalName attribute. Please provide this value, as it may differ from your PrimarySMTPAddress attribute value.

  5. Confirm that there are no validation or sync errors. For example, run the following cmdlet:

    Get-MsolGroup -SearchString <EmailAddress or DisplayName> | fl ValidationStatus,*error*

    Note: The ValidationStatus property can be viewed only by using the Get-MsolUser cmdlet.

    If the ValidationStatus is not healthy, the following article may help display more detailed information about the error.

    You see validation errors for users in the Office 365 portal or in the Azure Active Directory Module for Windows PowerShell

  6. Compare the membership counts between Azure AD and Exchange Online. You must have the ObjectId of the group to run the commands in Azure AD. This can be found by using the Get-MsolGroup or Get-AzureADGroup cmdlet. Then, this ObjectId parameter can be used in the commands to obtain the members. For example:

    Get-MsolGroupMember -GroupObjectId ObjectID

    Get-AzureADGroupMember -ObjectId ObjectID

    Compare to the information from Exchange. For example:

    Get-DistributionGroupMember SMTPAddress
  7. If a user is listed in Azure AD but missing from Exchange Online, ask Microsoft to submit the group object for a forward sync from Azure AD to Exchange Online for the group, and then confirm that the sync is completed and the user is added. Provide the Azure AD ObjectId parameter, which is now needed to run the forward sync.

    Get-MsolUser -SearchString <UserPrincipalName or DisplayName> | fl ObjectID
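The following script is an added example (not part of the original article) that automates steps 5 through 7: it pulls the group's members from Azure AD and from Exchange Online, compares them by object ID, and reports the ObjectId, UserPrincipalName and ValidationStatus of any user that is present in Azure AD but not in Exchange Online. It assumes you have already connected with Connect-AzureAD, Connect-MsolService and an Exchange Online session, and that the Exchange recipient's ExternalDirectoryObjectId property carries the Azure AD ObjectId; the group address is a placeholder.

```powershell
# Compare a group's membership in Azure AD with the matching distribution
# group in Exchange Online. Assumes Connect-AzureAD, Connect-MsolService and
# an Exchange Online session are already established.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupSmtpAddress   # placeholder, e.g. sales@contoso.com
)

# Step 6: resolve the group in Azure AD and fetch all members.
$aadGroup = Get-AzureADGroup -SearchString $GroupSmtpAddress |
    Where-Object { $_.Mail -eq $GroupSmtpAddress }
if (-not $aadGroup) { throw "Group $GroupSmtpAddress was not found in Azure AD" }

$aadMembers = @(Get-AzureADGroupMember -ObjectId $aadGroup.ObjectId -All $true)

# Exchange Online side. Assumption: ExternalDirectoryObjectId on each recipient
# is the Azure AD ObjectId, so the two lists can be matched on it.
$exoMembers = @(Get-DistributionGroupMember -Identity $GroupSmtpAddress -ResultSize Unlimited)

"Azure AD members:        $($aadMembers.Count)"
"Exchange Online members: $($exoMembers.Count)"

# Compare on object ID rather than on mail address, because a user's
# UserPrincipalName and PrimarySmtpAddress may differ.
$diff = Compare-Object -ReferenceObject @($aadMembers.ObjectId) `
                       -DifferenceObject @($exoMembers.ExternalDirectoryObjectId)

foreach ($entry in $diff) {
    if ($entry.SideIndicator -eq '<=') {
        # Step 7 case: in Azure AD but not in Exchange Online. Show the values a
        # forward-sync request needs and the validation state from step 5.
        $user = Get-MsolUser -ObjectId $entry.InputObject -ErrorAction SilentlyContinue
        "Missing in Exchange Online: ObjectId=$($entry.InputObject) " +
        "UPN=$($user.UserPrincipalName) ValidationStatus=$($user.ValidationStatus)"
    } else {
        # Present in Exchange Online only; worth a look but not this article's case.
        "Only in Exchange Online: ExternalDirectoryObjectId=$($entry.InputObject)"
    }
}
```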