This article addresses a scenario where a user is a member of a distribution group in Active Directory (AD) but does not appear in the members of the corresponding distribution list in Microsoft Office 365 (M365 / O365). Universal Sync is enabled, and other users are synchronized without issue.

• Microsoft Office 365 (M365 / O365)
• Provisioning
• Universal Sync

The External Id of the user from Active Directory does not match the corresponding user's Immutable ID in Office 365:

The following steps can be used to update the user's Immutable ID in Microsoft Office 365 to match the user's External Id:

1. Access the Okta Admin Console.
2. Navigate to Applications > Applications > Microsoft Office 365 > Provisioning > To App.
3. Disable the Deactivate Users option.
4. Unassign the affected user from the Microsoft Office 365 app in Okta.
5. In Microsoft Graph Explorer, use the Update user API to move the affected user to an unfederated domain:

6. Use the Update User API again to update the unfederated user's Immutable ID:

7. Using the Update User API, move the unfederated user back to the federated domain:

8. Assign the Microsoft Office 365 app in Okta to the affected user.
9. Remove the affected user from the distribution group in Active Directory, and perform a full import in Okta.
10. Add the affected user back to the distribution group in Active Directory, and perform another full import in Okta.
11. Re-enable the Deactivate Users option in the Okta Admin Console under Applications > Applications > Microsoft Office 365 > Provisioning > To App.

Related References

• Graph Explorer
• Update user Graph API