There is a known problem in SharePoint called “User ID Mismatch”. It happens if a user account is deleted from the directory, and then a new account is created with the same UPN (e.g. rehired person or a person with common name like John Smith). In other words – re-used user name in the directory generates SharePoint User ID Mismatch issue. Symptoms are: a user requests access to the site, site owner approves request, but user still cannot open the site and gets “Access denied” errors.
SharePoint User ID Mismatch Issue Explained
The reason behind it is that SharePoint keeps user data in its own database (the site's User Information List, UIL), including not only the UPN, but also the local AD SID and the Entra ID object ID. So when a re-used UPN tries to access the site, SharePoint does not allow access, and this makes sense, as we do not know if the user is the same person (rehired) or a different one (same name). A rehired person might come back with a different role. A different person with the same name definitely should not get access to the site automatically. So access needs to be re-provided. And that is where the actual issue appears. Once a site owner approves the new user's request to the site, Microsoft does not update the user in the UIL to the new user. So for the site owner it looks like access has been provided, but in fact it has not. So Microsoft, instead of fixing it in the product, developed a separate “fix”. What needs to be done is to remove the user from the UIL. That is it. Once the old user id is removed from the site, a newly added user id should not have access issues.
One more note. Deleting a user from the UIL does not actually clear everything related to the user. User information stays in hidden databases (e.g. if you go to document history on the site, you should still be able to see the user name etc.).
Even more gotchas. Every user or group on the site has a “site user id”. It is an integer number, e.g. the first user/group added to the site would have id 1. Deleting and re-adding the same user would keep the same site user id. In the case of a re-used UPN it would be a different number.
Solutions to fix the SharePoint User ID Mismatch Issue
So there are 3 possible solutions:
- by admin, via Microsoft 365 Admin Center, using Diagnostics tools
- by site owner or admin, via site settings and “MembershipGroupId=0” trick
- by site owner or admin, with PowerShell
Fixing the SharePoint User ID Mismatch Issue with Microsoft Diagnostic
So Microsoft knows about the User Id Mismatch issue and offers the following solutions:
- SharePoint Admin: run the “Site User Mismatch” diagnostic
“The diagnostic performs a large range of validations for internal users and guests who try to access SharePoint and OneDrive sites“
- SharePoint Admin: run the “Check User Access” diagnostic
“The diagnostic performs a large range of verifications for internal users and guests who try to access SharePoint and OneDrive sites“
I wish my users did not have such issues, as it is a pretty awful experience when a user requests access to the site, the site owner approves it, but the user still cannot access the site, so the user requests access again, the owner approves it again and so on… So I’m asking myself:
- What exactly do Microsoft’s diagnostics do?
- All Microsoft’s fixes are for one specific site, but usually a user has access to many sites, so is there a way to fix the issue “everywhere” at once?
- Can we be proactive here and fix the issue before a user submits a ticket?
Let us try to go deeper into the issue and find a more consistent solution.
Diag: Site User ID mismatch
When you run this, it asks for a site Url and UPN, then it says:
We found a SharePoint site user with a mismatched ID.
The user with the mismatched ID will need to first be removed and then the SharePoint site will need to be re-shared with them. If you would like, we can attempt to remove the user with the mismatched ID from the SharePoint site.
Once the user with the mismatched ID has been successfully removed, follow Share a Site to provide the user with the appropriate permissions within the site.
This action will remove the user from the site, including any permissions they have been previously granted.

Diag: Check SharePoint User Access
This diag does the same:

Let us run it.
Success!
Now that the user with the mismatched ID has been removed, you may need to Share a Site with them; depending on the permissions set for your organization and for the specific site.

Actually, Microsoft’s diagnostic not only removes the user from the UIL, but also adds a new one (without permissions).
Fixing the SharePoint User ID Mismatch Issue with Site Settings
This option is available for site owners or site collection admins, but only in cases where there are not many site users. If you have thousands of users in the site, it might be difficult to find the user in the UIL.
Site owner or admin: navigate to Site Settings -> Site Permissions -> Advanced Permissions -> select any group, then change the group id number in the browser address bar (Url) to “0”, so it looks like:
https://domain.sharepoint.com/teams/mySite/_layouts/15/people.aspx?MembershipGroupId=0
then find the user in the list and delete it (Actions -> Delete User from Site Collection).
Here is what Microsoft says: remove account from the UserInfo list
Detecting and Fixing the issue with PowerShell
You can use PowerShell to detect whether the issue with a user’s permissions is actually the user id mismatch issue, and then fix it. Specifically, I will use the PnP.PowerShell module v3.1. Here is what you’d do:
# this script
# 1) detects if there is a User Id Mismatch issue on the site
# 2) if yes - deletes the user id from the site and adds it again (with no permissions)
# NB! removing the user from the UIL also removes all of the user's permissions, so the user needs to request permissions again - but this time it should work
# NB! due to the nature of the user id mismatch issue these could be two different users, so removing the user's permissions is OK
# parameters
# app-only (certificate) authentication values: placeholders, replace with your own
$orgname = "contoso"
$tenantId = "$orgname.onmicrosoft.com"
$ClientId = "<app-client-id>"
$Thumbprint = "<certificate-thumbprint>"
# specify user email and site url here (the commented-out lines are alternative test values):
# $userEmail = "John.Smith.qerdgfq@$orgname.onmicrosoft.com"
$userEmail = "John.Smith@$orgname.onmicrosoft.com"
# $siteUrl = "https://$orgname.sharepoint.com/teams/UserIDMismatchTest01"
# $siteUrl = "https://$orgname.sharepoint.com/sites/UserIDMismatchTest02"
$siteUrl = "https://$orgname.sharepoint.com/teams/UserIDMismatchTest03"
# end of parameters section
#
# authenticate to the tenant admin center (the Entra ID and User Profile calls below need this connection)
$connectionAdmin = Connect-PnPOnline -ReturnConnection -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId -Url "https://$orgname-admin.sharepoint.com"
$connectionAdmin.Url
# let's find the user in entra id:
# try to get the user by email (in most cases email equals upn)
$adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Identity $userEmail
if (-not $adUser) {
# otherwise (in case upn -ne email) let us try to find the user by the Mail attribute
$filter = "Mail eq '" + $userEmail + "'"
$adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Filter $filter
}
if ($adUser) {
$upn = $adUser.UserPrincipalName
Write-Host "Found user in entra id: " $adUser.DisplayName
if (-not $adUser.AccountEnabled) {
Write-Host "Note that the user's entra id account is disabled."
}
} else {
Write-Host "Could not find user in entra id." -ForegroundColor Yellow
Write-Host "Please double-check the email specified: " $userEmail -ForegroundColor Yellow
exit 1
}
# now we need to pull the user profile from UPSA (User Profile Service Application)
$userProps = $null
$userProps = Get-PnPUserProfileProperty -Connection $connectionAdmin -Account $upn
if ($userProps) {
Write-Host "Found user in SharePoint User Profile Service: " $userProps["AccountName"]
} else {
Write-Host "Could not find user in SharePoint User Profile Service." -ForegroundColor Yellow
exit 1
}
# let's connect to the site
$connectionToSite = Connect-PnPOnline -ReturnConnection -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId -Url $siteUrl
if (-not $connectionToSite) {
Write-Host "Could not connect to site:" $siteUrl -ForegroundColor Yellow
exit 1
}
# let's get the site
$site = Get-PnPSite -Connection $connectionToSite
if ($site) {
Write-Host "Connected to site:" $siteUrl
} else {
Write-Host "Could not connect to site:" $siteUrl -ForegroundColor Yellow
exit 1
}
# let's get the site user (the UIL entry); Get-PnPUser throws if the login name is not in the UIL
# Get-PnPUser -Connection $connectionToSite   # lists all site users
$loginName = "i:0#.f|membership|$upn"
$siteUser = $null
try {
$siteUser = Get-PnPUser -Connection $connectionToSite -Identity $loginName -Includes AadObjectId -ErrorAction Stop
} catch {
$siteUser = $null
}
if ($siteUser) {
Write-Host "Found user in the site: " $siteUser.Title
} else {
# the user is not in the UIL at all, so there is nothing to compare (and nothing to remove)
Write-Host "Could not find user in the site: " $upn -ForegroundColor Yellow
exit 1
}
# now we detect if there is a user id mismatch issue
# normally the object id and sid should be the same in all 3 user objects: entra id, upsa and site
$userIdMismatch = $false
# compare SID from site and UPSA
# the UPSA SID looks like "i:0h.f|membership|<puid>@live.com"; keep only the <puid> part
$upsaSID = ($userProps["SID"].split("|") | Select-Object -Last 1).split("@") | Select-Object -First 1
if ($upsaSID -ne $siteUser.UserId.NameId) {
Write-Host "SID mismatch found." -ForegroundColor Yellow
Write-Host "SID from User Profile:" $upsaSID
Write-Host "SID from Site User :" $siteUser.UserId.NameId
$userIdMismatch = $true
}
# compare User Id from site and UPSA
if ($userProps["msOnline-ObjectId"] -ne $siteUser.AadObjectId.NameId) {
Write-Host "User directory object Id mismatch found." -ForegroundColor Yellow
Write-Host "User Id from User Profile:" $userProps["msOnline-ObjectId"]
Write-Host "User Id from Site User :" $siteUser.AadObjectId.NameId
$userIdMismatch = $true
}
# compare User Id from site and directory
if ($adUser.Id -ne $siteUser.AadObjectId.NameId) {
Write-Host "User directory object Id mismatch found." -ForegroundColor Yellow
Write-Host "User Id from Directory:" $adUser.Id
Write-Host "User Id from Site User:" $siteUser.AadObjectId.NameId
$userIdMismatch = $true
}
if ($userIdMismatch) {
Write-Host "The User Id Mismatch issue was found on the site for the user."
Write-Host "We'll remove the user from the UIL, which also removes all of the user's permissions."
Write-Host "The user will need to request permissions again - but this time it should work."
} else {
Write-Host "We did not find a User Id Mismatch issue on the site." -ForegroundColor Green
exit
}
# next, we'll ask for confirmation, then delete the user id from the site and add it back
$confirmation = Read-Host "Please confirm (y/n)"
if ($confirmation.ToLower() -ne "y") {
Write-Host "User deletion was not confirmed. The issue is not fixed."
Read-Host "Press any key to exit"
exit
}
# fix the issue by removing the user and re-adding
# remove
Remove-PnPUser -Connection $connectionToSite -Identity $loginName -Force
if ($?) {
Write-Host "Successfully removed user from site."
} else {
Write-Host "Something went wrong... Could not remove user from site." -ForegroundColor Yellow
exit 1
}
# add (EnsureUser only queues the request; Invoke-PnPQuery executes it)
$web = Get-PnPWeb -Connection $connectionToSite
$null = $web.EnsureUser($loginName)
Invoke-PnPQuery -Connection $connectionToSite
# validate
$newSiteUser = Get-PnPUser -Connection $connectionToSite -Identity $loginName -Includes AadObjectId
if (-not $newSiteUser) {
Write-Host "Something went wrong... The just-added user was not found on the site..." -ForegroundColor Yellow
exit 1
}
# a re-used UPN gets a new site user id (see the note about site user ids above)
if ($newSiteUser.Id -ne $siteUser.Id) {
Write-Host "Added user to the site with no permissions."
} else {
Write-Host "Something went wrong... The just-added user got the same site user Id..." -ForegroundColor Yellow
exit 1
}
Write-Host "Finished."
Read-Host "Press any key to exit"
exit
Fix the issue “everywhere” at once
The issue is scoped to a specific site (site collection). The PowerShell-based solution above and all Microsoft’s fixes are designed for one specific site, but in real life the “old id user” had access to many sites, and the “new id user” has access to many sites, so after several “access denied” issues a user might be confused and ask SharePoint admins to fix the issue “everywhere” at once (e.g. a senior leader you do not want to bother with “please provide us the list of site Urls you are having issues with”).
So how do we fix the User Id Mismatch issue on all sites for a specific user?
Solution 1:
- Get list of all tenant sites
- For every site – check if the user is in the UIL
- If yes – check if this is a User Id Mismatch case
- If yes – remove the user from UIL
This is a complete solution, i.e. it should fix not only the issues a user is currently having but also all future issues in the tenant for the same user. But this is a “heavy” solution, i.e. it should work well for small companies, but might not be feasible for enterprises.
Solution 2
- Get audit log – filter by user and “AccessDenied” pages
- Select sites where user hit “AccessDenied” page – make a unique list of such sites
- For every site – check if this is a User Id Mismatch case
- If yes – remove the user id from site’s UIL
This solution should work faster, but it does not guarantee that it fixes all future issues, i.e. it is possible the user will hit more User Id Mismatch issues in the future, which is frustrating…
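Solution 1 and Solution 2 share the same per-site check, so here is one added example (not the post’s own script) that runs it over every tenant site collection, or over a site list you pass in, such as the unique “AccessDenied” sites extracted from the audit log. It assumes PnP.PowerShell v3, app-only certificate authentication with site collection admin rights on the sites, and placeholder values in the param block.

```powershell
# Added example, not from the original post. Sweeps sites for a stale UIL entry of one UPN.
# Assumptions: PnP.PowerShell v3; app-only certificate auth; every param default is a placeholder.
param(
    [Parameter(Mandatory)][string]$Upn,            # UPN of the re-created account
    [string[]]$SiteUrls = @(),                     # empty = all tenant sites (Solution 1); otherwise e.g. audit-log sites (Solution 2)
    [string]$OrgName = "contoso",                  # placeholder
    [string]$ClientId = "<app-client-id>",         # placeholder
    [string]$Thumbprint = "<cert-thumbprint>",     # placeholder
    [string]$TenantId = "contoso.onmicrosoft.com", # placeholder
    [switch]$Fix                                   # without -Fix the script only reports
)
$loginName = "i:0#.f|membership|$Upn"
$auth = @{ ClientId = $ClientId; Thumbprint = $Thumbprint; Tenant = $TenantId }
$admin = Connect-PnPOnline -ReturnConnection -Url "https://$OrgName-admin.sharepoint.com" @auth
# The directory object id is the reference every site's UIL entry must match.
$adUser = Get-PnPAzureADUser -Connection $admin -Identity $Upn
if (-not $adUser) { throw "User $Upn was not found in Entra ID." }
if ($SiteUrls.Count -eq 0) {
    # Solution 1: every site collection in the tenant (the "heavy" option)
    $SiteUrls = (Get-PnPTenantSite -Connection $admin).Url
}
$report = foreach ($url in $SiteUrls) {
    $conn = Connect-PnPOnline -ReturnConnection -Url $url @auth
    # A user absent from this site's UIL cannot be mismatched there, so skip the site.
    try { $siteUser = Get-PnPUser -Connection $conn -Identity $loginName -Includes AadObjectId -ErrorAction Stop }
    catch { $siteUser = $null }
    if (-not $siteUser) { continue }
    $mismatch = $siteUser.AadObjectId.NameId -ne $adUser.Id
    $removed = $false
    if ($mismatch -and $Fix) {
        # Removing the stale entry also drops the old id's permissions; the user re-requests access.
        Remove-PnPUser -Connection $conn -Identity $loginName -Force
        $removed = $true
    }
    [pscustomobject]@{
        Site       = $url
        SiteUserId = $siteUser.Id
        SiteObjId  = $siteUser.AadObjectId.NameId
        EntraObjId = $adUser.Id
        Mismatch   = $mismatch
        Removed    = $removed
    }
}
$report | Format-Table -AutoSize
```

Run it without -Fix first to get a read-only report of which sites carry a mismatched entry; the Removed column only becomes true when -Fix is supplied.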
Fix the user id mismatch issue proactively and everywhere
Solution 1 above fixes the issue “everywhere” at once, but we still assume the user has already hit the issue and submitted a ticket. Can we make it proactive? Can we fix the issue before a user hits the “Access Denied” page because of a user id mismatch?
Apparently, we need to know, at the moment we are creating a new user in Entra Id, whether the UPN was used before or not… and if yes, whether that user had access to SharePoint or not. TBC…
References
I’m sharing my code samples at GitHub: Detect and Fix User Id Mismatch issue with PowerShell