There is a known problem in SharePoint called “User ID Mismatch”. It happens when a user account is deleted from Entra ID and a new account is then created with the same UPN (e.g. a rehired person, or a person with a common name like John Smith). As a result, the user experiences inconsistencies such as “Access denied” errors.
Microsoft knows about the User ID Mismatch issue and offers the following solutions:
- SharePoint Admin: run the “Site User Mismatch” diagnostic. “The diagnostic performs a large range of validations for internal users and guests who try to access SharePoint and OneDrive sites“
- SharePoint Admin: run the “Check User Access” diagnostic. “The diagnostic performs a large range of verifications for internal users and guests who try to access SharePoint and OneDrive sites“
- Site Admin: remove the account from the UserInfo list, either via the admin page “/_layouts/15/people.aspx?MembershipGroupId=0” or via PowerShell “Remove-SPOUser”
I wish my users did not have such issues, as it is a pretty awful experience when a user requests access to a site, the site owner approves it, but the user still cannot access the site, so the user requests access again, the owner approves it again, and so on… So I’m asking myself:
- What exactly do Microsoft’s diagnostics do?
- All of Microsoft’s fixes are for one specific site, but usually a user has access to many sites, so is there a way to fix the issue “everywhere” at once?
- Can we be proactive here and fix the issue before the user submits a ticket?
Let us go deeper into the issue and find a more consistent solution.
Diag: Site User ID mismatch
When you run this diagnostic, it asks for a site URL and a UPN, then it says:
We found a SharePoint site user with a mismatched ID.
The user with the mismatched ID will need to first be removed and then the SharePoint site will need to be re-shared with them. If you would like, we can attempt to remove the user with the mismatched ID from the SharePoint site.
Once the user with the mismatched ID has been successfully removed, follow Share a Site to provide the user with the appropriate permissions within the site.
This action will remove the user from the site, including any permissions they have been previously granted.

Diag: Check SharePoint User Access
This diag does the same:

Let us run it.
Success!
Now that the user with the mismatched ID has been removed, you may need to Share a Site with them; depending on the permissions set for your organization and for the specific site.

Actually, Microsoft not only removes the user from the UIL (UserInfo list) but also adds a new one (without permissions).
Detecting and Fixing the issue with PowerShell
You can use PowerShell to detect whether a user’s permission problem is actually a User ID mismatch, and to fix it. Specifically, I will use the PnP.PowerShell module v3.1. Here is what you’d do:
#
# Script to detect and fix UserId mismatch issue
# Connection parameters (placeholders - replace with your tenant's values)
$orgname    = "contoso"                                   # tenant name, e.g. contoso.sharepoint.com
$tenantId   = "00000000-0000-0000-0000-000000000000"      # Entra ID tenant id
$ClientId   = "00000000-0000-0000-0000-000000000000"      # app registration used for PnP app-only auth
$Thumbprint = "0000000000000000000000000000000000000000"  # thumbprint of the certificate for that app
$upn = "John.Smith@$orgname.onmicrosoft.com"
# Admin connection is used for the Entra Id and User Profile lookups
$connectionAdmin = Connect-PnPOnline -ReturnConnection -Url "https://$orgname-admin.sharepoint.com" -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId
# 1. get user object from Entra Id
$adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Identity $upn
$adUser | fl
# 2. Get user profile properties from SharePoint User Profiles Service
$UserProp = Get-PnPUserProfileProperty -Connection $connectionAdmin -Account $upn
$UserProp | fl
# 3. Get user object from specific site collection
$siteUrl = "https://$orgname.sharepoint.com/teams/UserIDMismatchTest03"
$connectionToSite = Connect-PnPOnline -ReturnConnection -Url $siteUrl -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId
$connectionToSite.Url
$siteUser = Get-PnPUser -Connection $connectionToSite -Identity ("i:0#.f|membership|$upn") -Includes AadObjectId
$siteUser | fl
$siteUser.AadObjectId | fl
$siteUser.UserId | fl
# compare objects - the Entra Id object id and the id stored in the site's UIL should match
# if they do not match - delete the user object from site UIL and add the user again to the site (not providing permissions)
if ($siteUser -and $siteUser.AadObjectId.NameId -ne $adUser.Id) {
    Write-Host "User Id mismatch detected: site UIL has $($siteUser.AadObjectId.NameId), Entra Id has $($adUser.Id)"
    # Fix the issue by removing the user and re-adding
    Remove-PnPUser -Connection $connectionToSite -Identity ("i:0#.f|membership|$upn") -Force
    Get-PnPUser -Connection $connectionToSite
    $web = Get-PnPWeb -Connection $connectionToSite
    # EnsureUser is a CSOM call: it is only sent to the server when the pending query is executed
    $null = $web.EnsureUser("i:0#.f|membership|$upn")
    Invoke-PnPQuery -Connection $connectionToSite
}
Fix the issue “everywhere” at once
The issue is scoped to a specific site (site collection). The PowerShell-based solution above and all of Microsoft’s fixes are designed for one specific site, but in real life the “old id user” had access to many sites and the “new id user” has access to many sites, so after several “access denied” errors a user might be confused and ask SharePoint admins to fix the issue “everywhere” at once (e.g. a senior leader you do not want to bother with “please provide us the list of site URLs you are having issues with”).
So how do we fix the User ID Mismatch issue on all sites for a specific user?
Solution 1:
- Get list of all tenant sites
- For every site – check if the user is in the UIL
- If yes – check if this is a User Id Mismatch case
- If yes – remove the user from UIL
This is a complete solution, i.e. it should fix not only the issues a user is currently having but also all future issues in the tenant for the same user. But it is a “heavy” solution: it should work well for small companies but might not be feasible for enterprises.
Solution 2:
- Get audit log – filter by user and “AccessDenied” pages
- Select sites where user hit “AccessDenied” page – make a unique list of such sites
- For every site – check if this is a User Id Mismatch case
- If yes – remove the user id from site’s UIL
This solution should work faster, but it does not guarantee that all future issues are fixed, i.e. it is possible the user will hit more User ID mismatch issues in the future, which is frustrating…
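Solution 1 written out as a script (and Solution 2 as well, since only the site list differs: feed it the unique site URLs taken from the audit log instead of Get-PnPTenantSite). This is an added example, not code from the original post or its GitHub samples; it assumes the $connectionAdmin, $ClientId, $Thumbprint and $tenantId variables from the script above, and the function names are my own.

```powershell
# Added example: detect and fix the User Id mismatch for one user on many sites.
# Assumes $connectionAdmin (PnP connection to the -admin site), $ClientId, $Thumbprint, $tenantId.

function Get-MismatchedSiteUser {
    # Returns $null when the user is not in this site's UIL or the ids match,
    # otherwise the site connection plus the stale id stored in the UIL.
    param([string]$SiteUrl, [string]$Upn, [string]$EntraObjectId)
    $conn  = Connect-PnPOnline -ReturnConnection -Url $SiteUrl -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId
    $login = "i:0#.f|membership|$Upn"
    $siteUser = $null
    try { $siteUser = Get-PnPUser -Connection $conn -Identity $login -Includes AadObjectId } catch { }
    if (-not $siteUser) { return $null }               # user never touched this site
    $storedId = $siteUser.AadObjectId.NameId
    if ($storedId -and $storedId -ne $EntraObjectId) {
        return [pscustomobject]@{ Connection = $conn; Login = $login; StoredId = $storedId }
    }
    return $null
}

function Repair-UserIdMismatchEverywhere {
    # $ReportOnly lists the affected sites without changing anything.
    param([string]$Upn, [string[]]$SiteUrls, [switch]$ReportOnly)
    $adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Identity $Upn
    if (-not $adUser) { throw "User $Upn not found in Entra Id" }
    foreach ($url in $SiteUrls) {
        $m = Get-MismatchedSiteUser -SiteUrl $url -Upn $Upn -EntraObjectId $adUser.Id
        if (-not $m) { continue }
        Write-Host "$url : UIL has $($m.StoredId), Entra Id has $($adUser.Id)"
        if ($ReportOnly) { continue }
        # Same fix as the Microsoft diagnostic: remove the stale entry, re-add without permissions
        Remove-PnPUser -Connection $m.Connection -Identity $m.Login -Force
        $web = Get-PnPWeb -Connection $m.Connection
        $null = $web.EnsureUser($m.Login)
        Invoke-PnPQuery -Connection $m.Connection
    }
}

# Solution 1: every site collection in the tenant (heavy, but complete).
# For Solution 2, replace $allSites with the unique site URLs from the AccessDenied audit events.
$allSites = (Get-PnPTenantSite -Connection $connectionAdmin).Url
Repair-UserIdMismatchEverywhere -Upn "John.Smith@contoso.onmicrosoft.com" -SiteUrls $allSites -ReportOnly
```

Run once with -ReportOnly to review the list of affected sites, then without it to apply the fix; the user still has to be re-shared on each site afterwards, exactly as after the Microsoft diagnostic.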
Fix the user id mismatch issue proactively and everywhere
Solution 1 above fixes the issue “everywhere” at once, but we still assume the user has already hit the issue and submitted a ticket. Can we make it proactive? Can we fix the issue before the user hits the “Access Denied” page because of a user ID mismatch?
Apparently, we need to know, at the moment we are creating a new user in Entra ID, whether the ID was used before or not, and if yes, whether that user had access to SharePoint. TBC…
References
I’m sharing my code samples on GitHub: Detect and Fix User Id Mismatch issue with PowerShell