There is a known problem in SharePoint called “User ID Mismatch”. It happens when a user account is deleted from the directory and then a new account is created with the same UPN (e.g. a rehired person, or a person with a common name like John Smith). In other words, a re-used user name in the directory triggers the SharePoint User ID Mismatch issue. The symptoms: a user requests access to a site, the site owner approves the request, but the user still cannot open the site and gets “Access denied” errors.
SharePoint User ID Mismatch Issue Explained
The reason is that SharePoint keeps user data in its own database, including not only the UPN but also the local AD SID and the Entra ID object ID. So when a re-used UPN tries to access the site, SharePoint denies access, and that makes sense: we do not know whether the user is the same person (rehired) or a different one (same name). A rehired person might come back in a different role, and a different person with the same name definitely should not get access automatically. So access needs to be re-granted, and that is where the actual issue appears. Once a site owner approves the new user’s request, SharePoint does not update the user in the UIL (User Information List) to the new identity. So to the site owner it looks like access has been granted, but in fact it has not. Instead of fixing this in the product, Microsoft developed a separate “fix”. What needs to be done is to remove the old user from the UIL. That is it. Once the old user ID is removed from the site, the newly added user ID should not have access issues.
One more note. Deleting a user from the UIL does not actually clear everything related to the user. User information stays in hidden databases (e.g. if you look at a document’s version history on the site, you can still see the user’s name, etc.).
Even more gotchas. Every user or group on the site has a “site user ID”, an integer, e.g. the first user/group added to a site would have ID 1. Deleting and re-adding the same user keeps that site user ID; in the re-used UPN case, the new user gets a different number.
Solutions to fix the SharePoint User ID Mismatch Issue
So there are 3 possible solutions:
- by admin, via Microsoft 365 Admin Center, using Diagnostics tools
- by site owner or admin, via site settings and “MembershipGroupId=0” trick
- by site owner or admin, with PowerShell
Fixing the SharePoint User ID Mismatch Issue with Microsoft Diagnostic
So Microsoft knows about the User ID Mismatch issue and offers the following solutions:
- SharePoint Admin: run the “Site User Mismatch” diagnostic
“The diagnostic performs a large range of validations for internal users and guests who try to access SharePoint and OneDrive sites“
- SharePoint Admin: run the “Check User Access” diagnostic
“The diagnostic performs a large range of verifications for internal users and guests who try to access SharePoint and OneDrive sites“
I wish my users did not have such issues, as it is a pretty awful experience when a user requests access to a site, the site owner approves it, but the user still cannot access the site, so the user requests access again, the owner approves it again, and so on… So I’m asking myself:
- What exactly do Microsoft’s diagnostics do?
- All of Microsoft’s fixes are for one specific site, but usually a user has access to many sites, so is there a way to fix the issue “everywhere” at once?
- Can we be proactive here and fix the issue before the user submits a ticket?
Let us dig deeper into the issue and find a more consistent solution.
Diag: Site User ID mismatch
When you run this, it asks for a site URL and a UPN, then it says:
We found a SharePoint site user with a mismatched ID.
The user with the mismatched ID will need to first be removed and then the SharePoint site will need to be re-shared with them. If you would like, we can attempt to remove the user with the mismatched ID from the SharePoint site.
Once the user with the mismatched ID has been successfully removed, follow Share a Site to provide the user with the appropriate permissions within the site.
This action will remove the user from the site, including any permissions they have been previously granted.

Diag: Check SharePoint User Access
This diag does the same:

Let us run it.
Success!
Now that the user with the mismatched ID has been removed, you may need to Share a Site with them; depending on the permissions set for your organization and for the specific site.

Actually, Microsoft not only removes the user from the UIL but also adds a new one (without permissions).
Fixing the SharePoint User ID Mismatch Issue with Site Settings
This option is available to site owners or site collection admins, but it is only practical when there are not many site users. If you have thousands of users in the site, it might be difficult to find the user in the UIL.
As site owner or admin, navigate to Site Settings -> Site Permissions -> Advanced Permissions -> select any group, then change the group ID number in the browser address bar (URL) to “0”, so it looks like:
https://domain.sharepoint.com/teams/mySite/_layouts/15/people.aspx?MembershipGroupId=0
then find the user in the list and delete it (Actions -> Delete User from Site Collection).
Here is what Microsoft says: remove account from the UserInfo list
Detecting and Fixing the issue with PowerShell
You can use PowerShell to detect whether a user’s permission problem is actually the User ID Mismatch issue, and to fix it. Specifically, I will use the PnP.PowerShell module v3.1. Here is what you’d do:
# this script
# 1) detects if there is a User ID Mismatch issue on the site
# 2) if yes - deletes the user ID from the site and adds it again (with no permissions)
# NB! removing the user from the UIL also removes all of the user's permissions, so the user needs to request permissions again - but this time it should work
# NB! due to the nature of the user ID mismatch issue these could be two different users - removing the user's permissions is OK
# parameters
# specify the tenant, app credentials (certificate auth), user email and site URL here:
$orgname    = "contoso"                          # placeholder: your tenant name
$ClientId   = "<app-registration-client-id>"     # placeholder: Entra app registration used by Connect-PnPOnline
$Thumbprint = "<certificate-thumbprint>"         # placeholder: certificate registered on that app
$tenantId   = "$orgname.onmicrosoft.com"         # placeholder: tenant id or initial domain
$userEmail  = "John.Smith@$orgname.onmicrosoft.com"
$siteUrl    = "https://$orgname.sharepoint.com/teams/UserIDMismatchTest03"
# end of parameters section
#
# authenticate to the tenant admin site (Get-PnPUserProfileProperty requires an admin-site connection)
$connectionAdmin = Connect-PnPOnline -ReturnConnection -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId -Url "https://$orgname-admin.sharepoint.com"
$connectionAdmin.Url
# let's find the user in Entra ID:
# try to get the user by email (in most cases email equals UPN)
$adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Identity $userEmail
if (-not $adUser) {
    # otherwise (in case UPN -ne email) let us try to find the user by the mail attribute
    $filter = "Mail eq '" + $userEmail + "'"
    $adUser = Get-PnPAzureADUser -Connection $connectionAdmin -Filter $filter
}
if ($adUser) {
    $upn = $adUser.UserPrincipalName
    Write-Host "Found user in Entra ID: " $adUser.DisplayName
    if (-not $adUser.AccountEnabled) {
        Write-Host "Note that the user's Entra ID account is disabled."
    }
} else {
    Write-Host "Could not find user in Entra ID." -ForegroundColor Yellow
    Write-Host "Please double-check the email specified: " $userEmail -ForegroundColor Yellow
    exit 1
}
# now we need to pull the user profile from the UPSA (User Profile Service Application)
# Get-PnPUserProfileProperty returns a PersonProperties object; the raw profile properties
# (SID, msOnline-ObjectId, ...) live in its UserProfileProperties dictionary
$userProps = $null
$userProps = Get-PnPUserProfileProperty -Connection $connectionAdmin -Account $upn
if ($userProps) {
    Write-Host "Found user in SharePoint User Profile Service: " $userProps.AccountName
} else {
    Write-Host "Could not find user in SharePoint User Profile Service." -ForegroundColor Yellow
    exit 1
}
# let's connect to the site
$connectionToSite = Connect-PnPOnline -ReturnConnection -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId -Url $siteUrl
if (-not $?) {
    Write-Host "Could not connect to site:" $siteUrl -ForegroundColor Yellow
    exit 1
}
# let's get the site
$site = Get-PnPSite -Connection $connectionToSite
if ($?) {
    Write-Host "Connected to site:" $siteUrl
} else {
    Write-Host "Could not connect to site:" $siteUrl -ForegroundColor Yellow
    exit 1
}
# let's get the site user (the UIL entry for this login name)
# Get-PnPUser -Connection $connectionToSite
$siteUser = $null
$siteUser = Get-PnPUser -Connection $connectionToSite -Identity ("i:0#.f|membership|$upn") -Includes AadObjectId
if ($siteUser) {
    Write-Host "Found user in the site: " $siteUser.Title
} else {
    # nothing to compare against: the user was never added to this site's UIL
    Write-Host "Could not find user in the site: " $upn -ForegroundColor Yellow
    exit 1
}
# now we detect if there is a user id mismatch issue
# normally the user id and SID should be the same in all 3 user objects: Entra ID, UPSA and site
$userIdMismatch = $false
# compare SID from site and UPSA
# the UPSA SID is stored as a claim (e.g. i:0h.f|membership|<sid>@live.com); keep only the <sid> part
$upsaSID = ($userProps.UserProfileProperties["SID"].split("|") | Select-Object -Last 1).split("@") | Select-Object -First 1
if ($upsaSID -ne $siteUser.UserId.NameId) {
    Write-Host "SID mismatch found." -ForegroundColor Yellow
    Write-Host "SID from User Profile:" $upsaSID
    Write-Host "SID from Site User :" $siteUser.UserId.NameId
    $userIdMismatch = $true
}
# compare user id from site and UPSA
if ($userProps.UserProfileProperties["msOnline-ObjectId"] -ne $siteUser.AadObjectId.NameId) {
    Write-Host "User directory object Id mismatch found." -ForegroundColor Yellow
    Write-Host "User Id from User Profile:" $userProps.UserProfileProperties["msOnline-ObjectId"]
    Write-Host "User Id from Site User :" $siteUser.AadObjectId.NameId
    $userIdMismatch = $true
}
# compare user id from site and directory
if ($adUser.Id -ne $siteUser.AadObjectId.NameId) {
    Write-Host "User directory object Id mismatch found." -ForegroundColor Yellow
    Write-Host "User Id from Directory:" $adUser.Id
    Write-Host "User Id from Site User:" $siteUser.AadObjectId.NameId
    $userIdMismatch = $true
}
if ($userIdMismatch) {
    Write-Host "The User ID Mismatch issue was found on the site for the user."
    Write-Host "We'll remove the user from the UIL, which also removes all of the user's permissions."
    Write-Host "The user will need to request permissions again - but this time it should work."
} else {
    Write-Host "We did not find a User ID Mismatch issue on the site." -ForegroundColor Green
    exit
}
# Next, we'll ask for confirmation, then delete the user id from the site and add it back
$confirmation = Read-Host "Please confirm (y/n)"
if ($confirmation.ToLower() -ne "y") {
    Write-Host "User deletion was not confirmed. The issue is not fixed."
    Read-Host "Press any key to exit"
    exit
}
# Fix the issue by removing the user and re-adding
# remove
Remove-PnPUser -Connection $connectionToSite -Identity ("i:0#.f|membership|$upn") -Force
if ($?) {
    Write-Host "Successfully removed user from site."
} else {
    Write-Host "Something went wrong... Could not remove user from site." -ForegroundColor Yellow
    exit 1
}
# add (EnsureUser is queued on the client context; Invoke-PnPQuery sends it to the server)
$web = Get-PnPWeb -Connection $connectionToSite
$web.EnsureUser("i:0#.f|membership|$upn") | Out-Null
Invoke-PnPQuery -Connection $connectionToSite
# Validate
$newSiteUser = Get-PnPUser -Connection $connectionToSite -Identity ("i:0#.f|membership|$upn") -Includes AadObjectId
if (-not $newSiteUser) {
    Write-Host "Something went wrong... The just-added user was not found on the site..." -ForegroundColor Yellow
    exit 1
}
if ($newSiteUser.Id -ne $siteUser.Id) {
    Write-Host "Added user to the site with no permissions."
} else {
    Write-Host "Something went wrong... The just-added user got the same site user id..." -ForegroundColor Yellow
    exit 1
}
Write-Host "Finished."
Read-Host "Press any key to exit"
exit
Fix the issue “everywhere” at once
The issue is scoped to a specific site (site collection). The PowerShell solution above and all of Microsoft’s fixes are designed for one specific site, but in real life the “old ID user” had access to many sites and the “new ID user” has access to many sites, so after several “access denied” errors a user might get confused and ask the SharePoint admins to fix the issue “everywhere” (ideally, yes: we should not bother users with “please provide us the list of site URLs you are having issues with”, and telling the user “please create a new ticket when you hit the same issue again” does not sound nice either).
So how do we fix the User ID Mismatch issue on all sites for a specific user? I can see 3 approaches:
- Reactive: once we get a “user id mismatch” ticket, we fix the issue for the site in the ticket, and then try to find all sites with the user ID mismatch issue for the same user
- Proactive: we fix the issue before the user hits the Access Denied error caused by the User ID Mismatch issue. For this we need to somehow:
  - detect, at the moment a user is created in the directory, whether it is a re-used ID; if yes, find all sites the previous user had access to and remove the previous user from each site’s UIL
  - at the moment of user termination (deleting the account from the directory), also remove the user from all sites the user had access to
In all cases above we’d need to somehow get the list of all sites the user had access to… How?
3-rd party tools
There are 3rd-party tools (e.g. SysKit Point) with a “report on all permissions granted to a specific user” feature. This is tricky. If the tool relies on the UPN only, we get the data we need, but the report itself is incorrect (it includes the sites with the user ID mismatch issue).
If the 3rd-party tool is aware of the user ID mismatch issue, it will generate a correct report of the resources the user has access to, but that report will not include the user ID mismatch sites.
Solution No 1 (brute force):
- Get list of all tenant sites
- For every site – check if the user is in the UIL
- If yes – check if this is a User Id Mismatch case
- If yes – remove the user from UIL
This is a complete solution, i.e. it should fix the issue for all sites, so in the case of a re-used user ID we should not have issues on any tenant site for that user. But it is a really “heavy” solution: it might work well for small companies, but may not be feasible for enterprises.
So how do we get the list of sites a user had access to without scanning all tenant sites?
Solution No 2 (audit log)
- Get audit log and filter it by user, get list of sites
- reactively we might also select only “AccessDenied” pages
- Make a unique list of accessed sites
- For every site – check if this is a User Id Mismatch case
- If yes – remove the user id from site’s UIL
This solution should work faster, but we might miss sites: the audit log is kept for 90 days by default, so we get the list of recently accessed affected sites, but we cannot be confident we have solved all future issues.
Solution No 3 (MS Graph API)
We can use the Microsoft Graph API to get the groups the user is a direct member of, which gives us the list of group-connected sites. There might also be non-group-connected sites (e.g. communication sites or channel sites)… and there might be public teams…
Another idea is to use the MS Graph People API to retrieve a collection of person objects ranked by their relevance to the user, determined by the user’s communication and collaboration patterns and business relationships. Then we’d expand our search by getting the list of sites these people own.
We can also use search to find all files, documents, pages and list items the user authored…
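The following is an added example that puts Solutions No 1, No 2 and No 3 above side by side; it is not the author’s script and not one of the GitHub samples. It implements the three site-discovery strategies (brute force over all tenant sites, audit log, Graph group memberships) as interchangeable functions, checks each candidate site for a directory object ID mismatch the same way the script above does (site user’s AadObjectId versus the Entra ID user’s Id), and optionally removes and re-adds the user. Assumptions: PnP.PowerShell 3.x with certificate auth ($ClientId, $Thumbprint, $tenantId as in the script above); for the audit-log strategy only, the ExchangeOnlineManagement module with Connect-ExchangeOnline already run (Search-UnifiedAuditLog, whose SharePoint records carry a SiteUrl in their AuditData JSON); Invoke-PnPGraphMethod and Get-PnPMicrosoft365Group -IncludeSiteUrl for the Graph strategy. The function names (Connect-Site, Get-AllTenantSiteUrls, Get-AuditedSiteUrls, Get-GroupSiteUrls, Test-SiteUserIdMismatch, Repair-SiteUser), the "contoso" tenant and the credential values are placeholders of my own; paging of Graph and audit-log results beyond the first page/5000 records is left out.

```powershell
# Added example (not the author's script): discover the sites where a user may have a stale
# UIL entry, check each for a directory object ID mismatch, and optionally remove/re-add the user.
# Assumptions: PnP.PowerShell 3.x, certificate-based app auth; ExchangeOnlineManagement
# (Connect-ExchangeOnline already run) is needed only for the audit-log strategy.

$orgname    = "contoso"                          # placeholder tenant name
$ClientId   = "<app-registration-client-id>"     # placeholder
$Thumbprint = "<certificate-thumbprint>"         # placeholder
$tenantId   = "$orgname.onmicrosoft.com"         # placeholder
$userEmail  = "John.Smith@$orgname.onmicrosoft.com"
$fix        = $false                             # $true = remove and re-add the user in affected sites

function Connect-Site([string]$url) {
    Connect-PnPOnline -ReturnConnection -Url $url -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $tenantId
}

$admin  = Connect-Site "https://$orgname-admin.sharepoint.com"
$adUser = Get-PnPAzureADUser -Connection $admin -Identity $userEmail
if (-not $adUser) { throw "User $userEmail was not found in Entra ID" }
$upn   = $adUser.UserPrincipalName
$login = "i:0#.f|membership|$upn"

# Strategy 1 (brute force): every site collection in the tenant
function Get-AllTenantSiteUrls {
    Get-PnPTenantSite -Connection $admin | Select-Object -ExpandProperty Url
}

# Strategy 2 (audit log): sites the user touched within the retention window (90 days by default);
# only the first 5000 records are read here (no paging), so treat the result as a partial list
function Get-AuditedSiteUrls([int]$days = 90) {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$days) -EndDate (Get-Date) `
        -UserIds $upn -RecordType SharePoint -ResultSize 5000 |
        ForEach-Object { ($_.AuditData | ConvertFrom-Json).SiteUrl } |
        Where-Object { $_ } | Sort-Object -Unique
}

# Strategy 3 (Graph): group-connected sites from the user's direct Microsoft 365 group memberships
function Get-GroupSiteUrls {
    $groups = Invoke-PnPGraphMethod -Connection $admin -Url "users/$upn/memberOf/microsoft.graph.group?`$select=id,groupTypes"
    foreach ($g in $groups.value) {
        if ($g.groupTypes -contains "Unified") {
            (Get-PnPMicrosoft365Group -Connection $admin -Identity $g.id -IncludeSiteUrl).SiteUrl
        }
    }
}

# Check one site: is the login in its UIL, and does the stored directory object ID differ from Entra ID?
function Test-SiteUserIdMismatch([string]$siteUrl) {
    $site = Connect-Site $siteUrl
    $siteUser = Get-PnPUser -Connection $site -Identity $login -Includes AadObjectId -ErrorAction SilentlyContinue
    if (-not $siteUser) { return $null }   # user was never added to this site
    [pscustomobject]@{
        SiteUrl    = $siteUrl
        SiteUserId = $siteUser.Id
        Mismatch   = ($siteUser.AadObjectId.NameId -ne $adUser.Id)
        Connection = $site
    }
}

# Remove the stale UIL entry and re-add the login so the site resolves it to the current directory object
function Repair-SiteUser($result) {
    Remove-PnPUser -Connection $result.Connection -Identity $login -Force
    New-PnPUser -Connection $result.Connection -LoginName $login | Out-Null
}

# Driver: start with the cheapest discovery strategy; lists from all three can be merged with Sort-Object -Unique
$candidates = Get-GroupSiteUrls
foreach ($url in $candidates) {
    $r = Test-SiteUserIdMismatch $url
    if (-not $r) { continue }
    if ($r.Mismatch) {
        Write-Host "User ID mismatch in $($r.SiteUrl) (site user id $($r.SiteUserId))" -ForegroundColor Yellow
        if ($fix) { Repair-SiteUser $r; Write-Host "  removed and re-added without permissions" }
    } else {
        Write-Host "OK: $($r.SiteUrl)" -ForegroundColor Green
    }
}
```

Run it first with $fix left at $false to get a report, and only then with $fix = $true: removal drops every permission the stale entry had, which is intended for the mismatch case but irreversible. Swapping Get-GroupSiteUrls for Get-AuditedSiteUrls or Get-AllTenantSiteUrls in the driver changes only how candidate sites are found; the check and the repair stay the same.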
References
I’m sharing my code samples on GitHub: Detect and Fix User Id Mismatch issue with PowerShell