HELP - Office 365 connector clarifications



Sorry again for returning to this topic.

I have made some posts here and here.

I want to accomplish SSO with the Office 365 connector, but, as I assume more people are in my shoes, I have a local domain and an Office 365 domain that already exists, so I do have users on one side and on the other.

As my Office 365 domain is marked as primary and I have another domain that I can use, I verified that one before running the wizard, so my Office 365 domains list are, and, my Univention server, which exists from a previous AD takeover, has the domain.local

After running the wizard the was federated and that finished with success, but now I cannot understand what I’m doing wrong or how I should use it to avoid the issues I’m getting.

1 - Creating a new.user in UCS with the o365 template gives me an o365 as principalname.
I would like to be able to choose the domain that the user should use (as I have two domains). Assuming that cannot be done… I can manage and go to the o365 portal and add a new SMTP address to that user so he can get email to

2 - Existing users: if I go and check the o365 option in UCS, the problem is bigger, because even though the user.old exists in o365 as what UCS is doing is create a so what to me should be the same user so I can use SSO, I’m getting a new user and a new license consumed in o365.

In the previous posts someone pointed me to creating a new domain in the UCS mail module, but I don’t use UCS mail, so I never had that module. However, I tried and played a bit with /usr/share/pyshared/univention/office365/ and I hardcoded some code to change principalname to replace to and that appears to work well and solve the issue (at least for creating new users with for existing users I’m getting the error

LISTENER ( ERROR ) : o365: Another object with the same value for property userPrincipalName already exists.

Another test that I tried was in o365 in the add an aliases like and then in UCS activate the o365 user, but I get the same error.

Improvement, if it makes sense:
The module should list all the verified domains in o365 and let the user choose the domain when creating the user.

So if someone has the opportunity to clarify for me how this module is supposed to work, or what I’m doing wrong, it is very welcome. It is my understanding that I don’t want to accomplish anything too fancy… but maybe I’m very wrong…

If that is the case, can someone give me some advice on how to accomplish that?


Some more feedback…

After more hardcoding and viewing the listener.log I found more information here and here, and after some try/catch I think I can identify the problems, if someone at Univention can do that.

So by hardcoding the and forcing the principalname to be instead, the new users are created as I intend, but for old users I get the immutable error. After the reading I see that none of the old o365 users have an immutable, so I tried to put the immutable from the log and tried again after, and everything went OK; even when I changed the hardcoded for the domain the changes (deactivate, activate, change information) went OK.

So I’m no expert on this subject, but I hope this can help the Univention team to produce the necessary changes to the connector script.

As it is, I cannot use it because I’m not 100% sure that the hardcoding I introduced is fine in all the other ways.

Please, can someone on the Univention team introduce some kind of UCR variable and adjust the code so it completes the userprincipalname with the domain in that variable?

Another thing that could be a good improvement is a script that can output all the immutableid values of UCS users so we can, via PowerShell, set that immutableid for existing users in o365; doing this we can solve the problem with syncing existing users.
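
The script asked for in the last paragraph, sketched as an added example; it is not part of the original post and not Univention's connector code. It assumes the connector's ImmutableId is the base64 encoding of the LDAP entryUUID string (check one value against the listener log before relying on it); the sample LDIF, the `example.org` domain and all function names are constructed for illustration.

```python
import base64

SAMPLE_LDIF = """\
# constructed sample, shaped like ldapsearch output for uid and entryUUID
dn: uid=user.old,cn=users,dc=domain,dc=local
uid: user.old
entryUUID: 6f1c2b9e-3c57-1038-8f0a-2d4e5a6b7c8d

dn: uid=new.user,cn=users,dc=domain,dc=local
uid:: bmV3LnVzZXI=
entryUUID: 0a1b2c3d-4e5f-1039-9a8b-
 7c6d5e4f3a2b

dn: uid=nouuid,cn=users,dc=domain,dc=local
uid: nouuid
"""

def parse_ldif(text):
    """Yield one {attr: value} dict per entry (folded lines, comments, base64)."""
    entry = {}
    # "\n " is an LDIF continuation; the trailing "" flushes the last entry
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr] = value.strip()

def immutable_id(entry_uuid):
    # ASSUMPTION: ImmutableId is base64 of the entryUUID string; verify first.
    return base64.b64encode(entry_uuid.encode("ascii")).decode("ascii")

def build_mapping(ldif_text, upn_domain):
    """Return ([(upn, immutable_id)], [dn skipped for lack of uid/entryUUID])."""
    rows, skipped = [], []
    for e in parse_ldif(ldif_text):
        if "uid" in e and "entryUUID" in e:
            rows.append((f"{e['uid']}@{upn_domain}", immutable_id(e["entryUUID"])))
        else:
            skipped.append(e.get("dn", "?"))
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = build_mapping(SAMPLE_LDIF, "example.org")  # placeholder domain
    print("\n".join(",".join(r) for r in rows), "\nskipped:", skipped)
```

The resulting UPN/ImmutableId pairs are what the PowerShell step mentioned in the post would consume; entries without an entryUUID are reported rather than given a guessed id.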