Problem:
A user was deleted in UCS. In Office 365 the user is locked, loses its group memberships and is renamed to ZZZ_Deleted.
The restored user is created as a new account in Office 365 and is not reconnected to the existing one.
Solution:
First you can try to reconnect the user with the script attached to Bug 48641.
Direct link to the attachment:
https://forge.univention.org/bugzilla/attachment.cgi?id=11019
You may get an API error using the “-m” option:
"ApiError: Property immutableId is invalid"
It’s not possible to change the immutableId via the API, so you have to change it manually.
Execute the following in Windows PowerShell:
## Caution! The immutableId cannot be set via script when the domain is federated, so we have to briefly change it to a managed domain.
## It is not tested what this will cause. Users will not be able to log in until federation is set up again, but it is unclear whether current sessions are ended or whether connected devices will have to reconnect.
Connect-MsolService
Set-MsolDomainAuthentication -DomainName "office365.dev-univention.de" -Authentication Managed
# maybe wait a minute, otherwise a PowerShell error may occur
# quote marks around "$null" are essential!
Set-MSOLUser -UserPrincipalName <azureuser-UPN> -ImmutableID "$null"
# Now activate federation with the .bat script that was given for the initial setup by the o365 wizard
After following all the steps in Windows PowerShell, you can now connect the users with the script from the bug report:
./o365_connect_azure_to_ucs_user -c o365domain -p <azureuser-UPN> -u <useruser-uid> -a -m
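The PowerShell steps above with state checks added, so the domain is confirmed as Managed before the immutableId is cleared and confirmed as Federated again before the connect script is run. This is an added example, not part of the original article or the script from the bug report; the 5-minute timeout, the polling interval and the helper name Test-DomainFederated are assumptions, as is the expectation that the switch becomes visible through Get-MsolDomain.

```powershell
# Added example. Replace the placeholder UPN with the affected user.
$Domain = "office365.dev-univention.de"   # domain name as used in the steps above
$Upn    = "<azureuser-UPN>"               # placeholder, as in the steps above

Connect-MsolService

# Record the starting state so it is clear what has to be restored afterwards.
$before = (Get-MsolDomain -DomainName $Domain).Authentication
Write-Host "Authentication before change: $before"

Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed

# Poll instead of waiting a fixed minute: continue only once the domain
# reports Managed (assumed timeout: 5 minutes, checked every 10 seconds).
$deadline = (Get-Date).AddMinutes(5)
while ((Get-MsolDomain -DomainName $Domain).Authentication -ne "Managed") {
    if ((Get-Date) -gt $deadline) {
        throw "Domain $Domain did not switch to Managed within 5 minutes"
    }
    Start-Sleep -Seconds 10
}

# Quote marks around "$null" are essential, as noted above.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"

# Confirm the immutableId is really empty before federation is re-enabled.
$user = Get-MsolUser -UserPrincipalName $Upn
if (-not [string]::IsNullOrEmpty($user.ImmutableId)) {
    throw "ImmutableId of $Upn is still set: $($user.ImmutableId)"
}
Write-Host "ImmutableId of $Upn is cleared."

# Hypothetical helper: call it after running the wizard's .bat script.
# It returns $true only when the domain is federated again.
function Test-DomainFederated {
    param([string]$DomainName)
    (Get-MsolDomain -DomainName $DomainName).Authentication -eq "Federated"
}
```

Run `Test-DomainFederated -DomainName $Domain` after the .bat script and start the connect script only when it returns True, since users cannot log in while the domain is still Managed.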