McCloud Cloud

Mastering Microsoft 365 & Azure

How to change ImmutableID for a DircSynced User.

,

During a running project, we were facing a problem with a provisioning of an AzureAD-User and his mailbox. During first Dir-Sync user got a provisioning error and could not be modified or used. We have removed the On-Prem AD user object, in hope that we can simply restore the use in the cloud. After we have deleted On-Prem User object, our Cloud-Object were just stuck in the cloud is was waiting for a successful synchronization for a very long time. So we have created a new user with another UPN and Email-Address, but the old E-mail address was still in use. So we needed to release the old E-mail address from the broken Cloud-Object and add it to the new “Hybrid-User”

In this article I am going to explain:

  • How to change ImmutableID for a directory synchronized user
  • How to resolve synchronization conflict
Table of content

What is ImmutableID?

ImmutableID is an attribute on an AzureAD-User, or MSOL-User. This attribute is an unique identifier to match an On-Premise ADUser with a AzureAD user.

Standard configuration of AzureAD-Connect is using immutableID as a source anchor attribute to match Cloud and Local identity.

How is immutableID generated?

ImmutableID is a “Base64” encoded identity of local objectGUID of an ADUser-object.

So ImmutableID is simply the On-Prem objectGUID of an ADUser.

#ObjectGUID to ImmutableID
$aduser = Get-ADUser UserForestDemouser76 -Properties *

 $immutableid = [Convert]::ToBase64String([guid]::New($aduser.ObjectGUID).ToByteArray())

mS-DS-ConsistancyGUID is the On-Prem Counterpart for ImmutableID and is also generated from ADUser objectGUID

 $aduser = Get-ADUser UserForestDemouser76 -Properties *

 $msdsconsistancyguid = $aduser.ObjectGUID.ToByteArray()

How to change ImmutableID?

  1. Login to you tenant with Global Administrator permissions, by using Connect-AzureAD command which is a part of AzureAD powershell module

If you are using a PIM role like User-Administrator you will get this error.

So you simply need Global Administrator permissions and not a PIM role.

2. Change UPN of your Cloud-User-Object to a *.microsoftonline.com (only for federated users)

Get-MsolUser -UserPrincipalName UserForest.Demouser76@onpremto.cloud | Set-MsolUser -UserPrincipalName 'UserForest.Demouser76@fromonpremtocloud.onmicrosoft.com'

3. Use Set-ADUser -ImmutableID command to change ImmutableID

How to resolve synchronization conflict?

  1. Generate immutableID from the right objectGUID as mentioned above.
  2. Connect to AzureAD with Global Administrator permissions
  3. Change the immutableID by running Set-AzureADUser -immutableID command
Get-AzureADUser -SearchString 'UserForest.Demouser76' | Set-AzureADUser -ImmutableId $immutableid

ImmutableID is now recovered and you can

Start-AADSyncCycle -policytype Delta

I hope you have enjoyed this demystification article.

If you have any questions just leave me a feedback.

Leave a Reply

Your email address will not be published. Required fields are marked *