Set or clear immutable ID
Below are two ways to reset or change the immutable ID. You typically need one of them when you want to start syncing existing users, or when Azure AD Connect reports a sync error for an account that already exists in the cloud.
Calculate and set immutable ID (Recommended)
This method is the best way to make sure that Azure AD Connect performs a proper hard match: we connect to the on-premises AD, derive the immutable ID from the user's objectGUID, and write that value to the user in Azure AD / Office 365. Because the immutable ID is what decides which on-premises object is joined to which cloud account, check that you really have the intended pair of accounts before setting it. First, connect to Active Directory.
Import-Module ActiveDirectory
Now, let's grab the objectGUID of the user and build the ImmutableId from it (the Base64 encoding of the GUID's 16 bytes, which is exactly what Azure AD Connect uses as the source anchor):
$userUPN = "testuser@2azure.nl"
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Now connect to Office 365:
Connect-MsolService
The last command writes the ImmutableId to the Azure AD / Office 365 user:
Get-MsolUser -UserPrincipalName $userUPN | Set-MsolUser -ImmutableId $immutableId
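The steps above set the value blindly. The following is an added example (not part of the original post) that wraps the same procedure in functions and adds the check a practitioner wants before a hard match: it decodes the ImmutableId that is already on the cloud account back to a GUID, compares it with the on-premises objectGUID, and only writes a new value when the two differ. It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run; the UPN is a placeholder taken from the post. Note that Microsoft has deprecated the MSOnline module; with Microsoft Graph PowerShell the same property is written with Update-MgUser -OnPremisesImmutableId, and the helper functions below apply unchanged.

```powershell
# Added example, not from the original post. Assumes ActiveDirectory + MSOnline
# modules are loaded and you are already connected with Connect-MsolService.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is the Base64 form of the GUID's 16 bytes, as Azure AD Connect computes it
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse of ConvertTo-ImmutableId, so an existing cloud value can be compared
    # with the on-premises objectGUID instead of being overwritten unseen
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Test-ImmutableIdMatch {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $adUser = Get-ADUser -LdapFilter "(userPrincipalName=$UserPrincipalName)"
    if (-not $adUser) { throw "No on-premises AD user with UPN $UserPrincipalName" }
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $current   = $cloudUser.ImmutableId
    $decoded   = $null
    if ($current) { $decoded = ConvertFrom-ImmutableId -ImmutableId $current }

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        OnPremObjectGuid    = $adUser.ObjectGUID
        ExpectedImmutableId = $expected
        CurrentImmutableId  = $current
        CurrentDecodesTo    = $decoded   # $null means the cloud account is unmatched
        Matches             = ($current -eq $expected)
    }
}

# Usage: inspect first, then write only when the pairing is confirmed and the value differs.
$result = Test-ImmutableIdMatch -UserPrincipalName 'testuser@2azure.nl'
$result | Format-List
if (-not $result.Matches) {
    # A non-null CurrentDecodesTo that is not your objectGUID means the cloud account is
    # already joined to a different on-premises object; confirm that is intended before continuing.
    Set-MsolUser -UserPrincipalName $result.UserPrincipalName -ImmutableId $result.ExpectedImmutableId
}
```

Run it once without the final Set-MsolUser to review the comparison. Because anyone who can write ImmutableId can decide which on-premises object takes over a cloud account, keep this to privileged admins and record the before and after values.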
Clear immutable ID in Office 365 (Not advised)
The easy way is to clear the immutable ID in Azure AD / Office 365. This makes Azure AD Connect treat the account as never synchronized, so on the next sync it will try a soft match on the UPN or primary SMTP address instead. I wouldn't recommend it, because you lose the explicit link between the on-premises object and the cloud account and have to rely on those attributes being correct. But if you ever need to do it, here are the commands.
Clear ImmutableId for only 1 user:
Get-MsolUser -UserPrincipalName testuser@2azure.nl | Set-MsolUser -ImmutableId $null
Clear ImmutableId for all users:
Get-MsolUser -All | Set-MsolUser -ImmutableId $null
Many thanks for expressing this particular write-up and rendering it public
It was very helpful, thank you very much
After disabling old Active Directory Connect and wanting to sync users from new AD this saved my bacon, thanks a lot!