Set or clear immutable ID
Posted On April 1, 2019
Below are the two options to reset or change the immutable ID. These are sometimes required when you want to sync your users, or when you receive a sync error.
Calculate and set immutable ID (Recommended)
This method is the best way to make sure that AD Connect gets a proper sync. We are going to connect to the on-premises AD, calculate the immutable ID from the user's objectGUID, and set it in Azure AD / Office 365. So first we connect to Active Directory.
Now, let's grab the GUID of the user and create the ImmutableId:
$userUPN = "email@example.com"
# Look the user up by UPN in on-premises AD and take its objectGUID
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
# The ImmutableId is the Base64 encoding of the 16 GUID bytes
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Now connect to Office 365:
The last command writes the ImmutableId to the Azure AD / Office 365 user:
Get-MsolUser -UserPrincipalName $userUPN | Set-MsolUser -ImmutableId $immutableId
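The whole procedure above in one script, added here as a worked example (it is not code from the original post). It assumes the RSAT ActiveDirectory and MSOnline modules are installed, that objectGUID is the AD Connect sourceAnchor as the post assumes, and uses its own function names. It differs from the bare commands in two ways a practitioner usually wants: it checks that the computed value decodes back to the same GUID, and it only writes to Office 365 when the current ImmutableId differs and -Apply is given.

```powershell
# Added example (not from the original post): compute the ImmutableId from the
# on-premises objectGUID and write it to the Azure AD / Office 365 user only
# when it differs from what is already there. Assumes the RSAT ActiveDirectory
# and MSOnline modules are installed, and that objectGUID is the AD Connect
# sourceAnchor (as the post assumes). Function names are this example's own.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $Apply   # without -Apply nothing is written (dry run)
)

Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    param([string] $Upn)
    $adUser = Get-ADUser -LdapFilter "(userPrincipalName=$Upn)"
    if (-not $adUser) { throw "No on-premises AD user with UPN '$Upn'." }
    # Base64 of the 16 GUID bytes is how AD Connect forms the sourceAnchor
    return [System.Convert]::ToBase64String(([guid]$adUser.ObjectGUID).ToByteArray())
}

function Test-ImmutableIdRoundTrip {
    param([string] $ImmutableId, [guid] $Guid)
    # Decoding the string must give back the same GUID; catches a pasted or garbled value
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    return ($bytes.Length -eq 16) -and ([guid]::new($bytes) -eq $Guid)
}

Connect-MsolService   # prompts for Office 365 admin credentials

$adGuid   = [guid](Get-ADUser -LdapFilter "(userPrincipalName=$UserPrincipalName)").ObjectGUID
$expected = Get-ExpectedImmutableId -Upn $UserPrincipalName
if (-not (Test-ImmutableIdRoundTrip -ImmutableId $expected -Guid $adGuid)) {
    throw "Computed ImmutableId does not decode back to the AD objectGUID."
}

$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
Write-Host "AD objectGUID : $adGuid"
Write-Host "Expected ID   : $expected"
Write-Host "Current ID    : $($cloudUser.ImmutableId)"

if ($cloudUser.ImmutableId -eq $expected) {
    Write-Host "ImmutableId already matches; nothing to do."
} elseif ($Apply) {
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    Write-Host "ImmutableId updated."
} else {
    Write-Host "Dry run: re-run with -Apply to write the expected value."
}
```

Run it once without -Apply to see the AD objectGUID next to the current and expected ImmutableId; if the two IDs already match, the sync error has another cause and rewriting the value will not help.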
Clear immutable ID in Office 365 (Not advised)
The easy way is to clear the immutable ID in Azure AD / Office 365. This will let AD Connect think that the account has never been synchronized, and it will sync it based on a soft match. However, I wouldn't recommend it. But if you ever need to do it, here are the commands to do it.
Clear ImmutableId for only 1 user:
Get-MsolUser -UserPrincipalName firstname.lastname@example.org | Set-MsolUser -ImmutableId $null
Clear ImmutableId for all users:
Get-MsolUser -All | Set-MsolUser -ImmutableId $null
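Because the -All variant above clears the value for every synced user in the tenant, here is an added example (not from the original post) that clears the ImmutableId only for an explicit list of UPNs and first saves the current values to a CSV so the change can be reversed with the Set-MsolUser command shown in the first section. It assumes the MSOnline module; the -Apply switch, the backup path and the UPN list are this example's own.

```powershell
# Added example (not from the original post): clear the ImmutableId only for an
# explicit list of UPNs, after saving the current values so the change can be
# reversed. Assumes the MSOnline module; $BackupPath and -Apply are this
# example's own conventions.
param(
    [Parameter(Mandatory)] [string[]] $UserPrincipalName,
    [string] $BackupPath = ".\immutableid-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
    [switch] $Apply   # without -Apply nothing is changed (dry run)
)

Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

# Record the "before" state for every requested user
$backup = foreach ($upn in $UserPrincipalName) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        ImmutableId       = $u.ImmutableId
        LastDirSyncTime   = $u.LastDirSyncTime
    }
}
# Write the backup first; to restore a value later:
#   Set-MsolUser -UserPrincipalName <upn> -ImmutableId <saved value>
$backup | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Saved current ImmutableIds for $($backup.Count) user(s) to $BackupPath"

foreach ($entry in $backup) {
    if (-not $entry.ImmutableId) {
        # Cloud-only users have no ImmutableId, so there is nothing to clear
        Write-Host "$($entry.UserPrincipalName): already empty, skipping"
        continue
    }
    if ($Apply) {
        Set-MsolUser -UserPrincipalName $entry.UserPrincipalName -ImmutableId $null
        Write-Host "$($entry.UserPrincipalName): cleared"
    } else {
        Write-Host "$($entry.UserPrincipalName): would clear $($entry.ImmutableId) (dry run)"
    }
}
```

Keeping the backup CSV matters because once the value is cleared, the only other place the original sourceAnchor can be recomputed from is the on-premises objectGUID, and if that object was deleted or re-created in the meantime the soft match may attach the cloud account to a different AD user than intended.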