[English] Change ImmutableID in Azure Active Directory (AAD/O365) for a Synced and Federated User


In a synced and federated environment where the source anchor is the ImmutableID, that attribute sometimes has to change for one or more users, for example when the objects are migrated or moved to a new forest and therefore get a new ObjectGUID. The following steps are one possible approach to achieve that:
1 – Create a temporary OU in Active Directory (e.g. OU=tempOU,DC=contoso,DC=com) and move the user(s) whose ImmutableID must change into it.

2 – In the Synchronization Service console, open the container selection of the Active Directory management agent and uncheck the temporary OU so that it is out of sync scope.

3 – Run a full synchronization (full import, full sync, export) so that the user(s) in that OU are soft deleted in Azure AD (they land in the Azure AD recycle bin), then temporarily disable scheduled synchronization so no sync cycle runs while the ImmutableID is being changed.

4 – Run the following in Azure AD (MSOnline) PowerShell on a machine that also has the ActiveDirectory module installed:
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService   # sign in with Azure AD/O365 admin credentials when prompted

# Export the UPNs of the users parked in the temporary OU
Get-ADUser -Filter * -SearchBase "OU=tempOU,DC=contoso,DC=com" | Select-Object UserPrincipalName | Export-Csv "C:\AADtemp.csv" -NoTypeInformation
# Managed (non-federated) suffix of the tenant. The UPN is temporarily moved there because
# the ImmutableID of a user in a federated domain cannot be changed in place.
$upnsuffix = "@contoso.onmicrosoft.com"

#THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT
#WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
#TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
Import-Csv "C:\AADtemp.csv" | ForEach-Object {
    $upn = $_.UserPrincipalName
    $upnprefix = $upn.Substring(0, $upn.IndexOf("@"))
    $upntemp = $upnprefix + $upnsuffix
    # Bring the soft-deleted user back from the Azure AD recycle bin
    Restore-MsolUser -UserPrincipalName $upn
    # Move the user to the managed domain and clear the old ImmutableID
    # (the string "$Null" is what the cmdlet accepts to blank the attribute)
    Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName $upntemp
    Set-MsolUser -UserPrincipalName $upntemp -ImmutableId "$Null"
    # New ImmutableID = Base64 of the on-premises ObjectGUID's 16-byte array,
    # which is how Azure AD Connect computes the source anchor
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties ObjectGUID
    $id = [System.Convert]::ToBase64String(([guid]$adUser.ObjectGUID).ToByteArray())
    Set-MsolUser -UserPrincipalName $upntemp -ImmutableId $id
    # Put the federated UPN back
    Set-MsolUserPrincipalName -UserPrincipalName $upntemp -NewUserPrincipalName $upn
}

Test the above PowerShell on a very small set of test accounts before running it against any production users.

5 – Move the users back to their original OUs in Active Directory, re-enable synchronization and run a full sync. Because the ImmutableID in Azure AD now equals the Base64-encoded ObjectGUID of the on-premises object, the objects hard match instead of being created as duplicates.
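Before re-enabling synchronization in step 5, it is worth confirming that every user's Azure AD ImmutableID really equals the Base64 encoding of the on-premises ObjectGUID, since any mismatch means the next full sync will not hard match that object. The following PowerShell is an added example and not part of the original post: the function names ConvertTo-ImmutableId, ConvertFrom-ImmutableId and Test-ImmutableIdMatch are introduced here, the OU path and the sample GUID are assumptions, and it assumes the MSOnline and ActiveDirectory modules are loaded and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). Assumes Import-Module MSOnline,
# Import-Module ActiveDirectory and Connect-MsolService have already been done.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # The ImmutableID is the Base64 encoding of the GUID's 16-byte array
    # (Guid.ToByteArray(), little-endian for the first three fields),
    # NOT the Base64 of the textual GUID string.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: map an ImmutableID shown by Get-MsolUser back to
    # the ObjectGUID it should correspond to in Active Directory.
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-ImmutableIdMatch {
    param([Parameter(Mandatory)][string]$SearchBase)
    # For every user under the OU, compare the expected ImmutableID with the one
    # currently set in Azure AD and report both so mismatches are obvious.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties ObjectGUID | ForEach-Object {
        $expected = ConvertTo-ImmutableId -ObjectGuid $_.ObjectGUID
        $cloud = Get-MsolUser -UserPrincipalName $_.UserPrincipalName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            UserPrincipalName   = $_.UserPrincipalName
            OnPremObjectGuid    = $_.ObjectGUID
            ExpectedImmutableId = $expected
            CloudImmutableId    = if ($null -ne $cloud) { $cloud.ImmutableId } else { '<user not found>' }
            Match               = ($null -ne $cloud -and $cloud.ImmutableId -eq $expected)
        }
    }
}

# Sanity check of the conversion itself on a constructed GUID (no directory access needed)
$sample  = [guid]'12345678-9abc-def0-1234-56789abcdef0'   # constructed value, not a real object
$encoded = ConvertTo-ImmutableId -ObjectGuid $sample
$decoded = ConvertFrom-ImmutableId -ImmutableId $encoded
if ($decoded -ne $sample) { throw "ImmutableID round-trip failed" }

# List only the users that would NOT hard match on the next full sync (OU path is an assumption)
Test-ImmutableIdMatch -SearchBase "OU=tempOU,DC=contoso,DC=com" |
    Where-Object { -not $_.Match } |
    Format-Table -AutoSize
```

Run this while the users are still in the temporary OU and synchronization is still disabled; an empty result means every object carries the ImmutableID that Azure AD Connect will derive from the new ObjectGUID, so step 5 can proceed. A row for a user whose CloudImmutableId is empty or differs usually means the Set-MsolUser call for that user failed (for instance because the UPN had not been moved to the managed domain first).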
