Set Immutable ID to $Null, Soft-Match/Hard-Match in O365

An ImmutableID value on an Office 365 user shows that the object is linked to an on-premises Active Directory account (which may or may not have a mailbox on an on-premises Exchange server). The ImmutableID is the source anchor that Azure AD Connect uses to pair the two objects, so any user that is syncing from on-premises to Office 365 will have one set in the cloud.

Converting a Synced with AD user into an In Cloud user is done like this:

1) Move the user to an Organizational Unit at on-premises that is outside the AAD Connect sync scope.

2) Run a sync with AAD Connect. The user has left the sync scope, so the cloud object is deleted (it lands in Deleted users).

3) Restore the user from Deleted users in the Office 365 Admin Center and give the account a new password.

The user is now an In Cloud user.

After the conversion the ImmutableID attribute still holds the old value; it does not become null. If you now try to soft-match this In Cloud user with a new on-premises user that has the same UPN, the match fails precisely because the cloud object still carries an ImmutableID: instead of matching, the sync creates a second cloud user whose UPN has digits appended to it.

PowerShell to check the ImmutableID attribute in the cloud (the MSOnline cmdlets used throughout this post have been deprecated by Microsoft; the Microsoft Graph PowerShell equivalents are Get-MgUser with -Property OnPremisesImmutableId and Update-MgUser with -OnPremisesImmutableId):

Open PowerShell with Run as Administrator:

Connect-MsolService    (enter Global Admin credentials for Office 365)
Get-MsolUser -UserPrincipalName [email protected] | Select-Object ImmutableId

For the soft match to take place, two things must be true: the duplicate user with the digits appended to its UPN must be deleted, and the ImmutableID of the In Cloud user must be cleared. Before running the sync from AAD Connect, also make sure the In Cloud user has exactly the same User Principal Name as the user on-premises; the soft match keys on the UPN and the primary SMTP address, so they must line up.

Clear the ImmutableID with:

Set-MsolUser -UserPrincipalName [email protected] -ImmutableId "$null"

Note: run the command with the quotes around $null. Inside double quotes $null expands to an empty string, and it is the empty string that clears the attribute; passing a bare $null leaves the ImmutableID unchanged.

Delete the newly created Synced with AD user with the digits in its UPN, then purge it from the recycle bin so that it cannot be matched again on the next sync:

Remove-MsolUser -UserPrincipalName [email protected] -Force
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin -Force

Finally run the AAD Connect sync. This time it soft-matches the on-premises user with the In Cloud user [email protected], and that same In Cloud user becomes a Synced with AD user again instead of a second, numbered object being created.

If you are still facing issues with the soft match, follow the hard-match process.

Hard Match Process:

Make the In Cloud user's ImmutableID equal to the on-premises user's objectGUID (exported with ldifde, which writes it base64-encoded, the same encoding the ImmutableID uses). Caveat: newer Azure AD Connect installations use mS-DS-ConsistencyGuid rather than objectGUID as the source anchor; if that attribute is populated on the on-premises user, the ImmutableID must match it instead (AAD Connect seeds it from the objectGUID on first sync, so the two values are usually identical, but check before you set anything).

Export the objectGUID value of all users from the local Active Directory:

Open PowerShell with Run as Administrator on a domain-joined machine that has the AD DS tools installed:

ldifde -f objectguid.txt -r "(userPrincipalName=*)" -l "objectGuid,userPrincipalName"

The command writes the objectGUID and userPrincipalName of every user that has a UPN to objectguid.txt in the current working directory (for example C:\ if that is where the prompt is), as an LDIF text file.

Open the file in Notepad and search for the user by the userPrincipalName field. Copy the objectGUID value; it is a base64 string, already in the form the ImmutableID expects.

Connect PowerShell to Office 365:

Connect-MsolService  (enter Global Admin credentials for Office 365)
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId De7ppAsUlkup05KZVqXtUATd

Note: De7ppAsUlkup05KZVqXtUATd is the objectGUID value exported from on-premises AD by the ldifde command above. Setting it on the In Cloud user forces the link to that on-premises object; then re-run the sync. This only works on an In Cloud user, because the ImmutableID of an object that is still DirSync-enabled cannot be changed.

After this step the In Cloud user hard-matches the on-premises user and becomes a Synced with AD user in Office 365. Double-check the value before you set it: the ImmutableID is the link that lets on-premises changes, including synced password hashes, flow into the cloud account, so a hard match against the wrong objectGUID hands that cloud account to whoever controls the wrong on-premises object.
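The whole check-and-fix sequence in one script, as an added example that is not from the original post: it computes the expected ImmutableID from the on-premises user (mS-DS-ConsistencyGuid if populated, otherwise objectGUID), decodes the cloud value back to a GUID so the two can be read side by side, and only writes the anchor when they differ. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run as a Global Admin, and that the on-premises and cloud accounts share the UPN you pass in; the function names and the sample UPN are this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory and
# MSOnline modules are installed and Connect-MsolService has already been run as a
# Global Admin. Function names and the sample UPN below are this example's own.

Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    # Returns the base64 string Azure AD Connect uses as the source anchor for the
    # on-prem user: mS-DS-ConsistencyGuid when populated, otherwise objectGUID.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
                         -Properties 'mS-DS-ConsistencyGuid'
    if (-not $adUser) { throw "No on-prem user with UPN $UserPrincipalName" }
    $bytes = if ($adUser.'mS-DS-ConsistencyGuid') {
        [byte[]]$adUser.'mS-DS-ConsistencyGuid'
    } else {
        $adUser.ObjectGUID.ToByteArray()
    }
    return [Convert]::ToBase64String($bytes)
}

function ConvertFrom-ImmutableId {
    # Decodes a cloud ImmutableID back into a GUID so it can be compared with
    # what Active Directory Users & Computers shows.
    param([Parameter(Mandatory)][string]$ImmutableId)
    return [Guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-ImmutableIdMatch {
    # Reports the cloud ImmutableID, its decoded GUID, the on-prem anchor and
    # whether they agree. A mismatch is exactly the state that breaks soft match.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $expected = Get-ExpectedImmutableId -UserPrincipalName $UserPrincipalName
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        CloudImmutableId    = $cloud.ImmutableId
        CloudGuid           = if ($cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
        ExpectedImmutableId = $expected
        Matches             = ($cloud.ImmutableId -eq $expected)
    }
}

function Repair-ImmutableId {
    # Hard match: stamp the on-prem anchor onto the In Cloud user. The cmdlet
    # fails on an object that is still DirSync-enabled; convert it to In Cloud
    # first. Supports -WhatIf so the intended value can be reviewed before it
    # is written, since the wrong anchor hands the cloud account to the wrong
    # on-prem object.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $state = Test-ImmutableIdMatch -UserPrincipalName $UserPrincipalName
    if ($state.Matches) {
        Write-Verbose "Already matched: $($state.CloudImmutableId)"
        return $state
    }
    $target = "$UserPrincipalName (currently '$($state.CloudImmutableId)')"
    if ($PSCmdlet.ShouldProcess($target, "set ImmutableID to $($state.ExpectedImmutableId)")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $state.ExpectedImmutableId
    }
    return Test-ImmutableIdMatch -UserPrincipalName $UserPrincipalName
}

# Usage (the UPN is a placeholder):
# Test-ImmutableIdMatch -UserPrincipalName 'user@contoso.com' | Format-List
# Repair-ImmutableId   -UserPrincipalName 'user@contoso.com' -WhatIf
# Repair-ImmutableId   -UserPrincipalName 'user@contoso.com' -Verbose
# then run a delta sync from AAD Connect: Start-ADSyncSyncCycle -PolicyType Delta
```

Run Test-ImmutableIdMatch first on its own: a CloudGuid that decodes to a GUID belonging to some other on-premises object (or to an object that no longer exists) is the usual reason a soft match silently produces a numbered duplicate, and seeing the decoded GUID makes that obvious before anything is changed.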

Thanks a ton for reading my above blog. If you have any comments, suggestions, or feedback please spare a second to post it.
