AAD Connect - PowerShell Script to clear or reset Azure ImmutableID on 2000+ objects?

David Thompson 1 Reputation point
2020-08-06T16:36:54.66+00:00

We are moving from 3rd party Federation provider to on-premise AAD Connect service for 2 x on-prem domains. Every object synced previously by the Federation partner has a different value for ImmutableID in AAD than on-prem value. Before we can run first sync from AAD Connect we need to change the Azure ImmutableID for approx. 2000 objects to match the on-prem values for hard match.

I understand we have to move each Azure user/group from Federated domain to Managed domain before we can change the ImmutableID, and then we can clear or reset on move back to the Federated domain, and have done this successfully for several individual users.

I have a CSV with the correct ImmutableIDs and UPNs for all affected users, but need a script to do this efficiently for the remaining objects.

Hope someone can assist.

Microsoft Entra ID

4 answers

  1. 2020-08-06T19:01:00.133+00:00

    You might try the Microsoft Graph preview PowerShell module. Like this, assuming the CSV file contains both ImmutableId and Id fields.

    Connect-Graph -Scopes "User.ReadWrite.All"
    Get-Content -Path {csv file path} | ConvertFrom-Csv | foreach { Update-MgUser -OnPremisesImmutableId $_.ImmutableId -UserId $_.Id }

    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.


  2. David Thompson 1 Reputation point
    2020-08-07T08:38:54.027+00:00

    Ok thanks but when I try that I got an error:

    Update-MgUser -OnPremisesImmutableId BoIXHkBlM064in432nqicA== -UserId abc@Company portal .com

    Update-MgUser_UpdateExpanded: One or more properties contains invalid values.

    I tried changing permissions to User.ManageIdentities.All but same error. I find if I change UPN from Federated to Managed it works ok, but I was hoping to avoid that step, but...

    This eventually worked for me - prep a CSV with UPN1 (user@*mydomain.com), UPN2 (user@*.onmicrosoft.com), ImmutableId:

    Get-Content -Path {csv file path} | ConvertFrom-Csv | foreach { Update-MgUser -UserId $_.UPN1 -UserPrincipalName $_.UPN2 -OnPremisesImmutableId $_.ImmutableId }

    # Same CSV
    Get-Content -Path {csv file path} | ConvertFrom-Csv | foreach { Update-MgUser -UserId $_.UPN2 -UserPrincipalName $_.UPN1 }


    So, step 1, move from Fed to Managed domain and overwrite new ImmutableId; step 2 immediately move back to Fed domain.

    I'm sure some PS guru could do this in one line?

    Thanks for pointing me in the right direction.


  3. 2020-08-07T21:09:00.543+00:00

    Get-Content -Path {csv file path}| ConvertFrom-Csv | foreach { Update-MgUser -UserId $_.UPN1 -UserPrincipalName $_.UPN2 -OnPremisesImmutableId $_.ImmutableId; Update-MgUser -UserId $_.UPN2 -UserPrincipalName $_.UPN1 }


    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

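A fuller version of that one-liner, added here as an example (it is not from the thread or from Microsoft): it keeps the same two-step swap but adds the checks a practitioner would want before running it against 2000 objects. Each ImmutableId is validated as a base64 GUID, users that already match are skipped, the user is addressed by object Id so the UPN rename in step 1 does not invalidate the handle, the result is verified after step 2, and a per-user outcome log is written. It assumes the Microsoft.Graph PowerShell SDK and the CSV layout from the answer (columns UPN1, UPN2, ImmutableId).

```powershell
# Added example, not code from the thread: the answer's two-step swap wrapped in a loop
# with validation, a post-change check and a per-user result log. Assumes the
# Microsoft.Graph SDK and a CSV with columns UPN1, UPN2, ImmutableId (as in the answer).
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [switch] $ReportOnly   # list what would change without writing anything
)

Connect-MgGraph -Scopes "User.ReadWrite.All" | Out-Null

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $status = 'Updated'; $detail = ''
    try {
        # ImmutableId is the on-prem objectGUID in base64, so it must decode to 16 bytes.
        if ([Convert]::FromBase64String($row.ImmutableId).Length -ne 16) {
            throw "ImmutableId '$($row.ImmutableId)' is not a base64-encoded GUID"
        }
        # Address the user by object Id so the UPN rename in step 1 does not change the handle.
        $user = Get-MgUser -UserId $row.UPN1 -Property Id,OnPremisesImmutableId -ErrorAction Stop

        if ($user.OnPremisesImmutableId -ceq $row.ImmutableId) {   # base64 is case-sensitive
            $status = 'Skipped'; $detail = 'already matches'
        }
        elseif ($ReportOnly) {
            $status = 'Planned'; $detail = "$($user.OnPremisesImmutableId) -> $($row.ImmutableId)"
        }
        else {
            # Step 1: move to the managed .onmicrosoft.com UPN and write the new ImmutableId.
            Update-MgUser -UserId $user.Id -UserPrincipalName $row.UPN2 `
                -OnPremisesImmutableId $row.ImmutableId -ErrorAction Stop
            # Step 2: move straight back to the federated UPN; flag it loudly if this fails,
            # because the user would otherwise be left signing in on the interim UPN.
            try { Update-MgUser -UserId $user.Id -UserPrincipalName $row.UPN1 -ErrorAction Stop }
            catch { throw "ImmutableId written but move back to $($row.UPN1) failed: $_" }
            # Verify both attributes before counting the row as done.
            $after = Get-MgUser -UserId $user.Id -Property UserPrincipalName,OnPremisesImmutableId
            if ($after.OnPremisesImmutableId -cne $row.ImmutableId -or $after.UserPrincipalName -ne $row.UPN1) {
                throw "post-change verification failed (UPN=$($after.UserPrincipalName))"
            }
        }
    }
    catch { $status = 'Failed'; $detail = $_.Exception.Message }

    [pscustomobject]@{ Upn = $row.UPN1; Status = $status; Detail = $detail }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path "$CsvPath.results.csv" -NoTypeInformation
```

Run it once with -ReportOnly and review the Planned rows before letting it write anything, since a wrong ImmutableId will hard-match the wrong on-prem object on the first AAD Connect sync.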

  4. David Thompson 1 Reputation point
    2020-08-10T16:42:17.643+00:00

    Ok, just a semi-colon. Let me try that and confirm it works, thanks.
