Create Azure User via Graph with immutableID

Brian Hofmeister 0 Reputation points
2023-06-29T15:14:45.07+00:00

Morning all!

I'm trying to create an Azure user via Graph, and since we are federated an immutableID is required. I understand how to do this, but my question is: how do I generate an immutableID that I can send to Graph when creating the user? Folks say it needs to be the base64 encoding of the object's GUID, but I don't have an object GUID until after the user is created, so I have a chicken/egg scenario here.

Thanks for your help!

Brian


1 answer

  1. Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
    2023-06-30T05:53:19.2066667+00:00

    Hello @Brian Hofmeister

    Thank you for reaching out. I would like to confirm that cloud-only users are not intended to have an Immutable ID. The ImmutableID attribute, also usually referred to as SourceAnchor, is used to identify an object as being the same object in on-premises AD and in Azure AD.

    • This attribute is auto-populated when an object is synced from on-premises AD to Azure AD.
    • This process uses the "objectGUID" specified on the user in on-premises Active Directory.
    • The user object in Azure AD will have the base-64 version of the on-premises AD user's objectGUID stamped as the ImmutableID.
    • Basically, what you have is the attribute flow shown below:

    [Image: attribute flow diagram (not reproduced)]

    More details in the following documents:

    This attribute is used for the following scenarios:

    • When a new sync engine server is built, or rebuilt after a disaster recovery scenario, this attribute links existing objects in Azure AD with objects on-premises.
    • If you move from a cloud-only identity to a synchronized identity model, then this attribute allows objects to "hard match" existing objects in Azure AD with on-premises objects.
    • If you use federation, then this attribute together with the userPrincipalName is used in the claim to uniquely identify a user.

    Additionally, I see you mentioned you are using a federated domain and want to publish an ImmutableId on an Azure AD user. I would like to confirm that a federated domain cannot be assigned to a cloud-only user, and this is by design. Additionally, an ImmutableId cannot be published on a cloud-only user. More details are explained in the following document: You can't assign a federated domain to a user in the Microsoft 365 Admin Center

    I hope this helps to resolve your query. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
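The objectGUID-to-ImmutableID attribute flow described in the answer, as an added example that is not part of the original thread or of any Microsoft tooling: the sample objectGUID is constructed, and the conversion assumes the default sync behaviour of base64-encoding the 16 raw GUID bytes in their Windows (little-endian) byte order.

```python
import base64
import uuid

# Constructed objectGUID for illustration only; not a real directory object.
SAMPLE_OBJECT_GUID = "01020304-0506-0708-090a-0b0c0d0e0f10"


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Derive the ImmutableID (sourceAnchor) the sync engine would stamp on
    the cloud user for a given on-premises objectGUID.

    AD stores objectGUID as 16 raw bytes with the first three fields in
    little-endian order, and the sync engine base64-encodes those raw bytes,
    so the GUID string must be converted with bytes_le, not bytes.
    """
    raw = uuid.UUID(object_guid).bytes_le
    return base64.b64encode(raw).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse the flow: recover the objectGUID string from an ImmutableID.

    Useful when auditing which on-premises object a cloud user is
    hard-matched to. Raises ValueError if the value is not 16 decoded bytes.
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def is_guid_derived_immutable_id(value: str) -> bool:
    """True when the value has the shape produced by the objectGUID flow:
    valid base64 of exactly 16 bytes. Other anchor shapes are possible if a
    different sourceAnchor attribute was chosen, so this is a sanity check,
    not proof of origin."""
    try:
        object_guid_from_immutable_id(value)
    except (ValueError, TypeError):
        return False
    return True


if __name__ == "__main__":
    anchor = immutable_id_from_object_guid(SAMPLE_OBJECT_GUID)
    print(f"objectGUID {SAMPLE_OBJECT_GUID} -> ImmutableID {anchor}")
    print("round-trip objectGUID:", object_guid_from_immutable_id(anchor))
```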

