Cannot delete onPremisesImmutableId

Question

Cannot delete onPremisesImmutableId

Priscillano Ramon Mariano III 90

I'm attempting to delete the on-premises attributes of objects that I've migrated from on-premises AD to Cloud.

I'm using the cmdlets for ADSyncTools found here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-clear-on-premises-attributes.

The cmdlet itself is as below:
Clear-ADSyncToolsOnPremisesAttribute -Identity '*****@domain.com' -onPremisesImmutableId*

It is returning the error as shown in the image attached. This is the same error I get if I use Graph.
I am running ADSyncTools through PowerShell 7 and I am assuming this is targeting the cloud object, not the on-premises object.

Anonymous

2025-04-10T11:17:59.02+00:00

@Priscillano Ramon Mariano III ,

Unfortunately, this information cannot be cleared using PowerShell or Graph. You can create an Azure AD Support ticket requesting to clear all On-Premises Attributes from previously synchronized users on your tenant. Support Team will contact product team with your tenant information and help you achieve this.

Related thread: https://learn.microsoft.com/en-us/answers/questions/1058618/leftover-items-from-azure-ad-sync

It's possible to request deletion of these attributes from Microsoft support through ticket but only if dirsync is turned off.

So, if you're converting users to cloud only by deleting and restoring from Entra ID keep in mind that it's not officially supported way to do so.

What needs to be done is turning of dirsync, that's the proper way of converting users to cloud only. But in this case, it will happen for all users, so you can't convert users to cloud only one by one. it has to be all or none.

I hope this clarifies things.
Priscillano Ramon Mariano III 90 Reputation points

2025-04-10T11:58:46.3633333+00:00

Then why do the cmdlets in the article I linked say this is possible to do?

It literally is example number 1.
Anonymous

2025-04-10T14:14:02.7166667+00:00

Hello

This will only work with the condition "These attributes can only be updated in Entra ID for native Cloud-Only users or for previously synced users that have been converted to Cloud-Only users after turning off synchronization in Entra ID"

Please make sure the user you're running this against is a cloud-only user.

1 answer

Your answer

Anonymous

2025-04-10T11:17:59.02+00:00

@Priscillano Ramon Mariano III ,

Unfortunately, this information cannot be cleared using PowerShell or Graph. You can create an Azure AD Support ticket requesting to clear all On-Premises Attributes from previously synchronized users on your tenant. Support Team will contact product team with your tenant information and help you achieve this.

Related thread: https://learn.microsoft.com/en-us/answers/questions/1058618/leftover-items-from-azure-ad-sync

It's possible to request deletion of these attributes from Microsoft support through ticket but only if dirsync is turned off.

So, if you're converting users to cloud only by deleting and restoring from Entra ID keep in mind that it's not officially supported way to do so.

What needs to be done is turning of dirsync, that's the proper way of converting users to cloud only. But in this case, it will happen for all users, so you can't convert users to cloud only one by one. it has to be all or none.

I hope this clarifies things.
Priscillano Ramon Mariano III 90 Reputation points

2025-04-10T11:58:46.3633333+00:00

Then why do the cmdlets in the article I linked say this is possible to do?

It literally is example number 1.
Anonymous

2025-04-10T14:14:02.7166667+00:00

Hello

This will only work with the condition "These attributes can only be updated in Entra ID for native Cloud-Only users or for previously synced users that have been converted to Cloud-Only users after turning off synchronization in Entra ID"

Please make sure the user you're running this against is a cloud-only user.

Answer 1

Givary-MSFT 35,786 Microsoft Employee Moderator

@Priscillano Ramon Mariano III Thank you for your feedback, we did a quick repro on the above ask, we turned off the directory synchronization by the following the steps defined here

Note: Disabling Directory synchronization, deactivation may require up to 72 hours.

Once the sync is disabled, steps mentioned in this doc - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-clear-on-premises-attributes will help to clear the on-premises attributes.

We tested this approach in our lab environment, and it worked as expected. If the issue still persists on your end, please feel free to share the requested details (as mentioned by my colleague in the private message), so we can connect offline and assist you further.

Givary-MSFT 35,786 Reputation points Microsoft Employee Moderator

2025-04-14T14:49:51.3333333+00:00

@Priscillano Ramon Mariano III Just checking in to see if the steps above helped. If not, we can connect offline to work through the issue together

Share via

Cannot delete onPremisesImmutableId

1 answer

Your answer