Disabling the synchronized user flag for an Entra ID account

ritmo2k 811 Reputation points
2023-11-25T23:47:54.97+00:00

There are several articles that detail methods to resolve broken associations between on-premise Active Directory accounts and Entra ID accounts, such as https://chrisbrown.au/techblog/immutableid-azure-ad/.

How do you disable the synchronized state for a given account to allow the immutable ID to be cleared?

Thanks


Accepted answer
  1. Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2023-11-27T11:36:53.3733333+00:00

    @ritmo2k

    Thank you for posting this in Microsoft Q&A.

    As I understand, you are trying to stop sync for one of the users in your environment and set the immutable ID to null.

    This can be achieved by moving the user in on-premises AD to a non-synced OU. Run a sync after moving the object to the non-synced OU. After this, in Azure AD the user will be moved to the deleted container. You can manually go to deleted users in Azure AD and restore the user.

    This step will only change the "on-premises synchronization" status from "Yes" to "No". You will still be able to see the value stamped under "Immutable ID" attribute.

    To clear this value, you can run the commands below in PowerShell:

    • Open Windows PowerShell as administrator.
    • Run the command `Install-Module AzureAD`
    • Once the module is installed, you can run the commands below.
    • `Connect-AzureAD` (enter global admin credentials when prompted)
    • Run the command `Set-AzureADUser -ObjectId "<UPN of user object>" -ImmutableId null`
    • The above command will change the immutable ID value to null.
    • You can confirm it by running the command `Get-AzureADUser -ObjectId "<UPN of user object>" | fl`

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
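As an added example (not code from the thread or from Microsoft), the cloud-side part of the accepted answer wrapped in a script that refuses to clear the attribute while the object is still flagged as synchronized, and re-reads the object afterwards to confirm the value is gone. It assumes the AzureAD module is installed, that the on-premises object has already been moved out of sync scope, synced and restored, and that passing `"$null"` (an empty string) clears `ImmutableId`; the answer above writes the argument as a bare `null`.

```powershell
# Added example: guarded ImmutableId clearing for a user that is no longer synced.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-AzureAD | Out-Null

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# Guard: while DirSyncEnabled is still True, clearing ImmutableId is pointless
# (the next sync cycle re-stamps it) and can hide a sync that is actually broken.
# Cloud-only objects report $null here, so compare against $true explicitly.
if ($user.DirSyncEnabled -eq $true) {
    throw "$UserPrincipalName is still marked as synchronized (DirSyncEnabled = True). Move it out of sync scope and run a sync cycle first."
}

Write-Host "Current ImmutableId: '$($user.ImmutableId)'"

if ([string]::IsNullOrEmpty($user.ImmutableId)) {
    Write-Host "ImmutableId is already empty; nothing to do."
    return
}

# Assumption: "$null" (empty string) clears the attribute in the AzureAD module.
Set-AzureADUser -ObjectId $user.ObjectId -ImmutableId "$null"

# Verify by re-reading the object instead of trusting that the call succeeded.
$after = Get-AzureADUser -ObjectId $user.ObjectId
if (-not [string]::IsNullOrEmpty($after.ImmutableId)) {
    throw "ImmutableId was not cleared (still '$($after.ImmutableId)')."
}
Write-Host "ImmutableId cleared for $($after.UserPrincipalName); DirSyncEnabled = $($after.DirSyncEnabled)"
```

Run it with the sign-in that owns the directory (the answer assumes a global admin), and keep the pre-change `ImmutableId` output: it is the objectGUID-derived value you would need to re-stamp if the account must be re-linked to the on-premises object later.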


1 additional answer
  1. JimmySalian-2011 42,511 Reputation points
    2023-11-26T12:57:56.6433333+00:00

    Hi Ritmo,

    In both AD and AAD, every object has an immutable ID – a unique attribute that persists for the lifetime of the user object. The immutable ID attribute in AAD is ObjectId; in AD it is objectGUID. So the way is to move the user out of the scope of the sync and wait for, or force, the replication. However, you can also check this thread, which has more detailed info on the way to clear the ID: https://stackoverflow.com/questions/42805114/how-to-set-immutable-id-of-an-msoluser-to-null-value-using-powershell#:%7E:text=Set%20immutableid%20to%20null%3A%20Set-MsolUser%20-UserPrincipalName%20gw17edwardlt501edwar%40%3Cmanaged%20domain%3E,immutable%20id%3A%20set-msolUser%20-userprincipalname%20gw17edwardlt501edwar%40%3Cmanaged%20domain%3E%20-immutableID%20f33fc1d2-73bd-4957-995f-37c83d349ef3

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

