How to clear all immutable IDs for a clean Entra Connect install

Question

How to clear all immutable IDs for a clean Entra Connect install

Don Jones 0

I have a customer that previously had Dir Sync installed years ago. They then discontinued with dir sync when a vendor that was provisioning their accounts in local AD started provisioning their accounts in Azure as well. Now that vendor is gone and they wish to use Entra Connect to sync their local AD to Entra/Azure. I would like to remove all immutable IDs in their Entra tenant for all user and group objects and allow Entra Connect to do a soft match using the email address. What is recommended in this scenario?

Thanks

2 answers

Your answer

Answer 1

Thameur-BOURBITA 36,261 Moderator

Hi

if you want migrate dirsync to entra connect you don’t need to cleanup immutableID.

immutableID is calculated based on msds-consistencyGuid in on premise AD. Since the value of msds-consistencyGUid will not be modified during the upgrade to entra connect , you don’t need to cleanup immutableID and the hard match will be able to relink entra ID account with on premise AD account.

I invite you to read the following link for details about the migration from Dirsync to entra connect server:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-dirsync-upgrade-get-started

Please don’t forget to accept helpful answer

Don Jones 0 Reputation points

2023-12-28T19:20:21.04+00:00

Thank you for the response. The issue is that DirSync has not been used for several years and this is a school district where many accounts have come and gone over that time. I would like to start the sync cleanly and not worry about any issues that may arise due to dirsync not being used for quite some time. The last time I did this, I was able to remove all immutable IDs from the accounts in Azure and allowed a soft-match to work. It has been few years since I did that and was not sure if the renamed Azure to Entra has changed where that option is not viable any longer.

Thanks again
Thameur-BOURBITA 36,261 Reputation points Moderator

2023-12-29T11:10:51.15+00:00

@Don Jones •

A synced account in ENtra ID cannot be modied from Entra ID directly, it can only modified from active directory

If you want remove ImmutableID you should start by disable the Directory synchronisation then remove ImmutableID , after that wait 3 days before enable it and deploy your new Entra connect server.

A link will help you to remove immutable ID:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/convert-ad-synced-users-to-office-365-users/m-p/3776422

In my point of view, the simplest is to delete all synced accounts in entra ID then reinstall the entra connect server which will create new accounts or restore deleted account and match it with user account in on-premise active directory based on hard or soft match

Please don't forget to accept helpful answer
Don Jones 0 Reputation points

2023-12-29T16:39:30.2433333+00:00

Thanks for the advice and the link. There are approximately 40,000 accounts and so I need to just remove the immutable ID and then will install Entra Connect. Thanks again.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

How to clear all immutable IDs for a clean Entra Connect install

2 answers

Your answer