Azure AD: how to update user's ImmutableId without AzureAD module nor MSOnline module

Question

I am AD and Azure AD Administrator. I want to sync an existing Azure AD account with a newly created on-premises AD account in an environment where: OnPremisesImmutableId is empty for all Azure AD accounts. Azure AD Connect currently uses objectGUID for synchronization. The Azure AD account was created independently, and now needs to be linked to an on-premises AD account. and updating [immutableid] in user object using Azure AD module is the only way I could find, but Azure AD module cannot be run in Windows 2022 server. My goal is to sync an existing Azure AD account with a newly created on-premises AD account using objectGUID for syncID. Any suggestions would be appreciated.

Answer 1

Take a look at this link here:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant?source=recommendations

The above applies to when you have an existing tenant.

If the ImmutableID is not null , you have to convert its value and set it on ms-dsconsystencyGUID in AD on-premise user account.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola

Answer 2

Hi @Anonymous

You should Hard match method by converting the Immutable value of each user and put it in the ms-ConsistencyGUID attribute in his on-prem account in active directory.

Below a command to convert Immutable ID to msds-consistencyGUID:

$immutable = Get-MgUser -UserId ******@azure.skrubbeltrang.com -Property UserPrincipalName,OnPremisesImmutableId | select -ExpandProperty OnPremisesImmutableId
$msdsConsistencyGUI =  [Convert]::ToBase64String([guid]::New($immutable).ToByteArray())

---

Please don't forget to accept helpful answer

---

Answer 3

Use one of the methods here: https://www.michev.info/blog/post/6129/how-to-hard-match-entra-id-users-via-the-graph-api-or-the-graph-sdk-for-powershell