"Unable to update the specified properties for objects that have originated within an external service."

Question

"Unable to update the specified properties for objects that have originated within an external service."

Chinmayi Bose 0

Hello,

Our users are located in Azure AD. Some of the older accounts were synchronized from our old on-prem AD. The sync has since been deactivated and the users have been converted to Cloud-only users.

The past days we've been trying to update the onPremisesExtensionAttributes through the Graph-API. It works very well for users that we created in Azure AD. But recently we found that it doesn't work with the old sync-ed users.

All users are displayed as Cloud-only users. onPremisesSyncEnabled, and onPremisesLastSyncDateTime were cleared and are null except onPremisesImmutableId has a value.

I understand we can update through ExchangeOnlinePowerShell v2 other than GraphAPI but we use Google Suite.

Is there anyway to update the attribute using PowerShell commands?

Any help is appreciated. Thanks in advance.

Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-08T08:24:20.96+00:00

Hello Chinmayi Bose,

As per description, we understand that your old synced users are converted to cloud-only users.

Now, when you try to update onPremisesExtensionAttributes, it is not working only for the users who are previously synced from on-prem as onPremisesImmutableId has a value.

We need to remove/change the immutable ID from on-prem, so that it will replicate to cloud. Here the user is cloud only, so it is not possible to remove immutable ID from entra ID.

Please cofirm if you have tried the below Powershell command to remove Immutable ID for a specific user?

*Update-MgUser -UserId *****@domain.com -OnPremisesImmutableId $null
Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-09T10:27:08.5966667+00:00

Hello Chinmayi Bose ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-12T07:58:37.7966667+00:00

Hello Chinmayi Bose ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-12T10:31:03.93+00:00

Hello Chinmayi Bose ,

We haven’t heard back from you yet, so just checking in to see if the issue has been resolved. If you’re still experiencing issues, feel free to provide more details, and we’ll do our best to assist further.
SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-13T09:41:47.3966667+00:00

Hello Chinmayi Bose ,

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know.
Chinmayi Bose 0 Reputation points

2025-05-13T11:19:41.15+00:00

Hi Venkata,

Thank you for the update.

I tried to update the ImmutableID to Null. I get the error as below:

Update-MgUser_UpdateExpanded: Invalid value specified for property 'onPremisesImmutableId' of resource 'User'.

Status: 400 (BadRequest) ErrorCode: Request_BadRequest Date: 2025-05-13T11:14:23

Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : cb1ab514-1a6a-4b41-910c-93317f758a85 client-request-id : 9dd5ac75-8337-4aa3-95bb-95138e29342d x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF0000CCC9"}} x-ms-resource-unit : 1 Date : Tue, 13 May 2025 11:14:22 GM

Also could you help me to extract all the AzureAD users with Immutable ID. I tried the below but it did not return any value.

Get-MgUser -All | ForEach-Object { Write-Host "User: $($.UserPrincipalName)" Write-Host "Immutable ID: $($.OnPremisesImmutableId)"

Thank you in advance.

Chinmayi Bose 0

I am trying to run the command in Terminal using pwsh. Below is the version. Just to confirm if this is the supported version. (PSVersion  7.4.7)

I am also trying to run Azure AD module to get the result using this module, but getting the below error.

Import-Module AzureAD 
Import-Module: Could not load file or assembly 'System.Windows.Forms'. The system cannot find the file specified.

1 answer

Your answer

Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-08T08:24:20.96+00:00

Hello Chinmayi Bose,

As per description, we understand that your old synced users are converted to cloud-only users.

Now, when you try to update onPremisesExtensionAttributes, it is not working only for the users who are previously synced from on-prem as onPremisesImmutableId has a value.

We need to remove/change the immutable ID from on-prem, so that it will replicate to cloud. Here the user is cloud only, so it is not possible to remove immutable ID from entra ID.

Please cofirm if you have tried the below Powershell command to remove Immutable ID for a specific user?

*Update-MgUser -UserId *****@domain.com -OnPremisesImmutableId $null
Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-09T10:27:08.5966667+00:00

Hello Chinmayi Bose ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator

2025-05-12T07:58:37.7966667+00:00

Hello Chinmayi Bose ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-12T10:31:03.93+00:00

Hello Chinmayi Bose ,

We haven’t heard back from you yet, so just checking in to see if the issue has been resolved. If you’re still experiencing issues, feel free to provide more details, and we’ll do our best to assist further.
SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-13T09:41:47.3966667+00:00

Hello Chinmayi Bose ,

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know.
Chinmayi Bose 0 Reputation points

2025-05-13T11:19:41.15+00:00

Hi Venkata,

Thank you for the update.

I tried to update the ImmutableID to Null. I get the error as below:

Update-MgUser_UpdateExpanded: Invalid value specified for property 'onPremisesImmutableId' of resource 'User'.

Status: 400 (BadRequest) ErrorCode: Request_BadRequest Date: 2025-05-13T11:14:23

Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : cb1ab514-1a6a-4b41-910c-93317f758a85 client-request-id : 9dd5ac75-8337-4aa3-95bb-95138e29342d x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF0000CCC9"}} x-ms-resource-unit : 1 Date : Tue, 13 May 2025 11:14:22 GM

Also could you help me to extract all the AzureAD users with Immutable ID. I tried the below but it did not return any value.

Get-MgUser -All | ForEach-Object { Write-Host "User: $($.UserPrincipalName)" Write-Host "Immutable ID: $($.OnPremisesImmutableId)"

Thank you in advance.
Chinmayi Bose 0 Reputation points

2025-05-13T11:32:45.4933333+00:00

I am trying to run the command in Terminal using pwsh. Below is the version. Just to confirm if this is the supported version. (PSVersion 7.4.7) I am also trying to run Azure AD module to get the result using this module, but getting the below error. Import-Module AzureAD Import-Module: Could not load file or assembly 'System.Windows.Forms'. The system cannot find the file specified.

Answer 1

SrideviM 3,575 Microsoft External Staff Moderator

Hello Chinmayi Bose ,

I understand you're trying to update onPremisesExtensionAttributes for users who were previously synced from on-prem AD. Even though sync is off, the update fails because onPremisesImmutableId is still set. This makes the user appear as hybrid, so certain fields stay read-only.

To remove it properly, Microsoft recommends the ADSyncTools PowerShell module. You can use the following commands to install and explore the available options, refer this Microsoft Article:

[Net.ServicePointManager]::SecurityProtocol =[Net.SecurityProtocolType]::Tls12
Install-Module ADSyncTools
Import-Module ADSyncTools
Get-Command *onpremises* -Module ADSyncTools

User's image

Connect to Microsoft Graph with the required permissions and view users who still have on-prem attributes, including those who were synced:

Connect-MgGraph -Scopes "User.ReadWrite.All"
Get-ADSyncToolsOnPremisesAttribute -IncludeSyncedUsers

User's image

To clear only the onPremisesImmutableId for a specific user:

Clear-ADSyncToolsOnPremisesAttribute -Identity "******@domain.com" -onPremisesImmutableId

To clear all on-prem attributes for the user:

Clear-ADSyncToolsOnPremisesAttribute -Identity "******@domain.com" -All

As an alternative, if the user is no longer syncing, you can use a direct Graph API call:

Connect-MgGraph -Scopes "User.ReadWrite.All"
Invoke-MgGraphRequest -Method PATCH `
  -Uri "https://graph.microsoft.com/v1.0/users/******@domain.com" `
  -Body @{ onPremisesImmutableId = $null }

To find users who still have the onPremisesImmutableId, you can run:

Get-MgUser -All -Select "Id,UserPrincipalName,onPremisesImmutableId" |
Where-Object { $_.onPremisesImmutableId -ne $null } |
Select-Object UserPrincipalName, onPremisesImmutableId

User's image

Regarding the error with the AzureAD module, it happens because that module is not supported in PowerShell 7. It was designed for Windows PowerShell 5.1. You can refer to this MS article for more details.

Since you're already using the Microsoft Graph module, you're on the right path and there's no need to switch.

Let me know if you have any further questions. Happy to assist.

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

User's image

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-15T00:42:17.84+00:00

Hello Chinmayi Bose ,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions. If you have any further query do let us know.
Chinmayi Bose 0 Reputation points

2025-05-15T08:55:46.4633333+00:00

Hi @SrideviM ,

Thank you for your response!

We are syncing the user attributes from Workday to Azure AD. I have removed the ImmutableID for a user and performed the provisioning from Enterprise Application > Workday to AzureAD user Provisioning> Provisioning.

I am now receiving the below error:

"Error code

AzureActiveDirectoryCannotUpdateObjectsOriginatedInExternalService

Error message

Unable to update the specified properties for objects that have originated within an external service"

We do not have any on-premises attribute against that user after we cleared yesterday.

Thanks in advance!
SrideviM 3,575 Reputation points Microsoft External Staff Moderator

2025-05-15T09:27:14.39+00:00

Hello Chinmayi Bose ,

Thank you for the update.

Since the onPremisesImmutableId has been cleared and there are no remaining on-prem attributes, the error you're seeing now during provisioning from Workday is likely caused by how certain attributes are being handled during the sync.

Microsoft Entra can still block updates if the provisioning system attempts to write to restricted attributes such as onPremisesExtensionAttributes, proxyAddresses, or other system-managed fields. When provisioning tries to modify these, it can trigger the "Unable to update the specified properties for objects that have originated within an external service" error.

It would be helpful to review your attribute mappings in the Workday provisioning configuration and check if any of the mapped attributes are targeting restricted fields. Also, the provisioning logs will show which specific property is causing the failure and can help identify the issue more precisely.

Regarding the provisioning part, I’d recommend posting it as a separate question in the forum. This will help us and other community members track it more effectively and provide a focused response.

Please feel free to tag me once the new question is posted, and I’ll be happy to assist you further!
Chinmayi Bose 0 Reputation points

2025-05-15T12:44:29.4633333+00:00

The reason we are using the extension attribute in the first place is the EmployeeType is not supported for creating Dynamic rules with in AzureAD.

The attribute mappings in Workday and AzureAD is fine because it is provisioning for other employees.

Anyways, thank you for your help with this and I will create a separate forum for provisioning log error.

Share via

"Unable to update the specified properties for objects that have originated within an external service."

1 answer

Your answer