During a running project, we were facing a problem with a provisioning of an AzureAD-User and his mailbox. During first Dir-Sync user got a provisioning error and could not be modified or used. We have removed the On-Prem AD user object, in hope that we can simply restore the use in the cloud. After we have deleted On-Prem User object, our Cloud-Object were just stuck in the cloud is was waiting for a successful synchronization for a very long time. So we have created a new user with another UPN and Email-Address, but the old E-mail address was still in use. So we needed to release the old E-mail address from the broken Cloud-Object and add it to the new “Hybrid-User”
In this article I am going to explain:
- How to change ImmutableID for a directory synchronized user
- How to resolve synchronization conflict
Page navigation
What is ImmutableID?
ImmutableID is an attribute on an AzureAD-User, or MSOL-User. This attribute is an unique identifier to match an On-Premise ADUser with a AzureAD user.
Standard configuration of AzureAD-Connect is using immutableID as a source anchor attribute to match Cloud and Local identity.
How is immutableID generated?
ImmutableID is a “Base64” encoded identity of local objectGUID of an ADUser-object.
So ImmutableID is simply the On-Prem objectGUID of an ADUser.
#ObjectGUID to ImmutableID
$aduser = Get-ADUser UserForestDemouser76 -Properties *
$immutableid = [Convert]::ToBase64String([guid]::New($aduser.ObjectGUID).ToByteArray()) 
mS-DS-ConsistancyGUID is the On-Prem Counterpart for ImmutableID and is also generated from ADUser objectGUID
#ObjectGUID to ms-DS-ConsistancyGUID
$aduser = Get-ADUser UserForestDemouser76 -Properties *
$msdsconsistancyguid = $aduser.ObjectGUID.ToByteArray() 
How to change ImmutableID?
1. Login to you tenant with Global Administrator permissions, by using Connect-AzureAD command which is a part of AzureAD powershell module
If you are using a PIM role like User-Administrator you will get this error.
So you simply need Global Administrator permissions and not a PIM role.
2. Change UPN of your Cloud-User-Object to a *.microsoftonline.com (only for federated users)
Get-MsolUser -UserPrincipalName UserForest.Demouser76@onpremto.cloud |Set-MsolUser -UserPrincipalName 'UserForest.Demouser76@fromonpremtocloud.onmicrosoft.com'
3. Use Set-ADUser -ImmutableID command to change ImmutableID
How to resolve synchronization conflict?
1. Generate immutableID from the right objectGUID as mentioned above.
2. Connect to AzureAD with Global Administrator permissions
3. Change the immutableID by running Set-AzureADUser -immutableID command
Get-AzureADUser -SearchString 'UserForest.Demouser76' | Set-AzureADUser -ImmutableId $immutableid 
ImmutableID is now recovered and you can
Start-AADSyncCycle -policytype Delta