1. What is the ImmutableID property?
In this lab we take a look at the special ImmutableID property of Microsoft Online (Azure AD) user accounts.
This property is used when we synchronize on-prem AD accounts to the cloud. The ImmutableID tells the hybrid system which on-prem account belongs to which Azure AD user account; technically, it identifies which cloud account is the mirror of a synced on-prem account.
The matching works by taking the objectGUID of the on-prem user account, Base64 encoding its byte representation, and storing that value in the matching Azure user account under the ImmutableID property. It's that simple, and that's why we are able to connect any synced on-prem account to virtually any existing cloud account, as we please.
2. Example
We use Alice's account as our example. First, checking the objectGUID of the on-prem AD account, we see that the globally unique identifier of the user account is "874bcd2b-148d-47ca-b309-91df64f05bf5".
Now we convert that value with the widely used Base64 algorithm and check whether it matches the ImmutableID property of her Azure AD account:
# Convert ObjectGUID of Alice's user account to ImmutableID: Base64 encode
# Manually:
$GUID = ([GUID]"874bcd2b-148d-47ca-b309-91df64f05bf5").ToByteArray()
# Or query the actual on-prem AD:
$GUID = (Get-ADUser alice).ObjectGuid.ToByteArray()
# Convert:
[System.Convert]::ToBase64String($GUID)

# Convert ImmutableID (Base64 encoded string) to GUID
# Manually:
$immutableID = "K81Lh40UykezCZHfZPBb9Q=="
# Or query live Azure AD:
$immutableID = (Get-MsolUser -UserPrincipalName alice@alwayshotcafe.com).ImmutableId
# Convert:
[GUID]([System.Convert]::FromBase64String($immutableID))
As we can see, the objectGUID of the original user account converts exactly to the ImmutableID value in the cloud, and vice versa.
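The same conversion in Python, as an added example that is not part of the original lab. The one detail worth seeing in code is the byte order: .NET's Guid.ToByteArray() (and therefore the ImmutableID) uses the mixed-endian layout that Python exposes as uuid.UUID.bytes_le, not the textual big-endian order, so encoding the wrong byte order produces a valid-looking but unrelated anchor. The function names are this example's own.

```python
import base64
import uuid

# Alice's objectGUID and ImmutableID as given in the lab text
ALICE_GUID = "874bcd2b-148d-47ca-b309-91df64f05bf5"
ALICE_IMMUTABLE_ID = "K81Lh40UykezCZHfZPBb9Q=="


def guid_to_immutable_id(guid_text: str) -> str:
    """Base64-encode the GUID in the byte order Windows stores it (bytes_le),
    which is what [GUID]::ToByteArray() returns in PowerShell."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse the conversion, refusing anything that is not exactly 16 bytes
    of valid Base64 (an ImmutableID set by hand can be an arbitrary string)."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def wrong_byte_order(guid_text: str) -> str:
    """What you get if the GUID is encoded in textual (big-endian) order:
    a syntactically fine ImmutableID that matches no on-prem object."""
    return base64.b64encode(uuid.UUID(guid_text).bytes).decode("ascii")


def round_trips(guid_text: str) -> bool:
    return immutable_id_to_guid(guid_to_immutable_id(guid_text)) == guid_text.lower()


if __name__ == "__main__":
    print(guid_to_immutable_id(ALICE_GUID))       # K81Lh40UykezCZHfZPBb9Q==
    print(immutable_id_to_guid(ALICE_IMMUTABLE_ID))
    print(wrong_byte_order(ALICE_GUID))           # differs from the real anchor
```

When reconciling an exported user list, run immutable_id_to_guid over every ImmutableID and compare the result against objectGUIDs from AD; the ValueError branch catches anchors that were set to something other than a GUID.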
3. Manipulate Connections by changing the ImmutableID
In our test scenario, we sync all of our on-prem users to the cloud. Alice, however, already had her own mailbox in the cloud before, and she wants to use that mailbox with her on-prem account from now on:
Our trick is simple: we move Alice's synced user account into a non-syncing OU on-prem and initiate a sync cycle, which puts her account in a soft-deleted state in the cloud.
Then we assign the ImmutableID of that account (that is, the Base64 encoded equivalent of the on-prem account's GUID) to the cloud account, which here is called Alice.Cloud@alwayshotcafe2020.onmicrosoft.com.
# OPTION1 - Detach the cloud account
# Set Alice's original ImmutableID on her existing cloud-managed account:
$immutableID = "K81Lh40UykezCZHfZPBb9Q=="
Get-MsolUser -UserPrincipalName Alice.Cloud@alwayshotcafe2020.onmicrosoft.com | Set-MsolUser -ImmutableId $immutableID

# OPTION2 - Irreversible!!!
# Remove Alice's un-synced, soft-deleted account as it still has the ImmutableID (anchor) set
Get-MsolUser -UserPrincipalName Alice@alwayshotcafe.com -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
Next, we move the on-prem account back to a syncing OU and sync it again. The sync should connect the on-prem account to the existing cloud account seamlessly.
After syncing, the UPN changed from Alice.Cloud@alwayshotcafe2020.onmicrosoft.com to Alice@Alwayshotcafe.com, just as we wanted.
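Because the anchor decides which cloud account an on-prem identity lands on, a rewritten ImmutableID is also what a reviewer would want to spot. The following is an added reconciliation check, not part of the original lab: it cross-references an on-prem export (UPN, objectGUID) with a cloud export (UPN, ImmutableID, soft-deleted flag) and flags anchors that point at no on-prem object, anchors whose on-prem owner has a different UPN than the cloud account (the situation created in this section), and two cloud objects carrying the same anchor. The user records are constructed to mirror the lab; the dataclasses and finding labels are this example's own.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple


def guid_to_immutable_id(guid_text: str) -> str:
    """Same conversion AAD Connect uses: Base64 of the GUID's Windows byte order."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


@dataclass
class OnPremUser:
    upn: str
    object_guid: str


@dataclass
class CloudUser:
    upn: str
    immutable_id: Optional[str]   # None for a pure cloud-managed account
    soft_deleted: bool = False


# Constructed sample exports reflecting the state right after OPTION1 above
ON_PREM = [
    OnPremUser("alice@alwayshotcafe.com", "874bcd2b-148d-47ca-b309-91df64f05bf5"),
    OnPremUser("bob@alwayshotcafe.com", "11111111-2222-3333-4444-555555555555"),
]
CLOUD = [
    CloudUser("Alice.Cloud@alwayshotcafe2020.onmicrosoft.com", "K81Lh40UykezCZHfZPBb9Q=="),
    CloudUser("alice@alwayshotcafe.com", "K81Lh40UykezCZHfZPBb9Q==", soft_deleted=True),
    CloudUser("bob@alwayshotcafe.com", guid_to_immutable_id("11111111-2222-3333-4444-555555555555")),
    CloudUser("carol@alwayshotcafe2020.onmicrosoft.com", None),
]

Finding = Tuple[str, str, str]   # (kind, cloud UPN, related UPN or anchor)


def audit_anchors(on_prem: List[OnPremUser], cloud: List[CloudUser]) -> List[Finding]:
    """Return anomalies in the on-prem <-> cloud anchor mapping."""
    by_anchor = {guid_to_immutable_id(u.object_guid): u for u in on_prem}
    first_holder = {}            # anchor -> first cloud object seen with it
    findings: List[Finding] = []
    for c in cloud:
        if c.immutable_id is None:
            continue             # cloud-only account, nothing to reconcile
        source = by_anchor.get(c.immutable_id)
        if source is None:
            findings.append(("orphan-anchor", c.upn, c.immutable_id))
        elif source.upn.lower() != c.upn.lower():
            # anchor belongs to an on-prem object with a different identity
            findings.append(("anchor-upn-mismatch", c.upn, source.upn))
        holder = first_holder.setdefault(c.immutable_id, c)
        if holder is not c:
            # two cloud objects (e.g. live + soft-deleted) share one anchor
            findings.append(("anchor-collision", c.upn, holder.upn))
    return findings


if __name__ == "__main__":
    for kind, upn, related in audit_anchors(ON_PREM, CLOUD):
        print(f"{kind:22} {upn:48} -> {related}")
```

Bob reconciles cleanly and Carol is skipped as cloud-only; Alice.Cloud is reported because its anchor resolves to alice@alwayshotcafe.com on-prem, and the soft-deleted alice object is reported as colliding with it, which is exactly why the lab's OPTION2 purges that object before re-syncing.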
4. Verification
Checking Alice's mailbox before and after, we see it has the same content, so our mission has been successful!