Remove ImmutableID and Reconnect to a New On-Prem Account

Posted on by Dani Luxenburger

Skip to Step by step guide: Click here!

Introduction

In hybrid Azure AD/Active Directory environments, cloud user accounts are linked to their on-prem counterparts through the ImmutableID attribute. This value uniquely binds an Azure AD user to its Active Directory object, ensuring synchronization via Entra Connect (formerly AAD Connect).

However, situations may arise where you need to reconnect a cloud-only Azure AD account to a new on-premises AD account. This could happen after account cleanup, migration, or recreating a user in Active Directory.

If the ImmutableID is not cleared, synchronization will fail because Azure AD still expects the old object.

This guide explains:

  • What ImmutableID is and why it matters
  • How to remove it using the AzureAD PowerShell module
  • How to create a new on-prem account and link it back
  • Best practices and troubleshooting tips

What Is ImmutableID?

  • Definition: The ImmutableID attribute in Azure AD is a base64 representation of the on-prem objectGUID.
  • Purpose: It ensures a stable, unique link between Azure AD and Active Directory objects.
  • Problem: If the on-prem object is deleted or recreated, the objectGUID changes—breaking the link.

Clearing the ImmutableID allows Azure AD to accept a new on-prem user with the same User Principal Name (UPN) during the next synchronization cycle.

Don’t want to do is fully manually? Download the Script at the bottom of the post. In case scripts don’t work you can contact me on [email protected]
This methode will also allow you to delete a cloud user that is synced to the on prem AD with a broken ADSync.

Step-by-Step: Remove ImmutableID with AzureAD Module

Step 1: Install and Connect to AzureAD

Install-Module AzureAD -Force
Connect-AzureAD

Sign in with an Azure AD Global Administrator account.

Step 2: Check the Current ImmutableID

Get-AzureADUser -ObjectId "[email protected]" | Select-Object DisplayName, UserPrincipalName, ImmutableId

This shows if the user currently has an ImmutableID value set.

Step 3: Clear the ImmutableID

# Direct by UPN
Set-AzureADUser -ObjectId "[email protected]" -ImmutableId ""

# Or resolve ObjectId first (recommended)
$user = Get-AzureADUser -Filter "userPrincipalName eq '[email protected]'"
Set-AzureADUser -ObjectId $user.ObjectId -ImmutableId ""

Step 4: Verify the ImmutableID Was Removed

Get-AzureADUser -ObjectId "[email protected]" | Select-Object UserPrincipalName, ImmutableId

If successful, the ImmutableId field should now be blank.

Step 5: Create or Match the On-Prem AD User

The new AD account must have the same UPN as the Azure AD user. Example:

New-ADUser -Name "John Doe" -SamAccountName johndoe `
  -UserPrincipalName [email protected] `
  -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) `
  -Enabled $true

Step 6: Run a Synchronization Cycle

On the server running Entra Connect (AAD Connect):

Start-ADSyncSyncCycle -PolicyType Delta

For major changes, you may prefer:

Start-ADSyncSyncCycle -PolicyType Initial

The next sync will re-link the Azure AD account to the on-prem user.

Old Methode using MSOnline

open Powershell as an Admin

To start we need to install MSOnline module.

Install-Module -Name MSOnline

Conect to MSOnline using the following the command.

Connect-MsolService

you will now be promted to login using the admin credentials of Azure.

After logging in you can look up if a user has an InmutableID with the command below.

Get-MsolUser -UserPrincipalName [email protected] | fl

If you need to clear the ImutableID you will have to use the following command.

Set-MsolUser -UserPrincipalName [email protected] -ImmutableId “$null”

When the ImutableID is cleared you can create an Onprem user. This user must have the same UPN as the cloud user.

When the new user is created and you have the Active directory Synchronization Tool you can now use the command.

Start-ADSyncSyncCycle

Example Scenario

After: Cloud user links successfully to new AD object and hybrid sign-in works again

Before: Cloud user has a stale ImmutableID referencing a deleted AD account → sync fails.

Action: Clear ImmutableID, create new on-prem user with same UPN, run sync.

Best Practices

  • Always backup ImmutableID values before clearing (audit log).
  • Use empty string "" with Set-AzureADUser (never $null).
  • Test changes on a single account before bulk operations.
  • Document each change for compliance purposes.
  • Run an Initial sync after major user cleanups to avoid conflicts.

Conclusion

The ImmutableID is critical for hybrid identity management in Azure AD. When accounts are recreated on-prem, clearing the ImmutableID ensures proper re-linking during synchronization. By following this guide with the AzureAD PowerShell module, you can safely remove ImmutableID values, reconnect users, and maintain seamless hybrid identity.

Script Outdated. Still using MSOL

Script – Remove ImutableID and connect to a new onprem account (473 downloads )

Script

Source: Microsoft Learn

Downloads? Click here!