Remove ImmutableId and connect to a new on-prem account.

Required accounts:

Azure admin account | Local admin account | Domain admin account

Don't want to do it fully manually? Download the script at the bottom of the post. In case the script doesn't work, you can contact me at [email protected]
This method also allows you to delete a cloud user that is synced to the on-prem AD when AD Sync is broken.

Open PowerShell as an administrator.

To get started, install the AzureAD module (if it is not installed already):

Install-Module -Name AzureAD

Connect to AzureAD using the following command:

Connect-AzureAD

You will now be prompted to log in with the Azure admin credentials.

After logging in, you can check whether a user exists and view its details (including the ImmutableId) with the command below:

Get-AzureADUser -ObjectId [email protected]

If you need to clear the ImmutableId, use the following command:

Set-AzureADUser -ObjectId [email protected] -ImmutableId $null

Once the ImmutableId is cleared, create the on-prem user. This user must have the same UPN as the cloud user, otherwise the sync will not match the two accounts.

When the new user has been created and the Active Directory synchronization tool (Azure AD Connect) is installed on the server you are working from, start a sync cycle with the command:

Start-ADSyncSyncCycle

If you want to delete the cloud user instead, use the following command:

Remove-AzureADUser -ObjectId [email protected]
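The steps above, combined into one script as an added example (this is not the post's own downloadable script). It records the current ImmutableId before clearing it, verifies that the clear actually took effect, and, once the on-prem account exists, computes the ImmutableId that Azure AD Connect will write for it (base64 of the objectGUID bytes, assuming the default objectGUID-based sourceAnchor) so you can compare it with Get-AzureADUser after the sync. $Upn is a placeholder for the user's UPN.

```powershell
# Added example, not the post's script. Assumes the AzureAD and ActiveDirectory
# modules are installed and that $Upn is the UPN shared by the cloud and on-prem user.
param(
    [Parameter(Mandatory)][string]$Upn   # placeholder, e.g. "user@yourdomain.com"
)

Import-Module AzureAD
Import-Module ActiveDirectory

Connect-AzureAD | Out-Null

# Step 1: record the current state before touching the anchor
$cloudUser = Get-AzureADUser -ObjectId $Upn
if (-not $cloudUser) { throw "Cloud user $Upn not found" }
Write-Host "Current ImmutableId: '$($cloudUser.ImmutableId)' (DirSyncEnabled: $($cloudUser.DirSyncEnabled))"

# Step 2: clear the anchor (same command as in the post)
if ($cloudUser.ImmutableId) {
    Set-AzureADUser -ObjectId $Upn -ImmutableId $null
}

# Step 3: re-read and confirm the attribute is really empty before going on
$cloudUser = Get-AzureADUser -ObjectId $Upn
if ($cloudUser.ImmutableId) { throw "ImmutableId still set: $($cloudUser.ImmutableId)" }
Write-Host "ImmutableId cleared for $Upn"

# Step 4: once the on-prem account with the same UPN exists, compute the value
# Azure AD Connect will sync as ImmutableId (base64 of objectGUID, default sourceAnchor).
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if ($adUser) {
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    Write-Host "Expected ImmutableId after sync: $expected"
    Write-Host "Run Start-ADSyncSyncCycle -PolicyType Delta, then compare with Get-AzureADUser -ObjectId $Upn"
} else {
    Write-Host "No on-prem user with UPN $Upn yet; create it, then run Start-ADSyncSyncCycle -PolicyType Delta"
}
```

If the value shown by Get-AzureADUser after the sync differs from the expected one, the cloud user was matched to a different on-prem object (or the sourceAnchor is not objectGUID), which is worth checking before treating the account as correctly linked.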

Old method using MSOnline

Open PowerShell as an administrator.

To start, install the MSOnline module:

Install-Module -Name MSOnline

Connect to MSOnline using the following command:

Connect-MsolService

You will now be prompted to log in with the Azure admin credentials.

After logging in, you can check whether a user has an ImmutableId with the command below:

Get-MsolUser -UserPrincipalName [email protected] | fl

If you need to clear the ImmutableId, use the following command:

Set-MsolUser -UserPrincipalName [email protected] -ImmutableId "$null"

Once the ImmutableId is cleared, create the on-prem user. This user must have the same UPN as the cloud user, otherwise the sync will not match the two accounts.

When the new user has been created and the Active Directory synchronization tool (Azure AD Connect) is installed on the server you are working from, start a sync cycle with the command:

Start-ADSyncSyncCycle

Script outdated: it still uses the MSOnline module.

Script – Remove ImmutableId and connect to a new on-prem account (245 downloads)