When managing users across both on-premises Active Directory (AD) and Azure Active Directory (AAD), it's essential to maintain consistency between the two environments. The Immutable ID is a unique identifier that ensures a user’s cloud identity (in AAD) matches their on-premises identity (in AD). This synchronization is crucial when:
By correctly matching the Immutable ID between Azure AD and on-premises AD, you can maintain data integrity and seamless access for the user across both environments.
Ensure the following PowerShell modules are installed:
Active Directory Module
Azure AD Module
Use the following PowerShell command to get the Immutable ID of the Azure AD user:
Get-AzureADUser -ObjectId "user@example.com" | Select-Object ImmutableId
This command will output the Immutable ID for the user.
To retrieve the corresponding Immutable ID from the on-prem AD user, use the following commands:
$guid = (Get-ADUser -Identity "username").ObjectGUID
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
$immutableID
This converts the on-prem AD user's ObjectGUID into a base64-encoded string, which is the format used for the Immutable ID in Azure AD.
To update the Azure AD user with the on-prem AD Immutable ID, run the following command:
Set-AzureADUser -ObjectId "user@example.com" -ImmutableId "base64ImmutableID"
Replace "user@example.com" with the user's Azure AD Object ID and "base64ImmutableID" with the Base64 string obtained from the previous step.
Wait for the next scheduled synchronization, or force a synchronization using the following command on your Azure AD Connect server:
Start-ADSyncSyncCycle -PolicyType Delta
By following these steps, you can ensure that the on-premises AD user is correctly matched with the Azure AD user, preserving all cloud data and settings.