Hard match AAD accounts

Cloud-only accounts that previously had an on-premises account associated with them may still have an immutableId property set on their AAD user. This value uniquely identifies an on-premises AD account: it is the base64 encoding of that account's objectGuid. While immutableId is set, no other on-premises account can be synced to that cloud user under the same UPN or email address, whether this happens unintentionally because of a username or email clash, or intentionally as a hard match to repair an unsynced account, as Microsoft recommends.

The immutableId value normally cannot be set through any of the AAD/Office 365/Microsoft 365 web interfaces, toolkits, or cmdlets, but Microsoft Graph (here via the Microsoft.Graph PowerShell module) can, for some reason. You can assign it like so:

Connect-MgGraph -Scopes 'User.ReadWrite.All'   # a Graph session with user write permission is required first
Update-MgUser -UserId 'myuser@contoso.com' -OnPremisesImmutableId ([Convert]::ToBase64String((Get-ADUser myuser123).ObjectGUID.ToByteArray()))   # Get-ADUser already returns ObjectGUID as a [guid]; immutableId is the base64 of its byte array
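Before forcing a hard match it is worth checking what the cloud user's immutableId already points at, since a stale value from an earlier clash is exactly the case described above. The following is an added example, not code from the original note: it converts between an AD objectGuid and the immutableId encoding in both directions and classifies a cloud user as cloud-only, matched, or mismatched against the expected AD object. The function names, the sample GUIDs and the stand-in user objects are constructed for illustration; in practice the objects would come from Get-MgUser (with -Property OnPremisesImmutableId) and Get-ADUser.

```powershell
# Added example: immutableId <-> objectGuid helpers and a hard-match sanity check.
# Not part of the original note; names and sample values are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AAD stores the base64 of the GUID's .NET byte layout (mixed-endian),
    # not the base64 of its string form, so ToByteArray() is the right input.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # Values that are not 16 bytes were not derived from an objectGuid
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to 16 bytes; not a GUID-based value"
    }
    [guid]::new($bytes)
}

function Test-HardMatch {
    # Compares the cloud user's current immutableId with the one the given AD object would produce.
    # $CloudUser needs UserPrincipalName and OnPremisesImmutableId; $AdUser needs UserPrincipalName and ObjectGUID.
    param(
        [Parameter(Mandatory)]$CloudUser,
        [Parameter(Mandatory)]$AdUser
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $AdUser.ObjectGUID
    $actual   = $CloudUser.OnPremisesImmutableId

    if ([string]::IsNullOrEmpty($actual)) {
        $state = 'CloudOnly'        # nothing set yet; a hard match would be a fresh assignment
    } elseif ($actual -eq $expected) {
        $state = 'Matched'          # already anchored to this AD object
    } else {
        $state = 'Mismatch'         # anchored to some other AD object; sync under this UPN will fail
    }

    $actualGuid = $null
    if ($state -eq 'Mismatch') {
        $actualGuid = (ConvertFrom-ImmutableId -ImmutableId $actual).ToString()
    }

    [pscustomobject]@{
        UserPrincipalName   = $CloudUser.UserPrincipalName
        State               = $state
        ExpectedImmutableId = $expected
        ActualImmutableId   = $actual
        ActualObjectGuid    = $actualGuid
    }
}

# Constructed sample data standing in for Get-ADUser / Get-MgUser output.
# The cloud user still carries an immutableId derived from a different (old) AD object.
$adUser = [pscustomobject]@{
    UserPrincipalName = 'myuser@contoso.com'
    ObjectGUID        = [guid]'11111111-2222-3333-4444-555555555555'
}
$cloudUser = [pscustomobject]@{
    UserPrincipalName     = 'myuser@contoso.com'
    OnPremisesImmutableId = ConvertTo-ImmutableId -ObjectGuid ([guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee')
}

# Round trip: the encoding must decode back to the original GUID
$roundTrip = ConvertFrom-ImmutableId -ImmutableId (ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID)
if ($roundTrip -ne $adUser.ObjectGUID) { throw 'immutableId round trip failed' }

# Reports State = Mismatch together with the GUID the stale value points at
Test-HardMatch -CloudUser $cloudUser -AdUser $adUser | Format-List
```

Running this before Update-MgUser tells you whether you are filling an empty anchor, confirming an existing one, or overwriting a value that still points at a different AD object; in the last case the decoded GUID can be looked up with Get-ADObject to see which account the cloud user was tied to before.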
