Just a quick post today to show how to rectify a null ImmutableID on a user profile in O365 after you've implemented AD Connect from an on-premises Active Directory.
We recently implemented a new server for a client with a new domain and set up AD Connect to replicate the on-premises user passwords to Azure AD. Everything seemed to work as expected until we noticed that one user wouldn't replicate and wasn't showing as a directory synced user.
I thought that's weird, all other users from the on-premise AD had replicated except this one, which of course had to be the CEO of the company. Always has to affect the most important user doesn't it? 🙂
So how do you fix it? We discovered that the user's ImmutableID was null, so the object couldn't be matched to the on-premises account and therefore wouldn't replicate. How this happened I'm not sure, but the following is the process we used to rectify it. Open PowerShell as an administrator and carry out the following:
Connect-MSOLService
Now input your O365 tenant administrator username and password:
Once you've successfully logged on, run the following command. Just replace the email address [email protected] with the email address of the user you're having issues with:
Get-MSOLUser -UserPrincipalName [email protected] | fl UserPrincipalName, ImmutableID
It should return an empty ImmutableID like in the following example:
UserPrincipalName : [email protected]
ImmutableId :
Now we need to find the ObjectGUID from the on-premise AD by running the following command to create a text file with all the AD users:
ldifde -f users.txt
The file users.txt will be created in your current working directory. Open it, search for the affected user and locate their objectGUID (ldifde writes it as a base64 string, which is exactly the form Azure AD stores as the ImmutableID). In my case it was:
objectGUID:: uSbo00O5O0WDHSwQP51j+w==
We’re now going to update the Azure AD ImmutableID to reflect the on-premise ObjectGUID. Execute the following in your PowerShell instance:
Set-MSOLUser -UserPrincipalName [email protected] -ImmutableID uSbo00O5O0WDHSwQP51j+w==
Set-MSOLUser produces no output on success, so re-run the Get-MSOLUser command from earlier. It should now return the following values:
UserPrincipalName : [email protected]
ImmutableId : uSbo00O5O0WDHSwQP51j+w==
Notice that it now returns the same value as the on-premises objectGUID, which is what we want. Now run an AD Connect sync using the following syntax:
Start-ADSyncSyncCycle -PolicyType Initial
Your user should now be listed as directory synced. Consider yourself a superstar!!
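The same procedure as a script, added here as an example and not code from the original post: it derives the ImmutableID from the on-premises objectGUID with Get-ADUser instead of reading ldifde output by hand, sets it only when the cloud value is null, and refuses to overwrite a non-null ImmutableID that points at a different GUID. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MSOLService has already been run, and, like the post, that objectGUID is the AD Connect source anchor; the UPN is a placeholder.

```powershell
# Added example: reconcile a null Azure AD ImmutableId with the on-premises objectGUID.
# Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,   # placeholder, e.g. user@example.com
    [switch]$WhatIf               # report only; make no change in Azure AD
)

Import-Module ActiveDirectory
Import-Module MSOnline

# ldifde shows objectGUID as base64 of the GUID's 16 raw bytes; that string is
# exactly what Azure AD stores as ImmutableId, so compute it directly.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    return [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse direction: turn an existing ImmutableId back into a GUID for comparison.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    return [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
if (-not $adUser) { throw "No on-premises AD user with UPN $UserPrincipalName" }

$expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
$msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

if ([string]::IsNullOrEmpty($msolUser.ImmutableId)) {
    Write-Host "ImmutableId is null in Azure AD; on-premises objectGUID maps to $expected"
    if (-not $WhatIf) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
        # Set-MsolUser prints nothing, so read the value back and verify it.
        $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
        if ($after -ne $expected) { throw "ImmutableId was not updated as expected" }
        Write-Host "ImmutableId set; now run Start-ADSyncSyncCycle -PolicyType Initial on the AD Connect server"
    }
} elseif ($msolUser.ImmutableId -eq $expected) {
    Write-Host "ImmutableId already matches the on-premises objectGUID; nothing to do"
} else {
    # A non-null but different ImmutableId means the cloud object is anchored to
    # another GUID (an old account or domain); investigate rather than overwrite.
    $otherGuid = ConvertFrom-ImmutableId -ImmutableId $msolUser.ImmutableId
    Write-Warning "ImmutableId $($msolUser.ImmutableId) maps to $otherGuid, not $($adUser.ObjectGUID); not changing it"
}
```

Run it first with -WhatIf to see which of the three cases applies before anything is written to Azure AD.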