If you have ever configured Office 365 and AD Connect to set up a hybrid environment, you know it is a pretty easy process. Simply follow the AD Connect wizard and the job will be done very quickly. By default, AD Connect will use the UPN and match or create the user in Office 365.

Behind the scenes, the objectGUID attribute of the local user is converted and stored as the ImmutableID attribute of the Office 365 user. Normally that is not important to us, unless you need to change the source AD. Even though that is rare, you can sometimes run into problems with user synchronization. A few days ago, I had this problem because the Office 365 users had previously been synchronized with an old AD, and AD Connect was disabled after that synchronization.

Fortunately, the problem can be solved easily. You need to read the objectGUID attribute of the local user, convert it to an ImmutableID, and set that attribute on the Office 365 user manually. Then you can establish AD Connect from the new source without problems.

Getting the ObjectGuid from the local user:

  • Go to ADSI Edit
  • Connect to “Default naming context”
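  • Open the Domain partition and browse to the user concerned
  • Copy the value of ObjectGuid to a notepad and re-arrange the HEX value from 44 31 E2 46 77 83 3E 48 A8 7E B6 76 9D B6 2E ED to 46E23144-8377-483E-A87E-B6769DB62EED (the first three groups are stored byte-reversed, the last two groups keep their byte order)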

Converting the ObjectGuid to an ImmutableID

Download the conversion script from the TechNet Gallery, “unblock” the script, and run the command:

PS C:\WINDOWS\system32> .\GUID2ImmutableID.ps1 46E23144-8377-483E-A87E-B6769DB62EED


Now you are ready to change the ImmutableID attribute of the Office 365 user with one simple PowerShell command:

Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId RDHiRneDPkiofrZ2nbYu7Q==


After you change the ImmutableID, start synchronization again and the problem should be solved.
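
The byte re-arrangement and the conversion step above both come down to Base64-encoding the 16 raw objectGUID bytes. The following is an added example, not the gallery script or code from this post: it does the conversion in both directions with built-in .NET types only, the function names are hypothetical, and the sample values are the ones used in this post.

```powershell
# Added example. Function names are hypothetical; sample values come from this post.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][string]$Value)

    $Value = $Value.Trim()
    $hex   = $Value -replace '\s', ''

    if ($Value -match '\s' -and $hex -match '^[0-9A-Fa-f]{32}$') {
        # ADSI Edit hex dump: the bytes are already in stored order, use them as-is.
        $bytes = [byte[]]::new(16)
        for ($i = 0; $i -lt 16; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
        }
    }
    else {
        # GUID string: ToByteArray() returns the same stored byte order.
        # The [guid] cast throws on malformed input.
        $bytes = ([guid]$Value).ToByteArray()
    }
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)

    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID does not decode to a 16-byte GUID."
    }
    [guid]::new([byte[]]$bytes)
}

# Both input forms of the same object must give the same ImmutableID.
$fromDump = ConvertTo-ImmutableId '44 31 E2 46 77 83 3E 48 A8 7E B6 76 9D B6 2E ED'
$fromGuid = ConvertTo-ImmutableId '46E23144-8377-483E-A87E-B6769DB62EED'
if ($fromDump -ne $fromGuid) { throw "Hex dump and GUID string disagree." }

# Round trip: decode the value back to the GUID before writing it to the cloud user.
$fromGuid
ConvertFrom-ImmutableId $fromGuid
```

Decoding an existing cloud ImmutableID with the second function and comparing it to the on-premises objectGUID shows whether a user is still anchored to the old directory before anything is changed.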



Another way to solve this issue is to set ImmutableID to $NULL with the command:

Set-MSOLUser -UserPrincipalName user@domain.com -ImmutableID "$null"




2 thoughts on “Problem with objectGUID and ImmutableID”

  1. Hi,

    I noticed in your PowerShell commands above that the ID in ImmutableID is capitalized in one while in the other it is ImmutableId. Does this make a difference (case-sensitive?) or is it not case-sensitive and either can be used. Thanks!

    1. Hello,

      Parameter switch -ImmutableID is not capitalized. That was only a typo 🙂

