If you have ever configured Office 365 and AD Connect in order to configure Hybrid environment, you know that is a pretty easy process. Simply follow AD Connect wizard and job will be done very quickly. By default, AD Connect will use UPN and and match or create user in Office 365.
Behind the scene, objectGUID attribute from local user will be converted and added as ImmutableID as Office 365 user attribute. Basically, that is not so important for us, except if you need to change source AD. Even though is that so rarely, sometimes you can have problem with user synchronization. Few days ago, I had this problem because Office 365 users were previously synchronized with old one AD and after synchronization AD Connect disabled.
Fortunately, problem can be solved easily. You need to list objectGUID attribute from local user, convert to ImmutableID and change that attribute to Office 365 user manually. Then, you can establish AD Connect from new source without problems.
Gettting the ObjectGuid from local user:
- Go to ADSI Edit
- Connect to “Default naming context”
- Open Domain partition and to the concerned user
- Copy the value of ObjectGuid to a notepad and re-arrange HEX value from 44 31 E2 46 77 83 3E 48 A8 7E B6 76 9D B6 2E ED to 46E23144-8377-483E-A87E-B6769DB62EED
Converting the ObjectGuid to an ImmutableID
Download converting script from technet gallery, “unblock” script and run command:
PS C:\WINDOWS\system32> .\GUID2ImmutableID.ps1 46E23144-8377-483E-A87E-B6769DB62EED ImmutableID ----------- RDHiRneDPkiofrZ2nbYu7Q==
Now, you are ready to change ImmutableID attribute to Office 365 user with one simply PowerShell command:
Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId RDHiRneDPkiofrZ2nbYu7Q==
When you change ImmutableID, start synchronization again and problem should be solved.
Another way to solve this issue is setting ImmutableID to $NULL wtih command
Set-MSOLUser -UserPrincipalName email@example.com -ImmutableID "$null"