Office 365 Hybrid: Conflicting User in Entra

Modified on Wed, 19 Nov at 8:15 PM

Problem:

Local AD user is syncing with the wrong Entra cloud user. For example:

Local AD user: user1@acme.com

Entra wrong user (hybrid): user1@acme.net

Entra correct user (cloud only): user1@acme.com


First, go into the Entra user admin and delete the conflicting Entra user. Then go into Deleted Users and permanently delete the user from there too, because a soft-deleted user still reserves its attributes. This is the user that was in the cloud but had no mailbox, no license, etc.


Then you can run this script to copy the Immutable ID from the local AD user into the correct Entra user, the one that was previously cloud only.


First make sure the Microsoft Graph PowerShell module is installed:

Install-Module Microsoft.Graph.Users


Then this script does the work:


# 1. Connect to Microsoft Graph
# We need User.ReadWrite.All to modify the ImmutableId
Connect-MgGraph -Scopes "User.ReadWrite.All"

# --- VARIABLES ---
$ADUsername = "user1"
$CloudUPN   = "user1@acme.com"
# -----------------

# 2. Get the on-premises user object (requires the ActiveDirectory module)
# SilentlyContinue so a missing account falls through to our own error message
$onPremUser = Get-ADUser -Identity $ADUsername -ErrorAction SilentlyContinue
if (-not $onPremUser) {
    Write-Error "AD User $ADUsername not found."
    return
}

# 3. Convert the AD objectGUID to an ImmutableId (Base64 string)
# This conversion logic is exactly the same for Graph as it was for MSOnline
$ImmutableId = [System.Convert]::ToBase64String($onPremUser.ObjectGUID.ToByteArray())
Write-Host "Calculated ImmutableId: $ImmutableId" -ForegroundColor Cyan

# 4. Retrieve the cloud user to verify its status (stop here if it does not exist)
$cloudUser = Get-MgUser -UserId $CloudUPN -Property Id, OnPremisesImmutableId, UserPrincipalName -ErrorAction Stop

if ($cloudUser.OnPremisesImmutableId) {
    Write-Warning "User $CloudUPN already has an ImmutableID set: $($cloudUser.OnPremisesImmutableId)"
    Write-Warning "You cannot overwrite this unless you clear it first (or the user is already synced)."
}
else {
    # 5. Perform the hard match
    try {
        # Note: the attribute name in Graph is OnPremisesImmutableId
        Update-MgUser -UserId $CloudUPN -OnPremisesImmutableId $ImmutableId -ErrorAction Stop

        Write-Host "SUCCESS: Linked AD User '$ADUsername' to Cloud User '$CloudUPN'" -ForegroundColor Green
        Write-Host "Action: Run 'Start-ADSyncSyncCycle -PolicyType Delta' on your Entra Connect server now." -ForegroundColor Gray
    }
    catch {
        Write-Error "Failed to update user. Graph Error: $_"

        # Tip: sometimes the SDK cmdlet is finicky with this specific attribute.
        # If the above fails, this 'Invoke-MgGraphRequest' method is the failsafe:
        # Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$CloudUPN" -Body @{ onPremisesImmutableId = $ImmutableId }
    }
}
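As an added example (not part of the original article), this diagnostic is worth running before the hard match: it decodes the Base64 ImmutableId back to an AD objectGUID to show which AD object the cloud user currently points to, and checks whether the AD user's ImmutableId is already held by a different cloud object, which is exactly the conflict described above. It assumes the same two modules as the script, that Connect-MgGraph has already been run with at least User.Read.All, and the function names are my own.

```powershell
# Added example, not the article's script. Assumes Microsoft.Graph.Users and
# ActiveDirectory are loaded and Connect-MgGraph was run (User.Read.All or higher).
function ConvertTo-ImmutableId {
    # AD objectGUID -> Base64 ImmutableId (same conversion as the script above)
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Base64 ImmutableId -> the AD objectGUID it encodes (the reverse direction)
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Test-HardMatchConflict {
    param(
        [Parameter(Mandatory)][string]$ADUsername,  # sAMAccountName, e.g. user1
        [Parameter(Mandatory)][string]$CloudUPN     # the cloud-only user to keep
    )
    $adUser   = Get-ADUser -Identity $ADUsername -ErrorAction Stop
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    # 1. Is this AD GUID already claimed by another cloud object? That object is
    #    the wrongly matched hybrid user (user1@acme.net in the example above).
    $claimedBy = @(Get-MgUser -Filter "onPremisesImmutableId eq '$expected'" -Property Id, UserPrincipalName)
    foreach ($u in $claimedBy) {
        if ($u.UserPrincipalName -ne $CloudUPN) {
            Write-Warning "ImmutableId $expected is already held by $($u.UserPrincipalName); clear it before matching $CloudUPN."
        }
    }

    # 2. Which AD object does the target cloud user currently point to, if any?
    $target = Get-MgUser -UserId $CloudUPN -Property Id, UserPrincipalName, OnPremisesImmutableId -ErrorAction Stop
    $linkedGuid = $null
    if ($target.OnPremisesImmutableId) {
        $linkedGuid = ConvertFrom-ImmutableId -ImmutableId $target.OnPremisesImmutableId
        $linked = Get-ADUser -Identity "$linkedGuid" -ErrorAction SilentlyContinue
        $name = if ($linked) { $linked.UserPrincipalName } else { 'no such AD object' }
        Write-Host "$CloudUPN is matched to AD objectGUID $linkedGuid ($name)"
    }
    else {
        Write-Host "$CloudUPN has no ImmutableId; it can be hard-matched to $ADUsername ($expected)."
    }

    # Return the findings so they can be inspected or logged
    [pscustomobject]@{ ExpectedImmutableId = $expected; ClaimedBy = $claimedBy.UserPrincipalName; CurrentLinkedGuid = $linkedGuid }
}

Test-HardMatchConflict -ADUsername "user1" -CloudUPN "user1@acme.com"
```

If the warning fires, the holder it names is the object to remove (and purge from Deleted Users) before the hard match in the script above will succeed.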
