M365 Sync Issue - On-Prem/M365 Account Sync Issue

Created by Brandon Willson, Modified on Thu, Aug 7 at 1:10 PM by Brandon Willson

Must perform a hard match on the two accounts.
Retrieve immutable ID from on-prem account and move it out of the M365 synced OU (AzureAD Synced) in ad and do a Delta sync. This removes the on-prem account from M365.
Fully delete the account in M365 azure out of the "Deleted" accounts folder.
Set M365 cloud account's immutable ID to that of the on-prem account.
Put account back in the M365 Azure synced OU and perform another Delta sync.
Both accounts then matched up. Chris may need to reset his passwords, but the error is gone and accounts are matched up.

Hard match instructions below. On-prem account MUST be unsynced from M365 Azure before updating immutable ID on M365 Azure account.

4. Get user On-Premises Immutable ID

Before you can set the on-premises Immutable ID of the cloud user, you need to get the on-premises user Object GUID and convert it to a Base64 string.

Note: The on-premises object values are GUIDs, whereas Microsoft Entra ID is a base64 encoded text string. So, you have to convert the GUID to Base64 string.

Get the cloud user Object GUID.

Get-ADUser Peter.Blake | Format-Table objectGuid

The PowerShell output shows the below results.

objectGuid : 876031de-bfb1-4f8b-9cb0-1c67a6094d3eT

Convert the Object GUID to Base64 string.

[Convert]::ToBase64String([guid]::New("876031de-bfb1-4f8b-9cb0-1c67a6094d3e").ToByteArray())

The PowerShell output shows the Immutable ID.

3jFgh7G/i0+csBxnpglNPg==

5. Set On-Premises Immutable ID on cloud user

Get the on-premises Immutable ID from the cloud user with the Get-MgUser cmdlet.

Get-MgUser -UserId "Peter.Blake@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId

The PowerShell output result shows an empty OnPremisesImmutableId, which is normal.

Note: The OnPremisesImmutableId is most likely empty, or it has a different value.

UserPrincipalName     : Peter.Blake@exoip.com OnPremisesImmutableId :

You need to add the string value to the -OnPremisesImmutableId parameter in the PowerShell command below.

Update-MgUser -UserId "Peter.Blake@exoip.com" -OnPremisesImmutableId "3jFgh7G/i0+csBxnpglNPg=="

6. Verify On-Premises Immutable ID property on cloud user

To verify, you can use the Get-MgUser cmdlet to get the user OnPremisesImmutableId.

Get-MgUser -UserId "Peter.Blake@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId

The PowerShell output shows the below results.

UserPrincipalName     : Peter.Blake@exoip.com OnPremisesImmutableId : 3jFgh7G/i0+csBxnpglNPg==

Note: The on-premises password takes presence and is now being used. The password from the cloud can no longer be used.

7. Force sync Microsoft Entra Connect (Delta Sync)

Wait for the Microsoft Entra Connect Sync to run, or you can Force sync Microsoft Entra Connect with PowerShell.