Remove Immutable Id Powershell
Working with user identities across cloud and on-premises environments often involves managing unique identifiers that link accounts together. One such attribute is the Immutable ID, which is commonly used when synchronizing identities from on-premises directories to (formerly ). While this attribute helps maintain consistency, there are times when administrators may need to remove an Immutable ID using . Knowing how to remove this property properly can help solve synchronization issues or prepare an account for reconfiguration without creating duplicate objects.
Understanding the Immutable ID
The Immutable ID is an attribute stored on cloud user accounts to match them with their corresponding on-premises accounts during directory synchronization. It ensures that user identities remain consistent even if their usernames or other properties change. This attribute is automatically set during the initial sync from on-premises using .
In certain cases, you might need to remove this Immutable ID. Typical scenarios include
- Recreating an on-premises user account after accidental deletion
- Moving a user from a federated domain to a managed domain
- Resolving mismatched or duplicate user objects in the cloud
- Breaking the link between on-premises and cloud accounts
Removing the Immutable ID allows the cloud user to be treated as a standalone object again, no longer tied to the on-premises directory.
Prerequisites for Using PowerShell
Before removing an Immutable ID, it is important to prepare your environment correctly. You will need access to the or the older module, both of which allow administrators to manage cloud identities. Additionally, you must sign in with an account that has sufficient privileges, such as a Global Administrator or User Administrator role in Microsoft Entra ID.
Make sure that
- You have installed the required PowerShell module
- You can connect successfully to your Microsoft tenant
- You have identified the correct user whose Immutable ID you want to remove
Once your environment is ready, you can safely execute the command to clear the attribute.
Using PowerShell to Remove the Immutable ID
Removing the Immutable ID is a straightforward process if you use the correct cmdlet. The general idea is to set the ImmutableId attribute on the user account to a null or empty value. In the older MSOnline module, this is done using theSet-MsolUsercmdlet, while the newer Microsoft Graph PowerShell usesUpdate-MgUser. The result is the same it unlinks the user from any synchronized identity.
Steps with MSOnline Module
If you are still using the MSOnline module, follow these steps
- Connect to the MSOnline service using
Connect-MsolServiceand your admin credentials. - Locate the user by their User Principal Name (UPN) or Object ID.
- Run
Set-MsolUser -UserPrincipalName <user@domain.com> -ImmutableId $nullto clear the attribute.
After this command runs successfully, the user’s Immutable ID will be removed, and they will no longer be linked to an on-premises object.
Steps with Microsoft Graph PowerShell
For administrators using the Microsoft Graph PowerShell module, the process is slightly different but just as simple
- Connect using
Connect-MgGraphand choose the required scopes, such asUser.ReadWrite.All. - Use
Get-MgUser -UserId <user@domain.com>to confirm the correct user account. - Run
Update-MgUser -UserId <user@domain.com> -OnPremisesImmutableId $nullto remove the attribute.
This approach is the recommended method moving forward since the MSOnline module is being deprecated.
Verifying That the Immutable ID Has Been Removed
After running the PowerShell command, you should verify that the attribute has been cleared. You can do this by querying the user’s properties again using either module. If the command returns an empty or null value for the Immutable ID field, then the removal was successful. This step is crucial to confirm that the cloud identity is no longer linked to any on-premises object.
It is also a good practice to allow some time for directory changes to propagate throughout the system before making additional modifications to the account.
Common Issues When Removing the Immutable ID
While the removal process is usually smooth, some common issues may occur
- Insufficient privilegesMake sure you are using an account with the appropriate admin role.
- Sync still activeIf the account is still syncing from on-premises, the Immutable ID may be re-populated. Temporarily stop synchronization if necessary.
- Incorrect user identifierDouble-check the UPN or Object ID you are targeting.
- Module conflictsHaving both MSOnline and Graph modules installed may cause confusion; stick to one method.
Understanding these potential problems will help you troubleshoot quickly if something does not work as expected.
Best Practices Before and After Removal
When planning to remove an Immutable ID, it is helpful to follow some best practices to maintain a clean identity environment
- Always back up user details and export account information before making changes.
- Communicate with other administrators to avoid overlapping changes on the same account.
- Document the reason for removing the Immutable ID for future reference.
- After removal, monitor the account to ensure no duplicate objects are created during the next sync.
These habits can prevent unexpected issues and ensure smooth management of user identities across hybrid environments.
What Happens After Removing the Immutable ID
Once the Immutable ID is removed, the cloud user becomes a standalone account and will no longer be matched with an on-premises account during synchronization. If you later want to link this account back to an on-premises object, you will need to set a new Immutable ID that matches the on-premises user’s ObjectGUID. This can be done by converting the GUID to a Base64 string and applying it with PowerShell.
Until then, the user can be fully managed in the cloud without interference from on-premises directory synchronization. This is useful when permanently moving a user to the cloud or resolving duplicate account conflicts.
Removing an Immutable ID with PowerShell is an essential skill for administrators managing hybrid identity environments. It allows you to unlink cloud users from on-premises directories, resolve conflicts, and reset accounts without deleting them entirely. By preparing your environment, using the correct PowerShell commands, and verifying the results, you can safely remove this attribute whenever needed. With careful planning and best practices, managing Immutable IDs can become a straightforward and reliable part of your identity administration workflow.