Immutable Id at the destination cannot be updated

Purpose

For Office 365 Provisioning and Federation to work correctly, the Immutable ID and UPN must match at both ends. This can be mismatch for a range of reasons and needs to be re-matched.

Some Reasons For Re-Matching Accounts: 

• Practice Protect Account was removed and now needs to be created and matched back to Office 365 Account
• You need to sync a certain attribute for a deleted Account to Office 365
• Office 365 User was previously synced with another Active Directory
• Staff Member Left and has returned. 

Prerequisites

• Administrator Access to your Office 365 Account (Needed to Create Service Account – i.e. practiceprotect@cbpaccountants.onmicrosoft.com) You can follow the following guide Create Practice Protect Service Account.
• AzureAD PowerShell Module. You can install here.
• Immutable Id of the Practice Protect Account to Link to.

Instructions

1. Under Core Services Click on Users 
2. Find the User you need to re-sync and open. (create user if you haven’t already)
3. Under Actions click Sync All Apps.
4. Go to Settings – Users – Outbound Provisioning – View Sync Job Status.
5. Look for the User Name you just tried to Sync and Open the Job.
6. You should see the error “The Immutable Id at the destination cannot be updated”
7. Copy the Immutable ID listed in the failed sync and keep aside. 
8. Open PowerShell and connect to AzureAD “Connect-AzureAD”
9. Run the following command changing the Email address to the account you require. Get-AzureADUser -ObjectId “andy.dufresne@cbpaccountants.com”
10. Copy the ObjectId from the result
11. Now run the following command to re-link the ImmutableID of the account, using the ImmutableID from step 7 and ObjectID from step 10.  Set-AzureADUser -ObjectId 2a49b136-8390-4d74-be7a-587687ee60b6 -ImmutableId NrFJKpCDdE2+elh3h+5vtb==
12. Confirm the  ImmutableID has now been re-matched by running the following. Get-AzureADUser -ObjectId “andy.dufresne@cbpaccountants.com” | select ImmutableID
13. Now confirm the UPN at both Practice Protect and Office 365 also match. If they match go to the next step. If they do not you can run the following command to match the UPN to what is shown at Practice Protect. Set-AzureADUser -ObjectId 2a49b136-8390-4d74-be7a-587687ee60b6 -UserPrincipalName “andy.dufresne@cbpaccountants.com”
14. Now back in Practice Protect, click on the user again and Sync All Apps for that User again.
15. Check the new Job Sync as per step 4 and confirm no sync issues.
16. The account should now be able to login into Office 365 again using the new Practice Protect linked account.
17. If changing a single attribute for a deleted user. You can now make the change and sync again. Once the change is reflected in Office 365 you can remove the temporary account in Practice Protect.