Purpose
For Microsoft 365 provisioning and federation to function properly, the Immutable ID and User Principal Name (UPN) must match at both ends. Mismatches can occur for various reasons and must be resolved to re-establish proper account synchronization.
Common Scenarios Requiring Account Re-Matching:
- The Practice Protect account was removed and needs to be recreated and matched to the corresponding Microsoft 365 account.
- A specific attribute for a previously deleted account needs to be synchronized with Microsoft 365.
- The Microsoft 365 user was originally synchronized with a different Active Directory environment.
- A staff member who left the organization has returned, requiring their account to be re-matched to their Microsoft 365 profile.
By addressing these mismatches, you can restore seamless synchronization and ensure continued access to Microsoft 365 services.
Prerequisites
- Microsoft 365 Account with Global Admin Access
- MSOnline PowerShell Module. You can install it here.
- Immutable ID of the Practice Protect Account
Instructions
1. Log in to Practice Protect and switch to the Admin Portal.
2. Go to Apps & Widgets > Web Apps. Find and open the app Office 365 (
3. Go to Advanced and click Test.
4. Enter the username of the user whose Immutable ID needs to be updated and click Next.
5. In the result window, go to SSO Token and find Immutable ID > Attribute Value (e.g. P6gekenxxxxxx==). Note: you can use the browser's find function (Ctrl + F) and search for the word ImmutableID.
6. Copy the Immutable ID and keep it for later use.
7. Open PowerShell on your computer and run the command below. It establishes a connection to Microsoft Online Services, such as Entra ID and Exchange Online:
Connect-MsolService
8. A login prompt will pop up. Supply Microsoft 365 Admin credentials.
9. Change the user's UserPrincipalName to the .onmicrosoft.com domain using the command below. Note: the two addresses are placeholders; replace them with the user's actual UserPrincipalName and its .onmicrosoft.com equivalent.
Set-MsolUserPrincipalName -UserPrincipalName "user@yourdomain.com" -NewUserPrincipalName "user@yourdomain.onmicrosoft.com"
10. Set the user's Immutable ID to null (a blank value) with the command below. The user is now addressed by the .onmicrosoft.com UPN set in the previous step:
Set-MsolUser -UserPrincipalName "user@yourdomain.onmicrosoft.com" -ImmutableId "$null"
11. Set the correct Immutable ID you gathered in Step 6 on the user with the command below (the quoted value is a placeholder):
Set-MsolUser -UserPrincipalName "user@yourdomain.onmicrosoft.com" -ImmutableId "<immutable-id-from-step-6>"
12. Revert the user's UserPrincipalName to the original one with this command:
Set-MsolUserPrincipalName -UserPrincipalName "user@yourdomain.onmicrosoft.com" -NewUserPrincipalName "user@yourdomain.com"
13. To verify that the Immutable ID was set correctly, run the command below and compare the value with the one copied in Step 6:
Get-MsolUser -UserPrincipalName "user@yourdomain.com" | Select-Object ImmutableId, UserPrincipalName
14. Return to the Practice Protect Admin Portal. Go to Users under Core Services.
15. Tick the box next to the user and click the Action button.
16. Choose Sync All Apps.
17. Proceed to Settings > Users > Outbound Provisioning and click View Synchronization Job Status and Reports.
18. Check the job sync history for a successful sync.
19. The account should now be able to log in to Microsoft 365 using the Practice Protect credentials.
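The PowerShell part of the procedure above, wrapped into one function as an added example (not code from the original article or from Practice Protect): it moves the user to the .onmicrosoft.com UPN, clears and sets the Immutable ID, always reverts the UPN even if a step fails, and raises an error if the read-back does not match. It assumes an existing Connect-MsolService session with Global Admin rights; the function name, its parameters and the UPN and Immutable ID values are placeholders.

```powershell
# Added example, not the article's own code. Assumes Connect-MsolService has already run.
function Set-FederatedImmutableId {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. user@yourdomain.com (placeholder)
        [Parameter(Mandatory)] [string] $ImmutableId,        # value copied from the Practice Protect SSO token
        [Parameter(Mandatory)] [string] $TenantDomain        # e.g. yourdomain.onmicrosoft.com (placeholder)
    )

    if ([string]::IsNullOrWhiteSpace($ImmutableId)) {
        throw "ImmutableId is empty; copy it from the SSO token Attribute Value first."
    }

    # Build the temporary UPN on the tenant's .onmicrosoft.com domain.
    $localPart = $UserPrincipalName.Split('@')[0]
    $tempUpn   = '{0}@{1}' -f $localPart, $TenantDomain

    # Step 9: move the user off the federated domain before touching the Immutable ID.
    Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $tempUpn

    try {
        # Step 10: clear the old value. Step 11: write the value gathered from Practice Protect.
        Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId "$null"
        Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId $ImmutableId
    }
    finally {
        # Step 12: revert the UPN even if one of the Set-MsolUser calls threw,
        # so the user is never left stranded on the .onmicrosoft.com address.
        Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $UserPrincipalName
    }

    # Step 13: read the value back and fail loudly on a mismatch instead of trusting the write.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName |
            Select-Object UserPrincipalName, ImmutableId
    if ($user.ImmutableId -ne $ImmutableId) {
        throw "Immutable ID mismatch: tenant has '$($user.ImmutableId)', expected '$ImmutableId'."
    }
    return $user
}

# Example invocation with placeholder values:
# Connect-MsolService
# Set-FederatedImmutableId -UserPrincipalName 'user@yourdomain.com' `
#     -TenantDomain 'yourdomain.onmicrosoft.com' -ImmutableId 'P6gekenxxxxxx=='
```

The MSOnline module is deprecated by Microsoft in favour of Microsoft Graph PowerShell, so confirm it is still usable in your tenant before relying on this sequence.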