Immutable Id at the destination cannot be updated

Purpose

For Microsoft 365 provisioning and federation to function properly, the Immutable ID and User Principal Name (UPN) must match at both ends. Mismatches can occur for various reasons and must be resolved to re-establish proper account synchronization.

Common Scenarios Requiring Account Re-Matching:

1. • The Practice Protect account was removed and needs to be recreated and matched to the corresponding Microsoft 365 account.

   • A specific attribute for a previously deleted account needs to be synchronized with Microsoft 365.

   • The Microsoft 365 user was originally synchronized with a different Active Directory environment.

   • A staff member who left the organization has returned, requiring their account to be re-matched to their Microsoft 365 profile.

By addressing these mismatches, you can restore seamless synchronization and ensure continued access to Microsoft 365 services.

Prerequisites

• Microsoft 365 Account with Global Admin Access
• Microsoft Graph PowerShell Module. You can install it here.
• Immutable ID of the Practice Protect Account

Instructions

1. Login to Practice Protect and switch to Admin Portal
2. Go to Apps & Widgets > Web Apps. Find and open the app Office 365 (Type:Web – WS-Fed + Provisioning)
   
   
   
3. Go to Advanced and click Test.
   
   
   
4. Enter the username of the user that needs to update the Immutable ID and click Next.
   
   
   
   
5. On the result window, head on to SSO Token and find the Immutable ID > Attribute Value (ex. P6gekenxxxxxx==)
   
   
   Note: You can use find function in the browser and search for the ImmutableID word (Ctrl + f) 
6. Copy the Immutable ID and keep it for later use. 
7. Open Powershell on your computer and run the command below:
   

   Connect-MgGraph -Scopes "User.ReadWrite.All"

   This is used to establish a connection to Microsoft Graph, allowing access to services like Entra ID and Exchange Online depending on the permissions granted.
   
   
8. A prompt to log in will appear. Please sign in using your Microsoft 365 Admin credentials and ensure that you check the box to grant the required permissions. This is necessary to allow access via Microsoft Graph
   
   
9. Change the user’s UserPrincipalName with the .onmicrosoft.com domain using the below command. Note: replace yourusername@domain.com and yourusername@domain.onmcirosoft.com with your correct UserPrincipalName
   

   Update-MgUser -UserId yourusername@domain.com -UserPrincipalName yourusername@domain.onmicrosoft.com 

   
   
10. Set the right Immutable ID you gathered on Step 6 to the user with the below command:
    

    Update-MgUser -UserId yourusername@domain.onmicrosoft.com -OnPremisesImmutableId "enter_the_immutableid_here"

    
    
11. Revert the user’s UserPrincipalName to the original one with this command:

    Update-MgUser -UserId yourusername@domain.onmicrosoft.com -UserPrincipalName yourusername@domain.com

    
    
12. To verify that you set the Immutable ID correctly, run the below command:
    

    Get-MgUser -UserId yourusername@domain.onmicrosoft.com -Property OnPremisesImmutableId,UserPrincipalName | Select-Object OnPremisesImmutableId, UserPrincipalName

    
    
13. Return to Practice Protect Admin Portal. Go to Users under Core Services.
14. Tick the box of the user and click the Action button
15. Choose Sync All Apps.
    
16. Proceed to Settings > Users > Outbound Provisioning and click View Synchronization Job Status and Reports
    
    
    
    
17. Check the job sync history for a successful sync.
    
18. The account should now be able to login to Microsoft 365 using the Practice Protect credentials