Immutable Id at the destination cannot be updated

Purpose

For Microsoft 365 provisioning and federation to function properly, the Immutable ID and User Principal Name (UPN) must match at both ends. Mismatches can occur for various reasons and must be resolved to re-establish proper account synchronization.

Common Scenarios Requiring Account Re-Matching:

    • The Practice Protect account was removed and needs to be recreated and matched to the corresponding Microsoft 365 account.

    • A specific attribute for a previously deleted account needs to be synchronized with Microsoft 365.

    • The Microsoft 365 user was originally synchronized with a different Active Directory environment.

    • A staff member who left the organization has returned, requiring their account to be re-matched to their Microsoft 365 profile.

By addressing these mismatches, you can restore seamless synchronization and ensure continued access to Microsoft 365 services.

Prerequisites

  • Microsoft 365 Account with Global Admin Access
  • Microsoft Graph PowerShell Module. You can install it here.
  • Immutable ID of the Practice Protect Account

Instructions

  1. Log in to Practice Protect and switch to the Admin Portal.
  2. Go to Apps & Widgets > Web Apps. Find and open the app Office 365 (
  3. Go to Advanced and click Test.


  4. Enter the username of the user that needs to update the Immutable ID and click Next.



  5. In the result window, go to SSO Token and find the Immutable ID > Attribute Value (ex. P6gekenxxxxxx==)


    Note: You can use the browser's find function (Ctrl + F) to search for the word ImmutableID.
  6. Copy the Immutable ID and keep it for later use.
  7. Open PowerShell on your computer and run the command below:
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    This is used to establish a connection to Microsoft Graph, allowing access to services like Entra ID and Exchange Online depending on the permissions granted.

  8. A prompt to log in will appear. Sign in using your Microsoft 365 Admin credentials and check the box to grant the required permissions. This is necessary to allow access via Microsoft Graph.

  9. Change the user’s UserPrincipalName to the .onmicrosoft.com domain using the command below. Note: replace [email protected] and [email protected] with your correct UserPrincipalName.
    Update-MgUser -UserId [email protected] -UserPrincipalName [email protected] 

  10. Set the Immutable ID of the user to Null (blank value) with the command below:
    Update-MgUser -UserId [email protected] -OnPremisesImmutableId "$null"

  11. Set the correct Immutable ID you gathered in Step 6 on the user with the command below:
    Update-MgUser -UserId [email protected] -OnPremisesImmutableId "enter_the_immutableid_here"

  12. Revert the user’s UserPrincipalName to the original one with this command:
    Update-MgUser -UserId y[email protected] -UserPrincipalName [email protected]

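  13. To verify that you set the Immutable ID correctly, run the command below. Both properties must be requested with -Property, otherwise UserPrincipalName comes back empty:
    Get-MgUser -UserId [email protected] -Property OnPremisesImmutableId,UserPrincipalName | Select-Object OnPremisesImmutableId, UserPrincipalName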

  14. Return to the Practice Protect Admin Portal. Go to Users under Core Services.
  15. Tick the box of the user and click the Action button.
  16. Choose Sync All Apps.
  17. Proceed to Settings > Users > Outbound Provisioning and click View Synchronization Job Status and Reports



  18. Check the job sync history for a successful sync.
  19. The account should now be able to log in to Microsoft 365 using the Practice Protect credentials.
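
Steps 7 to 13 as one script, added here as an example (it is not Practice Protect's own code) and assuming the three placeholder values at the top are replaced first. It addresses the user by object ID so the temporary UPN change cannot break later calls, stops if another account already holds the Immutable ID, and restores the original UPN even when a middle step fails.

```powershell
# Added example. The three values below are placeholders (assumptions), not real accounts.
$OriginalUpn = '<user>@<your-domain>'              # the user's normal UserPrincipalName
$TempUpn     = '<user>@<tenant>.onmicrosoft.com'   # temporary UPN used in step 9
$ImmutableId = '<immutable-id-from-step-6>'        # value copied from the SSO token

$ErrorActionPreference = 'Stop'                    # turn any cmdlet error into a terminating error
Connect-MgGraph -Scopes 'User.ReadWrite.All'       # step 7

# Reject an empty value or one that picked up whitespace while being copied.
if ([string]::IsNullOrWhiteSpace($ImmutableId) -or $ImmutableId -match '\s') {
    throw 'Immutable ID is empty or contains whitespace; copy it again from the SSO token.'
}

$props = 'Id', 'UserPrincipalName', 'OnPremisesImmutableId'
$user  = Get-MgUser -UserId $OriginalUpn -Property $props
Write-Host "Before: $($user.UserPrincipalName) / '$($user.OnPremisesImmutableId)'"

# Stop if a different account already holds this Immutable ID.
$holders = Get-MgUser -Filter "onPremisesImmutableId eq '$ImmutableId'" -Property $props
if ($holders | Where-Object Id -ne $user.Id) {
    throw "Immutable ID is already set on: $($holders.UserPrincipalName -join ', ')"
}

try {
    Update-MgUser -UserId $user.Id -UserPrincipalName $TempUpn          # step 9
    Update-MgUser -UserId $user.Id -OnPremisesImmutableId "$null"       # step 10
    Update-MgUser -UserId $user.Id -OnPremisesImmutableId $ImmutableId  # step 11
}
finally {
    # Step 12: put the original UPN back whether or not the steps above succeeded.
    Update-MgUser -UserId $user.Id -UserPrincipalName $OriginalUpn
}

# Step 13: read both properties back and compare (Base64 is case-sensitive, hence -cne).
$after = Get-MgUser -UserId $user.Id -Property $props
if ($after.OnPremisesImmutableId -cne $ImmutableId -or
    $after.UserPrincipalName -ne $OriginalUpn) {
    throw "Verification failed: $($after.UserPrincipalName) / '$($after.OnPremisesImmutableId)'"
}
$after | Select-Object UserPrincipalName, OnPremisesImmutableId
Disconnect-MgGraph | Out-Null                      # end the admin session when done
```

Continue with steps 14 to 18 in the Practice Protect Admin Portal once the script prints the expected UserPrincipalName and Immutable ID.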

 

Updated on May 8, 2025
