Convert AzureAD ImutableID to MsDsConsistencyGUID

Hello,

When working with AADConnect, Active Directory & Azure AD, you may have to perform some hard matches to solve some weird issues, or for restoration purposes.

Some time ago, I wrote an article that performs hard matches the other way around (by modifying Azure AD) and that is based on the old “source anchor” (ObjectGUID). My old post is still relevant today; you just need to adapt the source anchor if you are using mS-DS-ConsistencyGuid instead of ObjectGUID.

Today we’ll see how to change the AD account corresponding to an Office 365 account by modifying the local Active Directory instead of modifying Azure AD. This can be helpful in a multi-forest deployment, for example.

Convert AzureAD ImutableID to MsDsConsistencyGUID with PowerShell

function ConvertFrom-ImutableIDToMsConsistencyGuid {
    Param(
        [String]$ImutableID
    )
    # The ImmutableId is the Base64 encoding of the 16-byte source anchor;
    # decode it and build the GUID from those bytes.
    [GUID][System.Convert]::FromBase64String($ImutableID)
}
$AzureADUserUPN = 'test@itfordummies.net'
$ADUser = 'test'
# Read the ImmutableId of the cloud account (MSOnline module, Connect-MsolService first).
$ImutableID = Get-MsolUser -UserPrincipalName $AzureADUserUPN | Select-Object -ExpandProperty ImmutableId
$MsDsConsistencyGuid = ConvertFrom-ImutableIDToMsConsistencyGuid -ImutableID $ImutableID
# Write the anchor on the new on-premises account (ActiveDirectory module).
Set-ADUser -Identity $ADUser -Add @{'mS-DS-ConsistencyGuid' = [GUID]$MsDsConsistencyGuid}

You will need to clear the attribute “mS-DS-ConsistencyGuid” on the “old” AD account, otherwise two on-premises accounts carry the same source anchor:

Set-ADUser -Identity old -Clear 'mS-DS-ConsistencyGuid'

Note: This PowerShell snippet requires the ActiveDirectory PowerShell module and the MSOnline PowerShell module. You can also use the AzureAD PowerShell module if you use “Get-AzureADUser” instead of “Get-MsolUser” to retrieve the Azure AD ImmutableId.

Below is the same code based on the AzureAD PowerShell module:

function ConvertFrom-ImutableIDToMsConsistencyGuid {
    Param(
        [String]$ImutableID
    )
    # Base64 ImmutableId -> 16 bytes -> GUID (the value expected in mS-DS-ConsistencyGuid).
    [GUID][System.Convert]::FromBase64String($ImutableID)
}
$AzureADUserUPN = 'test@itfordummies.net'
$ADUser = 'test'
# Get-AzureADUser -ObjectId accepts the UPN as well as the object id (Connect-AzureAD first).
$ImutableID = Get-AzureADUser -ObjectId $AzureADUserUPN | Select-Object -ExpandProperty ImmutableId
$MsDsConsistencyGuid = ConvertFrom-ImutableIDToMsConsistencyGuid -ImutableID $ImutableID
Set-ADUser -Identity $ADUser -Add @{'mS-DS-ConsistencyGuid' = [GUID]$MsDsConsistencyGuid}

Of course, you’ll need to use the “connect” cmdlet of the module before you can use the “get” cmdlet:

  • Connect-MsolService
  • Connect-AzureAD

Since PowerShell 3, modules are loaded automatically, so you do not need to import a module before using the cmdlets inside it. To install the modules, you can use:

  • Find-Module AzureAD | Install-Module -Scope CurrentUser
  • Find-Module MSOnline | Install-Module -Scope CurrentUser
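As an added example (this is not the post’s own code), here is the conversion in both directions together with the two checks worth running before a hard match: that the Base64 value really decodes to a 16-byte anchor, and that no other on-premises account already carries that mS-DS-ConsistencyGuid. The function names ConvertFrom-ImmutableId, ConvertTo-ImmutableId and Find-ADUserByConsistencyGuid, the sample GUID and the account name 'test' are assumptions made for the example; only the ActiveDirectory module is required.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory module;
# $SampleGuid is a constructed value, 'test' is a hypothetical sAMAccountName.

function ConvertFrom-ImmutableId {
    Param([Parameter(Mandatory)][string]$ImmutableId)
    # ImmutableId is the Base64 form of the 16-byte source anchor.
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId decodes to $($bytes.Length) bytes, expected 16: not an ObjectGUID/ConsistencyGuid anchor."
    }
    [Guid]::new($bytes)
}

function ConvertTo-ImmutableId {
    Param([Parameter(Mandatory)][Guid]$Guid)
    # Reverse direction: GUID -> Base64 string as Azure AD presents it.
    [System.Convert]::ToBase64String($Guid.ToByteArray())
}

function Find-ADUserByConsistencyGuid {
    Param([Parameter(Mandatory)][Guid]$Guid)
    # An LDAP filter on a binary attribute needs each byte escaped as \xx.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    Get-ADUser -LDAPFilter "(mS-DS-ConsistencyGuid=$escaped)" -Properties 'mS-DS-ConsistencyGuid'
}

# 1. Round trip on a constructed sample value (no directory access needed).
$SampleGuid        = [Guid]'12345678-90ab-cdef-1234-567890abcdef'
$SampleImmutableId = ConvertTo-ImmutableId -Guid $SampleGuid
$RoundTrip         = ConvertFrom-ImmutableId -ImmutableId $SampleImmutableId
if ($RoundTrip -ne $SampleGuid) { throw 'Round trip failed' }
"ImmutableId $SampleImmutableId <-> GUID $RoundTrip"

# 2. Pre-flight: refuse to write an anchor that another on-prem account already has.
$ADUser      = 'test'
$ImmutableId = $SampleImmutableId   # replace with the value read from Azure AD
$TargetGuid  = ConvertFrom-ImmutableId -ImmutableId $ImmutableId
$Others = @(Find-ADUserByConsistencyGuid -Guid $TargetGuid | Where-Object { $_.SamAccountName -ne $ADUser })
if ($Others.Count -gt 0) {
    throw "Anchor already present on $($Others.SamAccountName -join ', '); clear it there first."
}

# 3. Write the anchor. -Replace rather than -Add: the attribute is single-valued,
#    so -Add fails with a constraint violation if it is already populated.
Set-ADUser -Identity $ADUser -Replace @{'mS-DS-ConsistencyGuid' = $TargetGuid.ToByteArray()}
```

The duplicate check matters because AAD Connect treats the source anchor as the identity of the object: two on-premises accounts with the same mS-DS-ConsistencyGuid produce a sync conflict rather than a clean match.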

One thought on “Convert AzureAD ImutableID to MsDsConsistencyGUID”

  1. Yeah! This convert script saved me!
    I was migrating from a multi-tenant environment to an own environment for the customer. Then, when I broke up the old sync and wanted to build up the new one, the accounts did not match…

    With the script “Convert AzureAD ImutableID to MsDsConsistencyGUID with PowerShell” I could match the ImutableID with the on-prem Ms-ds-consistencyGUID!

    After this, all went well and the Azure AD account converted automatically to Windows Server AD instead of Azure.
