I'm having trouble setting the OnPremisesImmutableId attribute to null for users in Azure. I've looked everywhere and noticed that many others have faced similar issues, often resolving them using Invoke-MgGraphRequest or changing the UPN to an onmicrosoft.com account first. However, none of those methods are working for me.
I'm connecting with the following permissions: Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.ReadWrite.All", "Directory.AccessAsUser.All".
When I try to execute either of these commands, I get an error saying "Property value is required but is empty or missing":
1. `Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/[email protected]" -Body @{OnPremisesImmutableId = $null}`
2. `Clear-ADSyncToolsOnPremisesAttribute -Identity "[email protected]" -onPremisesImmutableId`
I've also attempted setting the UPN to an onmicrosoft.com address first but I'm still encountering the same issue. I'm trying to delete these local users, but they're tied to Azure accounts that are linked to Exchange Online shared mailboxes. Any suggestions on how to resolve this?
4 Answers
Have you tried wrapping the $null in quotes? That’s the method I used before: Set-MsolUser -UserPrincipalName [email protected] -ImmutableId "$null". That worked for me in a similar situation! Here’s a thread I made about it: [Old Thread Link](https://www.reddit.com/r/sysadmin/comments/10q3dsv/adsync_deletingcloudonlyobjectnotallowed_fixed/).
I think this attribute might have been made read-only recently. If you want to transfer the mailbox service to the cloud, you’ll likely need to delete the user account and wait for it to finalize the deletion, then you can restore the account. It’s a bit of a hassle, but it could be necessary to unlink those Azure accounts from local ones.
Just to add, when you do delete and restore the account, make sure to let it sync twice. If you skip this, you could run into syncing errors that throw everything off.
You could also use the Update-MgUser cmdlet: `Update-MgUser -UserId -OnPremisesImmutableId $null`. This should reset that attribute to null for the user you specify. If you have to do this in bulk, there are scripts available to help you with that too.
Actually, from what I’ve read, you can't use Update-MgUser to change the immutableID. It seems like the command you're trying to use is the right one, but it might just be rejecting null values.
You definitely need to use the Invoke-MgGraphMethod with a PATCH request to change that attribute. I can share some code later when I get back to my office, so hang tight!
I haven't seen any specific updates about that attribute becoming read-only. Do you have a reference for that? If I delete the account and restore it, won’t that just bring back the AD and sync again? I thought setting the OnPremisesImmutableId to null was the standard way to stop syncing users.