Clearing Immutable IDs - Moving identity from a Domain Controller (AD) to Azure AD DS (Planned)

When provisioning with Nerdio Manager for MSP, the first configuration component is centered on Identity Management (IdM). In many instances a traditional Domain Controller with Azure AD Connect has been the method for IdM and for synchronization with Azure Active Directory. As partners move forward with native or PaaS services in Azure, the appeal of moving off a traditional Domain Controller is going to increase.

As with any account and tenant in M365, each user and their User Principal Name (UPN) has one of two statuses, In Cloud or Synced. A synced account is one under the management of the Domain Controller. When that UPN is synced for the first time, the immutable ID attribute is written with a unique ID that serves as the key between the Domain Controller object and the AAD object. Once written, the UPN status changes from In Cloud to Synced.

With that understanding, and the desire to move away from a Domain Controller to Azure Active Directory Domain Services, those UPNs need to be moved back to In Cloud status in order to allow a new IdM provider to become the authority in the NMM account. To do this the immutable ID needs to be made null (valueless), which returns the account to In Cloud status (Synced = No).

A small PowerShell script (using the MSOnline module) is all that is needed to nullify the immutable ID.

_______

Connect-MsolService   # authenticate to the tenant first

$custDomain = "*company.com"   # tenant domain, e.g. "*contoso.com"

# Synced accounts only: ImmutableId is set. -All avoids the default 500-user cap of Get-MsolUser.
$syncedUsers = Get-MsolUser -All | Where-Object { ($_.UserPrincipalName -like $custDomain) -and ($_.ImmutableId -ne $null) }

foreach ($user in $syncedUsers) {
    # "$null" (an empty string) is the value the cmdlet accepts to clear the attribute
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId "$null"
}

_______

The $custDomain assignment sets the domain name of the tenant, e.g. "*contoso.com"; the leading wildcard matches every UPN in that domain.

The Get-MsolUser line separates the currently synced users from the In Cloud users. There is no need to process an account that is not currently being synced, so only accounts whose immutable ID is not null (-ne $null) are selected.

The result in $syncedUsers is the list of all UPNs that satisfy the Get-MsolUser conditions. The foreach loop then walks that list in order until it reaches the end, and for each user runs Set-MsolUser to nullify the immutable ID field (-immutableid "$null").
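As an added example, not the article's own script, here is a more careful form of the same procedure: it saves the UPN to ImmutableId mapping to a CSV before anything is changed, runs as a dry run unless -Apply is given, and re-queries the tenant afterwards to confirm every matched account now reports a null ImmutableId. The $CustDomain value, the backup path and the -Apply switch are assumptions; the cmdlets are the same MSOnline ones the article uses.

```powershell
# Added example, not the article's script: back up ImmutableIds, dry-run by default, verify after.
param(
    [string]$CustDomain = "*contoso.com",                 # assumption: replace with the tenant's domain
    [string]$BackupPath = ".\immutableid-backup.csv",     # assumption: where the UPN->ImmutableId map is saved
    [switch]$Apply                                        # assumption: without -Apply nothing is changed
)

Connect-MsolService

# Same selection as the article: accounts in the domain that still carry an ImmutableId (Synced = Yes).
# -All is required; Get-MsolUser otherwise returns only the first 500 users.
$syncedUsers = @(Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like $CustDomain -and $null -ne $_.ImmutableId })

# Keep the mapping before touching anything so the link to the on-premises objects can be restored.
$syncedUsers |
    Select-Object UserPrincipalName, ObjectId, ImmutableId |
    Export-Csv -Path $BackupPath -NoTypeInformation

Write-Host ("{0} synced account(s) match '{1}'; backup written to {2}" -f $syncedUsers.Count, $CustDomain, $BackupPath)

if (-not $Apply) {
    $syncedUsers | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
    Write-Host "Dry run only. Re-run with -Apply to clear the ImmutableId values."
    return
}

foreach ($user in $syncedUsers) {
    # A quoted "$null" (an empty string) is the value Set-MsolUser accepts to blank the attribute.
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId "$null"
}

# Verify: anything in scope that still has an ImmutableId was not converted to In Cloud.
$remaining = @(Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like $CustDomain -and $null -ne $_.ImmutableId })

if ($remaining.Count -eq 0) {
    Write-Host "All matched accounts now report ImmutableId = null (Synced = No)."
} else {
    Write-Warning ("{0} account(s) still have an ImmutableId:" -f $remaining.Count)
    $remaining | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
}
```

The MSOnline module the article relies on has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell; the back-up, dry-run, apply, verify pattern carries over unchanged.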

With all of that understanding, there is a specific order to follow to avoid running into or creating issues. While this particular post focused on clearing immutable IDs, the other important steps have been addressed on other sites (both Microsoft and Nerdio):

  • Stop and disable the sync services on the Domain Controller
  • Disable sync in the M365 tenant ( link )
  • Clear the immutable IDs on the accounts that were prior synced (this article)
  • Add/create the Azure AD DS service to the Subscription and Resource Group ( link )
