What is the ImmutableID
If you are working with Azure AD and synchronizing objects from your on-premises directory service (Active Directory) to Azure Active Directory using FIM or Azure AD Connect, you will need to troubleshoot synchronization issues from time to time. It is very important to understand how objects are represented in your AD and in Azure AD, and what the ImmutableID means.
There are three stores of objects in this synchronization infrastructure:
- Object exists originally in Active Directory.
- Object is synced to and stored in Azure AD Connect (in the store called the metaverse).
- Object is finally stored in Azure AD.
When setting up synchronization to Azure AD, you will be asked to choose an attribute that represents objects in your local Active Directory. This attribute should be immutable: it must not change during the life-cycle of the whole ongoing sync to Azure AD. Usually, people go with the ObjectGUID. Nevertheless, there are some situations, like forest migrations, where the ObjectGUID might change. Check this article for an example.
Let us suppose you chose ObjectGUID when you set up the synchronization to Azure AD. Now, let us go through the synchronization phases and see how an object is represented across the three stores.
While the object is represented in Active Directory by its objectGUID, when it is synced to Azure AD Connect the objectGUID is converted to base-64 format and stored in the AAD Connect metaverse in a new attribute called sourceAnchor. This attribute only exists in the AAD Connect metaverse.
Now, when the object is synced from the AAD Connect metaverse to Azure AD, the sourceAnchor value of that object is copied to the corresponding object in Azure AD, into a new attribute called ImmutableID.
Let us say that a user called John exists in your AD, and his objectGUID is something like this:
The user's objectGUID is converted to base-64 and stored in the AAD Connect metaverse as sourceAnchor, and in Azure AD as ImmutableID:
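The conversion described above, as an added Python example (this is not the author's tool or AAD Connect's own code): the ImmutableID is the Base64 encoding of the GUID's 16 raw bytes in .NET Guid.ToByteArray() order, which Python exposes as uuid.UUID.bytes_le. The sample GUID is a constructed value, not a real object, and the "naive" helper exists only to show why a GUID encoded in the wrong byte order never matches the ImmutableID Azure AD holds.

```python
import base64
import uuid

# Constructed sample objectGUID (hypothetical; not from the original post).
SAMPLE_OBJECTGUID = "01234567-89ab-cdef-0123-456789abcdef"


def objectguid_to_immutableid(guid_text: str) -> str:
    """Convert an AD objectGUID (string form) to the Azure AD ImmutableID.

    AAD Connect Base64-encodes the 16 bytes of the GUID as .NET's
    Guid.ToByteArray() lays them out: the first three fields little-endian,
    the last two as-is. uuid.UUID.bytes_le gives exactly that byte order.
    Braces, as PowerShell prints them, are accepted.
    """
    guid = uuid.UUID(guid_text.strip("{}"))
    return base64.b64encode(guid.bytes_le).decode("ascii")


def immutableid_to_objectguid(immutable_id: str) -> str:
    """Reverse direction: decode the 24-character Base64 value to a GUID."""
    raw = base64.b64decode(immutable_id, validate=True)  # raises on junk
    if len(raw) != 16:
        raise ValueError(f"ImmutableID does not decode to 16 bytes: {immutable_id!r}")
    return str(uuid.UUID(bytes_le=raw))


def looks_like_immutableid(value: str) -> bool:
    """Cheap sanity check for troubleshooting: does this value decode to a GUID?

    A mismatched or hand-edited ImmutableID usually fails here first.
    """
    try:
        immutableid_to_objectguid(value)
        return True
    except ValueError:  # binascii.Error (bad Base64) is a ValueError subclass
        return False


def naive_immutableid(guid_text: str) -> str:
    """The common mistake: encoding the GUID's canonical (big-endian) bytes.

    Shown only for comparison; this is NOT what AAD Connect stores.
    """
    return base64.b64encode(uuid.UUID(guid_text.strip("{}")).bytes).decode("ascii")


if __name__ == "__main__":
    iid = objectguid_to_immutableid(SAMPLE_OBJECTGUID)
    print(SAMPLE_OBJECTGUID, "->", iid)                 # Z0UjAauJ780BI0VniavN7w==
    print(iid, "->", immutableid_to_objectguid(iid))    # round-trips to the GUID
    print("wrong byte order gives", naive_immutableid(SAMPLE_OBJECTGUID))
```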
Azure AD GUID to Azure AD ImmutableID converter
So sometimes you want a tool that converts from objectGUID to ImmutableID and the other way around. I created a simple desktop application that you can just click and use to easily convert between an Azure ImmutableID and an AD objectGUID. The application is very small (500k), as you can see below:
Just double click it and the app will open:
Now you can simply enter an AD GUID and it will compute the ImmutableID:
Or you can enter an Azure ImmutableID and it will compute the objectGUID in your AD:
Download the Tool
You can download the app from here. The tool requires .NET on your machine.