Managing user identities in hybrid environments often involves resolving sync issues between on-premises Active Directory and Azure AD. One key troubleshooting task is updating or resetting the ImmutableID (also called OnPremisesImmutableId). This guide provides a step-by-step breakdown of essential Microsoft Graph PowerShell commands.
🛠 How to Install Microsoft Graph SDK
✅ 1. Open as Administrator
Search for , right-click, and select “Run as Administrator”.
🧩 2. Install the SDK Using
Run the following command:
Install-Module Microsoft.Graph -Scope AllUsers
🔒 If prompted to trust the repository (PSGallery), type Y and press Enter.
✅ Optional: Install Specific Modules Only (Advanced)
If you want to install only specific Graph modules (like Users, Groups, or Identity), you can install them individually:
Install-Module Microsoft.Graph.Users
Install-Module Microsoft.Graph.Identity.DirectoryManagement
🔍 3. Verify the Installation
After installation, run:
Get-Module Microsoft.Graph* -ListAvailable
You should see a list of installed Microsoft Graph modules.
1. Connect to Microsoft Graph
Connect-MgGraph
Why: Establishes a session with Microsoft Graph API, which is required for managing users in Microsoft 365/Azure AD.
🔐 For full access:
Connect-MgGraph -Scopes “User.ReadWrite.All”, “Directory.ReadWrite.All”, “Directory.AccessAsUser.All”
✍️ 2. Set the OnPremisesImmutableId
Update-MgUser -UserPrincipalName Welcome21.Doe@contoso.com -OnPremisesImmutableId “0Nf0Uj5XXk+qZ/6ZhBCypA==”
Replace UPN and Immutable ID. Its is been Done for Hard Match.
Why: Manually sets the ImmutableID used by Azure AD to link the user to their on-prem AD identity.
🗑️ 3. Clear the ImmutableID (Unlink from On-Prem)
Update-MgUser -UserPrincipalName Welcome21.Doe@M365x91864288.onmicrosoft.com -OnPremisesImmutableId $null
🆚 Old method (deprecated):
Set-MsolUser -UserPrincipalName Welcome21.Doe@M365x91864288.onmicrosoft.com -ImmutableId $null
Why: Used to disconnect the cloud account from its on-prem identity. Often necessary before merging accounts or re-linking.
🔁 4. Start Azure AD Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
Why: Immediately pushes local AD changes to Azure AD. Essential after modifying ImmutableID.
🔍 5. Get User Info with Microsoft Graph
Option 1: Basic query
Get-MgUser -UserPrincipalName Welcome34.Smith@M365x91864288.onmicrosoft.com
Why: Displays user object and sync status.
✅ Option 2: Formatted view with Get-MgUserByUserPrincipalName
Get-MgUserByUserPrincipalName -UserPrincipalName abc@milanday.com | fl
Why: Returns detailed user properties in a **formatted list** (`fl` = `Format-List`) view. Excellent for verifying ImmutableID and sync state.
🛠️ 6. Find Permissions Needed for Graph Commands
Find-MgGraphCommand -Command Get-MgUser | Select -First 1 -ExpandProperty Permissions
Why: Quickly shows which **Graph API permissions** are required to run specific commands.
🧽 7. Clean Your Console (Optional)
clear
Why: Clears window for improved visibility when working with multiple outputs.
✅ Summary
Whether you’re fixing sync problems or managing cloud-only users in a hybrid environment, these Microsoft Graph commands offer a modern, secure way to manage identities. Transitioning from legacy `MSOnline` commands to **Microsoft Graph SDK** ensures future-proof and compliant administration.
🔑 Takeaways:
- Always start with `Connect-MgGraph`.
- Use `Update-MgUser` or `Get-MgUserByUserPrincipalName` for granular identity management.
- Replace `Set-MsolUser` with Graph SDK equivalents.
- Use `Start-ADSyncSyncCycle` after ImmutableID changes
Leave a Reply