O365 – reverting hard matching migration using ImmutableID

Oct 17 2018

This is a very obscure problem, so I’m recording this more for my own reference in future rather than expecting anyone else to have the same issue!

The issue occurs when a migration from a hybrid exchange domain to another domain which uses AD Sync has been completed in the following manner:

filter/delete user in current domain
AD Sync soft deletes mailbox
Create user in new domain (in a filtered OU that won’t be synchronised)
Obtain new account GUID and convert to immutableID string (base64)
Undelete mailbox (mailbox becomes cloud mailbox)
Assign ImmutableID to mailbox (from the target account)
Move target account to a synchronised OU then allow AD sync to hard match the accounts
For some reason, there is a need to reverse this migration. So filter/delete user in new domain
AD Sync soft deletes mailbox
Re-create or unfilter user in old hybrid domain
Obtain account GUID and convert to immutableID string (base64)
Undelete mailbox (mailbox becomes cloud mailbox)
Assign ImmutableID to mailbox (from the original account) using the command

[cc lang="powershell"]Set-MsolUser -UserPrincipalName "UPN" -ImmutableId "ImmutableID"[/cc]

1	[cc lang="powershell"]Set-MsolUser -UserPrincipalName "UPN" -ImmutableId "ImmutableID"[/cc]

At this point the following error is received:

<span class="has-inline-color has-vivid-red-color">Set-MsolUser : Uniqueness violation. Property: SourceAnchor.</span>

1	<span class="has-inline-color has-vivid-red-color">Set-MsolUser : Uniqueness violation. Property: SourceAnchor.</span>

<span class="has-inline-color has-vivid-red-color">At line:1 char:1</span>

1	<span class="has-inline-color has-vivid-red-color">At line:1 char:1</span>

<span class="has-inline-color has-vivid-red-color">+Set-MsolUser -UserPrincipalName user@domain.com  -Immutableid</span>

1	<span class="has-inline-color has-vivid-red-color">+Set-MsolUser -UserPrincipalName user@domain.com -Immutableid</span>

The fix is to run…

[cc lang="powershell"]Get-MsolUser -ReturnDeletedUsers | select-object UserPrincipalName,Immutableid,objected[/cc]

1	[cc lang="powershell"]Get-MsolUser -ReturnDeletedUsers \| select-object UserPrincipalName,Immutableid,objected[/cc]

Find the user with the ImmutableID matching the one you are trying to assign

[cc lang="powershell"]Remove-MsolUser -objectID "objectID" -RemoveFromRecycleBin[/cc]

1	[cc lang="powershell"]Remove-MsolUser -objectID "objectID" -RemoveFromRecycleBin[/cc]

Then you should be able to run

[cc lang="powershell"]Set-MsolUser -UserPrincipalName "UPN" -ImmutableId ""[/cc]

1	[cc lang="powershell"]Set-MsolUser -UserPrincipalName "UPN" -ImmutableId ""[/cc]

…if you still have a problem, find the user’s objectID with

[cc lang="powershell"]Get-MsolUser -userprincipalname "UPN" | select-object UserPrincipalName,Objectid[/cc]

1	[cc lang="powershell"]Get-MsolUser -userprincipalname "UPN" \| select-object UserPrincipalName,Objectid[/cc]

And run…

[cc lang="powershell"]Set-MsolUser -objectid "objectID" -ImmutableId ""[/cc]

1	[cc lang="powershell"]Set-MsolUser -objectid "objectID" -ImmutableId ""[/cc]