Office365 - change ADSync domain

Jakob Digranes
I've got this working before - but not quite like this. Done this:
* migrated from old.domain to new.domain on-premise
* disabled dirsync in office365.tenant
* stopped dirsync on old.domain
* installed dirsync in new.domain

But - in Office365 users have this UserPrincipalName:
username@old.domain and ImmutableID: 1234abcd

in new.domain ObjectGUID is not migrated and username is username@new.domain

How can we match users in new.domain on-prem with Office365? any experiences?
* we've looked into changing source anchor. Pros and cons?
* any way to match without changing immutableID?
* if we change immutable ID - what consequences? only service in office365 is sharepoint

IT Training Specialist
The ImmutableID is only used for referencing the on-prem account.  You will have to remove it if you want to link the Office 365 user to a new AD account.

You can remove the Immutable ID and then perform a sync, but the on-prem accounts and Office 365 accounts must have either the same primary mail address, or the same UPN/Login.  So you will need to have the new domain added to the tenant, add new smtp address for all the users in Office, set the new ones to the Primary SMTP, and make sure the on-prem account also has the new domain listed as the primary smtp in the ProxyAddresses attributes.  Here is a YouTube video on the subject:
Most Valuable Expert 2015
Distinguished Expert 2018
You can match the Immutable IDs, the so-called "hard match":

In order to use soft-match, you have to clear the ImmutableID, so either way you are changing it.
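
The hard match mentioned in the answer above, as an added example that is not part of the original thread: it derives each ImmutableID from the on-prem ObjectGUID and reports the planned change before anything is written. It assumes the source anchor is objectGUID, the ActiveDirectory and MSOnline modules are loaded, `Connect-MsolService` has been run, and directory sync is still disabled on the tenant as in the question; `ConvertTo-ImmutableId`, `$Apply` and the variable names are hypothetical, and the domain names are the question's placeholders.

```powershell
# Added example: dry-run plan for a hard match after an AD domain migration.
$OldSuffix = 'old.domain'   # UPN suffix still present on the Office 365 users
$NewSuffix = 'new.domain'   # UPN suffix of the migrated on-prem accounts
$Apply     = $false         # $false = report only; $true = write ImmutableId

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # With objectGUID as source anchor, ImmutableID is the base64 encoding
    # of the GUID's 16-byte array.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

$pattern = [regex]::Escape("@$NewSuffix") + '$'

$plan = foreach ($adUser in Get-ADUser -Filter "UserPrincipalName -like '*@$NewSuffix'") {
    # Map username@new.domain back to the UPN the cloud account still carries.
    $cloudUpn = $adUser.UserPrincipalName -replace $pattern, "@$OldSuffix"
    $cloud    = Get-MsolUser -UserPrincipalName $cloudUpn -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OnPremUpn      = $adUser.UserPrincipalName
        CloudUpn       = $cloudUpn
        CloudFound     = [bool]$cloud
        OldImmutableId = $cloud.ImmutableId
        NewImmutableId = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    }
}

# Review the mapping first: rows with CloudFound = False have no cloud
# account under the old UPN and are skipped below.
$plan | Format-Table -AutoSize

if ($Apply) {
    $plan |
        Where-Object { $_.CloudFound -and $_.OldImmutableId -ne $_.NewImmutableId } |
        ForEach-Object {
            Set-MsolUser -UserPrincipalName $_.CloudUpn -ImmutableId $_.NewImmutableId
        }
}
```

Run it with `$Apply = $false` on a handful of test users and compare the table against the tenant before setting it to `$true`.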


Hi Adam... yeah, we thought of that as one solution, but as I asked: what are the consequences in Office365 when changing the immutable ID? Read somewhere that file permissions in OneDrive are locked towards ImmutableID.
Adam Drayer, IT Training Specialist


I have never heard of that. I can see it being the ObjectID in Azure. But that's a different attribute. That attribute is the unique ID for the Azure user, similar to the ObjectGUID on-prem. The ImmutableID is just for linking identities. As far as I am aware the only consequence of changing or removing the ImmutableID would be that the Office 365 user is no longer linked to the on-premise account. But if there is concern, you should test it on a few users first.
