Use PowerShell to correct ADSync / Azure AD Connect syncing issues from on-prem Active Directory to Azure Active Directory - OnTheKnows/A GitHub Wiki

If you get the error "AttributeValueMustBeUnique" ("Attribute Value Must Be Unique") in the Synchronization Service Manager on the domain controller or other server that runs Azure AD Connect (the service that syncs on-prem identities and password hashes to Azure Active Directory), for example because the server has not connected in a long time, the on-prem user and the cloud user no longer agree on the ImmutableID (Immutable ID), which is the Base64 encoding of the on-prem objectGUID. Use these three commands to derive the correct ImmutableID from the on-prem objectGUID and write it to the cloud user.

Command: `Get-ADUser beth | fl UserPrincipalName,ObjectGUID`

Result: `userprincipalname : [email protected]` / `objectguid : 60a***-c4d9--9497-*****`

Command: `[Convert]::ToBase64String([guid]::New("{insert objectguid from above without the brackets}").ToByteArray())` (replace the whole placeholder, curly braces included, with the objectguid string from the previous result; the quotes stay)

Result: `**********************{ImmutableID}`

Command: `Set-AzADUser -ObjectId [email protected] -OnPremisesImmutableId **********************{ImmutableID}` (`Set-AzADUser` is from the Az.Resources module; its `-UPNOrObjectId` parameter accepts either the user principal name or the cloud object ID, and the value passed to `-OnPremisesImmutableId` is the Base64 string from the previous step)
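The three steps above, carried through as one script: this is an added example for this page, not the wiki author's code or Microsoft's. It converts an objectGUID to an ImmutableID and back (so a value taken from the cloud can be checked against AD before anything is written), and wraps the repair of one account in a function that does a dry run by default. It assumes the ActiveDirectory module (`Get-ADUser`) and the Az.Resources module (`Get-AzADUser`, `Set-AzADUser`) are installed, that `Connect-AzAccount` has already been run, that the user object returned by `Get-AzADUser` exposes `Id` and `OnPremisesImmutableId`, and that `Get-AzADUser -Filter` accepts an OData filter on `onPremisesImmutableId`. The GUID and the `Repair-ImmutableId` function name are constructed for the example.

```powershell
# Added example for this wiki page (not the page author's code or Microsoft's).
# Derive the ImmutableID (OnPremisesImmutableId) from an on-prem objectGUID, convert it
# back, and only then write it to the cloud user. Assumes: ActiveDirectory module
# (Get-ADUser), Az.Resources module (Get-AzADUser / Set-AzADUser), Connect-AzAccount
# already run. The GUID below is constructed sample data, not a real account.

function ConvertTo-ImmutableId {
    # objectGUID string -> Base64 ImmutableID (the same 16 bytes ADSync uses as the anchor)
    param([Parameter(Mandatory)][string]$ObjectGuid)
    $guid = [guid]::Parse($ObjectGuid)               # throws on anything that is not a GUID
    return [Convert]::ToBase64String($guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Base64 ImmutableID -> objectGUID; rejects values that were not built from a GUID
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID '$ImmutableId' decodes to $($bytes.Length) bytes, not a GUID"
    }
    return [guid]::new($bytes)
}

# --- offline self-check on constructed data ---
$sampleGuid  = [guid]'9a0b7e2c-3d4f-4a5b-8c6d-1e2f3a4b5c6d'   # constructed, not a real account
$immutableId = ConvertTo-ImmutableId $sampleGuid.ToString()
if ((ConvertFrom-ImmutableId $immutableId) -ne $sampleGuid) { throw 'Round-trip mismatch' }
Write-Host "objectGUID $sampleGuid -> ImmutableID $immutableId"

# --- repair of one account (dry run unless -Apply is given) ---
function Repair-ImmutableId {
    # Hypothetical helper name chosen for this example
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Apply
    )
    $adUser   = Get-ADUser $SamAccountName
    $expected = ConvertTo-ImmutableId $adUser.ObjectGUID.ToString()
    $cloud    = Get-AzADUser -UserPrincipalName $adUser.UserPrincipalName
    if (-not $cloud) { throw "No cloud user found for $($adUser.UserPrincipalName)" }

    if ($cloud.OnPremisesImmutableId -eq $expected) {
        Write-Host "$($adUser.UserPrincipalName): ImmutableID already correct"
        return
    }

    # AttributeValueMustBeUnique means another cloud object already carries the value we
    # are about to set, so look for such an object before writing. Assumed: Get-AzADUser
    # -Filter supports an OData filter on onPremisesImmutableId (Base64 has no quotes, so
    # the value is safe to embed in the filter string).
    $holder = Get-AzADUser -Filter "onPremisesImmutableId eq '$expected'"
    if ($holder -and $holder.Id -ne $cloud.Id) {
        throw "ImmutableID $expected is already on $($holder.UserPrincipalName); resolve that object first"
    }

    Write-Host "$($adUser.UserPrincipalName): current='$($cloud.OnPremisesImmutableId)' expected='$expected'"
    if ($Apply) {
        Set-AzADUser -ObjectId $cloud.Id -OnPremisesImmutableId $expected
    }
}

# Repair-ImmutableId beth           # dry run: shows current vs expected
# Repair-ImmutableId beth -Apply    # writes the ImmutableID to the cloud user
```

The dry run matters because a wrong ImmutableID silently re-links the cloud account to the wrong on-prem object on the next sync; comparing the decoded value back to the objectGUID in AD before writing catches a pasted GUID that was mistyped or copied from the wrong user.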

Information obtained from:

- https://www.easy365manager.com/how-to-convert-immutableid-to-objectguid-and-back/
- https://www.reddit.com/r/PowerShell/comments/jiksqq/unable_to_change_immutable_id_with_msol_service/

Run this from PowerShell 7. `Connect-AzAccount` and `Set-AzADUser` come from the Az modules (Az.Accounts and Az.Resources), not from the AzureAD module, so install and import those: `Install-Module Az.Resources`, `Import-Module Az.Resources`, then `Connect-AzAccount`. (The AzureAD module only loads in PowerShell 7 through Windows PowerShell compatibility and is not needed for the commands above.)

I ended up with a permission issue with msDS-KeyCredentialLink on a specific account. I ended up enabling inheritance in the permissions, and this resolved the issue.

- https://learn.microsoft.com/en-us/answers/questions/961420/msds-keycredentiallink-exported-back-to-ad

This was after trying this:

- https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/user-prov-sync/troubleshoot-permission-issue-sync-service-manager
