Assigning Users an ImmutableID

Users who were not synced from Active Directory to Microsoft Entra ID will not have the ImmutableID attribute set.

The ImmutableID is required for federation and is used during Single Sign-On (SSO) in conjunction with the User Principal Name (UPN). You can manually create the ImmutableID from the user's ObjectID attribute. Before starting you will need the AzureAD PowerShell module installed to perform the following steps.

Steps

  1. Open up the AzureAD PowerShell module, run the Connect-MsolService cmdlet and sign in

  2. Display the user's existing ObjectID attribute by running the following command, replacing <username> with the user's email address being used as their username:
    Get-MsolUser -UserPrincipalName <username> | fl *objectID

    For our example, we get "7b5728f4-5a04-4734-a367-6b6be0c7abd3". Save the results as you will need this ID to put into the user's Forcepoint ONE SSE Object GUID attribute field later on.

  3. To convert the ObjectID to an ImmutableID you will need to convert the ObjectID to a Base64 GUID.
    1. First define a variable to equal the ObjectID you found in step 2 above. For example:
      • $old = "7b5728f4-5a04-4734-a367-6b6be0c7abd3"
    2. Next run the following command to convert to Base64. Replace $old with the name of your variable that you created.
      • [system.convert]::ToBase64String(([GUID]($old)).tobytearray())
    3. You will see an output similar to below:
      • 9ChXewRaNEejZ2tr4Mer0w==
  4. Update the user record in Office365. The following cmdlet uses the UPN of the Office365 user and sets the ImmutableID field.
    • Set-MsolUser -UserPrincipalName guid@bgs-support.info -ImmutableId 9ChXewRaNEejZ2tr4Mer0w==
  5. Verify that the user's ImmutableID has been set (piping the command to fl shows all attributes of the user)
    • Get-MsolUser -UserPrincipalName bgsdemo@bgs-support.net | fl
  6. Open the Forcepoint ONE SSE Admin Portal, go to Users and Groups, set the user's Object-GUID field to the ObjectID found in step 2 above and save:


  7. Once you are done you can now move the user back to the federated domain.
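The following script is an added example that strings steps 1 to 5 together in one run; it is not part of the original article or of Forcepoint's own tooling. It assumes the Msol* cmdlets are available, takes the UPN as a parameter instead of the sample addresses used above, and adds two checks a practitioner would want before writing to a user record: the computed Base64 value must decode back to the same ObjectID, and an ImmutableID that is already set to a different value is never overwritten silently.

```powershell
# Added example (not from the original article or Forcepoint).
# Assumes the MSOnline module providing the Msol* cmdlets is installed.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # e.g. user@example.com (placeholder)
)

# Step 1: sign in to the tenant.
Connect-MsolService

# Step 2: read the user's ObjectID.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName
if (-not $user) { throw "User '$UserPrincipalName' not found" }
$objectId = [Guid]$user.ObjectId

# Step 3: the ImmutableID is the Base64 encoding of the GUID's 16 raw bytes,
# in the byte order .NET's Guid.ToByteArray() produces.
$immutableId = [System.Convert]::ToBase64String($objectId.ToByteArray())

# Check: decode the value back and confirm it round-trips to the same ObjectID
# before touching the directory.
$decoded = [System.Convert]::FromBase64String($immutableId)
$roundTrip = [Guid]::new([byte[]]$decoded)
if ($roundTrip -ne $objectId) {
    throw "Base64 value does not round-trip to ObjectID $objectId; refusing to update"
}

# Check: an ImmutableID that already holds a different value may belong to an
# existing federation mapping, so stop and let an admin review it.
if ($user.ImmutableId -and $user.ImmutableId -ne $immutableId) {
    throw "User already has ImmutableId '$($user.ImmutableId)'; review before changing it"
}

# Step 4: write the ImmutableID to the user record.
Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $immutableId

# Step 5: read the user back and report whether the stored value matches.
$after = Get-MsolUser -UserPrincipalName $UserPrincipalName
[PSCustomObject]@{
    UserPrincipalName = $after.UserPrincipalName
    ObjectId          = $after.ObjectId        # value to enter in Forcepoint ONE SSE (step 6)
    ImmutableId       = $after.ImmutableId
    Matches           = ($after.ImmutableId -eq $immutableId)
}
```

Run it as `.\Set-ImmutableId.ps1 -UserPrincipalName user@example.com` (file name and UPN are placeholders). The ObjectId in the output is the value to paste into the Object-GUID field in step 6; the Matches column should read True before you move the user back to the federated domain.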