In a default hybrid integration between on-premises Active Directory and Azure AD, the Azure AD Connect Server links the user objects with the following attributes:
- On-premises AD user: ObjectGuid
- Azure AD user: ImmutableId
However, if you compare these two objects, it all looks a bit strange!
This is the output for the user object in on-premises AD:
PS C:\> Get-ADUser tycho.brahe | fl userPrincipalName,objectGuid

userPrincipalName : tycho.brahe@easy365manager.com
objectGuid        : f7cc07d7-7c15-447d-876d-c01b0e5a9e38
This is the output for the user object in Azure AD:
PS C:\> Get-MsolUser -UserPrincipalName "tycho.brahe@easy365manager.com" | fl userPrincipalName,ImmutableId

UserPrincipalName : tycho.brahe@easy365manager.com
ImmutableId       : 1wfM9xV8fUSHbcAbDlqeOA==
What’s up with this?
The thing is that both attributes hold the same value, but it is represented in on-premises AD as a GUID and in Azure AD as a base64-encoded text string.
So, to verify that two objects are properly linked, you must convert the GUID to base64 (or the other way around) before comparing them.
Convert ObjectGuid to ImmutableId
To convert a GUID string to a base64 string in PowerShell, use the following command:
[Convert]::ToBase64String([guid]::New("f7cc07d7-7c15-447d-876d-c01b0e5a9e38").ToByteArray())
This will generate output similar to this:
PS C:\> [Convert]::ToBase64String([guid]::New("f7cc07d7-7c15-447d-876d-c01b0e5a9e38").ToByteArray())
1wfM9xV8fUSHbcAbDlqeOA==
Convert ImmutableId to ObjectGuid
To convert a base64 string to a GUID in PowerShell, use this simple command:
[Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA=="))
The output will look similar to this:
PS C:\> [Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA=="))

Guid
----
f7cc07d7-7c15-447d-876d-c01b0e5a9e38
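The same two conversions, plus a link check that compares an ObjectGuid against an ImmutableId, as an added Python example (not code from the original post or from Easy365Manager). It reproduces the byte order of .NET's Guid.ToByteArray(), which is what the PowerShell one-liners above rely on; the sample values are the ones quoted in the post.

```python
import base64
import uuid

# Sample pair taken from the post above (constructed test data, not live directory output).
ONPREM_OBJECTGUID = "f7cc07d7-7c15-447d-876d-c01b0e5a9e38"
AZUREAD_IMMUTABLEID = "1wfM9xV8fUSHbcAbDlqeOA=="


def objectguid_to_immutableid(guid_str: str) -> str:
    """Equivalent of [Convert]::ToBase64String([guid]::New(x).ToByteArray()).

    .NET's Guid.ToByteArray() writes the first three GUID fields little-endian,
    which is exactly what uuid.UUID(...).bytes_le returns. Encoding .bytes
    (big-endian, RFC 4122 order) instead yields a different string that will
    never match the ImmutableId Azure AD Connect wrote.
    """
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def immutableid_to_objectguid(immutable_id: str) -> str:
    """Equivalent of [Guid]([Convert]::FromBase64String(x)).

    Raises ValueError when the value is not valid base64 or does not decode to
    the 16 bytes of a GUID (for example, a tenant whose source anchor is not
    ObjectGuid).
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId decodes to {len(raw)} bytes, not a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def is_linked(objectguid: str, immutable_id: str) -> bool:
    """True only if the on-premises ObjectGuid and the Azure AD ImmutableId
    denote the same GUID; any malformed or non-GUID anchor counts as not linked."""
    try:
        return uuid.UUID(objectguid) == uuid.UUID(immutableid_to_objectguid(immutable_id))
    except ValueError:  # binascii.Error (bad base64) is a subclass of ValueError
        return False


if __name__ == "__main__":
    print(objectguid_to_immutableid(ONPREM_OBJECTGUID))   # 1wfM9xV8fUSHbcAbDlqeOA==
    print(immutableid_to_objectguid(AZUREAD_IMMUTABLEID))  # f7cc07d7-7c15-447d-876d-c01b0e5a9e38
    print(is_linked(ONPREM_OBJECTGUID, AZUREAD_IMMUTABLEID))  # True
```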
Perhaps Microsoft was inspired by the Enigma coding machine of World War II when they designed this? At least now you know how to break the code…
How to Manage Office 365 From AD Users & Computers
Easy365Manager is a small snap-in for Active Directory Users & Computers that allows you to manage Office 365 licenses and mailboxes directly in AD user properties.
As an example, check out how easy it is to enable an Office 365 mailbox by assigning an Office 365 license:

Easy365Manager can be installed and configured on any machine with AD Users & Computers in just a few minutes and is a real time saver.
You can even remove your last on-premises Exchange Server.
For a complete list of features, read this.
Download the fully functional 30-day trial here.