How To Convert ImmutableId To ObjectGuid And Back

Immutableid to objectid conversion

In a default hybrid integration between on-premises Active Directory and Azure AD, the Azure AD Connect Server links the user objects with the following attributes:

  • On-premises AD user: ObjectGuid
  • Azure AD user: ImmutableId

However, if you compare these two objects, it all looks a bit strange!

This is the output for the user object in on-premises AD:

PS C:\> Get-ADUser tycho.brahe | fl userPrincipalName,objectGuid
 
userPrincipalName : tycho.brahe@easy365manager.com
objectGuid        : f7cc07d7-7c15-447d-876d-c01b0e5a9e38

This is the output for the user object in Azure AD:

PS C:\> Get-MsolUser -UserPrincipalName "tycho.brahe@easy365manager.com" | fl userPrincipalName,ImmutableId
 
UserPrincipalName : tycho.brahe@easy365manager.com
ImmutableId       : 1wfM9xV8fUSHbcAbDlqeOA==

What’s up with this?

The thing is that the value is represented in the on-premises AD as a GUID and in Azure AD as a base64 encoded text string.

So, in order to verify if two objects are properly linked you must convert the guid to base64 or the other way around.

Convert ObjectGuid to ImmutableId

To convert a guid string to a base 64 string in PowerShell use the following command:

 [Convert]::ToBase64String([guid]::New("f7cc07d7-7c15-447d-876d-c01b0e5a9e38").ToByteArray())

This will generate output similar to this:

PS C:\> [Convert]::ToBase64String([guid]::New("f7cc07d7-7c15-447d-876d-c01b0e5a9e38").ToByteArray())
1wfM9xV8fUSHbcAbDlqeOA==

Convert ImmutableId to ObjectGuid

To convert a base64 string to a guid in PowerShell use this simple command:

[Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA=="))

The output will look similar to this:

PS C:\> [Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA=="))
Guid
----
f7cc07d7-7c15-447d-876d-c01b0e5a9e38

Perhaps Microsoft was inspired by the Enigma coding machine of World War II when they designed this? At least now you know how to break the code… 😉

How to Manage Office 365 From AD Users & Computers

Easy365Manager is a small snap-in for Active Directory Users & Computers that allows you to manage Office 365 licenses and mailboxes directly in AD user properties.

As an example, check out how easy it is to enable an Office 365 mailbox by assigning an Office 365 license:

Create an Office 365 mailbox using Easy365Manager

Easy365Manager can be installed and configured on any machine with AD Users & Computers in just a few minutes and is a real time saver.

You can even remove your last on-premises Exchange Server.

For a complete list of features, read this.

Download the fully functional 30-day trial here.