If you have already performed an [[Entra Sync]] and now have two users, delete the newly created duplicate using the following pair of [[PowerShell]] commands:

```PowerShell
# Soft-delete the duplicate user
Remove-MsolUser -UserPrincipalName '[email protected]'
```

```PowerShell
# Purge the soft-deleted user from the recycle bin
Remove-MsolUser -UserPrincipalName '[email protected]' -RemoveFromRecycleBin
```

Set the username field on the archive mailbox to a non-federated domain, i.e. `[email protected]`

You must now clear the ImmutableID using the following [[PowerShell]] commands:

```PowerShell
# Request every scope the PATCH needs before connecting
$RequiredScopes = ("User.ReadWrite.All","Domain.ReadWrite.All", "Directory.AccessAsUser.All")
Connect-MgGraph -Scopes $RequiredScopes

# Look up the user's current OnPremisesImmutableId and object Id
Get-MgUser -UserId [email protected] -Property OnPremisesImmutableId,UserPrincipalName,Id | Format-List UserPrincipalName,OnPremisesImmutableId,Id

# Replace [Id] with the Id value returned by Get-MgUser above
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/[Id]" -Body @{OnPremisesImmutableId = $null}
```

Finally, verify the command worked by fetching the OnPremisesImmutableId again using the command:

```PowerShell
Get-MgUser -UserId [email protected] -Property OnPremisesImmutableId,UserPrincipalName,Id | Format-List UserPrincipalName,OnPremisesImmutableId,Id
```

If everything else was done right, you'll now have an Azure account with a blank OnPremisesImmutableID! This has bugged me for years, and it took me stumbling upon a script on rm.com that specifies ALL the permission scopes you need to request for this to work.

From [/u/buck-futter](https://www.reddit.com/r/PowerShell/comments/wmlbc7/set_immutable_id_to_null_in_microsoft_graph_module/ktle4pl/) on reddit.

# Other Resources

- https://entralab.io/fix-deletingcloudonlyobjectnotallowed-sync-error/
- https://old.reddit.com/r/PowerShell/comments/1e9gn7m/change_immutableid_to_null/m3hzi0x/
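
The clear-and-verify steps above can be wrapped in one function that refuses to run while the UPN is still on a federated domain and fails loudly if the value is not blank afterwards. This is an added example, not code from the original note or the Reddit comment; the function name `Clear-ImmutableIdSafely` and the sample UPN are hypothetical, and checking the domain's `AuthenticationType` via `Get-MgDomain` is an assumed way of confirming the "non-federated" step.

```powershell
# Added example (not from the original note). Needs the Microsoft.Graph modules
# that provide Connect-MgGraph, Get-MgUser, Get-MgDomain and Invoke-MgGraphRequest.
function Clear-ImmutableIdSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $UserPrincipalName
    )

    $props = 'OnPremisesImmutableId', 'UserPrincipalName', 'Id'
    $user  = Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop

    # Nothing to do if the anchor is already blank.
    if ([string]::IsNullOrEmpty($user.OnPremisesImmutableId)) {
        Write-Verbose "$UserPrincipalName already has a blank OnPremisesImmutableId."
        return $user
    }

    # Assumption: "non-federated" means the UPN suffix is a Managed domain.
    $domainName = ($user.UserPrincipalName -split '@')[-1]
    $domain     = Get-MgDomain -DomainId $domainName -ErrorAction Stop
    if ($domain.AuthenticationType -ne 'Managed') {
        throw "Domain '$domainName' is $($domain.AuthenticationType); move the UPN to a non-federated domain first."
    }

    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Clear OnPremisesImmutableId')) {
        # Same PATCH as in the note, with the object Id filled in from the lookup.
        $uri = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ OnPremisesImmutableId = $null }

        # Re-read by object Id and fail if the value is still set.
        $user = Get-MgUser -UserId $user.Id -Property $props -ErrorAction Stop
        if (-not [string]::IsNullOrEmpty($user.OnPremisesImmutableId)) {
            throw "OnPremisesImmutableId is still set on $($user.UserPrincipalName)."
        }
    }
    $user
}

# Scopes as listed in the note; the UPN below is a constructed placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'
Clear-ImmutableIdSafely -UserPrincipalName 'archive.user@example.onmicrosoft.com' -WhatIf |
    Format-List UserPrincipalName, OnPremisesImmutableId, Id
```

Run it with `-WhatIf` first to see which account would be changed, then drop the switch to apply the change.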