Office 365 – objectGUID to ImmutableID

The ImmutableID is the default key linking objects between your on-premises Active Directory and Office 365. This key is generated by converting the on-premises objectGUID into a Base64-encoded string. There are various scenarios where you will need to convert an objectGUID to an ImmutableID or vice versa. You can use online resources such as https://guid-convert.appspot.com; however, the site could be offline, or you may want to script the process. PowerShell makes it relatively easy to convert between the two formats, as the examples below show:

$objectGUID  = 'a15df3dc-4416-414b-8b7d-5fbdcb5743c1'
$ImmutableID = '3PNdoRZES0GLfV+9y1dDwQ=='

Write-Host "Convert objectGUID $objectGUID to ImmutableID " -NoNewline
[system.convert]::ToBase64String(([GUID]$objectGUID).ToByteArray())

Write-Host "Convert ImmutableID $ImmutableID to objectGUID " -NoNewline
([GUID][System.Convert]::FromBase64String($ImmutableID)).Guid

To take this a step further we can export a list of all Active Directory users including their UserPrincipalName, objectGUID & the calculated ImmutableID using the following PowerShell command:

Get-ADUser -Filter * -Properties objectGUID | Select-Object UserPrincipalName, objectGUID, @{Name = 'ImmutableID'; Expression = { [system.convert]::ToBase64String(([GUID]$_.objectGUID).ToByteArray()) } }

We can also export a similar list of Office 365 accounts with the ImmutableID converted back to an objectGUID using the following PowerShell commands:

Connect-MsolService
Get-MsolUser -All | Select-Object UserPrincipalName, @{Name = 'objectGUID'; Expression = { [GUID][System.Convert]::FromBase64String($_.ImmutableID) } }, ImmutableID

The output of both commands will be similar to the following example:

UserPrincipalName              objectGUID                             ImmutableID
-----------------              ----------                             -----------
example.user1@domain.com       a15df3dc-4416-414b-8b7d-5fbdcb5743c1   3PNdoRZES0GLfV+9y1dDwQ==
example.user2@domain.com       a15df3dc-4416-414b-8b7d-5fbade8217c5   3PNdoRZES0GLfV+63oIXxQ==

The returned values can either be stored in a variable or exported to a CSV file by using the Export-CSV cmdlet.

You could also convert the commands into functions that can be used within your own scripts. The following is a basic example:

Function Convert-ImmutableID (
    [Parameter(Mandatory = $true)]
    $ImmutableID) { 
    ([GUID][System.Convert]::FromBase64String($ImmutableID)).Guid
}

Function Convert-ObjectGUID (
    [Parameter(Mandatory = $true)]
    $ObjectGUID) { 
    [system.convert]::ToBase64String(([GUID]$ObjectGUID).ToByteArray())
}

Convert-ImmutableID -ImmutableID 'h9RUd8MfBkKelc4BLxWG5Q=='

Convert-ObjectGUID -objectGUID '7754d487-1fc3-4206-9e95-ce012f1586e5'
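
The conversions above assume the ImmutableID was derived from the objectGUID. The following added example (not the original author's code) checks that assumption by validating the decoded length and comparing an on-premises list against a cloud list with a case-sensitive match. The function names are hypothetical and the sample records are constructed from the example values on this page.

```powershell
# Added example, not the original author's code. Function names are hypothetical
# and the sample records are constructed from the example values on this page.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    try   { $bytes = [Convert]::FromBase64String($ImmutableId) }
    catch { throw "ImmutableID '$ImmutableId' is not valid Base64." }
    # An objectGUID-derived ImmutableID always decodes to exactly 16 bytes.
    if ($bytes.Length -ne 16) {
        throw "ImmutableID '$ImmutableId' decodes to $($bytes.Length) bytes, expected 16."
    }
    [Guid]$bytes
}

function Compare-SourceAnchor {
    param([object[]]$OnPremUsers, [object[]]$CloudUsers)
    $byUpn = @{}   # PowerShell hashtable keys are case-insensitive, like UPNs
    foreach ($c in $CloudUsers) { $byUpn[$c.UserPrincipalName] = $c }
    foreach ($u in ($OnPremUsers | Where-Object UserPrincipalName)) {
        $expected = ConvertTo-ImmutableId -ObjectGuid $u.objectGUID
        $cloud    = $byUpn[$u.UserPrincipalName]
        $anchor   = $null
        # Base64 is case-sensitive, so compare with -ceq; plain -eq ignores case.
        if (-not $cloud) { $status = 'MissingInCloud' }
        elseif ([string]::IsNullOrEmpty($cloud.ImmutableID)) { $status = 'NoImmutableID' }
        elseif ($cloud.ImmutableID -ceq $expected) { $status = 'Match' }
        else {
            $status = 'Mismatch'
            try { $anchor = ConvertFrom-ImmutableId -ImmutableId $cloud.ImmutableID } catch { $status = 'NotGuidBased' }
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName; Status = $status
            ExpectedId = $expected; CloudAnchorGuid = $anchor
        }
    }
}

$onPrem = @(
    [pscustomobject]@{ UserPrincipalName = 'example.user1@domain.com'; objectGUID = [Guid]'a15df3dc-4416-414b-8b7d-5fbdcb5743c1' }
    [pscustomobject]@{ UserPrincipalName = 'example.user2@domain.com'; objectGUID = [Guid]'a15df3dc-4416-414b-8b7d-5fbade8217c5' }
)
$cloudList = @(
    [pscustomobject]@{ UserPrincipalName = 'example.user1@domain.com'; ImmutableID = '3PNdoRZES0GLfV+9y1dDwQ==' }
    [pscustomobject]@{ UserPrincipalName = 'example.user2@domain.com'; ImmutableID = 'h9RUd8MfBkKelc4BLxWG5Q==' }
)
Compare-SourceAnchor -OnPremUsers $onPrem -CloudUsers $cloudList | Format-Table -AutoSize
```

In a real run, the two lists would come from the Get-ADUser and Get-MsolUser commands shown earlier instead of the constructed records.
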

3 comments

  • Your code doesn’t seem to work for me and I’m not sure what the issue is.
    I was trying out your Write-Host portion for converting an objectGUID to ImmutableID.
    objectGUID: 60f7e936-f65f-4f51-af3c-f2594f67ec67
    expected result: Nun3YF/2UU+vPPJZT2fsZw==
    code result: “Convert objectGUID 60f7e936-f65f-4f51-af3c-f2594f67ec67 to ImmutableID [system.convert]::ToBase64String 54 233 247 96 95 246 81 79 175 60 242 89 79 103 236 103”

    Seems like it’s not treating the [system.convert]::ToBase64String() portion like a command. What did I miss?
