When you federate a Microsoft Entra ID domain, you will no longer be able to create users in that domain manually, because accounts in a federated domain require an immutable ID, and no immutable ID is set when an account is created manually in Entra ID.
Some third-party Entra ID provisioning services automatically assign an immutable ID to the users they create.
If, however, you do not have access to a user-creation service that can create users in a different domain within your tenant, use the script below and then migrate the users to the domain that has been federated with MyLogin as the "brand name" IdP.
You will first need to connect to Microsoft Graph and request the required permissions with the following commands. If the Microsoft.Graph module is already installed in your PowerShell session, you only need the second line:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"
# OnPremisesImmutableId is not returned by Get-MgUser unless requested with -Property.
# Only users that do not yet have an immutable ID are updated, so accounts that already
# carry one (for example, accounts synced from on-premises AD) are left untouched.
Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId | Where-Object { $_.UserPrincipalName -like "*@YOURDOMAIN.com" -and -not $_.OnPremisesImmutableId } | ForEach-Object { Update-MgUser -UserId $_.Id -OnPremisesImmutableId (New-Guid).Guid }
Once the users' immutable IDs have been set and the users have been migrated to the federated domain, you will need to update their UPNs so that the domain part matches the federated domain. MyLogin only shows users whose UPN contains the domain you selected for it to read users from, so users with any other UPN domain will not be visible to the platform. The script below does this.
# Update-MgUser takes the new value through -UserPrincipalName. The -replace operator is
# case-insensitive and the trailing $ anchors the match to the domain part of the UPN.
Get-MgUser -All -Property Id,UserPrincipalName | Where-Object { $_.UserPrincipalName -like "*@YOUROLDDOMAIN.com" } | ForEach-Object { Update-MgUser -UserId $_.Id -UserPrincipalName ($_.UserPrincipalName -replace '@YOUROLDDOMAIN\.com$', '@YOURNEWDOMAIN.com') }
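The following audit script is an added example, not part of the original article: it shows what the two steps above will touch before anything is written, and flags users that would be left unable to sign in through the federated IdP. It assumes the Microsoft.Graph module is installed, Connect-MgGraph has already been run with the scopes shown above, and the two domain variables are placeholders you replace.

```powershell
# Placeholder domains (assumed); replace with your tenant's old and federated domains.
$OldDomain = 'YOUROLDDOMAIN.com'
$NewDomain = 'YOURNEWDOMAIN.com'

# Request the properties explicitly; OnPremisesImmutableId and OnPremisesSyncEnabled
# are not included in Get-MgUser's default selection.
$users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled

# Step 1 candidates: users on the old domain with no immutable ID yet.
$missingId = $users | Where-Object {
    $_.UserPrincipalName -like "*@$OldDomain" -and -not $_.OnPremisesImmutableId
}

# Accounts synced from on-premises AD already carry an immutable ID that matches the
# source directory. Overwriting it would break that match, so they are excluded.
$synced = $users | Where-Object { $_.OnPremisesSyncEnabled -eq $true }

# Users already moved to the federated domain but still without an immutable ID:
# these cannot be matched by the IdP and should be corrected before go-live.
$brokenOnNewDomain = $users | Where-Object {
    $_.UserPrincipalName -like "*@$NewDomain" -and -not $_.OnPremisesImmutableId
}

"{0} user(s) on $OldDomain without an immutable ID" -f @($missingId).Count
"{0} synced user(s) that will not be modified" -f @($synced).Count
"{0} user(s) already on $NewDomain but missing an immutable ID" -f @($brokenOnNewDomain).Count

# Dry run of step 1: -WhatIf reports each intended change without writing it.
foreach ($u in $missingId) {
    if ($u.OnPremisesSyncEnabled) { continue }
    Update-MgUser -UserId $u.Id -OnPremisesImmutableId (New-Guid).Guid -WhatIf
}

# Dry run of step 2: show the UPN each old-domain user would receive.
foreach ($u in ($users | Where-Object { $_.UserPrincipalName -like "*@$OldDomain" })) {
    $newUpn = $u.UserPrincipalName -replace ('@' + [regex]::Escape($OldDomain) + '$'), "@$NewDomain"
    Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn -WhatIf
}
```

Remove the -WhatIf switches once the reported counts and target UPNs look right.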