r/okta
How to unsync a user from AD Connect without breaking Okta SAML login?
Hey everyone,
We're migrating users from AD-synced to cloud-only in Entra with Okta as our federated IdP (we just moved to cloud mailboxes which is why we can do this now).
Okta sends the ImmutableId as the SAML NameID to Entra at login. Even if we change this to email/UPN, Entra still can't find the user and throws AADSTS51004.
We learned the hard way that clearing onPremisesImmutableId via Graph API breaks login immediately, and you can't write it back because Graph blocks writes on federated domain users.
What we tried:
- Move the user's AD object to an unsynced OU -> user gets soft-deleted
- Restore the user
- Clear onPremisesImmutableId via Graph API
- OnPremisesSyncEnabled flips to False
- User is now unanchored from AD, but login is completely broken
- Can't write ImmutableId back via Graph (federated domain restriction)
- Can't fix it from Okta side either even though the correct ImmutableId exists in the Okta user profile
We also have an Okta AD Agent in place if that changes anything.
What's the clean way people have done this at scale?
Thanks
u/Salt-Marionberry1674 — 5 days ago
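As an added illustration (not code from the post or from Okta/Microsoft) of the matching step the post is running into: Entra resolves a federated SAML login by looking up the NameID against the user's onPremisesImmutableId, which is the base64 encoding of the on-prem objectGUID bytes in AD's GUID byte order. The script below derives that value from a constructed objectGUID and runs an offline pre-flight check over a constructed Graph user record, flagging the two states the post describes (user still AD-synced; immutableId cleared, so the NameID can no longer match and login fails with AADSTS51004) before anything is changed. The GUID, UPN and record fields are sample values, not taken from any real tenant.

```python
import base64
import uuid


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Return the ImmutableId Entra expects for an AD objectGUID.

    The ImmutableId is base64 of the GUID's raw bytes in AD/.NET mixed-endian
    order, which is what Python exposes as UUID.bytes_le.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def preflight_unsync_check(graph_user: dict, okta_name_id: str) -> list:
    """Offline sanity check before touching a federated user.

    graph_user mimics the JSON that GET /users/{id} returns for the
    onPremisesSyncEnabled / onPremisesImmutableId properties.
    okta_name_id is the SAML NameID Okta would send (the ImmutableId held in
    the Okta user profile). Returns a list of problems; empty means the
    login lookup would still succeed.
    """
    problems = []

    if graph_user.get("onPremisesSyncEnabled"):
        problems.append(
            "user is still AD-synced: move the AD object out of the synced "
            "scope and let the sync cycle complete before changing anything"
        )

    entra_immutable_id = graph_user.get("onPremisesImmutableId")
    if not entra_immutable_id:
        # This is the broken state from the post: with the anchor cleared,
        # the NameID Okta sends matches nothing and Entra returns AADSTS51004.
        # Writing it back is blocked on federated-domain users, so never
        # clear it without a tested path forward.
        problems.append(
            "onPremisesImmutableId is empty: the SAML NameID cannot be "
            "matched, login will fail with AADSTS51004"
        )
    elif entra_immutable_id != okta_name_id:
        problems.append(
            "Okta NameID differs from Entra onPremisesImmutableId: "
            "login will fail with AADSTS51004"
        )

    return problems


# Constructed sample data: an AD objectGUID and the Graph user as it looks
# while still synced, then as it looks after the anchor has been cleared.
SAMPLE_OBJECT_GUID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_IMMUTABLE_ID = immutable_id_from_object_guid(SAMPLE_OBJECT_GUID)

SYNCED_USER = {
    "userPrincipalName": "jdoe@example.com",
    "onPremisesSyncEnabled": True,
    "onPremisesImmutableId": SAMPLE_IMMUTABLE_ID,
}

UNANCHORED_USER = {
    "userPrincipalName": "jdoe@example.com",
    "onPremisesSyncEnabled": None,
    "onPremisesImmutableId": None,
}


if __name__ == "__main__":
    print("ImmutableId for sample objectGUID:", SAMPLE_IMMUTABLE_ID)
    for label, user in (("synced", SYNCED_USER), ("unanchored", UNANCHORED_USER)):
        print(label, "->", preflight_unsync_check(user, SAMPLE_IMMUTABLE_ID) or "ok")
```

The check is deliberately read-only: it tells you whether the NameID Okta holds still resolves to the Entra object, which is the condition that has to stay true through any unsync procedure, and it surfaces the cleared-anchor state as a hard failure rather than something to discover at the next login.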