Migrate from ObjectGUID to ms-DS-ConsistencyGuid in Workspace ONE

Depending on their situation, customers might need to change their source anchor in Azure AD from ObjectGUID to ms-DS-ConsistencyGuid, which impacts the immutable attribute.

In Workspace ONE, you need to specify the Immutable attribute so UEM can retrieve the right user when doing Azure AD join.

So it might be necessary to change it.

ms-DS-ConsistencyGuid

ms-DS-ConsistencyGuid is a writable attribute with the same format as ObjectGUID (i.e. Binary type). It is used as a common reference point for the sync to the cloud, because ObjectGUID is not writable and might change in case of an Active Directory migration.

Azure AD Connect

Customers migrating from ObjectGUID to ms-DS-ConsistencyGuid need to fill ms-DS-ConsistencyGuid with the right ObjectGUID previously used as part of the Azure AD Connect sync. Once that's done, make sure that the Azure AD Connect synchronization works correctly.
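The fill step above can be audited before anything is written. The following is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module and a placeholder search base, reports each user's state, and fills only empty values while leaving differing values for manual review.

```powershell
# Added example, not from the original post.
# Assumptions: RSAT ActiveDirectory module; $SearchBase is a placeholder OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder, replace with your OU
$Apply      = $false                         # $false = report only, no writes

function Get-AnchorState {
    param([Parameter(Mandatory)] $User)

    # objectGUID as the 16 raw bytes AD stores; this is the value to copy.
    $guidBytes = $User.ObjectGUID.ToByteArray()
    # Base64 of the same bytes, the form in which Azure AD shows the ImmutableId.
    $anchor    = [Convert]::ToBase64String($guidBytes)
    $current   = $User.'mS-DS-ConsistencyGuid'

    $state = 'Differs'
    if ($null -eq $current -or $current.Count -eq 0) {
        $state = 'Empty'
    } elseif ([Convert]::ToBase64String([byte[]]$current) -eq $anchor) {
        $state = 'Match'
    }

    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        State          = $state
        AnchorBase64   = $anchor
        GuidBytes      = $guidBytes
        DN             = $User.DistinguishedName
    }
}

$report = Get-ADUser -Filter * -SearchBase $SearchBase -Properties 'mS-DS-ConsistencyGuid' |
    ForEach-Object { Get-AnchorState -User $_ }

# Fill only empty values. A value that differs is left alone and
# reported for manual review. With $Apply = $false this runs as -WhatIf.
foreach ($row in $report | Where-Object State -eq 'Empty') {
    Set-ADUser -Identity $row.DN -Replace @{ 'mS-DS-ConsistencyGuid' = $row.GuidBytes } -WhatIf:(-not $Apply)
}

$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -eq 'Differs' | Select-Object SamAccountName, DN, AnchorBase64
```

Run it once with `$Apply = $false` and review the summary, then set `$Apply = $true` to write the empty values.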

Workspace ONE UEM change

To change the “Immutable ID Mapping Attribute”, go to System > Enterprise Integration > Directory Services, scroll down to the Azure Active Directory section and change from objectGUID to ms-DS-ConsistencyGuid and click Save at the bottom of the page.

Changing “Immutable ID Mapping Attribute” for the Azure AD connection from ObjectGUID to ms-DS-ConsistencyGuid has no impact

It requires a sync on the ACC to make sure that the attributes are updated properly: go to the User tab in Directory Services, click Advanced, then click Sync Attributes.

You can also see the attribute when editing a user in the console in the General tab.

Written by

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.
