Migrate from ObjectGUID to ms-DS-ConsistencyGuid in Workspace ONE
Depending on the customer situation, they might need to change from ObjectGUID to ms-DS-ConsistencyGuid as their source anchor in Azure AD which impact the immutable attribute.
In Workspace ONE, you need to specify the Immutable attribute so UEM can retrieve the right user when doing Azure AD join.
So it might be necessary to change it.
ms-DS-ConsistencyGuid
ms-DS-ConsistencyGuid is a writable attribute with the same format as ObjectGUID (i.e: Binary type), it is used to have common point for the sync to the cloud as ObjectGUID is not writable and might change in case of Active Directory migration
Azure AD Connect
Customers migrating from ObjectGUID to ms-DS-ConsistencyGuid need to fill ms-DS-ConsistencyGuid with the right ObjectGuid previously used as part of the Azure AD connect sync. Once that’s done make sure that the Azure Ad connect synchrnoization works correctly.
Workspace ONE UEM change
To change the “Immutable ID Mapping Attribute”, go to System > Enterprise Integration > Directory Services, scroll down to the Azure Active Directory section and change from objectGUID to ms-DS-ConsistencyGuid and click Save at the bottom of the page.
Changing “Immutable ID Mapping Attribute” for Azure AD connection from ObjectGUID to ms-DS-ConsistencyGuid as no impact
It requires a sync on the ACC to make sure that the attribute are updated properly., go to the User tab in Directory Services, click on Advanced then click on Sync Attributes
You can also see the attribute when editing a user in the console in the General tab.
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.