Provides a Microsoft® PowerShell® script which will unfederate the Microsoft 365™ domain and clear the OnPremisesImmutableId property of all the users in the domain to facilitate direct sign in to Microsoft 365.

You are using this article in conjunction with the article TEC3229605, see Other Useful Articles section below.

The computer must have:

• Microsoft Graph PowerShell SDK

In Microsoft Edge:

1. Right-click the disk icon and select 'Open link'.
2. In the dialog box that appears, select 'Save as'. When the Save As window is displayed and prompts for a location to save the download to, browse to the folder where you want to save it and click Save.
3. When the download has finished, click Close.
4. Extract the file to a location of your choice.

In Google Chrome:

1. Right-click the disk icon and select 'Save link as'.
2. When the Save As window is displayed and prompts for a location to save the download to, browse to the folder where you want to save it and click Save.
3. When the download has finished, click Close.
4. Extract the file to a location of your choice.

1. Please check that you have working credentials for a Microsoft 365 global administrator account, with a username on your initial 'onmicrosoft.com' domain, e.g. JSmith@SchoolA.onmicrosoft.com. 
   Important: You may inadvertently lock yourself out of your tenancy if you unfederate using a global administrator on your federated domain.
2. Open a new PowerShell window and change the folder location to where you extracted the script file.
3. Run the script file.
4. When prompted, enter the Microsoft 365 domain name you wish to unfederate.
5. When prompted, enter your Microsoft 365 global administrator credentials. If the details entered are correct, the script will unfederate your Microsoft 365 domain, and clear the Immutable IDs of all users in the domain.  For 1000 users, this will take approximately 20 minutes.
6. Wait until the script runs to completion.
7. Once completed, you will see the message:
   *******************************************************************************************************************
   Unfederation completed successfully.  No users on <domain> have an OnPremisesImmutableId.
   
   Please wait a further 60 minutes to allow Microsoft to fully process the domain conversion.
   Users will then be able to sign in to Microsoft 365 and Office after you have assigned a password to their Microsoft 365 user account.
   
   Please refer to Microsoft online support for further help on resetting user passwords and how users can sign in.
   *******************************************************************************************************************
   
8. If your domain is already unfederated, you will get the message: "Domain <domain> is not federated. Do you still want to proceed with clearing user OnPremisesImmutableId? Please enter y/n."

The script may fail to remove the OnPremisesImmutableId of a user, reporting that the affected account is a local account and not a cloud account.

This can occur when the domain is not fully federated to RM Unify at the time you ran the script and the affected M365 account was originally created in M365 by synchronisation with AD, e.g. previous use of Azure AD Connect. Microsoft may prevent removal of the OnPremisesImmutableId on M365 accounts it believes are still linked to your AD.

To successfully remove the OnPremisesImmutableId, you must convert the affected M365 account to a cloud account and re-run the script. There are multiple ways to do this depending on your own setup. Please refer to your network support provider or Microsoft for further advice.