Added important note to solve #3421

This commit is contained in:
Jose Ortega 2019-05-20 23:50:41 -05:00
parent 30ab9bb02e
commit 090686b47b


@ -41,6 +41,9 @@ Use this three-phased approach for configuring device registration.
> >
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction) > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
>[!IMPORTANT]
> To use Hybrid Identity with Azure Active Directory (HIAAD) and device WriteBack features you must use the in-built GUI with the [latest updates for ADConnect.](https://www.microsoft.com/download/details.aspx?id=47594)
## Configure Azure for Device Registration ## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
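Review bot: the added `>[!IMPORTANT]` block sits directly under the existing `> You can learn about this and more ...` blockquote with no blank line between them, so Markdown folds the new lines into that quote and the alert will not render as its own callout; insert an empty line before `>[!IMPORTANT]`. The note itself also needs tightening: "HIAAD" is not an acronym used anywhere else in these hunks (the page otherwise talks about Hybrid Windows Hello for Business and device registration), and "the in-built GUI" does not say which tool is meant. Suggest: "To use device writeback with Hybrid Windows Hello for Business, configure it through the Azure AD Connect configuration wizard after installing the latest Azure AD Connect release", keeping the download link, and drop "HIAAD". Since the AD DS preparation for writeback (`Initialize-ADSyncDeviceWriteBack`) is still documented later in this file, the note should not read as if the wizard alone replaces those steps.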
@ -117,8 +120,8 @@ If your AD FS farm is not already configured for Device Authentication (you can
![Device Registration](images/hybridct/device2.png) ![Device Registration](images/hybridct/device2.png)
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
`Import-module activedirectory` `Import-module activedirectory`
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>" ` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>" `
3. On the pop-up window click **Yes**. 3. On the pop-up window click **Yes**.
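Review bot: both sides of this hunk are identical, so the change here is whitespace-only and not mentioned in the commit message; confirm it was intended. While touching these lines, make the two commands consistent: `Import-module activedirectory` has no prompt prefix while the next line reads `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"`. Either prefix both with the prompt or neither, and use the canonical cmdlet casing `Import-Module ActiveDirectory` so readers can copy the line verbatim.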
@ -143,7 +146,7 @@ The above PSH creates the following objects:
### Create Service Connection Point (SCP) in Active Directory ### Create Service Connection Point (SCP) in Active Directory
If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
1. Open Windows PowerShell and execute the following: 1. Open Windows PowerShell and execute the following:
`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" `
> [!NOTE] > [!NOTE]
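Review bot: the prompt at `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` is missing the backslash and the space used by the `PS C:\>` prompt two hunks earlier; normalize it. The module path is also the default install location only; a reader who installed Azure AD Connect elsewhere will get a module-not-found error, so say "adjust the path if Azure AD Connect was installed to a non-default location" next to the command.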
@ -159,7 +162,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
3. Run the following PowerShell command 3. Run the following PowerShell command
`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred `
Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
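Review bot: the explanation of `[AD connector account name]` on the last line of this hunk omits the `domain\accountname` format that the same placeholder is given in the device-writeback hunk below; state the format here too so the two commands are consistent. `$aadAdminCred` is consumed at `Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` but created in a step outside this hunk; make sure that step says the variable must hold an Azure AD administrator credential (for example from `Get-Credential`), otherwise the call fails with an unhelpful authentication error.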
@ -170,7 +173,7 @@ To ensure AD DS objects and containers are in the correct state for write back o
1. Open Windows PowerShell and execute the following: 1. Open Windows PowerShell and execute the following:
`PS C:>Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name] ` `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name] `
Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format
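Review bot: the single command in this hunk mixes two placeholder conventions, `-DomainName <AD DS domain name>` and `-AdConnectorAccount [AD connector account name]`; pick one bracket style for the whole page so readers do not wonder whether the square brackets are literal PowerShell syntax. The trailing explanatory sentence also lacks a full stop.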
@ -223,100 +226,100 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this:
@RuleName = "Issue account type for domain-joined computers" @RuleName = "Issue account type for domain-joined computers"
c:[ c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "DJ" Value = "DJ"
); );
#### Issue objectGUID of the computer account on-premises #### Issue objectGUID of the computer account on-premises
**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
@RuleName = "Issue object GUID for domain-joined computers" @RuleName = "Issue object GUID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
store = "Active Directory", store = "Active Directory",
types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"),
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
); );
#### Issue objectSID of the computer account on-premises #### Issue objectSID of the computer account on-premises
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this:
@RuleName = "Issue objectSID for domain-joined computers" @RuleName = "Issue objectSID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue(claim = c2); => issue(claim = c2);
#### Issue issuerID for computer when multiple verified domain names in Azure AD #### Issue issuerID for computer when multiple verified domain names in Azure AD
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
@RuleName = "Issue account type with the value User when its not a computer" @RuleName = "Issue account type with the value User when its not a computer"
NOT EXISTS( NOT EXISTS(
[ [
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ" Value == "DJ"
] ]
) )
=> add( => add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User" Value = "User"
); );
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID" @RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[ c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN" Type == "http://schemas.xmlsoap.org/claims/UPN"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User" Value == "User"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace( Value = regexreplace(
c1.Value, c1.Value,
".+@(?<domain>.+)", ".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/" "http://${domain}/adfs/services/trust/"
) )
); );
@RuleName = "Issue issuerID for domain-joined computers" @RuleName = "Issue issuerID for domain-joined computers"
c:[ c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = "http://<verified-domain-name>/adfs/services/trust/" Value = "http://<verified-domain-name>/adfs/services/trust/"
); );
In the claim above, In the claim above,
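Review bot: the rule name `@RuleName = "Issue account type with the value User when its not a computer"` does not match the copy of the same rule in the helper script further down, which reads "when it is not a computer"; anyone auditing the relying-party trust by RuleName will not find a match between what the page documents and what the script installs, so align the two (and fix the apostrophe). The sentence "Please note that one rule to explicitly issue the rule for users is necessary" should read "one rule that explicitly issues the claim for users is necessary". Both sides of this 100-line hunk are identical, so the change is whitespace-only; if the intent was to indent the claim-rule blocks so they render as code, verify the rendered page, because a partial indent will leave some rules rendered as prose. Two caveats worth adding to the text: the user issuerid rule derives the issuer from the UPN suffix with `".+@(?<domain>.+)"`, which only works when every UPN suffix in use is a verified, federated domain in Azure AD; and `Value = "http://<verified-domain-name>/adfs/services/trust/"` must be one of those verified domains, which the surrounding text already hints at but does not state for the computer rule.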
@ -331,138 +334,138 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain]
**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows:
@RuleName = "Issue ImmutableID for computers" @RuleName = "Issue ImmutableID for computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
store = "Active Directory", store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
); );
#### Helper script to create the AD FS issuance transform rules #### Helper script to create the AD FS issuance transform rules
The following script helps you with the creation of the issuance transform rules described above. The following script helps you with the creation of the issuance transform rules described above.
$multipleVerifiedDomainNames = $false $multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false $immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
$rule1 = '@RuleName = "Issue account type for domain-joined computers" $rule1 = '@RuleName = "Issue account type for domain-joined computers"
c:[ c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "DJ" Value = "DJ"
);' );'
$rule2 = '@RuleName = "Issue object GUID for domain-joined computers" $rule2 = '@RuleName = "Issue object GUID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
store = "Active Directory", store = "Active Directory",
types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"),
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
);' );'
$rule3 = '@RuleName = "Issue objectSID for domain-joined computers" $rule3 = '@RuleName = "Issue objectSID for domain-joined computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue(claim = c2);' => issue(claim = c2);'
$rule4 = '' $rule4 = ''
if ($multipleVerifiedDomainNames -eq $true) { if ($multipleVerifiedDomainNames -eq $true) {
$rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS( NOT EXISTS(
[ [
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ" Value == "DJ"
] ]
) )
=> add( => add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User" Value = "User"
); );
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID" @RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[ c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN" Type == "http://schemas.xmlsoap.org/claims/UPN"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User" Value == "User"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace( Value = regexreplace(
c1.Value, c1.Value,
".+@(?<domain>.+)", ".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/" "http://${domain}/adfs/services/trust/"
) )
); );
@RuleName = "Issue issuerID for domain-joined computers" @RuleName = "Issue issuerID for domain-joined computers"
c:[ c:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/"
);' );'
} }
$rule5 = '' $rule5 = ''
if ($immutableIDAlreadyIssuedforUsers -eq $true) { if ($immutableIDAlreadyIssuedforUsers -eq $true) {
$rule5 = '@RuleName = "Issue ImmutableID for computers" $rule5 = '@RuleName = "Issue ImmutableID for computers"
c1:[ c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$", Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
&& &&
c2:[ c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
] ]
=> issue( => issue(
store = "Active Directory", store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = ";objectguid;{0}", query = ";objectguid;{0}",
param = c2.Value param = c2.Value
);' );'
} }
$existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules
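Review bot: the script reads the current rule set at `$existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules` but nothing in this hunk checks whether any of the five `@RuleName` values are already present before the (not shown) append, so running the script twice installs duplicate rules; suggest testing `$existingRules` for each rule name and skipping or replacing matches. Also note for maintainers that the rules are deliberately built in single-quoted strings: `"http://${domain}/adfs/services/trust/"` must reach AD FS literally, and switching those strings to double quotes would make PowerShell expand `${domain}` to an empty string and silently break the user issuerid rule. When `$multipleVerifiedDomainNames` or `$immutableIDAlreadyIssuedforUsers` is `$false`, `$rule4` and `$rule5` stay as empty strings; make sure the concatenation that follows tolerates empty entries rather than emitting blank rule separators.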
@ -479,8 +482,8 @@ The following script helps you with the creation of the issuance transform rules
- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule:
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/")); => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**.
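Review bot: "via the Get-MsolDomains cmdlet" names a cmdlet that does not exist; the MSOnline cmdlet is `Get-MsolDomain`, as the context line at the top of the previous hunk already says, so correct the name here. The sentence "Here is an example for this rule:" is ambiguous about whether the two lines that follow it are a rule to add or the rule to remove; since the preceding sentence says to remove any existing issuerid rule created by Azure AD Connect, reword it to "Here is an example of such an existing rule that must be removed:".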