Handling Immutable ID Issues in Okta for Microsoft 365 Assignments
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article addresses an issue where users assigned to Microsoft 365 are missing immutable IDs in Okta, which can prevent these users from logging into Microsoft 365 via the Okta dashboard. This problem often arises after making profile changes for users. A solution is provided to prevent and mitigate such issues in the future.

Applies To
  • Okta administrators managing user access to Microsoft 365
  • Single Sign-On (SSO)
Cause

The loss of immutable IDs in Okta after profile changes, specifically for users assigned to Microsoft 365, leads to login failure for these users. The absence of immutable IDs will likely occur when the immutable ID mapping fails to find a value from an Active Directory instance and defaults to a null value.

Solution

The out-of-the-box expression for the immutable ID during Office 365 integration is:

hasDirectoryUser()?findDirectoryUser().externalId:null

(Screenshot: User Profile Mappings)

This sets the value to null if no value is found from a directory integration. However, the application's backend logic substitutes the user's App ID as the immutable ID when a user is newly assigned to the application.

Instead of relying on this default behavior, it is recommended to use the expression documented in Okta's support article:

hasDirectoryUser()?findDirectoryUser().externalId:user.getInternalProperty("id")

(Screenshot: User Profile Mappings)

This expression ensures the immutable ID is set to the Okta User's Profile ID (a static value that never changes) if no value is retrieved from a directory integration.

However, be aware of the following considerations when using the new expression for the immutable ID mapping:

  1. Users already assigned to the application will not have their immutable ID updated to their Okta User Profile ID, as the immutable ID is only applied during user creation and cannot be updated later.

  2. If an existing user is unassigned and re-assigned to the application, their immutable ID might change on the Okta side, leading to the login issue described above. In such cases, the immutable ID on the Microsoft side would need to be updated using PowerShell.


This approach mitigates the loss of immutable IDs in Okta after profile changes, ensuring uninterrupted access to Microsoft 365 for users.
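The following is an added example, not Okta's own code: it mirrors the two mapping expressions above in Python so the difference for a user without a directory link is visible, and it audits an app-user listing for assigned users whose immutable ID came out empty. The record shape and the `immutableId` attribute name are assumptions modelled on an Okta app-user listing; the user IDs and external IDs are constructed sample values.

```python
from typing import Optional

def map_immutable_id(okta_user: dict, recommended: bool) -> Optional[str]:
    """Mirror the two Okta Expression Language mappings from this article.

    Default:      hasDirectoryUser() ? findDirectoryUser().externalId : null
    Recommended:  hasDirectoryUser() ? findDirectoryUser().externalId
                                     : user.getInternalProperty("id")
    """
    # None models hasDirectoryUser() being false (no AD/LDAP link for the user)
    directory_user = okta_user.get("directory_user")
    if directory_user is not None:
        return directory_user.get("externalId")
    # The recommended expression falls back to the stable Okta user ID
    return okta_user["id"] if recommended else None

def find_missing_immutable_ids(app_users: list[dict]) -> list[str]:
    """Return IDs of assigned app users whose immutableId attribute is absent
    or empty, which is the failure mode described in this article.
    The 'profile' / 'immutableId' shape is an assumption about the app-user schema."""
    missing = []
    for app_user in app_users:
        immutable_id = (app_user.get("profile") or {}).get("immutableId")
        if not immutable_id:
            missing.append(app_user["id"])
    return missing

# Constructed sample data: one AD-sourced user and one Okta-mastered user.
AD_USER = {"id": "00u1aaaaaaaaaaaaaaaa",
           "directory_user": {"externalId": "constructed-ad-guid"}}
CLOUD_USER = {"id": "00u2bbbbbbbbbbbbbbbb", "directory_user": None}

# Constructed app-user records as an audit script might receive them.
SAMPLE_APP_USERS = [
    {"id": "00u1aaaaaaaaaaaaaaaa", "profile": {"immutableId": "constructed-ad-guid"}},
    {"id": "00u2bbbbbbbbbbbbbbbb", "profile": {"immutableId": ""}},
    {"id": "00u3cccccccccccccccc", "profile": {}},
]

if __name__ == "__main__":
    for label, user in (("AD user", AD_USER), ("cloud user", CLOUD_USER)):
        print(label, "default ->", map_immutable_id(user, False),
              "| recommended ->", map_immutable_id(user, True))
    print("assigned users missing immutableId:",
          find_missing_immutable_ids(SAMPLE_APP_USERS))
```

Running the audit before and after switching the mapping shows which already-assigned users still carry an empty value, since the new expression only applies at user creation.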