Sometimes, as you are deploying ADFS, DirSync, Hybrid etc... you might decide that you want to test ADFS with your tenant before you have DirSync in place (maybe you're waiting on a server, or a firewall rule etc..).  

This bit of code below allows you to create a cloud user and populate the ImmutableID value from a on-premises user account.

Just run the script and provide the sAMAccountName of the on-premises object along with the UPN of the cloud object.

# Update Cloud User with on-prem account ImmutableID for testing SSO

# Update-ManagedCloudUserWithOnPremUserObjectGuidAsImmutableID.ps1

param

(

[Parameter(Position=0, Mandatory = $true, HelpMessage="Identify the SAMaccountName for the source on-prem user whose ObjectGUID you want to use")]

[String] $OnPremUser,

[Parameter(Position=1, Mandatory = $true, HelpMessage="Identify the Tenant user UserPrincipalName where you want to apply the new ImmutableID.")]

[String] $TenantUPN

)

# Connect to MSOnline

if(!(get-module -name MSOnline)){import-module MSOnline}

Connect-MsolService

if(!(get-msoluser -userprincipalname $tenantUPN)){Write-host -fore red "UPN provided cannot be located in tenant.";exit}

$searchbase = [DirectoryServices.DirectorySearcher] "(samaccountname=$OnPremUser)"

$user = $searchbase.FindAll()|foreach-object {$_.GetDirectoryEntry()}

$userguid = [Guid]($user.Properties["objectGUID"][0])

$immutableID = [System.Convert]::ToBase64String($userguid.ToByteArray())

write-host $immutableID

set-msolUser -userprincipalname $TenantUPN -immutableID $ImmutableID