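# Re-points a federated Azure AD user at a changed email address by rewriting
# OnPremisesImmutableId through Microsoft Graph.
#
# This generally affects users federated to Azure AD from G Suite whose email
# address has changed. You'll still have sync errors, but at least the user can
# still log in.
# This works in PowerShell 7.x on Mac as well as Windows.
# Requires `Install-Module Microsoft.Graph`
#
# NOTE(review): OnPremisesImmutableId looks like the value the federated sign-in
# is matched on, so treat this as an account re-link: confirm $email belongs to
# the intended person before running, and keep a record of the change.
# NOTE(review): User.ReadWrite.All is a tenant-wide write scope; run this from an
# admin session used only for this task. Get-MgDomain may also need a
# domain-read permission (e.g. Domain.Read.All) - confirm in your tenant.

# Graph errors are otherwise non-fatal, and the later updates would run with
# empty values; stop at the first failure instead.
$ErrorActionPreference = 'Stop'

# Who are we modifying
$email = "user@host.com"

# Fix the user
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Pick the tenant's managed *.onmicrosoft.com domain as a temporary home for the
# UPN (presumably because the immutable ID cannot be changed while the UPN sits
# in the federated domain - confirm).
$targetDomain = @(Get-MgDomain | Where-Object { $_.AuthenticationType -eq "Managed" -and $_.Id -like "*onmicrosoft.com" })[0]
if (-not $targetDomain) {
    throw "No managed *.onmicrosoft.com domain found; nothing was changed."
}

$tempEmail = $email.Split('@')[0] + "@" + $targetDomain.Id

$targetUser = Get-MgUser -UserId $email
if (-not $targetUser) {
    throw "User '$email' not found; nothing was changed."
}

# 1) Move the UPN to the managed domain.
Update-MgUser -UserId $targetUser.Id -UserPrincipalName $tempEmail
try {
    # 2) Set the immutable ID to the new email address.
    Update-MgUser -UserId $targetUser.Id -OnPremisesImmutableId $email
}
finally {
    # 3) Always put the UPN back, even if step 2 failed, so the account is not
    #    left stranded on the temporary onmicrosoft.com address.
    Update-MgUser -UserId $targetUser.Id -UserPrincipalName $email
}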