src/Private/ConvertTo-ImmutableId.ps1

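function ConvertTo-ImmutableId {
    <#
    .SYNOPSIS
        Converts an on-premises objectGUID to the default Entra Connect ImmutableId.
    .DESCRIPTION
        The default Entra Connect (Azure AD Connect) sourceAnchor / immutableId is the
        Base64 encoding of the AD objectGUID's raw byte array. This lets us correlate an
        on-prem account to its synced cloud user even when UPNs differ.

        Returns $null for a missing, all-zero, or unparseable GUID so callers can fall
        back to UPN matching. An all-zero GUID is rejected explicitly: it would otherwise
        encode to the same constant string for every such input and could make unrelated
        accounts appear to share an anchor.

        NOTE(review): the result only matches the cloud ImmutableId when the tenant's
        sourceAnchor is derived from objectGUID. Where ms-DS-ConsistencyGuid is the
        anchor and holds a different value, the computed id will not match; callers
        should treat "no cloud user found" as no correlation, not as an error.
    .PARAMETER ObjectGuid
        A [guid] instance, or any value whose string form [guid]::Parse accepts.
    .OUTPUTS
        System.String. The Base64 ImmutableId, or $null when no usable GUID was supplied.
    #>

    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [object] $ObjectGuid
    )
    process {
        # Null / empty-string input: nothing to convert.
        if (-not $ObjectGuid) { return $null }
        try {
            $guid = if ($ObjectGuid -is [guid]) { $ObjectGuid } else { [guid]::Parse([string]$ObjectGuid) }

            # A [guid] object is always truthy, so the guard above does not catch Guid.Empty.
            # Reject it here rather than emit an anchor shared by every all-zero input.
            if ($guid -eq [guid]::Empty) { return $null }

            # ToByteArray() yields the GUID's raw 16-byte layout, which is what is Base64-encoded.
            return [System.Convert]::ToBase64String($guid.ToByteArray())
        }
        catch {
            # Deliberate best-effort: any parse/convert failure means "no anchor available".
            return $null
        }
    }
}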