Hard Matching On-Prem Users with Azure AD Users

When implementing Azure AD Connect (formerly Azure AD Sync) in an existing Office 365 tenant that already has users, it is sometimes necessary to hard match users so that on-prem accounts are linked to the existing cloud accounts instead of being created as new, duplicate users in Office 365.

Typically I will install AD Connect and try soft matching first (where the cloud user is matched on primary SMTP address and UPN). If duplicates get created instead, pause the sync scheduler and delete the newly created users from Office 365, then purge them from the recycle bin; a soft-deleted duplicate still holds its UPN and proxy addresses, so the real match cannot succeed until it is gone:

# Sign in to the tenant (MSOnline module)
Connect-MsolService
# List soft-deleted users (the Office 365 recycle bin)
Get-MsolUser -ReturnDeletedUsers
# Permanently delete the duplicate so its UPN and proxy addresses are released
Remove-MsolUser -UserPrincipalName EMAILADDRESSHERE -RemoveFromRecycleBin

Once the duplicate(s) have been purged you can match the remaining cloud user to the on-prem account by ImmutableId, which is the on-prem objectGUID (16 bytes) base64-encoded; when the next sync cycle finds a cloud user whose ImmutableId equals the on-prem sourceAnchor it hard matches instead of creating a new user. Run this in PowerShell on the Domain Controller, or on any machine that has both the ActiveDirectory and MSOnline modules installed. (The MSOnline cmdlets are deprecated in favour of Microsoft Graph PowerShell, but the ImmutableId value is computed the same way either way.)

Import-Module ActiveDirectory                 # provides Get-ADUser
$credential = Get-Credential                  # tenant admin account
Connect-MsolService -Credential $credential
$ADUser = "username"                          # on-prem sAMAccountName
$365User = "username@emaildomainname.com"     # UPN of the existing Office 365 user
# ObjectGUID comes back as a [System.Guid]; ImmutableId is its 16 bytes, base64-encoded
$guid = (Get-ADUser $ADUser).ObjectGUID
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
# Stamp the cloud user so the next sync cycle hard matches it to the on-prem account
Set-MsolUser -UserPrincipalName $365User -ImmutableId $immutableID
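The procedure above, wrapped with the checks I would want before stamping a tenant: this is an added example, not code from the original post. It assumes Connect-MsolService has already been run and the ActiveDirectory module is available; the function names, the sample identities (jsmith, example.com) and the CSV layout are illustrative choices. It also decodes an existing ImmutableId back to a GUID, which is the quickest way to see which on-prem object a cloud user is already anchored to when a match is not behaving. If your AD Connect install uses ms-DS-ConsistencyGuid as the sourceAnchor, that attribute is seeded from objectGUID on a user's first sync, so the value computed here still matches for users that have never synced.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService has
# already been run and the ActiveDirectory module is installed. Function names,
# sample identities and the CSV column names are illustrative assumptions.

function ConvertTo-ImmutableId {
    # objectGUID (16 bytes) -> the base64 string Azure AD stores as ImmutableId
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: decode an ImmutableId back to a GUID so you can see
    # which on-prem object a cloud user is currently anchored to.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID" }
    [System.Guid]::new($bytes)
}

function Set-HardMatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # on-prem account to anchor to
        [Parameter(Mandatory)][string]$CloudUpn,         # existing Office 365 user
        [switch]$Force                                   # overwrite an ImmutableId that points elsewhere
    )

    $adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName -ErrorAction Stop
    $wanted = ConvertTo-ImmutableId $adUser.ObjectGUID

    # Prove the encoding round-trips before touching the tenant
    if ((ConvertFrom-ImmutableId $wanted) -ne $adUser.ObjectGUID) {
        throw "Round-trip check failed for $SamAccountName"
    }

    # A soft-deleted duplicate still holds the UPN; refuse to continue until it is purged
    $deleted = Get-MsolUser -UserPrincipalName $CloudUpn -ReturnDeletedUsers -ErrorAction SilentlyContinue
    if ($deleted) {
        throw "$CloudUpn is in the recycle bin; purge it with Remove-MsolUser -RemoveFromRecycleBin first"
    }

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # A user that is already directory-synced cannot be re-anchored from the cloud side
    if ($cloudUser.LastDirSyncTime) {
        throw "$CloudUpn is already directory-synced (LastDirSyncTime=$($cloudUser.LastDirSyncTime))"
    }

    if ($cloudUser.ImmutableId -eq $wanted) {
        Write-Verbose "$CloudUpn is already anchored to $SamAccountName; nothing to do"
        return
    }

    if ($cloudUser.ImmutableId) {
        # Points at some other on-prem object: show which one before overwriting
        $existing = ConvertFrom-ImmutableId $cloudUser.ImmutableId
        if (-not $Force) {
            throw "$CloudUpn already has an ImmutableId for objectGUID $existing; re-run with -Force to overwrite"
        }
        Write-Warning "Overwriting ImmutableId on $CloudUpn (was objectGUID $existing)"
    }

    if ($adUser.UserPrincipalName -ne $CloudUpn) {
        Write-Warning "On-prem UPN $($adUser.UserPrincipalName) differs from $CloudUpn; the cloud UPN will be updated from on-prem on the next sync"
    }

    if ($PSCmdlet.ShouldProcess($CloudUpn, "Set ImmutableId to $wanted (objectGUID $($adUser.ObjectGUID))")) {
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $wanted
    }
}

# Single user: dry run first, then for real
Set-HardMatch -SamAccountName jsmith -CloudUpn jsmith@example.com -WhatIf
Set-HardMatch -SamAccountName jsmith -CloudUpn jsmith@example.com -Verbose

# Bulk: a CSV with the columns SamAccountName,CloudUpn (constructed layout for this example)
# Import-Csv .\hardmatch.csv | ForEach-Object { Set-HardMatch -SamAccountName $_.SamAccountName -CloudUpn $_.CloudUpn }
```

Once the users are stamped, resume the scheduler on the AD Connect server and run a delta cycle (Start-ADSyncSyncCycle -PolicyType Delta), then confirm each matched user now shows a LastDirSyncTime in Get-MsolUser rather than a second, newly created account.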

Assistance greatly appreciated from: https://www.itpromentor.com/soft-vs-hard-match/ and https://practical365.com/exchange-server/permanently-remove-deleted-users-office-365/
