How do I hard match on premise groups with Azure AD groups?

IPSO Joe 5 Reputation points
2023-01-25T20:39:16.0333333+00:00

We've recently changed domains and moved into a new forest. We're running Server 2022 and the latest version of Azure AD. I have Azure AD Connect configured to sync using mS-DS-ConsistencyGuid. When syncing the users, I had to do a hard match, converting the on-premises objectGUID for each user to Base64 and writing it to the Azure AD immutable ID attribute. That was simple enough. When it comes to the on-premises groups, in PowerShell, I can't write to the immutable ID / source anchor attribute. Everything I've read has either been for an older version of Azure or suggested that all I need to do is set up sync to use mS-DS-ConsistencyGuid.


1 answer

  1. Thameur-BOURBITA 32,496 Reputation points
    2023-01-25T23:50:05.7966667+00:00

    Hi,

    Did you try to copy the GUID of the old on-premises group into the attribute ms-DS-ConsistencyGuid of the new on-premises group?

    You can also convert the immutable ID of the Azure group using the PowerShell command below and copy it into mS-DS-ConsistencyGuid:

    # A variable name containing hyphens must be wrapped in ${...}; $base64 holds the cloud object's immutable ID
    ${ms-DS-Consistency-GUID} = [guid]([System.Convert]::FromBase64String($base64))

    Please don't forget to mark the helpful answer as accepted.
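The two conversions the thread relies on (Base64 immutable ID to GUID and back) and the actual write to the group attribute, as an added PowerShell example that is not part of the original question or answer. It assumes the ActiveDirectory RSAT module is installed, that you run it with rights to modify the group, and that `$immutableId` and the group DN are placeholders you replace with your own values; the Base64 string and the `CN=Finance,...` DN below are constructed for illustration.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Convert-ImmutableIdToGuid {
    # Base64 source anchor (as stored in the cloud) -> on-premises GUID
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]([System.Convert]::FromBase64String($ImmutableId))
}

function Convert-GuidToImmutableId {
    # on-premises GUID -> Base64 source anchor; this is the direction used for the user hard match
    param([Parameter(Mandatory)][guid]$Guid)
    [System.Convert]::ToBase64String($Guid.ToByteArray())
}

function Set-GroupConsistencyGuid {
    # Stamp mS-DS-ConsistencyGuid on a group, refusing to overwrite an existing value
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][guid]$Guid
    )
    $group = Get-ADGroup -Identity $GroupDn -Properties 'mS-DS-ConsistencyGuid'
    $current = $group.'mS-DS-ConsistencyGuid'

    if ($current) {
        $existing = [guid][byte[]]$current
        if ($existing -eq $Guid) {
            Write-Host "Group already carries the expected ConsistencyGuid $existing; nothing to do."
            return
        }
        # A different anchor is already present: stop rather than silently re-anchor the object
        throw "Group '$GroupDn' already has mS-DS-ConsistencyGuid $existing (expected $Guid). Review before overwriting."
    }

    # The attribute is an octet string, so it is written as a byte array, not as a GUID string
    Set-ADGroup -Identity $group -Replace @{ 'mS-DS-ConsistencyGuid' = $Guid.ToByteArray() }

    # Read back and verify the round trip before trusting the next sync cycle
    $verify = Get-ADGroup -Identity $GroupDn -Properties 'mS-DS-ConsistencyGuid'
    $written = [guid][byte[]]$verify.'mS-DS-ConsistencyGuid'
    if ($written -ne $Guid) { throw "Verification failed: wrote $Guid but read back $written" }
    Write-Host "mS-DS-ConsistencyGuid on '$GroupDn' is now $written (immutable ID $(Convert-GuidToImmutableId $written))"
}

# --- Usage (constructed placeholder values; replace with your own) ---
$immutableId = 'AAECAwQFBgcICQoLDA0ODw=='            # Base64 source anchor of the cloud group
$groupDn     = 'CN=Finance,OU=Groups,DC=contoso,DC=local'

$guid = Convert-ImmutableIdToGuid -ImmutableId $immutableId
Set-GroupConsistencyGuid -GroupDn $groupDn -Guid $guid
```

The refuse-to-overwrite check matters because re-anchoring a group that already has a consistency GUID changes which cloud object the group matches on the next sync; compare the existing value against what you expect before clearing or replacing it. If you instead have the old forest's group GUID (the first suggestion in the answer), pass it straight to `Set-GroupConsistencyGuid` and skip the Base64 conversion.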