Problem syncing a user account from on-premises AD to Azure AD using Azure AD Connect

Irvan 20 Reputation points
2023-04-10T06:14:20.1966667+00:00

I have a problem with syncing a user account from on-premises AD to Azure AD using Azure AD Connect. Initially this user account was successfully synchronized and the user used it for email and drive. Some time ago this account was removed from on-premises AD and Azure AD. One day later this user account was created with the same username in on-premises AD. Because I still need the email data in the user account mailbox, I also restored the account from Deleted Users in Azure AD. The problem that arises is that when the user account is synchronized from on-premises AD to Azure AD, there is a conflict because Azure AD Connect Health reads that Azure AD already has that account. As a result the account cannot sync properly from on-premises AD to Azure AD; for example, the groups that the account is a member of don't sync properly.

Is it because the source anchor is different? What should I do to solve this? Please help and advise.


Accepted answer
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2023-04-10T08:58:40.14+00:00

Yes, it's because of the different source anchor/object ID. You have two ways of remedying this. First, you can use the so-called hard-match method, basically overwriting the SourceAnchor value. As you have the value exposed in the error message above, you can simply copy it:

    $immutableId = "nCp..."

then set it on the cloud user:

    Set-MsolUser -UserPrincipalName ******@domain.com -ImmutableId $immutableId

For the sake of completeness, here's how to calculate the ImmutableId based on the user's ObjectId:

    # ImmutableId = base64 of the objectGUID byte array, as Azure AD Connect computes it
    Get-ADUser -Filter * | Select-Object UserPrincipalName, ObjectGUID, @{n="ImmutableID"; e={[System.Convert]::ToBase64String($_.ObjectGUID.ToByteArray())}}

Alternatively, you can use the soft-match method as detailed here: https://support.microsoft.com/en-us/topic/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization-75673b94-e1b8-8a9e-c413-ee5a2a1a6a78

For soft-match to work, however, you need to first clear the ImmutableId value. So we're back to running the Set-MsolUser cmdlet:

    Set-MsolUser -UserPrincipalName ******@domain.com -ImmutableId "$null"
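An added example (not code from the answer above) in PowerShell that converts between the on-premises objectGUID and the Azure AD ImmutableId in both directions, and checks whether the restored cloud user is already anchored to the re-created on-prem object before its source anchor is overwritten. The GUID, ImmutableId and UPN values are constructed placeholders; if your Azure AD Connect installation uses mS-DS-ConsistencyGuid as the source anchor, take the value from that attribute instead of objectGUID.

```powershell
# Added example, not code from the answer: convert between an on-prem objectGUID and an
# Azure AD ImmutableId in both directions, and check whether a cloud user is already
# anchored to the intended on-prem object before overwriting its source anchor.
# All GUID, ImmutableId and UPN values below are constructed placeholders.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect base64-encodes the GUID's .NET byte layout (mixed-endian), which is
    # exactly what ToByteArray() returns; do NOT encode the textual GUID string.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to 16 bytes; not a GUID-based anchor."
    }
    [guid]::new($bytes)
}

function Test-HardMatch {
    # $true only when the cloud ImmutableId decodes to the on-prem objectGUID
    param(
        [Parameter(Mandatory)][guid]$OnPremObjectGuid,
        [AllowNull()][string]$CloudImmutableId
    )
    if ([string]::IsNullOrEmpty($CloudImmutableId)) { return $false }
    try { return ((ConvertFrom-ImmutableId $CloudImmutableId) -eq $OnPremObjectGuid) }
    catch { return $false }
}

# Constructed sample: objectGUID of the re-created on-prem account, and the ImmutableId
# still stored on the restored cloud user (left over from the deleted original object).
$onPremGuid     = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$cloudImmutable = 'AAECAwQFBgcICQoLDA0ODw=='   # decodes to 03020100-0504-0706-0809-0a0b0c0d0e0f

$expected = ConvertTo-ImmutableId $onPremGuid
"Expected ImmutableId for the on-prem object: $expected"
"Cloud object currently anchored to GUID    : $(ConvertFrom-ImmutableId $cloudImmutable)"

if (Test-HardMatch -OnPremObjectGuid $onPremGuid -CloudImmutableId $cloudImmutable) {
    'Already hard-matched; nothing to change.'
} else {
    # Printed, not executed: review the UPN and value, then run it as shown in the answer.
    "Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId '$expected'"
}
```

In a live run, take the on-prem value from `(Get-ADUser $samAccountName).ObjectGUID` and the cloud value from `(Get-MsolUser -UserPrincipalName $upn).ImmutableId`; decoding the cloud value first tells you which on-prem object the restored user is still tied to before you overwrite it.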

