Azure AD Connect - procedure to change source of anchor from ObjectSID to Ms-DS-ConsistencyGUID

Question

Hello,

We are an organization of + 1000 users with ADs (domain and subdomains) linked to Azure AD via Azure Ad Connect.

Currently the anchor source is ObjectSID, UPN = mail and Hybrid Exchange.

We would like to change it to MS-DS-ConsistencyGUID in order to be able to move objects easily between ADs without impacting the Azure AD accounts.

We have found documentation about changing the anchor source for ObjectGUID attributes to MS-DS-ConsistencyGUID but not much for attributes other than ObjectGUID.

I have read and tested several ideas but nothing is 100% risk free.

For you, what is the best procedure to change this anchor source without loss of connection/identification for the end user (on Office 365 for example)?

Answer 1

It isn't possible to change the sourceAnchor designation without reinstalling AAD Connect, except when doing the predefined path of ObjectGUID to mS-DS-ConsistencyGUID.

To accomplish this with zero risk, it won't be a simple task, unfortunately. As Alfredo said, your best bet here is to open a support case via portal.azure.com and someone can walk through the options with you.

Answer 2

@G.W to better address your scenario please create a support request.

Answer 3

I also asked the question here = https://techcommunity.microsoft.com/t5/azure-architecture/azure-ad-connect-procedure-to-change-source-of-anchor-from/m-p/1782331

Answer 4

Thank you for your answers.
Indeed, it is not possible to change the source without reinstalling the Azure Ad connect on another server.
I therefore opted for another solution to migrate my users by changing the immutable IDs by scripting.