InvalidHardMatch error in 2000+ accounts because of excluded 'mail' attribute

Marcel Sic 20 Reputation points
2024-03-18T12:55:36.7+00:00

Hello, we have around 1300 users in our on-premise AD which are sharing mail addresses. When I tried to synchronize these accounts to Azure, I got a Duplicate Attribute error, of course. I can't change mail addresses for these accounts, so I excluded the 'mail' attribute from synchronization in the Azure AD Connect app. Now I have 2000+ accounts with sync errors with the InvalidHardMatch error. It's probably because of the missing 'mail' attribute. Could you give me some advice on how to solve this problem? Is it possible to change the attribute for hard match from 'mail' to some other attribute, or is there some better solution? Thank you


1 answer

  1. James Hamil 21,466 Reputation points Microsoft Employee
    2024-03-18T18:54:16.7566667+00:00

    Hi @Marcel Sic, the InvalidHardMatch error occurs when Azure AD Connect is unable to match an on-premises object with an existing object in Azure AD. This can happen when the sourceAnchor attribute, which is used for hard matching, is not unique for the object.

    In your case, since you have excluded the mail attribute from synchronization, the sourceAnchor attribute may not be unique for some objects, resulting in the InvalidHardMatch error.

    To resolve this issue, you can consider using a different attribute for hard matching. The objectGUID attribute is a good candidate for hard matching, as it is unique for each object in Active Directory. You can configure Azure AD Connect to use the objectGUID attribute for hard matching by following these steps:

    1. Open the Azure AD Connect configuration wizard.
    2. On the "Configure synchronization options" page, select "Customize synchronization options" and click "Next".
    3. On the "Optional features" page, select "Directory extensions" and click "Next".
    4. On the "Configure directory extensions" page, select "Source Anchor" and click "Next".
    5. On the "Configure source anchor" page, select "Use an attribute to create the source anchor" and select "objectGUID" from the dropdown list.
    6. Click "Next" to complete the configuration wizard.

    After configuring Azure AD Connect to use the objectGUID attribute for hard matching, you should perform a full synchronization to ensure that all objects are matched correctly.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
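As an added example (not part of the question or the answer above), here is a pre-sync check in Python that derives the sourceAnchor value Entra stores as ImmutableId from each user's objectGUID and flags the two conditions the thread is about: anchors that are not unique (hard match cannot work) and mail values shared by several users (the Duplicate Attribute error). The user records are constructed sample data with random GUIDs; the base64 encoding of the GUID's little-endian bytes is the same value PowerShell's `[Convert]::ToBase64String($guid.ToByteArray())` produces.

```python
import base64
import uuid
from collections import defaultdict

# Constructed sample of on-premises AD users; the objectGUIDs are made up.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectGUID": "8f1c2a3b-4d5e-4f60-8a71-2b3c4d5e6f70", "mail": "shared@example.com"},
    {"sAMAccountName": "bob",   "objectGUID": "0a1b2c3d-4e5f-4a6b-9c7d-8e9fa0b1c2d3", "mail": "Shared@example.com"},
    {"sAMAccountName": "carol", "objectGUID": "11223344-5566-4777-8899-aabbccddeeff", "mail": "carol@example.com"},
    {"sAMAccountName": "dave",  "objectGUID": "deadbeef-0000-4000-8000-000000000001", "mail": None},
]


def guid_to_immutable_id(object_guid: str) -> str:
    """Derive the sourceAnchor / ImmutableId from an objectGUID string.

    Entra stores the anchor as base64 of the GUID's 16 bytes in .NET
    Guid.ToByteArray() order, which Python exposes as UUID.bytes_le.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse mapping: turn a cloud object's ImmutableId back into the
    on-prem objectGUID so the two sides can be compared when a user
    shows InvalidHardMatch."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def presync_report(users):
    """Return (duplicate anchors, duplicate mail values) before a full sync.

    Hard match requires a unique anchor per object; mail is compared
    case-insensitively because Entra treats addresses that way.
    """
    by_anchor, by_mail = defaultdict(list), defaultdict(list)
    for user in users:
        by_anchor[guid_to_immutable_id(user["objectGUID"])].append(user["sAMAccountName"])
        if user.get("mail"):  # users with no mail attribute cannot collide on it
            by_mail[user["mail"].lower()].append(user["sAMAccountName"])
    dup_anchor = {k: v for k, v in by_anchor.items() if len(v) > 1}
    dup_mail = {k: v for k, v in by_mail.items() if len(v) > 1}
    return dup_anchor, dup_mail


if __name__ == "__main__":
    anchors, mails = presync_report(SAMPLE_USERS)
    print("duplicate anchors:", anchors)   # expected: {}
    print("duplicate mail:", mails)        # expected: {'shared@example.com': ['alice', 'bob']}
```

Running the report against a real export (for example the output of `Get-ADUser -Properties objectGUID,mail`) before a full synchronization shows which objects still need attention.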