Users are not syncing well from on-premises to Entra Connect (Azure) and can't apply soft matching

Abdulhamid Al-Bukhamseen 20 Reputation points
2024-04-02T12:04:04.7533333+00:00

I have Office 365 with its services, including Azure, and I have an on-premises Windows Server with AD using the same domain as our Office 365.

I want to sync users from on-premises to Azure, so when I make a new user on-premises with the same alias/email as the one in Azure (so the two sync as one user), after I create the user, it creates a new one with the same name but a different alias.

So I have an issue applying soft matching; I tried a lot of instructions but still have the issue.


Accepted answer
  1. Thameur-BOURBITA 32,586 Reputation points
    2024-04-02T13:15:56.56+00:00

    Hi @Abdulhamid Al-Bukhamseen

    If the soft match is not working, in this case you have to use hard match.

    If the ImmutableID is not null, you have to convert its value and set it on mS-DS-ConsistencyGuid on the AD on-premises user account.


    Please don't forget to accept the helpful answer, which helps users know the answer solved the author's problem.
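The hard match the accepted answer describes, as an added example (not code from the thread): decode the cloud ImmutableId (Base64 of the 16 GUID bytes) back to a GUID and write it into mS-DS-ConsistencyGuid on the on-premises account, refusing to overwrite a different existing anchor unless told to. It assumes the RSAT ActiveDirectory module, that Entra Connect uses mS-DS-ConsistencyGuid as the source anchor, and that `$ImmutableId` was read from the cloud user (for example from `Get-MsolUser`); `Set-HardMatchAnchor` and the sample values are this example's own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    # A valid ImmutableId produced by Entra Connect is exactly 16 GUID bytes.
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to 16 bytes" }
    return [guid]::new($bytes)
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    return [System.Convert]::ToBase64String($Guid.ToByteArray())
}

function Set-HardMatchAnchor {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ImmutableId,
        [switch]$Force
    )
    $guid = ConvertFrom-ImmutableId $ImmutableId
    $user = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $current = $user.'mS-DS-ConsistencyGuid'   # byte[] when set, $null otherwise
    if ($current) {
        $currentGuid = [guid]::new([byte[]]$current)
        if ($currentGuid -eq $guid) { Write-Host "Anchor already matches; nothing to do."; return }
        # A different anchor means this object is (or was) matched to another cloud user.
        if (-not $Force) { throw "mS-DS-ConsistencyGuid is $currentGuid but cloud ImmutableId decodes to $guid; rerun with -Force to overwrite" }
    }
    # Stamp the cloud value on the on-premises object so the next sync cycle hard-matches it.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'mS-DS-ConsistencyGuid' = $guid.ToByteArray() }
    Write-Host "Set mS-DS-ConsistencyGuid on $SamAccountName to $guid (ImmutableId $ImmutableId)"
}

# Round-trip check before touching AD: a GUID must encode to an ImmutableId that decodes back to it.
$sampleGuid = [guid]::NewGuid()                       # constructed sample, not a real user
$sampleId   = ConvertTo-ImmutableId $sampleGuid
if ((ConvertFrom-ImmutableId $sampleId) -ne $sampleGuid) { throw 'ImmutableId round-trip mismatch' }
Write-Host "Round-trip OK: $sampleGuid <-> $sampleId"

# Real run (hypothetical account and value):
# Set-HardMatchAnchor -SamAccountName 'jdoe' -ImmutableId '<ImmutableId from the cloud user>'
# then on the Entra Connect server: Start-ADSyncSyncCycle -PolicyType Delta
```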


2 additional answers

  1. Emad Adel 1 Reputation point
    2024-04-02T14:44:43.0933333+00:00

    Certainly! Let's address the issue with soft matching for user synchronization between your on-premises Active Directory (AD) and Azure AD.

    Soft Matching is a crucial process that ensures user objects are correctly aligned between the two environments. It occurs when an on-premises AD user object is matched to an Azure AD user object based on specific criteria. Here's how it works:

    1. UserPrincipalName (UPN) Matching:
      • Soft matching happens when the userPrincipalName (UPN) attributes match.
      • The UPN attribute for the on-premises user object should match the e-mail address denoted with SMTP: in the proxyAddresses attribute of the Azure AD user object.
    2. Immutable ID (ObjectID/ObjectGUID):
      • In both AD and Azure AD, every object has an immutable ID (a unique attribute that persists for the lifetime of the user object).
      • In Azure AD, the immutable ID attribute is ObjectId, while in AD, it's objectGUID.
      • These values represent object uniqueness and allow changes to the UPN or other attributes without affecting group memberships, roles, and other assignments.
    3. Azure AD Connect Configuration:
      • When configuring Azure AD Connect, you can choose the source anchor attribute:
        • Let Azure AD manage the source anchor: Azure AD Connect automatically selects mS-DS-ConsistencyGUID as the source anchor attribute for user objects.
        • Choose a specific attribute: You can manually select an attribute that meets certain criteria (e.g., globally unique, not exceeding 60 characters, etc.).
    4. Avoiding Destructive Changes:
      • Azure AD Connect synchronizes in a way that existing Azure AD users (cloud-mastered) remain in the directory.
      • New user objects from Active Directory are created in the cloud without overwriting existing ones.
    5. Troubleshooting:
      • If you're still facing issues, consider checking the following:
        • Ensure the UPN and proxyAddresses match.
        • Verify that the source anchor attribute is correctly configured.
        • Review any custom rules or transformations in Azure AD Connect.

    Remember that soft matching helps maintain integrity and consistency across both environments. If you encounter further difficulties, consider seeking additional support or consulting Microsoft documentation on Azure AD Connect¹².

    Feel free to provide more details or ask specific questions, and I'll assist further! 😊

    Source: Conversation with Bing, 4/2/2024

    (1) Explained: User Hard Matching and Soft Matching in Azure AD Connect .... https://dirteam.com/sander/2020/03/27/explained-user-hard-matching-and-soft-matching-in-azure-ad-connect/.

    (2) Hybrid Identity: Getting Users Aligned - Microsoft Community Hub. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/hybrid-identity-getting-users-aligned/ba-p/2274690.

    (3) How to Sync On-Prem AD With Existing Azure AD Users. https://activedirectorypro.com/sync-on-prem-ad-with-existing-azure-ad-users/.


  2. Sandeep G-MSFT 14,491 Reputation points Microsoft Employee
    2024-04-18T05:15:40.9266667+00:00

    @Abdulhamid Al-Bukhamseen

    Thank you for posting this in Microsoft Q&A.

    You can follow the steps below to resolve this issue.

    To fix this issue, you will have to match the on-premises object with the Azure AD object.

    If your Azure AD object has "Immutable ID" set in Azure, then you can follow the instructions below.

    Follow the steps below to fix the issue:

    • Open Windows PowerShell as administrator on any machine.
    • Run the command "Connect-MsolService" (enter global admin credentials).
    • Now run the command "Set-MsolDirSyncEnabled -EnableDirSync $false".
    • Now run the command "Set-MsolUser -UserPrincipalName <UPN of user in Azure AD> -ImmutableId "$null"".
    • Now, once you set the Immutable ID value to null, on the on-premises DC you will have to move the user accounts to a non-sync OU (OUs which are not syncing to Azure AD using AD Connect).
    • This will delete the user entry from AD Connect.
    • Once this is done, log in to the Azure AD portal and make sure you remove any roles which are assigned to the users in Azure AD. As per the document below, AD Connect will not link the on-premises account with the Azure AD account if there is any admin role assigned to the user account in Azure AD. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors#existing-admin-role-conflict
    • Now enable sync in the Azure AD tenant using the command "Set-MsolDirSyncEnabled -EnableDirSync $true".
    • Now move the user account to the sync-scope OU on the on-premises DC.
    • Initiate a delta sync on the AD Connect server by running the command: Start-ADSyncSyncCycle -PolicyType Delta

    Let us know if you are still seeing this issue so that we can work on this issue offline.

    Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

    Link to this thread/post

    We can connect offline and discuss further on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
