why local domain AD user does not sync with the Azure AD user with same UPN

Francisco Fernandes 0 Reputation points
2024-04-07T22:43:19.2866667+00:00

We have recently synchronized the local AD users and groups to the Azure AD tenant. Most of the users are synced, but one user in the local AD sync scope does not sync with the existing Azure AD user with the same UPN, which was already there; instead the sync creates another user in Azure AD with the default domain rather than the custom domain whose UPN suffix is the same as the local AD domain.

I tried removing the user from the local AD sync scope; the additional user that had been created in Azure AD with the default domain then goes to the deleted users folder in Azure AD. I then removed it permanently and moved the local AD user back into the sync scope, but a new user is still created in Azure AD. Azure AD Connect is v2.0. How can I ensure that the local AD user syncs to the existing user with the custom domain, with the same UPN suffix as the UPN suffix of the local AD user?


2 answers

Sort by: Most helpful
  1. Silvia Wibowo 3,011 Reputation points Microsoft Employee
    2024-04-08T05:53:49.7233333+00:00

    Hi @Francisco Fernandes, I understand that you're having an issue with AD Connect creating a new user in Azure AD when it should pick up an existing user via "soft-match".

    Soft-match requires any of these to be the same between on-prem AD and Azure AD:

    1. UPN (userPrincipalName)
    2. Primary email address (proxyAddresses attribute, the value with SMTP:)

    The match is only evaluated for new objects coming from Connect. If you change an existing object so it matches any of these attributes, then you see an error instead.

    If Microsoft Entra ID finds an object where the attribute values are the same as the new incoming object from Microsoft Entra Connect, then it takes over the object in Microsoft Entra ID and the previously cloud-managed object is converted to on-premises managed. All attributes in Microsoft Entra ID with a value in on-premises AD are overwritten with the respective on-premises value.

    Warning: Since all attributes in Microsoft Entra ID are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Microsoft 365 and not kept it updated in on-premises AD DS, then you lose any values in Microsoft Entra ID / Microsoft 365 not present in AD DS.

    Please check that you have both UPN and Primary email address match between on-prem AD user and Azure AD user.

    Reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

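The answer above lists the two attributes a soft match is evaluated on (UPN and the primary `SMTP:` proxy address) and notes that a cloud user that is already on-premises managed will not be taken over. The PowerShell below is an added example, not code from the thread or from Microsoft; it reads the user from both directories and reports which of those preconditions fail. It assumes the RSAT `ActiveDirectory` module and the `Microsoft.Graph.Users` and `Microsoft.Graph.Identity.DirectoryManagement` modules are installed, that the running account can read users and domains in both directories, and that the sAMAccountName passed in is a placeholder you replace with the affected user.

```powershell
# Added example (not part of the original thread). Assumptions: RSAT ActiveDirectory and
# Microsoft.Graph modules are installed; the caller can read users in AD DS and Entra ID.
param(
    [Parameter(Mandatory)] [string] $SamAccountName   # placeholder, e.g. 'jdoe'
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All' -NoWelcome

# 1. On-prem side: UPN and the primary SMTP address (the upper-case 'SMTP:' entry).
$ad = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, proxyAddresses, mail
$adUpn  = $ad.userPrincipalName
$adSmtp = @($ad.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0] -replace '^SMTP:', ''

# 2. The UPN suffix must be a verified domain in the tenant. If it is not, Connect
#    substitutes the default *.onmicrosoft.com suffix and a UPN soft match cannot happen.
$suffix   = $adUpn.Split('@')[1]
$verified = Get-MgDomain -All | Where-Object { $_.IsVerified -and $_.Id -ieq $suffix }

# 3. Cloud side: look for the user that should be matched, first by UPN, then by SMTP address.
$props = 'userPrincipalName', 'proxyAddresses', 'onPremisesSyncEnabled', 'onPremisesImmutableId'
$cloud = Get-MgUser -Filter "userPrincipalName eq '$adUpn'" -Property $props -ErrorAction SilentlyContinue
if (-not $cloud -and $adSmtp) {
    $cloud = Get-MgUser -Filter "proxyAddresses/any(p:p eq 'SMTP:$adSmtp')" -Property $props -ErrorAction SilentlyContinue
}
if (-not $cloud) {
    Write-Warning "No cloud user found with UPN '$adUpn' or primary SMTP '$adSmtp'; Connect will create a new object."
    return
}
$cloudSmtp = @($cloud.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0] -replace '^SMTP:', ''

# 4. Report each precondition for a soft match as a pass/fail row.
$checks = @(
    [pscustomobject]@{ Check = 'UPN suffix is a verified tenant domain'; Pass = [bool]$verified;
                       Detail = $suffix }
    [pscustomobject]@{ Check = 'UPN identical on both sides';            Pass = ($adUpn -ieq $cloud.UserPrincipalName);
                       Detail = "$adUpn <-> $($cloud.UserPrincipalName)" }
    [pscustomobject]@{ Check = 'Primary SMTP identical on both sides';   Pass = ($adSmtp -and ($adSmtp -ieq $cloudSmtp));
                       Detail = "$adSmtp <-> $cloudSmtp" }
    # A cloud user that already carries an immutable ID is on-premises managed and is
    # not a soft-match candidate; it would need a hard-match (ImmutableId) fix instead.
    [pscustomobject]@{ Check = 'Cloud user is still cloud-managed (no ImmutableId)';
                       Pass = (-not $cloud.OnPremisesSyncEnabled -and [string]::IsNullOrEmpty($cloud.OnPremisesImmutableId));
                       Detail = "OnPremisesImmutableId='$($cloud.OnPremisesImmutableId)'" }
)
$checks | Format-Table -AutoSize
```

Run it as `.\Test-SoftMatch.ps1 -SamAccountName jdoe` before moving the user back into the sync scope. Any row showing `False` explains why Connect keeps creating a new object instead of taking over the existing one; the verified-domain row in particular is the usual cause when the new object ends up with the default `onmicrosoft.com` suffix, as described in the question.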

  2. Jing Zhou 2,240 Reputation points Microsoft Vendor
    2024-04-10T05:29:10.8166667+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    To further resolve this issue, you can try using the Azure AD Connect tool to sync the AD user and see if the issue still persists.

    If it still fails, please check the AAD Connect log and see if there are any insights.

    Hope this answer can help you well.

    Best regards,

    Jill Zhou
