Issue with synching AD users to Entra.

Matthew Miller 25 Reputation points
2024-05-09T12:10:31.7866667+00:00

Hello - I have created two users in Microsoft 365 whose UPN and SMTP addresses match those of two user objects (UPN and ProxyAddress attributes) in my on-premises AD. The M365 users have the appropriate Entra licenses applied and appear in Azure AD with the correct attributes. I have installed Microsoft Entra Connect on the Domain Controller and enabled soft match on UPN. However, when the sync ran it created two new users in M365 with a different UPN instead of merging the on-prem and Azure objects together. In Azure AD Connect Health I can see the sync errors are occurring on the UPN attribute. I am not sure where to turn here, as the conflict Azure AD Health is pointing to is the value upon which the objects should be linked. Has anyone else run into this problem before, and/or can someone provide insight into what is going on?

-Thanks


4 answers

Sort by: Most helpful
  1. Marcin Policht 28,395 Reputation points MVP
    2024-05-09T12:50:58.4066667+00:00

    Confirm that the UPNs of the corresponding accounts are the same. For more troubleshooting techniques, refer to https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors#invalidsoftmatch


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. akinbade abiola 20,545 Reputation points
    2024-05-09T14:23:20.61+00:00

    Hello,

    Thanks for your question

    Based on your question you seem to have a conflict on UPN/SMTP, hence the duplicate users.

    When Microsoft Entra ID can't find any object with an ImmutableId that matches the SourceAnchor value, it tries to use the incoming object's userPrincipalName or primary ProxyAddress to find a match, in what is known as a "soft match." The soft match tries to match objects already present and managed in Microsoft Entra ID with the new incoming objects being added or updated that represent the same entity on-premises. If Microsoft Entra ID isn't able to find a hard match or soft match for the incoming object, it provisions a new object in the Microsoft Entra ID directory.

    I would recommend the following:

    Please let me know if this helps solve the issue, otherwise you can also please provide details of the Connect health conflict and affected user specific errors so we can look further.


  3. akinbade abiola 20,545 Reputation points
    2024-05-09T14:56:47.37+00:00

    Hello Matthew Miller

    thanks for your response.

    If the user has an on-premises admin role, it won't sync. To fix this, please follow the steps in the screenshot below. NB: this is taken from here:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant


    Please let me know if you have further questions

    You can mark it 'Accept Answer' if this helped.


  4. Sandeep G-MSFT 20,241 Reputation points Microsoft Employee
    2024-05-14T05:55:47.4733333+00:00

    @Matthew Miller

    Thank you for posting this in Microsoft Q&A.

    As per your description above, I see that you are unable to do a soft match for 2 accounts from on-premises to Azure.

    I also understand that both these accounts in Azure AD have admin roles assigned.

    By default, Microsoft Entra Connect isn't allowed to soft match a user object from on-premises AD with a user object in Microsoft Entra ID that has an administrative role assigned to it. THIS IS BY DESIGN BEHAVIOUR.

    You can also refer to the article below:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors#description-7

    To resolve the issue that you are facing, remove the admin roles for both users in the Azure portal. Then delete the newly created accounts in Azure AD manually, and trigger a delta sync on the Entra Connect server.

    The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user now no longer has an admin role.

    Do let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
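As an added example (not from any of the answers above), the following PowerShell pre-flight check covers the matching logic described in answer 2 and the admin-role block described in answer 4: for each on-premises user it computes the expected sourceAnchor/ImmutableId, looks up cloud users with the same UPN or primary SMTP address, and reports whether any of them hold a directory role that would stop the soft match. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, that the caller can read users and role memberships, and uses placeholder UPNs.

```powershell
# Added pre-flight check before re-running a soft match (not code from the thread).
# Assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed and
# that the signed-in account can read users and role memberships.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All" -NoWelcome

# Placeholder UPNs of the two on-premises accounts that should soft-match
$upns = @("user1@contoso.example", "user2@contoso.example")

foreach ($upn in $upns) {
    $ad = Get-ADUser -Filter "userPrincipalName -eq '$upn'" `
                     -Properties proxyAddresses, objectGUID, 'mS-DS-ConsistencyGuid'
    if (-not $ad) { Write-Warning "No on-prem user with UPN $upn"; continue }

    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix
    $primarySmtp = ($ad.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''

    # Entra Connect's default sourceAnchor is mS-DS-ConsistencyGuid when populated,
    # otherwise objectGUID, base64-encoded. A hard match requires this value to equal
    # the cloud user's OnPremisesImmutableId; only if there is no hard match does
    # the UPN / primary SMTP soft match come into play.
    $anchor = if ($ad.'mS-DS-ConsistencyGuid') { $ad.'mS-DS-ConsistencyGuid' } else { $ad.objectGUID.ToByteArray() }
    $expectedId = [Convert]::ToBase64String($anchor)

    # Cloud candidates: same UPN, or same primary SMTP address in proxyAddresses
    $props = 'Id', 'UserPrincipalName', 'OnPremisesImmutableId'
    $cloud  = @(Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property $props)
    $cloud += @(Get-MgUser -Filter "proxyAddresses/any(p:p eq 'SMTP:$primarySmtp')" -Property $props)
    $cloud  = $cloud | Sort-Object Id -Unique

    foreach ($u in $cloud) {
        # Active directory-role memberships on the cloud object; any hit means Entra
        # Connect will refuse to soft-match this object by design (answer 4)
        $roles = Get-MgUserMemberOf -UserId $u.Id -All |
                 Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                 ForEach-Object { $_.AdditionalProperties['displayName'] }
        [pscustomobject]@{
            OnPremUPN          = $upn
            CloudUPN           = $u.UserPrincipalName
            AlreadyLinked      = [bool]$u.OnPremisesImmutableId
            ImmutableIdMatches = ($u.OnPremisesImmutableId -eq $expectedId)
            BlockingAdminRoles = ($roles -join ', ')
        }
    }
}
# After removing the roles and deleting the duplicate cloud users, run on the
# Entra Connect server:  Start-ADSyncSyncCycle -PolicyType Delta
```

A row with a non-empty BlockingAdminRoles column is the case this thread describes; a row that shows AlreadyLinked as true but ImmutableIdMatches as false points at a sourceAnchor mismatch instead, which a soft match will not repair.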

