Share via

soft match not working

Chuck Frost 41 Reputation points
2024-10-03T23:34:24.2133333+00:00

I have an on prem user with the same userPrincipalName, proxyAddress as a cloud user.

Error: Unable to update this object because the ProxyAddresses value SMTP:FFlintstone@SlateRockandGravel.com associated with this object may already be associated with another object in your local directory services. To resolve this conflict, first determine which object should be using the conflicting value. Then, update or remove the conflicting value from the other object(s).

I think the problem is Azure sync is trying to add a new user with the duplicate proxy address instead of connecting to the user already on the cloud. Is it possible soft match is disabled and if so, how can it be enabled?IDFix displays this warning and as the proxyaddresses "are not marked for replication" no errors are displayed

User's image

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,187 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sandeep G-MSFT 19,761 Reputation points Microsoft Employee
    2024-10-07T08:58:28.7866667+00:00

    @Chuck Frost

    Thank you for posting this in Microsoft Q&A.

    As I understand softmatch is not working for you even though you have UPN and ProxyAddress as same value for both on-premises and Entra ID user.

    You can check below information and confirm if all holds good,

    Usually, this feature is on by default for newly created Microsoft Entra directories.

    • You can see if this feature is enabled for you by running:
    • Open PowerShell as administrator on sync server and run below command.
    • Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All"

    $DirectorySync = Get-MgDirectoryOnPremiseSynchronization

    • $DirectorySync.Features.SynchronizeUpnForManagedUsersEnabled

    If this feature isn't enabled for your Microsoft Entra directory, then you can enable it by running below commands:

    • Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"

    $SyncUpnManagedUsers = @{ SynchronizeUpnForManagedUsersEnabled = "true" }

    Update-MgDirectoryOnPremiseSynchronization -Features $SyncUpnManagedUsers -OnPremisesDirectorySynchronizationId $DirectorySync.Id

    Soft match will only work for user account which is managed (not federated) and the user account should not be licensed.

    Apart from this you can pull the user properties of Entra ID user using PowerShell and make sure that the immutable ID of the user is with empty value.

    • Open PowerShell as administrator (Enter Global admin credentials)
    • Run command Install-Module Microsoft.Graph -Force
    • Connect-MgGraph -Scopes "User.Read.All"
    • Get-MgUser -UserId "cloud object ID"
    • In the output confirm if the value of property "OnPremisesImmutableId" is blank.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.