Synchronizing On-Prem AD with Microsoft Entra ID and Handling Duplicate Users

Vic Brown 20 Reputation points
2025-04-29T14:53:57.9866667+00:00

There is an On-Premise Active Directory with users A, B, and C, alongside Microsoft Entra containing users A, B, C, D, E, and F. The environments are unsynchronized, but there is a goal to use Microsoft Entra Cloud Sync for synchronization.

Concerns have been raised regarding the synchronization process, particularly if duplicate objects are identified. According to the documentation, if duplicate attribute values are found, the On-Prem AD object's attributes will override those in Entra ID.

If Microsoft Entra ID finds an object where the attribute values are the same as the new incoming object from Microsoft Entra Connect, then it takes over the object in Microsoft Entra ID and the previously cloud-managed object is converted to on-premises managed. All attributes in Microsoft Entra ID with a value in on-premises AD are overwritten with the respective on-premises value.

The main inquiry is about the impact on users A, B, and C, especially regarding existing licenses assigned for services like Exchange Online, OneDrive, and M365. Will these users still have access to their emails and files after the synchronization?

Additionally, there is a concern about ensuring that local AD users can still use their workstations and that all users retain access to their emails and files if the sync process does not complete successfully.

Any insights or clarifications would be appreciated.


Accepted answer
Vasil Michev 118.3K Reputation points MVP Moderator
2025-04-29T15:21:19.5933333+00:00

Yes, the "matched" users will continue to have access to all Microsoft 365 services. The process can potentially overwrite attributes that are relevant to some services (i.e. the set of email addresses assigned to the user), but does not directly affect any content the user has access to, be it in his mailbox, OneDrive, SharePoint Online and so on.

Still, it is always a good idea to review and compare the attribute values between your AD and Entra ID users in order to avoid surprises. For example, if the user's UPN changes, this will affect how they log in to M365 services, so you definitely want to inform the user.

As for your local AD users, there should be no issues. The synchronization process is one-way only, from AD to Entra ID. There are only a handful of properties that can be written back, and those require additional configuration (optional features) to be enabled.

1 person found this answer helpful.
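The attribute review recommended above can be done before enabling Cloud Sync. The following script is an added example, not code from the question, the answer or Microsoft: it pairs on-prem AD users with Entra ID users on UPN, falling back to the mail address, and flags the pairs whose UPN or SMTP address set would change when the on-prem values win. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed and that Connect-MgGraph has already been run with the User.Read.All scope.

```powershell
# Added example: pre-sync comparison of AD and Entra ID users on the attributes
# that matching relies on. Assumes Connect-MgGraph -Scopes User.Read.All was run.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses |
    Select-Object SamAccountName, UserPrincipalName, mail, proxyAddresses

$cloudUsers = Get-MgUser -All -Property Id, UserPrincipalName, Mail, ProxyAddresses, OnPremisesSyncEnabled

# Index cloud users by UPN and by every SMTP proxy address (case-insensitive)
$byUpn  = @{}
$bySmtp = @{}
foreach ($u in $cloudUsers) {
    $byUpn[$u.UserPrincipalName.ToLower()] = $u
    foreach ($addr in @($u.ProxyAddresses)) {
        if ($addr -like 'smtp:*') { $bySmtp[$addr.Substring(5).ToLower()] = $u }
    }
}

# Normalise an address list so two sets can be compared as one string
function Get-SmtpKey ($addresses) {
    (@($addresses | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.ToLower() }) | Sort-Object) -join ';'
}

$report = foreach ($ad in $adUsers) {
    $match = $byUpn[$ad.UserPrincipalName.ToLower()]
    $matchedOn = 'UPN'
    if (-not $match -and $ad.mail) { $match = $bySmtp[$ad.mail.ToLower()]; $matchedOn = 'SMTP' }
    if (-not $match) { $matchedOn = 'none (a new cloud object will be created)' }

    [pscustomobject]@{
        SamAccountName = $ad.SamAccountName
        MatchedOn      = $matchedOn
        AlreadySynced  = [bool]$match.OnPremisesSyncEnabled
        AdUpn          = $ad.UserPrincipalName
        CloudUpn       = $match.UserPrincipalName
        # On-prem values overwrite cloud values, so a mismatch here means a change users will notice
        UpnWillChange  = $match -and ($ad.UserPrincipalName -ne $match.UserPrincipalName)
        SmtpWillChange = $match -and ((Get-SmtpKey $ad.proxyAddresses) -ne (Get-SmtpKey $match.ProxyAddresses))
    }
}

$report | Sort-Object MatchedOn | Format-Table -AutoSize

# Cloud-only accounts (like D, E and F in the question) are not matched and stay cloud-managed
$adUpns = @($adUsers.UserPrincipalName | ForEach-Object { $_.ToLower() })
$cloudUsers | Where-Object { $adUpns -notcontains $_.UserPrincipalName.ToLower() } |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled | Format-Table -AutoSize
```

Rows with UpnWillChange or SmtpWillChange set are the users to notify (or to fix in AD) before the first sync cycle runs.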

0 additional answers
