This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 11%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERN%3C/text%3E%3C/svg%3E)
Hi all, we have migrated to a new onprem AD forest recently, but kept the same O365 tenant.
Soft matching of user accounts between new AD and O365 went just fine.
But we are facing some issues when matching cloud distribution lists and email enabled security groups with onprem objects.
Insted of matching the groups, O365 just creates a new group with company.onmicrosoft.com smtp address. Any ideas ?
Azure AD Connect Health shows an error saying that there are duplicate attributes - SMTP proxyaddress.. but SMTP has to be the same on onprem and Cloud object in order for soft matching to work...
I have done this kind of group soft matching a few times before and it worked fine, but not in this case...
R-
Hi, we are investigating your issue and will update you shortly!
Best,
James
Hello James, thanks for your reply. let me know if you need more details regarding the issue. Regards Ruslan
@James Hamil any updates on this?
R.
@Abhijeet-MSFT thank you for trying to help. I got this finally resolved by using hard-match instead.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi @Ruslan Nalivaika , this can happen if the group objects were updated with matching SMTP address after AD Connect had already evaluated them/ a sync was already run. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#sync-with-existing-users-in-azure-ad
Another possible cause could be if default sync rules have been modified. Customer can also try to use the preview feature and look at the complete flow without creating a new object. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing
@Abhijeet-MSFT no, just creating a new group, setting a matching SMTP address and then activating for sync to Azure AD still results in soft maching not happening.
Sync rules have not been modifying, running with default rules.
ok. Can you try with preview of one such group. This will tell you why the match did not happen.
@Abhijeet-MSFT What do you mean?
@Ruslan Nalivaika , there is a feature in ad connect that allows you to create the object journey to Azure AD without actually syncing the object to Azure AD. I would request you to use that and understand the object journey. It will tell you if it merged with an object, if not, why it did not and what sync rule was responsible for this. You can refer https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-object-not-syncing for more details.
@Abhijeet-MSFT Ok, so I create a new group in onprem AD. I will not synchronize it to AzureAD just yet, that is MetaverseAttribute - cloudFiltered has initial value True.
I open Connectors, select onprem ADDS and run Search Connector Space. I find this new group and click Preview... no error messages here.
Anything else I need to check before activating the group for sync to AzureAD (setting Metaverse Attribute - cloudFiltered to false) ?
@Abhijeet-MSFT
so I tried syncing and smtp maching this new AD group to existing Azure AD group.
Seeing the same error message about duplicate smtp addresses still, but nothing else useful. Do you have any tips?
Hi @Ruslan Nalivaika , I apologize but I would suggest you to create a support ticket as this will require extensive troubleshooting.