@Chris Csanyi At the initial provisioning, we match userPrincipalName (AAD) to Username (Salesforce). We then establish a link based on the ID value – specifically, it’s linking the primary key from the source directory of AAD (aka the sourceAnchor) with the primary key from the target directory of Salesforce (aka the targetAnchor). Once that link is established, it will persist across any attribute changes except to the primary keys themselves.
Now, to break this link, we need to use the Graph call below to clear state and restart provisioning. Clicking "Clear state and restart" from the Azure AD portal doesn't pass the resetScope value as Full and doesn't break this link.
Go to https://developer.microsoft.com/en-us/graph/graph-explorer/preview and sign in with a Global Admin account by clicking the "Sign in to Graph Explorer" button on the left.
POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
Body:
{
    "criteria": {
        "resetScope": "Full"
    }
}
Note: In the above call, {id} needs to be replaced with the Object ID of the Salesforce Enterprise App and {jobId} with the synchronization job id that you will find under the Provisioning blade, as highlighted below:
This will start an initial sync cycle, and if a UPN (AAD) to Username (SF) match is not already there, it will create a new user in Salesforce.
-----------------------------------------------------------------------------------------------------------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
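Added example (not part of the answer above or of any Microsoft tooling): a small Python script that issues the same restart call shown above against the Graph beta endpoint, with resetScope set to Full. The bearer token, the service principal Object ID and the job id are supplied by the caller; the GUID check on the Object ID and the `_FakeResponse`-style transport hook used for offline testing are this example's own assumptions, not Graph behaviour. A 204 status is treated as success, as the restart call returns no body.

```python
"""Restart an Azure AD provisioning job with resetScope=Full via Microsoft Graph (beta).

Added example, not from the original answer. The access token must belong to an
account that can manage the enterprise app (the answer uses a Global Admin).
"""
import json
import os
import re
import urllib.error
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Object IDs of service principals are GUIDs; the job id is an opaque string
# taken from the Provisioning blade (assumption: it is a single path segment).
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def build_restart_request(service_principal_id: str, job_id: str, reset_scope: str = "Full"):
    """Return (url, body) for POST .../servicePrincipals/{id}/synchronization/jobs/{jobId}/restart.

    The body matches the one in the answer: {"criteria": {"resetScope": "Full"}}.
    """
    if not _GUID_RE.match(service_principal_id):
        raise ValueError("service_principal_id must be the GUID Object ID of the enterprise app")
    if not job_id or any(ch in job_id for ch in "/?#"):
        raise ValueError("job_id must be a non-empty single path segment")
    if not reset_scope:
        raise ValueError("reset_scope must be set (the answer uses 'Full')")
    url = f"{GRAPH_BETA}/servicePrincipals/{service_principal_id}/synchronization/jobs/{job_id}/restart"
    body = {"criteria": {"resetScope": reset_scope}}
    return url, body


def restart_job(service_principal_id: str, job_id: str, access_token: str,
                opener=urllib.request.urlopen) -> int:
    """Send the restart call and return the HTTP status code (204 means accepted).

    `opener` is injectable so the request can be inspected offline; the default
    performs a real HTTPS call to Graph.
    """
    url, body = build_restart_request(service_principal_id, job_id)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403: token lacks rights; 404: wrong Object ID or job id.
        return err.code


if __name__ == "__main__":
    # Real run: export GRAPH_TOKEN, SP_OBJECT_ID and SYNC_JOB_ID first.
    status = restart_job(
        os.environ["SP_OBJECT_ID"],
        os.environ["SYNC_JOB_ID"],
        os.environ["GRAPH_TOKEN"],
    )
    print("restart accepted" if status == 204 else f"restart failed with HTTP {status}")
```

The portal's "Clear state and restart" button does not send resetScope as Full, so a script like this (or Graph Explorer, as in the answer) is what actually breaks the sourceAnchor/targetAnchor link before the new initial cycle.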