I have created a user in AD and created same user in Azure AD and set the immutable ID from MS-DS-Consistency-Guid. But the user status in M365 portal still shows 'In-cloud' even after running delta sync. Am I doing something wrong?

Ammu Shiri K 21 Reputation points
2021-06-13T16:42:44.857+00:00

I created a new user in on-premise AD and then set the objectGUID value in the MS-DS-Consistency-Guid attribute. After that I created a user in Microsoft 365 by running the 'New-MsolUser' PowerShell command along with the Immutable ID (after converting the GUID value using Convert.ToBase64String(guid.ToByteArray())). The user is successfully created in the Microsoft 365 portal, but the sync status shows as 'In-cloud'. I have run delta sync multiple times, but the status is still not 'Synced from on-premise'. Am I doing something wrong?

Would creating the user with 'New-AzureADUser' help?
Would a full sync help?
Could this be because the Immutable ID attribute is different from 'MS-DS-Consistency-Guid'?

It would be useful if you could list possible reasons and troubleshooting for me to check.


Accepted answer
    Siva-kumar-selvaraj 15,721 Reputation points
    2021-06-16T13:48:07.297+00:00

    Hello @Ammu Shiri K ,

    Thanks for reaching out.

    Are you getting any export errors from the Azure AD Connect server? Ideally, when the ImmutableID of the cloud account and the on-premises object's objectGUID match, it should merge them without any issue.

    You could use the PowerShell commands below to verify that a valid format is being used to convert. Also make sure you have the right version of Azure AD Connect (version 1.1.524.0 and later), which facilitates the use of ms-DS-ConsistencyGuid as the sourceAnchor/ImmutableID attribute.

    ObjectGUID to Base64ImmutableID:
    [Convert]::ToBase64String([guid]::New("bb4f2862-67a6-46df-beba-4e2e8cb7a7c5").ToByteArray())

    Base64ImmutableID to ObjectGUID:
    [guid]::New([Convert]::FromBase64String("<Base64ImmutableID>"))

    Use the following cmdlet to get the objectGUID of the user from local AD: Get-ADUser <username>

    There are three different attributes used for matching: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName and proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match.

    I would recommend you use the soft-match method using UserPrincipalName, which is the easier way of doing it. All you need to make sure is that the UPN of the user object in Azure AD and on-premises match exactly; this way you don't have to set the Immutable ID manually for the cloud account.

    Steps:

    • For the cloud user, set a null value for the immutableId attribute by running the command below, and move the user object out of the sync scope (out of the synced OU (Organizational Unit)) on-premises, then wait for the next delta sync to complete or run the sync manually: Set-MsolUser -UserPrincipalName <upn> -ImmutableId ""
    • Once the delta sync has completed, move the user object back into the sync scope and run delta sync again.
    • Log in to the O365 portal; you should now see the object status as "Synced from on-premise".

    Note: Azure AD Connect will not match on-premises user objects with Azure AD objects that have an admin role. For a workaround, refer to this article.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
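Added example (not from the answer above or from Microsoft's tooling): the same objectGUID-to-ImmutableID conversion in Python, using the byte order that .NET's Guid.ToByteArray() produces, next to the big-endian mistake that yields an ImmutableID Azure AD Connect will never hard-match. The GUID is the one quoted in the answer; the function names are my own.

```python
import base64
import uuid

# Constructed sample: the objectGUID quoted in the accepted answer.
SAMPLE_OBJECT_GUID = "bb4f2862-67a6-46df-beba-4e2e8cb7a7c5"


def guid_to_immutable_id(object_guid: str) -> str:
    """Equivalent of [Convert]::ToBase64String([guid]::New($g).ToByteArray()).

    .NET's Guid.ToByteArray() emits the first three fields little-endian,
    which is exactly what uuid.UUID(...).bytes_le gives in Python.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse conversion: Base64 ImmutableID back to the objectGUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def naive_immutable_id(object_guid: str) -> str:
    """The common mistake: Base64 over the RFC 4122 (big-endian) byte order.

    The result looks like a valid ImmutableID but differs from the sourceAnchor
    Azure AD Connect derives, so the account stays 'In-cloud'.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes).decode("ascii")


def hard_match_expected(cloud_immutable_id: str, onprem_object_guid: str) -> bool:
    """True when the cloud ImmutableID equals the sourceAnchor that
    Azure AD Connect would compute from the on-premises objectGUID."""
    return cloud_immutable_id == guid_to_immutable_id(onprem_object_guid)


if __name__ == "__main__":
    good = guid_to_immutable_id(SAMPLE_OBJECT_GUID)
    bad = naive_immutable_id(SAMPLE_OBJECT_GUID)
    print("correct ImmutableID :", good)
    print("wrong byte order    :", bad)
    print("round trip          :", immutable_id_to_guid(good))
    print("would hard-match    :", hard_match_expected(good, SAMPLE_OBJECT_GUID))
    print("would hard-match    :", hard_match_expected(bad, SAMPLE_OBJECT_GUID))
```

Compare the value the cloud account carries (Get-MsolUser shows ImmutableId) against guid_to_immutable_id() of the on-premises objectGUID; a mismatch there explains a status that never leaves 'In-cloud'.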
