Set-MsolDirSyncFeature

Sets identity synchronization features for a tenant.

Syntax

Set-MsolDirSyncFeature
   -Feature <String>
   -Enable <Boolean>
   [-Force]
   [-TenantId <Guid>]
   [<CommonParameters>]

Description

The Set-MsolDirSyncFeature cmdlet sets identity synchronization features for a tenant.

You can use the following synchronization features with this cmdlet:

  • EnableSoftMatchOnUpn: Soft match is the process used to link an object being synced from on-premises for the first time with one that already exists in the cloud. When this feature is enabled, soft match will first be attempted using the standard logic, based on the primary SMTP address. If a match isn't found based on primary SMTP, then a match will be attempted based on UserPrincipalName. Once this feature is enabled, it can't be disabled.

  • PasswordSync

  • SynchronizeUpnForManagedUsers: Allows for the synchronization of UserPrincipalName updates from on-premises for managed (non-federated) users that have been assigned a license. These updates will be blocked if this feature isn't enabled. Once this feature is enabled, it can't be disabled.

  • BlockSoftMatch: When this feature is enabled, it will block the soft match feature. Customers are encouraged to enable this feature and keep it enabled until soft matching is required again for their tenancy. This flag should be enabled again after any soft matching has completed and is no longer needed.

  • BlockCloudObjectTakeoverThroughHardMatch: When this feature is not enabled, and

    • an object is synced for which an object with a matching source anchor already exists in Azure AD and,
    • that object in Azure AD doesn't have DirSyncEnabled set to "true", then

    the default behavior would be to hard match the cloud object with the on-premises object and set the DirSyncEnabled flag of the cloud object to "true".

    When enabling this feature, the cloud object is no longer matched and the DirSyncEnabled flag isn't set to "true". Instead, an error is thrown: Error Code: InvalidHardMatch, Error Message: Another cloud created object with the same source anchor already exists in Azure Active Directory.

Enabling some of these features, such as EnableSoftMatchOnUpn and SynchronizeUpnForManagedUsers, is a permanent operation. You can't disable these features once they're enabled.

Examples

Example 1: Enable a feature for the tenant

PS C:\> Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $True

This command enables the EnableSoftMatchOnUpn feature for the tenant.

Example 2: Block Soft Matching for the tenant

PS C:\> Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $True

This command enables the BlockSoftMatch feature for the tenant, effectively blocking soft matching in the tenant.

Example 3: Block Cloud object takeover through Hard Matching for the tenant

PS C:\> Set-MsolDirSyncFeature -Feature BlockCloudObjectTakeoverThroughHardMatch -Enable $True

This command enables the BlockCloudObjectTakeoverThroughHardMatch feature for the tenant, effectively blocking cloud object takeover through hard matching.
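A defender's audit script that builds on the examples above, added here and not part of the MSOnline documentation: it reads the current feature state with Get-MsolDirSyncFeatures, enables the two reversible Block* features only when -Apply is given, and reports but never changes the two permanent features. It assumes the MSOnline module is installed and that Get-MsolDirSyncFeatures returns objects with DirSyncFeature and Enabled properties.

```powershell
# Added example (not from the MSOnline documentation): audit tenant DirSync
# features and enable the reversible hardening features when they are off.
# Assumes Get-MsolDirSyncFeatures exposes DirSyncFeature/Enabled properties.
param(
    [switch]$Apply,      # without -Apply the script only reports
    [Guid]$TenantId      # optional; only meaningful for partner users
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService

$tenantArgs = @{}
if ($TenantId) { $tenantArgs['TenantId'] = $TenantId }

# Features that can be turned back off later, so safe to enable automatically.
$hardening = @('BlockSoftMatch', 'BlockCloudObjectTakeoverThroughHardMatch')
# Features that cannot be disabled once enabled; never set these automatically.
$permanent = @('EnableSoftMatchOnUpn', 'SynchronizeUpnForManagedUsers')

$state = Get-MsolDirSyncFeatures @tenantArgs
foreach ($f in $state) {
    "{0,-45} Enabled={1}" -f $f.DirSyncFeature, $f.Enabled
}

foreach ($name in $hardening) {
    $current = $state | Where-Object { $_.DirSyncFeature -eq $name }
    if ($null -eq $current) { Write-Warning "Feature '$name' not reported by tenant"; continue }
    if ($current.Enabled)   { "$name already enabled"; continue }
    if ($Apply) {
        # -Force suppresses the confirmation prompt; the script already checked state.
        Set-MsolDirSyncFeature -Feature $name -Enable $true -Force @tenantArgs
        "$name enabled"
    } else {
        "$name is OFF; re-run with -Apply to enable it"
    }
}

foreach ($name in $permanent) {
    $current = $state | Where-Object { $_.DirSyncFeature -eq $name }
    if ($current -and -not $current.Enabled) {
        "$name is OFF (permanent once enabled; set it deliberately, not from this script)"
    }
}
```

Remember that BlockSoftMatch must be turned off again before any planned soft-match onboarding and re-enabled afterwards, as the description above states.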

Parameters

-Enable

Indicates whether the specified feature will be turned on for the company.

Type: Boolean
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-Feature

Specifies the directory synchronization features to turn on or off.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-Force

Forces the command to run without asking for user confirmation.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-TenantId

Specifies the unique ID of the tenant to perform the operation on. If you do not specify this parameter, the cmdlet uses the tenant ID of the current user. This parameter is only applicable to partner users.

Type: Guid
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False