AAD Connect (DirSync) Hard-Matching

September 14, 2017 | by iaur | posted as Active Directory, Azure AD


  • You have an MSOL user to match with its Active Directory (AD) object
  • Alias changes made in your AD do not appear in the Admin Center
  • You have followed the DirSync soft-matching procedure but it is not working


Firstly, AAD Connect (DirSync) Hard-Matching is the set of steps for deriving the immutableID from the AD object's ObjectGUID (objectID) and manually setting it on the MSOL user.

For instance, we will use a made-up object below to apply the AAD Connect (DirSync) Hard-Matching steps.

In addition, determine whether your sourceAnchor is set up to use the ObjectGUID (objectID).

The sourceAnchor attribute is defined as an attribute immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId and the two names are used interchangeably.

  • Remove / move the AD user out of the synced OU
  • Go to the Admin Portal > Restore the deleted user so that it shows under Active users as an In-Cloud user
  • Run the cmdlets below in a regular PowerShell session on your AD server
# Import the AD module (and the MSOnline module, which provides Set-MSOLUser)
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# Check that the user is identifiable
Get-ADUser -Identity "UserName_or_SamAccountName"

# Convert and encapsulate the ObjectGuid into an ImmutableID
# UserName is the same as the SamAccountName
$guid = (Get-ADUser UserName).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())

# Set the ImmutableID on the In-Cloud user (replace clouduserUPN with the cloud user's UPN)
Set-MSOLUser -UserPrincipalName clouduserUPN -ImmutableID $immutableID
  • Move the affected AD users back from the OU “NotSynced” to a synced OU
    1. Open Active Directory Users and Computers
    2. Move the users from NotSynced to a synced OU
    3. Lastly, run a delta sync in Windows PowerShell (or Azure AD PowerShell)
# Open PowerShell on your AAD Connect (sync) server
Start-ADSyncSyncCycle -PolicyType Delta
  • Finally, verify in the Office 365 Admin Portal that the duplicates are gone and the users show as synced with AD
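As an added example that is not from the original post, the following PowerShell wraps the ObjectGUID-to-ImmutableID conversion above into a pre-flight check: it derives the expected ImmutableID from the AD object, compares it with what the cloud user currently carries, decodes any existing anchor back to a GUID so you can see which AD object the cloud user is really tied to, and only writes the new value when -Apply is given. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already run; the function names are my own, not Microsoft cmdlets.

```powershell
# Added example: verify the anchor before hard-matching (not part of the original post).
# Assumes: Import-Module ActiveDirectory; Import-Module MSOnline; Connect-MsolService already done.

function ConvertTo-ImmutableId {
    # Same conversion the post uses: GUID bytes -> Base64 string
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: Base64 ImmutableID -> GUID, to see which AD object it points at
    param([Parameter(Mandatory)][string]$ImmutableId)
    return [System.Guid]::new([byte[]][System.Convert]::FromBase64String($ImmutableId))
}

function Test-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,        # on-prem AD user
        [Parameter(Mandatory)][string]$CloudUserPrincipalName, # In-Cloud MSOL user
        [switch]$Apply                                        # without -Apply this is read-only
    )
    $adUser    = Get-ADUser -Identity $SamAccountName
    $expected  = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName

    if ($cloudUser.ImmutableId -eq $expected) {
        Write-Host "$CloudUserPrincipalName is already anchored to $($adUser.ObjectGUID); nothing to do."
        return $true
    }

    if ($cloudUser.ImmutableId) {
        # The cloud user is anchored to some other object; show it before overwriting.
        $currentGuid = ConvertFrom-ImmutableId -ImmutableId $cloudUser.ImmutableId
        Write-Warning "$CloudUserPrincipalName currently anchored to GUID $currentGuid, expected $($adUser.ObjectGUID)."
    } else {
        Write-Host "$CloudUserPrincipalName has no ImmutableID (In-Cloud user); expected $expected."
    }

    if (-not $Apply) {
        Write-Host "Re-run with -Apply to set the ImmutableID."
        return $false
    }

    Set-MsolUser -UserPrincipalName $CloudUserPrincipalName -ImmutableId $expected
    Write-Host "ImmutableID set; move the AD user back to a synced OU and run a delta sync."
    return $true
}

# Usage (placeholders): Test-HardMatch -SamAccountName 'UserName' -CloudUserPrincipalName 'clouduserUPN'
```

Run it once without -Apply to confirm the target GUID is the one you expect, since setting the ImmutableID on the wrong cloud account re-points that account at a different AD object.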

