Note:
For a clearer view and better understanding, I have uploaded the images to the following URL: Please open the link to get a more comprehensive picture of the process.
1. Understand Account Creation in Office 365:
- Azure AD to Office 365 to Exchange Online and other services.
- Exchange Online to Azure AD (e.g., Shared Mailboxes).
- On-premises Local AD to Azure AD through a Dir Sync Agent like Azure AD Connect.
- Note the difference between Soft-Matching (SMTP match) and Hard Matching.
2. Soft-Matching Overview:
- Azure AD account has a primary SMTP address that you likely don’t want to change.
- To link the cloud account to an on-prem account, stamp the same primary SMTP to the on-prem account and run a directory sync.
3. Hard-Matching Overview:
- Required when a synced account fails to sync from the local AD, causing the account to enter a soft-deleted state and disconnect from the AD account.
- Needed to convert a cloud-only account into a synced account.
4. Steps to Perform Hard-Matching:
Recreate the User on Local AD:
- Recreate the user inside a Non-Syncing OU to avoid creating a duplicate copy in Azure AD. https://prnt.sc/ZWh1JiRVVLAR
- Ensure the local AD user has the same UPN as the cloud user under the ‘General’ tab. https://prnt.sc/72Z1zSxjUP7w
Export the ObjectGUID:
- Launch PowerShell on your local AD server.
- Run the command: ldifde -f export.txt -r "(userPrincipalName=user@domain.com*)" -l "objectGUID,userPrincipalName" (replace user@domain.com with the local AD UPN of the user). https://prnt.sc/O_-ptxI5Vu2p
- Open the exported data using Notepad and copy the ObjectGUID value. https://prnt.sc/O_-ptxI5Vu2p
Restore the User on Azure AD:
- Restore the user from deleted users on Azure AD if the user is still in the deleted folder (converts the account to a cloud-only account). https://prnt.sc/K6iXCupEkn_S
- Run the command on the MSOnline PowerShell module: Connect-MsolService.
- If the MSOnline PowerShell module is not installed, run: Install-Module -Name MSOnline. https://prnt.sc/K6oB3OfBNLEX
- Get the cloud user details: Get-MsolUser -UserPrincipalName 102764537@domain.com | fl https://prnt.sc/sWgHFeJhKlVO
Set the Immutable ID:
- Set the immutable ID of the cloud account to match the Local AD account using the exported ObjectGUID:
- Set-MsolUser -UserPrincipalName 102764537@domain.com -ImmutableId I1zIu8wH9UqYZt4Vazg== (replace 102764537@domain.com with the UPN of the cloud user, and the ImmutableId value with the ObjectGUID you exported). https://prnt.sc/Tol-_MgVxDHM
Sync the Accounts:
- Move the cloud account into deleted users again.
- Move the AD account back to a syncing OU. https://prnt.sc/vjGjlffFpMkB
- Run a delta sync: Start-ADSyncSyncCycle -PolicyType Delta on the local AD PowerShell. https://prnt.sc/tk8zDliML0aS
- Allow about 10 minutes for the sync to complete.
- If the account doesn’t restore automatically, go to the deleted user’s folder on Azure AD and restore the account. https://prnt.sc/fTzr2Qo1OKl-
Verify the Sync:
- Ensure the user has a YES under the on-premises sync column.
- Verify the new immutable ID of the cloud account matches that of the Local AD account.
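As an added check for the last step (this script is not part of the original post), the following PowerShell derives the ImmutableId that Azure AD Connect would compute from the local objectGUID and compares it with the value stamped on the cloud account. It assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run; $LocalUpn and $CloudUpn are placeholder parameters.

```powershell
# Added example: confirm the on-prem objectGUID and the cloud ImmutableId agree.
# Assumes the ActiveDirectory and MSOnline modules are loaded and
# Connect-MsolService has already been run. UPNs are supplied by the caller.
param(
    [Parameter(Mandatory)] [string]$LocalUpn,   # UPN of the user in local AD
    [Parameter(Mandatory)] [string]$CloudUpn    # UPN of the user in Azure AD
)

# 1. Local AD: objectGUID is a 16-byte GUID. Azure AD Connect stores the
#    Base64 of those bytes in the cloud as the ImmutableId (sourceAnchor),
#    which is the same encoding ldifde writes after "objectGUID::".
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$LocalUpn'" -Properties objectGUID
if (-not $adUser) { throw "No local AD user with UPN $LocalUpn" }
$expectedImmutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. Cloud: read the value actually present on the Azure AD object.
$msolUser = Get-MsolUser -UserPrincipalName $CloudUpn
$actualImmutableId = $msolUser.ImmutableId

# 3. Decode the cloud value back to a GUID so a mismatch is readable, and
#    flag anything that is not exactly 16 bytes of Base64: a truncated
#    copy/paste value is accepted by Set-MsolUser without complaint.
$cloudGuid = $null
try {
    $bytes = [System.Convert]::FromBase64String($actualImmutableId)
    if ($bytes.Length -eq 16) { $cloudGuid = [Guid]::new($bytes) }
} catch { }

[pscustomobject]@{
    LocalObjectGuid     = $adUser.ObjectGUID
    ExpectedImmutableId = $expectedImmutableId
    CloudImmutableId    = $actualImmutableId
    CloudDecodedGuid    = $cloudGuid          # $null means not a valid GUID
    DirSyncEnabled      = $msolUser.DirSyncEnabled   # the "on-premises sync" YES
    Match               = ($expectedImmutableId -eq $actualImmutableId)
}
```

If Match is False or CloudDecodedGuid is empty, re-export the objectGUID and repeat the Set-MsolUser step before moving the AD account back into a syncing OU.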