This article walks through hard matching an on-premises AD user to a cloud user when soft matching fails.
Hard matching
In some cases, when soft matching does not work, we have to tag the immutable ID manually so that the account can be managed on-premises. That is, we change the source of authority by hand so that the cloud user can be managed from on-premises AD through directory synchronization.
Hard matching can only be used when the user was initially created in the cloud. Once soft matching is done, the cloud user is bound to AD by its immutable ID rather than by its primary email (SMTP) address.
A cloud user's primary email (SMTP) address cannot be updated during the soft matching process, because the primary email (SMTP) address is the attribute used to link the on-premises AD user to the cloud user.
Start hard matching
Check the user's sync status. We have a user testhardmatch@....sh.group.
Now get the immutable ID of the user from on-premises AD/Exchange PowerShell. Run the following command from PowerShell.
Get-ADUser testhardmatch | Select-Object UserPrincipalName, objectGUID, @{Name = 'ImmutableID'; Expression = { [system.convert]::ToBase64String(([GUID]$_.objectGUID).ToByteArray()) } }
Connect to the MSOL service (Connect-MsolService) and run the following command with the immutable ID copied from the output of the command above. In our case, zxfO6vF1mEG6ZufFSlzl0g== is the immutable ID.
Set-MsolUser -UserPrincipalName testhardmatch@....sh.group -ImmutableId zxfO6vF1mEG6ZufFSlzl0g==
Then run a delta sync from your ADSync/AD Connect server using the following command.
Start-ADSyncSyncCycle -PolicyType Delta
Now you can see that the user's sync status has changed from "In cloud" to "Synced from on-premises".
You can see the user testhardmatch@......sh.com is synced from on-premises.
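The steps above, gathered into one script as an added example (this is not the article's own code). It assumes the RSAT ActiveDirectory module on a domain-joined machine, the MSOnline module with an active Connect-MsolService session, and that it runs on the Azure AD Connect server where Start-ADSyncSyncCycle is available; the UPN and SamAccountName values are placeholders you pass in. Beyond the article's commands it adds two checks a practitioner wants before stamping a cloud object: a round-trip decode of the Base64 value back to the objectGUID (the ImmutableId is the Base64 of the GUID's .NET byte layout, not of its string form; the article's zxfO6vF1mEG6ZufFSlzl0g== decodes to eace17cf-75f1-4198-ba66-e7c54a5ce5d2), and a refusal to overwrite an ImmutableId that is already set, since a non-empty, different value means the cloud object is already anchored to some other on-premises object. The "Status" inference from LastDirSyncTime at the end is this script's own heuristic, not an API field.

```powershell
# Added example: hard-match a cloud-only user to its on-premises AD object.
# Assumes: ActiveDirectory and MSOnline modules, an existing Connect-MsolService session,
# and execution on the Azure AD Connect server. Parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # on-premises account, e.g. testhardmatch
    [Parameter(Mandatory)] [string] $CloudUpn          # cloud UPN, e.g. testhardmatch@example.com (placeholder)
)

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    # Azure AD stores the on-premises objectGUID as Base64 of the .NET byte layout
    # (first three GUID fields little-endian), which is exactly what ToByteArray() yields.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    # Reverse of the above, used to sanity-check a value before writing it to the cloud object.
    # The article's zxfO6vF1mEG6ZufFSlzl0g== decodes to eace17cf-75f1-4198-ba66-e7c54a5ce5d2.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# 1. Derive the expected ImmutableId from the on-premises object.
$adUser     = Get-ADUser -Identity $SamAccountName -Properties objectGUID -ErrorAction Stop
$expectedId = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

# Round-trip check: the Base64 string must decode back to the same objectGUID.
if ((ConvertFrom-ImmutableId -ImmutableId $expectedId) -ne $adUser.ObjectGUID) {
    throw "ImmutableId round-trip failed for $SamAccountName"
}

# 2. Inspect the cloud object before touching it.
$cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

if ($cloudUser.ImmutableId -eq $expectedId) {
    Write-Host "Cloud user $CloudUpn already carries the expected ImmutableId; nothing to do."
    return
}
if ($cloudUser.ImmutableId) {
    # A non-empty, different ImmutableId means the object is already anchored to another
    # on-premises object (or was hard-matched earlier). Overwriting it would silently
    # re-point the account, so stop and investigate instead.
    throw "Cloud user $CloudUpn already has ImmutableId '$($cloudUser.ImmutableId)' " +
          "(expected '$expectedId'). Refusing to overwrite."
}

# 3. The cloud object is cloud-only (ImmutableId empty): stamp it, then request a delta sync.
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $expectedId
Write-Host "Stamped $CloudUpn with ImmutableId $expectedId"

# Start-ADSyncSyncCycle only schedules the cycle; it returns before the export finishes.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 4. Report the cloud object's state. LastDirSyncTime stays empty until the object has
# actually been exported, so re-run this part after the delta cycle completes.
$after = Get-MsolUser -UserPrincipalName $CloudUpn
[pscustomobject]@{
    UserPrincipalName = $after.UserPrincipalName
    ImmutableId       = $after.ImmutableId
    LastDirSyncTime   = $after.LastDirSyncTime
    # Heuristic used by this script, not an API field.
    Status            = if ($after.LastDirSyncTime) { 'Synced from on-premises' } else { 'In cloud (not yet synced)' }
}
```

Save it as a .ps1 and run it with `-SamAccountName testhardmatch -CloudUpn <cloud UPN>`; if the script throws at step 2, the cloud object already has an anchor and the account history should be examined before any value is changed.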
You are done with hard matching.
Thanks for reading my article.
Please find the soft matching article URL below.
SMTP soft matching