Azure AD Connect & Existing O365 User Accounts

  • Question

  • Hello,

    I've set Azure AD Connect up today with a view to providing our on premise user base with the ability to log into Teams with a single username and password. Teams is a new product that the business has decided to adopt company wide.

    Long story short, we've been using Office 365 for a few years purely to license and download Office apps locally to pc's and have 350 or so users in the Azure AD/O365 tenant that were manually created as and when they needed Office.

    I now want to be able to sync the same on prem AD users with their counterpart Azure AD user accounts to provide a seamless username and password experience for Teams.

    Testing today with Azure AD Connect has proven that new users (that don't exist in Azure AD) are created successfully and their on prem AD account and password are synced successfully.

    The problem I have is that existing AD users are not synced, and new duplicate "onmicrosoft.com" accounts are created in the cloud instead.

    Can someone provide guidance on how best to address this issue?

    I've read an article that talks about defining "soft" and "hard" sync attributes (below) but it remains unclear to me how to change the sync behaviour in AD Connect.

    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant

    Can anyone assist with this please?

    Thanks


    Matt


    • Edited by Matt_Pollock Tuesday, March 3, 2020 6:46 PM spelling
    Tuesday, March 3, 2020 6:46 PM

Answers

  • Many thanks for the reply.

    Apologies for the late reply, for some reason I had no email notification that there had been any replies.

    I followed the same process as you had described, in a fashion, by using the following article.

    https://www.itpromentor.com/soft-vs-hard-match/

    Using the scripts provided I was able to force a match on all of the existing O365 accounts. Then I enabled AD sync for the OUs I needed to have new accounts created in O365. Everything seems to be working perfectly one week on.


    Matt

    • Marked as answer by Matt_Pollock Friday, March 13, 2020 9:59 AM
    Friday, March 13, 2020 9:58 AM

All replies

  • Hi Matt,

    According to this documentation, there are a few things you should notice:

    1. The difference between a soft-match and a hard-match is in a disaster recovery situation: the hard-match “sourceAnchor” allows an object to be sent to Azure AD Connect during initial install. It has little impact on the normal synchronization processes.

    2. All attributes in Azure AD are going to be overwritten by the on-premises value if it finds a match. This process is managed by Azure AD Connect and there is no setting to interfere with.

    3. Azure AD Connect will not match on-premises user objects with objects that have an admin role in Azure AD.

    My guess is that the on-premises AD accounts have been modified so that they cannot match the existing ones in Azure AD, either with these three attributes or they are assigned with admin roles.

    I suggest you remove the existing user accounts and keep the duplicate ones in Azure AD. Re-assign the admin roles after.

    Best regards,

    Chelsea Wu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, March 4, 2020 9:31 AM
  • Hi,

    Please remember to update this thread if you have any progress.

    Thank you for your understanding.

    Best regards,

    Chelsea Wu



    Monday, March 9, 2020 1:28 AM
  • Hello Matt,

    This is what you need to do:

    1. Remove the duplicate users from Office 365, and remove them from the recycle bin as well.

    2. Get the GUID of the user from AD (Get-ADUser username | fl *guid*)

    3. Convert the GUID to immutable ID using the script https://gallery.technet.microsoft.com/scriptcenter/Azure-GUID-to-ImmutableID-d27c5b12

    4. Now stamp the GUID to the online user (Set-MsolUser -UserPrincipalName user@domain.com -ImmutableID "Immutable id from step 3")

    5. Run delta sync.

    This is hard matching.

    You can try soft match, by simply deleting the duplicate users from Office 365 and matching the actual Office 365 user's UPN with the AD UPN.

    Regards,

    Shashank Vinchu

    Monday, March 9, 2020 6:41 AM
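The hard-match procedure in the reply above, written out as one PowerShell script. This is an added example, not code from the thread or from the linked TechNet Gallery script; it assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the duplicate cloud user from step 1 is already gone. The function names (ConvertTo-ImmutableId, ConvertFrom-ImmutableId, Sync-HardMatch), the sAMAccountName jsmith and the UPN jsmith@example.com are constructed for the example. It does the GUID-to-ImmutableID conversion itself (Base64 of the 16 raw objectGUID bytes, which is what Azure AD Connect uses as the sourceAnchor), checks what the cloud user is currently anchored to, and only stamps the value when nothing is set and -Apply is given.

```powershell
# Added example (not from the thread): preview and apply a hard match for one user.
# Assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService
# has already been run. User names below are constructed sample values.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # ImmutableID is the Base64 encoding of the 16 raw GUID bytes, which is what
    # Azure AD Connect derives from objectGUID when it builds the sourceAnchor.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: see which on-prem objectGUID a cloud user is anchored to.
    [Guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Sync-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # on-prem AD account
        [Parameter(Mandatory)][string]$CloudUpn,        # existing Office 365 user
        [switch]$Apply                                  # without -Apply this is a dry run
    )
    # Step 2: read the objectGUID of the on-prem user.
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
    # Step 3: convert it to the ImmutableID value.
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
    $current   = $cloudUser.ImmutableId

    if ($current -eq $expected) {
        Write-Host "$CloudUpn is already anchored to $($adUser.ObjectGUID); nothing to do."
        return
    }
    if ($current) {
        # A different anchor means this cloud object is (or was) tied to another
        # on-prem object; overwriting it silently could merge the wrong two accounts.
        $otherGuid = ConvertFrom-ImmutableId -ImmutableId $current
        Write-Warning "$CloudUpn already has ImmutableId $current (objectGUID $otherGuid); review before overwriting."
        return
    }

    Write-Host "Would set ImmutableId on $CloudUpn to $expected (objectGUID $($adUser.ObjectGUID))"
    if ($Apply) {
        # Step 4: stamp the ImmutableID on the cloud user.
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $expected
        Write-Host "Stamped. Step 5: run a delta sync on the AD Connect server:"
        Write-Host "  Start-ADSyncSyncCycle -PolicyType Delta"
    }
}

# Dry run first, then apply once the output looks right:
Sync-HardMatch -SamAccountName 'jsmith' -CloudUpn 'jsmith@example.com'
Sync-HardMatch -SamAccountName 'jsmith' -CloudUpn 'jsmith@example.com' -Apply
```

The dry run is the useful part: it surfaces cloud users that already carry an ImmutableId (for example ones previously synced from another directory) so you do not overwrite a live anchor by mistake. Keep in mind the caveat from the earlier reply that accounts holding an Azure AD admin role are not matched, and that the on-prem user must fall inside the OUs AD Connect is scoped to before the delta sync will pick it up.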