Hard matching accounts

In some cases, when soft matching has not worked, we have to tag the cloud user's immutable ID manually so that the account can be managed from on-premises. In other words, we change the source of authority by hand so that the cloud user is managed from the on-premise AD through directory synchronization.

Hard matching can only be used when the user was initially created in the cloud. Once soft matching has completed, the cloud user is bound to the AD user by the immutable ID rather than by the primary email (SMTP) address.

A cloud user's primary email (SMTP) address cannot be updated while soft matching is in progress, because the primary email (SMTP) address is the attribute used to link the on-premise AD user to the cloud user.

Start hard matching
Check the user's sync status. In this example the user is testhardmatch@….sh.group.

[Screenshot: Hard Matching Accounts 1]
Now get the immutable ID of the user from the on-premise AD/Exchange PowerShell.

Run the following command from PowerShell.

Get-ADUser testhardmatch | Select-Object UserPrincipalName, objectGUID, @{Name = 'ImmutableID'; Expression = { [system.convert]::ToBase64String(([GUID]$_.objectGUID).ToByteArray()) } }


[Screenshot: Hard Matching Accounts 2]

Connect to the MSOnline service (Connect-MsolService) and run the following command with the immutable ID copied from the output of the command above. In our case, zxfO6vF1mEG6ZufFSlzl0g== is the immutable ID.

Set-MsolUser -UserPrincipalName testhardmatch@....sh.group -ImmutableId zxfO6vF1mEG6ZufFSlzl0g==

[Screenshot: Hard Matching Accounts 3]

Then run a delta sync from your ADSync/Azure AD Connect server using the following command.

Start-ADSyncSyncCycle -PolicyType Delta

[Screenshot: Hard Matching Accounts 4]

Now you can see that the user's sync status has changed from "In cloud" to "Synced from on-premises".
The user testhardmatch@……sh.com is now synced from on-premise.

[Screenshot: Hard Matching Accounts 5]

You are done with hard matching.
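As an added example (not part of the original article), the following PowerShell wraps the GUID-to-ImmutableId conversion used above in reusable functions and adds a pre-flight check before Set-MsolUser is run: it confirms the cloud user is still cloud-only and that the UPNs agree, so the wrong cloud account is not bound to an on-premise object. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already been run; the account names in the usage comment are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# MSOnline modules are loaded and Connect-MsolService has already been run.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion the article's Get-ADUser command performs:
    # the 16 GUID bytes as base64 (always 24 characters, ending in "==").
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse conversion: shows which on-premise objectGUID a cloud user is bound to.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Test-HardMatchCandidate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $adUser    = Get-ADUser -Identity $SamAccountName          # ObjectGUID is a default property
    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected  = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    # A cloud user that already carries an ImmutableId is bound to some on-premise object;
    # overwriting it would re-bind the identity, so report instead of proceeding.
    if ($cloudUser.ImmutableId) {
        $boundGuid = ConvertFrom-ImmutableId -ImmutableId $cloudUser.ImmutableId
        if ($boundGuid -eq $adUser.ObjectGUID) { return 'AlreadyMatched' }
        return "BoundToOtherObject:$boundGuid"
    }
    # The on-premise and cloud UPNs should agree, otherwise the wrong account is being tagged.
    if ($adUser.UserPrincipalName -ne $cloudUser.UserPrincipalName) {
        return 'UpnMismatch'
    }
    return "Ready:$expected"
}

# Usage (constructed placeholder names):
# Test-HardMatchCandidate -SamAccountName 'testhardmatch' -UserPrincipalName 'testhardmatch@example.com'
# Only when the result starts with "Ready:", use the value after the colon as -ImmutableId:
# Set-MsolUser -UserPrincipalName 'testhardmatch@example.com' -ImmutableId '<value after Ready:>'
# then run Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server.
```

Running Test-HardMatchCandidate again after the delta sync should return AlreadyMatched, which confirms the cloud user is bound to the intended on-premise objectGUID.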


Additional PDF document:

Hard Match AAD Account