In some cases, when soft matching has not worked, we have to set the immutable ID by hand so that the account can be managed from on-premises. In other words, we change the source of authority manually so that the cloud user is managed from on-premises AD through directory synchronization. This is called hard matching.
Hard matching only applies to a user that was originally created in the cloud. Once a match (soft or hard) has been made, the cloud user is bound to the AD object by its immutable ID (the sourceAnchor), not by the primary email (SMTP) address.
A cloud user's primary email (SMTP) address cannot be changed while a soft match is in progress, because that address (or the UPN) is the attribute used to link the on-premises AD user to the cloud user.
Note that hard matching is also a takeover path: whoever can write the ImmutableId of a cloud-only user can bind any on-premises object to it, and the on-premises object then controls that cloud identity. Tenants can block this with the BlockCloudObjectTakeoverThroughHardMatch directory-sync feature; check it with Get-MsolDirSyncFeatures -Feature BlockCloudObjectTakeoverThroughHardMatch before relying on the procedure below, and only hard-match accounts you have verified belong to the same person.
Start hard matching
Check the user's sync status in the admin portal; a cloud-only user shows as "In cloud". We have a user testhardmatch@….sh.group.
Now get the immutable ID of the user from on-premises AD. Run the following command in PowerShell (Active Directory module). It encodes the bytes of the objectGUID as base64, which is the default sourceAnchor used by Azure AD Connect; if your tenant uses mS-DS-ConsistencyGuid as the sourceAnchor, take that attribute instead and convert it the same way.
Get-ADUser testhardmatch | Select-Object UserPrincipalName, ObjectGUID, @{Name = 'ImmutableID'; Expression = { [System.Convert]::ToBase64String(([GUID]$_.ObjectGUID).ToByteArray()) } }
Connect to the MSOL service (Connect-MsolService) and run the following command with the immutable ID copied from the output of the command above. In our case, zxfO6vF1mEG6ZufFSlzl0g== is the immutable ID. First confirm with Get-MsolUser that the cloud user does not already have an ImmutableId; if it does, the user is (or was) already bound to an on-premises object and you should find out why before overwriting it. The MSOnline module is deprecated; the Microsoft Graph equivalent is Update-MgUser -UserId <UPN> -OnPremisesImmutableId <id>.
Set-MsolUser -UserPrincipalName testhardmatch@....sh.group -ImmutableId zxfO6vF1mEG6ZufFSlzl0g==
Then run a delta sync from your Azure AD Connect (ADSync) server using the following command.
Start-ADSyncSyncCycle -PolicyType Delta
After the sync completes, the user's sync status changes from "In cloud" to "Synced from on-premises"; in our case the user testhardmatch@……sh.com now shows as synced from on-premises.
Hard matching is done.
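The steps above, combined into one script with the checks a practitioner wants before binding a cloud identity to an on-premises object. This is an added example, not code from the original page: it assumes it runs on the Azure AD Connect server with the ActiveDirectory, MSOnline and ADSync modules installed, that the tenant's sourceAnchor is objectGUID (the default), and the account names it uses are placeholders. The functions Get-ImmutableIdFromAdUser and Invoke-HardMatch are names chosen here, not Microsoft cmdlets.

```powershell
# Added example: hard-match a cloud-only user to an on-premises AD user with safety checks.
# Assumptions: run on the Azure AD Connect server; ActiveDirectory, MSOnline and ADSync
# modules available; sourceAnchor = objectGUID. Account names below are placeholders.

function Get-ImmutableIdFromAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $adUser = Get-ADUser -Identity $SamAccountName

    # Default sourceAnchor: base64 of the objectGUID byte array (same as the one-liner
    # on the page). If the tenant uses mS-DS-ConsistencyGuid, read that attribute instead.
    $immutableId = [Convert]::ToBase64String(([Guid]$adUser.ObjectGUID).ToByteArray())

    # Round-trip check: decoding must give the same GUID, otherwise the value would bind
    # the cloud user to an object that does not exist on-premises.
    $roundTrip = [Guid]::new([Convert]::FromBase64String($immutableId))
    if ($roundTrip -ne [Guid]$adUser.ObjectGUID) {
        throw "ImmutableId round-trip check failed for $SamAccountName"
    }

    [pscustomobject]@{
        UserPrincipalName = $adUser.UserPrincipalName
        ObjectGUID        = $adUser.ObjectGUID
        ImmutableId       = $immutableId
    }
}

function Invoke-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # on-premises account to bind from
        [Parameter(Mandatory)][string]$CloudUpn          # cloud-only user to take over
    )

    $onPrem = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    Connect-MsolService

    # If the tenant blocks hard-match takeover, writing the ImmutableId will not result
    # in the on-premises object taking over the cloud user. Stop early instead of
    # leaving a half-configured account behind.
    $feature = Get-MsolDirSyncFeatures -Feature BlockCloudObjectTakeoverThroughHardMatch
    if ($feature.Enabled) {
        throw "BlockCloudObjectTakeoverThroughHardMatch is enabled; hard match is blocked in this tenant"
    }

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
    # Refuse to overwrite an existing binding: a non-empty ImmutableId means the user
    # is, or once was, already linked to an on-premises object.
    if ($cloudUser.ImmutableId) {
        throw "$CloudUpn already has ImmutableId $($cloudUser.ImmutableId); not overwriting"
    }
    # Soft-match sanity check: the UPNs should agree, otherwise we are probably binding
    # the wrong pair of accounts.
    if ($cloudUser.UserPrincipalName -ne $onPrem.UserPrincipalName) {
        Write-Warning "UPN mismatch: cloud '$($cloudUser.UserPrincipalName)' vs on-prem '$($onPrem.UserPrincipalName)'"
    }

    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $onPrem.ImmutableId
    Write-Host "Set ImmutableId $($onPrem.ImmutableId) on $CloudUpn"

    # Do not start a cycle while one is running; the scheduler rejects it anyway.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw "A sync cycle is already in progress; re-run the delta sync when it finishes"
    }
    Start-ADSyncSyncCycle -PolicyType Delta

    # Verification: after the delta sync, LastDirSyncTime is populated for a synced user.
    Get-MsolUser -UserPrincipalName $CloudUpn |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

# Usage (placeholder names):
# Invoke-HardMatch -SamAccountName 'testhardmatch' -CloudUpn 'testhardmatch@example.com'
```

The two refusals (feature enabled, ImmutableId already set) are the parts worth keeping even if you type the commands by hand: the first tells you in advance that the tenant policy will defeat the procedure, and the second stops you from silently re-pointing an account that is already bound somewhere else. Where the MSOnline module is unavailable, the same write is Update-MgUser -UserId $CloudUpn -OnPremisesImmutableId $onPrem.ImmutableId from the Microsoft.Graph.Users module.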
Supplementary PDF document;