Currently we are migrating users from multiple source AD forests to one target AD forest while already using Office 365. The workflow has been as follows:
1. Configure Azure AD Connect sync rules for filtering objects by extensionattribute15 (contains 'Office365')
2. Set attribute for objects in the source AD forest that should be synced
3. Migrated mailboxes from on-prem Exchange to Exchange Online
4. Migrated user objects from source AD forest to target AD forest via ADMT
The source anchor is ms-DS-ConsistencyGUID which is the same for source AD and target AD user.
So there should be a match between source, target and cloud user.
Then we prepared to shut down the source AD forest and cleared the extensionattribute15 - sync still works.
After that we ran into some minor issues with duplicate proxy addresses with some users and therefore temporarily removed sync for the affected target AD users by clearing the extensionattribute15 and re-added it after a sync.
But then, the cloud user was not matched to the target AD user anymore.
Instead, a new cloud user was created creating more duplicate issues.
We then had to remove the sync again, modify the immutable ID of the cloud user to match the objectGUID of the target AD user (matched the source AD user as the initial sync was done with the source AD forest) and sync again.
Voilà, the match worked again!
But this behaviour is strange because we chose ms-DS-ConsistencyGUID to be the source anchor, not the objectGUID.
ConsistencyGUID is the same for source and target so we wonder now why this happened.
Can anyone give us a hint if we are missing something or have to configure anything else to get this working?
We want to avoid modifying all immutable IDs as this will cause massive downtime for users and extensive work for us.
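An added diagnostic (editor's example, not code from the original post) that makes the matching question concrete: the cloud ImmutableId is the Base64 encoding of the 16 source-anchor bytes, so for each migrated user you can compute what the ImmutableId would be from objectGUID and from ms-DS-ConsistencyGuid and compare both against the value the cloud user actually carries. That tells you, before touching anything, whether the cloud object is anchored on the ConsistencyGuid (expected) or on an objectGUID (the mismatch described above). The function works on values you pass in, so it runs offline on the constructed sample values; the live lookup in the trailing comments assumes the ActiveDirectory and MSOnline modules, the sample user name jdoe and the domain contoso.com are placeholders.

```powershell
# Added example: compare on-prem anchor attributes with the cloud ImmutableId.
# Assumptions (not from the post): ActiveDirectory/MSOnline modules for the live
# lookup shown at the end; user names and GUIDs below are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] $Value)
    # objectGUID arrives as [guid], ms-DS-ConsistencyGuid as [byte[]]; both are
    # 16 bytes, and the cloud ImmutableId is simply their Base64 encoding.
    if ($Value -is [guid])        { $bytes = $Value.ToByteArray() }
    elseif ($Value -is [byte[]])  { $bytes = $Value }
    else { throw "Expected [guid] or [byte[]], got $($Value.GetType().Name)" }
    return [Convert]::ToBase64String($bytes)
}

function Test-AnchorMatch {
    param(
        [Parameter(Mandatory)] [guid]   $ObjectGuid,       # target AD objectGUID
        [byte[]]                        $ConsistencyGuid,  # target AD ms-DS-ConsistencyGuid (may be empty)
        [Parameter(Mandatory)] [string] $CloudImmutableId  # ImmutableId on the cloud user
    )
    $fromObjectGuid      = ConvertTo-ImmutableId $ObjectGuid
    $fromConsistencyGuid = if ($ConsistencyGuid) { ConvertTo-ImmutableId $ConsistencyGuid } else { $null }

    $result = [pscustomobject]@{
        ObjectGuidImmutableId      = $fromObjectGuid
        ConsistencyGuidImmutableId = $fromConsistencyGuid
        CloudImmutableId           = $CloudImmutableId
        Verdict                    = $null
    }

    if (-not $fromConsistencyGuid) {
        # With ms-DS-ConsistencyGuid as source anchor, Connect fills an empty
        # value from objectGUID on the next export, so this user would be
        # anchored on the target-forest objectGUID, not the migrated one.
        $result.Verdict = 'EMPTY: ms-DS-ConsistencyGuid not set; anchor will be derived from objectGUID'
    } elseif ($CloudImmutableId -eq $fromConsistencyGuid) {
        $result.Verdict = 'OK: cloud ImmutableId matches ms-DS-ConsistencyGuid'
    } elseif ($CloudImmutableId -eq $fromObjectGuid) {
        $result.Verdict = 'MISMATCH: cloud ImmutableId matches objectGUID, not ms-DS-ConsistencyGuid'
    } else {
        $result.Verdict = 'MISMATCH: cloud ImmutableId matches neither attribute'
    }
    return $result
}

# --- Constructed sample values (placeholders, not real users) ---
$sourceGuid = [guid]'11111111-2222-3333-4444-555555555555'   # objectGUID in the old source forest
$targetGuid = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'   # objectGUID after ADMT in the target forest
$consistency = $sourceGuid.ToByteArray()                      # ADMT carried the source GUID into ms-DS-ConsistencyGuid

# Case 1: cloud user was created from the source forest, so its ImmutableId
# encodes the source objectGUID; expected verdict is OK.
Test-AnchorMatch -ObjectGuid $targetGuid -ConsistencyGuid $consistency `
                 -CloudImmutableId (ConvertTo-ImmutableId $sourceGuid)

# Case 2: a cloud user that was (re)created against the target objectGUID;
# expected verdict is MISMATCH on objectGUID, the situation described in the post.
Test-AnchorMatch -ObjectGuid $targetGuid -ConsistencyGuid $consistency `
                 -CloudImmutableId (ConvertTo-ImmutableId $targetGuid)

# Live lookup (assumes ActiveDirectory + MSOnline modules and Connect-MsolService already run):
# $ad    = Get-ADUser -Identity jdoe -Properties objectGUID, 'mS-DS-ConsistencyGuid'
# $cloud = Get-MsolUser -UserPrincipalName 'jdoe@contoso.com'
# Test-AnchorMatch -ObjectGuid $ad.objectGUID -ConsistencyGuid $ad.'mS-DS-ConsistencyGuid' -CloudImmutableId $cloud.ImmutableId
```

Running this over the affected target AD users before any further change separates the two cases the post conflates: users whose ms-DS-ConsistencyGuid was lost or never carried over (EMPTY) and users whose cloud object is genuinely keyed to a different anchor (MISMATCH). Only the second group needs the ImmutableId rewritten; the first group needs the attribute restored on-prem, which avoids the mass ImmutableId edit the post is trying to prevent.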