0 Votes
vafran asked ·

Disabled Dirsync and re-enable with Set-MsolDirSyncEnabled

Hello,

We are syncing the accounts from on-premises AD with AD Connect and password hash sync.

I have some orphaned objects in Azure AD. Last Thursday at around 12:30 PM I disabled dirsync with the cmdlet "Set-MsolDirSyncEnabled -EnableDirsync $false" to be able to remove the objects, and then re-enable it.

Now I doubt whether this was a good idea...

  • First point is that it is still in the "PendingDisable" state; I know it can take up to 72 hours, but still...

  • Secondly, now I am not so sure what will happen with the accounts. From what I had read previously, in order for accounts to convert to cloud-only it is necessary to change the ImmutableID to $null, but is this still a thing, or will all accounts be converted to cloud-only after the change completes? If that is so, when I enable it back, will the accounts happily sync again or will I get duplicate accounts for everyone?


azure-active-directory  azure-ad-connect


2 Votes
JaiVerma-7010 answered ·

The connection between the on-premises and cloud account is based on two attributes:

  • Hard match

    Where AD UPN + ObjectGUID/mS-DS-ConsistencyGuid == AAD UPN + ImmutableID (SourceAnchor)

  • Soft match

    Where AD UPN + proxyAddresses == AAD UPN + proxyAddresses

From what I understand of your description, you have broken the hard match. In this case, soft match must work and AAD should not create duplicate accounts. You mentioned that you have some orphan objects in AAD and that you did this to remove the orphan objects.

Did you try the steps mentioned here: https://support.microsoft.com/en-us/help/2709902/object-deletions-aren-t-synchronized-to-azure-ad-when-using-the-azure


Thanks for your reply!

So far I did not change anything. Regarding the ImmutableID, it was just a question; I did not make any changes, and I do not intend to.

The sync attribute is ObjectGUID/mS-DS-ConsistencyGuid, so I understand the hard match is not broken.

0 Votes

1 Vote
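The two things the thread turns on are (a) where the tenant is in the disable/re-enable cycle (the "PendingDisable" wait in the question) and (b) whether each account's hard match is intact, i.e. whether the Azure AD ImmutableId still equals the Base64 encoding of the on-premises source anchor described in the answer above. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the MSOnline and ActiveDirectory PowerShell modules are installed, that Connect-MsolService has already been run, and that the tenant's source anchor is mS-DS-ConsistencyGuid with ObjectGUID as the fallback (the default Azure AD Connect behaviour). The function name Get-ExpectedImmutableId is the example's own.

```powershell
# Added example for this page (not from the thread). Assumptions: MSOnline and
# ActiveDirectory modules installed, Connect-MsolService already executed, and the
# source anchor is mS-DS-ConsistencyGuid falling back to ObjectGUID.
Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Tenant-level DirSync state. DirectorySynchronizationStatus is where
#    "PendingDisable" / "PendingEnable" show up while the 72-hour window runs.
$company = Get-MsolCompanyInformation
"DirSync enabled: {0}   status: {1}   last sync: {2}" -f `
    $company.DirectorySynchronizationEnabled,
    $company.DirectorySynchronizationStatus,
    $company.LastDirSyncTime

# 2. Compute the ImmutableId Azure AD expects for an on-prem user.
#    Azure AD Connect writes Base64(source anchor bytes) into ImmutableId, so a
#    hard match holds exactly when the two strings are equal.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $adUser = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid', ObjectGUID

    # mS-DS-ConsistencyGuid is a byte[] when populated; ObjectGUID is a [guid].
    if ($adUser.'mS-DS-ConsistencyGuid') {
        $bytes = [byte[]]$adUser.'mS-DS-ConsistencyGuid'
    } else {
        $bytes = $adUser.ObjectGUID.ToByteArray()
    }
    return [Convert]::ToBase64String($bytes)
}

# 3. Compare on-prem anchor against the cloud object for every enabled AD user.
#    After a DirSync disable completes, synced users become cloud-only and their
#    ImmutableId is cleared, so HardMatchIntact turns false; those accounts will be
#    re-joined by soft match (UPN / proxyAddresses) when sync is re-enabled.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName | ForEach-Object {
    $expected = Get-ExpectedImmutableId -SamAccountName $_.SamAccountName
    $cloud    = Get-MsolUser -UserPrincipalName $_.UserPrincipalName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UPN              = $_.UserPrincipalName
        ExpectedAnchor   = $expected
        CloudImmutableId = $cloud.ImmutableId
        CloudExists      = [bool]$cloud
        HardMatchIntact  = [bool]($cloud -and $cloud.ImmutableId -eq $expected)
    }
}

$report | Format-Table -AutoSize

# Accounts that will rely on soft match (or be duplicated if UPN/proxyAddresses
# no longer line up) are the ones with a cloud object but no matching anchor.
$report | Where-Object { $_.CloudExists -and -not $_.HardMatchIntact } |
    Select-Object UPN, ExpectedAnchor, CloudImmutableId
```

Run it once before disabling DirSync to record the expected anchors, and again after the disable completes: a cloud user whose ImmutableId went to null but whose UPN (or a proxyAddresses entry) still matches the on-prem user is the case where re-enabling sync re-joins the accounts rather than creating duplicates.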
vafran answered ·

Thanks mate. O365 support executed a diagnostic that fixed the issue. As soon as they did that, objects started converting to cloud-only. Then I could delete the orphaned objects, enable sync again, and all objects switched back to Windows AD.
