Connecting Azure AD with on-premise Active Directory using Azure AD Connect: possibility of user duplication

MohammedRayyan-0374 asked:

If the current tenant containing Office 365 users is synchronized with on-premise Active Directory, is there a possibility of duplication of on-premise users with Office 365 users in Azure AD?

Example scenario: if there is already a user xyz@abc.com in the Azure AD directory, and it is synchronized, it takes the on-prem Active Directory user, i.e. xyz@abc.local, and registers it as xyz@abc.onmicrosoft.com. Will there be a duplication of users, as there will be two users after sync, xyz@abc.com and xyz@abc.onmicrosoft.com?

Tags: azure-active-directory, azure-ad-connect

1 Answer

AndyDavid answered:

It will do a soft match:

"When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName and proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match. For the proxyAddresses attribute only the value with SMTP:, that is the primary email address, is used for the evaluation."

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#sync-with-existing-users-in-azure-ad


P.S. You can't use a .local for the on-prem UPNs. They have to be a valid domain suffix registered in Azure.

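The matching order Andy quotes, as an added Python example that is neither from this thread nor Azure AD Connect's own code: it simulates hard matching on sourceAnchor/immutableId and soft matching on UPN or primary SMTP address over constructed on-prem and cloud records, so an admin can preview before enabling sync which on-prem users would match an existing cloud object rather than create a second one. It goes one step further than the answer by flagging soft matches that would land on a pre-existing cloud-only admin account, the case the linked documentation warns about later in the thread. The domains, anchors, record layout and the `classify_match`/`preview_sync` helpers are all assumptions.

```python
# Added example (not from the thread): simulates the matching order the answer
# describes, so an admin can preview which on-prem users would hard-match,
# soft-match, or be created new. Sample data and domains are constructed.
def primary_smtp(proxy_addresses):
    # Only the upper-case "SMTP:" entry is the primary address; "smtp:" aliases are ignored.
    for entry in proxy_addresses:
        if entry.startswith("SMTP:"):
            return entry[5:].lower()
    return None

def classify_match(onprem, cloud_users):
    # Returns (kind, matched_cloud_upn); kind is "hard", "soft" or "new".
    # 1. Hard match: sourceAnchor equals an existing object's immutableId.
    for cloud in cloud_users:
        if cloud["immutableId"] and cloud["immutableId"] == onprem["sourceAnchor"]:
            return ("hard", cloud["userPrincipalName"])
    # 2. Soft match: same UPN or same primary SMTP address (case-insensitive).
    upn, mail = onprem["userPrincipalName"].lower(), primary_smtp(onprem["proxyAddresses"])
    for cloud in cloud_users:
        if cloud["userPrincipalName"].lower() == upn or (
            mail and primary_smtp(cloud["proxyAddresses"]) == mail):
            return ("soft", cloud["userPrincipalName"])
    # 3. No match: a new cloud object is created (no duplicate of a matched one).
    return ("new", None)

def preview_sync(onprem_users, cloud_users, admin_upns=frozenset()):
    # Flag soft matches that would take over a pre-existing cloud-only admin account.
    report = []
    for u in onprem_users:
        kind, target = classify_match(u, cloud_users)
        risky = kind == "soft" and target.lower() in admin_upns
        report.append((u["userPrincipalName"], kind, target, risky))
    return report

# Constructed sample directories (placeholder domains and anchors).
CLOUD_USERS = [
    {"userPrincipalName": "xyz@abc.com", "immutableId": None, "proxyAddresses": ["SMTP:xyz@abc.com"]},
    {"userPrincipalName": "globaladmin@abc.com", "immutableId": None, "proxyAddresses": ["SMTP:globaladmin@abc.com"]},
    {"userPrincipalName": "old@abc.com", "immutableId": "AbCdEf==", "proxyAddresses": ["SMTP:old@abc.com"]},
]
ONPREM_USERS = [  # UPN suffix already changed from abc.local to the verified abc.com domain
    {"userPrincipalName": "xyz@abc.com", "sourceAnchor": "QwErTy==", "proxyAddresses": ["SMTP:xyz@abc.com", "smtp:xyz@abc.local"]},
    {"userPrincipalName": "gadmin@abc.com", "sourceAnchor": "ZxCvBn==", "proxyAddresses": ["SMTP:globaladmin@abc.com"]},
    {"userPrincipalName": "old@abc.com", "sourceAnchor": "AbCdEf==", "proxyAddresses": ["SMTP:old@abc.com"]},
    {"userPrincipalName": "newhire@abc.com", "sourceAnchor": "PoIuYt==", "proxyAddresses": ["SMTP:newhire@abc.com"]},
]

if __name__ == "__main__":
    for upn, kind, target, risky in preview_sync(ONPREM_USERS, CLOUD_USERS, {"globaladmin@abc.com"}):
        print(f"{upn:18} {kind:4} -> {target or '(create new)'}{'   <-- cloud admin takeover' if risky else ''}")
```

Running it shows xyz@abc.com soft-matching its existing cloud object (one user, not two), the hard match on a shared anchor, a brand-new object for the unmatched user, and a flag on the on-prem account whose primary SMTP address collides with the cloud admin.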

MohammedRayyan-0374 commented:

Thanks for the reply, Mr Andy.
The soft match replaces the current Azure Active Directory users with the on-prem Active Directory users, making them lose their password in Azure. Moreover, Microsoft is not recommending this approach.

Could you please recommend the perfect solution for connecting and using on-prem Active Directory with Azure services? How about creating a new tenant, keeping the 365 users separate from on-prem?

AndyDavid commented:

Where does it say Microsoft doesn't recommend this?

MohammedRayyan-0374 commented:

In the given documentation link it states "Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory."
Is there any better solution to have users only for Azure file share authentication, keeping them separate from Office 365 users? Could you help me out with this one.

MohammedRayyan-0374 commented:

Could you please help me out with a session, as it's a critical and risky configuration. Your assistance is appreciated.

Thanks
