question

0 Votes
AmmuShiriK-4326 asked | sikumars answered

I have created a user in AD and created same user in Azure AD and set the immutable ID from MS-DS-Consistency-Guid. But the user status in M365 portal still shows 'In-cloud' even after running delta sync. Am I doing something wrong?

I created a new user in on-premises AD and then set the objectGUID value in the MS-DS-ConsistencyGuid attribute. After that I created a user in Microsoft 365 by running the 'New-MsolUser' PowerShell command along with the Immutable ID (after converting the GUID value using Convert.ToBase64String(guid.ToByteArray())). The user is successfully created in the Microsoft 365 portal, but the sync status shows as 'In-cloud'. I have run delta sync multiple times, but the status is still not 'Synced from on-premises'. Am I doing something wrong?

Would creating the user with 'New-AzureADUser' help?
Would a full sync help?
Could this be because the Immutable ID attribute is different from 'MS-DS-ConsistencyGuid'?

It would be useful if you could list possible reasons and troubleshooting for me to check.

azure-active-directory

1 Answer

1 Vote
sikumars answered

Hello @AmmuShiriK-4326 ,

Thanks for reaching out.

Are you getting any export error from the Azure AD Connect server? Ideally, when the ImmutableID of the cloud account and the on-premises object's objectGUID match, it should merge them without any issue.

You could use the PowerShell cmdlets below to verify that a valid format is being used for the conversion. Also make sure you have the right version of Azure AD Connect (version 1.1.524.0 and later), which facilitates the use of ms-DS-ConsistencyGuid as the sourceAnchor/ImmutableID attribute.

ObjectGUID to Base64ImmutableID:
[Convert]::ToBase64String([guid]::New("bb4f2862-67a6-46df-beba-4e2e8cb7a7c5").ToByteArray())

Base64ImmutableID to ObjectGUID:
[Guid]([Convert]::FromBase64String("YihPu6Zn30a+uk4ujLenxQ=="))

Use the following cmdlet to get the objectGUID of a user from local AD: Get-ADUser <username>

There are three different attributes used for matching: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName or proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match.

I would recommend you use the soft-match method via userPrincipalName, which is the easier way of doing it. All you need to make sure of is that the UPN of the user object in Azure AD and on-premises match exactly; this way you don't have to set the Immutable ID manually for the cloud account.

Steps:
- For the cloud user, set a null value on the immutableId attribute by running the command below, and move the user object out of sync scope (out of the synced OU (Organizational Unit)) on-premises. Then wait for the next delta sync to complete, or run the sync manually. Set-MsolUser -UserPrincipalName <upn> -ImmutableId ""
- Once the delta sync has completed, move the user object back into sync scope and run delta sync again.
- Log in to the O365 portal; you should now see the object status as "Synced from on-premises".

Note: Azure AD Connect will not match on-premises user objects with Azure AD objects that have an admin role. For a workaround, refer to this article.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
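As an added example (not code from the question or the answer above), the ObjectGUID/ImmutableID conversion the answer shows, plus a check of a cloud account's ImmutableId against the on-premises objectGUID, written in Python so the byte-order detail can be seen explicitly: .NET's Guid.ToByteArray() emits the first three GUID groups little-endian, which is uuid's bytes_le layout. It assumes you have already fetched the objectGUID (Get-ADUser) and the cloud ImmutableId (Get-MsolUser) yourself; the sample values below are constructed.

```python
import base64
import binascii
import uuid


def guid_to_immutable_id(object_guid):
    """Same bytes as Convert.ToBase64String(guid.ToByteArray()) in .NET/PowerShell."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id):
    """Reverse of the above: [Guid]([Convert]::FromBase64String(...))."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))


def diagnose_anchor(object_guid, cloud_immutable_id):
    """Compare the on-premises objectGUID with the cloud account's ImmutableId.

    'match'       hard match is possible; look elsewhere (export errors, admin role)
    'empty'       cloud object has no anchor; soft match on UPN/proxyAddresses applies
    'byte-order'  ImmutableId was built from the GUID's display order, not ToByteArray()
    'not-a-guid'  ImmutableId is not a base64 encoding of 16 bytes
    'other-guid'  ImmutableId points at a different on-premises object
    """
    if not cloud_immutable_id:
        return "empty"
    if cloud_immutable_id == guid_to_immutable_id(object_guid):
        return "match"
    # The common mistake: encoding the bytes in textual (big-endian) order.
    wrong_order = base64.b64encode(uuid.UUID(object_guid).bytes).decode("ascii")
    if cloud_immutable_id == wrong_order:
        return "byte-order"
    try:
        immutable_id_to_guid(cloud_immutable_id)
    except (ValueError, binascii.Error):
        return "not-a-guid"
    return "other-guid"


if __name__ == "__main__":
    # Constructed sample: the GUID from the answer, checked against a few cloud values.
    guid = "bb4f2862-67a6-46df-beba-4e2e8cb7a7c5"
    for value in ("YihPu6Zn30a+uk4ujLenxQ==", "u08oYmemRt++uk4ujLenxQ==", "", "notbase64!"):
        print(repr(value), "->", diagnose_anchor(guid, value))
```

A 'byte-order' or 'other-guid' result explains an object that stays 'In-cloud' after delta sync; a 'match' means the anchor is fine and the export errors or admin-role restriction mentioned above are the next things to check.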
