Forum Discussion

RNalivaika's avatar
RNalivaika
Iron Contributor
Jan 15, 2021
Solved

Azure AD connect group soft match

Hi all, we have migrated to a new onprem AD forest recently, but kept the same O365 tenant.

Soft matching of user accounts between new AD and O365 went just fine. 

But we are facing some issues when matching cloud distribution lists and email enabled security groups with onprem objects.

Insted of matching the groups, O365 just creates a new group with company.onmicrosoft.com smtp address. Any ideas ?

Azure AD Connect Health shows an error saying that there are duplicate attributes - SMTP proxyaddress.. but SMTP has to be the same on onprem and Cloud object in order for soft matching to work...

I have done this kind of group soft matching a few times before and it worked fine, but not in this case...

R-

4 Replies

  • dgITCO's avatar
    dgITCO
    Copper Contributor
    For whoever might come to this thread this is what helped me: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-migrate-groups

    1. Move the group out of sync scope, so the duplicate in Azure get's deleted (Wait for sync!)
    2. Fix the group according to the link with the old onprem group "objectGUID" to new onprem group "mS-DS-ConsistencyGuid"
    3. Move the group back into sync scope and wait for sync.

    Cheers, Dom
  • catmur-fed's avatar
    catmur-fed
    Copper Contributor
    Would love to know if you managed to solve this?
    Tracking the same issue here https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices-mso_o365b/aad-connect-sync-issue-after-changing-domains/5b3fd134-8297-44cb-81eb-c50a8fbdd71f?messageId=d16fbc0a-5ca3-49c7-9b92-52cbe220055e

Resources