Forum Discussion
Solved
Azure AD connect group soft match
Hi all, we have migrated to a new onprem AD forest recently, but kept the same O365 tenant.
Soft matching of user accounts between new AD and O365 went just fine.
But we are facing some issues when matching cloud distribution lists and email enabled security groups with onprem objects.
Insted of matching the groups, O365 just creates a new group with company.onmicrosoft.com smtp address. Any ideas ?
Azure AD Connect Health shows an error saying that there are duplicate attributes - SMTP proxyaddress.. but SMTP has to be the same on onprem and Cloud object in order for soft matching to work...
I have done this kind of group soft matching a few times before and it worked fine, but not in this case...
R-
catmur-fed I solved the issue by resorting to hard-match instead.
I had also tried solving the issue with MS Support, but they were basically saying the same as you report in the thread, so that lead nowhere.
The solution was to change source anchor to mS-DS-ConsistencyGuid on AzureAD Connect setup, populate matching immutableID on onprem groups and then run sync.
you can take a look at this article for reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#changing-the-sourceanchor-attribute
there was another article regarding group hard-maching but i cannot find it, i will maybe try later.
Cheers
4 Replies
- For whoever might come to this thread this is what helped me: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-migrate-groups
1. Move the group out of sync scope, so the duplicate in Azure get's deleted (Wait for sync!)
2. Fix the group according to the link with the old onprem group "objectGUID" to new onprem group "mS-DS-ConsistencyGuid"
3. Move the group back into sync scope and wait for sync.
Cheers, Dom - Would love to know if you managed to solve this?
Tracking the same issue here https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices-mso_o365b/aad-connect-sync-issue-after-changing-domains/5b3fd134-8297-44cb-81eb-c50a8fbdd71f?messageId=d16fbc0a-5ca3-49c7-9b92-52cbe220055ecatmur-fed I solved the issue by resorting to hard-match instead.
I had also tried solving the issue with MS Support, but they were basically saying the same as you report in the thread, so that lead nowhere.
The solution was to change source anchor to mS-DS-ConsistencyGuid on AzureAD Connect setup, populate matching immutableID on onprem groups and then run sync.
you can take a look at this article for reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#changing-the-sourceanchor-attribute
there was another article regarding group hard-maching but i cannot find it, i will maybe try later.
Cheers
Thanks RNalivaika - I might give that a try later today.
