Forum Discussion

Martin Andersson's avatar
Martin Andersson
Brass Contributor
Oct 09, 2018
Solved

Problems setting up Azure AD Connect

Hello!

 

Ive recently installed Azure AD Connect on one of our DCs.

Ive started out with an testing OU with 1 user.

This user also existed in Office365/AzureAD as "In-cloud" user.

 

I made the user a member of a group called Office365 Sync

I forced the sync- and the user is now synced with on-prem AD

 

However, i moved my own account into this testing OU, made myself a member of "Office365 Sync"

Forced the sync.

My In-Cloud account isnt being converted to a "Synced with local AD" account.

 

Ive matched the mailattribute and proxyaddress.

 

This is my first time setting this up.

 

Basically, the problem is the soft-matchning, i want my Office365 In-cloud to become a "Synced with local AD" account

Azure AD
office 365
  • VasilMichev's avatar
    VasilMichev
    Oct 09, 2018

    You need to look at the Export flows. In general, the question you need to answer here is whether you see a new/duplicate account provisioned for the same user in O365? And, whether there are "quarantined" objects due to the duplicate attribute resiliency feature: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-attribute-resiliency

     

    For general info, objects are being matched between AD and AAD on objectGUID first, and if that fails on the PrimarySMTPAddress (so-called hard-match and soft-match mechanisms). The later will only work if the ImmutableID is empty. Neither one will work if there are errors/quarantined object due to duplicate attributes. Matching UPNs will not "link" the two objects, but you can force the matching process using the articles I linked to above.

     

    One other thing, you should not mess with the objectIdentifier/sourceAnchor, unless you have some specific configurations in place. It's not clear to me why you have chosen to use the mail attribute and not leave the default.

      • Adam Ochs's avatar
        Adam Ochs
        Steel Contributor
        Oct 09, 2018

        The default value that syncs an account in the cloud to an account in your AD is your email address.

         

        When you setup AADC you have to option to change your "source anchor" which is what would be used to identify accounts, but that should not change the original matching.

         

        Did you do a full sync or a delta sync? Make sure you try a full sync, then look at the logs to ensure it is syncing two objects.


        Start-AdSyncSyncCycle -Policytype Full

         

        Adam

Resources