Forum Discussion
Azure AD Connect stale object cleanup
RNalivaika
Have you tried to hard-match an end user's account?
That might solve the issue, so the in-cloud object is matched with the correct AD account in the new on-prem Active Directory that is currently syncing.
- RNalivaika, Dec 22, 2020, Iron Contributor
Pontus Själander, hard-match is impossible in this case.
For affected user objects it is impossible because the ImmutableId on the cloud object is not "$null" and does not "translate" to the objectid of the account in the new on-prem domain.
For groups, hard-matching is impossible in this case of a new on-prem domain. Soft-matching does not work either: instead of matching the objects, Azure AD Connect just creates a new group without email attributes.
The best solution here would be if Azure AD supported converting hybrid/synced objects to cloud objects in the cloud interface.
The solution I will use is disabling the sync, doing the cleanup and then reactivating the sync. The downsides of this are that I have to activate password sync and deactivate Azure AD sync, which will create a window where on-prem changes will not be synced to Azure AD, and lastly I am a bit worried about how all the Hybrid Azure AD joined machines will react to deactivating and activating the sync again.
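The mismatch described above (a cloud ImmutableId that does not "translate" to the account in the new on-prem domain) can be checked before deciding between hard-matching and a disable/cleanup/re-enable cycle. The following PowerShell is an added example, not code from either poster: it derives the ImmutableId that Azure AD Connect would generate for the on-prem account (with the default objectGUID sourceAnchor, which is the base64 encoding of the GUID's 16 bytes) and compares it with what the cloud object currently carries. The account name jdoe / jdoe@contoso.com and the use of the ActiveDirectory and AzureAD modules are assumptions; the script only reads, it changes nothing.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory and AzureAD
# PowerShell modules are installed and that 'jdoe' / 'jdoe@contoso.com' exist (placeholders).
Import-Module ActiveDirectory
Import-Module AzureAD
Connect-AzureAD | Out-Null

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Default Azure AD Connect sourceAnchor: base64 of the objectGUID byte array.
    # If the tenant uses ms-DS-ConsistencyGuid as sourceAnchor, feed that attribute instead.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse of the above: lets you see which on-prem GUID the cloud object is anchored to.
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$sam = 'jdoe'               # assumed sAMAccountName in the new on-prem domain
$upn = 'jdoe@contoso.com'   # assumed UPN of the cloud object

$onPrem = Get-ADUser -Identity $sam -Properties objectGUID
$cloud  = Get-AzureADUser -ObjectId $upn

$expected = ConvertTo-ImmutableId -ObjectGuid $onPrem.ObjectGUID

[pscustomobject]@{
    UserPrincipalName   = $upn
    OnPremObjectGuid    = $onPrem.ObjectGUID
    ExpectedImmutableId = $expected
    CloudImmutableId    = $cloud.ImmutableId
    # $true  -> the cloud object already points at this on-prem account
    # $false -> it points at another GUID (typically the old domain's objectGUID)
    Matches             = ($cloud.ImmutableId -eq $expected)
    CloudAnchoredGuid   = if ($cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
}
```

A non-null CloudImmutableId with Matches set to $false is exactly the situation the reply describes: the anchor still belongs to the old forest, so Azure AD Connect will not soft-match the object on its own. Two caveats: the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where the same attribute is exposed as OnPremisesImmutableId on Get-MgUser; and if the tenant was configured with ms-DS-ConsistencyGuid as the sourceAnchor, compare against that attribute rather than objectGUID.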