Forum Discussion
RNalivaika
Dec 08, 2020 Iron Contributor
Azure AD Connect stale object cleanup
Hi all, we recently migrated from old onprem AD to new onprem AD. We had Azure AD Connect sync in the old domain. We disabled it, cleared immutableid on cloud identities and configured sync on the ne...
Pontus Själander
Dec 19, 2020 Iron Contributor
RNalivaika
Have you tried to hard match an end-user's account?
That might solve the issue, so that the in-cloud object is matched with the correct AD account in the new on-prem Active Directory that is currently syncing.
RNalivaika
Dec 22, 2020 Iron Contributor
Pontus Själander hard-match is impossible in this case.
For affected user objects it is impossible because immutableid on cloud object is not "$null" and does not "translate" to the objectid of the account in the new onprem-domain.
For groups hard-matching is impossible in this case of a new on-prem domain. Soft-matching does not work either: instead of matching the objects, Azure AD Connect just creates a new group without email attributes.
The best solution here would be if AzureAD supported converting hybrid/synced objects to cloud objects in the cloud interface.
The solution I will use is disabling the sync, doing the cleanup and then reactivating the sync. Downsides of this are that I have to activate password sync and deactivate Azure AD sync, which creates a window where on-prem changes will not be synced to Azure AD, and lastly I am a bit worried about how all the Hybrid Azure AD joined machines will react to deactivating and activating the sync again.
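The hard-match suggestion above hinges on whether a cloud object's ImmutableId "translates" to an objectGUID that exists in the new on-prem domain. The following is an added example (not from either poster, and not Microsoft tooling) that shows the translation both ways and classifies a constructed inventory of cloud objects as cloud-only, matched to the new domain, or stale (anchored to a GUID no new-domain object has). In a real cleanup the objectGUIDs would come from the new domain via Get-ADUser/Get-ADGroup and the ImmutableIds from Azure AD; the UPNs and GUIDs below are constructed sample values.

```python
import base64
import uuid


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Derive the ImmutableId Azure AD Connect writes for an on-prem objectGUID.

    The value is the base64 encoding of the GUID's 16 bytes in the order that
    .NET's Guid.ToByteArray() produces (first three fields little-endian).
    Python's UUID.bytes_le yields exactly that byte order.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse direction: recover the objectGUID an ImmutableId encodes."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def classify_cloud_objects(cloud_objects: dict, new_domain_objects: dict) -> dict:
    """Label each cloud object relative to the new on-prem domain.

    cloud_objects:      {userPrincipalName: ImmutableId or None}
    new_domain_objects: {userPrincipalName: objectGUID string in the new domain}
    Returns {userPrincipalName: "cloud-only" | "matched" | "stale"}.
    """
    expected = {immutable_id_from_object_guid(g): upn
                for upn, g in new_domain_objects.items()}
    result = {}
    for upn, immutable_id in cloud_objects.items():
        if immutable_id is None:
            # No anchor at all: soft match on UPN/mail is still an option.
            result[upn] = "cloud-only"
        elif immutable_id in expected:
            # Already anchored to an object that exists in the new domain.
            result[upn] = "matched"
        else:
            # Anchored to a GUID that no new-domain object carries (old domain).
            result[upn] = "stale"
    return result


# Constructed sample data (hypothetical tenant, not real values).
NEW_DOMAIN_GUIDS = {
    "alice@example.com": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
    "bob@example.com": "6ba7b811-9dad-11d1-80b4-00c04fd430c8",
}

CLOUD_OBJECTS = {
    # alice already points at her new-domain objectGUID
    "alice@example.com": immutable_id_from_object_guid("6ba7b810-9dad-11d1-80b4-00c04fd430c8"),
    # bob still carries the anchor from the old domain's objectGUID
    "bob@example.com": immutable_id_from_object_guid("11111111-2222-3333-4444-555555555555"),
    # carol was never synced
    "carol@example.com": None,
}


def sample_report() -> dict:
    """Classify the constructed inventory; stale entries are the cleanup candidates."""
    return classify_cloud_objects(CLOUD_OBJECTS, NEW_DOMAIN_GUIDS)


if __name__ == "__main__":
    for upn, state in sample_report().items():
        anchor = CLOUD_OBJECTS[upn]
        decoded = object_guid_from_immutable_id(anchor) if anchor else "-"
        print(f"{upn:20} {state:10} {decoded}")
```

Objects reported as "stale" are exactly the ones where a hard match to the new domain cannot be applied by the usual route, because the existing ImmutableId decodes to a GUID the new domain never issued; the decoded GUID in the report makes that visible before any sync is disabled.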