Oct 14 2020 11:27 PM - edited Oct 14 2020 11:36 PM
Hello,
We are an organization of 1000+ users with ADs (domain and subdomains) linked to Azure AD via Azure AD Connect.
Currently the anchor source is ObjectSID, UPN = mail and Hybrid Exchange.
We would like to change it to MS-DS-ConsistencyGUID in order to be able to move objects easily between ADs without impacting the Azure AD accounts. (Or find a tested procedure)
We have found documentation about changing the anchor source for ObjectGUID attributes to MS-DS-ConsistencyGUID but not much for attributes other than ObjectGUID.
I have read and tested several ideas but nothing is 100% risk free.
For you, what is the best procedure to change this anchor source without loss of connection/identification for the end user (on Office 365 for example)?
BTW: Soft Delete is not an option unless we have no choice.
Dec 04 2020 09:26 AM
The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.
The sourceAnchor attribute can only be set during initial installation. If you rerun the installation wizard, this option is read-only. If you need to change this setting, then you must uninstall and reinstall. If the value for sourceAnchor is changed after the object has been exported to Azure AD, then Azure AD Connect sync throws an error and does not allow any more changes on that object before the issue has been fixed and the sourceAnchor is changed back in the source directory.
Please refer to the MS documentation for details.
Jun 10 2021 08:25 AM
@Gaet_W Can you explain how you did this re-match with a script? We have talked to MS in the past about changing the Source Anchor and they were unable to come up with any ideas other than rebuilding the entire Azure AD environment.
Oct 19 2021 07:41 AM
Could you share how you did this? @Gaet_W
Oct 26 2021 09:45 AM - edited Oct 26 2021 09:49 AM
@Gaet_W We did this previously because we were using extensionAttribute1 because of multiple domains and trying to keep the source anchor consistent across multiple domains.
When we contacted MS about this, we got the following procedure (copied straight from the email we got back). It will require a full disconnect of AADConnect.
There is no downtime using this method. Just a temporary desync of objects for a weekend.
There is a risk of some passwords becoming unsynced as people reset or change passwords, but we mitigated this by requiring anyone who had a password change near our maintenance window to update it before we started. We also had a process to allow people to access both on-prem resources and office 365 if they did need a password reset.
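Before any re-match or anchor change like the ones discussed in this thread, the check a practitioner wants is whether every on-prem user's mS-DS-ConsistencyGuid already reproduces the ImmutableId Azure AD holds for that user, because a value that differs is exactly what makes AADConnect stop syncing the object. The script below is an added example, not from this thread or from Microsoft; it works on exported data (constructed sample rows here, in a real run a CSV from Get-ADUser and the cloud ImmutableId list), and it assumes the cloud anchor is GUID-derived, i.e. base64 of the GUID's .NET byte order, which is the objectGUID/mS-DS-ConsistencyGuid case rather than the ObjectSID anchor the original poster currently has.

```python
import base64
import uuid

def immutable_id_from_guid(guid_text: str) -> str:
    # Azure AD's ImmutableId for a GUID anchor is base64 of the 16 bytes in
    # .NET Guid.ToByteArray() order (mixed-endian); uuid.bytes_le reproduces it.
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")

def guid_from_immutable_id(immutable_id: str) -> str:
    # Inverse mapping: recover the GUID to write into mS-DS-ConsistencyGuid.
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))

def check_anchor_consistency(onprem, cloud):
    # onprem: list of dicts with upn, objectGUID, consistencyGuid ('' if unset)
    # cloud:  dict upn -> ImmutableId; returns dict upn -> status
    result = {}
    for row in onprem:
        upn = row["upn"]
        if upn not in cloud:
            result[upn] = "not-in-cloud"
        elif row["consistencyGuid"]:
            # Anchor already populated: it must reproduce the cloud value exactly.
            expected = immutable_id_from_guid(row["consistencyGuid"])
            result[upn] = "ok" if expected == cloud[upn] else "mismatch"
        else:
            # Not populated yet: objectGUID is only safe to copy in if the cloud
            # already holds it; otherwise the cloud value must be carried over.
            same = immutable_id_from_guid(row["objectGUID"]) == cloud[upn]
            result[upn] = "missing" if same else "missing-cloud-differs"
    return result

# Constructed sample data (hypothetical users and made-up GUIDs).
G1, G2 = "5c0a3e7a-3b1e-4b8f-9c2d-1a2b3c4d5e6f", "0f1e2d3c-4b5a-4697-8877-665544332211"
G3, G4 = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", "deadbeef-0001-4002-8003-000000000004"
G5, G6 = "11111111-2222-4333-8444-555555555555", "66666666-7777-4888-9999-aaaaaaaaaaaa"
SAMPLE_ONPREM = [
    {"upn": "alice@example.com", "objectGUID": G1, "consistencyGuid": G1},
    {"upn": "bob@example.com", "objectGUID": G2, "consistencyGuid": ""},
    {"upn": "carol@example.com", "objectGUID": G3, "consistencyGuid": G4},  # moved forest
    {"upn": "dave@example.com", "objectGUID": G5, "consistencyGuid": G5},
    {"upn": "erin@example.com", "objectGUID": G6, "consistencyGuid": ""},
]
SAMPLE_CLOUD = {"alice@example.com": immutable_id_from_guid(G1),
                "bob@example.com": immutable_id_from_guid(G2),
                "carol@example.com": immutable_id_from_guid(G4),
                "dave@example.com": immutable_id_from_guid(G6)}

def run_sample():
    return check_anchor_consistency(SAMPLE_ONPREM, SAMPLE_CLOUD)

if __name__ == "__main__":
    for upn, status in run_sample().items():
        print(f"{upn}: {status}")
```

For a "missing-cloud-differs" user, guid_from_immutable_id(cloud value) gives the GUID to stamp into mS-DS-ConsistencyGuid so the existing cloud identity is kept; a "mismatch" user needs investigation before any full sync.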