How to migrate Azure AD synced user from synced on-premises user account to another

Hi community,

Looking for some assistance on the best way to approach the below scenario.

We have an Azure tenant that 3 on-prem ADs in 3 different regions sync to.

One of our users is finished up in our AUS region and is moving to the UK. The user has an AUS on-prem AD account which syncs to Azure.
In Azure and O365 he has groups, emails, OneDrive, etc., which he wants to keep. As we're in a transition period from hybrid to cloud, we're not yet at the stage where we can have cloud-only users, as the laptops they log into are domain joined, so this means he will need to be created in the UK on-prem AD.
How do we ensure his UK on-prem AD object syncs to the Azure AD object and he retains everything?

We want to remove Azure/O365 from an on-prem synced user and associate it with another on-prem AD user to ensure all groups, OneDrive, emails, etc. are kept.

Hope that makes sense.

5 Replies

Hi @peter1640,


The process you're looking for is hard-matching a user with Azure AD Connect. First you need to disconnect the on-prem account in the AUS AD from Azure AD. This can be done by simply moving the on-prem user account to an OU that's not synced to Azure AD. Then you need to take the following steps:

  1. Make sure you have the necessary permissions to manage users in Azure Active Directory (Azure AD) and to perform a hard match.

  2. Identify the user you want to hard-match in Azure AD.

  3. Once you have identified the user, you will need to find the newly created matching on-premises user account in your local Active Directory in the UK. 

  4. Once you have identified the matching on-premises user account, you will need to update the user's ImmutableID attribute in Azure AD to match the objectGUID of the on-premises user account. This can be done through PowerShell (Set-AzureADUser email address removed for privacy reasons -ImmutableId "ObjectGuid from on-prem account") 

  5. After updating the ImmutableID attribute, you will need to run a Delta Import sync in Azure AD Connect. This will perform the hard match and link the Azure AD user account with the on-premises user account.

  6. Verify that the hard match was successful by checking the user's properties in the Azure AD portal and in Active Directory Users and Computers. The user's account should be linked and the user should be able to sign in to both on-premises and cloud resources using the same set of credentials.

Note: It is important to ensure that the user's on-premises and Azure AD accounts have the same user principal name (UPN) and that the UPN is set to the user's email address. This will ensure that the user can sign in to both on-premises and cloud resources using the same set of credentials.


Let me know if you have any additional questions.





Hi Ruud,

Many thanks for taking the time to reply. Will touch base with my European colleagues and give the below a go. Will need to make some UPN adjustments on my end, as the naming convention has since changed and this user was set up with a legacy naming convention.



Hi @peter1640,


No problem, happy to help. Let me know when you have additional questions.




You are assuming they are using the on-prem ObjectGuid as source anchor, which is not necessarily the case; they might be using ms-DS-ConsistencyGuid instead (or even something else).
I would instead go for soft matching, that is, clear ImmutableId on the Azure AD account and activate sync for the new on-prem account afterwards. This might be safer as it is source anchor agnostic.
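
The value written in step 4 of the hard-match answer and the source-anchor caveat in the last reply, as an added example that is not part of the thread: ImmutableId holds the Base64 encoding of the anchor's raw bytes, so this read-only PowerShell script derives the candidate value from both objectGUID and mS-DS-ConsistencyGuid on the new account and compares each with what the cloud object currently holds. The account name, domain controller and UPN are placeholders (assumptions), and which attribute is the configured source anchor has to be confirmed in Azure AD Connect itself.

```powershell
# Added example, not from the thread. Read-only: nothing is changed in AD or Azure AD.
# Assumes the ActiveDirectory and AzureAD modules and an existing Connect-AzureAD session.

function ConvertTo-ImmutableId {
    # ImmutableId is the Base64 encoding of the anchor attribute's raw bytes.
    param([Parameter(Mandatory)][byte[]]$AnchorBytes)
    [Convert]::ToBase64String($AnchorBytes)
}

function Get-AnchorCandidates {
    param(
        [Parameter(Mandatory)][string]$Identity,  # new on-prem account (UK)
        [Parameter(Mandatory)][string]$Server     # domain controller in the UK domain
    )
    $user = Get-ADUser -Identity $Identity -Server $Server -Properties 'mS-DS-ConsistencyGuid'
    $cg   = $user.'mS-DS-ConsistencyGuid'         # $null when the attribute is not populated
    [pscustomobject]@{
        # Guid.ToByteArray() returns the same byte order AD stores in objectGUID.
        FromObjectGuid      = ConvertTo-ImmutableId -AnchorBytes $user.ObjectGUID.ToByteArray()
        FromConsistencyGuid = if ($cg) { ConvertTo-ImmutableId -AnchorBytes ([byte[]]$cg) } else { $null }
    }
}

# Constructed sample GUID: shows the encoding without touching any directory.
ConvertTo-ImmutableId -AnchorBytes ([guid]'00112233-4455-6677-8899-aabbccddeeff').ToByteArray()

# Placeholders (assumptions): replace with the real account, DC and cloud UPN.
$candidates = Get-AnchorCandidates -Identity 'jdoe' -Server 'uk-dc01.example.com'
$cloud      = Get-AzureADUser -ObjectId 'jdoe@example.com'

# Base64 is case-sensitive, so compare with -ceq rather than -eq.
[pscustomobject]@{
    CloudImmutableId       = $cloud.ImmutableId
    FromObjectGuid         = $candidates.FromObjectGuid
    FromConsistencyGuid    = $candidates.FromConsistencyGuid
    MatchesObjectGuid      = $cloud.ImmutableId -ceq $candidates.FromObjectGuid
    MatchesConsistencyGuid = $candidates.FromConsistencyGuid -and
                             ($cloud.ImmutableId -ceq $candidates.FromConsistencyGuid)
}
```

Before the hard match both comparisons are expected to be false, because the cloud object still carries the anchor of the old AUS account; after step 4 and the sync, the comparison for the configured source anchor should be true.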