Forum Discussion
Problems setting up Azure AD Connect
- Oct 09, 2018
You need to look at the Export flows. In general, the question you need to answer here is whether you see a new/duplicate account provisioned for the same user in O365? And, whether there are "quarantined" objects due to the duplicate attribute resiliency feature: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-duplicate-attribute-resiliency
For general info, objects are being matched between AD and AAD on objectGUID first, and if that fails on the PrimarySMTPAddress (so-called hard-match and soft-match mechanisms). The latter will only work if the ImmutableID is empty. Neither one will work if there are errors/quarantined objects due to duplicate attributes. Matching UPNs will not "link" the two objects, but you can force the matching process using the articles I linked to above.
One other thing, you should not mess with the objectIdentifier/sourceAnchor, unless you have some specific configurations in place. It's not clear to me why you have chosen to use the mail attribute and not leave the default.
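To make the matching order described above concrete, here is an added Python model (not code from the thread or from Azure AD Connect): it derives the default sourceAnchor/ImmutableID from an objectGUID the way the tool does (base64 of the GUID's raw bytes), then tries a hard match on ImmutableID first, a soft match on the primary SMTP address only when the cloud object's ImmutableID is empty, and flags duplicate addresses that would be quarantined on export. All account data is constructed.

```python
import base64
import uuid

# Constructed sample data (not from the thread): three on-prem accounts and
# their in-cloud counterparts. C's cloud object already carries a foreign
# ImmutableId, so it can neither hard-match nor soft-match.
AD_USERS = [
    {"name": "A", "objectGUID": "01020304-0506-0708-090a-0b0c0d0e0f10",
     "proxyAddresses": ["SMTP:a@contoso.example"]},
    {"name": "B", "objectGUID": "11111111-2222-3333-4444-555555555555",
     "proxyAddresses": ["smtp:b.old@contoso.example", "SMTP:b@contoso.example"]},
    {"name": "C", "objectGUID": "66666666-7777-8888-9999-aaaaaaaaaaaa",
     "proxyAddresses": ["SMTP:c@contoso.example"]},
]
CLOUD_USERS = [
    {"PrimarySmtpAddress": "a@contoso.example", "ImmutableId": "BAMCAQYFCAcJCgsMDQ4PEA=="},
    {"PrimarySmtpAddress": "b@contoso.example", "ImmutableId": ""},
    {"PrimarySmtpAddress": "c@contoso.example", "ImmutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
]

def source_anchor(object_guid):
    """Default sourceAnchor: base64 of the objectGUID's 16 raw bytes in .NET
    Guid.ToByteArray() order, which is Python's bytes_le layout."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def primary_smtp(ad_user):
    """The primary SMTP address is the proxyAddresses entry with upper-case SMTP:."""
    return next(a[5:] for a in ad_user["proxyAddresses"] if a.startswith("SMTP:"))

def match_user(ad_user, cloud_users):
    """Return the outcome of the sync engine's matching order for one AD user."""
    anchor = source_anchor(ad_user["objectGUID"])
    for cu in cloud_users:                      # 1. hard match on ImmutableId
        if cu["ImmutableId"] == anchor:
            return "hard-match"
    smtp = primary_smtp(ad_user).lower()        # 2. soft match on primary SMTP
    hits = [cu for cu in cloud_users if cu["PrimarySmtpAddress"].lower() == smtp]
    if len(hits) > 1:                           # would be quarantined on export
        return "duplicate-attribute"
    if not hits:
        return "no-match"                       # export would create a new cloud user
    return "blocked-immutableid-set" if hits[0]["ImmutableId"] else "soft-match"

def match_all(ad_users=AD_USERS, cloud_users=CLOUD_USERS):
    return {u["name"]: match_user(u, cloud_users) for u in ad_users}

if __name__ == "__main__":
    for name, outcome in match_all().items():
        print(name, outcome)
```

Running it shows the thread's situation: only A pairs up cleanly, B would soft-match, and C stays stuck until its cloud ImmutableID is cleared or set to the on-prem anchor.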
Hello!
Thanks for all the replies.
Do you think it would be easier for me to just reinstall Azure AD Connect, but just use express settings?
If I understood this correctly, it goes for ImmutableID first, and if the ImmutableID doesn't match it just stops?
But if immutableID is empty- it checks for a soft-match?
The OU I'm syncing has 3 accounts.
Account A - This account actually got synced to Office365
Account B - Does not get synced to O365
Account C - Does not get synced to O365
All 3 accounts have in-cloud accounts in O365.
- Martin Andersson, Oct 10, 2018, Brass Contributor
Hey,
I'm currently installing it with express settings :)
For starters I want to define, by a group, which users get synced.
Since this is just a testing phase.
Appreciate all the help I'm getting :)
- Oct 10, 2018
Great! Let us know how it goes!!
Adam
- Martin Andersson, Oct 10, 2018, Brass Contributor
Hey!
It went great, now it syncs like it should.
I have some questions though.
In order to change a person's SMTP address, is it by default the ProxyAddresses attribute, or do I have to configure Azure AD Connect to sync that attribute as well?
With the express settings, is it using hard or soft match?
As I have around 80 other users to convert from in-cloud to "Synced with local AD".
- Roberth Strand, Oct 10, 2018, Brass Contributor
I haven't tried doing it the way you are going about it, but is the ImmutableID now present on both the on-prem and cloud identity? If that's the case, you should be able to change the SMTP address locally and it would sync to the cloud.
- Oct 10, 2018
There is a feature called group writeback, but you'll need a premium license for that!
Here you can find a script that creates objects from your 365 tenant in your AD! Needs a little tweaking though..
- Oct 10, 2018
Yes, exactly! It seems to also add the members as well!
Correct, just edit out the users and contacts.
- Martin Andersson, Oct 10, 2018, Brass Contributor
As of right now it's working really well.
However, in-cloud we have a lot of distribution groups.
Is there a quick way to export, then import these groups, with the members, to the local AD?
Then use hard/soft match to pair them together?
- Martin Andersson, Oct 10, 2018, Brass Contributor
Hey,
Thanks!
Took a look at that script, I understand some of it.
I would like to just remove some parts in order to only sync the groups.
From what I understood, the script is for users, contacts & groups.
- Joerg-Hanebuth, May 23, 2020, Copper Contributor