Dec 08 2020
- last edited on
Jan 14 2022
Hi all, we recently migrated from old onprem AD to new onprem AD. We had Azure AD Connect sync in the old domain. We disabled it, cleared immutableid on cloud identities and configured sync on the new onprem AD domain. We did not enable sync of all identities at once on the new domain, but rather doing it in stages. And then somebody turned on sync on the old domain again, so that some mail enabled security groups and user objects became synchronized again, but with the old domain. Then the old domain was disconnected from the network. Now some of the objects cannot be soft-matched or edited, because they are linked to the old domain. We no longer have access to the old domain and cannot decommission the old AAD Connect properly. How can we remove the link between AAD users/groups and the old domain? Regards, Ruslan
Dec 22 2020 03:43 AM
@Pontus Själander hard-match is impossible in this case.
For affected user objects it is impossible because immutableid on cloud object is not "$null" and does not "translate" to the objectid of the account in the new onprem-domain.
For groups hard-matching is impossible in this case of a new on-prem domain. Soft-matching does not work either - instead of matching the objects, azuread connect just creates a new group without email attributes.
The best solution here would be if AzureAD supported converting hybrid/synced objects to cloud objects in the cloud interface.
The solution I will use is disabling the sync, doing the cleanup and then reactivating the sync. Downsides with this will be that I have to activate password sync, deactivate azure ad sync - this will create a window where onprem changes will not be synced to AzureAD, and lastly I am a bit worried how all the Hybrid AzureAD joined machines will react to deactivating and activating the sync again.
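As an added example (not code from this thread), a PowerShell check for the user-object situation described in the reply above: for each UPN it compares the cloud ImmutableId with the objectGUID of the account in the new on-prem domain, so you can see which users are still anchored to the old domain before disabling and reactivating the sync. The UPN list and domain name are constructed, and it assumes the MSOnline and ActiveDirectory modules are loaded and Connect-MsolService has already been run.

```powershell
# Added example, not from the original thread. Assumes MSOnline and ActiveDirectory
# modules are available and Connect-MsolService has been run with an admin account.
$upns = @('user1@contoso.example', 'user2@contoso.example')   # constructed sample input

foreach ($upn in $upns) {
    $cloud = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $cloud) { Write-Output "$upn : not found in Azure AD"; continue }

    # Look up the same person in the new on-prem domain by UPN
    $onprem = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties objectGUID
    if (-not $onprem) { Write-Output "$upn : no account in the new on-prem domain"; continue }

    # Azure AD stores ImmutableId as the base64 form of the on-prem objectGUID bytes;
    # this is the value a hard match from the new domain would need to see.
    $expected = [Convert]::ToBase64String($onprem.objectGUID.ToByteArray())

    if ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
        Write-Output "$upn : cloud-only (ImmutableId empty), soft match by UPN/SMTP is possible"
    } elseif ($cloud.ImmutableId -eq $expected) {
        Write-Output "$upn : already hard-matched to the new domain"
    } else {
        # Still anchored to the old domain's objectGUID; record the value before changing anything.
        Write-Output "$upn : ImmutableId $($cloud.ImmutableId) does not match new-domain GUID ($expected)"
        # Once the old-domain sync is confirmed disconnected, the link can be cleared with:
        # Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"
    }
}
```

The Set-MsolUser line is left commented out so the script only reports; clearing the ImmutableId is the step that makes the object eligible for soft matching on the next sync cycle.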