Azure AD/Office 365/Local AD Sync

    Question

  • Hi - I have set up Azure AD to sync with our local AD. We also have O365 email. One quirk we have is that the local AD is on http://subdomain.domainb.com and the O365 on http://domaina.com - the 365 (domaina.com) domain is not associated with the local domain at this point (although it would make sense to add it for a single point of logon) - so this was all fine, sync worked as expected and I saw that every user now has two accounts in Azure AD and O365 with the different email/user ID. However, for *one* user it seemed to merge the two accounts together. His O365 mailbox is now attached to his local AD synced account. At this stage I wasn't wanting this nor expecting it. Is there any way I can separate them back, and why would it have happened?
    Tuesday, April 25, 2017 2:26 PM

All replies

  • We provide the Azure AD Connect tool to sync on-premises AD with Azure AD. We would be interested to know how you synced Azure AD with on-premises AD.
    Refer to - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad

     *one* user it seemed to merge the two accounts together. His O365 mailbox is now attached to his local AD synced account.
    Not clear; could you elaborate more on this?


    Thursday, April 27, 2017 10:09 AM
    Moderator
  • Hi Sadiqh,

    I used the Azure AD Connect tool - installed on our on-premises DC.

    This brought all users into Azure along with all users already in O365.

    So we had duplicates for everyone, i.e.

    user@office365domain.com

    user@onpremisedomain.com

    However, for just *one* of the users it set his Office 365/Azure user account to user@onpremisedomain.com, meaning his Office 365 login changed to that of the local domain. Why would this happen on just one user, and how can I put him back to logging in to 365 with his office365domain.com address?


    • Edited by TomF99 Tuesday, May 02, 2017 9:06 AM
    Tuesday, May 02, 2017 9:01 AM

  • If you sync an on-premises AD user from on-premises AD to Azure AD, Azure AD will perform the following:

    1. Hard-match: Look for an existing AAD user whose source anchor value matches the on-premises AD object. Customers can manually stamp the source anchor value to force a hard-match.
    Reference: https://blogs.technet.microsoft.com/praveenkumar/2014/04/11/how-to-do-hard-match-in-dirsync/

    2. Soft-match: Look for an existing AAD user whose UPN or primary SMTP address matches the on-premises AD object. Once soft-match succeeds, the source anchor of the on-premises AD object is stamped on the AAD user object. Next time, they will be hard-matched. This is true even if the soft-match properties change subsequently.
    Reference: https://support.microsoft.com/en-us/help/2641663/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization

    3. Create a new AAD object.

    Once an on-premises AD object is matched to an Azure AD object, there is no easy way to separate them. The only supported mechanism is to turn off directory synchronization on the Azure AD tenant, which will convert all “on-premises mastered” objects to “cloud-mastered” objects. At that point, you can clear the source anchor value stamped on the Azure AD object. Then you can re-enable directory synchronization. It can take hours if not days to disable and re-enable directory synchronization. Hence, it is often not feasible for larger customers.

    Tuesday, May 09, 2017 4:23 AM
    Moderator
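The matching precedence described in the answer above, as an added simulation that is not part of the thread and not Azure AD Connect's own code: it models the source anchor as the base64-encoded objectGUID (the tool's classic default ImmutableId) and uses constructed UPN/proxyAddresses sample data, so an admin can dry-run which on-premises accounts would soft-match an existing cloud account before enabling sync. Assumed simplification: a cloud object that already carries a source anchor is not eligible for a second soft-match.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass
class OnPremUser:
    object_guid: uuid.UUID
    upn: str
    proxy_addresses: list          # the "SMTP:" (upper case) entry is the primary address

@dataclass
class CloudUser:
    upn: str
    primary_smtp: str
    immutable_id: Optional[str] = None   # source anchor; None means cloud-only, unlinked

def source_anchor(guid: uuid.UUID) -> str:
    """Classic Azure AD Connect default: ImmutableId = base64 of the objectGUID bytes."""
    return base64.b64encode(guid.bytes_le).decode()

def soft_match_keys(user: OnPremUser) -> set:
    """UPN plus primary SMTP address, lower-cased, as the soft-match candidates."""
    smtp = [a[5:] for a in user.proxy_addresses if a.startswith("SMTP:")]
    return {k.lower() for k in [user.upn] + smtp}

def match_user(onprem: OnPremUser, cloud: list) -> tuple:
    """Hard-match, then soft-match, then create; returns (how, cloud_user)."""
    anchor = source_anchor(onprem.object_guid)
    for c in cloud:                                  # 1. hard-match on the source anchor
        if c.immutable_id == anchor:
            return "hard-match", c
    keys = soft_match_keys(onprem)
    for c in cloud:                                  # 2. soft-match on UPN or primary SMTP
        if c.immutable_id is None and {c.upn.lower(), c.primary_smtp.lower()} & keys:
            c.immutable_id = anchor                  # stamped: every later cycle hard-matches
            c.upn = onprem.upn                       # on-prem now masters the object: the login change
            return "soft-match", c
    new = CloudUser(onprem.upn, onprem.upn, anchor)  # 3. no match: create a new cloud object
    cloud.append(new)
    return "create", new

def simulate_sync(onprem_users: list, cloud: list) -> dict:
    """Dry-run audit: which on-prem accounts would attach to an existing cloud account."""
    return {u.upn: match_user(u, cloud)[0] for u in onprem_users}

# Constructed sample: tenant on domaina.com, forest on sub.domainb.com; only tom's primary SMTP
# proxyAddress happens to equal his cloud address, which is what makes him soft-match.
CLOUD = [CloudUser("tom@domaina.com", "tom@domaina.com"),
         CloudUser("alice@domaina.com", "alice@domaina.com")]
ONPREM = [OnPremUser(uuid.UUID(int=1), "tom@sub.domainb.com", ["SMTP:tom@domaina.com"]),
          OnPremUser(uuid.UUID(int=2), "alice@sub.domainb.com", ["SMTP:alice@sub.domainb.com"])]
```

Running `simulate_sync(ONPREM, CLOUD)` on the sample reports tom as a soft-match and alice as a create, and a second pass with tom's UPN changed still hard-matches him to the same cloud object because the anchor has been stamped.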