Hard matching for Groups?


  • Hi,

    I am planning a move of a 2000+ user 365 tenant from one on-prem AD to a new on-prem AD. I have created scripts to convert and set ImmutableID from the new AD to do hard matching for user objects. This works well in a test environment, as hard matching for users is well documented.

    However, I also need to do hard matching for 600+ groups and have not found a way to do this. I have searched to the end of the internet to no avail....

    Can anyone help on how I can achieve this?

    Any help is appreciated.




    Tuesday, May 2, 2017 7:17 PM


All replies

  • The process for groups is the same as for users. The attribute is called sourceAnchor (the same as for users) in the sync engine. You need to copy the objectGUID for the groups to a spare attribute in your new AD and change the sync rules in Connect so it is using this attribute as the sourceAnchor.

    Wednesday, May 3, 2017 10:04 AM
  • Thank you for your reply. I have been tinkering with the anchor attribute, but the Miis client is not the most explanatory GUI I have come across, so I apologize for asking for more help.

    Are you referring to the "Configure Anchors" setting under Properties for the Azure AD connector?

    I have tried to change the anchor to extensionattribute1 but when clicking OK, I get the following error:

    If I remove Contacts from the sync job, it starts complaining about device so I am obviously doing something wrong?

    Again, your help is very appreciated!

    Wednesday, May 3, 2017 5:56 PM
  • The attribute name is called sourceAnchor. The process involves setting msDS-consistencyGUID. There are some blog posts about your scenario on the Internet, for example:

    You might find more by searching for "msds consistency GUID" on the internet. It is not a process documented by Microsoft at present.

    • Marked as answer by asbton Tuesday, May 9, 2017 8:56 AM
    Thursday, May 4, 2017 6:21 AM
  • Thanks, the article from Jorge was spot on.

    One comment I would like to make, if others are trying the same procedure, is that the value for the msDS-SourceAttribute (or for another chosen string attribute) must be converted to Base64 format for it to work. This was not documented in an otherwise excellent blog post.

    Your help was highly appreciated!

    Tuesday, May 9, 2017 9:02 AM
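
The copy-and-convert step discussed in the replies above, as an added example that is not part of the original posts or the referenced blog. It assumes the ActiveDirectory RSAT module, that each group keeps the same sAMAccountName in both directories, and that extensionAttribute1 is the string attribute chosen as sourceAnchor; the server names are placeholders.

```powershell
# Added example. Assumptions: ActiveDirectory module, groups matched by
# sAMAccountName, extensionAttribute1 is the chosen string sourceAnchor.
Import-Module ActiveDirectory

$OldDC      = 'dc01.old.example'   # placeholder: DC in the old AD
$NewDC      = 'dc01.new.example'   # placeholder: DC in the new AD
$AnchorAttr = 'extensionAttribute1'

function ConvertTo-AnchorString {
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() returns the 16 bytes as AD stores them in objectGUID;
    # Base64 of those bytes is the form the string attribute has to hold.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Test-AnchorString {
    param([string]$Value, [guid]$Expected)
    # Decode again and confirm 16 bytes that rebuild the same GUID.
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $false }
    ($bytes.Length -eq 16) -and
        ((New-Object guid -ArgumentList (,$bytes)) -eq $Expected)
}

# 1. Read every group in the old AD and compute its anchor string.
$map = @{}
Get-ADGroup -Filter * -Server $OldDC -Properties objectGUID | ForEach-Object {
    $anchor = ConvertTo-AnchorString -Guid $_.ObjectGUID
    if (-not (Test-AnchorString -Value $anchor -Expected $_.ObjectGUID)) {
        throw "Round-trip check failed for $($_.SamAccountName)"
    }
    $map[$_.SamAccountName] = $anchor
}

# 2. Stamp the matching group in the new AD. Nothing is overwritten blindly.
foreach ($name in $map.Keys) {
    try   { $target = Get-ADGroup -Identity $name -Server $NewDC -Properties $AnchorAttr }
    catch { Write-Warning "No group '$name' in the new AD; skipped"; continue }

    $current = $target.$AnchorAttr
    # -cne: Base64 is case-sensitive, PowerShell's default -ne is not.
    if ($current -and $current -cne $map[$name]) {
        Write-Warning "$name already holds a different $AnchorAttr; skipped"
        continue
    }
    # Remove -WhatIf once the preview output has been reviewed.
    Set-ADGroup -Identity $target -Server $NewDC -Replace @{ $AnchorAttr = $map[$name] } -WhatIf
}
```

Run it before the new AD's groups are brought into sync scope, so the first export already carries the old anchor values.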
  • @asbton, Appreciate your comments here.

    Wednesday, May 10, 2017 7:33 AM