Hard-matching on-prem AD users to AzureAD/Office 365 users with administrative roles


Azure AD Connect does not allow soft-matching of user accounts which have administrative roles in AzureAD/Office 365 and will create new, separate accounts if you try to sync them up from on-premises Active Directory. There is a workaround, however, which involves hard-matching the accounts using the on-premises objectGUID property (set as the cloud account's ImmutableId).

Run the following command in PowerShell (replace svc_spo with part or all of the username of the account you’re looking for):

ldifde -f C:\users\username\desktop\user-export.txt -r "(Userprincipalname=svc_spo*)" -l "objectguid,userPrincipalName"

  1. Open the user-export.txt file and you’ll be able to see the objectGUID of the account (ldifde writes it out base64-encoded, which is exactly the form the ImmutableId needs)
  2. Now return to PowerShell, run “Connect-MsolService” and log in with an account that has the global administrator role

Run the following command against the account that you’re looking to sync your on-prem account to in AzureAD/Office 365. This will confirm you’ve got the right account:

Get-MsolUser -UserPrincipalName svc_sponlinebackup@domain.onmicrosoft.com

Now copy the “objectGUID” from the export you took earlier and return to PowerShell and run the following command:

Set-MsolUser -UserPrincipalName svc_sponlinebackup@domain.onmicrosoft.com -ImmutableId hAi`2`h`1`u`u`O8wTt/Ig==

Return to the Azure AD Connect server and run another delta sync to Office 365, and you should see the two accounts are now merged:

Start-ADSyncSyncCycle -PolicyType Delta

If you run into any issues, here are some things you can check:

An account has already been created with this objectGUID/ImmutableId in AzureAD/Office 365. The following command will give you the account name (replace the ImmutableId with the one from your export):

Get-MsolUser | Where-Object {$_.ImmutableId -eq "zxG`O`O`d`i`MtgkOsuvKA=="} | select UserPrincipalName

The account existed but has since been soft-deleted from AzureAD/Office 365. The first command will show you whether any accounts exist in the soft-deleted state, and you can then run the second command to remove the account permanently so the ImmutableId is freed up:

Get-MsolUser -ReturnDeletedUsers

Remove-MsolUser -UserPrincipalName svc_sponlinebackup@domain.com.au -RemoveFromRecycleBin
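The whole procedure above, plus the two troubleshooting checks, as a single PowerShell script. This is an added example, not part of the original post: it assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and the account names are placeholders. It reads the objectGUID with Get-ADUser instead of parsing an ldifde export and verifies that the base64 ImmutableId round-trips to the GUID before setting it.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# MSOnline modules are installed and Connect-MsolService has already been run.
# Account names such as svc_spo / domain.onmicrosoft.com are placeholders.
param(
    [Parameter(Mandatory)][string]$OnPremSamAccountName,   # e.g. svc_spo
    [Parameter(Mandatory)][string]$CloudUserPrincipalName  # e.g. svc_spo@domain.onmicrosoft.com
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Read the on-prem objectGUID directly (same value ldifde exports).
$adUser = Get-ADUser -Identity $OnPremSamAccountName -Properties objectGUID
$guid   = [guid]$adUser.ObjectGUID

# 2. ImmutableId is the base64 encoding of the GUID's 16 raw bytes, which is
#    exactly what ldifde prints for objectGUID.
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Write-Host "objectGUID  : $guid"
Write-Host "ImmutableId : $immutableId"

# Sanity check: decoding the ImmutableId must give the same GUID back.
$roundTrip = [guid][System.Convert]::FromBase64String($immutableId)
if ($roundTrip -ne $guid) { throw "ImmutableId does not round-trip to the objectGUID" }

# 3. The troubleshooting checks from the post, run before changing anything.
$clash = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
if ($clash -and $clash.UserPrincipalName -ne $CloudUserPrincipalName) {
    throw "ImmutableId already used by $($clash.UserPrincipalName); resolve that account first"
}
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ImmutableId -eq $immutableId }
if ($deleted) {
    throw "Soft-deleted account $($deleted.UserPrincipalName) still holds this ImmutableId (Remove-MsolUser -RemoveFromRecycleBin)"
}

# 4. Confirm the target cloud account exists, then hard-match it.
$cloudUser = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName -ErrorAction SilentlyContinue
if (-not $cloudUser) { throw "Cloud user $CloudUserPrincipalName not found" }
Set-MsolUser -UserPrincipalName $CloudUserPrincipalName -ImmutableId $immutableId
Write-Host "ImmutableId set on $CloudUserPrincipalName; run Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server"
```

The delta sync still has to be started on the Azure AD Connect server itself, as in the original steps.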