<h1>How to Sync On-Prem AD With Existing Azure AD Users</h1>
<p>Published 2023-09-28, last modified 2023-10-19. Source: https://activedirectorypro.com/sync-on-prem-ad-with-existing-azure-ad-users/</p>

<p>Do you have existing Azure AD users using Office 365 and need to sync them with on-premises Active Directory?</p>

<p>In this guide, I’ll walk through how to sync on-premises AD users with existing Azure AD users.</p>

<p>Table of contents:</p>
<ul>
<li>Soft-match vs Hard-match</li>
<li>Sync on-premises users with Azure using Soft Match</li>
<li>Sync on-premises users with Azure using Hard Match</li>
<li>Bulk Modify UserPrincipalName, Email and ProxyAddresses</li>
<li>Conclusion</li>
</ul>

<h2>Soft-match vs Hard-match</h2>

<p><strong>In this example, I have 5 existing Azure AD user accounts.</strong></p>

<p>I’ve created the same users in my on-premises AD and I want to sync them with the existing Azure accounts.</p>

<p>There are two options to match on-prem AD users with existing Azure AD users:</p>
<ul>
<li>Soft match: the on-prem account’s userPrincipalName, e-mail and primary proxyAddress are set to match the Azure account.</li>
<li>Hard match: the Azure account’s immutableID is set to the on-prem account’s objectGUID.</li>
</ul>

<p>Next, I’ll walk through both examples.</p>

<h2>Sync on-premises users with Azure using Soft Match</h2>

<p>You will need to modify the following three attributes for each on-prem user account:</p>
<ul>
<li>UserPrincipalName</li>
<li>E-mail</li>
<li>ProxyAddresses</li>
</ul>

<p><strong>Tip:</strong> The AD Pro Toolkit allows you to easily bulk modify/update user attributes. See the example at the end of this article for more details.</p>

<h3>Step 1. Set UserPrincipalName</h3>

<p>The on-prem AD account’s UserPrincipalName needs to match the Azure account’s username.</p>

<p>For example, the Azure user Adam Anderson has the username adam.anderson@activedirectorypro.com.</p>

<p>My on-prem AD account must match this.</p>

<p>Click the Account tab and check the user logon name.</p>

<p>It matches.</p>

<h3>Step 2. Set E-mail</h3>

<p>The on-prem user account’s e-mail must match the Azure account. Click on the General tab and check the E-mail field.</p>

<h3>Step 3. Set ProxyAddresses</h3>

<p>The on-prem account must have the primary proxyAddress set.</p>

<p>Click on the Attribute Editor tab, then click on proxyAddresses. Add the primary address with the prefix SMTP: in capital letters; the upper-case prefix is what marks the address as the primary one.</p>

<p>When you have those 3 account settings configured, move to step 4.</p>

<h3>Step 4. Force Azure AD Sync</h3>

<p>Force an Azure AD sync with the command below.</p>

<pre><code>Start-ADSyncSyncCycle -PolicyType Delta</code></pre>

<p>Open the Azure Synchronization Service Manager and verify it added or modified the user.</p>

<p>You can click on Adds and then the distinguished name to view more properties.</p>

<h3>Step 5. Check Azure Object Sync Status</h3>

<p><strong>Hopefully, the Azure account will now say synced with on-premises.</strong></p>

<p>Wow, it actually worked. My Adam Anderson account is now showing synced from on-premises.</p>

<p>Sometimes it works and sometimes it doesn’t. I’ve followed these exact steps before with no luck. I even contacted Microsoft support and they said sometimes it does not work and the only solution is to use a hard match.</p>

<h2>Sync on-premises users with Azure using Hard Match</h2>

<p>If a soft match does not work, then you will need to use a hard match.</p>

<p>A hard match sets the Azure immutableID to the same value as the on-prem objectGUID.</p>

<p>Even though this method hard-codes the immutableID, you should still make sure the local AD account is using the same <strong>userPrincipalName</strong> and <strong>email address</strong> as the cloud account.</p>

<h3>Step 1. Get Local AD Account ObjectGUID</h3>

<p>Run the following PowerShell command to get the objectGuid of the local AD account.</p>

<pre><code>Get-ADUser username | fl objectGuid</code></pre>

<p>Example for user alva.wood.</p>

<h3>Step 2. Convert to base64 string</h3>

<p>The local value is a GUID string and needs to be converted to a base64-encoded string to use in Azure. Take the objectGuid value from step 1 and convert it with the command below.</p>

<pre><code>[Convert]::ToBase64String([guid]::New("d8d3db91-b03f-4dcc-9544-54c84c1ff050").ToByteArray())</code></pre>

<h3>Step 3. Set Immutable ID on the Azure account</h3>

<p>Connect to Azure AD using PowerShell (MSOnline module).</p>

<pre><code>Connect-MsolService</code></pre>

<p>Check the current ImmutableId.</p>

<pre><code>Get-MsolUser -UserPrincipalName Alva.Wood@activedirectorypro.com | Select-Object ImmutableId</code></pre>

<p>This user’s ImmutableID is blank. No problem; it may be blank or have a value.</p>

<h3>Step 4. Set new immutableID for Azure account</h3>

<p>Run this command using the base64 string value from step 2.</p>

<pre><code>Set-MsolUser -UserPrincipalName alva.wood@activedirectorypro.com -ImmutableId kdvT2D+wzE2VRFTITB/wUA==</code></pre>

<p>Now let’s verify the immutableID has been set on the account.</p>

<pre><code>Get-MsolUser -UserPrincipalName Alva.Wood@activedirectorypro.com | Select-Object ImmutableId</code></pre>

<p>Looks good.</p>

<p>At this point, we have linked the local AD account and the Azure AD account together using the immutableID (the local account’s objectGuid is now the Azure AD account’s immutableID).</p>

<p>The last step is to run an Azure AD Connect sync and see if the Azure AD account changes to synced from on-prem.</p>

<h3>Step 5. Run a delta sync</h3>

<p>On your Azure AD Connect server, run a delta sync.</p>

<pre><code>Start-ADSyncSyncCycle -PolicyType Delta</code></pre>

<p>Wait about 5 minutes and then check whether the Azure account now shows as synced with the on-prem account.</p>

<p>Success! The on-prem account is now synced up with the Azure account.</p>

<p>As you can see, the hard match takes multiple manual steps; this will be a pain to do for many accounts.</p>

<h2>Bulk Modify UserPrincipalName, Email and ProxyAddresses</h2>

<p>You can easily modify on-prem AD accounts using the AD Pro Toolkit.</p>

<p>For example, I have 47 users in my Marketing OU; they are missing the email address, and the proxyAddresses need to match the Azure account.</p>

<p>Using the AD Pro Toolkit I can easily bulk update these attributes.</p>

<p>Now I can use the export users tool to quickly view the userPrincipalName, email, and proxyAddresses attributes for all my users.</p>

<p>To learn more about updating user attributes, see the resources below.</p>

<h2>Conclusion</h2>

<p>In this guide, I showed you how to sync on-premises AD users with existing Azure AD users. I prefer to use a soft match, but unfortunately it doesn’t always work and you have to do a hard match. No matter which option you use to sync the accounts, it is important that the email, proxyAddresses, and userPrincipalName match between on-prem AD and Azure AD.</p>
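<p>The two manual pieces of the hard-match procedure above (converting an objectGuid to the base64 immutableID in step 2, and making sure the UPN, e-mail and primary SMTP proxy address still line up) can be checked in PowerShell before anything is written to Azure AD. The script below is an added example, not code from the article or from the AD Pro Toolkit. The function names <code>ConvertTo-ImmutableId</code>, <code>ConvertFrom-ImmutableId</code> and <code>Test-SoftMatchAttributes</code> and the sample user object are constructed for this demonstration; in practice the user object would come from <code>Get-ADUser -Properties mail,proxyAddresses</code>, and the resulting base64 value is what you would pass to <code>Set-MsolUser -ImmutableId</code>. Everything here runs offline against the constructed input.</p>

```powershell
# Added example (not from the article). Helper names and the sample user are
# assumptions constructed for this demo; nothing here talks to AD or Azure AD.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    # Guid.ToByteArray() emits the 16-byte layout that Azure AD Connect
    # base64-encodes as the ImmutableId, so this reproduces step 2 exactly.
    [Convert]::ToBase64String([guid]::new($ObjectGuid).ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: confirm that an ImmutableId already present on a cloud
    # account really belongs to the on-prem object you expect before syncing.
    [guid]::new([Convert]::FromBase64String($ImmutableId)).Guid
}

function Test-SoftMatchAttributes {
    param(
        [Parameter(Mandatory)]$User,          # object with UserPrincipalName, Mail, ProxyAddresses
        [Parameter(Mandatory)][string]$CloudUpn,   # username of the existing Azure AD account
        [Parameter(Mandatory)][string]$CloudMail   # e-mail of the existing Azure AD account
    )
    $problems = @()
    # UPN and mail comparisons are case-insensitive, which matches how Azure AD treats them.
    if ($User.UserPrincipalName -ne $CloudUpn) {
        $problems += "UPN '$($User.UserPrincipalName)' does not match '$CloudUpn'"
    }
    if ($User.Mail -ne $CloudMail) {
        $problems += "mail '$($User.Mail)' does not match '$CloudMail'"
    }
    # The primary address must use the upper-case 'SMTP:' prefix (-clike is case-sensitive),
    # and there must be exactly one such entry; 'smtp:' entries are secondary aliases.
    $primary = @($User.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly one primary 'SMTP:' address, found $($primary.Count)"
    }
    elseif ($primary[0].Substring(5) -ne $CloudMail) {
        $problems += "primary address '$($primary[0])' does not match '$CloudMail'"
    }
    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        Ready             = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

# --- Demo on a constructed on-prem user (values taken from the article's examples) ---
$onPremUser = [pscustomobject]@{
    UserPrincipalName = 'alva.wood@activedirectorypro.com'
    Mail              = 'alva.wood@activedirectorypro.com'
    ProxyAddresses    = @('SMTP:alva.wood@activedirectorypro.com', 'smtp:awood@activedirectorypro.com')
    ObjectGuid        = 'd8d3db91-b03f-4dcc-9544-54c84c1ff050'
}

# Step 2 of the hard match: GUID -> ImmutableId (yields kdvT2D+wzE2VRFTITB/wUA== for this GUID)
$immutableId = ConvertTo-ImmutableId $onPremUser.ObjectGuid
$immutableId

# Round-trip check: the ImmutableId decodes back to the original objectGuid
ConvertFrom-ImmutableId $immutableId

# Pre-check of the three soft-match attributes; Ready is $true for this sample
Test-SoftMatchAttributes -User $onPremUser `
    -CloudUpn 'Alva.Wood@activedirectorypro.com' `
    -CloudMail 'Alva.Wood@activedirectorypro.com' | Format-List

# A broken sample: lower-case 'smtp:' primary and a mismatched UPN are both reported
$badUser = [pscustomobject]@{
    UserPrincipalName = 'awood@activedirectorypro.com'
    Mail              = 'alva.wood@activedirectorypro.com'
    ProxyAddresses    = @('smtp:alva.wood@activedirectorypro.com')
}
(Test-SoftMatchAttributes -User $badUser `
    -CloudUpn 'alva.wood@activedirectorypro.com' `
    -CloudMail 'alva.wood@activedirectorypro.com').Problems
```

<p>Running the pre-check over an OU’s worth of users (piping <code>Get-ADUser -Filter * -SearchBase ... -Properties mail,proxyAddresses</code> into <code>Test-SoftMatchAttributes</code>) surfaces the lower-case <code>smtp:</code> primaries and UPN mismatches that make a soft match silently fail, before you spend a delta-sync cycle finding out. The round-trip through <code>ConvertFrom-ImmutableId</code> is the check to run when a cloud account already carries an ImmutableId: if it decodes to a different objectGuid than the on-prem account you intend to link, the two objects were matched to something else previously and overwriting it deserves a second look.</p>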