
I'm currently setting up AD Connect to sync my users from AD to AzureAD and vice versa.

Maybe I did not understand the whole thing correctly. In my mind, what AD Connect synchronization does is the following (very basic explanation, I know it does a lot more, but in essence):

  • If I add or change something on a user in local AD, it updates the corresponding Azure AD user.
  • If I add or change something on an Azure AD user, it updates the corresponding local AD user.

So basically it should connect the two ADs.

Anyhow, I set up a test OU in local AD and currently only sync this OU. In this OU there is a user that already exists in Azure AD (same UPN, same proxyAddresses). In my mind what should happen is that they basically get "connected" and the Azure AD user's properties get updated with the local AD user's properties.

However, the sync tool, when trying to export the Azure AD user, always throws the following error.

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:mail@domain.com]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: b2b7b30e-dc56-4e2a-ad3d-17c89226eb51 ExtraErrorDetails: [{"Key":"ObjectId","Value":["bcc86eef-4fcc-453c-a513-ac0ba12f834f"]},{"Key":"ObjectIdInConflict","Value":["f501c6e5-4e4f-4d19-bbcb-5925a71c7cac"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:mail@domain.com"]}]

According to the following link, when you set up the same UPN and proxyAddresses it should soft-match the local AD user to the Azure AD user and those two get connected.

As soon as I remove the proxyAddresses property from my local AD user the sync works; however, it creates a completely new Azure AD user, which I don't want.

How can I connect my local AD and Azure AD User instead of creating a new Azure AD User?

Edit: SourceAnchor is userPrincipalName. Here's my exported AD Connect configuration:

{
  "policyMetadata": {
    "author": "DOMAIN\\ADMIN",
    "timeCreated": "2022-09-09 08:15:59Z",
    "azureADConnectVersion": "2.1.16.0",
    "policySchemaVersion": "1.0.0.0"
  },
  "deploymentMetadata": {
    "hostName": "server.fqdn",
    "serviceAccount": "NT SERVICE\\ADSync",
    "serviceAccountType": "VirtualServiceAccount",
    "databaseType": "SqlExpress"
  },
  "authenticationPolicy": [
    "PasswordHashSynchronization",
    "DesktopSingleSignOn"
  ],
  "selfServicePasswordReset": true,
  "identityMappingPolicy": {
    "azureSourceAnchorAttribute": "mS-DS-ConsistencyGuid",
    "userPrincipalNameAttribute": "userPrincipalName",
    "userMatchingPolicy": "AlwaysProvision"
  },
  "azureDirectoryPolicy": {
    "administrator": "xy@tenant.onmicrosoft.com",
    "tenantId": "xxx",
    "exportDeletionLimit": "500",
    "standardSynchronizationRules": [
      {
        "Name": "In from AAD - User Join",
        "uniqueIdentifier": "5dac9e96-6e4b-4a54-a96e-b5cf2c91222a",
        "immutableTag": "Microsoft.InfromAADUserJoin.005",
        "precedence": 116
      },
      {
        "Name": "In from AAD - Contact Join",
        "uniqueIdentifier": "45b565c5-fed4-4078-8d06-735a166cfbd9",
        "immutableTag": "Microsoft.InfromAADContactJoin.004",
        "precedence": 117
      },
      {
        "Name": "In from AAD - Group Join",
        "uniqueIdentifier": "ef5e0557-4133-4ce6-8318-7f8fd5606506",
        "immutableTag": "Microsoft.InfromAADGroupJoin.004",
        "precedence": 118
      },
      {
        "Name": "In from AAD - User NGCKey",
        "uniqueIdentifier": "f2ab76f5-a87b-4151-8713-af7b86468f41",
        "immutableTag": "Microsoft.InfromAADUserNGCKey.001",
        "precedence": 119
      },
      {
        "Name": "Out to AAD - User Join",
        "uniqueIdentifier": "20bbc6da-1bf6-4ea3-be56-963faa6c8526",
        "immutableTag": "Microsoft.OuttoAADUserJoin.010",
        "precedence": 120
      },
      {
        "Name": "Out to AAD - User Identity",
        "uniqueIdentifier": "bafcffa3-2508-47af-9008-773ed175e07b",
        "immutableTag": "Microsoft.OuttoAADUserIdentity.006",
        "precedence": 121
      },
      {
        "Name": "Out to AAD - User ExchangeOnline",
        "uniqueIdentifier": "c8ffa191-c9c5-48d1-8fd6-28075b5e484b",
        "immutableTag": "Microsoft.OuttoAADUserExchangeOnline.008",
        "precedence": 122
      },
      {
        "Name": "Out to AAD - User DynamicsCRM",
        "uniqueIdentifier": "4389a50e-fc8f-4a72-bc7e-e1c400e1de23",
        "immutableTag": "Microsoft.OuttoAADUserDynamicsCRM.004",
        "precedence": 123
      },
      {
        "Name": "Out to AAD - User Intune",
        "uniqueIdentifier": "6e3b2ac7-6058-489b-aa43-bebb228274ca",
        "immutableTag": "Microsoft.OuttoAADUserIntune.004",
        "precedence": 124
      },
      {
        "Name": "Out to AAD - User LyncOnline",
        "uniqueIdentifier": "93a9d9da-cd33-4394-8a21-cc157c3b8ce0",
        "immutableTag": "Microsoft.OuttoAADUserLyncOnline.004",
        "precedence": 125
      },
      {
        "Name": "Out to AAD - User SharePointOnline",
        "uniqueIdentifier": "510b3932-3039-41cc-8749-a7ffa38b2f8b",
        "immutableTag": "Microsoft.OuttoAADUserSharePointOnline.004",
        "precedence": 126
      },
      {
        "Name": "Out to AAD - User AzureRMS",
        "uniqueIdentifier": "d9ae0f12-93e3-4359-a8ec-48552bf91d5c",
        "immutableTag": "Microsoft.OuttoAADUserAzureRMS.004",
        "precedence": 127
      },
      {
        "Name": "Out to AAD - Contact Join",
        "uniqueIdentifier": "8a110e5a-5888-426e-85e8-d90d3952d68e",
        "immutableTag": "Microsoft.OuttoAADContactJoin.003",
        "precedence": 128
      },
      {
        "Name": "Out to AAD - Contact Identity",
        "uniqueIdentifier": "8ba9bd1e-b2c4-4650-bb3b-7ab888450e15",
        "immutableTag": "Microsoft.OuttoAADContactIdentity.003",
        "precedence": 129
      },
      {
        "Name": "Out to AAD - Contact ExchangeOnline",
        "uniqueIdentifier": "08a877ce-1139-4277-95ff-eee6a23e416b",
        "immutableTag": "Microsoft.OuttoAADContactExchangeOnline.006",
        "precedence": 130
      },
      {
        "Name": "Out to AAD - Contact DynamicsCRM",
        "uniqueIdentifier": "ab487dfa-2ab3-4cdb-863a-1c956826a156",
        "immutableTag": "Microsoft.OuttoAADContactDynamicsCRM.004",
        "precedence": 131
      },
      {
        "Name": "Out to AAD - Contact Intune",
        "uniqueIdentifier": "7fab8e44-4675-452b-9894-5919681fe90f",
        "immutableTag": "Microsoft.OuttoAADContactIntune.003",
        "precedence": 132
      },
      {
        "Name": "Out to AAD - Contact LyncOnline",
        "uniqueIdentifier": "f3e668e1-622e-4a12-ba47-eb2b65e00902",
        "immutableTag": "Microsoft.OuttoAADContactLyncOnline.006",
        "precedence": 133
      },
      {
        "Name": "Out to AAD - Contact SharePointOnline",
        "uniqueIdentifier": "7f3a8ae9-e30a-4f6e-aec9-880e2d617b43",
        "immutableTag": "Microsoft.OuttoAADContactSharePointOnline.003",
        "precedence": 134
      },
      {
        "Name": "Out to AAD - Contact AzureRMS",
        "uniqueIdentifier": "b326bb9d-0450-433f-b209-b040db5b3946",
        "immutableTag": "Microsoft.OuttoAADContactAzureRMS.003",
        "precedence": 135
      },
      {
        "Name": "Out to AAD - Group Join",
        "uniqueIdentifier": "bdd76fad-6835-45ca-a264-0ae92e4969f9",
        "immutableTag": "Microsoft.OuttoAADGroupJoin.009",
        "precedence": 136
      },
      {
        "Name": "Out to AAD - Group Writeup Member Limit",
        "uniqueIdentifier": "e161bdb8-8427-4735-8cb5-ced71c2b08fc",
        "immutableTag": "Microsoft.OuttoAADGroupWriteupMemberLimit.003",
        "precedence": 137
      },
      {
        "Name": "Out to AAD - Group Identity",
        "uniqueIdentifier": "1fda3330-9c4f-4e72-9863-06a57b02f61b",
        "immutableTag": "Microsoft.OuttoAADGroupIdentity.005",
        "precedence": 138
      },
      {
        "Name": "Out to AAD - Group ExchangeOnline",
        "uniqueIdentifier": "c047f7a6-db47-47de-8f53-0630879b8c20",
        "immutableTag": "Microsoft.OuttoAADGroupExchangeOnline.006",
        "precedence": 139
      },
      {
        "Name": "Out to AAD - Group DynamicsCRM",
        "uniqueIdentifier": "4456c09e-6b0b-47d6-ab5b-9dd8649d7a5b",
        "immutableTag": "Microsoft.OuttoAADGroupDynamicsCRM.004",
        "precedence": 140
      },
      {
        "Name": "Out to AAD - Group Intune",
        "uniqueIdentifier": "3ee358a6-6cc3-4c13-8bf4-3a80b1cf34d0",
        "immutableTag": "Microsoft.OuttoAADGroupIntune.004",
        "precedence": 141
      },
      {
        "Name": "Out to AAD - Group LyncOnline",
        "uniqueIdentifier": "33a32e40-1111-4123-b60e-1513ce084d8b",
        "immutableTag": "Microsoft.OuttoAADGroupLyncOnline.004",
        "precedence": 142
      },
      {
        "Name": "Out to AAD - Group SharePointOnline",
        "uniqueIdentifier": "f3338173-678f-43c7-b8aa-afd1516d58db",
        "immutableTag": "Microsoft.OuttoAADGroupSharePointOnline.004",
        "precedence": 143
      },
      {
        "Name": "Out to AAD - Group AzureRMS",
        "uniqueIdentifier": "be8ef687-abd2-4d14-88b2-95f4065bca23",
        "immutableTag": "Microsoft.OuttoAADGroupAzureRMS.004",
        "precedence": 144
      },
      {
        "Name": "Out to AAD - User OfficeProPlus",
        "uniqueIdentifier": "4b993ef9-912d-409b-894d-c71936317d00",
        "immutableTag": "Microsoft.OuttoAADUserOfficeProPlus.004",
        "precedence": 145
      },
      {
        "Name": "In from AAD - Device Common",
        "uniqueIdentifier": "b1ba74be-1cdf-45bf-9b7f-8ec165657536",
        "immutableTag": "Microsoft.InfromAADDeviceCommon.004",
        "precedence": 147
      },
      {
        "Name": "Out to AAD - Device Join SOAInAD",
        "uniqueIdentifier": "7d6edc6f-3ded-4d36-8f7e-37285bce0ac3",
        "immutableTag": "Microsoft.OuttoAADJoinSOAInAD.008",
        "precedence": 149
      }
    ]
  },
  "onpremisesDirectoryPolicy": [
    {
      "friendlyName": "FQDN",
      "uniqueIdentifier": "bfae4a2c-cf49-4add-936f-eb1d294f5c9d",
      "fullyQualifiedDomainName": "FQDN",
      "onPremisesDirectoryAccount": "FQDN\\MSOL_fda726098513",
      "partitionFilters": [
        {
          "fullyQualifiedDomainName": "FQDN",
          "distinguishedName": "DC=prefix,DC=domain,DC=tld",
          "containerInclusions": [
            "OU=AzConTest,OU=OU2,OU=OU3,DC=prefix,DC=domain,DC=tld"
          ],
          "containerExclusions": [
            "CN=LostAndFound,DC=prefix,DC=domain,DC=tld",
            "DC=prefix,DC=domain,DC=tld"
          ]
        }
      ],
      "standardSynchronizationRules": [
        {
          "Name": "In from AD - User Join",
          "uniqueIdentifier": "e3428571-8759-4331-a79f-dad06f6b7781",
          "immutableTag": "Microsoft.InfromADUserJoin.006",
          "precedence": 100
        },
        {
          "Name": "In from AD - InetOrgPerson Join",
          "uniqueIdentifier": "5b884743-5011-46a4-b1c8-299f49ec1909",
          "immutableTag": "Microsoft.InfromADInetOrgPersonJoin.004",
          "precedence": 101
        },
        {
          "Name": "In from AD - User AccountEnabled",
          "uniqueIdentifier": "61edc9f9-394b-4285-966e-eae2bad1c5d1",
          "immutableTag": "Microsoft.InfromADUserAccountEnabled.008",
          "precedence": 102
        },
        {
          "Name": "In from AD - InetOrgPerson AccountEnabled",
          "uniqueIdentifier": "8dde5041-391d-415d-912a-1a492b87c0a3",
          "immutableTag": "Microsoft.InfromADInetOrgPersonAccountEnabled.006",
          "precedence": 103
        },
        {
          "Name": "In from AD - User Common from Exchange",
          "uniqueIdentifier": "1a0726e1-5be7-41c7-8d1a-f3703f939da7",
          "immutableTag": "Microsoft.InfromADUserCommonfromExchange.006",
          "precedence": 104
        },
        {
          "Name": "In from AD - InetOrgPerson Common from Exchange",
          "uniqueIdentifier": "ed60d659-8896-473b-8996-7bb27a882d3e",
          "immutableTag": "Microsoft.InfromADInetOrgPersonCommonfromExchange.006",
          "precedence": 105
        },
        {
          "Name": "In from AD - User Common",
          "uniqueIdentifier": "51aebaf8-574f-48e7-a3d1-e1dd1505ccee",
          "immutableTag": "Microsoft.InfromADUserCommon.009",
          "precedence": 106
        },
        {
          "Name": "In from AD - InetOrgPerson Common",
          "uniqueIdentifier": "95af2b43-5638-490b-b82b-bbb22448370b",
          "immutableTag": "Microsoft.InfromADInetOrgPersonCommon.008",
          "precedence": 107
        },
        {
          "Name": "In from AD - User Exchange",
          "uniqueIdentifier": "65586d4b-f50b-4c9f-b4df-9dcfdc3aa406",
          "immutableTag": "Microsoft.InfromADUserExchange.004",
          "precedence": 108
        },
        {
          "Name": "In from AD - InetOrgPerson Exchange",
          "uniqueIdentifier": "cc461f23-4203-4d2f-bcde-e1c859d8b22c",
          "immutableTag": "Microsoft.InfromADInetOrgPersonExchange.003",
          "precedence": 109
        },
        {
          "Name": "In from AD - Group Join",
          "uniqueIdentifier": "24ff4605-cacf-46a0-8e41-5cdcd5666cd9",
          "immutableTag": "Microsoft.InfromADGroupJoin.006",
          "precedence": 110
        },
        {
          "Name": "In from AD - Group Exchange",
          "uniqueIdentifier": "a26f6c6e-6747-46bd-bb63-aad745b66f26",
          "immutableTag": "Microsoft.InfromADGroupExchange.004",
          "precedence": 111
        },
        {
          "Name": "In from AD - Group Common",
          "uniqueIdentifier": "d0887028-0625-46f5-9f4f-790b2f4f9e57",
          "immutableTag": "Microsoft.InfromADGroupCommon.008",
          "precedence": 112
        },
        {
          "Name": "In from AD - Contact Join",
          "uniqueIdentifier": "a6ade885-fb70-4d02-8e57-faca781ad815",
          "immutableTag": "Microsoft.InfromADContactJoin.004",
          "precedence": 113
        },
        {
          "Name": "In from AD - Contact Common",
          "uniqueIdentifier": "21d5aa3e-cc7f-4981-bd4f-fafd71ab583c",
          "immutableTag": "Microsoft.InfromADContactCommon.006",
          "precedence": 114
        },
        {
          "Name": "In from AD - ForeignSecurityPrincipal Join User",
          "uniqueIdentifier": "58a761d3-9319-4dc8-a55c-820775e509a2",
          "immutableTag": "Microsoft.InfromADForeignSecurityPrincipalJoinUser.001",
          "precedence": 115
        },
        {
          "Name": "Out to AD - User Join SOAInAD",
          "uniqueIdentifier": "435cf548-3952-447b-b9d2-2b1372ee5f65",
          "immutableTag": "Microsoft.OuttoADUserJoinSOAInAD.004",
          "precedence": 146
        },
        {
          "Name": "In from AD - Computer Join",
          "uniqueIdentifier": "834193e7-7f81-4289-9c36-5bc99e990dc5",
          "immutableTag": "Microsoft.InfromADComputerJoin.006",
          "precedence": 148
        },
        {
          "Name": "In from AD - Device Common",
          "uniqueIdentifier": "43618d59-1136-4174-9c50-110d1159286c",
          "immutableTag": "Microsoft.InfromADDeviceCommon.002",
          "precedence": 150
        },
        {
          "Name": "Out to AD - User NGCKey",
          "uniqueIdentifier": "ae1ccd37-2976-4d3a-b922-836cb58c5987",
          "immutableTag": "Microsoft.OuttoADUserNGCKey.001",
          "precedence": 151
        },
        {
          "Name": "Out to AD - Device STKKey",
          "uniqueIdentifier": "08929880-7415-4c00-816c-c321a1659279",
          "immutableTag": "Microsoft.OuttoADDeviceSTKKey.001",
          "precedence": 152
        },
        {
          "Name": "Out to AD - User ImmutableId",
          "uniqueIdentifier": "034d8c62-fca9-4bb0-ba21-74b0c8e353b2",
          "immutableTag": "Microsoft.OuttoADUserImmutableId.003",
          "precedence": 153
        }
      ]
    }
  ]
}
Balthazar
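The export error above names three things a practitioner can act on directly: the conflicting value (AttributeConflictValues), the object being exported (ObjectId) and the object that already owns the value in the tenant (ObjectIdInConflict). The following is an added example, not part of the original post, that resolves those identifiers on both sides so you can see whether the cloud owner is cloud-only or already synchronized, and which on-prem object(s) carry the same address. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed; the GUIDs and address are copied from the error text in the question and stand in for your own values.

```powershell
# Added example (not from the original post). Resolves the identifiers from an
# AAD Connect "duplicate attribute value" export error on both directories.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$conflictValue = 'SMTP:mail@domain.com'                   # AttributeConflictValues
$objectId      = 'bcc86eef-4fcc-453c-a513-ac0ba12f834f'   # ObjectId (object being exported)
$inConflict    = 'f501c6e5-4e4f-4d19-bbcb-5925a71c7cac'   # ObjectIdInConflict (current owner)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All'

# Cloud side: for both objects, is it cloud-only or already synchronized, what is its
# anchor (OnPremisesImmutableId), and does it actually hold the conflicting address?
foreach ($id in $objectId, $inConflict) {
    $u = Get-MgUser -UserId $id -Property Id, UserPrincipalName, ProxyAddresses,
                                          OnPremisesSyncEnabled, OnPremisesImmutableId
    [pscustomobject]@{
        Id              = $u.Id
        UPN             = $u.UserPrincipalName
        Synced          = [bool]$u.OnPremisesSyncEnabled
        ImmutableId     = $u.OnPremisesImmutableId
        HasConflictAddr = $u.ProxyAddresses -contains $conflictValue
    }
}

# On-prem side: every object class (users, contacts, groups, public folders) can carry
# proxyAddresses, so search objects, not just users. An LDAP equality filter on a
# multi-valued attribute matches if any single value equals the string. The value is
# interpolated as-is; escape it per RFC 4515 if it ever contains ( ) * \ characters.
Get-ADObject -LDAPFilter "(proxyAddresses=$conflictValue)" -Properties proxyAddresses, mail |
    Select-Object DistinguishedName, ObjectClass, mail
```

If the on-prem query returns more than one object, that is the duplicate the error is about and has to be fixed in AD before any matching strategy can work. If it returns exactly the user in the test OU and the cloud owner is a cloud-only object, the problem is a failed match rather than a true duplicate.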

1 Answer


Let's start with the basics:

If I add or change something on a Azure AD User, it updates the corresponding local AD user.

This is completely wrong. Synchronization is one-way, from AD to AAD.
There are some exceptions (notably password writeback), but in the vast majority of cases you'll find that you just cannot make changes in AAD to synchronized objects; you'll just get an error stating that the object is synchronized and thus you can't modify it directly and should instead make changes in AD and have them replicated by ADConnect.


That said, soft matching should work; if you create a new user account in AD with the same UPN and primary email address as an existing AAD user, the synchronization process should match them and take over the AAD object turning it into a synchronized object. But this can fail for several reasons.

Please add details about the ADConnect configuration; the most important one is the attribute used as source anchor.

Also, make sure to create a new user account in AD when you are trying to match it to an existing AAD user; this includes:

  • don't change attributes on an existing AD user to match an AAD user
  • don't move an existing user into the synchronized OU

Objects that are already present in AD when synchronization begins are discovered and identified by ADConnect even if they are not actually synchronized (yet), and if you try to synchronize them later ADConnect will not perform a soft match on them.

Massimo
  • Hi, thanks for your answer. I updated my question with the config and the source anchor. I don't get the last part. When I include more OUs, ADConnect won't soft match them anymore? Also, what if I already changed some attributes on the existing AD user? I changed the proxyAddresses to match the AAD – Balthazar Sep 09 '22 at 08:23
  • And why do I need to create a new user account in AD? Can't I just keep my AD users, my AAD users and soft match them? – Balthazar Sep 09 '22 at 08:30
  • ADConnect discovers and inventories all users in AD, assigning each of them a unique ID; if you *later* try to soft match them to existing AAD users, this won't work because ADConnect already marked them as different. You need new user accounts (i.e. never before seen by ADConnect) for soft match to work. – Massimo Sep 12 '22 at 08:17
  • The other option is using a hard match. This requires manual editing of the ObjectGUID attribute. – Massimo Sep 12 '22 at 08:20
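The answer and its comments describe two ways to join an existing AD user to an existing cloud user: soft match on UPN/primary SMTP, and hard match on the source anchor. The following is an added example, not code from the answer's author, of the hard-match route with the pre-checks that the error in the question calls for. It assumes the exported configuration shown in the question (azureSourceAnchorAttribute is mS-DS-ConsistencyGuid), that it is run on the AAD Connect server (so the ADSync module is available) with the RSAT ActiveDirectory module and the Microsoft.Graph SDK installed, and uses placeholder identities (`jdoe`, `jdoe@domain.com`). The hard match sets the cloud user's OnPremisesImmutableId to the Base64 form of the on-prem anchor, which is what the sync engine will present for that user, so the next sync cycle joins the two objects instead of provisioning a new one.

```powershell
# Added example (not from the original answer). Hard-matches an existing on-prem user
# to an existing cloud-only user when the source anchor is mS-DS-ConsistencyGuid.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module ADSync

function Get-OnPremImmutableId {
    # Returns the on-prem user plus the ImmutableId value AAD Connect will export for it.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid', proxyAddresses
    # With the ConsistencyGuid anchor, AAD Connect uses mS-DS-ConsistencyGuid when it is
    # already populated; otherwise it copies objectGUID into it on first sync. Either way
    # the anchor is those 16 bytes, Base64-encoded, so both branches produce the same
    # value the sync engine will use.
    $bytes = if ($u.'mS-DS-ConsistencyGuid') { [byte[]]$u.'mS-DS-ConsistencyGuid' }
             else                            { $u.ObjectGUID.ToByteArray() }
    [pscustomobject]@{
        User        = $u
        ImmutableId = [Convert]::ToBase64String($bytes)
    }
}

function Assert-ProxyAddressesUnique {
    # Guard 1: every proxyAddress on the user must be unique in AD, otherwise the export
    # fails with the duplicate-attribute error no matter how the objects are matched.
    param([Parameter(Mandatory)]$AdUser)
    foreach ($addr in @($AdUser.proxyAddresses)) {
        # Value is interpolated as-is; escape it per RFC 4515 if it contains ( ) * \.
        $others = Get-ADObject -LDAPFilter "(proxyAddresses=$addr)" |
                  Where-Object { $_.ObjectGUID -ne $AdUser.ObjectGUID }
        if ($others) {
            throw "proxyAddress '$addr' is also present on: $($others.DistinguishedName -join '; ')"
        }
    }
}

$onPrem   = Get-OnPremImmutableId -SamAccountName 'jdoe'     # placeholder on-prem account
$cloudUpn = 'jdoe@domain.com'                                # placeholder cloud UPN

Assert-ProxyAddressesUnique -AdUser $onPrem.User

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$cloud = Get-MgUser -UserId $cloudUpn -Property Id, OnPremisesSyncEnabled, OnPremisesImmutableId

# Guard 2: the anchor can only be set on a cloud-only object. If the target is already
# synchronized, a hard match is not the fix; the existing join has to be examined instead.
if ($cloud.OnPremisesSyncEnabled) {
    throw "$cloudUpn is already a synchronized object (ImmutableId=$($cloud.OnPremisesImmutableId))"
}

# Guard 3: refuse to overwrite a different anchor silently. A mismatched anchor is exactly
# what makes the engine treat the pair as two distinct objects and provision a new one.
if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $onPrem.ImmutableId) {
    throw "$cloudUpn already carries ImmutableId $($cloud.OnPremisesImmutableId); expected $($onPrem.ImmutableId)"
}

Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $onPrem.ImmutableId

# Run a delta cycle and confirm the join: after export the cloud object reports
# OnPremisesSyncEnabled = $true and keeps the same Id, i.e. no new user was created.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Start-Sleep -Seconds 120
$after = Get-MgUser -UserId $cloud.Id -Property Id, OnPremisesSyncEnabled, OnPremisesImmutableId
if (-not $after.OnPremisesSyncEnabled) {
    Write-Warning "Object $($after.Id) is still cloud-only; check the export run in Synchronization Service Manager"
}
```

The three guards are the important part: duplicate proxyAddresses in AD block the export regardless of matching, a synchronized target cannot have its anchor changed, and overwriting a different existing anchor would re-point the cloud object to a different on-prem identity. In Graph the attribute is OnPremisesImmutableId; the older MSOnline module exposes the same value as ImmutableId.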