Syncing On-Premises Active Directory with Azure AD: A Practical Guide for IT Professionals

As organizations increasingly adopt cloud services, the need to maintain a seamless user experience across on-premises and cloud environments has become crucial. A key aspect of this is ensuring that user identities are consistent and synchronized between on-premises Active Directory (AD) and Azure Active Directory (Azure AD). This post delves into the practical steps of achieving this synchronization, offering valuable insights for IT professionals.

Understanding the Options: Soft Match vs. Hard Match

The process of syncing on-premises AD with Azure AD primarily revolves around two methods: the Soft Match and the Hard Match.

1. Soft Match: This method is typically easier to implement, especially when dealing with a large number of users. It involves matching the userPrincipalName (email) and proxyAddresses attributes between on-premises AD and Azure AD.

2. Hard Match: This approach is more intricate, requiring a match on the immutable ID (the cloud account's ImmutableId must equal the Base64-encoded objectGUID of the on-prem account). It is less straightforward, especially when dealing with multiple users.

Implementing Soft Match: A Step-by-Step Approach

To execute a Soft Match, the following steps are crucial:

1. Set UserPrincipalName: Ensure that the UserPrincipalName in the on-prem AD account matches the Azure account’s username.

2. Set Email: The email address of the on-prem user account must align with that of the Azure account.

3. Set ProxyAddresses: The primary proxy address in the on-prem account must be set appropriately.

4. Force Azure AD Sync: Utilize the `Start-ADSyncSyncCycle -PolicyType Delta` command to force a sync with Azure AD.

5. Check Azure Object Sync Status: Verify that the Azure account reflects the synced status with the on-premises account.

Executing Hard Match: Ensuring a More Robust Synchronization

In cases where Soft Match fails, the Hard Match method becomes necessary:

1. Get Local AD Account ObjectGUID: Use PowerShell to retrieve the objectGuid of the local AD account.

2. Convert to Base64 String: Convert the local GUID to a Base64-encoded string for use as the Azure AD ImmutableId.

3. Set Immutable ID on Azure Account: Use PowerShell commands to set the new immutable ID in the Azure account.

4. Run Azure AD Connect Sync: Finalize the process by running an Azure AD Connect Sync to check if the Azure AD account changes to synced status from on-prem.
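
The Hard Match steps above, as an added PowerShell example (not code from the original post or its sources). It assumes the ActiveDirectory and Microsoft.Graph modules are installed, the Graph session holds User.ReadWrite.All, the ADSync module is available on the Azure AD Connect server, and the account names used are placeholders. Because a hard match silently binds an on-prem identity to a cloud identity, the function refuses to proceed when the UPNs differ, when the cloud account is already synced, or when it already carries a different ImmutableId.

```powershell
# Added example (not from the original post): hard-match one on-prem user to an
# existing cloud account. Assumes ActiveDirectory + Microsoft.Graph modules,
# a Graph session with User.ReadWrite.All, and access to the Azure AD Connect server.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is the Base64 form of the GUID's 16 raw bytes, not of its string form.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse mapping: shows which on-prem objectGUID a cloud account is anchored to.
    [guid][Convert]::FromBase64String($ImmutableId)
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # on-prem account
        [Parameter(Mandatory)][string]$CloudUpn          # existing Azure AD account
    )
    $onPrem = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID, UserPrincipalName
    $cloud  = Get-MgUser -UserId $CloudUpn -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    # Guard rails: refuse anything ambiguous rather than bind the wrong identity.
    if ($onPrem.UserPrincipalName -ne $cloud.UserPrincipalName) {
        throw "UPN mismatch: on-prem '$($onPrem.UserPrincipalName)' vs cloud '$($cloud.UserPrincipalName)'"
    }
    if ($cloud.OnPremisesSyncEnabled) {
        throw "Cloud account is already synced from on-prem; clear the existing match first."
    }
    $newId = ConvertTo-ImmutableId $onPrem.ObjectGUID
    if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $newId) {
        throw "Cloud account is already anchored to on-prem GUID $(ConvertFrom-ImmutableId $cloud.OnPremisesImmutableId)"
    }

    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $newId
    Write-Host "Set ImmutableId $newId on $CloudUpn"
}

# Usage (placeholder identities)
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Set-HardMatch -SamAccountName 'jdoe' -CloudUpn 'jdoe@contoso.example'

# Then force a delta sync on the Azure AD Connect server and re-check the account.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Get-MgUser -UserId 'jdoe@contoso.example' -Property OnPremisesSyncEnabled, OnPremisesImmutableId
```

After the delta cycle completes, OnPremisesSyncEnabled should read True and the account shows as synced from on-prem in the portal; if it does not, the anchor value or UPN is the first thing to re-verify.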

Bulk Modifications: Streamlining the Process

For managing multiple user accounts, tools like the AD Pro Toolkit can be used to bulk modify attributes like UserPrincipalName, Email, and ProxyAddresses, significantly simplifying the process for large organizations.

Conclusion: Ensuring Seamless Identity Synchronization

Synchronizing on-premises AD users with existing Azure AD users requires careful consideration of the method (Soft Match or Hard Match) and meticulous execution of the steps involved. Regardless of the method chosen, it’s essential to ensure that the email, proxy addresses, and userPrincipalName match between on-prem AD and Azure AD. Additionally, it’s important to note that synchronization is typically one-way, from on-premises AD to Azure AD, but can be configured for bidirectional sync under specific conditions.

This synchronization not only improves the user experience by providing a single identity across environments but also enhances security and management efficiency. By following the outlined steps and utilizing the right tools, IT professionals can achieve a successful integration of their on-premises AD environment with Azure AD.

Sources:

1. Active Directory Pro: [How to Sync On-Prem AD With Existing Azure AD Users](https://activedirectorypro.com/sync-on-prem-ad-with-existing-azure-ad-users/)

2. Microsoft Azure: [Integrate on-premises AD with Azure](https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad)

3. CodeTwo: [How to sync local AD to Azure AD with Azure AD Connect tool](https://www.codetwo.com/admins-blog/sync-on-premises-ad-with-azure-ad-via-azure-ad-connect/)