How to Sync Microsoft Entra ID User with On-Premises AD User (2024)

Microsoft Entra Connect is an excellent tool that syncs AD on-premises objects to Microsoft Entra ID. But what if the user object was created directly in the cloud and there is no AD on-premises object? Microsoft Entra Connect will not create the user in AD on-premises for you. One option is to delete the cloud user and recreate it on-premises, but what if the user already uses the account with Exchange Online, Teams, SharePoint, and other services? In this article, we will look at how to sync a Microsoft Entra ID user with an on-premises AD user without deleting the Microsoft Entra ID user.

Table of contents

  • Correct way to create AD objects on-premises
  • Check AD object sync status
  • Soft match Microsoft Entra ID user with On-Premises AD user
    • Step 1. Create on-premises AD user object
    • Step 2. Force Microsoft Entra Connect sync
    • Step 3. Check Microsoft Entra Connect synchronization service
    • Step 4. Verify AD object sync status
    • Step 5. Verify objectGUID and OnPremisesImmutableID attribute
    • Step 6. Make cloud mailbox visible in Exchange on-premises
  • Hard match Microsoft Entra ID user with On-Premises AD user
  • Conclusion

Correct way to create AD objects on-premises

It’s essential to create AD objects on-premises when you have a hybrid environment, because Microsoft Entra Connect syncs on-premises AD objects to Microsoft Entra ID and creates objects only in that direction. Creating a user in the cloud instead leaves it outside AD management and causes problems for the account later, and reports based on on-premises AD will not include it.

See the articles below on how to create cloud objects from AD on-premises:

  • Create Office 365 mailbox in Exchange Hybrid
  • Create Office 365 shared mailbox in Exchange Hybrid
  • Create Office 365 resource mailbox in Exchange Hybrid
  • Bulk create Office 365 mailboxes in Exchange Hybrid

Check AD object sync status

Suppose the AD on-premises object is not present, and the user was created in the cloud. The user already uses the account and has data in the Exchange Online mailbox, and also in SharePoint, Teams, and other services.

To check the user sync status, follow these steps:

  1. Sign in to Microsoft 365 admin center
  2. Expand Users and click on Active users
  3. Enable the Sync status column
  4. Search the user
  5. Find sync status

The sync status will show one of the following:

  • In cloud
  • Synced from on-premises

The screen below shows that the user Carol Baker is in the cloud and not synced from AD on-premises. However, the other two users are synced from on-premises.

[Screenshot 1: Active users list with the Sync status column]

So, how do we change the object in the cloud to synced from on-premises? Let’s look at how to sync the Microsoft Entra ID user to on-premises AD in the next step.

Soft match Microsoft Entra ID user with On-Premises AD user

Soft match happens when Microsoft Entra Connect exports a new on-premises object whose sourceAnchor matches no cloud object, but whose UserPrincipalName or primary SMTP address does match an existing cloud object. Entra Connect then joins the two objects instead of creating a duplicate. To soft match a Microsoft Entra ID user with an on-premises AD user, follow these steps:

Step 1. Create on-premises AD user object

Entra Connect soft-matches on the UserPrincipalName and on the primary SMTP address in proxyAddresses, so the AD object you create must carry the same values as the cloud object:

  1. User logon name (UserPrincipalName)
  2. E-mail (mail), equal to the primary SMTP address
  3. ProxyAddresses, including every alias

Create an on-premises AD user object and fill in the details. Ensure that you fill in the user logon name identically to the cloud object.

Note: With password hash synchronization, the password you set in AD on-premises overwrites the user's cloud password at the first sync after the objects are joined (with pass-through authentication or federation the user signs in with the AD password in any case). So inform the user before you apply the change. The user can change the password afterwards.

[Screenshot 2: new AD user with the User logon name filled in]

Fill in the E-mail identical to the cloud object.

[Screenshot 3: E-mail attribute of the AD user]

Fill in the proxyaddresses.

If the user has aliases, add them. Remember that the entry prefixed with SMTP (uppercase) is the primary email address, for example SMTP:Carol.Baker@exoip.com, and that entries prefixed with smtp (lowercase) are aliases. There must be exactly one uppercase SMTP entry.

[Screenshot 4: proxyAddresses attribute of the AD user]

Step 2. Force Microsoft Entra Connect sync

Sign in to the Microsoft Entra Connect server and force a delta sync with PowerShell.

Start-ADSyncSyncCycle -PolicyType Delta

Step 3. Check Microsoft Entra Connect synchronization service

Start the Microsoft Entra Connect Synchronization Service Manager on the Microsoft Entra Connect server. Verify that it adds and syncs the on-premises AD user object with the Microsoft Entra ID user and that there are no errors.

[Screenshot 5: Synchronization Service Manager operations view]

Click on the Distinguished Name.

[Screenshot 6: connector space object opened from the Distinguished Name]

Verify that it adds the AD object and look closely at the sourceAnchor attribute value: this is what Entra Connect exports to Microsoft Entra ID as the user's OnPremisesImmutableId, and you will verify it in Step 5.

[Screenshot 7: sourceAnchor attribute value]

Step 4. Verify AD object sync status

It’s good to give the Microsoft Entra Connect synchronization service a little time (5-10 minutes) before you jump into Microsoft 365 admin center and check the sync status.

The Microsoft 365 admin center shows the sync status as synced from on-premises.

[Screenshot 8: sync status shows Synced from on-premises]

Step 5. Verify objectGUID and OnPremisesImmutableID attribute

Another way is to compare the on-premises AD attribute objectGUID with the Microsoft Entra ID attribute OnPremisesImmutableId. They must be identical.

Note: On-premises the value is a GUID, whereas Microsoft Entra ID stores the same 16 bytes as a base64-encoded string. So you have to convert the base64 to GUID or the other way around to compare the values. If your Entra Connect installation uses ms-DS-ConsistencyGuid as the sourceAnchor (the default for new installations), Entra Connect writes the objectGUID into that attribute at the first export, so for a newly created AD object the two values are the same.

Run PowerShell as an administrator on the on-premises server, and run the Get-ADUser cmdlet to get the AD user objectGUID.

Get-ADUser "Carol.Baker" | Format-List UserPrincipalName,objectGUID

Or you can search on UserPrincipalName.

Get-ADUser -Filter { UserPrincipalName -eq "Carol.Baker@exoip.com" } | Format-List UserPrincipalName, objectGUID

The objectGUID value is 4dd814df-55e1-4889-a3bf-377605396b45.

UserPrincipalName : Carol.Baker@exoip.com
objectGUID        : 4dd814df-55e1-4889-a3bf-377605396b45

Run PowerShell as administrator and connect to Microsoft Graph PowerShell. This step only reads the user, so the User.Read.All scope is sufficient (the hard match later in this article needs User.ReadWrite.All).

Connect-MgGraph -Scopes "User.Read.All"

Run the Get-MgUser cmdlet to get the Microsoft Entra ID user OnPremisesImmutableId attribute.

Get-MgUser -UserId "Carol.Baker@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId

The OnPremisesImmutableID value is 3xTYTeFViUijvzd2BTlrRQ==.

UserPrincipalName     : Carol.Baker@exoip.com
OnPremisesImmutableId : 3xTYTeFViUijvzd2BTlrRQ==

Copy the OnPremisesImmutableID value and paste it into the command below to convert the base64 string to GUID.

[GUID][system.convert]::FromBase64String("3xTYTeFViUijvzd2BTlrRQ==")

The output appears.

Guid
----
4dd814df-55e1-4889-a3bf-377605396b45

Suppose you want to convert the GUID to base64 string, copy the GUID value, and paste it into the command below.

[Convert]::ToBase64String([guid]::New("4dd814df-55e1-4889-a3bf-377605396b45").ToByteArray())

The output appears.

3xTYTeFViUijvzd2BTlrRQ==

The on-premises AD objectGUID and the Microsoft Entra ID OnPremisesImmutableId match, so the cloud user is joined to the AD user you created.

Step 6. Make cloud mailbox visible in Exchange on-premises

Ensure you make the cloud mailbox visible in Exchange on-premises by following the article Office 365 mailbox not showing in Exchange Hybrid on-premises.

[Screenshot 9: cloud mailbox visible in Exchange on-premises]
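Steps 1 to 4 of the soft match as one script, added here as an example; it is not code from the original article. It assumes the RSAT ActiveDirectory module on the machine where it runs, the Microsoft.Graph modules, the article's example user Carol.Baker@exoip.com, and placeholder values for the target OU and the Entra Connect server name (replace them). It pre-checks what the steps above leave implicit: the tenant must not block soft match, the cloud user must still be cloud-only, and no on-premises object may already hold the same UPN or proxy addresses, because any of these makes the sync cycle error out or join the wrong object.

```powershell
# Added example, not from the original article.
# Assumptions: RSAT ActiveDirectory module, Microsoft.Graph modules, the article's
# example user Carol.Baker@exoip.com; $TargetOu and $ConnectServer are placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$Upn           = 'Carol.Baker@exoip.com'
$TargetOu      = 'OU=Users,DC=exoip,DC=com'   # placeholder: your user OU
$ConnectServer = 'ENTRACONNECT01'            # placeholder: Entra Connect server

# Read access is enough here; a soft match writes nothing to Entra ID directly.
Connect-MgGraph -Scopes 'User.Read.All', 'OnPremDirectorySynchronization.Read.All'

# 1. Soft match is a tenant feature that can be switched off. If it is, the sync
#    cycle will not join the two objects and you need the hard match procedure.
$features = (Get-MgDirectoryOnPremiseSynchronization).Features
if ($features.BlockSoftMatchEnabled) {
    throw 'BlockSoftMatch is enabled in this tenant; use the hard match procedure instead.'
}

# 2. Read the cloud object. UPN and the primary SMTP address (SMTP: in proxyAddresses)
#    are the keys Entra Connect soft-matches on, so they are copied exactly.
$props = 'Id', 'UserPrincipalName', 'DisplayName', 'GivenName', 'Surname', 'Mail',
         'ProxyAddresses', 'OnPremisesSyncEnabled', 'OnPremisesImmutableId'
$cloud = Get-MgUser -UserId $Upn -Property $props
if ($cloud.OnPremisesSyncEnabled -or $cloud.OnPremisesImmutableId) {
    throw "$Upn is already joined to an on-premises object; nothing to soft match."
}
$smtpAddresses = @($cloud.ProxyAddresses | Where-Object { $_ -match '^smtp:' })  # SMTP: and smtp:
$primarySmtp   = ($smtpAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
if ([string]::IsNullOrEmpty($primarySmtp)) { throw "$Upn has no primary SMTP address." }

# 3. Refuse to create a second on-premises object carrying the same match keys;
#    a duplicate UPN or proxy address produces an export error instead of a join.
if (Get-ADUser -Filter "UserPrincipalName -eq '$Upn'") {
    throw "An on-premises user with UPN $Upn already exists."
}
foreach ($addr in $smtpAddresses) {
    $holder = Get-ADObject -LDAPFilter "(proxyAddresses=$addr)"
    if ($holder) { throw "$addr is already present on $($holder.DistinguishedName)." }
}

# 4. Create the AD user with identical UPN, mail and proxyAddresses. With password
#    hash sync this password replaces the user's cloud password after the join.
#    sAMAccountName is derived from the UPN prefix here (assumption; max 20 chars).
$password = Read-Host -AsSecureString -Prompt "Initial password for $Upn"
New-ADUser -Name $cloud.DisplayName -GivenName $cloud.GivenName -Surname $cloud.Surname `
    -SamAccountName $Upn.Split('@')[0] -UserPrincipalName $Upn -EmailAddress $primarySmtp `
    -Path $TargetOu -AccountPassword $password -Enabled $true `
    -OtherAttributes @{ proxyAddresses = [string[]]$smtpAddresses }

# 5. Step 2 of the article: request a delta sync on the Entra Connect server
#    (needs PowerShell remoting and ADSync admin rights on that server).
Invoke-Command -ComputerName $ConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
Write-Host "Delta sync requested. Check Synchronization Service Manager for errors, then verify objectGUID against OnPremisesImmutableId (Step 5)."
```

After the script finishes, continue with Step 3 onwards: the join itself is only confirmed by the Synchronization Service Manager and by the attribute comparison in Step 5.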

Hard match Microsoft Entra ID user with On-Premises AD user

Hard match joins the objects on the sourceAnchor alone: you write the base64 form of the on-premises objectGUID into the cloud user's OnPremisesImmutableId, and at the next sync cycle Entra Connect joins the two objects even if UPN or proxyAddresses differ. Only do this when OnPremisesImmutableId is empty; a value that is already present means the cloud user is joined to some other AD object, and you should find out which one before you overwrite it. If the tenant has the BlockCloudObjectTakeoverThroughHardMatch feature enabled (visible with Get-MgDirectoryOnPremiseSynchronization), Entra Connect will not perform the join. To hard match a Microsoft Entra ID user with an on-premises AD user, follow these steps:

  1. Run PowerShell as an administrator on the on-premises server, and run the Get-ADUser cmdlet to get the AD user objectGUID.

Get-ADUser "Carol.Baker" | Format-List UserPrincipalName,objectGUID

You can also search for UserPrincipalName.

Get-ADUser -Filter { UserPrincipalName -eq "Carol.Baker@exoip.com" } | Format-List UserPrincipalName, objectGUID

The objectGUID value is 4dd814df-55e1-4889-a3bf-377605396b45.

UserPrincipalName : Carol.Baker@exoip.com
objectGUID        : 4dd814df-55e1-4889-a3bf-377605396b45

  2. Copy the GUID and paste it into the command below to convert the GUID to a base64 string.

[Convert]::ToBase64String([guid]::New("4dd814df-55e1-4889-a3bf-377605396b45").ToByteArray())

The output appears.

3xTYTeFViUijvzd2BTlrRQ==

  3. Run PowerShell as administrator and connect to Microsoft Graph PowerShell. This procedure writes to the user, so it needs the User.ReadWrite.All scope.

Connect-MgGraph -Scopes "User.ReadWrite.All"

  4. Run the Get-MgUser cmdlet to get the Microsoft Entra ID user OnPremisesImmutableId attribute.

Get-MgUser -UserId "Carol.Baker@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId

The OnPremisesImmutableId value is empty, which means the user was never matched with an on-premises AD user. If it is not empty, stop here and find out which AD object the cloud user is already joined to.

UserPrincipalName     : Carol.Baker@exoip.com
OnPremisesImmutableId :

  5. Run the Update-MgUser cmdlet to update the Microsoft Entra ID user with the on-premises Immutable ID that you got from step 2.

Update-MgUser -UserId "Carol.Baker@exoip.com" -OnPremisesImmutableId "3xTYTeFViUijvzd2BTlrRQ=="

  6. Verify with the Get-MgUser cmdlet that the on-premises Immutable ID is successfully set.

Get-MgUser -UserId "Carol.Baker@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId

The output below appears.

UserPrincipalName     : Carol.Baker@exoip.com
OnPremisesImmutableId : 3xTYTeFViUijvzd2BTlrRQ==

  7. Sign in to the Microsoft Entra Connect server and force a delta sync with PowerShell.

Start-ADSyncSyncCycle -PolicyType Delta

  8. Start the Microsoft Entra Connect Synchronization Service Manager on the Microsoft Entra Connect server. Verify that it updates and syncs the on-premises AD user object with the Microsoft Entra ID user and that there are no errors.
  9. Give the Microsoft Entra Connect synchronization service a little time (5-10 minutes) and sign in to Microsoft 365 admin center to check the sync status.
  10. The Microsoft 365 admin center shows the sync status as synced from on-premises.
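The verification from Step 5 of the soft match and the hard match procedure above, combined into one guarded function; this is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph modules on the machine where it runs, and uses the article's example user. Beyond the steps above it reads the anchor attribute Entra Connect actually exports (ms-DS-ConsistencyGuid when populated, otherwise objectGUID), refuses to overwrite an OnPremisesImmutableId that already holds a different value, and checks the tenant setting and existing holders of the anchor before writing anything.

```powershell
# Added example, not from the original article.
# Assumptions: RSAT ActiveDirectory module and Microsoft.Graph modules are installed;
# the usage lines at the bottom use the article's example user.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-SourceAnchorBase64 {
    # Entra Connect exports its sourceAnchor as OnPremisesImmutableId. With the
    # default configuration that is ms-DS-ConsistencyGuid when populated (filled
    # from objectGUID at first export) and objectGUID otherwise, so compare against
    # the attribute Entra Connect really uses rather than blindly against objectGUID.
    param([Parameter(Mandatory)][string]$Identity)
    $ad = Get-ADUser -Identity $Identity -Properties 'mS-DS-ConsistencyGuid'
    $bytes = if ($ad.'mS-DS-ConsistencyGuid') { [byte[]]$ad.'mS-DS-ConsistencyGuid' } else { $ad.ObjectGUID.ToByteArray() }
    return [Convert]::ToBase64String($bytes)
}

function Sync-ImmutableId {
    param(
        [Parameter(Mandatory)][string]$AdIdentity,   # sAMAccountName of the on-premises user
        [Parameter(Mandatory)][string]$CloudUpn,     # UPN of the Microsoft Entra ID user
        [switch]$HardMatch                            # without it the function only verifies (Step 5)
    )
    $expected = Get-SourceAnchorBase64 -Identity $AdIdentity
    $cloud = Get-MgUser -UserId $CloudUpn -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    if ($cloud.OnPremisesImmutableId) {
        # Base64 is case-sensitive, so compare with -ceq.
        if ($cloud.OnPremisesImmutableId -ceq $expected) {
            Write-Host "OK: $CloudUpn is joined to $AdIdentity (anchor $expected)."
            return $true
        }
        # A different value means the cloud user is joined to some other AD object.
        # Overwriting it would silently re-point the account; stop and investigate.
        $got = [guid][Convert]::FromBase64String($cloud.OnPremisesImmutableId)
        Write-Warning "MISMATCH: $CloudUpn carries anchor $got, not the anchor of $AdIdentity."
        return $false
    }

    if (-not $HardMatch) {
        Write-Host "$CloudUpn has no OnPremisesImmutableId (cloud-only). Re-run with -HardMatch to set it."
        return $false
    }

    # Hard-match path: two pre-checks before writing anything.
    $features = (Get-MgDirectoryOnPremiseSynchronization).Features
    if ($features.BlockCloudObjectTakeoverThroughHardMatchEnabled) {
        throw 'BlockCloudObjectTakeoverThroughHardMatch is enabled; Entra Connect will not join the objects.'
    }
    $holder = Get-MgUser -Filter "onPremisesImmutableId eq '$expected'" -Property Id, UserPrincipalName
    if ($holder -and $holder.Id -ne $cloud.Id) {
        throw "Anchor $expected is already set on $($holder.UserPrincipalName); a second join would fail."
    }

    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expected
    $after = Get-MgUser -UserId $cloud.Id -Property OnPremisesImmutableId
    if ($after.OnPremisesImmutableId -cne $expected) { throw 'OnPremisesImmutableId was not written.' }
    Write-Host "Set OnPremisesImmutableId $expected on $CloudUpn. Now run Start-ADSyncSyncCycle -PolicyType Delta on the Entra Connect server."
    return $true
}

# Usage with the article's example user. Verification needs only read scopes; the
# hard match needs User.ReadWrite.All, so that is requested once up front.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'OnPremDirectorySynchronization.Read.All'
Sync-ImmutableId -AdIdentity 'Carol.Baker' -CloudUpn 'Carol.Baker@exoip.com'              # verify only
# Sync-ImmutableId -AdIdentity 'Carol.Baker' -CloudUpn 'Carol.Baker@exoip.com' -HardMatch  # write the anchor
```

Run the function without -HardMatch first: a return value of $true confirms the soft match from the previous section, $false with the cloud-only message is the starting point for the hard match, and a MISMATCH warning means the cloud user is already joined to another AD object and needs investigation rather than a write.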

That’s it!

Read more: Find Microsoft Entra Connect accounts »

Conclusion

You learned how to sync an existing Microsoft Entra ID user with a newly created on-premises AD user. Create the on-premises AD object and sync it with Microsoft Entra Connect. Ensure there are no errors and verify that the objectGUID and the OnPremisesImmutableId attribute match. This way there is no need to delete the cloud user and recreate it from on-premises, which takes time and requires exporting and importing all of the user's settings and data.

You may also like Upgrade Microsoft Entra Connect.

Author: Merrill Bechtelar CPA