How to Hard Match a User in Office 365

In some cases, you may find that your Office 365 user account is not matched correctly with an on-premises AD user.

The main giveaway is the cloud icon in the sync status column in Microsoft 365 Admin Center.

This icon indicates it’s a cloud-only user account:

Cloud only user in Office 365

Alternatively, you can check the OnPremisesSyncEnabled attribute of the MgUser object, which is empty for a cloud-only user:

PS C:\> (Get-MgUser -UserId <UserId> -Property OnPremisesSyncEnabled).OnPremisesSyncEnabled
PS C:\>

Hard Match AD and Cloud User with ImmutableId

To hard match your on-premises AD user and the cloud user, you must set the ImmutableId attribute of the cloud user.

But before you do that, check the status of both objects:

  • What should be the userPrincipalName?
  • What should be the mail address(es)?

It’s highly recommended that both user objects agree on these attributes.

Mismatching userPrincipalName and/or mail addresses can cause problems down the road and complicate future troubleshooting.

The ImmutableId on the cloud user must match the objectGuid on the AD user.

To ensure great pay rates for Microsoft consultants(!), Microsoft decided to format the ImmutableId as the Base64-encoded value of the objectGuid's byte array.

Retrieve and convert the objectGuid from the on-premises AD user like so:

PS C:\> Get-ADUser Lene.Hau | fl objectGuid

objectGuid : d749534e-9f86-44a7-b572-6be7b53b2ca9

PS C:\> [Convert]::ToBase64String([guid]::New("d749534e-9f86-44a7-b572-6be7b53b2ca9").ToByteArray())
TlNJ14afp0S1cmvntTssqQ==

And finally, perform the hard matching of the AD and cloud accounts using the following command:

PS C:\> Update-MgUser -UserId <UserId> -OnPremisesImmutableId "TlNJ14afp0S1cmvntTssqQ=="
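
The pre-checks described above (matching userPrincipalName and mail, and an ImmutableId equal to the Base64 form of the objectGuid) can be scripted before running Update-MgUser. This is an added example, not code from the original article: the function names are hypothetical, the property names assume the output of Get-ADUser (with -Properties mail) and Get-MgUser, and the sample addresses are constructed.

```powershell
# Added example. Function names are hypothetical; sample objects are constructed.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion as the one-liner on the page: Base64 of the GUID's byte array.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction; throws if the value is not the Base64 form of 16 bytes.
    [guid]::new([byte[]][Convert]::FromBase64String($ImmutableId))
}
function Test-HardMatchReady {
    param(
        [Parameter(Mandatory)]$AdUser,    # needs ObjectGuid, UserPrincipalName, Mail
        [Parameter(Mandatory)]$CloudUser  # needs UserPrincipalName, Mail, OnPremisesImmutableId
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $AdUser.ObjectGuid
    $current  = $CloudUser.OnPremisesImmutableId
    $issues   = @()
    # -ne is case-insensitive, which suits UPNs and mail addresses.
    foreach ($name in 'UserPrincipalName', 'Mail') {
        if ($AdUser.$name -ne $CloudUser.$name) {
            $issues += "$name differs: AD '$($AdUser.$name)', cloud '$($CloudUser.$name)'"
        }
    }
    # Base64 is case-sensitive, so compare with -cne. An existing, different value
    # means the cloud user is already anchored to another AD object.
    if ($current -and $current -cne $expected) {
        $issues += "Cloud user already has ImmutableId '$current'"
    }
    [pscustomobject]@{
        ExpectedImmutableId = $expected
        AlreadyMatched      = ($current -ceq $expected)
        Ready               = ($issues.Count -eq 0)
        Issues              = $issues
    }
}

# Constructed sample input: the page's objectGuid plus made-up addresses.
$ad = [pscustomobject]@{
    ObjectGuid        = [guid]'d749534e-9f86-44a7-b572-6be7b53b2ca9'
    UserPrincipalName = 'lene.hau@example.com'; Mail = 'lene.hau@example.com'
}
$cloud = [pscustomobject]@{
    UserPrincipalName = 'Lene.Hau@example.com'; Mail = 'lh@example.com'; OnPremisesImmutableId = $null
}
Test-HardMatchReady -AdUser $ad -CloudUser $cloud | Format-List
ConvertFrom-ImmutableId 'TlNJ14afp0S1cmvntTssqQ=='
```

Against live data, pass the objects returned by Get-ADUser and Get-MgUser instead of the sample objects, and set the ImmutableId only when Ready is True.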

Proper Matching and Proper Management

Even though your AD and cloud users are correctly matched, you may find it cumbersome to manage your hybrid environment.

Hybrid Office 365 introduces a lot of different web consoles and fragmented attribute authority (some attributes are managed in AD and some in Office 365).

On top of this, you probably find yourself stuck with Exchange on-premises – despite having moved all mailboxes to the cloud.

With Easy365Manager, all of this pain goes away.

Easy365Manager is a snap-in for AD Users & Computers.

With Easy365Manager, you can manage Office 365 mailboxes and licenses directly from AD Users & Computers.

Even complex tasks, like calendar delegation and Outlook automapping of shared mailboxes, are available from the intuitive graphical user interface.

Download a fully-functional 30-day trial now.

Download and installation only take a couple of minutes and there are no changes to your AD or infrastructure.