How to do Hard match in Dirsync?


DirSync has two ways of matching an on-premises object to an object that already exists in the cloud:

  1. Soft Match, which matches on the primary SMTP address
  2. Hard Match, which matches on the ImmutableID (sourceAnchor), derived from the on-premises objectGUID

 

In this post we will see how to do a Hard Match in DirSync.

After writing this post my colleague and friend Elvin pointed out an easier way to find the ImmutableID. I have covered that in the next post.

Here are the high-level steps for hard matching an on-premises user to an existing cloud user:

  • Get the objectGUID of the user from on-premises Active Directory
  • Rearrange the objectGUID bytes into GUID string form
  • Convert the GUID to an ImmutableID
  • Update the cloud user with the ImmutableID
  • Run DirSync

 

 

Get the objectGUID of the user from on-premises Active Directory

  • Open Adsiedit.msc
  • Right-click ADSI Edit, choose Connect to, and select "Default naming context"
  • Expand the domain partition, navigate to the OU that contains the user, and open the user's properties
  • Copy the value of objectGUID (shown as 16 hex bytes) to Notepad

 

Rearrange the objectGUID bytes as shown below

ADSI Edit shows the objectGUID as 16 raw bytes in storage order. Windows stores the first three fields of a GUID (4, 2 and 2 bytes) little-endian, so those three groups have to be byte-reversed to produce the usual dashed GUID string; the remaining 8 bytes keep the order shown.

objectGUID as shown by ADSI Edit:                 44 31 E2 46 77 83 3E 48 A8 7E B6 76 9D B6 2E ED

Group the bytes (4-2-2-2-6):                      44 31 E2 46 | 77 83 | 3E 48 | A8 7E | B6 76 9D B6 2E ED

Reverse the bytes within the first three groups:  46 E2 31 44 | 83 77 | 48 3E | A8 7E | B6 76 9D B6 2E ED

Write the result in GUID string form:             46E23144-8377-483E-A87E-B6769DB62EED

Convert the ObjectGuid to an ImmutableID

Now that we have the objectGUID in GUID string form, download the script from the link below; it converts a GUID to an ImmutableID and vice versa:

http://gallery.technet.microsoft.com/office/Covert-DirSyncMS-Online-5f3563b1/description

Right-click the downloaded script, open Properties and click Unblock (a script downloaded from the internet is blocked by the RemoteSigned execution policy until it is unblocked).

 

Now open Windows PowerShell and change to the folder where the script was saved.

Invoke the script and pass it the GUID from the previous step. Running it with no argument prints its usage:

PS C:\Users\praveen\Desktop\CAP\Immutable ID> .\GUID2ImmutableID.ps1
Value provided not in GUID or ImmutableID format.
Please Supply the value you want converted
Examples:
To convert a GUID to an Immutable ID: GUID2ImmutableID.ps1 '748b2d72-706b-42f8-8b25-82fd8733860f'
To convert an ImmutableID to a GUID: GUID2ImmutableID.ps1 'ci2LdGtw+EKLJYL9hzOGDw=='

PS C:\Users\praveen\Desktop\CAP\Immutable ID> .\GUID2ImmutableID.ps1 46E23144-8377-483E-A87E-B6769DB62EED

ImmutableID
-----------------
RDHiRneDPkiofrZ2nbYu7Q==
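The following PowerShell is an added example and is not part of the original post or of the TechNet gallery script. It does the byte reordering from the previous section and the conversion shown above in both directions using only .NET's Guid type, and checks the result against the objectGUID and ImmutableID values from this post. The key point it demonstrates is that the ImmutableID is just the 16 raw bytes in the order ADSI Edit displays them, Base64-encoded; the dashed GUID string is only an intermediate representation, and Guid.ToByteArray() hands back the bytes in ADSI Edit order, so no manual reordering is needed when you start from a [guid] value (for example the ObjectGUID property returned by Get-ADUser). The function names are my own.

```powershell
# Added example (not from the original post). Converts between the three forms
# of an objectGUID: the hex bytes ADSI Edit shows, the dashed GUID string, and
# the Base64 ImmutableID. Works on Windows PowerShell 2.0 and later.

function ConvertFrom-AdsiHexGuid {
    # Input: the hex byte string copied from ADSI Edit, e.g. "44 31 E2 46 ...".
    param([Parameter(Mandatory=$true)][string]$HexBytes)
    $bytes = [byte[]]@($HexBytes -split '\s+' | Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($bytes.Length -ne 16) { throw "Expected 16 bytes, got $($bytes.Length)" }
    # The Guid(byte[]) constructor applies the little-endian rule for the first
    # three fields, which is exactly the manual regrouping described in the post.
    New-Object System.Guid -ArgumentList (,$bytes)
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory=$true)][guid]$Guid)
    # ToByteArray() returns the 16 bytes in storage (ADSI Edit) order, so the
    # ImmutableID is simply their Base64 encoding.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory=$true)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableID does not decode to 16 bytes" }
    New-Object System.Guid -ArgumentList (,$bytes)
}

# Check against the values used in the post (same user, same bytes).
$hex  = '44 31 E2 46 77 83 3E 48 A8 7E B6 76 9D B6 2E ED'
$guid = ConvertFrom-AdsiHexGuid $hex
$imm  = ConvertTo-ImmutableId $guid
$back = ConvertFrom-ImmutableId $imm

if ($guid -ne [guid]'46E23144-8377-483E-A87E-B6769DB62EED') { throw "GUID mismatch: $guid" }
if ($imm  -ne 'RDHiRneDPkiofrZ2nbYu7Q==')                     { throw "ImmutableID mismatch: $imm" }
if ($back -ne $guid)                                          { throw "Round trip failed" }

"GUID        : $guid"
"ImmutableID : $imm"
```

If you already have the user object from the ActiveDirectory module, the whole pipeline collapses to ConvertTo-ImmutableId (Get-ADUser someuser).ObjectGUID; the ADSI Edit hex step only matters when the value was copied by hand.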

 

 

 

Update the cloud user with the Immutable ID

Now open the Windows Azure Active Directory Module for Windows PowerShell, connect to the tenant with Connect-MsolService, and run the command below:

Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId RDHiRneDPkiofrZ2nbYu7Q==

Here User@domain.com is the UPN of the existing cloud user that the on-premises user should be matched to. Setting ImmutableId on the cloud object gives it the same sourceAnchor that DirSync computes from the on-premises objectGUID, so the next sync joins the two objects instead of creating a duplicate.

 

Run Dirsync

Now force a DirSync run to join the two objects.

Note: Because of replication delay between on-premises and cloud, you may have to wait a while and force DirSync a couple of times.
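The script below is an added example, not code from the original post; it ties the steps above together for one or many users. It computes the ImmutableID directly from the objectGUID that Get-ADUser returns, runs the two checks behind the errors readers report in the comments below (an anchor already owned by another object, including one still in the recycle bin, and a cloud user that directory sync already owns), and only calls Set-MsolUser when -Commit is passed. It assumes the ActiveDirectory (RSAT) and MSOnline modules are loaded and that Connect-MsolService has already been run; the function name, the -Commit switch and the CSV column names are my own.

```powershell
# Added example (not from the original post): hard-match one or more existing
# cloud users to their on-premises accounts, with the pre-checks that explain
# the Set-MsolUser errors seen in the comments. Nothing is written unless
# -Commit is given.

function Invoke-HardMatch {
    param(
        # On-premises sAMAccountName -> cloud UserPrincipalName.
        [Parameter(Mandatory=$true)][hashtable]$Map,
        [switch]$Commit
    )
    # Fetch once: ImmutableId cannot be filtered server-side, and the recycle
    # bin must be searched too, because a soft-deleted user still owns its anchor.
    $active  = @(Get-MsolUser -All)
    $deleted = @(Get-MsolUser -All -ReturnDeletedUsers)

    foreach ($sam in $Map.Keys) {
        $upn = $Map[$sam]
        $ad  = Get-ADUser -Identity $sam
        # Get-ADUser returns objectGUID as [guid]; ToByteArray() yields the bytes
        # in the order ADSI Edit shows, which is exactly what gets Base64-encoded.
        $immutableId = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())

        $target = $active | Where-Object { $_.UserPrincipalName -eq $upn }
        if (-not $target) {
            Write-Warning "$upn : not found in the tenant"
            continue
        }
        # "Unable to update parameter. Parameter name: SourceAnchor": the cloud
        # object is already owned by directory sync, so its anchor cannot be
        # changed from the cloud side.
        if ($target.LastDirSyncTime) {
            Write-Warning "$upn : already synced (LastDirSyncTime $($target.LastDirSyncTime)); skipping"
            continue
        }
        # "Uniqueness violation. Property: SourceAnchor": another object, often
        # one sitting in the recycle bin, already carries this ImmutableId.
        $clash = @($active + $deleted | Where-Object {
            $_.ImmutableId -eq $immutableId -and $_.UserPrincipalName -ne $upn })
        if ($clash.Count -gt 0) {
            $who = ($clash | ForEach-Object { $_.UserPrincipalName }) -join ', '
            Write-Warning "$upn : ImmutableId already used by $who (purge deleted copies with Remove-MsolUser -RemoveFromRecycleBin)"
            continue
        }

        "{0} -> {1} : {2}" -f $sam, $upn, $immutableId
        if ($Commit) {
            Set-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId
        }
    }
}

# Single user, as in the post above (placeholder names; dry run):
Invoke-HardMatch -Map @{ 'praveen' = 'User@domain.com' }

# Bulk, as asked in the comments below: build the map from a CSV with the
# columns sAMAccountName,UserPrincipalName, review the dry run, then commit.
# $map = @{}
# Import-Csv .\users.csv | ForEach-Object { $map[$_.sAMAccountName] = $_.UserPrincipalName }
# Invoke-HardMatch -Map $map -Commit

# Afterwards force a sync run:
#   DirSync:           Start-OnlineCoexistenceSync
#   Azure AD Connect:  Start-ADSyncSyncCycle -PolicyType Delta
```

The dry run prints the sAMAccountName, UPN and computed ImmutableID for every user that passed the checks, so the mapping can be eyeballed before anything is written; the two warnings correspond one-to-one to the Set-MsolUser errors quoted in the comments, which is cheaper than discovering them mid-way through a 400-user batch.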

Comments (28)

  1. Yes, we can do that. I found a workaround that does it for all users, with the help of my friend. Will write a post on that soon.

  2. John says:

    Good one praveen

  3. Dan_IT says:

    Awesome Praveen. This helped me a lot

  4. Shivam11 says:

    great stuff Praveen.

  5. vamdev says:

    It worked, but how can we do it for multiple users at a time, like first creating a CSVDE file and importing it using PowerShell?

  6. Anonymous says:

    In my previous post I wrote about how we can do Hard Match of objects in on-premise to the corresponding

  7. Raymond says:

    Great stuff Praveen! Please share with us the workaround to hard match for multiple users, looking forward for your new post 🙂

  8. David Gipe says:

    Another simple way to find a "one off" objectGUID is via Active Directory Users and Computers:
    1. Enable Advanced Features
    2. Open the user ID’s properties
    3. Open the Attribute Editor tab
    4. Filter by attributes with values
    5. Find and copy the objectGUID from the list

  9. Kassem says:

    how it works for mail contacts as well ? is it possible ?

  10. Hi,
    Thanks for your blog indeed.

    I was inspired to create desktop tool that converts from ObjectGUID in AD to ImmutableID in Azure and vise versa
    http://ammarhasayen.com/2015/08/20/azure-guid-to-immutableid-and-vise-versa-desktop-app/

    Thanks

  11. Shiraz says:

    Hi Praveen… i tried the method but I get the message ‘set-msoluser : Uniqueness violation. Property: SourceAnchor’

  13. Anchal Arora says:

    Nice Article Praveen !!

  15. karteek says:

    Hi Praveen, I am following the above steps but I am getting the below-mentioned error. Can you please help me?

    Set-MsolUser : Unable to update parameter. Parameter name: SourceAnchor.
    At line:1 char:1
    + Set-MsolUser -UserPrincipalName test@test.com -ImmutableId MJhaBp/MjU6ZUa9rEL …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online
    .Administration.Automation.SetUser

  16. Birendra Pal says:

    I appreciate for this enlightening post.

  17. MpDay says:

    @Shiraz: about the message ‘set-msoluser : Uniqueness violation. Property: SourceAnchor’.

    Yes, I had that error too, but after investigating the deleted user was still in the Deleted Users folder. I created this user multiple times, and when I checked the Deleted Users folder, the user was there 5 times. I deleted ALL users from the Deleted Users
    folder, and then it worked.

    1. Jumrat says:

      Remove-Msoluser -Userprincipalname abc@domain.com -RemoveFromRecyclebin

    2. Thiago Beier says:

      Guys, here I have something weird happening.
      All users had been created in Office 365 first; after 3 years the company decided to sync on-premises AD DS with Office 365.
      11 users enabled, only 1 is having the issue described here.
      At the portal we have the same pattern:
      user01@company.onmicrosoft.com
      user01@mycompany.com
      user02@company.onmicrosoft.com
      user02@mycompany.com, but the user in question has user03@company.onmicrosoft.com unlicensed, and user03@mycompany.com unfortunately doesn't match with the on-premises one (same UPN, proxyAddresses).
      I found 3 users in the recycle bin at the portal and one of them, user03@company.onmicrosoft.com, had the ImmutableId related to the anchor. I deleted all of them and ran the sync again (I moved user03 from the SYNCED OU to the default Users container and moved him back after an initial sync) to clean his data from the metaverse, but when I run the sync again, same error:

      ECMA2 MA export run caused an error.

      Error Name: AttributeValueMustBeUnique
      Error Detail: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [OnPremiseSecurityIdentifier System.Byte[];]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

  18. João da Palma Tavares says:

    Important: The “Sync Type” only changes from “in Cloud” to “Synced with Active Directory” if you change the password for the user in the AD.
    Best regards,
    João.

    1. Savio Fernandes says:

      Hi Praveen,

      I have a scenario for which I need your guidance as to whether soft matching or hard matching should be selected.

      The scenario is my customer has 2 different forest and had created cloud identities initially. Now after 3 years I had suggested them to have synced users by using dirsync. What is the high level work involved in this activity so as to match and sync from o365 to AD.

      Regards,
      Savio
      Presales Architect

  19. Raghav Raju says:

    Hi Praveen –

    Good article composed. However I was wondering if this could be done in bulk for multiple users at once?

    Scenario: On-premises AD exists with users on it, Office365 is running with same users, but Directory Synchronisation has not occurred yet. Now we are going to add, verify the onprem domain at office365 and then need to hardsync all the users at once. I am talking about around 400 users in this situation. let me know the best possible solution. Thanks in advance.
