
Azure AD Connect is an excellent tool that syncs AD on-premises objects to Azure AD. What if the user object is created in the cloud directly, and there is no AD on-premises object? Azure AD Connect will not create the user in AD on-premises. Deleting the cloud user and recreating it on-premises is one option, but what if the user already uses the account with Exchange Online, Teams, SharePoint, and other services? In this article, we will look at how to sync an Azure AD user to on-premises AD without deleting the Azure AD user.

Correct way to create AD objects on-premises

It’s essential to create the AD objects on-premises when you have a hybrid environment, because Azure AD Connect syncs the on-premises AD objects to Azure AD. Not doing this will cause problems for the account, and reports on AD objects will no longer be accurate.

See the articles below on how to create cloud objects from on-premises AD:

  • Create Office 365 mailbox in Exchange Hybrid
  • Create Office 365 shared mailbox in Exchange Hybrid
  • Create Office 365 resource mailbox in Exchange Hybrid
  • Bulk create Office 365 mailboxes in Exchange Hybrid

Check AD object sync status

Suppose the AD on-premises object is not present, and the user is created in the cloud. The user already uses the account and has data in the Exchange Online mailbox, and also in SharePoint, Teams, and other services.

To check the user sync status, follow these steps:

  1. Sign in to Microsoft 365 admin center
  2. Expand Users and click on Active users
  3. Enable the Sync status column
  4. Search the user
  5. Find sync status

The sync status will show one of the following:

  • In cloud
  • Synced from on-premises

The below screen shows that the user Carol Baker is in the cloud and not synced from AD on-premises. However, the other two users are synced from on-premises.

So how do we change the object in the cloud to synced from on-premises? Let’s look at how to sync the Azure AD user to on-premises AD in the next step.

How to sync Azure AD user to on-premises AD

To sync an Azure AD user to on-premises AD, follow these steps:

Step 1. Create on-premises AD user object

It’s essential to create an AD object whose following attributes are identical to the cloud object:

  1. User logon name (UserPrincipalName)
  2. E-mail
  3. ProxyAddresses

Create an on-premises AD user object and fill in the details. Ensure that you fill in the user logon name identically to the cloud object.

Note: The password will reset to the one you create in AD on-premises. So it’s good to inform the user before you apply the change. Then, the user can reset the password later.

[Screenshot: new on-premises AD user object]

Fill in the E-mail identical to the cloud object.

[Screenshot: E-mail attribute of the on-premises AD user]

Fill in the proxyAddresses attribute.

If the user has aliases, add them too. Remember that the entry with SMTP in capital letters is the primary email address and that entries with smtp in lower case are aliases.

[Screenshot: proxyAddresses attribute of the on-premises AD user]
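
The following PowerShell script is an added example, not code from the original article. It reads the attributes that must match (UserPrincipalName, Mail, ProxyAddresses) directly from the cloud object with Get-MgUser and creates the on-premises AD user from them, so nothing is retyped by hand. It keeps only the SMTP entries of proxyAddresses and stops if there is not exactly one primary (capital SMTP) address. The module names and cmdlets are real; the OU path in $TargetOu, the variable names and the derived sAMAccountName are assumptions you replace with your own values.

```powershell
# Added example, not from the original article: create the on-premises AD user from
# the cloud object's own attributes so that UPN, e-mail and proxyAddresses match.
# Assumptions: ActiveDirectory and Microsoft.Graph.Users modules are installed,
# $Upn and $TargetOu are replaced with your own values.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All'

$Upn      = 'Carol.Baker@exoip.com'                # cloud-only user (value from the article)
$TargetOu = 'OU=Users,OU=Company,DC=exoip,DC=com'  # assumption: destination OU

# Read the cloud attributes that must be identical on the on-premises object
$Cloud = Get-MgUser -UserId $Upn -Property UserPrincipalName, Mail, ProxyAddresses, DisplayName, GivenName, Surname
if (-not $Cloud.Mail) { throw "Cloud user $Upn has no Mail value; fill it in before creating the AD object." }

# Keep the SMTP entries only. -match is case-insensitive, -cmatch is not:
# exactly one 'SMTP:' (primary) entry is expected, the 'smtp:' entries are aliases.
$Smtp = @($Cloud.ProxyAddresses | Where-Object { $_ -match '^smtp:' })
if (@($Smtp | Where-Object { $_ -cmatch '^SMTP:' }).Count -ne 1) {
    throw "Expected exactly one primary SMTP: address on $Upn; inspect the cloud proxyAddresses first."
}

# sAMAccountName is limited to 20 characters; derive it from the UPN prefix
$Prefix = $Upn.Split('@')[0]
$Sam    = $Prefix.Substring(0, [Math]::Min(20, $Prefix.Length))

# The article notes that this password replaces the user's cloud password after sync
$Password = Read-Host -Prompt "Initial password for $Sam" -AsSecureString

$NewUser = @{
    Name              = $Cloud.DisplayName
    SamAccountName    = $Sam
    UserPrincipalName = $Cloud.UserPrincipalName   # must equal the cloud UPN
    DisplayName       = $Cloud.DisplayName
    EmailAddress      = $Cloud.Mail                # must equal the cloud e-mail
    OtherAttributes   = @{ proxyAddresses = [string[]]$Smtp }
    AccountPassword   = $Password
    Enabled           = $true
    Path              = $TargetOu
}
if ($Cloud.GivenName) { $NewUser.GivenName = $Cloud.GivenName }
if ($Cloud.Surname)   { $NewUser.Surname   = $Cloud.Surname }
New-ADUser @NewUser

# Review the new object next to the cloud values before forcing a delta sync
Get-ADUser -Identity $Sam -Properties mail, proxyAddresses |
    Select-Object UserPrincipalName, mail, @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }
```

The case-sensitive check matters: proxyAddresses entries are compared by the prefix, and a second entry with capital SMTP would give the object two primary addresses.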

Step 2. Force Azure AD sync

Sign in to the Azure AD Connect server and force a delta sync with PowerShell.

Start-ADSyncSyncCycle -PolicyType Delta

Step 3. Check Azure AD Connect synchronization service

Start the Azure AD Connect Synchronization Service Manager on the Azure AD Connect server. Verify that it adds the on-premises AD user object to Azure AD and that there are no errors.

[Screenshot: Synchronization Service Manager showing the delta sync run]

Click on the Distinguished Name.

[Screenshot: Synchronization Service Manager object details]

Verify that it adds the AD object and look closely at the sourceAnchor attribute value, because you will verify it in Step 5.

[Screenshot: export details with the sourceAnchor attribute]

Step 4. Verify AD object sync status

It’s good to give the Azure AD Connect synchronization service a little time (5-10 minutes) before you jump into Microsoft 365 admin center and check the sync status.

The Microsoft 365 admin center shows the sync status as synced from on-premises.

[Screenshot: Microsoft 365 admin center showing sync status "Synced from on-premises"]
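
Steps 2 to 4 can be run as one script. The one below is an added example, not from the original article: it forces the delta sync on the Azure AD Connect server, waits for the scheduler to report the cycle finished instead of guessing, and then polls the cloud object until Microsoft Graph reports OnPremisesSyncEnabled, which is what the admin center shows as "Synced from on-premises". The cmdlets (Get-ADSyncScheduler, Start-ADSyncSyncCycle, Get-MgUser) are real; the user, the time limits and the polling intervals are assumptions.

```powershell
# Added example, not from the original article: force a delta sync and wait for
# both the local cycle and the cloud object to report completion.
# Assumptions: run on the Azure AD Connect server (ADSync module) with the
# Microsoft.Graph.Users module installed; $Upn is your own user.
Import-Module ADSync

$Upn = 'Carol.Baker@exoip.com'   # value from the article

# Start-ADSyncSyncCycle fails if a cycle is already running, so wait for it first
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; waiting for it to finish.'
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Poll the scheduler until the delta cycle is complete (assumption: 10 minute limit)
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $running = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($running -and (Get-Date) -lt $deadline)
if ($running) { throw 'Delta sync did not finish in time; check the Synchronization Service Manager for errors.' }

# The cloud side needs the few minutes the article mentions; poll instead of guessing
Connect-MgGraph -Scopes 'User.Read.All'
$deadline = (Get-Date).AddMinutes(10)
do {
    $user = Get-MgUser -UserId $Upn -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
    if ($user.OnPremisesSyncEnabled) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

# OnPremisesSyncEnabled = True corresponds to "Synced from on-premises" in the admin center
$user | Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
```

If OnPremisesSyncEnabled is still empty after the wait, the object was exported but not matched to the cloud user; go back to Step 3 and compare the export details against the cloud attributes.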

Step 5. Verify objectGUID and OnPremisesImmutableID attribute

Another way is to compare the on-premises AD attribute objectGUID with the Microsoft Entra ID attribute OnPremisesImmutableId. They must match exactly.

Note: The on-premises AD objectGUID value is a GUID, whereas the Microsoft Entra ID value is a base64-encoded string. So you have to convert the base64 string to a GUID, or the other way around, to compare the values.

Run PowerShell as administrator and run the Get-ADUser cmdlet to get the AD user objectGUID.

Get-ADUser "Carol.Baker" | fl UserPrincipalName,objectGUID

Or you can search on the UserPrincipalName.

Get-ADUser -Filter { UserPrincipalName -eq "Carol.Baker@exoip.com" } | fl UserPrincipalName, objectGUID

The objectGUID is 4dd814df-55e1-4889-a3bf-377605396b45.

UserPrincipalName : Carol.Baker@exoip.com
objectGUID        : 4dd814df-55e1-4889-a3bf-377605396b45

Run PowerShell as administrator and connect to Microsoft Graph PowerShell.

Connect-MgGraph -Scopes "User.ReadWrite.All"

Run the Get-MgUser cmdlet to get the Microsoft Entra ID user OnPremisesImmutableId.

Get-MgUser -UserId "Carol.Baker@exoip.com" -Property OnPremisesImmutableId, UserPrincipalName | fl UserPrincipalName, OnPremisesImmutableId

The OnPremisesImmutableId is 3xTYTeFViUijvzd2BTlrRQ==.

UserPrincipalName     : Carol.Baker@exoip.com
OnPremisesImmutableId : 3xTYTeFViUijvzd2BTlrRQ==

Copy the OnPremisesImmutableId and paste it into the below command to convert the base64 string to a GUID.

[GUID][system.convert]::FromBase64String("3xTYTeFViUijvzd2BTlrRQ==")

The output shows the GUID.

Guid
----
4dd814df-55e1-4889-a3bf-377605396b45

Suppose you want to convert the GUID to a base64 string: copy the GUID and paste it into the below command.

[Convert]::ToBase64String([guid]::New("4dd814df-55e1-4889-a3bf-377605396b45").ToByteArray())

The output shows the base64 string.

3xTYTeFViUijvzd2BTlrRQ==

[Screenshot: Sync Azure AD user to on-premises AD, Exchange]
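
The two one-liners above can be wrapped into a repeatable check. The script below is an added example, not from the original article: it converts in both directions, validates that the base64 string really decodes to 16 bytes, and compares the objectGUID of one or more AD users with the OnPremisesImmutableId of the matching Entra ID users using a case-sensitive comparison, because base64 is case-sensitive. The GUID and base64 values used at the end are the article's own; the function names and the Graph session scope are assumptions.

```powershell
# Added example, not from the original article: compare the on-premises objectGUID
# with the Entra ID OnPremisesImmutableId for one or more users.
# Assumptions: ActiveDirectory and Microsoft.Graph.Users modules installed, and an
# existing Graph session (Connect-MgGraph -Scopes 'User.Read.All').
Import-Module ActiveDirectory

function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    # Azure AD Connect base64-encodes the GUID's byte array (ToByteArray() stores the
    # first three fields little-endian), so encoding the hex string would give a wrong value
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId([string]$ImmutableId) {
    # Reverse direction: base64 -> 16 bytes -> GUID; rejects anything that is not a GUID
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to 16 bytes" }
    [guid]::new($bytes)
}

function Test-SourceAnchor {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        $ad    = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        $cloud = Get-MgUser -UserId $upn -Property UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled
        $expected = if ($ad) { ConvertTo-ImmutableId $ad.ObjectGUID } else { $null }
        $decoded  = if ($cloud.OnPremisesImmutableId) { ConvertFrom-ImmutableId $cloud.OnPremisesImmutableId } else { $null }
        [pscustomobject]@{
            UserPrincipalName     = $upn
            ObjectGUID            = $ad.ObjectGUID
            ExpectedImmutableId   = $expected
            OnPremisesImmutableId = $cloud.OnPremisesImmutableId
            ImmutableIdAsGuid     = $decoded
            SyncEnabled           = $cloud.OnPremisesSyncEnabled
            # -ceq: base64 is case-sensitive, a case-insensitive -eq could hide a mismatch
            Match                 = ($null -ne $expected) -and ($expected -ceq $cloud.OnPremisesImmutableId)
        }
    }
}

# Round trip with the article's values
ConvertTo-ImmutableId '4dd814df-55e1-4889-a3bf-377605396b45'
ConvertFrom-ImmutableId '3xTYTeFViUijvzd2BTlrRQ=='

# Compare one or more users; Match should be True for a correctly synced object
Test-SourceAnchor -UserPrincipalName 'Carol.Baker@exoip.com' | Format-List
```

A Match of False with a non-empty OnPremisesImmutableId means the cloud object is anchored to a different on-premises object than the one you just created, which is worth knowing before the next delta sync runs.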
