Most of the topics for how to use Azure AD Connect assume you start with a new Azure AD tenant and that there are no users or other objects there. But if you have started with an Azure AD tenant, populated it with users and other objects, and now want to use Connect, then this topic is for you.

The basics

An object in Azure AD is either mastered in the cloud (Azure AD) or on-premises. For one single object, you cannot manage some attributes on-premises and some other attributes in Azure AD. Each object has a flag indicating where the object is managed.

You can manage some users on-premises and others in the cloud. A common scenario for this configuration is an organization with a mix of accounting workers and sales workers. The accounting workers have an on-premises AD account, but the sales workers do not; they have an account in Azure AD. You would manage some users on-premises and some in Azure AD.

If you started to manage users in Azure AD that are also in on-premises AD and later want to use Connect, then there are some additional concerns you need to consider.

When you install Azure AD Connect and you start synchronizing, the Azure AD sync service (in Azure AD) does a check on every new object and tries to find an existing object to match. There are three attributes used for this process: userPrincipalName, proxyAddresses, and sourceAnchor/immutableID. A match on userPrincipalName or proxyAddresses is known as a soft match. A match on sourceAnchor is known as a hard match.

For the proxyAddresses attribute only the value with SMTP:, that is the primary email address, is used for the evaluation.

The match is only evaluated for new objects coming from Connect. If you change an existing object so it is matching any of these attributes, then you see an error instead.

If Azure AD finds an object where the attribute values are the same for an object coming from Connect and that is already present in Azure AD, then the object in Azure AD is taken over by Connect. The previously cloud-managed object is flagged as on-premises managed. All attributes in Azure AD with a value in on-premises AD are overwritten with the on-premises value.

Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory.

Hard-match vs Soft-match

For a new installation of Connect, there is no practical difference between a soft- and a hard-match. The difference is in a disaster recovery situation. If you have lost your server with Azure AD Connect, you can reinstall a new instance without losing any data. An object with a sourceAnchor is sent to Connect during initial install. The match can then be evaluated by the client (Azure AD Connect), which is a lot faster than doing the same in Azure AD. A hard match is evaluated both by Connect and by Azure AD. A soft match is only evaluated by Azure AD.

We have added a configuration option to disable the Soft Matching feature in Azure AD Connect. We advise customers to disable soft matching unless they need it to take over cloud only accounts. This article shows how to disable Soft Matching.

Other objects than users

For mail-enabled groups and contacts, you can soft-match based on proxyAddresses.
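The following is an added example, not code from the article or from Azure AD Connect: a small Python model of the matching rules described above (hard match on sourceAnchor/immutableID, soft match on userPrincipalName or the primary "SMTP:" proxyAddress, and the take-over effect on a cloud-only account), with the soft-match switch modelled as a parameter. All object dictionaries, field names such as onPremisesManaged, and helper names are constructed for illustration.

```python
# Added example (not from the article): models the sync service's matching rules.
# Object dicts and field names are constructed; "onPremisesManaged" stands in for
# the flag that marks where an object is managed.

def primary_smtp(proxy_addresses):
    """Only the primary address, written with uppercase 'SMTP:', counts for soft match."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):].lower()
    return None

def find_match(onprem, tenant, soft_match_enabled=True):
    """Evaluate a NEW on-prem object against the tenant.
    Returns (cloud_object, "hard" | "soft") or (None, None).
    Hard match (sourceAnchor == immutableID) is checked first and is unaffected
    by the soft-match setting; soft match only runs when it is enabled."""
    for obj in tenant:
        if obj.get("immutableId") and obj["immutableId"] == onprem["sourceAnchor"]:
            return obj, "hard"
    if not soft_match_enabled:
        return None, None
    smtp = primary_smtp(onprem["proxyAddresses"])
    for obj in tenant:
        if obj["userPrincipalName"].lower() == onprem["userPrincipalName"].lower():
            return obj, "soft"
        if smtp and primary_smtp(obj["proxyAddresses"]) == smtp:
            return obj, "soft"
    return None, None

def take_over(cloud, onprem):
    """Take-over effect: the cloud object becomes on-premises managed, receives the
    sourceAnchor as immutableID, and every attribute with an on-prem value is overwritten."""
    cloud["onPremisesManaged"] = True
    cloud["immutableId"] = onprem["sourceAnchor"]
    for name, value in onprem["attributes"].items():
        if value is not None:
            cloud.setdefault("attributes", {})[name] = value
    return cloud

# Constructed sample: a cloud-only account (think of a pre-existing admin) that shares
# a UPN with a new on-prem user. With soft matching enabled it is taken over.
TENANT = [{"userPrincipalName": "admin@contoso.example",
           "proxyAddresses": ["SMTP:admin@contoso.example"],
           "attributes": {"displayName": "Cloud Admin"}}]
NEW_ONPREM = {"sourceAnchor": "ABC123==", "userPrincipalName": "admin@contoso.example",
              "proxyAddresses": ["smtp:alias@contoso.example", "SMTP:admin@contoso.example"],
              "attributes": {"displayName": "On-prem Admin"}}

def simulate(soft_match_enabled):
    """Run one sync of NEW_ONPREM against a fresh copy of TENANT; return (kind, cloud object)."""
    tenant = [dict(o, attributes=dict(o["attributes"])) for o in TENANT]
    obj, kind = find_match(NEW_ONPREM, tenant, soft_match_enabled)
    if obj is not None:
        take_over(obj, NEW_ONPREM)
    return kind, tenant[0]
```

Running `simulate(True)` shows the cloud admin's attributes replaced by the on-prem values, while `simulate(False)` leaves the cloud-only account untouched, which is the behaviour the disable-soft-match option is meant to give you.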