Merge on-premises Accounts with existing Azure AD Accounts

Today I ran into the problem again: a customer had created his first 100 users as cloud-only users, without Azure AD Connect sync in place.

He has now realized that it would make sense to synchronize his local AD instead of creating and maintaining everything manually on both sides (on-premises AD and Azure AD).

Now, if you simply synced the users, Azure AD Connect would most likely create a new user instead of merging the existing cloud user with the synced on-premises user.

But why? There are two mechanisms that determine whether users are merged.

First, the soft match. Here Azure AD Connect checks whether the UPN AND the SMTP address are identical. If so, the on-premises account and the cloud account are merged.

Second, the hard match. Here it checks whether both accounts have the same immutableID. On premises, the immutableID is the Base64-encoded objectGUID. Online, there is an attribute called immutableID. If the ID matches on both sides, the cloud account and the synced on-premises account are merged.

To be on the safe side, I always set the immutableID via PowerShell in such a scenario.

Here is a simple PowerShell script that searches for cloud-only users and matches the UPN against the on-premises users. If the UPN matches, it sets the immutableID on the Azure AD user object.

# Use test mode if the value equals $true: do nothing but show what would happen.
$testMode = $true

# Check if the required modules are installed. This works on Windows Server only.
if ( -not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Host "On-premises Active Directory module does not exist. Installing.... "
    Install-WindowsFeature -Name RSAT-AD-PowerShell
}

# Get-PackageProvider writes an error (rather than returning $null) when the provider is missing
if ( -not (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {
    Write-Host "NuGet package provider is required. Installing.... "
    Install-PackageProvider NuGet -Force -ForceBootstrap
}

if ( -not (Get-Module -ListAvailable -Name AzureAD)) {
    Write-Host "Azure Active Directory module does not exist. Installing.... "
    Install-Module AzureAD -Force
}

# Connect to Azure AD if a connection does not already exist
if ( -not ($azureConnection)){
    $azureConnection = Connect-AzureAD
}

# Read online (cloud-only, non-guest) users and on-premises users
$onlineUsers = Get-AzureADUser -All $true | ? {($_.DirSyncEnabled -ne $true) -and ($_.UserPrincipalName -notlike "*#EXT#*")}
$onPremisesUsers = Get-ADUser -Filter *

# Check whether the user already has the expected immutableID; if not, set it
foreach ($onlineUser in $onlineUsers){
    if ($onPremisesUsers.UserPrincipalName -contains $onlineUser.UserPrincipalName){
        $user = $onlineUser.UserPrincipalName

        # UPN is unique in AD, so -eq on the single string returns exactly one on-premises user
        $onPremisesUser = $onPremisesUsers | ? {$_.UserPrincipalName -eq $onlineUser.UserPrincipalName}
        # immutableID = Base64 of the 16 raw objectGUID bytes
        $immutableID = [System.Convert]::ToBase64String($onPremisesUser.ObjectGUID.ToByteArray())

        if ($onlineUser.ImmutableId -eq $immutableID){
            Write-Host "User $user already has immutableID set."
        }else{
            Write-Host "Setting ImmutableID for user $user with ID: $immutableID"
            if (-not ($testMode)){
                Set-AzureADUser -ObjectId $user -ImmutableId $immutableID
            }
        }
    }
}
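The hard-match paragraph above says the immutableID is the Base64-encoded objectGUID, and the script stamps that value on every UPN match. Before running it in earnest, it is worth knowing what the tenant looks like: which cloud users have no on-premises counterpart (they will become duplicates after sync), and which already carry an immutableID that decodes to a different on-premises objectGUID (stamping over it would silently re-point the account). The following is an added example, not code from the original post: it converts in both directions (objectGUID to immutableID and back) and produces a pre-flight report over constructed sample users. The function names, the sample UPNs and the GUIDs are all made up for illustration; in production you would pass the output of Get-ADUser and Get-AzureADUser instead of the constructed arrays.

```powershell
# Added example, not from the original post. Converts objectGUID <-> ImmutableId and
# classifies cloud users before a sync. All users below are constructed sample data.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect stores the raw 16 GUID bytes as Base64. Guid.ToByteArray() uses the
    # mixed-endian Windows layout, so the Base64 text does not line up with the hex digits
    # shown by Get-ADUser; always convert via the byte array, never from the GUID string.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction. Only meaningful when the value really is a 16-byte GUID; a tenant
    # that uses a non-GUID custom sourceAnchor yields $null here (assumption: treat as unknown).
    try {
        $bytes = [System.Convert]::FromBase64String($ImmutableId)
        if ($bytes.Length -ne 16) { return $null }
        return [guid]::new($bytes)
    } catch { return $null }
}

function Get-MatchReport {
    param(
        [Parameter(Mandatory)]$OnPremisesUsers,  # objects with UserPrincipalName, ObjectGUID
        [Parameter(Mandatory)]$CloudUsers        # objects with UserPrincipalName, ImmutableId
    )
    # Index on-premises users by lower-cased UPN and by objectGUID for O(1) lookups
    $byUpn  = @{}
    $byGuid = @{}
    foreach ($u in $OnPremisesUsers) {
        $byUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u
        $byGuid[[string]$u.ObjectGUID] = $u
    }
    foreach ($c in $CloudUsers) {
        $onPrem = $byUpn[$c.UserPrincipalName.ToLowerInvariant()]
        $state = if (-not $onPrem) {
            'NoOnPremMatch'          # no UPN match: sync would create a duplicate user
        } elseif (-not $c.ImmutableId) {
            'ReadyToSet'             # soft-match candidate, safe to stamp the ImmutableId
        } elseif ($c.ImmutableId -eq (ConvertTo-ImmutableId $onPrem.ObjectGUID)) {
            'AlreadyMatched'         # hard match already in place
        } else {
            $pointsTo = ConvertFrom-ImmutableId $c.ImmutableId
            if ($pointsTo -and $byGuid[[string]$pointsTo]) {
                'ConflictOtherUser'  # ImmutableId points at a different on-premises account
            } else {
                'ConflictUnknownId'  # ImmutableId set, but matches no on-premises objectGUID
            }
        }
        [pscustomobject]@{
            UserPrincipalName   = $c.UserPrincipalName
            State               = $state
            ExpectedImmutableId = if ($onPrem) { ConvertTo-ImmutableId $onPrem.ObjectGUID } else { $null }
        }
    }
}

# Constructed sample data (not real accounts)
$guidA = [guid]'11111111-2222-3333-4444-555555555555'
$guidB = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$guidC = [guid]'99999999-8888-7777-6666-555555555555'
$onPrem = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ObjectGUID = $guidA }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ObjectGUID = $guidB }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ObjectGUID = $guidC }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'Alice@contoso.example'; ImmutableId = $null }                          # ReadyToSet (case differs)
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ImmutableId = (ConvertTo-ImmutableId $guidB) } # AlreadyMatched
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ImmutableId = (ConvertTo-ImmutableId $guidA) } # ConflictOtherUser
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  ImmutableId = $null }                          # NoOnPremMatch
)

# Sanity check on the conversion itself: objectGUID -> ImmutableId -> objectGUID must round-trip
$roundTrip = ConvertFrom-ImmutableId (ConvertTo-ImmutableId $guidA)
if ($roundTrip -ne $guidA) { throw 'ImmutableId round trip failed' }

Get-MatchReport -OnPremisesUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

Only the ReadyToSet rows are candidates for the Set-AzureADUser call in the script above; the two Conflict states should be resolved by hand before syncing, and NoOnPremMatch rows are the users that need an on-premises account created (or a UPN corrected) first.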