There are two types of matching used during Dirsync:
- Soft Match
- Hard Match
Here we will see how to do a Hard Match in Dirsync.
Here are the broad-level steps for a hard match between on-prem and cloud:
- Get the Immutable ID
- Run a delta sync on AD Connect
Connect to the machine where AD is installed, open a command prompt with administrator credentials and run the command below:
ldifde -f export.txt -r "(Userprincipalname=*)" -l "objectGuid, userPrincipalName"
This command produces an output file, export.txt, containing the user principal name and the objectGUID (the Immutable ID) of every object that has a UPN.
The output looks like this for each object:
----------------------------------------------------
dn: CN=2013,OU=DirSynced OU,DC=prakum,DC=msftonlinerepro,DC=com
changetype: add
objectGUID:: g8Pclm4vok+vFWtMERklmg==
userPrincipalName: 2013@prakum.msftonlinerepro.com
----------------------------------------------------
To hard match an object, search for it by UPN in the text file above and note the corresponding objectGUID value for that object.
Use that objectGUID in the command below to set the Immutable ID on the cloud object:
Set-MsolUser -UserPrincipalName User@domain.com -ImmutableId g8Pclm4vok+vFWtMERklmg==
Here User@domain.com is the UPN of the user in the cloud that we want the on-premises user to be matched to.
Then go to the AD Connect server, open PowerShell and run the following commands to force a sync:
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Note: Because of replication delays between on-prem and cloud, you might have to wait some time and force Dirsync a couple of times.
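As an added example (not part of the original article), a small Python helper for the lookup step: it parses the ldifde export as LDIF, finds the entry for a UPN, returns the objectGUID as the base64 string that Set-MsolUser -ImmutableId expects (the "::" in the export marks a base64 value), and checks that the value decodes to a 16-byte GUID before you paste it into the command. The embedded export is constructed: the first entry mirrors the output shown above, the second is made up.

```python
import base64
import uuid
# Constructed sample of the ldifde export: entry one mirrors the output shown
# above, entry two is made up to show a folded (continued) LDIF line.
SAMPLE_EXPORT = """\
dn: CN=2013,OU=DirSynced OU,DC=prakum,DC=msftonlinerepro,DC=com
changetype: add
objectGUID:: g8Pclm4vok+vFWtMERklmg==
userPrincipalName: 2013@prakum.msftonlinerepro.com

dn: CN=Long Name,OU=DirSynced OU,DC=prakum,DC=msftonlinerepro,DC=com
changetype: add
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
userPrincipalName: someone.with.a.long.name
 @prakum.msftonlinerepro.com
"""
def parse_ldif(text):
    """Entries as dicts: lower-cased attribute -> [(value, is_base64)]."""
    entries, current = [], {}
    # LDIF folds long values: a newline followed by one space is removed first.
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")          # '::' means the value is base64
        value = (rest[1:] if is_b64 else rest).strip()
        current.setdefault(name.strip().lower(), []).append((value, is_b64))
    return entries

def immutable_id_for(text, upn):
    """base64 objectGUID for this UPN (the form -ImmutableId takes), or None."""
    for entry in parse_ldif(text):
        if any(v.lower() == upn.lower() for v, _ in entry.get("userprincipalname", [])):
            guids = entry.get("objectguid", [])
            if len(guids) != 1 or not guids[0][1]:
                raise ValueError("objectGUID missing or not base64 for " + upn)
            return guids[0][0]
    return None

def check_immutable_id(value):
    """Value must be base64 of a 16-byte GUID; returns it as the GUID string AD shows."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId must decode to 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))
```

Run check_immutable_id on the value you are about to set and compare the returned GUID with the on-prem object's objectGUID as shown in AD tools; a mismatch means you copied the wrong line.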