Switch Office 365 federation provider

Hi,

We're switching domain federation provider from "other" to on-prem AD.

However, while testing Azure AD Connect, we ran into syncing problems where the O365 user's ImmutableID differs from the one Azure AD Connect provides.

What would be the best option here? It seems it's not even possible to change the ImmutableID on an already federated user.

I found some threads suggesting that changing the UPN of the O365 user, clearing the ImmutableID and then changing the UPN back would work, but I'm not sure what that might break for our users.

Is disconnecting the domain from federation altogether an option? As in, disconnecting the domain, clearing the ImmutableID on all users, syncing with AD and then turning federation back on with the new federation settings?


Answer

Hi Robin,

Yes, it will be good enough if you can make sure every attribute in the cloud matches the on-prem one.

A more precise method you can try is to check which attributes will be synced from your local AD to AAD and manage the attributes accordingly. To check it, open the AAD Connect server > open Synchronization Service Manager > Metaverse Search > Scope by Object Type: All > click Search on the right side > double-click one of the pilot users > under the Attributes tab you can see the multiple attributes that will be synced for the user > check the ones whose Sync Rule is "In from AD"; all these attributes are taken from the local AD and will overwrite your online ones, and they all influence the functions of the user account in the cloud.

Regards,

Leo
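To compare the sourceAnchor Azure AD Connect would compute with what the tenant currently holds before any cutover, here is an added read-only PowerShell check (example code, not from the thread or from Microsoft). It assumes the ActiveDirectory and MSOnline modules are available, that Connect-MsolService has already been run, that the default sourceAnchor (objectGUID) is in use, and the OU path is a placeholder.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory and
# MSOnline modules are installed and that Connect-MsolService has already been run.
# With the default sourceAnchor, AAD Connect sets ImmutableId to the Base64 encoding
# of the on-prem objectGUID, so we compute that value per user and compare it with
# the tenant's current value. Read-only: nothing in AD or the tenant is modified.

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same encoding AAD Connect applies to objectGUID for the default sourceAnchor.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Compare-ImmutableIds {
    # $SearchBase is assumed to be the OU holding the pilot users (placeholder path below).
    param([Parameter(Mandatory)][string]$SearchBase)

    $onPrem = Get-ADUser -Filter * -SearchBase $SearchBase -Properties ObjectGUID, UserPrincipalName
    foreach ($u in $onPrem) {
        if (-not $u.UserPrincipalName) { continue }   # no UPN, nothing to match on

        $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $cloud) {
            [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = 'NotInTenant'; Expected = $null; Current = $null }
            continue
        }

        $expected = Get-ExpectedImmutableId -ObjectGuid $u.ObjectGUID
        $status = if (-not $cloud.ImmutableId)           { 'CloudOnly' }   # never hard-matched yet
                  elseif ($cloud.ImmutableId -eq $expected) { 'Match' }
                  else                                      { 'Mismatch' }  # the case in the question

        [pscustomobject]@{ UPN = $u.UserPrincipalName; Status = $status; Expected = $expected; Current = $cloud.ImmutableId }
    }
}

# Usage: list only the users whose current ImmutableId would not match what AAD Connect computes.
# Compare-ImmutableIds -SearchBase 'OU=PilotUsers,DC=example,DC=com' |
#     Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

Users reported as Mismatch are the ones that would not hard-match on sourceAnchor and would need their ImmutableId reconciled before the federation switch; the script only reports, it does not change anything.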


Last updated October 1, 2021