How to Hard Match Office 365 Identities to On-Premise Users

Download Sample M365 Risk Assessment
Akins IT • January 8, 2020

When migrating from on-premise exchange to Office 365, IT administrators can experience failure when attempting to soft match identities. Soft matching (also known as "SMTP matching") can fail for many reasons, the common one being because Office 365 detects that the email is already associated with another object. In the case of a soft match failure, a hard match must be performed. The solution to this is to stamp the online identities immutable ID with the GUID from the on-premise user, which can be done on-premise on the Active Directory server.



This is a simple PowerShell solution to hard match an on-premise GUID to an immutable ID for an online user. This ensures that all on-premise identities are correctly matched and linked to the Office 365 identities, which allows for full Office 365 write-back functionality in an organization's environment.

Provided below is the step-by-step guide on how to carry out this solution:

  1. Remove on-premise Identity from syncing with O365
  2. Remove on-premise Identity from O365 and Remove from Recycle bin
  3. Launch Powershell and run the following Commands
  4. Set-ExecutionPolicy RemoteSigned
  5. $credential = Get-Credential
  6. Input admin credentials for Office 365 and run the following command
  7. Import-Module MsOnline
  8. Connect-MsolService -Credential $credential
  9. Run “$ADGuidUser = Get-ADUser -Filter * | Select Name,ObjectGUID | Sort-Object Name | Out-GridView”
  10. Select the on-premise user from the Grid
  11. Run “$UserimmutableID = [System.Convert]::ToBase64String($ADGuidUser.ObjectGUID.tobytearray())” in powershell to convert GUID to the immutable ID format
  12. Run $OnlineUser = Get-MsolUser | Select UserPrincipalName,DisplayName,ProxyAddresses,ImmutableID | Sort-Object DisplayName | Out-GridView -Title "Select The Office 365 Online User To HardLink The AD User To" -PassThru”
  13. Select the Online identity to match on-premise identity
  14. Run “Set-MSOLuser -UserPrincipalName $OnlineUser.UserPrincipalName -ImmutableID $UserimmutableID”
  15. Set the Online identity with the new immutable ID
  16. Run “Set-MSOLuser -UserPrincipalName $OnlineUser.UserPrincipalName -ImmutableID $UserimmutableID”
  17. Check the immutable id matches
  18. Run the following two lines and confirm IDs Match
    “Write-Host "AD Immutable ID Used" $UserimmutableID”
    “Write-Host "Office365 UserLinked" $Office365UserQuery.ImmutableId”
CONTACT US TO LEARN MORE ABOUT THIS TOPIC OR TO SCHEDULE A CALL

Improve Productivity with Copilot and Akins IT

By Shawn Akins December 13, 2024
Unleashing Productivity: Maximizing Potential with Copilot for Microsoft 365 and Akins IT

Collaborate Securely with Akins IT

By Shawn Akins November 25, 2024
Security Insights

Navigating the End of the Microsoft Enterprise Agreement: What It Means for Our Customers

By Shawn Akins November 13, 2024
One of the most impactful changes is the upcoming end of the Microsoft Enterprise Agreement (EA) framework, set to take effect on January 1, 2025.
More Posts