AD User mismatch Azure AD User – Duplicate Anchor

Need to match an Active Directory user with an already created Azure Active Directory user?

Standard practice is a soft match, where the UserPrincipalName and the primary email address (proxyAddresses) of the on-premises user match those of the Azure AD user. This requires the UPN domain to be verified in Azure AD, and if the AD forest name is not the same as the verified domain, the domain has to be added as an alternate UPN suffix in Active Directory Domains and Trusts:


And for the email, we may not always have an email address on the Azure AD user. Populating one requires an Exchange Online license, and without Hybrid or staged coexistence configured that creates mailboxes in Exchange Online, which we don't want if we plan to do Hybrid Exchange later. Or the customer only wants to use CRM Online, for example.

That is a problem, because with the sync tools of the time we cannot soft-match users on UPN alone (later builds of Azure AD Connect can also soft-match on UPN). The way around it is a hard match: we update the user object in Azure AD with the SourceAnchor of the user object in AD. In Azure AD this attribute is called ImmutableID; in AD it is the ObjectGUID, Base64-encoded. Note that newer Azure AD Connect builds use mS-DS-ConsistencyGuid as the source anchor by default; if that is the case, the value of that attribute is what has to be encoded.

Until this is done, DirSync/AADSync/AADConnect/FIM will report a Duplicate Anchor error for the user:

We cannot change the anchor in Active Directory, but we can set it in Azure AD, so with a small PowerShell script we can hard-match them:

#Connect to Azure AD first (MSOnline module)
Connect-MsolService

$cn = "Bob Builder"

#Get the AD user's ObjectGUID and UPN in one call (the UPN must match the Azure AD user object's UPN)
$adUser = Get-ADUser -Filter "cn -eq '$cn'" -Properties objectGUID
$guid = $adUser.ObjectGUID
$upn  = $adUser.UserPrincipalName

#Convert the ObjectGUID into an ImmutableID: the 16 raw GUID bytes, Base64-encoded
$ImmutableID = [System.Convert]::ToBase64String($guid.ToByteArray())

#Set the ImmutableID on the Azure AD user object
Set-MsolUser -UserPrincipalName $upn -ImmutableId $ImmutableID

Then run the synchronization again. The first run will still log a Duplicate Anchor error, since the cloud object has only just been updated, but the job is done, and the next sync cycle will match the two objects as intended.
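The script above writes the ImmutableID blindly. As an added example (not code from the original post), the following does the same hard match with the checks I would want before running it against many users: it converts in both directions so an existing ImmutableId can be traced back to an on-premises GUID, refuses to overwrite a cloud user that is already bound to a different object, and supports -WhatIf. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has been run; the UPN, OU and domain names are made up.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# MSOnline modules are loaded and Connect-MsolService has already been run.
# Object names below (contoso.com, OU=Staff) are placeholders.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion as the post: the 16 raw GUID bytes, Base64-encoded.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: which on-premises ObjectGUID is this cloud user bound to?
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Set-HardMatch {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Properties objectGUID
    if (-not $adUser) {
        Write-Warning "No AD user with UPN $UserPrincipalName, skipping"
        return
    }
    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $expected  = ConvertTo-ImmutableId $adUser.ObjectGUID

    if ($cloudUser.ImmutableId -eq $expected) {
        Write-Verbose "$UserPrincipalName is already hard-matched"
        return
    }
    if ($cloudUser.ImmutableId) {
        # Already bound to some other on-premises object: do not silently re-point it.
        $other = ConvertFrom-ImmutableId $cloudUser.ImmutableId
        Write-Warning "$UserPrincipalName already has ImmutableId for GUID $other (AD has $($adUser.ObjectGUID)), skipping"
        return
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set ImmutableId $expected")) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    }
}

# Usage: dry-run one user first, then apply to a whole OU.
Set-HardMatch -UserPrincipalName 'bob.builder@contoso.com' -WhatIf
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=contoso,DC=com' |
    ForEach-Object { Set-HardMatch -UserPrincipalName $_.UserPrincipalName -Verbose }
```

The reverse conversion is the useful part when troubleshooting: decode the ImmutableId of a cloud user and compare it with Get-ADUser output, and you know immediately whether a Duplicate Anchor is a missing match or a user bound to the wrong on-premises object.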

Good Luck 🙂



I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus is Microsoft Security and Endpoint Management, with the bigger picture in mind.
