AD User mismatch Azure AD User – Duplicate Anchor


Need to match an Active Directory user with an already created Azure Active Directory user?

Standard practice is a soft-match, where the UserPrincipalName and the email address match. This requires the domain to be verified in Azure AD, and if the AD forest name isn’t the same, we need to add the domain as an alternate UPN suffix:


And for the email, we might not always have an email address in Azure AD, because that requires an Exchange Online license without Hybrid or Stage Coexistence configured, and we don’t want mailboxes in Exchange Online when we want to do Hybrid Exchange later. Or the customer only wants to use CRM Online, for example.

Well, that is a problem, because we can’t soft-match users with only the UPN. But there is a trick we can use to create a hard-match, which is where we update the user object in Azure AD with the SourceAnchor from the user object in AD. This is called the ImmutableID in Azure AD and the ObjectGUID in AD.

Before the fix, DirSync/AADSync/AADConnect/FIM will report a Duplicate Anchor error:

We cannot change this in Active Directory, but we can in Azure AD, so with a tiny PowerShell Script we can hard-match them:
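The post's own script is not reproduced on this page, so here is an added example of the same hard-match in PowerShell (not the author's script). It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the tenant uses the default SourceAnchor, which is the AD ObjectGUID bytes encoded as Base64. The SamAccountName and UPN in the usage lines are placeholders.

```powershell
# Added example (not the post's own script): hard-match one on-premises AD user
# to an existing cloud-only Azure AD user by writing the Base64-encoded ObjectGUID
# into the cloud user's ImmutableId. Assumes ActiveDirectory + MSOnline modules
# and an existing Connect-MsolService session.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-SourceAnchorFromAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName
    # Default SourceAnchor = ObjectGUID bytes, Base64-encoded (what the sync engine computes).
    return [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse conversion: decode an ImmutableId back to the GUID it was built from.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    return New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Set-HardMatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,          # on-prem AD user
        [Parameter(Mandatory)][string]$CloudUserPrincipalName   # existing Azure AD user
    )
    $anchor    = Get-SourceAnchorFromAdUser -SamAccountName $SamAccountName
    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName -ErrorAction Stop

    # Refuse to overwrite an anchor that already points at a different AD object;
    # doing so would silently re-home the cloud identity onto the wrong account.
    if ($cloudUser.ImmutableId -and $cloudUser.ImmutableId -ne $anchor) {
        $existing = ConvertFrom-ImmutableId -ImmutableId $cloudUser.ImmutableId
        throw "$CloudUserPrincipalName already has ImmutableId $($cloudUser.ImmutableId) (ObjectGUID $existing); not overwriting."
    }
    if ($cloudUser.ImmutableId -eq $anchor) {
        Write-Host "$CloudUserPrincipalName is already hard-matched to $SamAccountName"
        return
    }
    if ($PSCmdlet.ShouldProcess($CloudUserPrincipalName, "Set ImmutableId to $anchor")) {
        Set-MsolUser -UserPrincipalName $CloudUserPrincipalName -ImmutableId $anchor

        # Read back and confirm the stored value decodes to the AD ObjectGUID.
        $after  = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName
        $adGuid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
        if ((ConvertFrom-ImmutableId -ImmutableId $after.ImmutableId) -ne $adGuid) {
            throw "ImmutableId read-back does not decode to ObjectGUID $adGuid"
        }
        Write-Host "Hard-matched $CloudUserPrincipalName to AD ObjectGUID $adGuid"
    }
}

# Usage with placeholder names: preview with -WhatIf first, then apply.
Set-HardMatch -SamAccountName 'jdoe' -CloudUserPrincipalName 'jdoe@contoso.com' -WhatIf
Set-HardMatch -SamAccountName 'jdoe' -CloudUserPrincipalName 'jdoe@contoso.com'
```

The ImmutableId can only be written while the cloud user is still cloud-only; once the object has been synced it becomes read-only from the Azure AD side, which is why the guard against a pre-existing, different anchor matters. With the newer Microsoft Graph PowerShell module the same write is Update-MgUser -UserId <upn> -OnPremisesImmutableId <value>, with the Base64 value computed exactly as above.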

Then run the synchronization again. It will report one more Duplicate Anchor error, but the job is done, so the next sync will work as intended.

Good Luck :)
