Sourceanchor binary options
Basically what you have is the attribute flow below. Be aware that even in a domain migration within the same forest, some third-party migration tools actually provision a new user object as part of their sync process and thus generate a new objectGUID.
Keep in mind that these can be very disruptive operations, and not something I would plan to do unless all other alternatives have been exhausted. Disabling Directory Synchronization in your tenant can take 72 hours and is not something I would ever consider if you need to change only a few objects. Among the attributes that can be used as the sourceAnchor are the Exchange custom extension attributes.
The actual attribute here is not as critical as the value we populate it with and how we use it. Since objectGUID is guaranteed to be unique, we can still use it to initially populate our selected sourceAnchor attribute. In the above configuration, the on-premises objectGUID changes, but the sourceAnchor in the metaverse and the ImmutableID in the cloud never change; they still contain the base64-encoded version of the original objectGUID.
Important to note here is that the default objectGUID is used by the claims issuance rules when you create the relying party trust for Office. If you use the above process to change your sourceAnchor from objectGUID to some other attribute, you need to update this claim rule. Paul Williams has a series of articles covering similar aspects in relation to the FIM MA and Office; check these out for some additional reading:
Leave a comment below or follow me on Twitter JoePalarchio for additional posts and information on Office.

One question about the diagram….

Yes, the attribute needs to be maintained, but it can just be added into the provisioning process like every other task (mailbox enablement, licensing, etc.).

The sourceAnchor attribute is case-sensitive, but you should not have two different objects whose values differ only in case. If you have a single forest on-premises, then the attribute you should use is objectGUID.
This is also the attribute used when you use express settings in Azure AD Connect, and the attribute used by DirSync. If you have multiple forests and do not move users between forests and domains, then objectGUID is a good attribute to use in this case as well. If you move users between forests and domains, then you must find an attribute that does not change, or that can be moved with the users during the move. A recommended approach is to introduce a synthetic attribute.
An attribute that can hold something that looks like a GUID is suitable. During object creation, a new GUID is created and stamped on the user. When you move the object, make sure to also copy this value. Another option is to pick an existing attribute you know does not change.
Commonly used attributes include employeeID. If you consider an attribute that contains letters, make sure there is no chance the case upper case vs. Bad attributes that should not be used include those containing the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this attribute. This is also one reason why attributes such as userPrincipalName, mail, and targetAddress cannot even be selected in the Azure AD Connect installation wizard.
Those attributes also contain the " " character, which is not allowed in the sourceAnchor. The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity has been synchronized.
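Added example (my own code, not from the post above or from Azure AD Connect): the objectGUID-to-ImmutableID mapping described earlier, in Python, plus a checker that applies the sourceAnchor rules listed here to a candidate attribute (every object needs a value, '@' is not allowed, and values that differ between objects only in case are flagged because sourceAnchor is case-sensitive). The sample objects and their GUIDs are constructed, and the dict keys sAMAccountName and employeeID are assumed field names.

```python
import base64
import uuid
from collections import defaultdict

def immutable_id_from_object_guid(object_guid: str) -> str:
    """ImmutableID as Azure AD Connect derives it from objectGUID: the GUID's
    16 bytes in Windows (mixed-endian) order, base64-encoded."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: decode a cloud ImmutableID back to the objectGUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))

def check_source_anchor_candidates(objects, attribute):
    """Check a candidate sourceAnchor attribute over on-premises objects.
    Returns (sAMAccountName, problem) tuples; an empty list means the
    attribute is usable for every object in the set."""
    problems = []
    by_case_folded = defaultdict(list)
    for obj in objects:
        name, value = obj["sAMAccountName"], obj.get(attribute)
        if not value:
            problems.append((name, f"{attribute} is empty"))
            continue
        if "@" in value:
            problems.append((name, f"{attribute} contains '@'"))
        by_case_folded[value.casefold()].append((name, value))
    for group in by_case_folded.values():
        if len({v for _, v in group}) > 1:  # same letters, different case
            problems.extend((n, f"{attribute}={v!r} differs only in case") for n, v in group)
    return problems

# Constructed sample objects (not from a real directory); the GUIDs are made up.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "jdoe", "employeeID": "E1001",
     "objectGUID": "00000001-0000-0000-0000-000000000000"},
    {"sAMAccountName": "asmith", "employeeID": "e1001",
     "objectGUID": "00000000-0000-0000-0000-000000000001"},
    {"sAMAccountName": "bwong", "employeeID": "",
     "objectGUID": "12345678-9abc-def0-1234-56789abcdef0"},
    {"sAMAccountName": "svc-sync", "employeeID": "svc-sync@contoso.example",
     "objectGUID": "0fedcba9-8765-4321-0fed-cba987654321"},
]
```

Running `check_source_anchor_candidates(SAMPLE_OBJECTS, "employeeID")` reports all four constructed objects, while the same check on `objectGUID` returns nothing, which is the point the text makes about objectGUID being the safe default in a single forest.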
By default, Azure AD Connect version 1. You cannot specify its value when creating on-premises AD objects. As explained in the sourceAnchor section, there are scenarios where you need to specify the sourceAnchor value. If those scenarios apply to you, you must use a configurable AD attribute (for example, msDS-ConsistencyGuid) as the sourceAnchor attribute. Azure AD Connect version 1. When using this feature, Azure AD Connect automatically configures the synchronization rules to:
ObjectGUID is used for other object types. You can enable the use of ConsistencyGuid as sourceAnchor during a new installation. This section covers both Express and Custom installation in detail.
Only newer versions of Azure AD Connect 1. Older versions of Azure AD Connect do not. If information about the sourceAnchor attribute used isn't available, the wizard checks the state of the msDS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any object in the directory, the wizard uses msDS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by other applications and is not suitable as the sourceAnchor attribute. Once the sourceAnchor attribute is decided, the wizard stores the information in your Azure AD tenant.
The information will be used by future installations of Azure AD Connect. Once Express installation completes, the wizard informs you which attribute has been picked as the Source Anchor attribute. If the attribute isn't configured on any object in the directory, Azure AD Connect concludes that no other application is currently using the attribute and that it is safe to use as the Source Anchor attribute.
Click Next to continue. In the Ready to Configure screen, click Configure to make the configuration change. Once the configuration completes, the wizard indicates that msDS-ConsistencyGuid is now being used as the Source Anchor attribute. During the analysis (step 4), if the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by another application and returns an error, as illustrated in the diagram below.
This error can also occur if you have previously enabled the ConsistencyGuid feature on your primary Azure AD Connect server and you are trying to do the same on your staging server. To do so, run the following command in a command prompt: The wizard returns the following warning after installation completes: Suppose you have deployed Azure AD Connect with the ConsistencyGuid feature enabled, and now you would like to add another directory to the deployment.
If the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by other applications and returns an error, as illustrated in the diagram below. If you are certain that the attribute isn't used by existing applications, contact Support for information on how to suppress the error.
While integrating your on-premises directory with Azure AD, it is important to understand how the synchronization settings can affect the way a user authenticates. In particular, when you synchronize your users, you must choose the attribute used for the value of userPrincipalName carefully.