Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization


View products that this article applies to.

INTRODUCTION

In some scenarios, you may have to transfer the source of authority for a user account when that account was originally authored by using Office 365 management tools. These tools include the Office 365 portal, Microsoft Azure Active Directory Module for Windows PowerShell, and so on. You can transfer the source of authority so that the account can be managed through an on-premises Active Directory Domain Services (AD DS) user account by using directory synchronization.

This article discusses how this transfer of the source of authority is affected by "SMTP matching," a process that uses the primary Simple Mail Transfer Protocol (SMTP) address to match the on-premises user account to the Office 365 user account.

↑ Back to the top


MORE INFORMATION

SMTP matching limitations

The SMTP matching process has the following technical limitations:
 
  • SMTP matching can be run on user accounts that have a Microsoft Exchange Online email address. For mail-enabled groups and contacts, SMTP matching (Soft match) is supported based on proxy addresses. For detailed information, refer to the "Hard-match vs Soft-match" section of the following Microsoft Azure article: 

    Azure AD Connect: When you have an existent tenant

    Note This doesn't mean the user must be licensed for Exchange Online. This means that a mailbox that has a primary email address must exist in Exchange Online for SMTP matching to work correctly.
  • SMTP matching can be used only one time for user accounts that were originally authored by using Office 365 management tools. After that, the Office 365 user account is bound to the on-premises user by an immutable identity value instead of a primary SMTP address.
  • The cloud user’s primary SMTP address can't be updated during the SMTP matching process because the primary SMTP address is the value that is used to link the on-premises user to the cloud user.
  • SMTP addresses are considered unique values. Make sure that no two users have the same SMTP address. Otherwise, the sync will fail and you may receive an error message that resembles the following:
    Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:john@contoso.com;]. Correct or remove the duplicate values in your local directory.

How to use SMTP matching to match an on-premises user to a cloud identity

To use SMTP matching to match an on-premises user to an Office 365 user account for directory synchronization, follow these steps:
  1. Obtain the primary SMTP address of the target Office 365 user account. To do this, follow these steps:
    1. Sign in to the Office 365 portal as a global admin.
    2. Click Admin, and then click Exchange to open the Exchange admin center.
    3. In the Exchange admin center, locate and then double-click the user account that you want.
    4. Click email address, and then note the primary SMTP address of the user account.
  2. Start Active Directory Users and Computers, and then create a user account in the on-premises domain that matches the target Office 365 user account. For more information about how to do this, go to the following Microsoft TechNet website:
  3. Set the primary SMTP address of the new user account to match the primary SMTP address that you noted in step 1D.

    To do this by using Exchange Management tools, go to the following Microsoft websites: If Exchange isn't installed on-premises, you can manage the SMTP address value by using Active Directory Users and Computers:
    1. Right-click the user object, and then click Properties.
    2. On the general tab, update the E-mail field, and then click OK.
  4. Synchronize the object with Office 365. To do this, run a force sync on the server that is running Azure AD Connect by using the following cmdlet:
    Start-ADSyncSyncCycle -PolicyType Delta
    For more information, see Azure AD Connect sync: Scheduler

↑ Back to the top


Still need help? Go to Microsoft Community.

↑ Back to the top


Keywords: o365, vkbportal231, o365a, dirsync, o365e, yespartner, uacrossref, o15, o365062013, mop, o365tstools, o365m, vkbportal339, azuread, exo, vkbportal226, vkbportal250, suptop, kb, o365com

↑ Back to the top

Article Info
Article ID : 2641663
Revision : 14
Created on : 8/20/2020
Published on : 8/21/2020
Exists online : False
Views : 558