diff --git a/docs/identity/hybrid/connect/how-to-connect-health-diagnose-sync-errors.md b/docs/identity/hybrid/connect/how-to-connect-health-diagnose-sync-errors.md index d8364b52f57..9710ab1e780 100644 --- a/docs/identity/hybrid/connect/how-to-connect-health-diagnose-sync-errors.md +++ b/docs/identity/hybrid/connect/how-to-connect-health-diagnose-sync-errors.md 
@@ -32,11 +32,11 @@ For example, this image indicates that two users have a conflict of their **User ![Diagnose sync error common scenario](./media/how-to-connect-health-diagnose-sync-errors/IIdFixCommonCase.png) ### Orphaned object scenario -Occasionally, you might find that an existing user loses the **Source Anchor**. The deletion of the source object happened in on-premises Active Directory. But the change of deletion signal never got synchronized to Microsoft Entra ID. This loss happens for reasons like sync engine issues or domain migration. When the same object gets restored or recreated, logically, an existing user should be the user to sync from the **Source Anchor**. +Occasionally, you might find that an existing user loses the **Source Anchor**. This loss happens for reasons like sync engine issues or domain migration. When the same object gets restored or recreated, logically, an existing user should be the user to sync from the **Source Anchor**. Occasionally, a 2nd Entra entity for this user may be created by mistake. Resolving this centers around re-linking the proper Entra account. -When an existing user is a cloud-only object, you can also see the conflicting user synchronized to Microsoft Entra ID. The user can't be matched in sync to the existing object. There's no direct way to remap the **Source Anchor**. See more about the [existing knowledge base](https://support.microsoft.com/help/2647098). +When an existing user is a cloud-only object and an Active Directory account exists separately, you may also see conflicts syncing. Two independent accounts can be forced to sync via calculation of the Source Anchor and updating the Entra account via MSOL/graph - however this process is complicated and the user logon name, domain suffix, smtp address must match. The user's onmicrosoft alias must be added to the AD's ProxyAddresses as smtp:user@domain.onmicrosoft.com (lowercase). 
The Source Anchor can be calculated with the account GUID in PowerShell with `[Convert]::ToBase64String([guid]::New("paste GUID here").ToByteArray())` and set to Entra with `Set-MSOLUser -userprincipalname “365 account username” -immutableid “source anchor output”`. See more about the [existing knowledge base](https://support.microsoft.com/help/2647098). -As an example, the existing object in Microsoft Entra ID preserves the license of Joe. A newly synchronized object with a different **Source Anchor** occurs in a duplicated attribute state in Microsoft Entra ID. Changes for Joe in on-premises Active Directory won't be applied to Joe’s original user (existing object) in Microsoft Entra ID. +As an example, the existing object in Microsoft Entra ID preserves the license of Joe. A newly synchronized object with a different **Source Anchor** occurs in a duplicated attribute state in Microsoft Entra ID. Changes for Joe in on-premises Active Directory won't be applied to Joe’s original user (existing object) in Microsoft Entra ID unless these are forced to anchor. ![Diagnose sync error orphaned object scenario](./media/how-to-connect-health-diagnose-sync-errors/IIdFixOrphanedCase.png)
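Review bot: The PowerShell sample added in this hunk uses `Set-MSOLUser -userprincipalname “365 account username” -immutableid “source anchor output”`, which has three problems for readers who copy it: the MSOnline module behind it is deprecated, so the "MSOL/graph" mention should resolve to one supported path such as `Update-MgUser -UserId <upn> -OnPremisesImmutableId <source anchor output>` from Microsoft Graph PowerShell; the cmdlet and parameters should carry their documented casing (`Set-MsolUser -UserPrincipalName ... -ImmutableId ...`) if the MSOnline form is kept for historical reasons; and the curly quotes should be straight quotes. The same paragraph also mixes two matching mechanisms: it first says the user logon name, domain suffix and smtp address must match (attribute-based soft match) and then says setting the immutable ID forces the link (hard match), so it should state which one it is describing and which prerequisites belong to each. The `[guid]::New("paste GUID here")` step assumes objectGUID is the Source Anchor, which only holds when the Connect installation is configured that way (ms-DS-ConsistencyGuid is used on many installations); say that the GUID must come from whichever attribute the installation uses as its source anchor. Because writing the immutable ID binds the on-premises account's sign-in to that cloud object, the text should tell the reader to verify the target cloud object is the intended user and not the duplicate before setting it. Minor style: "a 2nd Entra entity" should read "a second Microsoft Entra ID object" to match the rest of the page, and the clause after "MSOL/graph - however" should be its own sentence.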