Hello Mark Lane,
Welcome to Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I will try to clarify your doubts and give you some workarounds. This issue occurs when the soft match or hard match between Entra ID and Active Directory fails:
Soft Match links users by comparing UserPrincipalName or ProxyAddresses.
Hard Match links users by comparing ImmutableId (mS-DS-ConsistencyGuid in AD).
If the existing Entra user already has an ImmutableId value (set previously), the sync would reject the match and create a duplicate .onmicrosoft.com account with DirSyncEnabled = True, while the intended user stays cloud-only (DirSyncEnabled = False).
I recommend checking the following points:
What are the UserPrincipalName and primary SMTP address values for both users?
Does the cloud (primary) user show DirSyncEnabled = False in the Entra admin center?
Does the .onmicrosoft.com user exist in the synced OU in Active Directory?
Which attribute is configured as the sourceAnchor in Entra Connect (check via PowerShell)?
Are there duplicate proxyAddresses or userPrincipalName values between these two accounts?
All of these help determine whether you can perform a soft match (via UPN/email match) or need a manual hard match (via ImmutableId alignment).
Until then, I propose both of the workarounds below for you to try:
Soft Match: In Active Directory Users and Computers, ensure the userPrincipalName and ProxyAddresses match exactly the cloud user's attributes.
Delete the .onmicrosoft.com duplicate user from Entra ID.
Force a delta sync on the Entra Connect server, for example:
Start-ADSyncSyncCycle -PolicyType Delta
The connector will now soft match the on-prem user with the existing cloud account.
All the steps and more background: https://free.blessedness.top/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features
Hard Match (Manual Alignment):
Get the ImmutableId of the desired Entra cloud user:
# Graph exposes the anchor as OnPremisesImmutableId, and only returns it when explicitly selected
Get-MgUser -UserId ******@domain.com -Property OnPremisesImmutableId | Select-Object OnPremisesImmutableId
Convert the on-prem AD user’s ObjectGUID to Base64 and set it as the ImmutableId in Entra:
# Get-ADUser's -Identity does not accept a UPN, so look the user up with -Filter
$guid = (Get-ADUser -Filter "UserPrincipalName -eq 'user@domain.local'").ObjectGUID
# Entra Connect stores the sourceAnchor as the Base64 form of the 16 GUID bytes
$immutable = [System.Convert]::ToBase64String($guid.ToByteArray())
# Stamp it on the intended cloud-only user (Update-MgUser matches the Get-MgUser call above; Set-MsolUser from the retired MSOnline module would also work)
Update-MgUser -UserId "******@domain.com" -OnPremisesImmutableId $immutable
Run a delta sync again and verify that On-premises sync enabled now appears on the correct primary account.
Once matched successfully, delete the orphaned .onmicrosoft.com account permanently.
NOTE: Deleting the duplicate user should only happen after confirming no licenses or data are tied to it.
Reference: https://free.blessedness.top/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors
https://free.blessedness.top/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features
Hope this helps! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well. If you need more info, feel free to ask in the comments. Happy to help!
Regards,
Monalisha
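As an added worked example (my own code, not part of Monalisha's answer above and not from Microsoft's documentation), the following PowerShell script ties the checks and both workarounds together: it derives the sourceAnchor from the AD object the way Entra Connect does, reads both cloud objects through Microsoft Graph, reports whether a soft match is even possible (shared SMTP proxy addresses), refuses to touch a user that is already synced, warns about a stale ImmutableId and about licenses on the duplicate, and only with -Apply removes the duplicate and stamps the anchor on the intended user. It goes slightly beyond the answer in that it prefers mS-DS-ConsistencyGuid when that attribute is populated and falls back to objectGUID otherwise. The UPNs, domain names and the -Apply switch are assumptions for illustration; the ActiveDirectory (RSAT), Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are assumed to be installed.

```powershell
<#
  Added example, not part of the answer above. Placeholder UPNs; replace before use.
  Without -Apply the script only reports what it would do.
#>
param(
    [string]$OnPremUpn    = 'jane.doe@corp.local',               # assumed on-prem UPN
    [string]$CloudUpn     = 'jane.doe@contoso.com',              # assumed intended (cloud-only) user
    [string]$DuplicateUpn = 'jane.doe@contoso.onmicrosoft.com',  # assumed duplicate created by sync
    [switch]$Apply
)

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

# 1. Derive the sourceAnchor as Entra Connect does: Base64 of the 16 GUID bytes.
#    Prefer mS-DS-ConsistencyGuid when populated, otherwise use objectGUID.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$OnPremUpn'" -Properties 'mS-DS-ConsistencyGuid', proxyAddresses
if (-not $adUser) { throw "No AD user with UPN $OnPremUpn" }
if ($adUser.'mS-DS-ConsistencyGuid') { $anchorBytes = [byte[]]$adUser.'mS-DS-ConsistencyGuid' }
else                                 { $anchorBytes = $adUser.ObjectGUID.ToByteArray() }
$expectedImmutableId = [Convert]::ToBase64String($anchorBytes)
Write-Host "Expected ImmutableId for $OnPremUpn : $expectedImmutableId"

# 2. Read both cloud objects; Graph omits these properties unless they are selected.
$props = 'Id', 'UserPrincipalName', 'OnPremisesImmutableId', 'OnPremisesSyncEnabled', 'ProxyAddresses', 'AssignedLicenses'
$cloud = Get-MgUser -UserId $CloudUpn -Property $props
$dup   = Get-MgUser -UserId $DuplicateUpn -Property $props -ErrorAction SilentlyContinue

# 3. Pre-flight checks before changing anything.
if ($cloud.OnPremisesSyncEnabled) {
    throw "$CloudUpn is already a synced object; its ImmutableId cannot be changed from the cloud side."
}
if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $expectedImmutableId) {
    Write-Warning "$CloudUpn already carries ImmutableId '$($cloud.OnPremisesImmutableId)' (stale value); the hard match will overwrite it."
}
# Soft-match viability: do the AD and cloud objects share any SMTP proxy address?
$adSmtp    = @($adUser.proxyAddresses | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.ToLower() })
$cloudSmtp = @($cloud.ProxyAddresses  | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.ToLower() })
$overlap   = @($adSmtp | Where-Object { $cloudSmtp -contains $_ })
$overlapText = if ($overlap.Count) { $overlap -join ', ' } else { 'none (soft match will not work; hard match required)' }
Write-Host "Shared SMTP addresses: $overlapText"

if ($dup) {
    if ($dup.OnPremisesImmutableId -eq $expectedImmutableId) {
        Write-Host "$DuplicateUpn holds the anchor $expectedImmutableId, so it is the object the connector joined to."
    } else {
        Write-Warning "$DuplicateUpn carries a different anchor; confirm it really is the duplicate before deleting it."
    }
    if ($dup.AssignedLicenses.Count -gt 0) {
        Write-Warning "$DuplicateUpn still has $($dup.AssignedLicenses.Count) license(s); remove them (and any mailbox data) first."
    }
}

if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply to make changes.'; return }

# 4. Apply: remove the duplicate and purge it from the recycle bin so the anchor is no longer
#    held by a soft-deleted object, then stamp the anchor on the intended user.
if ($dup -and $dup.AssignedLicenses.Count -eq 0 -and $dup.OnPremisesImmutableId -eq $expectedImmutableId) {
    Remove-MgUser -UserId $dup.Id
    Start-Sleep -Seconds 15   # allow directory replication before the permanent delete
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $dup.Id
}
Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expectedImmutableId

# 5. On the Entra Connect server, run a delta cycle and then verify that OnPremisesSyncEnabled
#    is now true on the intended user:
#    Start-ADSyncSyncCycle -PolicyType Delta
#    Get-MgUser -UserId $CloudUpn -Property OnPremisesSyncEnabled, OnPremisesImmutableId
```

The duplicate is removed before the anchor is stamped because, as long as the connector still has the .onmicrosoft.com object joined to the AD user, the next sync cycle keeps that join; only once that object is gone does the engine look for another cloud object with the same sourceAnchor and hard match to the intended account.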