The first synchronization
The first time ADConnect runs a synchronization it needs to match the AD users to the existing o365 users. By default, that first match is done on the email address and is called "SMTP matching" (a form of soft matching): the mail attribute of the user in AD must equal the primary SMTP address of the user in o365.
If, for some reason, we DO NOT want this type of matching, then we can enable matching on the UPN instead (the userPrincipalName of the AD user must then equal the UserPrincipalName of the o365 user). This is done with the following o365 PowerShell script.
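The following is an added example of enabling UPN matching with the MSOnline module, not the script from the original post. It assumes a Global Administrator account for Connect-MsolService. Note that EnableSoftMatchOnUpn adds UPN matching alongside SMTP matching rather than replacing it; the separate BlockSoftMatch feature turns soft matching off entirely.

```powershell
# Added example (not the original post's script): turn on UPN soft matching for the
# tenant before the first ADConnect synchronization cycle runs.
# Assumes the MSOnline module is installed and the account used is a Global Administrator.
Connect-MsolService

# Show the current directory sync feature flags (EnableSoftMatchOnUpn, BlockSoftMatch, ...)
Get-MsolDirSyncFeatures

# Enable matching on userPrincipalName. SMTP matching stays active as well;
# to forbid any soft matching, enable the BlockSoftMatch feature instead.
Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true

# Verify the flag took effect before the first sync cycle
$feature = Get-MsolDirSyncFeatures -Feature EnableSoftMatchOnUpn
if (-not $feature.Enabled) { throw "EnableSoftMatchOnUpn is still disabled" }
"UPN soft match enabled: $($feature.Enabled)"
```

Run this before the first synchronization; once a user has been matched and has an ImmutableId, the matching mode no longer matters for that user.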
Once the first synchronization is done, subsequent synchronizations match on the user's objectGUID in AD and the user's ImmutableId in o365 (this is called hard matching). That is, during the first synchronization the user's AD objectGUID, base64-encoded, is written to the user's ImmutableId in o365, and from then on the email address plays no role in matching.
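The following is an added example (not from the original post) that derives the ImmutableId ADConnect would write for an AD user and sets it on a pre-existing, not yet synchronized o365 user, so that the first synchronization hard-matches the two accounts regardless of email address. The account name 'jdoe' and the UPN 'jdoe@example.com' are assumed names.

```powershell
# Added example (not from the original post): compute the expected ImmutableId from
# the AD objectGUID and hard-match a pre-existing cloud user to it.
# Assumed names: AD account 'jdoe', cloud UPN 'jdoe@example.com'.
Import-Module ActiveDirectory
Connect-MsolService

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # ImmutableId is the base64 encoding of the 16 raw bytes of objectGUID,
    # not of its string form.
    $guid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    [System.Convert]::ToBase64String($guid.ToByteArray())
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUserPrincipalName
    )
    $id    = Get-ExpectedImmutableId -SamAccountName $SamAccountName
    $cloud = Get-MsolUser -UserPrincipalName $CloudUserPrincipalName
    if ($cloud.ImmutableId -and $cloud.ImmutableId -ne $id) {
        # A different ImmutableId means this cloud user is already anchored to another
        # AD object; overwriting it silently would re-point the account. Stop instead.
        throw "$CloudUserPrincipalName already has ImmutableId $($cloud.ImmutableId)"
    }
    Set-MsolUser -UserPrincipalName $CloudUserPrincipalName -ImmutableId $id
    $id
}

# Usage: compare what AD would write with what o365 currently holds
$expected = Get-ExpectedImmutableId -SamAccountName 'jdoe'
$current  = (Get-MsolUser -UserPrincipalName 'jdoe@example.com').ImmutableId
"AD objectGUID as ImmutableId: $expected"
"Current ImmutableId in o365:  $current"
if ($current -ne $expected) {
    Set-HardMatch -SamAccountName 'jdoe' -CloudUserPrincipalName 'jdoe@example.com'
}
```

Set-MsolUser can only change the ImmutableId of a cloud-only user; once the user has been synchronized the value is owned by ADConnect. Newer ADConnect versions use ms-DS-ConsistencyGuid as the source anchor, but that attribute is seeded from objectGUID, so the computed value is the same.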
Keep in mind that the primary email address of the o365 user is not updated during synchronization. That is, if we later change the user's email address in AD, ADConnect does not carry that change over to o365.
If the o365 user has more than one email address, then we need to write these addresses in the proxyAddresses attribute of the AD user, for example with ADSI Edit. The format is
SMTP:email@example.com for the primary address of the o365 user and
smtp:firstname.lastname@example.org for the rest. SMTP in capital letters marks the primary address and smtp in small letters marks the rest of the addresses; exactly one entry must carry the capital SMTP: prefix, and there is no space after the colon.
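The following is an added example (not from the original post) that writes proxyAddresses from PowerShell instead of ADSI Edit and validates the prefixes before ADConnect picks the attribute up. The account 'jdoe' and the example.com / example.org addresses are assumed names.

```powershell
# Added example (not from the original post): populate proxyAddresses for an AD user
# and check that exactly one uppercase SMTP: entry exists.
# Assumed names: AD account 'jdoe', addresses under example.com / example.org.
Import-Module ActiveDirectory

function Test-ProxyAddresses {
    param([Parameter(Mandatory)][string[]]$Addresses)
    # Exactly one entry may carry the uppercase 'SMTP:' prefix (the primary address);
    # every other address must use lowercase 'smtp:'. The comparison is case-sensitive
    # on purpose, because that is how Exchange Online reads the attribute.
    $primary = @($Addresses | Where-Object { $_ -cmatch '^SMTP:' })
    $other   = @($Addresses | Where-Object { $_ -cnotmatch '^(SMTP|smtp):[^\s@]+@[^\s@]+$' })
    if ($primary.Count -ne 1) { throw "expected exactly one SMTP: entry, found $($primary.Count)" }
    if ($other.Count -gt 0)   { throw "malformed entries: $($other -join ', ')" }
    return $true
}

function Set-UserProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Primary,
        [string[]]$Aliases = @()
    )
    $values = @("SMTP:$Primary") + @($Aliases | ForEach-Object { "smtp:$_" })
    Test-ProxyAddresses -Addresses $values | Out-Null
    # -Replace overwrites the whole multi-valued attribute so no stale or duplicate
    # entries survive; the mail attribute is kept in step with the primary address.
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = $values; mail = $Primary }
    (Get-ADUser -Identity $SamAccountName -Properties proxyAddresses).proxyAddresses
}

# Usage
Set-UserProxyAddresses -SamAccountName 'jdoe' -Primary 'email@example.com' -Aliases 'firstname.lastname@example.org'
```

A second uppercase SMTP: entry, or a lowercase one on the address that should be primary, is the usual cause of a mailbox ending up with the wrong primary address after sync, which is why the check runs before the write.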
Users already exist in o365 prior to first synchronization
Another issue that we need to take care of is the following scenario: the client already uses o365, and there are users who use desktop email clients, like Outlook or Thunderbird, in addition to the web email client.
In this case, to see their emails in the desktop email client, they have entered their o365 password in the settings of that desktop email client.
However, the next time the ADConnect sync runs with password hash synchronization enabled, the AD password (as a hash) is transferred to o365 and replaces the cloud password. If the two passwords differ, the user's desktop email client stops working, because the password it has stored is no longer valid.
So, when we synchronize a new AD with a pre-existing o365 tenant, we inform users about this password issue, and we take our measures before any synchronization runs.
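The following is an added example (not from the original post) of one such measure: before the first sync, list the existing cloud-only o365 users that SMTP matching will bind to an AD account, since those are the users whose saved desktop-client passwords will stop working. It assumes the ActiveDirectory and MSOnline modules and a completed Connect-MsolService; the output file name is an assumption.

```powershell
# Added example (not from the original post): report the cloud-only o365 users that the
# first synchronization will soft-match to an AD account by primary SMTP address.
# Assumes the ActiveDirectory and MSOnline modules; 'users-to-warn.csv' is an assumed name.
Import-Module ActiveDirectory
Connect-MsolService

function Get-UsersToWarn {
    # Index AD users by lowercase mail address, the value SMTP matching compares
    # against the o365 primary SMTP address.
    $adByMail = @{}
    Get-ADUser -Filter 'mail -like "*"' -Properties mail | ForEach-Object {
        $adByMail[$_.mail.ToLowerInvariant()] = $_.SamAccountName
    }
    # Cloud-only users: never synchronized (no LastDirSyncTime) and no ImmutableId.
    Get-MsolUser -All |
        Where-Object { -not $_.LastDirSyncTime -and -not $_.ImmutableId } |
        ForEach-Object {
            $u = $_
            # The primary SMTP address is the single uppercase 'SMTP:' entry;
            # fall back to the UPN when the cloud user has no proxyAddresses.
            $primary = (@($u.ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })[0]) -replace '^SMTP:', ''
            if (-not $primary) { $primary = $u.UserPrincipalName }
            $key = $primary.ToLowerInvariant()
            if ($adByMail.ContainsKey($key)) {
                [pscustomobject]@{
                    CloudUPN    = $u.UserPrincipalName
                    PrimarySmtp = $primary
                    ADAccount   = $adByMail[$key]
                }
            }
        }
}

# Usage: export the list so these users can be told to update the saved password in
# their desktop clients before the first sync cycle runs.
Get-UsersToWarn | Export-Csv -Path .\users-to-warn.csv -NoTypeInformation
```

Users that appear in this list keep working in the web client (they simply sign in with the AD password afterwards); the notification is about the password stored in Outlook or Thunderbird, which has to be replaced by hand.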