There are a few things to keep in mind when we use ADConnect (Azure AD Connect) to synchronize Active Directory user accounts to o365 users, especially when those AD users already exist as users in o365.

The first synchronization

The first time ADConnect runs, it needs to match the AD users to the existing o365 users. By default this is done on the email address and is called "SMTP matching" (a soft match): the primary SMTP address of the user in AD (the SMTP: entry of proxyAddresses) must equal the primary email address of the user in o365. Because a soft match hands the o365 account over to whichever AD account carries the same address, review the resulting pairs before the first synchronization, particularly for o365 accounts that hold admin roles.

If we do not want to rely on SMTP matching alone, we can have ADConnect also match on the userPrincipalName (UPN) by enabling UPN soft matching on the tenant, before the first synchronization, with the following MSOnline PowerShell command (Get-MsolDirSyncFeatures shows the current state). SMTP matching is still tried first; the UPN is used when no SMTP match is found.


Connect-MsolService
Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true
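To see which o365 users the first synchronization would claim, and by which rule, the matching can be dry-run before ADConnect touches anything. The following script is an added example and not part of the original post; it applies the order described above (primary SMTP first, then UPN only when EnableSoftMatchOnUpn is on) to constructed sample users, and falls back to the mail attribute when an AD user has no SMTP: entry in proxyAddresses, which is an assumption of the dry run rather than a documented rule. Real objects can be fed in from Get-ADUser and Get-MsolUser as shown in the comments.

```powershell
# Added example (not from the original post): dry-run the first-sync matching.
# Replace the constructed sample data with live objects, e.g.:
#   $adUsers    = Get-ADUser -Filter * -Properties mail, proxyAddresses, userPrincipalName
#   $cloudUsers = Get-MsolUser -All | Where-Object { -not $_.LastDirSyncTime }

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses, [string]$Mail)
    # The primary address is the entry with the case-sensitive prefix 'SMTP:'.
    $primary = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -gt 0) { return $primary[0].Substring(5).ToLowerInvariant() }
    # Assumption for the dry run: use the mail attribute when there is no SMTP: entry.
    if ($Mail) { return $Mail.ToLowerInvariant() }
    return $null
}

function Find-SoftMatch {
    param(
        [object[]]$AdUsers,      # objects with UserPrincipalName, mail, proxyAddresses
        [object[]]$CloudUsers,   # objects with UserPrincipalName, ProxyAddresses
        [bool]$UpnSoftMatch      # current value of the EnableSoftMatchOnUpn feature
    )
    $bySmtp = @{}
    $byUpn  = @{}
    foreach ($u in $AdUsers) {
        $smtp = Get-PrimarySmtp -ProxyAddresses $u.proxyAddresses -Mail $u.mail
        if ($smtp) { $bySmtp[$smtp] = $u }
        $byUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u
    }
    foreach ($c in $CloudUsers) {
        $cloudSmtp = Get-PrimarySmtp -ProxyAddresses $c.ProxyAddresses -Mail $null
        $cloudUpn  = $c.UserPrincipalName.ToLowerInvariant()
        $hit = $null
        $how = 'NONE (sync creates a new object; possible duplicate)'
        if ($cloudSmtp -and $bySmtp.ContainsKey($cloudSmtp)) {
            $hit = $bySmtp[$cloudSmtp]; $how = 'SMTP'
        } elseif ($UpnSoftMatch -and $byUpn.ContainsKey($cloudUpn)) {
            $hit = $byUpn[$cloudUpn]; $how = 'UPN'
        }
        $adName = if ($hit) { $hit.UserPrincipalName } else { '-' }
        [pscustomobject]@{ CloudUser = $c.UserPrincipalName; MatchedBy = $how; AdUser = $adName }
    }
}

# Constructed sample data (contoso.com is a placeholder domain).
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; mail = 'alice@contoso.com'; proxyAddresses = @('SMTP:alice@contoso.com', 'smtp:a.smith@contoso.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   mail = 'bob@contoso.com';   proxyAddresses = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; mail = 'carol.jones@contoso.com'; proxyAddresses = @('SMTP:carol.jones@contoso.com') }
)
$cloudUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ProxyAddresses = @('SMTP:alice@contoso.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   ProxyAddresses = @('SMTP:bob@contoso.com') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; ProxyAddresses = @('SMTP:carol@contoso.com') }  # address differs, UPN equal
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com';  ProxyAddresses = @('SMTP:dave@contoso.com') }   # no AD counterpart
)

'--- EnableSoftMatchOnUpn off: carol and dave stay unmatched'
Find-SoftMatch -AdUsers $adUsers -CloudUsers $cloudUsers -UpnSoftMatch $false | Format-Table -AutoSize
'--- EnableSoftMatchOnUpn on: carol is claimed through her UPN'
Find-SoftMatch -AdUsers $adUsers -CloudUsers $cloudUsers -UpnSoftMatch $true  | Format-Table -AutoSize
```

Any row that reports NONE is a user that the first run would create a second time instead of linking, and any row where the AdUser is not the person you expect is an account takeover waiting to happen; fix the addresses or UPNs in AD before running the synchronization.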

Next synchronizations

Once the first synchronization is done, subsequent synchronizations no longer look at addresses: they match on the source anchor, that is the user's objectGUID in AD against the user's ImmutableId in o365 (a hard match). After the first synchronization the AD objectGUID, base64-encoded, is written to the user's ImmutableId in o365. Newer ADConnect installations use ms-DS-ConsistencyGuid as the source anchor, but it is populated with the objectGUID value, so the ImmutableId is the same.
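The relationship between objectGUID and ImmutableId is mechanical, so it can be checked, or established by hand before the first sync, from PowerShell. The following functions are an added example rather than code from the original post; the live part assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and sample account names that are placeholders.

```powershell
# Added example (not from the original post): convert between an AD objectGUID
# and the ImmutableId that ADConnect writes to the o365 user, and verify a hard match.
# The ImmutableId is the base64 encoding of the objectGUID's 16 bytes.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# Offline check with a constructed GUID: the conversion must round-trip.
$sample = [guid]'12345678-90ab-cdef-1234-567890abcdef'
$id = ConvertTo-ImmutableId $sample
"objectGUID $sample -> ImmutableId $id"
if ((ConvertFrom-ImmutableId $id) -ne $sample) { throw 'round-trip failed' }

# Live check (assumed sample names; needs ActiveDirectory + MSOnline and Connect-MsolService).
function Test-HardMatch {
    param([string]$SamAccountName, [string]$UserPrincipalName)
    $ad    = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = ConvertTo-ImmutableId $ad.ObjectGUID
    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        ExpectedImmutableId = $expected
        ActualImmutableId   = $cloud.ImmutableId
        HardMatched         = ($cloud.ImmutableId -eq $expected)
    }
}
# Test-HardMatch -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com'

# To pin a cloud-only user to a specific AD account before the first sync
# (bypassing SMTP/UPN soft matching), set the ImmutableId yourself:
# Set-MsolUser -UserPrincipalName 'jdoe@contoso.com' -ImmutableId (ConvertTo-ImmutableId (Get-ADUser jdoe).ObjectGUID)
```

Setting the ImmutableId by hand is the reliable way to control which AD account claims a sensitive o365 account, because the hard match is evaluated before any address- or UPN-based soft match.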

Email Address

Keep in mind that changing only the mail attribute of the AD user is not a reliable way to change the primary email address of the o365 user: the addresses that land in o365 are the ones carried in proxyAddresses, so a change made only to the mail attribute is not transferred by ADConnect as a new primary address.

If the o365 user has more than one email address, we write these addresses in the proxyAddresses attribute of the AD user, for example with ADSIEdit. The format is SMTP: for the primary address of the o365 user and smtp: for the rest: SMTP with capital letters for the primary address and smtp with small letters for the other addresses. The prefix is case-sensitive, and there must be exactly one SMTP: entry.
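Editing a multi-valued attribute in ADSIEdit is error-prone (two SMTP: entries, or a primary typed as smtp:), so it is worth building and validating the list in PowerShell and writing it with Set-ADUser. This is an added example, not code from the original post; the account name and addresses are placeholders and the Set-ADUser call assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post): build and validate a proxyAddresses
# list with one upper-case SMTP: primary and lower-case smtp: aliases, then apply it.

function New-ProxyAddressList {
    param([Parameter(Mandatory)][string]$Primary, [string[]]$Aliases = @())
    $primaryLower = $Primary.ToLowerInvariant()
    $list = @("SMTP:$primaryLower")
    foreach ($a in $Aliases) {
        $a = $a.ToLowerInvariant()
        if ($a -eq $primaryLower) { continue }   # never list the primary twice
        $list += "smtp:$a"
    }
    return $list
}

function Test-ProxyAddressList {
    # True when there is exactly one case-sensitive 'SMTP:' entry and no address repeats.
    param([string[]]$ProxyAddresses)
    $primaries = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    $addrs  = @($ProxyAddresses | ForEach-Object { ($_ -split ':', 2)[1].ToLowerInvariant() })
    $unique = @($addrs | Sort-Object -Unique)
    return ($primaries.Count -eq 1) -and ($unique.Count -eq $addrs.Count)
}

# Constructed sample: primary plus two aliases, including the tenant's onmicrosoft.com address.
$addresses = New-ProxyAddressList -Primary 'jdoe@contoso.com' `
    -Aliases 'john.doe@contoso.com', 'jdoe@contoso.onmicrosoft.com'
if (-not (Test-ProxyAddressList $addresses)) { throw 'invalid proxyAddresses list' }
$addresses

# A list that would break the sync: two primaries (ADSIEdit lets you save this).
$broken = @('SMTP:jdoe@contoso.com', 'SMTP:john.doe@contoso.com')
"broken list passes validation: $(Test-ProxyAddressList $broken)"   # False

# Apply to the (assumed) account, replacing the whole attribute, and keep mail in step with the primary.
# Set-ADUser -Identity 'jdoe' -Replace @{ proxyAddresses = $addresses; mail = 'jdoe@contoso.com' }
```

Use -Replace rather than -Add when you intend the list to be authoritative; -Add appends to whatever is already there and is how a second SMTP: entry usually sneaks in.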

Users already exist in o365 prior to first synchronization

Another issue we need to take care of is the following scenario: the client already uses o365, and some users read their mail in desktop email clients, such as Outlook or Thunderbird, in addition to the web client.

In this case, to read their mail in the desktop client, those users have stored their o365 password in the client's account settings.

However, when ADConnect synchronizes with password hash synchronization enabled, the AD password replaces the o365 password whenever the two differ. As a result the user's desktop email client stops working, because the password it has stored is no longer valid.

So, when we synchronize a new AD with a pre-existing o365, we inform users of this password change in advance, and we take our measures (for instance making sure every user knows the AD password they will have to enter in their desktop client) before any synchronization runs.