{"id":3204,"date":"2026-04-08T12:33:08","date_gmt":"2026-04-08T12:33:08","guid":{"rendered":"https:\/\/modern-workplace.uk\/?p=3204"},"modified":"2026-04-08T12:33:10","modified_gmt":"2026-04-08T12:33:10","slug":"microsoft-entra-connect-the-june-and-july-changes-no-migration-plan-should-ignore-hard-match-hardening","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=3204","title":{"rendered":"Microsoft Entra Connect: The June and July Changes No Migration Plan Should Ignore. Hard Match Hardening."},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p class=\"has-medium-font-size\">With hybrid identity environments still representing the majority of Microsoft 365 deployments, the trust relationship between on-premises Active Directory and Entra ID is a critical security boundary. Microsoft is now enforcing changes around a technique called <strong>hard matching <\/strong>in Entra Connect. Enforcement comes in two phases, in June and July 2026, and the second deadline is the one most likely to cause operational problems for teams that haven&#8217;t prepared for it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Background: Hard Matching and How It Gets Abused<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">Hard matching is designed for one specific scenario: a user already exists in Entra ID as a cloud-only account, and you want to bring that user under the control of on-premises Active Directory sync.<br>The classic case is a company that started in the cloud. An admin created users directly in Entra ID, assigned licences and roles, and everyone has been working in Microsoft 365 for months. The company then introduces Active Directory, and wants those existing cloud users to become synced hybrid identities rather than cloud-only accounts.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">Without hard matching, Entra Connect would have no way to link the two. 
It would see an AD object on the left and a cloud object on the right with nothing connecting them, and would simply create a duplicate account.<br>Hard matching solves this by using a shared attribute as a bridge. An admin stamps the AD user object with a sourceAnchor value that exactly matches the onPremisesImmutableId already set on the cloud user. When Entra Connect runs its next sync cycle, it finds the match and links the two objects instead of creating a new one. From that point, Active Directory becomes the Source of Authority. The cloud account keeps its existing roles and history, but AD is now in charge.<br><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The abuse case (SyncJacking) follows the same mechanism. If an attacker controls an on-premises AD object and can write to its sourceAnchor attribute, they can set it to match the onPremisesImmutableId of any cloud-managed Entra ID user, including a Global Administrator. The next sync cycle performs a legitimate hard match, AD takes over Source of Authority of that privileged account, and the attacker controls it through AD without ever touching Entra ID directly. 
Semperis named this technique SyncJacking, disclosed it in 2022, and MSRC formally confirmed it as an Important privilege escalation vulnerability in May 2025.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836-1024x683.png\" alt=\"\" class=\"wp-image-3205\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836-1024x683.png 1024w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836-300x200.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836-768x512.png 768w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_130836.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>What Microsoft Is Actually Changing<\/strong><br>There are two separate enforcement phases.<br>Phase 1: June 1, 2026<br>Entra ID will block any attempt by Entra Connect Sync or Cloud Sync to hard-match an incoming AD object to an existing cloud-managed user who holds any Entra ID role. If the target cloud account has onPremisesImmutableId already set and carries a role assignment, the sync operation will be blocked.<br>Phase 2: July 1, 2026<br>The broader change: Entra Connect will no longer be able to modify the OnPremisesObjectIdentifier attribute after it has already been set on a synced user object. This prevents re-mapping an already-synced user to a different on-premises identity. 
This enforcement is service-side, meaning it applies regardless of the Entra Connect version in your environment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1-1024x683.png\" alt=\"\" class=\"wp-image-3207\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1-1024x683.png 1024w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1-300x200.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1-768x512.png 768w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/04\/Copilot_20260408_133151-1.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p class=\"has-medium-font-size\">Both phases return the same error when blocked:<br><em>Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping.<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>An Issue Often Not Addressed<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The July enforcement has broader implications for anyone running AD forest migrations, tenant-to-tenant migrations, or any workflow involving re-anchoring a synced identity.<br>There are important details to note:<\/p>\n\n\n\n<p class=\"has-medium-font-size\">The July enforcement applies to all synced identities where a remap of OnPremisesObjectIdentifier is attempted, not only privileged users<br>It prevents setting OnPremisesObjectIdentifier to any value other than null, including what would previously have been a legitimate re-anchor operation. 
Soft match behaviour is not affected.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">Hard match takeover remains supported where the target cloud object has not already been mapped to a synced identity (where OnPremisesObjectIdentifier is currently empty). If you have a migration project in flight or planned for later this year, this timeline needs to be in your delivery schedule.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>What You Need to Do Before June 1<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>1. Upgrade Entra Connect to a supported version<\/em><\/p>\n\n\n\n<p class=\"has-medium-font-size\">Microsoft requires version 2.5.79.0 or later. This version is expected to become mandatory for continued sync operation by September 30, 2026. Verify the specific deadline against your Message Center notifications (MC1262584 and MC1263280), as Microsoft staggers enforcement by tenant.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">The installer is available exclusively from the Entra admin center under Microsoft Entra Connect, not from the Download Centre.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>2. Enable the hard match takeover block<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'\nSet-EntraDirSyncFeature -Feature BlockCloudObjectTakeoverThroughHardMatch -Enabled $true<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">Verify with:<\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>Get-EntraDirSyncFeature<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">Confirm <code>BlockCloudObjectTakeoverThroughHardMatch<\/code> shows <code>True<\/code> in the <code>Enabled<\/code> column.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>3. 
Audit privileged cloud-managed accounts<\/em><\/p>\n\n\n\n<p class=\"has-medium-font-size\">Identify cloud-managed accounts that hold Entra ID roles and have <code>onPremisesImmutableId<\/code> populated. Query Microsoft Graph:<\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>GET https:\/\/graph.microsoft.com\/v1.0\/users?$filter=onPremisesImmutableId ne null&amp;$select=displayName,userPrincipalName,onPremisesImmutableId<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">Cross-reference against role assignments:<\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>GET https:\/\/graph.microsoft.com\/v1.0\/roleManagement\/directory\/roleAssignments?$expand=principal<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">Any account appearing in both results needs review before June 1.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>What You Need to Do Before July 1<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>4. Review audit logs for recent OnPremisesObjectIdentifier changes<\/em><\/p>\n\n\n\n<p class=\"has-medium-font-size\">In the Entra admin centre, go to Monitoring \u2192 Audit logs and filter by Category: UserManagement and Activity: Update user. Look for modifications to <code>OnPremisesObjectIdentifier<\/code> or <code>DirSyncEnabled<\/code>. If you are routing logs to Sentinel:<\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>AuditLogs\n| where OperationName == \"Update user\"\n| where TargetResources&#91;0].modifiedProperties contains \"OnPremisesObjectIdentifier\"\n    or TargetResources&#91;0].modifiedProperties contains \"DirSyncEnabled\"\n| project TimeGenerated, InitiatedBy, TargetResources<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">Unexpected modifications here should be treated as an indicator of compromise until proven otherwise.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>5. 
Update migration runbooks<\/em><\/p>\n\n\n\n<p class=\"has-medium-font-size\">Any workflow that assumes the ability to remap <code>OnPremisesObjectIdentifier<\/code> will fail after July 1. The supported recovery path is below.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Legitimate Recovery: The Graph API Path<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">To re-anchor a user after enforcement, clear <code>OnPremisesObjectIdentifier<\/code> first, which makes the account eligible for a fresh hard match:<\/p>\n\n\n\n<pre class=\"wp-block-code has-medium-font-size\"><code>PATCH https:\/\/graph.microsoft.com\/beta\/users\/&lt;UserId&gt;\nContent-Type: application\/json\n\n{\n  \"onPremisesObjectIdentifier\": null\n}<\/code><\/pre>\n\n\n\n<p class=\"has-medium-font-size\">There are several caveats to this approach:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-medium-font-size\">The caller must hold the Global Administrator or Hybrid Identity Administrator role<\/li>\n\n\n\n<li class=\"has-medium-font-size\">The required Graph permission is <code>User.ReadWrite.All<\/code><\/li>\n\n\n\n<li class=\"has-medium-font-size\">The API only permits setting the value to null<\/li>\n\n\n\n<li class=\"has-medium-font-size\">For accounts with role assignments, all Entra ID roles must be temporarily removed before the hard match operation, then reassigned after sync completes<\/li>\n<\/ul>\n\n\n\n<p class=\"has-medium-font-size\">Build the role removal and reassignment into your migration runbooks now. Discovering this requirement mid-cutover is not a pleasant experience.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Conclusion<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The privileged account block on June 1 is the immediate priority. 
The July 1 remapping restriction is the one more likely to cause unexpected failures in migration projects, precisely because it affects a wider scope of objects and has received far less attention.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">The checklist: upgrade Connect, enable <code>BlockCloudObjectTakeoverThroughHardMatch<\/code>, audit privileged accounts with populated <code>onPremisesImmutableId<\/code>, review audit logs, and update migration runbooks to account for the Graph API recovery flow.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">This is something to keep in mind particularly if you are mid-way through an AD consolidation or tenant migration project: the window to complete hard match operations without hitting enforcement is shorter than it might appear.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft is enforcing two rounds of Entra Connect security hardening in June and July 2026. If you have an AD migration or re-anchoring project planned for this year, the July deadline is the one most likely to catch you off guard. 
This article covers the SyncJacking background, what both enforcement phases actually block, and the specific steps to take before each deadline, including the DirSync feature flag, audit log queries, and the Graph API recovery path for legitimate migration scenarios.<\/p>\n","protected":false},"author":1,"featured_media":3206,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[850,753,867],"tags":[431,950,947,948,862,845,942,945,946,951,759,846,949,944,943],"class_list":["post-3204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-850","category-microsoft365","category-microsoft-entra","tag-active-directory","tag-ad-migration","tag-cloud-sync","tag-directory-synchronization","tag-entra-connect","tag-entra-id","tag-hard-match","tag-hybrid-identity","tag-hybrid-identity-administrator","tag-identity-security","tag-microsoft-365","tag-microsoft-entra","tag-onpremisesimmutableid","tag-security-hardening","tag-syncjacking"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3204"}],"version-history":[{"count":1,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3
204\/revisions"}],"predecessor-version":[{"id":3208,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3204\/revisions\/3208"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/3206"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}