Update sourceAnchor in Entra Connect for Seamless Integration

There could be several reasons that you would need to change the sourceAnchor in Entra Connect (formerly Azure AD Connect), such as an old installation that still uses objectGuid instead of ms-Ds-ConsistencyGuid, or maybe you need to change sourceAnchor to be an attribute that you manage, like employeeID or something similar.

This blog will address a way to change sourceAnchor. Note that if you search Microsoft’s documentation, it will tell you that this can’t be done. It can be done using this process, which is similar to moving Entra Connect from one domain to another (this blog reinstalls Entra Connect in the same domain and on the same server).

Please note that this method is completely unsupported by Microsoft and Windows Management Experts. Use this process at your own risk. Test extensively in non-production environments prior to attempting this change in production.

Also note that if you use Entra ID self-service password reset and have password writeback enabled, once you disable the Azure AD Sync service in step 1, passwords will no longer flow between on-prem Active Directory and Entra ID. Password reset will start working again once Entra Connect is reinstalled and sync enabled in step <>. Password changes are not queued while Entra Connect is disabled, so those changes will be lost to the other directory.

Why Change the sourceAnchor in Entra Connect

First, some background on Entra Connect. The sourceAnchor in Entra Connect acts as sort of a primary key. It’s stored in Entra Connect’s metaverse and is the application’s way of linking an on-prem account in Active Directory (AD) with a synced cloud account in Entra ID. sourceAnchor is based on attribute in AD that is set when installing Entra Connect.

How sourceAnchor is Managed and its Impact

In default installations, sourceAnchor is based on the ms-Ds-ConsistencyGuid attribute of an object, which is in-turn based on the objectGuid attribute. The first time an account enters Entra Connect’s scope, if ms-Ds-ConsistencyGuid is not set, Entra Connect reads the objectGuid attribute, converts it to ms-Ds-ConsistencyGuid’s format, and writes it into ms-Ds-ConsistencyGuid. It then takes ms-Ds-ConsistencyGuid and generates the sourceAnchor value and writes it into it’s metaverse. When Entra Connect creates the Entra ID account, it sets the ImmutableID attribute of the account to the value of sourceAnchor.

Challenges with using ms-Ds-ConsistencyGuid as sourceAnchor

Because Entra Connect manages ms-Ds-ConsistencyGuid, this may not be the right attribute to use for sourceAnchor, especially if you have a lot of accounts that come and go and are recreated. Each time the account is recreated, the ms-Ds-ConsistencyGuid and sourceAnchor will be different, so Entra Connect and Entra ID will see these as different identities. One immediate issue you will see is that the account is given a new Exchange mailbox and new OneDrive, rather than being given the old one with that user’s mail and data. You may intend for this to happen, or you may not.

Managing the sourceAnchor attribute may work better for you if you have another value that is kept consistent as accounts come and go from your environment.

Step-by-Step Process for Updating sourceAnchor in Entra Connect

Because of how this change works and the steps required, I don’t believe it’s necessary to back up the existing values of ms-Ds-ConsistencyGuid, ImmutableID, or sourceAnchor, so I’m not including those steps or how to do it in my process. I will, however, note where you should if you choose to.

As of this writing, the shortcuts in Windows are still called Azure AD Connect, rather than Entra Connect. I suspect that will change eventually, so look for both if you don’t immediately see Azure AD Connect in your Start Menu.

Step 1 – Entra Connect Readiness

First, we need to export Entra Connect’s configuration so that we can use it later.

1. Launch the Azure AD Connect
2. Click Configure.
3. Select View or export current configuration and click Next.
4. Click the Export Settings
5. Save the export to a location on the server where you can find it. I always suggest the desktop because it’s easy to find.
6. Open the export file in the text editor of your choice.
7. Find the azureSourceAnchorAttribute line and change its value to the attribute that will be your new sourceAnchor. This should be near the top of the file in a section called identityMappingPolicy. In this screenshot, I went with employeeID.

1. Save and exit the file.

Next, stop and disable the Entra Connect services.

1. Launch Services.msc.
2. Disable the following services:Microsoft Azure AD Connect Agent UpdaterMicrosoft Azure AD SyncMicrosoft Entra Connect Health Agent
3. Close Services.

If you want to backup the sourceAnchor value from Entra Connect, now would be the time to do that.

Click here to Read More