
Azure AD – Source Anchor

What is Azure AD – Source Anchor?

The sourceAnchor is an attribute whose value must never change for the lifetime of the user object. It is the primary key that links the on-premises user object with the corresponding user object in Azure AD: as long as the anchor matches, the two objects are treated as the same identity, even if every other attribute changes.

Which Attribute to use as sourceAnchor?

Since the attribute cannot be changed afterwards, you must plan which attribute to use before the first synchronization. A good candidate is objectGUID. It is system-generated and stays the same for the life of the object within a forest, including moves between domains in the same forest. A cross-forest migration, however, creates a new object with a new objectGUID. In a multi-forest environment where accounts are moved between forests, another attribute must be used instead, such as one that carries the employeeID, so that the value can be carried across with the account.

Which Attributes not to use as sourceAnchor?

Avoid attributes whose value changes when a person marries or changes role or assignment. You cannot use attributes that contain an @-sign, so mail and userPrincipalName cannot be used. The attribute is also compared case-sensitively, so when you move an object between forests, make sure the upper/lower case of the value is preserved exactly. Binary attributes (such as objectGUID or msDS-ConsistencyGuid) are base64-encoded on their way to Azure AD, while other attribute types are taken as-is. In federation scenarios and some Azure AD interfaces, this attribute is also known as the immutableID. More information about the source anchor can be found in the Azure AD Connect design concepts.
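The base64 point above is easy to get wrong in practice, because the ImmutableId is the base64 of the GUID's 16 raw bytes in .NET byte order, not the base64 of the GUID's text form. The following added example (not code from the original post) shows the conversion in both directions with a constructed sample GUID, plus an ordinal (case-sensitive) comparison for the case where a string attribute such as employeeID is the anchor. It runs offline; the function names are my own.

```powershell
# Added example: how a binary sourceAnchor becomes the ImmutableId and back.
# Azure AD base64-encodes the 16 raw bytes of objectGUID / msDS-ConsistencyGuid;
# a string anchor such as employeeID is taken as-is and compared case-sensitively.

function ConvertTo-ImmutableId {
    # Accepts the GUID as AD returns it (System.Guid or its string form) and
    # returns the base64 form Azure AD exposes as ImmutableId.
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() uses .NET mixed-endian order: first three groups little-endian,
    # last two big-endian. That is the byte order Azure AD Connect exports.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Inverse: turn an ImmutableId back into a GUID you can search for in on-prem AD.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId does not decode to 16 bytes; the anchor is probably a string attribute, not a GUID."
    }
    [guid]::new($bytes)
}

function Test-StringAnchorMatch {
    # For string anchors the comparison must be ordinal (case-sensitive);
    # PowerShell's default -eq is case-insensitive and would hide a mismatch.
    param([Parameter(Mandatory)][string]$OnPrem, [Parameter(Mandatory)][string]$Cloud)
    [string]::Equals($OnPrem, $Cloud, [System.StringComparison]::Ordinal)
}

# Constructed sample value (any real objectGUID behaves the same way).
$sampleGuid  = [guid]'01234567-89ab-cdef-0123-456789abcdef'
$immutableId = ConvertTo-ImmutableId -Guid $sampleGuid
"objectGUID  : $sampleGuid"
"ImmutableId : $immutableId"
"Round trip  : $((ConvertFrom-ImmutableId -ImmutableId $immutableId) -eq $sampleGuid)"

# Wrong approach for comparison: base64 of the *text* form is not the ImmutableId.
"Text-base64 : $([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleGuid.ToString())))"

# Case matters for string anchors: the two values below are the same to -eq but not to Azure AD.
"Ordinal match of 'E12345' vs 'e12345': $(Test-StringAnchorMatch -OnPrem 'E12345' -Cloud 'e12345')"
```

Against a live environment, `Get-ADUser <user> -Properties objectGUID` supplies the GUID and `(Get-MsolUser -UserPrincipalName <upn>).ImmutableId` the cloud value; if `ConvertFrom-ImmutableId` throws on the cloud value, the tenant is anchored on a string attribute rather than a GUID.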

Different options for configuring sourceAnchor in Azure AD Connect

Setting: Let Azure manage the source anchor for me
Description: Select this option if you want Azure AD to pick the attribute for you. If you select this option, the Azure AD Connect wizard applies the sourceAnchor attribute selection logic described in the article section Azure AD Connect: Design concepts – Using msDS-ConsistencyGuid as sourceAnchor. The wizard informs you which attribute has been picked as the Source Anchor attribute after the Custom installation completes.

Setting: A specific attribute
Description: Select this option if you wish to specify an existing AD attribute as the sourceAnchor attribute.

How to Modify the sourceAnchor for existing deployment of Azure AD Connect?

To start, launch the Azure AD Connect application, select Configure Source Anchor and click Next.

On the Configure Source Anchor page you will notice that the sourceAnchor is currently configured to use objectGUID as the source attribute.

Microsoft recommends upgrading this to msDS-ConsistencyGuid, for the reasons explained in the next section.

Using msDS-ConsistencyGuid as sourceAnchor

By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. objectGUID is system-generated: you cannot specify its value when creating on-premises AD objects. There are scenarios where you need to control the sourceAnchor value yourself (for example, preserving the anchor of an account that is migrated to a new forest, where the new object receives a new objectGUID). If such a scenario applies to you, you must use a writable AD attribute (for example, msDS-ConsistencyGuid) as the sourceAnchor attribute.

Azure AD Connect (version 1.1.524.0 and later) supports the use of msDS-ConsistencyGuid as the sourceAnchor attribute. When this feature is used, Azure AD Connect automatically configures the synchronization rules to:

  1. Use msDS-ConsistencyGuid as the sourceAnchor attribute for User objects. objectGUID continues to be used for other object types.
  2. For any on-premises AD User object whose msDS-ConsistencyGuid attribute is not populated, write the object's objectGUID value back into the msDS-ConsistencyGuid attribute in on-premises Active Directory. Only after msDS-ConsistencyGuid is populated does Azure AD Connect export the object to Azure AD. Objects that already have a value keep it, which is what makes the attribute suitable for carrying an anchor across a migration.
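Before switching the anchor it is worth knowing what is already in msDS-ConsistencyGuid, because Azure AD Connect will trust any existing value and only fill in empty ones. The following added example (my own code, not from the original post or from Microsoft) audits every user, classifies the attribute as empty, malformed, equal to objectGUID, or different from objectGUID, and offers a write-back step that mirrors what Connect does for empty values. It assumes the ActiveDirectory RSAT module and an account permitted to read (and, for the write-back, modify) the attribute; nothing is written unless you drop `-WhatIf`.

```powershell
# Added example: pre-flight audit of msDS-ConsistencyGuid before changing the sourceAnchor.
# Assumes the ActiveDirectory module and sufficient rights; the write-back runs with -WhatIf.
Import-Module ActiveDirectory

# LDAP display name of msDS-ConsistencyGuid as the AD cmdlets expose it.
$attr = 'mS-DS-ConsistencyGuid'

function Get-ConsistencyGuidReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $attr | ForEach-Object {
        $raw = $_.$attr                      # byte[] for a binary attribute, $null if unset
        $state = if (-not $raw)                 { 'Empty' }
                 elseif ($raw.Length -ne 16)    { 'Malformed' }   # not a GUID: would export as garbage
                 elseif ([guid]::new([byte[]]$raw) -eq $_.ObjectGUID) { 'MatchesObjectGuid' }
                 else                           { 'DiffersFromObjectGuid' }  # expected after a cross-forest move
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            ObjectGuid        = $_.ObjectGUID
            ConsistencyGuid   = if ($raw) { [Convert]::ToBase64String([byte[]]$raw) } else { $null }
            State             = $state
        }
    }
}

function Set-ConsistencyGuidFromObjectGuid {
    # Mirrors Azure AD Connect's behaviour for users whose attribute is empty:
    # copy the objectGUID bytes into msDS-ConsistencyGuid. Populated values are
    # left alone, since they may be deliberate (e.g. carried over from an old forest).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if ($Entry.State -ne 'Empty') { return }
        $user = Get-ADUser -Identity $Entry.ObjectGuid
        if ($PSCmdlet.ShouldProcess($Entry.UserPrincipalName, "Set $attr = objectGUID")) {
            Set-ADUser -Identity $user -Replace @{ $attr = $user.ObjectGUID.ToByteArray() }
        }
    }
}

$report = Get-ConsistencyGuidReport

# Summary first: how many users fall in each state.
$report | Group-Object State | Select-Object Name, Count

# Values that need a human decision before the anchor is switched.
$report | Where-Object { $_.State -in 'Malformed', 'DiffersFromObjectGuid' } | Format-Table -AutoSize

# Dry run of the write-back; remove -WhatIf only after reviewing the output above.
$report | Set-ConsistencyGuidFromObjectGuid -WhatIf
```

A `DiffersFromObjectGuid` entry is not necessarily an error: it is exactly what you expect for an account migrated from another forest whose old anchor was preserved. A `Malformed` entry, on the other hand, will be exported as the anchor verbatim and should be fixed before the change.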

How to enable the ConsistencyGuid feature

If Azure AD Connect is installed using express mode, it automatically determines the appropriate AD attribute to use as the sourceAnchor. The first step of that logic is:

  1. The Azure AD Connect wizard queries your Azure AD tenant to retrieve the AD attribute used as the sourceAnchor attribute in the previous Azure AD Connect installation (if any). If this information is available, Azure AD Connect uses the same AD attribute.

Click Next on the Configure Source Anchor page to update the sourceAnchor attribute.

The message on the completed screen confirms that Azure AD Connect is now configured to use the AD attribute mS-DS-ConsistencyGuid (the LDAP display name of msDS-ConsistencyGuid) as the source anchor attribute.
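The wizard's completion message is the only confirmation the GUI gives, so it is worth verifying the change from the command line and spot-checking one user end to end. The following added example (not from the original post) reads the configured anchor from the Connect server's global settings and compares a user's on-premises anchor value with the ImmutableId Azure AD reports. It assumes the ADSync module on the Connect server, the ActiveDirectory module, and an authenticated MSOnline session; the global-settings parameter name `Microsoft.SynchronizationOption.AnchorAttribute` is the one the ADSync module exposes, and you should confirm it on your version.

```powershell
# Added example: verify the configured sourceAnchor and spot-check one user.
# Assumes ADSync (on the Connect server), ActiveDirectory and an already
# connected MSOnline session (Connect-MsolService).
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ConfiguredSourceAnchor {
    # Assumption: the anchor is stored in this global-settings parameter on the Connect server.
    (Get-ADSyncGlobalSettings).Parameters |
        Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' |
        Select-Object -ExpandProperty Value
}

function Test-UserAnchor {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $anchor = Get-ConfiguredSourceAnchor
    # Script-block filter with a variable avoids building the filter by string concatenation.
    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties 'mS-DS-ConsistencyGuid'
    if (-not $adUser) { throw "No on-premises user with UPN $UserPrincipalName" }

    # Pick the on-prem bytes that Connect exports for the configured anchor.
    $raw = switch ($anchor) {
        'mS-DS-ConsistencyGuid' { $adUser.'mS-DS-ConsistencyGuid' }
        'objectGUID'            { $adUser.ObjectGUID.ToByteArray() }
        default                 { throw "Anchor '$anchor' is not a GUID attribute; compare it as a case-sensitive string instead." }
    }
    if (-not $raw) { throw "$UserPrincipalName has no value in $anchor yet; Connect writes it on the next sync cycle." }

    $onPrem = [Convert]::ToBase64String([byte[]]$raw)
    $cloud  = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ConfiguredAnchor  = $anchor
        OnPremAnchor      = $onPrem
        AzureAdImmutableId = $cloud
        # Ordinal comparison: the anchor is case-sensitive, unlike PowerShell's -eq.
        Match             = [string]::Equals($onPrem, $cloud, [System.StringComparison]::Ordinal)
    }
}

"Configured sourceAnchor: $(Get-ConfiguredSourceAnchor)"
# Replace with a real synced user in your tenant.
Test-UserAnchor -UserPrincipalName 'someone@example.com' | Format-List
```

A `Match` of `False` after the switch means the msDS-ConsistencyGuid value that Connect is now exporting differs from the ImmutableId the cloud object already holds, which is the situation the pre-flight audit is meant to catch before it causes a hard-match failure.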

#ThatLazyAdmin


Published in Azure

One Comment

  1. Ade Tayo

    Thank you so much your explanation has been very helpful for me. I was tasked with upgrading our current Azure AD Connect and got a recommendation to switch our current source anchor configuration to Azure managed source anchor. Your explanation is much simpler and clearer to me.
    Thank you so much and keep doing what you’re doing. Your name is quite a contrast though. Lol
