[Introduction]
We’re introducing a security update to Microsoft Entra Connect and Cloud Sync to better protect privileged cloud‑managed accounts. Today, when Entra Connect or Cloud Sync adds new objects from Active Directory, the service attempts a “hard match” by comparing the object’s sourceAnchor (by default derived from the on‑premises ms‑DS‑ConsistencyGuid or objectGUID attribute) to the onPremisesImmutableId of existing cloud accounts. If there’s a match, the service converts the cloud‑managed object into a synced object: Active Directory becomes its source of authority (SoA), and the on‑premises attribute values overwrite the cloud object’s values on every subsequent sync cycle.
Beginning in early June 2026, Microsoft Entra ID will block hard‑match attempts that target cloud‑managed users who hold Microsoft Entra roles. Today, an attacker who can write attributes in on‑premises Active Directory could give an AD object a sourceAnchor equal to a privileged cloud‑only account’s onPremisesImmutableId and, on the next sync cycle, take control of that account through the hard match. This change closes that path for accounts that hold Microsoft Entra roles.
[When this will happen]
General Availability (Worldwide, DoD, GCC, and GCCH): We will begin rolling out in early June 2026 and expect to complete by early July 2026.
[How this affects your organization]
Who is affected
- Organizations using Microsoft Entra Connect Sync or Cloud Sync
- Admins who rely on hard‑matching to manage lifecycles for cloud‑managed accounts that hold Microsoft Entra roles
What will happen
- Hard‑match operations targeting cloud‑managed users with Microsoft Entra roles will be blocked starting in early June 2026.
- Entra Connect Sync or Cloud Sync will no longer take over SoA for a cloud‑managed user who has onPremisesImmutableId (sourceAnchor) set and holds a Microsoft Entra role.
- Hard‑match for users without Entra roles is unchanged.
- Soft‑match behavior and ongoing sync for previously hard‑matched objects are unchanged.
[What you can do to prepare]
If your environment relies on hard‑matching accounts that hold Microsoft Entra roles, you may encounter an InvalidHardMatch error after this change takes effect.
Recommended actions:
- Review any automation or workflows that hard‑match privileged or administrative accounts.
- Validate lifecycle processes for accounts that hold Microsoft Entra roles to ensure they don’t depend on hard‑match.
- If you receive an InvalidHardMatch error after June 1, 2026, follow mitigation guidance in Microsoft Entra ID documentation.
- Update internal documentation and notify identity operations teams as needed.
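The first two recommended actions start with knowing which accounts are in scope. The following Microsoft Graph PowerShell script is an added example, not part of this announcement or of Entra Connect itself: it lists cloud‑managed users that hold an activated Microsoft Entra role and reports whether they already carry an onPremisesImmutableId (the value a sourceAnchor would be hard‑matched against), decoding that value back to the AD GUID it would correspond to so the on‑premises object can be located. It assumes the Microsoft.Graph PowerShell SDK is installed and that read‑only scopes are acceptable; the output file name and the helper name ConvertTo‑AnchorGuid are arbitrary choices for this example.

```powershell
# Added example (not from the Microsoft announcement or the Entra Connect product):
# find cloud-managed users that hold an active Entra role and check whether they
# already have an onPremisesImmutableId, i.e. the accounts that a hard match would
# now be blocked against. Requires the Microsoft.Graph PowerShell SDK.
# For GCC High / DoD tenants add -Environment USGov or -Environment USGovDoD.
Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','RoleManagement.Read.Directory' -NoWelcome

function ConvertTo-AnchorGuid {
    # Helper name chosen for this example. The default sourceAnchor is the base64
    # encoding of a 16-byte objectGUID / ms-DS-ConsistencyGuid; anything else means a
    # custom anchor attribute is in use and cannot be decoded this way.
    param([string]$ImmutableId)
    if ([string]::IsNullOrEmpty($ImmutableId)) { return $null }
    try {
        $bytes = [System.Convert]::FromBase64String($ImmutableId)
        if ($bytes.Length -ne 16) { return $null }
        return [guid]::new($bytes)
    } catch { return $null }
}

# Map userId -> role display names for every user that is an active member of an
# activated directory role, expanding role-assignable groups transitively.
# Get-MgDirectoryRoleMember returns active assignments only; PIM *eligible*
# assignments are not included and need a separate roleEligibilitySchedule query.
$roleHolders = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $userIds = switch ($member.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { $member.Id }
            '#microsoft.graph.group' {
                Get-MgGroupTransitiveMember -GroupId $member.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                    Select-Object -ExpandProperty Id
            }
            default { @() }   # service principals cannot be hard-matched; skip
        }
        foreach ($id in $userIds) {
            if (-not $roleHolders.ContainsKey($id)) {
                $roleHolders[$id] = [System.Collections.Generic.List[string]]::new()
            }
            $roleHolders[$id].Add($role.DisplayName)
        }
    }
}

# Pull the sync-related attributes for each role holder and keep the cloud-managed ones.
$results = foreach ($id in $roleHolders.Keys) {
    $u = Get-MgUser -UserId $id -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled
    if ($u.OnPremisesSyncEnabled -eq $true) { continue }   # already AD-mastered, not a hard-match target
    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        OnPremisesImmutableId = $u.OnPremisesImmutableId
        # True = a synced AD object with this sourceAnchor would have hard-matched
        # this privileged cloud account; after the change that attempt is blocked.
        HardMatchCandidate    = -not [string]::IsNullOrEmpty($u.OnPremisesImmutableId)
        # GUID to search for in AD (Get-ADObject -Filter ... on objectGUID / ms-DS-ConsistencyGuid)
        AnchorGuid            = ConvertTo-AnchorGuid $u.OnPremisesImmutableId
        Roles                 = ($roleHolders[$id] | Sort-Object -Unique) -join '; '
    }
}

$results | Sort-Object HardMatchCandidate -Descending | Format-Table -AutoSize
# Output path is arbitrary for this example.
$results | Export-Csv -Path .\privileged-cloud-users-hardmatch.csv -NoTypeInformation
```

Rows with HardMatchCandidate = True are the accounts whose lifecycle or automation must not rely on hard match after the change; for each, the AnchorGuid column tells you which on‑premises objectGUID or ms‑DS‑ConsistencyGuid a sync would have to present to claim the account, which is also the value to look for in Active Directory when investigating an unexpected InvalidHardMatch error. Rows where an ImmutableId is set but AnchorGuid is empty indicate a custom sourceAnchor attribute, which this helper does not decode.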
Learn more:
- Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles
- Existing Admin Role Conflict - Understanding errors during Microsoft Entra synchronization | Hybrid | Microsoft Entra ID | Microsoft Learn
- Hard-match vs soft-match - Microsoft Entra Connect: When you have an existing tenant | Hybrid | Microsoft Entra ID | Microsoft Learn
- InvalidHardMatch - Understanding errors during Microsoft Entra synchronization | Hybrid | Microsoft Entra ID | Microsoft Learn
- Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Learn
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.
