Update sourceAnchor in Entra Connect for Seamless Integration

There could be several reasons that you would need to change the sourceAnchor in Entra Connect (formerly Azure AD Connect), such as an old installation that still uses objectGuid instead of ms-Ds-ConsistencyGuid, or maybe you need to change sourceAnchor to be an attribute that you manage, like employeeID or something similar.

This blog will address a way to change sourceAnchor. Note that if you search Microsoft’s documentation, it will tell you that this can’t be done. It can be done using this process, which is similar to moving Entra Connect from one domain to another (this blog reinstalls Entra Connect in the same domain and on the same server).

Please note that this method is completely unsupported by Microsoft and Windows Management Experts. Use this process at your own risk. Test extensively in non-production environments prior to attempting this change in production.

Also note that if you use Entra ID self-service password reset and have password writeback enabled, once you stop the Azure AD Sync service in step 1, passwords will no longer flow between on-prem Active Directory and Entra ID. Password reset will start working again once Entra Connect is reinstalled in step 3 and sync is enabled in step 4. Password changes are not queued while Entra Connect is disabled, so any change made in that window will not reach the other directory; the same applies to password hash sync in the other direction.

Why Change the sourceAnchor in Entra Connect

First, some background on Entra Connect. The sourceAnchor in Entra Connect acts as a sort of primary key. It is stored in Entra Connect’s metaverse and is the application’s way of linking an on-prem account in Active Directory (AD) with a synced cloud account in Entra ID. sourceAnchor is derived from an AD attribute that is chosen when installing Entra Connect.

How sourceAnchor is Managed and its Impact

In default installations, sourceAnchor is based on the ms-Ds-ConsistencyGuid attribute of an object, which is in turn populated from the objectGuid attribute. The first time an account enters Entra Connect’s scope, if ms-Ds-ConsistencyGuid is not set, Entra Connect reads objectGuid and writes its 16 bytes into ms-Ds-ConsistencyGuid (an octet-string attribute, so it holds the same bytes without the GUID formatting). It then derives the sourceAnchor value from ms-Ds-ConsistencyGuid (the bytes, base64-encoded) and stores it in its metaverse. When Entra Connect creates the Entra ID account, it sets the ImmutableID attribute of the account to the value of sourceAnchor. Because Entra Connect only writes ms-Ds-ConsistencyGuid when it is empty, this chain runs once per object.
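To make that relationship concrete, here is an added PowerShell example (mine, not code from the original post) that turns a GUID into the base64 ImmutableID Entra Connect writes and back again, which is also a quick way to confirm that an AD account and a cloud account really are the same identity. The GUID is a constructed sample and the account name in the commented live check (jdoe) is hypothetical.

```powershell
# Added example, not code from the original post: objectGuid, ms-DS-ConsistencyGuid and
# ImmutableID are the same 16 bytes in three encodings.

function ConvertTo-ImmutableId {
    # Base64-encode the 16 GUID bytes; this is what Entra Connect writes to ImmutableID
    # when sourceAnchor is objectGuid or ms-DS-ConsistencyGuid.
    param([Parameter(Mandatory)][byte[]]$GuidBytes)
    if ($GuidBytes.Length -ne 16) { throw "Expected 16 bytes, got $($GuidBytes.Length)" }
    [Convert]::ToBase64String($GuidBytes)
}

function ConvertFrom-ImmutableId {
    # Reverse: turn an ImmutableID read from Entra ID back into the GUID it came from.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "Not a GUID-based ImmutableID (decoded to $($bytes.Length) bytes)" }
    [guid]::new($bytes)
}

# Constructed sample GUID; in practice this is the objectGUID property from Get-ADUser.
$objectGuid = [guid]'01234567-89ab-cdef-0123-456789abcdef'

# Entra Connect copies objectGuid's bytes into ms-DS-ConsistencyGuid (an octet string) unchanged.
# Get-ADUser returns objectGUID as [guid] and mS-DS-ConsistencyGuid as [byte[]].
$consistencyGuid = $objectGuid.ToByteArray()

$immutableId = ConvertTo-ImmutableId $consistencyGuid
$roundTrip   = ConvertFrom-ImmutableId $immutableId

"objectGuid           : $objectGuid"
"ms-DS-ConsistencyGuid: $(($consistencyGuid | ForEach-Object { $_.ToString('x2') }) -join ' ')"
"ImmutableID          : $immutableId"
"round trip matches   : $($roundTrip -eq $objectGuid)"

# Live check against a real account (requires the RSAT ActiveDirectory and AzureAD modules;
# jdoe is a hypothetical sAMAccountName):
#   $u = Get-ADUser jdoe -Properties 'mS-DS-ConsistencyGuid'
#   ConvertTo-ImmutableId $u.'mS-DS-ConsistencyGuid'
#   (Get-AzureADUser -ObjectId $u.UserPrincipalName).ImmutableId   # should be the same string
```

If the two strings in the live check differ, the cloud account is anchored to something other than this AD object (a previous objectGuid, typically from a recreated account), which is the symptom the rest of this post addresses.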

Challenges with using ms-Ds-ConsistencyGuid as sourceAnchor

Because Entra Connect manages ms-Ds-ConsistencyGuid, it may not be the right attribute to use for sourceAnchor, especially if you have a lot of accounts that come and go and are recreated. A recreated account gets a new objectGuid, so it also gets a new ms-Ds-ConsistencyGuid and a new sourceAnchor, and Entra Connect and Entra ID see it as a different identity. One immediate issue you will see is that the account is given a new Exchange mailbox and new OneDrive, rather than being given the old one with that user’s mail and data. You may intend for this to happen, or you may not. (Because Entra Connect only writes ms-Ds-ConsistencyGuid when it is empty, the narrow fix for a single recreated account is to populate its ms-Ds-ConsistencyGuid with the old value before it comes into scope; this post is about changing the anchor attribute itself so the problem goes away for every account.)

Managing the sourceAnchor attribute may work better for you if you have another value that is kept consistent as accounts come and go from your environment.
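Before committing to an attribute, check it against Microsoft’s sourceAnchor requirements for every in-scope account: populated, unique, stable, at most 60 characters and free of special characters. A single empty or duplicated value will surface as a sync error or a mislinked account after the reinstall, when it is far more expensive to fix. The following PowerShell is an added example, not code from the original post; Test-SourceAnchorCandidate is my own helper, the sample users are constructed, and the commented live run assumes employeeID as the candidate and that you narrow Get-ADUser to the OUs Entra Connect actually syncs. The live query also captures objectGuid and ms-Ds-ConsistencyGuid, which doubles as the backup of the old anchor values that the steps below mention.

```powershell
# Added example, not code from the original post: pre-flight check that a candidate
# sourceAnchor attribute is populated, unique and well-formed for every in-scope user.

function Test-SourceAnchorCandidate {
    param(
        [Parameter(Mandatory)][object[]]$Users,      # objects with UserPrincipalName and the attribute
        [Parameter(Mandatory)][string]$Attribute,    # e.g. 'employeeID'
        [int]$MaxLength = 60                         # Microsoft's documented sourceAnchor limit
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $seen = @{}   # lower-cased value -> first UPN that used it (hashtable keys are case-insensitive)

    foreach ($u in $Users) {
        $upn   = $u.UserPrincipalName
        $value = [string]$u.$Attribute

        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings.Add([pscustomobject]@{ UPN = $upn; Value = $value; Problem = 'empty' })
            continue
        }
        if ($value -ne $value.Trim()) {
            $findings.Add([pscustomobject]@{ UPN = $upn; Value = $value; Problem = 'leading/trailing whitespace' })
        }
        if ($value.Length -gt $MaxLength) {
            $findings.Add([pscustomobject]@{ UPN = $upn; Value = $value; Problem = "longer than $MaxLength characters" })
        }
        if ($value -notmatch '^[A-Za-z0-9]+$') {
            $findings.Add([pscustomobject]@{ UPN = $upn; Value = $value; Problem = 'contains non-alphanumeric characters' })
        }
        $key = $value.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $findings.Add([pscustomobject]@{ UPN = $upn; Value = $value; Problem = "duplicate of $($seen[$key])" })
        } else {
            $seen[$key] = $upn
        }
    }
    return $findings
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; employeeID = '100234' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   employeeID = '100235' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; employeeID = $null }      # never populated
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com';  employeeID = '100234' }   # collides with alice
    [pscustomobject]@{ UserPrincipalName = 'erin@contoso.com';  employeeID = ' 100236 ' } # HR export padding
)

$problems = Test-SourceAnchorCandidate -Users $sample -Attribute employeeID
$problems | Format-Table -AutoSize
"{0} of {1} users need attention before employeeID can be the sourceAnchor" -f @($problems | Select-Object -Unique UPN).Count, $sample.Count

# Live run (RSAT ActiveDirectory module; add -SearchBase for the OUs Entra Connect syncs).
# The same query is the backup of the old anchor values worth keeping before step 1.
#   $adUsers = Get-ADUser -Filter * -Properties employeeID,'mS-DS-ConsistencyGuid'
#   $adUsers | Select-Object UserPrincipalName, employeeID, objectGUID,
#       @{ n = 'ConsistencyGuid'; e = { if ($_.'mS-DS-ConsistencyGuid') { [guid]::new([byte[]]$_.'mS-DS-ConsistencyGuid') } } } |
#       Export-Csv .\anchor-backup.csv -NoTypeInformation
#   Test-SourceAnchorCandidate -Users $adUsers -Attribute employeeID | Format-Table -AutoSize
```

Treat any "empty" or "duplicate" finding as a blocker: Entra Connect will either refuse to export the object or, worse, link two on-prem accounts to one cloud identity. Whitespace and odd characters usually mean the value is being pushed by an upstream HR feed, which is also the system that must guarantee the value never changes once the cutover is done.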

Step-by-Step Process for Updating sourceAnchor in Entra Connect

Because of how this change works and the steps required, I don’t believe it’s necessary to back up the existing values of ms-Ds-ConsistencyGuid, ImmutableID, or sourceAnchor, so I’m not including those steps or how to do it in my process. I will, however, note where you should if you choose to.

As of this writing, the shortcuts in Windows are still called Azure AD Connect, rather than Entra Connect. I suspect that will change eventually, so look for both if you don’t immediately see Azure AD Connect in your Start Menu.

Step 1 – Entra Connect Readiness

First, we need to export Entra Connect’s configuration so that we can use it later.

  1. Launch the Azure AD Connect application.
  2. Click Configure.
  3. Select View or export current configuration and click Next.
  4. Click the Export Settings button.
  5. Save the export to a location on the server where you can find it. I always suggest the desktop because it’s easy to find.
  6. Open the export file in the text editor of your choice.
  7. Find the azureSourceAnchorAttribute line and change its value to the attribute that will be your new sourceAnchor. This should be near the top of the file in a section called identityMappingPolicy. In my case, I went with employeeID.
  8. Save and exit the file.

Next, stop and disable the Entra Connect services.

  1. Launch Services.msc.
  2. Stop and then disable the following services (disabling alone does not stop a service that is already running):
    1. Microsoft Azure AD Connect Agent Updater
    2. Microsoft Azure AD Sync
    3. Microsoft Entra Connect Health Agent
  3. Close Services.

If you want to backup the sourceAnchor value from Entra Connect, now would be the time to do that.

Step 2 – Entra ID Readiness

NOTE: Before running the following PowerShell commands, you may first need to install the MSOnline PowerShell module by running install-module MSOnline from an administrator PowerShell session. Microsoft has deprecated the MSOnline and AzureAD modules used in this post in favour of Microsoft Graph PowerShell, so confirm they still connect to your tenant before you rely on them for the cutover.

Disable directory sync for your Entra ID tenant.

  1. Open PowerShell.
  2. Run: Connect-MsolService
  3. Run: Set-MsolDirSyncEnabled -EnableDirSync $false

At this point, if you want to back up the values in ms-Ds-ConsistencyGuid and ImmutableID, now would be the time to start that process.

At this point, you will need to wait for all accounts in your tenant to convert from synced accounts to cloud-only accounts. This took about three hours in my tenant with approximately 50,000 user accounts and 1,000 groups; expect it to scale with the number of objects, and do not reinstall Entra Connect until it has finished.

You can check the progress of this conversion by running the following PowerShell script. It loops every 5 minutes and reports how many user accounts are still synced and how many are cloud only (groups and contacts convert as part of the same process but are not counted here).

connect-azuread

do {
    $date  = get-date -format "MM/dd/yyyy hh:mm tt"
    $users = get-azureaduser -all:$true | select userprincipalname,dirsyncenabled

    # DirSyncEnabled is $true for synced users and empty (not $false) once they are cloud-only
    $synced = @($users | where-object -FilterScript {$_.DirSyncEnabled -eq $true}).count
    $cloud  = @($users | where-object -FilterScript {$_.DirSyncEnabled -ne $true}).count

    write-host "`n"
    write-host $date -ForegroundColor cyan
    write-host "Synced Count: $synced" -ForegroundColor yellow
    write-host "Cloud Count: $cloud" -ForegroundColor green

    # check first, then wait, so the final pass reports zero without an extra delay
    if ($synced -gt 0) { sleep -s 300 }
}
until ($synced -eq 0)

$c_date = get-date -format "MM/dd/yyyy hh:mm tt"
write-host "`n"
write-host "completed at $c_date" -ForegroundColor Cyan

Once this hits zero, you are ready to proceed.

Next, you need to clear the ImmutableID attribute from all accounts in Entra ID. This matters for step 4: soft matching only links a cloud account whose ImmutableID is empty, and an account that still carries the old value is treated as already anchored, so the hard match on the old value fails and no soft match is attempted. To clear it, run this PowerShell script. There is a progress bar with this script. In my tenant, this took another three hours to run.

connect-msolservice

# Only cloud-only users can have ImmutableId cleared, so run this after the conversion above finishes
$users = get-msoluser -all | where-object -filterscript {$_.ImmutableId -ne $null} | select userprincipalname,ImmutableId

$count = 0
$total = @($users).count
if ($total -eq 0) { write-host "No users with an ImmutableId found."; return }

ForEach ($user in $users) {

    # set counts for progress bar
    $count = $count + 1
    $percent = $count/$total
    $percent_readable = $percent.tostring("P")
    $percent_bar = $percent * 100

    # display progress bar
    write-progress "processing $count of $total - $percent_readable complete." -PercentComplete $percent_bar

    # MSOnline clears the value when handed the string "$null" (which expands to an empty string)
    set-msoluser -UserPrincipalName $user.UserPrincipalName -ImmutableId "$null"
}

Step 3 – Reinstall Entra Connect

Now we need to reinstall Entra Connect so that we can use the new sourceAnchor.

First, use Control Panel > Programs and Features to uninstall Entra Connect. Look for the application Microsoft Entra Connect Sync. When the uninstall wizard launches, make sure that the box for Also uninstall support components is checked and click Remove.

After the uninstall is complete, if there are other applications with Microsoft Entra Connect or Microsoft Azure AD Connect in the name, feel free to uninstall those as well.

Now reinstall Entra Connect. I recommend installing the same version, even if it’s not the latest version; you can upgrade to the latest version later. If you are unsure of the version you had installed, open the export file from step 1 and look at the line for azureADConnectVersion.

  1. Launch the Entra Connect installer.
  2. When the Microsoft Entra Connect Sync configuration wizard launches, agree to the license terms and privacy notice and click Next.
  3. Click Customize.
  4. Check the box for Import synchronization settings.
  5. Browse for and select the export file from step 1 in the SETTINGS LOCATION box.
  6. Click Install.
  7. It may take a few minutes to install. Once it completes, go through the rest of the wizard, stopping on the last screen – Configure.
  8. On the Configure screen, I recommend unchecking Start the synchronization process when the configuration completes.

This will give you an opportunity to confirm that the sourceAnchor is set to your new attribute and confirm any other customizations in your Entra Connect configuration (such as custom sync rules) prior to running a sync.

You can keep Enable staging mode selected or not depending on your process for deploying Entra Connect. In addition to being able to confirm your new sourceAnchor attribute and any customizations, staging mode gives you an opportunity to look at Entra Connect’s metaverse and check some of the data prior to actually syncing anything to Entra ID.

  9. Click Configure to start the Entra Connect configuration process. This process will take several minutes.
  10. Click Exit.

Step 4 – Confirm Change to sourceAnchor

Now that Entra Connect is reinstalled, you should check to confirm that sourceAnchor is changed. If you elected to start the synchronization immediately in the previous section, you can skip this step altogether since your changes are already running.

  1. Launch the Azure AD Connect application.
  2. Click Configure.
  3. Select View or export current configuration and click Next.
  4. Under Synchronization Settings, confirm that sourceAnchor is your new attribute.

If sourceAnchor is set correctly, you can enable synchronization.

  1. Click Previous, or re-launch the Azure AD Connect application if you closed it.
  2. Select Customize synchronization options and click Next.
  3. Walk through the wizard until you get to the Configure screen.
  4. Check the box for Start the synchronization process when configuration completes.
  5. Click Configure.

The initial full sync will now kick off. You can follow its progress in the Synchronization Service application. At this point, the sync service will soft match accounts in AD and Entra ID using userPrincipalName (or the primary SMTP address in proxyAddresses). It will set sourceAnchor in the Entra Connect metaverse from your new attribute, then write ImmutableID in Entra ID from sourceAnchor. An on-prem account whose UPN and primary SMTP address match nothing in the tenant is not reported as an error: Entra Connect simply creates a new cloud account for it and leaves the old one cloud-only with its mailbox and OneDrive, which is exactly the outcome this process is meant to avoid, so review the match results before moving on. If you federate with AD FS, the ImmutableID claim issued by your relying party trust must also come from the new attribute, or federated sign-in will fail once the new ImmutableIDs are written. This initial sync may take a while depending on the number of accounts in your tenant.
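Once the initial sync finishes, reconcile the result rather than trusting it. The following PowerShell is an added example, not code from the original post: Compare-SourceAnchor is my own helper, the users are constructed samples, and the live run assumes employeeID as the new anchor (a string attribute is used as-is for sourceAnchor, unlike a GUID, which is base64-encoded) and the AzureAD module the progress script above uses. It flags three failure modes: a cloud account the soft match never linked, an ImmutableID with no on-prem counterpart, and an anchor that linked to a different UPN than the on-prem one.

```powershell
# Added example, not code from the original post: after the initial full sync, reconcile
# Entra ID's ImmutableID against the new on-prem anchor and surface every account the
# soft match did not link as expected.

function Compare-SourceAnchor {
    param(
        [Parameter(Mandatory)][object[]]$AdUsers,     # UserPrincipalName + the anchor attribute
        [Parameter(Mandatory)][object[]]$CloudUsers,  # UserPrincipalName, ImmutableId, DirSyncEnabled
        [Parameter(Mandatory)][string]$Attribute      # e.g. 'employeeID'
    )
    # Index on-prem users by anchor value so each cloud ImmutableID can be looked up directly.
    $byAnchor = @{}
    foreach ($a in $AdUsers) {
        $v = [string]$a.$Attribute
        if ($v) { $byAnchor[$v] = $a.UserPrincipalName }
    }

    foreach ($c in $CloudUsers) {
        $id = [string]$c.ImmutableId
        $state = if ($c.DirSyncEnabled -ne $true -or -not $id) {
                     'not linked: still cloud-only, soft match found no AD user'
                 }
                 elseif (-not $byAnchor.ContainsKey($id)) {
                     'ImmutableID matches no on-prem anchor value'
                 }
                 elseif ($byAnchor[$id] -ne $c.UserPrincipalName) {
                     "anchor belongs to a different UPN on-prem: $($byAnchor[$id])"
                 }
                 else { 'ok' }
        [pscustomobject]@{ UPN = $c.UserPrincipalName; ImmutableId = $id; State = $state }
    }
}

# Constructed samples standing in for Get-ADUser and Get-AzureADUser output.
$adSample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; employeeID = '100234' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   employeeID = '100235' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; employeeID = '100236' }
)
$cloudSample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ImmutableId = '100234'; DirSyncEnabled = $true }  # linked correctly
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   ImmutableId = $null;    DirSyncEnabled = $null }  # soft match missed him
    [pscustomobject]@{ UserPrincipalName = 'bob1@contoso.com';  ImmutableId = '100235'; DirSyncEnabled = $true }  # ...and created a duplicate
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; ImmutableId = '999999'; DirSyncEnabled = $true }  # stale or foreign anchor
)

$report = Compare-SourceAnchor -AdUsers $adSample -CloudUsers $cloudSample -Attribute employeeID
$report | Where-Object State -ne 'ok' | Format-Table -AutoSize
$report | Group-Object State | Select-Object Count, Name

# Live run, after the Synchronization Service shows the initial sync complete:
#   $ad    = Get-ADUser -Filter 'employeeID -like "*"' -Properties employeeID
#   $cloud = Get-AzureADUser -All $true | Select-Object UserPrincipalName, ImmutableId, DirSyncEnabled
#   Compare-SourceAnchor -AdUsers $ad -CloudUsers $cloud -Attribute employeeID | Where-Object State -ne 'ok'
```

Genuinely cloud-only accounts (break-glass admins, guests, service accounts) will show as "not linked" too, so keep a list of those and exclude them; everything else in that state is a soft-match failure to fix before users notice a missing mailbox. The "different UPN" case is the one to investigate first, because it means a user is now signing in to someone else’s data.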

Step 5 – System Cleanup and Verification

Only do this step if your original sourceAnchor was ms-Ds-ConsistencyGuid or another attribute that is no longer in use. This step clears the previous attribute to clean up after the previous installation. It is optional and can be completed any time after the initial full sync completes, even days or weeks later.

Do NOT do this step if sourceAnchor was previously set to objectGuid: objectGuid is system-owned and cannot be cleared. Also leave the attribute alone if anything else still reads it, for example AD FS claim rules, a second Entra Connect server or another tenant, or an HR or provisioning system, since clearing it breaks those consumers.

Run this PowerShell script to clean up the previous attribute. If the attribute was something other than ms-Ds-ConsistencyGuid, replace all instances of mS-DS-ConsistencyGuid with the name of the previous attribute. Run it first with -WhatIf on the set-aduser line to confirm the filter returns only the accounts you expect.

# requires the ActiveDirectory module and an account with write access to the attribute on all in-scope users
$ad_users = get-aduser -filter 'mS-DS-ConsistencyGuid -like "*"' -Properties 'mS-DS-ConsistencyGuid'

$count = 0
$total = @($ad_users).count

ForEach ($user in $ad_users) {

    # set counts for progress bar
    $count = $count + 1
    $percent = $count/$total
    $percent_readable = $percent.tostring("P")
    $percent_bar = $percent * 100

    # display progress bar
    write-progress "processing $count of $total - $percent_readable complete." -PercentComplete $percent_bar

    # add -WhatIf here for a dry run before clearing anything
    set-aduser $user -clear 'mS-DS-ConsistencyGuid'
}

At this point, I recommend running another full sync of Entra Connect and check again for any errors. There shouldn’t be, but this is always a good final step. You can kick off a full sync by opening PowerShell on your Entra Connect server and running Start-ADSyncSyncCycle -PolicyType Initial.

Final Thoughts

Hopefully this blog post can help you change the sourceAnchor of your Entra Connect application if you need to take better control of it. It’s not as scary as it looks and worked pretty well for me.

Remember that this method is not supported by Microsoft or by Windows Management Experts. Proceed with caution and always test thoroughly in a pre-production environment. If you need assistance, please contact WME and reference this blog post.

 

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.

 


Andrew Sanders
