To allow Identity Manager to create, update, and delete identities in both the local Active Directory and Azure AD, the Azure AD Connect configuration must be set to use the msDS-ConsistencyGUID as the source anchor in Active Directory.
- This is not the default value for most deployments of Azure AD Connect; most deployments will use the ObjectGUID value.
Administrators with an existing deployment of Azure AD Connect using the msDS-ConsistencyGUID may follow the setup instructions:
Identity Manager 9.1 - Administration Guide for Connecting to Azure Active Directory (oneidentity.com)
Administrators using the ObjectGUID for AAD Connect will need to carefully consider the value of changing the source anchor, as there may be issues.
Azure AD Connect: Troubleshoot Source Anchor Issues during Installation - Microsoft Entra | Microsoft Learn
Azure AD Connect: Design concepts - Microsoft Entra | Microsoft Learn
If changing the source anchor is not possible, then identities will need to be created in the local Active Directory, and Azure AD Connect performs the synchronization and creation of identities in the cloud, as described in the setup documentation.
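Before deciding whether to change the source anchor, it helps to see which attribute each synchronized account is actually anchored on. The following is an added example, not code from One Identity or Microsoft. It assumes the cloud ImmutableId is the base64 encoding of the source anchor bytes, and the record layout, field names and sample values are hypothetical.

```python
import base64
import uuid


def anchor_b64(guid_text):
    """Base64 of a GUID in the little-endian byte layout Active Directory stores.

    Assumption: this is the form in which the source anchor appears as the
    cloud ImmutableId.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def classify(user):
    """Return which on-premises attribute the user's ImmutableId matches."""
    immutable_id = user.get("immutable_id")
    if not immutable_id:
        return "not-synced"
    consistency = user.get("consistency_guid")
    if consistency and anchor_b64(consistency) == immutable_id:
        return "msDS-ConsistencyGUID"
    if anchor_b64(user["object_guid"]) == immutable_id:
        return "ObjectGUID"
    return "unmatched"  # needs manual review before any anchor change


def audit(users):
    """Map each account name to its classification."""
    return {u["name"]: classify(u) for u in users}


# Constructed sample export; every name and GUID below is made up.
G1 = "00112233-4455-6677-8899-aabbccddeeff"
G2 = "11111111-2222-3333-4444-555555555555"
G3 = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_USERS = [
    # msDS-ConsistencyGUID populated with the same value as ObjectGUID.
    {"name": "alice", "object_guid": G1, "consistency_guid": G1,
     "immutable_id": "MyIRAFVEd2aImaq7zN3u/w=="},
    # msDS-ConsistencyGUID empty: anchored on ObjectGUID.
    {"name": "bob", "object_guid": G2, "consistency_guid": None,
     "immutable_id": anchor_b64(G2)},
    # msDS-ConsistencyGUID set independently of ObjectGUID.
    {"name": "carol", "object_guid": G2, "consistency_guid": G3,
     "immutable_id": anchor_b64(G3)},
    {"name": "dave", "object_guid": G3, "consistency_guid": None,
     "immutable_id": None},
    {"name": "erin", "object_guid": G3, "consistency_guid": None,
     "immutable_id": anchor_b64(G1)},
]
```

Accounts reported as `ObjectGUID` or `unmatched` are the ones to review before changing the source anchor.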