Prepare for Identity Synchronization
Plan your hybrid identity strategy, clean up Active Directory with IdFix, and prepare your on-premises environment for directory synchronization.
Why hybrid identity still matters
Most organisations don’t start cloud-only. They have years of Active Directory history — and that history needs to come along for the ride.
Think of identity synchronization like moving house. Before you load the truck, you sort your belongings: throw out the junk (stale accounts), fix what’s broken (invalid characters), and label everything clearly (UPN alignment). That’s what preparation looks like — and doing it badly means unpacking chaos at the new house.
This module covers what to do BEFORE you turn on sync: the cleanup and planning that prevents 90% of sync issues.
The preparation checklist
Marcus is preparing Oakwood Financial’s 10-year-old Active Directory for synchronization. Here’s his systematic approach:
Step 1: Audit the directory
| Check | What to Look For | Why It Matters |
|---|---|---|
| Stale accounts | Disabled users, accounts with no logon for 90+ days | Syncing stale accounts wastes Entra licences and creates security risk |
| Duplicate attributes | Multiple users with the same proxyAddress or UPN | Sync will fail or create conflicts |
| Invalid characters | Special characters in display names, email addresses | Entra has stricter character rules than AD |
| Orphaned objects | Groups with no members, empty OUs | Unnecessary clutter in the cloud directory |
| UPN suffixes | Are UPNs routable (e.g., @oakwood.com.au) or non-routable (e.g., @oakwood.local)? | Non-routable UPNs can’t be used for M365 sign-in |
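The Step 1 audit can be scripted rather than clicked through. The following is an added example, not part of the original module and not IdFix itself; it assumes the RSAT ActiveDirectory module on a domain-joined machine, oakwood.com.au as the verified M365 domain, and the 90-day stale window from the table.

```powershell
# Added audit script for the Step 1 checklist (example code, not from the page or from IdFix).
# Assumptions: RSAT ActiveDirectory module installed, oakwood.com.au is the verified M365 domain.
Import-Module ActiveDirectory

$routableSuffix = 'oakwood.com.au'   # assumption: the domain verified in M365
$staleDays      = 90                  # matches the "no logon for 90+ days" check

# One query for every user with the attributes the checks need
$users = Get-ADUser -Filter * -Properties lastLogonTimestamp, proxyAddresses, mail, displayName

# 1. Stale accounts: disabled, never logged on, or no logon inside the window.
#    lastLogonTimestamp is a FILETIME; accounts created in the last ~14 days can show as never logged on.
$cutoff = (Get-Date).AddDays(-$staleDays).ToFileTime()
$stale = $users | Where-Object {
    -not $_.Enabled -or -not $_.lastLogonTimestamp -or $_.lastLogonTimestamp -lt $cutoff
}

# 2. Duplicate proxyAddresses and UPNs (compared case-insensitively, as Entra does)
$dupProxy = $users | ForEach-Object { $_.proxyAddresses } | Where-Object { $_ } |
    Group-Object { $_.ToLower() } | Where-Object Count -gt 1
$dupUpn = $users | Where-Object UserPrincipalName |
    Group-Object { $_.UserPrincipalName.ToLower() } | Where-Object Count -gt 1

# 3. Invalid characters / format: control characters in displayName, or a mail value with no @domain
$badChars = $users | Where-Object {
    ($_.displayName -match '[\x00-\x1F]') -or
    ($_.mail -and $_.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')
}

# 4. Orphaned objects: groups with no members
$emptyGroups = Get-ADGroup -Filter * -Properties members | Where-Object { $_.members.Count -eq 0 }

# 5. Non-routable UPN suffixes (anything not ending in the verified domain)
$badUpn = $users | Where-Object {
    -not $_.UserPrincipalName -or $_.UserPrincipalName -notlike "*@$routableSuffix"
}

# Summary for the preparation checklist; drill into each variable for the actual objects
[pscustomobject]@{
    StaleAccounts        = $stale.Count
    DuplicateProxy       = $dupProxy.Count
    DuplicateUPN         = $dupUpn.Count
    InvalidCharOrFormat  = $badChars.Count
    EmptyGroups          = $emptyGroups.Count
    NonRoutableUPN       = $badUpn.Count
} | Format-List
```

The counts are a first pass to size the cleanup; IdFix in Step 2 remains the authoritative check before sync is enabled.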
Step 2: Run IdFix
IdFix is a free Microsoft tool that scans your on-premises AD and identifies objects that will cause synchronization errors.
What IdFix catches:
| Error Type | Example | Impact If Not Fixed |
|---|---|---|
| Character | Display name contains control characters | Object won’t sync |
| Format | Email address missing @domain.com | Mail attribute won’t sync |
| Duplicate | Two users with same proxyAddress | Sync conflict — one object skipped |
| TopLevelDomain | UPN uses .local suffix | User can’t sign in to M365 |
| Blank | Missing required attributes | Object may sync with incomplete data |
How to use IdFix:
- Download from https://microsoft.github.io/idfix/
- Run on a domain-joined computer with AD read access
- Review the results — each error has a suggested action (Edit, Remove, Complete)
- Apply fixes — either directly in IdFix (which can write changes to AD) or manually in ADUC/PowerShell for more control
- Re-run IdFix until zero errors
Exam tip: IdFix is read-only by default
IdFix can suggest and apply fixes, but best practice is to review suggestions manually and make changes in Active Directory Users and Computers (ADUC) or PowerShell. The exam may ask: “Marcus runs IdFix and it reports 50 errors. What should he do?” The answer is review each error, fix in AD, then re-run IdFix — NOT blindly accept all suggestions.
Step 3: Plan the UPN strategy
The User Principal Name (UPN) in AD becomes the sign-in identity in M365. If your AD uses non-routable UPN suffixes (like .local), you must fix this before sync.
| Current UPN | Problem | Solution |
|---|---|---|
| marcus@oakwood.local | .local is not a public domain | Add oakwood.com.au as an alternate UPN suffix in AD, update user UPNs |
| marcus@oakwood.com.au | Already routable and verified in M365 | No change needed |
| m.chen@oakwood.com.au | Routable but doesn’t match desired email format | Update UPN or configure email alias separately |
Adding an alternate UPN suffix:
- Open Active Directory Domains and Trusts
- Right-click the top node > Properties
- Add the verified M365 domain as an alternate UPN suffix
- Update each user’s UPN to use the new suffix
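The same two changes (register the suffix, then rewrite each user's UPN) done in PowerShell instead of the ADUC / Domains and Trusts GUI. This is an added example, not from the module; it assumes oakwood.local is the current suffix, oakwood.com.au is the domain already verified in M365, and the synced users live in a Users OU.

```powershell
# Added example (not from the page): Step 3 UPN suffix change in PowerShell.
# Assumptions: RSAT ActiveDirectory module, oakwood.local -> oakwood.com.au, Users OU as search base.
Import-Module ActiveDirectory

$oldSuffix  = 'oakwood.local'                  # assumption: current non-routable suffix
$newSuffix  = 'oakwood.com.au'                 # assumption: domain verified in M365
$searchBase = 'OU=Users,DC=oakwood,DC=local'   # assumption: the OU that will be synced

# 1. Register the routable suffix at the forest level
#    (same as AD Domains and Trusts > Properties > Alternative UPN suffixes)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
}

# 2. Rewrite only the suffix on users still using the old one; the prefix (sign-in name) is kept
$users = Get-ADUser -Filter "userPrincipalName -like '*@$oldSuffix'" -SearchBase $searchBase
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$newSuffix"
    # -WhatIf shows the planned change without writing it; remove it once the list has been reviewed
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 3. Verify: after applying, this should return 0
(Get-ADUser -Filter "userPrincipalName -like '*@$oldSuffix'" -SearchBase $searchBase).Count
```

Run the loop with -WhatIf first and check the output against the audit results; then remove -WhatIf, apply, and re-run IdFix as Step 2 describes.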
Step 4: Verify network requirements
The sync server (for Connect Sync) needs:
| Requirement | Detail |
|---|---|
| Outbound HTTPS (443) | To Microsoft Entra endpoints |
| No inbound ports | Sync is always outbound-initiated |
| Internet access | Direct or via proxy (no SSL inspection on M365 traffic) |
| AD connectivity | Read access to all OUs being synced |
| DNS resolution | Must resolve both internal AD domains and public M365 endpoints |
Step 5: Plan OU filtering
You don’t have to sync the entire directory. Marcus decides:
- Sync: Users OU, Groups OU, Contacts OU
- Exclude: Service accounts OU, Test accounts OU, Legacy systems OU
OU-based filtering is configured during sync tool setup and is the most common filtering method.
Deep dive: Other filtering methods
Beyond OU-based filtering, both sync tools support:
- Domain-based filtering — sync specific AD domains (useful in multi-domain forests)
- Attribute-based filtering — sync only objects matching certain attributes (e.g., department = “Active”)
- Group-based filtering — sync only members of a specific group (Connect Sync only, limited to 50,000 objects)
The exam may present scenarios where you need to choose the right filtering method. OU-based is the default and most commonly tested answer.
Key concepts to remember
Knowledge check
Marcus runs IdFix on Oakwood Financial's Active Directory and finds 200 errors, including duplicate proxyAddresses and users with .local UPN suffixes. What should Marcus do FIRST?
Dev is consulting for a client whose AD uses `user@company.local` as the UPN suffix. The client has verified `company.com` in Microsoft 365. What must Dev do before enabling sync?
Next up: Implement Connect Sync and Cloud Sync — choosing and deploying the right synchronization engine.