MC1263280 | Microsoft Entra: Security hardening to prevent user account takeover in Microsoft Entra Connect Sync

Classification planForChange
Last Updated 03/27/2026 19:44:53
Start Time 03/27/2026 19:42:11
End Time 11/01/2026 07:00:00
Action Required By Date 2026-06-30T07:00:00Z
Message Content

[Introduction]

Microsoft is strengthening security in Microsoft Entra Connect Sync to prevent user account takeover through hard match abuse. These updates improve the integrity of identity mapping between on-premises Active Directory and Microsoft Entra ID and expand audit visibility for administrators.

[When this will happen]

  • Enforcement of this change will begin on July 1, 2026.
  • General Availability (Worldwide, DoD, GCC, GCC High): Rollout begins in early July 2026 and completes by late September 2026.

[How this affects your organization]

Who is affected

Organizations that use Microsoft Entra Connect Sync to synchronize user identities from on-premises Active Directory to Microsoft Entra ID

What will happen

How hard match works:

When Microsoft Entra Connect adds new objects from Active Directory, it compares the object’s sourceAnchor value with the OnPremisesImmutableId of an existing cloud-managed user. If these values match, a hard match occurs and the cloud object is taken over by Microsoft Entra Connect Sync.

Security hardening changes:

  • Microsoft Entra will block Entra Connect from updating OnPremisesObjectIdentifier once it has been mapped to a synced user object.
  • This prevents unauthorized remapping of an existing cloud user to a different on-premises identity.
  • Blocked operations will return:

Hard match operation blocked due to security hardening. Review OnPremisesObjectIdentifier mapping.

  • Audit logs will now include changes to:
    • OnPremisesObjectIdentifier
    • DirSyncEnabled
  • A new Microsoft Graph API will support controlled recovery scenarios that require legitimate remapping.
  • No changes occur to user experience unless a remapping attempt is blocked.

[What you can do to prepare]

  • Review updated Entra Connect security hardening guidance.
  • Use audit logs to identify users where OnPremisesObjectIdentifier has recently changed and remediate before enforcement.
  • Test the new Microsoft Graph API–based recovery flow for legitimate remapping scenarios.
  • Update internal operations documentation and notify identity management teams.
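To act on the audit-log review step above, here is an added example (not from Microsoft or this notice) that triages Entra audit entries shaped like the Microsoft Graph directoryAudit resource and flags changes to the two attributes the notice says will become auditable. It assumes the attribute names appear as `displayName` values in `modifiedProperties` spelled as in the notice, that `oldValue`/`newValue` are JSON encoded inside strings as Graph returns them, and that the records below are constructed sample data, not a real tenant's logs.

```python
import json
from datetime import datetime, timedelta, timezone

WATCHED = {"OnPremisesObjectIdentifier", "DirSyncEnabled"}  # audited names (assumed spelling)

def _decode(value):
    # Graph stores oldValue/newValue as JSON inside a string ('"x"', 'true', 'null').
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value

def find_remapping_changes(entries, now, window_days=30):
    """Flag watched-attribute changes in the last window_days. kind is 'remap' (a mapped
    identity was pointed at a different on-premises object: what enforcement will block),
    'initial_map' (first mapping of a cloud user) or 'dirsync_toggle'."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for entry in entries:
        if datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00")) < cutoff:
            continue
        by = entry.get("initiatedBy", {})
        actor = (by.get("user") or {}).get("userPrincipalName") or (by.get("app") or {}).get("displayName")
        for target in entry.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                name = prop.get("displayName")
                old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
                if name not in WATCHED or old == new:
                    continue
                if name == "DirSyncEnabled":
                    kind = "dirsync_toggle"
                else:
                    kind = "initial_map" if old in (None, "") else "remap"
                findings.append({"user": target.get("userPrincipalName"), "attribute": name, "kind": kind,
                                 "old": old, "new": new, "when": entry["activityDateTime"], "actor": actor})
    return findings

def _entry(ts, upn, name, old, new):
    # Constructed directoryAudit-shaped record (sample data, not from a real tenant).
    return {"activityDateTime": ts, "initiatedBy": {"app": {"displayName": "Microsoft Entra Connect"}},
            "targetResources": [{"userPrincipalName": upn, "modifiedProperties": [
                {"displayName": name, "oldValue": old, "newValue": new}]}]}

NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE = [
    _entry("2026-05-10T08:15:00Z", "alice@contoso.example", "OnPremisesObjectIdentifier", '"e1f2a3b4"', '"9c8d7e6f"'),
    _entry("2026-05-12T09:00:00Z", "bob@contoso.example", "OnPremisesObjectIdentifier", "null", '"1a2b3c4d"'),
    _entry("2026-05-20T10:30:00Z", "carol@contoso.example", "DirSyncEnabled", "true", "false"),
    _entry("2026-01-05T11:00:00Z", "dave@contoso.example", "DirSyncEnabled", "false", "true"),  # older than window
]
```

`find_remapping_changes(SAMPLE, NOW)` returns three findings (alice's `remap` is the one to remediate before July 1, 2026); for real data, feed it the `value` array from `GET /auditLogs/directoryAudits`.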

Learn more: 

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.