{"id":15624,"date":"2026-03-27T09:02:05","date_gmt":"2026-03-27T00:02:05","guid":{"rendered":"https:\/\/m365jp.net\/?p=15624"},"modified":"2026-03-27T09:06:32","modified_gmt":"2026-03-27T00:06:32","slug":"mc1262584-upcoming-change-microsoft-entra-connect-security-update-to-block-hard-match-for-users-with-microsoft-entra-roles","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-03-27-mc1262584-upcoming-change-microsoft-entra-connect-security-update-to-block-hard-match-for-users-with-microsoft-entra-roles","title":{"rendered":"MC1262584 | Upcoming change \u2013 Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1262584 | Upcoming change \u2013 Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>03\/26\/2026 23:43:18<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>03\/26\/2026 23:39:47<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>08\/02\/2026 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Action Required By Date<\/th>\n<td>2026-05-31T07:00:00Z<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p><b>[Introduction]<\/b><\/p>\n<p>We\u2019re introducing a <b>security update<\/b> to <b>Microsoft Entra Connect and Cloud Sync<\/b> to better protect privileged cloud\u2011managed accounts. Today, when Entra Connect or Cloud Sync adds new objects from <b>Active Directory<\/b>, the service attempts a <b>\u201chard match\u201d<\/b> by comparing the object\u2019s <b>sourceAnchor<\/b> to the <b>onPremisesImmutableId<\/b> of existing cloud accounts. 
If there\u2019s a match, the service takes over the source of authority (SoA) and updates the cloud object using the attributes from Active Directory.<\/p>\n<p>Beginning in early June 2026, Microsoft Entra ID will block hard\u2011match attempts that target cloud\u2011managed users who hold Microsoft Entra roles. This change helps prevent attackers from taking over privileged accounts by manipulating on\u2011premises attributes.<\/p>\n<p><b>[When this will happen]<\/b><\/p>\n<p><b>General Availability (Worldwide, DoD, GCC, and GCCH):<\/b> We will begin rolling out in <b>early June 2026<\/b> and expect to complete by <b>early July 2026<\/b>.<\/p>\n<p><b>[How this affects your organization]<\/b><\/p>\n<p><i>Who is affected<\/i><\/p>\n<ul>\n<li>Organizations using Microsoft Entra Connect Sync or Cloud Sync<\/li>\n<li>Admins who rely on hard\u2011matching to manage lifecycles for cloud\u2011managed accounts that hold Microsoft Entra roles<\/li>\n<\/ul>\n<p><i>What will happen<\/i><\/p>\n<ul>\n<li><b>Hard\u2011match operations targeting cloud\u2011managed users with Microsoft Entra roles<\/b> will be <b>blocked starting in early June 2026<\/b>.<\/li>\n<li>Entra Connect Sync or Cloud Sync will no longer take over SoA for a cloud\u2011managed user who has <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/hybrid\/connect\/plan-connect-design-concepts#sourceanchor\" target=\"_blank\">onPremisesImmutableId (sourceAnchor)<\/a> set and holds a Microsoft Entra role.<\/li>\n<li>Hard\u2011match for users without Entra roles is unchanged.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/hybrid\/connect\/how-to-connect-install-existing-tenant?source=recommendations#hard-match-vs-soft-match\" target=\"_blank\">Soft\u2011match<\/a> behavior and ongoing sync for previously hard\u2011matched objects are unchanged.<\/li>\n<\/ul>\n<p><b>[What you can do to prepare]<\/b><\/p>\n<p>If your environment relies on hard\u2011matching accounts 
that hold <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/role-based-access-control\/permissions-reference\" target=\"_blank\">Microsoft Entra roles<\/a>, you may encounter an <b>InvalidHardMatch<\/b> error after this change takes effect.<\/p>\n<p>Recommended actions:<\/p>\n<ul>\n<li>Review any automation or workflows that hard\u2011match privileged or administrative accounts.<\/li>\n<li>Validate lifecycle processes for accounts that hold Microsoft Entra roles to ensure they don\u2019t depend on hard\u2011match.<\/li>\n<li>If you receive an <b>InvalidHardMatch<\/b> error after June 1, 2026, follow mitigation guidance in Microsoft Entra ID documentation.<\/li>\n<li>Update internal documentation and notify identity operations teams as needed.<\/li>\n<\/ul>\n<p><b>Learn more:<\/b><\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/fundamentals\/whats-new#upcoming-change--microsoft-entra-connect-security-update-to-block-hard-match-for-users-with-microsoft-entra-roles\" target=\"_blank\">Microsoft Entra Connect security update to block hard match for users with Microsoft Entra roles<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/hybrid\/connect\/tshoot-connect-sync-errors#existing-admin-role-conflict\" target=\"_blank\">Existing Admin Role Conflict &#8211; Understanding errors during Microsoft Entra synchronization | Hybrid | Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/hybrid\/connect\/how-to-connect-install-existing-tenant?source=recommendations#hard-match-vs-soft-match\" target=\"_blank\">Hard-match vs soft-match &#8211; Microsoft Entra Connect: When you have an existing tenant | Hybrid | Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a 
href=\"https:\/\/learn.microsoft.com\/entra\/identity\/hybrid\/connect\/tshoot-connect-sync-errors#invalidhardmatch\" target=\"_blank\">InvalidHardMatch &#8211; Understanding errors during Microsoft Entra synchronization | Hybrid | Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/role-based-access-control\/permissions-reference\" target=\"_blank\">Microsoft Entra built-in roles | Role-based access control | Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<\/ul>\n<p><b>[Compliance considerations]<\/b><\/p>\n<p>No compliance considerations identified. Review as appropriate for your organization.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1262584 | Upcoming change \u2013 Microsoft Entra Connect security update to block hard match for users with Micro [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15624","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=15624"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/15624\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=15624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=15624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=15624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}