Entra ID – Entra ID Connect/Cloud Sync going to block hard match for privileged roles

If you work in a hybrid environment where Active Directory is synchronized with Entra ID using either Entra ID Connect or Cloud Sync, you probably already know the best practice and recommendation to use cloud-only accounts when assigning administrative privileges.

This helps prevent the compromise of an account in one environment from being extended to the other environment with elevated privileges.

Unfortunately, many directory synchronization implementations still use Active Directory as the source of truth for managing privileged accounts, which can lead to a compromise of Active Directory and the on-premises environment when the synced cloud account is compromised.

To reduce or remove this risk, Microsoft is introducing on June 1st, 2026 a block on hard matching in Entra ID Connect / Cloud Sync when syncing Active Directory accounts with privileged cloud accounts.

Starting on this date, Entra ID will block any attempt to synchronize a new user object from Active Directory and match it with an existing privileged Entra ID account.

Privileged roles can be easily identified in the Entra ID portal from the Roles and admins blade, where they are marked with the tag Privileged (or you can read the article Microsoft Entra built-in roles | Azure Docs).


This is how it is going to work:

  • If a cloud managed user already has onPremisesImmutableId (sourceAnchor) set and is assigned a privileged role, Microsoft Entra Connect Sync or Cloud Sync will no longer be able to take over the Source of Authority of that user by hard-matching with an incoming user object from Active Directory.
  • Hard match operations for non-privileged accounts aren’t affected.
  • Soft match behavior isn’t affected.
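To find out in advance which accounts the new rule will apply to, the following script (an added example written for this post, not Microsoft's code) lists cloud-managed users that hold a privileged Entra role and already carry an onPremisesImmutableId (sourceAnchor). It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read directory role assignments and users; the property names follow Microsoft Graph's unifiedRoleDefinition (isPrivileged) and user (onPremisesImmutableId, onPremisesSyncEnabled) resources.

```powershell
# Added example (not from the original post): report cloud-managed users that hold a
# privileged Entra role AND already have an onPremisesImmutableId (sourceAnchor) set.
# From June 1st, 2026 a hard match from Active Directory against these users is blocked,
# so they are the accounts worth reviewing beforehand.
# Assumes the Microsoft.Graph PowerShell SDK and read access to roles and users.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Role definitions flagged as privileged: the "Privileged" tag shown in the
# Roles and admins blade is exposed through the isPrivileged attribute.
$privilegedRoles = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.IsPrivileged -eq $true }

$findings = foreach ($role in $privilegedRoles) {
    # Active (not PIM-eligible) assignments for this role definition.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'"

    foreach ($assignment in $assignments) {
        # A principal can also be a group or a service principal; Get-MgUser
        # fails for those, so anything that is not a user object is skipped.
        $user = Get-MgUser -UserId $assignment.PrincipalId `
            -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled `
            -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # Cloud-managed today (not synced) but already carrying a sourceAnchor:
        # this is exactly the state the new hard-match block protects.
        if (-not $user.OnPremisesSyncEnabled -and $user.OnPremisesImmutableId) {
            [pscustomobject]@{
                UserPrincipalName     = $user.UserPrincipalName
                PrivilegedRole        = $role.DisplayName
                OnPremisesImmutableId = $user.OnPremisesImmutableId
            }
        }
    }
}

$findings | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

The script only walks active role assignments; users who are merely eligible for a privileged role through PIM are not covered and would need a separate pass over role eligibility schedules. Any account it lists is a candidate for the Existing Admin Role Conflict error, and the usual remediation is to keep that privileged identity cloud-only rather than to let Active Directory take over its source of authority.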

You can identify whether any account is affected using the Microsoft Entra Connect Health > Sync Errors blade (Microsoft Entra Connect Health – Microsoft Entra admin center), where the report lists the affected objects with the error Existing Admin Role Conflict.
