On-premises sync enabled set to No

Question

I have one new user that "On-premises sync enabled" is set to No. Using Azure AD Connect vs 2.3.20.0 on W2019. Inbound Synchronization says Projections. In from AD - User Join - Inbound - Provision - False.

How do I fix this to user sync to Entra/Azure?

Answer 1

7. Reinstall or Repair Azure AD Connect

If the issue persists:

• Download the latest version of Azure AD Connect from Microsoft.
• Upgrade or reinstall Azure AD Connect.
• Re-run the Azure AD Connect Configuration Wizard.

---

Final Check: Verify the User in Entra ID

After syncing, verify the user in Microsoft Entra ID:

1. Go to Microsoft Entra Admin Center
2. Navigate to "Users" → "All Users"
3. Search for the username.
4. Check if "On-premises sync enabled" is now set to Yes.

---

Conclusion

Try these steps in order:

1. Ensure the user is in Active Directory and enabled.
2. Verify the user is in the correct OU for sync.
3. Check Azure AD Connect sync rules.
4. Manually trigger sync with PowerShell.
5. Check synchronization logs in Azure AD Connect.
6. Force a full synchronization.
7. Repair or reinstall Azure AD Connect if necessary. 7. Reinstall or Repair Azure AD Connect If the issue persists:
   • Download the latest version of Azure AD Connect from Microsoft.
   • Upgrade or reinstall Azure AD Connect.
   • Re-run the Azure AD Connect Configuration Wizard.
   Final Check: Verify the User in Entra ID After syncing, verify the user in Microsoft Entra ID:
   1. Go to Microsoft Entra Admin Center
   2. Navigate to "Users" → "All Users"
   3. Search for the username.
   4. Check if "On-premises sync enabled" is now set to Yes.
   Conclusion Try these steps in order:
   1. Ensure the user is in Active Directory and enabled.
   2. Verify the user is in the correct OU for sync.
   3. Check Azure AD Connect sync rules.
   4. Manually trigger sync with PowerShell.
   5. Check synchronization logs in Azure AD Connect.
   6. Force a full synchronization.
   7. Repair or reinstall Azure AD Connect if necessary.

Answer 2

Step-by-Step Troubleshooting & Fixing the Sync Issue

1. Check if the User is in the Scope of Synchronization

Run the following PowerShell command on the Azure AD Connect Server to check if the user is included:

powershell
KopyalaDüzenle
Get-ADUser -Filter {UserPrincipalName -eq "******@yourdomain.com"} -Properties * | Select-Object DistinguishedName, Enabled

• Ensure the user exists in AD.
• Ensure the account is Enabled.

If the user is disabled, enable it in Active Directory Users and Computers (ADUC).

---

2. Confirm the User is in the Correct Organizational Unit (OU)

• Open Azure AD Connect → Configure Directory Partitions.
• Ensure the OU containing the user is selected for synchronization.
• If it's unchecked, select it and force a full sync (Step 6 below).

---

3. Verify Synchronization Rules in Azure AD Connect

Run this PowerShell command on the Azure AD Connect server to check sync rules:

powershell
KopyalaDüzenle
(Get-ADSyncRule | Where-Object {$_.Name -like "*User Join*"}).Description

• If the User Join - Inbound - Provision rule is False, Azure AD Connect isn't provisioning the user.
• This could mean a filtering rule is preventing the sync. Step-by-Step Troubleshooting & Fixing the Sync Issue 1. Check if the User is in the Scope of Synchronization Run the following PowerShell command on the Azure AD Connect Server to check if the user is included:

    powershell
    KopyalaDüzenle
    Get-ADUser -Filter {UserPrincipalName -eq "******@yourdomain.com"} -Properties * | Select-Object DistinguishedName, Enabled
  

  • Ensure the user exists in AD.
  • Ensure the account is Enabled.
  If the user is disabled, enable it in Active Directory Users and Computers (ADUC). 2. Confirm the User is in the Correct Organizational Unit (OU)
  • Open Azure AD Connect → Configure Directory Partitions.
  • Ensure the OU containing the user is selected for synchronization.
  • If it's unchecked, select it and force a full sync (Step 6 below).
  3. Verify Synchronization Rules in Azure AD Connect Run this PowerShell command on the Azure AD Connect server to check sync rules:

    powershell
    KopyalaDüzenle
    (Get-ADSyncRule | Where-Object {$_.Name -like "*User Join*"}).Description
  

  • If the User Join - Inbound - Provision rule is False, Azure AD Connect isn't provisioning the user.
  • This could mean a filtering rule is preventing the sync.

Answer 3

4. Force User Provisioning with Initial Synchronization

Run the following PowerShell command to force the sync:

powershell
KopyalaDüzenle
Start-ADSyncSyncCycle -PolicyType Initial

Then, check the synchronization status:

powershell
KopyalaDüzenle
(Get-ADSyncConnectorRunStatus).Status

• If it says "Success", wait a few minutes and check Entra ID.
• If errors appear, proceed to the next step.

---

5. Check Azure AD Connect Synchronization Logs

On the Azure AD Connect Server, check the logs:

• Open Synchronization Service Manager (miisclient.exe).
• Go to Operations and find the latest Inbound Sync.
• Click Projections → Look for any error messages.

If there are errors, they may indicate:

• A duplicate user exists in Entra ID (check for soft-deleted users in the Entra ID Recycle Bin).
• The on-premises user is missing an attribute required for synchronization.

---

6. Run a Full Synchronization

If all previous steps fail, try a full sync:

powershell
KopyalaDüzenle
Start-ADSyncSyncCycle -PolicyType Initial

If the user still doesn’t sync, run:

powershell
KopyalaDüzenle
Set-ADSyncScheduler -SyncCycleEnabled $false
Stop-Service ADSync
Start-Service ADSync
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial
4. Force User Provisioning with Initial Synchronization
Run the following 

Then, check the synchronization status:



5. Check Azure AD Connect Synchronization Logs
On the 

If there are 


6. Run a Full Synchronization
If all previous steps fail, try a 

If the user still doesn’t sync, run: