Set-EntraDirSyncFeature
Used to set identity synchronization features for a tenant.
Syntax
Set-EntraDirSyncFeature
-Feature <String>
-Enable <Boolean>
[-TenantId <String>]
[-Force]
[<CommonParameters>]
Description
The Set-EntraDirSyncFeature cmdlet sets identity synchronization features for a tenant.
In delegated scenarios, the signed-in user must have either a supported Microsoft Entra role or a custom role with the necessary permissions. The minimum roles required for this operation are:
- Global Administrator
Note: You can use the following synchronization features with this cmdlet:
- EnableSoftMatchOnUpn: Soft match is the process used to link an object being synced from on-premises for the first time with one that already exists in the cloud. When this feature is enabled, soft match is attempted using the standard logic, based on the primary SMTP address. If a match isn't found based on primary SMTP, a match is attempted based on UserPrincipalName. Once this feature is enabled, it can't be disabled.
- PasswordSync: Indicates that on-premises password synchronization is in use for the tenant.
- SynchronizeUpnForManagedUsers: Allows the synchronization of UserPrincipalName updates from on-premises for managed (nonfederated) users that are assigned a license. These updates are blocked if this feature isn't enabled. Once this feature is enabled, it can't be disabled.
- BlockSoftMatch: When this feature is enabled, it blocks the soft match feature. Customers are encouraged to enable this feature and keep it enabled until soft matching is required again for their tenant. The flag should be enabled again as soon as any planned soft matching is completed and is no longer needed.
- BlockCloudObjectTakeoverThroughHardMatch: Blocks takeover of existing cloud objects through a source anchor hard match. Without it, an on-premises object whose source anchor equals the ImmutableId of an existing cloud object takes that object over on first sync; this is a known path for someone who controls on-premises Active Directory or the sync server to seize cloud-only accounts, including privileged ones.
Enabling EnableSoftMatchOnUpn or SynchronizeUpnForManagedUsers is permanent and cannot be undone. BlockSoftMatch and BlockCloudObjectTakeoverThroughHardMatch are reversible, so the safe default is to keep both enabled and lift them only for a planned matching window.
Examples
Example 1: Enable a feature for the tenant
Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'
Set-EntraDirSyncFeature -Feature 'EnableSoftMatchOnUpn' -Enable $true
This command enables the EnableSoftMatchOnUpn feature for the tenant. The change is permanent; the feature can't be disabled afterwards.
-Feature specifies the directory synchronization feature to turn on or off.
-Enable specifies whether the specified feature is turned on for the tenant.
-Force forces the command to run without asking for user confirmation.
Example 2: Block Soft Matching for the tenant
Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'
Set-EntraDirSyncFeature -Feature 'BlockSoftMatch' -Enable $true
This command enables the BlockSoftMatch feature for the tenant, effectively blocking soft matching in the tenant.
-Feature specifies the directory synchronization feature to turn on or off.
-Enable specifies whether the specified feature is turned on for the tenant.
Example 3: Block Cloud object takeover through Hard Matching for the tenant
Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'
Set-EntraDirSyncFeature -Feature 'BlockCloudObjectTakeoverThroughHardMatch' -Enable $true -TenantId $tenantId -Force
This command enables the BlockCloudObjectTakeoverThroughHardMatch feature for the tenant identified by $tenantId, effectively blocking object takeover through hard match. -Force is a switch, so it takes no value.
-Feature specifies the directory synchronization feature to turn on or off.
-Enable specifies whether the specified feature is turned on for the tenant.
-TenantId specifies the unique ID of the tenant.
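As an added example that is not part of the original reference page, the following PowerShell script applies the feature notes above as an operator would: it records the current state, enables the two reversible takeover protections idempotently, refuses the two irreversible features unless explicitly overridden, and opens a soft-match window that is always closed again. It assumes Get-EntraDirSyncFeature (from the same module) returns objects with DirSyncFeature and Enabled properties; the helper function names Enable-DirSyncFeatureSafely and Invoke-WithSoftMatchWindow are this example's own, not cmdlets of the module.

```powershell
# Added example, not from the original page or the Microsoft.Entra module.
# Assumption: Get-EntraDirSyncFeature returns objects with DirSyncFeature and
# Enabled properties. Adjust the property names if your module version differs.

Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# Features that can never be turned back off: require an explicit override.
$IrreversibleFeatures = @('EnableSoftMatchOnUpn', 'SynchronizeUpnForManagedUsers')

# Reversible protections that should stay on unless matching is actively needed.
$HardeningFeatures = @('BlockSoftMatch', 'BlockCloudObjectTakeoverThroughHardMatch')

# Hypothetical helper: enable one feature, skipping it if already on and
# refusing permanent features unless the caller opts in.
function Enable-DirSyncFeatureSafely {
    param(
        [Parameter(Mandatory)] [string] $Feature,
        [switch] $AllowIrreversible
    )
    if (($IrreversibleFeatures -contains $Feature) -and -not $AllowIrreversible) {
        throw "Refusing to enable '$Feature': it cannot be disabled later. Use -AllowIrreversible to confirm."
    }
    $state = Get-EntraDirSyncFeature -Feature $Feature
    if ($state.Enabled) {
        Write-Verbose "$Feature is already enabled; nothing to do."
        return
    }
    Set-EntraDirSyncFeature -Feature $Feature -Enable $true -Force
}

# Hypothetical helper: lift BlockSoftMatch only for the duration of a planned
# matching step. The finally block runs even if the step throws, so the tenant
# is never left with soft matching open.
function Invoke-WithSoftMatchWindow {
    param([Parameter(Mandatory)] [scriptblock] $Step)
    $wasBlocked = (Get-EntraDirSyncFeature -Feature 'BlockSoftMatch').Enabled
    try {
        if ($wasBlocked) {
            Set-EntraDirSyncFeature -Feature 'BlockSoftMatch' -Enable $false -Force
        }
        & $Step
    }
    finally {
        if ($wasBlocked) {
            Set-EntraDirSyncFeature -Feature 'BlockSoftMatch' -Enable $true -Force
        }
    }
}

# 1. Baseline: record the current state before changing anything.
Get-EntraDirSyncFeature | Format-Table DirSyncFeature, Enabled

# 2. Enable both reversible protections (safe to re-run).
foreach ($feature in $HardeningFeatures) {
    Enable-DirSyncFeatureSafely -Feature $feature
}

# 3. A controlled soft-match window. Replace the step body with the real
#    matching work (for example a sync cycle run from the sync server).
Invoke-WithSoftMatchWindow -Step {
    Write-Host 'Run the planned object matching here.'
}

# 4. Confirm the protections are back on and keep the output for the change record.
foreach ($feature in $HardeningFeatures) {
    $state = Get-EntraDirSyncFeature -Feature $feature
    '{0}: Enabled={1}' -f $feature, $state.Enabled
}
```

Run it in a session that already holds a role permitted to change these settings. The script never calls Enable-DirSyncFeatureSafely with -AllowIrreversible, so the two permanent features are untouched unless you add that switch deliberately.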
Parameters
-Enable
Indicates whether the specified features are turned on for the company.
Type: System.Boolean
Position: Named
Default value: False
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-Feature
The DirSync feature to turn on or off.
Type: System.String
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-Force
Forces the command to run without asking for user confirmation.
Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TenantId
The unique ID of the tenant on which to perform the operation. If not provided, the operation defaults to the tenant of the current user. This parameter is applicable only to partner users.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
Notes
- For additional details see Update onPremisesDirectorySynchronization.
- For the feature list see the onPremisesDirectorySynchronizationFeature resource type.