If your directory synchronization is set up from scratch (there are no users in O365 yet), Azure AD Connect is quite straightforward: local objects (and password hashes, if you chose that option) are synchronized, and you can later assign services to the user accounts.

The problem arises when there are already users in O365 who also exist in the on-premises Active Directory, and there has never been a sync between them.

In these cases it is necessary to establish a match between the local accounts and the accounts in O365. There are two ways to create this match:

  1. Soft match (also known as SMTP matching): the accounts are paired by their primary SMTP address.
  2. Hard match: the accounts are paired by ImmutableId, which is the Base64 encoding of the on-premises objectGUID.

In our environment we used option 2, the hard match, and this is the script we used. It reads the user's objectGUID from Active Directory, converts it to the Base64 form Azure AD expects, and writes it to the cloud account's ImmutableId. Note that ImmutableId can only be set this way on a cloud-only account, i.e. before the account has ever been synchronized.

```powershell
# Requires the MSOnline module (Connect-MsolService, Set-MsolUser)
# and the RSAT ActiveDirectory module (Get-ADUser).
Import-Module MSOnline
Import-Module ActiveDirectory

$credential = Get-Credential
Connect-MsolService -Credential $credential

$ADUser  = "username"                       # sAMAccountName of the on-premises account
$365User = "username@emaildomainname.com"   # UserPrincipalName of the O365 account

# ImmutableId = Base64 of the objectGUID's bytes (as Guid.ToByteArray() orders them)
$guid        = (Get-ADUser $ADUser).ObjectGUID
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())

Set-MsolUser -UserPrincipalName $365User -ImmutableId $immutableID
```
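The conversion that the hard match depends on, plus the inverse used to check an existing cloud account, as an added example that is not part of the original post. It reproduces the byte order of .NET's `Guid.ToByteArray()` (the first three GUID fields little-endian) and then audits a constructed list of accounts to report which are hard-matched, which carry an ImmutableId that does not belong to the AD account, and which are still unmatched.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid: str) -> str:
    """Base64 of the objectGUID bytes, in the order Guid.ToByteArray() emits.

    uuid.UUID(...).bytes_le gives exactly that layout; encoding the GUID's
    hex string or its big-endian bytes would produce a wrong ImmutableId.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Inverse conversion: recover the on-premises objectGUID from an ImmutableId."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def audit_matches(accounts):
    """Classify (upn, ad_object_guid, cloud_immutable_id) triples.

    Returns {upn: 'hard-matched' | 'mismatch' | 'unmatched'}. 'mismatch' means
    the cloud account already carries an ImmutableId for a different GUID, so
    Set-MsolUser would re-point it rather than simply link it.
    """
    result = {}
    for upn, ad_guid, cloud_id in accounts:
        if not cloud_id:
            result[upn] = "unmatched"
        elif immutable_id_to_guid(cloud_id) == str(uuid.UUID(ad_guid)):
            result[upn] = "hard-matched"
        else:
            result[upn] = "mismatch"
    return result


# Constructed sample data (not real tenant values).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "12345678-9abc-def0-1234-56789abcdef0",
     guid_to_immutable_id("12345678-9abc-def0-1234-56789abcdef0")),
    ("bob@example.com", "00000000-0000-0000-0000-000000000001", None),
    ("carol@example.com", "11111111-2222-3333-4444-555555555555",
     guid_to_immutable_id("66666666-7777-8888-9999-aaaaaaaaaaaa")),
]

if __name__ == "__main__":
    for upn, state in audit_matches(SAMPLE_ACCOUNTS).items():
        print(f"{upn}: {state}")
```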