Microsoft recommends that all customers disable hard matching and soft matching in Microsoft Entra ID unless they need them to take over cloud-only accounts. By default, neither setting is blocked in a tenant, so you must configure the block yourself. In this article, you will learn how to block soft and hard match in Microsoft Entra ID.
Before you start
Sometimes you want to soft or hard match users, and that’s completely fine. However, doing so requires soft and hard match to be enabled, which means temporarily reverting the change from this article. After that, you can proceed and soft or hard match the users. Once it’s done, you must block both soft and hard match in the tenant again.
Note: Soft and hard matching should be blocked in your Microsoft tenant for security purposes.
Step 1. Install Microsoft Graph PowerShell
Run Windows PowerShell as administrator and install Microsoft Graph PowerShell.
Install-Module Microsoft.Graph -Force
Important: Always update to the latest Microsoft Graph PowerShell module version before you run a cmdlet or script to prevent errors and incorrect results.
Step 2. Connect to Microsoft Graph PowerShell
Connect to Microsoft Graph PowerShell with the required scopes.
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All" -NoWelcome
Step 3. Check soft and hard match status
Run the Get-MgDirectoryOnPremiseSynchronization cmdlet to get the properties and their values.
Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Format-List
A list of properties with their values appears. The properties we are looking for are BlockCloudObjectTakeoverThroughHardMatchEnabled and BlockSoftMatchEnabled.
BlockCloudObjectTakeoverThroughHardMatchEnabled : False
BlockSoftMatchEnabled : False
BypassDirSyncOverridesEnabled : False
CloudPasswordPolicyForPasswordSyncedUsersEnabled : False
ConcurrentCredentialUpdateEnabled : False
ConcurrentOrgIdProvisioningEnabled : True
DeviceWritebackEnabled : False
DirectoryExtensionsEnabled : False
FopeConflictResolutionEnabled : False
GroupWriteBackEnabled : False
PasswordSyncEnabled : True
PasswordWritebackEnabled : False
QuarantineUponProxyAddressesConflictEnabled : True
QuarantineUponUpnConflictEnabled : True
SoftMatchOnUpnEnabled : True
SynchronizeUpnForManagedUsersEnabled : True
UnifiedGroupWritebackEnabled : True
UserForcePasswordChangeOnLogonEnabled : False
UserWritebackEnabled : False
AdditionalProperties : {}
To get only the soft and hard match properties and their values, run the command below.
Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Select-Object BlockCloudObjectTakeoverThroughHardMatchEnabled, BlockSoftMatchEnabled | Format-List
If both properties show True, everything is already correct. If either one shows False, you need to change it to True.
BlockCloudObjectTakeoverThroughHardMatchEnabled : False
BlockSoftMatchEnabled : False
Step 4. Block soft and hard match
To block soft match in Microsoft Entra ID, run the command below.
$config = @{
'Features' =
@{
'BlockSoftMatchEnabled' = $true
}
}
Update-MgDirectoryOnPremiseSynchronization -BodyParameter $config -OnPremisesDirectorySynchronizationId (Get-MgDirectoryOnPremiseSynchronization).Id
To block hard match (cloud object takeover through hard matching) in Microsoft Entra ID, run the command below.
$config = @{
'Features' =
@{
'BlockCloudObjectTakeoverThroughHardMatchEnabled' = $true
}
}
Update-MgDirectoryOnPremiseSynchronization -BodyParameter $config -OnPremisesDirectorySynchronizationId (Get-MgDirectoryOnPremiseSynchronization).Id
To block the soft and hard match at once in Microsoft Entra ID, run the command below.
$config = @{
'Features' =
@{
'BlockCloudObjectTakeoverThroughHardMatchEnabled' = $true
'BlockSoftMatchEnabled' = $true
}
}
Update-MgDirectoryOnPremiseSynchronization -BodyParameter $config -OnPremisesDirectorySynchronizationId (Get-MgDirectoryOnPremiseSynchronization).Id
Run the command below to get the property value and confirm that the change is applied successfully.
Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Select-Object BlockCloudObjectTakeoverThroughHardMatchEnabled, BlockSoftMatchEnabled | Format-List
Verify that both properties have the value True.
BlockCloudObjectTakeoverThroughHardMatchEnabled : True
BlockSoftMatchEnabled : True
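The three update commands above set the flags unconditionally and leave verification to a separate read-back. The script below is an added example, not code from the original article: it puts Step 3 and Step 4 together in one idempotent function that changes only the flags that are out of line, verifies the result, and supports the temporary unblock-then-reblock flow described under "Before you start". It assumes Microsoft.Graph is installed and you are already connected with the OnPremDirectorySynchronization.ReadWrite.All scope; the function name Set-TakeoverBlocking is my own, not a Graph cmdlet.

```powershell
# Added example: idempotent check-and-remediate for the two takeover-blocking flags.
# Assumes an existing Connect-MgGraph session with OnPremDirectorySynchronization.ReadWrite.All.
function Set-TakeoverBlocking {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true  = the recommended state (soft and hard match blocked).
        # $false = temporarily allow matching for a planned account takeover;
        #          run the function again with $true once the match is done.
        [bool]$Block = $true
    )

    $sync     = Get-MgDirectoryOnPremiseSynchronization
    $features = $sync.Features
    $wanted   = @{
        BlockSoftMatchEnabled                           = $Block
        BlockCloudObjectTakeoverThroughHardMatchEnabled = $Block
    }

    # Only send the properties that actually differ, so a compliant tenant is never rewritten.
    $changes = @{}
    foreach ($name in $wanted.Keys) {
        if ($features.$name -ne $wanted[$name]) { $changes[$name] = $wanted[$name] }
    }

    if ($changes.Count -eq 0) {
        Write-Host "Both flags are already $Block; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($sync.Id, "Set $($changes.Keys -join ', ') to $Block")) {
        Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id `
            -BodyParameter @{ Features = $changes }

        # Read the tenant back and fail loudly if it does not reflect the requested state.
        $after = (Get-MgDirectoryOnPremiseSynchronization).Features
        foreach ($name in $wanted.Keys) {
            if ($after.$name -ne $wanted[$name]) {
                throw "Verification failed: $name is '$($after.$name)', expected '$($wanted[$name])'."
            }
        }
        Write-Host "Verified: $($wanted.Keys -join ', ') are now $Block."
    }
}

# Preview what would change, then enforce the recommended blocked state:
Set-TakeoverBlocking -WhatIf
Set-TakeoverBlocking
```

Because the function reports "nothing to do" on a compliant tenant, it can also be run on a schedule as a drift check for the two flags.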
That’s it!
Conclusion
You learned how to block soft and hard match in Microsoft Entra ID. Blocking both settings strengthens your security posture by preventing unintended or unauthorized account takeovers. Every organization must apply this security change to its tenants.
Remember that if you need to use soft or hard match, you must first set the block soft and hard match values to False, and then set them back to True afterward.