Disable Soft Matching After Synchronisation
Ensure soft matching is turned off after syncing Microsoft AD DS with Microsoft Entra ID to enhance security.
Plain language
After you sync your local Microsoft Active Directory (AD DS) with Microsoft's cloud service, Microsoft Entra ID, you should switch off something called 'soft matching'. This matters because leaving it on could accidentally link the wrong user accounts together, which might give someone access to things they shouldn't see.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Topic
Microsoft Entra Connect
Official control statement
Soft matching between Microsoft AD DS and Microsoft Entra ID is disabled following initial synchronisation activities.
Why it matters
If soft matching remains enabled after initial sync, AD DS and Entra ID accounts may link incorrectly, enabling unauthorised access to data and services.
Operational notes
After initial synchronisation, confirm soft matching is disabled in Entra Connect/AAD Connect settings and periodically re-check to prevent unintended AD DS–Entra ID account linking.
Implementation tips
- The IT team should confirm that soft matching is disabled in Microsoft Entra Connect settings after syncing. They can do this by logging into the Microsoft Entra Connect admin interface, navigating to the synchronisation settings, and ensuring that soft matching is turned off.
- The IT manager should schedule a review meeting one week after initial synchronisation to verify settings. During the meeting, they should ask the IT team for a demonstration that soft matching was properly turned off post-sync.
- A system administrator should document the procedure of disabling soft matching and include step-by-step screenshots. This can be useful for training purposes and as evidence that the control was implemented correctly.
- The compliance officer should ensure all IT staff are aware of the risks associated with soft matching. They can organise a training session where the consequences of improper account linking are clearly explained through examples.
- Procurement should verify that any external IT support used is aware of this control and includes it in their service agreement. When hiring, they should ask potential vendors about their experience with Microsoft Entra Connect and managing synchronisation settings.
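The operational note and the first implementation tip above boil down to one recurring check: is soft matching blocked for the tenant, and can you prove it with a timestamped record? The script below is an added example written for this page; it is not code from Control Stack or from Microsoft. Soft matching is a tenant-level directory synchronisation feature rather than a page in the Entra Connect wizard, so the script reads and (optionally) sets it through the Microsoft Graph PowerShell SDK. The cmdlet names, the `OnPremDirectorySynchronization.*` permission scopes, the `Features.BlockSoftMatchEnabled` property and the `blockSoftMatchEnabled` request-body key are assumptions about the Graph SDK and should be confirmed against current Microsoft documentation for your module version. The evidence file path is a made-up default.

```powershell
# Added example (not from the Control Stack page or from Microsoft): audit and,
# with -Remediate, enable the tenant "block soft match" setting via Microsoft
# Graph, then append a timestamped evidence record for auditors.
# Assumed: Microsoft.Graph.Identity.DirectoryManagement cmdlets, the
# OnPremDirectorySynchronization.* scopes and the Features property names.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Audit only by default; add -Remediate to turn blocking on if it is off.
    [switch]$Remediate,
    # Constructed default path for the JSON Lines evidence log.
    [string]$EvidencePath = ".\ism-1950-soft-match-evidence.jsonl"
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop

# Least privilege: a read-only scope is enough to audit; ask for write only when remediating.
$scope = if ($Remediate) { 'OnPremDirectorySynchronization.ReadWrite.All' }
         else            { 'OnPremDirectorySynchronization.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome
$ctx = Get-MgContext

$configs = @(Get-MgDirectoryOnPremiseSynchronization)
if ($configs.Count -eq 0) {
    throw "No on-premises directory synchronisation configuration found; is Entra Connect set up for this tenant?"
}

$records = foreach ($cfg in $configs) {
    $before = [bool]$cfg.Features.BlockSoftMatchEnabled
    $after  = $before
    $action = 'none'

    if (-not $before) {
        Write-Warning "Soft matching is still ENABLED (BlockSoftMatchEnabled = false) for sync config $($cfg.Id)."
        if ($Remediate -and $PSCmdlet.ShouldProcess($cfg.Id, 'Enable BlockSoftMatch')) {
            # Only the feature being changed goes in the body; other features are left untouched.
            $body = @{ features = @{ blockSoftMatchEnabled = $true } }
            Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $cfg.Id -BodyParameter $body | Out-Null
            # Re-read the setting rather than assuming the write took effect.
            $after  = [bool](Get-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $cfg.Id).Features.BlockSoftMatchEnabled
            $action = 'enabled BlockSoftMatch'
        }
    }
    else {
        Write-Host "Soft matching is blocked for sync config $($cfg.Id) (compliant with ISM-1950)."
    }

    # One evidence record per sync configuration: who checked, when, and the before/after state.
    [pscustomobject]@{
        Control              = 'ISM-1950'
        CheckedAtUtc         = (Get-Date).ToUniversalTime().ToString('o')
        TenantId             = $ctx.TenantId
        CheckedBy            = $ctx.Account
        SyncConfigId         = $cfg.Id
        BlockSoftMatchBefore = $before
        BlockSoftMatchAfter  = $after
        Action               = $action
        Compliant            = $after
    }
}

# Append one JSON line per record so periodic re-checks build a history for the audit trail.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } | Add-Content -Path $EvidencePath
$records | Format-Table Control, CheckedAtUtc, SyncConfigId, BlockSoftMatchBefore, BlockSoftMatchAfter, Compliant -AutoSize

# Non-zero exit lets a scheduled task or pipeline flag drift from the control.
if ($records | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without switches for the periodic re-check the operational note calls for, and with `-Remediate -WhatIf` first to see what would change before running `-Remediate` for real. Keep the ordering the control statement gives: blocking is enabled after the initial synchronisation has matched existing cloud accounts to their AD DS objects, because once it is on, later sync cycles will no longer join accounts by UPN or proxy address. The retired MSOnline module exposed the same tenant feature as `Get-MsolDirSyncFeatures` / `Set-MsolDirSyncFeature -Feature BlockSoftMatch`, which is what older change records may reference.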
Audit / evidence tips
- Ask: the Microsoft Entra Connect configuration documentation. Request the official procedure document that details the settings used during AD synchronisation.
  Good: the document clearly states that soft matching is turned off and provides a rationale for this setting.
- Ask: to see the synchronisation settings in the Microsoft Entra Connect console. Request a live demonstration or screenshots of the current settings.
  Good: evidence from the IT system showing the off position for soft matching, properly documented and timestamped.
- Ask: change management records related to the initial sync. Request logs or records that show when soft matching was disabled.
  Good: logs indicate that soft matching was switched off immediately following the initial AD sync.
- Ask: IT training materials on Microsoft Entra Connect. Request slides or training guides provided to IT staff.
  Good: training materials with a section dedicated to this control, including risks and steps taken.
- Ask: IT staff acknowledgements of understanding the control. Request signed documents or digital confirmations from IT staff indicating their understanding of disabling soft matching.
  Good: each relevant IT staff member has confirmed understanding via a signed document.
Cross-framework mappings
How ISM-1950 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.16 | Partially meets | ISM-1950 requires organisations to disable soft matching between Microsoft AD DS and Microsoft Entra ID after initial synchronisation to ... |
| Annex A 8.2 | Supports | ISM-1950 requires organisations to disable soft matching between Microsoft AD DS and Microsoft Entra ID after initial synchronisation to ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.