
Soft- and hard-matching of synchronized objects should be blocked.

Why This Matters

If soft matching and hard matching of synchronized objects remain enabled, attackers can exploit these mechanisms to take over user identities by matching cloud-only accounts to on-premises objects. This increases the risk of privilege escalation and unauthorized access across your hybrid environment. Blocking these matching processes is essential to prevent identity spoofing and maintain strict control over synchronized directory objects.

What Aether365 Checks

Aether365 verifies whether the tenant blocks both soft matching and hard matching of synchronized objects. This check appears in the Aether365 dashboard under the microsoft-365 checks section.

How to Fix

To enforce this setting, use the Set-MgPolicyAuthorizationPolicy PowerShell cmdlet. Run the following command in an elevated PowerShell session after connecting to Microsoft Graph with the Policy.ReadWrite.Authorization scope:

```powershell
Set-MgPolicyAuthorizationPolicy -BlockSoftAndHardMatching $true
```

Note that this setting is not configurable through the Azure Portal. Ensure you have the necessary permissions before executing the command.
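Because the portal offers no view of this setting, a practitioner usually wants a read-only script that reports the current state of both controls (and can optionally remediate) so the result can be re-checked after the change. The script below is an added example, not code from the Aether365 documentation, and it takes a different route than the single command above: it reads and updates the on-premises directory synchronization object through the Microsoft Graph PowerShell cmdlets Get-MgDirectoryOnPremiseSynchronization and Update-MgDirectoryOnPremiseSynchronization, using the Features properties BlockSoftMatchEnabled and BlockCloudObjectTakeoverThroughHardMatchEnabled and the OnPremDirectorySynchronization.ReadWrite.All scope. Those cmdlet, property and scope names are assumptions drawn from Microsoft's Graph documentation and should be verified against the current module version before use.

```powershell
# Added example (not from the Aether365 docs): report whether soft matching and
# hard-match takeover are blocked, and optionally set both flags.
# Assumed names (verify against current Microsoft Graph PowerShell docs):
#   Get-/Update-MgDirectoryOnPremiseSynchronization,
#   Features.BlockSoftMatchEnabled,
#   Features.BlockCloudObjectTakeoverThroughHardMatchEnabled,
#   scope OnPremDirectorySynchronization.ReadWrite.All
param(
    [switch]$Remediate   # without this switch the script only reports
)

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All" -NoWelcome

function Get-MatchingControlState {
    # Returns one object describing the tenant's current matching controls.
    $sync = Get-MgDirectoryOnPremiseSynchronization
    if (-not $sync) {
        throw "No on-premises directory synchronization configuration found; the tenant may be cloud-only."
    }
    [pscustomobject]@{
        Id               = $sync.Id
        SoftMatchBlocked = [bool]$sync.Features.BlockSoftMatchEnabled
        HardMatchBlocked = [bool]$sync.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled
    }
}

$before = Get-MatchingControlState
Write-Host "Current state:"
$before | Format-List

if ($Remediate -and -not ($before.SoftMatchBlocked -and $before.HardMatchBlocked)) {
    # Re-read the object, set both flags, and write the whole Features block back.
    $sync = Get-MgDirectoryOnPremiseSynchronization
    $sync.Features.BlockSoftMatchEnabled = $true
    $sync.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled = $true
    Update-MgDirectoryOnPremiseSynchronization `
        -OnPremisesDirectorySynchronizationId $sync.Id `
        -Features $sync.Features
    Write-Host "State after remediation:"
    Get-MatchingControlState | Format-List
}

# Exit non-zero so a scheduled run or pipeline job flags a tenant that is still open.
$final = Get-MatchingControlState
if ($final.SoftMatchBlocked -and $final.HardMatchBlocked) { exit 0 } else { exit 1 }
```

Run it without `-Remediate` first to record the baseline; the exit code lets the same script serve as a recurring drift check alongside the Aether365 dashboard result.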

Microsoft references
