How to fix Azure AD Connect error - AttributeValueMustBeUnique

Question

Hello,

I am experiencing an issue syncing one Windows Server AD user with an existing Azure Active Directory user. This is the same user and I would like them to bed joined / synced. Here's the history (to the best of my recollection, some steps may be slightly out of order):

• Ran IdFix. No issues were found.
• Installed Azure AD Connect and ran the initial sync. The user showed up twice on the Azure Active Directory Users screen, once for the Windows Server AD user (which was given a different user principal name, something like "myuser0348@mycompany.onmicrosoft.com") and one for the existing Azure Active Directory user.
• I don't use exchange, so I tried to ensure that the email addresses matched and ran a delta sync. The issue was not resolved.
• I found this post. I started by manually deleting the "myuser0348@mycompany.onmicrosoft.com" user from the Azure Active Directory Users and removing it from the recycling bin and performed a delta sync. No difference. Note: I did not try a hard match yet.
• I received an email about the sync error from Azure and found the "Sync errors" page on the Azure Active Directory Connect Health page (too bad this email only came the next day). The error was AttributeValueMustBeUnique. I indicated that the 2 user accounts were for the same user and waited for the next sync. The sync error was no longer shown, but "Directory synced" was still false for the existing Azure Active Directory user.
• I followed the instructions from the blog post listed above and set the immutableId for Azure AD User to match the Windows Server AD user. I ran a sync but the issue was not resolved.

While the error is no longer showing up under "Sync errors" on the Azure Active Directory Connect Health page, the Windows Server AD user is still not syncing with the existing Azure Active Directory user, just for this one account. When I view the details in the Synchronization Service Manager, I still see the error. When I "Generate Preview" for this user, I see 3 connectors listed under Connector Updates, where all other users only have 2. It appears that the external(?) CN is duplicated. When I do a Metaverse Search, I also see 3 Connectors listed, rather than 2. In this case, I see 3 different Distinguished Names (one my my locale DN, one that has CN=<guid>, and one with just a GUID (not prefixed with CN=).

I'm pretty sure I made things worse when I deleted the "myuser0348@mycompany.onmicrosoft.com" user on the Azure Users page and when I tried to do a hard-match. Maybe there's still a connector pointing to that deleted Azure user?

I'm not sure what the next steps are. I'm worried if I continue making changes, I may make things worse.

I want to sync my Windows Server AD user to the matching Azure Active Directory user.

Note: Here are a few of the resources that I tried to use to help troubleshoot this issue:

• Troubleshoot an object that is not synchronizing with Azure Active Directory
• Troubleshooting Errors during synchronization
• One or more objects don't sync when using Azure Active Directory Sync tool

Answer 1

I ended up fixing this issue by removing Global Admin from one of the problem users. I fixed it on another user by removing billing admin.

Answer 2

It does seem like the hard matching would be a good thing to try if you haven't tried that yet. You could try going to Azure Active Directory > Deleted Users and seeing if you can restore the user from that list first.