Entra duplicate ID Sync errors

Richard Sheasley 0 Reputation points
2026-05-23T03:26:15.06+00:00

I continue to receive Microsoft 365 Entra ID sync errors and am not even sure why they are appearing.

The error is:

Now, after going through everything needed to get an on-premises Active Directory domain synced and running the Entra Sync setup, the onmicrosoft.com users are appearing for most of the users in the Microsoft 365 admin. The onmicrosoft.com users were not showing up before installing the Sync to resolve the issues of users not being allowed to log in and/or other errors.

We detected that an object with UserPrincipalName “@tenant.onmicrosoft.com” cannot be synchronized because another object already has the same value of “@domainname.com” as its UserPrincipalName. To resolve the conflict you need to determine which of these two objects should be using this UserPrincipalName. The next step is to update the other object to change or remove the conflicting value.
We detected that an object with UserPrincipalName “@tenantname.onmicrosoft.com” cannot be synchronized because another object already has the same value of “@domainname.com” as its UserPrincipalName. To resolve the conflict you need to determine which of these two objects should be using this UserPrincipalName. The next step is to update the other object to change or remove the conflicting value.
Microsoft 365 and Office | Other

2 answers

  1. Helen Luu 845 Reputation points Independent Advisor
    2026-05-23T09:40:36.1233333+00:00

    Hello @Richard Sheasley

    Based on the information you provided, it appears that you are experiencing an issue when synchronizing users from your on-premises Active Directory to the cloud. According to the error message, there is a conflict with an existing user object already present in Microsoft Entra ID.

    To better understand and assist with the issue, could you please help confirm the following:

    1. Are you able to search for the same UPN in Entra, and is it still active?
      • If yes, please consider deleting the existing cloud user if it is no longer needed.
      • Alternatively, ensure that all attributes (such as UPN, mail, and proxyAddresses) of the on-premises AD user match those of the cloud user to enable proper matching during synchronization.
    2. If you create a new AD user with a different UPN (for example, ******@tenant.onmicrosoft.com), does the synchronization complete successfully? Additionally, you may try modifying the UPN slightly (e.g., ******@domain.com) to check whether the sync succeeds without conflict.
    3. You can try running Get-Recipient and Get-MsolUser to check whether the account already exists in the tenant.
      For more details, you can check this article:
      Get-Recipient (ExchangePowerShell) | Microsoft Learn
      View Microsoft 365 user accounts with PowerShell - Microsoft 365 Enterprise | Microsoft Learn

    Please let me know the results or if you need assistance with any of the steps above. I look forward to your response.

    Was this answer helpful?


  2. AI answer

    2026-05-23T03:26:35.19+00:00

    The sync errors are caused by duplicate UserPrincipalName (UPN) values between your on‑premises Active Directory objects and existing Microsoft Entra (Azure AD/Microsoft 365) cloud objects. Entra Connect requires UPNs and certain attributes (like proxyAddresses) to be unique; when a duplicate is found, the object is either modified (number appended) or put into an error/quarantine state.

    In your case, there is already a cloud object using ******@domainname.com as its UPN. When the corresponding on‑premises user is synchronized, Entra Connect tries to set the same UPN in Entra ID, detects the conflict, and throws the error you see. This is also why some users now show ******@tenant.onmicrosoft.com: Entra ID automatically appends a number to keep the UPN unique when a duplicate exists.

    To resolve the errors, the UPNs must be made unique across all objects.

    1. Identify which object should own the UPN
      • For each conflicting UPN (for example, ******@domainname.com), decide which account is the “real” account that should keep that UPN (usually the production user that should sign in with that address).
      • The other object(s) must be changed so they no longer use that UPN.
    2. Fix duplicates in on‑premises Active Directory
      • Run the IdFix DirSync Error Remediation Tool against your on‑premises AD to find duplicate or invalid attributes, including UPN and proxyAddresses.
      • For each duplicate UPN reported, change the UPN in AD so that it is unique (for example, change a test or stale account to another UPN or decommission it if not needed).
      • IdFix guidance for resolving duplicates is described in the article '"Duplicate" is displayed in the ERROR column'.
    3. Check and fix duplicates in Entra ID/Microsoft 365
      • In the Microsoft 365 admin center, go to Users → Active users.
      • A warning banner appears if there are duplicate attribute conflicts.
      • Select the affected user to see the conflict details and then change the user name so that it is unique (for example, adjust or remove the UPN on a cloud‑only or stale account that should not own that UPN).
      Alternatively, use Entra PowerShell to list provisioning errors:
      • Connect as a tenant admin: Connect-Entra.
      • List objects with duplicate UPN or proxyAddresses:
        • Get-EntraDirectoryObjectOnPremisesProvisioningError | Where-Object PropertyCausingError -eq 'UserPrincipalName'
        • Get-EntraDirectoryObjectOnPremisesProvisioningError | Where-Object PropertyCausingError -eq 'ProxyAddresses'
      • For each entry, adjust or remove the conflicting value on the object that should not own it.
    4. Let Entra Connect resync
      • After fixing duplicates in AD and/or Entra ID, allow the next synchronization cycle to run (or trigger a sync from the Entra Connect server).
      • The duplicate‑attribute errors should clear once the changes are synchronized.
    5. General duplicate‑attribute remediation pattern
      • Identify the duplicated value (UPN or proxyAddresses) and all objects involved.
      • Decide which object should keep the value.
      • Remove or change the value on the other object(s) in the source directory (on‑prem AD or Entra ID, depending on where the object is authoritative).
      • Allow Entra Connect to sync the changes.

    If some users still show numbered ******@tenant.onmicrosoft.com UPNs after conflicts are resolved, update their UPNs (in AD for synced users) to the desired ******@domainname.com and let Entra Connect sync again.



    Was this answer helpful?
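The "identify the duplicated value and all objects involved" step from the answers above, as an added example that is not part of the original thread. It works on constructed sample objects; the property names (Source, Id, LinkedTo, UserPrincipalName, ProxyAddresses) and the function name are assumptions of this example, and in practice the rows would come from an export of each directory.

```powershell
# Added example: report UPN / proxyAddresses values claimed by more than one identity.
# A cloud object already linked to its on-premises source (LinkedTo) is the same
# identity and is not reported as a conflict. All names here are hypothetical.
function Find-DuplicateSyncAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $OnPremUser,
        [Parameter(Mandatory)] [object[]] $CloudUser
    )
    # Flatten every object into one row per attribute value, compared case-insensitively.
    $rows = foreach ($u in ($OnPremUser + $CloudUser)) {
        $identity = if ($u.LinkedTo) { $u.LinkedTo } else { $u.Id }
        $values = @()
        if ($u.UserPrincipalName) { $values += ,@('UserPrincipalName', $u.UserPrincipalName) }
        foreach ($p in @($u.ProxyAddresses)) {
            if ($p) { $values += ,@('ProxyAddresses', $p) }
        }
        foreach ($v in $values) {
            [pscustomobject]@{
                Attribute = $v[0]
                Value     = $v[1].Trim().ToLowerInvariant()
                Identity  = $identity
                Object    = "$($u.Source):$($u.Id)"
            }
        }
    }
    # A value is in conflict when more than one distinct identity holds it.
    $rows | Group-Object -Property Attribute, Value |
        Where-Object { @($_.Group.Identity | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $_.Group[0].Attribute
                Value     = $_.Group[0].Value
                Objects   = @($_.Group.Object | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample data (not from the thread).
$onPrem = @(
    [pscustomobject]@{ Source='AD'; Id='ad-001'; LinkedTo=$null; UserPrincipalName='alice@example.com'; ProxyAddresses=@('SMTP:alice@example.com') }
    [pscustomobject]@{ Source='AD'; Id='ad-002'; LinkedTo=$null; UserPrincipalName='bob@example.com'; ProxyAddresses=@('SMTP:bob@example.com', 'smtp:sales@example.com') }
)
$cloud = @(
    [pscustomobject]@{ Source='Entra'; Id='cloud-100'; LinkedTo='ad-001'; UserPrincipalName='Alice@example.com'; ProxyAddresses=@('SMTP:alice@example.com') }
    [pscustomobject]@{ Source='Entra'; Id='cloud-200'; LinkedTo=$null; UserPrincipalName='bob@example.com'; ProxyAddresses=@() }
    [pscustomobject]@{ Source='Entra'; Id='cloud-300'; LinkedTo=$null; UserPrincipalName='sales@example.onmicrosoft.com'; ProxyAddresses=@('SMTP:sales@example.com') }
)
Find-DuplicateSyncAttribute -OnPremUser $onPrem -CloudUser $cloud | Format-Table -AutoSize
```

Each reported row names the contested value and every object holding it, which is the input needed to decide which object keeps the value and which one is changed.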
