Azure AD Connect synchronization error

Cloud_Geek_82 901 Reputation points
2023-09-12T04:34:20.07+00:00

Hi All,

Active Directory Domain Services users are synced to Microsoft Azure via Azure AD Connect.

A month ago a resigned user's Active Directory account was disabled and its mailbox was converted to shared.

Two or three days later, for some reason I'm not aware of, that user's AD account was re-enabled in AD DS and the mailbox was converted back to regular.

Both AD account and Microsoft 365 accounts are active now.

Since then Azure AD Connect throws this error.

This error indicates that a deleted object was recovered from the recycle bin in Azure AD before Azure AD Connect was able to confirm its deletion. Please delete the recovered object in Azure AD to fix this issue. Please refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors#deletion-access-violation-and-password-access-violation-errors Tracking Id: fc2d96a1-4f81-4d4w-9e12-3f700poq7392 ExtraErrorDetails: [{"Key":"ObjectId","Value":["a0367a70-e664-24fd-a2d2-2901d9cd0d1d"]}]

The error says to fix the issue the object should be deleted in Azure AD.

However, wouldn't that delete the mailbox associated with that user?

Should I indeed delete the object?

Microsoft Security Microsoft Entra Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
    2023-09-14T05:02:01.1433333+00:00

    Hello @Cloud_Geek_82

    Thank you for reaching out. The ideal fix for this would be to remove the user from Azure AD as well; however, this would remove the mailbox and other data associated with the account from Azure AD and Exchange too. The workaround I can suggest is to identify the affected object and set its ImmutableId parameter to null. Doing this removes any reference to its linked AD object.

    Command to check whether the affected cloud-only user has an ImmutableId associated with it:

    Get-AzureADUser -ObjectID "Affected User's ObjectID" | Select-Object -Property UserPrincipalName,ObjectId,ImmutableId,DirSyncEnabled 
    

    Command to set the affected cloud-only user's ImmutableId to $Null:

    Set-AzureADUser -ObjectID "Affected User's ObjectID" -ImmutableId $Null
    

    Once this is done perform a delta sync on Azure AD Connect and the error should be removed.

    I hope this helps. If the information helped you, please "Accept the answer"; this will help us and others in the community as well.

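The workaround above, worked through end to end as an added PowerShell example (not the answerer's code): it pulls the ObjectId out of the ExtraErrorDetails fragment of the error quoted in the question, inspects the object, records the current ImmutableId so the hard-match link can be restored later by writing the same value back, clears it, verifies the result, and only then starts a delta sync. It assumes the AzureAD module is installed and Connect-AzureAD has already been run, and that the script runs on the Azure AD Connect server so the ADSync module's Start-ADSyncSyncCycle is available; the error text is copied from the question, and the backup file path is an assumption.

```powershell
# Added example, not part of the original answer. Assumes: AzureAD module loaded and
# Connect-AzureAD already done; running on the Azure AD Connect server (ADSync module).
# The error text is the one quoted in the question; only the ExtraErrorDetails part is used.
$ErrorText = 'This error indicates that a deleted object was recovered from the recycle bin in Azure AD before Azure AD Connect was able to confirm its deletion. ExtraErrorDetails: [{"Key":"ObjectId","Value":["a0367a70-e664-24fd-a2d2-2901d9cd0d1d"]}]'

# Extract the ObjectId from the JSON fragment instead of copying it by hand.
if ($ErrorText -notmatch 'ExtraErrorDetails:\s*(\[.*\])') {
    throw 'No ExtraErrorDetails found in the error text'
}
$details  = $Matches[1] | ConvertFrom-Json
$objectId = ($details | Where-Object Key -eq 'ObjectId').Value | Select-Object -First 1

# Inspect the object before changing anything.
$user = Get-AzureADUser -ObjectId $objectId
$user | Select-Object UserPrincipalName, ObjectId, ImmutableId, DirSyncEnabled, AccountEnabled | Format-List

if (-not $user.ImmutableId) {
    Write-Host "No ImmutableId set on $($user.UserPrincipalName); nothing to clear."
    return
}

# Keep the current value: re-applying it with
#   Set-AzureADUser -ObjectId <id> -ImmutableId <saved value>
# re-establishes the hard match to the on-premises account. (Backup path is an assumption.)
$backup = Join-Path $env:TEMP ("immutableid-{0}.csv" -f $objectId)
"$($user.UserPrincipalName),$($user.ImmutableId)" | Out-File -FilePath $backup -Encoding utf8
Write-Host "Saved previous ImmutableId to $backup"

# ImmutableId is the base64-encoded on-premises objectGUID; decode it so it can be
# compared with (Get-ADUser <sam> -Properties objectGUID).objectGUID on a domain controller.
$guid = [guid]::new([Convert]::FromBase64String($user.ImmutableId))
Write-Host "ImmutableId decodes to on-prem objectGUID $guid"

# The workaround from the answer: drop the reference to the linked AD object.
Set-AzureADUser -ObjectId $objectId -ImmutableId $null

# Verify the change actually took before running a sync cycle.
$after = Get-AzureADUser -ObjectId $objectId
if ($after.ImmutableId) {
    Write-Warning ("ImmutableId is still '{0}' and DirSyncEnabled is {1}; the object is still " +
                   "treated as synced, so resolve that before starting a sync.") -f $after.ImmutableId, $after.DirSyncEnabled
} else {
    Write-Host 'ImmutableId cleared; starting a delta sync.'
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Re-reading the object after Set-AzureADUser is the check worth keeping: the sync error only clears once the object no longer carries the ImmutableId, so running the delta cycle before confirming that just reproduces the error. Note that the AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the commands above are kept because they are the ones the answer uses.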

  2. Cloud_Geek_82 901 Reputation points
    2023-09-15T03:37:25.0866667+00:00

    Hi @Harpreet Singh Matharoo

    Thanks for your reply.

    What I did:

    Disabled AD account.

    Unlicensed the Microsoft 365 account (mailbox is shared, not regular)

    Run Set-AzureADUser -ObjectID ObjectID -ImmutableId $Null

    Now I'm checking the account with Get-AzureADUser -ObjectID ObjectID | Select-Object -Property UserPrincipalName,ObjectId,ImmutableId,DirSyncEnabled and it still shows ImmutableId and DirSyncEnabled as $True.

    Does it take some time to take effect or I did something wrong?

    Also, is setting ImmutableId to $Null a reversible process, or once it is done does syncing between on-premises AD and Microsoft 365 for that account stop permanently?

