This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We are attempting to connect our Azure DevOps organization to our Microsoft Entra according to this page: https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#connect-your-organization-to-your-azure-ad
During the process we receive the "Tenant switch failed on a precondition, with the following message: 1 of 94 total users has multiple active identities with the same UPN. Please either remove the duplicates or change the UPNs to be unique."
We have gone over the identities by hand several times. We identified and removed several duplicates, but we cannot find this last one.
Is there a way to have someone identify the duplicate identity?
Organization: https://cnoappdev.visualstudio.com/
Azure subscription ID: 5a570a16-1335-4c01-a471-546b636cea9e
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Are you using Entra Connect to sync on-premise users to ENtre ID ?
In this case I think all duplicate UPN should be in error.
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName UserPrincipalName
I invite you to read the following article:
Identity synchronization and duplicate attribute resiliency
Please don't forget to accept helpful answer and close this thread
Thank you for the quick response!
I know our systems team has connected AAD/Entra in Azure to our on-premise Active Directory environment and push users and settings up to Azure. I assume they are using something like Azure Connect.
I checked all the users in our DevOps organization against "https://graph.microsoft.com/v1.0/users?$filter=startswith(UserPrincipalName,'##UPNHavingIssues##')" to determine if there were duplicates on the Entra side. I wasn't able to find any but I did find duplicate users in Azure DevOps with the same ID/email address. After removing those it brought the total duplicate count down to 1, but we haven't been able to identify that one yet.
I think you should powershell script to identify user account with same UPN. You can use the script below:
$All_UPN = Get-AzureADUser -All | select -ExpandProperty UserPrincipalName
foreach($upn in $All_UPN)
{
$user = $null
[int32]$UserNumber = 0
$user = Get-AzureADUser -Filter "userPrincipalName eq $upn"
$UserNumber = $user.count
if( $UserNumber -gt 1 )
{
$user
}
}
Please don't forget to accept helpful answer and close this thread
Hi Hi @Michael Glover
Just checking if there is any progress ?
Please don't forget to accept helpful answer and close this thread
I had a chance to revisit the issue this morning. I was able to run a slightly modified version of the Powershell script you provided:
$All_UPN = Get-AzureADUser -All $true | select -ExpandProperty UserPrincipalName
foreach($upn in $All_UPN) { $user = $null; [int32]$UserNumber = 0; $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"; $UserNumber = $user.count; if( $UserNumber -gt 1 ) { $user; }}
It returned with no results. I believe that indicates that there are no duplicate UPNs on the Azure AD/Entra side.
From what I can tell this script is comparing users in the Azure AD/Entra side to see if there are any duplicate UPNs. The error message coming from DevOps seems to indicate that there is a duplicate UPN on the Azure AD/Entra side, but having ran all the DevOps accounts through the Microsoft Graph API and determining that there were no duplicates we had been able to find duplicates on the DevOps side and remove those.
For example, we had an instance of two user accounts with the same UPN in the Azure DevOps users. When we removed one of those accounts the error message changed and reduced the number of duplicates.
Following to your feedback the problem seems from DevOps side , and this case you should do the cleanup on Devops side and nothing to do on Entra ID (Azure AD).
The link below talk about the same issue:
Please don't forget to accept helpful answer
For future users: Please refer to this thread for more information on this problem.