Worked offline; while investigating the issue, we noticed that the users who were unable to authenticate using FIDO had sync errors during the sync cycle on the Entra Connect server.
Below is the summary of the troubleshooting which we performed:
Issue: Getting a "duplicate attribute" error in AD Connect.
Solution:
We found that you were getting error messages in AD Connect regarding a "duplicate attribute" for proxy address.
This means that the on-premises object that is trying to sync to Azure with a specific proxy address value is already stamped on another object in Azure AD.
To fix this issue, we had to match the on-premises object with the Azure AD object.
Follow the steps below to fix the issue:
- Open Windows PowerShell as administrator on any machine.
- Run the command Connect-MsolService (enter Global Administrator credentials).
- Now run the command Set-MsolDirSyncEnabled -EnableDirSync $false
- Now run the command Set-MsolUser -UserPrincipalName <UPN of user in Azure AD> -ImmutableId $null
- You can try the script below to set a null value for bulk users:
# Remove the Immutable ID of all the bulk users that need to be cloud-only
$Filepath = "$env:USERPROFILE\Desktop\file.csv"
$csv = Import-Csv -Path $Filepath
$immutableID = $null
foreach ($user in $csv)
{
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID
}
NOTE: Try the above script in a lab environment first, and only then run it in your production environment.
- Now, once you have set the Immutable ID value to null, you will have to move the user accounts in the on-premises DC to a non-synced OU (an OU that is not syncing to Azure AD using AD Connect).
- This will delete the user entry from AD Connect.
- Once this is done, log in to the Azure AD portal and make sure you remove any roles that are assigned to the users in Azure AD. As per the document below, AD Connect will not link the on-premises account with the Azure AD account if any admin role is assigned to the user account in Azure AD. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors#existing-admin-role-conflict
- Now enable sync in the Azure AD tenant using the command Set-MsolDirSyncEnabled -EnableDirSync $true
- Now move the user account to a synced OU in the on-premises DC.
- Initiate a delta sync on the AD Connect server by running the following command on that server: Start-ADSyncSyncCycle -PolicyType Delta
- This will link your on-premises accounts with the Azure AD accounts, and you will not see the error anymore.
Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
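As an added example (not the answerer's own script), here is a pre-flight version of the bulk ImmutableId reset above that enforces the answer's own preconditions before touching any account: it refuses to run while directory sync is still enabled, and it skips users who hold an admin role, since the linked article says Entra Connect will not match those. It assumes the MSOnline module (which the answer uses, and which Microsoft has since deprecated in favour of Microsoft Graph PowerShell), an existing Connect-MsolService session, and a CSV with a UserPrincipalName column; the CSV path and the -WhatIfOnly switch are this example's own.

```powershell
# Added example: pre-flight checks before clearing ImmutableId in bulk.
# Assumes: MSOnline module, Connect-MsolService already run, CSV with a
# UserPrincipalName column (constructed sample path below, not from the answer).
param(
    [string]$CsvPath = "$env:USERPROFILE\Desktop\file.csv",
    [switch]$WhatIfOnly   # report what would change without calling Set-MsolUser
)

# The answer disables directory sync first; refuse to continue if it is still on.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    throw "Directory sync is still enabled; run Set-MsolDirSyncEnabled -EnableDirSync `$false first."
}

# Index every object that currently holds an admin role. Per the linked article,
# Entra Connect will not match an on-premises account to a cloud account with a role.
$roleHolders = @{}
foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        $roleHolders[[string]$member.ObjectId] = $role.Name
    }
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn  = $row.UserPrincipalName
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ UPN = $upn; Action = 'Skipped'; Reason = 'Not found in tenant' }
        continue
    }
    $id = [string]$user.ObjectId
    if ($roleHolders.ContainsKey($id)) {
        [pscustomobject]@{ UPN = $upn; Action = 'Skipped'; Reason = "Holds role: $($roleHolders[$id])" }
        continue
    }
    if ([string]::IsNullOrEmpty($user.ImmutableId)) {
        [pscustomobject]@{ UPN = $upn; Action = 'NoChange'; Reason = 'ImmutableId already empty' }
        continue
    }
    # Record the old value so the change can be reverted if the wrong account was listed.
    if (-not $WhatIfOnly) {
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $null
    }
    [pscustomobject]@{ UPN = $upn; Action = 'Cleared'; Reason = "Previous ImmutableId: $($user.ImmutableId)" }
}

$results | Format-Table -AutoSize
```

Run it once with -WhatIfOnly and keep the table of previous ImmutableId values; that record is what lets you restore a user's link if the CSV contained an account that should have stayed synced.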