Azure AD Connect (Sync errors)

CWT 391 Reputation points
2021-01-08T01:36:12.513+00:00

Good evening. Hoping to get an idea or two to prevent account deletions if at all possible.

Issue: Duplicate Attribute errors in Azure AD

Problem: 6 sync errors are occurring (2 UserPrincipalName & 4 ProxyAddresses)

Normal Approach: From my limited experience, I would expect that we could update the offending attributes locally and the sync server would sync those changes and the errors would no longer be an issue.

Our Issue: In this case however, we have 1 user with two accounts/mailboxes and these two accounts were modified and then reverted back to their original state (example below - fake name).

In AzureAD Zelan Johnson has the UPN zelan.johnson@keyman.com & his other account Johnson,Zelan has the UPN zj@keyman.com. When you view the proxy addresses for each account, the SMTP address (and one X500 address) are incorrect (switched).

I've gone through each account's attributes On-Prem and both accounts look good (specifically the ProxyAddresses and UPNs that Azure is calling out). I thought I could possibly force a change in AzureAD, so I tried using Set-AzureADUser -ObjectId, but that generated the error "Message: Unable to update the specified properties for on-premises mastered Directory Sync objects". I've never had to make changes in AzureAD and have understood that you always want to make changes On-Prem so they sync successfully and the source of authority is maintained.

I then tried the MSOL cmdlet Set-MsolUser -UserPrincipalName, and MS apparently has dropped the parameter -newuserprincipalname, so that failed as well.

Any thoughts on this would be greatly appreciated.

CWT

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2021-01-08T08:33:24.917+00:00

    You should be able to update locally; however, in your scenario it seems that some "cross-pollination" occurred, mixing the attributes. On top of that, Office 365 enforces a requirement that at least one SMTP address needs to match the UPN value, which adds to the conflict. I suppose you can try setting some "intermediate" values, let them sync, fix one object, fix the other.


2 additional answers

  1. Anshika Choubey 336 Reputation points Microsoft Employee Moderator
    2021-01-08T11:03:41.88+00:00

    Hello @CWT , Thank you for reaching out to us.

    In addition to the above suggestion, here is more explanation for clarity. If I understood correctly, the situation in your environment is this:
    User 1:
    UPN: admin@jaswant.com
    Proxy: User1@jaswant.com

    User 2:
    UPN: User1@jaswant.com
    Proxy: admin@jaswant.com

    The 1st user's UPN is added as the primary SMTP address on the other.
    Now if you have a configuration like this, you will see the duplicate proxy OR UPN errors, as the Azure Active Directory schema does not allow two or more objects to have the same value for the following attributes. (This is not an exhaustive list.)
    ProxyAddresses
    UserPrincipalName
    onPremisesSecurityIdentifier
    ObjectId

    Troubleshooting:

    If possible, try removing the proxy address of any one user from AD (from the GUI) or any one user's UPN and run the sync; this article also explains the scenario and troubleshooting steps:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors#example-case-2

    Or you may try reaching out to your internal Exchange team; if they have an email forwarding concept, then you can easily remove the primary SMTP address of the user in question and set up the forwarding.

    FYI: You will not be able to update User object attributes in Azure which were synced from local AD.
    And Set-AzureADUser and Set-MsolUser will only be able to change cloud-only users, not synced users.

    In case you have any questions on the same, you can surely let us know and we will be happy to help you further. If this post provides the answer you were looking for, do accept it as an answer in the interest of community members with similar queries. If this does not answer it, please ask further in the comments and we will be happy to address your concerns.


  2. CWT 391 Reputation points
    2021-01-11T17:26:14.277+00:00

    Good morning,

    After taking some time on Friday afternoon I was able to resolve the cross pollinated accounts by performing the following tasks.

    1. Logged into Exchange and temporarily changed both users' SMTP addresses even though they were technically accurate On-Prem.
    2. Forced full sync to AzureAD.
    3. Verified that the UPN, Email, and Proxy addresses for each account updated in AzureAD and listed the temporary emails from step 1.
    4. Logged into Exchange once more and updated the SMTP addresses for both users to the correct email address (which was what they originally were).
    5. Forced full sync to AzureAD.
    6. Verified that AzureAD had successfully been updated for both of these accounts and the sync errors dropped off.

    Thanks again for the feedback. Very much appreciated.

    CWT

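The "intermediate values" idea in the accepted answer and the six steps in CWT's follow-up are the same fix seen from two sides: because the tenant checks each exported object against everything already present, a direct swap of UPN and proxy addresses between two synced objects conflicts whichever object is exported first, so a placeholder round trip is needed. The following is an added example, not code from the thread or from Microsoft: it models that uniqueness check over constructed users (ids A/B, example.com addresses are made up) and replays both the failing direct sync and the two-phase fix.

```python
from dataclasses import dataclass

@dataclass
class User:
    object_id: str
    userPrincipalName: str
    proxyAddresses: set
    def unique_keys(self):
        """Values the tenant refuses to share between objects, compared lower-cased (the answer above lists more, e.g. ObjectId)."""
        return {("UPN", self.userPrincipalName.lower())} | {("proxy", p.lower()) for p in self.proxyAddresses}

def user(oid, addr):
    """Constructed user whose UPN and primary SMTP address agree."""
    return User(oid, addr, {"SMTP:" + addr})

class CloudDirectory:
    """Toy tenant: each object is exported on its own and checked against every
    object already present, which is what raises the duplicate-attribute error."""
    def __init__(self, users):
        self.users = dict(users)

    def sync(self, onprem):
        """Export every on-prem object; return the sync errors produced."""
        errors = []
        for u in onprem.values():
            clashes = [f"{kind} {value} already on {oid}" for oid, o in self.users.items()
                       if oid != u.object_id for kind, value in sorted(u.unique_keys() & o.unique_keys())]
            if clashes:
                errors.append(f"{u.object_id}: " + "; ".join(clashes))
            else:  # export succeeds and replaces the cloud copy
                self.users[u.object_id] = User(u.object_id, u.userPrincipalName, set(u.proxyAddresses))
        return errors

def build_scenario():
    """Constructed data: tenant holds the two mailboxes with swapped addresses, on-prem has the correct ones."""
    cloud = CloudDirectory({"A": user("A", "zj@example.com"),
                            "B": user("B", "zelan.johnson@example.com")})
    onprem = {"A": user("A", "zelan.johnson@example.com"), "B": user("B", "zj@example.com")}
    return cloud, onprem

def resolve_with_intermediate(cloud, onprem):
    """Steps 1-6 of the fix: placeholder addresses, sync, real addresses, sync."""
    wanted = {oid: (u.userPrincipalName, u.proxyAddresses) for oid, u in onprem.items()}
    for oid in onprem:                              # step 1: temporary, unique values
        onprem[oid] = user(oid, f"tmp-{oid.lower()}@example.com")
    first = cloud.sync(onprem)                      # steps 2-3
    for oid, (upn, proxies) in wanted.items():      # step 4: restore the real values
        onprem[oid] = User(oid, upn, proxies)
    second = cloud.sync(onprem)                     # steps 5-6
    return first, second
```

Running `build_scenario()[0].sync(...)` directly reproduces the two errors from the question (one per object), while `resolve_with_intermediate` returns two empty error lists and leaves the tenant holding the correct values.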
