Share via

Entra Connect Sync blocking user creation due to hidden proxyAddress on cloud-only user which can't be removed

Steven Perazzo 20 Reputation points
2025-05-30T14:45:05.8033333+00:00

I'm encountering a persistent export error in Entra Connect Sync due to a proxyAddresses conflict. The issue is as follows:

  • An on-prem AD user is failing to export into Entra ID with the AttributeValueMustBeUnique error.
  • The conflict was because a cloud-only user account had the same 'mail' attribute as the on-premise user. This was corrected by changing the 'mail' value for the cloud-only user.
  • However, after making this correction, the error persists, and if I look at the 'proxyAddresses' field for the cloud-only user in the Entra portal, it shows the old address (in addition to the current UPN and new mail value). However, this cannot be edited in the Entra portal.
  • A graph filter search confirms the address is still indexed on the cloud user by doing something like this: Get-MgUser -Filter "proxyAddresses/any(c:c eq 'SMTP:******@address.com')" - but if you look at the MgUser properties the proxyAddresses field shows as empty through the graph module in powershell.

Some additional information:

  • Exchange Online is not being utilized, so looking there is not an option. These are users in Entra and Azure only

How do I get rid of these proxy addresses?

Microsoft Security Microsoft Entra Microsoft Entra ID
Accepted answer
  1. SrideviM 5,630 Reputation points Microsoft External Staff Moderator
    2025-06-10T09:04:24.07+00:00

    Hello Steven Perazzo,

    I understand you're trying to remove an old proxy address that's causing a sync issue, and you're not using Exchange. You can do this directly using Microsoft Graph API through Graph Explorer.

    Use the following GET request to fetch the current proxyAddresses of user:

    GET https://graph.microsoft.com/beta/users/userId?$select=id,displayName,proxyAddresses

    enter image description here

    Now send a PATCH request to the same endpoint (/beta/users/{user-id}) with a body by excluding the unwanted address:

    PATCH https://graph.microsoft.com/beta/users/userId
{
  "proxyAddresses": [
    "smtp:******@domain.com"
  ]
}

    enter image description here

    Once the PATCH is successful, the old proxy address will be removed, and the Entra Connect sync error should be resolved.

    To confirm that, run the GET query again where proxyAddresses field successfully updated as below:

    GET https://graph.microsoft.com/beta/users/userId?$select=id,displayName,proxyAddresses

    enter image description here

    Hope this helps!

    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    User's image

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jose Benjamin Solis Nolasco 3,431 Reputation points
    2025-05-30T15:37:17.95+00:00

    Hello Steven Perazzo,

    I suggest you to contact Microsoft Support they can help you guiding you about how to fix this, without Exchange licensing you wont be able to run some PowerShell commands.

    Possible Required Information : To expedite resolution, include:

    • Tenant ID: Found in Microsoft Entra ID > Overview in the Azure portal.
    • User ObjectId: From your Graph query (Get-MgUser -Filter "proxyAddresses/any(c:c eq 'SMTP:******@domain.com')").
    • Entra Connect Version: Check on the Entra Connect server (e.g., 2.5.3.0, per recent updates).
    • Error Logs: Screenshots or exports from Entra Connect Health (Azure portal > Microsoft Entra ID > Entra Connect > Connect Health > Sync errors).
    • PowerShell Attempts: Details of Set-MsolUser or Set-MsolUser commands tried.

    Support links

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

    0 comments
  2. Steven Perazzo 20 Reputation points
    2025-06-09T17:41:04.4466667+00:00

    Since there were no correct answers given in this thread and I went through the rigmarole of going through Entra support, I want to clarify for everyone that there is indeed a way to do this yourself with Microsoft Graph. However, you cannot do it in the Graph powershell module - it must be done via API call, most easily via Graph Explorer.

    There is general information on doing this here: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

    Basically, you have to query the beta URL for the user, something like https://graph.microsoft.com/beta/users/%USERGUID%

    You can use that URL to do both 'GET' and 'PATCH' queries - the PATCH query being the one that will change the settings. You have to put forth a body for the proxyAddresses property in the PATCH query which represents all of the addresses you want the user to utilize as proxy addresses. The formatting for this is most easily gotten by doing a GET query and copying the proxyAddresses property from the response.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.