SalesForce enterprise application in Azure unable to provision users, is getting quarantined - The attribute with the duplicate values is displayName

Osis, Andrejs 0 Reputation points
2025-06-25T07:29:43.8733333+00:00

Hi!

Can you help me with following:

SalesForce enterprise application in Azure unable to provision users, is getting quarantined - The attribute with the duplicate values is displayName.

Here is what i do see in Provisioning section:

Quarantine details:

This Azure Active Directory service principal has app roles with duplicate attribute values: a5043b43-b995-491d-9470-6e697650013c: "Salesforce Sandbox SSO". The attribute with the duplicate values is displayName. The duplicated value is { Add:"Contract Manager" (Source) }. The synchronization job cannot proceed until the duplication is remedied. One way of remedying the duplication would be to edit the service principal using the Azure Active Directory Graph or the Microsoft Graph. Both of those Web application programming interfaces are documented on the World Wide Web. If the documentation is insufficient, please file a request for support using the Microsoft Azure Active Directory Graph or the Microsoft Graph via Azure support.


2 answers

  1. Abiola Akinbade 29,570 Reputation points Volunteer Moderator
    2025-06-25T07:43:35.52+00:00

    Hello Osis, Andrejs,

    Thanks for your question.

    It looks like the displayname already exists in salesforce so it is counting as a duplicate user. You need to verify that the user is not already created with the same displayname in salesforce.

    If it is, you have to remember in automatic provisioning the source is Entra, so you need to remove the user from there and unassign the user from the app in Entra as well. You can then re-assign using https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal

    This is a common issue documented here: https://learn.microsoft.com/en-us/entra/identity/saas-apps/salesforce-provisioning-tutorial?source=recommendations

    The user can't be provisioned because it has a Salesforce.com 'Username' that's duplicated in another Salesforce.com tenant.  In Salesforce.com, values for the 'Username' attribute must be unique across all Salesforce.com tenants.  By default, a user’s userPrincipalName in Microsoft Entra ID becomes their 'Username' in Salesforce.com.  You have two options.  One option is to find and rename the user with the duplicate 'Username' in the other Salesforce.com tenant, if you administer that other tenant as well.  The other option is to remove access from the Microsoft Entra user to the Salesforce.com tenant with which your directory is integrated.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


  2. Raja Pothuraju 24,290 Reputation points Microsoft External Staff Moderator
    2025-07-01T03:17:10.9666667+00:00

    Hello Osis, Andrejs,

    Usually when this happens, the root cause is that the role currently in Salesforce with that name is not the same role that previously had it. Each role has a unique identifier (think of it like a sourceAnchor). In Salesforce, this attribute is called id.

    When roles are imported from a SaaS app into Entra, the only supported action for conflicts like this is Create — there’s no built-in logic to match or update roles with the same name but a different ID.

    What likely happened here is:

    Originally, there was a role in Salesforce named “Contract Manager” with an ID (for example) 12345.

    You imported this role to Entra, so Entra has it stored with that ID.

    Later, in Salesforce, the role with ID 12345 was deleted or renamed, and a new role named “Contract Manager” was created with a different ID — say, 67890.

    When AADSC (the Salesforce connector) runs, it sees the new role in Salesforce (67890), but in Entra there is no role with that ID. It tries to create the new role, but encounters a duplicate attribute conflict, because a role with the same displayName already exists — but with a different anchor/ID (12345).

    Since the current role import logic doesn’t automatically resolve this mismatch, the sync keeps failing.

    Right now, you see only one role in Entra named “Contract Manager”, but its anchor (ID) doesn’t match the new Salesforce role.

    To resolve this, you need to delete the existing app role in Entra so that on the next sync cycle, the connector can successfully create the new role with the correct ID.

    You can use either the manifest or Graph Explorer to disable and delete the existing role. Follow the steps in this Microsoft documentation to delete the app role safely: Delete roles - Enterprise app role management

    After you delete the conflicting role, the next sync will create the new role with the correct ID.
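
The disable-then-delete procedure described in the answer above, as an added example that is not part of the original thread or of any Microsoft tooling. It assumes the service principal JSON has the shape returned by `GET /servicePrincipals/{id}?$select=id,displayName,appRoles`; the service principal id is the one quoted in the quarantine message, while the role ids, values and descriptions in the sample are constructed placeholders. The example computes both PATCH bodies offline; `patch_service_principal` is the only network call and is never invoked unless you supply a token for an account with `Application.ReadWrite.All`.

```python
"""Two-step removal of a stale app role on an Entra service principal.

A PATCH to /servicePrincipals/{id} replaces the whole appRoles collection,
and Graph refuses to drop a role that is still enabled, so removal is:
  1. PATCH appRoles with the target role(s) set to isEnabled=false
  2. PATCH appRoles with the target role(s) omitted
Both payloads are built here from a copy of the current collection so the
other roles on the service principal are carried over untouched.
"""
import copy
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample in the shape Graph returns for
# GET /servicePrincipals/{id}?$select=id,displayName,appRoles
# The service principal id is the one from the quarantine message; the
# role ids, values and descriptions are placeholders, not real tenant data.
SAMPLE_SP = {
    "id": "a5043b43-b995-491d-9470-6e697650013c",
    "displayName": "Salesforce Sandbox SSO",
    "appRoles": [
        {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Contract Manager",
         "value": "ContractManager", "description": "Imported from Salesforce",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
        {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Standard User",
         "value": "StandardUser", "description": "Imported from Salesforce",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
        {"id": "00000000-0000-0000-0000-000000000003", "displayName": "User",
         "value": None, "description": "Default access role",
         "isEnabled": True, "allowedMemberTypes": ["User"]},
    ],
}


def find_roles(app_roles, display_name):
    """Return every app role whose displayName matches exactly (Graph compares the string as-is)."""
    return [r for r in app_roles if r.get("displayName") == display_name]


def disable_payload(app_roles, role_ids):
    """Full appRoles collection with the target roles disabled (step 1)."""
    roles = copy.deepcopy(app_roles)
    for r in roles:
        if r["id"] in role_ids:
            r["isEnabled"] = False
    return {"appRoles": roles}


def delete_payload(app_roles, role_ids):
    """Full appRoles collection with the target roles omitted (step 2).

    Refuses to build the payload while a target is still enabled, because
    Graph rejects that PATCH; run the disable step first.
    """
    for r in app_roles:
        if r["id"] in role_ids and r.get("isEnabled", True):
            raise RuntimeError(f"app role {r['id']} is still enabled; disable it first")
    return {"appRoles": [copy.deepcopy(r) for r in app_roles if r["id"] not in role_ids]}


def plan_removal(sp, display_name):
    """Compute the two PATCH bodies for every role named display_name on sp."""
    targets = {r["id"] for r in find_roles(sp["appRoles"], display_name)}
    if not targets:
        raise ValueError(f"no app role named {display_name!r} on service principal {sp['id']}")
    step1 = disable_payload(sp["appRoles"], targets)
    # Build step 2 from the disabled collection so the enabled-check passes.
    step2 = delete_payload(step1["appRoles"], targets)
    return step1, step2


def patch_service_principal(sp_id, token, body):
    """Send one PATCH to Graph (needs Application.ReadWrite.All). Network call; not run here."""
    req = urllib.request.Request(
        f"{GRAPH}/servicePrincipals/{sp_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # Graph answers 204 No Content on success
        return resp.status


if __name__ == "__main__":
    step1, step2 = plan_removal(SAMPLE_SP, "Contract Manager")
    print(json.dumps(step1, indent=2))
    print(json.dumps(step2, indent=2))
```

Before sending the second PATCH, list `GET /servicePrincipals/{id}/appRoleAssignedTo` and remove any assignment whose `appRoleId` is one of the targets, so no user or group is left assigned to a role that no longer exists; the provisioning job then recreates the role from Salesforce with its current id on the next cycle.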

