How Azure AD can help clean up data in your on-premises Active Directory
Published Oct 11 2018 09:00 AM 22K Views

Howdy folks,

If you are like many of our customers, the data in your on-premises Active Directory (AD) probably isn’t exactly pristine. It’s not unusual to find issues—like duplicate UPNs and overlapping proxy addresses—that create errors when you use Azure AD Connect to synchronize on-premises identity data with Azure AD.

Today Rob de Jong, program manager on the Identity Services team, walks you through our new duplicate attribute error feature for Azure AD that helps identify and resolve some of these issues.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

===============================================

Hello folks!

Duplicate attribute errors are one of the most prevalent issues customers run into when using Azure AD Connect to synchronize their on-premises identity data with Azure AD. You see these errors when you attempt to synchronize a user’s on-premises AD account to Azure AD, but Azure AD Connect can’t sync the user object because one or more of its attribute values conflict with an attribute value on an existing user object in Azure AD. These errors show up in your Azure AD Health report in the Azure AD Admin portal, and trigger notification emails from the Azure AD Health Service.

To diagnose and resolve these issues, you need to compare the data for the conflicting objects in both your on-premises AD and Azure AD. Then you need to update the erroneous on-premises AD attribute data for the conflicting user object. This is a lot of work, especially if you need to do this for many user objects.

Today, we are introducing a new feature to help you diagnose and resolve duplicate attribute sync errors in the Azure AD Connect Health portal in less time. The duplicate attribute error feature, now generally available, lets you troubleshoot conflicting attributes and, in many cases, resolve the conflict directly from the portal.

During the public preview of this feature, hundreds of customers tried it out and many of them cleaned ALL their duplicate attribute sync errors in just a couple of hours. Just last week, we saw over 2,000 sync errors fixed by customers using this feature.

How the duplicate attribute error feature works

The following example illustrates how to find and resolve a duplicate attribute error:

I have two users in my on-premises Active Directory, “David B. Williams” and “David Williams,” and both synced to Azure AD. Unfortunately, when I updated the proxy address of “David B. Williams,” I accidentally entered the proxy address of “David Williams,” and this resulted in a duplicate attribute error when Azure AD Connect attempted to update “David B. Williams” in Azure AD. Using the duplicate attribute error feature, I found, diagnosed, and fixed this issue.

My first step was to go to the Connect Health sync error blade in the Azure AD Admin portal. On that blade, I can see all the synchronization issues in my tenant, including 16 duplicate attribute errors:

[Screenshot: Duplicate attribute error feature 1.png]

When I click the Duplicate Attribute Error button, an overview of all objects with duplicate attribute errors is displayed:

[Screenshot: Duplicate attribute error feature 2.png]

To diagnose the duplicate attribute error of David B. Williams, I click that line to display the error details. I can see the details of the existing object in Azure AD along with the details of the object I’m trying to add. I also see that the “Proxy Address” attribute is flagged. When I examine this attribute, I find that the existing object, “David Williams,” already uses the proxy address “SMTP: david@fabtoso.com.” Since Proxy Address attribute values need to be unique in Azure AD, I cannot update the proxy address of “David B. Williams” in Azure AD with that same value:

[Screenshot: Duplicate attribute error feature 3.png]

Now that I have identified the problem, I need to find the root cause so I can fix it. To analyze the error, I click the Troubleshoot icon at the top of this blade to display the Troubleshoot wizard blade. On this blade, I’m asked whether the Azure AD user with UPN “david@fabtoso.com” exists in my on-premises AD. To verify this, I copy and execute the PowerShell cmdlet provided there. In this example, “david@fabtoso.com” does exist in my on-premises AD, so I answer Yes.

[Screenshot: Duplicate attribute error feature 4.png]

Based on my answer, the wizard tells me how to resolve the error. In this case, it says that I should remove the duplicate value from the conflicting user object in my on-premises AD:

[Screenshot: Duplicate attribute error feature 5.png]

After I update the conflicting user object in my on-premises AD, I have to wait for the next synchronization cycle to complete. Once it has, I can return to the Connect Health portal, where I see that this issue is resolved.
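The on-premises side of the procedure above, as an added PowerShell example that is not part of the original post or of the Connect Health feature itself: it runs the wizard's "does this UPN exist on-premises?" check, audits the whole directory for proxy addresses and UPNs shared by more than one user (the post only shows the single David Williams case), and previews removing the conflicting value. It assumes the ActiveDirectory RSAT module is installed and that David B. Williams has the SamAccountName 'dbwilliams'; the stored proxy address is assumed to be 'SMTP:david@fabtoso.com' (the post renders it with a space).

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# RSAT module; 'dbwilliams' is an assumed SamAccountName for David B. Williams.
Import-Module ActiveDirectory

# 1. The Troubleshoot wizard's question: does the Azure AD user's UPN exist on-premises?
$upn = 'david@fabtoso.com'
$match = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties proxyAddresses
if ($match) { "UPN $upn exists on-premises as $($match.DistinguishedName)" }
else        { "UPN $upn not found on-premises" }

# 2. Find proxy addresses and UPNs carried by more than one on-premises user.
#    Values are compared case-insensitively: Azure AD requires the address itself
#    to be unique, regardless of the 'SMTP:' (primary) / 'smtp:' (alias) prefix case.
$users = Get-ADUser -Filter * -Properties proxyAddresses, UserPrincipalName

$dupAddresses = $users |
    ForEach-Object {
        $u = $_
        foreach ($addr in $u.proxyAddresses) {
            [pscustomobject]@{ Value = $addr.ToLowerInvariant(); User = $u.SamAccountName }
        }
    } |
    Group-Object Value | Where-Object Count -gt 1

$dupUpns = $users | Where-Object UserPrincipalName |
    Group-Object { $_.UserPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1

foreach ($g in $dupAddresses) { "proxy address {0} is on: {1}" -f $g.Name, ($g.Group.User -join ', ') }
foreach ($g in $dupUpns)      { "UPN {0} is on: {1}" -f $g.Name, ($g.Group.SamAccountName -join ', ') }

# 3. The wizard's fix for this case: the address belongs to "David Williams", so
#    remove it from "David B. Williams". The value must match the stored string
#    exactly (assumed here to have no space after 'SMTP:'). -WhatIf previews the
#    change; drop it to apply, then wait for the next Azure AD Connect sync cycle
#    before rechecking the Connect Health sync error blade.
Set-ADUser -Identity 'dbwilliams' -Remove @{ proxyAddresses = 'SMTP:david@fabtoso.com' } -WhatIf
```

Running step 2 before enabling sync, or on a schedule afterwards, surfaces the conflicts Connect Health would otherwise report as duplicate attribute errors.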

In addition to using this feature to find and resolve on-premises data issues, you can also use it to find, troubleshoot, and fix duplicate object issues in Azure AD.

Summary

This feature enables easy and straightforward self-remediation of duplicate attribute value errors. Customers who have deployed Azure AD Connect can access this feature from the Connect Health sync error blade in the Azure AD portal.

For more details, please read our public documentation, which also covers a basic FAQ. If you have feedback or feature requests related to this new capability, please let us know in the Connect Health section of our feedback forum or feel free to email us. We always appreciate your feedback.

Rob de Jong (@rjong999)

Program Manager

Identity Services

3 Comments
Iron Contributor

Hello @Alex Simons (AZURE)

Any plan to support PTA soon?

Currently PTA is not integrated with Azure AD Connect Health

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitation...

Copper Contributor

Great blog, Alex.

Silver Contributor

This is nice, but it seems it's designed for super lazy admins, who haven't prepared before AD Connect with IdFix and then make such errors by adding conflicting SMTP values, etc. I doubt such admins will find this new feature anyway :) Usually it is pretty straightforward to go to local AD and fix conflicting values. Also, copying and running PowerShell commands, ugh. This just seems like a more tedious way to fix such issues than the usual way once you receive an email notification or see an error on the home screen of Admin Center.
