Entra Connect Sync duplicated UPN

Question

Hi&nbsp;I had Entra Connect running for a long time without issues. Out of the blue Connect Sync started to report&nbsp;Duplicate Attribute on 3 users&nbsp;User Principal Name.&nbsp;The 3 users, Connect Sync believe has a conflicting value in Entra, do exist in Entra, but with a smtp address which matches the UPN, and is&nbsp;not the the users UPN.&nbsp;&nbsp;If i run the following command on my on-prem AD the UPN does not exist in any form of domain name:&nbsp;Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}Get-ADUser -Filter {UserPrincipalName -eq "e-mail@domain.local"}Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}&nbsp;All my users UPN are different from the configured on-prem ProxyAddresses so the above error mesage makes no sense. And futher more the 3 users which sync sees as a conflict do not even has a ProxyAddresses configured.&nbsp;Any ideas how to futher debug this?&nbsp;/Robert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

micheleariis · Answer

Hi, did you also check the exchange contacts?

rvilhelmsen · Answer

I have no on-prem exchange. All mailboxes exist in M365.

lainrobertson · Answer

RVilhelmsen&nbsp;&nbsp;Hi, Robert.&nbsp;I'm assuming this is being reported within AAD Connect on the export cycle of the Azure AD tenant connector.&nbsp;If so, then I'm also going to assume it's showing as an 'AttributeValueMustBeUnique' error.&nbsp;If the above holds true, then the error is accurate and within the error is a "detail" button, which when clicked opens a new window with greater detail. Part of that detail is 'ObjectInConflictId' GUID.&nbsp;This GUID is the objectId (or simply "id" if using Graph) of the existing Azure AD object (most likely a user object but doesn't have to be), and it's this explicit Azure AD object you should be checking for the conflict.&nbsp;The Get-ADUser commands you've listed will not help diagnose Azure AD objects as those commands face the on-premise environment. Keeping in mind that the on-premise attributes are not written back to, then what exists on-premise does not necessarily reflect what's in Azure - which is even more true for proxyAddresses, which exists as something called a "shadow attribute".&nbsp;Rather, if you're going to use PowerShell for checking Azure objects, you should be using the current commandlets from the Microsoft.Graph.* suite of modules (such as Get-MgUser for user objects).&nbsp;It's also important to note that the Azure ID object in conflict does not have to originate from on-premise via AAD Connect. It could just as easily be an Azure-only object created/updated manually by an administrator (be that directly or via a script).&nbsp;When checking the Azure AD object in conflict, you want to be checking all the name-based addressing attributes, such as:&nbsp;imAddresses;mail;proxyAddresses;userPrincipalName.&nbsp;Cheers,Lain

rvilhelmsen · Answer

Thanks for the very good explanation. You are indeed right and will search for the GUI in Azure.

rvilhelmsen · Answer

Found the error. The error message detail window was a bit misleading, i think.Error message: Object With Conflicting Attribute.It complained UPN was identical with "Object With Conflicting Attribute" and listed a user object with a identical UPN. So far, so good.But it also listed a user object under "Existing Object" with a complete different UPN and GUID. I thought, it was this user object there was a conflict with, but indeed it was not.The conflicting user object was under deleted users. As soon as i permanant deleted the deleted user object Azure Connect sync synced with success.I don´t know why Connect Sync/Azure reports back a "Existing object" which has nothing to do with the sync errors.

Forum Discussion

Entra Connect Sync duplicated UPN

Share

Resources