Azure AD Connect: Correct Or Remove Duplicate Values

KB ID 0001588

Problem

I was doing some work for a school recently. Their staff were already using Office 365 and the tenancy was fully set up; now they wanted to roll Office 365 out to the pupils and sync it with their on-premises Active Directory.

We could simply have excluded the staff from the Azure AD Connect sync, but they wanted to manage passwords and so on on-premises. Microsoft's guidance is that if you DON'T have an on-premises Exchange (they didn't), you just enter the correct email address on the on-premises user object and the matching accounts will soft-match and sync. That is not what happened; instead I got this:

ADSync duplicate attribute value

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[
  {"Key":"ObjectId","Value":["6ef8d8d0-2893-4d46-83e3-bf819ea607d2"]},
  {"Key":"ObjectIdInConflict","Value":["56a72044-de5b-43ce-82b1-edb82c80395e"]},
  {"Key":"AttributeConflictName","Value":["ProxyAddresses"]},
  {"Key":"AttributeConflictValues","Value":["SMTP:username@domain-name.com"]}
]

OK, I've worked A LOT with Exchange, and I know that proxyAddresses and the email address (the mail attribute) are related but are not the same AD attribute; soft matching keys on the primary SMTP: entry in proxyAddresses, not on mail. But populating that didn't fix the problem either.
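The error above tells you to find the objects in your local directory that carry the same value. The script below is an added example, not code from the original post: it reports every on-premises object that claims the same SMTP address, treating SMTP:/smtp: and case differences as the same address and counting a bare mail attribute as well (Azure AD Connect's default inbound rules fold mail into proxyAddresses as SMTP:<mail>). The sample objects and the school.example domain are constructed so the function can be exercised without a domain; the live query at the end assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original post: report on-premises objects that share
# an SMTP address, the condition the "duplicate attribute value" error points at.
# The live query at the end assumes the ActiveDirectory RSAT module; the sample
# objects are constructed so the function can be exercised without a domain.

function Find-DuplicateSmtpAddress {
    param(
        # Directory objects carrying mail and/or proxyAddresses (users, contacts, groups).
        [Parameter(Mandatory)] [object[]] $Objects
    )
    $seen = @{}   # lower-cased address -> list of object identifiers that carry it

    foreach ($o in $Objects) {
        # Identify the object by sAMAccountName where present, else by DN or name.
        $id = @($o.SamAccountName, $o.DistinguishedName, $o.Name) | Where-Object { $_ } | Select-Object -First 1

        $addresses = @()
        # proxyAddresses may be $null, one string, or a collection. -match is case-insensitive,
        # so 'SMTP:' (primary) and 'smtp:' (secondary) are both collected; X500:/SIP: entries are ignored.
        foreach ($pa in @($o.proxyAddresses)) {
            if ($pa -and $pa -match '^smtp:(.+)$') { $addresses += $Matches[1] }
        }
        # The default inbound sync rules project mail into proxyAddresses as SMTP:<mail>,
        # so a bare mail attribute collides just like an explicit proxy address.
        if ($o.mail) { $addresses += $o.mail }

        foreach ($a in $addresses) {
            $key = $a.Trim().ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = [System.Collections.Generic.List[string]]::new() }
            if (-not $seen[$key].Contains($id)) { $seen[$key].Add($id) }
        }
    }

    foreach ($kv in $seen.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{ Address = $kv.Key; Count = $kv.Value.Count; Objects = ($kv.Value -join ', ') }
        }
    }
}

# Constructed sample: three objects end up claiming jsmith@school.example.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';   mail = 'jsmith@school.example'; proxyAddresses = @('SMTP:jsmith@school.example', 'smtp:john.smith@school.example') }
    [pscustomobject]@{ SamAccountName = 'jsmith2';  mail = $null;                   proxyAddresses = @('smtp:JSmith@school.example') }
    [pscustomobject]@{ SamAccountName = 'staff-dl'; mail = 'jsmith@school.example'; proxyAddresses = $null }
    [pscustomobject]@{ SamAccountName = 'adoe';     mail = 'adoe@school.example';   proxyAddresses = @('SMTP:adoe@school.example') }
)
Find-DuplicateSmtpAddress -Objects $sample | Format-Table -AutoSize

# Against the live directory. Groups and contacts carry proxyAddresses too, which is the
# distribution-group case one of the comments below describes, so query all object classes:
# Import-Module ActiveDirectory
# Find-DuplicateSmtpAddress -Objects (Get-ADObject -LDAPFilter '(|(mail=*)(proxyAddresses=*))' -Properties sAMAccountName, mail, proxyAddresses)
```

Run against the sample, the only row reported is jsmith@school.example held by jsmith, jsmith2 and staff-dl. Against a real forest, run it before changing anything: the portal fix in the next section only helps when the conflict is between an unsynced on-premises object and an existing cloud object, not when two on-premises objects genuinely share an address.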

Solution

We are syncing on-premises Active Directory to Azure Active Directory, and we DON'T want to change anything on site. So logically, wherever the 'fix' is, it will be in Azure: what the portal does is match the unsynced on-premises object to the existing cloud user, rather than deleting or recreating anything. (If you only ever use the Office 365 portal, buckle up.)

Within Office 365 Admin > Admin Centers > Azure Active Directory.

Admin Center Azure Active Directory

Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.

ADConnect Health

Sync errors.

Sync Errors

Duplicate Attribute.

AD Connect Duplicate attribute

Select the affected user(s) > Troubleshoot.

AD Connect Fix Duplicate attribute

Double check that it is the same user! The fix binds the on-premises account to the selected cloud account and its mailbox, so if you pick the wrong one, that person's on-premises credentials now control somebody else's cloud identity, and all manner of carnage will unfold. Yes > Apply Fix > Confirm.

ADConnect Fix SMTP Proxy Error

Now wait for the next Azure AD Connect sync cycle (every 30 minutes by default), or force one manually with the ADSync PowerShell module (Start-ADSyncSyncCycle). The errors should then cease; if a delta sync still reports errors for the affected object, run one full (Initial) sync.
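The same match can be done from PowerShell, which is useful when the Troubleshoot button is greyed out, as a couple of the comments below report. The script here is an added example and not the post's or Microsoft's code: it sets the cloud object's ImmutableId to the Base64 form of the on-premises objectGUID (Azure AD Connect's default source anchor), which is what the portal fix amounts to, then forces a sync cycle. It assumes the ActiveDirectory, Microsoft.Graph.Users and ADSync modules, Graph consent for User.ReadWrite.All, and that the two names passed in are the same person; jsmith and school.example are constructed placeholders. The "double check it is the same user" step is made explicit as a primary-SMTP comparison, and the script refuses to re-anchor an object that is already synced or already anchored elsewhere.

```powershell
# Added example, not part of the original post: scripted hard match of an unsynced
# on-premises user to its existing cloud-only account, then a forced sync cycle.
# Assumes the ActiveDirectory, Microsoft.Graph.Users and ADSync modules, Graph consent
# for User.ReadWrite.All, and that the two identities are the same person
# (the names used at the bottom are constructed placeholders).

function ConvertTo-ImmutableId {
    # Azure AD Connect's default sourceAnchor: the on-premises objectGUID, Base64 encoded.
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction, to see which objectGUID a cloud object is already anchored to.
    param([Parameter(Mandatory)] [string] $ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Get-PrimarySmtp {
    # The primary SMTP address is the upper-case 'SMTP:' proxy address; fall back to mail.
    param([Parameter(Mandatory)] [object] $User)
    $primary = @($User.proxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    return $User.mail
}

function Invoke-HardMatch {
    param(
        [Parameter(Mandatory)] [string] $OnPremSamAccountName,
        [Parameter(Mandatory)] [string] $CloudUserPrincipalName
    )
    $onPrem     = Get-ADUser -Identity $OnPremSamAccountName -Properties mail, proxyAddresses
    $expectedId = ConvertTo-ImmutableId -ObjectGuid $onPrem.ObjectGUID
    $cloud      = Get-MgUser -UserId $CloudUserPrincipalName -Property Id, UserPrincipalName, Mail, OnPremisesImmutableId, OnPremisesSyncEnabled

    # Guard rails: this binds one identity to another, so refuse anything ambiguous.
    if ($cloud.OnPremisesSyncEnabled) {
        throw "$CloudUserPrincipalName is already a synced object; fix the on-premises duplicate instead of re-anchoring it."
    }
    if ($cloud.OnPremisesImmutableId -and $cloud.OnPremisesImmutableId -ne $expectedId) {
        $other = ConvertFrom-ImmutableId -ImmutableId $cloud.OnPremisesImmutableId
        throw "$CloudUserPrincipalName is already anchored to objectGUID $other; refusing to re-point it."
    }
    # The "double check it is the same user" step, done on the primary SMTP address.
    $onPremPrimary = Get-PrimarySmtp -User $onPrem
    if (-not $onPremPrimary -or $onPremPrimary -ne $cloud.Mail) {
        throw "Primary SMTP mismatch: on-prem '$onPremPrimary' vs cloud '$($cloud.Mail)'. Verify this is the same person before continuing."
    }

    if ($cloud.OnPremisesImmutableId -eq $expectedId) {
        return "ImmutableId already set on $CloudUserPrincipalName; nothing to do."
    }
    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expectedId
    return "Anchored $CloudUserPrincipalName to objectGUID $($onPrem.ObjectGUID) (ImmutableId $expectedId)."
}

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Invoke-HardMatch -OnPremSamAccountName 'jsmith' -CloudUserPrincipalName 'jsmith@school.example'

# Force the sync rather than waiting for the scheduler; run this part on the Azure AD Connect server.
Import-Module ADSync
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
Start-ADSyncSyncCycle -PolicyType Delta   # use -PolicyType Initial for a full sync if a delta still reports errors
```

Two caveats from the comments below apply equally here: if the conflicting cloud object is soft-deleted, restore it or permanently delete it first, because the match cannot be applied to a deleted object; and if a delta sync still reports errors afterwards, run one full sync. ConvertFrom-ImmutableId is also the quickest way to settle the puzzle in the eleventh comment: decode the cloud object's current anchor and compare it with the on-premises objectGUID before assuming they should be equal.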

Related Articles, References, Credits, or External Links

AAD Contains Another Object With The Same DN

Author: PeteLong


17 Comments

  1. Same issue for me supporting a company, but I get a "User with conflicting attribute is soft deleted in Azure Active Directory. Ensure the user is hard deleted before retrying" error when I try to apply the fix. How should that be resolved without losing any data?

    • Same here. Have case open with MS on this and hoping for an update tomorrow. Having followed the guide and got the soft delete warning I found my O365 account in the deleted Users folder 🙁

      • Hello Mike,

        Did you get a solution with MS? We have the same issue.

        Many Thanks in advance !

        Corrado

  2. Thank you Pete for another great post! I had exactly the same scenario and this worked like a BOSS! I tried the MS suggested fix and also did nothing for me.

  3. Thank you Pete.
    I tried to fix it before with PowerShell and it didn't work for me. Exactly the same issue with one account only.
    After these simple steps everything synchronized and works well!

  4. Thank you, your article led me to the resolution. For me the Troubleshoot link wasn't active, but looking at the Duplicate Error part in your post I saw that the object was related to a distribution group where the owner was the dupe UPN. Thanks!!

  5. Does this preserve the mailbox if the account was created in the cloud?

    • Yes, it does preserve the mailbox, since it basically adds an immutableID property (translated version of the on-prem ExchangeGUID) to the cloud object. This allows it to do a proper match between the on-prem and cloud object, just allows it to sync without an error. It doesn’t delete or break the cloud object, so your cloud mailbox will become a synced object without breaking the mail functionality.

  6. Thanks for this article!! I had exactly the same problem, but now it works.

  7. Hi Pete, your solution worked perfectly!

  8. Great and detailed post! The explanation solved my (same) issue.

    Many thanks!!

  9. Why would the Troubleshoot button be greyed out?

  10. Do you guys know what permission or role needs to be granted to an account to be able to do this fix? My Troubleshoot button is greyed out. Hoping someone can respond ASAP.

  11. Just a note that doing a delta sync still gave me some weird errors, so make sure to do a full sync after making these changes. Also I have no idea why the source anchor immutable ID was different from the on-prem AD user object's GUID. I used the base64 converter on their object GUID and made the one in Azure match, but the source anchor on premises was actually a different string, which had me puzzled!! Great fix!

  12. I have the same errors in Synchronization Service Manager, but in Azure AD / Entra I get 0 sync errors..

