KB ID 0001588
Problem
I was doing some work for a School recently, their staff were already using Office 365 and their tenancy was all setup. Now they wanted to roll Office 365 out to the pupils, and sync to their on premises Active Directory.
Now we could have simply excluded the staff from the Azure AD Connect Sync, but they want to manage their passwords etc. on-premises. Microsoft will tell you if you DON’T have an on-premises Exchange (they didn’t), then you simply need to enter the correct email address on the user object and the correct accounts will match up and sync, however they did not, this happened instead;
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[{“Key”:”ObjectId”,”Value”:[“6ef8d8d0-2893-4d46-83e3-bf819ea607d2”]},{“Key”:”ObjectIdInConflict”,”Value”:[“56a72044-de5b-43ce-82b1-edb82c80395e”]},{“Key”:”AttributeConflictName”,”Value”:[“ProxyAddresses”]},{“Key”:”AttributeConflictValues”,”Value”:[“SMTP:username@domain-name.com“]}]
OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but not the same AD attribute. But changing that didn’t fix the problem either?
Solution
Well we are syncing on-premises Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)
Within Office 365 Admin > Admin Centers > Azure Active Directory.
Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.
Sync errors.
Duplicate Attribute.
Select the affected user(s) > Troubleshoot.
Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.
Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.
Related Articles, References, Credits, or External Links
AAD Contains Another Object With The Same DN
14/05/2020
Same issue for me supporting a company, but get a “User with conflicting attribute is soft deleted in Azure Active Directory. Ensure the user is hard deleted before retrying” error when I try to apply the fix. How should that be resolved without losing any data?
25/11/2020
Same here. Have case open with MS on this and hoping for an update tomorrow. Having followed the guide and got the soft delete warning I found my O365 account in the deleted Users folder 🙁
07/01/2022
Hello Mike,
did you get a solution with MS ? We have the same issue.
Many Thanks in advance !
Corrado
06/07/2020
Thank you Pete for another great post! I had exactly the same scenario and this worked like a BOSS! I tried the MS suggested fix and also did nothing for me.
07/07/2020
Thanks Justin
20/12/2020
Thank you Pete.
I tried to fix it before with powershell and it doesn’t work me. Exactly the same issue with one account only.
After this simple steps everything synchronized and work well!
12/02/2021
Thank you , your article led me to the resolution – for me I didnt have the troubleshoot link active but looking at Duplicate Error part in your post I saw that the object was related to a distribution group where the owner was the dupe UPN. Thanks!!
23/02/2021
Does this preserve the mailbox if the account is created in cloud?
25/02/2021
I can’t answer sorry.
29/06/2022
Yes, it does preserve the mailbox, since it basically adds an immutableID property (translated version of the on-prem ExchangeGUID) to the cloud object. This allows it to do a proper match between the on-prem and cloud object, just allows it to sync without an error. It doesn’t delete or break the cloud object, so your cloud mailbox will become a synced object without breaking the mail functionality.
05/03/2021
thaaanks for this article!! i had exactly the same problem, but now it works.
16/09/2021
Hi Pete, your solution worked perfectly!
25/05/2022
Great and detailed post! The explanation solved my (same) issue.
Many thanks!!
21/09/2022
Why would the Troubleshoot button be greyed out?
28/03/2023
Do you guys know what permission or role needed to grant on an account to be able to do this Fix. My Troubleshoot button is greyed out. Hoping someone can respond ASAP
07/07/2023
Just a note that doing a delta sync still gave me some weird errors, so make sure to do a full sync after making these changes. Also I have no idea why the source anchor immutable ID was different onprem AD for the user object’s Guid. I used the base64 converter on their object guid, and made the one in Azure match, but the source anchor on premise was actually a different string which had me puzzled!! Great fix!
15/03/2024
I have the same errors ons Synchronization Service Manager, but in AzureAD / Entra i get 0 sync errors..