Errors can occur when identity data is synced from Windows Server Active Directory to Azure Active Directory (Azure AD). This article provides an overview of the different types of sync errors, some of the possible scenarios that cause them, and potential ways to fix them. It covers the common error types and might not cover every possible error.

This article assumes you're familiar with the underlying design concepts of Azure AD and Azure AD Connect.

With the latest version of Azure AD Connect (August 2016 or later), a Synchronization Errors Report is available in the Azure portal as part of Azure AD Connect Health for sync.

Starting September 1, 2016, Azure AD duplicate attribute resiliency is enabled by default for all new Azure AD tenants. This feature is automatically enabled for existing tenants.

Azure AD Connect performs three types of operations on the directories it keeps in sync: Import, Synchronization, and Export. Errors can occur in all three operations. This article mainly focuses on errors during export to Azure AD.

Errors during export to Azure AD

The following section describes the types of synchronization errors that can occur during the export operation to Azure AD by using the Azure AD connector. You can identify this connector by its name format, contoso.onmicrosoft.com. An error during export to Azure AD indicates that an operation such as add, update, or delete attempted by Azure AD Connect (sync engine) against Azure AD failed.

Diagram that shows the export errors overview.

Data mismatch errors

This section discusses data mismatch errors.

InvalidSoftMatch

Description

  • When Azure AD Connect (sync engine) instructs Azure AD to add or update objects, Azure AD matches the incoming object by comparing its sourceAnchor attribute with the immutableId attribute of objects in Azure AD. This match is called a hard match.
  • When Azure AD doesn't find any object whose immutableId attribute matches the sourceAnchor attribute of the incoming object, it falls back to the proxyAddresses and userPrincipalName attributes to find a match before it provisions a new object. This match is called a soft match. The soft match links objects already present in Azure AD (that are sourced in Azure AD) with the new objects being added or updated during synchronization that represent the same entity (such as a user or group) on-premises.
  • The InvalidSoftMatch error occurs when the hard match doesn't find any matching object and the soft match finds a matching object, but that object has a different immutableId value than the incoming object's sourceAnchor attribute. This mismatch suggests that the matching object was already synced from another object in on-premises Active Directory.

In other words, for the soft match to work, the object to be soft-matched with shouldn't have any value for the immutableId attribute. If an object that already has the immutableId attribute set fails the hard match but satisfies the soft-match criteria, the operation results in an InvalidSoftMatch synchronization error.

Azure AD schema doesn't allow two or more objects to have the same value for the following attributes. This list isn't exhaustive:

  • proxyAddresses
  • userPrincipalName
  • onPremisesSecurityIdentifier
  • objectId

Azure AD duplicate attribute resiliency is also being rolled out as the default behavior of Azure AD. This feature reduces the number of synchronization errors seen by Azure AD Connect and other sync clients. It makes Azure AD more resilient in the way it handles duplicated proxyAddresses and userPrincipalName attributes present in on-premises Active Directory environments.

This feature doesn't fix the duplication errors, so the data still needs to be fixed. But it allows provisioning of new objects that are otherwise blocked from being provisioned because of duplicated values in Azure AD. This capability also reduces the number of synchronization errors returned to the synchronization client.

Note

If Azure AD duplicate attribute resiliency is enabled for your tenant, you won't see the InvalidSoftMatch synchronization errors that otherwise occur during provisioning of new objects.

Example scenarios for an InvalidSoftMatch error

  • Two or more objects with the same value for the proxyAddresses attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  • Two or more objects with the same value for the userPrincipalName attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  • An object was added in on-premises Active Directory with the same value for the proxyAddresses attribute as that of an existing object in Azure AD. The object added on-premises isn't getting provisioned in Azure AD.
  • An object was added in on-premises Active Directory with the same value for the userPrincipalName attribute as that of an account in Azure AD. The object isn't getting provisioned in Azure AD.
  • A synced account was moved from Forest A to Forest B. Azure AD Connect (sync engine) was using the objectGUID attribute to compute the sourceAnchor attribute. After the forest move, the value of the sourceAnchor attribute is different. The new object from Forest B fails to sync with the existing object in Azure AD.
  • A synced object was accidentally deleted from on-premises Active Directory and a new object was created in Active Directory for the same entity (such as a user) without deleting the account in Azure AD. The new account fails to sync with the existing Azure AD object.
  • Azure AD Connect was uninstalled and reinstalled. During the reinstallation, a different attribute was chosen as the sourceAnchor attribute. All the objects that had previously synced stopped syncing with the InvalidSoftMatch error.

Example case

  1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of contoso.com.
  2. Bob Smith's user principal name is set as bobs@contoso.com.
  3. The sourceAnchor attribute of "abcdefghijklmnopqrstuv==" is calculated by Azure AD Connect by using Bob Smith's objectGUID attribute from on-premises Active Directory. This value is the immutableId attribute for Bob Smith in Azure AD.
  4. Bob also has the following values for the proxyAddresses attribute:
    • smtp:bobs@contoso.com
    • smtp:bob.smith@contoso.com
    • smtp:bob@contoso.com
  5. A new user, Bob Taylor, is added to the on-premises Active Directory.
  6. Bob Taylor's user principal name is set as bobt@contoso.com.
  7. The sourceAnchor attribute of "abcdefghijkl0123456789==" is calculated by Azure AD Connect by using Bob Taylor's objectGUID attribute from on-premises Active Directory. Bob Taylor's object hasn't synced to Azure AD yet.
  8. Bob Taylor has the following values for the proxyAddresses attribute:
    • smtp:bobt@contoso.com
    • smtp:bob.taylor@contoso.com
    • smtp:bob@contoso.com
  9. During sync, Azure AD Connect recognizes the addition of Bob Taylor in on-premises Active Directory and asks Azure AD to make the same change.
  10. Azure AD first performs a hard match. That is, it searches for any object with the immutableId attribute equal to "abcdefghijkl0123456789==". The hard match fails because no object in Azure AD has that immutableId value.
  11. Azure AD then performs a soft match to find Bob Taylor. That is, it searches for any object with proxyAddresses values equal to any of the three values, including smtp:bob@contoso.com.
  12. Azure AD finds that Bob Smith's object matches the soft-match criteria. But this object has immutableId = "abcdefghijklmnopqrstuv==", which indicates that it was synced from a different object in on-premises Active Directory. Azure AD can't soft match these objects, so an InvalidSoftMatch sync error is thrown.

Fix the InvalidSoftMatch error

The most common reason for the InvalidSoftMatch error is two objects with different sourceAnchor (immutableId) attributes that have the same value for the proxyAddresses or userPrincipalName attributes, which are used during the soft-match process in Azure AD. To fix the InvalidSoftMatch error:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should not have it. Make the change in the directory from which the object is sourced. In some cases, you might need to delete one of the objects in conflict.
  4. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change.

Sync error reports within Azure AD Connect Health for sync are updated every 30 minutes and include the errors from the latest synchronization attempt.

Note

The immutableId attribute, by definition, shouldn't change during the lifetime of the object. But Azure AD Connect might not have been configured with some of the scenarios in the preceding list in mind. In that case, Azure AD Connect might calculate a different sourceAnchor value for the Active Directory object that represents the same entity (same user, group, or contact) as an existing Azure AD object that you want to continue using.
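The following PowerShell is an added example and is not part of the original article. It shows how the default sourceAnchor is derived (the base64 encoding of the 16 raw bytes of objectGUID, which is also what a ms-DS-ConsistencyGuid seeded from objectGUID encodes to) and why a cross-forest move or a re-created account, as in the scenarios above, no longer hard matches the immutableId already stored in Azure AD. The two GUIDs are constructed sample values; the commented Get-ADUser call assumes the ActiveDirectory (RSAT) module and a default sourceAnchor configuration.

```powershell
# Added example, not from the original article. Derives the default sourceAnchor from an
# objectGUID and compares it with the immutableId held in Azure AD.
# Assumes the default sourceAnchor (objectGUID, or ms-DS-ConsistencyGuid seeded from it).

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect base64-encodes the raw GUID bytes, not the GUID's string form.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Only a value that decodes to exactly 16 bytes can be a GUID-based anchor.
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' is not a GUID-based sourceAnchor" }
    [guid]::new($bytes)
}

function Test-SourceAnchorMatch {
    # $true when the on-premises object would hard match the cloud object.
    param(
        [Parameter(Mandatory)][guid]$OnPremObjectGuid,
        [Parameter(Mandatory)][string]$CloudImmutableId
    )
    # base64 is case-sensitive, so compare case-sensitively.
    (ConvertTo-ImmutableId $OnPremObjectGuid) -ceq $CloudImmutableId
}

# Constructed sample: the same person re-created in Forest B gets a new objectGUID,
# so the anchor computed for the new object differs from the one Azure AD already holds.
$forestAGuid      = [guid]'4fa2b5e1-9c1d-4d7b-8f0e-2a6c3d9e7b10'
$forestBGuid      = [guid]'0b1e8d3f-6a2c-4e51-9d77-c4f2a1b3e5d6'
$cloudImmutableId = ConvertTo-ImmutableId $forestAGuid

"Forest A anchor        : $cloudImmutableId"
"Forest B anchor        : $(ConvertTo-ImmutableId $forestBGuid)"
"Hard match, original   : $(Test-SourceAnchorMatch -OnPremObjectGuid $forestAGuid -CloudImmutableId $cloudImmutableId)"
"Hard match, after move : $(Test-SourceAnchorMatch -OnPremObjectGuid $forestBGuid -CloudImmutableId $cloudImmutableId)"
"Cloud anchor decodes to: $(ConvertFrom-ImmutableId $cloudImmutableId)"

# Against a live domain (requires RSAT), compare a user's computed anchor with the
# immutableId shown for the matching cloud object in the Connect Health report:
# $u = Get-ADUser -Identity bobt -Properties objectGUID, 'mS-DS-ConsistencyGuid'
# ConvertTo-ImmutableId $u.ObjectGUID
```

If a tenant shows an immutableId that does not decode to 16 bytes, the anchor was not derived from objectGUID (for example, a custom attribute was chosen during a reinstall, which is the last scenario listed above), and the function throws rather than guessing.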

Related article

Duplicate or invalid attributes forestall directory synchronization in Microsoft 365

ObjectTypeMismatch

Description

When Azure AD attempts to soft match two objects, it's possible that two objects of different object type, such as user, group, or contact, have the same values for the attributes used to perform the soft match. Because duplication of these attributes isn't permitted in Azure AD, the operation can result in an ObjectTypeMismatch sync error.

Example scenario for an ObjectTypeMismatch error

A mail-enabled security group is created in Microsoft 365. The admin then adds a new user or contact in on-premises Active Directory, not yet synced to Azure AD, with the same proxyAddresses value as the Microsoft 365 group.

Example case

  1. An admin creates a new mail-enabled security group in Microsoft 365 for the Tax department and gives it the email address tax@contoso.com. This group is assigned the proxyAddresses attribute value smtp:tax@contoso.com.
  2. A new user joins Contoso.com and an account is created for the user on-premises with the proxyAddresses attribute smtp:tax@contoso.com.
  3. When Azure AD Connect syncs the new user account, it gets the ObjectTypeMismatch error.
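To make the matching order concrete for both the InvalidSoftMatch walkthrough (Bob Smith and Bob Taylor) and the ObjectTypeMismatch walkthrough (the Tax group), the following PowerShell is an added example, not code from the original article or from Azure AD Connect. It is a local model of the decision Azure AD makes on export: hard match on immutableId first, then soft match on proxyAddresses or userPrincipalName, then the checks that produce the two errors. The tenant contents and the incoming objects are constructed from the article's sample values; nothing in it contacts Azure AD, and it deliberately ignores duplicate attribute resiliency and the admin-role restriction described later in this article.

```powershell
# Added example, not from the original article: a local model of Azure AD's export-time
# matching. Returns the article's error names for constructed sample data.

function Resolve-ExportMatch {
    param(
        [Parameter(Mandatory)][hashtable]$Incoming,   # on-premises object as the sync engine would export it
        [Parameter(Mandatory)][hashtable[]]$Cloud     # objects already present in the tenant
    )
    # 1. Hard match: sourceAnchor against immutableId (case-sensitive, base64).
    $hard = $Cloud | Where-Object { $_.immutableId -and ($_.immutableId -ceq $Incoming.sourceAnchor) }
    if ($hard) { return [pscustomobject]@{ Result = 'HardMatch'; Matched = $hard.displayName } }

    # 2. Soft match: same userPrincipalName, or any shared proxyAddresses value (case-insensitive).
    $soft = @($Cloud | Where-Object {
        ($Incoming.userPrincipalName -and ($_.userPrincipalName -eq $Incoming.userPrincipalName)) -or
        (@($_.proxyAddresses | Where-Object { $Incoming.proxyAddresses -contains $_ }).Count -gt 0)
    })
    if ($soft.Count -eq 0) { return [pscustomobject]@{ Result = 'Provisioned'; Matched = $null } }

    foreach ($c in $soft) {
        # A candidate of a different object type cannot be the same entity.
        if ($c.objectType -ne $Incoming.objectType) {
            return [pscustomobject]@{ Result = 'ObjectTypeMismatch'; Matched = $c.displayName }
        }
        # A candidate that already carries an immutableId was synced from some other
        # on-premises object, so Azure AD refuses to re-anchor it.
        if ($c.immutableId) {
            return [pscustomobject]@{ Result = 'InvalidSoftMatch'; Matched = $c.displayName }
        }
    }
    # Cloud-only object with no anchor: the soft match succeeds and the anchor is written.
    [pscustomobject]@{ Result = 'SoftMatch'; Matched = $soft[0].displayName }
}

# Constructed tenant state using the article's sample values.
$cloud = @(
    @{ objectType='user';  displayName='Bob Smith'; userPrincipalName='bobs@contoso.com'
       immutableId='abcdefghijklmnopqrstuv=='
       proxyAddresses=@('smtp:bobs@contoso.com','smtp:bob.smith@contoso.com','smtp:bob@contoso.com') },
    @{ objectType='group'; displayName='Tax'; userPrincipalName=$null
       immutableId=$null; proxyAddresses=@('smtp:tax@contoso.com') }
)

# Incoming objects: Bob Taylor from the first walkthrough, and a user that reuses the
# Tax group's address from the second (the anchor value for that user is constructed).
$bobTaylor = @{ objectType='user'; displayName='Bob Taylor'; userPrincipalName='bobt@contoso.com'
                sourceAnchor='abcdefghijkl0123456789=='
                proxyAddresses=@('smtp:bobt@contoso.com','smtp:bob.taylor@contoso.com','smtp:bob@contoso.com') }
$taxUser   = @{ objectType='user'; displayName='Tax Mailbox'; userPrincipalName='taxuser@contoso.com'
                sourceAnchor='zyxwvutsrqponmlkjihgfe=='; proxyAddresses=@('smtp:tax@contoso.com') }

Resolve-ExportMatch -Incoming $bobTaylor -Cloud $cloud   # Result InvalidSoftMatch, Matched Bob Smith
Resolve-ExportMatch -Incoming $taxUser   -Cloud $cloud   # Result ObjectTypeMismatch, Matched Tax
```

The order of the checks is the point: the objectType comparison runs before the immutableId comparison, so a user colliding with a synced group is reported as ObjectTypeMismatch even though that group also carries an anchor, and a candidate is only soft-matched (and re-anchored) when it is both the same type and cloud-only.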

Fix the ObjectTypeMismatch error

The most common reason for the ObjectTypeMismatch error is that two objects of different type, such as user, group, or contact, have the same value for the proxyAddresses attribute. To fix the ObjectTypeMismatch error:

  1. Identify the duplicated proxyAddresses (or other attribute) value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should not have it. Make the change in the directory from which the object is sourced. In some cases, you might need to delete one of the objects in conflict.
  4. If you made the change in on-premises AD, let Azure AD Connect sync the change. The sync error report in Azure AD Connect Health for sync is updated every 30 minutes and includes the errors from the latest synchronization attempt.

Duplicate attributes

This section discusses duplicate attribute errors.

AttributeValueMustBeUnique

Description

Azure AD schema doesn't allow two or more objects to have the same value for the following attributes. Each object in Azure AD is forced to have a unique value for these attributes at any given instant:

  • mail
  • proxyAddresses
  • signInName
  • userPrincipalName

If Azure AD Connect attempts to add a new object or update an existing object with a value for one of the preceding attributes that's already assigned to another object in Azure AD, the operation results in the AttributeValueMustBeUnique sync error.

Possible scenario

A duplicate value is assigned to an already synced object, which conflicts with another synced object.

Example case

  1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of contoso.com.
  2. Bob Smith's user principal name on-premises is set as bobs@contoso.com.
  3. Bob also has the following values for the proxyAddresses attribute:
    • smtp:bobs@contoso.com
    • smtp:bob.smith@contoso.com
    • smtp:bob@contoso.com
  4. A new user, Bob Taylor, is added to on-premises Active Directory.
  5. Bob Taylor's user principal name is set as bobt@contoso.com.
  6. Bob Taylor has the following values for the proxyAddresses attribute:
    • smtp:bobt@contoso.com
    • smtp:bob.taylor@contoso.com
  7. Bob Taylor's object is synced with Azure AD successfully.
  8. The admin decides to update Bob Taylor's proxyAddresses attribute with the following value:
    • smtp:bob@contoso.com
  9. Azure AD Connect attempts to update Bob Taylor's object in Azure AD with the preceding value, but the operation fails because that proxyAddresses value is already assigned to Bob Smith. The result is an AttributeValueMustBeUnique error.

Fix the AttributeValueMustBeUnique error

The most common reason for the AttributeValueMustBeUnique error is that two objects with different sourceAnchor (immutableId) attributes have the same value for the proxyAddresses or userPrincipalName attributes. To fix the AttributeValueMustBeUnique error:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which object should not.
  3. Remove the duplicated value from the object that should not have it. Make the change in the directory from which the object is sourced. In some cases, you might need to delete one of the objects in conflict.
  4. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change for the error to be fixed.

Related article

Duplicate or invalid attributes prevent directory synchronization in Microsoft 365

Data validation failures

This section discusses data validation failures.

IdentityDataValidationFailed

Description

Azure AD enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions ensure that end users get the best possible experience while using the applications that depend on this data.

Scenarios

  • The userPrincipalName attribute value has invalid or unsupported characters.
  • The userPrincipalName attribute doesn't follow the required format.

The result of the preceding scenarios is an IdentityDataValidationFailed error.

Fix the IdentityDataValidationFailed error

Ensure that the userPrincipalName attribute contains only supported characters and follows the required format.
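Checking every synced UPN before export is cheaper than waiting for the error report. The following PowerShell is an added example and not part of the original article. It validates a userPrincipalName against the user-part character set, the no-leading-or-trailing-period rule, the 64/48/113 character limits and DNS syntax for the domain part. Those rules are assumptions taken from the Microsoft 365 provisioning article linked below, not from this page; verify them against the current version of that article before relying on the result. Whether the domain is verified in the tenant is not checked here. The sample inputs are constructed.

```powershell
# Added example, not from the original article. Flags userPrincipalName values that would
# fail Azure AD's data validation. Character set and length limits are assumptions from
# the linked Microsoft 365 provisioning guidance; verify them before use.

function Test-UpnFormat {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $problems = [System.Collections.Generic.List[string]]::new()

    $parts = $UserPrincipalName -split '@'
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        $problems.Add("must contain exactly one '@' with text on both sides")
        return [pscustomobject]@{ UPN = $UserPrincipalName; Valid = $false; Problems = $problems }
    }
    $user, $domain = $parts

    if ($UserPrincipalName.Length -gt 113) { $problems.Add('total length exceeds 113 characters') }
    if ($user.Length -gt 64)               { $problems.Add('user part exceeds 64 characters') }
    if ($domain.Length -gt 48)             { $problems.Add('domain part exceeds 48 characters') }

    # Assumed supported set for the user part; spaces, commas, diacritics etc. are rejected.
    $bad = [regex]::Matches($user, "[^A-Za-z0-9._'!#^~-]") | ForEach-Object { $_.Value } | Select-Object -Unique
    if ($bad) { $problems.Add("unsupported character(s) in user part: $($bad -join ' ')") }
    if ($user.StartsWith('.') -or $user.EndsWith('.')) { $problems.Add('user part must not start or end with a period') }

    # Domain part: DNS label syntax with at least one dot. Whether it is a verified
    # tenant domain is decided by Azure AD, not here.
    if ($domain -notmatch '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$') {
        $problems.Add('domain part is not a valid DNS name')
    }

    [pscustomobject]@{ UPN = $UserPrincipalName; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed inputs: the first passes, each of the others breaks one rule.
@('bob.taylor@contoso.com', 'bob taylor@contoso.com', 'bob@contoso', '.bob@contoso.com', ('a' * 65 + '@contoso.com')) |
    ForEach-Object { Test-UpnFormat $_ } |
    Format-Table UPN, Valid, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize

# Live sweep of on-premises users (requires RSAT); only failures are returned:
# Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
#     ForEach-Object { Test-UpnFormat $_.userPrincipalName } | Where-Object { -not $_.Valid }
```

Keep the allowed set in one place, as the function does, so that when Microsoft changes the supported characters you change one regex rather than hunting through scripts.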

Related article

Prepare to provision users through directory synchronization to Microsoft 365

Deletion access violation and password access violation errors

Azure Advertizement protects deject-just objects from being updated through Azure AD Connect. While it isn't possible to update these objects through Azure AD Connect, calls tin exist made direct to the AADConnect cloud-side back finish to attempt to alter cloud-only objects. When doing so, the following errors can be returned:

  • This synchronization operation, Delete, isn't valid. Contact Technical Support.
  • Unable to process this update because one or more deject-only users' credential update is included in the electric current request.
  • Deleting a cloud-simply object isn't supported. Contact Microsoft Customer Back up.
  • The password change request can't be executed considering it contains changes to one or more deject-only user objects, which isn't supported. Contact Microsoft Customer Support.

LargeObject or ExceededAllowedLength

This section discusses LargeObject or ExceededAllowedLength errors.

Description

When an attribute exceeds the allowed size limit, length limit, or count limit set by the Azure AD schema, the synchronization operation results in a LargeObject or ExceededAllowedLength sync error. Typically, this error occurs for the following attributes:

  • userCertificate
  • userSMIMECertificate
  • thumbnailPhoto
  • proxyAddresses

Azure AD doesn't impose limits per attribute, except for a hard-coded limit of 15 certificates in the userCertificate attribute and up to 100 attributes for directory extensions with a maximum of 250 characters for each directory extension. There's a size limit for the whole object. When Azure AD Connect tries to sync an object that exceeds this object size limit, an export error is thrown.

All attributes contribute to the object's final size. Some attributes have different weight multipliers because of additional processing overhead. An example is indexed values. Also, different cloud services, service plans, and licenses might be assigned to the account, which consume even more attributes and contribute to the overall size of the object.

It isn't possible to determine exactly how many entries an attribute can hold in Azure AD, for example, how many SMTP addresses can fit in the proxyAddresses attribute. The amount depends on the size and multiplying factors of all the attributes populated in the object.

Possible scenarios

  • Bob's userCertificate attribute is storing too many certificates assigned to Bob. These certificates might include older, expired certificates. The hard limit is 15 certificates. For more information on how to handle LargeObject errors with the userCertificate attribute, see Handling LargeObject errors caused by userCertificate attribute.
  • Bob's userSMIMECertificate attribute is storing too many certificates assigned to Bob. These certificates might include older, expired certificates. The hard limit is 15 certificates.
  • Bob's thumbnailPhoto attribute set in Active Directory is too large to be synced to Azure AD.
  • During automatic population of the proxyAddresses attribute in Active Directory, an object has too many proxyAddresses values assigned.

The following examples demonstrate the different weights of attributes like userCertificate and proxyAddresses:

  • A synced user that doesn't have any attributes populated other than the mandatory Active Directory attributes and mail might be able to sync up to 332 proxy addresses.
  • For a similar synced user that has a mailNickName attribute, plus 10 user certificates, the maximum number of proxy addresses decreases to 329.
  • For a similar synced user with 10 user certificates plus, for instance, 4 subscriptions assigned (with all service plans enabled), the maximum number of proxy addresses decreases to 311.
  • Now take the preceding user, which already holds the maximum number of proxy addresses, and say you need to add one more SMTP address. To reach 312 proxy addresses, you would need to remove at least three user certificates (depending on the size of the certificates).

Note

These numbers can vary slightly. As a rule of thumb, it's safer to assume that the limit of SMTP addresses in the proxyAddresses attribute is approximately 300 addresses, to leave room for future growth of the object and its populated attributes.

Fix the LargeObject or ExceededAllowedLength error

Review the user properties and remove attribute values that might no longer be required. Examples include revoked or expired certificates and outdated or unnecessary addresses, such as SMTP, X.400, X.500, MSMail, and CcMail.
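For the userCertificate case, which has the only hard count limit named in this article, the review can be scripted. The following PowerShell is an added example and not part of the original article: it decodes every value in a user's userCertificate attribute, reports subject, expiry and size, warns when the 15-certificate limit is exceeded, and, only when the -Remove switch is given, strips the expired values with Set-ADUser -Remove so the valid ones are untouched. It assumes the ActiveDirectory (RSAT) module and write access to the user; the identity bobt is a placeholder.

```powershell
# Added example, not from the original article. Reports and optionally removes expired
# certificates from a user's userCertificate attribute (LargeObject remediation).
# Requires the ActiveDirectory module. Run without -Remove first and review the output.

function Get-UserCertificateReport {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Remove      # actually strip expired certificates; default is report only
    )
    $user = Get-ADUser -Identity $Identity -Properties userCertificate, proxyAddresses
    $now  = Get-Date

    $report = foreach ($raw in @($user.userCertificate)) {
        if ($null -eq $raw) { continue }
        # Each value is a DER-encoded certificate. A blob that does not parse is reported
        # but never selected for removal, so corrupt data is not silently discarded.
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
                NotAfter   = $cert.NotAfter;   Expired = ($cert.NotAfter -lt $now)
                Bytes      = $raw.Length;      Raw     = $raw
            }
        } catch {
            [pscustomobject]@{ Thumbprint = '(unparseable)'; Subject = $_.Exception.Message
                               NotAfter = $null; Expired = $false; Bytes = $raw.Length; Raw = $raw }
        }
    }

    $expired = @($report | Where-Object Expired)
    Write-Host ("{0}: {1} certificate(s), {2} expired, {3} proxy address(es)" -f
        $user.SamAccountName, @($report).Count, $expired.Count, @($user.proxyAddresses).Count)
    if (@($report).Count -gt 15) {
        Write-Warning 'More than 15 certificates: export to Azure AD fails until some are removed.'
    }

    if ($Remove -and $expired.Count -gt 0) {
        # -Remove with the exact byte values deletes only those entries from the multi-valued attribute.
        $toRemove = [System.Collections.Generic.List[byte[]]]::new()
        foreach ($e in $expired) { $toRemove.Add([byte[]]$e.Raw) }
        Set-ADUser -Identity $user -Remove @{ userCertificate = $toRemove.ToArray() }
        Write-Host "Removed $($toRemove.Count) expired certificate(s) from $($user.SamAccountName)"
    }

    $report | Select-Object Thumbprint, Subject, NotAfter, Expired, Bytes
}

# Report only, then remove once the list has been reviewed:
# Get-UserCertificateReport -Identity bobt
# Get-UserCertificateReport -Identity bobt -Remove
```

Expired is the only criterion applied here. Revoked certificates, which the article also lists as candidates, need an out-of-band check against the issuing CA, and an expired certificate may still be wanted for decrypting old S/MIME mail, so the report step exists precisely so a person decides before anything is removed.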

Existing Admin Function Conflict

Description

An Existing Admin Office Conflict sync error occurs on a user object during synchronization when that user object has:

  • Administrative permissions.
  • The same userPrincipalName attribute as an existing Azure AD object.

Azure AD Connect isn't allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. This restriction prevents an on-premises account that merely shares a userPrincipalName from being matched onto, and thereby taking control of, a privileged cloud account. For more information, see Azure AD userPrincipalName population.

Screenshot that shows the number of Existing Admin Role Conflict sync errors.

Fix the Existing Admin Role Conflict error

To resolve this issue:

  1. Remove the Azure AD account (owner) from all admin roles.
  2. Hard delete the quarantined object in the cloud.
  3. The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user is no longer an admin.
  4. Restore the role memberships for the owner.
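Steps 1 and 4 are where mistakes happen in practice: a role that was removed and not put back, or put back on the wrong object. The following PowerShell is an added example, not part of the original article, that uses the Microsoft Graph PowerShell SDK to record every active directory-role membership of the cloud user to a file, remove them, and later restore exactly that list. Steps 2 and 3 (hard deleting the quarantined object and letting a sync cycle run) are not automated here. It assumes Connect-MgGraph has already been run with RoleManagement.ReadWrite.Directory, and it covers only active role memberships, not PIM eligible assignments; admin@contoso.com and the backup path are placeholders.

```powershell
# Added example, not from the original article. Records, removes and restores a cloud
# user's active directory-role memberships around the soft-match procedure above.
# Assumes Connect-MgGraph with RoleManagement.ReadWrite.Directory. PIM eligible
# assignments are not returned by these calls and must be handled separately.

function Export-DirectoryRoleMembership {
    # Returns the user's active directory roles and writes them to a JSON backup file.
    param(
        [Parameter(Mandatory)][string]$UserId,       # object ID or UPN of the cloud user
        [Parameter(Mandatory)][string]$BackupPath
    )
    $roles = @(Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { [pscustomobject]@{ RoleId = $_.Id; DisplayName = $_.AdditionalProperties['displayName'] } })
    # -InputObject keeps an empty or single-element list as a JSON array.
    ConvertTo-Json -InputObject $roles | Set-Content -Path $BackupPath
    $roles
}

function Remove-DirectoryRoleMembership {
    # Step 1: take the user out of every role in the recorded list.
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][object[]]$Roles)
    $user = Get-MgUser -UserId $UserId
    foreach ($r in $Roles) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.RoleId -DirectoryObjectId $user.Id
        Write-Host "Removed $($user.UserPrincipalName) from $($r.DisplayName)"
    }
}

function Restore-DirectoryRoleMembership {
    # Step 4: put back exactly the roles recorded in the backup file.
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][string]$BackupPath)
    $user  = Get-MgUser -UserId $UserId
    $roles = @(Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)
    foreach ($r in $roles) {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.RoleId `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
        Write-Host "Restored $($user.UserPrincipalName) to $($r.DisplayName)"
    }
}

# Step 1, before steps 2 and 3 from the procedure:
# $roles = Export-DirectoryRoleMembership -UserId 'admin@contoso.com' -BackupPath .\admin-roles.json
# Remove-DirectoryRoleMembership -UserId 'admin@contoso.com' -Roles $roles
# Step 4, once the next sync cycle has soft matched the on-premises user:
# Restore-DirectoryRoleMembership -UserId 'admin@contoso.com' -BackupPath .\admin-roles.json
```

Run the export and removal from a second, unaffected administrator account: the account losing its roles is the one being matched, and if it is the only Global Administrator you will not be able to restore it from itself. Keep the backup file somewhere the restore step can read it after the sync cycle.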

Note

You can assign the administrative role to the existing user object again after the soft match between the on-premises user object and the Azure AD user object has finished.

  • Locate Active Directory objects in Active Directory Administrative Center
  • Query Azure AD for an object by using Azure AD PowerShell
  • End-to-end troubleshooting of Azure AD Connect objects and attributes
  • Azure AD Troubleshooting