Azure AD Connect: Troubleshoot Sync Errors - Microsoft Entra (2023)


Errors can occur when identity data is synchronized from Windows Server Active Directory to Azure Active Directory (Azure AD). This article gives an overview of the different types of sync errors, some of the possible causes of each, and ways to fix them. It covers the common error types and does not cover every possible error.

This article assumes you are familiar with the basics of Azure AD and the Azure AD Connect design philosophy.

important

This article covers the most common synchronization errors. It is not possible to include every scenario in one document. For more information, including detailed troubleshooting steps, see the end-to-end troubleshooting of Azure AD Connect objects and attributes article and the User provisioning and synchronization section of the Azure AD troubleshooting documentation.

In the latest versions of Azure AD Connect (August 2016 or later), a sync error report is available in the Azure portal as part of Azure AD Connect Health for sync.

Starting September 1, 2016, the Azure AD duplicate attribute resiliency feature is enabled by default for all new Azure AD tenants. The feature is enabled automatically for existing tenants as well.

Azure AD Connect performs three types of operations from the directories it synchronizes: import, synchronization, and export. Errors may occur in all three operations. This article focuses on errors when exporting to Azure AD.

Error exporting to Azure AD

The following sections describe the different types of sync errors that can occur during the export operation to Azure AD through the Azure AD connector. You can identify this connector by its name, which has the format contoso.onmicrosoft.com - AAD. Errors during export to Azure AD indicate that an add, update, or delete operation attempted by Azure AD Connect (the sync engine) against Azure AD failed.


Data mismatch errors

This section discusses data mismatch errors.

InvalidSoftMatch

Description

  • When Azure AD Connect (the sync engine) instructs Azure AD to add or update an object, Azure AD takes the incoming object's sourceAnchor attribute and matches it against the ImmutableId attribute of the objects in Azure AD. This is called a hard match.
  • When Azure AD does not find any object whose ImmutableId matches the sourceAnchor of the incoming object, before provisioning a new object it falls back to using the proxyAddresses and userPrincipalName attributes to find a match. This is called a soft match. The soft match is designed to match objects that already exist in Azure AD (and originate in Azure AD) with new objects being added or updated during synchronization that represent the same entity (for example, users or groups) on-premises.
  • The InvalidSoftMatch error occurs when the hard match does not find a matching object and the soft match does find one, but that object has a different ImmutableId value than the incoming object's sourceAnchor. The mismatch indicates that the matching object is already synchronized with another object from on-premises Active Directory.

In other words, for a soft match to work, the object to be soft-matched must not have any value in its ImmutableId attribute. If an object that has an ImmutableId value fails the hard-match criteria but meets the soft-match criteria, the result is an InvalidSoftMatch sync error.

The Azure AD schema does not allow two or more objects to have the same value for the following attributes. This list is not exhaustive:

  • proxyAddresses
  • userPrincipalName
  • onPremisesSecurityIdentifier
  • objectId

Azure AD duplicate attribute resiliency is also being rolled out as the default behavior of Azure AD. This feature reduces the number of sync errors seen by Azure AD Connect and other sync clients by making Azure AD more resilient in the way it handles duplicate proxyAddresses and userPrincipalName values that exist in on-premises Active Directory environments.

The feature does not fix the duplication errors; the data still needs to be fixed. But it allows objects that would otherwise be blocked by the duplicate values to be provisioned in Azure AD, and it reduces the number of sync errors returned to the sync client.

notes

If duplicate attribute resiliency is enabled on your Azure AD tenant, you won't see the InvalidSoftMatch sync errors that otherwise appear when new objects are provisioned.

Sample InvalidSoftMatch error scenarios

  • Two or more objects with the same value for the proxyAddresses attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  • Two or more objects with the same value for the userPrincipalName attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
  • An object was added to on-premises Active Directory with the same proxyAddresses value as an object that already exists in Azure AD. The object added on-premises is not getting provisioned in Azure AD.
  • An object was added to on-premises Active Directory with the same userPrincipalName value as an account in Azure AD. The object is not getting provisioned in Azure AD.
  • A synced account was moved from Forest A to Forest B. Azure AD Connect (the sync engine) uses the objectGUID attribute to compute the sourceAnchor attribute. After the forest move, the sourceAnchor value is different. The new object from Forest B fails to sync with the existing Azure AD object.
  • A synced object was accidentally deleted from on-premises Active Directory and a new object was created in Active Directory for the same entity (for example, a user), but the account in Azure AD was not deleted. The new account fails to sync with the existing Azure AD object.
  • Azure AD Connect was uninstalled and reinstalled. During the reinstall, a different attribute was chosen as the sourceAnchor. All the objects that had previously synced stop syncing with an InvalidSoftMatch error.

Example case

  1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of contoso.com.
  2. Bob Smith's userPrincipalName is bobs@contoso.com.
  3. The sourceAnchor attribute "abcdefghijklmnopqrstuv==" is calculated by Azure AD Connect from Bob Smith's objectGUID attribute in on-premises Active Directory. This value is the ImmutableId attribute of Bob Smith in Azure AD.
  4. Bob also has the following values for the proxyAddresses attribute:
    • smtp: bobs@contoso.com
    • smtp: bob.smith@contoso.com
    • smtp: bob@contoso.com
  5. A new user, Bob Taylor, is added to on-premises Active Directory.
  6. Bob Taylor's userPrincipalName is bobt@contoso.com.
  7. The sourceAnchor attribute "abcdefghijkl0123456789==" is calculated by Azure AD Connect from Bob Taylor's objectGUID attribute in on-premises Active Directory. Bob Taylor's object has NOT synced to Azure AD yet.
  8. Bob Taylor has the following values for the proxyAddresses attribute:
    • smtp: bobt@contoso.com
    • smtp: bob.taylor@contoso.com
    • smtp: bob@contoso.com
  9. During sync, Azure AD Connect recognizes the addition of Bob Taylor in on-premises Active Directory and asks Azure AD to make the same change.
  10. Azure AD first performs a hard match. That is, it searches for an object whose ImmutableId is equal to "abcdefghijkl0123456789==". The hard match fails because no object in Azure AD has that ImmutableId.
  11. Azure AD then attempts to soft-match Bob Taylor. That is, it searches for an object whose proxyAddresses attribute contains any of the three values, including smtp: bob@contoso.com.
  12. Azure AD finds the Bob Smith object, which matches the soft-match criteria. But this object has ImmutableId = "abcdefghijklmnopqrstuv==", which indicates that it is already synchronized with another object from on-premises Active Directory. Azure AD cannot soft-match these objects, so it returns an InvalidSoftMatch sync error.

Fix the InvalidSoftMatch error

The most common cause of the InvalidSoftMatch error is two objects with different sourceAnchor (ImmutableId) values that have the same value for the proxyAddresses or userPrincipalName attribute used during the soft match in Azure AD. To fix the InvalidSoftMatch error:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that is causing the error. Also identify which two (or more) objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which should not.
  3. Remove the duplicated value from the object that should NOT have it. Make the change in the directory the object originates from. In some cases you may need to delete one of the objects in conflict.
  4. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change.

The sync error report in Azure AD Connect Health for sync is updated every 30 minutes and includes the errors from the latest sync attempt.

notes

The ImmutableId attribute, by definition, should not change during the lifetime of the object. But Azure AD Connect may not have been configured with some of the scenarios in the list above in mind. In those cases, Azure AD Connect can calculate a different sourceAnchor value for an Active Directory object that represents the same entity (the same user, group, or contact) as an existing Azure AD object that you want to keep using.

Related articles

Duplicate or invalid attributes prevent directory synchronization in Microsoft 365

ObjectTypeMismatch

Description

When Azure AD attempts to soft-match two objects, two objects of different object types (such as user, group, or contact) can have the same value for the attributes used for the soft match, for example proxyAddresses. Because Azure AD does not allow duplicates of those attributes, the operation can result in an ObjectTypeMismatch sync error.

Sample ObjectTypeMismatch error scenario

A mail-enabled security group is created in Microsoft 365. The admin then adds a new user or contact in on-premises Active Directory (which has not synced to Azure AD yet) with the same proxyAddresses value as the Microsoft 365 group.

Example case

  1. An admin creates a new mail-enabled security group in Microsoft 365 for the Tax department and provides the email address tax@contoso.com. The group is assigned the proxyAddresses value smtp: tax@contoso.com.
  2. A new user joins Contoso.com, and an account is created on-premises for the user with the proxyAddresses value smtp: tax@contoso.com.
  3. When Azure AD Connect syncs the new user account, it gets an ObjectTypeMismatch error.

Fix the ObjectTypeMismatch error

The most common cause of the ObjectTypeMismatch error is two objects of different types (user, group, contact, and so on) that have the same value for the proxyAddresses attribute. To fix the ObjectTypeMismatch error:

  1. Identify the duplicated proxyAddresses (or other attribute) value that is causing the error. Also identify which two (or more) objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which should not.
  3. Remove the duplicated value from the object that should NOT have it. Make the change in the directory the object originates from. In some cases you may need to delete one of the objects in conflict.
  4. If you made the change in on-premises AD, let Azure AD Connect sync the change. The sync error report in Azure AD Connect Health for sync is updated every 30 minutes and includes the errors from the latest sync attempt.
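The hard-match and soft-match rules from the InvalidSoftMatch section, and the object-type check described just above, can be reproduced in a few lines of PowerShell. The following is an added example, not code from the article or from Microsoft; Azure AD's real matching implementation is not public, so the function follows only the rules the article states. The sample cloud objects and the incoming on-premises objects (Bob Smith, Bob Taylor, the Tax group, and a cloud-only user named Alice) are constructed. ConvertTo-SourceAnchor shows the default sourceAnchor computation (Base64 of the objectGUID bytes), which is what you compare against ImmutableId when investigating a conflict.

```powershell
# Added example (not from the original article): a model of the hard-match / soft-match
# decision, run against constructed data. It mirrors the rules the article describes.
# Requires PowerShell 5.1 or later.

function ConvertTo-SourceAnchor {
    # Azure AD Connect's default sourceAnchor is the Base64 encoding of the on-premises
    # objectGUID bytes; that same string is stored as ImmutableId in Azure AD.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-NormalizedAddress {
    # proxyAddresses values carry a type prefix ("SMTP:", "smtp:", "X500:"); the soft match
    # is on the address itself, so strip the prefix and compare case-insensitively.
    param([string[]]$ProxyAddresses)
    foreach ($p in $ProxyAddresses) { ($p -replace '^\s*[^:]+:\s*', '').ToLowerInvariant() }
}

function Resolve-AzureADMatch {
    param(
        [Parameter(Mandatory)][hashtable]$Incoming,       # on-premises object: ObjectType, SourceAnchor, UserPrincipalName, ProxyAddresses
        [Parameter(Mandatory)][hashtable[]]$CloudObjects  # Azure AD objects: ObjectType, ImmutableId, UserPrincipalName, ProxyAddresses
    )
    # Step 1: hard match, ImmutableId equal to the incoming sourceAnchor.
    $hard = @($CloudObjects | Where-Object { $_.ImmutableId -and $_.ImmutableId -eq $Incoming.SourceAnchor })
    if ($hard.Count -gt 0) { return [pscustomobject]@{ Result = 'HardMatch'; Target = $hard[0].UserPrincipalName } }

    # Step 2: soft match on userPrincipalName or any shared proxy address.
    $inAddr = @(Get-NormalizedAddress $Incoming.ProxyAddresses)
    $soft = @($CloudObjects | Where-Object {
        $_.UserPrincipalName -eq $Incoming.UserPrincipalName -or
        (@(Get-NormalizedAddress $_.ProxyAddresses) | Where-Object { $inAddr -contains $_ })
    })
    if ($soft.Count -eq 0) { return [pscustomobject]@{ Result = 'NewObject'; Target = $null } }

    $candidate = $soft[0]
    # Different object classes (user vs group vs contact) sharing the value: ObjectTypeMismatch.
    if ($candidate.ObjectType -ne $Incoming.ObjectType) {
        return [pscustomobject]@{ Result = 'ObjectTypeMismatch'; Target = $candidate.ProxyAddresses -join ',' }
    }
    # Candidate already anchored to a different on-premises object: InvalidSoftMatch.
    if ($candidate.ImmutableId) {
        return [pscustomobject]@{ Result = 'InvalidSoftMatch'; Target = $candidate.UserPrincipalName }
    }
    # Cloud-only object with no ImmutableId: the soft match succeeds and the object is taken over.
    [pscustomobject]@{ Result = 'SoftMatch'; Target = $candidate.UserPrincipalName }
}

# Constructed sample data mirroring the article's example cases.
$cloud = @(
    @{ ObjectType = 'User';  UserPrincipalName = 'bobs@contoso.com';  ImmutableId = 'abcdefghijklmnopqrstuv=='
       ProxyAddresses = @('SMTP:bobs@contoso.com', 'smtp:bob.smith@contoso.com', 'smtp:bob@contoso.com') },
    @{ ObjectType = 'Group'; UserPrincipalName = $null; ImmutableId = $null; ProxyAddresses = @('SMTP:tax@contoso.com') },
    @{ ObjectType = 'User';  UserPrincipalName = 'alice@contoso.com'; ImmutableId = $null; ProxyAddresses = @('SMTP:alice@contoso.com') }
)
$bobTaylor = @{ ObjectType = 'User'; SourceAnchor = 'abcdefghijkl0123456789=='; UserPrincipalName = 'bobt@contoso.com'
                ProxyAddresses = @('SMTP:bobt@contoso.com', 'smtp:bob.taylor@contoso.com', 'smtp:bob@contoso.com') }
$taxUser   = @{ ObjectType = 'User'; SourceAnchor = (ConvertTo-SourceAnchor ([guid]::NewGuid()))
                UserPrincipalName = 'taxuser@contoso.com'; ProxyAddresses = @('SMTP:tax@contoso.com') }
$alice     = @{ ObjectType = 'User'; SourceAnchor = (ConvertTo-SourceAnchor ([guid]::NewGuid()))
                UserPrincipalName = 'alice@contoso.com'; ProxyAddresses = @('SMTP:alice@contoso.com') }

foreach ($obj in $bobTaylor, $taxUser, $alice) {
    $m = Resolve-AzureADMatch -Incoming $obj -CloudObjects $cloud
    '{0,-22} {1,-20} {2}' -f $obj.UserPrincipalName, $m.Result, $m.Target
}
```

Bob Taylor is reported as InvalidSoftMatch (Bob Smith shares bob@contoso.com and already has an ImmutableId), the Tax user as ObjectTypeMismatch (the only holder of tax@contoso.com is a group), and Alice as a plain SoftMatch because the cloud Alice has no ImmutableId and can be taken over. Against a real tenant, ImmutableId is the value to inspect, for example with Get-AzureADUser -ObjectId bobs@contoso.com | Select-Object UserPrincipalName, ImmutableId, and ConvertTo-SourceAnchor on the on-premises objectGUID gives you the value it should match.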

Duplicate attributes

This section discusses duplicate attribute errors.

AttributeValueMustBeUnique

Description

The Azure AD schema does not allow two or more objects to have the same value for the following attributes. Each object in Azure AD must have a unique value for these attributes at a given instance:

  • mail
  • proxyAddresses
  • mailNickName
  • userPrincipalName

If Azure AD Connect attempts to add a new object or update an existing object with a value for one of the above attributes that is already assigned to another object in Azure AD, the operation results in an AttributeValueMustBeUnique sync error.

Possible scenario

A duplicate value is assigned to an already-synced object, and the value conflicts with another already-synced object.

Example case

  1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of contoso.com.
  2. Bob Smith's on-premises UPN is bobs@contoso.com.
  3. Bob also has the following values for the proxyAddresses attribute:
    • smtp: bobs@contoso.com
    • smtp: bob.smith@contoso.com
    • smtp: bob@contoso.com
  4. A new user, Bob Taylor, is added to on-premises Active Directory.
  5. Bob Taylor's userPrincipalName is bobt@contoso.com.
  6. Bob Taylor has the following values for the proxyAddresses attribute:
    • smtp: bobt@contoso.com
    • smtp: bob.taylor@contoso.com
  7. Bob Taylor's object syncs to Azure AD successfully.
  8. The admin decides to update Bob Taylor's proxyAddresses attribute with the following additional value:
    • smtp: bob@contoso.com
  9. Azure AD attempts to update the Bob Taylor object in Azure AD with the value above, but the operation fails because that proxyAddresses value is already assigned to Bob Smith. The result is an AttributeValueMustBeUnique error.

Fix the AttributeValueMustBeUnique error

The most common cause of the AttributeValueMustBeUnique error is two objects with different sourceAnchor (ImmutableId) values that have the same value for the proxyAddresses or userPrincipalName attribute. To fix the AttributeValueMustBeUnique error:

  1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that is causing the error. Also identify which two (or more) objects are involved in the conflict. The report generated by Azure AD Connect Health for sync can help you identify the two objects.
  2. Identify which object should continue to have the duplicated value and which should not.
  3. Remove the duplicated value from the object that should NOT have it. Make the change in the directory the object originates from. In some cases you may need to delete one of the objects in conflict.
  4. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change to fix the error.
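Step 1 of this fix, and of the InvalidSoftMatch and ObjectTypeMismatch fixes above, is the same job: find every value of a uniqueness-constrained attribute that more than one on-premises object carries, and see which objects (and object classes) hold it. The Azure AD Connect Health report shows the conflict after it has failed; the following added example (not from the article or from Microsoft) finds it in on-premises Active Directory beforehand, across users, groups, and contacts in one LDAP query. It requires the ActiveDirectory RSAT module and PowerShell 5.1 or later; the attribute list and the default search base are assumptions you can override.

```powershell
# Added example (not part of the original article): scan on-premises AD for duplicate values of
# the attributes Azure AD requires to be unique, and flag which sync error each one will cause.

function Find-DuplicateSyncAttribute {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Attributes that must be unique across objects in Azure AD (see the list above).
        [string[]]$Attribute = @('proxyAddresses', 'userPrincipalName', 'mail', 'mailNickName')
    )
    # One LDAP query for any object class (user, group, contact) that has any of the attributes set.
    $filter  = '(|' + (($Attribute | ForEach-Object { "($_=*)" }) -join '') + ')'
    $objects = Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties $Attribute

    $index = @{}   # "attribute=value" -> record of the objects carrying that value
    foreach ($obj in $objects) {
        foreach ($attr in $Attribute) {
            foreach ($raw in @($obj.$attr)) {
                if ([string]::IsNullOrWhiteSpace("$raw")) { continue }
                # proxyAddresses entries carry a type prefix (SMTP:, smtp:, X500:); the conflict is on the
                # address itself, so strip the prefix and compare case-insensitively.
                $value = if ($attr -eq 'proxyAddresses') { "$raw" -replace '^[^:]+:', '' } else { "$raw" }
                $key = "$attr=$($value.ToLowerInvariant())"
                if (-not $index.ContainsKey($key)) {
                    $index[$key] = [pscustomobject]@{ Attribute = $attr; Value = $value; Holders = [System.Collections.Generic.List[object]]::new() }
                }
                $index[$key].Holders.Add($obj)
            }
        }
    }

    foreach ($entry in $index.Values) {
        # Count distinct objects: one object may legitimately hold both SMTP: and smtp: forms of an address.
        $holders = @($entry.Holders | Sort-Object DistinguishedName -Unique)
        if ($holders.Count -lt 2) { continue }
        $classes = @($holders.ObjectClass | Sort-Object -Unique)
        [pscustomobject]@{
            Attribute   = $entry.Attribute
            Value       = $entry.Value
            # Mixed object classes point at ObjectTypeMismatch; the same class points at InvalidSoftMatch
            # (if one object has not synced yet) or AttributeValueMustBeUnique (if both already have).
            LikelyError = if ($classes.Count -gt 1) { 'ObjectTypeMismatch' } else { 'InvalidSoftMatch or AttributeValueMustBeUnique' }
            Objects     = $holders | ForEach-Object {
                # sourceAnchor as Azure AD Connect computes it by default (Base64 of objectGUID), for comparison with ImmutableId.
                '{0} [{1}] sourceAnchor={2}' -f $_.DistinguishedName, $_.ObjectClass, [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
            }
        }
    }
}

# Usage: list every conflicting value together with the objects that carry it.
Find-DuplicateSyncAttribute | Format-List
```

Run it against the OUs that are in scope for Azure AD Connect (pass -SearchBase) so that objects filtered out of sync do not show up as false conflicts, and compare the sourceAnchor values it prints with the ImmutableId of the existing Azure AD object to decide which side is the survivor before you remove anything.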

Related articles

Duplicate or invalid attributes prevent directory synchronization in Microsoft 365

Data validation failures

This section discusses data validation errors.

IdentityDataValidationFailed

Description

Azure AD enforces various restrictions on the data itself before allowing it to be written into the directory. These restrictions are there to ensure that end users get the best possible experience in the applications that depend on this data.

Scenarios

  • The userPrincipalName attribute value has invalid or unsupported characters.
  • The userPrincipalName attribute does not follow the required format.

Either of the situations above results in an IdentityDataValidationFailed error.

Fix the IdentityDataValidationFailed error

Ensure that the userPrincipalName attribute contains only supported characters and follows the required format.

Related articles

Prepare to provision users through directory synchronization to Microsoft 365
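It is cheaper to catch a malformed userPrincipalName before export than to chase an IdentityDataValidationFailed error afterwards. The following added example (not from the article or from Microsoft) checks UPN values against the format rules that the "Prepare to provision users" guidance documents, as summarized in the code comments: exactly one @ that is not the first character, no spaces, only letters, digits and the characters ' . - _ ! # ^ ~ in the user part, no leading or trailing period, length limits of 113 characters in total (64 before and 48 after the @), and a routable domain that is verified in the tenant. Confirm those rules against the current Microsoft documentation before relying on them. The verified-domain list and the sample UPNs are constructed; the commented Get-ADUser line shows how to run the check against live on-premises data.

```powershell
# Added example (not part of the original article): validate userPrincipalName values against the
# documented Microsoft 365 sync rules before Azure AD Connect tries to export them.
# Requires PowerShell 5.1 or later.

function Test-SyncUserPrincipalName {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$VerifiedDomain   # domains verified in the Azure AD tenant (constructed list below)
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($UserPrincipalName.Length -gt 113) { $problems.Add('longer than 113 characters') }
    if ($UserPrincipalName -match '\s')    { $problems.Add('contains whitespace') }

    $parts = $UserPrincipalName.Split('@')
    if ($parts.Length -ne 2 -or $parts[0].Length -eq 0 -or $parts[1].Length -eq 0) {
        # Exactly one @, with a non-empty user part and domain part.
        $problems.Add('must be user@domain with exactly one @')
    } else {
        $local, $domain = $parts
        if ($local.Length -gt 64)  { $problems.Add('user part longer than 64 characters') }
        if ($domain.Length -gt 48) { $problems.Add('domain part longer than 48 characters') }
        # Allowed in the user part: letters, digits and ' . - _ ! # ^ ~ (nothing else, including non-ASCII letters).
        if ($local -notmatch '^[A-Za-z0-9''._!#^~-]+$') { $problems.Add('user part has unsupported characters') }
        if ($local.StartsWith('.') -or $local.EndsWith('.')) { $problems.Add('user part must not start or end with a period') }
        # A non-routable suffix such as .local is the classic cause; the domain has to be verified in the tenant.
        if ($VerifiedDomain -notcontains $domain) { $problems.Add("domain '$domain' is not a verified domain in the tenant") }
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Valid             = ($problems.Count -eq 0)
        Problems          = ($problems -join '; ')
    }
}

# Constructed inputs: a verified-domain list and a mix of good and bad UPNs.
$verified = @('contoso.com', 'contoso.co.uk')
@('bobs@contoso.com', 'bob smith@contoso.com', 'bob.@contoso.com', 'bob@contoso.local',
  'bob@@contoso.com', 'björn@contoso.com', ('b' * 70 + '@contoso.com')) |
    ForEach-Object { Test-SyncUserPrincipalName -UserPrincipalName $_ -VerifiedDomain $verified } |
    Format-Table -AutoSize

# Against live data (ActiveDirectory module), report only the offenders:
# Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
#     ForEach-Object { Test-SyncUserPrincipalName -UserPrincipalName $_.userPrincipalName -VerifiedDomain $verified } |
#     Where-Object { -not $_.Valid }
```

Only the first value in the constructed list passes; each of the others trips one of the rules (a space, a trailing period, the unverified contoso.local suffix, two @ signs, a non-ASCII letter, and a user part over 64 characters). Pull the verified-domain list from the tenant rather than hardcoding it when you run this for real, for example from Get-AzureADDomain, filtering on IsVerified.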

Fix access violation and password violation errors

Azure AD protects cloud-only objects from being updated through Azure AD Connect. While these objects cannot be updated through Azure AD Connect, calls can be made directly to the Azure AD Connect cloud-side backend to attempt to change cloud-only objects. When that happens, the following errors can be returned:

  • The sync operation "delete" is invalid. Contact support.
  • This update could not be processed because the current request contains at least one cloud-only user login update.
  • Cloud-only object deletion is not supported. Contact Microsoft Customer Service.
  • The password change request could not be completed because it contains an unsupported change to one or more cloud-only user objects. Contact Microsoft Customer Service.

LargeObject or ExceededAllowedLength

This section discusses LargeObject or ExceededAllowedLength errors.

Description

Sync operations result in a LargeObject or ExceededAllowedLength sync error when an attribute exceeds the allowed size, length, or count limit set by the Azure AD schema. Typically this error occurs for the following attributes:

  • userCertificate
  • userSMIMECertificate
  • thumbnailPhoto
  • proxyAddresses

Azure AD does not impose per-attribute limits, except for a hard-coded limit of 15 certificates in the userCertificate attribute and a maximum of 100 directory extension attributes, each with a maximum of 250 characters. There is, however, a size limit for the object as a whole. When Azure AD Connect attempts to sync an object that exceeds this object size limit, an export error is thrown.

All attributes contribute to the final size of the object. Some attributes have a different weighting factor because of additional processing overhead; indexed values are one example. Also, the different cloud services, service plans, and licenses assigned to accounts consume more attributes and increase the overall object size.

It is not possible to say exactly how many entries an attribute can store in Azure AD, for example how many SMTP addresses fit in the proxyAddresses attribute. The number depends on the size and multiplier of all the attributes populated on the object.

Possible scenarios

  • Bob's userCertificate attribute stores too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates. For more information on handling LargeObject errors with the userCertificate attribute, see Handling LargeObject errors caused by the userCertificate attribute.
  • Bob's userSMIMECertificate attribute stores too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates.
  • Bob's thumbnailPhoto attribute set in Active Directory is too large to be synced to Azure AD.
  • While the proxyAddresses attribute in Active Directory was being automatically populated, the object was assigned too many proxyAddresses values.

The following examples show the different weights of attributes such as userCertificate and proxyAddresses:

  • A synced user with no attributes populated other than the required Active Directory and Exchange attributes can sync up to 332 proxy addresses.
  • Having the mail alias (mailNickName) attribute plus 10 user certificates reduces the maximum number of proxy addresses to 329.
  • If a similar user syncs with 10 user certificates and, for example, 4 assigned subscriptions (with all service plans enabled), the maximum number of proxy addresses is reduced to 311.
  • Now take the previous user, who already has the maximum number of proxy addresses, and assume one more SMTP address needs to be added. To get to 312 proxy addresses, at least three user certificates would have to be removed (depending on the size of the certificates).

Notes

These numbers can vary slightly. As a rule of thumb, assume that SMTP addresses in the proxyAddresses attribute are limited to roughly 300 addresses, which leaves room for future growth of the object and its populated attributes.

Fix the LargeObject or ExceededAllowedLength error

Review the user's attributes and remove attribute values that may no longer be needed. Examples include revoked or expired certificates and obsolete or unnecessary addresses such as SMTP, X.400, X.500, MSMail, and CcMail addresses.
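The certificate cleanup the fix calls for is routine once you can see which userCertificate values are expired. The following added example (not from the article or from Microsoft) parses each DER-encoded certificate stored on an on-premises user, reports the counts that matter for the object-size limit (certificates, S/MIME certificates, thumbnail photo bytes, proxy addresses, and legacy address types), and removes only the expired certificate values one at a time. It requires the ActiveDirectory RSAT module and PowerShell 5.1 or later; the user identity and the regex of legacy address prefixes are assumptions, and Remove-ExpiredUserCertificate supports -WhatIf so nothing is deleted until you confirm the report.

```powershell
# Added example (not part of the original article): inventory the attributes that push an object
# towards the LargeObject limit and remove expired userCertificate values.

function Get-LargeObjectRiskReport {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userCertificate, userSMIMECertificate, thumbnailPhoto, proxyAddresses
    $now = Get-Date
    $certs = foreach ($bytes in $u.userCertificate) {
        # Each value is a DER-encoded certificate; parse it to read the expiry. Skip values that do not parse.
        try { $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes) } catch { continue }
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter
            Expired    = ($c.NotAfter -lt $now)
            Raw        = [byte[]]$bytes      # kept so the exact value can be removed later
        }
    }
    [pscustomobject]@{
        User                  = $u.UserPrincipalName
        UserCertificateCount  = @($certs).Count                       # hard limit in Azure AD: 15
        ExpiredCertificates   = @($certs | Where-Object Expired)
        SmimeCertificateCount = @($u.userSMIMECertificate).Count      # hard limit in Azure AD: 15
        ThumbnailPhotoBytes   = if ($u.thumbnailPhoto) { ([byte[]]$u.thumbnailPhoto).Length } else { 0 }
        ProxyAddressCount     = @($u.proxyAddresses).Count            # plan for roughly 300 at most
        # Legacy address types the fix above suggests removing (prefix regex is an assumption).
        LegacyAddresses       = @($u.proxyAddresses | Where-Object { "$_" -match '^(X400|X500|MS|CCMAIL):' })
    }
}

function Remove-ExpiredUserCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $report = Get-LargeObjectRiskReport -Identity $Identity
    foreach ($cert in $report.ExpiredCertificates) {
        if ($PSCmdlet.ShouldProcess("$($report.User): $($cert.Subject) (expired $($cert.NotAfter))", 'Remove userCertificate value')) {
            # Remove just this value from the multi-valued attribute; the remaining certificates stay in place.
            Set-ADUser -Identity $Identity -Remove @{ userCertificate = $cert.Raw }
        }
    }
}

# Usage: review the report first, then run the removal without -WhatIf once it looks right.
Get-LargeObjectRiskReport -Identity 'bobs' | Format-List
Remove-ExpiredUserCertificate -Identity 'bobs' -WhatIf
```

After the removal, the change still has to be picked up by the next sync cycle before the export error clears. If the expired certificates alone do not bring the count under 15, the remaining ones need a decision from whoever issued them; do not remove a valid certificate just to satisfy the limit.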

ExistingAdminRoleConflict

Description

An ExistingAdminRoleConflict sync error occurs on a user object during synchronization when that user object:

  • has administrative permissions (an administrative role assigned) in Azure AD, and
  • has the same userPrincipalName value as an existing Azure AD object.

Azure AD Connect is not allowed to soft-match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. For more information, see Azure AD userPrincipalName population.

Fix the ExistingAdminRoleConflict error

To fix this error:

  1. Remove the Azure AD account (the owner) from all administrative roles.
  2. Hard delete the quarantined object in the cloud.
  3. The next sync cycle takes care of soft-matching the on-premises user to the cloud account, because the cloud user no longer holds an administrative role.
  4. Restore the role memberships for the owner.

Notes

After the soft match between the on-premises user object and the Azure AD user object is complete, the administrative roles can be assigned to the user object again.
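Steps 1 and 4 above are the ones that are easy to get wrong by hand: an administrator who removes roles from a privileged account and later restores them from memory tends to restore too many or too few. The following added example (not from the article or from Microsoft) uses the AzureAD PowerShell module to snapshot the cloud user's active directory role memberships to a JSON file before removing them, and to restore exactly that set afterwards. Steps 2 and 3 (the hard delete of the quarantined object and the next sync cycle) happen between the two functions, as the fix describes. It assumes an existing Connect-AzureAD session with rights to manage role membership; the snapshot path is an assumption, Get-AzureADDirectoryRole only returns roles that have been activated in the tenant, and Privileged Identity Management eligible assignments are not covered.

```powershell
# Added example (not part of the original article): steps 1 and 4 of the ExistingAdminRoleConflict fix
# with the AzureAD module. Run Connect-AzureAD first.

function Export-AndRemoveDirectoryRoles {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$SnapshotPath = ".\roles-$($UserPrincipalName -replace '[@.]', '_').json"   # assumption
    )
    $user  = Get-AzureADUser -ObjectId $UserPrincipalName
    $roles = foreach ($role in Get-AzureADDirectoryRole) {
        $member = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Where-Object ObjectId -eq $user.ObjectId
        if ($member) {
            [pscustomobject]@{ RoleObjectId = $role.ObjectId; RoleTemplateId = $role.RoleTemplateId; DisplayName = $role.DisplayName }
        }
    }
    # Write the snapshot before touching anything, so the restore never depends on memory.
    ConvertTo-Json -InputObject @($roles) | Set-Content -Path $SnapshotPath

    foreach ($r in @($roles)) {
        # Step 1: remove the owner from every administrative role it currently holds.
        Remove-AzureADDirectoryRoleMember -ObjectId $r.RoleObjectId -MemberId $user.ObjectId
    }
    "Removed $(@($roles).Count) role membership(s) from $UserPrincipalName; snapshot written to $SnapshotPath"
}

function Restore-DirectoryRoles {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SnapshotPath
    )
    # Step 4: after the soft match the cloud object is the same one (the on-premises user was matched to it),
    # so the role object IDs in the snapshot still apply.
    $user  = Get-AzureADUser -ObjectId $UserPrincipalName
    $roles = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($r in @($roles)) {
        Add-AzureADDirectoryRoleMember -ObjectId $r.RoleObjectId -RefObjectId $user.ObjectId
        "Restored $($r.DisplayName) to $UserPrincipalName"
    }
}

# Usage (in two sessions, with steps 2 and 3 of the fix in between):
# Export-AndRemoveDirectoryRoles -UserPrincipalName 'admin@contoso.com'
# Restore-DirectoryRoles -UserPrincipalName 'admin@contoso.com' -SnapshotPath '.\roles-admin_contoso_com.json'
```

Keep the snapshot file with the change record for the incident: it is the evidence that the account left the procedure with the same privileges it entered with, and nothing more.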

Related articles

  • Locate Active Directory objects in the Active Directory Administrative Center
  • Query objects in Azure AD using Azure AD PowerShell
  • End-to-end troubleshooting of Azure AD Connect objects and attributes
  • Azure AD troubleshooting
Article information

Author: Dr. Pierre Goyette

Last Updated: 02/04/2023

