Azure AD Connect: Duplicate Attribute - can't find it on-prem (or don't understand what is meant)

Rolf Hasselbusch 1 Reputation point
2021-04-14T21:09:01.47+00:00

Hi together,

I've moved our mail service from on-prem Exchange to Microsoft 365; I've created all users in the tenant by hand (in the format john.doe@mathieu.company .de).
Later I read about Azure AD Connect and installed it to synchronize password hashes from on-prem AD with AAD.
Beforehand I set the UPN of all on-prem users to a registered domain connected in the tenant (@mathieu.company .de).

After the first sync I looked in Azure AD Users and all users except my own (which is the tenant global admin) were shown as synchronized.
I also got a mail which mentioned a sync error for my account. I took a look at the detailed information for this error in the Synchronization Service Manager, which stated:

----------------------------

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:john.doe@mathieu.company .de;UserPrincipalName john.doe@mathieu.company .de;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 76cacd34-e243-4205-b35e-fbf9d2f77613
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["a93d44d7-3c28-4ac8-a820-ad59abcfbf8d"]},
{"Key":"ObjectIdInConflict","Value":["7a5ac9c4-080b-45e7-a71e-7c1238c43b98"]},
{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},
{"Key":"AttributeConflictValues","Value":["SMTP:john.doe@mathieu.company .de"]}]

----------------------------

I checked my on-prem accounts and there is only one account which has the UPN set to john.doe@mathieu.company .de. This object has no ProxyAddresses attributes and only the E-Mail field on the General tab contains the address john.doe@mathieu.company .de.

I thought that the sync would look for the UPN, find it in this object and map it to my global administrator account in AAD, but that doesn't happen.

Does anyone have a clue what I'm missing here? Any tips or advice on how I can fix this problem?

Thanks for any help and have a great day!
Rolf

Microsoft Entra ID

4 answers

  1. Andy David - MVP 142.2K Reputation points MVP
    2021-04-14T21:15:48.733+00:00

    If the Global Admin account in Azure is a separate account from the one on-prem, then that won't work. You'll need to rename one of those accounts.
    If you want to use the synced on-prem account, then change the UPN on the Azure Global Admin account.


  2. Rolf Hasselbusch 1 Reputation point
    2021-04-15T13:47:51.033+00:00

    Thanks for your answer Andy!

    The on-prem account and the global administrator account are both mine and I want the AD sync to match them together, so that I can for example reset my password in the Azure/Office portal and it gets written back to on-prem.
    With all other accounts the matching worked like a charm, it only failed with the global admin.


  3. Danny Zollner 9,521 Reputation points Microsoft Employee
    2021-04-22T15:29:59.607+00:00

    Azure AD Connect's soft-match functionality will not work for highly privileged accounts such as global admin. This is meant to prevent an escalation of privilege attack where someone who has the ability to create users in Active Directory could create a matching account to a cloud-only global admin and seize control when AAD Connect synchronizes it.

    To address this, you can use PowerShell to set the ImmutableId value of the global admin account to match the value you see for sourceAnchor in Azure AD Connect - assuming you're using the default configuration, it will be a base64 conversion of the base16 representation of the on-prem user object's objectGuid value.

    Going off of memory, but I believe the correct syntax using the MSOnline PowerShell module (after doing Connect-MsolService) would be: Set-MsolUser -UserPrincipalName user@keyman .com -ImmutableId "Base64 Representation of ObjectGuid"

    user@keyman .com in the above example would be the UPN of the cloud-managed global admin user object.

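    The hard-match Danny describes, carried through as an added example (this is not code from the thread or from Microsoft). It assumes the RSAT ActiveDirectory and MSOnline modules are installed, that the two placeholder UPNs are replaced with real ones, and that Azure AD Connect uses the default sourceAnchor.

```powershell
# Added example: hard-match a cloud-only global admin to its on-prem object by
# setting ImmutableId to the default sourceAnchor (base64 of the objectGUID bytes).
# Assumed: ActiveDirectory + MSOnline modules; placeholder UPNs below.
Import-Module ActiveDirectory
Import-Module MSOnline

$OnPremUpn = 'john.doe@example.com'   # placeholder: UPN of the on-prem user
$CloudUpn  = 'john.doe@example.com'   # placeholder: UPN of the cloud-only global admin

# 1. Confirm the UPN / primary SMTP address is unique on-prem. A second object
#    carrying either value is exactly what the "duplicate attribute" error reports.
$candidates = @(Get-ADUser -Filter "userPrincipalName -eq '$OnPremUpn' -or proxyAddresses -eq 'SMTP:$OnPremUpn'" -Properties proxyAddresses)
if ($candidates.Count -ne 1) {
    throw "Expected exactly one on-prem object for $OnPremUpn, found $($candidates.Count)"
}
$OnPremUser = $candidates[0]

# 2. Compute the default sourceAnchor: base64 of the 16 raw GUID bytes.
#    Newer AAD Connect builds default to mS-DS-ConsistencyGuid, which is seeded
#    from objectGUID on first sync, so the value is the same unless customized.
$ImmutableId = [System.Convert]::ToBase64String($OnPremUser.ObjectGUID.ToByteArray())
Write-Host "objectGUID $($OnPremUser.ObjectGUID) -> ImmutableId $ImmutableId"

# 3. Refuse to overwrite an object that is already matched, then hard-match.
Connect-MsolService
$CloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
if ($CloudUser.ImmutableId) {
    throw "Cloud object already has ImmutableId $($CloudUser.ImmutableId); not overwriting"
}
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $ImmutableId

# 4. Verify, then run a delta sync on the AAD Connect server:
#    Start-ADSyncSyncCycle -PolicyType Delta
(Get-MsolUser -UserPrincipalName $CloudUpn).ImmutableId -eq $ImmutableId
```

    Because a wrong ImmutableId silently binds the privileged cloud object to a different on-prem account, keep the uniqueness check in step 1 and compare the objectGUID printed in step 2 against the on-prem user before running step 3.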

  4. Konstantinos Gklaveris 0 Reputation points
    2024-04-18T14:29:35.56+00:00

    Tested workaround! Ask another global admin to remove you from global admin or other elevated roles and the synchronization will be finished without errors. Afterwards ask a global admin to re-assign the global admin role to your account.
