The Enabling Technologies Blog

Our team of Cloud Strategy Advisors, Solution Architects, Engineers and former C-Suite Executives work diligently to provide our vistors with the most pressing information.

Bryan Hughes /

​Synced accounts showing “AttributeValueMustBeUnique” in AD Connect ​

Recently I was asked to troubleshoot a AAD Connect Sync issue.  There were about 50 users account that were not syncing with a “AttributeValueMustBeUnique” error.  Looking into the error the user ObjectID was conflicting with a device ObjectID. The user account was syncing from Active Directory and the device was an AAD Hybrid Joined machine. This was a new one for me.   

Troubleshot Step 1: 

The first troubleshooting step was to verify none of the accounts had Admin roles in AAD. 

Existing Admin Role Conflict 

“An Existing Admin Role Conflict sync error occurs on a user object during synchronization when that user object has: 

  • Administrative permissions. 
  • The same userPrincipalName attribute as an existing Azure AD object. 

Azure AD Connect isn't allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. For more information, see Azure AD userPrincipalName population.” 

Fix the Existing Admin Role Conflict error 

Troubleshoot Step 2: 

The next troubleshooting step is to use the “Apply Fix” in Azure AD Connect Health. 

  1. Open Azure Active Directory 
  2. Find Azure AD Connect 
  3. Click Connect Health 
  4. Click Sync Errors 
  5. Click Duplicate Attribute 
  6. Select the affected user 
  7. Click Troubleshoot 
  8. Click Yes 
  9. Click Apply Fix 

Diagnose and remediate duplicated attribute sync errors 

Normally this will fix most errors, but the “Apply Fix” did not fix this issue. 

Troubleshoot Step 3: 

The next troubleshooting step is to do a quick soft match by UPN.   

  1. Move AD account into a non-synching OU. 
  2. Force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta). 
  3. Move AD account back into synching OU. 
  4. Force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta). 

After waiting for AAD Connect sync to complete, I checked the Azure AD Connect health. The “AttributeValueMustBeUnique” error was still present for the user account. 

Troubleshoot Step 4: 

The next troubleshooting step was to try a soft match by email. 

  • Verify the primary SMTP address for user in AD 
  • Open Active Directory Users and Computers 
  • Find user account 
  • Right click properties 
  • On the general tab, update the E-mail field, and then click OK. 
  • Force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta) 
  • You can further verify properties for the account in Advanced Features option in Active Directory Users and Computers. 
  • Open Active Directory Users and Computers, and then select the root node of the AD DS domain. 
  • Select View, and then make sure that the Advanced Features option is selected. 
  • In the left navigation pane, locate the user object, right-click it, and then select Properties. 
  • On the Object Editor tab, locate the attribute that you want. Select Edit, and then edit the attribute value to the value that you want. 
  • Select OK two times. 
  • Check UPN object and Proxy Address for correct values. 
  • Force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta) 

After waiting for AAD Connect sync to complete, the “AttributeValueMustBeUnique” error was still present for the user account. 

Troubleshoot Step 5: 

The next step was to try a hard match by forcing the connection of ObjectID with the ImmutableID with on-prem AD account and AAD account. 

  • Firstly, you’ll want to find the sourceAnchor (which is also known as the ImmutableID). To find this, click on the “CN=” link under the Export Errors column 
  • Copy the value for sourceAnchor and make a note of it, you’ll need it later. 
  • Secondly, we need to find the ObjectID of the problematic user. For this, we’ll need to connect to both Microsoft 365 Powershell and Azure AD PowerShell 
  • To find the object ID: Get-MsolUser -UserPrincipalName "user.name@domain.com" | Fl *objectId* 
  • Copy the ObjectID value and again make a note of it. 
  • Now we will check what the current ImmutableID value is based on the ObjectID we just found: 
  • Get-AzureADUser -ObjectId "OBJECT ID HERE" | FL *ImmutableID* 
  • If all is well, the ImmutableID should match the sourchAnchor value from AD Connect  
  • To fix, we need to match the two together (the value for ImmutableID doesn’t need quotes). 
  • Set-AzureADUser -ObjectId "OBJECT ID HERE" -ImmutableId SOURCHANCHOR VALUE from CN error 
  • Force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta) 

Still the “AttributeValueMustBeUnique” error was still present for the user account. 

Troubleshoot Step 6: 

The next troubleshooting step I tried was to find the conflicting device. 

When I found the device, it showed two icons for the device. The first icon is the normal device icon that was Azure AD Hybrid Joined device indicator.  The second icon indicates an autopilot device object and shows the machine as Azure AD Joined. This is by design. When you register a device with Windows Autopilot, an Azure AD device object will be created corresponding to that Azure AD device.   

After digging into the issue more, I found the customer had a ransomware attack, with their entire network encrypted, which they had to restore the entire local domain with backup images.  They originally deployed devices using Autopilot deployment profiles in Configuration Manger. After they restored the network, they did not bring back the Configuration Manager machine. 

That device objects are important for Windows Autopilot and should never be deleted without also removing the Windows Autopilot device.  To support that, the Azure AD team has added an additional validation that won’t allow you to delete a device object associated with Windows Autopilot. 

If you try deleting autopilot device, you get the following errors: 

“You cannot delete Windows Autopilot devices here” 

“Your selection contains Windows Autopilot Devices. Unselect these devices to continue deleting any remaining selected devices. Click Cancel to return to the list of devices and keep the devices selected.” 

The next step you would usually go to Microsoft Endpoint Admin, Devices, Windows, Windows Enrollment, Devices and delete the device from there.  Because it was an Autopilot device from Configuration Manager it would delete the device, but not the Autopilot device object.  The only option is to disable, but this would not resolve the conflicting ObjectID. 

You can delete the device from the On-Prem AD, but it still will not delete the Autopilot device object which contains the conflicting ObjectID. 

To completely remove the device from Azure AD along with the Autopilot device object we will need to delete from PowerShell in Microsoft Online (MSOL) 

  1. Run: Get-MsolDevice -ObjectId "DEVICE OBJECT ID" 
  2. Copy Device ID 
  3. Run: Remove-MsolDevice -DeviceId "DEVICE ID" 
  4. To verify the changes made, run Get-MsolDevice again and you should be able to get the “Device not found” error. 
  5. The next step is to force a delta sync in AAD Connect (Start-ADSyncSyncCycle -PolicyType Delta) 
  6. The AAD Account and AD Account should make the connection and merge. 
  7. What 5 to 10 minutes after the sync is complete and verify that the AD Account is now syncing with AAD. 

 

I hope this saves you time resolving this error in the future. 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

ref:_00D80KtFf._5000y1WwWQD:ref