Problem
You’ve noticed that a newly created user account in your on premise Active Directory is not showing up in your Office 365 Admin center so you review the Operations menu in the Synchronization Service Manager and notice that the export job displays the error InvalidSoftMatch in the Export Errors window pane:
Opening the InvalidSoftMatch entry brings up the following Connector Space Object Properties Pending Export tab with information confirming that this is the missing user account:
Continuing to click on the Export Error tab displays the following information with a Detail button:
Clicking on the Detail button will display the following Error Information:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:crussell@Contoso.com,smtp:crussell@ContosoReAG.mail.onmicrosoft.com,Mail crussell@Contoso.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
Tracking Id: 466344fe-a7c5-403e-8b0a-8621752ac178
You attempt to use the following PowerShell cmdlets via the WAAD (Windows Azure Active Directory) console to determine whether there is another account with the same smtp address:
Connect-MsolService
Get-MsolUser -all | Select DisplayName,ProxyAddresses | where-object {$_.ProxyAddresses -like "*crussell*"} | Format-Table -Wrap -Autosize
… but no results are returned.
Going through the steps outlined the in the KB:
Duplicate or invalid attributes prevent directory synchronization in Office 365
https://support.microsoft.com/en-us/kb/2647098
… and using the IdFix DirSync Error Remediation Tool (https://www.microsoft.com/en-ca/download/details.aspx?id=36832) does not list any references to the problematic account.
Solution
After trying all of the above without having any luck, I reread the contents in the following KB:
Duplicate or invalid attributes prevent directory synchronization in Office 365https://support.microsoft.com/en-us/kb/2647098
… and noticed this:
All alias values in Office 365 must be unique for a given organization. Even if you have multiple unique suffixes after the at sign (@) in the Simple Mail Transfer Protocol (SMTP) address, all alias values must be unique.
Knowing that the user of the user account in question also had a pre-existing contact with an external SMTP email address, I began reviewing the properties of the existing contact in the Admin center:
Proceeded to click on the Edit Exchange settings link:
Which brought me to the Office 365 Exchange console of the contact object and it immediately became obvious that the problem was caused by the Alias of the exist contact (also configured as crussell):
Attempting to change the Alias would fail with:
error
The action ‘Set-MailContact’, ‘Alias,EmailAddresses’, can’t be performed on the object ‘Craig Russell’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
Attempting to delete the mail contact would throw the following error:
error
The action ‘Remove-MailContact’, ‘Identity’, can’t be performed on the object ‘Craig Russell’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
Having no luck with the GUI, I proceeded to review the Remove-MsolContact cmdlet:
https://docs.microsoft.com/en-us/powershell/msonline/v1/remove-msolcontact
Used the following Get-MsolContact cmdlet to export contact objects and their respective properties. Used the find feature to locate the Craig Russell contact’s ObjectID:
Then proceeded to use the Remove-MsolContact cmdlet to delete the contact from the directory:
With the contact deleted, re-running the export job in the Synchronization Service Manager no longer displayed the InvalidSoftMatch in the Export Errors window pane:
Logging back onto the Office 365 Admin center console now displayed the user object.
No comments:
Post a Comment