Monday, October 26, 2020

Attempting to set immutableId for user throws the error: "Set-MsolUser : Uniqueness violation. Property: SourceAnchor."

Problem

You’re attempting to use the Set-MsolUser cmdlet to configure the immutableId attribute for a user in Azure Active Directory but receive the following error:

PS C:\> Set-MsolUser -UserPrincipalName jsmith@contoso.com -ImmutableId "zxGeOiOTdkivMtgkOsuvKA=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName jsmith@contoso.com -ImmutableId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Online.Administration.Automation.SetUser
PS C:\>

Reviewing the properties of the user account that you are trying to assign the immutableID value to confirms that the attribute is currently null:

Get-MsolUser -UserPrincipalName jsmith@contoso.com | FL immutableId

Using Get-MsolUser to search the active users for an account that already has this immutableID does not return any results:

Get-MsolUser | Where-Object {$_.ImmutableId -eq "zxGeOiOTdkivMtgkOsuvKA=="} | select UserPrincipalName

Solution

One of the most common reasons I’ve found for this error is that a deleted user object still has the same immutableID assigned to it. A typical scenario would be:

  1. An effort was made to merge on-premises Active Directory accounts with Azure AD, but Azure AD Connect created a new account with a random number appended to the name rather than merging the two accounts
  2. The administrator deletes the new account and attempts to assign the ObjectGUID (converted to base64) of the on-premises Active Directory account to the Azure AD account

To confirm whether there is an account in the deleted users container (the recycle bin), execute the following cmdlet:

Get-MsolUser -ReturnDeletedUsers

The following cmdlet can return the UPN along with the immutableID of the user accounts found in the deleted users container:

Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,immutableID

Once the account with the conflicting immutableID is identified, the following cmdlet can be used to permanently delete it from the recycle bin:

Remove-MsolUser -UserPrincipalName jsmith@contoso.com -RemoveFromRecycleBin

With the account removed, you should now be able to assign the immutableID.
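As an added example (not part of the original post), the following PowerShell pre-flight check derives the immutableID from the on-premises ObjectGUID as described above and searches both the active users and the deleted users container for the same SourceAnchor before calling Set-MsolUser. The ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and the sample identities (jsmith, jsmith@contoso.com) are assumptions.

```powershell
# Added example, not from the original post. Pre-flight check before
# Set-MsolUser -ImmutableId: derive the anchor from the on-premises ObjectGUID,
# then look for the same SourceAnchor on active AND soft-deleted Azure AD users,
# since the recycle bin is where the conflicting copy usually hides.
# Assumes the ActiveDirectory and MSOnline modules are loaded and
# Connect-MsolService has already been run. Identities below are placeholders.

$SamAccountName = 'jsmith'               # on-premises account (placeholder)
$CloudUpn       = 'jsmith@contoso.com'   # target Azure AD account (placeholder)

# When ObjectGUID is the source anchor, the immutableID is the base64 encoding
# of the 16 raw GUID bytes.
$onPrem      = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
$immutableId = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())
Write-Host "Computed ImmutableId for $SamAccountName : $immutableId"

# Round-trip check: a valid anchor decodes back to exactly the same GUID.
$decoded = [Guid]::new([Convert]::FromBase64String($immutableId))
if ($decoded -ne $onPrem.ObjectGUID) {
    throw "ImmutableId does not round-trip to the on-premises ObjectGUID"
}

# Does anything else in the tenant already carry this SourceAnchor?
$activeHits  = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
$deletedHits = Get-MsolUser -ReturnDeletedUsers -All |
               Where-Object { $_.ImmutableId -eq $immutableId }

# Other active users with the same anchor (the target user itself is fine).
$activeConflicts = @($activeHits | Where-Object { $_.UserPrincipalName -ne $CloudUpn })
foreach ($u in $activeConflicts) {
    Write-Warning "Active user $($u.UserPrincipalName) (ObjectId $($u.ObjectId)) already holds this ImmutableId"
}
foreach ($u in @($deletedHits)) {
    # Report the ObjectId, not just the UPN: the recycle bin can hold several
    # objects with the same UPN, and Remove-MsolUser accepts -ObjectId.
    Write-Warning "Soft-deleted user $($u.UserPrincipalName) (ObjectId $($u.ObjectId)) holds this ImmutableId"
    Write-Warning "  Purge with: Remove-MsolUser -ObjectId $($u.ObjectId) -RemoveFromRecycleBin"
}

$conflictCount = $activeConflicts.Count + @($deletedHits).Count
if ($conflictCount -eq 0) {
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    Get-MsolUser -UserPrincipalName $CloudUpn | Format-List UserPrincipalName, ImmutableId
} else {
    Write-Warning "Not setting ImmutableId: $conflictCount conflicting object(s) found. Resolve them first."
}
```

The script only reports conflicting objects and prints the purge command; it does not delete anything itself, so the removal remains a deliberate administrator step.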

20 comments:

  1. Thanks, I was beating my head against the desk trying to figure out why this was happening. After finding the test account in the recycle bin I was able to delete it against its objectID (since more than one instance of its UPN was in the recycle bin)

  2. Of course, ReturnDeletedUsers doesn't return anything to me. :( Why can't my problems be simple?!

  3. Never mind, looks like my problem was related to having to wait for directory sync to fully get disabled. ;)

  4. God bless u Sir u save my day. Thanks!

  5. This worked for us, thanks man!

  6. thanks for this write up Terence, saved me a headache
    cheers

  7. Great, why does it always take non-Microsoft sources to find solutions to very common problems with Microsoft software ...

    Thanks!

  8. I was unable to sync the on-premises DC with Azure AD... deleted accounts in the recycle bin were the problem. Thanks!

  9. After several long hours of swinging at this issue. Thank you very much for this fix.

  10. This was very helpful, a complete solution to re-sync AD to Azure for one deleted and rebuilt domain account, thank you. Peter

  11. After spending hours down endless rabbit holes, this was the article that clinched the solution. Thanks for taking the time to share.

  12. Top guy, Terence! You saved me many, many, hours of frustration. I owe you many beers.

  13. appreciate the article so much, it saved my ass!

  14. THANK YOU! You are a lifesaver.

  15. First time fix!
    Thank you, I would never have looked there

  16. You can now permanently delete the account from the Azure AD portal in the Deleted Users section without the PowerShell command. If you received no output from Get-MsolUser -ReturnDeletedUsers then the account is in active users. Disable the account in AD, move that user into an OU that is not being synced by AD Connect (typically the Lost&Found OU) and run a sync. Now that the account should be in Deleted Users, try permanently deleting it.

  17. Thanks for this! I've been banging my head against the wall trying to figure out why it would never sync even after trying every sync option out there.

  18. First time fix!
    Thanks

  19. Excellent observation, it saved my day! Thank you!!!
