Problem
You’re attempting to use the Set-MsolUser cmdlet to configure the immutableId attribute for a user in Azure Active Directory but receive the following error:
PS C:\> Set-MsolUser -UserPrincipalName jsmith@contoso.com -ImmutableId "zxGeOiOTdkivMtgkOsuvKA=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName jsmith@contoso.com -ImmutableId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Online.Administration.Automation.SetUser
PS C:\>
Reviewing the properties of the user account that you are trying to assign the immutableID value to confirms that it is null:
Get-MsolUser -UserPrincipalName jsmith@contoso.com | FL immutableId
Using Get-MsolUser to search the active users for an account that already holds the immutableID does not return any results either. Note that Get-MsolUser returns at most 500 objects unless -All is specified, so in a tenant of any size the search must include -All or a conflicting account can be missed:
Get-MsolUser -All | Where-Object {$_.ImmutableId -eq "zxGeOiOTdkivMtgkOsuvKA=="} | select UserPrincipalName
Solution
One of the most common reasons I’ve found for this error is a soft-deleted user object (one still in the Azure AD recycle bin) that has the same immutableID assigned to it. The SourceAnchor uniqueness check covers deleted objects as well as active ones, so the conflicting account is invisible to a normal Get-MsolUser search. A typical scenario would be:
- An effort was made to match on-premises Active Directory accounts with existing Azure AD accounts, but Azure AD Connect created a new account with a random number following the name rather than merging the two accounts
- The administrator deletes the new account and attempts to assign the ObjectGUID (converted to base64) of the on-premises Active Directory account to the Azure AD account, not realizing the deleted account still carries that value as its immutableID
To confirm whether there is an account in the deleted users container, execute the following cmdlet:
Get-MsolUser -ReturnDeletedUsers
The following cmdlet can return the UPN along with the immutableID of the user accounts found in the deleted users container:
Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,immutableID
Once the account with the conflicting immutableID is identified, the following cmdlet can be used to permanently delete it from the recycle bin:
Remove-MsolUser -UserPrincipalName jsmith@contoso.com -RemoveFromRecycleBin
If more than one deleted object shares the same UPN, target the specific object with -ObjectId instead of -UserPrincipalName. With the account removed, you should now be able to assign the immutableID.
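The following script, which is an added example and not part of the original post, carries the whole procedure above through in one pass: it checks that the value is a base64-encoded GUID, searches both active and soft-deleted users (with -All so large tenants are covered), purges any conflicting recycle-bin objects by ObjectId, and only then assigns the immutableID. It assumes the MSOnline module is installed and that the UPN and immutableID are the placeholders from the post; the -Remove switch is an assumption of this script, added so that nothing is deleted unless explicitly requested.

```powershell
# Added example (not from the original post). Requires the MSOnline module.
param(
    [string]$TargetUpn   = 'jsmith@contoso.com',        # placeholder from the post
    [string]$ImmutableId = 'zxGeOiOTdkivMtgkOsuvKA==',  # placeholder from the post
    [switch]$Remove      # assumption: purge conflicting deleted objects only when asked
)

Connect-MsolService

# Sanity check before touching anything: the value must decode to 16 bytes,
# i.e. the base64 form of an on-premises objectGUID / ms-DS-ConsistencyGuid.
$bytes = [Convert]::FromBase64String($ImmutableId)
if ($bytes.Length -ne 16) { throw "ImmutableId is not a base64-encoded GUID" }
$onPremGuid = [System.Guid]::new($bytes)
Write-Host "ImmutableId decodes to on-premises GUID $onPremGuid"

# 1. Active users. -All is required; without it Get-MsolUser returns at most
#    500 objects and a conflicting account in a larger tenant is never seen.
$active = Get-MsolUser -All |
    Where-Object { $_.ImmutableId -eq $ImmutableId -and $_.UserPrincipalName -ne $TargetUpn }

# 2. Soft-deleted users (the recycle bin). These still count for SourceAnchor
#    uniqueness, which is why the plain search above comes back empty.
$deleted = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.ImmutableId -eq $ImmutableId }

if ($active) {
    Write-Warning "Active user(s) already hold this ImmutableId; resolve that first:"
    $active | Format-Table UserPrincipalName, ObjectId, ImmutableId
    return
}

if ($deleted) {
    Write-Host "Conflicting object(s) in the recycle bin:"
    $deleted | Format-Table UserPrincipalName, ObjectId, ImmutableId
    if (-not $Remove) {
        Write-Host "Re-run with -Remove to purge them permanently."
        return
    }
    foreach ($u in $deleted) {
        # Target by ObjectId: several deleted objects can share one UPN.
        Remove-MsolUser -ObjectId $u.ObjectId -RemoveFromRecycleBin -Force
    }
}

# 3. Assign the ImmutableId and read it back to confirm.
Set-MsolUser -UserPrincipalName $TargetUpn -ImmutableId $ImmutableId
Get-MsolUser -UserPrincipalName $TargetUpn | Format-List UserPrincipalName, ImmutableId
```

Run it once without -Remove to see what would be purged; the decoded GUID printed at the top can be compared against the on-premises account's ObjectGUID (Get-ADUser jsmith | Select-Object ObjectGUID) to make sure the value being assigned really belongs to the intended account before the deleted object is removed for good.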
20 comments:
Thanks, I was beating my head against the desk trying to figure out why this was happening. After finding the test account in the recycle bin I was able to delete it against its ObjectId (since more than one instance of its UPN was in the recycle bin).
Of course, ReturnDeletedUsers doesn't return anything to me. :( Why can't my problems be simple?!
nevermind, looks like my problem was related to having to wait for directory sync to fully get disabled. ;)
God bless u Sir u save my day. Thanks!
This worked for us, thanks man!
thanks for this write up Terence, saved me a headache
cheers
thank you :)
Great, why does it always take non-Microsoft sources to find solutions to very common problems with Microsoft software ...
Thanks!
I was unable to sync on premise DC with AD Azure...deleted accounts in recycle bin were the problem. Thanks!
After several long hours of swinging at this issue. Thank you very much for this fix.
This was very helpful, complete solution to re-synch AD to Azure for one deleted and rebuilt domain account, thank-you. Peter
After spending hours down endless rabbit holes, this was the article that clinched the solution. Thanks for taking the time to share.
Top guy, Terence! You saved me many, many, hours of frustration. I owe you many beers.
appreciate the article so much, it saved my ass!
THANK YOU! You are a lifesaver.
First time fix!
Thank you, I would never have looked there
You can now permanently delete the account from the Azure AD portal in the Deleted Users section without the PowerShell command. If you received no output from Get-MsolUser -ReturnDeletedUsers then the account is in active users. Disable the account in AD and move that user into an OU that is not being synced by AD Connect (typically the Lost&Found OU) and run a sync. Now that the account should be in Deleted Users, try permanently deleting it.
Thanks for this! I've been banging my head against the wall trying to figure out why it would never sync even after trying every sync option out there.
First time fix!
Thanks
Excellent observation, it saved my day! Thank you!!!