Identify Azure AD provisioning errors

In this article I want to show you how to identify Azure AD provisioning errors during sync.

One of the features of Azure Active Directory is identifying issues caused by conflicts during a run of one of the synchronization tools.
Usually these issues are caused by two attributes, UserPrincipalName and ProxyAddress, which should be unique for objects like Users or Groups in one Azure AD tenant.

Identifying Azure AD provisioning errors
Currently there are two options to identify Azure AD provisioning errors:
Azure Active Directory PowerShell
Office 365 Admin portal
In this article I will of course show you the PowerShell commands to do that 😉

First of all, you must have the Azure AD module installed on your machine.
If you don’t have it installed yet, follow this link.
Once you have the Azure AD module, use the commands below to check for all Azure AD provisioning errors:

Connect-MSOLService
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict

It will display the whole list of sync errors. To limit it to errors caused by UserPrincipalName, use the command:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName UserPrincipalName

For ProxyAddress use:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName ProxyAddresses

Duplicate Attribute Resiliency
Azure Active Directory can quarantine objects with a duplicated UPN or ProxyAddress.
For the UserPrincipalName attribute, which should be unique, the service assigns a temporary value that follows the pattern below:
“+<4DigitNumber>@.onmicrosoft.com”.
For the ProxyAddress attribute, the value is quarantined and the object is created.
To support this behavior, a new attribute, DirSyncProvisioningErrors, has been added to Azure AD objects.

To check whether the duplicate attribute resiliency feature is enabled, use the command below:

Get-MsolDirSyncFeatures

As a result you will see if it’s enabled or not.
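
The checks above combined into one script, as an added example that is not part of the original article. The report location in $reportPath is a hypothetical choice; the cmdlets and parameters are the ones used above, and the script needs the MSOnline module and a sign-in to the tenant.

```powershell
# Added example: collect PropertyConflict provisioning errors per attribute,
# save them for later review, and show the resiliency feature state.
Import-Module MSOnline
Connect-MsolService

# Attributes the article names as sources of PropertyConflict errors.
$properties = 'UserPrincipalName', 'ProxyAddresses'

$report = foreach ($property in $properties) {
    # @() keeps the result an array even when zero or one object comes back.
    $errors = @(Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName $property)

    # Write-Host goes to the console, so it is not captured into $report.
    Write-Host ("{0}: {1} object(s) with a conflict" -f $property, $errors.Count)

    # Tag each object with the attribute that was queried and keep every
    # original property, so no assumption is made about the output shape.
    $errors | Select-Object @{ Name = 'ConflictProperty'; Expression = { $property } }, *
}

# Hypothetical output location (assumption, not from the article).
$reportPath = Join-Path $env:TEMP 'dirsync-property-conflicts.xml'

if ($report) {
    # Export-Clixml keeps nested properties that a flat CSV export would lose.
    $report | Export-Clixml -Path $reportPath -Depth 4
    Write-Host ("Saved {0} record(s) to {1}" -f @($report).Count, $reportPath)
} else {
    Write-Host 'No PropertyConflict provisioning errors found.'
}

# Show which directory synchronization features are enabled in the tenant.
Get-MsolDirSyncFeatures | Format-Table -AutoSize
```

The saved file can be loaded again with Import-Clixml to compare the conflict list between two sync cycles.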

If you want to enable this feature, use the commands:

# The parameter is -Feature, and -Enable takes a Boolean value.
Set-MsolDirSyncFeature -Feature "DuplicateProxyAddressResiliency" -Enable $true
Set-MsolDirSyncFeature -Feature "DuplicateUPNResiliency" -Enable $true

I hope it will be useful for some of you 😉
Enjoy!
