AADC - 0x8023134a - AttributeValueMustBeUnique

I ran into an error during an SMTP matching exercise while merging Active Directory accounts with existing Azure AD accounts for an Office 365 project I was working on. The account would just not synchronise.

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:user.name@domain.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: f6334212-fc15-4eea-9407-xxxxxxxxxxxx
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["cb866447-5dfb-4fdf-xxxx-xxxxxxxxxxxxx"]},{"Key":"ObjectIdInConflict","Value":["516338b6-8cc4-4d78-xxxx-xxxxxxxxxxxxx"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:user.name@domain.com"]}]




I confirmed that the user's UPN was the same as the sign-in name within Office 365:

# Connect to MSOL
Connect-MsolService -Credential $UserCredential 

# Change O365 Sign-in Name
Set-MsolUserPrincipalName -UserPrincipalName old.username@domain.com -NewUserPrincipalName new.username@domain.com

After checking that, I checked the user didn't already have an immutable ID:

# Get Immutable ID
Get-MsolUser -UserPrincipalName user.name@domain.com | Select ImmutableId 

I checked that they did not have an account in deleted users that could be causing the conflict and the SMTP match to fail:

# Check for deleted users
Get-MsolUser -ReturnDeletedUsers  

The user's mail attribute matched their primary SMTP address in EOL (using the Mail attribute as Exchange is not deployed within the environment). This is correct but Azure AD Connect was still complaining.

I then found the user had the Global Admin role assigned:

# The Global Admin role is listed as Company Administrator (check GUID of Company Administrator 62e90394-69f5-4237-9190-012177145e10)
Get-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10

After removing this role the account synchronised correctly and we were good to go. I added the role back following the synchronisation.
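The following is an added example, not code from the original post: it parses the ExtraErrorDetails block from the export error and lists every directory role held by the cloud object named in ObjectIdInConflict, so a role-holding account shows up before working through the other checks. The function names are hypothetical; the lookup assumes the MSOnline module and an existing Connect-MsolService session, and it goes beyond the post by checking all roles rather than only Company Administrator.

```powershell
# Added example. Function names are illustrative, not part of any module.

function ConvertFrom-AadcExtraErrorDetails {
    # Turns the ExtraErrorDetails key/value array into a single object
    # with one property per key (each property holds an array of values).
    param([Parameter(Mandatory)][string]$Json)
    $result = [ordered]@{}
    foreach ($pair in ($Json | ConvertFrom-Json)) {
        $result[$pair.Key] = @($pair.Value)
    }
    [pscustomobject]$result
}

function Get-ConflictingObjectRoles {
    # Lists every directory role whose membership includes the cloud object
    # the sync engine collided with. Needs a connected MSOL session.
    param([Parameter(Mandatory)][guid]$ObjectIdInConflict)
    foreach ($role in Get-MsolRole) {
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        if ($members.ObjectId -contains $ObjectIdInConflict) {
            [pscustomobject]@{ Role = $role.Name; RoleObjectId = $role.ObjectId }
        }
    }
}

# ExtraErrorDetails as shown in the post. The GUIDs are masked there, so this
# sample only demonstrates the parsing step; the masked values are not valid GUIDs.
$sample = '[{"Key":"ObjectId","Value":["cb866447-5dfb-4fdf-xxxx-xxxxxxxxxxxxx"]},' +
          '{"Key":"ObjectIdInConflict","Value":["516338b6-8cc4-4d78-xxxx-xxxxxxxxxxxxx"]},' +
          '{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},' +
          '{"Key":"AttributeConflictValues","Value":["SMTP:user.name@domain.com"]}]'

$details = ConvertFrom-AadcExtraErrorDetails -Json $sample
$details | Format-List

# With the unmasked ObjectIdInConflict from your own error and a connected session:
# $id = [guid]$details.ObjectIdInConflict[0]
# Get-MsolUser -ObjectId $id | Select-Object UserPrincipalName, ImmutableId
# Get-ConflictingObjectRoles -ObjectIdInConflict $id
```

Any row returned by Get-ConflictingObjectRoles means the cloud account holds a directory role, which is the condition that had to be cleared in the case above before the account would match.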




