During a recent deployment I did with Azure AD Connect and Office 365, we encountered a problem with a list of users who were reported in the daily Identity synchronization Error Report from Microsoft as having the following problem:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [UserPrincipalName firstname.lastname@example.org;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
The solution for this problem is quite simple: changing the user's UPN back to the default of @tenantname.onmicrosoft.com, as mentioned in the KB, does the trick. The hard part is identifying all of those users in advance, as the Identity synchronization Error Report contains a couple of hundred users.
Identifying the Users
- Start a cmd prompt and go to %ProgramFiles%\Microsoft Azure AD Sync\bin
- Run: csexport "Name of Connector" %temp%\export.xml /f:x
The name of the Connector can be found in Synchronization Service. It will have a name similar to “contoso.com – AAD” for Azure AD.
- Run: CSExportAnalyzer %temp%\export.xml > %temp%\export.csv
- You now have a file in %temp% named export.csv which can be examined in Microsoft Excel. This file contains all changes which are about to be exported.
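
With a couple of hundred reported users, checking the CSV by eye in Excel is slow. The PowerShell below is an added example, not part of the original post or of Azure AD Connect: it searches export.csv for each UPN copied from the error report and shows which ones appear in the pending exports. The `Find-ReportedUpn` name, the `reported-upns.txt` file and the sample rows are assumptions made for illustration; matching is done on raw text, so it does not depend on the CSV's column layout.

```powershell
# Added example. Find-ReportedUpn is a hypothetical helper, not an Azure AD Connect cmdlet.
function Find-ReportedUpn {
    param(
        [Parameter(Mandatory)] [string[]] $Upn,      # UPNs copied from the error report
        [Parameter(Mandatory)] [string]   $CsvPath   # file produced by CSExportAnalyzer
    )
    $lines = Get-Content -LiteralPath $CsvPath
    $wanted = $Upn | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($u in $wanted) {
        # Escape the UPN so '.' is literal. The lookarounds stop bob@contoso.com
        # from matching inside jbob@contoso.com or bob@contoso.com.au.
        $pattern = '(?<![\w.\-])' + [regex]::Escape($u) + '(?![\w.\-])'
        $hits = @($lines | Select-String -Pattern $pattern)   # case-insensitive by default
        [pscustomobject]@{
            UserPrincipalName = $u
            PendingExport     = $hits.Count -gt 0
            LineNumbers       = ($hits.LineNumber -join ';')
        }
    }
}

# Constructed sample rows so the example runs offline; the real column layout may differ.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'export-sample.csv'
@'
"CN={constructed-1}","Update","user","userPrincipalName","alice@contoso.com"
"CN={constructed-2}","Update","user","userPrincipalName","jbob@contoso.com"
"CN={constructed-3}","Update","user","displayName","Carol"
'@ | Set-Content -LiteralPath $sample

Find-ReportedUpn -Upn 'alice@contoso.com', 'bob@contoso.com' -CsvPath $sample |
    Format-Table -AutoSize

# Against the real export (reported-upns.txt is a hypothetical file, one UPN per line):
# Find-ReportedUpn -Upn (Get-Content .\reported-upns.txt) -CsvPath "$env:TEMP\export.csv" |
#     Export-Csv "$env:TEMP\reported-in-export.csv" -NoTypeInformation
```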