AD Connect – AttributeValueMustBeUnique

I noticed this error when trying to hide some old shared mailboxes from the global address list; no changes were being synced. Hopefully these steps will help you.

Click the AttributeValueMustBeUnique link, which will take you to a window like this:

Press the Details button:

At this point you’re probably thinking you have a duplicate ProxyAddress, and it’s worth checking that before carrying on. 90% of the time this is the case, and it can be fixed by removing the duplicate in Active Directory. However, in my case it was the OnPremiseSecurityIdentifier that I started focusing on.

Firstly, you’ll want to find the sourceAnchor (also known as the ImmutableID). To find this, click on the “CN=” link under the Export Errors column (see first screenshot). You should get a window similar to this:

Copy the value for sourceAnchor and make a note of it; you’ll need it later.

Secondly, we need to find the ObjectID of the problematic user. For this, we’ll need to connect to both Office 365 PowerShell and Azure AD PowerShell:

Office 365:

Connect-MsolService

Azure AD:

Install-Module AzureAD
Connect-AzureAD

To find the object ID:

Get-MsolUser -UserPrincipalName "user.name@domain.com" | Fl *objectId*

Copy the ObjectID value and again make a note of it.

Now we will check what the current ImmutableID value is based on the ObjectID we just found:

Get-AzureADUser -ObjectId "OBJECT ID HERE" | FL *ImmutableID*

If all is well, the ImmutableID should match the sourceAnchor value from AD Connect; however, you probably wouldn’t be reading this if that were the case. In my case, the ImmutableID was the user’s e-mail address, which is incorrect:

To fix this, we need to set the ImmutableID to the sourceAnchor value (the value for ImmutableID doesn’t need quotes).

Set-AzureADUser -ObjectId "OBJECT ID HERE" -ImmutableId SOURCEANCHOR_VALUE_HERE

To check it’s worked, run the following command again:

Get-AzureADUser -ObjectId "OBJECT ID HERE" | FL *ImmutableID*

The ImmutableID and sourceAnchor values should now be the same.

Go back to your AD Connect server and run a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

The error should have disappeared and the user should be correctly syncing to Office 365.
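As an added example (not the post’s own code), here are the steps above rolled into one PowerShell function that sanity-checks the sourceAnchor, refuses to write if another object (live or soft-deleted) already holds it, and re-reads the value afterwards. It assumes Connect-MsolService and Connect-AzureAD have already been run and that AD Connect uses the default sourceAnchor (objectGUID or ms-DS-ConsistencyGuid, i.e. base64 of a 16-byte GUID); the function name and the placeholder values are mine.

```powershell
# Added example: repair a mismatched ImmutableID with the cmdlets used in the post.
# Assumes Connect-MsolService and Connect-AzureAD are already connected.
function Repair-ImmutableId {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. user.name@domain.com
        [Parameter(Mandatory)] [string] $SourceAnchor        # copied from the AD Connect export error window
    )

    # With the default sourceAnchor (objectGUID / ms-DS-ConsistencyGuid) the value is base64 of a
    # 16-byte GUID, so anything else is a copy/paste error rather than a real anchor.
    try { $bytes = [Convert]::FromBase64String($SourceAnchor) }
    catch { throw "sourceAnchor is not valid base64: '$SourceAnchor'" }
    if ($bytes.Length -ne 16) { throw "sourceAnchor decodes to $($bytes.Length) bytes, expected 16" }

    # Step 1: ObjectID of the problem user (Office 365 PowerShell)
    $msol     = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $objectId = $msol.ObjectId

    # Step 2: current ImmutableID (Azure AD PowerShell)
    $current = (Get-AzureADUser -ObjectId $objectId).ImmutableId
    Write-Host "Current ImmutableId: '$current'  expected: '$SourceAnchor'"
    if ($current -eq $SourceAnchor) { Write-Host "Already matching, nothing to do."; return }

    # Step 3: a duplicate object already holding this anchor (including one still in deleted
    # users) is what one commenter found behind 'Property immutableId is invalid', so stop first.
    $clash   = Get-AzureADUser -All $true |
               Where-Object { $_.ImmutableId -eq $SourceAnchor -and $_.ObjectId -ne $objectId }
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
               Where-Object { $_.ImmutableId -eq $SourceAnchor }
    if ($clash -or $deleted) {
        $names = (@($clash) + @($deleted) | ForEach-Object UserPrincipalName) -join ', '
        throw "sourceAnchor already used by: $names. Remove the duplicate (and purge it from deleted users) first."
    }

    # Step 4: write the value and read it back
    Set-AzureADUser -ObjectId $objectId -ImmutableId $SourceAnchor
    $after = (Get-AzureADUser -ObjectId $objectId).ImmutableId
    if ($after -ne $SourceAnchor) { throw "ImmutableId still '$after' after Set-AzureADUser" }
    Write-Host "ImmutableId updated. Now run 'Start-ADSyncSyncCycle -PolicyType Delta' on the AD Connect server."
}

# Usage (placeholder values):
# Repair-ImmutableId -UserPrincipalName 'user.name@domain.com' -SourceAnchor 'SOURCEANCHOR_VALUE_HERE'
```

The tenant-wide Get-AzureADUser -All $true scan is slow on large directories but is the only reliable way to catch a clashing ImmutableId before the write fails.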

5 thoughts on “AD Connect – AttributeValueMustBeUnique”

  1. Thank you so much for actually going into detail.
    I had a similar issue and was able to resolve with the explanation of what is actually going on instead of just providing powershell snippets.

    You are awesome

  2. Currently fighting this issue. When I run the Set command I get an error:

    Set-AzureADUser : Error occurred while executing SetUser
    Code: Request_BadRequest
    Message: Property immutableId is invalid.
    RequestId: e666058f-6f2e-47dc-a1a3-1b1dfa3089d5
    DateTimeStamp: Tue, 04 Jan 2022 21:16:18 GMT
    Details: PropertyName – immutableId, PropertyErrorCode – GenericError
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:1 char:1
    + Set-AzureADUser -ObjectId “eb6dbe62-1676-4a67-8253-1e149e44cbd4” -Imm …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUser

    1. I can’t say I’ve seen a message like that before. Probably best to open a case with MS and see what they say

      1. This is due to a duplicated user. Believe it or not, I found a duplicate account in Azure AD that was created due to the sync. Also make sure to completely remove it from deleted users or you will get the same error again. It took me around three hours; hope it saves you some time. Cheers
