AD Connect – AttributeValueMustBeUnique

I noticed this error when trying to hide some old shared mailboxes from the global address list: no changes were being synced. Hopefully these steps will help you.

Click the AttributeValueMustBeUnique link which will take you to a window like this:

Press the Details button:

At this point you’re probably thinking you have a duplicate ProxyAddress, and it’s worth checking before carrying on. 90% of the time this is the case, and it can be fixed by removing the duplicate in Active Directory. However, in my case it was the OnPremiseSecurityIdentifier that I started focusing on.

Firstly, you’ll want to find the sourceAnchor (which is also known as the ImmutableID). To find this, click on the “CN=” link under the Export Errors column (see first screenshot). You should get a window similar to this:

Copy the value for sourceAnchor and make a note of it, you’ll need it later.

Secondly, we need to find the ObjectID of the problematic user. For this, we’ll need to connect to both Office 365 PowerShell (MSOnline) and Azure AD PowerShell.

Office 365:

Connect-MsolService

Azure AD:

Install-Module AzureAD
Connect-AzureAD

To find the object ID:

Get-MsolUser -UserPrincipalName "user.name@domain.com" | FL *objectId*

Copy the ObjectID value and again make a note of it.

Now we will check what the current ImmutableID value is based on the ObjectID we just found:

Get-AzureADUser -ObjectId "OBJECT ID HERE" | FL *ImmutableID*

If all is well, the ImmutableID should match the sourceAnchor value from AD Connect – however, you probably wouldn’t be reading this if that were the case. In my case, the ImmutableID was the user’s e-mail address, which is incorrect:

To fix this, set the ImmutableID to the sourceAnchor value so the two match (the value for ImmutableID doesn’t need quotes).

Set-AzureADUser -ObjectId "OBJECT ID HERE" -ImmutableId SOURCEANCHOR_VALUE

To check it has worked, run the following command again:

Get-AzureADUser -ObjectId "OBJECT ID HERE" | FL *ImmutableID*

The ImmutableID and sourceAnchor values should now be the same.

Go back to your AD Connect server and run a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

The error should have disappeared and the user should be correctly syncing to Office 365.
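As an added example (not code from the original post), the PowerShell function below wraps the check-and-fix steps above: it compares the current ImmutableID with the AD Connect sourceAnchor, only rewrites it when they differ, and re-reads the value afterwards. It assumes the AzureAD module used in the post (with Connect-AzureAD already run) and, for the optional cross-check, the ActiveDirectory module; the function names and placeholder values are mine.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already run.
# Compares the Azure AD ImmutableId with the AD Connect sourceAnchor and only
# rewrites it when the two differ; -WhatIf shows the change without applying it.
function Repair-ImmutableId {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,      # Azure AD object ID from Get-MsolUser
        [Parameter(Mandatory)] [string] $SourceAnchor,  # value copied from the AD Connect export error
        [switch] $WhatIf
    )

    # Sanity check (assumption: the default sourceAnchor is the base64-encoded 16-byte
    # objectGUID; a custom sourceAnchor attribute would look different, so only warn).
    try { $bytes = [Convert]::FromBase64String($SourceAnchor) } catch { $bytes = $null }
    if (-not $bytes -or $bytes.Length -ne 16) {
        Write-Warning "sourceAnchor '$SourceAnchor' does not decode to a 16-byte GUID; double-check the copied value."
    }

    $user = Get-AzureADUser -ObjectId $ObjectId
    if ($user.ImmutableId -eq $SourceAnchor) {
        Write-Host "ImmutableId already matches sourceAnchor for $($user.UserPrincipalName); nothing to do."
        return
    }

    Write-Host "Current ImmutableId    : $($user.ImmutableId)"
    Write-Host "AD Connect sourceAnchor: $SourceAnchor"
    if ($WhatIf) { Write-Host "WhatIf: would set ImmutableId on $($user.UserPrincipalName)"; return }

    Set-AzureADUser -ObjectId $ObjectId -ImmutableId $SourceAnchor

    # Re-read, as the post does, to confirm the change actually took effect.
    $after = (Get-AzureADUser -ObjectId $ObjectId).ImmutableId
    if ($after -ne $SourceAnchor) { throw "ImmutableId update did not take effect (now '$after')." }
    Write-Host "ImmutableId corrected; now run Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server."
}

# Optional cross-check (assumption: default sourceAnchor = base64 of the on-prem objectGUID).
# Derives the expected value from Active Directory to compare with what AD Connect reported.
function Get-ExpectedSourceAnchor {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID
    [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

# Usage with placeholders (dry run first, then without -WhatIf to apply):
# Repair-ImmutableId -ObjectId "OBJECT ID HERE" -SourceAnchor "SOURCEANCHOR_VALUE" -WhatIf
```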
