I have been working heavily with the AD Sync tool in all its versions, including the AAD Connect tool, and I came across an issue that is likely to cause you trouble sooner or later. So in this blog post I will share my experience with you.
My environment consisted of one AD domain with Exchange 2010 on premises and a single sign-on experience. The AD domain and the SMTP domain are the same (contoso.com).
I have a manager called John Smith:
- UPN : JohnS@contoso.com
- SMTP address : John.Smith@contoso.com
This manager came to me and asked me to add a secondary SMTP address for him, John@contoso.com. Since that SMTP address was available, I agreed.
Life went on. John is a big manager, and he used his nice, clean new SMTP address John@contoso.com in all his communications. He even printed the new email address on his business cards.
So far, all our mailboxes are on premises and we do not have any Office 365 implementation.
Ten years later, the corporation decided to start using Azure services, and they decided to begin with AD Sync the following month.
Meanwhile, a new employee named John William was hired. The IT department assigned him the following:
- UPN : John@Contoso.com
- SamAccountName : Contoso\John
- SMTP Address : John.William@Contoso.com
Everything is fine so far, and there is not a single conflict on premises.
Now, when we started syncing users to Azure AD, the John Smith user no longer synchronized to Azure AD, and the AD Sync tool reported an error for that user:
“Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses smtp: JohnS@contoso.com]. Correct or remove the duplicate values in your local directory.”
After opening a case with Microsoft, we reviewed our AD Sync configuration, and after opening the AAD Connect sync tool we confirmed that we were using ObjectGUID as the anchor attribute, not the email address.
Microsoft confirmed that when an on-premises mail-enabled user is synced to Azure AD, he is assigned a secondary SMTP address in the form of his UPN. So in this case, when John William is synced to Azure AD, Azure tries to stamp him with the secondary SMTP address John@Contoso.com, which conflicts with the John@contoso.com address already owned by the John Smith user.
So although there is no conflict on premises, Azure introduces this type of conflict and throws a sync error. Microsoft answered us: “THIS IS BY DESIGN, DEAL WITH IT”
How big this problem is
Now, we contacted John Smith and asked him to give up his lovely John@Contoso.com SMTP address. What do you think his reaction was? He had been using that email address for years and could not give it up. Furthermore, even if he agreed to give it up, and Azure then assigned it to the John William user, people sending email to John@contoso.com would be reaching John William instead, and that is by itself a security and privacy issue.
So we went to John William and asked him to change his UPN and SamAccountName. This solves the problem for a while, until a new employee arrives with the name John Robert, and IT finds that Contoso\John is not used anywhere in the enterprise and assigns it to John Robert.
Now suddenly the Sync tool throws the same sync error, and the same loop happens over and over.
Imagine you have many users who have had clean SMTP addresses for years, and you have to go through them one by one doing this 🙂
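The stamping behaviour described above (Azure AD adds the UPN as a secondary smtp: address at sync time) means the collision is invisible to any check that only compares proxyAddresses on premises. The following PowerShell audit is an added example, not code from the original post or from Microsoft: it reads every user's proxyAddresses and UPN from the domain, treats the UPN as an address the user will claim once synced, and reports any address claimed by more than one account, case-insensitively, so the John Smith / John William pair would be caught before sync is enabled. It assumes the ActiveDirectory RSAT module and read access to the domain; the function name Get-AadProxyCollisions is my own.

```powershell
# Added example: find UPN / proxyAddresses collisions that Azure AD will
# surface at sync time even though nothing collides on premises.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-AadProxyCollisions {
    param(
        # Scope of the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties userPrincipalName, proxyAddresses, sAMAccountName

    # Map each address (lower-cased, smtp: prefix stripped) to the accounts that claim it.
    $claims = @{}
    foreach ($u in $users) {
        $addresses = @()

        # Primary (SMTP:) and secondary (smtp:) addresses already in proxyAddresses.
        # -match is case-insensitive, so both prefixes are picked up.
        foreach ($pa in $u.proxyAddresses) {
            if ($pa -match '^smtp:(.+)$') {
                $addresses += $Matches[1].ToLowerInvariant()
            }
        }

        # Azure AD will add the UPN as a secondary smtp: address when the object
        # syncs, so count it as claimed even though it is absent on premises.
        if ($u.userPrincipalName) {
            $addresses += $u.userPrincipalName.ToLowerInvariant()
        }

        foreach ($a in ($addresses | Select-Object -Unique)) {
            if (-not $claims.ContainsKey($a)) { $claims[$a] = @() }
            $claims[$a] += $u.sAMAccountName
        }
    }

    # Emit one row per address that more than one account would own after sync.
    foreach ($a in $claims.Keys) {
        if ($claims[$a].Count -gt 1) {
            [pscustomobject]@{
                Address = $a
                Owners  = ($claims[$a] -join ', ')
            }
        }
    }
}

# Usage: run before enabling AAD Connect, and again whenever a new account is provisioned.
Get-AadProxyCollisions | Format-Table -AutoSize
```

Running this as part of account provisioning is what breaks the loop in the story: when IT is about to hand Contoso\John to John Robert, the report shows that john@contoso.com is already owned by John Smith's proxyAddresses, and the UPN can be chosen differently before the sync error ever appears. The script only reports; deciding which user keeps the address is still a human decision, for exactly the reasons given above.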