Identity Synchronization and Dual Feature Resilience - Microsoft Entra (2023)

  • Article

Duplicate Attribute Resiliency is a feature in Azure Active Directory that will eliminate friction caused byUserPrincipalNameand SMTPProxyAddressconflicts when running one of Microsoft's synchronization tools.

These two attributes are generally required to be unique across allUser,Club, theContactobjects in a given Azure Active Directory tenant.


Only users can have UPNs.

The new behavior this feature enables is in the cloud portion of the sync pipeline, so it's client-agnostic and relevant to any Microsoft sync product, including Azure AD Connect, DirSync, and MIM + Connector. The generic term "sync client" is used in this document to represent any of these products.

Current behavior

If an attempt is made to provide a new object with a UPN or ProxyAddress value that violates this uniqueness constraint, Azure Active Directory blocks the creation of that object. Likewise, if an object is updated with a non-unique UPN or ProxyAddress, the update fails. The provision or update attempt is retried by the sync client on each export cycle and continues to fail until the conflict is resolved. An error report email is generated on each attempt and an error is logged by the sync client.

Behavior with Dual Trait Endurance

Instead of completely failing to provide or update an object with a duplicate attribute, Azure Active Directory "quarantines" the duplicate attribute that would violate the uniqueness constraint. If this attribute is required by the provisioning, such as UserPrincipalName, the service assigns a placeholder value. The format of these temporary values ​​is

The resiliency process feature only handles UPN and SMTPProxyAddressvalues.

If the attribute is not required, such as aProxyAddress, Azure Active Directory simply quarantines the conflicting attribute and continues with the object creation or update.

When quarantining the feature, information about the conflict is sent to the same error report email that was used in the old behavior. However, this information appears in the error report only once, when the quarantine occurs, it will not continue to be recorded in future emails. Also, since the export for this object succeeded, the sync client does not log an error and does not retry the create / update operation in subsequent sync cycles.

(Video) Microsoft Entra Identity & Access Management

To support this behavior a new attribute has been added to the User, Group and Contact object classes:

This is a multi-valued attribute used to store conflicting attributes that would violate the uniqueness constraint if added normally. A background timer job has been enabled in Azure Active Directory that runs every hour to look for duplicate feature conflicts that have been resolved and automatically removes those features from quarantine.

Enable duplicate feature persistence

Duplicate Attribute Resiliency will be the new default behavior across all Azure Active Directory tenants. It will be enabled by default for all tenants who first enabled sync on or after August 22, 2016. Tenants who enabled sync before this date will have the feature enabled in batches. This rollout will begin in September 2016 and an email notification will be sent to each tenant's technical notification contact with the specific date the feature will be enabled.


Once Duplicate Attribute Resiliency is enabled, it cannot be disabled.

To check if the feature is enabled for your tenant, you can do so by downloading the latest version of the Azure Active Directory PowerShell module and running:

Get-MsolDirSyncFeatures -DuplicateUPNResiliency feature

Get-MsolDirSyncFeatures -DuplicateProxyAddressResiliency feature


You can no longer use the Set-MsolDirSyncFeature cmdlet to proactively enable the Duplicate Attribute Resiliency feature before it is enabled for your tenant. Before you can test the feature, you will need to create a new Azure Active Directory tenant.

Identify objects with DirSyncProvisioningErrors

There are currently two methods for detecting objects that have these errors due to duplicate property conflicts, Azure Active Directory PowerShell andMicrosoft 365 admin center. There are plans to expand to additional portal-based reports in the future.

(Video) Azure AD Cross Tenant Synchronisation FIRST LOOK!

Azure Active Directory PowerShell

For the PowerShell cmdlets in this topic, the following applies:

  • All cmdlets below are case sensitive.
  • The–Error Property Class Conflictmust always be included. There are currently no other typesError category, but this may be extended in the future.

First, start runningConnect-MsolServiceand entering credentials for a tenant administrator.

Then use the following cmdlets and operators to view the errors in different ways:

  1. View all
  2. By property type
  3. Of conflicting value
  4. Using a string search
  5. Classified
  6. In limited quantity or in all

View all

After you're logged in, to see a general list of feature provisioning errors in the tenant run:

Get-MsolDirSyncProvisioningError - PropertyConflict Category Error

This produces a result like the following:
Identity Synchronization and Dual Feature Resilience - Microsoft Entra (1)

By property type

To see errors by property type, add it-Property nameflag withUserPrincipalNametheProxy addressesdisagreement:

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName UserPrincipalName


Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName Proxy addresses

Of conflicting value

To see errors related to a specific property, add it- Property valueflag (-Property namemust also be used when adding this flag):

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyValue -PropertyName UserPrincipalName

Using a string search

To do a broad string search use this-SearchStringflag. This can be used independently of all the above flags, with the exception of-PropertyConflictCategoryError, which is always required:

(Video) Identity Architecture: Password Hash Synchronization | Azure Active Directory

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -SearchString User

In limited quantity or in all

  1. MaxResultscan be used to limit the query to a specific number of values.
  2. Allcan be used to ensure that all results are retrieved in case there are a large number of errors.

Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -MaxResults 5

Microsoft 365 admin center

You can view directory sync errors in the Microsoft 365 admin center. Only the Microsoft 365 admin center report is displayedUserobjects that have these errors. It does not display information about conflicts betweenTeamsandContacts.

Identity Synchronization and Dual Feature Resilience - Microsoft Entra (2)

For instructions on how to view directory sync errors in the Microsoft 365 admin center, seeIdentify directory sync errors in Microsoft 365.

Identity sync error report

When an object with a duplicate attribute conflict is encountered with this new behavior, a notification is included in the standard identity sync error report email sent to the technical notification contact for the tenant. However, there is a significant change in this behavior. In the past, information about a duplicate feature conflict would be included in each subsequent bug report until the conflict was resolved. With this new behavior, the error notification for a given conflict appears only once - at the time the conflicting attribute is quarantined.

Here is an example of how the email notification for an Address Proxy conflict appears:
Identity Synchronization and Dual Feature Resilience - Microsoft Entra (3)

Conflict resolution

Your troubleshooting strategy and tactics for resolving these errors should be no different than how you handled duplicate feature errors in the past. The only difference is that the timer job scans the tenant on the service side to automatically add the attribute in question to the appropriate object once the conflict is resolved.

The following article describes various troubleshooting and resolution strategies:Duplicate or invalid attributes prevent directory synchronization in Office 365.

Known issues

None of these known issues cause data loss or service degradation. Several of these are aesthetic, others evoke typical "pre-resilience" duplicate attribute errors that should be discarded instead of quarantining the conflicting attribute, and another causes some errors to require additional manual correction.

Basic behavior:

  1. Objects with specific attribute configurations continue to receive export errors unlike quarantined duplicate attributes.
    For example:

    one. A new user is created in AD with its UPNJoe@contoso.comand

    (Video) Azure Master Class v2 - Module 2 - Identity

    si. This object's properties conflict with an existing Group where ProxyAddress residesSMTP:

    do. During export, aAddress Proxy conflicterror occurs instead of quarantining conflicting attributes. The function is retried on each subsequent synchronization cycle as it would have been before the elasticity feature was enabled.

  2. If two Groups are created on-premises with the same SMTP address, one fails to provide a standard copy on the first attemptProxyAddresserror. However, the duplicate value is quarantined during the next sync cycle.

Office Portal Report:

  1. The detailed error message for two objects in a UPN conflict set is the same. This shows that both had their UPN changed / quarantined, when in fact only one of them changed data.

  2. The detailed error message for a UPN conflict shows the wrong displayName for a user whose UPN has been changed/quarantined. For example:

    one.Christis Async first withUPN =

    si.Christis Bit is then attempted to synchronize withUPN =

    do.Christis BThe UPN changes toUser1234@contoso.onmicrosoft.comandUser@contoso.comis added toDirSyncProvisioningErrors.

    Hey. The error message forChristis Bit should indicate thatChristis Ahas alreadyUser@contoso.comas UPN, but it appearsChristis Bown displayName.

Identity sync error report:

The link forsteps on how to resolve this issueit's wrong:
Identity Synchronization and Dual Feature Resilience - Microsoft Entra (4)

It should point to

(Video) Cross-tenant synchronization

See also


What is the difference between Azure AD Connect and Azure AD Sync? ›

Understand your organization's requirements. Azure AD Connect Cloud Sync is the preferred way to synchronize on-premises AD to Azure AD, assuming you can get by with its limitations. Azure AD Connect provides the most feature-rich synchronization capabilities, including Exchange hybrid support.

What are the two features that Azure AD provides? ›

Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks.

What is Microsoft Azure IdP? ›

Azure AD: Enterprise cloud IdP that provides SSO and Multi-factor authentication for SAML apps. It synchronizes, maintains, and manages identity information for users while providing authentication services to relying applications.

What are the different types of Azure AD Connect? ›

Azure AD Connect has two installation types for new installation: Express and customized. This topic helps you to decide which option to use during installation.

What are the different types of AD sync? ›

There are two types of sync in Azure Active Directory Connect: delta sync and full sync. A delta syncs synchronizes only the latest changes while a full sync is only necessary when changing Azure AD Connect configuration.

What are two types of two-factor authentication? ›

Types of two-factor authentication products

Two-factor authentication products can be divided into two categories: tokens that are given to users to use when logging in; and. infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.

What are the three authentication methods available for MFA? ›

Three Main Types of MFA Authentication Methods
  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a badge or smartphone.
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition.

What is the difference between MFA and SSO in Azure? ›

SSO vs MFA - Security

Allows users to access more systems and applications using a single set of login credentials. Whereas, SSO focuses on user convenience, but MFA focuses on user security. The SSO mitigates the repetition of reentering the passwords while MFA mitigates the low security of passwords.

What are the 3 main identity types used in Azure AD? ›

- [Instructor] The exam may test your knowledge of the identity types available in Azure Active Directory. And for the exam, there are four different identity types that you'll want to be familiar with: the user, service principle, managed identity, and device.

What are the two types of Azure AD external identities? ›

Azure AD B2C - Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management. Azure AD multi-tenant organization - Collaborate with multiple tenants in a single Azure AD organization via cross-tenant synchronization.

Which Azure features allows synchronization between on-premises and Azure AD? ›

The Azure AD Connect sync service ensures that identity information stored in the cloud is consistent with the identity information stored on-premises. You install this service using the Azure AD Connect software.

What is the difference between SSO and SAML? ›

SAML enables SSO by defining how organizations can offer both authentication and authorization services as part of their infrastructure access strategy. As an open standard, SAML can be implemented by a wide variety of identity and access management (IAM) vendors.

Is IdP same as Active Directory? ›

If the IdP provides endpoint authentication services or user authentication services, it may also be referred to as an authentication as a service (AaaS) provider. An identity provider serves the same basic function as a directory service, like Microsoft's Active Directory (AD).

Is Microsoft Active Directory an IdP? ›

Azure Active Directory is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault. Commvault is the service provider (SP).

What is entra Microsoft? ›

Microsoft Entra is the vision for identity and access that expands beyond identity and access management with new product categories such as cloud infrastructure entitlement management (CIEM) and decentralized identity.

What are the two types of Active Directory? ›

Active Directory has two types of groups:
  • Security groups: Use to assign permissions to shared resources.
  • Distribution groups: Use to create email distribution lists.
Apr 10, 2023

What is the difference between Active Directory and Azure AD? ›

Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider and it can't be used for other purposes to gain backdoor access. Active Directory doesn't natively support mobile devices without third-party solutions.

What are the 4 types of synchronization? ›

Locking, signaling, lightweight synchronization types, spinwait and interlocked operations are mechanisms related to synchronization in .

What are the 4 types of Azure AD? ›

Below we'll explain their differences in order to help you decide what you need.
  • Active Directory (AD) ...
  • Azure Active Directory (AAD) ...
  • Hybrid Azure AD (Hybrid AAD) ...
  • Azure Active Directory Domain Services (AAD DS)
Aug 25, 2019

What are the 3 different types of ad networks? ›

Different Types of Ad Networks
  • Vertical networks: Ad networks that are topic-specific, such as fashion, automotive, or business.
  • Premium networks: Ad networks that offer inventory from popular publishers.
  • Inventory-specific networks: Ad networks that provide a specific type of ad inventory, such as video or mobile.
Nov 9, 2021

What is the strongest form of two-factor authentication? ›

1. Hardware-based 2FA. Using a separate piece of hardware like an authenticator device or a U2F security key is the best way to secure any online account.

What is an example of dual factor authentication? ›

Examples of Two Factor Authentication

When you use your credit card and are prompted for your billing zip code, that's 2FA in action. Knowledge factors like your zip code may also be passwords or a personal identification number (PIN).

What are the three types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are the 5 categories of multifactor authentication? ›

Key takeaways

Today, many organizations use multiple authentication factors to control access to secure data systems and applications. The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

What are the three 3 common identification and authentication methods? ›

Common types of biometrics include the following: Fingerprint scanning verifies authentication based on a user's fingerprints. Facial recognition uses the person's facial characteristics for verification. Iris recognition scans the user's eye with infrared to compare patterns against a saved profile.

What are the two most commonly used authentication factors? ›

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Can you have MFA without SSO? ›

MFA and SSO are not mutually exclusive. As a matter of fact, you can combine these two technologies to provide your users with high security while ensuring a good user experience. MFA can add an extra layer of protection to the SSO logins of your users.

What is difference between SSO and MFA? ›

SSO simplifies the process of logging into multiple accounts or platforms with just one set of credentials, making it easier for employees to access the resources they need. 2FA and MFA provide an additional layer of security, ensuring that only authorized users have access to the data.

What is the difference between SSO and authentication? ›

Authentication: process of an entity (the Principal) proving its identity to another entity (the System). Single Sign On (SSO): characteristic of an authentication mechanism that relates to the user's identity being used to provide access across multiple Service Providers.

What are the 3 types of data that can be stored in Azure? ›

There are 4 types of storage in Azure, namely:
  • File.
  • Blob.
  • Queue.
  • Table.
May 3, 2017

What is the difference between SPN and managed identity? ›

Service principals can be used for automated processes like scripts, CI/CD pipelines, and other automation scenarios. The main difference between the two is that Managed Identity is tied to a specific Azure resource while Service Principal is a standalone identity.

What are the 3 system properties of Azure tables? ›

System Properties
  • PartitionKey property.
  • RowKey property.
  • Timestamp property.
Feb 3, 2023

What are the three main identity models Azure Active Directory users to manage user authentication in Office 365? ›

First of all, there are three types of identities: cloud identity, synchronized identity and federated identity.
  • Cloud Identity. ...
  • Synchronized Identity. ...
  • Federated identity. ...
  • Office 365 Identity Management advanced scenarios – multi-factor authentication. ...
  • Advanced scenarios – password reset.
Nov 15, 2016

What are the 2 types of Azure AD dynamic groups? ›

Fill in group details. The group type can be Security or Microsoft 365, and the membership type can be set to Dynamic User or Dynamic Device. Select Add dynamic query. MemberOf isn't yet supported in the rule builder.

What is an advantage to Azure AD synchronization? ›

Users and organizations can take advantage of: Users can use a single identity to access on-premises applications and cloud services such as Microsoft 365. Single tool to provide an easy deployment experience for synchronization and sign-in. Provides the newest capabilities for your scenarios.

Can you sync from Azure AD to on-premise AD? ›

Hi, so the process of Azure AD connect works only from on-premises to cloud. Whilst it is capable of things like password write back and device writeback, you cannot create users in Azure AD and sync them back to on-premises AD.

What is the difference between initial sync and Delta Sync? ›

Delta sync is faster than the initial sync, but it checks the whole data of the protected disk. Time may vary depending on the size of the protected volume and sites bandwidth.

Is LDAP considered SSO? ›

What is the difference between SSO and LDAP? SSO is a convenient authentication method that allows users to access multiple applications and systems using just one login. LDAP is the protocol or communication process that will enable users to access a network resource through a directory service.

Does Microsoft SSO use SAML? ›

In this article. The Microsoft identity platform uses the SAML 2.0 and other protocols to enable applications to provide a single sign-on (SSO) experience to their users.

Is SSO the same as IAM? ›

SSO brings several benefits in terms of security and ease-of-administration: Short-lived credentials — IAM users requires persisting the same access key and secret on your workstation (usually in the ~/. aws/credentials file) which is used for all authentication requests (potentially indefinitely).

What are the different types of IdP? ›

Types of Identity Providers (IdP)

There are two primary types of identity providers: Security Assertion Markup Language (SAML) and Single-Sign On (SSO). SAML is an XML based markup language used for authentication via identity federation.

Is IdP an ADFS? ›

A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.

What is Active Directory called now? ›

The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. The servers that run AD DS are called domain controllers (DCs).

Is Microsoft Active Directory an IAM? ›

Azure Active Directory (AD) is Microsoft's cloud-based identity and access management (IAM) service; it can be used to manage secure user sign-in to thousands of external services, such as Microsoft Office 365, the Azure portal, and other SaaS applications.

Is Active Directory a part of SSO? ›

If you install only the SSO Agent, the SSO Agent uses Active Directory (AD) Mode for SSO.

What is IdP in SSO? ›

An identity provider (IdP) is a service that stores and verifies user identity. IdPs are typically cloud-hosted services, and they often work with single sign-on (SSO) providers to authenticate users.

What is the point of Azure AD Connect? ›

Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.

Is Azure AD Connect outdated? ›

As of August 31, 2022, all 1. x versions of Azure AD Connect are retired because they include SQL Server 2012 components that will no longer be supported. Upgrade to the most recent version of Azure AD Connect (2. x version) by that date or evaluate and switch to Azure AD cloud sync.

What is the replacement for AD connect? ›

Most customers no longer need Azure AD Connect and can now use Azure AD Cloud Sync. Cloud sync is the next generation of sync tools to provision users and groups from AD into Azure AD.

How do I upgrade Azure AD Connect to Azure AD cloud sync? ›

Azure portal agent verification
  1. Sign in to the Azure portal.
  2. Select Azure Active Directory.
  3. Select Azure AD Connect, and then select Cloud sync.
  4. On the cloud sync page, you'll see the agents you've installed. Verify that the agent is displayed and the status is healthy.
May 4, 2023

What are some of the benefits of integrating Azure AD? ›

The Top 5 Benefits of Azure Active Directory
  • Increased security and compliance. ...
  • Single Sign-On (SSO) and multi-factor authentication (MFA) ...
  • Central Management of Applications and Users. ...
  • Reduced costs. ...
  • Increased flexibility and scalability.
May 25, 2022

Does Azure AD Connect work both ways? ›

By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD.

What are the benefits of Azure AD join? ›

Joining devices to Azure AD provides the following benefits to your organization:
  • Single sign-on to cloud resources. ...
  • Windows Hello for Business. ...
  • Device-based conditional access. ...
  • Automatic device licensing. ...
  • Self-service functionality. ...
  • Enterprise state roaming.
Oct 3, 2022

What is the limitation of Azure AD Connect? ›

By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API.

How often does Azure AD Sync Sync? ›

How Often? Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.

Will Azure AD replace Active Directory? ›

Simply, no. Azure AD cannot fully replace Active Directory. The cloud-specific Azure AD can work for organizations with zero on-premises infrastructure, but not without losing security.

Does AD Connect need to be on a domain controller? ›

Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later. You can deploy Azure AD Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require a paid support program if you require support for this configuration.

Should you run AD Connect on a domain controller? ›

Ideally, Azure AD Connect should be installed on a dedicated domain-joined server, but you can also install it on your domain controller (Windows Server 2016 or later with Desktop Experience is required for Azure AD Connect V2) AD and AAD accounts for your Azure AD Connect server.

What is the difference between simple ad and ad connector? ›

AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. Simple AD is an inexpensive Active Directory–compatible service with the common directory features.

Can I sync multiple domains to Azure AD? ›

You can synchronize device objects to more than one tenant but a device can be Hybrid Azure AD Joined to only one tenant. Each Azure AD Connect instance should be running on a domain-joined machine.

Does Azure AD Connect update automatically? ›

Azure AD Connect automatic upgrade is a feature that regularly checks for newer versions of Azure AD Connect. If your server is enabled for automatic upgrade and a newer version is found for which your server is eligible, it will perform an automatic upgrade to that newer version.


1. 5- Azure AD Connect Sync : Duplicate Identities troubleshooting Scenario-1 : IT Admin Series
2. Microsoft Hybrid Explained! Complete with FULL DEMO
(Andy Malone MVP)
3. Microsoft Azure AD Identity Protection Deep Dive
(John Savill's Technical Training)
4. Syncing Users in Azure AD Connect: Master the Art of Seamless User & Group Integration
5. Azure AD HR-Driven Provisioning
(John Savill's Technical Training)
6. Azure Active Directory (Entra) & Hybrid Identities
Top Articles
Latest Posts
Article information

Author: Ray Christiansen

Last Updated: 06/08/2023

Views: 5767

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Ray Christiansen

Birthday: 1998-05-04

Address: Apt. 814 34339 Sauer Islands, Hirtheville, GA 02446-8771

Phone: +337636892828

Job: Lead Hospitality Designer

Hobby: Urban exploration, Tai chi, Lockpicking, Fashion, Gunsmithing, Pottery, Geocaching

Introduction: My name is Ray Christiansen, I am a fair, good, cute, gentle, vast, glamorous, excited person who loves writing and wants to share my knowledge and understanding with you.