Check Sync Health First
# On the AAD Connect server: load the module first, then check the scheduler state
Import-Module ADSync
Get-ADSyncScheduler
# Check whether a sync is currently running (no output means the engine is idle)
Get-ADSyncConnectorRunStatus
# View the most recent run step results
Get-ADSyncRunStepResult | Select-Object -Last 20 | Format-Table
Also check the Azure portal: Azure Active Directory → Azure AD Connect → View sync details. If the last sync is more than 3 hours ago, the scheduler may be disabled or the service may be stopped.
# Check if the sync service is running
Get-Service ADSync | Select-Object Status
# Start it if stopped
Start-Service ADSync
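The commands above answer the health questions one at a time. The script below is an added example (not part of the original guide) that rolls them into a single summary object, so the same checks can be run on every AAD Connect server or from a monitoring job. Property names are those printed by Get-ADSyncScheduler; the 3-hour threshold is the one used above. Two assumptions are labelled in the code: that Get-ADSyncConnectorRunStatus returns nothing when no run is in progress and exposes a ConnectorName property, and that a next-cycle start time that is already hours in the past is a reliable sign that the scheduler is not firing.

```powershell
# Added example: one-shot AAD Connect health summary (not from the original guide).
Import-Module ADSync

function Test-ADSyncHealth {
    param(
        # Staleness threshold from the guide: no cycle for 3 hours means something is wrong
        [int]$MaxHoursOverdue = 3
    )

    $service   = Get-Service ADSync
    $scheduler = Get-ADSyncScheduler
    # Assumption: one object per connector with a run in progress, empty when idle
    $running   = @(Get-ADSyncConnectorRunStatus)

    # The scheduler does not record the last run, so use the next scheduled start instead:
    # if it is already more than $MaxHoursOverdue in the past, cycles are not being started.
    $nextUtc = $scheduler.NextSyncCycleStartTimeInUTC
    $overdue = $nextUtc -lt (Get-Date).ToUniversalTime().AddHours(-$MaxHoursOverdue)

    $problems = @()
    if ($service.Status -ne 'Running')    { $problems += 'ADSync service is not running' }
    if (-not $scheduler.SyncCycleEnabled) { $problems += 'Scheduler is disabled (SyncCycleEnabled = False)' }
    if ($scheduler.SchedulerSuspended)    { $problems += 'Scheduler is suspended (usually left over from an upgrade)' }
    if ($scheduler.StagingModeEnabled)    { $problems += 'Server is in staging mode: it imports but never exports to Azure AD' }
    if ($overdue)                         { $problems += "Next cycle was due at $nextUtc UTC and has not started" }

    [pscustomobject]@{
        ServiceStatus      = $service.Status
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        SchedulerSuspended = $scheduler.SchedulerSuspended
        StagingMode        = $scheduler.StagingModeEnabled
        SyncRunning        = $running.Count -gt 0
        # Assumption: ConnectorName is the property carrying the connector's display name
        RunningConnectors  = ($running | ForEach-Object { $_.ConnectorName }) -join ', '
        NextCycleUtc       = $nextUtc
        Healthy            = $problems.Count -eq 0
        Problems           = $problems
    }
}

Test-ADSyncHealth | Format-List
```

The staging-mode check is the one most often missed: a staging server reports a healthy scheduler and completes every cycle, yet nothing reaches Azure AD because exports are disabled by design. If a failover left the wrong server active, that is where to look before digging into object-level errors.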
Export Sync Errors
# Get all sync errors for the tenant
Connect-MsolService
$syncErrors = Get-MsolDirSyncProvisioningError -All
$syncErrors | Format-Table ObjectId, ErrorCategory, ProvisioningErrors -AutoSize
You can also use the Synchronization Service Manager UI on the AAD Connect server: Start → Synchronization Service Manager → Operations. Click the latest export operation and look for objects with errors. Double-click an object to see the exact attribute causing the failure.
AttributeValueMustBeUnique
The most common error. An attribute — usually ProxyAddresses or UserPrincipalName — conflicts with an existing object in Azure AD.
# Find duplicate UPNs in on-prem AD (skip objects with no UPN so they don't group together)
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    Group-Object UserPrincipalName |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count
# Find duplicate proxy addresses: expand the multi-valued attribute so each
# address is its own row, then group and keep only addresses seen more than once
Get-ADUser -Filter * -Properties ProxyAddresses |
    Where-Object { $_.ProxyAddresses } |
    ForEach-Object {
        $user = $_
        foreach ($addr in $_.ProxyAddresses) {
            [pscustomobject]@{ User = $user.SamAccountName; Proxy = $addr.ToLower() }
        }
    } |
    Group-Object Proxy |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count, @{N='Users'; E={ ($_.Group.User | Sort-Object -Unique) -join ', ' }}
Fix: update one of the conflicting objects with a unique value, then trigger a sync cycle. If the conflict is with a cloud-only object, that object may need to be deleted or its attribute changed in Azure AD first.
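The per-user queries above catch the usual case, but AttributeValueMustBeUnique is also raised when a mail-enabled group or contact carries the same SMTP address as a user, or when a user's UPN collides with another object's proxy address. The function below is an added example (not from the original guide) that generalises the search: it scans users, groups and contacts together, normalises UPN, mail and SMTP proxy addresses to one lower-case form, and reports every address held by more than one object. It assumes a single domain (the default SearchBase is the current domain's root) and is written for the ActiveDirectory module.

```powershell
# Added example: cross-object-class address conflict finder (not from the original guide).
Import-Module ActiveDirectory

function Find-ConflictingAddress {
    param(
        # Assumption: single domain; pass an OU DN to narrow the scan
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # objectCategory=person excludes computer accounts, which also have objectClass=user
    $filter  = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=contact))'
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter `
        -Properties userPrincipalName, mail, proxyAddresses

    $rows = foreach ($o in $objects) {
        # Collect every address-like value on the object in the same "smtp:<address>" form
        $values = @()
        if ($o.userPrincipalName) { $values += "smtp:$($o.userPrincipalName)" }
        if ($o.mail)              { $values += "smtp:$($o.mail)" }
        foreach ($p in $o.proxyAddresses) {
            # Only SMTP entries can collide; X500/SIP/EUM prefixes are ignored (-match is case-insensitive)
            if ($p -match '^smtp:') { $values += $p }
        }
        # One row per distinct address per object, so a group with Count > 1 means different objects
        foreach ($v in ($values | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)) {
            [pscustomobject]@{ Address = $v; Object = $o.DistinguishedName; Class = $o.ObjectClass }
        }
    }

    $rows | Group-Object Address |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Address = $_.Name
                Count   = $_.Count
                Objects = ($_.Group | ForEach-Object { "$($_.Class): $($_.Object)" }) -join '; '
            }
        }
}

Find-ConflictingAddress | Format-Table -Wrap
```

Run it from a domain-joined admin workstation; on a large directory the Get-ADObject call is the slow part, so scope it with -SearchBase when you already know which OU the failing object lives in.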
ObjectTypeMismatch
A user in on-prem AD is matched to a contact or group in Azure AD. This happens when a cloud-only object was created manually before AAD Connect was set up.
# Find the conflicting cloud object
Connect-MsolService
Get-MsolUser -SearchString "conflicteduser@corp.com" | Select-Object ObjectId, UserPrincipalName
Fix options:
- Delete the cloud object and let AAD Connect re-create it from on-prem (user loses cloud-only data like licenses)
- Soft-match: set the on-prem object's mail attribute to match the cloud UPN, then sync — AAD Connect will merge them
InvalidSoftMatch
AAD Connect tried to match an on-prem object to a cloud object via soft matching but the match was ambiguous or the cloud object already has a different anchor.
# Check what anchor the cloud object has
Get-MsolUser -UserPrincipalName "user@corp.com" | Select-Object ImmutableId
# If ImmutableId is null, the object is cloud-only and can be soft-matched
# If set, it's already synced from a different on-prem object
# Clear the ImmutableId (orphaned sync artifact)
Set-MsolUser -UserPrincipalName "user@corp.com" -ImmutableId "$null"
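Seeing that ImmutableId is set tells you the cloud object is anchored, but not to which on-prem object. Since the anchor is just the base64 encoding of the source GUID's 16 bytes, you can compute what AAD Connect would write for a given on-prem user and compare it with the cloud value before clearing anything. The function below is an added example (not from the original guide) that does exactly that and classifies the result into the three InvalidSoftMatch situations. It assumes the default source anchor (objectGUID, or an ms-DS-ConsistencyGuid that still holds the objectGUID value); if your deployment uses a different anchor attribute the comparison does not apply.

```powershell
# Added example: compare the on-prem anchor with the cloud ImmutableId (not from the original guide).
Import-Module ActiveDirectory
Connect-MsolService   # prompts for tenant admin credentials

function Compare-SyncAnchor {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
        -Properties 'ms-DS-ConsistencyGuid'
    if (-not $onPrem) { throw "No on-prem user with UPN $UserPrincipalName" }

    # Assumption: default anchor. ms-DS-ConsistencyGuid wins if populated, otherwise objectGUID.
    $anchorGuid = if ($onPrem.'ms-DS-ConsistencyGuid') {
        [guid]::new([byte[]]$onPrem.'ms-DS-ConsistencyGuid')
    } else {
        $onPrem.ObjectGUID
    }
    # ImmutableId = base64 of the GUID's raw 16 bytes (not of its string form)
    $expected = [Convert]::ToBase64String($anchorGuid.ToByteArray())

    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) { throw "No cloud user with UPN $UserPrincipalName" }
    $actual = $cloud.ImmutableId

    $verdict = if (-not $actual) {
        'Cloud-only: no anchor set, soft match on UPN/SMTP will work'
    } elseif ($actual -eq $expected) {
        'Already hard-matched to this on-prem object; the error is elsewhere'
    } else {
        'Anchored to a DIFFERENT on-prem object or a stale anchor: soft match will fail until it is cleared'
    }

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        OnPremObjectGuid    = $onPrem.ObjectGUID
        ExpectedImmutableId = $expected
        CloudImmutableId    = $actual
        Verdict             = $verdict
    }
}

Compare-SyncAnchor -UserPrincipalName "user@corp.com" | Format-List
```

Only clear the ImmutableId when the verdict is the third one and you have confirmed the old anchor does not belong to a live on-prem object (for example one that was moved to another forest); clearing an anchor that another synced object still owns just moves the conflict.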
Force a Sync Cycle
# Delta sync: syncs only changes (fastest)
Start-ADSyncSyncCycle -PolicyType Delta
# Full sync: re-evaluates all objects (use after fixing schema issues)
Start-ADSyncSyncCycle -PolicyType Initial
# Monitor progress
Get-ADSyncConnectorRunStatus
Check Connector Spaces
Objects stuck in the connector space with an error won't sync to Azure AD. Open Synchronization Service Manager: Connectors → [your domain].onmicrosoft.com → Search Connector Space. Set Scope to "Export Error" and click Search.
Objects shown here failed during the last export. Fix the attribute on-prem, then run a Delta sync to clear the error.