Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (2023)

Table of Contents
In this article Troubleshooting task Run the troubleshooting task in the wizard Troubleshoot input parameters Understand the results of the troubleshooting task Detect UPN mismatch if the object is synced to Azure AD UPN suffix is not verified with the Azure AD tenant Azure AD tenant DirSync feature SynchronizeUpnForManagedUsers is disabled Object is filtered due to domain filtering Domain is not configured to sync Domain is configured to sync but is missing run profiles or run steps Object is filtered due to OU filtering Linked mailbox issue Dynamic distribution group issue HTML report Next steps Videos
  • Article
  • 3 minutes to read

This article provides steps for troubleshooting issues with object synchronization by using the troubleshooting task. To see how troubleshooting works in Azure AD Connect, watch a short video.

Troubleshooting task

For Azure AD Connect deployments of version 1.1.749.0 or later, use the troubleshooting task in the wizard to troubleshoot object sync issues. For earlier versions, you can troubleshoot manually.

Run the troubleshooting task in the wizard

To run the troubleshooting task:

  1. Open a new Windows PowerShell session on your Azure AD Connect server by using the Run as Administrator option.
  2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted.
  3. Start the Azure AD Connect wizard.
  4. Go to Additional Tasks > Troubleshoot, and then select Next.
  5. On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell.
  6. In the main menu, select Troubleshoot Object Synchronization.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (1)

(Video) How to sync users in Azure AD Connect | Sync users and groups from on-premise to Azure AD

Troubleshoot input parameters

The troubleshooting task requires the following input parameters:

See Also
Field Notes: How has your Azure AD Connect been configured? - It works in my tenantUninstall Azure AD Connect - Microsoft EntraAzure AD Connect: Get started by using express settings - Microsoft EntraCannot connect with RDP to a Windows VM in Azure - Virtual Machines

  • Object Distinguished Name: The distinguished name of the object that needs troubleshooting.
  • AD Connector Name: The name of the Windows Server Active Directory (Windows Server AD) forest where the object resides.
  • Azure Active Directory (Azure AD) tenant Hybrid Identity Administrator credentials.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (2)

Understand the results of the troubleshooting task

The troubleshooting task performs the following checks:

  • Detect user principal name (UPN) mismatch if the object is synced to Azure AD.
  • Check whether object is filtered due to domain filtering.
  • Check whether object is filtered due to organizational unit (OU) filtering.
  • Check whether object sync is blocked due to a linked mailbox.
  • Check whether the object is in a dynamic distribution group that isn't intended to be synced.

The rest of the article describes specific results that are returned by the troubleshooting task. In each case, the task provides an analysis followed by recommended actions to resolve the issue.

Detect UPN mismatch if the object is synced to Azure AD

Check for the UPN mismatch issues that are described in the next sections.

UPN suffix is not verified with the Azure AD tenant

When the UPN or alternate login ID suffix isn't verified with the Azure AD tenant, Azure AD replaces the UPN suffixes with the default domain name onmicrosoft.com.

(Video) How to troubleshoot Azure AD Connect issues with group writeback?

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (3)

Azure AD tenant DirSync feature SynchronizeUpnForManagedUsers is disabled

When the Azure AD tenant DirSync feature SynchronizeUpnForManagedUsers is disabled, Azure AD doesn't allow sync updates to the UPN or alternate login ID for licensed user accounts that use managed authentication.

See Also
How to identify DirSync or Azure AD Connect provisioning errors in Office 365Azure AD Connect: Upgrade from a previous version - Microsoft Entra

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (4)

Object is filtered due to domain filtering

Check for the domain filtering issues that are described in the next sections.

Domain is not configured to sync

The object is out of scope because the domain hasn't been configured. In the example in the following figure, the object is out of sync scope because the domain that it belongs to is filtered from sync.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (5)

(Video) Azure AD Cross-Tenant Sync

Domain is configured to sync but is missing run profiles or run steps

The object is out of scope because the domain is missing run profiles or run steps. In the example in the following figure, the object is out of sync scope because the domain that it belongs to is missing run steps for the Full Import run profile.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (6)

Object is filtered due to OU filtering

The object is out of sync scope because of the OU filtering configuration. In the example in the following figure, the object belongs to OU=NoSync,DC=bvtadwbackdc,DC=com. This OU is not included in the sync scope.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (7)

Linked mailbox issue

A linked mailbox is supposed to be associated with an external primary account that's located in a different trusted account forest. If the primary account doesn't exist, Azure AD Connect doesn't sync the user account that corresponds to the linked mailbox in the Exchange forest to the Azure AD tenant.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (8)

(Video) Azure AD Connect Powershell Sync Force Status Now Commands

Dynamic distribution group issue

Due to various differences between on-premises Windows Server AD and Azure AD, Azure AD Connect doesn't sync dynamic distribution groups to the Azure AD tenant.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (9)

HTML report

In addition to analyzing the object, the troubleshooting task generates an HTML report that includes everything that's known about the object. The HTML report can be shared with the support team for further troubleshooting if needed.

Azure AD Connect: Troubleshoot object synchronization - Microsoft Entra (10)

Next steps

Learn more about integrating your on-premises identities with Azure Active Directory.

Videos

1. Azure AD Lifecycle Workflows
(John Savill's Technical Training)
2. Azure Active Directory, Entra & Hybrid Identities in Microsoft Education
(Tyler Duncan)
3. Azure Active Directory (Entra) & Hybrid Identities
(OETC)
4. Azure AD Verifiable Credentials - Troubleshooting tips
(Microsoft Security)
5. What's New in Azure AD Connect V2
(Andy Malone MVP)
6. How to Configure Azure AD Connect to Sync On-Prem Ad users to Office 365 ! MS-900 Full Course
(Teach Me Cloud)
Top Articles
Latest Posts
Article information

Author: Stevie Stamm

Last Updated: 12/04/2023

Views: 6144

Rating: 5 / 5 (80 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Stevie Stamm

Birthday: 1996-06-22

Address: Apt. 419 4200 Sipes Estate, East Delmerview, WY 05617

Phone: +342332224300

Job: Future Advertising Analyst

Hobby: Leather crafting, Puzzles, Leather crafting, scrapbook, Urban exploration, Cabaret, Skateboarding

Introduction: My name is Stevie Stamm, I am a colorful, sparkling, splendid, vast, open, hilarious, tender person who loves writing and wants to share my knowledge and understanding with you.