Symptoms

An Exchange Online object (such as a user, contact, or group) is not created or updated in Azure Active Directory (Azure AD) Connect. 

Resolution


There are two Windows Azure Active Directory modules to administer Azure AD through PowerShell. Both are supported currently. 

  • To use the MSOL module, install the following module (one time and in a PowerShell window running as administrator). For more information, see Azure ActiveDirectory (MSOnline).

    Install-Module MSOnline

    Then each time you connect, run the following to access the MSOL commands.

    Connect-MsolService

  • To use the AzureAD module, install the following module (one time and in a PowerShell window running as administrator). For more information, see Azure Active Directory PowerShell.

    Install-Module AzureAD

    Then each time you connect, run the following to access the AzureAD commands.

    Connect-AzureAD

To fix this issue, follow these steps: 

  1. Confirm that the object exists in Azure AD by using the Azure AD PowerShell module. For example, run the following cmdlets.

    Note: If a user needs a mailbox, the UsageLocation parameter is mandatory and has to be populated.


    MSOL module

    Get-MsolUser -SearchString <UserPrincipalName or DisplayName>

    Get-MsolContact -SearchString <EmailAddress or DisplayName>

    Get-MsolGroup -SearchString <EmailAddress or DisplayName>

    AzureAD module

    Get-AzureADUser -SearchString <UserPrincipalName or DisplayName>

    Get-AzureADContact

    Get-AzureADGroup -SearchString <EmailAddress or DisplayName>

  2. If the object is not present in Azure AD, make sure that the object is in scope of Azure AD Connect.

  3. If the object is present in Azure AD, confirm whether the object is present in Exchange by using the Get-User cmdlet. 

    If there is no result, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online. This request must be made by using the ObjectId parameter. The ObjectId parameter value can be found in Azure AD (it will be in the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX). For example:

    MSOL module

    Get-MsolUser -UserPrincipalName <UserPrincipalName> | fl ObjectId

    Get-MsolContact -SearchString <EmailAddress or DisplayName> | fl ObjectId

    Get-MsolGroup -SearchString <EmailAddress or DisplayName> | fl ObjectId

    AzureAD module

    Get-AzureADUser -SearchString <UserPrincipalName or DisplayName> | fl ObjectId

    Get-AzureADContact | fl Mail,ObjectId

    Get-AzureADGroup -SearchString <EmailAddress or DisplayName> | fl ObjectId

  4. Check for DirSync errors. To do this, refer to the following support articles:

    Identify directory synchronization errors in Office 365
    Identifying DirSync provisioning errors in Office 365

    For more information about how to troubleshoot, refer to the following articles:

    Troubleshooting errors during synchronization
    Troubleshoot an object that is not synchronizing to Azure AD

  5. If there is a conflict with another object but that object can't be found in your on-premises Active Directory, confirm that there isn't a cloud-only object that causes the problem.

    You can do this in several ways. For example, select Users -> Guest Users in the Admin Portal, or view the properties in the Sync Error details in the Admin Portal. If it shows Source Anchor as blank and the Source of authority is Cloud, this is a guest user instead of a member. The object should be removed or updated to resolve the conflict with a syncing object. Finally, you can also check this by using the following cmdlets in PowerShell. For example:

    Get-MsolUser -SearchString <UserPrincipalName or DisplayName> | fl UserType,ImmutableId

    Get-AzureADUser -SearchString <UserPrincipalName or DisplayName> | fl UserType,ImmutableId

  6. If this is a user or group object, confirm that the user principal name (UPN) suffix is an accepted domain. If not, add the SMTP suffix to accepted domains.

  7. If you make a change to correct a sync error, and the issue is still not resolved, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online by using the UserPrincipalName attribute. Please provide this value, as it may differ from your PrimarySMTPAddress attribute value. Provide the Azure ObjectID parameter, which is now needed to run the forward sync.

    Get-MsolUser -SearchString <UserPrincipalName or DisplayName> | fl ObjectID
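
The checks in steps 1, 3, 5 and 6 can be run together for a single user. The following is an added example, not part of the original article or Microsoft's tooling. The function name Test-ExoUserSync is hypothetical, and it assumes Connect-MsolService has been run and an Exchange Online PowerShell session is open so that Get-User and Get-AcceptedDomain are available.

```powershell
# Added example, not Microsoft's code. Test-ExoUserSync is a hypothetical name.
# Assumes Connect-MsolService has been run and an Exchange Online PowerShell
# session is open, so that Get-User and Get-AcceptedDomain are available.
function Test-ExoUserSync {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $r = [ordered]@{
        UserPrincipalName = $UserPrincipalName
        InAzureAD = $false; ObjectId = $null; UsageLocation = $null
        UserType = $null; ImmutableId = $null
        InExchangeOnline = $false; UpnSuffixAccepted = $null
        Findings = @()
    }

    # Step 1: does the object exist in Azure AD?
    $aad = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $aad) {
        $r.Findings += 'Not in Azure AD: confirm the object is in scope of Azure AD Connect (step 2).'
        return [pscustomobject]$r
    }
    $r.InAzureAD     = $true
    $r.ObjectId      = $aad.ObjectId
    $r.UsageLocation = $aad.UsageLocation
    $r.UserType      = $aad.UserType
    $r.ImmutableId   = $aad.ImmutableId

    if (-not $aad.UsageLocation) {
        $r.Findings += 'UsageLocation is empty; it must be populated if the user needs a mailbox.'
    }
    # Step 5: a blank ImmutableId (source anchor) means the object is cloud-only.
    if ([string]::IsNullOrEmpty($aad.ImmutableId)) {
        $r.Findings += "Cloud-only object (UserType: $($aad.UserType)); it may conflict with a syncing object."
    }

    # Step 3: has the object reached Exchange Online?
    if (Get-User -Identity $UserPrincipalName -ErrorAction SilentlyContinue) {
        $r.InExchangeOnline = $true
    } else {
        $r.Findings += "Not in Exchange Online: request a forward sync for ObjectId $($aad.ObjectId)."
    }

    # Step 6: is the UPN suffix an accepted domain?
    $suffix   = $UserPrincipalName.Split('@')[-1]
    $accepted = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
    $r.UpnSuffixAccepted = $accepted -contains $suffix
    if (-not $r.UpnSuffixAccepted) { $r.Findings += "UPN suffix '$suffix' is not an accepted domain." }
    [pscustomobject]$r
}
```

Run it as `Test-ExoUserSync -UserPrincipalName <UserPrincipalName>` and read the Findings property; an empty list means none of these four checks flagged a problem, so continue with the DirSync error checks in step 4.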
