"LDAP injection characters were found in the user alias" error when you try to run the Azure Active Directory Sync tool

When you try to run the Microsoft Azure Active Directory Sync tool, you receive an email message that resembles the following:
Hello user@<DomainName>.com,

See Directory Synchronization Errors for more information about the errors listed in this e-mail message.

The Directory Synchronization batch run was completed on <Date Month Year Time.>

The following objects encountered errors during synchronization.

Alias | Error Description | Object GUID
Research/Development | LDAP injection characters were found in the user alias. Change the user alias in the on-premises Active Directory. | CN={788ef08b-cf9b-4aec-ac10-5995226a88b7}

This issue may occur if an on-premises user object includes one of the following characters in its primary SMTP email address:
  • Asterisk (*)
  • Braces ({ })
  • Slash mark (/)
  • Opening single curly quotation mark (`)
  • Percent (%)
  • Equal sign (=)
  • Vertical bar (|)
  • Question mark (?)
  • Exclamation mark (!)
  • Period (.) if it's the first or last character or if it appears two or more times consecutively
To resolve this issue, change the on-premises user's primary SMTP address by removing the character that's causing the issue. After the character is removed, directory synchronization will use the string in the new primary SMTP proxy address to create the user's user principal name (UPN) and primary SMTP address.
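
To find affected objects before the next synchronization run, the character list above can be turned into a check. The following PowerShell is an added example, not part of the original article or of the sync tool. The function name Get-SmtpAliasProblem, the sample users and the contoso.example domain are constructed, and the script assumes the character rules apply to the alias, that is, the part of the primary SMTP address before the @ sign.

```powershell
# Added example: flag primary SMTP addresses containing the characters listed in the article.
# Assumption: the rules are applied to the alias (the part before "@").
function Get-SmtpAliasProblem {
    param([Parameter(Mandatory)][string]$PrimarySmtpAddress)

    $localPart = ($PrimarySmtpAddress -split '@', 2)[0]
    $problems  = @()

    # Characters from the article's list: * { } / ` % = | ? !
    foreach ($c in [char[]]'*{}/`%=|?!') {
        if ($localPart.Contains([string]$c)) { $problems += "contains '$c'" }
    }
    # Period rules: not first, not last, not two or more in a row
    if ($localPart.StartsWith('.')) { $problems += 'starts with a period' }
    if ($localPart.EndsWith('.'))   { $problems += 'ends with a period' }
    if ($localPart.Contains('..'))  { $problems += 'has consecutive periods' }
    return ,$problems
}

# Constructed sample objects standing in for directory data. Against a real
# on-premises directory, replace this array with:
#   Get-ADUser -Filter * -Properties proxyAddresses
$users = @(
    [pscustomobject]@{ SamAccountName = 'rd';     proxyAddresses = @('SMTP:Research/Development@contoso.example', 'smtp:rd@contoso.example') }
    [pscustomobject]@{ SamAccountName = 'jsmith'; proxyAddresses = @('SMTP:j..smith@contoso.example') }
    [pscustomobject]@{ SamAccountName = 'akhan';  proxyAddresses = @('SMTP:a.khan@contoso.example') }
)

foreach ($u in $users) {
    # The primary address is the proxyAddresses entry with the uppercase "SMTP:" prefix
    $primary = $u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if (-not $primary) { continue }

    $address  = $primary.Substring(5)   # drop the "SMTP:" prefix
    $problems = Get-SmtpAliasProblem -PrimarySmtpAddress $address
    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            User    = $u.SamAccountName
            Address = $address
            Problem = $problems -join '; '
        }
    }
}
```

With the sample data, the script reports the rd and jsmith accounts and skips akhan, whose alias contains only a single interior period.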

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Article ID: 2425774 - Last Review: 10/13/2015 16:57:00 - Revision: 38.0

Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management
