SipProxyAddress AttributeConflictValues while syncing AD On-Premises to Azure AD

In some cases, where the same user exists in both On-Premises AD and Office 365 Azure AD, synchronization may fail. This post fixes a common DirSync / AAD Connect issue with a duplicate cloud account.
This is due to the SOFT MATCH (UPN and ProxyAddresses); you must use a HARD MATCH.
The duplicate error means the local AD account and the cloud account did not merge because of an ImmutableID mismatch.



$upn = "user@example.com"   # placeholder: UPN of the affected user
$GUID = (Get-ADUser -Filter {UserPrincipalName -eq $upn}).ObjectGUID
$ImmutableID = [System.Convert]::ToBase64String($GUID.ToByteArray())
Set-MsolUser -UserPrincipalName $upn -ImmutableId $ImmutableID

This fixes the issue. 

To verify the ImmutableID:
Get-MsolUser | ft UserPrincipalName,ImmutableId,LastDirSync*
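
The hard-match steps and the verification above, combined into one guarded function. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function ConvertTo-ImmutableId([Guid]$ObjectGuid) {
    # ImmutableID is the Base64 encoding of the 16 raw ObjectGUID bytes
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId([string]$ImmutableId) {
    # Reverse direction: shows which on-premises ObjectGUID a cloud account is anchored to
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Set-HardMatch {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    # An empty result here is what makes .ToByteArray() fail with
    # "You cannot call a method on a null-valued expression", so stop early.
    $adUser = @(Get-ADUser -Filter {UserPrincipalName -eq $UserPrincipalName})
    if ($adUser.Count -eq 0) {
        throw "No on-premises AD user found with UPN '$UserPrincipalName'."
    }
    if ($adUser.Count -gt 1) {
        throw "UPN '$UserPrincipalName' matches $($adUser.Count) AD users; refusing to guess."
    }

    $expected = ConvertTo-ImmutableId $adUser[0].ObjectGUID
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Base64 is case-sensitive, so compare with -ceq rather than -eq
    if ($cloud.ImmutableId -ceq $expected) {
        Write-Output "ImmutableID already matches ObjectGUID $($adUser[0].ObjectGUID)."
        return
    }

    if ($cloud.ImmutableId) {
        # Record the old anchor before overwriting it
        $oldGuid = ConvertFrom-ImmutableId $cloud.ImmutableId
        Write-Output "Cloud account is currently anchored to ObjectGUID $oldGuid."
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    Write-Output "ImmutableID set to $expected."
}

# Usage (placeholder UPN):
# Set-HardMatch -UserPrincipalName 'user@example.com'
```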

If you have a sourceAnchor issue, try setting the ImmutableID to $null:
Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"

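Issue with a user newly created in Azure AD in the format user{4-digit}:
You must delete the online user and remove this object from the recycle bin.
Remove-MsolUser -UserPrincipalName $duplicateUpn   # placeholder: UPN of the user{4-digit} account
Remove-MsolUser -UserPrincipalName $duplicateUpn -RemoveFromRecycleBin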



  1. In your solution, line 3 generates an error on my 2016 server - "You cannot call a method on a null-valued expression."

    1. Hi, this is because of a typo in the first line:
      $upn =
      the equal is missing

    2. Thanks Thomas, but no, I spotted that and fixed it (you also need quotes round the email address). Still got the error...

    3. This is honestly weird. The error tells you that ToBase64String($GUID.tobytearray() is empty/ has no value/ the transformed expression should be empty. Can you check the result of ToBase… only

  2. I get the same thing reported as Thomas Poett. Maybe this blog post should be fixed or taken down?

    1. Did you check the ToBase only. What’s your result?

