Troubleshoot directory synchronization

• Directory synchronization has not been activated
  
  
• Unrecognized or invalid data in the on-premises Active Directory
  
  
• Changes to on-premises Active Directory are not reflected in the cloud service and no errors are being sent to administrators
  
  
• Object failed to update due to duplicate address or incorrectly associated attribute
  
  
• Object failed to update due to attribute exceeding the maximum allowed length
  
  
• Object failed to update because it shares the same proxy address with an object of a different class
  
  
• Object failed to update because an associated attribute is not valid
  
  
• Object failed to update due to an invalid multi-valued description attribute
  
  
• Object failed to update due to invalid SMTP proxy address
  
  
• You cannot manage or remove objects that were synchronized from the on-premises Active Directory Domain Services to Office 365
  
  
• Individual Active Directory Domain Services objects do not synchronize to Office 365
  
  
• How to detect duplicate or invalid attributes that prevent Office 365 directory synchronization
  
  

For additional help resolving these errors, see Contact Support for a technical issue.

If directory synchronization has not been activated, you can activate it from your portal.

To activate directory synchronization, see Prepare for directory synchronization.

When synchronization takes place, there are certain acceptance criteria that are searched for in each attribute in each user account in your local Active Directory. Only attributes that are well-formed are synchronized to Windows Azure AD. The criteria for each attribute being well-formed vary depending on the attribute. For instance, email addresses cannot be longer than 256 characters and can’t contain certain non-alphanumeric characters.

Errors caused by non-compliant data in the on-premises Active Directory are discovered in the following ways:

• Users that attempt to log on to Microsoft Office Outlook Web Access receive the following error and exception message:
  
  Exception type: Microsoft.Exchange.Data.DataValidationException
  
  Exception message: “<Alias_Name> is not valid for Alias.”
  
  
• The administrator receives an automated email about LDAP injection or failures to synchronize.
  
  

To fix these errors, install and run the Microsoft Deployment Readiness Tool or watch the video (4:14).

If changes such as new users or updates to existing users made to your on-premises Active Directory are not appearing in Windows Azure AD, it is possible that the Directory Sync process has encountered errors. Error reports are sent to the Technical contact for the company.  Verify that the Technical Contact address specified for your company is a valid email address for an administrator. To do this, open the portal for the cloud service in your browser, navigate to the Admin Overview page and click your company’s name at the top of the left side navigation pane. Your company’s Technical contact will be listed in the pop-up dialog box.

If you are unable to update an object in Windows Azure AD, it may be because one of the attributes associated with this object in the local Active Directory directory service has already been associated with another object in Windows Azure AD. You can resolve this issue by correcting the attribute association or removing the duplicate address.

For more information about attributes in Active Directory, see this list of All Attributes defined by Active Directory.

If you are unable to update an object in Windows Azure AD, it may be because one of the attributes associated with the object in the local Active Directory exceeds the maximum allowed length. You can resolve this issue by reducing the length of the attribute in your local Active Directory.

For more information about attributes in Active Directory, including maximum allowed lengths, see this list of All Attributes defined by Active Directory.

If you are unable to update an object in Windows Azure AD, it may be because the object shares the same proxy address with an object of a different class that has already been synchronized to Windows Azure AD. You can resolve this issue by double-checking the proxy address values of the object and correcting or removing duplicate values in your local Active Directory or in Windows Azure AD.

For more information about attributes in Active Directory, see this list of All Attributes defined by Active Directory.

If you are unable to update an object in Windows Azure AD, it may be because the object has an associated attribute with an invalid value. You can resolve this issue by correcting the attribute value.

For more information about attributes in Active Directory, see this list of All Attributes defined by Active Directory.

If you are unable to update an object in Windows Azure AD, it may be because the object has an invalid multi-valued description attribute. This issue occurs if you receive the flow-multi-values-to-single-value error message in the ILM export report. You can resolve this issue by changing the multi-value description attribute to a single-value description attribute.

For more information about attributes in Active Directory, see this list of All Attributes defined by Active Directory.

If you are unable to update an object in Windows Azure AD, it may be because the object has an invalid SMTP proxy address associated with it. This usually occurs when there are trailing spaces or invalid characters in the SMTP proxy address. You can resolve this issue by correcting the invalid SMTP proxy address in your on-premises Active Directory.

Concepts