You have your Active Directory configured for SSO with Office 365, therefore the DirSync (or whatever it’s called this week) tool configured. All of your user accounts are populated into Azure AD, with the exception of one.
In your environment you have a number of UPN Suffixes for various reasons, the proper object is throwing the following error from the DirSync (FIM 2010 R2) interface “Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.”
On the Connector Space Object Properties page, the error code 0x8023134a DataValidationFailed is also flagged.
This error is logged by DirSync every time the Export Management Agent operation is run, which happens by default every 3 hours. The user account in question recently had it’s UPN Suffixes changed via a full installation of Forefront Identity Manager that is synchronizing identities from Novell eDirectory.
This is a fairly well known issue to Microsoft as they have outlined in this workaround article;
What they recommend doing is to connect to the Office 365 via PowerShell using Connect-MsolService.
This command in theory should work, as all it is doing is altering the UPN Suffix, which cannot be done using the Office 365 Web-UI. Unfortunately the gotcha here for me was that the command failed to run, I had to run it twice. Once to change the user account to my .onmicrosoft.com domain, and then again to update the UPN back to one of the internal federated domains.
Once I did this it completely correctly, and I could see the changes from the Web-UI.