You have your Active Directory configured for SSO with Office 365, and therefore have the DirSync (or whatever it's called this week) tool configured. All of your user accounts are populated into Azure AD, with the exception of one.
In your environment you have a number of UPN suffixes for various reasons, and the object in question is throwing the following error from the DirSync (FIM 2010 R2) interface: "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services."
On the Connector Space Object Properties page, the error code 0x8023134a DataValidationFailed is also flagged.
This error is logged by DirSync every time the Export Management Agent operation is run, which happens by default every 3 hours. The user account in question recently had its UPN suffix changed via a full installation of Forefront Identity Manager that is synchronizing identities from Novell eDirectory.
This is a fairly well known issue to Microsoft, as they have outlined in this workaround article;
What they recommend doing is to connect to Office 365 via PowerShell using Connect-MsolService and then run:
Set-MsolUserPrincipalName -UserPrincipalName user1@oldupn.com -NewUserPrincipalName user1@newupn.com
This command in theory should work, as all it is doing is altering the UPN suffix, which cannot be done using the Office 365 Web-UI. Unfortunately the gotcha here for me was that the command failed as given; I had to run it twice. Once to change the user account to my .onmicrosoft.com domain, and then again to update the UPN back to one of the internal federated domains. Note that the second command has to reference the .onmicrosoft.com UPN, since that is what the account is called after the first step:
Set-MsolUserPrincipalName -UserPrincipalName user1@oldupn.com -NewUserPrincipalName user1@domain.onmicrosoft.com
Set-MsolUserPrincipalName -UserPrincipalName user1@domain.onmicrosoft.com -NewUserPrincipalName user1@newupn.com
Once I did this it completed correctly, and I could see the changes from the Web-UI.
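As an added example (not code from the original post), the two-step rename above wrapped in one function that derives the tenant's initial .onmicrosoft.com domain with Get-MsolDomain instead of hard-coding it, refuses a target suffix the tenant has not verified, and reads the object back afterwards. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function and parameter names are my own.

```powershell
# Added example, not from the original post. Requires the MSOnline module and a
# prior Connect-MsolService; Move-MsolUserUpn and its parameters are my own names.
function Move-MsolUserUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $CurrentUpn,
        [Parameter(Mandatory = $true)] [string] $NewUpn
    )

    # Confirm the source account exists in Azure AD before touching anything.
    $user = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop
    if ($user.UserPrincipalName -eq $NewUpn) { return $user }   # nothing to do

    # The new suffix must be a domain the tenant owns and has verified; otherwise the
    # rename fails with the same validation error DirSync keeps logging.
    $newSuffix = $NewUpn.Split('@')[1]
    $verified  = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
    if (-not ($verified.Name -contains $newSuffix)) {
        throw "Domain '$newSuffix' is not a verified domain in this tenant."
    }

    # The tenant's initial domain is <tenant>.onmicrosoft.com and is managed, never
    # federated, so it is a safe intermediate hop between two federated suffixes.
    $initial = ($verified | Where-Object { $_.IsInitial }).Name
    $tempUpn = $CurrentUpn.Split('@')[0] + '@' + $initial

    if ($PSCmdlet.ShouldProcess($CurrentUpn, "Rename to $NewUpn via $tempUpn")) {
        # Step 1: hop to the managed .onmicrosoft.com suffix.
        Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn -NewUserPrincipalName $tempUpn -ErrorAction Stop
        # Step 2: the account is now $tempUpn, so that is what this call must reference.
        Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $NewUpn -ErrorAction Stop
    }

    # Read the object back so the caller sees the final state rather than trusting the calls.
    Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction Stop
}

# Usage with the post's placeholder names; -WhatIf shows both steps without running them.
Move-MsolUserUpn -CurrentUpn 'user1@oldupn.com' -NewUpn 'user1@newupn.com' -WhatIf
```

Run it once with -WhatIf to confirm the intermediate UPN it intends to use, then without it; DirSync will stop logging the DataValidationFailed error on its next export cycle once the cloud object matches the on-premises UPN.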