When I upgraded Azure AD Connect (AAD Connect) to the latest version, I ran into a critical issue in our hybrid Office 365 environment. A few users' attributes did not sync properly and conflicted between Office 365/Exchange Online and the on-premises hybrid mail server.
These users' attributes failed to sync with the warning "InnerException=> SourceAnchor attribute has changed". The message itself points at the SourceAnchor attribute: the immutable ID that AAD Connect uses to tie an on-premises object to its Azure AD object.
It Mostly Happens in an Account Forest / Resource Forest (AF & RF) Setup
As in my environment, you may face this issue if you have two forests and a single AAD Connect server that reads both of them over a domain/forest trust. Before moving to Office 365, you may have used an Exchange server in one forest to host mailboxes for users of the other forest. The forest where the active user accounts live is the Account Forest (AF); the forest that hosts the Exchange servers is the Resource Forest (RF). In this setup, creating a linked mailbox creates a disabled user account in the resource forest whose msExchMasterAccountSid attribute points at the enabled account in the account forest. Keep this pairing in mind when you set up, understand and troubleshoot sync.
If you run an Office 365 hybrid setup with an account forest and a resource forest, all of these settings and attributes must stay intact for mail flow to work correctly, both internally and externally.
When the SourceAnchor attribute has changed error occurs, you may see two similar user accounts for the affected user in the Office 365 portal. Proxy address changes made on the hybrid mail server also sync to the wrong user account in Office 365. Both symptoms indicate that the two AD accounts behind the linked mailbox have become separated, or are no longer syncing as a pair. I can't go into depth about the underlying causes, because I'm not entirely clear on them myself.
At this point you will see that any change you make for an affected user on the local hybrid mail server (such as changing the SMTP address) does not replicate to the correct user account in Office 365; it modifies the disabled/unlicensed user instead. Meanwhile, you cannot edit the licensed user account or its email properties in Office 365 or Exchange Online, because you get an error saying that the account is being synced from the on-premises Active Directory.
How to Fix The Issue?
Follow these steps to fix this AAD Connect sync issue.
- Move the disabled user in the resource forest domain to a non-synced OU.
If you are syncing the entire domain (with no OU exclusions), rerun the AAD Connect wizard and configure an OU that is excluded from sync. Then move the disabled user in the resource domain into that OU.
- Run the AD sync.
A delta sync is enough.
- Once the sync completes, Office 365 will soft-delete this user account, so you will see a single user account in Office 365 (where you used to see duplicates).
- Now move the same user account in the resource forest back to a synced OU.
This syncs the account back to Office 365.
- Run the AD sync again.
- Once the sync completes successfully, you will see a single, correct user account in Office 365, with the email and proxy addresses merged correctly into that one account.
The user should now be able to send and receive email on all of their proxy addresses, and Outlook connectivity should work without any change on the user's side.
Important Note: When you move the user to the non-synced OU and run the sync, Office 365 soft-deletes the account. During this window the user loses connectivity to Office 365 apps: Outlook, OneDrive, SharePoint or Teams may prompt for a user name and password, because the user's licensed Office 365 account is removed until the second sync restores it.
So inform affected users in advance, or do this work outside office hours.
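To run these steps end to end and check the result after each sync, here is a PowerShell script added as an example; it is not the article's own script. It assumes it runs on the AAD Connect server as a member of ADSyncAdmins, with the ActiveDirectory (RSAT), ADSync and MSOnline modules installed, and that the UPN, account name, domain controller names, OU distinguished names and search string at the top are placeholders to replace with your own values. It locates the resource-forest half of the linked-mailbox pair through msExchMasterAccountSid rather than by hand, waits for each delta sync to finish before checking, and counts live and soft-deleted cloud users so you can watch the duplicate disappear and the merged account remain.

```powershell
# Added example (not the article's own script): automates the fix steps above on the AAD Connect
# server. Assumptions: run as a member of ADSyncAdmins with the ActiveDirectory, ADSync and
# MSOnline modules installed; every value in the block below is a placeholder for your environment.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

$Upn          = 'jdoe@contoso.com'                                   # affected user's UPN in Office 365
$SearchString = 'jdoe'                                               # display name / UPN prefix shared by the duplicates
$AccountSam   = 'jdoe'                                               # enabled account in the account forest
$AccountDC    = 'dc01.account.contoso.local'                         # a DC in the account forest
$ResourceDC   = 'dc01.resource.contoso.local'                        # a DC in the resource forest
$NonSyncOU    = 'OU=NoSync,DC=resource,DC=contoso,DC=local'          # OU excluded from AAD Connect scope
$SyncedOU     = 'OU=LinkedMailboxes,DC=resource,DC=contoso,DC=local' # OU inside AAD Connect scope

function Get-LinkedMailboxAccount {
    # A linked mailbox's disabled resource-forest account carries the account-forest user's SID
    # in msExchMasterAccountSid; use that to find the RF half of the pair instead of guessing.
    param([string]$Sam, [string]$AfServer, [string]$RfServer)
    $af = Get-ADUser -Identity $Sam -Server $AfServer
    $rf = Get-ADUser -Server $RfServer -LDAPFilter "(msExchMasterAccountSid=$($af.SID.Value))" `
                     -Properties msExchMasterAccountSid
    if (-not $rf) { throw "No resource-forest account has msExchMasterAccountSid=$($af.SID.Value)" }
    if ($rf.Enabled) { Write-Warning "$($rf.DistinguishedName) is enabled; a linked-mailbox account is normally disabled" }
    return $rf
}

function Wait-ADSyncIdle {
    # Start-ADSyncSyncCycle fails if a cycle is already running, and the cloud checks only mean
    # something once a cycle has finished, so poll until no connector reports a run in progress.
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 15 }
}

function Invoke-DeltaSyncAndWait {
    Wait-ADSyncIdle
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 15              # give the scheduler time to start the requested cycle
    Wait-ADSyncIdle
}

function Get-CloudUserState {
    # Count live and soft-deleted Office 365 users matching the search string and list the live UPNs.
    # Expected: 2 live before the fix, 1 live + 1 soft-deleted after the first sync, 1 live at the end.
    param([string]$Search)
    $live    = @(Get-MsolUser -SearchString $Search)
    $deleted = @(Get-MsolUser -ReturnDeletedUsers -SearchString $Search)
    [pscustomobject]@{
        Live        = $live.Count
        SoftDeleted = $deleted.Count
        LiveUpns    = ($live | ForEach-Object UserPrincipalName) -join ', '
    }
}

Connect-MsolService                      # prompts for tenant admin credentials
$rf = Get-LinkedMailboxAccount -Sam $AccountSam -AfServer $AccountDC -RfServer $ResourceDC
Write-Host "Resource-forest linked account: $($rf.DistinguishedName)"
Write-Host 'Before:'; Get-CloudUserState -Search $SearchString | Format-List

# The user loses Office 365 access between the two syncs, so confirm before touching anything.
$answer = Read-Host "$Upn will lose Office 365 access until the second sync completes. Continue? (y/n)"
if ($answer -ne 'y') { return }

# Steps 1-2: move the disabled RF account out of sync scope and run a delta sync.
Move-ADObject -Identity $rf.ObjectGUID -TargetPath $NonSyncOU -Server $ResourceDC
Invoke-DeltaSyncAndWait
Write-Host 'After first sync (duplicate should now be soft-deleted):'
Get-CloudUserState -Search $SearchString | Format-List

# Steps 3-4: move it back into a synced OU and run a delta sync again.
Move-ADObject -Identity $rf.ObjectGUID -TargetPath $SyncedOU -Server $ResourceDC
Invoke-DeltaSyncAndWait

# Step 5: confirm a single account remains and its proxy addresses are merged.
Write-Host 'After second sync (one live account expected):'
Get-CloudUserState -Search $SearchString | Format-List
(Get-MsolUser -UserPrincipalName $Upn).ProxyAddresses | Sort-Object | ForEach-Object { Write-Host "  $_" }
```

The LDAP lookup by msExchMasterAccountSid is the part worth keeping even if you do the moves by hand: it tells you exactly which resource-forest object is paired with the affected user, and the enabled-state warning catches the case where that pairing is not a normal linked mailbox.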
I hope these steps help you fix this particular Azure AD Connect issue.