Azure AD Sync Errors Test

Errors can occur when identity data is synced from Windows Server Active Directory to Azure Active Directory (Azure AD). Such errors can have a negative impact on the health and availability of the Azure AD Connect Sync service. To ensure the high uptime and good health of the synchronization service, administrators should be able to promptly capture these errors, determine what caused them, and rapidly resolve them. This is where the Azure AD Sync Errors test helps!

This test continuously tracks the health status of the Azure AD Connect Sync service, and alerts administrators if the service is in an Unhealthy state. In addition, the test reveals the probable cause of poor service health by reporting the number and type of errors the service has encountered. Detailed diagnostics of the test provides additional details of these errors, thus enabling administrators to swiftly troubleshoot them and enhance service health.

Target of the Test: A Microsoft Azure Active Directory Connect

Agent deploying the test: An internal agent

Output of the test: One set of results for the Azure AD Connect Sync Service that is monitored

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The port at which the specified Host listens

Tenant ID

Specify the Directory ID of the Azure AD tenant to be monitored. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API.

Client ID, Client Password, and Confirm Password

To connect to the target tenant, the eG agent requires an Access token in the form of an Application ID and the client secret value. For this purpose, you should register a new application with the Azure AD tenant. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. Specify the Application ID of the created Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Duplicate attributes

Indicates the number of Duplicate Attribute errors that occurred.

Number

Azure AD schema doesn't allow two or more objects to have the same value of the following attributes. Each object in Azure AD is forced to have a unique value of these attributes at a given instance:

  • mail

  • proxyAddresses

  • signInName

  • userPrincipalName

If Azure AD Connect attempts to add a new object or update an existing object with a value for the preceding attributes that's already assigned to another object in Azure AD, the operation results in the AttributeValueMustBeUnique sync error.

Ideally, the value of this measure should be 0. A non-zero value implies that an sync error has occurred. In this case, you can use the detailed diagnosis of this measure to analyze the errors and fix them.

Data mistmatches

Indicates the number of Data Mismatch errors that occurred.

Number

Data Mismatch errors can be any of the following:

  • InvalidSoftMatch: When Azure AD Connect (sync engine) instructs Azure AD to add or update objects, Azure AD matches the incoming object by using the sourceAnchor attribute and matching it to the immutableId attribute of objects in Azure AD. This match is called a hard match. When Azure AD doesn't find any object that matches the immutableId attribute with the sourceAnchor attribute of the incoming object, before Azure AD provisions a new object, it falls back to use the proxyAddresses and userPrincipalName attributes to find a match. This match is called a soft match. The InvalidSoftMatch error occurs when the hard match doesn't find any matching object and the soft match finds a matching object, but that object has a different immutableId value than the incoming object's sourceAnchor attribute. This mismatch suggests that the matching object was synced with another object from on-premises Active Directory.

  • ObjectTypeMismatch: The InvalidSoftMatch error occurs when the hard match doesn't find any matching object and the soft match finds a matching object, but that object has a different immutableId value than the incoming object's sourceAnchor attribute. This mismatch suggests that the matching object was synced with another object from on-premises Active Directory.

Ideally, the value of this measure should be 0. A non-zero value implies that a Data Mismatch error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them.

Data validation failures

Indicates the number of Data Validation errors that have occurred.

Number

Azure AD enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions are to ensure that end users get the best possible experiences while using the applications that depend on this data.

For instance:

  • The userPrincipalName attribute value has invalid or unsupported characters.

  • The userPrincipalName attribute doesn't follow the required format.

The result of the preceding scenarios is an IdentityDataValidationFailed error.

Ideally, the value of this measure should be 0. A non-zero value implies that a IdentityDataValidationFailed error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them.

Large attributes

Indicates the number of Large Attribute errors that occurred.

Number

When an attribute exceeds the allowed size limit, length limit, or count limit set by Azure AD schema, the synchronization operation results in a LargeObject or ExceededAllowedLength sync error. Typically, this error occurs for the following attributes:

  • userCertificate

  • userSMIMECertificate

  • thumbnailPhoto

  • proxyAddresses

Ideally, the value of this measure should be 0. A non-zero value implies that a LargeObject or ExceededAllowedLength error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them.

Federated domain changes

Indicates the number of changes made to the federation configuration.

Number

When you federate your on-premises environment with Azure AD, you establish a trust relationship between the on-premises identity provider and Azure AD.

Due to this established trust, Azure AD honors the security token issued by the on-premises identity provider post authentication, to grant access to resources protected by Azure AD.

Therefore, it's critical that this trust (federation configuration) is monitored closely, and any unusual or suspicious activity is captured.

This measure alerts you to such activity. Ideally, the value of this measure should be 0. A non-zero value implies that the federation configuration has changed. In this case, you can use the detailed diagnosis of this measure to view the details of the change.

Existing admin role conflicts

Indicates the number of 'Existing admin role conflict' errors that occurred.

Number

An Existing Admin Role Conflict sync error occurs on a user object during synchronization when that user object has:

  • Administrative permissions.

  • The same userPrincipalName attribute as an existing Azure AD object.

Ideally, the value of this measure should be 0. A non-zero value implies that a 'Existing Admin Role Conflict' error has occurred. You can use the detailed diagnosis of this measure to analyze the errors and fix them.

Others

Indicates the number of errors that are of types other than the ones captured by the other measures.

Number

The 'Other' errors captured by this test may include Deletion access violation and password access violation errors.

Azure AD protects cloud-only objects from being updated through Azure AD Connect. While it is not possible to update these objects through Azure AD Connect, calls can be made directly to the AADConnect cloud-side back end to attempt to change cloud-only objects. When doing so, the following errors can be returned:

  • This synchronization operation, Delete, is not valid. Contact Technical Support.

  • Unable to process this update because one or more cloud-only users' credential update is included in the current request.

  • Deleting a cloud-only object is not supported. Contact Microsoft Customer Support.

  • The password change request cannot be executed because it contains changes to one or more cloud-only user objects, which is not supported. Contact Microsoft Customer Support.

Ideally, the value of this measure should be 0. A non-zero value implies 'other' errors exist. You can use the detailed diagnosis of this measure to analyze the errors and fix them.

Total sync errors

Indicates the total number of errors that were detected in the synchronization service.

Number

Ideally, the value of this measure should be 0. A non-zero value implies that one/more errors have occurred in the Sync service. In this case, compare the values of the other 'error' measures reported by this test to know which type of errors occurred the most frequently.

Active alerts

Indicates the number of alerts that is still open / unresolved for the Azure AD Connect Syncs service.

Number

The Azure AD Connect Health service sends alerts indicating that your identity infrastructure is not healthy.

These alerts get resolved on a success condition. Azure AD Connect Health Agents detect and report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error condition is not observed within 72 hours from alert generation, the alert is automatically resolved.

If this measure reports a non-zero value, it means that one/more alerts are not resolved yet. Use the detailed diagnosis of this measure to know which are the open alerts, so you can figure out how to fix them.

You can use the detailed diagnosis of the Duplicate attributes measure to analyze the AttributeValueMustBeUnique sync errors and fix them.

Figure 1 : The detailed diagnosis of the Duplicate attributes measure

You can use the detailed diagnosis of the Data validation failures measure to analyze the IdentityDataValidationFailed errors and fix them.

Figure 2 : The detailed diagnosis of the Data validation failures measure