Microsoft Entra Connect sync fails with an AttributeValueMustBeUnique error when two or more objects in your on-premises Active Directory share a value for an attribute that must be unique, such as userPrincipalName or proxyAddresses. The sync error log shows the conflicting attribute and the objects causing the collision.

Resolution

Method 1: Find and Remove Duplicate Attributes in On-Premises AD

Open Active Directory Users and Computers, enable View > Advanced Features, then search for the conflicting attribute value.

To find duplicate UPNs:

Get-ADUser -Filter * -Properties userPrincipalName | Group-Object userPrincipalName | Where-Object {$_.Count -gt 1} | Select-Object Name, Count, @{N='Users';E={$_.Group.Name}}

To find duplicate proxyAddresses:

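# Expand each address into its own row so that users sharing a single address are reported, not only users whose whole address lists are identical.
Get-ADUser -Filter * -Properties proxyAddresses | Where-Object {$_.proxyAddresses} | ForEach-Object { $u = $_; foreach ($a in $u.proxyAddresses) { [pscustomobject]@{Address=$a; User=$u.Name} } } | Group-Object Address | Where-Object {$_.Count -gt 1} | Select-Object Name, Count, @{N='Users';E={$_.Group.User}}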

Open the duplicate object's properties, go to the Attribute Editor tab, and modify or remove the conflicting value. If an object is obsolete, disable or delete it. Then force a full sync:

Start-ADSyncSyncCycle -PolicyType Initial

Method 2: Soft Match Using proxyAddresses

If a cloud-only user exists with the same email as your on-premises user, set the on-premises user's proxyAddresses to match the cloud user's primary SMTP address.

In the Attribute Editor, find proxyAddresses, and add the email in this format (uppercase SMTP for primary):

SMTP:joe@contoso.com

Run a full sync. Entra Connect will soft-match and merge the objects.

Method 3: Hard Match with ImmutableID

For sourceAnchor conflicts, manually set the cloud object's ImmutableID to match the on-premises object's objectGUID.

Get the on-premises ImmutableID:

$user = Get-ADUser "username" -Properties objectGUID
$immutableId = [System.Convert]::ToBase64String($user.objectGUID.ToByteArray())
Write-Output $immutableId

Set the cloud object's ImmutableID:

Install-Module MSOnline -Force
Import-Module MSOnline
Connect-MsolService
Set-MsolUser -UserPrincipalName "joe@contoso.com" -ImmutableId $immutableId

Run a full sync.
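
A pre-check for the hard match, added here as an example and not part of the original procedure: decode the cloud object's current ImmutableID back to a GUID and compare it with the on-premises objectGUID before overwriting it, because a hard match binds the cloud account to whichever on-premises object the value names. The function names and GUIDs are hypothetical and constructed, and the code assumes objectGUID is the sourceAnchor, as in the steps above.

```powershell
# Added example: helper names are hypothetical, sample GUIDs are constructed.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # Same conversion as in Method 3: Base64 of the GUID's 16-byte form.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    try   { $bytes = [Convert]::FromBase64String($ImmutableId) }
    catch { throw "ImmutableID '$ImmutableId' is not valid Base64." }
    # An objectGUID-based anchor always decodes to exactly 16 bytes.
    if ($bytes.Length -ne 16) {
        throw "ImmutableID decodes to $($bytes.Length) bytes, expected 16."
    }
    [Guid][byte[]]$bytes
}

function Test-HardMatchTarget {
    # Classifies the cloud object's current ImmutableID against the
    # on-premises objectGUID that is about to be written over it.
    param(
        [AllowNull()][AllowEmptyString()][string]$CloudImmutableId,
        [Parameter(Mandatory)][Guid]$OnPremObjectGuid
    )
    if ([string]::IsNullOrWhiteSpace($CloudImmutableId)) { return 'Unset' }
    $linked = ConvertFrom-ImmutableId $CloudImmutableId
    if ($linked -eq $OnPremObjectGuid) { return 'AlreadyMatched' }
    # Already anchored to a different on-premises object: stop and investigate.
    "LinkedElsewhere:$linked"
}

# Constructed sample values, not real directory data.
$onPrem = [Guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$other  = [Guid]'9b2c1d7e-6a5f-4c3b-8e1d-2f0a7c4b5d6e'

# Cloud object has no anchor yet: safe to set.
Test-HardMatchTarget -CloudImmutableId $null -OnPremObjectGuid $onPrem
# Cloud object already points at this on-premises object: nothing to change.
Test-HardMatchTarget -CloudImmutableId (ConvertTo-ImmutableId $onPrem) -OnPremObjectGuid $onPrem
# Cloud object is anchored to another on-premises object: do not overwrite blindly.
Test-HardMatchTarget -CloudImmutableId (ConvertTo-ImmutableId $other) -OnPremObjectGuid $onPrem
```

Only an 'Unset' result means the value can be written without replacing an existing link; a 'LinkedElsewhere' result names the objectGUID to look up on-premises first.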

Method 4: Resolve User-Device Object Conflicts

Hybrid Azure AD joined devices can conflict with user objects. In the Microsoft Entra admin center, go to Devices > All devices and search for the conflicting ObjectID. Delete or unjoin the unused device, then run a full sync.

Method 5: Clear Null Attribute Values

If the error shows "null value null" for a unique attribute, open the object in Attribute Editor. Find the problematic attribute (often proxyAddresses or userPrincipalName) and remove any blank or null entries. Set a valid value if required, then run a full sync.

Verification

Check the Microsoft Entra admin center under Entra ID Connect Health > Sync errors. The error should clear after the next successful sync cycle. Confirm the object appears correctly in Microsoft Entra ID with the expected attributes.