Azure Synchronization failed with “sync-rule-error-function-triggered” error and InnerException says sourceanchor attribute has changed

By | December 27, 2018

The sync-rule-error-function-triggered error is raised because the sourceAnchor attribute has changed. This post explains why that causes the issue and how to troubleshoot and fix an object that is not synchronizing to Azure AD. Before that, you have to understand the sourceAnchor and immutable attributes and how they are used in the Azure AD synchronization process.


The sourceAnchor attribute is defined as an attribute that is immutable during the initial object sync and is the same in on-premises Active Directory and in Azure AD. By default the object SID is used to generate the sourceAnchor, which cannot be changed after the initial object export.

During the object's initial export, the sourceAnchor value is written to the cloudSourceAnchor attribute in the metaverse (MV). If the sourceAnchor value changes after the initial sync, it no longer matches the cloudSourceAnchor attribute in the MV; the Join rule finds this conflict and triggers the error "sourceAnchor attribute has changed".


Now, why did the sourceAnchor value change? The object SID does not change during the lifetime of an AD object, so why are we getting the “sync-rule-error-function-triggered” error?

In my experience this is common if you have multiple forests synchronized to Azure AD: the sourceAnchor is generated from the user's primary Domain account, but the sync picks up the object SID of the user's other Domain account, which causes this issue.


How to check this


  • Select the “sync-rule-error-function-triggered” error
  • Click the Stack Trace button
  • This shows detailed information for the error
  • Check the Object SID reported in the stack trace
  • Compare it with the AD object's SID
  • If they do not match, compare the SID with the user's other Domain object
  • Then delete the conflicting object or move it to a non-synced OU to fix the issue
  • Or update the sync rule to fix the issue
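The SID comparison above can be done in one pass across every synchronized domain. The following PowerShell is an added example (not from the original post or from Azure AD Connect itself); it assumes the ActiveDirectory module, that the running account can query each domain, and placeholder values for the domain list, the user's sAMAccountName and the SID copied from the Stack Trace.

```powershell
# Added example: find which domain owns the objectSid shown in the Stack Trace and
# whether it matches the user's account in each domain (placeholders are constructed).
param(
    # Placeholder: paste the SID reported in the Stack Trace of the sync error
    [Parameter(Mandatory)] [string]$SidFromStackTrace,
    # Placeholder: the domains that Azure AD Connect synchronizes
    [string[]]$Domains = @('corp.example.com', 'sub.example.com'),
    # Placeholder: the sAMAccountName of the user or contact that failed to sync
    [string]$SamAccountName = 'jdoe'
)
Import-Module ActiveDirectory

$results = foreach ($domain in $Domains) {
    # Which object in this domain carries exactly the SID from the stack trace?
    $bySid = Get-ADObject -Server $domain -Filter "objectSid -eq '$SidFromStackTrace'" `
        -Properties objectSid, objectClass, distinguishedName -ErrorAction SilentlyContinue
    # Does this domain also hold an account with the same name (possible duplicate)?
    $byName = Get-ADObject -Server $domain -Filter "sAMAccountName -eq '$SamAccountName'" `
        -Properties objectSid, distinguishedName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain         = $domain
        SidOwnerDN     = $bySid.DistinguishedName
        SidOwnerClass  = $bySid.objectClass
        AccountDN      = $byName.DistinguishedName
        AccountSid     = $byName.objectSid.Value
        SidMatchesUser = ($byName.objectSid.Value -eq $SidFromStackTrace)
    }
}
# A row with SidMatchesUser = False but a non-empty SidOwnerDN points at the conflicting object
$results | Format-Table -AutoSize
```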


If it is a contact object, there must be a duplicate contact object with the same details in another Domain. In a complex multi-Forest/Domain environment this is normal; you have to plan correctly and update the sync rules to avoid the sync-rule-error-function-triggered error.
