A client is migrating their remaining mailboxes from
on-premises Exchange to Office 365. Today they went to migrate a mailbox, but
the user account wasn't replicated up to Office 365. After verifying that it
was not being filtered by OU in Azure AD Connect, I checked the Synchronization
Service Manager for Azure AD Connect and found an error listed for the export
to the Azure AD tenant (XXX.onmicrosoft.com).
The error was "Large Object", and when I drilled down, it had these details:
"The provisioned object is too large. Trim the number of attribute values on
this object."
This error is typically caused by:
· Too many user certificates (15 max)
· Too many SMIME certificates (15 max)
· A thumbnail photo that is too large
· Too many proxy addresses
This user object did not have any user certificates,
SMIME certificates, or a thumbnail photo. So, let's check out the proxy
addresses.
The user object had 540 addresses. After a bit more research, I found that user objects in Azure AD have a limit of 400 proxy addresses, and Azure AD Connect has a limit of 333 proxy addresses.
They do have a legitimate need for this account to receive mail for all of
those addresses. We implemented a workaround by creating a group for the extra
addresses. We removed 300 email addresses and put them on a group where that
user is the only member. Mail flow is preserved and now both the user and the
group can sync. The group is hidden from address lists to avoid confusing the
users.
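To find other objects that would hit the same export error before a migration, the following audit checks each on-premises user against the limits listed above. It is an added example, not part of the original troubleshooting; it assumes the ActiveDirectory (RSAT) PowerShell module and the standard AD attribute names proxyAddresses, userCertificate, userSMIMECertificate and thumbnailPhoto. The photo size is only reported, since the post gives no byte limit for it.

```powershell
# Added example: audit on-premises AD for users likely to trigger the
# Azure AD Connect "Large Object" export error.
# Assumption: run on a host with the ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

# Limits taken from the post above.
$MaxUserCerts  = 15    # user certificates
$MaxSmimeCerts = 15    # SMIME certificates
$MaxProxyAddrs = 333   # Azure AD Connect proxy address limit

$props = 'proxyAddresses', 'userCertificate', 'userSMIMECertificate', 'thumbnailPhoto'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    # Measure-Object returns 0 for an unset attribute, unlike @($null).Count.
    $proxyCount = ($_.proxyAddresses       | Measure-Object).Count
    $certCount  = ($_.userCertificate      | Measure-Object).Count
    $smimeCount = ($_.userSMIMECertificate | Measure-Object).Count
    $photoBytes = if ($_.thumbnailPhoto) { $_.thumbnailPhoto.Length } else { 0 }

    # Record which of the documented limits this object exceeds.
    $reasons = @()
    if ($proxyCount -gt $MaxProxyAddrs) { $reasons += 'ProxyAddresses' }
    if ($certCount  -gt $MaxUserCerts)  { $reasons += 'UserCertificates' }
    if ($smimeCount -gt $MaxSmimeCerts) { $reasons += 'SmimeCertificates' }

    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        ProxyAddresses    = $proxyCount
        UserCertificates  = $certCount
        SmimeCertificates = $smimeCount
        PhotoBytes        = $photoBytes
        OverLimit         = $reasons -join ','
        DistinguishedName = $_.DistinguishedName
    }
}

# Objects over a documented limit first, then the largest photos for manual review.
$report | Where-Object { $_.OverLimit } |
    Sort-Object ProxyAddresses -Descending |
    Format-Table SamAccountName, ProxyAddresses, UserCertificates, SmimeCertificates, OverLimit -AutoSize

$report | Sort-Object PhotoBytes -Descending |
    Select-Object -First 10 SamAccountName, PhotoBytes |
    Format-Table -AutoSize
```

The script only reads from the directory; a user with 540 proxy addresses, as in this case, would appear in the first table with `ProxyAddresses` in the `OverLimit` column.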