InnerException=> SourceAnchor attribute has changed

Error message:

Stack Trace error code:

Error in evaluation of expression: IIF(IsPresent([cloudSourceAnchor]), IIF(Word([cloudAnchor],1,"_")=[sourceObjectType],IIF([cloudSourceAnchor] = [sourceAnchor],[sourceAnchor],Error("SourceAnchor attribute has changed.")),[sourceAnchor]),[sourceAnchor])

InnerException=> SourceAnchor attribute has changed

Reason:

Once an object has been exported to Azure AD, its sourceAnchor can no longer be changed. When the object is exported, the metaverse attribute cloudSourceAnchor is set to the sourceAnchor value accepted by Azure AD. If sourceAnchor later changes and no longer matches cloudSourceAnchor, the rule Out to AAD – User Join throws the error "SourceAnchor attribute has changed".

In our scenario this is mostly caused when the AD objects were in a non-synced OU, but the object also exists in the resource forest, which is why an account is created in Office 365. When the account forest object is then copied across to a synced OU while the object already exists in Office 365, it causes the error.

If you have multiple forests synchronized to Azure AD, sourceAnchor is generated from the user's primary domain account, and it picks up the object SID of the user's other domain account, which causes this issue.
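An offline model of the rule expression quoted above, as an added example that is not part of the original post or of Azure AD Connect itself. It walks the nested IIF branches over constructed metaverse values to show which combination raises the error; the function names, sample values and the case-sensitive comparison are assumptions.

```powershell
# Added example: offline model of the sourceAnchor expression in "Out to AAD - User Join".
# It calls no Azure AD Connect cmdlets. All attribute values are constructed samples.
# Assumption: "=" in the expression is modelled as a case-sensitive match (-ceq).

function Get-FirstWord {
    # Models Word([cloudAnchor], 1, "_"): the text before the first delimiter.
    param([string]$Value, [string]$Delimiter = '_')
    return ($Value -split [regex]::Escape($Delimiter))[0]
}

function Test-SourceAnchorJoin {
    # $Mv holds the metaverse attributes the expression reads (hypothetical helper).
    param([hashtable]$Mv)
    $source      = $Mv['sourceAnchor']
    $cloudSource = $Mv['cloudSourceAnchor']
    $cloudType   = Get-FirstWord -Value $Mv['cloudAnchor']
    $result = [ordered]@{ Outcome = 'Flow'; Value = $source; Branch = '' }

    if ([string]::IsNullOrEmpty($cloudSource)) {
        # IsPresent([cloudSourceAnchor]) is false: the object was never exported.
        $result.Branch = 'cloudSourceAnchor not present'
    }
    elseif ($cloudType -cne $Mv['sourceObjectType']) {
        # The cloud object is of another type, so the anchors are not compared.
        $result.Branch = 'cloudAnchor type differs from sourceObjectType'
    }
    elseif ($cloudSource -ceq $source) {
        $result.Branch = 'anchors match'
    }
    else {
        # Same outcome as Error("SourceAnchor attribute has changed.")
        $result.Outcome = 'Error'
        $result.Value   = $null
        $result.Branch  = 'SourceAnchor attribute has changed.'
    }
    return [pscustomobject]$result
}

# Constructed metaverse snapshots (not real anchors).
$samples = [ordered]@{
    'never exported'               = @{ sourceObjectType = 'User'; sourceAnchor = 'QUFBQQ==' }
    'exported, anchor unchanged'   = @{ sourceObjectType = 'User'; sourceAnchor = 'QUFBQQ=='; cloudAnchor = 'User_0001'; cloudSourceAnchor = 'QUFBQQ==' }
    'anchor from other forest obj' = @{ sourceObjectType = 'User'; sourceAnchor = 'QkJCQg=='; cloudAnchor = 'User_0001'; cloudSourceAnchor = 'QUFBQQ==' }
    'cloud object is another type' = @{ sourceObjectType = 'User'; sourceAnchor = 'QkJCQg=='; cloudAnchor = 'Contact_0002'; cloudSourceAnchor = 'QUFBQQ==' }
}

foreach ($name in $samples.Keys) {
    $r = Test-SourceAnchorJoin -Mv $samples[$name]
    '{0,-30} {1,-6} {2}' -f $name, $r.Outcome, $r.Branch
}
```

Only the third sample, where an exported user's sourceAnchor no longer equals cloudSourceAnchor, ends in the Error branch; that is the state the fix below clears by removing the cloud object before the account forest object is synced again.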

Fix:

Remove the user from the resource forest.

Move the user to a non-synced OU in the account forest.

Sync to O365.

On the scheduler there will be delete objects in both the account forest (AF) and the resource forest (RF).

Run PS: Set-ADSyncScheduler -SyncCycleEnabled $false

Remove the users from O365 deleted users.

The resource forest will automatically create the AD object from the account forest.

Move the account forest objects to the synced OU.

Run PS: Set-ADSyncScheduler -SyncCycleEnabled $true

Run a delta sync.

On the scheduler there will be ADD objects in both AF and RF.