I'm trying to connect Azure DevOps to Azure Active Directory (which is being synced to an on-premises AD server) and I keep getting the following error:

Connection Failed Your organization #### failed to connect to the #### Azure Active Directory.

User: ##AADGUID##\##USER##@##DOMAIN## of 1 total users has multiple active identities with the same UPN. Please either remove the duplicates or change the UPNs to be unique.

I've looked at the user's account and don't see anything obviously misconfigured compared to any other user's account, but that might not be saying much. Any help would be greatly appreciated.

3 Answers

0 votes

It sounds like you have multiple users in your Azure AD tenant with the same UPN. Maybe you created a cloud account with the same UPN before syncing the on-premises directory with Azure AD Connect, or something else of that nature.

Try going to Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer), log in with an Azure AD admin account, and enter a query like this:

https://graph.microsoft.com/v1.0/users?$filter=startswith(userPrincipalName,'##UPNHavingIssues##')

That should get you the users with the UPN that is having problems. There should be only one entry, but if there are multiple, then that's where the problem is.

The other option is to remove the user having issues from DevOps completely, then try to connect, then re-add him, because when you try to connect DevOps to an Azure AD domain it will try to match the UPNs of users in your DevOps with users in your tenant.

0 votes

According to this doc:

During the connect process, we map existing users to members of the Azure AD tenant, based on their UPN, which is often known as sign-in address. If we detect multiple users with the same UPN, we don't know how to map these users.

The cause of this issue is that the target user has the same UPN as another user. A UPN must be unique among all security principal objects within a directory forest.

The UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). For example: [email protected]

You can compare the target account with the other user accounts to find the duplicate UPN.

You could try to remove the duplicate one or change the UPN so that it is unique.

Hope this helps.

0 votes

Turns out when our Azure DevOps instance was first set up, all our users set up Microsoft accounts with their company emails. Later, when we finally stood up Azure AD but before we connected it to DevOps, we added a new project and set the permissions for a few existing employees. For some reason the user permissions on the new DevOps project were listed as "aaduser" type instead of the standard "user" type (MS account) that all the users in other projects in DevOps had. In other words, duplicate UPNs but different accounts (but sort of the same). What's weird is that DevOps managed to find the Azure AD user account before we even connected the two services together.

We removed the offending users with the standard "user" type and re-added them so they were now all listed as "aaduser." We were then able to connect Azure AD. To be clear, this was all done on the DevOps side and had nothing to do with AD.

Not sure why it was finding Azure AD users when we weren't even connected to it yet.