KB-9199: What is the cause of a SourceAnchor error when Provisioning an O365 account?

App Access Service, App Gateway Service

27 September,17 at 04:37 PM

Applies to: 

Centrify Identity Service, App Edition


What is the cause of the SourceAnchor error when Provisioning an O365 account shown below? 

Full Error Message:  SourceAnchor is a required property for federated user. paramName: FederatedUser.SourceAnchor, objectType: System.String


This error is likely the result of a duplicate account in Office 365 that matches the user but has a different ImmutableID.  This account could also be in the Office 365 Recycle Bin (and therefore not visible from the Web GUI).

To try and resolve the issue, do the following:

1.  Connect to Microsoft Online with Azure Active Directory PowerShell. Instructions from Microsoft are provided as a courtesy here.

2.  Look up the user account on O365:
Get-MsolUser -UserPrincipalName <user_principal_name> | fl
3.  Look for the ImmutableID value.

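4.  In Active Directory, look for the ObjectGUID attribute and plug that value into the script below (hint: run each line of this code separately):
$OnPremGUID = [Guid]"ADUser_ObjectGUID_Here"   # parse the ObjectGUID string from AD
$Converted = [System.Convert]::ToBase64String($OnPremGUID.ToByteArray())   # Base64 of the 16 GUID bytes
$Converted   # display the value to compare with ImmutableID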
5.  The result of this script SHOULD equal the value for ImmutableID from above.  If they do not match, one option is to remove the O365 account and then re-sync:
NOTE:  If this account contains any data, mail, OneDrive files, etc., take precautions to back up this data prior to deleting any accounts from O365.
Remove-MsolUser -UserPrincipalName <user_principal_name> -Force


Remove-MsolUser -UserPrincipalName <user_principal_name> -Force -RemoveFromRecycleBin

6.  You might also need to look in the Recycle Bin for the problem duplicate account.  Use the following command(s) to view and delete that account:
Get-MsolUser -ReturnDeletedUsers


Get-MsolUser -UserPrincipalName <user_principal_name> -ReturnDeletedUsers


Remove-MsolUser -UserPrincipalName <user_principal_name> -Force -RemoveFromRecycleBin

7.  Once this has been completed, try to re-sync the user.  Open the Centrify Admin Portal and in the User section, find the user and select "Sync All Apps" to initiate a sync.

8.  Validate using the Outbound Provisioning Job History located at Settings -> Users -> Outbound Provisioning -> View Synchronization Job Status and Reports
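
The comparison in steps 3 to 5 can be wrapped in a reusable check. This is an added example, not Centrify's or Microsoft's code: it converts in both directions and compares case-sensitively, because Base64 is case-sensitive while PowerShell's -eq is not. The function names and sample GUIDs are constructed for illustration.

```powershell
# Added example: function names are hypothetical, sample GUIDs are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # ImmutableID = Base64 of the 16 bytes returned by Guid.ToByteArray()
    # (.NET byte order: the first three GUID fields are little-endian).
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    try {
        $bytes = [System.Convert]::FromBase64String($ImmutableId)
    } catch {
        throw "ImmutableID '$ImmutableId' is not valid Base64."
    }
    if ($bytes.Length -ne 16) {
        throw "ImmutableID decodes to $($bytes.Length) bytes, not 16, so it was not derived from an ObjectGUID."
    }
    # The leading comma stops PowerShell from unrolling the byte[] into 16 arguments.
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-SourceAnchorMatch {
    param(
        [Parameter(Mandatory)][Guid]$ObjectGuid,      # ObjectGUID from Active Directory
        [Parameter(Mandatory)][string]$ImmutableId    # ImmutableID from Get-MsolUser
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $ObjectGuid
    [pscustomobject]@{
        ObjectGuid          = $ObjectGuid
        ExpectedImmutableId = $expected
        CloudImmutableId    = $ImmutableId
        CloudAsGuid         = ConvertFrom-ImmutableId -ImmutableId $ImmutableId
        # -ceq: Base64 strings that differ only in letter case are different anchors
        Match               = ($expected -ceq $ImmutableId)
    }
}

# Constructed sample values (not from a real directory or tenant)
$onPrem  = [Guid]'01234567-89ab-cdef-0123-456789abcdef'
$staleId = ConvertTo-ImmutableId -ObjectGuid ([Guid]'fedcba98-7654-3210-fedc-ba9876543210')

# Cloud account anchored to a different GUID (the duplicate-account case above)
Test-SourceAnchorMatch -ObjectGuid $onPrem -ImmutableId $staleId | Format-List
# Cloud account anchored to the same GUID
Test-SourceAnchorMatch -ObjectGuid $onPrem -ImmutableId (ConvertTo-ImmutableId -ObjectGuid $onPrem) | Format-List
```

The CloudAsGuid field shows which ObjectGUID the cloud account is actually anchored to, which helps identify where the duplicate came from before anything is deleted.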

