
Unable to update the specified properties for on-premises mastered Directory Sync objects - Updating users manager attribute in azure ad

Having exhaustively searched for a solution, I am hoping for some guidance.

I am looking to update the user's manager attribute, which is populated in the on-prem AD, but Azure/365 doesn't replicate this as far as I know.

So I will have to manually change them using the code below:

Set-AzureADUserManager -ObjectId "usersid" -RefObjectId "managersid"

Once I run this it fails with the following error:

Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
RequestId: 
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [Set-AzureADUserManager], ApiException
   + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetUserManager

I am not sure what the issue is with this, as the user's manager is synced in Azure with Windows AD as the source.

Thanks.

According to the docs the Manager attribute is synchronized.

Both the Get and Set cmdlets here need either the DistinguishedName, ObjectGUID, ObjectSID or SamAccountName for the -Identity and -Manager parameters.

You should be able to do:

# set the manager property for the user
Get-ADUser -Identity "<THE USER>" | Set-ADUser -Manager "<THE MANAGER>"

After that, you can force an AD Sync using something like this:

$server  = 'YourAzureConnectServer'
$cred    = Get-Credential -Message 'Please enter user name and password for AD Sync'
$session = New-PSSession -ComputerName $server -Credential $cred

Invoke-Command -Session $session {
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning "A sync is already in progress. Please try again later."
    }
    else {
        Write-Host "Initializing Azure AD Delta Sync..." -ForegroundColor Yellow
        try {
            Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop

            Write-Host "Waiting for Sync to start.."
            # give the Sync Connector 10 seconds time to start-up
            Start-Sleep -Seconds 10

            Write-Host "Waiting for Sync to finish.."
            While(Get-ADSyncConnectorRunStatus) {
                Write-Host "." -NoNewline
                Start-Sleep -Seconds 5
            }
            Write-Host
            Write-Host "Azure AD Sync has finished." -ForegroundColor Green
        }
        catch {
            Write-Error $_
        }
    }
}

Remove-PSSession $session

You can also force a full attribute synchronization by using Start-ADSyncSyncCycle -PolicyType Initial.
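The error in the question is Azure AD refusing a cloud-side write to an attribute whose source of authority is on-premises. The following script is an added example, not part of the original answer: it checks the DirSyncEnabled flag on the Azure AD object first, writes the Manager attribute on-prem (and triggers a delta sync) when the object is directory-synced, and only falls back to Set-AzureADUserManager for cloud-only objects. It assumes the AzureAD and ActiveDirectory modules are installed, that Connect-AzureAD has already been run, and that the caller has remoting rights on the Azure AD Connect server; the server name and the script file name are placeholders.

```powershell
# Added example (not the original answer's code): set a user's manager via the
# authoritative directory, so the "on-premises mastered Directory Sync objects"
# error never occurs.
# Assumptions: AzureAD and ActiveDirectory modules are loaded, Connect-AzureAD
# has already been run, and $SyncServer is the Azure AD Connect host (placeholder).
param(
    [Parameter(Mandatory)] [string] $UserUpn,
    [Parameter(Mandatory)] [string] $ManagerUpn,
    [string] $SyncServer = 'YourAzureConnectServer'   # placeholder name
)

# Get-AzureADUser -ObjectId accepts a UPN as well as an object id.
$user    = Get-AzureADUser -ObjectId $UserUpn
$manager = Get-AzureADUser -ObjectId $ManagerUpn

if ($user.DirSyncEnabled) {
    # Object is mastered on-premises: the cloud write would be rejected, so
    # update on-prem AD and let Azure AD Connect replicate the change.
    Write-Host "$UserUpn is directory-synced (last sync: $($user.LastDirSyncTime)); updating on-prem AD."

    $adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$UserUpn'"
    $adManager = Get-ADUser -Filter "UserPrincipalName -eq '$ManagerUpn'"
    if (-not $adUser -or -not $adManager) {
        throw "User or manager was not found in on-prem AD; nothing changed."
    }

    # -Manager takes a DN, GUID, SID or SamAccountName; the DN is unambiguous.
    Set-ADUser -Identity $adUser -Manager $adManager.DistinguishedName

    # Kick off a delta sync remotely, but do not stack a second cycle on a running one.
    Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        if (Get-ADSyncConnectorRunStatus) {
            Write-Warning "A sync is already running; the change is picked up by the next cycle."
        }
        else {
            Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        }
    }
}
else {
    # Cloud-only object: Azure AD is the source of authority, so the direct write is allowed.
    Set-AzureADUserManager -ObjectId $user.ObjectId -RefObjectId $manager.ObjectId
}

# Report the manager Azure AD currently holds (for synced users this lags until the sync completes).
Get-AzureADUserManager -ObjectId $user.ObjectId | Select-Object DisplayName, UserPrincipalName
```

Run it as, for instance, `.\Set-ManagerByAuthority.ps1 -UserUpn user@contoso.example -ManagerUpn boss@contoso.example` (hypothetical file and UPNs). Branching on DirSyncEnabled is the key point: it turns the opaque Request_BadRequest into an explicit decision about which directory owns the attribute, and it avoids writing to the cloud object at all when Azure AD Connect would overwrite it on the next cycle anyway.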

Seems like I needed to add a sync rule to the Synchronization Rules Editor. I followed this: [Link] (blog.kloud.com.au/2016/11/14/…). I added a rule to sync between AD and Azure and back again, and this seems to have solved the problem, negating the need for the PS script. Once again, thanks to @theo for your help.
