Unable to delete Microsoft Authenticator. – Another object with the same value for property proxyAddresses already exists

This post details the cause of, and the fix for, any of the three errors below when trying to add or delete authentication methods.

Unable to delete method and require user verification error
  • ‘Unable to delete method’
    ‘Unable to delete Microsoft Authenticator. – Another object with the same value for property proxyAddresses already exists.’
  • ‘Unable to add the account’
    ‘The account you’re trying to add is not valid at this time. Contact your admin to fix this issue (Uniqueness validation)’
  • ‘Require User Verification’
    ‘Delete operation failed. Try this command again or delete them one by one in the user authentication methods blade.’

Symptoms

User trying to add new Authentication method – possibly Microsoft Authenticator app

The user will see a ‘Uniqueness validation’ error message in their Microsoft Authenticator app when attempting to register a new Microsoft Authenticator app.


Admin resetting user authentication method in Entra ID

Require re-register MFA option in Entra ID.
This deactivates the user’s hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.

A user could be locked out due to MFA (they might have lost the Microsoft Authenticator app or changed phone number), and the admin goes to reset the user’s MFA method using the ‘require re-register MFA’ option.

Alternatively, the user could be reporting the ‘The account you’re trying to add is not valid at this time. Contact your admin to fix this issue (Uniqueness validation)’ error. The first thing you as an administrator will do is go to the Entra admin portal and use the option ‘require re-register MFA’, which will clear the user’s current authentication methods.

However, you will get the error ‘Require User Verification: Delete operation failed. Try this command again or delete them one by one in the user authentication methods blade.’

Deleting a specific authentication method of user via Entra admin portal

As the above error suggests, you will now try deleting the methods one by one. However, you will now be faced with a different error. (You could also just be deleting a user’s old authentication method, unaware of the above scenarios.)

‘Unable to delete method’
‘Unable to delete Microsoft Authenticator. – Another object with the same value for property proxyAddresses already exists.’

The above error is helpful enough. It points towards a conflict in a proxyAddress value of the user.

Troubleshooting steps towards resolution

We now know that the issue is due to a proxyAddress value. This value can be on the affected user’s account or on a different account.

First, let’s check the proxyAddress values of the affected user in Entra ID.

You may go to Entra admin center > Users > All users > Choose the affected user > Properties, and choose ‘View’ under Proxy addresses.

This will show us all the existing values for the Proxy addresses for this user.

If you see any values that you believe are also used on a different account/mailbox as either a primary or secondary SMTP value, then it is an easy solution. If this is a cloud-only account, you can go to the Exchange admin center and remove the conflicting proxyAddress value from any of the accounts causing the conflict. If it is a syncing account, modify the conflicting SMTP/smtp values in the user’s local AD account and wait for a sync.

If you are not sure whether there are any other accounts with the conflicting proxyAddress, you will have to search for each smtp value listed under the account via the Exchange admin center.

In the above example, my user has two proxyAddress values. One is the primary SMTP and the other is the secondary smtp. The .onmicrosoft.com smtp value will usually be unique, as it is added in the cloud.

I searched for the smtp value using the custom domain; however, there were no duplicate results – just the affected user.

If the above didn’t help you find the conflict, the next step is to look for sync errors for the account.

You may navigate to Microsoft Entra admin center > Identity > Hybrid Management > Microsoft Entra Connect > Connect Sync > Microsoft Entra Connect Health > Sync errors.

On the sync error page, click on any error list you are seeing.


In my case, I have 2 different errors. One was listed in ‘Other’, however that was for a different account and had the error ‘DeletingCloudOnlyObjectNotAllowed’. This was not related to our issue.

I proceeded to check the ‘Duplicate attribute’ error, and bingo!

You can see there is a sync error due to ProxyAddress conflict for the affected user ‘Mike’. You can click on the error and it would show you more details.

You can see the proxyAddress value smtp:tech@domain.com in user Mike’s account is conflicting with user Linus’s proxyAddress value.

Since you are seeing the sync error in the cloud, it means that the object synced to the cloud and Entra ID has to make corrections in each sync to resolve the conflict. So it removes the conflicting proxy address value ‘smtp:tech@domain.com’ from Mike’s user account on each sync, since it is already used in user Linus’s account.

A duplicate attribute error for a proxy address can also show up in the export tab of the Entra Connect synchronization service. However, that wouldn’t lead to the ‘Another object with the same value for property proxyAddresses already exists’ error in the cloud. This is because if the error shows up on the Entra Connect server side, it means the value/attribute didn’t sync.

Resolution step

Open the affected user in Active Directory Users and Computers in your local Active Directory and choose the Attribute Editor tab.

Find the ‘proxyAddresses’ field, choose ‘Edit’, and remove the conflicting smtp value.

You may wait for a sync to happen or force a sync by running the following PowerShell command on your Entra Connect server.

Start-ADSyncSyncCycle -PolicyType Delta

This should clear the sync error, which should also fix the proxyAddress conflict that was preventing the user from registering new authentication (MFA/SSPR) methods, or the admin from resetting or removing the user’s MFA methods via the admin portal.
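
For a syncing account, the duplicate search and the removal described above can also be done with PowerShell against the local AD. This is an added example, not part of the original post; it assumes the ActiveDirectory (RSAT) module is installed and uses 'mike' as a placeholder sAMAccountName for the affected user.

```powershell
# Added example, not the author's code. Assumes the ActiveDirectory (RSAT)
# module; 'mike' is a placeholder sAMAccountName for the affected user.
Import-Module ActiveDirectory

function Find-ProxyAddressConflict {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses
    foreach ($entry in $user.proxyAddresses) {
        # Only SMTP entries matter here; -match is case-insensitive, so this
        # covers both the primary (SMTP:) and secondary (smtp:) forms.
        if ($entry -notmatch '^smtp:(.+)$') { continue }
        $address = $Matches[1]

        # Skip values containing LDAP filter metacharacters rather than
        # building a malformed filter from them.
        if ($address -match '[\\*()]') {
            Write-Warning "Skipped '$entry': check it manually."
            continue
        }

        # AD compares proxyAddresses case-insensitively, so one filter finds
        # the value whether another object holds it as SMTP: or smtp:.
        Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$address)" |
            Where-Object { $_.DistinguishedName -ne $user.DistinguishedName } |
            ForEach-Object {
                [pscustomobject]@{
                    Entry         = $entry
                    ConflictsWith = $_.DistinguishedName
                    ObjectClass   = $_.ObjectClass
                }
            }
    }
}

$conflicts = @(Find-ProxyAddressConflict -Identity 'mike')
$conflicts | Format-Table -AutoSize

# After reviewing the report, remove the duplicated value from the affected
# user. -WhatIf only previews the change; drop it to apply.
foreach ($entry in ($conflicts.Entry | Sort-Object -Unique)) {
    Set-ADUser -Identity 'mike' -Remove @{ proxyAddresses = $entry } -WhatIf
}

# Then run on the Entra Connect server:
# Start-ADSyncSyncCycle -PolicyType Delta
```

Get-ADObject searches the current domain only, so in a multi-domain forest the same query needs to be repeated for each domain.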
