0

Trying to streamline our MFA process by manually uploading the -Mobile attribute to Azure in powershell, so that when the user goes to do MFA, it's already filled in.

Set-AzureADUser -ObjectId $emailaddress -Mobile $cellphone

This actually worked before, but now all of a sudden I'm getting

Set-AzureADUser : Error occurred while executing SetUser 
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory 
Sync objects or objects currently undergoing migration.

We're in a hybrid environment with a one-way sync, and the "mobile" attribute is not a synced attribute for us. We set it for a few test users in AD, but it never made it to Azure. So we were doing it this way until this showed up all of a sudden. We haven't made any changes to our sync settings.

Microsoft documentation on doing exactly what I'm doing doesn't show me doing anything wrong.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata

Improve this question

2 Answers 2

Reset to default
1

Figured it out.

Not sure why, since Set-AzureADuser worked before, but Set-MsolUser worked, and was able to update the mobile phone number. When I ran Get-AzureADuser, the number changed by Set-MsolUser was present.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Based on the description and error message, you were using Powershell to update members which were synced from on-premises. This is expected, it is not able to update these objects which synced from on-premises to Azure AD.

To update these type of users, we need to operate it in the on-premises environment and then sync it to Azure. Try changing it on On-prem server and then sync it to Azure AD.

Reference issues:

Improve this answer

1 Comment

I mean, that's not true. We've done it before with zero issue, with users that were synced from Azure AD. I have screenshots to back that up because we made documentation for other team members to do exactly that lol. I actually figured out how to do it in powershell using msolservice

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.