Azure AD Connect Large Object Error

A client is migrating their remaining mailboxes from on-premises Exchange to Office 365. Today they went to migrate a mailbox, but the user account wasn't replicated up to Office 365. After verifying that it was not being filtered by OU in Azure AD Connect, I checked the Synchronization Service Manager for Azure AD Connect and found an error listed for the export to the Azure AD tenant (XXX.onmicrosoft.com).

The error was LargeObject and when I drilled down, it had these details:

The provisioned object is too large. Trim the number of attribute values on this object.

This error is typically caused by:

• Too many user certificates (15 max)
• Too many SMIME certificates (15 max)
• A thumbnail photo that is too large
• Too many proxy addresses

This user object did not have any user certificates, SMIME certificates, or a thumbnail photo. So, let's check out the proxy addresses.

The user object had 540 addresses. After a bit more research, I found that user objects in Azure AD have a limit of 400 proxy addresses, Azure AD Connect has a limit of 333 proxy addresses.

They do have a legitimate need for this account to receive mail for all of those addresses. We implemented a workaround by creating a group for the extra addresses. We removed 300 email addresses and put them on a group where that user is the only member. Mail flow is preserved and now both the user and the group can sync. The group is hidden from address lists to avoid confusing the users.

More information:

• https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors#largeobject
• https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38101924-aad-connect-enhance-large-object