The error was LargeObject and when I drilled down, it had these details:
The provisioned object is too large. Trim the number of attribute values on this object.
This error is typically caused by:
- Too many user certificates (15 max)
- Too many SMIME certificates (15 max)
- A thumbnail photo that is too large
- Too many proxy addresses
The user object had 540 addresses. After a bit more research, I found that user objects in Azure AD have a limit of 400 proxy addresses, Azure AD Connect has a limit of 333 proxy addresses.
They do have a legitimate need for this account to receive mail for all of those addresses. We implemented a workaround by creating a group for the extra addresses. We removed 300 email addresses and put them on a group where that user is the only member. Mail flow is preserved and now both the user and the group can sync. The group is hidden from address lists to avoid confusing the users.