SharePoint: Another Reason User Profiles are not Imported

This is kind of a “fringe” case, but since it may not be the last time it happens, here’s a post:

Consider the following scenario:

  • In SharePoint 2013+ you’re using Active Directory Import to import user profiles as trusted provider-type (SAML) profiles. You find that profiles for some users are not imported.
  • You have already been over the most common issues mentioned here.
  • In the SharePoint ULS logs that cover a Full Import, you find the following logging sequence for one of your missing users:

OWSTIMER.EXE (0x11D0)    0x24F4    SharePoint Portal Server    User Profiles     ogvr    High    User profile record of “i:05.t|ADFS|user1@contoso.com ” was changed by “CONTOSO\sp19_farm”.    

OWSTIMER.EXE (0x11D0)    0x24F4    SharePoint Portal Server    User Profiles ajhgx    Medium    Running a full migration of account ‘i:05.t|ADFS|user1@contoso.com ‘ to ‘i:05.t|ADFS|user1@contoso.com’.    

OWSTIMER.EXE (0x11D0)    0x24F4    SharePoint Portal Server    User Profiles     axefw    Medium    UserProfileManager.RemoveUserProfileBase: User profile (ID ‘6c3e0d1f-3e7b-4a76-9970-39411abf39ae’, PUID ‘i:05.t|ADFS|user1@contoso.com ‘) removed from UPA.    

That’s weird. Why is a migration happening?

This one is subtle and not easy to recognize. Look at this, we’re migrating:

‘i:05.t|ADFS|user1@contoso.com ‘

to:

‘i:05.t|ADFS|user1@contoso.com’

See it yet? No? — There’s a trailing space at the end of the first account name.

The profile import process contains code to detect when the account name has changed for a user. If that condition is detected, a user migration is called so that the account name can be updated everywhere in SharePoint.

So here’s what happened:

Because there is a trailing space in the problem user's email address, and because the email address is part of the account name, a change was detected in the account name, which triggered a user migration at import time. That migration ends by deleting the profile for the “old” account, which is the only profile that exists in this case. It deletes the one profile that it just created, which makes it look like the user was not imported.

Resolution:

Go into Active Directory Users and Computers and remove the trailing space from the problem user's email address.

To find all the users in this condition, you could run PowerShell like this on a domain controller:

Get-ADUser -Filter {mail -like "*@contoso.com "}

Note: The example above was a scenario where the identity claim used within SharePoint was Email Address. You could have this same kind of problem if you were using any other attribute as the identity claim, for example, User Principal Name (UPN). You can find all AD users with a trailing space in their UPN in much the same way. Ex:

Get-ADUser -Filter {userprincipalname -like "*@contoso.com "}
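
The filters above match one domain suffix and one attribute at a time. The following added example (not part of the original post) generalizes the check to leading or trailing whitespace in whichever attribute is used as the identity claim, for any suffix. The function name Find-WhitespacePaddedClaim and the sample accounts are hypothetical.

```powershell
# Added example: report objects whose identity-claim attribute carries
# leading or trailing whitespace, whatever the domain suffix.
function Find-WhitespacePaddedClaim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,

        # Attribute used as the SharePoint identity claim (mail, UserPrincipalName, ...)
        [string]$Attribute = 'mail'
    )
    process {
        $value = [string]$User.$Attribute
        if ([string]::IsNullOrEmpty($value)) { return }   # attribute not set

        $trimmed = $value.Trim()
        if ($value.Length -ne $trimmed.Length) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Attribute      = $Attribute
                # Brackets make the otherwise invisible padding visible
                Raw            = "[$value]"
                Trimmed        = "[$trimmed]"
                PaddingChars   = $value.Length - $trimmed.Length
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user1'; mail = 'user1@contoso.com ';  UserPrincipalName = 'user1@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'user2'; mail = 'user2@contoso.com';   UserPrincipalName = ' user2@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'user3'; mail = 'user3@fabrikam.com';  UserPrincipalName = 'user3@fabrikam.com' }
    [pscustomobject]@{ SamAccountName = 'user4'; mail = $null;                 UserPrincipalName = 'user4@contoso.com' }
)

# Flags user1 for mail and user2 for UserPrincipalName; user3 and user4 are clean
$sample | Find-WhitespacePaddedClaim -Attribute mail
$sample | Find-WhitespacePaddedClaim -Attribute UserPrincipalName

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(mail=*)' -Properties mail |
#     Find-WhitespacePaddedClaim -Attribute mail
```

The function only reports; correct the flagged values in Active Directory as described in the resolution above, then run another import.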
