What is IdFix?


IdFix is a free tool from Microsoft that identifies and fixes problems with user, contact and group objects in your on-premises Active Directory before you synchronize it to Office 365.

But what’s the problem? My Active Directory is running just fine!?

If you’re planning to implement Office 365, e.g. to give users Exchange Online mailboxes and get rid of your local Exchange setup, chances are you’re going for a unified login. A unified login ensures that users can authenticate against local resources (e.g. file shares) and Office 365 resources (e.g. Exchange Online mailboxes) with the same username and password.

In order to give your users a unified login you implement a hybrid setup: your on-premises AD is synchronized to the Azure AD tenant behind Office 365 with the Azure AD Connect synchronization tool. And this is what the fuss is all about: Azure AD Connect has certain requirements on the state of your on-premises Active Directory objects. Objects in a “bad state” will simply not be synchronized to Office 365 (they show up as synchronization errors in Azure AD Connect instead). IdFix helps you identify those objects and fix them before you start synchronizing.

What specific issues will IdFix solve?

The following is a list of the problems that IdFix will look for:

IdFix Error List (error type, description, example)

character: An attribute holds invalid characters.
    Example: an email address with a trailing space, e.g. “jane.doe@company.com ”.

duplicate: Two or more objects hold the same value in an attribute that must be unique.
    Example: a user and a group both have “smtp:marketing@company.com” in the proxyAddresses attribute.

format: An attribute holds a value that does not comply with the expected format, e.g. the SMTP address format.
    Example: a user has a trailing period, e.g. “jane.doe.”, in the mailNickname attribute.

topleveldomain: A user has a mail alias with a non-routable top-level domain.
    Example: a user uses the non-routable local AD domain name in a mail alias, e.g. “jane.doe@company.local”.

domainpart: The domain part (right-hand side of the @) of a mail address is invalid.
    Example: a user has “smtp:jane.doe@company” in the proxyAddresses attribute.

domainpart_localpart: The local part (left-hand side of the @) of a mail address is invalid.
    Example: a user has “smtp:jane doe@company.com” in the proxyAddresses attribute.

length: An attribute value exceeds the length limit of that attribute.
    Example: a user has a very long mail address value.

blank: An attribute that must not be empty is empty.
    Example: a user has a blank mailNickname.

mailmatch: Mail attribute mismatch (only applicable to Office 365 Dedicated).
    Example: a user has an smtp alias with no valid match.

To find out more about the two most common issues, see the articles on the duplicate and topleveldomain errors.

Do I Need the IdFix Tool for Office 365 Integration?

No. There’s no magic in the IdFix tool: it queries your Active Directory and looks for the issues listed in the table above. You can write your own scripts if you want full control over finding and fixing errors. In some rare cases that makes sense, but for most small and mid-sized organizations IdFix is the easiest way to prepare your domain for Azure AD Connect synchronization.
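
If you do go the script route, the following is an added example written for this page (not IdFix’s own code, and not from Microsoft) of a read-only pre-flight check that reports the error classes from the table above. It assumes the ActiveDirectory PowerShell module and read access to the domain. The internal-suffix list, the attribute length limits and the allowed-character rules are assumptions made for the example and should be adjusted to your tenant and the current Azure AD Connect documentation. The script writes nothing to AD; it only prints a table of findings and saves them as a CSV.

```powershell
# Added example, not IdFix's own code: a home-grown pre-flight check for the
# error classes in the table above. Assumes the ActiveDirectory module and read
# access to the domain. The suffix list, length limits and character rules are
# assumptions for this example; adjust them to your tenant.
Import-Module ActiveDirectory

# Constructed for this example: internal suffixes that are never routable on the Internet.
$NonRoutableSuffixes = @('.local', '.lan', '.internal', '.corp', '.home')

# Assumed attribute limits (verify against the current Azure AD Connect documentation).
$MaxProxyAddressLength = 256
$MaxMailNicknameLength = 64

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Object, $Kind, $Attribute, $Value)
    $Findings.Add([pscustomobject]@{
        DistinguishedName = $Object.DistinguishedName
        ErrorType         = $Kind
        Attribute         = $Attribute
        Value             = $Value
    })
}

# The object classes Azure AD Connect synchronizes; the objectCategory clause keeps
# computer accounts (which also carry objectClass=user) out of the result.
$Filter  = '(|(&(objectCategory=person)(objectClass=user))(objectClass=contact)(objectClass=group))'
$Objects = Get-ADObject -LDAPFilter $Filter -Properties mailNickname, proxyAddresses

$Seen = @{}   # lower-cased SMTP address -> DN of the first object that carried it

foreach ($Object in $Objects) {
    $Nick = $Object.mailNickname

    # blank: a mail-enabled object (one with proxyAddresses) must have a mailNickname.
    if (@($Object.proxyAddresses).Count -gt 0 -and [string]::IsNullOrEmpty($Nick)) {
        Add-Finding $Object 'blank' 'mailNickname' ''
    }
    elseif ($Nick) {
        # format: leading or trailing period, or any whitespace, in the alias.
        if ($Nick -match '^\.|\.$|\s') { Add-Finding $Object 'format' 'mailNickname' $Nick }
        if ($Nick.Length -gt $MaxMailNicknameLength) { Add-Finding $Object 'length' 'mailNickname' $Nick }
    }

    foreach ($Address in $Object.proxyAddresses) {
        # Only smtp:/SMTP: entries are mail addresses (-match is case-insensitive);
        # X500:, SIP: and other address types are skipped.
        if ($Address -notmatch '^smtp:') { continue }
        $Value = $Address.Substring(5)

        # character: leading/trailing whitespace or a character outside printable ASCII.
        if ($Value -ne $Value.Trim() -or $Value -match '[^\x20-\x7E]') {
            Add-Finding $Object 'character' 'proxyAddresses' $Address
            continue
        }
        if ($Value.Length -gt $MaxProxyAddressLength) {
            Add-Finding $Object 'length' 'proxyAddresses' $Address
        }

        $Parts = $Value.Split('@')
        # domainpart: exactly one @, and a dotted domain made of plain DNS labels.
        if ($Parts.Count -ne 2 -or $Parts[1] -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
            Add-Finding $Object 'domainpart' 'proxyAddresses' $Address
            continue
        }
        # domainpart_localpart: a conservative set of characters allowed before the @.
        if ($Parts[0] -notmatch '^[A-Za-z0-9._%+-]+$') {
            Add-Finding $Object 'domainpart_localpart' 'proxyAddresses' $Address
            continue
        }
        # topleveldomain: an internal suffix that can never be verified in the tenant.
        foreach ($Suffix in $NonRoutableSuffixes) {
            if ($Parts[1].EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) {
                Add-Finding $Object 'topleveldomain' 'proxyAddresses' $Address
                break
            }
        }
        # duplicate: the same address, ignoring case and the smtp: prefix, on two objects.
        $Key = $Value.ToLowerInvariant()
        if ($Seen.ContainsKey($Key)) {
            Add-Finding $Object 'duplicate' 'proxyAddresses' "$Address (also on $($Seen[$Key]))"
        } else {
            $Seen[$Key] = $Object.DistinguishedName
        }
    }
}

$Findings | Sort-Object ErrorType, DistinguishedName | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\IdFixLikeFindings.csv' -NoTypeInformation
```

Run it from a machine with the RSAT ActiveDirectory module as an account that can read the domain. Because the checks run in a fixed order (character, then length, domainpart, localpart, topleveldomain, duplicate), an address gets at most one format-type finding plus a possible duplicate finding, which keeps the CSV reviewable; the mailmatch class is left out because it only applies to Office 365 Dedicated.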

In any case you should be aware of the risk inherent in making bulk changes to mail aliases and other attributes. We strongly recommend that you back up the proxyAddresses attribute of all objects before you start with IdFix. IdFix can undo its own changes from its transaction log, but an independent backup that you control is cheap insurance: with the old values documented you can roll your changes back when users call to complain that mail is no longer arriving because an alias was broken. Use the following script to create the proxyAddresses backup:

# Run from a machine with the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory
# Header line; one line per address follows, so an object with several aliases gives several lines.
"DN;proxyAddress" | Out-File ".\proxyAddressesBackup.txt"
# Only objects that actually carry a proxyAddresses value.
$Objects = Get-ADObject -LDAPFilter "(proxyAddresses=*)" -Properties proxyAddresses
ForEach ($Object In $Objects) {
  ForEach ($proxyAddress in $Object.proxyAddresses) {
    $Output = $Object.distinguishedName + ";" + $proxyAddress
    Write-Host $Output
    $Output | Out-File ".\proxyAddressesBackup.txt" -Append
  }
}
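
A backup is only useful if you can restore from it. The following is an added example written for this page (not part of the original post) that reads the “DN;proxyAddress” file produced by the backup script and writes the saved address set back to every object whose current proxyAddresses differ from it. It assumes the ActiveDirectory module, write access to the affected objects, and the same file layout as above. It runs with -WhatIf, so it only reports what it would change until you remove that switch.

```powershell
# Added example, not from the original post: roll proxyAddresses back from the
# backup file written by the script above. Assumes the "DN;proxyAddress" layout
# and the ActiveDirectory module. Runs with -WhatIf until you remove it.
Import-Module ActiveDirectory

$BackupFile = '.\proxyAddressesBackup.txt'

# Parse the backup, skipping the header line. Split on the first ';' only, so a
# value that itself contains a ';' is kept whole.
$Saved = Get-Content -Path $BackupFile | Select-Object -Skip 1 | ForEach-Object {
    $Dn, $Address = $_ -split ';', 2
    [pscustomobject]@{ DistinguishedName = $Dn; proxyAddress = $Address }
}

# One Set-ADObject per object: the complete saved set goes back as a single Replace,
# which also removes any alias that was added after the backup was taken.
$Saved | Group-Object -Property DistinguishedName | ForEach-Object {
    $Dn     = $_.Name
    $Wanted = @($_.Group | ForEach-Object { $_.proxyAddress })

    try {
        $Current = @((Get-ADObject -Identity $Dn -Properties proxyAddresses -ErrorAction Stop).proxyAddresses)
    } catch {
        Write-Warning "Skipping $Dn : $_"
        return   # next object
    }

    # Compare as sorted lists, case-sensitively: SMTP: (primary) vs smtp: (secondary) matters.
    $WantedKey  = ($Wanted  | Sort-Object) -join "`n"
    $CurrentKey = ($Current | Sort-Object) -join "`n"
    if ($WantedKey -ceq $CurrentKey) { return }   # nothing to restore for this object

    Write-Host "Restoring $($Wanted.Count) proxyAddresses on $Dn"
    Set-ADObject -Identity $Dn -Replace @{ proxyAddresses = $Wanted } -WhatIf
}
```

Review the “What if” output first; once it lists exactly the objects you expect, remove -WhatIf and run it again. Replacing the whole attribute rather than adding individual addresses is deliberate: it returns each object to the state captured in the backup, including dropping aliases that were created in between.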