Why are users missing from my M365 sync?

Here's your troubleshooting guide to finding out why one or more users are missing from your M365 sync.

Courtney Leacock avatar
Written by Courtney Leacock
Updated over a week ago

Here are some common reasons why one or more users could be missing after your M365 sync.

Did you run a Test or Manual Sync?

If you have just run a sync and find that no data has been imported, you may have run a Test Sync. The sync summary email’s subject will have “Test Results” at the end if it was generated for a Test Sync.

Test Syncs do not change system data, but instead email a sync summary detailing the changes that would be made by the next manual or automatic sync. The idea is that you can review the test results to confirm that you are happy with your sync configuration. That is why this option is provided upon completion of the Microsoft 365 Sync’s configuration wizard.

If you wish to run a manual sync please go to the Microsoft 365 Integration settings page and scroll to the Manual Sync section.

Do your users in Microsoft 365 have a First and Last Name set in AD?

The system requires that all users have a first and last name. The Microsoft 365 sync will exclude any user that it cannot determine these for.

Users with both the “First name” and “Last name” fields populated in Azure Active Directory will be included. Otherwise the “Name” field will be split to derive the user’s first and last names. However if their “Name” is a single word then they will be excluded.

Do your users have email addresses with a different domain to the one set on your usecure account?

The domain lock on your account (if present) will block users whose email addresses do not match the domain associated with your account. This will need to be lifted if your company has multiple domains. However if your company only has a single domain and you believe all your users’ email addresses are using it please refer to the next section.

How are your users' email addresses being established?

The sync offers multiple methods to establish a user's email address. The default method for new setups is "User Principal Name Only". When in use the sync will only the use the value of the "User Principal Name" (UPN) field in Azure AD for user email addresses. This approach fits most Microsoft 365 tenants and is our recommended method for establishing a user's email address.

If your sync was configured prior to March 2022, it will use the "Original" method for establishing user email addresses. Under that method the sync determines a user’s email address by reviewing the UPN and “Email”/"SMTP Email Address" (mail) fields in Azure Active Directory. The latter can be found under the Contact Info section in Azure AD. The sync checks mail first and only uses the UPN if that is not populated.

Under the "Original" method, you may find the users are imported with the wrong email address or excluded entirely if the values for mail and UPN do not match. For example, a user with a mail value that does not comply with the domain lock on your account will be excluded. This will occur even if the UPN is compliant with the domain lock.

Please note that all user email methods are subject to the domain lock on your account if enabled.

You can user email method on the "How would you like the sync to establish a user's email address?" step of the configuration wizard. Please contact support if you are unsure of the best method for your dataset.

Do your users have a UserType set?

Older user accounts may not have the UserType property set on their accounts. The UserType field is required for users to be brought over in the sync, and by setting it on users you will allow the sync to pick them up.

Did you authorise the correct Microsoft 365 tenant?

This issue only applies to Managed Service Provider setting up the sync integration on their internal account or one of their customers.

If you have the error message No viable users loaded from API, the sync may have failed to find viable users if you have authorised the wrong Microsoft 365 tenant when setting it up. For example, this would explain why none of the users returned by the MS Graph API conform with the account's domain lock.

To rule out this issue, we recommend that you reauthorise the sync with the correct tenant via the "Sign In with Microsoft" button on the Microsoft 365 Integration settings page.

Did this answer your question?