Mobile Number Sync Issues with Entra ID

How We Fixed a Mysterious Mobile Number Sync Issue with Entra ID

A deep dive into bypassing Entra ID Connect’s silent attribute sync failures

Discovering the Issue Between Active Directory and Entra ID

We were called in to troubleshoot an issue where a few users’ mobile phone numbers in Entra ID would not update, even though changes were made in on-premises Active Directory (AD) and Entra ID Connect syncs completed successfully. New numbers would not replace old ones, and even deleting the number in AD did not remove it from Entra ID. Meanwhile, test users synced just fine.

Context for the Environment

This client runs hybrid identity using Entra ID (formerly Azure AD) with AD Connect. User objects are synced from on-prem AD, and all standard sync rules were configured properly. No errors were showing in the Synchronization Service Manager or PowerShell sync logs.

Initial Findings

  • Adding a mobile number to a user in AD worked.
  • Deleting or changing an existing number did not.
  • The metaverse and connector space showed the correct value.
  • The Azure AD export showed a `delete` or `update` action for the `MobilePhone` attribute.
  • But Entra ID kept the old value.

Worse, the Entra UI misleadingly showed the `MobilePhone` field as editable, but would fail to save changes with a vague “Retry not possible” error. The `telephoneNumber` field was correctly greyed out as expected for a synced attribute.

The Breakthrough

We discovered that Entra ID can hold onto stale “cloud-managed” values for `MobilePhone`, even after the attribute is (or appears to be) sync-managed again. This happens most often when:

  • The value was manually entered in the Entra portal or via Microsoft Graph
  • The attribute was later overwritten or reconfigured to sync from on-prem

These values become immune to deletes or changes from AD, without any errors. There is Microsoft documentation that describes the issue here: How to use the BypassDirSyncOverridesEnabled feature of a Microsoft Entra tenant.

Diagnosis with ADSyncTools

We opened PowerShell, installed the `ADSyncTools` module and ran:

Compare-ADSyncToolsDirSyncOverrides

This produced a CSV showing users whose `mobile` attribute in AD did **not** match the `MobilePhone` value in Entra ID. The key indicator is the `EqualValues` column: every row showing `False` carried a stale mobile phone number, and all of our affected users were listed. This was **direct evidence** of the issue: Entra was not honoring deletes or changes, even though everything appeared healthy in the sync logs.
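As an added example (not code from the original post or from the ADSyncTools module), the snippet below triages the comparison CSV so the `False` rows can be handed to the remediation step. Only the `EqualValues` column name comes from the post; the CSV path and the `UserPrincipalName` column name are assumptions, so adjust them to match your export.

```powershell
# Added example: filter the Compare-ADSyncToolsDirSyncOverrides CSV down to the
# objects whose cloud-side value no longer matches AD (EqualValues = False).
function Get-DirSyncOverrideMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # Assumed column name; override if the export names the identity column differently.
        [string] $IdentityColumn = 'UserPrincipalName'
    )

    if (-not (Test-Path -Path $CsvPath)) {
        throw "Comparison CSV not found: $CsvPath"
    }

    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -gt 0 -and -not ($rows[0].PSObject.Properties.Name -contains 'EqualValues')) {
        throw 'CSV has no EqualValues column; is this the ADSyncTools comparison output?'
    }

    # Import-Csv yields strings, so compare against the literal text 'False'
    # rather than the boolean $false.
    $rows | Where-Object { $_.EqualValues -eq 'False' }
}

# Usage (the file names are placeholders):
$mismatches = @(Get-DirSyncOverrideMismatch -CsvPath '.\DirSyncOverrides.csv')
"{0} object(s) with a stale cloud-managed value" -f $mismatches.Count
$mismatches | Sort-Object -Property $IdentityColumn -ErrorAction SilentlyContinue |
    Export-Csv -Path '.\StaleMobileOverrides.csv' -NoTypeInformation
```

Keeping the filtered list on disk gives you a before/after record: rerun the comparison once the bypass flag is set and the sync cycle has completed, and the same rows should now report `True`.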

Fix: Enabling BypassDirSyncOverrides

This is a hidden feature that tells Entra ID to fully trust AD again for mobile numbers:

**Step-by-step:**

  1. Install and import the Microsoft Graph PowerShell SDK:

    ```powershell
    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph
    ```

  2. Connect with the correct scopes:

    ```powershell
    Connect-MgGraph -Scopes "Directory.ReadWrite.All","OnPremDirectorySynchronization.ReadWrite.All"
    ```

  3. Enable the feature:

    ```powershell
    $sync = Get-MgDirectoryOnPremisesSynchronization
    $sync.Features.BypassDirSyncOverridesEnabled = $true
    Update-MgDirectoryOnPremisesSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features
    ```

  4. Force a full sync:

    ```powershell
    Start-ADSyncSyncCycle -PolicyType Initial
    ```

⚠️ Note on step 2: You must be a **Global Administrator** to do this, and those **specific scopes** are required. The default MS Graph permissions will not work, and the referenced Microsoft article does not list them either. We found the correct permission only by analyzing the PowerShell errors and researching the exact additional Graph permission needed: `OnPremDirectorySynchronization.ReadWrite.All`.

Result

Within minutes, all affected users’ mobile phone numbers in Entra ID reflected the correct value from AD. Deletions and changes sourced from AD began flowing normally again.
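To confirm the result rather than trusting the sync logs that hid the problem in the first place, here is an added verification script (not from the original post). It reads the feature flag back and then compares each affected user's AD `mobile` value directly against Entra's `mobilePhone` via Graph. It assumes an existing `Connect-MgGraph` session, the ActiveDirectory RSAT module on the machine, and placeholder UPNs.

```powershell
# Added example: post-fix verification. Checks the tenant flag is really set and
# that AD and Entra now agree on the mobile number for the listed users.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

function Test-BypassDirSyncOverrides {
    # Returns $true only if the tenant feature flag is currently enabled.
    $sync = Get-MgDirectoryOnPremisesSynchronization
    return [bool]$sync.Features.BypassDirSyncOverridesEnabled
}

function Compare-MobileAttribute {
    param([Parameter(Mandatory)] [string[]] $UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        # Script-block filter keeps the UPN out of string interpolation.
        $adUser = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties mobile
        $mgUser = Get-MgUser -UserId $upn -Property 'userPrincipalName','mobilePhone' -ErrorAction SilentlyContinue

        # Normalize null and empty to the same value so a deletion in AD that
        # Entra has honored counts as a match.
        $adValue = if ($adUser) { [string]$adUser.mobile } else { '' }
        $mgValue = if ($mgUser) { [string]$mgUser.MobilePhone } else { '' }

        [pscustomobject]@{
            UserPrincipalName = $upn
            ADMobile          = $adValue
            EntraMobilePhone  = $mgValue
            EqualValues       = ($adValue -eq $mgValue)
        }
    }
}

if (-not (Test-BypassDirSyncOverrides)) {
    Write-Warning 'BypassDirSyncOverridesEnabled is not set; Entra may still hold cloud-managed overrides.'
}

# Placeholder UPNs; substitute the users flagged by Compare-ADSyncToolsDirSyncOverrides.
$report = Compare-MobileAttribute -UserPrincipalName 'user1@contoso.example','user2@contoso.example'
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.EqualValues } | ForEach-Object {
    Write-Warning "Still drifted: $($_.UserPrincipalName) AD='$($_.ADMobile)' Entra='$($_.EntraMobilePhone)'"
}
```

Run it once before enabling the flag and again after the sync cycle finishes: the first run should reproduce the `False` rows from the ADSyncTools comparison, and the second should show every listed user as `True`.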

Conclusion

This was an advanced case of attribute ownership drift — Entra ID had internally flagged the mobile number as cloud-owned even though it visually appeared to be sync-managed. Unless you know about the `BypassDirSyncOverridesEnabled` flag (and the exact scope required to set it), you’ll be left wondering why sync seems to be working when it absolutely isn’t.

Takeaway

If Entra ID isn’t updating a synced mobile phone attribute and you’re sure your AD, metaverse, and export logs are correct — suspect a stale cloud override, and run `Compare-ADSyncToolsDirSyncOverrides`. Then enable the bypass flag with the proper Graph permissions.

Author: Michael Pfaff | Crossconnect Engineering

Date: May 2025


Need help with hybrid identity, Entra ID troubleshooting, or secure sync architecture? Visit https://crossconnect.com/contact.