Azure Identity considerations

Synchronizing Azure Active Directory Objects

Use this article from Microsoft for the most up-to-date information: Set up Directory Synchronization

If the local Active Directory (AD) schema has not been extended to support Exchange, then the steps above to set msExchGuid attribute to null are not needed. Synchronization can be run in the normal manner.

If you have previously used DirSync from an environment where the local AD supports Exchange, you cannot set the msExchangeMailboxGUID to null, because this is not supported by DirSync. Therefore, we recommend that you instead use AAD Sync or AAD Connect to rectify this problem, by following the steps outlined above.

If you do not set the msExchMailboxGuid to null, before running a synchronization from an environment where the local AD supports Exchange, all of the On-Premises Exchange attributes for each user will be synchronized, including the MailboxGuid attribute. If users are created in this state on Microsoft 365, an Exchange Online license cannot be activated unless Mailbox Replication Services (MRS) is used to perform the mailbox move, or the steps above are followed to rectify this problem.

Once the users have been created on Microsoft 365, and the licenses have been activated, then you can start using DirSync, AAD Sync, or AAD Connect in the normal manner. The problem is limited to the user creation and license enablement (when the local AD supports Exchange).

If the mailboxes are on an Exchange Server in the local AD, Microsoft 365 accounts can be created using one of the following methodologies. Licenses will also need to be assigned to the users, once they have been created.

    • AAD Sync or AAD Connect. Follow the instructions detailed in the recommended approach above.

    • Manually, one at a time.

    • By bulk import, via CSV file.

    • BitTitan DirSync tool.

Filtering objects using Azure Active Direct (AAD) Connect

The steps below will set a filter, using AAD Connect, that will clear the msExchMailboxGuid to allow objects to be synchronized between environments.

Important:
  • If you are using AAD Sync, instead of AAD Connect, as your synchronization tool, the steps will be very similar to the ones detailed below.
  • If you are using DirSync, the steps will not be similar enough. In this case, we recommend that you upgrade to either AAD Sync or AAD Connect.

The following are example use cases where filtering objects from the synchronization could be advantageous:

  • Some users are already using Microsoft 365 as a production platform. You would want to filter out all objects except those user objects that are already using Microsoft 365. This way only those objects would be included in the synchronization.
  • You are planning a batch migration to Microsoft 365. You would then want to filter out all objects except those user objects that are part of the batch, or any previous batch. This way only those objects would be included in the synchronization.
  • You do not have the required Exchange Online licenses to assign to all the users. This would be useful so that you can then assign licenses to all synchronized accounts.
  • Enabling the Exchange Online license will cause an error.

Important: 

In all of the scenarios above, you would still want to synchronize all the objects using AAD Connect in order to have a complete Global Address List (GAL) on Microsoft 365. This will allow users to send email to the on-premises users, after mail routing has been enabled on Microsoft 365.

Summary explanation:

The filter, based on a specific attribute, will clear the msExchMailboxGuid for the synchronized objects, and thus avoid any service disruption for those users already using Microsoft 365.

Follow the steps below to guide you through the process of creating a new rule on AAD Connect, and filtering objects based on one extensionAttribute (called customAttribute on Exchange, and extensionAttribute on Active Directory Schema).

  • Before you start, it is very important that you are familiar with AAD Connect and PowerShell syntax.

Pre-Migration Tasks

  1. Choose one extensionAttribute that can be populated with a customized tag. In our example, we will use extensionAttribute 5and the tag "BT - User Migrated".
  2. Populate the extensionAttribute of the users that you are planning to assign an Exchange Online license to, with the chosen Tag.
  3. This step can be executed in any of the following ways:
    1. Using Exchange Management Console (EMC):
    2. Using Exchange Management Shell (EMS) by executing the following script:
    3. Set-Mailbox <user_UPN> -customAttribute5 "BT - User Migrated"
    4. Bulk edit using EMS:
      1. Create a users.CSV file with the UPN of the users that you what to enable the Exchange Online.
      2. Execute the following PowerShell script: $UserList = Import-CSV '<Path Name>\Users.csv' foreach( $user in $UserList ) {Set-Mailbox $user.UPN -customAttribute5 "BT - User Migrated"}
  1. Search and select the rule.
    1. In Windows, search for the Synchronization Rules Editor, and open it. Note:The default location is C:\Program Files\Microsoft Azure AD Sync\UIShell\SyncRulesEditor.exe.
    2. Search and select the rule with the name In from AD - User Exchange and click Export. Also, take note of the lowest precedence number (in this example it is 80). You will need it below.
    3. A Notepad (or other text editor defined as a default) will open, with a random name and a .tmp extension.
      Important: Save the file and keep it in a safe location. The file will allow you to recreate the default rule without any customization if something goes wrong.
  2. After you save the file, create a duplicate, change the extension to .ps1, and edit the file.
  3. On the .ps1 file:
    1. Change the Name to identify that it is a customized rule.
    2. Change Precedence to a number lower than the number found in Step 4 (in our example, it was 80).
  1. Delete the lines identifier and ImmutableTag.
  2. Open a PowerShell with elevated privileges, navigate to the folder where you store the .ps1 file, and execute the script. After it finishes, scroll up and validate that no error appears. 
  3. Confirm that a new line was created in the Synchronization Rules Editor. There is no refresh, so you will need to close and reopen it to confirm that a new line was created:
  4. Now, edit the rules.
    1. Start with the customized synchronization rule.
    2. Highlight the rule and click Edit.
    3. Select Scoping filter and click the Add clause  This will create a new line. Choose the extensionAttribute used before. Under Operator, select EQUAL and populate the Value with "BT - User Migrated".  Then select Transformations.
    4. Scroll down until you find the msExchMailboxGuid attribute, and change it to the following:
    5. Flow Type: Expression
      Target Attribute: msExchMailboxGuid
      Source: NULL
    6. Merge Type: Update
  5. Click Save. The window will close automatically.
  6. Now, edit the original Synchronization rule.
    1. On the Scoping filter, click Add clause
    2. Add the extensionAttributeNOTEQUAL,and BT - User Migrated.
  7. Perform a FULL Sync. A DeltaSync will not make the required changes. 
  8. An easy way to perform this step is to open a PowerShell on the computer where AAD Connect is running, and execute the following script:
    1. ​Import-Module ADSync
      Start-ADSyncSyncCycle -PolicyType Initial
  9. Enable the Exchange Online license for the required users.
  10. Using EMC, AD, or using PowerShell, remove the tag BT - User Migrated from the users. If you use PowerShell, replace BT -User Migrated with $null. 
  11. Perform a DeltaSync. An easy way to perform this step is to open a PowerShell on the computer where AAD Connect is running, and execute the following script:
    1. ​Import-Module ADSync
      Start-ADSyncSyncCycle -PolicyType Delta

Post-migration tasks

After you enable all the required Exchange licenses in Microsoft 365, you can revert all the changes made on AAD Connect:

  1. Highlight and delete the customized synchronization rule.
  2. Remove the clause from the Scoping filter of the original rule.
Was this article helpful?
0 out of 0 found this helpful