Azure Identity considerations

Synchronizing Microsoft Entra ID Objects

Use this article from Microsoft for the most up-to-date information: Set up Directory Synchronization.

If the local Microsoft Entra (ME) schema has not been extended to support Exchange, then the steps above to set the msExchMailboxGuid attribute to null are not needed, and synchronization can be run in the normal manner.

If you do not set msExchMailboxGuid to null before running a synchronization from an environment where the local ME supports Exchange, all of the on-premises Exchange attributes for each user will be synchronized, including msExchMailboxGuid. If users are created in this state on Microsoft 365, an Exchange Online license cannot be activated unless the mailbox move is performed with the Mailbox Replication Service (MRS) or the steps above are followed to rectify the problem.

Once the users have been created on Microsoft 365 and the licenses have been activated, you can start using ME-ID Connect in the normal manner. The problem is limited to user creation and license enablement (when the local ME supports Exchange).

If the mailboxes are on an Exchange Server in the local ME, Microsoft 365 accounts can be created using one of the following methods. Licenses will also need to be assigned to the users once they have been created.

    • ME-ID Connect. Follow the instructions detailed in the recommended approach above.

    • Manually, one at a time.

    • By bulk import, via CSV file.

Filtering objects using Microsoft Entra (ME-ID) Connect

The steps below will set a filter, using ME-ID Connect, that will clear the msExchMailboxGuid to allow objects to be synchronized between environments.

Keep in mind that AAD Sync and DirSync are not supported and no longer work. In this case, upgrade to Microsoft Entra Connect to resume your sync process. For more info, see Microsoft Entra Connect.

The following are example use cases where filtering objects from the synchronization could be advantageous:

  • Some users are already using Microsoft 365 as a production platform. You would want to filter out all objects except those user objects that are already using Microsoft 365. This way only those objects would be included in the synchronization.
  • You are planning a batch migration to Microsoft 365. You would then want to filter out all objects except those user objects that are part of the batch, or any previous batch. This way only those objects would be included in the synchronization.
  • You do not have the required Exchange Online licenses to assign to all the users. Filtering is useful here so that you can assign licenses to all of the synchronized accounts.
  • Enabling the Exchange Online license will cause an error.

In all of the scenarios above, you would still want to synchronize all the objects using Microsoft Entra Connect to have a complete Global Address List (GAL) on Microsoft 365. This will allow users to send emails to the on-premises users after mail routing has been enabled on Microsoft 365.

Summary explanation:

The filter, based on a specific attribute, will clear the msExchMailboxGuid for the synchronized objects, and thus avoid any service disruption for those users already using Microsoft 365.

Follow the steps below to guide you through the process of creating a new rule on Microsoft Entra Connect and filtering objects based on one extensionAttribute (called customAttribute on Exchange, and extensionAttribute in the Active Directory schema).

  • Before you start, you must be familiar with Microsoft Entra Connect and PowerShell syntax.

Pre-Migration Tasks

  1. Choose one extensionAttribute that can be populated with a customized tag. In our example, we will use extensionAttribute5 and the tag "BT - User Migrated".
  2. Populate the extensionAttribute of the users to which you are planning to assign an Exchange Online license with the chosen tag.
  3. Step 2 can be executed in any of the following ways:
      • Using the Exchange Management Console (EMC): set the custom attribute in the properties of each mailbox.
      • Using the Exchange Management Shell (EMS) by executing the following command: Set-Mailbox <user_UPN> -CustomAttribute5 "BT - User Migrated"
      • Bulk edit using EMS:
        1. Create a Users.csv file with a UPN column listing the users for which you want to enable Exchange Online.
        2. Execute the following PowerShell script:
        $UserList = Import-Csv '<Path Name>\Users.csv'
        foreach ($user in $UserList) {
            Set-Mailbox -Identity $user.UPN -CustomAttribute5 "BT - User Migrated"
        }
  4. Search and select the rule.
    1. In Windows, search for the Synchronization Rules Editor and open it. The default location is C:\Program Files\Microsoft Azure AD Sync\UIShell\SyncRulesEditor.exe.
    2. Search for and select the rule named In from AD - User Exchange and click Export. Also, take note of the lowest precedence number (in this example it is 80). You will need it below.
    3. Notepad (or the text editor defined as the default) will open a file with a random name and a .tmp extension. Save the file and keep it in a safe location. The file will allow you to recreate the default rule without any customization if something goes wrong.
  5. After you save the file, create a duplicate, change the extension to .ps1, and edit the file.
  6. In the .ps1 file:
    1. Change the Name to identify that it is a customized rule.
    2. Change Precedence to a number lower than the number found in Step 4 (in our example, it was 80).
  7. Delete the lines that set Identifier and ImmutableTag.
  8. Open an elevated PowerShell, navigate to the folder where you stored the .ps1 file, and execute the script. After it finishes, scroll up and validate that no error appears.
  9. Confirm that a new rule appears in the Synchronization Rules Editor. The editor does not refresh automatically, so close and reopen it to confirm that the new rule is listed.
  10. Now, edit the rules.
    1. Start with the customized synchronization rule.
    2. Highlight the rule and click Edit.
    3. Select Scoping filter and click Add clause. This creates a new line. Choose the extensionAttribute used before, under Operator select EQUAL, and populate Value with "BT - User Migrated". Then select Transformations.
    4. Scroll down until you find the msExchMailboxGuid attribute and change it to the following:
       Flow Type: Expression
       Target Attribute: msExchMailboxGuid
       Source: NULL
       Merge Type: Update
  11. Click Save. The window will close automatically.
  12. Now, edit the original synchronization rule.
    1. On the Scoping filter, click Add clause.
    2. Add a clause with the same extensionAttribute, the operator NOTEQUAL, and the value BT - User Migrated.
  13. Perform a Full sync. A Delta sync will not make the required changes.
  14. An easy way to perform this step is to open a PowerShell on the computer where Microsoft Entra Connect is running and execute the following script:
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Initial
  15. Enable the Exchange Online license for the required users.
  16. Using EMC, ME, or PowerShell, remove the tag BT - User Migrated from the users. If you use PowerShell, replace "BT - User Migrated" with $null.
  17. Perform a Delta sync. An easy way to perform this step is to open a PowerShell on the computer where Microsoft Entra Connect is running and execute the following script:
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
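The tagging, rule-creation and sync steps above, consolidated into PowerShell functions as an added example (this is not a script from the original article, from BitTitan or from Microsoft). It assumes extensionAttribute5 / CustomAttribute5 as the tag attribute, a CSV with a UPN column, and a connector GUID and precedence that you take from your own Synchronization Rules Editor export (the values shown are placeholders). Set-MigrationTag runs in the Exchange Management Shell on the Exchange server; New-MigrationSyncRule and Invoke-MigrationSync run in an elevated PowerShell on the Microsoft Entra Connect server. The NOTEQUAL clause on the original rule (step 12) is still added in the editor as described above.

```powershell
# Added example, not from the original article. Assumptions: tag lives in
# extensionAttribute5 (CustomAttribute5 in Exchange), CSV has a "UPN" column,
# connector GUID and precedence are placeholders taken from your own export.

$Tag = 'BT - User Migrated'

# --- Run in the Exchange Management Shell -----------------------------------

function Set-MigrationTag {
    # Stamp CustomAttribute5 for every UPN in the CSV (steps 2-3), or clear it
    # again with -Clear once the licenses are enabled (step 16).
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [switch] $Clear
    )
    $value = if ($Clear) { $null } else { $Tag }
    foreach ($row in Import-Csv -Path $CsvPath) {
        $mbx = Get-Mailbox -Identity $row.UPN -ErrorAction SilentlyContinue
        if (-not $mbx) {
            # A typo in the CSV should not abort the whole batch; report and move on.
            Write-Warning "No mailbox found for $($row.UPN); skipped"
            continue
        }
        Set-Mailbox -Identity $mbx.Identity -CustomAttribute5 $value
        Write-Output "$($row.UPN): CustomAttribute5 = '$value'"
    }
}

# --- Run in an elevated PowerShell on the Microsoft Entra Connect server ------

function New-MigrationSyncRule {
    # Create the customized inbound rule (steps 5-11): scoped to tagged users,
    # flowing NULL into msExchMailboxGuid. Identifier and ImmutableTag are
    # deliberately omitted, as the article instructs, so a new rule is created.
    param(
        [Parameter(Mandatory)] [string] $ConnectorId,   # placeholder: GUID from your export
        [int] $Precedence = 79,                          # must be lower than the original (80 in the article)
        [string] $RuleName = 'In from AD - User Exchange (BT migration, custom)'
    )
    Import-Module ADSync

    $rule = New-ADSyncRule -Name $RuleName `
        -Description 'Clears msExchMailboxGuid for users tagged for migration' `
        -Direction 'Inbound' -Precedence $Precedence `
        -SourceObjectType 'user' -TargetObjectType 'person' `
        -Connector $ConnectorId -LinkType 'Join' -SoftDeleteExpiry 0

    # Scoping filter: extensionAttribute5 EQUAL "BT - User Migrated"
    $cond = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
        -ArgumentList 'extensionAttribute5', $Tag, 'EQUAL'
    $rule = Add-ADSyncScopeConditionGroup -SynchronizationRule $rule -ScopeConditions @($cond)

    # Transformation: Flow Type Expression, Source NULL, Merge Type Update
    $rule = Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule `
        -Destination 'msExchMailboxGuid' -FlowType 'Expression' -Expression 'NULL' `
        -ValueMergeType 'Update'

    Add-ADSyncRule -SynchronizationRule $rule

    # Return the stored rule so the caller can confirm name and precedence.
    Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName }
}

function Invoke-MigrationSync {
    # Step 13/14: a Full (Initial) sync is required after the rule change;
    # step 17: a Delta sync is enough after the tag has been removed.
    param([switch] $Full)
    Import-Module ADSync
    $policy = if ($Full) { 'Initial' } else { 'Delta' }
    Start-ADSyncSyncCycle -PolicyType $policy
}

# Typical sequence (each call on the appropriate server):
#   Set-MigrationTag -CsvPath 'C:\Temp\Users.csv'
#   New-MigrationSyncRule -ConnectorId '00000000-0000-0000-0000-000000000000'   # placeholder GUID
#   Invoke-MigrationSync -Full
#   ... assign Exchange Online licenses ...
#   Set-MigrationTag -CsvPath 'C:\Temp\Users.csv' -Clear
#   Invoke-MigrationSync
```

Keep the exported .tmp file from step 4 alongside this script: if New-MigrationSyncRule produces a rule whose precedence or scoping filter differs from what you expected, delete the custom rule in the editor and recreate the default from that export rather than editing the original rule by hand.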

Post-migration tasks

After you enable all the required Exchange licenses in Microsoft 365, you can revert all the changes made on Microsoft Entra Connect:

  1. Highlight and delete the customized synchronization rule.
  2. Remove the clause from the Scoping filter of the original rule.