
Removing msExchMailboxGUID attribute from AD synchronization.

Problem:

If you use an AD synchronization tool such as Azure Active Directory Connect, Azure Active Directory Synchronization Services (AAD Sync), Azure Active Directory Synchronization Tool (DirSync) or Forefront Identity Manager 2010 R2 (FIM) in your environment (e.g. a hybrid Exchange one), there is a high probability that you applied the default configuration for the synchronization process. If so, msExchMailboxGuid is among the many synced AD attributes.

In such a case, assigning an Office 365 license to synced on-premises users will not result in creating mailboxes. You will be able to create Office 365 mailboxes only with the free Microsoft migration tool, which rules out third-party migration tools like CodeTwo Office 365 Migration. If you want to use a third-party migration tool, you need to rebuild the on-premises users' synchronization from scratch, removing the msExchMailboxGuid attribute from the AD synchronization list.

Solution:

If the synchronization process is already completed and all synced users have had the msExchMailboxGuid attribute included in the sync process, the only way to remove the attribute is to remove all the synced users from Office 365 and reconfigure the synchronization process accordingly.

To remove existing synced accounts from Office 365, follow the steps below:

The example procedure is described for the Azure Active Directory Sync tool, but the idea stays the same for all similar AD sync tools.

  1. Open the Synchronization Service Manager.
  2. Select the Connectors tab.
  3. Select the connection type: Active Directory Domain Services - which allows connection to your local AD
  4. Click the right mouse button (RMB) to open Properties
  5. In the Properties window select the Configure Directory Partitions tab and click the Containers button
  6. Provide the password for the user used to connect to local AD and click OK
  7. In the new window uncheck users' synchronization for already synced users and click the OK button
  8. Close the connection edit window by clicking the OK button again
  9. Open the Task Scheduler application
  10. After selecting the Task Scheduler Library tab, search for the Azure AD Sync task
  11. Select the task and run it with RMB
  12. Wait until the operation is completed
  13. Terminate the Azure AD Sync Scheduler task by selecting it and choosing the Disable option with RMB
  14. Next, open Windows Azure AD Module for Windows PowerShell
  15. Connect to your Office 365 service with a global admin account using the following cmdlets:

    To be able to connect to Office 365 as a part of the Windows Azure service, you need to install the appropriate module for Windows PowerShell.

    $cred = Get-Credential
    where you provide the administrator's password, and then continue with the cmdlet below:
    Connect-MsolService -Credential $cred
  16. Retrieve the list of removed users with another cmdlet:
    Get-MsolUser -ReturnDeletedUsers

  17. Remove all users from the list with a cmdlet:
    Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin

    Please note that the removing operation is irreversible.

After completing all the above steps, there should be no synchronized accounts in your Office 365. To make sure, verify in the Office 365 Administration Panel that no synced accounts remain.
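Because the purge in step 17 cannot be undone, steps 15 to 17 and the check above can be run as one script that records what it is about to delete and asks for confirmation first. This is an added example, not CodeTwo's own code; the backup path is a placeholder, and narrowing the purge to accounts with a `LastDirSyncTime` value assumes that soft-deleted objects keep that property.

```powershell
# Added example: back up, review, then purge soft-deleted synced users (MSOnline module).
$backupPath = 'C:\Temp\deleted-synced-users.csv'   # hypothetical path, adjust before running

$cred = Get-Credential
Connect-MsolService -Credential $cred

# Assumption: soft-deleted objects keep LastDirSyncTime, so this filter selects
# only accounts that came from directory sync and skips cloud-only accounts
# that happen to be in the recycle bin.
$deleted = @(Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.LastDirSyncTime })

if ($deleted.Count -eq 0) {
    Write-Host 'No soft-deleted synced users found; nothing to purge.'
    return
}

# Keep a record of every account before the irreversible removal.
$deleted |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime, SoftDeletionTimestamp |
    Export-Csv -Path $backupPath -NoTypeInformation -Encoding UTF8

$deleted | Format-Table UserPrincipalName, LastDirSyncTime, SoftDeletionTimestamp -AutoSize

$answer = Read-Host "Permanently remove $($deleted.Count) user(s)? Type YES to continue"
if ($answer -cne 'YES') {
    Write-Host 'Aborted; no users were removed.'
    return
}

foreach ($user in $deleted) {
    Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force
}

# Verification: list any active accounts that are still marked as synced.
$stillSynced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })
Write-Host "Active synced accounts remaining: $($stillSynced.Count)"
$stillSynced | Select-Object UserPrincipalName, LastDirSyncTime
```

If the assumption about `LastDirSyncTime` does not hold in your tenant, the filter returns nothing and the script stops without removing any account.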

Next, follow the steps listed below:

If you are running the synchronization task for the first time, you should begin with this part of the article.

  1. Launch the DirectorySyncTool application
  2. In the first window provide the Office 365 global administrator credentials and click the Next button
  3. In the next window provide all required data of the local AD that will be the source for the synchronization process for your Office 365 environment.

    If you have already performed the synchronization task before, simply choose the existing connection to your local AD

  4. Leave the User Matching tab field unchanged and click the Next button
  5. On the next screen check all options and click Next (Fig. 1.)

    Fig. 1. Azure AD synchronization - Optional Features.
     

  6. Leave the next window (Azure AD Apps) unchanged and click Next
  7. In the following step check the option: I want to further limit the attributes exported to Azure AD, search for the msExchMailboxGuid attribute on the list (Fig. 2.), uncheck it and click Next

    Fig. 2. Azure AD synchronization - synced attributes' list.
     

  8. You will now see a synchronization configuration summary window where you also click Next
  9. In the last step check the option: Synchronize now and click Finish.

After the synchronization is finished, none of the synced accounts will have the msExchMailboxGuid attribute synced anymore.

 

 
