Knowledge Base

Prepare AD sync tools for migration to Office 365 via CodeTwo software

Problem:

If you are working with AD synchronization tools (e.g. Microsoft Entra Connect / Azure AD Connect) in an Exchange hybrid environment, there is a high probability that you applied a default configuration for the synchronization process. If so, among various synced AD attributes there is also msExchMailboxGuid.

In such a case, assigning an Office 365 (Microsoft 365) license to synced on-premises users will not result in creating mailboxes. You will be able to create an Office 365 mailbox only with Microsoft migration tools, which excludes any possibility of using third-party migration tools like CodeTwo Office 365 Migration.

Solution:

To be able to use any third-party migration tool (including CodeTwo Office 365 Migration) to migrate mailboxes within an Exchange hybrid deployment, first you need to prepare your environment by either setting the msExchMailboxGuid attribute to NULL (recommended) or rebuilding the synchronization service for on-premises users from scratch, removing the msExchMailboxGuid attribute from AD synchronization. However, you need to be aware that other attributes that are synchronized based on the Exchange mailbox GUID, e.g. ImmutableId – responsible for syncing on-premises Global Address List (GAL) to Exchange Online, might stop working as well. Once new mailboxes are created in Office 365, they will be assigned new GUIDs that will be propagated across all services in your tenant (including the GAL).

Keep in mind that after the mailboxes are migrated, Office 365 users are synchronized with your on-premises AD environment. Because of that, you need to manage Office 365 mailboxes (e.g. change their email addresses) through your on-premises Exchange server.

If you delete the mailboxes in your on-premises organization (or decommission the on-premises server), you will not be able to modify or delete their cloud counterparts in Office 365 unless you disable the directory synchronization. Learn more here

Follow the links below to find a solution that works best for your environment:

Warning

These solutions do not apply to public folders.

These solutions make it possible to create a separate mailbox for the same user in the target environment and essentially complete the migration. Be aware that coexistence of the two mailboxes (on-premises & cloud) for the same user in a hybrid environment is an undesirable state because it may lead to mail routing issues. For example, emails from within the organization will be delivered to the mailbox that is located only in the same environment (e.g. Exchange Server) as the sender’s one. That’s why, for migrations within a hybrid environment, we recommend that you complete the process without unnecessary delays. Learn more

Solution 1

Perform the following steps to set the msExchMailboxGuid attribute to NULL:

Important

This solution applies to Microsoft Entra Connect (Azure AD Connect) and Microsoft Entra Connect Sync (Azure AD Sync) only.

  1. Stop the scheduler used in Microsoft Entra Connect sync by using the following cmdlet:
    Set-ADSyncScheduler -SyncCycleEnabled $false
  2. Start Synchronization Rules Editor as an administrator (Fig. 1.).

    509_01
    Fig. 1. Running Synchronization Rules Editor as administrator.

  3. Select Inbound from the Direction drop-down menu (or from the Rule Types menu, if you're using Microsoft Entra Connect Sync).
  4. Select the In from AD - User Exchange rule and click Edit (Fig. 2.). In the example shown below, the Precedence value of this rule is 108. Remember that value, as it will be used later on. 

    509_02
    Fig. 2. Editing the In from AD - User Exchange object.

  5. When prompted, click Yes to disable that rule and create an editable copy of the rule.
  6. In the window that opens, in the Description step, change the Precedence value to 200
  7. Go to the Transformations step and find the msExchMailboxGuid attribute on the list and perform the following changes (Fig. 3.):

    509_03
    Fig. 3. Editing the msExchMailboxGuid attribute.

    • In the FlowType column, select Expression from the drop-down menu.
    • In the Source column, type NULL (uppercase).
    • Select the Apply Once checkbox.
    • In the Merge Type column, select Update from the drop-down menu.
    • Click Save.
  8. Delete the original rule (that was disabled in step 5 ).
  9. Change the Precedence value of the new rule (the copy created in step 5) to the value used in the original rule. In our example, this was 108
  10. Start the scheduler again by using the following cmdlet:
    Set-ADSyncScheduler -SyncCycleEnabled $true
  11. Perform a full synchronization by executing this cmdlet:
    Start-ADSyncSyncCycle -PolicyType Initial

Once the synchronization is finished, assigning an Office 365 license to synced on-premises users will result in creating mailboxes, allowing you to perform the migration.

If the license is already assigned, but the user has no mailbox, remove the license and assign it again.

Solution 2

Important

We recommend using the first solution instead, since it's easier to implement and takes up less of your time. However, if that's not the option, or the solution didn't work in your environment, proceed with this solution instead.

If the synchronization process is finished, and the synced users have msExchMailboxGuid attribute values in Office 365, you can also try removing this attribute by permanently deleting (hard-deleting) all of the synced users from Office 365, reconfiguring the synchronization (to exclude msExchMailboxGuid) and performing it all over again. Use the links below to learn more.

How to remove synced users from Office 365

To permanently remove the synced accounts from Office 365, follow the steps below.

This example shows a solution for Microsoft Entra Connect (Azure AD Connect), but the general idea is similar for all other AD syncing tools.

  1. Open Synchronization Service Manager.
  2. Go to the Connectors tab.
  3. Select the connection type which allows for connection to your local AD: Active Directory Domain Services.
  4. Right-click the selection and choose Properties from the shortcut menu.
  5. In the Properties window, go to the Configure Directory Partitions section and click the Containers button.
  6. Provide the password for the user you used to connect to your local AD and click OK.
  7. A new window will open. Clear (uncheck) the selection for the users (OUs) that are already synced (e.g. HybridUsers, as in the example shown in Fig. 4.) and click OK.

509-1
Fig. 4. Clearing the containers for the synced users (in this example: HybridUsers).

  1. Close the Properties window by clicking OK.
  2. Now you need to perform a full AD synchronization. To do that, open  Windows PowerShell and use the following cmdlet:
    Start-ADSyncSyncCycle -PolicyType Initial
    Alternatively, you can also perform the synchronization process manually, by running it separately for each of your connectors.
  1. Ensure that the synchronization process has been performed successfully: open Synchronization Service Manager and verify the status of connectors (Fig. 5.).

509-2
Fig. 5. Verifying the status of connectors.

  1. All synced user accounts should be visible on the Deleted users page in your Microsoft 365 admin center (Office 365 admin center).

Now, you can either use the MSOnline V1 PowerShell module for Azure Active Directory or Microsoft Entra admin center to hard-delete these users from Entra ID (Azure AD). Please note that these operations are not reversible.

Hard-deleting user mailboxes by using the MSOnline module

Important

To be able to connect to Office 365 as a part of Windows Azure service, you need to install an appropriate module for Windows PowerShell.

  1. Connect to your Office 365 service as a global admin by using the following cmdlets:
    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    Provide your admin credentials when asked.
  1. You can now remove all the recently deleted users in one go or do it one by one:
    • To batch delete all user mailboxes, run this cmdlet:
      get-msoluser -returndeletedusers -All | remove-msoluser -removefromrecyclebin -force

      Warning

      This cmdlet may take some time to complete depending on the number of mailboxes that need to be deleted. During that time PowerShell may seem to be frozen.

    • To delete user mailboxes individually, first retrieve the list of deleted users with this cmdlet:
      Get-MsolUser -ReturnDeletedUsers | Select UserPrincipalName, ObjectId
      This will return the user principal name (UPN) and the ObjectId parameter of these users. Now, to delete a particular user, execute the following cmdlet, providing appropriate <ObjectId> value:
      Remove-MsolUser -RemoveFromRecycleBin -ObjectId <ObjectId>
Hard-deleting user mailboxes in the Microsoft Entra admin center
  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Azure Active Directory (or Identity) > Users > Deleted users (Fig. 6.).  

Opening the list of recently deleted users in the Microsoft Entra admin center.
Fig. 6. Opening the list of recently deleted users in the Microsoft Entra admin center.

  1. In the central pane, select the checkbox next to each user that you want to delete.
  2. Click Delete permanently to hard-delete all selected users (Fig. 7.).

Hard-deleting selected users.
Fig. 7. Hard-deleting selected users.

  1. Click OK to confirm. 

Important

All your soft-deleted user mailboxes will be automatically deleted permanently after 30 days. If these mailboxes were placed on hold, they will be deleted permanently once the hold is removed (but not earlier than 30 days after they were soft-deleted).

When you complete all the above steps, there should be no synchronized accounts in your Office 365 (you can verify that in the Microsoft 365 admin center).

How to (re)configure AD synchronization tools for migration to Office 365

To (re)configure your AD synchronization for migration to Office 365 via third-party software, you need to exclude the msExchMailboxGuid attribute from the syncing process. Follow the steps below.

This example shows a solution for Microsoft Entra Connect, but the general idea is similar for all other AD syncing tools.

  1. Open Microsoft Entra Connect.
  2. Click the Configure button to proceed to the next section (Tasks/Additional tasks).
  3. Choose Customize synchronization options from the list and click Next.
  4. In the Connect to Azure AD section, provide your Entra ID (Azure AD) credentials.
  5. In the Domain/OU Filtering step, choose Organizational Units (e.g. HybridUsers, as shown in Fig. 8.) that you want to synchronize and click Next.

509-3
Fig. 8. Selecting Organizational Units to be synchronized.

  1. Proceed to the Azure AD Attributes step. Select I want to further limit the attributes exported to Azure AD and clear (uncheck) the msExchMailboxGuid check box, as shown in Fig. 9.

509-4
Fig. 9. Excluding msExchMailboxGuid from synchronization.

  1. Click Next to proceed to the last section (Configure). Ensure that the Start the synchronization process when configuration completes check box is selected.
  2. Click Configure to start full synchronization.

After the synchronization is finished, all the synced accounts will not have their msExchMailboxGuid attributes synced anymore.

Was this information useful?