Prepare AD sync tools for migration to Office 365 via CodeTwo software

Problem:

If you are working with AD synchronization tools (e.g. Azure Active Directory Connect) in your environment (e.g. a hybrid Exchange one), there is a high probability that you applied a default configuration for the synchronization process. If so, among various synced AD attributes there is also msExchMailboxGuid.

In such a case, assigning an Office 365 license to synced on-premises users will not result in creating mailboxes. You will be able to create an Office 365 mailbox only with Microsoft migration tools, which excludes any possibility of using third-party migration tools like CodeTwo Office 365 Migration.

Solution:

If you would like to migrate via a third-party migration tool (such as CodeTwo Office 365 Migration), you need to either set the msExchMailboxGuid attribute to NULL or rebuild the synchronization service for on-premises users from scratch, removing the msExchMailboxGuid attribute from AD synchronization.

Warning

Keep in mind that after the mailboxes are migrated, Office 365 users are synchronized with your on-premises AD environment. Because of that, you need to manage Office 365 mailboxes (e.g. change their email addresses) through on-premises Exchange server.

If you delete the mailboxes in your on-premises organization (or decommission the on-premises server), you will not be able to modify or delete their cloud counterparts in Office 365 unless you disable the directory synchronization. Learn more here

Follow the links below to find a solution that works best for your environment:

Warning

These solutions do not apply to public folders.

Solution 1 

Perform the following steps to set the msExchMailboxGuid attribute to NULL:

Important

This solution applies to Azure AD Connect and Azure AD Sync only.

  1. Stop the scheduler used in Azure AD Connect sync by using the following cmdlet:
    Set-ADSyncScheduler -SyncCycleEnabled $false
  2. Start Synchronization Rules Editor as an administrator (Fig. 1.).

    509_01
    Fig. 1. Running Synchronization Rules Editor as administrator.

  3. Select Inbound from the Direction drop-down menu (or from the Rule Types menu, if you're using Azure AD sync).
  4. Select the In from AD - User Exchange rule and click Edit (Fig. 2.).

    509_02
    Fig. 2. Editing the In from AD - User Exchange object.

    Info

    When prompted, you can select to create an editable copy of this rule or edit the current one. Choose whichever option is best for you.

  5. Select Transformations from the menu on the left and find the msExchMailboxGuid attribute on the list and perform the following changes (Fig. 3.):
    • In the FlowType column, select Expression from the drop-down menu.
    • In the Source column, type NULL (uppercase).
    • Select the Apply Once checkbox.
    • In the Merge Type column, select Update from the drop-down menu.
    • Click Save.

    509_03
    Fig. 3. Editing the msExchMailboxGuid attribute.

  6. Start the scheduler again by using the following cmdlet:
    Set-ADSyncScheduler -SyncCycleEnabled $true
  7. Perform a full synchronization by executing this cmdlet:
    Start-ADSyncSyncCycle -PolicyType Initial

Once the synchronization is finished, assigning an Office 365 license to synced on-premises users will result in creating mailboxes, allowing you to perform the migration.

Solution 2

If the synchronization process is finished, and the synced users have msExchMailboxGuid attribute values in Office 365, the only way to remove this attribute is to permanently remove (hard-delete) all of the synced users from Office 365, reconfigure the synchronization (to exclude msExchMailboxGuid) and perform it all over again. Use the links below to learn more. 

How to remove synced users from Office 365

To permanently remove the synced accounts from Office 365, follow the steps below.

This example shows a solution for Azure AD Connect, but the general idea is similar for all other AD syncing tools.

  1. Open Synchronization Service Manager.
  2. Go to the Connectors tab.
  3. Select the connection type which allows for connection to your local AD: Active Directory Domain Services.
  4. Right-click the selection and choose Properties from the shortcut menu.
  5. In the Properties window, go to the Configure Directory Partitions section and click the Containers button.
  6. Provide the password for the user you used to connect to your local AD and click OK.
  7. A new window will open. Clear (uncheck) the selection for the users (OUs) that are already synced (e.g. HybridUsers, as in the example shown in Fig. 4.) and click OK.

509-1
Fig. 4. Clearing the containers for the synced users (in this example: HybridUsers).

  1. Close the Properties window by clicking OK.
  2. Now you need to perform a full AD synchronization. To do that, open  Windows PowerShell and use the following cmdlet:
    Start-ADSyncSyncCycle -PolicyType Initial
    Alternatively, you can also perform the synchronization process manually, by running it separately for each of your connectors.
  1. Ensure that the synchronization process has been performed successfully: open Synchronization Service Manager and verify the status of connectors (Fig. 5.).

509-2
Fig. 5. Verifying the status of connectors.

  1. All synced user accounts should be visible on the Deleted users page in your Microsoft 365 admin center (Office 365 admin center).

Now, you can either use the MSOnline V1 PowerShell module for Azure Active Directory or Azure AD admin center to hard-delete these users from Azure AD. Please note that these operations are not reversible.

Hard-deleting user mailboxes by using the MSOnline module

Important

To be able to connect to Office 365 as a part of Windows Azure service, you need to install an appropriate module for Windows PowerShell.

  1. Connect to your Office 365 service as a global admin by using the following cmdlets:
    $cred = Get-Credential
    Connect-MsolService –Credential $cred
    Provide your admin credentials when asked.
  1. You can now remove all the recently deleted users in one go or do it one by one:
    • To batch delete all user mailboxes, run this cmdlet:
      get-msoluser –returndeletedusers -All | remove-msoluser -removefromrecyclebin –force

      Warning

      This cmdlet may take some time to complete depending on the number of mailboxes that need to be deleted. During that time PowerShell may seem to be frozen.

    • To delete user mailboxes individually, first retrieve the list of deleted users with this cmdlet:
      Get-MsolUser -ReturnDeletedUsers | Select UserPrincipalName, ObjectId
      This will return the user principal name (UPN) and the ObjectId parameter of these users. Now, to delete a particular user, execute the following cmdlet, providing appropriate <ObjectId> value:
      Remove-MsolUser –RemoveFromRecycleBin -ObjectId <ObjectId>
Hard-deleting user mailboxes in Azure AD admin center
  1. Log in to your Azure Active Directory admin center.
  2. Navigate to Users > Deleted users (Fig. 6.).

509-2a
Fig. 6. Opening the list of recently deleted users in Azure AD admin center.

  1. In the central pane, select the checkbox next to each user that you want to delete.
  2. Click Delete permanently to hard-delete all selected users (Fig. 7.).

509-2b
Fig. 7. Hard-deleting selected users.

  1. Click Yes to confirm. 

Important

All your soft-deleted user mailboxes will be automatically deleted permanently after 30 days. If these mailboxes were placed on hold, they will be deleted permanently once the hold is removed (but not earlier than 30 days after they were soft-deleted).

When you complete all the above steps, there should be no synchronized accounts in your Office 365 (you can verify that in the Microsoft 365 admin center).

How to (re)configure AD synchronization tools for migration to Office 365

To (re)configure your AD synchronization for migration to Office 365 via third-party software, you need to exclude the msExchMailboxGuid attribute from the syncing process. Follow the steps below.

This example shows a solution for Azure AD Connect, but the general idea is similar for all other AD syncing tools.

  1. Open Azure AD Connect.
  2. Click the Configure button to proceed to the next section (Tasks/Additional tasks).
  3. Choose Customize synchronization options from the list and click Next.
  4. In the Connect to Azure AD section, provide your Azure credentials.
  5. In the Domain/OU Filtering step, choose Organizational Units (e.g. HybridUsers, as shown in Fig. 8.) that you want to synchronize and click Next.

509-3
Fig. 8. Selecting Organizational Units to be synchronized.

  1. Proceed to the Azure AD Attributes step. Select I want to further limit the attributes exported to Azure AD and clear (uncheck) the msExchMailboxGuid check box, as shown in Fig. 9.

509-4
Fig. 9. Excluding msExchMailboxGuid from synchronization.

  1. Click Next to proceed to the last section (Configure). Ensure that the Start the synchronization process when configuration completes check box is selected.
  2. Click Configure to start full synchronization.

After the synchronization is finished, all the synced accounts will not have their msExchMailboxGuid attributes synced anymore.