
Removing the msExchMailboxGUID attribute from AD synchronization

Problem:

If you run an AD synchronization tool such as Azure Active Directory Connect, Azure Active Directory Synchronization Services (AAD Sync), Azure Active Directory Synchronization Tool (DirSync) or Forefront Identity Manager 2010 R2 (FIM) in your environment (e.g. a hybrid Exchange one), there is a high probability that you accepted the default configuration for the synchronization process. If so, among the many AD attributes being synced there is also msExchMailboxGuid.

In that case, assigning an Office 365 license to a synced on-premises user does not create a mailbox: Exchange Online treats the synced mailbox GUID as evidence that the mailbox already exists on-premises. You can then create the Office 365 mailbox only with the free Microsoft migration tool, which rules out third-party migration tools such as CodeTwo Office 365 Migration. If you want to use a third-party migration tool, you need to rebuild the synchronization of on-premises users from scratch with msExchMailboxGuid removed from the list of synced AD attributes.

Solution:

If the synchronization has already completed and all synced users were exported with the msExchMailboxGuid attribute, the only way to get rid of the attribute is to remove all synced users from Office 365 and then reconfigure the synchronization process accordingly. Removing the users from Office 365 does not touch the on-premises accounts; they are recreated in the cloud by the reconfigured sync.

The procedure below is described for the Azure Active Directory Sync tool, but the idea stays the same for all similar AD sync tools.

To remove the existing synced accounts from Office 365, follow these steps:

  1. Open the Synchronization Service Manager.
  2. Select the Connectors tab.
  3. Select the connector of type Active Directory Domain Services, i.e. the connection to your local AD.
  4. Right-click it (RMB) and open Properties.
  5. In the Properties window select the Configure Directory Partitions tab and click the Containers button.
  6. Provide the password of the account used to connect to the local AD and click OK.
  7. In the new window uncheck the containers (OUs) holding the already synced users and click OK.
  8. Close the connector properties window by clicking OK.
  9. Open the Task Scheduler application.
  10. In the Task Scheduler Library, locate the Azure AD Sync task.
  11. Right-click the task and choose Run.
  12. Wait until the operation is completed. Because the users are now out of scope, the sync removes them from Office 365; the accounts land in the recycle bin (soft-deleted), which is why the steps below purge them from there.
  13. Disable the Azure AD Sync Scheduler task by right-clicking it and choosing Disable, so that no further sync runs until the reconfiguration is finished.
  14. Next, open the Windows Azure AD Module for Windows PowerShell.
  15. Connect to your Office 365 tenant as a global admin using the following cmdlets:

    To connect to Office 365 this way you need the Windows Azure AD Module for Windows PowerShell (the MSOnline module) installed.

    $cred = Get-Credential
    Provide the global administrator's credentials when prompted, then continue with:
    Connect-MsolService -Credential $cred
  16. Retrieve the list of removed (soft-deleted) users with:
    Get-MsolUser -ReturnDeletedUsers | Select UserPrincipalName, ObjectId

    To remove the users you need their ObjectId values; the cmdlet above displays them.

  17. Remove each user on the list with the cmdlet below, supplying its ObjectId:
    Remove-MsolUser -ObjectId <ObjectId> -RemoveFromRecycleBin

    Please note that removal from the recycle bin is irreversible.

After completing all the above steps there should be no synchronized accounts left in your Office 365 tenant. To make sure, check in the Office 365 Administration Panel whether any synced accounts remain.
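The purge and verification steps above, scripted end to end as an added PowerShell example (this is not code from the original article or from CodeTwo's tools). It assumes the MSOnline module is installed and that you hold Global Administrator rights; it uses the LastDirSyncTime property to select only accounts that came from directory synchronization, lists them for review before the irreversible purge, and adds -All so that tenants with more users than one page of results are handled:

```powershell
# Added example (not CodeTwo's code): purge soft-deleted synced users from Office 365
# and confirm that no synced accounts remain. Assumes the MSOnline module and a
# Global Administrator account.
Import-Module MSOnline

$cred = Get-Credential   # global administrator credentials
Connect-MsolService -Credential $cred

# Soft-deleted users that originated from directory synchronization.
# LastDirSyncTime is set only on objects created by DirSync/AAD Sync/AAD Connect.
$deleted = @(Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.LastDirSyncTime -ne $null })

if ($deleted.Count -eq 0) {
    Write-Host 'No soft-deleted synced users found; nothing to purge.'
} else {
    $deleted | Select-Object UserPrincipalName, ObjectId, LastDirSyncTime | Format-Table -AutoSize

    # Review the list first: -RemoveFromRecycleBin is irreversible.
    $answer = Read-Host "Permanently remove $($deleted.Count) user(s) from the recycle bin? (yes/no)"
    if ($answer -eq 'yes') {
        foreach ($u in $deleted) {
            Remove-MsolUser -ObjectId $u.ObjectId -RemoveFromRecycleBin -Force
            Write-Host "Purged $($u.UserPrincipalName)"
        }
    }
}

# Verification: both active synced users and synced leftovers in the recycle bin should be zero.
$activeSynced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime -ne $null })
$leftover     = @(Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.LastDirSyncTime -ne $null })
Write-Host ('Active synced users: {0}; synced users still in recycle bin: {1}' -f $activeSynced.Count, $leftover.Count)
```

Run it from the same Windows Azure AD Module for Windows PowerShell session used in the steps above. Filtering on LastDirSyncTime keeps cloud-only accounts (including the global admin you are signed in as) out of the purge list.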

Next, reconfigure the synchronization as described below. If you are setting up synchronization for the first time, begin with this part of the article.

  1. Launch the DirectorySyncTool application.
  2. In the first window provide the Office 365 global administrator credentials and click Next.
  3. In the next window provide the details of the local AD that is to be the source for synchronization to your Office 365 environment.

    If you have already performed the synchronization before, simply choose the existing connection to your local AD.

  4. Leave the User Matching tab unchanged and click Next.
  5. On the next screen, check all options and click Next (Fig. 1.).

    Fig. 1. Azure AD synchronization - Optional Features.

  6. Leave the next window (Azure AD Apps) unchanged and click Next.
  7. In the following step, check the option I want to further limit the attributes exported to Azure AD, find msExchMailboxGuid on the list (Fig. 2.), deselect (uncheck) it and click Next.

    Fig. 2. Azure AD synchronization - synced attributes' list.

  8. You will now see the synchronization configuration summary window; click Next there as well.
  9. In the last step check (select) the Synchronize now option and click Finish.

Once the synchronization completes, msExchMailboxGuid is no longer exported for any synced account, and licensing a synced user will provision an Office 365 mailbox that third-party migration tools can then target.
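A check a practitioner would run on the sync server after the wizard finishes, as an added PowerShell example (not code from the original article or from CodeTwo). It assumes the ADSync module installed with the sync tool (AAD Sync / Azure AD Connect) and the ActiveDirectory RSAT module are available on that server: it lists which on-premises users actually carry msExchMailboxGuid, then inspects the sync rules for any mapping that still flows the attribute, warning if an outbound (to Azure AD) flow survived the reconfiguration:

```powershell
# Added example (not CodeTwo's code): confirm msExchMailboxGuid no longer flows to Azure AD.
# Assumes the ADSync module (shipped with AAD Sync / Azure AD Connect) and the
# ActiveDirectory RSAT module are present on the synchronization server.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. On-premises users that have msExchMailboxGuid set (i.e. an on-premises mailbox).
#    AD stores the GUID as a byte array; convert it so the output is readable.
$onPrem = @(Get-ADUser -LDAPFilter '(msExchMailboxGuid=*)' -Properties msExchMailboxGuid |
    Select-Object UserPrincipalName,
        @{ n = 'MailboxGuid'; e = { New-Object System.Guid -ArgumentList (,[byte[]]$_.msExchMailboxGuid) } })
Write-Host "$($onPrem.Count) on-premises user(s) carry msExchMailboxGuid."

# 2. Every sync rule mapping that reads from or writes to msExchMailboxGuid.
#    An outbound rule that still targets the attribute means the wizard change did not take effect.
$flows = @(Get-ADSyncRule | ForEach-Object {
    $rule = $_
    $rule.AttributeFlowMappings |
        Where-Object { $_.Destination -eq 'msExchMailboxGuid' -or ($_.Source -contains 'msExchMailboxGuid') } |
        ForEach-Object {
            [pscustomobject]@{
                Rule        = $rule.Name
                Direction   = $rule.Direction
                Source      = ($_.Source -join ',')
                Destination = $_.Destination
            }
        }
})

$outbound = @($flows | Where-Object { $_.Direction -eq 'Outbound' })
if ($outbound.Count -gt 0) {
    $outbound | Format-Table -AutoSize
    Write-Warning 'msExchMailboxGuid is still exported to Azure AD; re-run the configuration wizard and uncheck it.'
} else {
    Write-Host 'No outbound sync rule exports msExchMailboxGuid.'
}
```

Inbound flows (AD to the metaverse) are harmless on their own; only the outbound mapping to Azure AD produces the licensing symptom described at the start of the article, which is why the warning keys on Direction.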
