You may find that some on-premises user accounts will not synchronize with Azure Active Directory using AAD Connect, no matter what you try. Once you rule out the obvious (OU filtering, object filtering, security permissions, etc.) check to see if the problem user has a linked mailbox in Exchange.
According to the article, Azure AD Connect sync: Understanding Users and Contacts:
"An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later."
I can't tell you what that last sentence is supposed to mean, but I can tell you that a linked mailbox cannot be soft-matched or hard-matched, and it will never provision itself in Azure AD. You will not see any warnings or errors in Synchronization Service Manager or the event logs indicating there's a problem -- the user just never gets provisioned in AAD, as if they are being filtered.
If you're handy with Synchronization Service Manager ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"), you'll see that the on-prem user was pulled into the metaverse, but the Connectors tab only shows the on-prem AD connector. It does not show the corresponding tenant connector, as it should.
A linked mailbox is a special type of mailbox that is accessed by a user in a separate, trusted forest. I don't normally see orgs using linked mailboxes except during specific cross-forest migration scenarios. For example, during a merger or acquisition when both forests need to access the same mailbox. I have, however, seen occasions when a normal user mailbox is somehow converted to a linked mailbox during an Exchange upgrade. This usually happens because the source mailbox has some funky* permissions set on it, and by moving the mailbox to the new Exchange Server infrastructure the mailbox is converted from a user to a linked mailbox for some reason. * Funky is a technical term.
If your environment is a single forest with no trusts or resource forests there's virtually no reason that any mailbox should be a linked mailbox. As a matter of fact, Exchange won't even let you create a linked mailbox unless there's a configured trusted forest in existence.
It is normally safe to convert a linked mailbox to a user mailbox with no ill effects. You cannot use the Exchange Admin Center to convert a linked mailbox to a user mailbox. You must use the Exchange Management Shell.
Use the following EMS command to convert a single linked mailbox to a user mailbox:
Set-User -Identity kljohnson@contoso.com -LinkedMasterAccount $null
Or you can use the following EMS command to convert all linked mailboxes to user mailboxes:
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'LinkedMailbox')} | Set-User -LinkedMasterAccount $null
Once a linked mailbox has been converted to a user mailbox you can run a delta sync of AAD Connect using the following command and the user object(s) will now be provisioned correctly in Azure Active Directory.
Start-ADSyncSyncCycle -PolicyType DeltaI usually do this twice in a row to make sure both on-prem AD and Azure AD objects are completely up to date.
No comments:
Post a Comment
Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.