Once again a mystifying situation when upgrading DirSync to AAD Connect, at least for me.

The customer's on-premises environment has AD DS at the 2008 functional level with the Exchange schema extended to the 2013 CU1 level, but there is neither an Exchange Hybrid configuration nor any Exchange server in the environment. Almost all administrative tasks on objects are done in the cloud.

When upgrading the sync tool from DirSync to AAD Connect and verifying the staging-mode synchronization results (using CSExport and the resulting .csv files), I found that a bit over 31,000 accounts had a pending "attribute deletion" for the msExchHideFromAddressLists attribute.
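The staging-mode check described above, as an added example that is not part of the original post. It runs csexport.exe against the Azure AD connector, counts the pending deletions of msExchHideFromAddressLists in the export, and then cross-checks the root cause in on-premises AD. It assumes AAD Connect is installed in its default path, that the Azure AD connector name ends in " - AAD", and that CSExport writes each attribute change as an `<attr name="..." operation="...">` element; the RSAT ActiveDirectory module must be available for the last step.

```powershell
# Added example, not the author's script. Run on the AAD Connect server in staging mode.
Import-Module ADSync
Import-Module ActiveDirectory

$attribute    = 'msExchHideFromAddressLists'
$binPath      = 'C:\Program Files\Microsoft Azure AD Sync\Bin'   # assumption: default install path
$aadConnector = (Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1).Name
$exportXml    = Join-Path $env:TEMP 'aad-pending-export.xml'
$exportCsv    = Join-Path $env:TEMP 'aad-pending-export.csv'

# /f:x exports only connector-space objects that have a pending export
& (Join-Path $binPath 'csexport.exe') $aadConnector $exportXml /f:x

# CSExportAnalyzer produces the .csv form mentioned in the post; keep it for reference
& (Join-Path $binPath 'CSExportAnalyzer.exe') $exportXml | Out-File -FilePath $exportCsv -Encoding UTF8

# Count pending deletions of the attribute straight from the XML.
# Assumption: attribute changes appear as <attr name="..." operation="delete"> elements.
$pendingDeletes = @(Select-Xml -Path $exportXml -XPath "//attr[@name='$attribute' and @operation='delete']")
"{0} objects have a pending deletion of {1}" -f $pendingDeletes.Count, $attribute

# Cross-check the root cause: users that carry the attribute but have no mailNickname.
# These are exactly the objects the default Exchange rule leaves out of scope.
$outOfScope = Get-ADUser -LDAPFilter "(&($attribute=*)(!(mailNickname=*)))" -Properties $attribute, mailNickname
"{0} on-premises users have {1} set but no mailNickname" -f @($outOfScope).Count, $attribute
```

If the two counts line up, the pending deletions are explained by the scoping filter rather than by bad data, and the pilot test of populating mailNickname on a few users can be run against a known subset of $outOfScope.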

Upon investigation it turned out that, for the attribute not to be deleted, users in on-premises AD must have the mailNickname attribute populated. The reason is the default Exchange rules in AAD Connect (DirSync did not behave the same way).
The scoping filter of the default inbound Exchange rule is mailNickname ISNOTNULL, which means
  • If mailNickname is present, all Exchange attributes are in the sync scope
  • If mailNickname is not present, Exchange attributes are NOT in the sync scope
As there is no on-premises Exchange, nothing populates the mailNickname attribute in AD by default (Exchange is what normally writes it).
We manually populated the mailNickname attribute for a few pilot users, ran an AAD Connect synchronization in staging mode, and got the intended result. We saw two ways to achieve the desired outcome:
  1. Add a custom sync rule to AADC that flows the msExchHideFromAddressLists attribute, independent of the default rules' mailNickname scoping
  2. Populate the mailNickname attribute on all 31k users, taking the value from the "mail" attribute

Both options naturally have pros and cons, and both are "somehow" supported by Microsoft.

We chose option 1: add a new rule to AADC that flows the msExchHideFromAddressLists attribute. The reason was the administrative overhead of updating the mailNickname attribute on every identity on-premises.

Settings for the custom rule

Name it so that the purpose is obvious, and give it a low precedence number (custom rules should use a value below 100, which is where Microsoft's out-of-the-box rules start); in AAD Connect a lower number means higher priority, so the custom rule wins if it ever competes with a default rule for the same attribute.


Description: leave the "Tag" value empty. It is reserved for Microsoft's out-of-the-box rules, and it seems it cannot be changed once the rule has been created.


Scoping filter, Join rules and Transformations

That's about it; the rule and its functionality are ready for testing. The custom rule brings the msExchHideFromAddressLists attribute from the connector space into the metaverse, and the default "Out to AAD – User ExchangeOnline" rule then syncs the change to Azure Active Directory.
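The same custom rule created from PowerShell instead of the Synchronization Rules Editor, as an added example that is not the author's script. It uses the ADSync module cmdlets the editor's own "Export" button emits, so the result is identical to clicking through the settings above. Assumptions: the on-premises connector is the one whose ConnectorTypeName is AD, precedence 50 is unused in your installation, and the scoping filter msExchHideFromAddressLists ISNOTNULL is my choice (the post does not show its filter); the rule name is invented.

```powershell
# Added example, not the author's script. Run in an elevated PowerShell on the AAD Connect server.
Import-Module ADSync

$attribute   = 'msExchHideFromAddressLists'
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1

# Inbound rule: AD user -> metaverse person. ImmutableTag stays empty; it is reserved for
# Microsoft's rules. Precedence 50 sits below the default rules (100+), so it has priority.
New-ADSyncRule `
    -Name 'In from AD - User HideFromAddressLists (custom)' `
    -Identifier ([guid]::NewGuid()) `
    -Description 'Flows msExchHideFromAddressLists for users that have no mailNickname' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $adConnector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Scoping filter (design choice, see lead-in): only users that actually carry the attribute,
# so a missing value is not turned into a delete by this rule.
$scope = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
                    -ArgumentList $attribute, '', 'ISNOTNULL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] -ScopeConditions @($scope) -OutVariable syncRule

# No join conditions: the object is already joined by the default "In from AD - User Join" rule.

# Transformation: direct flow CS -> MV. The default "Out to AAD - User ExchangeOnline" rule
# carries the metaverse value on to Azure AD.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @($attribute) `
    -Destination $attribute `
    -FlowType 'Direct' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Verify the rule landed with the expected precedence and flow ...
Get-ADSyncRule |
    Where-Object { $_.Name -like '*HideFromAddressLists (custom)*' } |
    Select-Object Name, Precedence, Direction, @{ n = 'Flows'; e = { $_.AttributeFlowMappings.Destination -join ',' } }

# ... then test it with a full import and full sync. In staging mode nothing is exported,
# so the pending exports can be reviewed with CSExport before the server goes active.
Start-ADSyncSyncCycle -PolicyType Initial
```

Keep the script (or the editor's export of the rule) in version control: custom rules are preserved by in-place upgrades, but a swing migration or a rebuild of the server needs them re-applied, and the script is the quickest way to do that.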


After the rule was added, msExchHideFromAddressLists appeared in the existing users' sync flow and was synced to AAD.


When a new user is added to the on-premises directory with msExchHideFromAddressLists set, the value is added to the sync flow along with the other attributes.


Summary

Many environments might have a similar configuration, and with Microsoft Support's assistance we were able to find these two options to fix the issue. We selected the option of modifying the sync rules, which is more straightforward and less time consuming than populating mailNickname on all users. Custom rules just need to be taken into account when upgrading AAD Connect in the future. Hopefully this helps if someone is struggling with the same issue. Keep in mind that Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017; more information here.