The customer's on-premises environment runs AD DS at the 2008 functional level with the Exchange schema at the 2013 CU1 level, but neither Exchange Hybrid nor Exchange exists in the environment. Almost all administrative tasks on objects are done in the cloud only.
When upgrading the sync tool from DirSync to AADConnect and verifying the staging mode synchronization results (using CSExport and the resulting .csv files), I found that a bit over 31000 accounts were pending “attribute deletion” for the msExchHideFromAddressLists attribute.
- If mailNickname is present all Exchange attributes are in sync scope
- If mailNickname is not present, Exchange attributes are NOT in the sync scope
- Change the AADC default sync rules to contain the msExchHideFromAddressLists attribute in a new custom rule
- Populate the mailNickname attribute for all 31k users, using data from the "mail" attribute
Both options naturally have pros and cons, and both are “somehow” supported by Microsoft.
We chose to go forward with option number 1: add a new rule to AADC to contain the msExchHideFromAddressLists attribute. The reason for this was the administrative overhead we would face if we started updating mailNickname attributes for all identities on-premises.
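To size the problem before picking an option, the accounts at risk can be listed straight from AD: users that have msExchHideFromAddressLists set but no mailNickname. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and read access to the domain, and the output file name is a placeholder.

```powershell
# Added example: list users whose msExchHideFromAddressLists value falls
# outside the default AADC sync scope because mailNickname is empty.
# Assumes the RSAT ActiveDirectory module; read-only, changes nothing.
Import-Module ActiveDirectory

# Users with msExchHideFromAddressLists populated but mailNickname absent
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(msExchHideFromAddressLists=*)(!(mailNickname=*)))'

$affected = Get-ADUser -LDAPFilter $filter `
    -Properties mail, msExchHideFromAddressLists |
    Select-Object SamAccountName, DistinguishedName, mail,
        msExchHideFromAddressLists,
        @{ Name = 'HasMail'; Expression = { [bool]$_.mail } }

# Total number of accounts pending "attribute deletion" under default rules
"Affected accounts: {0}" -f @($affected).Count

# How many are actually hidden (True) versus explicitly set to False
$affected | Group-Object msExchHideFromAddressLists |
    Select-Object Name, Count

# Option 2 feasibility: accounts without a mail value cannot get a
# mailNickname derived from it
"Without mail attribute: {0}" -f `
    @($affected | Where-Object { -not $_.HasMail }).Count

# Keep the list for comparison with the CSExport results (placeholder path)
$affected | Export-Csv -Path .\hidden-without-mailnickname.csv `
    -NoTypeInformation -Encoding UTF8
```

The exported list can be compared against the CSExport .csv files from staging mode before and after the sync rule change.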
Settings for the custom rule
Name the rule so that you can identify its purpose, and set the lowest precedence order.
Description – leave the “Tag” value empty. The reason for this is that it is reserved for Microsoft's out-of-the-box rules. It seems that it cannot be changed after the rule has been created.
Scoping filter, Join rules and Transformations
That’s about it, and the rule with its functionality is ready for testing. With the custom rule just created, we take information from the msExchHideFromAddressLists attribute to the connector space/metaverse, and with the default rule “Out to AAD – User ExchangeOnline” AAD Connect will sync changes to Azure Active Directory.
As seen below, msExchHideFromAddressLists is added to the existing user sync flow and synced to AAD after the rule has been added.
When a new user is added to the on-premises directory and a msExchHideFromAddressLists value is present, the value will be added to the sync flow along with the other attributes.
Many environments might have a similar configuration, and with Microsoft Support's assistance we were able to find these two options to fix the issue. We selected the option to modify the sync rules, which is more straightforward and less time-consuming than populating mailNickname for all users. Custom rules just need to be taken into account when upgrading AAD Connect in the future. Hopefully this helps if someone is struggling with the same issue. Keep in mind that Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017.