Removing msExchMailboxGUID attribute from AD synchronization
- Unable to create mailbox in O365
If you use an AD synchronization tool in your environment (e.g. a hybrid Exchange one), such as Azure Active Directory Connect, Azure Active Directory Synchronization Services (AAD Sync), Azure Active Directory Synchronization Tool (DirSync) or Forefront Identity Manager 2010 R2 (FIM), there is a high probability that you applied the default configuration for the synchronization process. If so, msExchMailboxGuid is among the many AD attributes being synced.
In such a case, assigning an Office 365 license to synced on-premises users will not result in creating mailboxes. You will be able to create Office 365 mailboxes only with a free Microsoft migration tool, which excludes the possibility of using third-party migration tools like CodeTwo Office 365 Migration. If you want to use a third-party migration tool, you need to rebuild the synchronization of on-premises users from scratch, removing the msExchMailboxGuid attribute from the AD synchronization list.
If the synchronization process is already completed and all synced users have had the msExchMailboxGuid attribute included in it, the only way to remove the attribute is to remove all the synced users from Office 365 and reconfigure the synchronization process accordingly.
The example procedure is described for the Azure Active Directory Sync tool, but the idea stays the same for all similar AD sync tools.
To remove existing synced accounts from Office 365, follow the steps below:
- Open the Synchronization Service Manager.
- Select the Connectors
- Select the connection type Active Directory Domain Services, which allows connection to your local AD
- Right-click (RMB) it and open Properties
- In the Properties window, select the Configure Directory Partitions tab and click the Containers button
- Provide the password for the user used to connect to the local AD and click OK
- In the new window, uncheck synchronization for the already synced users and click the OK button
- Close the connection edit window by clicking the OK button again
- Open the Task Scheduler application
- Select the Task Scheduler Library tab and search for the Azure AD Sync task
- Select the task and run it with RMB
- Wait until the operation is completed
- Stop the Azure AD Sync Scheduler task by selecting it and choosing the Disable option with RMB
- Next, open Windows Azure AD Module for Windows PowerShell
To be able to connect to Office 365 as a part of the Windows Azure service, you need to install an appropriate module for Windows PowerShell.
- Connect to your Office 365 service with a global admin account using the following cmdlet:
$cred = Get-Credential
where you provide the administrator's password, and then continue with the cmdlet below:
Connect-MsolService -Credential $cred
- Retrieve the list of removed users with another cmdlet:
- Remove all users from the list with a cmdlet:
Please note that the removal operation is irreversible.
After completing all the above steps, there should be no synchronized accounts left in your Office 365. To make sure, verify in the Office 365 Administration Panel that no synced accounts remain.
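The PowerShell part of the procedure above (connect, list the removed users, purge them), written out as an added example that is not part of the original article, whose own cmdlets for the last two steps are not shown on the page. It uses the MSOnline cmdlets Get-MsolUser -ReturnDeletedUsers and Remove-MsolUser -RemoveFromRecycleBin; the $Purge and $ReportPath variables are hypothetical names, and narrowing the list to accounts with a LastDirSyncTime value is an assumption made here so that cloud-only accounts in the recycle bin are left alone.

```powershell
# Added example. Assumes the MSOnline module (Windows Azure AD Module for
# Windows PowerShell) is installed. $Purge and $ReportPath are hypothetical.
$Purge      = $false    # keep $false for a dry run; the purge cannot be undone
$ReportPath = Join-Path $env:TEMP 'deleted-synced-users.csv'

$cred = Get-Credential  # global admin account
Connect-MsolService -Credential $cred

# Users removed by the sync run now sit in the Office 365 recycle bin.
$deleted = @(Get-MsolUser -ReturnDeletedUsers -All)

# Assumption: synced accounts still carry LastDirSyncTime after deletion.
# Filtering on it keeps unrelated cloud-only accounts out of the purge.
$targets = @($deleted | Where-Object { $_.LastDirSyncTime })

# Record exactly what is about to be removed before touching anything.
$targets |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} deleted users found, {1} of them synced; report: {2}" -f `
    $deleted.Count, $targets.Count, $ReportPath)

if ($Purge) {
    foreach ($u in $targets) {
        try {
            Remove-MsolUser -ObjectId $u.ObjectId -RemoveFromRecycleBin -Force -ErrorAction Stop
            Write-Host "Purged $($u.UserPrincipalName)"
        } catch {
            Write-Warning "Failed to purge $($u.UserPrincipalName): $($_.Exception.Message)"
        }
    }
    # Verify: no synced account should remain in the recycle bin.
    $left = @(Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.LastDirSyncTime })
    Write-Host "Synced users still in the recycle bin: $($left.Count)"
} else {
    Write-Host 'Dry run only. Review the report, then set $Purge = $true and run again.'
}
```

Run it once with $Purge left at $false and compare the CSV report with the users you unchecked in the connector before purging.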
Next, follow the steps listed below:
If you are running the synchronization task for the first time, you should begin with this part of the article.
- Launch the DirectorySyncTool application
- In the first window, provide the Office 365 global administrator credentials and click the Next button
- In the next window, provide all required data for the local AD that is to be the synchronization source for your Office 365 environment.
If you have already performed the synchronization task before, simply choose the existing connection to your local AD.
- Leave the User Matching tab unchanged and click the Next button
- On the next screen, check all options and click Next (Fig. 1)
Fig. 1. Azure AD synchronization - Optional Features.
- Leave the next window (Azure AD Apps) unchanged and click Next
- In the following step, check the option I want to further limit the attributes exported to Azure AD, search for the msExchMailboxGuid attribute on the list (Fig. 2), uncheck it and click Next
Fig. 2. Azure AD synchronization - synced attributes' list.
- You will now see a synchronization configuration summary window, where you also click Next
- In the last step, check the option Synchronize now and click Finish.
After the synchronization is finished, none of the synced accounts will have the msExchMailboxGuid attribute synced anymore.