How to resolve Mail Users not synced to Azure AD

In a recent support case, the migration of mailboxes from an on-premise Domino platform to Exchange Online had been started, but the migration got stuck because the on-premises accounts, enabled as Mail Users, did not appear in “Contacts” in the Exchange Online Admin Center. Azure AD Connect was present in the on-premises environment, and an Exchange Server 2013 had been introduced to support management of the synchronized objects and handle mail flow, both during and after the migration.

Note that Mail Users are enabled through the Exchange Admin Center, and the recipient type is controlled by the account attribute msExchRecipientTypeDetails, where a value of 128 refers to the recipient type of a Mail User.

During my troubleshooting I investigated both the connectors and the metaverse in Azure AD Connect, and noted that Azure AD Connect did synchronize all the relevant accounts, but somehow Exchange Online did not recognize some of the accounts as Mail Users. Going through the metaverse I noted that Exchange attributes seemed to be missing, which led to the root cause.

When Azure AD Connect is installed, two connectors are created, based on schema information from the on-premise AD service and the Azure AD service.

If the on-premise AD Schema has not been extended with Exchange attributes at the time Azure AD Connect is installed, the connector space will not get populated with any of these attributes.

When Exchange is later deployed in the on-premises AD, it extends the on-premise AD Schema. If the connectors in Azure AD Connect are not manually refreshed following this, the synchronization will simply ignore all the Exchange attributes of the on-premises AD objects.
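To check the condition described above from the on-premises side, the following added example (not part of the original post) confirms that the Exchange attribute exists in the AD schema, shows when it was created so it can be compared with the date Azure AD Connect was installed, and exports the accounts flagged as Mail Users. It assumes the RSAT ActiveDirectory module is available; the output file name OnPremMailUsers.csv is a placeholder chosen for this example.

```powershell
# Added example: run on a domain-joined host with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Is the Exchange attribute present in the on-premises AD schema?
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msExchRecipientTypeDetails)' `
    -Properties whenCreated

if (-not $attr) {
    Write-Warning 'msExchRecipientTypeDetails is not in the AD schema; Exchange has not extended it yet.'
    return
}

# If this date is later than the Azure AD Connect installation,
# the connector schema predates the Exchange schema extension.
"Schema attribute created: $($attr.whenCreated)"

# 2. List accounts flagged as Mail Users (msExchRecipientTypeDetails = 128).
$mailUsers = Get-ADUser -LDAPFilter '(msExchRecipientTypeDetails=128)' `
    -Properties msExchRecipientTypeDetails, mail, targetAddress

# 3. Export the list so it can be compared with Exchange Online after the sync.
#    The file name is a placeholder for this example.
$mailUsers |
    Select-Object SamAccountName, UserPrincipalName, mail, targetAddress |
    Sort-Object SamAccountName |
    Export-Csv -Path .\OnPremMailUsers.csv -NoTypeInformation -Encoding UTF8

"Mail Users found on-premises: $(@($mailUsers).Count)"
```

The exported list is the set of accounts that should show up as Mail Users in Exchange Online once the connector schema has been refreshed and a full sync has completed.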

To trigger an update of the Connectors, either refresh the Connector schema or perform an uninstallation and re-installation of Azure AD Connect.

To perform a refresh of the Connector space schema, open the Synchronization Service Manager in Azure AD Connect and switch to the Connectors tab.

Right-click on the connector for the on-premise Active Directory and click Refresh Schema.

Finally, perform a full sync in Azure AD Connect using the following PowerShell command:

Start-ADSyncSyncCycle -PolicyType Initial


This assumes that you have upgraded Azure AD Connect to build 1.1.105.0 (February 2016 release) or later.
For earlier releases, use this process to perform a full sync:

Open an elevated PowerShell prompt

Run this command:

PUSHD "C:\Program Files\Microsoft Azure AD Sync\Bin"

Then run this command, where “Initial” will perform a full synchronization:

.\DirectorySyncClientCmd.exe Initial
