Author: Marc Kinzel

While setting up AD FS and enabling single sign-on into Office 365 and SharePoint Online, the following scenario caused some decent pain: after the pretty straightforward installation and a successful first synchronization, the customer reported that one person was missing from the active users in the O365 portal. Against all expectations we didn't face any of the obvious and well-documented symptoms.

We neither received an error message stating that

  • an attribute has a duplicate value
  • one or more attributes violate formatting requirements such as character set or character length

nor did

  • the IdFix tool (IdFix DirSync Error Remediation Tool) come up with any detectable error.

Nor could a manual review of all the properties, possible checks and suggested solutions mentioned in the official MS article explain the missing user:

  • One or more object attributes that require a unique value have a duplicate attribute value (such as the proxyAddresses attribute or the UserPrincipalName) in an existing user account.
  • One or more object attributes violate formatting requirements that restrict the characters and the character length of attribute values.
  • One or more object attributes match exclusion rules for directory synchronization. The following table shows the default sync scoping rules:

    Object type                                                | Attribute name              | Condition of attribute when synchronization fails
    Contact                                                    | DisplayName                 | Contains “MSOL”
    Contact                                                    | msExchHideFromAddressLists  | Is set to “True”
    Security-enabled group                                     | isCriticalSystemObject      | Is set to “True”
    Mail-enabled groups (security group or distribution list)  | proxyAddresses and mail     | Has no “SMTP:” address entry and is not present
    Mail-enabled contacts                                      | proxyAddresses and mail     | Has no “SMTP:” address entry and is not present
    iNetOrgPerson                                              | sAMAccountName              | Is not present
    iNetOrgPerson                                              | isCriticalSystemObject      | Is present
    User                                                       | mailNickName                | Starts with “SystemMailbox”
    User                                                       | mailNickName                | Starts with “CAS_” and contains “{”
    User                                                       | sAMAccountName              | Starts with “CAS_” and contains “}”
    User                                                       | sAMAccountName              | Equals “SUPPORT_388945a0”
    User                                                       | sAMAccountName              | Equals “MSOL_AD_Sync”
    User                                                       | sAMAccountName              | Is not present
    User                                                       | isCriticalSystemObject      | Is set to “True”

After several hours of digging deeper into FIM (Azure AD Connect) and its synchronization rules with the Sync Rule Editor, it became obvious that the official Microsoft article does not list all the criteria for marking an account as “cloud filtered” (not all of these objects will be replicated to Microsoft Online, as filters will prevent them from synchronizing).
Having a look into the outbound sync rule “Out to AAD – User Join” shows the following filter:

[screenshot: outbound_sync]

The attribute “cloudFiltered” is set to “true” inside the “In from AD – User Join” sync rule:

[screenshot: inbound_sync]

IIF(IsPresent([isCriticalSystemObject]) || IsPresent([sAMAccountName]) = False || [sAMAccountName] = "SUPPORT_388945a0" || Left([mailNickname], 14) = "SystemMailbox{" || Left([sAMAccountName], 4) = "AAD_" || (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0)) || (Left([sAMAccountName], 4) = "CAS_" && (InStr([sAMAccountName], "}") > 0)) || Left([sAMAccountName], 5) = "MSOL_" || CBool(IIF(IsPresent([msExchRecipientTypeDetails]),BitAnd([msExchRecipientTypeDetails],&H21C07000) > 0,NULL)) || CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0), True, NULL)

So okay, there was at least one more criterion which was not listed in the article:
msExchRecipientTypeDetails

Further reading and some AD user comparisons later, we found that our missing user has a “linked mailbox” (value 2), while all properly synced users have normal user mailboxes (value 1). So AD users with a linked mailbox won't be synced to O365. Good to know.
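To see which branch of the cloudFiltered expression fires for a given object, the following PowerShell function re-implements the condition quoted above. This is an added example and not code from the original post or from Azure AD Connect itself; the function name, the input format (a hashtable of AD attribute values) and all sample objects are constructed for illustration.

```powershell
# Added example, not from the original post or from Azure AD Connect: a PowerShell
# re-implementation of the cloudFiltered condition of the "In from AD - User Join" rule.
# Returns the first matching reason, or $null when this rule would not filter the object.
function Get-CloudFilteredReason {
    param([Parameter(Mandatory)][hashtable]$User)

    $sam  = [string]$User['sAMAccountName']   # [string]$null becomes ''
    $nick = [string]$User['mailNickname']
    $rtd  = $User['msExchRecipientTypeDetails']
    $dn   = [string]$User['dn']

    # IsPresent([isCriticalSystemObject])
    if ($null -ne $User['isCriticalSystemObject']) { return 'isCriticalSystemObject is present' }
    # IsPresent([sAMAccountName]) = False
    if ($sam -eq '')                 { return 'sAMAccountName is not present' }
    if ($sam -eq 'SUPPORT_388945a0') { return 'sAMAccountName equals SUPPORT_388945a0' }
    # Left([mailNickname], 14) = "SystemMailbox{"
    if ($nick -like 'SystemMailbox{*') { return 'mailNickname starts with SystemMailbox{' }
    if ($sam -like 'AAD_*')            { return 'sAMAccountName starts with AAD_' }
    # Left(..., 4) = "CAS_" && InStr(..., "}") > 0
    if ($nick -like 'CAS_*' -and $nick -like '*}*') { return 'mailNickname is a CAS_ system object' }
    if ($sam  -like 'CAS_*' -and $sam  -like '*}*') { return 'sAMAccountName is a CAS_ system object' }
    if ($sam -like 'MSOL_*')           { return 'sAMAccountName starts with MSOL_' }
    # BitAnd([msExchRecipientTypeDetails], &H21C07000) > 0
    if ($null -ne $rtd -and (([int64]$rtd -band 0x21C07000) -gt 0)) {
        return "msExchRecipientTypeDetails $rtd has a bit inside mask 0x21C07000"
    }
    # InStr(DNComponent(CRef([dn]),1), "\0ACNF:") > 0: first RDN of a replication-conflict object
    if ($dn -ne '') {
        $rdn = ($dn -split '(?<!\\),')[0]          # split on commas not escaped by a backslash
        if ($rdn -match '\\0ACNF:') { return 'object is a replication conflict (CNF) object' }
    }
    return $null
}

# Constructed sample objects (not real directory records): a normal user, the sync
# service account, a system mailbox and a CNF duplicate of a user.
$sample = @(
    @{ sAMAccountName = 'jdoe';          mailNickname = 'jdoe';          msExchRecipientTypeDetails = 1;     dn = 'CN=jdoe,OU=Users,DC=contoso,DC=local' }
    @{ sAMAccountName = 'MSOL_a1b2c3d4'; mailNickname = 'MSOL_a1b2c3d4';                                    dn = 'CN=MSOL_a1b2c3d4,CN=Users,DC=contoso,DC=local' }
    @{ sAMAccountName = 'SM_9f1c';       mailNickname = 'SystemMailbox{9f1c0000-0000-0000-0000-000000000001}'; msExchRecipientTypeDetails = 16384; dn = 'CN=SM_9f1c,CN=Users,DC=contoso,DC=local' }
    @{ sAMAccountName = 'jsmith';        mailNickname = 'jsmith';        msExchRecipientTypeDetails = 1;     dn = 'CN=jsmith\0ACNF:7c2e1d9a-0000-0000-0000-000000000002,OU=Users,DC=contoso,DC=local' }
)

foreach ($u in $sample) {
    $reason = Get-CloudFilteredReason -User $u
    if ($null -eq $reason) { $reason = 'not cloud filtered by this rule' }
    '{0,-16} {1}' -f $u.sAMAccountName, $reason
}
```

Feeding the attributes of a real account into the function (for example from Get-ADUser with the properties listed above) shows which single condition is responsible, which is quicker than reading the whole expression by hand. Note that the mask &H21C07000 only has bits 12 to 14, 22 to 24 and 29 set, so the recipient-type branch of this particular rule reacts to system recipient types such as the system mailbox in the sample, and a value of 2 on its own does not set any of those bits.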

After migrating this mailbox to a normal user mailbox, one sync period later the user finally showed up in Office 365, and some hours later in SPO too.
Get-Mailbox -RecipientTypeDetails LinkedMailbox | Set-User -LinkedMasterAccount $null
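The one-liner above converts every linked mailbox in the organization at once. As an added example (not part of the original post), the following Exchange Management Shell snippet first lists the linked mailboxes with their master accounts and then converts a single mailbox with a dry run before doing it for real; the mailbox identity is a placeholder.

```powershell
# Added example, not from the original post: review linked mailboxes before converting.
# Lists each linked mailbox with the account-forest user it is linked to.
Get-Mailbox -RecipientTypeDetails LinkedMailbox |
    Select-Object Name, Alias, LinkedMasterAccount, RecipientTypeDetails

# Dry run for one mailbox only (placeholder identity). Remove -WhatIf to convert it to a
# regular user mailbox; the next sync cycle should then pick the user up.
Set-User -Identity 'user.alias@contoso.example' -LinkedMasterAccount $null -WhatIf
```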

Useful links:
http://blogs.technet.com/b/johnbai/archive/2013/09/11/o365-msexchangerecipienttypedetails.aspx
http://www.messageops.com/resources/office-365-documentation/office-365-directory-synchronization-in-depth/
http://exchangeitup.blogspot.ch/2013/12/exchange-2010-easily-convert-linked.html
http://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx