Azure AD Connect Not Synchronizing Shared and Resource Mailboxes

I was at a customer site that was having issues with Azure AD Connect not synchronizing shared and resource mailboxes to Office 365. In short, any account that is in a disabled state.


By default, Azure AD Connect does synchronize disabled accounts. In an Exchange hybrid deployment, it is crucial that the shared and resource mailboxes are synchronized as well. The main tool for figuring out why the disabled accounts are not being synchronized is the set of rules shown in the "Synchronization Rules Editor" on the AAD Connect server.

The problem was that the scoping filter within the "In from AD - User AccountEnabled" rule needed to be modified. Once the operator on the userAccountControl condition was set to ISNOTNULL rather than ISBITNOTSET, the shared and resource mailboxes showed up after the next AAD sync.

Run through the steps below to make the change.

  1. Launch "Synchronization Rules Editor" on the AAD Connect server.
  2. Highlight the rule "In from AD - User AccountEnabled" and click Edit.
  3. Click 'No' so that the rule can be modified.
  4. Select "Scoping filter" from the left pane.
  5. Change the operator value to 'ISNOTNULL'.
  6. Leave the 'Value' column blank.
  7. Click Save.
  8. Force an AAD sync by running Start-ADSyncSyncCycle -PolicyType Delta from the shell.

Rajith Enchiparambil

Cloud Architect & Blogger with interests in Microsoft 365, AWS & Azure. I am active on Experts Exchange & TechNet forums and I am a technical author for SearchExchange. Follow me on Twitter, LinkedIn or Facebook for the latest updates. For consultancy opportunities, drop me a line.
