I was at a customer site that was having issues with Azure AD Connect not synchronizing shared and resource mailboxes to Office 365. In short, any account that is in a disabled state.
By default, Azure AD Connect does synchronize disabled accounts. In an Exchange hybrid deployment, it is crucial that the shared and resource mailboxes get synchronized as well. The main tool for figuring out why the disabled accounts are not being synchronized is the rule set in the “Synchronization Rules Editor” on the AAD Connect server.
The problem was that the scoping filter in the “In from AD – User AccountEnabled” rule needed to be modified. Once the operator on userAccountControl was changed from ISBITNOTSET to ISNOTNULL, the shared and resource mailboxes showed up after the next AAD Sync.
Run through the steps below to make the change.
- Launch “Synchronization Rules Editor” on the AAD Connect server.
- Highlight the rule “In from AD – User AccountEnabled” and click Edit.
- Click on ‘No’ so that the rule can be modified.
- Select “scoping filter” from the left pane.
- Change the operator value to ‘ISNOTNULL’.
- Leave the ‘Value’ column blank.
- Click Save.
- Force an AAD Sync by running Start-ADSyncSyncCycle -PolicyType Delta from a PowerShell session on the AAD Connect server.
If you click “No” then the rule cannot be modified or saved.
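To confirm what the scoping filter actually says before and after the edit, here is an added check script (not from the original post) that dumps the conditions on the “In from AD – User AccountEnabled” rule and, on request, pushes the delta sync. It assumes the ADSync module on the AAD Connect server and that Get-ADSyncRule objects expose ScopeFilter, ScopeConditionList, Attribute, ComparisonOperator and ComparisonValue as shown; verify those property names on your build if the script reports nothing.

```powershell
# Added example (not from the post): inspect the scoping filter of the
# "In from AD - User AccountEnabled" rule and report whether disabled
# accounts are excluded. Run on the AAD Connect server.
param([switch]$RunDeltaSync)   # pass -RunDeltaSync to also force the sync cycle

Import-Module ADSync

$ruleName = 'In from AD - User AccountEnabled'
$ADS_UF_ACCOUNTDISABLE = 2      # userAccountControl bit tested by the default ISBITNOTSET filter

# A rule may exist more than once if an editable copy was created, so keep all matches.
$rules = @(Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName })
if ($rules.Count -eq 0) { throw "Rule '$ruleName' not found; check the Synchronization Rules Editor." }

foreach ($rule in $rules) {
    '{0} (precedence {1}, disabled: {2})' -f $rule.Name, $rule.Precedence, $rule.Disabled
    # Assumed object shape: ScopeFilter is a list of condition groups, each holding ScopeConditionList.
    foreach ($group in $rule.ScopeFilter) {
        foreach ($cond in $group.ScopeConditionList) {
            '  {0} {1} {2}' -f $cond.Attribute, $cond.ComparisonOperator, $cond.ComparisonValue
            if ($cond.Attribute -ne 'userAccountControl') { continue }
            switch ("$($cond.ComparisonOperator)") {
                'ISBITNOTSET' {
                    if (([int]$cond.ComparisonValue) -band $ADS_UF_ACCOUNTDISABLE) {
                        '  -> disabled accounts are OUT of scope (default filter still in place)'
                    }
                }
                'ISNOTNULL' {
                    '  -> every account with userAccountControl set is in scope, disabled ones included'
                }
                default { '  -> operator not covered by this check; review the rule manually' }
            }
        }
    }
}

if ($RunDeltaSync) {
    # Same command as the last step of the procedure, followed by the scheduler state.
    Start-ADSyncSyncCycle -PolicyType Delta
    Get-ADSyncScheduler | Select-Object SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}
```

Keep in mind that ISNOTNULL brings every disabled account into scope, not only the shared and resource mailboxes, so review which other disabled objects become eligible for sync before forcing the delta cycle.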
Thanks for the update DaGriff.