0365 user accounts still have sync status of 'Synced with Active Directory' after AD user account has been moved to a non-synced OU
Hi, for the past month I've had a problem with handling leavers' accounts in O365.
We use Azure Active Directory Connect to handle the syncing between AD and O365.
The way the process used to work is this:
As I say, that's how it USED to work. But beginning about a month ago, the process isn't working properly.
When I restore the user from 'Deleted Users' in 0365 Admin Center, the user is restored but the Sync Type is still saying 'Synced with Active Directory' - even though the AD user account has been moved to an OU which is not synced with O365.
As a result, I can't edit the settings of the leaver's mailbox and tick the 'Hide from Address Book' tickbox - I get a message telling me the 'the object is being synchronized from your on-premises organization'.
Just to make things even more annoying, I tried re-enabling the leaver's AD user account and moving it back into the synced OU. Then I edited the MSExchHideFromAddressLists
I've just updated the version of Azure Active Directory Connect on the Domain Controller to version 1.2.70.0, in case the problem was due to a bug in version 1.2.65.0 which I installed a couple of months ago. But it hasn't made any difference - the leaver accounts are still showing as 'Synced with Active Directory'.
The O365 accounts of users who left more than a month or two ago are fine - they're still 'In Cloud'. The problem is only happening with users who left in the last month or two.
Has anyone else experienced this sudden change in behaviour? Do you know how to fix it?
Any advice most welcome!
We use Azure Active Directory Connect to handle the syncing between AD and O365.
The way the process used to work is this:
- To begin with, the leaver's account appears in O365 Admin Center, with a Sync Type of 'Synced with Active Directory'.
- In 0365 Exchange Admin Center, Convert the leaver's mailbox to a shared mailbox.
- In 0365 Admin Center, remove their O365 licences
- In ADUC, disable the leaver's user account and move the user to an OU which is not synced with O365.
- In Azure Active Directory Connect, perform a delta sync cycle.
- After the sync, the user will have moved from 'Active Users' to 'Deleted Users' in 0365 Admin Center.
- Select the user and click 'Restore'. Set a new password for the user.
- The user will now be restored to 'Active Users' in O365 Admin Center, with a Sync Type of 'In Cloud'.
- In 0365 Exchange Admin Center, edit the settings of the leaver's mailbox and tick the 'Hide from Address Book' tickbox.
As I say, that's how it USED to work. But beginning about a month ago, the process isn't working properly.
When I restore the user from 'Deleted Users' in 0365 Admin Center, the user is restored but the Sync Type is still saying 'Synced with Active Directory' - even though the AD user account has been moved to an OU which is not synced with O365.
As a result, I can't edit the settings of the leaver's mailbox and tick the 'Hide from Address Book' tickbox - I get a message telling me the 'the object is being synchronized from your on-premises organization'.
Just to make things even more annoying, I tried re-enabling the leaver's AD user account and moving it back into the synced OU. Then I edited the MSExchHideFromAddressLists
I've just updated the version of Azure Active Directory Connect on the Domain Controller to version 1.2.70.0, in case the problem was due to a bug in version 1.2.65.0 which I installed a couple of months ago. But it hasn't made any difference - the leaver accounts are still showing as 'Synced with Active Directory'.
The O365 accounts of users who left more than a month or two ago are fine - they're still 'In Cloud'. The problem is only happening with users who left in the last month or two.
Has anyone else experienced this sudden change in behaviour? Do you know how to fix it?
Any advice most welcome!
ASKER
Thanks for your swft reply Cliff.
For 500 points, can you give me a name and address for the people I DO need to shoot...?
I'm just doing some quick googling on your suggestion. Is this the correct Powershell command to use for disabling sync?
Set-MsolDirSyncEnabled -EnableDirSync $false
And am I correct in assuming that
Set-MsolDirSyncEnabled -EnableDirSync $true
will turn it back on afterwards?
(The website I read didn't include a command for turning sync back on, only for turning it off)
The same website said it could take up to 72 hours for the change in sync to take effect. In your experience, does it really take that long?
Finally, do you think it's actually worth the bother? It offends my OCD that a leaver's account says 'Synced with Active Directory' rather than 'In Cloud' and it makes it a little more difficult to spot leavers' accounts at-a-glance. But is there any major drawback in not bothering to change them to 'In Cloud'?
Thanks!
For 500 points, can you give me a name and address for the people I DO need to shoot...?
I'm just doing some quick googling on your suggestion. Is this the correct Powershell command to use for disabling sync?
Set-MsolDirSyncEnabled -EnableDirSync $false
And am I correct in assuming that
Set-MsolDirSyncEnabled -EnableDirSync $true
will turn it back on afterwards?
(The website I read didn't include a command for turning sync back on, only for turning it off)
The same website said it could take up to 72 hours for the change in sync to take effect. In your experience, does it really take that long?
Finally, do you think it's actually worth the bother? It offends my OCD that a leaver's account says 'Synced with Active Directory' rather than 'In Cloud' and it makes it a little more difficult to spot leavers' accounts at-a-glance. But is there any major drawback in not bothering to change them to 'In Cloud'?
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This has never been a supported scenario, more of a workaround we exploited. You should look into using Inactive mailboxes for leavers, instead of converting to shared mailboxes.
ASKER
Hi Cliff/Vasil,
Oddly enough, the accounts I've restored in the past month have NOT been re-deleted - o365 seems to leave them alone (so long as I don't move the AD user back into a synced OU and then move it to an unsynced OU again - THAT will make O365 delete it alright).
It's going to be a mighty PITA having to disable/re-enable sync every time I have a leaver mailbox to add. It means user password changes, group membership changes etc. won't be getting synced to 0365 wile the sync is disabled, which will result in all manner of fun and games for us. But if it's the only way of doing it then that's that!
I looked into Vasil's suggestion re: using inactive mailboxes for leavers rather than shared mailboxes. But it seems to rely on me deleting the o365 user account which I don't want to do as the accounts are in a 'Leavers' group. That group is used in a mail flow so that anyone attempting to email a leaver will get an NDR stating 'This user no longer has an account - please contact ITSupport@mycompany.com'.
Also the management options for Inactive mailboxes seem to be very limited compared to shared mailboxes - you have to do most things in Powershell rather than in the Exchange Admin Center. While that's no problem for the experts, Powershell gives me the willies. I prefer having big buttons with helpful things like 'Cancel' and 'Undo' written on them...
Finally, to give someone else access to an Inactive mailbox involves copying the contents of the inactive mailbox into their mailbox - which makes their own mailbox too large for no good reason. I prefer to give them reviewer access to the folders of a shared mailbox - that way it doesn't impact on the performance and size of their own mailbox.
Thank you both very much for your help! :)
Oddly enough, the accounts I've restored in the past month have NOT been re-deleted - o365 seems to leave them alone (so long as I don't move the AD user back into a synced OU and then move it to an unsynced OU again - THAT will make O365 delete it alright).
It's going to be a mighty PITA having to disable/re-enable sync every time I have a leaver mailbox to add. It means user password changes, group membership changes etc. won't be getting synced to 0365 wile the sync is disabled, which will result in all manner of fun and games for us. But if it's the only way of doing it then that's that!
I looked into Vasil's suggestion re: using inactive mailboxes for leavers rather than shared mailboxes. But it seems to rely on me deleting the o365 user account which I don't want to do as the accounts are in a 'Leavers' group. That group is used in a mail flow so that anyone attempting to email a leaver will get an NDR stating 'This user no longer has an account - please contact ITSupport@mycompany.com'.
Also the management options for Inactive mailboxes seem to be very limited compared to shared mailboxes - you have to do most things in Powershell rather than in the Exchange Admin Center. While that's no problem for the experts, Powershell gives me the willies. I prefer having big buttons with helpful things like 'Cancel' and 'Undo' written on them...
Finally, to give someone else access to an Inactive mailbox involves copying the contents of the inactive mailbox into their mailbox - which makes their own mailbox too large for no good reason. I prefer to give them reviewer access to the folders of a shared mailbox - that way it doesn't impact on the performance and size of their own mailbox.
Thank you both very much for your help! :)
ASKER
Thanks again to you both!
Yes, this is new behavior, and no...according to Microsoft...this new behavior is *NOT* a bug. It is the result of them *fixing* a bug with immutable IDs.
The only supported way to convert an account from AD synced to "In Cloud" now is to disable sync, wait for that to complete and report disabled. (All accounts will now be "in cloud." Restore the moved/deleted account in O365. Then re-enable sync, which will do new soft matching and since the account on-prem is no longer in the OU (or was deleted or whatever), it won't match and will remain "in cloud."
There are a few Microsoft support forums discussing this change and a uservoice feature request to allow an easier conversion process, but that's the current situation.