Cut-over migration with Azure AD Connect running - best procedure

Luca 1 Reputation point
2022-04-22T15:20:38.233+00:00

I'd like to have some feedback on cutover migration scenarios from Exchange (2013/2016) to Online with Azure AD Sync already in place and running for some time. I know that you can't perform a cutover migration with this configuration and to overcome this you need to disable the AD Sync first. However, depending on whether you want to get rid of the on-prem Exchange, I'd like to know if this is the best way. After much reading and some testing, these are the 2 basic methods which are possible with Azure AD Sync already in place:

1) After disabling Azure AD Sync (Set-MsolDirSyncEnabled -EnableDirSync $false) and deleting the cloud-only transformed users, you can proceed with the cutover batch. This will create cloud-only accounts with mailboxes based on the primary SMTP value. After the cutover is complete, update MX/SPF and finalize the batch. Subsequently, if the primary SMTP matches the on-site one (it should), you can re-enable Azure AD Sync and the synced accounts should automatically soft-match. Filtering the ExchMailboxGUID attribute is unnecessary in this case. The local Exchange Server can be powered off and left alone. Better not to uninstall, to avoid removing the SMTP/X400/GUID attributes, which would then be synced and removed. If you really want to uninstall, then one must filter out these attributes - or - save them before uninstalling through a PowerShell script (there are a couple floating around) and subsequently re-integrate them if needed.

2) Filter the ExchMailboxGUID attribute in the Azure AD Sync rules, set it to NULL and force a full re-sync to Azure AD to remove the online attributes. This will trick Exchange Online provisioning into believing no local/on-prem mailbox exists and will allow the creation of an online one: licences must be pre-assigned to the users in order for this to work. Once they are assigned, the staged batch can be started and then finalized. This method however should require a local Exchange running (and synced) for administration, as the online migrated mailboxes are associated with AD-synced accounts (not cloud) and are not editable via Exchange Online. If you are brave enough and know your way with PowerShell and ADSIEdit for the advanced attributes you can do without a local Exchange, but this is not supported by MS. Usually all you need is to modify the smtp/x400 proxy attributes in ADUC, but if more advanced stuff is needed (creation of dist groups etc.) you will need to know your stuff.

Based on the number of mailboxes you need to migrate and your AD complexity, one solution may be preferable to the other: if you have a handful of mailboxes then go for the first, while if you have dozens then maybe the second is better, based on your knowledge of ADSIEdit and Exchange attributes. If you have over 100 mailboxes, then I would suggest keeping an online Exchange running in a hybrid scenario where everything is transitioned online much more transparently (even the Exchange account in Outlook does not need to be reconfigured). Keep in mind that deleting online accounts has its downsides, especially if the account is already associated with Teams, OneDrive etc. apps, which will stop functioning (and potentially lose all data).

If you have any corrections to the above or suggestions, please feel free to point them out - I'm all ears. I also hope MS will implement a full-blown online management solution to overcome these problems so that one can safely retire the on-prem server.

P.S. In my testing I have run into an issue after disabling the AD Sync - the status has been stuck on PendingDisabled for a couple of days now. However, I was able to delete the synced users from Azure AD in any case, which is rather strange, while I still see the Exchange groups, which I cannot delete. Probably something got stuck, as there are only 5 users in this AD and it shouldn't take days for it to disable - I did the same with another domain with over 30 users and it took a few minutes to change status in Azure.

  1. Luca 1 Reputation point
    2022-04-25T11:06:40.933+00:00

    Hi and thanks for the feedback. Unfortunately, when I run the AD Sync now I get a bunch of errors (I updated the AD Sync to the latest version, fearing it was something related to this, but it doesn't complete) saying that it can't find a user account in the directory, plus an endless list of errors, the end of which is:

    [12:43:24.765] [ 8] [ERROR] PerformConfigurationPageViewModel: An error occurred executing Configure AAD Sync task: System.InvalidOperationException: There was an issue obtaining cloud sync intervals ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50034: The user account {EmailHidden} does not exist in the bee7aee1-e006-457c-b07f-8d22925ef9bf directory. To sign into this application, the account must be added to the directory.
    Trace ID: b088ba25-35f8-4cda-aa1f-0f57b0444500
    Correlation ID: 1047b820-fa57-4979-b19b-5f3ccf75549f
    Timestamp: 2022-04-25 10:43:24Z

    I think something went wrong during the DirSync disable process and it's stuck in a partial disabled state. I did open a ticket with MS but haven't heard from anyone yet(!).
    I'll try opening another ticket.


  2. Luca 1 Reputation point
    2022-04-25T11:27:49.037+00:00

    I went through this process of repairing the Cloudsync Agent:

    https://learn.microsoft.com/it-it/azure/active-directory/cloud-sync/how-to-troubleshoot?WT.mc_id=Portal-Microsoft_Azure_Support#repairing-the-the-cloud-sync-service-account

    I installed the Cloudsync agent successfully but it fails to save any config.

    Running a repair yields the following error:

    PS C:\WINDOWS\system32> Repair-AADCloudSyncToolsAccount
    Repairing Azure AD Cloud Sync Service Account...
    Invoke-AADCloudSyncToolsGraphQuery : PUT https://graph.microsoft.com/beta/servicePrincipals/3c670451-bece-401b-8a5e-e208da6a98fd/synchronization/secrets | Response:
    {"error":{"code":"BadRequest","message":"There was an error enabling DirSync on the tenant. This might be due to another pending request to disable DirSync on the tenant which may
    take around 72 hours. Please try again later.","innerError":{"code":"HybridSynchronizationActiveDirectoryProvisioningEnablingError","details":[],"message":"There was an error
    enabling DirSync on the tenant. This might be due to another pending request to disable DirSync on the tenant which may take around 72 hours. Please try again
    later.","target":null,"innerError":{"code":"HybridSynchronizationActiveDirectoryProvisioningEnablingError","details":[],"message":"Message:There was an error enabling DirSync on
    the tenant. This might be due to another pending request to disable DirSync on the tenant which may take around 72 hours. Please try again
    later.","target":null},"date":"2022-04-25T11:39:32","request-id":"474dd97f-d1eb-4f07-b3ea-b208521797c5","client-request-id":"474dd97f-d1eb-4f07-b3ea-b208521797c5"}}}
    At C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools.psm1:622 char:17

    + ... $response = Invoke-AADCloudSyncToolsGraphQuery -Uri $uri -Method $met ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-AADCloudSyncToolsGraphQuery

    As suspected, something definitely went wrong during the ADSync disable process. Someone on the MS side has to fix this.


  3. Luca 1 Reputation point
    2022-04-26T10:33:02.733+00:00

    @Joyce Shen - MSFT I finally got the issue resolved with a ticket: a back-end command was issued to check the process and the PendingDisabled switched to Disabled. I installed and activated the Azure AD Sync provisioning agent successfully. I soft-matched the accounts during this process with their primary SMTP address. One note: this will fail if any account is a global administrator - you need to revert any O365 user to a normal user when soft-matching or you will encounter a cryptic X500 error saying there is a duplicate, which is not true (wasted a few hours on this error on one account).
    Everything seems fine, but I have 2 questions:

    • Why did Exch Online assign an X500 address to the accounts automatically created by the cut-over migration batch process? This address was not present on the on-prem accounts, only an X400 was. I now have both an X400 and an X500 address on the cloud accounts, which I'd like to remove to clean up. However, this leads me to question 2:
    • Now that the accounts have been soft-matched and the sync is working, I am no longer able to edit the email addresses from Exch Online. I was under the impression that even with the synced AD, after soft-matching I would be able to edit these parameters as they were considered to be online-only, and only the password hash would be synced from on-prem AD. Is this possible by implementing specific Exchange attribute filters, or are the soft-matched accounts now simply fused with on-prem AD? The X500 address is not in the local AD, and has been maintained on the online account (not removed), so this is rather confusing, as any on-prem AD attribute should overwrite the Azure attribute. Why this inconsistency?

    Thanks
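As an added example that is not part of the original posts or of any Microsoft tooling, this PowerShell script is a pre-flight report for the point at which method 1 in the question re-enables Azure AD Connect, and it also covers the global-administrator caveat from the last reply: for each mail-enabled on-prem user it shows whether a cloud object with the same primary SMTP exists for soft-matching, whether that object is already DirSync-linked, and whether it holds a directory role. It assumes the ActiveDirectory and MSOnline modules (the MSOnline cmdlets are the ones the page uses) and an existing Connect-MsolService session; Get-PrimarySmtp is a helper defined here.

```powershell
# Added example, not from the original post: pre-flight check before re-enabling
# Azure AD Connect after a cutover batch (method 1 above), also covering the
# global-administrator caveat from the last reply. Assumes the ActiveDirectory and
# MSOnline modules are installed and Connect-MsolService has been run already.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses, [string]$Fallback)
    # Exchange marks the primary SMTP address with an uppercase "SMTP:" prefix.
    foreach ($a in $ProxyAddresses) {
        if ($a -clike 'SMTP:*') { return $a.Substring(5).ToLowerInvariant() }
    }
    if ($Fallback) { return $Fallback.ToLowerInvariant() }
    return $null
}

# Cloud users keyed by primary SMTP; soft-match uses this address.
$cloudUsers = @{}
foreach ($u in Get-MsolUser -All) {
    $smtp = Get-PrimarySmtp -ProxyAddresses $u.ProxyAddresses -Fallback $u.UserPrincipalName
    $cloudUsers[$smtp] = $u
}

# Every cloud object holding any directory role, keyed by ObjectId.
$roleHolders = @{}
foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        $roleHolders[$m.ObjectId.ToString()] = $role.Name
    }
}

# One row per mail-enabled on-prem user.
$report = foreach ($adUser in Get-ADUser -Filter 'mail -like "*"' -Properties mail, proxyAddresses) {
    $smtp  = Get-PrimarySmtp -ProxyAddresses $adUser.proxyAddresses -Fallback $adUser.mail
    $cloud = $cloudUsers[$smtp]
    $role  = $null
    if ($cloud) { $role = $roleHolders[$cloud.ObjectId.ToString()] }
    [pscustomobject]@{
        OnPremUser    = $adUser.SamAccountName
        PrimarySmtp   = $smtp
        CloudMatch    = [bool]$cloud
        AlreadySynced = [bool]($cloud -and $cloud.ImmutableId)
        DirectoryRole = $role   # non-empty: demote before re-enabling sync
    }
}

$report | Sort-Object CloudMatch, DirectoryRole | Format-Table -AutoSize
```

Rows with CloudMatch false will not soft-match and need their primary SMTP reconciled first; rows with a DirectoryRole are the ones the last reply says fail with the duplicate X500 error until the role is removed.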