Office 365 Directory Synchronization Tidbits, Part 1

In this post I will try to cover some details that may help to understand how the Microsoft Online Services Directory Synchronization Tool (MOSDST) works when it synchronizes on-premises Active Directory with Office 365. MOSDST is nothing more than a custom solution built on top of Microsoft Identity Lifecycle Manager 2007, but for non-ILM people it may look like a black box that synchronizes objects from AD to O365 without any control. Knowing how it is built may help in understanding what it does. I name it “Part 1”, as I hope to add some more posts around this topic.

SourceAD Management Agent

The SourceAD Management Agent created by MOSDST is simply an Active Directory MA, with the following configuration details:

  • Forest: The ADMA connects to your on-premises Active Directory forest. As MOSDST uses a single ADMA, it only supports one forest.
  • Credentials: During setup, MOSDST creates the MSOL_AD_Sync user account with an unknown password. You can reset its password to a known one if you wish, provided that you update the ADMA configuration. You may also rename the account, but notice that MOSDST filters out the “MSOL_AD_Sync” value in sAMAccountName, so a renamed SourceAD MA user account will show up in the Office 365 users list if it does not match any other filter (see below). If you accidentally delete the account, you can recreate it with a known password and update the MA configuration.
  • Containers: The ADMA does not filter out any container, so it can potentially load every user, group and contact (provided they are not filtered out by the MA code) into Office 365.
  • Password Synchronization: The ADMA is not enabled as a password synchronization source, so your Active Directory passwords, even if you have PCNS installed, will not flow to Office 365. This is expected, as your users will typically use ADFS to sign in to Office 365 with their corporate credentials.


Active Directory Objects In Scope Of Synchronization

Not all of your objects in AD will end up in Office 365. While it is said that MOSDST only synchronizes users, groups and contacts, it is not exactly like that. What it loads into Office 365 depends on:

  • Mapped Objects: Along with “group” and “contact” objects in AD, “user” and “inetOrgPerson” objects are also subject to synchronization to Office 365. inetOrgPerson objects are treated much like “user” objects, as long as they do not match a connector filter.
  • Connector Filters: There are several connector filters defined that filter out objects, so you may expect certain users, groups and contacts to be synchronized to Office 365, but they will not be if they match a filter. Knowing those filter conditions is therefore important to know what to expect.


What is Filtered Out

The ADMA filters out “user”, “inetOrgPerson”, “contact” and “group” objects that match certain conditions. Here they are. If you expect an object to be synchronized to Office 365 but it is not, check whether it matches one of these filters.

  • “inetOrgPerson” objects are filtered out if:
    • sAMAccountName attribute is not present.
    • isCriticalSystemObject attribute is set to true.
  • “User” objects are filtered out if:
    • sAMAccountName attribute is not present.
    • isCriticalSystemObject attribute is set to true.
    • sAMAccountName attribute is “SUPPORT_388945a0”. More info about this account here.
    • sAMAccountName attribute is “MSOL_AD_Sync”.
    • mailNickname attribute starts with “SystemMailbox{“.
    • sAMAccountName or mailNickname attributes start with “CAS_”.
    • sAMAccountName or mailNickname attributes contain “{“ or “}”.
    • msExchRecipientTypeDetails attribute is 0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000 or 0x20000000.
  • “contact” objects are filtered out if:
    • displayName attribute contains “(MSOL)” and msExchHideFromAddressLists attribute is set to true.
    • mailNickname attribute starts with “CAS_” and contains “{“.
    • The object is not mail-enabled*.
    • The displayName attribute is not set.
  • “group” objects are filtered out if:
    • Contains more than the maximum number of allowed members. By default, it is set to 15,000 members, but it can be adjusted by the “GroupMembershipSizeFilter” REG_DWORD value under the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence” registry key. This limit is based on the absolute member list count, not on those members that are actually synchronized to Office 365.
    • Is a security-enabled group and isCriticalSystemObject attribute is set to true.
    • Is a security-enabled group and is mail-enabled* but displayName attribute is not set.
    • The object is not mail-enabled*.
    • The displayName attribute is not set.

* “mail-enabled” in this context means that the object either has a primary SMTP address in its proxyAddresses attribute (e.g. “SMTP:johndoe@contoso.com”), or its mail attribute holds an SMTP address (e.g. “johndoe@contoso.com”).
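To make the filter rules and the mail-enabled definition above concrete, here is an added example (my own code, not part of the sync tool or the original post) that applies them to an AD object given as a dictionary of attribute values and reports which filter, if any, it matches. The groupType bit used to detect security-enabled groups is an assumption, since the post does not name that attribute; the sample objects are constructed.

```python
# Added example, not part of the original post: apply the MOSDST connector
# filters listed above to an AD object given as a dict of attribute values.
# "security-enabled" is read from groupType bit 0x80000000 (an assumption).
GROUP_SIZE_FILTER = 15000  # default GroupMembershipSizeFilter
EXCLUDED_RECIPIENT_TYPES = {0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000}

def is_mail_enabled(obj):
    # primary SMTP address in proxyAddresses, or an SMTP address in mail
    if any(a.startswith("SMTP:") for a in obj.get("proxyAddresses", [])):
        return True
    return "@" in obj.get("mail", "")

def filter_reason(obj, group_size_filter=GROUP_SIZE_FILTER):
    """Return the first filter the object matches, or None if it would sync."""
    cls = obj["objectClass"]
    sam, nick = obj.get("sAMAccountName"), obj.get("mailNickname", "")
    if cls in ("user", "inetOrgPerson"):
        if sam is None:
            return "sAMAccountName not present"
        if obj.get("isCriticalSystemObject"):
            return "isCriticalSystemObject is true"
    if cls == "user":
        if sam in ("SUPPORT_388945a0", "MSOL_AD_Sync"):
            return "built-in support/sync account"
        if nick.startswith("SystemMailbox{"):
            return "system mailbox"
        if sam.startswith("CAS_") or nick.startswith("CAS_"):
            return "CAS_ prefix"
        if any(c in sam + nick for c in "{}"):
            return "brace in sAMAccountName or mailNickname"
        if obj.get("msExchRecipientTypeDetails") in EXCLUDED_RECIPIENT_TYPES:
            return "excluded msExchRecipientTypeDetails"
    if cls == "contact":
        if "(MSOL)" in obj.get("displayName", "") and obj.get("msExchHideFromAddressLists"):
            return "hidden (MSOL) contact"
        if nick.startswith("CAS_") and "{" in nick:
            return "CAS_ mailNickname"
    if cls == "group":
        if len(obj.get("member", [])) > group_size_filter:
            return "member count above GroupMembershipSizeFilter"
        security = bool(obj.get("groupType", 0) & 0x80000000)
        if security and obj.get("isCriticalSystemObject"):
            return "critical security group"
        if security and is_mail_enabled(obj) and not obj.get("displayName"):
            return "mail-enabled security group without displayName"
    if cls in ("contact", "group"):
        if not is_mail_enabled(obj) or not obj.get("displayName"):
            return "not mail-enabled or displayName not set"
    return None  # object would be synchronized
```

Feeding the output of an LDAP or Get-ADObject query through filter_reason() gives a quick way to explain why an expected object never showed up in Office 365.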


Update: Somewhat similar info can be found here and here. A great PDF is also available here that contains lots of inner details about the Sync Tool too.

Enjoy!