At my employer we recently decided to switch over to Office 365. During the migration period I set up our Exchange 2010 server in Office 365 hybrid mode and also set up Azure Active Directory synchronization. All existing users were syncing correctly, perfect!
But then it happened: new users. Everything seemed to work until we noticed two users were not receiving e-mail from IT. What could be the problem?
The Problem
The IT department's mailboxes had already been migrated to Exchange Online for testing purposes, but the mailboxes of the rest of the users were still located on the on-premises Exchange server.
After going into full Sherlock mode, the problem became clear: the two users each had a mailbox both on the on-premises Exchange server and in Office 365.
How did this happen? My best guess is that after the user account was created in Active Directory and had been synced to Office 365, the Office 365 license was assigned before the on-premises mailbox was created. Exchange Online decides at licensing time whether to provision a mailbox based on the synced Exchange attributes (in particular msExchMailboxGuid); as it did not see a corresponding on-premises mailbox, it created a cloud mailbox for the user. Only after that was the mailbox created on the on-premises Exchange server. The result: all non-IT users, whose mailboxes were on-premises, could e-mail the new users directly, while e-mail sent by IT from Exchange Online was delivered to the cloud mailbox, because Exchange Online found a local mailbox for that recipient and never routed the message on-premises. Since the new users' Outlook was connected to the on-premises Exchange server and not to Exchange Online, they never saw the e-mail sent by IT.
Tools
To fix the problem you will need the following pieces of software installed:
- Microsoft Online Services Sign-in Assistant 64-bit
- Windows Azure Active Directory Module for Windows PowerShell 64-bit
Fix
Now… How to fix this mess 🙂
Attribute filter in Azure AD Connect
First we need to temporarily stop syncing the user accounts to Azure Active Directory. We'll achieve this by creating an attribute filter in Azure AD Connect. It is a negative filter, a do-not-sync-these filter: any user whose extensionAttribute15 has the value nosync gets cloudFiltered set to True and is therefore not exported to Azure AD.
- Sign in to the server running Azure AD Connect. Make sure you are using an account with the proper credentials.
- Start the Synchronization Rules Editor
- Select Inbound and click Add New Rule.
- Give the rule a name you'll understand later. I used "In from AD – User DoNotSyncFilter". Now set the following:
- Connected System: the forest in which the user exists
- Connected System Object Type: User
- Metaverse Object Type: person
- Link Type: Join
- Precedence: a number not in use by another rule. In my case I could use 500. Keep in mind that a lower number means higher priority; Microsoft's documented example for this kind of filter rule uses 50, below the built-in rules, which start at 100
- Now click Next
- In the Scoping filter screen we'll set the actual filter. Click Add Group and then Add Clause. Set the following:
- Attribute: extensionAttribute15
- Operator: EQUAL
- Value: nosync
- Now click Next
- You can leave the Join Rules section empty. Click Next
- In the Transformations screen click Add Transformation and set the following:
- Flowtype: Constant
- Target Attribute: cloudFiltered
- Source: True
- Click Add to save the rule
Set the attribute
We now have to set extensionAttribute15 to nosync for the affected user(s).
- Open Active Directory Users and Computers
- Make sure you have enabled Advanced Features: View > Advanced Features
- Now open the user object and open the tab Attribute Editor
- Scroll to extensionAttribute15 and select it. Now click Edit and set the value to nosync
- Click OK twice
Force Full Sync
After adding or removing an attribute-based filter rule you'll need to run a Full Synchronization: the new rule has to be applied to the objects already in the metaverse, and a delta sync only processes objects that changed.
- Sign in to the server running Azure AD Connect. Make sure you are using an account with the proper credentials.
- Start the Synchronization Service application
- Click on Connectors and select the Active Directory connector you just added the filter to
- Click Run on the right side.
- Now select Full Synchronization and click OK
Now wait until a full synchronization cycle has passed; the Export step to the Azure AD connector has to run as well, which the scheduler does on its next cycle. You'll see that in Office 365 the user is no longer active: it is soft-deleted, and the license it had assigned can be reused.
Remove mailbox from Recycle Bin
Although the user isn't active anymore, we have to remove the user from the Recycle Bin before we can continue. A soft-deleted user keeps its identity (the ImmutableId derived from the on-premises object) for 30 days, and as soon as the on-premises account is synced again Azure AD would simply restore that user, cloud mailbox included, instead of creating a clean one.
- Start by opening Windows Azure Active Directory Module for Windows PowerShell
- Now connect to your Office 365 environment
- First store your credentials in a variable with this command:
$usercred = Get-Credential
- Now connect to the service with this command:
Connect-MsolService -Credential $usercred
- We now have to retrieve the ObjectId of the soft-deleted user (the cloud mailbox goes with the user object). The following command lists the deleted users with their UserPrincipalName and ObjectId:
Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,ObjectId
- Make sure you write down or copy/paste the ObjectId to your favorite editor, and double-check that the UserPrincipalName belongs to the user you are fixing; the next command is not reversible.
- Now we can remove the deleted user from the Recycle Bin. Use the following command:
Remove-MsolUser -ObjectId <GUID> -RemoveFromRecycleBin -Force
- The user and its mailbox have now been completely removed from the Office 365 environment.
Unset Attribute
We now have to clear extensionAttribute15 again so the user is synced to Azure AD once more.
- Open Active Directory Users and Computers
- Now open the user object and open the tab Attribute Editor
- Scroll to extensionAttribute15 and select it. Now click Edit and click Clear.
- Click OK twice.
Finishing up
After clearing the attribute, the user will be synced to Office 365 again on the next (delta) sync cycle. Once it has been resynced you can assign a license again, and because the on-premises mailbox is present and its msExchMailboxGuid is synced, an Exchange Online mailbox will not be created. Before assigning the license, check that the on-premises mailbox really exists for the user; licensing a synced user without one is exactly what created the duplicate in the first place.
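The same fix as a single PowerShell script, for when more than two users are affected. This is an added example, not code from the original post. It assumes it is run on the Azure AD Connect server (where the ADSync module lives) with the RSAT ActiveDirectory module and the MSOnline module installed, that the "In from AD – User DoNotSyncFilter" rule from the previous section already exists, and that the user name passed in is a placeholder. Start-ADSyncSyncCycle -PolicyType Initial is the scripted counterpart of Run > Full Synchronization in the Synchronization Service, with the import and export steps included:

```powershell
<#
  Added example (not from the original post): the manual fix above, scripted
  end to end for one user. Assumptions: runs on the Azure AD Connect server
  (ADSync module available), RSAT ActiveDirectory and MSOnline modules are
  installed, and the DoNotSyncFilter rule already exists. User name is a
  placeholder.
#>
param(
    [Parameter(Mandatory)]
    [string]$SamAccountName            # e.g. 'jdoe' (assumed placeholder)
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

# Block until the sync engine reports no connector run in progress.
function Wait-ADSyncIdle {
    do {
        Start-Sleep -Seconds 15
    } while (Get-ADSyncConnectorRunStatus)
}

$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, msExchMailboxGuid
$upn  = $user.UserPrincipalName

# 1. Flag the user so the DoNotSyncFilter rule sets cloudFiltered = True.
Set-ADUser -Identity $user -Replace @{ extensionAttribute15 = 'nosync' }

# 2. Full import + full sync + export on all connectors, then wait for it.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
Wait-ADSyncIdle

# 3. Connect to Office 365 and confirm the user really is soft-deleted.
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 admin')
if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
    throw "$upn is still an active user in Azure AD; wait for the export to finish and re-run."
}

# 4. Find exactly one matching soft-deleted user. A wrong ObjectId here would
#    permanently delete somebody else's mailbox, so refuse to guess.
$deleted = @(Get-MsolUser -ReturnDeletedUsers -All |
             Where-Object { $_.UserPrincipalName -eq $upn })
if ($deleted.Count -ne 1) {
    throw "Expected one soft-deleted user for $upn, found $($deleted.Count)."
}
Remove-MsolUser -ObjectId $deleted[0].ObjectId -RemoveFromRecycleBin -Force

# 5. Clear the flag and let a delta sync re-create the user in Azure AD.
Set-ADUser -Identity $user -Clear extensionAttribute15
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ADSyncIdle

# 6. Only hand out a license when the on-premises mailbox exists; licensing a
#    user without msExchMailboxGuid is what created the duplicate mailbox.
if (-not $user.msExchMailboxGuid) {
    Write-Warning "$upn has no on-premises mailbox yet. Create it, sync, and only then assign the license."
} else {
    Write-Host "$upn is synced again; it is now safe to assign the Office 365 license."
}
```

Run it as `.\Fix-DuplicateMailbox.ps1 -SamAccountName jdoe` (script name and account are assumed). Every irreversible step is guarded: the script stops if the user is still active in Azure AD or if the Recycle Bin does not contain exactly one user with the expected UserPrincipalName, rather than deleting whatever it finds.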