If you are working with AD synchronization tools (e.g. Azure Active Directory Connect) in your environment (e.g. a hybrid Exchange one), there is a high probability that you applied a default configuration for the synchronization process. If so, among various synced AD attributes there is also msExchMailboxGuid.
You will receive an error inside of Office 365:
In such a case, assigning an Office 365 license to synced on-premises users will not result in creating mailboxes. You will be able to create an Office 365 mailbox only with Microsoft migration tools, which excludes any possibility of using third-party migration tools like CloudMigrator.
If you would like to migrate via a third-party migration tool (such as CloudMigrator), you need to either set the msExchMailboxGuid attribute to NULL or rebuild the synchronization service for on-premises users from scratch, removing the msExchMailboxGuid attribute from AD synchronization.
Keep in mind that after the mailboxes are migrated, Office 365 users are synchronized with your on-premises AD environment. Because of that, you need to manage Office 365 mailboxes (e.g. change their email addresses) through the on-premises Exchange server.
If you delete the mailboxes in your on-premises organization (or decommission the on-premises server), you will not be able to modify or delete their cloud counterparts in Office 365 unless you disable the directory synchronization.
Follow the links below to find a solution that works best for your environment:
- Solution 1: Setting the msExchMailboxGuid attribute to NULL (Azure AD Connect)
- Solution 2: Removing the msExchMailboxGuid attribute from AD synchronization
These solutions do not apply to public folders.
Perform the following steps to set the msExchMailboxGuid attribute to NULL:
This solution applies to Azure AD Connect and Azure AD Sync only.
Stop the scheduler used in Azure AD Connect sync by using the following cmdlet:
Start Synchronization Rules Editor as an administrator.
Select Inbound from the Direction drop-down menu (or from the Rule Types menu, if you're using Azure AD sync).
Select the In from AD - User Exchange rule and click Edit.
When prompted, you can select to create an editable copy of this rule or edit the current one. Choose whichever option is best for you.
Select Transformations from the menu on the left, find the msExchMailboxGuid attribute on the list and make the following changes:
- In the FlowType column, select Expression from the drop-down menu.
- In the Source column, type NULL (uppercase).
- Select the Apply Once checkbox.
- In the Merge Type column, select Update from the drop-down menu.
- Click Save.
Start the scheduler again by using the following cmdlet:
Perform a full synchronization by executing this cmdlet:
Once the synchronization is finished, assigning an Office 365 license to synced on-premises users will result in creating mailboxes, allowing you to perform the migration.
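The scheduler steps of this procedure, as an added PowerShell example (not taken from the original article). It uses the ADSync module cmdlets that ship with Azure AD Connect and assumes an elevated session on the Azure AD Connect server; the helper name Wait-SyncCycleIdle and the polling intervals are choices made for this example.

```powershell
# Added example; run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Wait-SyncCycleIdle {
    # Hypothetical helper: block until no sync cycle is running,
    # so a rule edit never overlaps a cycle that is already in progress.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Start-Sleep -Seconds 10
    }
}

# Step 1: stop the scheduler before opening Synchronization Rules Editor.
Wait-SyncCycleIdle
Set-ADSyncScheduler -SyncCycleEnabled $false
if ((Get-ADSyncScheduler).SyncCycleEnabled) {
    throw 'Scheduler is still enabled; do not edit synchronization rules yet.'
}

# Step 2 (manual): edit the "In from AD - User Exchange" rule as described above
# (FlowType = Expression, Source = NULL, Apply Once selected, Merge Type = Update).
Read-Host 'Edit and save the rule, then press Enter to continue'

# Step 3: start the scheduler again and confirm the setting took effect.
Set-ADSyncScheduler -SyncCycleEnabled $true
if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
    throw 'Scheduler could not be re-enabled.'
}

# Step 4: full synchronization. An "Initial" cycle re-evaluates every object,
# which is what pushes the changed attribute flow to all synced users.
Start-ADSyncSyncCycle -PolicyType Initial
Start-Sleep -Seconds 15          # give the cycle time to register as in progress
Wait-SyncCycleIdle

# Final state of the scheduler, for the change record.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCyclePolicyType
```

After the cycle completes, check the connector run status in Synchronization Service Manager before assigning licenses.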
If the synchronization process is finished, and the synced users have msExchMailboxGuid attribute values in Office 365, the only way to remove this attribute is to permanently remove (hard-delete) all of the synced users from Office 365, reconfigure the synchronization (to exclude msExchMailboxGuid) and perform it all over again.
How to remove synced users from Office 365
To permanently remove the synced accounts from Office 365, follow the steps below.
- Open Synchronization Service Manager.
- Go to the Connectors tab.
- Select the connection type which allows for connection to your local AD: Active Directory Domain Services.
- Right-click the selection and choose Properties from the shortcut menu.
- In the Properties window, go to the Configure Directory Partitions section and click the Containers button.
- Provide the password for the user you used to connect to your local AD and click OK.
- A new window will open. Clear (uncheck) the selection for the users (OUs) that are already synced (e.g. HybridUsers) and click OK.
- Close the Properties window by clicking OK.
Now you need to perform a full AD synchronization. To do that, open Windows PowerShell and use the following cmdlet:
Alternatively, you can also perform the synchronization process manually, by running it separately for each of your connectors.
- Ensure that the synchronization process has been performed successfully: open Synchronization Service Manager and verify the status of connectors.
All synced user accounts should be visible on the Deleted users page in your Microsoft 365 admin center (Office 365 admin center).
Now, you can use either the MSOnline V1 PowerShell module for Azure Active Directory or the Azure AD admin center to hard-delete these users from Azure AD. Please note that these operations are not reversible.
Hard-deleting user mailboxes by using the MSOnline module
Connect to your Office 365 service as a global admin by using the following cmdlets:
Provide your admin credentials when asked.
You can now remove all the recently deleted users in one go or do it one by one:
This cmdlet may take some time to complete depending on the number of mailboxes that need to be deleted. During that time PowerShell may seem to be frozen.
To delete user mailboxes individually, first retrieve the list of deleted users with this cmdlet:
This will return the user principal name (UPN) and the ObjectId parameter of these users. Now, to delete a particular user, execute the following cmdlet, providing the appropriate <ObjectId> value:
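Because hard-deletion is not reversible, the individual removal described above can be restricted to a reviewed list. The following is an added PowerShell example (not taken from the original article) that uses the MSOnline cmdlets Connect-MsolService, Get-MsolUser and Remove-MsolUser; the file names deleted-users-review.csv and approved-upns.txt are hypothetical.

```powershell
# Added example; assumes the MSOnline module is installed on this machine.
Import-Module MSOnline
Connect-MsolService              # prompts for global admin credentials

# All soft-deleted users currently listed on the Deleted users page.
$deleted = Get-MsolUser -ReturnDeletedUsers -All

# Keep a record of what was in the recycle bin before anything irreversible.
# (Hypothetical output file.)
$deleted | Select-Object UserPrincipalName, ObjectId |
    Export-Csv -Path .\deleted-users-review.csv -NoTypeInformation

# Hypothetical approval list: one UPN per line, reviewed by the account owner.
$approved = Get-Content .\approved-upns.txt | Where-Object { $_.Trim() }

# Only users that are both soft-deleted and approved are removed.
$targets = $deleted | Where-Object { $approved -contains $_.UserPrincipalName }

# Approved UPNs that are not in the recycle bin point to a typo or to a user
# that was never soft-deleted; report them instead of ignoring them silently.
$missing = $approved | Where-Object { $deleted.UserPrincipalName -notcontains $_ }
if ($missing) {
    Write-Warning ("Not found among deleted users: " + ($missing -join ', '))
}

Write-Host ("About to hard-delete {0} of {1} soft-deleted users." -f
    @($targets).Count, @($deleted).Count)
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

foreach ($user in $targets) {
    # -RemoveFromRecycleBin makes this a permanent (hard) delete.
    Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force
    Write-Host ("Hard-deleted {0} ({1})" -f $user.UserPrincipalName, $user.ObjectId)
}
```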
Hard-deleting user mailboxes in Azure AD admin center
- Log in to your Azure Active Directory admin center.
- Navigate to Users > Deleted users.
- In the central pane, select the checkbox next to each user that you want to delete.
- Click Delete permanently to hard-delete all selected users.
- Click Yes to confirm.
All your soft-deleted user mailboxes will be automatically deleted permanently after 30 days. If these mailboxes were placed on hold, they will be deleted permanently once the hold is removed (but not earlier than 30 days after they were soft-deleted).
How to (re)configure AD synchronization tools for migration to Office 365
To (re)configure your AD synchronization for migration to Office 365 via third-party software, you need to exclude the msExchMailboxGuid attribute from the syncing process. Follow the steps below.
- Open Azure AD Connect.
- Click the Configure button to proceed to the next section (Tasks/Additional tasks).
- Choose Customize synchronization options from the list and click Next.
- In the Connect to Azure AD section, provide your Azure credentials.
- In the Domain/OU Filtering step, choose Organizational Units (e.g. HybridUsers) that you want to synchronize and click Next.
- Proceed to the Azure AD Attributes step. Select I want to further limit the attributes exported to Azure AD and clear (uncheck) the msExchMailboxGuid check box.
- Click Next to proceed to the last section (Configure). Ensure that the Start the synchronization process when the configuration completes check box is selected.
- Click Configure to start full synchronization.
After the synchronization is finished, the synced accounts will no longer have their msExchMailboxGuid attributes synced.