Azure Active Directory (Azure AD) Connect is used to synchronize data to Azure AD. Azure Active Directory Connect checks and validates information along the way. Sync errors may occur, and new objects or updated values may not reach Azure AD.
It's important to understand the flow of data from on-premises to the cloud in Exchange Online. If a failure or error occurs, this article can help determine where the problem is occurring and how to fix it.
- The data flows from source on-premises AD to a source connector space.
During this process, new objects and changes to existing objects are evaluated, and any conflicts are flagged. If the object is new and errors are present, the object will not be provisioned. If it's an existing object, the conflicting data may not be passed forward. The object may continue to function. However, the desired change, intended or accidental, will not be made. This triggers a DirSync error that has to be corrected in source AD.
For more information, see the following articles:
Introduction to the Azure AD Connect Synchronization Service Manager UI
Using the Sync Service Manager Operations tab
- If a change passes the first stage, it enters the Metaverse, and then the change is passed along to the Target Connector Space. For more information, see Sync Service Manager Metaverse Search.
- If there are no issues, the change is populated into the Target Data Store and Azure AD. At this point, you can run the Get-MsolUser cmdlet and other Azure commands against the object to view it in Azure AD.
If a problem occurs between the Target Connector Space and Azure AD, you may have to remove the object from Azure AD by using the Remove-MsolUser cmdlet. You cannot force Azure AD to reevaluate the object as you can in MMSSPP.
Finally, the data synchronizes to Exchange, where the object exists as a Mailbox, MailUser, Resource, and so on. This is known as Forward Sync. If there is a problem on an object between Azure AD and Exchange Online (represented by validation errors), ask Microsoft to submit the object for a Forward Sync from Azure AD to Exchange Online to force this action.
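The stages described above can be checked in order to find where an object stopped. The following script is an added example, not part of the original article or Microsoft's tooling. It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules available, that Connect-MsolService and an Exchange Online session are already established, that the on-premises and cloud UPN match, and that `$AdConnectorName` (a placeholder parameter) holds the on-premises connector name shown by Get-ADSyncConnector.

```powershell
# Added example: report the furthest stage of the sync flow an object has reached.
# $AdConnectorName is an assumed, caller-supplied value (see Get-ADSyncConnector).
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [Parameter(Mandatory)][string]$AdConnectorName
)

$result = [ordered]@{ UPN = $UserPrincipalName; Stage = 'Not found in source AD'; Detail = $null }

# Source on-premises AD. Double any apostrophe so the filter string stays well formed.
$safeUpn = $UserPrincipalName.Replace("'", "''")
$adUser  = Get-ADUser -Filter "UserPrincipalName -eq '$safeUpn'"

if ($adUser) {
    $result.Stage = 'Source AD (not yet in the source connector space)'

    # Source connector space: conflicts are flagged here and must be fixed in source AD.
    $cs = $null
    try {
        $cs = Get-ADSyncCSObject -ConnectorName $AdConnectorName `
                -DistinguishedName $adUser.DistinguishedName -ErrorAction Stop
    } catch { $result.Detail = $_.Exception.Message }

    if ($cs) {
        $result.Stage = 'Source connector space'
        if ($cs.HasSyncError) {
            $result.Detail = 'Sync error flagged; correct the data in source AD'
        } elseif ($cs.ConnectedMVObjectId -and $cs.ConnectedMVObjectId -ne [guid]::Empty) {
            # A connected metaverse object means the first stage passed.
            $result.Stage = 'Metaverse'
        }
    }

    # Azure AD (Target Data Store).
    $msol = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($msol) {
        $result.Stage = 'Azure AD'
        if ($msol.ValidationStatus -ne 'Healthy') {
            $result.Detail = "ValidationStatus is $($msol.ValidationStatus); inspect the Errors property"
        }
        # Exchange Online: the object exists as a recipient once Forward Sync completes.
        $rcpt = Get-Recipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue
        if ($rcpt) { $result.Stage = "Exchange Online ($($rcpt.RecipientTypeDetails))" }
    }
}

[pscustomobject]$result
```

The script only reads state; it does not remove or resubmit the object.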
A related topic is Active Directory Federation Services. See the following articles for more information.
Here are articles for some common issues:
- Exchange Online object is not present or updated in Azure AD Connect
- Mailbox not provisioned in Azure AD Connect for Office 365
- A user is missing from a group in Azure AD Connect for Office 365
- Mailbox is present in both Office 365 Legacy Dedicated and vNext after license is applied
- A user cannot access a mailbox that's provisioned in Office 365 dedicated/ITAR (vNext)
- You see validation errors for users in the Office 365 portal or in the Azure Active Directory Module for Windows PowerShell
- Validation errors for a mailbox archive GUID for Office 365 dedicated/ITAR (vNext) users