User object is missing or filtered from the AAD connector in AAD Sync

Symptoms
When you try to sync a user object to Microsoft Azure Active Directory, the operation is unsuccessful.

When you search for the user object in the metaverse objects, you see only the Active Directory connector listed on the Connectors tab. The Windows Azure Active Directory (AAD) connector is not listed. Additionally, no error is returned for this particular user.

You may also notice that the msExchRecipientTypeDetails value of the user object that is not synchronized is 2. This value corresponds to the Linked Mailbox type, which the user does not actually have.

Note The following value is the only value that triggers filtering of a user object:
msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)
For more information about user objects that are filtered, see How directory synchronization determines what isn't synced from the on-premises environment to Windows Azure AD.
Cause
This issue occurs because the transformation rule for the sourceAnchor attribute checks whether the value of msExchRecipientTypeDetails is 2.

Note You can view this rule in the following location:
Sync Rules Configuration Editor\Inbound\In From AD\Common\Transformation
You can also see the target sourceAnchor attribute and the expression rule as follows:
IIF(IsPresent([msExchRecipientTypeDetails]),IIF([msExchRecipientTypeDetails]=2,NULL,IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID]))),IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))
If msExchRecipientTypeDetails has a value of 2, sourceAnchor is set to NULL. However, if the value of sourceAnchor is NULL, the user is filtered.
More information
According to DirSync: List of attributes that are synced by the Azure Active Directory Sync Tool, one reason a user object is filtered is the following:
msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)

It is a common assumption that if the msExchRecipientTypeDetails attribute on a user is set to the value "2", the AADSync server will filter this object. This is not true. AADSync is not filtering this user object; it is waiting for the master account (from the account forest) to join to the object, because the master account is needed for the UPN and the sourceAnchor.

The value "2" in the msExchRecipientTypeDetails attribute indicates that the mailbox type is a "linked mailbox". A linked mailbox is usually found in an account-resource forest topology, and the user object in the account forest must be synchronized before these resource objects are provisioned to Azure AD.

Therefore, with msExchRecipientTypeDetails=2 the object is not actually filtered. When this flag is set, AADSync waits for the master account (from the account forest) to be synced so that it can join the two objects and create a cloud connector for the final user object in AADSync.

If you do not have an account-resource forest topology and a user has msExchRecipientTypeDetails=="2", changing the value to one used by an ordinary object will sync the user object.
Workaround
To work around this issue, use one of the following two solutions:
  • Make sure that the Master user account (in Account forest) is synchronized first.
  • You can change the attribute value of msExchRecipientTypeDetails to 1. You can also use any value that's not supposed to be filtered by either of the rules.
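The following Python model, added here as an illustration and not code from AADSync or the article, replays the two rules this article quotes: the recipient-type filter list from the Symptoms section and the sourceAnchor transformation from the Cause section. It then classifies a few constructed sample user objects the way the More information section describes (filtered, waiting for the master account, or synced) and shows the effect of the second workaround (setting msExchRecipientTypeDetails to 1). The sample users and their objectGUID values are made up; treating the filter rule as "equals one of the listed values" is this example's literal reading of the article's expression, not a statement about the sync engine's internal implementation.

```python
import base64

# Recipient-type values the article lists as triggering filtering of a user object.
FILTERED_RECIPIENT_TYPES = frozenset([
    0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000,
])
LINKED_MAILBOX = 2  # msExchRecipientTypeDetails value for a linked mailbox


def is_filtered_by_recipient_type(rtd):
    """Literal reading (assumption) of the article's rule:
    msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR ... OR 0x20000000)."""
    return rtd is not None and rtd in FILTERED_RECIPIENT_TYPES


def object_guid_to_anchor(object_guid):
    """IIF(IsString([objectGUID]), CStr([objectGUID]), ConvertToBase64([objectGUID]))."""
    if isinstance(object_guid, str):
        return object_guid
    # objectGUID in AD is a 16-byte binary value; the rule Base64-encodes it.
    return base64.b64encode(bytes(object_guid)).decode("ascii")


def source_anchor(user):
    """Python rendering of the sourceAnchor transformation quoted in the Cause section."""
    rtd = user.get("msExchRecipientTypeDetails")
    if rtd is not None:                  # IsPresent([msExchRecipientTypeDetails])
        if rtd == LINKED_MAILBOX:        # [msExchRecipientTypeDetails]=2 -> NULL
            return None
        return object_guid_to_anchor(user["objectGUID"])
    return object_guid_to_anchor(user["objectGUID"])


def classify(user):
    """What happens to the object, following the article's explanation."""
    rtd = user.get("msExchRecipientTypeDetails")
    if is_filtered_by_recipient_type(rtd):
        return "filtered"
    if source_anchor(user) is None:
        # Linked mailbox: not filtered, but sourceAnchor stays NULL until the
        # master account from the account forest is synced and joined.
        return "waiting-for-master-account"
    return "synced"


def with_recipient_type(user, value):
    """Copy of the object with msExchRecipientTypeDetails replaced (second workaround)."""
    changed = dict(user)
    changed["msExchRecipientTypeDetails"] = value
    return changed


# Constructed sample objects (not from the article); the GUID bytes are made up.
ALICE_GUID = bytes(15) + b"\x01"
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "msExchRecipientTypeDetails": 1, "objectGUID": ALICE_GUID},
    {"sAMAccountName": "bob", "msExchRecipientTypeDetails": 2, "objectGUID": bytes(15) + b"\x02"},
    {"sAMAccountName": "sysmbx", "msExchRecipientTypeDetails": 0x2000, "objectGUID": bytes(15) + b"\x03"},
    {"sAMAccountName": "carol", "objectGUID": "constructed-string-guid"},  # no Exchange attribute
]


def triage(users):
    """Map each sAMAccountName to its classification."""
    return {u["sAMAccountName"]: classify(u) for u in users}


if __name__ == "__main__":
    for name, state in triage(SAMPLE_USERS).items():
        print(f"{name:8} {state}")
    bob = SAMPLE_USERS[1]
    print("bob after msExchRecipientTypeDetails=1:", classify(with_recipient_type(bob, 1)))
```

Running the script shows "bob" (value 2) reported as waiting for the master account rather than filtered, while "sysmbx" (0x2000) is filtered outright; changing bob's value to 1 moves him to the synced state, which is the second workaround above.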

Properties

Article ID: 3066176 - Last Review: 12/03/2015 10:21:00 - Revision: 4.0

Microsoft Azure Active Directory
