When migrating to Office 365 there are usually at least a few advantages to keeping your user accounts synchronized with your on-premise AD. When it comes to resource mailboxes such as shared mailboxes and room mailboxes those advantages are usually gone.
Identifying synced resources
Identifying Exchange resources synchronized from on-prem AD is a fairly straight forward process. Just check the isDirSynced attribute in Exchange Online PowerShell.
$Rooms = Get-Mailbox -Filter {isDirSynced -eq $true} -RecipientTypeDetails RoomMailbox -ResultSize Unlimited
$Shared = Get-Mailbox -Filter {isDirSynced -eq $true} -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
Migrating the objects to cloud only
You’d think there was a simple command that could be used to disconnect the Azure AD object from it’s on-premise counterpart but the process methods I’ve come across are a bit more complicated than you may think.
What we’re doing is essentially tricking Azure AD Connect to beleve that the objects have been deleted and then restore them as cloud only.
Removing the accounts from sync
In order to convert the objects to cloud only they need to be removed from the sync. I’d recommend moving the AD objects to an OU that is not synced to Azure AD.
Synchronizing the changes
Next we need to synchronize the changes. Simply connect to your Azure AD connect server and force a delta sync. Once the sync is completed, run it again. This ensures that the deletion of the object is reported back to the Azure AD Connect server. This prevents AADC from trying to delete the cloud object at the next sync.
Restore the object
The objects are now located in the “deleted users” section of Azure AD. Triggering a restore of the object will cause it to be restored as cloud only. My preferred method is doing this using PowerShell.
Restore-MsolUser -UserPrincipalName SharedMailbox@technut.se
After running the command you’ll see the account as an active user and the mailbox should re-appear in Exchange Online within a few minutes.
Update the UPN (if federated)
If you’re using federated identities through ADFS or pass-through authentication I suggest updating the UPN’s of your accounts to use the onmicrosoft.com-domain after the restoration. This will prevent issues with sign-in and is a fairly straight forward process using PowerShell
Set-MsolUserPrincipalName -UserPrincipalName SharedMailbox@technut.se -NewUserPrincipalName SharedMailbox@technut.onmicrosoft.com
Hey good article.
Once the cloud mailbox is restored, will the mailbox still have the same password or it will need a password reset?
Thanks
Thanks, assuming the password was synced from on-prem it should not have changed because of this. If federation is used there probably is no password stored in Azure AD and a reset would be required.
Hope this helps!