Some short pieces for you this time, all of which were encountered on a recent customer engagement.
This customer was migrating from a Europe-hosted tenant to a UK-hosted tenant; since they did not have many users in the cloud, we were able to off-board the mailboxes before removing the Organisation Relationship and creating a new one by re-running the Hybrid Configuration Wizard.
Azure AD Connect – Delete Threshold
To clear down the old tenant, we removed all the user objects from the Synchronisation scope. Azure AD Connect is designed to prevent accidental deletions and caps this at a maximum of 500 deleted objects. Needless to say, a massive change in the scope exceeded this cap.
When making such large changes to the synchronisation scope, we can disable the cap using Disable-ADSyncExportDeletionThreshold. If the same tenant is going to be used in the future, we need to remember to run Enable-ADSyncExportDeletionThreshold once we're done.
Azure AD Connect – Attribute Length
When we began synchronising the user accounts to the new tenant, we received gen-sync-errors on about half a dozen users. This customer uses the custom Attributes for tracking data and these users had a bit too much data on there.
Azure AD Connect will only synchronise 448 characters from those custom Attributes. This is easily resolved by excluding that specific attribute from the Synchronisation scope, but it is something to be aware of.
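To find affected accounts before the sync errors appear, the following added example (not part of the original engagement scripts) flags any custom attribute value longer than the 448-character limit. It assumes the custom Attributes are the on-premises extensionAttribute1 to extensionAttribute15; the function name Find-OverlongAttribute and the sample users are hypothetical.

```powershell
# Added example: report custom attribute values that exceed the sync limit.
$MaxLength = 448   # limit stated in the post

# Assumption: "custom Attributes" means extensionAttribute1..15 in on-premises AD.
$AttributeNames = 1..15 | ForEach-Object { "extensionAttribute$_" }

function Find-OverlongAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [string[]]$Attribute = $AttributeNames,
        [int]$Limit = $MaxLength
    )
    process {
        foreach ($name in $Attribute) {
            # Attributes that are unset are simply absent or null; skip them.
            $prop = $User.PSObject.Properties[$name]
            if ($null -eq $prop -or $null -eq $prop.Value) { continue }

            $value = [string]$prop.Value
            if ($value.Length -gt $Limit) {
                [pscustomobject]@{
                    SamAccountName = $User.SamAccountName
                    Attribute      = $name
                    Length         = $value.Length
                    Over           = $value.Length - $Limit
                }
            }
        }
    }
}

# Constructed sample objects so the check runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.a'; extensionAttribute1 = 'x' * 448 }
    [pscustomobject]@{ SamAccountName = 'user.b'; extensionAttribute1 = 'x' * 449; extensionAttribute7 = 'tracking' }
    [pscustomobject]@{ SamAccountName = 'user.c'; extensionAttribute3 = $null }
)
$sample | Find-OverlongAttribute | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties $AttributeNames | Find-OverlongAttribute
```

With the constructed sample, only user.b's extensionAttribute1 is reported; a value of exactly 448 characters is within the limit.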
Restore-MsolUser – Resolving Proxy Address Conflicts
In disengaging the old tenant, all the previously synced accounts are transferred to the Azure AD Recycle Bin. Once we removed the Azure AD Connect server from the tenant, the customer discovered that they needed to reinstate one of the accounts as a cloud-only account. Since it still had a proxy address from a domain that had been removed from the tenant, the normal Restore-MsolUser wasn’t working.
It was only after a little bit of research that we discovered the way to fix this:
Restore-MsolUser -UserPrincipalName <OldUPN> -NewUserPrincipalName <NewUPN> -AutoReconcileProxyConflicts
Result! One restored cloud-only account with the correct UPN and no proxy addresses.