ENow Blog | Azure & Active Directory Center

Preparing for Directory Synchronization to Microsoft 365

Written by AmyKelly Petruzzella | Jul 20, 2021 6:32:11 PM

There are several benefits to hybrid identity and directory synchronization, including:

  • Reducing administrative overhead in your organization
  • Optionally enabling single sign-on scenarios
  • Synchronizing complex environments
  • Flexibly enabling re-orgs, consolidations, and transformations

However, directory synchronization requires planning and preparation to ensure that your Active Directory Domain Services (AD DS) synchronizes to the Azure AD tenant of your Microsoft 365 subscription with minimal errors. Follow these steps for the best results.

Directory cleanup tasks

Before you synchronize your AD DS to your Azure AD tenant, you need to clean up your AD DS. Skipping this cleanup has a significant negative impact on the deployment: it can take days, or even weeks, to work through the cycle of synchronizing, identifying errors, fixing them in AD DS, and re-synchronizing.

In your AD DS, complete the following clean-up tasks for each user account that will be assigned a Microsoft 365 license:

  1. Ensure a valid and unique email address in the proxyAddresses attribute.
  2. Remove any duplicate values in the proxyAddresses attribute.
  3. If possible, ensure a valid and unique value for the userPrincipalName attribute of the user object. For the best synchronization experience, ensure that the AD DS UPN matches the Azure AD UPN. If a user does not have a value for the userPrincipalName attribute, then the user object must contain a valid and unique value for the sAMAccountName attribute. Remove any duplicate values in the userPrincipalName attribute.
  4. For optimal use of the global address list (GAL), ensure the information in the following attributes of the AD DS user account is correct:
    • givenName
    • surname
    • displayName
    • Job Title
    • Department
    • Office
    • Office Phone
    • Mobile Phone
    • Fax Number
    • Street Address
    • City
    • State or Province
    • Zip or Postal Code
    • Country or Region
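The cleanup tasks above are the kind of thing you want scripted, reviewed, and only then applied. The following PowerShell is an added example, not code from the original post: it removes duplicate proxyAddresses values (case-insensitively, keeping the primary uppercase SMTP: entry) and gives each user a UPN with a routable suffix. It runs offline on the constructed sample objects at the bottom; the verified-suffix list, the replacement suffix, the sAMAccountName@suffix fallback for a missing UPN, and the sample users are all assumptions for illustration. In production you would pipe Get-ADUser output in and apply the result with Set-ADUser, as sketched in the trailing comment.

```powershell
# Added example, not from the original post: normalise the attributes the
# cleanup tasks above call out. It works on plain objects so it runs offline;
# in production pipe Get-ADUser output in and apply the result with Set-ADUser.
# $VerifiedSuffixes, $RoutableSuffix and the sample users are assumptions.

$VerifiedSuffixes = @('contoso.com', 'fabrikam.com')   # assumed: domains verified in the tenant
$RoutableSuffix   = 'contoso.com'                     # assumed: suffix substituted for .local etc.

function Repair-SyncUser {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $changes = [System.Collections.Generic.List[string]]::new()

        # Tasks 1-2: drop duplicate proxyAddresses. Comparison is case-insensitive,
        # so 'smtp:tom@contoso.com' duplicates 'SMTP:Tom@contoso.com'. Primary
        # addresses (uppercase 'SMTP:') are visited first so they are the copy kept.
        $addresses = @($User.proxyAddresses | Where-Object { $_ })
        $ordered   = @($addresses | Where-Object { $_ -clike 'SMTP:*' }) +
                     @($addresses | Where-Object { $_ -cnotlike 'SMTP:*' })
        $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        $kept = foreach ($addr in $ordered) {
            if ($seen.Add($addr)) { $addr }
            else { $changes.Add("dropped duplicate proxyAddress '$addr'") }
        }
        $primaries = @($kept | Where-Object { $_ -clike 'SMTP:*' }).Count
        if ($primaries -gt 1) { $changes.Add("WARNING: $primaries primary SMTP addresses; fix by hand") }

        # Task 3: ensure a UPN exists and that its suffix is a routable, verified domain.
        $upn = [string]$User.userPrincipalName
        if (-not $upn) {
            $upn = "$($User.sAMAccountName)@$($RoutableSuffix)"   # assumed fallback: sAMAccountName@suffix
            $changes.Add("set missing UPN to '$upn'")
        } elseif ($upn.Split('@')[-1] -notin $VerifiedSuffixes) {
            $new = $upn.Split('@')[0] + '@' + $RoutableSuffix
            $changes.Add("replaced non-routable UPN suffix: '$upn' -> '$new'")
            $upn = $new
        }

        [pscustomobject]@{
            sAMAccountName    = $User.sAMAccountName
            userPrincipalName = $upn
            proxyAddresses    = @($kept)
            Changes           = $changes.ToArray()
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'tom'; userPrincipalName = 'tom@contoso.local'
        proxyAddresses = @('smtp:tom@contoso.com', 'SMTP:Tom@contoso.com', 'smtp:thomas@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'ana'; userPrincipalName = $null; proxyAddresses = @('SMTP:ana@contoso.com') }
)
$sample | Repair-SyncUser | Format-List

# Production, after reviewing the Changes column (remove -WhatIf to apply):
# Get-ADUser -Filter * -Properties proxyAddresses | Repair-SyncUser | Where-Object Changes |
#   ForEach-Object { Set-ADUser $_.sAMAccountName -UserPrincipalName $_.userPrincipalName `
#                      -Replace @{ proxyAddresses = $_.proxyAddresses } -WhatIf }
```

For the sample, tom keeps SMTP:Tom@contoso.com and smtp:thomas@contoso.com, loses the lowercase duplicate, and has the .local suffix replaced; ana gets ana@contoso.com as her UPN. Keep the Changes output as the audit trail for what was altered before the first sync.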

Directory object and attribute preparation

Successful directory synchronization between your AD DS and Microsoft 365 requires that your AD DS attributes are properly prepared. For example, you need to ensure that specific characters are not used in certain attributes that are synchronized with the Microsoft 365 environment. Unexpected characters do not cause directory synchronization to fail but might return a warning. Invalid characters will cause directory synchronization to fail.

Directory synchronization will also fail for a user if one of that user's attributes that must be unique duplicates the value on another object. Each user must have unique values for those attributes.

The attributes that you need to prepare are as follows:

  • displayName
    • If the attribute exists in the user object, it will be synchronized with Microsoft 365.
    • If this attribute exists in the user object, there must be a value for it. That is, the attribute must not be blank.
    • Maximum number of characters: 256
  • givenName
    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
    • Maximum number of characters: 64
  • mail
    • The attribute value must be unique within the directory.
      • If there are duplicate values, the first user with the value is synchronized; subsequent users will not appear in Microsoft 365. Both users appear only after the duplicate is resolved, either by changing the value in Microsoft 365 or by changing the values in AD DS so that they are unique.
  • mailNickname (Exchange alias)
    • The attribute value cannot begin with a period (.).
    • The attribute value must be unique within the directory.
      • Underscores ("_") in the synchronized value indicate that the original value of this attribute contained invalid characters, which were replaced.
  • proxyAddresses
    • Multiple-value attribute
    • Maximum number of characters per value: 256
    • The attribute value must not contain a space.
    • The attribute value must be unique within the directory.
    • Invalid characters: < > ( ) ; , [ ] "
      • Invalid characters apply to the characters following the type delimiter and ":", such that SMTP:User@contoso.com is allowed, but SMTP:user:M@contoso.com is not. All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards. Remove duplicate or unwanted addresses if they exist.
  • sAMAccountName
    • Maximum number of characters: 20
    • The attribute value must be unique within the directory.
    • Invalid characters (the square brackets are themselves invalid): [ ] \ " | , / : < > + = ; ? * '
    • If a user has an invalid sAMAccountName attribute but has a valid userPrincipalName attribute, the user account is created in Microsoft 365.
    • If both sAMAccountName and userPrincipalName are invalid, the AD DS userPrincipalName attribute must be updated.
  • sn (surname)
    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
  • targetAddress
    • If the targetAddress attribute is populated for a user (for example, SMTP:tom@contoso.com), that address must appear in the Microsoft 365 GAL. In third-party messaging migration scenarios this requires the Microsoft 365 (Exchange) schema extension for AD DS. That schema extension also adds other attributes that are useful for managing Microsoft 365 objects from AD DS through directory synchronization; for example, msExchHideFromAddressLists, which hides mailboxes or distribution groups from address lists.
    • Maximum number of characters: 256
    • The attribute value must not contain a space.
    • The attribute value must be unique within the directory.
    • Invalid characters: \ < > ( ) ; , [ ] "
    • All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
  • userPrincipalName
    • The userPrincipalName attribute must be in the Internet-style sign-in format where the user name is followed by the at sign (@) and a domain name: for example, user@contoso.com. All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
    • The maximum number of characters for the userPrincipalName attribute is 113.
    • A specific number of characters are permitted before and after the at sign (@), as follows:
      • Maximum number of characters for the username that is in front of the at sign (@): 64
      • Maximum number of characters for the domain name following the at sign (@): 48
    • Invalid characters: \ % & * + / = ? { } | < > ( ) ; : , [ ] "
    • Characters allowed: A-Z, a-z, 0-9, ' . - _ ! # ^ ~
    • Letters with diacritical marks, such as umlauts, accents, and tildes, are invalid characters.
    • The @ character is required in each userPrincipalName value.
    • The @ character cannot be the first character in each userPrincipalName value.
    • The username cannot end with a period (.), an ampersand (&), a space, or an at sign (@).
    • The username cannot contain any spaces.
    • The UPN suffix must be a routable domain that is verified in your Azure AD tenant; non-routable suffixes such as contoso.local or an internal-only domain cannot be used. A user whose suffix is not verified in the tenant is synchronized with the tenant's default .onmicrosoft.com suffix instead, so add and assign a routable UPN suffix in AD DS before you sync.
    • Unicode characters outside the allowed set are converted to underscore characters during synchronization.
    • userPrincipalName cannot contain any duplicate values in the directory.
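The attribute rules above (and the uniqueness requirements in the cleanup tasks earlier) are easiest to apply consistently as a script run over every user before the first sync. The PowerShell below is an added example, not code from the original post: it encodes the length, invalid-character, UPN-format and directory-wide uniqueness rules listed on this page and reports one finding per violation. It runs offline on the constructed sample users at the bottom; the verified-suffix list, the DNS-label pattern used for the UPN domain part, the simplified "well-formed SMTP address" pattern, and the sample users are assumptions. In production, pass Get-ADUser output (with the relevant -Properties) to Test-SyncReadiness.

```powershell
# Added example, not from the original post: check user objects against the
# attribute rules listed above (lengths, invalid characters, UPN format,
# uniqueness) before the first sync. It runs offline on the constructed sample
# below; in production pass Get-ADUser output in. $VerifiedSuffixes, the
# domain-label pattern, the SMTP address pattern and the sample users are assumptions.

$VerifiedSuffixes = @('contoso.com')   # assumed: domains verified in the tenant

# Maximum length and rejected characters per attribute, from the list above.
# proxyAddresses rules apply to the part after the 'TYPE:' delimiter.
$Rules = @{
    displayName    = @{ Max = 256; Invalid = '' }
    givenName      = @{ Max = 64;  Invalid = '' }
    sAMAccountName = @{ Max = 20;  Invalid = '[]\"|,/:<>+=;?*''' }
    targetAddress  = @{ Max = 256; Invalid = '\<>();,[]" ' }
    proxyAddresses = @{ Max = 256; Invalid = '<>();,[]" ' }
}

function Get-UpnProblems([string] $Upn) {
    $p = [System.Collections.Generic.List[string]]::new()
    if ($Upn.Length -gt 113) { $p.Add('longer than 113 characters') }
    $at = $Upn.IndexOf('@')
    if ($at -lt 1) { $p.Add('must contain @, and not as the first character'); return $p }
    $name, $domain = $Upn.Substring(0, $at), $Upn.Substring($at + 1)
    if ($name.Length -gt 64)   { $p.Add('username longer than 64 characters') }
    if ($domain.Length -gt 48) { $p.Add('domain longer than 48 characters') }
    # Allowed set: A-Z a-z 0-9 ' . - _ ! # ^ ~ ; anything else, including
    # accented letters and spaces, is rejected.
    if ($name -cnotmatch '^[A-Za-z0-9''.\-_!#^~]+$') { $p.Add('username has a character outside the allowed set') }
    if ($name -match '[.& ]$') { $p.Add('username ends with a period, ampersand or space') }
    # Domain part: DNS labels only (assumed), and it must be a verified, routable suffix.
    if ($domain -cnotmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $p.Add('domain is not a valid DNS name') }
    if ($domain -notin $VerifiedSuffixes) { $p.Add("suffix '$domain' is not a verified routable domain") }
    return $p
}

function Test-SyncReadiness([object[]] $Users) {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($User, $Attribute, $Problem) {
        $findings.Add([pscustomobject]@{ User = $User; Attribute = $Attribute; Problem = $Problem })
    }

    foreach ($u in $Users) {
        $id = $u.sAMAccountName
        foreach ($attr in 'displayName', 'givenName', 'sAMAccountName', 'targetAddress') {
            $value = [string]$u.$attr
            if (-not $value) { continue }
            $rule = $Rules[$attr]
            if ($value.Length -gt $rule.Max) { Add-Finding $id $attr "longer than $($rule.Max) characters" }
            if ($rule.Invalid -and $value.IndexOfAny($rule.Invalid.ToCharArray()) -ge 0) { Add-Finding $id $attr 'contains an invalid character' }
        }
        if ([string]$u.mailNickname -like '.*') { Add-Finding $id 'mailNickname' 'begins with a period' }
        foreach ($addr in @($u.proxyAddresses | Where-Object { $_ })) {
            $body = $addr.Substring($addr.IndexOf(':') + 1)          # rules apply after 'SMTP:' etc.
            if ($addr.Length -gt $Rules.proxyAddresses.Max) { Add-Finding $id 'proxyAddresses' "'$addr' longer than 256 characters" }
            if ($body.IndexOfAny($Rules.proxyAddresses.Invalid.ToCharArray()) -ge 0) { Add-Finding $id 'proxyAddresses' "'$addr' contains an invalid character" }
            # 'SMTP:user:M@contoso.com' from the text fails here: exactly one '@', no ':' or whitespace in the address (assumed simplification).
            if ($addr -match '^smtp:' -and $body -notmatch '^[^@\s:]+@[^@\s:]+$') { Add-Finding $id 'proxyAddresses' "'$addr' is not a well-formed SMTP address" }
        }
        $upn = [string]$u.userPrincipalName
        if (-not $upn) { Add-Finding $id 'userPrincipalName' 'missing; sAMAccountName must then be valid and unique' }
        else { foreach ($problem in @(Get-UpnProblems $upn)) { Add-Finding $id 'userPrincipalName' $problem } }
    }

    # Values that must be unique across the whole directory (compared case-insensitively).
    foreach ($attr in 'mail', 'mailNickname', 'sAMAccountName', 'userPrincipalName', 'targetAddress', 'proxyAddresses') {
        $pairs = foreach ($u in $Users) {
            foreach ($v in @($u.$attr)) { if ($v) { [pscustomobject]@{ User = $u.sAMAccountName; Value = $v } } }
        }
        $pairs | Group-Object { $_.Value.ToLowerInvariant() } | Where-Object Count -gt 1 | ForEach-Object {
            Add-Finding ($_.Group.User -join ', ') $attr "duplicate value '$($_.Group[0].Value)'"
        }
    }
    return $findings.ToArray()
}

# Constructed sample standing in for Get-ADUser -Properties mail,mailNickname,displayName,proxyAddresses output.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'tom';  userPrincipalName = 'tom@contoso.com';   mail = 'tom@contoso.com'
        mailNickname = 'tom';  displayName = 'Tom Müller'; proxyAddresses = @('SMTP:tom@contoso.com', 'smtp:t.mueller@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'ana';  userPrincipalName = 'ana@contoso.local'; mail = 'ana@contoso.com'
        mailNickname = '.ana'; displayName = 'Ana Silva';  proxyAddresses = @('SMTP:Tom@contoso.com') }
    [pscustomobject]@{ sAMAccountName = 'jorg'; userPrincipalName = 'jörg@contoso.com';  mail = 'jorg@contoso.com'
        mailNickname = 'jorg'; displayName = 'Jörg Weber'; proxyAddresses = @('SMTP:jorg @contoso.com') }
)
Test-SyncReadiness $sample | Format-Table -AutoSize
```

On the sample this reports ana's unverified contoso.local UPN suffix and leading-period mailNickname, the accented character in jorg's UPN username, the space in jorg's proxy address (both as an invalid character and as a malformed SMTP address), and the proxyAddresses value shared by tom and ana, which differs only in case. Nothing is changed by this script; it is the read-only pass you run repeatedly until it returns no findings, before letting the sync tool touch the tenant.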

Multi-Forest Directory Synchronization with GALsync

Preparing for and ultimately synchronizing contact and user data between Active Directory forests can be difficult, time-consuming, and error prone. GALsync can set up and maintain a sync across Active Directory or Azure AD environments, or even between Active Directory and Azure AD. Now, users in multi-forest deployments and/or merging organizations can find each other in a shared address book.

  • Sync users, contacts, Groups, attributes and more
  • Transfer the encrypted datafile via email, network share, or FTP
  • Manage how attributes are imported and exported
  • Modify target address, primary or secondary SMTP address
  • Automate the sync at pre-determined intervals
  • No Active Directory Trust required
  • No additional firewall port required
  • No additional software, services, hardware or databases required

Install and configure in less than one hour!

Access your FREE 14-day trial to establish a multi-forest directory sync.