Latest AAD Connect Removes On-Premises Disabled User Accounts from Azure AD

Shared Mailboxes Aren’t Important, Are They?

First reported by MVP Jeff Guillet, the recent release of AAD Connect includes a very nasty bug: it removes disabled Active Directory user accounts from Azure AD when it synchronizes information from the on-premises directory to the cloud. The issue here is that Exchange uses disabled user accounts for shared mailboxes. When synchronization occurs to remove the disabled user accounts, Exchange Online users can no longer access on-premises shared mailboxes because they’re not present in the GAL.

According to the release history for AAD Connect, on December 21, Microsoft acknowledged the problem and released version for download. This version is unavailable for auto upgrade.

Roll Back to Previous Version

If you’ve already deployed, possibly to explore the (preview) ability to synchronize objects from a single Active Directory forest to multiple Microsoft 365 tenants, Jeff recommends that you roll back to version instead (the software is available from his site). He knows more than I do about AAD Connect and it seems wise to revert to a stable version while Microsoft sorts out any issues which might still lurk in the new version.

A Lack of Testing

Given that the function of AAD Connect is to synchronize mail-enabled objects from on-premises directories to Microsoft 365 tenants, it’s both strange and troubling that Microsoft allowed this software to appear with such a fundamental flaw in place. Omitting shared mailboxes during synchronization cycles creates questions about the kind of testing regime Microsoft used. Perhaps the need to ship the software before Microsoft closed for the holidays meant that some shortcuts in testing crept in. For whatever reason, it’s not a good story.

Happy Holidays

Speaking of the holidays, this is likely the last post in the Office 365 for IT Pros blog for 2021. We’ll be back in 2022 to share information about Office 365 and the wider Microsoft 365 ecosystem in all its glory and occasional seedy bits. If you’re on vacation, enjoy the time off, and if you need to work to keep systems going, we hope you don’t have any major outages to deal with.

As for us, we need to get the January 2022 update done for the Office 365 for IT Pros eBook. That’s a train which keeps on chugging…

3 Replies to “Latest AAD Connect Removes On-Premises Disabled User Accounts from Azure AD”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.