Office 365 – Distribution List Migration Version 2.0 – Part 20

Adding a new method of verifying the distribution list is directory synchronized.

When a distribution list is migrated to Office 365 there are several health check pre-requisites that are performed to ensure the migration will be successful. One of the checks that is performed is to ensure that the list being migrated is directory synchronized to Office 365.

 

The check is performed by capturing the distribution list configuration from Exchange Online and reviewing the flag isDirSynced. If the flag has a value of TRUE, the group is directory synchronized and is eligible for migration. If the value is FALSE, this would typically mean the group is not directory synchronized.

 

PS C:\> Get-DistributionGroup atestgroup200 | fl isDirSynced

IsDirSynced : True

 

In Exchange Online there is a forward synchronization process that is responsible for replicating attributes and changes from Azure Active Directory to the corresponding objects in Exchange Online. It was recently discovered that in some circumstances during the forward synchronization process a distribution list that is directory synchronized would be shown as not directory synchronized.

 

PS C:\> Get-DistributionGroup TestDirSync2 | fl isDirSynced

IsDirSynced : False

 

When a distribution list migration is performed under these circumstances the migration process fails. This is by design; the migration process should fail anytime a group migration is attempted and the group is not directory synchronized. The obvious problem is that the group IS directory synchronized.

 

This situation highlights that there could be additional factors that cause migrations to fail when they should not. The real source of authority for group information is Azure Active Directory. Version 2.6.0 of the DLConversionV2 migration module therefore adds a requirement to connect to Azure Active Directory and validate group information. In the function where directory synchronization is verified, if the flag in Exchange Online is set to false for any reason, the information from Azure Active Directory is validated. If that information shows the group is directory synchronized, the migration is allowed to proceed. If it confirms that the group is not directory synchronized, the migration fails. Here is a sample of the same group above from Azure Active Directory.

 

PS C:\> Get-AzureADGroup -SearchString TestDirSync2 | fl DirSyncEnabled

DirSyncEnabled : True
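
The fallback described above, sketched as an added example; it is not the DLConversionV2 module's own code. Test-GroupDirSynced is a hypothetical name, and the function assumes Connect-ExchangeOnline and Connect-AzureAD have already been run in the session.

```powershell
# Added example: hypothetical helper, not a DLConversionV2 function.
# Assumes existing Exchange Online and Azure AD sessions in this PowerShell window.
function Test-GroupDirSynced {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # First check: the flag Exchange Online reports for the group.
    $exoGroup = Get-DistributionGroup -Identity $Identity -ErrorAction Stop
    if ($exoGroup.IsDirSynced) {
        return [pscustomobject]@{
            Identity = $Identity; IsDirSynced = $true; Source = 'ExchangeOnline'
        }
    }

    # Exchange Online reports False. Forward synchronization may not reflect the
    # real state, so consult Azure AD, the source of authority for the group.
    # ExternalDirectoryObjectId ties the recipient to its Azure AD object; looking
    # up by object ID avoids -SearchString matching a different, similarly named group.
    if ([string]::IsNullOrEmpty($exoGroup.ExternalDirectoryObjectId)) {
        throw "Group '$Identity' has no ExternalDirectoryObjectId; cannot validate in Azure AD."
    }
    $aadGroup = Get-AzureADGroup -ObjectId $exoGroup.ExternalDirectoryObjectId -ErrorAction Stop

    # DirSyncEnabled is nullable and may be empty on a cloud-only group, so only
    # an explicit True counts as directory synchronized.
    $synced = ($aadGroup.DirSyncEnabled -eq $true)

    [pscustomobject]@{
        Identity = $Identity; IsDirSynced = $synced; Source = 'AzureAD'
    }
}

# Usage: stop before migrating unless one of the two sources confirms synchronization.
$result = Test-GroupDirSynced -Identity 'TestDirSync2'
if (-not $result.IsDirSynced) {
    throw "Group '$($result.Identity)' is not directory synchronized; migration halted."
}
Write-Host "Verified as directory synchronized via $($result.Source)."
```

Because both lookups use -ErrorAction Stop, a failed or unauthorized Azure AD query halts the check rather than letting the migration proceed on an unverified group.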

 

With version 2.6.0 there are additional installation requirements. The PowerShell module for Azure Active Directory is now required.

 

Install-Module AzureAD

 

When invoking a distribution list migration, you must now either specify credentials to connect to Azure Active Directory or you must specify the certificate authentication information necessary to complete the connection.

 

To specify credentials, use -AzureADCredential $cred -azureEnvironment <Name> (-azureEnvironment is optional and is used when connecting to a non-commercial Azure environment).

 

To specify certificate authentication, use -azureTenantID "TenantID" -azureApplicationID "AppID" -azureCertificateThumbprint "Thumbprint" -azureEnvironment <Name> (-azureEnvironment is optional and is used when connecting to a non-commercial Azure environment).

 

In most cases the same credential used for Exchange Online should have sufficient permissions for this operation. If there is a split delegation model, the account specified for Azure AD must have permissions to read group information and execute the Get-AzureADGroup cmdlet.
