Azure AD Connect unable to sync built-in Administrator account

In a recent project I came across a scenario where there was a requirement to synchronize the built-in Administrator account from the on-premise Active Directory into Azure AD.  Reason being was the built-in Administrator account was mailbox enabled, and there was a requirement to migrate the mailbox to Exchange Online (Office 365)

Problem

Azure AD Connect was installed and configure, successfully synchronized all user accounts and groups into Azure AD, with the exception of the built-in Administrator account.  There were no errors to indicate why the account would not synchronize.

This issue is described here

“You don’t receive an error message, and directory synchronization seems to be completed. However, some objects or attributes aren’t updated as expected”

Cause

The built-in administrator account has an attribute of “isCriticalSystemObject” set to True.  This can be seen in Active Directory Users and Computers

This attribute matches an exclusion in the Azure AD Connect synchronization rules.  This can be seen here

 

Solution

You might be tempted to edit the rules from the Azure AD Connect Synchronization Rules Editor so that the Azure AD Connect will not filter the objects whose isCriticalSystemObject being set to true during the synchronization.  The specific rule is the “In from AD – User Join” sync rule

Don’t do this.

If the goal is to migrate the mailbox of the built-in administrator account from on-premises to Exchange Online, then use the following approach:

 

  1. Create a new account in active directory, and allow to synchronize to Azure AD
  2. Disable the administrator mailbox

3. Reconnect the disabled administrator mailbox to the new user account

4. Migrate the new user account mailbox

Leave a Reply

Your email address will not be published. Required fields are marked *