Office 365 Exchange Attribute migration between forests

Back in late 2012 / early 2013 I created a number of documents on advanced identity integration with Office 365 using FIM and the Windows Azure Active Directory (WAAD) Management Agent. That guidance is now available on TechNet here:

https://aka.ms/WAADFIMQuickStart

https://aka.ms/WAADTechRef

One of the many advantages of migrating a traditional account forest / resource forest model to Office 365 is the ability to collapse the resource forest once the migration is complete.

Many of my customers have expressed an interest in syncing Exchange attributes from the resource forest to the account forest outside of FIM or the DirSync appliance, so I thought I would provide a summary of the Exchange resource forest attributes you may want to consider syncing, along with some sample PowerShell code to accomplish it.

Columns: User = standard AD user object; Mbx = mailbox-enabled user; Mail = mail-enabled user; DL = distribution list; Contact = contact. An x means the attribute applies to that object type.

AD Property Name                         | User | Mbx | Mail | DL | Contact
-----------------------------------------|------|-----|------|----|--------
Assistant                                | x    | x   | x    |    | x
C                                        | x    | x   | x    |    | x
Cn                                       | x    | x   | x    | x  | x
Co                                       | x    | x   | x    |    |
company                                  | x    | x   | x    |    | x
countrycode                              | x    | x   | x    |    | x
department                               | x    | x   | x    |    | x
description                              | x    | x   | x    | x  | x
displayName                              | x    | x   | x    | x  | x
dLMemRejectPerms                         |      | x   | x    | x  | x
dLMemSubmitPerms                         |      | x   | x    | x  | x
extensionAttribute1                      | x    | x   | x    | x  | x
extensionAttribute2                      | x    | x   | x    | x  | x
extensionAttribute3                      | x    | x   | x    | x  | x
extensionAttribute4                      | x    | x   | x    | x  | x
extensionAttribute5                      | x    | x   | x    | x  | x
extensionAttribute6                      | x    | x   | x    | x  | x
extensionAttribute7                      | x    | x   | x    | x  | x
extensionAttribute8                      | x    | x   | x    | x  | x
extensionAttribute9                      | x    | x   | x    | x  | x
extensionAttribute10                     | x    | x   | x    | x  | x
extensionAttribute11                     | x    | x   | x    | x  | x
extensionAttribute12                     | x    | x   | x    | x  | x
extensionAttribute13                     | x    | x   | x    | x  | x
extensionAttribute14                     | x    | x   | x    | x  | x
extensionAttribute15                     | x    | x   | x    | x  | x
facsimileTelephoneNumber                 | x    | x   | x    |    | x
givenName                                | x    | x   | x    |    | x
GroupType                                |      |     |      | x  |
hideDLMembership                         |      |     |      | x  |
homeMDB                                  |      | x   |      |    |
homePhone                                | x    | x   | x    |    | x
info                                     | x    | x   | x    | x  | x
initials                                 | x    | x   | x    |    | x
ipPhone                                  | x    | x   | x    |    | x
isCriticalSystemObject                   | x    | x   | x    | x  |
legacyExchangeDN                         |      | x   | x    | x  | x
Mail                                     |      | x   | x    |    | x
mailNickname                             |      | x   | x    | x  | x
managedBy                                |      |     |      | x  |
Manager                                  | x    | x   | x    |    | x
Member                                   |      |     |      | x  |
Mobile                                   | x    | x   | x    |    | x
MsExchArchiveGUID                        |      | x   | x    |    |
MsExchArchiveName                        |      | x   | x    |    |
msExchAssistantName                      |      | x   | x    |    | x
msExchAuditAdmin                         |      | x   | x    | x  | x
msExchAuditDelegate                      |      | x   | x    | x  | x
msExchAuditDelegateAdmin                 |      | x   | x    | x  | x
msExchAuditOwner                         |      | x   | x    | x  | x
msExchBypassAudit                        |      | x   | x    | x  | x
MsExchBypassModerationFromDLMembersLink  |      | x   | x    | x  | x
MsExchBypassModerationLink               |      | x   | x    | x  | x
msExchDelegateListLink                   |      | x   | x    |    | x
msExchELCExpirySuspensionEnd             |      | x   | x    |    | x
msExchELCExpirySuspensionStart           |      | x   | x    |    | x
msExchELCMailboxFlags                    |      | x   | x    |    | x
MsExchEnableModeration                   |      | x   | x    | x  | x
MsExchGroupDepartRestriction             |      |     |      | x  |
MsExchGroupJoinRestriction               |      |     |      | x  |
msExchHideFromAddressLists               |      | x   | x    | x  | x
MsExchImmutableID                        |      | x   | x    |    |
msExchLitigationHoldDate                 |      | x   | x    |    | x
msExchLitigationHoldOwner                |      | x   | x    |    | x
msExchMailboxAuditEnable                 |      | x   |      |    |
msExchMailboxAuditLogAgeLimit            |      | x   | x    |    |
MsExchMailboxGuid                        |      | x   | x    |    |
MsExchModeratedByLink                    |      | x   | x    | x  | x
MsExchModerationFlags                    |      | x   | x    | x  | x
msExchRecipientDisplayType               |      | x   | x    | x  | x
msExchRecipientTypeDetails               |      | x   | x    | x  | x
msExchRemoteRecipientType                |      | x   | x    | x  | x
MsExchRemoteRecipientType                |      | x   | x    |    |
msExchRequireAuthToSendTo                |      | x   | x    | x  | x
MsExchResourceCapacity                   |      | x   | x    |    |
MsExchResourceDisplay                    |      | x   | x    |    |
MsExchResourceMetaData                   |      | x   | x    |    |
MsExchResourceSearchProperties           |      | x   | x    |    |
msExchRetentionComment                   |      | x   | x    |    | x
msExchRetentionURL                       |      | x   | x    |    | x
MsExchSafeRecipientsHash                 |      | x   | x    |    |
MsExchSenderHintTranslations             |      | x   | x    | x  | x
msOrg-IsOrganizational                   |      |     |      | x  |
msRTCSIP-DeploymentLocator               |      | x   | x    |    | x
msRTCSIP-Line                            |      | x   | x    |    | x
msRTCSIP-PrimaryUserAddress              |      | x   | x    |    | x
msRTCSIP-UserEnabled                     |      | x   | x    |    | x
objectGUID                               | x    | x   | x    | x  | x
oOFReplyToOriginator                     |      |     |      | x  |
otherFacsimileTelephoneNumber            | x    | x   | x    |    | x
otherHomePhone                           | x    | x   | x    |    | x
otherIpPhone                             | x    | x   | x    |    | x
otherMobile                              | x    | x   | x    |    | x
otherPager                               | x    | x   | x    |    | x
otherTelephone                           | x    | x   | x    |    | x
PersonalPager                            | x    | x   | x    |    | x
personalTitle                            | x    |     |      |    |
photo                                    | x    |     |      |    |
physicalDeliveryOfficeName               | x    | x   | x    |    | x
postalCode                               | x    | x   | x    |    | x
postOfficeBox                            | x    | x   | x    |    | x
preferredLanguage                        | x    | x   | x    |    |
PublicDelegates                          | x    | x   | x    | x  | x
samAccountName                           | x    | x   | x    |    |
Sn                                       | x    | x   | x    |    | x
St                                       | x    | x   | x    |    | x
streetAddress                            | x    | x   | x    |    | x
targetAddress                            |      | x   | x    |    | x
TelephoneAssistant                       | x    | x   | x    |    | x
telephoneNumber                          | x    | x   | x    |    | x
thumbnailPhoto                           | x    | x   | x    |    | x
title                                    | x    | x   | x    |    | x
unauthOrig                               | x    | x   | x    | x  | x
url                                      | x    | x   | x    |    | x
userPrincipalName                        | x    | x   | x    |    |
wWWHomePage                              | x    | x   | x    | x  |

Please remember that this is NOT a list of all AD attributes, nor do you NEED to copy all of these attributes.

The list of attributes synced by DirSync can be found here: https://aka.ms/AzureAttribs

Now for the PowerShell code:

This script grabs all the users in the target forest, matches each one with the corresponding user in the source forest on the mail attribute, and copies a few attributes. You will need to update the list of attributes you want to copy.

# Source forest is the Exchange Resource Forest (Get-Credential prompts for the password and returns a PSCredential)
$Source = Connect-QADService sourcedomain.local -Credential (Get-Credential "sourcedomain\Administrator")

# Target forest is the Account Forest
$Target = Connect-QADService targetdomain.local -Credential (Get-Credential "targetdomain\Administrator")

# Create an array of all users in the targetdomain.local\Users OU, only capturing sAMAccountName, objectSid and mail.
# -SizeLimit 0 removes the default 1000-object result cap; users with no mail value cannot be matched, so they are skipped.
$users = Get-QADUser -Connection $Target -SearchRoot "OU=users,DC=targetdomain,DC=local" -SizeLimit 0 `
    -IncludedProperties "objectSid","sAMAccountName","mail" | Where-Object { $_.mail }

# Loop, match on mail, and set attributes via the -ObjectAttributes hashtable method
foreach ($user in $users)
{
    # Look up the source (resource forest) user by e-mail address
    $SourceUser = Get-QADUser -Email $user.mail -Connection $Source `
        -IncludedProperties "mail","msExchMasterAccountSID","extensionAttribute1","extensionAttribute2"

    # Skip accounts with no (or more than one) match so blanks are never written to the target
    if (@($SourceUser).Count -ne 1)
    {
        Write-Warning "No unique match in source forest for $($user.mail)"
        continue
    }

    # Update the target user; extend this hashtable with the attributes you want to copy
    Set-QADUser -Identity $user.DN -Connection $Target -ObjectAttributes @{
        extensionAttribute1 = $SourceUser.extensionAttribute1
        extensionAttribute2 = $SourceUser.extensionAttribute2
    }
}


I use the Quest PowerShell cmdlets; you can get those here: http://www.quest.com/powershell/activeroles-server.aspx

One final note: scripts here are "use at your own risk"; you should test thoroughly in an isolated environment before running them in your production environment, and you should always make a backup before making ANY changes, as well as validate that backup and know how to restore it if needed.
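As an added example (not part of the original post or the Quest toolkit), the following read-only companion to the script above uses the built-in ActiveDirectory module instead of the Quest cmdlets: it previews which of the chosen attributes the copy would change and exports a CSV backup of the target users' current values before anything is written. The domain names and OU are the ones used above; the backup path, the credential accounts and the attribute list are placeholders to adjust.

```powershell
# Added example: read-only preview and backup of the attribute copy, using the built-in
# ActiveDirectory module instead of the Quest cmdlets. Nothing is written to either forest.
Import-Module ActiveDirectory

$SourceDomain = "sourcedomain.local"    # Exchange resource forest (placeholder)
$TargetDomain = "targetdomain.local"    # account forest (placeholder)
$TargetOU     = "OU=users,DC=targetdomain,DC=local"
$BackupCsv    = ".\target-attributes-before-copy.csv"   # placeholder path
# Attributes to copy, picked from the table above; extend as needed
$Attributes   = "extensionAttribute1", "extensionAttribute2", "msExchHideFromAddressLists", "msExchRecipientTypeDetails"

$SourceCred = Get-Credential "$SourceDomain\Administrator"
$TargetCred = Get-Credential "$TargetDomain\Administrator"

# Only target users that carry a mail value can be matched, so filter them server-side
$targetUsers = Get-ADUser -Server $TargetDomain -Credential $TargetCred -SearchBase $TargetOU `
    -LDAPFilter "(mail=*)" -Properties (@("mail") + $Attributes)

$report = foreach ($user in $targetUsers) {
    # Escape RFC 4515 metacharacters so an odd address cannot alter the LDAP filter
    $mail = $user.mail -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $src  = @(Get-ADUser -Server $SourceDomain -Credential $SourceCred -LDAPFilter "(mail=$mail)" -Properties $Attributes)
    if ($src.Count -ne 1) {
        Write-Warning "$($user.mail): $($src.Count) matches in $SourceDomain, skipped"
        continue
    }
    foreach ($attr in $Attributes) {
        $before = "$($user.$attr)"      # stringify so empty and multi-valued attributes compare cleanly
        $after  = "$($src[0].$attr)"
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Mail           = $user.mail
            Attribute      = $attr
            Before         = $before
            After          = $after
            WouldChange    = ($before -ne $after)
        }
    }
}

# Full backup of the current target values (every row), then the subset the real copy would modify
$report | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8
$report | Where-Object WouldChange | Format-Table SamAccountName, Attribute, Before, After -AutoSize
```

Run it once before the copy and keep the CSV; restoring a value is then a matter of reading the Before column back with Set-ADUser -Replace for the affected attribute.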

 

Thanks!