
Archive for September, 2017

I recently had a challenge with a customer that had on-premises Skype for Business (SfB) and were looking to migrate to SfB Online. They did not want to federate the two infrastructures, but instead wanted to undertake a re-pointing of users at a given point in time by modifying the DNS records. When they introduced AAD Connect the default synchronisation included the SfB attributes, which is standard behaviour when AAD Connect detects that the schema extensions for SfB are present in on-premises AD. The presence of SfB-related user attribute values in the synchronisation flow caused SfB Online to detect all existing SfB on-premises users as hybrid. It meant my customer could not assign SfB Online access to synchronised users, which would have been a problem for testing the cut-over. The workaround for this was to modify the AAD Connect synchronisation rules to set the SfB attribute values to null.  The steps implemented to achieve this are shown below.

1. Stop the AAD Connect sync scheduler. 

From an elevated PowerShell prompt, run the following command:

Set-ADSyncScheduler -SyncCycleEnabled $false

2. Open the Synchronisation Rules Editor and create an editable copy of the ‘In from AD – User Lync’ inbound synchronisation rule.



3. Set the new rule to have a higher precedence (lower numeric value) than the original rule. 



4. Leave the scoping filter as is, i.e. no change.



5. Leave the join rules as is, i.e. no change.



6. Edit the transformation for each of the shown values.  Change the flow type to Expression and the source to Authoritative Null.



7. Save the rule.

8. Start the AAD Connect sync scheduler and run a full (initial) synchronisation by running the following PowerShell commands:

Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

9. Confirm that the synchronised users no longer appear as hybrid users in SfB Online. Run the following PowerShell command:

Get-CsOnlineUser | ft userprincipalname, interpretedusertype -AutoSize

Note. This command requires the Skype for Business Online Windows PowerShell Module, available here.

The output should show your synchronised users with an InterpretedUserType of ‘NoService’. If any appear as ‘HybridOnPrem’ then the custom synchronisation rule has not taken effect.

The synchronised users should now be available to enable for Skype for Business Online.
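The checks in steps 3, 6, 8 and 9 can be run together after the full synchronisation completes. The script below is an added example, not part of the original post, and it only reads configuration. It assumes it is run on the AAD Connect server with the ADSync module available, that a Skype for Business Online PowerShell session is already connected in the same console, and that the name of the copied rule still contains 'User Lync'.

```powershell
# Added example: read-only verification of the procedure above.
Import-Module ADSync

# Step 8: the scheduler should be enabled again.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning 'Sync scheduler is still disabled (see step 8).'
}

# Step 3: list the original rule and its copy, lowest precedence value first.
# Assumption: both names still contain 'User Lync'.
$rules = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Name -like '*User Lync*' } |
    Sort-Object Precedence
$rules | Format-Table Name, Precedence, Disabled -AutoSize

if (@($rules).Count -lt 2) {
    Write-Warning 'Expected the original rule and an editable copy; found fewer than two.'
}

# Step 6: the winning rule is the enabled one with the lowest precedence value.
# List any attribute flow in it that is not Expression / AuthoritativeNull.
$winner = $rules | Where-Object { -not $_.Disabled } | Select-Object -First 1
if ($winner) {
    $notNull = $winner.AttributeFlowMappings | Where-Object {
        $_.FlowType -ne 'Expression' -or $_.Expression -ne 'AuthoritativeNull'
    }
    if ($notNull) {
        Write-Warning "Flows in '$($winner.Name)' that still carry a value:"
        $notNull | Format-Table Destination, FlowType, Expression -AutoSize
    }
}

# Step 9: summarise how SfB Online interprets the synchronised users.
$users = Get-CsOnlineUser
$users | Group-Object InterpretedUserType |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Any user still reported as HybridOnPrem means the custom rule has not taken effect.
$hybrid = $users | Where-Object { $_.InterpretedUserType -like 'HybridOnPrem*' }
if ($hybrid) {
    Write-Warning "$(@($hybrid).Count) user(s) still detected as hybrid:"
    $hybrid | Format-Table UserPrincipalName, InterpretedUserType -AutoSize
} else {
    Write-Output 'No synchronised users are reported as HybridOnPrem.'
}
```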


Hopefully, this has been useful to you.  Let me know if you have any corrections or suggestions for improvements by adding a comment.


Last week I came across an issue when attempting to create a new custom synchronisation rule in Azure AD Connect. When I tried to finish the wizard and add the rule, I received the error: “Object reference not set to an instance of an object”.


The workaround is to add a tag to the rule on the Description page, as shown below.  The tag doesn’t need to be meaningful.


The issue appears to be specific to version 1.1.561.0 (July 2017) of AAD Connect. It wasn’t a problem in previous versions and it has been addressed in version 1.1.614.0 (September 2017).

For the latest AAD Connect versions and the version history, see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history