Gepard
Copper Contributor
Sep 27, 2025

Meeting rooms - end of synchronization with AD

Hi all,

We have a hybrid environment, and the meeting rooms are "physically" in Exchange Online—I can no longer see them on the on-premises Exchange server. However, they are still synchronizing from AD.

What do I need to do to ensure that the meeting rooms are completely in Exchange Online and do not synchronize from AD? So that the "point of truth" is in Exchange Online?

Thank you for your tips.

1 Reply

  • LainRobertson
    Silver Contributor

    Hi Gepard,

     

    Conceptually, there are three options:

     

    1. End synchronisation from AD to Entra ID (formerly Azure AD);
    2. De-scope or delete the AD-side object, then recover it from the Entra ID recycle bin;
    3. Create a new Entra ID-native replacement mailbox and migrate all content to it.

     

    1. End synchronisation from AD to Entra ID

    Do not do this unless your organisation is ready to cease all synchronisation from AD to Entra ID.

    My assumption from how you've written the question is that you are not yet ready for this and it's not a process you simply play with through a dry run. I'm only mentioning it for completeness, where you can read more about the process itself here:

     

     

    Technically, you can disable AD synchronisation, mess around with AD objects to achieve your objective and then re-enable AD synchronisation again, however, I wouldn't recommend this for most scenarios or where you're not familiar with how the underlying synchronisation engine works.

     

    2. De-scope or delete the AD-side object, then recover it from the Entra ID recycle bin

    This is the option I'd recommend for your specific scenario.

    De-scoping refers to the process of moving the AD object to an organisational unit that is not selected for synchronisation to Entra ID (which is configured in Entra ID Connect or Cloud Sync).

    Deleting the AD object needs no explanation as it's exactly what it sounds like.

    De-scoping is the more convenient option out of the two since it makes rolling back the change a little easier but ultimately they result in the same impact on the Entra ID account, which is that it is soft-deleted.

     

    Once Entra ID Connect (or Cloud Sync if you're using that) soft-deletes the account(s), you can then restore them using the Microsoft-documented process, where the end result is that the restored account is converted to being a cloud-native account and no longer has a relationship to the de-scoped/deleted AD account:

     

     

    The generic downside to this process is that it triggers licencing plan deprovisioning (when it's soft-deleted) and then provisioning (when it's restored). For important user/service/application accounts, this may require extra care in planning the execution and timing, but it's unlikely a room (or any other kind of resource mailbox) will share any of these sensitivities, making it a safe, convenient option to leverage.

     

    It's worth noting this process can be fully scripted should you have many mailboxes to "convert". But initially, as the proof of concept, you'd validate the process manually using some low-risk resource mailboxes.

     

    3. Create a new Entra ID-native replacement mailbox and migrate all content to it

    I wouldn't recommend this option as it's actually the most complex and most likely to result in missed steps.

    Conceptually, it's easy enough:

     

    • Create a new Entra ID-native account and enable it in Exchange as a room resource mailbox;
    • Migrate all content and settings from the original room mailbox to this new mailbox;
    • De-scope or delete the original mailbox from AD.

     

    The second point is the one where gaps will potentially creep in and why I wouldn't normally recommend it over the de-scope/delete option above (option 2).

     

    Cheers,

    Lain
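
Option 2 from the reply above, scripted for a single low-risk room. This is an added example, not part of the original reply and not Microsoft's documented script. The UPN and OU are constructed placeholders, and it assumes the ActiveDirectory and Microsoft Graph PowerShell modules plus Entra Connect (not Cloud Sync) as the sync engine. It checks `OnPremisesSyncEnabled` after the restore rather than assuming the account came back cloud-native.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example. Both values below are constructed placeholders, not from the thread.
$RoomUpn    = 'room-poc@contoso.example'            # low-risk test room (assumed)
$UnsyncedOu = 'OU=NotSynced,DC=contoso,DC=example'  # OU outside the sync scope (assumed)

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$props = 'Id', 'UserPrincipalName', 'OnPremisesSyncEnabled'

# 1. Confirm the room is currently a synchronised object and keep its object ID.
$before = Get-MgUser -UserId $RoomUpn -Property $props
if (-not $before.OnPremisesSyncEnabled) {
    throw "$RoomUpn is not synchronised from AD; nothing to convert."
}

# 2. De-scope: move the AD object out of the synchronised OUs.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$RoomUpn'"
if (-not $adUser) { throw "No AD object found for $RoomUpn." }
# Parent container of the object (split on the first unescaped comma), kept for rollback.
$originalOu = ($adUser.DistinguishedName -split '(?<!\\),', 2)[1]
Write-Host "Rollback target if needed: $originalOu"
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $UnsyncedOu

# 3. Wait for a sync cycle to soft-delete the Entra ID account. To avoid waiting for the
#    scheduler, run 'Start-ADSyncSyncCycle -PolicyType Delta' on the Entra Connect server.
$deadline = (Get-Date).AddMinutes(45)
do {
    Start-Sleep -Seconds 60
    $deleted = Get-MgDirectoryDeletedItemAsUser -DirectoryObjectId $before.Id -ErrorAction SilentlyContinue
} until ($deleted -or (Get-Date) -gt $deadline)
if (-not $deleted) { throw "No soft-deleted object for $RoomUpn yet; check the sync scope." }

# 4. Restore the account from the Entra ID recycle bin.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $before.Id | Out-Null

# 5. Verify instead of assuming: the restored account should no longer be flagged as synced.
$after = Get-MgUser -UserId $before.Id -Property $props
if ($after.OnPremisesSyncEnabled) {
    Write-Warning "$($after.UserPrincipalName) is still flagged as synchronised; investigate before converting more rooms."
} else {
    Write-Host "$($after.UserPrincipalName) restored and no longer flagged as synchronised."
}
```

Keep the de-scoped AD object out of the sync scope afterwards, and record the printed rollback OU alongside the change ticket.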
