Hybrid Identity

Changes to hybrid write-back export attribute flow in FIM-based directory synchronization solutions


Those of you who are implementing multi-forest directory synchronization or advanced directory synchronization using Forefront Identity Manager (FIM) 2010 R2 and the Windows Azure Active Directory (AAD) Connector should be aware that recent builds of the Windows Azure Active Directory Sync tool, a.k.a. DirSync, have added an extra Export Attribute Flow (EAF) to the Active Directory Management Agent (ADMA).

This change has been introduced because of an issue with Exchange Online hybrid deployments and litigation hold. If you have a FIM deployment synchronising on-premises identity to AAD for Office 365 (O365), and specifically for Exchange Online (EXO), you need to consider adding this EAF to your topology.


Basically, you need a direct EAF of msExchUserHoldPolicies from the metaverse to the on-premises AD that doesn't flow nulls, i.e. one with "Allow nulls" left unchecked so that an absent metaverse value never deletes the value already held on-premises:

The screen grab below illustrates the default DirSync configuration, although I appreciate that the text is pretty small given the restrictions of my CSS.

If you’re running a custom FIM implementation and an EXO hybrid topology you need to implement this flow.  I choose to configure all of my hybrid “write-back” EAFs as rules extension (advanced) flows, and control whether or not hybrid write-back is enabled via my XML configuration file (you might prefer a registry key), so my actual solution that I deploy with customers looks like this:
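As an added example (not the author's actual rules extension, which is in the screen grab), the following is a minimal FIM 2010 R2 rules extension for the ADMA that implements the msExchUserHoldPolicies write-back as an advanced flow: the value is only exported when it is present in the metaverse (the rules-extension equivalent of a direct flow with "Allow nulls" unchecked), and the whole flow is gated by a switch read from an XML file in the extensions directory. The config file name `HybridWriteBack.xml`, its element and attribute names, the class name and the flow rule name `ExportHoldPolicies` are assumptions for illustration; the `IMASynchronization` interface and `Utils.ExtensionsDirectory` are the real FIM API.

```csharp
// Added example, not the post's own code: FIM 2010 R2 rules extension for the AD MA
// implementing the msExchUserHoldPolicies hybrid write-back EAF as an advanced flow.
// Assumed for illustration: the file name HybridWriteBack.xml and its layout,
// the class name, and the flow rule name "ExportHoldPolicies".
using System;
using System.IO;
using System.Xml;
using Microsoft.MetadirectoryServices;

public class ADMAExtension : IMASynchronization
{
    // Flow rule name exactly as typed on the advanced export flow in the MA designer (assumed).
    private const string HoldPoliciesFlowRule = "ExportHoldPolicies";
    private const string HoldPoliciesAttribute = "msExchUserHoldPolicies";

    // Write-back stays off unless the config file explicitly enables it, so a
    // missing or malformed file can never cause an unintended write to AD.
    private bool hybridWriteBackEnabled;

    void IMASynchronization.Initialize()
    {
        hybridWriteBackEnabled = false;
        // Assumed file name; Utils.ExtensionsDirectory is the real FIM extensions folder.
        string configPath = Path.Combine(Utils.ExtensionsDirectory, "HybridWriteBack.xml");
        if (!File.Exists(configPath)) return;

        // Assumed layout: <config><hybridWriteBack enabled="true" /></config>
        XmlDocument doc = new XmlDocument();
        doc.Load(configPath);
        XmlNode node = doc.SelectSingleNode("/config/hybridWriteBack/@enabled");
        bool enabled;
        if (node != null && bool.TryParse(node.Value, out enabled))
            hybridWriteBackEnabled = enabled;
    }

    void IMASynchronization.Terminate() { }

    void IMASynchronization.MapAttributesForExport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case HoldPoliciesFlowRule:
                FlowHoldPolicies(csentry, mventry);
                break;
            default:
                throw new EntryPointNotImplementedException("Unknown export flow rule: " + FlowRuleName);
        }
    }

    // Equivalent of a direct flow with "Allow nulls" unchecked: copy the multi-valued
    // attribute only when the metaverse has a value; otherwise leave the on-premises
    // value untouched, so an empty metaverse value never becomes a delete in AD.
    private void FlowHoldPolicies(CSEntry csentry, MVEntry mventry)
    {
        if (!hybridWriteBackEnabled) return;                   // write-back switched off: no-op
        if (!mventry[HoldPoliciesAttribute].IsPresent) return; // null in the MV: do not flow

        csentry[HoldPoliciesAttribute].Values = mventry[HoldPoliciesAttribute].Values;
    }

    // The remaining members are not used by this MA. Throwing
    // EntryPointNotImplementedException tells the sync engine the method is not implemented.
    bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }
}
```

Two practical notes on this shape. The "doesn't flow nulls" guarantee lives entirely in the `IsPresent` check, so any other write-back flow you add to the same extension needs the same guard. And because the XML file now decides whether the sync engine writes into AD at all, protect it like the MA configuration itself: restrict its NTFS ACL to the synchronization service account and administrators, and treat a change to it as a change-controlled event.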

More information

I discuss the flows and the minimum permissions that need to be assigned in my post Office 365 Exchange Hybrid DIRSYNC write-back attributes and permissions. I have updated that post to reflect the new information in this post. The reason for the change is litigation hold: there is a need to bring the msExchUserHoldPolicies attribute value back to the on-premises Exchange infrastructure in hybrid deployments or off-boarding scenarios.

What is msExchUserHoldPolicies?

The msExchUserHoldPolicies attribute is added to the AD schema by either Exchange Server 2013 or Lync Server 2013. If you do not have the attribute then you obviously don't need to configure the flow, but you should reach out to an Exchange SME to see if it is an issue that you need to consider. Most hybrid deployments have the Exchange 2013 schema, so it is likely you will have what's needed to set up the flow and not have to worry about this.