Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5111: Group objects created in Active Directory fail to synchronize to Office 365

Centrify Identity Service, App Edition ,  

12 April,16 at 10:31 AM

Applies to: Centrify Identity Service
 


Note: Before attempting to synchronize group objects using Centrify provisioning, the "Enable Hybrid Exchange Support" option within the Centrify for Office 365 app provisioning settings must be enabled. This option should be enabled regardless if Hybrid Exchange deployments (consisting of both an on-premises Exchange Server environment and Office 365 Exchange Online) are actually in use.



Problem:
 
An administrator creates a new distribution or security group in Active Directory to be provisioned to Office 365. When provisioning is performed, the synchronization report does not record any instances of the newly created group and the distribution group does not sync to Office 365.
 

Cause:

This issue can be caused by replication delays within the Active Directory environment, but the most common reason group objects would fail to sync relate to missing object attributes.


 
Solution:

Account attributes can be managed using the Active Directory Users and Computers (ADUC) console (when Advanced Features are enabled) or by using the ADSIEdit utility.

 Any object is filtered if:
  • Object is a conflict object (DN contains \0ACNF: )
SecurityEnabledGroup objects are filtered if:
  • isCriticalSystemObject attribute = TRUE
  • mail attribute is not present
  • Group has more than 15,000 immediate members
MailEnabledGroup objects are filtered if:
  • proxyAddresses attribute does not contain primary SMTP address AND mail attribute is empty or invalid
  • Group has more than 15,000 immediate members

For a complete list of account attributes synchronized by Centrify provisioning and object filter conditions, please refer to the below Centrify Knowledge articles:

For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.