
Azure AD Connect: msExchUserHoldPolicies and cloudMsExchUserHoldPolicies


- 12/30/2021
The following reference document describes these attributes used by Exchange and the proper way to edit the default sync rules.
What are msExchUserHoldPolicies and cloudMsExchUserHoldPolicies?
There are two types of holds available for an Exchange Server: Litigation Hold and In-Place Hold. When Litigation Hold is enabled, all mailbox items are placed on hold. An In-Place Hold is used to preserve only those items that meet the criteria of a search query that you defined by using the In-Place eDiscovery tool.
The msExchUserHoldPolicies and cloudMsExchUserHoldPolicies attributes allow on-premises AD and Azure AD to determine which users are under a hold, depending on whether they are using on-premises Exchange or Exchange Online.
msExchUserHoldPolicies synchronization flow
By default, msExchUserHoldPolicies is synchronized by Azure AD Connect directly to the msExchUserHoldPolicies attribute in the metaverse and then to the msExchUserHoldPolicies attribute in Azure AD.
The following tables describe the flow:
Inbound from on-premises Active Directory:
Active Directory attribute | Attribute name | Flow type | Metaverse attribute | Sync Rule |
---|---|---|---|---|
On-premises Active Directory | msExchUserHoldPolicies | Direct | msExchUserHoldPolicies | In from AD – User Exchange |
Outbound to Azure AD:
Metaverse attribute | Attribute name | Flow type | Azure AD attribute | Sync Rule |
---|---|---|---|---|
Azure Active Directory | msExchUserHoldPolicies | Direct | msExchUserHoldPolicies | Out to AAD – UserExchangeOnline |
cloudMsExchUserHoldPolicies synchronization flow
By default, cloudMsExchUserHoldPolicies is synchronized by Azure AD Connect directly to the cloudMsExchUserHoldPolicies attribute in the metaverse. Then, if msExchUserHoldPolicies is not null in the metaverse, the attribute is flowed out to Active Directory.
The following tables describe the flow:
Inbound from Azure AD:
Active Directory attribute | Attribute name | Flow type | Metaverse attribute | Sync Rule |
---|---|---|---|---|
On-premises Active Directory | cloudMsExchUserHoldPolicies | Direct | cloudMsExchUserHoldPolicies | In from AAD – User Exchange |
Outbound to on-premises Active Directory:
Metaverse attribute | Attribute name | Flow type | Azure AD attribute | Sync Rule |
---|---|---|---|---|
Azure Active Directory | cloudMsExchUserHoldPolicies | IF(NOT NULL) | msExchUserHoldPolicies | Out to AD – UserExchangeOnline |
Information on the attribute behavior
msExchUserHoldPolicies is a single authority attribute. A single authority attribute can be set on an object (in this case, a user object) in the on-premises directory or in the cloud directory. The Start of Authority rules dictate that if the attribute is synchronized from on-premises, then Azure AD will not be allowed to update this attribute.
To allow users to set a hold policy on a user object in the cloud, the cloudMsExchUserHoldPolicies attribute is used. This attribute is used because Azure AD cannot set msExchUserHoldPolicies directly based on the rules explained above. This attribute will then synchronize back to the on-premises directory if msExchUserHoldPolicies is not null, and replace the current value of msExchUserHoldPolicies.
Under certain circumstances, for instance if both were changed on-premises and in Azure at the same time, this could cause some issues.
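To confirm that a deployment still flows the hold attributes the way the tables above describe, the sync rules can be listed on the Azure AD Connect server. The following is an added example, not code from the original article or from Microsoft; it assumes the ADSync module that ships with Azure AD Connect and the rule and flow-mapping property names that `Get-ADSyncRule` returns there.

```powershell
# Added example. Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Case-insensitive match; this one pattern also matches cloudMsExchUserHoldPolicies.
$pattern = 'msExchUserHoldPolicies'

$report = foreach ($rule in Get-ADSyncRule) {
    foreach ($flow in $rule.AttributeFlowMappings) {
        # A flow is relevant when a hold attribute is its destination, one of
        # its sources, or is referenced inside an expression flow.
        $sources  = @($flow.Source) -join ', '
        $haystack = "$($flow.Destination) $sources $($flow.Expression)"
        if ($haystack -notmatch $pattern) { continue }

        [pscustomobject]@{
            Rule        = $rule.Name
            Direction   = $rule.Direction
            Precedence  = $rule.Precedence
            Disabled    = $rule.Disabled
            Standard    = $rule.IsStandardRule   # False for custom or cloned rules
            Source      = $sources
            Destination = $flow.Destination
            FlowType    = $flow.FlowType
            Expression  = $flow.Expression
        }
    }
}

# Full view, for comparison against the four documented flows.
$report | Sort-Object Direction, Precedence | Format-List

# Anything here changes how hold policies move between directories:
# a disabled default rule, or a custom rule that also touches the attribute.
# A lower precedence number wins when several rules contribute the same attribute.
$review = $report | Where-Object { $_.Disabled -or -not $_.Standard }
if ($review) {
    Write-Warning 'Hold-policy flows differ from the default sync rules:'
    $review | Format-Table Rule, Direction, Precedence, Disabled, Standard -AutoSize
} else {
    Write-Output 'Only enabled default rules flow the hold-policy attributes.'
}
```

The script only reads the rule configuration; it makes no changes to the sync rules or to either directory.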
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.