The following is a list of issues, including those attributed to third-party products, known to exist at the time of this deployment.
Directory Sync known issues
| Known Issue | Issue ID |
|---|---|
| An attempt to install an older version of the agent software will fail if a newer version has already been successfully installed. If, for some reason, the older version is needed, first uninstall the newer version, then remove all registry references to the agent. | 8060 |
| The agent installer cannot accept a password with a first character of !. | 8122 |
| When discovery discovers an environment, it will read in the OU structure of all domains within the forest. The UI will show all domains and you can select them for use in all workflows. However, if a DC for that domain is not included, or the agent account does not have read access to the objects, they will not be read into the database. | 8077 |
| Cloud Only Security Groups are not read in when reading a cloud endpoint. | 22453 |
| User thumbnail photos do not sync to cloud environments. | 8069 |
| The PowerShell User Group should be added to the Tenant Group Filter as the Group Owner. A security group should not be used. | 8070 |
| An account with access to all domains within the forest is needed if you want to sync all domains within a single forest with a single agent. Using an enterprise admin account is the most efficient method for doing this. | 8073 |
| Mapping functions do not work with multivalued attributes. For example, (results(proxyaddresses,"x500:") will not return a true even if an X500 address is present. | 8075 |
| When a workflow for a cloud environment has been run once, but then has been idle for longer than 30 days, an error will be encountered when the job starts, and the job will fail and loop repeatedly until the retry count has been reached. | 8079 |
| In the German and Chinese Office365 tenants, Directory Sync will always do full synchronizations because the delta sync functionality is not available in these local tenants. | 8095 |
| An "Object with ID xyz was not found" error may occur when reading recently created Azure guest users due to the longer length of time for guest users to propagate. | 8101 |
| Remote Mailboxes from the source are incorrectly created in the target as Users instead of MailUsers. | 8102 |
| Delta syncs are limited to 30 days. To avoid full synchronization, a read in should be performed for all cloud environments every 29 days or less. | 8108 |
| Password sync does not support AES hashes. | 21796 |
| A template configured to sync a binary attribute to a non-binary attribute will not sync correctly. For example, if syncing Binary (ThumbnailPhoto) to String(ExtensionAttribute), the target attribute will be synced as "System.Byte[]" instead of the expected binary value converted into a string. | 15683 |
| A security group cannot be used as a filter group. | 8057 |
| When using filter groups for Cloud environments you need to ensure that a group containing any newly created objects is present in the environment filter. This can be accomplished by having a source and target filter group with the same name so they will match and synchronize between the environments. If these objects are not read in after creation, they will not have any additional updates synchronized and they will not be matched. | 8076 |
| When synchronizing local AD groups to Office 365 as Office 365 groups (Unified Groups) any contact in the source group will record an error in the logs and the contact will not appear in the target group. | 8081 |
| Office 365 Group settings are not copied to the target Office 365 Group. | 8104 |
| Likes for Office 365 Group conversations are not migrated. | 8122 |
| Custom schema attributes can be added to template mappings but are not visible in the drop-down selection list. | 8072 |
| All domains within an Active Directory Forest are visible within an environment when adding a single domain even though the agent account credentials may not have access to all domains. | 8074 |
| The DS-Core-Propagation-Data attribute is not synchronized by Directory Sync. The DS-Core-Propagation-Data attribute is a system attribute which is used by the Active Directory service and cannot and should not be modified by anything other than the directory itself. | 34400 |
| The mapping does not update the mailnickname attribute of Non mail-enabled security groups. | 34481 |
| Attribute filters cannot be applied to Security Groups. | 14933 |
| Cloud Environments that use Object Filter Exclusion options may see Unlicensed or Disabled Accounts read in when configured to Exclude Unlicensed or Disabled Accounts. This is because the AccountDisabled and SKUAssigned properties in Exchange Online Management are not always updated to reflect the true state of the object in Office365. | 35957, 36574 |
| Updates of non mail-enabled Security groups in Cloud to Local syncs fail due to an empty samAccountName value. | 37254 |
| Custom schema attributes can be added to template mappings, but are not visible in the drop-down selection list. | 52326 |
| Directory Sync will attempt to add Group Object as Owner to Teams/M365 and Distribution Group when the Group object shares similar name as the Group Owner. For M365 Groups and Teams, an error will be logged for these groups as they cannot be added as an owner. | 41463 |
| A directory operation error occurs when running a cloud to local workflow. | 42444 |
Active Directory known issues
| Known Issue | Issue ID |
|---|---|
| The Server 2016 Rollback action may break a user's profile if the user is not a member of the BUILTIN\Administrators group on the target machine. | 29544 |
| The Cleanup job should not be used with bi-directional match/sync configurations as it may incorrectly remove target ACLs. | 32588 |
| On a Windows 10 or Windows 11 device, when performing the AzureAD Cutover action, the migrated user profiles may lose some of the installed Windows Store application or other Provisioned AppX Packages. These packages will need to be reinstalled by the user after they logon to their target profile. | 36079 |
| An Azure AD device cannot be ReACLed if there is no matching group in mapping file. | 36124 |
| For AzureAD Device Cutover, Windows Hello for Business Setup cannot be completed when Source Account is a Direct Member of the Device BUILTIN\Administrators Group. | 36627 |
Domain Move known issues
| Known Issue | Issue ID |
|---|---|
| Domain Move can not move the domain if it is being used for Active Directory Federation Service(ADFS) between on-prem Active Directory and Azure Active Directory. | 35529 |
Domain Rewrite known issues
| Known Issue | Issue ID |
|---|---|
| Signed and encrypted messages will not be rewritten by the email rewrite service (ERS). | 8004 |
| When ERS is disabled, external email addresses of MEU's are not removed. | 40937 |