The Truth About Public Folder Synchronization with Azure Active Directory

Friday, May 19, 2017

AAD Connect version 1.1.524.0 now syncs mail-enabled Public Folders to Azure Active Directory. And there was much rejoicing. "Behold," said hybrid Exchange Server administrators around the world, "I no longer need to manually run the Public Folder synchronization scripts to populate Office 365 with our Public Folders! This great tool does it for me!"

But lo, that is not the case. And there was much gnashing of teeth.

It turns out that AAD Connect 1.1.524.0 only does what the release notes say it does -- it syncs mail-enabled Public Folders with Azure AD. But Exchange Online uses EXODS, Exchange Online Directory Services, which syncs with Azure AD. At this time EXODS still does not sync mail-enabled Public Folders with Azure AD.

What does this all mean? 

Well, it means that if you sync mail-enabled Public Folders to AAD you can finally use Directory Based Edge Blocking (DBEB) in Exchange Online Protection (EOP). That's a big deal. When DBEB is enabled, EOP rejects at the edge any email addressed to a recipient that doesn't exist in your tenant's directory, greatly reducing spam and dictionary (directory harvest) attacks against your directory. Until now, customers with mail-enabled Public Folders couldn't use DBEB, because EOP would reject emails to those folders since they weren't synced to AAD. See Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders on the Exchange Team Blog for more details.

That's all well and good, but since EXODS doesn't sync mail-enabled Public Folder objects from AAD, you still need to run the Mail-Enabled Public Folders - Directory Sync Script to populate and configure Exchange Online for Public Folders.
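The practical risk here is turning on DBEB while some Public Folder addresses still aren't known to Exchange Online, at which point EOP silently rejects legitimate mail to them. The following is an added example, not part of the original post or of Microsoft's sync script (Sync-MailPublicFolders.ps1): a readiness check run in two halves, the first in an on-premises Exchange Management Shell to export every SMTP address on a mail-enabled Public Folder, the second in an Exchange Online PowerShell session to confirm each address resolves to a recipient and to report which accepted domains are Authoritative (the setting that enables DBEB). The file name `pf-addresses.txt` and the function name `Test-PublicFolderDbebReadiness` are assumptions chosen for this example; the cmdlets used are standard Exchange cmdlets.

```powershell
# --- Part 1: run on-premises (Exchange Management Shell) ---------------------
# Export the SMTP proxy addresses of every mail-enabled Public Folder.
# (pf-addresses.txt is an assumed file name for this example.)
Get-MailPublicFolder -ResultSize Unlimited |
    Select-Object -ExpandProperty EmailAddresses |
    ForEach-Object { [string]$_ } |
    Where-Object { $_ -match '^smtp:' } |          # -match is case-insensitive: smtp: and SMTP:
    ForEach-Object { $_.Substring(5) } |            # strip the "smtp:" prefix
    Sort-Object -Unique |
    Set-Content -Path .\pf-addresses.txt

# --- Part 2: run in an Exchange Online PowerShell session --------------------
function Test-PublicFolderDbebReadiness {
    <#
    .SYNOPSIS
      Reports Public Folder addresses that Exchange Online cannot resolve, and
      which accepted domains are Authoritative (DBEB enforced).
    #>
    param(
        [Parameter(Mandatory)][string]$AddressFile   # output of Part 1
    )

    $addresses = Get-Content -Path $AddressFile | Where-Object { $_.Trim() }
    $missing   = @()

    foreach ($addr in $addresses) {
        # Get-Recipient accepts an SMTP address as identity; no object back
        # means EOP with DBEB would reject mail to this address.
        $rcpt = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
        if (-not $rcpt) { $missing += $addr }
    }

    # Group the gaps by domain so they can be compared against DomainType.
    $domains = Get-AcceptedDomain | Select-Object DomainName, DomainType
    foreach ($d in $domains) {
        $gaps = $missing | Where-Object { $_ -like "*@$($d.DomainName)" }
        [pscustomobject]@{
            Domain        = $d.DomainName
            DomainType    = $d.DomainType            # Authoritative => DBEB active
            DbebActive    = ($d.DomainType -eq 'Authoritative')
            UnresolvedPFs = @($gaps).Count
            AtRisk        = ($d.DomainType -eq 'Authoritative' -and @($gaps).Count -gt 0)
        }
    }

    if ($missing) {
        Write-Warning ("{0} Public Folder address(es) not found in Exchange Online; " +
                       "run the Public Folder directory sync script before enabling DBEB:") -f $missing.Count
        $missing | ForEach-Object { Write-Warning "  $_" }
    }
}

# Example usage in the Exchange Online session:
# Test-PublicFolderDbebReadiness -AddressFile .\pf-addresses.txt | Format-Table -AutoSize
```

Any row with `AtRisk` set to True means the domain is already Authoritative while some of its Public Folder addresses are unknown to Exchange Online, so mail to those folders is being rejected at the edge right now; re-run the directory sync script and check again before (or immediately after) switching a domain from InternalRelay to Authoritative.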

Sometimes change comes slowly.