Azure AD Connect unable to sync built-in Administrator account

In a recent project I came across a scenario where there was a requirement to synchronize the built-in Administrator account from the on-premises Active Directory into Azure AD. The reason was that the built-in Administrator account was mailbox-enabled, and there was a requirement to migrate the mailbox to Exchange Online (Office 365).

Problem

Azure AD Connect was installed and configured, and it successfully synchronized all user accounts and groups into Azure AD, with the exception of the built-in Administrator account. There were no errors to indicate why the account would not synchronize.

This issue is described here

“You don’t receive an error message, and directory synchronization seems to be completed. However, some objects or attributes aren’t updated as expected”

Cause

The built-in Administrator account has the attribute “isCriticalSystemObject” set to True. This can be seen in Active Directory Users and Computers.

This attribute matches an exclusion in the Azure AD Connect synchronization rules, so the object is silently filtered out rather than reported as an error. This can be seen here.


Solution

You might be tempted to edit the rules in the Azure AD Connect Synchronization Rules Editor so that Azure AD Connect no longer filters out objects whose isCriticalSystemObject attribute is set to True during synchronization. The specific rule is the “In from AD – User Join” sync rule.

Don’t do this.

If the goal is to migrate the mailbox of the built-in administrator account from on-premises to Exchange Online, then use the following approach:


  1. Create a new account in Active Directory and allow it to synchronize to Azure AD.
  2. Disable the Administrator mailbox.
  3. Reconnect the disabled Administrator mailbox to the new user account.
  4. Migrate the new user account's mailbox.
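The following PowerShell is an added example, not part of the original post: it first lists the mail-enabled AD users carrying isCriticalSystemObject=TRUE (the objects the default rule will skip without an error), then carries out steps 1 to 3 above with the on-premises Exchange cmdlets. It assumes the ActiveDirectory module and an Exchange Management Shell session; the account name, UPN suffix and database name are placeholders.

```powershell
# Added example (not the post's own code). Assumes RSAT ActiveDirectory module
# and an on-premises Exchange Management Shell. All names below are placeholders.
Import-Module ActiveDirectory

# Audit: which mail-enabled users will Azure AD Connect silently leave behind?
# The default "In from AD - User Join" rule excludes isCriticalSystemObject=TRUE.
function Get-SyncExcludedMailUsers {
    Get-ADUser -LDAPFilter '(&(isCriticalSystemObject=TRUE)(mail=*))' `
               -Properties isCriticalSystemObject, mail |
    ForEach-Object {
        # RID 500 is the built-in Administrator whatever it has been renamed to.
        $rid = ($_.SID.Value -split '-')[-1]
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            IsBuiltInAdmin = ($rid -eq '500')
            Mail           = $_.mail
            Reason         = 'isCriticalSystemObject=TRUE (filtered by default sync rule)'
        }
    }
}
Get-SyncExcludedMailUsers | Format-Table -AutoSize

# Step 1: create the replacement account that is allowed to synchronize.
$newUser   = 'admin-mailbox'                         # placeholder
$upnSuffix = 'corp.example.com'                      # placeholder
New-ADUser -Name $newUser -SamAccountName $newUser `
           -UserPrincipalName "$newUser@$upnSuffix" `
           -AccountPassword (Read-Host -AsSecureString 'Initial password') `
           -Enabled $true

# Step 2: disconnect the mailbox from the built-in Administrator. The mailbox
# stays in the database as a disconnected mailbox for the retention period.
Disable-Mailbox -Identity 'Administrator' -Confirm:$false

# Step 3: reconnect that disconnected mailbox to the new, syncable user.
$db     = 'MailboxDB01'                              # placeholder
$orphan = Get-MailboxStatistics -Database $db |
          Where-Object { $_.DisconnectDate -and $_.DisplayName -eq 'Administrator' }
Connect-Mailbox -Identity $orphan.MailboxGuid -Database $db -User $newUser

# Step 4 (migration) then targets $newUser, which Azure AD Connect will sync on
# the next cycle; trigger one from the Azure AD Connect server if needed:
# Start-ADSyncSyncCycle -PolicyType Delta
```

On Exchange 2013 and later the disconnected mailbox may not appear in Get-MailboxStatistics until the store state is refreshed, so re-run the lookup if $orphan is empty.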

4 thoughts on “Azure AD Connect unable to sync built-in Administrator account”

  1. I have a question. I was wanting to use the built-in admin account to sync some of our critical directories to OneDrive for Business (since that is the account normally logged in to the server). To do that, I need to sync that account with AAD. Can you explain why changing the isCriticalSystemObject attribute on the In from AD – User Join is a bad idea? What are the hazards of doing this?


  2. Hi Bob,
    I’m interested in understanding why it’s not a good idea to sync the default domain\administrator account (just that, not all the critical system objects).

    Creating a rule just to sync that single object is not so hard to do; it requires just a clone of the rule you highlighted with a couple of changes, while leaving the original rule active. I did so, but now I’m worried that I have done something bad…

    best regards,
    Dario
