Delay Office 365 group synchronization to avoid race condition

After creating a new Exchange Online Distribution Group, it may take up to 20 minutes for the group to become fully available in Microsoft 365. During this time, Entra ID Connect may not detect the group. If Entra ID Connect (DirSync) runs before the group is available, it may incorrectly assume that the group does not exist and attempt to create a duplicate.

The following procedure outlines how to configure Entra ID Connect and Cayosoft Administrator to delay group synchronization until Entra ID Connect can properly detect the group.

Entra ID Connect filter overview

By setting "filtering", you can control which objects appear in Entra ID from your on-premises directory. In some cases, it may be desirable to delay when an object is synchronized so that Microsoft Exchange Online and Entra ID have time to reconcile new Distribution Group objects before those objects are synced from On-premise Active Directory.

Configure Cayosoft Administrator

Select the Attribute used to set the Delay Flag

1. In the Cayosoft Administrator Console, navigate to Configuration > Web Portal > Web Actions.

2. Select the New Distribution Group action.

3. Expand Action > More Options and locate the Delay sync attribute flag field.

4. In the Delay Sync Attribute Flag attribute, select one of the ExtensionAttribute that is not being used in your environment. (In this example, we verified that the extensionAttribute1 was not being used, so we will dedicate this extension attribute for use to set a sync/nosync flag.)

   

5. Save the rule.

Scheduling the rule that will clear the Filter Flag

1. In the Cayosoft Administrator Console, navigate to Rules > Cayosoft Built-in (Pre-configured) > AD Object | Clear Delay Sync Flag.

2. Set the Delay sync attribute flag field to the same ExtensionAtribute set on the New Distribution Group web action above.

3. Select the Enforce/Schedule checkbox and set the schedule so the rule runs no less than every 45 minutes.

4. Save the rule.

Configure Entra ID Connect

NOTE: The following steps document how to configure Entra ID Connect to filter objects with a flag set to NOSYNC. If you have a newer or older version of Entra ID Connect (Formerly DirSync) the steps may be different.

Configure Entra ID Connect to filter AD objects by ExtensionAttribute flag

1. Open the Synchronization Rules Editor on the machine where Microsoft Entra ID Connect is installed.

2. Select In from AD - Group Join sync rule and click Edit.

3. When the message Microsoft recommends disable the default rule, clone it and edit the cloned rule appears, click Yes to create a copy that can be edited.

   

4. In the Edit inbound synchronization rule:

   1. Description tab: set Precedence to any positive number.

      NOTE: The rules editor can throw an SQL deadlock error if you try to set the same precedence value as an already existing synchronization rule. So use unique numbers for each rule.

   2. Scoping Filter tab: click Add clause and set filter as it shown in the picture below (use the same ExtensionAtribute1 used to configure the New Distribution Group rule in the previous section above.)

   

5. Repeat steps 1-4 above, to clone both the In from AD- Group Exchange and In from AD - Group Common.

6. Close the Synchronization Rules Editor.