AADConnect Invalid Username after AD Schema update


There are lots of posts out there like this one: http://www.michev.info/Blog/Post/1370 telling you that after an internal AD schema update (eg for a new Exchange version) you need to run your AADConnect wizard and refresh your AD schema in the metaverse. (Thanks to the author of that post for setting me straight.)

I had an issue today where I was still getting AAD errors after running the AADConnect update. The errors were for 4 SystemMailbox accounts, specifically an “invalid username” error … but hang on, those on-prem service accounts shouldn’t sync to AAD, and anyway what is “username”? There is no attribute called username in AD, nor in the metaverse.

A quick check of the sync rules showed that the filter excluding on-prem service accounts from syncing to AAD is actually on mailnickname starting with SystemMailbox, rather than on samaccountname, displayname or UPN.

My colleague had completed our Exchange 2016 schema update, hence creating the 4 accounts, but the first server was not yet built and the accounts’ mailnickname value was empty.

I suspect the mailnickname value gets populated during the first server build, but in the meantime I inserted the samaccountname as the mailnickname and the accounts are no longer trying to sync to AAD, as I want; we will watch carefully for errors as we build the first server.
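To find the accounts in that state and apply the workaround described above, here is an added PowerShell example (my own, not a script from the post); it assumes the ActiveDirectory RSAT module, a domain-joined admin session, and that the accounts' cn starts with SystemMailbox.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is available and you are running as a domain admin. Run with
# -WhatIf first and review the report before changing anything.
Import-Module ActiveDirectory

function Get-SystemMailboxMissingNickname {
    # Arbitration accounts whose name starts with SystemMailbox but whose
    # mailNickname is empty. The AADConnect scoping filter the post describes
    # keys on mailNickname, so with it empty these accounts are not excluded
    # and AADConnect tries to sync them.
    Get-ADUser -LDAPFilter '(&(cn=SystemMailbox*)(!(mailNickname=*)))' `
               -Properties mailNickname, displayName |
        Select-Object Name, SamAccountName, DistinguishedName, mailNickname
}

function Set-SystemMailboxNickname {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-SystemMailboxMissingNickname) {
        # The post's workaround: copy sAMAccountName into mailNickname so the
        # account is caught by the scoping filter and stays out of AAD.
        # Check the report first: this only helps if the sAMAccountName
        # itself starts with SystemMailbox, as it did in the post's case.
        $target = "Set mailNickname = $($u.SamAccountName)"
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, $target)) {
            Set-ADUser -Identity $u.DistinguishedName `
                       -Replace @{ mailNickname = $u.SamAccountName }
        }
    }
}

# 1. Report the affected accounts.
Get-SystemMailboxMissingNickname | Format-Table -AutoSize

# 2. Dry run, then drop -WhatIf to apply.
Set-SystemMailboxNickname -WhatIf

# 3. After applying, this should return nothing; then run a delta sync
#    in AADConnect and confirm the invalid username errors are gone.
Get-SystemMailboxMissingNickname
```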

Azure AD Proxy cert not auto renewing

Make sure your Azure AD proxy is the latest version, and update it if it isn’t. Since mid-2017 the app auto-updates.

If that doesn’t update the cert, try this in PowerShell:

Import-Module AppProxyPSModule

You will be prompted for a feature; enter “ApplicationProxy” (no quotes).

Of course, do this at your own risk; take backups, snapshots etc.