
MarkusOE
Brass Contributor
Apr 22, 2024
Solved

Adding MailboxFolderPermission to certain user fails with Powershell as well as OWA

Hello!

 

I am trying to add a MailboxFolderPermission for the assistant to the inbox of the manager. That fails with PowerShell as well as with Outlook on the web. If instead I grant a MailboxFolderPermission on the manager's inbox to my test user, that works perfectly fine.

 

We are in an Exchange hybrid setup. However, all 3 mailboxes (manager, assistant, test user) are hosted in Exchange Online (and represented on-premises by a RemoteMailbox).

The assistant changed her last name some time ago (supposedly married). However, currently PrimarySmtpAddress = UserPrincipalName both on-premises (RemoteMailbox) and online (UserMailbox).

 

[PS] C:\Windows\system32>Get-ADUser (get-remotemailbox *assistantlastname*).guid.guid -Properties msexchrecipientdisplaytype

 

msexchrecipientdisplaytype : -1073741818

 

Write-ErrorMessage : |Microsoft.Exchange.Management.StoreTasks.InvalidExternalUserIdException|Der Benutzer "email address removed for privacy reasons" ist entweder keine gültige SMTP-Adresse oder es ist keine
übereinstimmende Informationen vorhanden.
In C:\Users\adm-xyz02\AppData\Local\Temp\tmpEXO_iq3lu4l0.m3f\tmpEXO_iq3lu4l0.m3f.psm1:1191 Zeichen:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
+ FullyQualifiedErrorId : [Server=GVXP194MB1735,RequestId=777a9f1a-076f-058f-2c1c-f1e6afd8ba64,TimeStamp=Mon, 22 Apr 2024 15:19:43 GMT],Write-ErrorMessage

 

If I use the ExchangeGUID (Exchange Online) of the assistant as the identifier, I get the following message:
Write-ErrorMessage : |Microsoft.Exchange.Management.StoreTasks.InvalidInternalUserIdException|Der Benutzer "Last, First" wurde in Active Directory gefunden, ihm können aber keine
Berechtigungen zugewiesen werden. Versuchen Sie stattdessen ein SMTP-Adresse.
In C:\Users\adm-xyz01\AppData\Local\Temp\tmpEXO_iq3lu4l0.m3f\tmpEXO_iq3lu4l0.m3f.psm1:1191 Zeichen:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
+ FullyQualifiedErrorId : [Server=GVXP194MB1735,RequestId=650eac4d-4cf5-73ac-a860-574b4946988d,TimeStamp=Mon, 22 Apr 2024 14:57:04 GMT],Write-ErrorMessage

 

Any ideas how to fix this?


1 Reply

  • MarkusOE
    Brass Contributor
    Solved.

    I'm sorry for not being able to mention everything and everybody that contributed to finding the solution. It helped a lot to find many articles mentioning the relation of this problem to converting between shared and user mailboxes as well as changes in name, UPN, etc. Both were the case here. As far as I remember, it was the following article that led me directly to the cause as well as the solution:
    https://answers.microsoft.com/en-us/msoffice/forum/all/the-attribute-accountdisabled-changing-for-true/40b3ed9a-3351-4272-9b91-d447db126c1f

    THIS IS HOW I FOUND THE MAILBOX IN EXCHANGE ONLINE WHEN THE ISSUE OCCURRED
    Get-Mailbox xyz | Select-Object ExchangeUserAccountControl,AccountDisabled,RecipientType,RecipientTypeDetails
    ExchangeUserAccountControl : AccountDisabled, NormalAccount
    AccountDisabled            : True
    RecipientType              : UserMailbox
    RecipientTypeDetails       : UserMailbox

    WHEN I TRIED TO ENABLE THE MAILBOX IT TOLD ME IT WAS A SHARED MAILBOX ALTHOUGH IT SHOWED UP AS A USER MAILBOX IN EXCHANGE ONLINE ADMIN CENTER AS WELL AS IN POWERSHELL
    Set-Mailbox xyz -AccountDisabled $false
    WARNUNG: Das freigegebene Postfach "email address removed for privacy reasons" kann nicht aktiviert werden.

    From then on I assumed that the cause was a partly failed re-conversion from a shared to a user mailbox in the past. Although the user account was enabled in Entra, it was disabled in Exchange. Therefore there was no (active) Exchange security principal to which permissions could have been assigned.

    SOLUTION
    a) RemoteMailbox (Exchange Management Shell)
    Get-RemoteMailbox xyz | Set-RemoteMailbox -Type Shared
    Invoke-Command -ComputerName servername -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
    Get-RemoteMailbox xyz | Set-RemoteMailbox -Type Regular
    Invoke-Command -ComputerName servername -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
    b) Mailbox (Exchange Online PowerShell)
    Get-Mailbox xyz | Set-Mailbox -Type Shared
    Set-Mailbox xyz -Type Regular

    I could see in the Entra logs that all of my above changes were taking effect on the user object related to the mailbox.

    Now I was able to assign MailboxFolderPermissions to the security principal of the mailbox.
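The following PowerShell script is an added example, not code from the original post or from Microsoft. It turns the diagnosis and the fix described in the answer above into a repeatable check: it reads the cloud mailbox, the on-premises RemoteMailbox and the AD user for one identity, flags the conditions the answer found (cloud AccountDisabled while AD is enabled, shared/regular type mismatch between the two sides, SMTP address and UPN drift after a name change, and the msExchRecipientDisplayType value the question shows), and only with -Repair runs the same shared-then-regular round trip with delta syncs, honouring -WhatIf and -Confirm. Assumptions: it runs in the on-premises Exchange Management Shell, Exchange Online was connected with `Connect-ExchangeOnline -Prefix Cloud` (so the cloud cmdlets are Get-CloudMailbox/Set-CloudMailbox), and the host name `aadconnect01.corp.example` and the 120-second wait are placeholders to adjust.

```powershell
<#
  Added example, not from the original post. Checks one hybrid user for the
  state the answer above found and, only with -Repair, applies the same
  Shared -> Regular round trip on the on-premises RemoteMailbox.
  Assumptions (placeholders, not values from the thread):
    - run in the on-premises Exchange Management Shell (Get-/Set-RemoteMailbox, Get-ADUser)
    - Exchange Online connected with: Connect-ExchangeOnline -Prefix Cloud
    - $AadConnectServer is the Entra Connect host that has the ADSync module
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Identity,
    [string]$AadConnectServer = 'aadconnect01.corp.example',   # placeholder host name
    [switch]$Repair
)

# msExchRecipientDisplayType value (ACLableSyncedMailboxUser) that marks a synced
# remote mailbox as assignable on folder ACLs; the question shows this value.
$AclableSyncedMailboxUser = -1073741818

function Get-HybridMailboxState {
    param([Parameter(Mandatory)][string]$Identity)
    $cloud  = Get-CloudMailbox  -Identity $Identity -ErrorAction Stop
    $remote = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $ad     = Get-ADUser -Identity $remote.DistinguishedName -Properties msExchRecipientDisplayType
    [pscustomobject]@{
        CloudSmtp            = [string]$cloud.PrimarySmtpAddress
        CloudUpn             = [string]$cloud.UserPrincipalName
        CloudType            = [string]$cloud.RecipientTypeDetails
        CloudAccountDisabled = [bool]$cloud.AccountDisabled
        CloudUac             = [string]$cloud.ExchangeUserAccountControl
        OnPremType           = [string]$remote.RecipientTypeDetails
        OnPremSmtp           = [string]$remote.PrimarySmtpAddress
        AdEnabled            = [bool]$ad.Enabled
        DisplayType          = [int]$ad.msExchRecipientDisplayType
    }
}

function Test-HybridMailboxState {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if ($State.CloudAccountDisabled -and $State.AdEnabled) {
        $findings += 'Cloud mailbox is AccountDisabled although the AD account is enabled: ' +
                     'Exchange has no active security principal to put on a folder ACL (the symptom in this thread).'
    }
    $expectedOnPrem = switch ($State.CloudType) {
        'UserMailbox'   { 'RemoteUserMailbox' }
        'SharedMailbox' { 'RemoteSharedMailbox' }
        default         { $null }
    }
    if ($expectedOnPrem -and $State.OnPremType -ne $expectedOnPrem) {
        $findings += "Type mismatch: cloud=$($State.CloudType), on-prem=$($State.OnPremType) (incomplete shared/regular conversion)."
    }
    if ($State.CloudSmtp -ne $State.CloudUpn) {
        $findings += "PrimarySmtpAddress ($($State.CloudSmtp)) differs from UPN ($($State.CloudUpn)); re-check after a name change."
    }
    if ($State.CloudSmtp -ne $State.OnPremSmtp) {
        $findings += 'PrimarySmtpAddress differs between RemoteMailbox and cloud mailbox (sync lag or stale proxy address).'
    }
    if ($State.DisplayType -ne $AclableSyncedMailboxUser) {
        $findings += "Info: msExchRecipientDisplayType is $($State.DisplayType), not $AclableSyncedMailboxUser (ACLableSyncedMailboxUser)."
    }
    return $findings
}

function Invoke-MailboxTypeRoundTrip {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$AadConnectServer)
    # Same sequence as the answer: Shared, delta sync, Regular, delta sync.
    foreach ($type in 'Shared', 'Regular') {
        if ($PSCmdlet.ShouldProcess($Identity, "Set-RemoteMailbox -Type $type, then delta sync")) {
            Set-RemoteMailbox -Identity $Identity -Type $type -ErrorAction Stop
            Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
            Start-Sleep -Seconds 120   # crude wait for the cycle to reach Exchange Online; tune for your tenant
        }
    }
}

$before = Get-HybridMailboxState -Identity $Identity
$before | Format-List
$findings = Test-HybridMailboxState -State $before
if (-not $findings) { Write-Output "No mismatch found for $Identity; the principal should accept folder permissions."; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Repair) {
    Invoke-MailboxTypeRoundTrip -Identity $Identity -AadConnectServer $AadConnectServer
    $after = Get-HybridMailboxState -Identity $Identity
    if ($after.CloudAccountDisabled) {
        Write-Warning 'Still AccountDisabled after the round trip; check the Entra audit log for the user object before retrying.'
    } else {
        Write-Output "Round trip done; retry Add-MailboxFolderPermission for $Identity."
    }
}
```

Run it first without -Repair to see the findings, then with `-Repair -WhatIf` to see which RemoteMailbox changes it would make; the type change is done on the on-premises object (variant a) in the answer) so that Entra Connect, not a direct cloud edit, drives the cloud mailbox back to an enabled regular mailbox.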
