Home

free/busy information after migrated from Exchange on-premises to online is broken

%3CLINGO-SUB%20id%3D%22lingo-sub-186514%22%20slang%3D%22en-US%22%3ERe%3A%20free%2Fbusy%20information%20after%20migrated%20from%20Exchange%20on-premises%20to%20online%20is%20broken%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-186514%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20doesn't%20really%20make%20any%20sense.%20AD%20is%20our%20source%20of%20authority%20and%20authentication%20is%20on%20prem.%20When%20we%20switched%20from%20ADFS%20to%20PTA%20-%20We%20needed%20to%20communicate%20to%20everyone%20that%20they%20need%20a%20password%20reset%3F%20That%20is%20a%20little%20extreme.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20converted%20over%20without%20any%20issues%20at%20all%20other%20than%20the%20broken%20Free%2FBusy.%20No%20authentication%20issues.%20Why%20would%20this%20even%20matter%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20not%20doing%20any%20password%20changes%20in%20Azure%20AD%2C%20everything%20happens%20in%20AD.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-186492%22%20slang%3D%22en-US%22%3ERe%3A%20free%2Fbusy%20information%20after%20migrated%20from%20Exchange%20on-premises%20to%20online%20is%20broken%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-186492%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20you%20are%20switching%20from%20AD%20FS%20to%20any%20other%20auth%20method%2C%20one%20of%20the%20steps%20you%20need%20to%20perform%20is%20to%20%22convert%22%20the%20user%2C%20which%20is%20basically%20generating%20a%20temporary%26nbsp%3Bpassword%20for%20them%20and%20setting%20the%20auth%20type%20to%20standard.%20As%20explained%20in%20the%20article%20you%20linked%2C%20temporary%20password%20can%20cause%20issues%20with%20obtaining%20tokens%2C%20so%20the%20user%20needs%20to%20set%20a%20normal%20password%20first.%20Password%20sync%20is%20just%20a%20way%20to%20get%20past%20the%20temp%20password%20issue%2C%20another%20one%20is%20to%20manually%20unset%20the%20%22force%20change%20password%22%20flag.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere's%20no%20way%20to%20skip%20the%20conversion%20btw%2C%20if%20you%20do%20you%20will%20not%20even%20be%20able%20to%20change%20passwords%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2671093%2Funable-to-reset-this-user-s-password-error-when-an-admin-tries-to-rese%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2671093%2Funable-to-reset-this-user-s-password-error-when-an-admin-tries-to-rese%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-186427%22%20slang%3D%22en-US%22%3Efree%2Fbusy%20information%20after%20migrated%20from%20Exchange%20on-premises%20to%20online%20is%20broken%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-186427%22%20slang%3D%22en-US%22%3E%3CP%3EHope%20this%20finds%20everyone%20well!%20Thought%20I%20would%20share%20some%20of%20my%20findings%20that%20has%20driven%20me%20wild%20for%20the%20past%2012%20hours.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBack%20story%20here%20is%20that%20I%20was%20migrating%20from%20ADFS%20to%20Azure%20AD%20Connect%20PTA%20and%203SO.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20TL%3BDR%20-%26nbsp%3BVERIFY%20if%20Azure%20AD%20Connect%20was%20configured%20with%20password%20hash%20sync%20prior%20to%20ADFS.%20It%20can%20cause%20broken%20free%2Fbusy%20from%20Office%20365%20users%20to%20on-premises%20non-migrated%20users.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20your%20organization%20had%20Azure%20AD%20Connect%20with%20Password%20Hash%20Synchronization%20enabled%2C%20then%20migrated%20to%20ADFS%2C%20and%20now%20are%20migrating%20to%20Azure%20AD%20Connect%20Pass%20Through%20Authentication%20free%2Fbusy%20can%20break.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20fix%20this%2C%20you%20need%20to%20make%20sure%20that%20you%20enable%20password%20hash%20synchronization%20again%20or%20change%20the%20value%20of%20ForceChangePassword%20in%20Azure%20AD.%20Below%20is%20the%20link%20I%20am%20referring%20too.%20In%20my%20case%20it%20was%20less%20invasive%20on%20the%20users%20to%20enable%20and%20then%20disable%20password%20sync%20rather%20than%20send%20a%20ton%20of%20password%20prompts%20for%20users%20to%20enter.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F4056251%2Ffree-busy-lookup-fails-from-exchange-on-premises-to-exchange-online%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F4056251%2Ffree-busy-lookup-fails-from-exchange-on-premises-to-exchange-online%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20love%20if%20anyone%20from%20Microsoft%20can%20add%20some%20context%20here.......%20It%20really%20caused%20some%20heartburn%20when%20remote%20connectivity%20analyzer%20and%20all%20other%20tests%20passed.%20Finally%20figured%20it%20out%20after%20running%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGet-organizationrelationship%20%22name%20of%20org%20relationship%20of%20cloud%20to%20on-prem%22%20%7C%20test-organizationrelationship%20-useridentity%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-186427%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eadfs%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFree%20busy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPass%20through%20authentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPTA%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Erich%20coexistence%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Tom Gould
Contributor

Hope this finds everyone well! Thought I would share some of my findings that has driven me wild for the past 12 hours. 

 

Back story here is that I was migrating from ADFS to Azure AD Connect PTA and 3SO.

 

The TL;DR - VERIFY if Azure AD Connect was configured with password hash sync prior to ADFS. It can cause broken free/busy from Office 365 users to on-premises non-migrated users. 

 

If your organization had Azure AD Connect with Password Hash Synchronization enabled, then migrated to ADFS, and now are migrating to Azure AD Connect Pass Through Authentication free/busy can break. 

 

To fix this, you need to make sure that you enable password hash synchronization again or change the value of ForceChangePassword in Azure AD. Below is the link I am referring too. In my case it was less invasive on the users to enable and then disable password sync rather than send a ton of password prompts for users to enter. 

 

https://support.microsoft.com/en-gb/help/4056251/free-busy-lookup-fails-from-exchange-on-premises-to...

 

I would love if anyone from Microsoft can add some context here....... It really caused some heartburn when remote connectivity analyzer and all other tests passed. Finally figured it out after running 

 

Get-organizationrelationship "name of org relationship of cloud to on-prem" | test-organizationrelationship -useridentity <On-Prem-user@domain.com>

 

2 Replies

When you are switching from AD FS to any other auth method, one of the steps you need to perform is to "convert" the user, which is basically generating a temporary password for them and setting the auth type to standard. As explained in the article you linked, temporary password can cause issues with obtaining tokens, so the user needs to set a normal password first. Password sync is just a way to get past the temp password issue, another one is to manually unset the "force change password" flag.

 

There's no way to skip the conversion btw, if you do you will not even be able to change passwords: https://support.microsoft.com/en-us/help/2671093/unable-to-reset-this-user-s-password-error-when-an-...

That doesn't really make any sense. AD is our source of authority and authentication is on prem. When we switched from ADFS to PTA - We needed to communicate to everyone that they need a password reset? That is a little extreme. 

 

We converted over without any issues at all other than the broken Free/Busy. No authentication issues. Why would this even matter? 

 

We are not doing any password changes in Azure AD, everything happens in AD. 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies