Fix Syncback attributes for Exchange Online

%3CLINGO-SUB%20id%3D%22lingo-sub-3952%22%20slang%3D%22en-US%22%3EFix%20Syncback%20attributes%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3952%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20problem%20we%20have%20is%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20one%20of%20our%20customers%20we%20had%20issues%20with%20newly%20created%20shared%20mailboxes%20in%20the%20cloud.%20Cross%20premise%20mailbox%20permissions%20for%20this%20mailbox%20where%20not%20working%20for%20on%20premise%20users.%20We%20found%20out%20that%20when%20a%20shared%20mailbox%20is%20provisioned%20in%20the%20cloud%20%2C%20the%20mailboxGuid%20of%20the%20cloud%20mailbox%20is%20not%20synced%20back%20on%20premise.%20When%20you%20migrate%20a%20mailbox%20towards%20the%20cloud%2C%20the%20on%20prem%20object%20is%20converted%20to%20a%20mail%20user.%20In%20the%20case%20the%20mailboxguid%20is%20retained%20and%20the%20issues%20does%20not%20exist.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20to%20change%20the%20sync%20rules%20in%20AAD%20connect%20and%20tried%20to%20get%20attribute%20trough%20azure%20ad%20but%20this%20was%20not%20possible.%20The%20only%20way%20we%20could%20achieve%20this%20was%20to%20use%20the%20Get-Mailbox%20command%20and%20copy%20the%20guid%20from%20there%20and%20manually%20set%20it%20to%20the%20on%20prem%20object.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdditionally%20there%20are%20some%20other%20issues%20with%20certain%20attributes%20that%20are%20not%20synced%20back%20from%20the%20Exchange%20forest%20in%20O365.%20This%20causes%20strange%20behavior%3A%3C%2FP%3E%3CUL%3E%3CLI%3EIssues%20with%20Shared%20Mailboxes%3A%20%3CA%20href%3D%22https%3A%2F%2Fna01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253a%252f%252fsupport.microsoft.com%252fen-us%252fkb%252f2710029%26amp%3Bdata%3D01%257c01%257cross.adams%2540microsoft.com%257c77965b6823324d0b342908d3b0f72cb1%257c72f988bf86f141af91ab2d7cd011db47%257c1%26amp%3Bsdata%3Dhm6RyN0z18dVZLqZeNOBclND%252brTZutWqlA11uMoi4Ew%253d%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F2710029%3C%2FA%3E%3C%2FLI%3E%3CLI%3EIssues%20with%20sync%20back%20of%20mailboxes%3A%20%3CA%20href%3D%22https%3A%2F%2Fna01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253a%252f%252fsupport.microsoft.com%252fen-us%252fkb%252f2956029%26amp%3Bdata%3D01%257c01%257cKyle.Anna%2540microsoft.com%257cde56d11ed7744e88edab08d38f6d2ec0%257c72f988bf86f141af91ab2d7cd011db47%257c1%26amp%3Bsdata%3D6CIPBCsdXAQzDqU1zzd5tAYurbIBgi8RT%252bH%252bSKByzFs%253d%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F2956029%3C%2FA%3E%3C%2FLI%3E%3CLI%3EIssues%20with%20cross%20premise%20permissions%3A%20%3CNOT%20documented%3D%22%22%3E%20%C3%A8%20our%20case%3C%2FNOT%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWe%20opened%202%20premier%20cases%20for%20this%20issue%20both%20with%20the%20AAD%20team%20en%20EOL%20team%20which%20resulted%20in%20a%20request%20for%20a%20design%20change.%20We%20had%20a%20discusion%20in%20the%20Exchange%20TAP%20about%20this%20issue.%20%26nbsp%3BWhere%20Timothy%20Heeney%20stated%20there%20are%20no%20ongoing%20commitments%20on%20fixing%20this%20and%20indeed%20a%20design%20change%20would%20be%20required.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20do%20have%20to%20mention%20that%20we%20tried%20to%20validate%20this%20behavior%20with%20other%20tenants%20(with%20empty%20mailboxGuid%E2%80%99s)%20in%20other%20setups%20and%20the%20behavior%20does%20not%20seem%20to%20be%20consistent.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Regards%2C%3C%2FP%3E%3CP%3ERobin%20Vermeirsch%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3952%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-10198%22%20slang%3D%22en-US%22%3ERE%3A%20Fix%20Syncback%20attributes%20for%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-10198%22%20slang%3D%22en-US%22%3EFloating%20this%20question%20to%20the%20top%20to%20see%20if%20we%20can%20get%20some%20answers%20for%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4902%22%20target%3D%22_blank%22%3E%40Robin%20Vermeirsch%3C%2FA%3E.%3C%2FLINGO-BODY%3E
Occasional Contributor

The problem we have is the following:

 

With one of our customers we had issues with newly created shared mailboxes in the cloud. Cross premise mailbox permissions for this mailbox where not working for on premise users. We found out that when a shared mailbox is provisioned in the cloud , the mailboxGuid of the cloud mailbox is not synced back on premise. When you migrate a mailbox towards the cloud, the on prem object is converted to a mail user. In the case the mailboxguid is retained and the issues does not exist.

 

I tried to change the sync rules in AAD connect and tried to get attribute trough azure ad but this was not possible. The only way we could achieve this was to use the Get-Mailbox command and copy the guid from there and manually set it to the on prem object.

 

Additionally there are some other issues with certain attributes that are not synced back from the Exchange forest in O365. This causes strange behavior:

We opened 2 premier cases for this issue both with the AAD team en EOL team which resulted in a request for a design change. We had a discusion in the Exchange TAP about this issue.  Where Timothy Heeney stated there are no ongoing commitments on fixing this and indeed a design change would be required.

 

I do have to mention that we tried to validate this behavior with other tenants (with empty mailboxGuid’s) in other setups and the behavior does not seem to be consistent.

 

Kind Regards,

Robin Vermeirsch

1 Reply
Floating this question to the top to see if we can get some answers for @Robin Vermeirsch.