SOLVED

Office 365 Hybrid Migration iPhone Native Mail Stopped Working

Occasional Contributor

Hello,

I've recently set up Hybrid Migration for our tenant using HCW and everything has been going smoothly so far.

We are currently using our on-prem Exchange server as the central transport hub, so any emails to and from Office 365 mailboxes should be routed through this.

Email on users' phones is set up using MaaS360 MDM that automatically pushes it out to the native mail app on iPhone. This has been working fine for on-prem users.

As soon as I migrate a user, the mail on the phone keeps asking for Exchange password and won't accept the user's credentials saying that "unable to verify account information".

Nothing should have changed from the front-end, as all emails are still going to and from the on-prem Exchange server.

I asked the user to check the server settings and it is now reporting outlook.office365.com instead of the previous setup (mail.domain.com). The way we have it set up in MaaS is to mail.domain.com, so not sure how this has propagated the change.

Unfortunately, the users can't change this setting as it's forced by the MDM provider.

Any suggestions?

Cheers

4 Replies

@nitvit610 are you changing user UPNs when migrating them? We found that MaaS profiles would break if you do that.

Have you tried removing and adding the MaaS profile on affected phones? Does that resolve the issue?

Thanks

Their UPNs have remained the same during the migration.
I spoke to MaaS support and they suggested a new policy and to change the ActiveSync settings from mail.domain.com to outlook.office365.com.
I mentioned that the mail hostname would be the same as we are routing all traffic through the on-prem server; however, they wouldn't budge until I tested this.
Unfortunately, it didn't seem to help the issue.

I haven't tried removing the profile and re-adding yet as this would take a long time to apply to each migrated user, and ideally would like it to be a policy change.

Knowing MaaS though, it won't be so easy :(

Best Response confirmed by nitvit610 (Occasional Contributor)
Solution

@nitvit610 so mail routing is not relevant to the profile config, MX just says where to send the mail, your Exchange server then forwards onto Exchange Online. What matters is where the user's mailbox is hosted, so MaaS support were correct - the profile needs to point at where the mailbox resides, so once they are in O365 it should be there. This is where the mobile mail client needs to connect to in order to download the mail.

I expect you need a new profile for migrated users, and then change the profile when they get migrated. I know it can be done because I have seen this working (although I don't know MaaS technically) but I do know the migration can be done without setting up the phones again. But you could set up a new MaaS email profile pointing to outlook.office365.com and just see if you can get that working. Then as you migrate users, switch the profile.

Another idea is to get rid of MaaS as you migrate and use Intune instead.

It was like you mentioned, where the mailbox is hosted not mailflow.

We created a new policy with outlook.office365.com and the other relevant details, then applied it.
Weirdly, it half applied over the top of the previous policy.
The server hostname had updated to Office365, however the domain was still the previous one and not domain.com.

We figured out a workaround to this which was to apply a policy that didn't have EAS setup, which removed the email profile.
After which, we assigned the updated Office 365 profile and it deployed properly.
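
The check below is an added example, not part of the thread and not MaaS360 tooling: it reads an unsigned iOS configuration profile, finds the Exchange ActiveSync payload (`com.apple.eas.account`), and flags a host that does not match where the mailbox lives, as well as the half-applied state described above. The inventory, the `legacy.example` domain and the function names are constructed for illustration; the two hostnames come from the thread.

```python
import plistlib

# Hosts taken from the thread; the inventory further down is constructed.
EXPECTED_HOST = {"onprem": "mail.domain.com", "online": "outlook.office365.com"}
EXPECTED_DOMAIN = "domain.com"

def audit_eas_profile(profile_bytes, mailbox_location):
    """Return (email, problem) tuples for EAS payloads in an unsigned .mobileconfig."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.eas.account":
            continue  # not an Exchange ActiveSync payload
        email = payload.get("EmailAddress", "").lower()
        host = payload.get("Host", "").lower()
        user = payload.get("UserName", "").lower()
        location = mailbox_location.get(email)
        if location is None:
            findings.append((email, "mailbox location unknown"))
            continue
        # The client must connect to where the mailbox is hosted, not where mail is routed.
        if host != EXPECTED_HOST[location]:
            findings.append((email, f"host {host} but mailbox is {location}"))
        # Half-applied policy: host updated, login domain left over from the old profile.
        if "@" in user and user.rsplit("@", 1)[1] != EXPECTED_DOMAIN:
            findings.append((email, f"stale login domain in {user}"))
    return findings

def make_profile(email, host, user):
    """Build a constructed, unsigned profile carrying one EAS payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.eas.account",
            "EmailAddress": email, "Host": host, "UserName": user, "SSL": True,
        }],
    })

# Constructed inventory, e.g. exported after each migration batch.
LOCATIONS = {"alice@domain.com": "online", "bob@domain.com": "onprem"}

if __name__ == "__main__":
    samples = [
        make_profile("alice@domain.com", "mail.domain.com", "alice@domain.com"),
        make_profile("alice@domain.com", "outlook.office365.com", "alice@legacy.example"),
        make_profile("bob@domain.com", "mail.domain.com", "bob@domain.com"),
    ]
    for sample in samples:
        print(audit_eas_profile(sample, LOCATIONS))
```

Profiles exported from a device or MDM console are often CMS-signed; this example assumes the plist has already been extracted from the signature envelope.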