SOLVED

Adding MailboxFolderPermission to certain user fails with Powershell as well as OWA

Brass Contributor

Hello!


I am trying to add a MailboxFolderPermission for the assistant on the manager's inbox. That fails with PowerShell as well as Outlook on the web. If instead I grant a MailboxFolderPermission on the manager's inbox to my test user, that works perfectly fine.


We are in an Exchange hybrid setup. However, all 3 mailboxes (manager, assistant, test user) are hosted in Exchange Online (and represented with a RemoteMailbox on-premises).

The assistant changed her last name some time ago (supposedly married). However, currently PrimarySmtpAddress = UserPrincipalName both on-premises (RemoteMailbox) and online (UserMailbox).


[PS] C:\Windows\system32>Get-ADUser (get-remotemailbox *assistantlastname*).guid.guid -Properties msexchrecipientdisplaytype

msexchrecipientdisplaytype : -1073741818


Write-ErrorMessage : |Microsoft.Exchange.Management.StoreTasks.InvalidExternalUserIdException|Der Benutzer "email address removed for privacy reasons" ist entweder keine gültige SMTP-Adresse oder es ist keine
übereinstimmende Informationen vorhanden.
In C:\Users\adm-xyz02\AppData\Local\Temp\tmpEXO_iq3lu4l0.m3f\tmpEXO_iq3lu4l0.m3f.psm1:1191 Zeichen:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
+ FullyQualifiedErrorId : [Server=GVXP194MB1735,RequestId=777a9f1a-076f-058f-2c1c-f1e6afd8ba64,TimeStamp=Mon, 22 Apr 2024 15:19:43 GMT],Write-ErrorMessage


If I use the ExchangeGUID (Exchange Online) of the assistant as identifier, I get the following message:
Write-ErrorMessage : |Microsoft.Exchange.Management.StoreTasks.InvalidInternalUserIdException|Der Benutzer "Last, First" wurde in Active Directory gefunden, ihm können aber keine
Berechtigungen zugewiesen werden. Versuchen Sie stattdessen ein SMTP-Adresse.
In C:\Users\adm-xyz01\AppData\Local\Temp\tmpEXO_iq3lu4l0.m3f\tmpEXO_iq3lu4l0.m3f.psm1:1191 Zeichen:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
+ FullyQualifiedErrorId : [Server=GVXP194MB1735,RequestId=650eac4d-4cf5-73ac-a860-574b4946988d,TimeStamp=Mon, 22 Apr 2024 14:57:04 GMT],Write-ErrorMessage


Any ideas how to fix this?

1 Reply
best response confirmed by MarkusOE (Brass Contributor)
Solution
Solved.

I'm sorry for not being able to mention everything and everybody that contributed to finding the solution. It helped a lot to find many articles mentioning the relation of this problem to converting between shared and user mailboxes as well as changes in name, UPN, etc. Both were the case here. As far as I remember, it was the following article that led me directly to the cause as well as the solution:
https://answers.microsoft.com/en-us/msoffice/forum/all/the-attribute-accountdisabled-changing-for-tr...

THIS IS HOW I FOUND THE MAILBOX IN EXCHANGE ONLINE WHEN THE ISSUE OCCURRED
get-mailbox xyz | select ExchangeUserAccountControl,AccountDisabled,RecipientType,RecipientTypeDetails
ExchangeUserAccountControl : AccountDisabled, NormalAccount
AccountDisabled : True
RecipientType : UserMailbox
RecipientTypeDetails : UserMailbox

WHEN I TRIED TO ENABLE THE MAILBOX IT TOLD ME IT WAS A SHARED MAILBOX ALTHOUGH IT SHOWED UP AS A USER MAILBOX IN EXCHANGE ONLINE ADMIN CENTER AS WELL AS IN POWERSHELL
set-mailbox xyz -AccountDisabled $false
WARNUNG: Das freigegebene Postfach "email address removed for privacy reasons" kann nicht aktiviert werden.

From then on I assumed that the cause was a partly failed re-conversion from a shared to a user mailbox in the past. Although the user account was enabled in Entra, it was disabled in Exchange. Therefore there was no (active) Exchange security principal that permissions could have been assigned to.

SOLUTION
a) RemoteMailbox (Exchange Management Shell)
Get-RemoteMailbox xyz | Set-RemoteMailbox -Type shared
Invoke-Command -ComputerName servername -ScriptBlock {start-adsyncsynccycle -policytype delta}
Get-RemoteMailbox xyz | Set-RemoteMailbox -Type regular
Invoke-Command -ComputerName servername -ScriptBlock {start-adsyncsynccycle -policytype delta}
b) Mailbox (Exchange Online Powershell)
get-mailbox xyz | Set-Mailbox -Type shared
set-mailbox xyz -Type regular

I could see in the Entra logs that all of my above changes were taking effect on the user object related to the mailbox.

Now I was able to assign MailboxFolderPermissions to the security principal of the mailbox.
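The following is an added example, not code from the original post. It wraps the diagnosis from the question (why Add-MailboxFolderPermission rejects the assistant with InvalidExternalUserIdException / InvalidInternalUserIdException) and the shared-to-regular toggle from the solution above into functions with -WhatIf support, and waits for each Azure AD Connect delta cycle to finish before the type is flipped back. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) for Test-, Repair- and Grant-*, and an on-premises Exchange Management Shell with WinRM access to the Azure AD Connect host for Sync-RemoteMailboxType; the server name aadconnect01 and the aliases manager/assistant are placeholders.

```powershell
# Added example (not from the original thread). Assumed placeholders:
# 'aadconnect01' = host running Azure AD Connect, 'manager'/'assistant' = aliases.

function Test-FolderPermissionPrincipal {
    # Reports the recipient state that Add-MailboxFolderPermission depends on.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    [pscustomobject]@{
        PrimarySmtpAddress         = $mbx.PrimarySmtpAddress
        UserPrincipalName          = $mbx.UserPrincipalName
        RecipientTypeDetails       = $mbx.RecipientTypeDetails
        AccountDisabled            = $mbx.AccountDisabled
        ExchangeUserAccountControl = $mbx.ExchangeUserAccountControl
        # The state found in the thread: typed as a user mailbox, but Exchange
        # still carries the AccountDisabled flag of a shared mailbox.
        Inconsistent = [bool]($mbx.RecipientTypeDetails -eq 'UserMailbox' -and $mbx.AccountDisabled)
    }
}

function Sync-RemoteMailboxType {
    # Step a) of the solution, run from the on-premises Exchange Management Shell.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$AadConnectServer
    )
    foreach ($type in 'Shared', 'Regular') {
        if ($PSCmdlet.ShouldProcess($Identity, "Set-RemoteMailbox -Type $type, then delta sync")) {
            Get-RemoteMailbox -Identity $Identity | Set-RemoteMailbox -Type $type
            Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
                Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
                # Start-ADSyncSyncCycle returns immediately; wait for the cycle to end
                # so the Shared and Regular changes are exported as two separate updates.
                do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
            }
        }
    }
}

function Repair-MailboxType {
    # Step b) of the solution, run in Exchange Online PowerShell.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    foreach ($type in 'Shared', 'Regular') {
        if ($PSCmdlet.ShouldProcess($Identity, "Set-Mailbox -Type $type")) {
            Set-Mailbox -Identity $Identity -Type $type
        }
    }
    # Re-check that AccountDisabled has cleared before granting anything.
    Test-FolderPermissionPrincipal -Identity $Identity
}

function Grant-InboxAccess {
    # Grants folder-level rights and maps the two exceptions quoted in the
    # question to a readable hint instead of the raw Write-ErrorMessage output.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Owner,     # mailbox owner, e.g. manager
        [Parameter(Mandatory)][string]$Delegate,  # grantee, e.g. assistant
        [string]$Folder = 'Inbox',
        [string]$AccessRights = 'Reviewer'
    )
    $state = Test-FolderPermissionPrincipal -Identity $Delegate
    if ($state.Inconsistent) {
        Write-Warning "$Delegate is a UserMailbox with AccountDisabled=True; run Repair-MailboxType first."
        return $state
    }
    $folderId = "$($Owner):\$Folder"
    if ($PSCmdlet.ShouldProcess($folderId, "Grant $AccessRights to $Delegate")) {
        try {
            Add-MailboxFolderPermission -Identity $folderId -User $state.PrimarySmtpAddress `
                -AccessRights $AccessRights -ErrorAction Stop
        } catch {
            $msg = $_.Exception.Message
            if ($msg -match 'InvalidExternalUserIdException') {
                Write-Warning "Exchange could not resolve '$Delegate' to a mailbox-enabled security principal; check RecipientTypeDetails and AccountDisabled."
            } elseif ($msg -match 'InvalidInternalUserIdException') {
                Write-Warning "'$Delegate' exists in the directory but is not a valid grantee; repair the mailbox type, then retry with the SMTP address."
            }
            throw
        }
    }
    Get-MailboxFolderPermission -Identity $folderId -User $state.PrimarySmtpAddress
}

# Usage with the placeholder names:
# Test-FolderPermissionPrincipal -Identity assistant
# Sync-RemoteMailboxType -Identity assistant -AadConnectServer aadconnect01 -WhatIf   # on-prem EMS
# Repair-MailboxType -Identity assistant                                              # EXO
# Grant-InboxAccess -Owner manager -Delegate assistant -AccessRights Reviewer          # EXO
```

Run Sync-RemoteMailboxType with -WhatIf first to see both type changes before they are written; the wait loop on Get-ADSyncScheduler matters because a second Start-ADSyncSyncCycle issued while a cycle is still running fails, and the Regular change must reach Entra as its own update after the Shared one.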