hybrid
916 Topics

Mailbox for Service Account (exchange online)
Hi,

Our organisation isn't ready to move to Exchange Online yet, though we have Office 365 E3 licencing. I need to create a service account that can send emails via Outlook 365 for use in Power Automate. The documentation I have seen for adding a mailbox to an existing AAD user requires assigning an Exchange licence to the account via the licence portal. I can't see any such licences, though we do have E3 licencing, which is visible, that I assume covers this? Unfortunately the admin who did the original configuration has moved on and I don't have a global admin role, so I have to go through a support team that can't help me with my lack of knowledge in the area! Any advice would be very much appreciated, as what (I think) should be a simple task has taken a lot of time to try and get to the bottom of!

Thanks, Dale.

37K Views, 0 likes, 3 Comments

Cross Tenant Mailbox Migration: NotAcceptedDomainException
This week I'm performing a new cross-tenant mailbox migration. I have some experience with this kind of migration (it's the third one I'm in charge of), and with the new procedure (I will paste the link with the instructions at the end of this article) an Azure Key Vault is no longer required, so I was very confident and thought that I would not have any issues. But, as sometimes occurs, I was wrong.

The setup was quite easy, and the mail users configuration was like always, so not a big deal. But now comes the point... Once I launched the migration batch, half of the users started syncing correctly and the other ones failed (not even a MoveRequest was able to start for them). Once I checked the errors, I got the same one for all the failed ones: "NotAcceptedDomainException: You can't use the domain because it's not an accepted domain for your organization".

OK. No problem... (I thought). I have worked with Exchange for more than 10 years and this is a common error message. (Again I was wrong.) I started to check the mail users, looking for a misspelled domain, missing alias, spaces, etc. Basically, the troubleshooting for this kind of error. But from my perspective all looked good. So, I decided to reconfigure all the mail users with a script, launch a delta sync, and resume the failed move requests. But again, same error for all of them. Checked again, with PS, from source and target tenant, checked in AD, all the proxy addresses... Nothing, all was correct! Nonsense...

OK. At that point I decided to compare some syncing mail users with some failed ones, looking for anything that could be a pattern. And "voilà"! The syncing users were all licensed in O365... The failed ones were not! After assigning a license to the failed ones and resuming the MoveRequest, all started to work smoothly.

For sure, I would have saved many hours of work if the error message had been: "The user is not licensed". But, yeah... It would have been too simple.

Summarizing: make sure that the mail users have an O365 license before you start the migration batch. And remember, error messages are not always what they seem to be.

Cross Tenant Mailbox Migration procedure (Preview): https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide

2.2K Views, 3 likes, 2 Comments

Preserving permissions during EXO migration
Hi,

Can you help me understand the outcome of preserving the permissions in our scenario? Exchange Server 2016 (soon Exchange SE) in a hybrid with Exchange Online. We are moving 75% of the mailboxes to Exchange Online. What ways will preserve or break the full-access or sendas permissions?

I guess the best way would be to migrate both the user and the shared mailbox at the same time in the same batch to keep the permission?
If we migrate the user in batch 1 and the shared mailbox in batch 2, will that preserve/break the full access/send as?
If we migrate the shared mailbox in batch 1 and the user mailbox in batch 2, will that preserve/break the full access/send as?
If the permission is linked directly on the shared mailbox or via a security group, is there a difference?

Thanks!

20 Views, 0 likes, 0 Comments

OAB download fails after hybrid mailbox move.
Hi folks,

I'm posting this query here as I doubt anyone in the Outlook forums would have the necessary Exchange hybrid knowledge.

I run a classic hybrid Exchange environment where Exchange Server 2019 CU15 is the on-premise platform. Authentication is provided by on-premise AD FS, with the accounts being synchronised from on-premise via AAD Connect.

I've just moved my on-premise mailbox to Exchange Online via New-MoveRequest and for the most part, everything is fine. One thing that possibly isn't fine, going off the Bits-Client event log, is the regular offline address book downloads, where I'm seeing regular failures in the event log and through double-checking with bitsadmin.exe. The initial address book synchronisation worked, as the view in Outlook is fully populated; however, I expect that future changes likely won't come through.

bitsadmin output

Event log output

(There are numerous events to choose from - this is the one I'm most curious about.)

The BITS service provided job credentials in response to the UNIDENTIFIED authentication challenge from the outlook.office365.com server for the Microsoft Outlook Offline Address Book <guid> transfer job that is associated with the following URL: /OAB/<guid>/oab.xml. The credentials for the <sid> user were rejected.

When the mailbox was on-premise, the OAB came from the Exchange Server - no surprise there - whereas post-migration it can be seen from the bitsadmin output that it now comes from outlook.office365.com. Perhaps that's also to be expected - I don't know, but it makes sense given the move.

What alerted me to there potentially being an issue is that the systray icon frequently gets stuck on the "synchronising" icon, and running a manual full OAB sync from within Outlook fails to complete. After an extended "hang" period, the sync window eventually times out with the error shown above (the protracted UI behaviour would appear to be due to the large number of retries).

Dropping the BITS job URL into Edge simply returns an HTTP 503, which doesn't necessarily strike me as a problem. After all, I'm unable to provide a BEARER token using this method. I haven't yet tried via PowerShell as it only occurred to me now, but perhaps I'll do so after posting this.

Searching on this error and scenario has turned up nothing useful. I have also checked and compared event log entries from an Azure AD-native account, where it's a mixed bag of successful OAB BITS downloads and unsuccessful ones that feature the same symptoms as above, which offers up the possibility this might be a transient service-side error (though I'm not leaning heavily towards this).

Has anyone else encountered this issue and resolved it? Is it even an issue to begin with, or is this expected behaviour? I'm unsure what to make of the symptoms.

Cheers, Lain

Solved, 176 Views, 0 likes, 2 Comments

Exchange online - track deleted mail
I am a 365 admin and quite often see people report "all my mails are in deleted post - and I have done nothing" or similar. What is the best practice to investigate that? I know in PowerShell I have made some audit searches, where it reports things like softdelete, harddelete etc. - but is there any more specific way of proving that the user actually did it on his own? I know with retention policies it is hard delete - but I am just wondering what the best practice is to prove to the user that this was the user. If I just write that it is soft deleted and that this means the user has done it, the user often thinks it is not understandable.

148 Views, 0 likes, 1 Comment

Retire last Exchange Server but keep directory sync
Hello all -- I'm looking for guidance on the recommended way to retire our last Exchange 2019 server while maintaining directory synchronization in our environment. We do not have any mail flowing through our Exchange server, never have. It was only installed 10 years ago for a hybrid deployment.

I believe one supported path is to stand up a member server and install the Exchange Management Tools on it. Given that Exchange 2019 is already out of support, is this the long-term path moving forward?

I've also read about an attribute "IsExchangeCloudManaged". In this scenario, I can set this on a per-mailbox basis and manage attributes such as proxyaddresses, extension attributes, and other non-AD-managed attributes. Is this the more forward path to take?

Thinking about our user provisioning process now, we have a PowerShell script that creates the user in AD and connects to our hybrid Exchange server to Enable-RemoteMailbox. In this scenario, we would still create the user in AD, wait for the sync to happen, then enable the IsExchangeCloudManaged. Would this now provide the ability to manage additional addresses, or even shared mailboxes, without having to migrate from AD --> EXO - all while keeping AD in sync with cloud mailboxes? Am I thinking about this correctly?

Thanks for any insight
sb

227 Views, 2 likes, 1 Comment

Dynamic Distribution Group with no Disabled Accounts
Hi,

I'm trying to build a few Dynamic Distribution Lists in Exchange Online and want to only include Active Users (i.e., users that are marked "Active" in Azure AD). I've tried using the UserAccountControl attribute (-eq 514 or -ne 514 - both are returning the same results, which is strange), but it still includes user accounts that are disabled. This is what my recipient filter looks like:

RecipientType -eq 'UserMailbox' -and UserAccountControl -ne 514

What's the best way to achieve this in Exchange Online?

Thanks
Taranjeet Singh

4.2K Views, 0 likes, 9 Comments

Teams delegation permission issue with Onpremise Exchange Server
We have migrated the Exchange server from 2019 to the SE environment and configured OAuth 2.0, which is working perfectly, but there is one issue: one of the users is using a shared calendar, but when he creates a meeting invite with the Teams meeting option, every time it shows an error "please login into the meeting". If anyone has worked on this case, please guide or help us. Thanks

166 Views, 0 likes, 2 Comments

Keep user account but provision new empty mailbox
I did ask in another forum but thought I would ask here as it seems impossible... We are hybrid Exchange. We have litigation hold and Purview retention policies in place. We have a scenario where an existing user is moving to a new role and her existing mailbox needs to be dissociated from her AD account and a new clean mailbox provisioned. The original mailbox needs to stay as inactive and searchable via eDiscovery. Is it possible?

I have asked AI and it said:
- Make sure all the holds and retention policies are in place
- Move the AD account to a non-syncing OU and run a delta sync
- The mailbox should show as inactive in Exchange Online
- Then it tells me to run Set-User <UserUPN> -PermanentlyClearPreviousMailboxInfo but ONLY if the recipient type shows as MailUser or User

This is where I am stuck, as it is still UserMailbox. It told me to restore the cloud-only object, which I did. But it still shows as RecipientType = UserMailbox when I check. It's now just a cloud-only account; it has no license. The mailbox is inactive but it's still a UserMailbox.

Is what I am trying to do possible? Would now just changing the cloud-only account to have a new email address be the only way to retain it and then sync back the on-prem account?

164 Views, 0 likes, 2 Comments