14
Need Help With Microsoft 365 Azure AD Sync (lemmy.world)
submitted 1 year ago by packetloss@lemmy.world to c/sysadmin@lemmy.world
11 comments fedilink hide all child comments

Hello,

TLDR; Approx 2 years ago we manually created Cloud users on our 365 Tenant to start using Teams. Now we're trying to sync our on-prem AD with AAD and experiencing issues due to pre-existing Exchange Online mailboxes. Cannot delete the mailbox without deleting the user. Can't delete the user because we don't want to lose anything in Teams. Looking for help.

During the pandemic we had a lot of staff start working remotely. Our existing messaging platform was not up to the task and we jumped on the Teams bandwagon, shortly after we bought a mix of Business Basic and Business Standard licenses for all our staff. When applying the licenses to the staff we also inadvertently assigned an Exchange Online license. No big deal we thought at the time because our corporate email MX records point to our on-prem Exchange servers.

Fast forward to now and we're in the process of trying to sync all on-prem users to Azure AD so we can ultimately migrate our mailboxes off of our on-prem Exchange 2013 servers and on to Exchange Online. We've run into an issue that Microsoft support is having trouble solving. Because the cloud users were manually created before we setup AAD Connect and configured Hybrid Exchange, the Tenant knows nothing about the on-prem mailboxes. I cannot sync on-prem users to our Tenant because a mailbox exists for the user already. I cannot delete the Exchange Online user mailbox without deleting the user. Deleting the user will cause data and permission loss with Teams.

The sync process works fine if the user doesn't exist on the Tenant first, or if the 365 user doesn't have a pre-existing mailbox.

Hoping to find someone who's been in a similar situation and was able to solve it. Information online is sparse for this scenario and I'm not able to find anything that helpful.

top 11 comments
sorted by: hot top controversial new old
[-] misanthropy@lemm.ee 9 points 1 year ago

You just need to "hard match" the existing AD accounts with the 365 accounts, using immutableID. Use connect-msolservice cmdlet in PowerShell. immutableID ties the AD object to the 365 one.

Heads up though, you may run into issues if the usernames don't match. This may be time consuming if you have tons of users, but I know of no other good solution

[-] aeluon@programming.dev 2 points 1 year ago

this is the way. done it a few times for clients. not exactly fun but it will work.

[-] SheeEttin@lemmy.world 3 points 1 year ago

Sounds like you need to fix the match. I haven't had to do this in a few years so I don't know what the current process is, but you should be able to find plenty of recent articles on the process.

[-] IHawkMike@lemmy.world 3 points 1 year ago

Does this help?

https://techcommunity.microsoft.com/t5/exchange-team-blog/permanently-clear-previous-mailbox-info/ba-p/607619

You should still be able to sync them and let soft matching connect the onprem and cloud accounts. Then the info in that post can be used to clean up the duplicate cloud mailbox and its properties in preparation for a Migration.

[-] packetloss@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Edit: September 25, 2023 - Added more details to the solution for my issue.

Just wanted to update this so if anyone else is having the same issue hopefully it helps them.

During initial tenant setup I created a couple of retention policies. I thought these would only affect Teams data, but it turns out it also applied to Exchange Online mailboxes. When I tried to remove the Exchange Online license from the user it would give an Exchange error message in admin console and the mailbox would not get removed.

The issue turned out to be caused by holds that were applied to the user mailbox. Specifically these two:

DelayHoldApplied

ReleaseDelayHoldApplied

Both were set to $true.

  1. I removed the retention policies, they probably weren't configured correct in the first place.

  2. Used the following Powershell command to identify the holds applied to mailboxes:

Get-Mailbox | FL Identity,*HoldApplied*

  1. Used the "Set-Mailbox" command to remove those holds:

Set-Mailbox -Identity @mydomain.com -RemoveDelayHoldApplied

Set-Mailbox -Identity @mydomain.com -RemoveDelayReleaseHoldApplied

  1. Delete the user's mailbox by removing the Exchange Online license from the user and waited for the mailbox to disappear from the Exchange Online admin center.

  2. Run the following command to wipe out the pre-existing mailbox data. Without doing this, even after the on-prem user is synced Exchange Online will not care that the user has an on-prem mailbox, and will restore the previously deleted cloud mailbox from step 4.

Set-User @mydomain.com -PermanentlyClearPreviousMailboxInfo

  1. Force a sync of users using Azure AD Connect

  2. Re-enable the Exchange Online license for the user. After this is done in the users Mail settings you should see a message "This user's on-premises mailbox hasn't been migrated to ‎Exchange Online‎. The ‎Exchange Online‎ mailbox will be available after migration is completed"

Thanks to everyone who replied and offered help.

[-] PeachMan@lemmy.one 1 points 1 year ago

Hey, thanks for circling back and updating! More details here on those mailbox properties in case anyone is curious: https://learn.microsoft.com/en-us/purview/ediscovery-identify-a-hold-on-an-exchange-online-mailbox?view=o365-worldwide#managing-mailboxes-on-delay-hold

After any type of hold is removed from a mailbox, a delay hold is applied. This means that the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted (purged) from the mailbox. This gives admins an opportunity to search for or recover mailbox items that will be purged after a hold is removed.

So, did you recently remove a hold from these mailboxes? Or were these properties stuck somehow, even though they were more than thirty days old?

[-] OfficerBribe@lemm.ee 2 points 1 year ago* (last edited 1 year ago)

It should be possible to get rid of only EXO (Exchange Online) mailbox without impacting AAD account, at least it's possible in on-premises. Have you tried to disable EXO service from license and/or used Disable-Mailbox command from EXO shell?

Edit: Try accepted answer here.

[-] themoonisacheese@sh.itjust.works 1 points 1 year ago

MS support should be able to help with that, or at least point you in the correct direction. we had the same problem and yeah they did struggle a bit but eventually they were able to help.

if you want to roll your solution, your best bet is to is forgo the old mailboxes (export the emails to the new accounts first) and then basically only use the online account synced back to on-prem.

[-] PeachMan@lemmy.one 1 points 1 year ago

Can you upgrade the mailboxes by assigning a different license? Like E3?

[-] packetloss@lemmy.world 1 points 1 year ago

No, we don't have any licenses other than Business Basic or Business Standard.

[-] REdOG@lemmy.world 1 points 1 year ago

Wow that's quite a pickle.

Maybe you can make them shared mailboxes temporarily, rename the online accounts, sync the new accounts and give both accounts access to the data until it's merged.

But I'd probably just look into something like veeam's 365 backup/restore.

I know it's possible to restore to a different user account. Maybe you can backup the online users, delete them, sync the new users then restore the data to the hybrid accounts.

just some thoughts

this post was submitted on 20 Sep 2023
14 points (93.8% liked)

Sysadmin

7542 readers
1 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 1 year ago
MODERATORS
DarraignTheSane@lemmy.world
00Lemming@lemmy.world
L3s@lemmy.world