How to delete SafeSenders from outlook online server? - server

A user exceeded the maximum number of SafeSenders. This documentation says that in PowerShell you can apply a command, Set-Mailbox -Identity "someone" -MaxSafeSenders 2000;
however, this only applies to an on-premise server. Is there any way to apply this to an online Outlook server?

Related

Exchange Hybrid Mailbox Creation / Sync error

I have a hybrid environment with on-prem exchange (almost done migrating) and O365 Email.
I create a new user in our on-prem AD via powershell. It syncs properly via AADConnect to our Azure environment and creates the O365 user and Exchange online (O365) email account. Using powershell I can correct proxy addresses and the msExchRecipient/Remote attributes.
The expected result is that I have an email account on both sides for the hybrid environment, with the on-prem Exchange server showing the Mailbox Type as "Office 365".
For one particular user, I ended up with email accounts in both on-prem and online exchange as expected. The user receives messages in their O365 account. However, messages that are trapped by our Mimecast server are not getting through. The Mailbox Type listed in on-prem is "User". This is messing up the mail routing for incoming messages from outside the domain.
Is there a way I can powershell my way out of this mess and somehow convert the mailbox type from "User" to "Office 365"? I can't migrate the user because the account already exists in O365. If I delete the O365 I would lose the email.
Should I have my powershell user creation script create the ad user, create the on-prem mailbox and also perform the migration? At least until we are fully migrated and out of our hybrid environment?
For this user, would it work to delete the AD and on-prem Exchange, and re-create both manually? How would I connect the on-prem to online exchange without losing the mail?
Any insight into this can of worms would be greatly appreciated.
One of the documents I referenced is this one about Recipient Type Values:
https://answers.microsoft.com/en-us/msoffice/forum/all/recipient-type-values/7c2620e5-9870-48ba-b5c2...
: Keith

Exchange Hybrid - All Remote Mailboxes - Populating msexchExternalDirectoryObjectId for get-remotemailbox

We have a hybrid Exchange environment that has all its mailboxes online. ExternalDirectoryObjectId is present in the results for EXO or Azure PowerShell user management tools.
However, when I run on-prem Exchange PowerShell tools such as Get-RemoteMailbox against users, the ExternalDirectoryObjectId property is listed but blank.
I have synced msDS-ExternalDirectoryObjectId back from Azure and this populates ExternalDirectoryObjectId for local AD Get-ADUser commands but not on-prem Exchange tools.
I think I need to populate the AD user property msexchExternalDirectoryObjectId, but I am unsure exactly how to set this up in AD Connect or what online property to sync with.
Has anyone had this issue before and can offer any advice on how to resolve it?

Exchange online can I get a list of all mailboxes

I need to get a list of all mailboxes.
Can I get this list with EWS and PowerShell?
Exchange online shell will not be installed on the server where I run the script.
Thanks for your support
With PowerShell you can simply call the Get-Mailbox PowerShell command.
This works for on-premise and O365 mailboxes as well. For an O365 environment, sooner or later you will need to transfer to modern authentication, but basic authentication will still work for a while. This is the easiest way I can think of.
Based on my knowledge, it's not possible to list all mailboxes entirely with EWS.

Adding an Alias to a Microsoft O365 Group

Wanted to add an answer to what I learned after researching and succeeding with this issue.
I have a Microsoft O365 account where I run my business. I am using Microsoft Teams so my executive team can see information and emails specific to that function. For instance, Human Resources. That team is set up to use humanresources@contoso.com as its email Office 365 Group. I want to add jobs@contoso.com as an alias to the group. But the O365 Admin panel or Exchange Admin Center (EAC) do not have that function available. How do you add an Alias to a Microsoft O365 Group?
There is a link that describes how to use PowerShell to add an alias:
Add Additional SMTP Aliases to Office 365 Groups
Concise Instructions
Open PowerShell.
Allow Remote, Signed scripts so you can import Microsoft O365 Exchange commands. We will set this back to default when done:
Set-ExecutionPolicy RemoteSigned
Enter your credentials so you can manage the O365 environment you are working on. It will prompt you for your username and your password:
$UserCredential = Get-Credential
Create a new PowerShell session to import the Microsoft O365 Exchange commands:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import the session. You should see the standard PowerShell progress bar as the commands are imported:
Import-PSSession $Session
Now you are ready to issue your commands. First, make sure you can read the properties of the Exchange Group:
Get-UnifiedGroup -Identity humanresources@contoso.com | FL EmailAddresses
It should output the aliases assigned to the Outlook Group.
To add the alias, enter this command. I will use my example in the question above to show what it looks like:
Set-UnifiedGroup -Identity humanresources@contoso.com -EmailAddresses @{Add="jobs@contoso.com"}
You can then run the Get-UnifiedGroup command and see the alias now listed in the email addresses.
Return to the default execution policy:
Set-ExecutionPolicy Default
Next Steps
At this point the group has an alias. You can email the alias internally to your O365 account. For instance, User1@contoso.com can email jobs@contoso.com and it will work correctly. It will be received in your O365 Human Resources group.
However, if you attempt to send email to the alias from external, you will get a 5.4.1 access denied error. You will get this even if you are able to email humanresources@contoso.com. (If you can't email the primary alias externally, you have another problem where the group is not set to receive external email, that can be set in the EAC.)
The problem where the alias cannot receive external email has to do with Directory Based Edge Blocking (DBEB). Essentially, before O365 performs any of its protection actions (anti-malware, anti-virus, SPAM, etc.) it performs a simple lookup into your Active Directory. It looks to see "Hey, does this user even exist here?"
For instance, if you are sending email to User1@contoso.com, DBEB looks up the directory and says, OK, that user exists, send it on. It does the same for humanresources@contoso.com. However, the lookup fails for additional aliases assigned to O365 Groups. There is a workaround.
Workaround
The workaround is disabling DBEB for the contoso.com domain. This does not disable the additional layers of protection of email hygiene (anti's, spam, etc.). To do so, you need to go into the EAC of your O365 account and change the Accepted Domains from Authoritative to Internal relay.
If you have natively started in O365, this is probably set to Authoritative. If you have a hybrid (O365 and Onsite), or did a migration from Onsite to O365 it is most likely already set to Internal relay (Unless post-migration you changed it to Authoritative). This is why for some people, just adding the alias works for them. DBEB is already disabled. Again, this only disables the first check of a valid user or not and the remainder of the hygiene stack is still in place.
After this change, your O365 Groups should now receive external email to their additional aliases.
Better Ways?
Yes, there should be better ways to add aliases to O365 Groups, like going to the group, selecting aliases, and adding them. That way we aren't in the shell and EAC making things work like they should. Microsoft, make it so!
Another way may be somehow to use New-EOPMailUser to create an entry in the Directory for the alias. When I tried to create a new Contact in the EAC, it stated that the email address was already in use. So, I got it to work and haven't looked at other options. I am assuming Microsoft will get aliases added in a more admin friendly way (PLEASE?!).
Keep Calm and Cloud On!
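The procedure in the answer above as a single script, an added example that is not part of the original answer. It assumes the ExchangeOnlineManagement module is installed (Connect-ExchangeOnline replaces the Basic-authentication PSSession), limits the execution policy change to the current process, and only reports the accepted domain type instead of changing it; the group, alias and domain are the answer's contoso.com sample values.

```powershell
# Added example, not code from the original answer.
# Assumption: the ExchangeOnlineManagement module is installed on this machine.
$Group  = 'humanresources@contoso.com'   # sample value from the answer
$Alias  = 'jobs@contoso.com'             # sample value from the answer
$Domain = 'contoso.com'                  # sample value from the answer

# Scope the policy change to this PowerShell process only, so the machine-wide
# policy is never altered and nothing has to be set back afterwards.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Modern-authentication sign-in (interactive prompt, works with MFA).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

try {
    # Read the current addresses as plain strings.
    $current = @((Get-UnifiedGroup -Identity $Group).EmailAddresses |
        ForEach-Object { "$_" })

    # Add the alias only if it is not already present (-contains ignores case,
    # so both "SMTP:" and "smtp:" prefixes match).
    if ($current -notcontains "smtp:$Alias") {
        Set-UnifiedGroup -Identity $Group -EmailAddresses @{Add = $Alias}
    }

    # Confirm the result.
    Get-UnifiedGroup -Identity $Group | Format-List EmailAddresses

    # Show how the accepted domain is configured. Authoritative means DBEB
    # recipient lookup is active; InternalRelay means it is already off.
    $accepted = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain }
    if ($accepted) {
        '{0} is configured as {1}' -f $accepted.DomainName, $accepted.DomainType
    } else {
        Write-Warning "No accepted domain named $Domain in this tenant."
    }

    # The answer's workaround, left commented out because it turns off
    # recipient lookup for every address in the domain, not just this alias:
    # Set-AcceptedDomain -Identity $accepted.Identity -DomainType InternalRelay
}
finally {
    # Always close the session, even if a cmdlet above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```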
Wayne is spot on, however, there is a method to work around the DBEB issue. If you cycle each alias as the primary address (Cap SMTP) and then end back on the desired primary, all addresses will receive mail from outside addresses.
Set-UnifiedGroup -Identity "O365 Identity" -EmailAddresses SMTP:email@domain1, email@domain2, smtp:email@domain.onmicrosoft.com
Found the work around Here (The update at the very bottom)
If you are an admin, this works (at least for a Distribution Group) using O365.
Go to Admin
On the left, click Show All and then Exchange
In the Exchange Admin go to Recipients and then Groups
Double click the group.
Click Email Options
Click the + and add the additional email.
I've just done this and didn't have to do anything to allow me to email the alias externally (except configure the O365 Group to be able to be emailed externally). I checked the config of my Accepted Domains and they are both Authoritative. We are a cloud only tenant, so no hybrid, and I didn't muck around with the primary address.
To add to existing answers what worked for me:
Create a shared mailbox with desired e-mail.
Set up auto-forwarding to O365 Group.
Extra hop, little hassle, same effect.

PowerShell Exchange 2007 Outlook 2010 Full mailbox access except 1 folder

Does anyone know a way to give userA full access to userB's mailbox, with the exception of one folder in userB's mailbox, using PowerShell?
Thanks in advance
You cannot use the Add-MailboxPermission cmdlet to give full access to a mailbox and then restrict access to one mailbox folder. The Add-MailboxFolderPermission is available in Exchange 2010 and up. You could try using Exchange Web Services (EWS). Read this blog, there might be code from that script you can use.
http://gsexdev.blogspot.com/2008/10/exchange-reverse-permission-audit.html#!/2008/10/exchange-reverse-permission-audit.html