Exchange Online

Recipient missing from Exchange Online

When you configure ADConnect for Exchange Hybrid, you expect that a UserMailbox from on-premise will be represented in Exchange Online as a MailUser. I had an issue where one mailbox on-premise didn’t have a recipient in Exchange Online. I checked the Admin Center and found the user was synced from on-premise Active Directory successfully. When I clicked on the user, I saw the following error: “Exchange: The execution of cmdlet Enable-MailUser failed.”

I moved the user in Active Directory to an OU that wasn’t in sync with ADConnect. Running a delta sync with ADConnect removed the user from Azure Active Directory. I then went to Deleted Users in Azure Active Directory, found the user and clicked on Delete Permanently.

Finally, I moved the user in Active Directory back to the original OU and ran another delta sync with ADConnect. This time, when the user was provisioned in Azure Active Directory, they correctly showed as a Mail User and I was able to migrate the mailbox.

Moderated Groups in Hybrid

I was working with a customer who was in the middle of the hybrid migration to Exchange Online, and they had an issue where emails being sent to All Company were not being approved. The All Company distribution group is a moderated group and the approvers had their mailboxes on-premise. I found the following error in the message trace:

Moderated groups leverage arbitration mailboxes to send the notification emails to the approvers. Unfortunately, the approvers were not getting any notifications when the sender’s mailbox was in Exchange Online. In the message trace I did find an NDR for “550 5.6.0 APPROVAL.InvalidExpiry; Cannot read expiry policy.” It turns out that Exchange Online required a Retention Policy Tag for Moderation. I ran the following commands in Exchange Online:

After running these two commands, messages sent to a moderated group from a cloud mailbox were able to have the notifications delivered to the approvers. This is documented in the Microsoft Docs: https://docs.microsoft.com/en-us/exchange/troubleshoot/email-delivery/550-5-6-0-approval-invalidexpiry-cannot-read-expiry-poilcy-error

Office 365 ATP External email forwarding

I have been discussing the upcoming change to block auto forwarding in Exchange Online with several customers. The announcement from Microsoft is for Roadmap ID 63831 and goes into effect September 1st 2020.

There is no impact on external forwarding in this update, however automatic forwarding will be disabled based on the policy in a future update currently planned for September 1, 2020 and we will communicate via Message center. Once the policy takes effect messages that are being automatically forwarded outside the organization will be blocked and non-delivery report (NDR) will be sent to the user.

If, like many of my customers, you have a legitimate reason to forward to external addresses, you need to log in to https://protection.office.com/antispam and change the “Outbound spam filter policy (always ON)”.

The setting you are looking for is under Automatic forwarding, and you should set this to “On – Forwarding is enabled”.

Now, if you want to be more secure, you can create a new Outbound policy and scope this to just the mailboxes that need forwarding enabled.
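The scoped approach can also be done from Exchange Online PowerShell. The script below is an added example, not something from Microsoft's announcement: it lists who forwards today, keeps the default outbound policy blocking, and enables forwarding only for members of one group. The group address and the policy/rule name are placeholders I made up, and setting the default policy to Off is my assumption about what "more secure" should look like.

```powershell
# Added example. Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Assumed, hypothetical names: replace with your own.
$AllowedGroup = 'ext-forwarding-allowed@contoso.com'   # mail-enabled security group of approved forwarders
$PolicyName   = 'Allow external auto-forwarding'        # used for both the policy and its rule

# 1. Inventory mailbox-level forwarding before changing anything, so you know
#    who would start receiving NDRs. (Inbox-rule forwarding is not listed here;
#    check it per mailbox with Get-InboxRule.)
$forwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
$forwarders | Format-Table -AutoSize

# 2. Default policy applies to everyone not matched by a custom rule: block forwarding.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Custom policy with forwarding on, applied only to senders in the approved group.
$existing = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On
    New-HostedOutboundSpamFilterRule -Name $PolicyName `
        -HostedOutboundSpamFilterPolicy $PolicyName `
        -FromMemberOf $AllowedGroup
}

# 4. Verify: only the custom policy should show AutoForwardingMode = On.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule   | Select-Object Name, State, Priority, FromMemberOf
```

Compare the inventory from step 1 with the group membership: any forwarder who is not in the group will be blocked once the policy takes effect.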

Data Consistency Score

Microsoft recently announced improvements in mailbox move requests with something called Data Consistency Score. It is meant to prevent you from setting the bad items to a high number like 5000.

Improving Migrations Using Data Consistency Scoring – Microsoft Tech Community – 1105920

I started not to set any bad item limits and let the new feature go to work. After a few batches it all worked and I was impressed. Last night I hit a snag where the move request was stuck and wouldn’t complete. The move request statistics were stuck on Synced.

I was required to check the migration user to find the data consistency was set to Investigate:

I was required to set the migration user in Exchange Online to approve skipped items:

After setting this the mailbox completed the move request successfully.