Timing is Everything
While on assignment I came across a rare occurrence of new employee accounts being created with multiple mailboxes.
You might ask how this is possible. The company I was working with has a well-defined employee onboarding and offboarding process, but that process was developed before the Exchange Hybrid deployment and didn't include enough time between provisioning steps, which led to two mailboxes being created, one locally and one in Microsoft 365.
Because not enough time passed between the creation of the account, the addition of the local mailbox and the assignment of the Microsoft Exchange Online license, the new account would end up with two mailboxes. Further investigation revealed that the script responsible for creating the account and assigning the Exchange Online license resided in a different site from the Exchange Server, adding to the delay before the attributes required to sync to Azure Active Directory were applied to the user account. Add in Active Directory replication delays and a thirty-minute DirSync schedule, and the choreography of the new account creation flow can break down rather easily.
In a nutshell, Azure would see the new account without the local Exchange attributes but with an Exchange Online license, and would begin provisioning a cloud-based mailbox.
Fixing the immediate issue of the two mailboxes is a multistep process that I will cover at a very high level, first addressing the tactical issue of the duplicate mailbox and then fixing the onboarding process flow.
1. Back up the mail messages from the mailbox hosted in Microsoft 365 by exporting the mail to a PST file for later import into the local mailbox.
2. Stop the sync of the user account from the local Active Directory to Azure by placing the 'UserNoSync' value in the adminDescription attribute of the account in the local Active Directory.
3. Once the Azure sync process is complete, execute a hard delete of the user account and mailbox from the Microsoft 365 PowerShell interface.
4. Once the account has been deleted and removed from the Azure recycle bin, remove the 'UserNoSync' value from the adminDescription attribute of the account. This allows the account to be re-projected into Azure Active Directory with the proper attributes attached.
5. As a courtesy to the end user, import the mail you backed up from the hosted Exchange Online mailbox into their local one, as all inbound mail from the internet will be in this PST file.
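The cleanup sequence above, scripted as an added example (this is not code from the original post). It assumes the ActiveDirectory, MSOnline and on-premises Exchange modules are loaded in the session, that the script runs where Start-ADSyncSyncCycle is available, and that 'UserNoSync' in adminDescription is the value the tenant's Azure AD Connect "do not sync" rule filters on, as the post states; the exact string must match whatever rule is configured in your tenant. The PST export from Exchange Online is done through the Microsoft 365 compliance export rather than a cmdlet, so the script takes the path of an already-exported PST as input.

```powershell
# Added example: tactical cleanup of a duplicate Exchange Online mailbox.
# Not the original post's code; assumes ActiveDirectory, MSOnline and the
# on-prem Exchange management shell are connected, and that the AAD Connect
# filter rule keys on adminDescription = 'UserNoSync' (value from the post).
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $PstPath   # hypothetical UNC path of the exported PST
)

$noSyncMarker = 'UserNoSync'   # must match the tenant's AAD Connect do-not-sync rule

# Step 1 (done outside this script): export the cloud mailbox to $PstPath
# through the Microsoft 365 compliance export.
if (-not (Test-Path -Path $PstPath)) {
    throw "PST export not found at $PstPath; export the cloud mailbox first."
}

# Step 2: mark the on-prem account so Azure AD Connect stops projecting it.
Set-ADUser -Identity $SamAccountName -Replace @{ adminDescription = $noSyncMarker }

# Step 3: trigger a delta sync and wait until the object leaves Azure AD.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$deadline = (Get-Date).AddMinutes(45)
do {
    Start-Sleep -Seconds 60
    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
} while ($cloudUser -and (Get-Date) -lt $deadline)
if ($cloudUser) { throw "Object still present in Azure AD after waiting; check the sync rule." }

# Step 4: hard delete, i.e. purge the soft-deleted object from the recycle bin.
$deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
if ($deleted) {
    Remove-MsolUser -ObjectId $deleted.ObjectId -RemoveFromRecycleBin -Force
}

# Clear the marker so the account is re-projected with its Exchange attributes.
Set-ADUser -Identity $SamAccountName -Clear adminDescription
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Step 5: put the mail captured in the cloud mailbox back into the local one.
New-MailboxImportRequest -Mailbox $SamAccountName -FilePath $PstPath |
    Select-Object Name, Status
```

Before running the hard delete, confirm the on-prem account still has its msExchMailboxGuid and that the soft-deleted object in the recycle bin is the duplicate and not a different user with a similar name; once purged from the recycle bin there is no undo.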
Fixing the root cause is actually quite easy and has multiple solutions; in this case I did the following.
I fixed the replication delay by cleaning up Active Directory Sites and Services; it looked like a spaghetti mess when graphed out in Visio. I then instructed the integration team to modify the provisioning script to check Azure AD for the newly created / synced user object and confirm that the proper Exchange attributes are present. In this case the script looked for a value in the msExchMailboxGuid attribute. This attribute is added by the local Exchange and then synced to Microsoft 365, and Microsoft checks msExchMailboxGuid when deciding whether or not to provision a cloud mailbox. If a value is present in the msExchMailboxGuid attribute on the account in Azure AD, the local mailbox is known to Exchange Online, the license applied to the account will not trigger a cloud mailbox provision, and it is safe to assign a license to the account.
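One way to build that gate into a provisioning script, as an added example that is not the integration team's script. It assumes the ActiveDirectory, MSOnline and ExchangeOnlineManagement modules are connected. The cloud-side check reads ExchangeGuid from Get-MailUser, which in a hybrid tenant is populated from the synced msExchMailboxGuid; that is my assumption about how to observe the attribute from PowerShell, not a statement of how the original script read it. The timeout, poll interval, $LicenseSku and the account names are placeholders.

```powershell
# Added example: do not assign the Exchange Online license until the on-prem
# mailbox GUID is visible on the cloud side. Not the original post's script.
# Assumes ActiveDirectory, MSOnline and ExchangeOnlineManagement are connected.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $LicenseSku,     # e.g. 'contoso:ENTERPRISEPACK' (placeholder)
    [int] $TimeoutMinutes = 90,                      # covers replication plus a few sync cycles
    [int] $PollSeconds = 300
)

# Returns $true once the cloud object carries a non-empty ExchangeGuid, which
# is populated from the synced msExchMailboxGuid (assumption about the
# observable attribute; the post says the script read msExchMailboxGuid).
function Test-MailboxGuidSynced {
    param([string] $Upn)
    $mu = Get-MailUser -Identity $Upn -ErrorAction SilentlyContinue
    if (-not $mu) { return $false }                  # not projected to the cloud yet
    return ($mu.ExchangeGuid -ne [guid]::Empty)
}

# Polls until the GUID is present or the timeout expires.
function Wait-ForMailboxGuid {
    param([string] $Upn, [int] $Minutes, [int] $Interval)
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-MailboxGuidSynced -Upn $Upn) { return $true }
        Start-Sleep -Seconds $Interval
    }
    return $false
}

# On-prem pre-check: if the local mailbox has not stamped the attribute yet,
# there is nothing for the sync to carry and waiting on the cloud is pointless.
$adUser = Get-ADUser -Identity $SamAccountName -Properties msExchMailboxGuid
if (-not $adUser.msExchMailboxGuid) {
    throw "msExchMailboxGuid is empty on $SamAccountName; create the local mailbox before licensing."
}

if (Wait-ForMailboxGuid -Upn $UserPrincipalName -Minutes $TimeoutMinutes -Interval $PollSeconds) {
    # Safe: Exchange Online knows the mailbox lives on-prem, so the license
    # will not trigger a cloud mailbox provision.
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $LicenseSku
    Write-Output "License assigned to $UserPrincipalName after mailbox GUID was confirmed in the cloud."
} else {
    Write-Warning "Mailbox GUID for $UserPrincipalName never appeared in Azure AD within $TimeoutMinutes minutes; license NOT assigned."
    exit 1
}
```

The pre-check on the on-prem attribute is what turns the script from "wait and hope" into a real gate: if replication or the mailbox creation step failed, the script stops with a clear message instead of timing out, and the license is never assigned to an account that could still be provisioned a second mailbox.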
Hope this brain dump was beneficial or helps you to understand some of the cogs that are moving behind the scenes of an Exchange Hybrid deployment.
Remember to “work the problem” and stay well!
CTO of Komodo Cloud
Komodo Cloud is a leading cloud provider and integrator; for more information on Komodo Cloud, drop us a line!