The operation on mailbox failed because it’s out of the current user’s write scope

When you try to change an email address on a mailbox in Office 365 (for example with Set-Mailbox -EmailAddresses), you get the following error message:

The operation on mailbox “<mailbox>” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘EmailAddresses’, can’t be performed on the object ‘Stacey Brown’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


This happens because you are synchronizing user objects from your local Active Directory to Office 365 using DirSync or WAADSync, and you then try to change properties of those synchronized objects in Office 365. That is not possible: for synchronized objects the Source of Authority is your local Active Directory, not Windows Azure Active Directory, so the cloud copy of those attributes is read-only. All of the user's properties, including the email addresses, have to be changed in the local Active Directory, after which the next sync cycle writes them to Office 365.

The proper way to do this is to change the attributes through your local Exchange environment (the Exchange Management Console, the EAC or the Exchange Management Shell), preferably in a hybrid scenario, although a regular on-premises Exchange server will do as well.

However, you can also do this (and a lot of admins actually do) by editing the proxyAddresses attribute of the user object directly with ADSIEdit or the Attribute Editor tab in the Active Directory Users and Computers MMC snap-in. Be aware that this bypasses the checks Exchange performs when it writes the attribute, such as making sure there is exactly one primary (upper-case SMTP:) address and that the address does not already exist on another recipient.
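The two routes described above, as an added PowerShell example that is not part of the original post: the supported one through the on-premises Exchange Management Shell (Set-RemoteMailbox, which applies when the user's cloud mailbox is represented on-premises as a remote mailbox, as in a hybrid deployment) and the unsupported one that writes the proxyAddresses attribute directly, which is what ADSIEdit and the Attribute Editor do, followed by the check Exchange would otherwise have done for you. The user name 'Stacey Brown' comes from the error message above; the address stacey.brown@contoso.com, the $useExchange switch and the Start-ADSyncSyncCycle call (an Azure AD Connect cmdlet, the successor of DirSync/WAADSync) are assumptions.

```powershell
# Added example, not from the original post. Assumes an on-premises Exchange
# Management Shell with the ActiveDirectory module loaded, a user object that is
# synchronized to Office 365, and the hypothetical address below.
$user        = 'Stacey Brown'
$newAddr     = 'stacey.brown@contoso.com'   # hypothetical address
$useExchange = $true                        # $false = write the AD attribute directly

# 0. Confirm the object really is synchronized (MSOnline module, run against
#    Office 365). A non-empty LastDirSyncTime means the Source of Authority is
#    on-premises AD and Set-Mailbox in Office 365 will fail with the error above.
# Get-MsolUser -SearchString $user | Select-Object DisplayName, LastDirSyncTime

if ($useExchange) {
    # 1. Supported route: Exchange Management Shell on-premises.
    #    In a hybrid deployment the cloud mailbox is a 'remote mailbox' on-premises;
    #    Exchange writes proxyAddresses in AD and validates the result for you.
    #    A lower-case 'smtp:' prefix adds a secondary (alias) address.
    Set-RemoteMailbox -Identity $user -EmailAddresses @{Add = "smtp:$newAddr"}

    #    To make the new address the primary one instead, switch off the e-mail
    #    address policy for this recipient first, otherwise the policy puts the
    #    old primary address back on the next policy update.
    Set-RemoteMailbox -Identity $user -EmailAddressPolicyEnabled $false
    Set-RemoteMailbox -Identity $user -PrimarySmtpAddress $newAddr
}
else {
    # 2. Unsupported route (what ADSIEdit / Attribute Editor do): write the
    #    attribute directly. Nothing validates the value, so check it yourself.
    $adUser = Get-ADUser -Filter "Name -eq '$user'" -Properties proxyAddresses

    #    Refuse to add an address that another recipient already owns; Exchange
    #    would have caught this, AD happily accepts the duplicate.
    $owner = Get-ADObject -Filter "proxyAddresses -eq 'smtp:$newAddr'"
    if ($owner -and $owner.DistinguishedName -ne $adUser.DistinguishedName) {
        throw "$newAddr is already in use by $($owner.DistinguishedName)"
    }

    Set-ADUser -Identity $adUser -Add @{proxyAddresses = "smtp:$newAddr"}

    #    Exactly one entry may carry the upper-case 'SMTP:' primary prefix.
    $proxies = (Get-ADUser -Identity $adUser -Properties proxyAddresses).proxyAddresses
    $primary = @($proxies | Where-Object { $_ -clike 'SMTP:*' })   # -clike: case-sensitive
    if ($primary.Count -ne 1) {
        throw "Expected exactly one primary SMTP: address, found $($primary.Count): $($proxies -join ', ')"
    }
}

# 3. Either way the change reaches Office 365 only with the next sync cycle.
#    Trigger a delta sync instead of waiting (Azure AD Connect cmdlet, assumed
#    here; DirSync/WAADSync installations use their own scheduler command).
Start-ADSyncSyncCycle -PolicyType Delta
```

The duplicate and single-primary checks in the second branch are the part that matters: the error in this post is Office 365 protecting the Source of Authority, but once you write proxyAddresses by hand there is nothing left protecting you from two objects claiming the same address or from a user with no (or two) primary addresses, and those mistakes only surface after the next sync as mail-flow problems in the cloud.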

More detail on this can be found in the Microsoft TechNet article How and when to decommission your on-premises Exchange servers in a hybrid deployment – https://technet.microsoft.com/en-us/library/dn931280%28v=exchg.150%29.aspx

A quote from this article:

The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk. Third-party management tools often work fine, but Microsoft does not validate these tools.

Fellow Exchange MVP Brian Reid has written a blog post on how to manage this in more detail: Creating Mailboxes in Office 365 When Using DirSync – http://www.c7solutions.com/2014/07/creating-mailboxes-in-office-365-when-using-dirsync

The best solution, however, is to keep an Exchange server on-premises for managing the accounts. It doesn't matter whether it's configured in a hybrid scenario or not, although hybrid makes life a bit easier.

11 thoughts on “The operation on mailbox failed because it’s out of the current user’s write scope”

  1. So what if all the users are in an on-premise AD and all the mailboxes are in Office 365? There is no Exchange on-premise server. The only way to go is using ADSIEdit or the Attribute Editor tab on the user object?

  2. Hi Jaap – I find it strange that the MS article you link clearly says : A quote from this article:

    The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported.

    But the blog post you link to further down clearly advises using ADSIEdit. Who is right?

    1. Hi Thomas,

      Using ADSIEdit is not supported by Microsoft, and according to Microsoft the only supported way is to install an Exchange server on-premises (you can use the free hybrid license to do this). But a lot of people do not install an Exchange server, and use ADSIEdit successfully to accomplish these tasks. Who is right? Both I guess, but when it comes to supportability only Microsoft is right I’m afraid.

  3. Hi Jaap – and another twist to that story: I recently migrated a Lotus customer, meaning users are DirSynced from AD but mailboxes are created in the cloud. This user cannot see the Office 365 mailboxes from the on-prem hybrid server (because they weren't migrated from on-prem) and therefore they actually only have the Attribute Editor or ADSIEdit to maintain proxyAddresses 🙂 Nice little "feature"

    1. What happens if you create a new user on-premises and execute the Enable-RemoteMailbox command on this user? This should give you better results. You can also do this for users that already have a mailbox in the cloud.

      1. Hi Jaap, thanks for your great articles. What is the advantage of setting up hybrid if all your mailboxes are in the cloud and you can – like you said – use Enable-RemoteMailbox even when you don’t have hybrid? (even though you can’t make shared mailboxes in this way). You can also use SMTP Relay on a server that is not hybrid right?

      2. In this specific scenario there are no real advantages. Yes, it’s easier to implement SMTP relay into company mailboxes from on-premises, and there’s always a way to off board mailboxes back to on-premises. You need an Exchange server on-premises for management purposes, but a hybrid configuration is not needed at this point.

  4. Hey Jaap, thank you for the article. This information hits home for us. We have AD with Azure AD DirSync but have never used Exchange on-prem. We need to make changes like 'msexchangehidefromaddresslists' so that a deprecated user account can be revived. However, we can't make that change in O365 and AD doesn't have the attribute. Could extending the AD schema with Office 2016 give us those missing attributes?
