Tag Archives: Exchange On-premises

Exchange, Exchange Hybrid

Exchange Hybrid strange calendar behavior and mail flow

Leave a comment

In a hybrid Exchange environment, mail flow is erratic, meetings are not always visible, and the Teams calendar does not match the calendar in Outlook. The user sends an email, and all recipients receive it. However, the sender does not always receive replies, sometimes resulting in a Non-Delivery Report (NDR). Another issue is that external users send emails to a user, but the user does not always receive the messages. Also, the calendar in Teams does not match the information shown in the Outlook calendar.

This issue occurs in a hybrid Exchange environment when this user accidentally has two mailboxes: one in the Exchange server and one in Exchange Online.

One account with two mailboxes? Yes, this is usually a result of a glitch in the provisioning. Let me explain what happens:

  • A user account is created in Active Directory and most of the time, the user is added to a security group used to assign licenses in Office 365.
  • When Entra Connect runs, the user account is synchronized with Entra ID, and a license is automatically assigned to the new account. As a result, a mailbox in Exchange Online is automatically and immediately created.
  • The last step is creating a mailbox on the Exchange server. The Exchange Server will gladly accept this since it does not know the mailbox in Exchange Online.

Outlook will then connect to the mailbox in Exchange on-premises. Depending on how the mail flow is configured, mail is sometimes delivered to the Exchange Online mailbox and sometimes to the Exchange server mailbox. Since the user’s Outlook is connected to the mailbox in the Exchange server, the user will never see items delivered to the Exchange Online mailbox.

In this situation, the Teams client shows the calendar information found in Exchange Online, while the user’s Outlook looks at the calendar information in Exchange on-premises. You can guess the results.

To fix this, the mailbox in Exchange Online must be removed and to do this, you can follow these instructions:

  • Remove the M365 license from the user, typically by removing the user account from the Security Group that’s used for licensing and wait for Entra Connect Sync to kick in and synchronize with Entra ID.
  • Open Exchange Online PowerShell and execute the following command:
    Get-User | Select name,Recipient
  • The property PreviousRecipientTypeDetails must have the value ‘MailUser’. If it contains the value ‘UserMailbox’ it means that the user has a mailbox in Exchange Online (which is not what we want in this situation)
  • Execute the following command:
    Set-User -PermanentlyClearPreviousMailboxInfo
  • This will permanently remove the mailbox in Exchange Online from the user (keep in mind that it also cannot be restored anymore!)
  • Wait for Entra Connect Sync to synchronize the latest attributes so that the account now becomes a mail-enabled account.
  • Assign the license again to the server, typically by adding the user again to the Security Group used for licensing.

The user now has a mailbox in Exchange on-premises, and this mailbox is represented as a mail-enabled user in Exchange Online.

As a side note: I’ve seen this happen also in a situation where Exchange is running on-premises and Entra Connect Sync is configured without the ‘Exchange Hybrid Deployment’ option as shown in the following screenshot:

If this is the case you can use the same procedure as outlined above.

Exchange Hybrid

Remove Exchange Hybrid Configuration

17 Comments

After decommissioning the Resource Forest I still have an Exchange 2016 environment on-premises, but all my mailboxes are in Office 365. Users are provisioned in Active Directory, Remote Mailboxes are provisioned in Exchange 2016 and everything is synchronized to Office 365 using Azure AD Connect.

Do I still need an Exchange Hybrid Configuration? Unless there are plans to move resources back to Exchange on-premises there’s no need for a Hybrid Configuration. To stay in a supported configuration, an Exchange server on-premises is still needed for management purposes, but only Azure AD Connect is needed and not a full hybrid configuration.

Note. If you want to use the on-premises Exchange server for SMTP relay purposes you don’t need the Hybrid configuration either. Just make sure you have a SMTP Send Connector that points to Exchange Online Protection and you’re good.

Removing the Hybrid configuration consists of the following steps:

  • Disable Autodiscover SCP in Exchange
  • Remove the Hybrid Configuration from Active Directory
  • Remove Connectors in Exchange Online
  • Remove the Organization Sharing from Exchange Online
  • Disable OAuth

Disable Autodiscover SCP in Exchange

When all Exchange resources are in Exchange Online you no longer need the on-premises Service Connection Points (SCP) for Autodiscover. But make sure you have the correct CNAME records for Autodiscover that point to Autodiscover.outlook.com.

To disable the SCP records in Active Directory, execute the following command in Exchange Management Shell:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

Remove the Hybrid Configuration from Active Directory

Removing the Hybrid Configuration from Active Directory is just one PowerShell command in Exchange Management Shell:

Remove-HybridConfiguration -Confirm:$false

There’s one pitfall here, this will also remove the outbound to Office 365 Send Connector from Exchange. If you want to keep SMTP relay from on-premises to your mailboxes in Exchange Online you have to manually recreate this connector (use yourdomain-com.mail.protection.outlook.com as a smarthost for this)

Remove Connectors in Exchange Online

In the Exchange Online Admin Center, remove the outbound SMTP connectors that point from Exchange Online to your on-premises Exchange organization. If you want to keep SMTP routing, keep the inbound SMTP connector, otherwise you can remove this as well.

Remove the Organization Sharing from Exchange Online
To remove the Hybrid Organization Sharing from Exchange Online navigate to Organization | Sharing in the Exchange Admin Center and remove the organization sharing.

Disable OAuth on-premises

When used before you can disable the OAuth configuration as well from Exchange on-premises and Exchange Online.

In Exchange on-premises Management Shell, execute the following command:

Get-intraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $False

And to do this in Exchange Online Management Shell, execute the following (same) command:

Get-IntraorganizationConnector | Set-IntraOrganizationConnector -Enabled $False

These are the steps needed to remove the Hybrid Configuration from your Exchange environment.

Note. Microsoft recommends to leave the Exchange Hybrid option in Azure AD Connect.

Summary

In this blogpost I explained how to remove the Hybrid Configuration from your Exchange environment after you have moved all resources to Exchange Online.

The on-premises Exchange server is still needed for management purposes. After removing the Hybrid Configuration you can still manage your recipient Exchange Online using the on-premises Exchange server, all changes are replicated through Azure Active Directory.

Is that last Exchange server on-premises still needed? Yes, you need it for managing your recipients in Exchange Online. When you have Azure AD Connect running in your environment, the objects are managed in on-premises Active Directory. The source of authority is Active Directory. As long as Microsoft hasn’t fixed the source of authority problem, an Exchange server on-premises is still needed.