This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Environment:
Hybrid with an older Exchange 2010 server.
AD server 2019 running AZURE AD CONNECT (latest version as of March 2022)
I've been adding new employees by creating a new account in AD and syncing with AZURE. No problems there.
Then I go into the Office 365 portal and assign Office for business licenses. A mailbox is then created and working no problem.
Recently, when using the Exchange Admin online, trying to add an alias to ANY mailbox or simply changing the REPLY to SMTP address, I am getting the error:
Error executing request. An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
This was uncovered when a user sent me an email and it came the onmicrosoft.com domain instead of the company domain. When I looked at the account, I tried to change the REPLY TO back to the default company email and got the error also.
Only 3 employees are effected by the "onmicrosoft.com" issue but I cannot add an alias email to ANY mailbox or change the primary email.
About 2/3 of the employees were migrated from the on premise Exchange server about a year ago and the rest created as mentioned above.
Checking the AD CONNECT LOGS, there are no errors at all when syncing and the online dashboards show no sync errors.
I then tried going into the users AD Properties on Premise and changed the PROXY ADDRESS ATTRIBUTE to change the default reply to SMPT:user@keyman .com. That syncs no problem and shows up in the portal as the primary address but when the user sends an email, it still comes from the onmicrosoft.com domain. I'm at a loss without any log errors to point me in the right direction. The syncing from on premise to online seems to be working fine otherwise.
Thank you
I'm having the exact same issue...
" Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration."
I keep seeing all the solutions referring to making the changes in your on-prem ecp..
However, there is no on-prem exchange server.. Only Microsoft 365 Hosted Exchange.
Any advice?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 55.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
seeing the exact same error on 2 tenants now. Something has changed with how microsoft does dirsync/hybrid setup. We used to be able to edit these attributes in EXO.
Im thinking it might be related to this:
Is there a way to turn off the dual-write feature?
I'm sure you already figured this out but for those just now reading these forums... don't forget that AD Sync pushes the attributes from AD to 365 so... if you no longer have an on-prem Exchange server, that's fine... use Active Directory's attribute editor like you did before Exchange started allowing these aliases added directly in the EAC. Jump into your domain controller, open ADUC and open the user. Click the Attribute Editor and add your aliases there. Once you're done, wait for AD to Sync to 365 on its own or use the ADSync service app to start a Delta Sync (you'll likely still have to wait about 10 minutes for things to appear on the 365 side). Your aliases will start to appear in the Active User's properties eventually. That error you see is actually quite smart of Microsoft... it prevents new data from more than one source, potentially corrupting the record since Microsoft has no way of knowing which info source wins in each situation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 41%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
I used Darth's suggestion which worked in my environment. The attribute to add the email aliases to is 'proxyAddresses' (which was blank), within my on-prem AD for the user connected with the shared mailbox. Thanks Darth.
Thanks, Darth. It worked!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 38%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi , Thank Darth's comments and Joe for pointing where to update the Alias, this just helped me today
For now, to be supported, yes. You have to have an Exch Server on-prem as long as you are using syncing to Azure from on-prem.
That will hopefully change one day:
https://learn.microsoft.com/en-us/exchange/decommission-on-premises-exchange
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 91%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
This is for a hybrid migration. We never had hybrid.
So, we used AAD and AD connect tool to create our users on Azure. We manually created the mailboxes on Exchange Online by applying the licenses. Initially, we had issues creating mailboxes because 'MSExchMailboxGUID' attribute was set to a vaule pointing to on-prem exchange. we created a new sync rule on AD connect to pass Null for 'msExchMailboxGUID' which allowed use to create mailboxes on Exchange Online. We have run this new sync rule only once and then disabled it. Now, with the new mailboxes created, we have manually exported and imported into exchange online. We never had a hybrid setup. Now, we want to add smtp address to any mailbox and I get that error.
Also, If I 'disable' a mailbox on Exchange On-prem, the smtp addresses are also removed from exchange online for the mailbox. Please suggest how do I add smtp addresses on Exchange Online.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 11%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
So you have an Exchange Server and Exchange Online but not Hybrid configuration? In this case it's probably best if you implement Hybrid since now both Exchange servers fight over the same objects in AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 66%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
A coworker found a way: remove user licenses, change the e-mail in local active directory, sync it to AAD, then re-enable the licenses.
If you have Hybrid Exchange configuration, manage accounts from Exchange Server. If you don't have Hybrid and only have AD plus Exchange Online, then manage accounts through AD.
Each user in AD has property "mail" which corresponds to primary address in Exchange Online. Changing this in AD and syncing with AD Connect, changes the primary address in Exchange Online.
If you want to add aliases to the mailbox in Exchange Online, you have to modify the property "proxyAddresses" in AD. It accepts multiple values, formatted this way :
smtp:secondaryAddress@Company portal .com
SMTP:primaryAddress@Company portal .com
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 46%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Hello @Martin Gospodinov @Andy David - MVP and all others,
a clarification regarding cutover (or O365 mboxes): once the cutover has been completed and AAD Synch (re)enabled and soft-matching has "fused" the relevant users properly, is it possible to somehow manage the Exchange Online attributes solely online without the On Prem server by additional attribute filtering or does the presence of AD Synch completely exclude this possibility? I know the official answer is still no as you need an on prem Exc Server just for this, but I am wondering this due to the following reasoning (plz bare with me):
if one never installed Exchange On Prem and has only O365 mailboxes and subsequently decides to enable AD Synch for management ease (password synch for ex. which is one of the most wanted things) and soft match the accounts (or even have a prior AD synch and then assign licenses to these accounts for O365), why would one not be able to administer the maibox properties solely online without a prior existing on prem Exchange? It appears that the moment one implements any kind of AD synch the on Prem AD is reputed "in charge" and synched accounts become read only online, even if there are no specific Exchange attributes present in the on prem AD schema.
So I wonder if it is possible maybe prior to the first AD Synch to implement specific attribute filters that will allow the administration of mailbox properties for synched accounts (such as additional SMTP addresses) through Exc online or does the AD Sync "enabling" automatically exclude this completely Azure side?
My impression was that due to a pre-existing On Prem Exchange the AD schema had been updated to support this and implement all the attributes needed by it and thus by synching accounts these attributes would be passed (if not filtered) over to Azure AD thus Exchange Online would not allow you to manage them as they "belong" to an On Prem Exchange and that for me was logical. However what isn't so logical is that if I never have extended the local AD schema with Exchange On Prem as I never have installed a local Exchange and I enable AAD Sync, there is no reason to why once I assign a license hence enable the online Exchange Mbox these attributes shouldn't be administered solely Online - they needn't be synched back to a local AD as with a hybrid setup as there is no local Exchange. If anyone can enlighten me on why MS has yet to accomplish this or what the issues are I would be grateful.
Instead of using the AD Sync provisioning Agent but going full blown AD Sync, a two way sync should be established and allow a "write back" of the edits from the Exch online management (which is what the OP error moans about) - is this an alternative?
Thanks!
It "used" to provide this function. But MS has a long history of breaking features or building GUI's that do nothing. For example, we had exchange 2016 running on-prem with the web-based ECP which could manage the users, however, if you wanted to add email aliases to a contact, there was a GUI built to do so, but when you attempted to use it, it would make no changes and you were forced to use a PS to manage them. The same here with the online ecp only with no local exchange. I "used" to be able to manage mailbox aliases from within the Exchange Online ECP, but now that no longer works for some reason, and the only way to manage it is to go into Active Directory Users & Computers, select the user, goto attribute editor, find proxyaddress in the long list, and manually a primary SMTP as well as any alias smtp's. Perform an Delta Sync, and then the aliases show up online...
I don't understand why they keep regressing and wasting time building GUI's that do nothing.
@Travis R
Yes, I hear you, I am at loss of words. I used to be able to manage a "sole Exc online but AD Synched" situation about 3 years ago (this client hardly needs any modifications to their users and they are a very small reality) and recently discovered that am no longer able to edit users' smtp addresses from the classic Exchange Online old GUI management receiveing the error you posted when trying. Dear dear. Yes I can "disable" synching but that would be a step back. The complete online management (with AAD Synch) was promised already years ago, but nada. It seems to me that the intention is to push the small realities to a mere online solution and only larger realities can afford a hybrid reality. It is certainly not a technical issue, but appears to be mere marketing strategy.
On a side note, you can do away with the complete AAD Synch solution (uninstall it) and go with the Agent based one (download it from the Azure AD Connect Cloud sync link from the portal) which is lighter as it moves all the SQLDB on cloud with certain restrictions such as becoming mono directional (which it is anyhow in our situation). This is the only "smart" solution I liked (it was in beta for a while) which provides some benefit. The local AD edits are push-synched in 2 minutes whenever you do them and you don't need to force sync all the 4 jobs that the full blown AAD synch has or wait at max the 30 minutes for it to trigger.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 40%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
If you have Hybrid Exchange configuration, manage accounts from Exchange Server. Untick "Automatically update email addresses based on the email address policy applied to this recipient".
It solved my issue.