autodiscover causing onprem mailbox to appear in Outlook even after permissions have been removed in hybrid Exchange 2016/365 environment

SB Admin 46 Reputation points
2022-06-07T15:12:35.033+00:00

I have an issue where for certain onprem mailboxes, even after a user (whose mailbox is on Exchange Online) has had their access removed, the mailbox still appears in Outlook (new profiles and different computers don't help). When looking at the msExchDelegateListLink attribute for the onprem mailbox, I see that the user is no longer listed; however, when running Outlook's test e-mail autoconfiguration, the autodiscover service still returns that mailbox in the <alternativeMailbox> section, which seems to be the issue. Looking at the Synchronization Service Manager shows the correct information for the msExchDelegateListLink; however, I noticed another attribute called cloudMSExchDelegateListLink (which does not exist in our AD and I can't find documentation online about it) that still lists the old user. I've tried re-adding the user, syncing to Azure AD, then removing the user, however that hasn't helped. I've also removed the mailbox from syncing so that it no longer shows up as a contact in Exchange Online, then synced it again, but the problem still persists. Our onprem environment is Exchange 2016 with CU22 and the Azure AD Connect service is 2.1.1.0. Any potential solutions for this issue? Thanks.

-Lance

Exchange | Hybrid management

Accepted answer
  1. Chris Hill 206 Reputation points
    2023-06-29T10:56:09.5033333+00:00

    We had this issue, and have managed to fix it like this:

    1 - Add the user who previously had permissions to the mailbox to the msExchDelegateListLink attribute on the on-premises shared mailbox manually using Set-ADUser (based on this support article, Scenario 2)

    Set-ADUser -Identity "<distinguishedName of on-premises shared mailbox>" -Add @{msExchDelegateListLink="<distinguishedName of user where mailbox is still appearing>"}
    

    2 - Perform an Azure AD Connect sync

    3 - Wait 15-20 minutes for the change to replicate from Azure AD to Exchange Online

    4 - Remove the user from msExchDelegateListLink once more

    Set-ADUser -Identity "<distinguishedName of on-premises shared mailbox>" -Remove @{msExchDelegateListLink="<distinguishedName of user where mailbox is still appearing>"}
    

    5 - Perform an Azure AD Connect Sync

    It seems that, according to the support article above, on-premises Exchange does not set or remove msExchDelegateListLink when adding/removing permissions for in-cloud mailboxes, so you have to do it manually, instead of the usual fix of adding & removing the permissions. I found that after a third Azure AD Connect sync beyond those above, the user's entry in the cloudMSExchDelegateListLink attribute was cleared as required, the user's AutoDiscover XML no longer returned the mailbox, and the extra mailbox disappeared from the user's Outlook.

    2 people found this answer helpful.
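The five steps of the accepted answer as one script, added here as an example rather than code from the answer or from Microsoft. It assumes the ActiveDirectory module is available, that it runs on the Azure AD Connect server (the ADSync module that provides Start-ADSyncSyncCycle is only installed there), and that the account running it can write msExchDelegateListLink on the shared mailbox object. The two UPNs, the 20-minute wait and the helper names Get-DelegateLinks and Invoke-DeltaSyncAndWait are constructed placeholders. It also adds the before/after check a practitioner would want, since the answer explains that the removal itself is what has to be synchronised.

```powershell
# Added example (not code from the answer above): re-add and then remove a stale
# msExchDelegateListLink value so that Azure AD Connect synchronises the removal
# to Exchange Online, following steps 1-5 of the accepted answer.
# Assumptions: ActiveDirectory module present, running on the Azure AD Connect
# server (ADSync module), write access to both objects. Identities are placeholders.

Import-Module ActiveDirectory
Import-Module ADSync

$SharedMailboxUpn = 'shared-example@contoso.example'   # on-premises shared mailbox (placeholder)
$DelegateUpn      = 'jdoe@contoso.example'             # cloud user whose Outlook still shows it (placeholder)
$ReplicationWait  = New-TimeSpan -Minutes 20            # the answer suggests 15-20 minutes

function Get-DelegateLinks {
    param([string]$MailboxDn)
    # msExchDelegateListLink is a multi-valued DN attribute; always return it as an array.
    $obj = Get-ADObject -Identity $MailboxDn -Properties msExchDelegateListLink
    return @($obj.msExchDelegateListLink)
}

function Invoke-DeltaSyncAndWait {
    param([timespan]$Wait)
    # Request a delta sync and give Exchange Online time to pick up the new value.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Write-Host "Delta sync requested; waiting $($Wait.TotalMinutes) minutes for replication."
    Start-Sleep -Seconds $Wait.TotalSeconds
}

# Linked attributes take distinguished names, not UPNs, so resolve both objects first.
$mailboxDn  = (Get-ADUser -Filter "UserPrincipalName -eq '$SharedMailboxUpn'").DistinguishedName
$delegateDn = (Get-ADUser -Filter "UserPrincipalName -eq '$DelegateUpn'").DistinguishedName
if (-not $mailboxDn -or -not $delegateDn) {
    throw 'Could not resolve one of the accounts to a distinguished name.'
}

Write-Host "Before: $((Get-DelegateLinks $mailboxDn) -join '; ')"

# Step 1: put the delegate back so there is a value to synchronise.
if ((Get-DelegateLinks $mailboxDn) -notcontains $delegateDn) {
    Set-ADUser -Identity $mailboxDn -Add @{msExchDelegateListLink = $delegateDn}
}

# Steps 2 and 3: sync and wait.
Invoke-DeltaSyncAndWait -Wait $ReplicationWait

# Step 4: remove the delegate again; this removal is what gets synchronised.
Set-ADUser -Identity $mailboxDn -Remove @{msExchDelegateListLink = $delegateDn}

# Step 5: sync once more.
Invoke-DeltaSyncAndWait -Wait $ReplicationWait

# Verify on-premises. The answer notes that a further sync may be needed before
# the cloudMSExchDelegateListLink value in the metaverse is cleared.
$after = Get-DelegateLinks $mailboxDn
if ($after -contains $delegateDn) {
    Write-Warning "$DelegateUpn is still linked to $SharedMailboxUpn on-premises."
} else {
    Write-Host "On-premises link removed. Confirm with Outlook's Test E-mail AutoConfiguration that the shared mailbox is no longer listed under AlternativeMailbox."
}
```

Run it from an elevated PowerShell session on the Azure AD Connect server; if the server is not the one you administer AD from, replace the two Start-ADSyncSyncCycle calls with Invoke-Command against that server. The waits are deliberately long because the change has to travel through Azure AD to Exchange Online before the second edit is meaningful.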

5 additional answers

  1. Joyce Shen - MSFT 16,701 Reputation points
    2022-06-08T01:47:27.747+00:00

    Hi @SB Admin

    I would like to confirm: do you mean that automapping still works and the mailbox still shows in the Outlook of the user who used to have full access permission for it? And are you able to access the mailbox after removing the permission?

    If that's the case, the scenario is just like the discussion in this link: Mailbox still visible in Outlook after removing permission
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    We will still need to remove the automapping for the mailbox to resolve this issue:

    Add-MailboxPermission -Identity "******@exoip.com" -User "******@exoip.com" -AccessRights FullAccess -AutoMapping $false  
    Remove-MailboxPermission -Identity "******@exoip.com" -User "******@exoip.com" -AccessRights FullAccess  
    

    After performing the steps above, wait up to an hour for it to take effect.

    And if I have any misunderstanding about your question, please correct me.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. SB Admin 46 Reputation points
    2022-06-08T16:23:04.547+00:00

    Thanks for the information, I tried the steps but unfortunately that did not resolve the issue. When looking at the shared mailbox onprem, I don't see the user listed when looking at the msExchDelegateListLink attribute, and the user is not listed when running Get-MailboxPermission -Identity sharedmailbox. The user cannot open the mailbox; however, when doing "Test E-mail AutoConfiguration", the XML tab still lists the shared mailbox under the AlternativeMailbox tag. The only clue I have is that the user is still listed when viewing the cloudMSExchDelegateListLink attribute, which I can only seem to view when looking at the Metaverse Object Properties for the shared mailbox under the Synchronization Service Manager. Let me know if there is something else that I can try. In addition, is there any way to directly modify the cloudMSExchDelegateListLink attribute in Azure AD? Thanks.

    -Lance


  3. Kossert, Jörn 1 Reputation point
    2022-09-14T13:25:53.837+00:00

    I can confirm the behavior. We have exactly the same behavior at one of our customers. Autodiscover returns the mailbox as an alternate mailbox for a mailbox even though the user no longer has access to that mailbox.
    msexchDelegateLinkList and msexchDelegateLinkListBL are clean but in cloudMSExchDelegateListLink the incorrect mailbox is still there.


  4. SB Admin 46 Reputation points
    2022-10-25T21:03:50.923+00:00

    Any other ideas? We still see some objects where the cloudMSExchDelegateListLink is holding outdated values (no sync errors, and other attributes sync just fine), which is causing automapping issues.

    -Lance
