Scenario: Adding Azure AD Connect to an existing AD domain with existing MS365 cloud-only mailboxes. AADC and EX2016 Management Server are set up with Minimal Hybrid Exchange, and everything is working with test accounts created in EAC as remote mailboxes. However, once AAD syncs an existing AD account to AAD and soft-matches it, SSO will work, but the remote mailbox is not visible in on-prem EAC until the user account is AD-Enabled. I had hoped to do something like this in Exchange Management Shell: Get-User -OrganizationalUnit "OU=AAD.Sync,OU=Users,DC=[REDACTED],DC=Local" | Enable-RemoteMailbox -RemoteRoutingAddress $_.userPrincipalName But I get this output: The address '@redacted.mail.onmicrosoft.com' is invalid: "@redacted.mail.onmicrosoft.com" isn't a valid SMTP address. The domain name can't contain spaces and it has to have a prefix and a suffix, such as example.com. + CategoryInfo : NotSpecified: (:) [Enable-RemoteMailbox], DataValidationException + FullyQualifiedErrorId : [Server=REDACTED,RequestId=980e059c-1250-4de3-9b3d-27964d9cd9b1,TimeStamp=12/15/2021 11:12:18 PM] [FailureCategory=Cmdlet-DataValidationException] EFF760F5,Microsoft.Exchange.Management.RecipientTask s.EnableRemoteMailbox + PSComputerName : redacted.redacted.local So I feel like I'm close...I'm just not getting the UPN; I'm getting only the tenancy name. I haven't figured out from the Get-User documentation how to find out how to get the userPrincipalName attribute. I know I will also need to deal with the ExchangeGUID but haven't gotten that far yet! This will at least make the remote mailboxes manageable in EAC.

@JRV I don't quite understand what you are going to do. But, from the script that you provided, I guess you want to enable remote mailboxes for AD accounts which contained in a specific OU, if so, you could try with the script below: $users = Get-User -OrganizationalUnit "domain.com/ToOnline" ForEach($user in $users){ $address = $user.Name+"@contoso.mail.onmicrosoft.com" Enable-RemoteMailbox $user.Name -RemoteRoutingAddress $address } If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Exchange PowerShell to mail-enable AD accounts

Accepted answer

KyleXu-MSFT 26,211 Reputation points

2021-12-16T06:48:47.443+00:00
@JRV

I don't quite understand what you are going to do. But, from the script that you provided, I guess you want to enable remote mailboxes for AD accounts which contained in a specific OU, if so, you could try with the script below:

$users = Get-User -OrganizationalUnit "domain.com/ToOnline" ForEach($user in $users){ $address = $user.Name+"@contoso.mail.onmicrosoft.com" Enable-RemoteMailbox $user.Name -RemoteRoutingAddress $address }

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
JRV 546 Reputation points

2021-12-16T20:41:34.46+00:00

This looks good, KyleXu, thanks! I will try it on my next visit.

Contrary to LuDai's tag removal, this is very much related to MS365. If it wasn't for MS365, I wouldn't be doing this. But tag or no, I got an answer.

The existing tenancy was set up without Azure AD Connect. I've added it now. But because the AD accounts were not created through on-prem EAC, and in fact were created before EAC or AAD Connect were even present, they are not mail-enabled user accounts. On-prem EAC will only display remote mailboxes where the AD user accounts are mail-enabled. Even after AAD Connect first syncs the AD accounts and soft-matches them to the AAD accounts.

Once they're mail-enabled, they'll show up in on-prem EAC, and the mailboxes can then be managed. At this point, that's what this script will do.

The final step in making these AD accounts match remote mailboxes created through EAC is to add the mailboxGUID from AAD. I think I've mostly puzzled that out but will be back if I have further questions.

KyleXu-MSFT 26,211 Reputation points

2021-12-17T09:43:58.1+00:00

About this one, I would suggest you try to enable remote mailbox for one of AD account first.

If it could make you connect mailbox successfully and manage Office 365 mailbox from Exchange on-premises successfully. Then try to use that script for users in batch.

JRV 546 Reputation points

2021-12-17T14:12:38.94+00:00

Definitely. I tested on a test user a while ago. I know it works. Just need a way to do it quickly for all the mailboxes when I go live. And it will also be handy for new users created in ADU&C instead of EAC.

Thanks!

JRV 546 Reputation points

2021-12-23T21:28:03.967+00:00

Finally got back to this client and tested your script. Almost worked!

$User.Name is the display name, for example, "Test User". So the generated UPN is "Test User@tenancy.mail.onmicrosoft.com", which is invalid.

I tried $User.sAMAccountName, and that worked...but only because the SAM account name is "testuser" and the UPN is "testuser@tenancy.onmicrosoft.com". But that's risky, because it's not required that the SAM account name and UPN prefix be the same. And, indeed, in our AD, we have a few that differ.

Then I tried $User.userPrincipalName. You'll recall from my initial post that this property returned "@redacted.mail.onmicrosoft.com" as the UPN in my one-liner. I do not know why. Used in your script, it returns the correct UPN as expected. However, the resulting remote mailbox in on-prem EAC shows only the primary SMTP address and the x500 address, but not the "@onmicrosoft.com" address. While the UPN would appear to be the best possible identifier, we need to see ALL the SMTP addresses. Evidently we must use the @redacted.mail.onmicrosoft.com address to achieve that.

So I parsed the prefix out of the UPN property and used that to build the email address, making the script as follows:

ForEach($user in $users){ $address = $user.userPrincipalName.Split("@")[0]+"@cheyennecentercom.mail.onmicrosoft.com" Enable-RemoteMailbox $user.Name -RemoteRoutingAddress $address }

That should be robust.

JRV 546 Reputation points

2021-12-23T21:29:41.233+00:00

The final (probably) script adds provisions for setting the Exchange GUID from a CSV file exported from Exchange Online on a different computer and copied to the script folder. (The EX2016 server is a WS2012R2/PowerShell v4 machine that probably doesn't have much longer to live...avoiding the PS upgrade)--

$users = Get-User -OrganizationalUnit "redacted.Local/redacted/Users/AAD.Sync" $exchangeGUIDsFile = $PSScriptRoot+'\ExchangeGUIDs.csv' $exchangeGUIDsExists = Test-Path ( $exchangeGUIDsFile ) If ( $exchangeGUIDsExists ) { $exchangeGUIDs = Import-CSV $exchangeGUIDsFile } Else { Write-Warning "Remote mailboxes will be made AD Mail Users, but skipping setting ExchangeGUID because $exchangeGUIDsFile not found. Run Get-ExchangeGUIDs.ps1 on a Windows 10+ PC to generate the file and put it in this folder, then re-run this script." } ForEach($user in $users){ If ($user.RecipientType -ne 'MailUser') { $address = $user.userPrincipalName.Split("@")[0]+"@redacted.mail.onmicrosoft.com" Enable-RemoteMailbox $user.Name -RemoteRoutingAddress $address } $user2 = Get-User $user If ( $exchangeGUIDsExists -and $user2.RecipientType -eq 'MailUser' ) { $guid = $exchangeGUIDs.Where({[string]$_.Name -eq $user2.Name}).ExchangeGUID Set-RemoteMailbox $user2.Name -ExchangeGUID $guid } }

JRV 546 Reputation points

2021-12-23T21:36:56.693+00:00

Oh, yeah, one more thing. This script will generate the CSV file. I run it on my Windows 10 machine.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$path = [Environment]::GetFolderPath('Desktop')+'\ExchangeGUIDs.csv'
Get-Mailbox | Select-Object -Property Name,ExchangeGuid | Export-Csv $path -NoTypeInformation
Disconnect-ExchangeOnline

KyleXu-MSFT 26,211 Reputation points

2021-12-24T01:16:53.503+00:00

$user.userPrincipalName.Split("@")[0]+"@keyman .mail.onmicrosoft.com"

Gald to see it works. In my lab, there only exists one word for test users name, so I don't notice that one. Thanks for your update.
Sign in to comment

Exchange PowerShell to mail-enable AD accounts

0 additional answers