Recently I noticed a strange behavior with Exchange Classic Full Hybrid for users who are synced to Office 365 and still have their mailbox in Exchange on-premises.

In the past, when you assigned an Office 365 license that includes an Exchange Online plan, such as E3 or E5, to a user who already had an on-premises mailbox and whose ExchangeGUID was successfully synced to Office 365 (Azure AD and Exchange Online), the following completely valid and reasonable status message appeared under the Mail tab for this user in the Office 365 web portal after the license was assigned.

This user’s on-premises mailbox hasn’t been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed.

And that’s exactly what I expected and want to see in this case.

Since about the beginning of March 2021, however, you will see the following strange and simply wrong message instead, even though the mailbox for these users will never be prepared and provisioned in Exchange Online.

We are preparing a mailbox for the user.

Thank God Exchange Online is still aware that the user has an on-premises mailbox and therefore does not provision an Exchange Online mailbox; otherwise the user would end up with duplicate mailboxes.

As I encountered this new behavior in both my lab and my production environment, I opened a case with Microsoft to clarify whether this new message is now expected in such cases or whether something is wrong. I also didn't encounter any issues; everything works fine as expected in both environments. The mailboxes aren't actually created or duplicated, and moving mailboxes from on-premises to Exchange Online and back using the MRS Proxy works fine.

Microsoft replied to this case and told me that they also get the same behavior in their lab environment after assigning an Office 365 license to an on-premises mailbox user account, even when they unticked the Exchange Online Plan app while assigning the license.

So according to Microsoft this is now, or at least 🙂 at the moment, expected behavior, but unfortunately it is so far documented nowhere.

If I get some documented information in the future, I will come back and post an update.

Below is some information about how this all works under the hood and in which cases the mailbox could, after all, be duplicated and wrongly provisioned.

Duplicate Exchange Online and Exchange Server Mailboxes

When Active Directory is synced to Azure Active Directory, the ExchangeGUID attribute for the on-premises user is synced to the cloud (assuming that you have not done a limited attribute sync and excluded the Exchange attributes from syncing to AAD – as syncing the attributes is required for Exchange Online hybrid). Exchange Online though does not read attributes from Azure Active Directory. Exchange Online reads its attributes from the Exchange Online Directory Service (EXODS). The Exchange Online directory takes a sync of information relating to Exchange from Azure Active Directory (Azure AD), which is known as forward sync. This ensures that the ExchangeGUID attribute from the on-premises mailbox is synced into Exchange Online for your tenant.

When a user is given an Exchange Online license, it becomes the job of Exchange Online to provision a mailbox for this user. When Exchange Online needs to provision a new mailbox, it will not do so where the ExchangeGUID attribute already exists. The existence of this attribute tells the provisioning process that the mailbox already exists on-premises and may be migrated here later and so not to create a conflicting mailbox. A cloud user who does not have an ExchangeGUID attribute synced from on-premises will get a mailbox created by the Exchange Online provisioning process upon a license being assigned, and on-premises users that do not have a mailbox on-premises (who also have no ExchangeGUID attribute) will also find that granting them an Exchange Online license will trigger the creation of a mailbox for them. Note that this last option will create a mailbox in the cloud – but all the attribute management of this mailbox must be done on-premises, as the object syncs from on-premises and so that is the source of the object.

Therefore avoid licensing synced objects that do not have a mailbox or remote mailbox on-premises (see my session on this at Microsoft Ignite 2018, “THR2145 – Why do we need to keep an Exchange Server on-premises when we move to the cloud?”).

The above is what happens in most cases – the user on-premises has an ExchangeGUID value, that is synced to the cloud, and then the user is licensed and a second mailbox is not created. But there is an edge case where an on-premises user with a mailbox (and who therefore has the ExchangeGUID attribute populated) will also get a mailbox in Exchange Online. This happens where the organization manually created cloud mailboxes before enabling AADConnect to sync the directories, and these cloud users match the on-premises user by UserPrincipalName or primary SMTP address.

# Checking if the ExchangeGUID is synced successfully to Exchange Online

# Connect to Exchange Online (Exchange Online PowerShell module)
$credential = Get-Credential
Connect-ExchangeOnline -Credential $credential -ShowProgress $true

# Replace <UserPrincipalName> with the UPN or primary SMTP address of the synced user
Get-Recipient -Identity <UserPrincipalName> | Format-List Exch*

# Only the name and the synced ExchangeGuid; an all-zero GUID means nothing was synced
Get-Recipient -Identity <UserPrincipalName> | Format-List Name, ExchangeGuid

# Recipient type, previous type and license (SKU) information for the same user
Get-User -Identity <UserPrincipalName> | Format-List Name, RecipientType, PreviousRecipientTypeDetails, *SKU*

The Exchange hybrid deployment checkbox in Azure AD Connect will sync a specific set of attributes from Azure AD back into your on-premises environment.

So this checkbox enables writeback of the attributes listed below.

Exchange hybrid writeback

These attributes are written back from Azure AD to on-premises Active Directory when you select to enable Exchange hybrid. Depending on your Exchange version, fewer attributes might be synchronized.

Azure AD Connect sync: Attributes synchronized to Azure Active Directory

A common question is what is the list of minimum attributes to synchronize. The default and recommended approach is to keep the default attributes so a full GAL (Global Address List) can be constructed in the cloud and to get all features in Microsoft 365 workloads.

Attributes to synchronize (Exchange Online): msExchMailboxGuid, synced by default

By default, the msExchMailboxGuid attribute is synced from on-premises to Office 365 and Exchange Online.

Understanding Mailbox GUIDs

The mailbox globally unique identifier (GUID) is the most fundamental attribute of a Microsoft® Exchange Server mailbox. The value of this attribute is set in the database as the mailbox is created, and it remains the same for the lifetime of the mailbox. The mailbox GUID is designated in the msExchMailboxGUID attribute for each mailbox-enabled Active Directory® directory service account.

On-premises mailboxes show up under Contacts with the contact type MailUser.

Determine if the Mailbox is homed in on-premises or in Exchange Online (Office 365)

# Connect to Exchange Online (Exchange Online PowerShell module)
$credential = Get-Credential
Connect-ExchangeOnline -Credential $credential -ShowProgress $true

# Replace <UserPrincipalName> with the UPN or primary SMTP address of the user
Get-Recipient -Identity <UserPrincipalName> | Select-Object Name, RecipientType

# Recipient Type
# UserMailbox -> Mailboxes that have been migrated to Exchange Online
# MailUser -> Mailboxes homed in on-premises
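Putting the two pieces together (the ExchangeGUID provisioning rule from the section on duplicate mailboxes and the RecipientType check above), here is an added example, not code from the original post, that classifies Exchange Online recipients against the on-premises mailbox list in one pass. It assumes the real output property names of on-premises Get-Mailbox, of Get-Recipient in EXO (including IsDirSynced) and the SKUAssigned flag of Get-User; all sample objects are constructed.

```powershell
# Added example (not code from the original post): compare the on-premises mailbox list
# with Exchange Online recipients to classify each user into the states discussed above.
# Real input: on-premises  Get-Mailbox | Select-Object PrimarySmtpAddress, ExchangeGuid
# and in EXO  Get-Recipient | Select-Object PrimarySmtpAddress, RecipientType, ExchangeGuid, IsDirSynced
# joined with the SKUAssigned flag from Get-User. The sample objects below are constructed.
function Get-HybridMailboxState {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremMailboxes,
        [Parameter(Mandatory)] [object[]] $CloudRecipients
    )
    # Index on-premises mailboxes by primary SMTP address (one of the soft-match keys)
    $onPrem = @{}
    foreach ($m in $OnPremMailboxes) { $onPrem[$m.PrimarySmtpAddress.ToString().ToLower()] = [guid]$m.ExchangeGuid }
    foreach ($r in $CloudRecipients) {
        $smtp = $r.PrimarySmtpAddress.ToString().ToLower()
        $guid = [guid]$r.ExchangeGuid
        $state = if (-not $onPrem.ContainsKey($smtp)) {
            if ($r.IsDirSynced -and $guid -eq [guid]::Empty -and $r.SKUAssigned) {
                'LicensedSyncedUserWithoutOnPremMailbox'   # EXO provisions a mailbox that must then be managed on-premises
            } elseif ($r.IsDirSynced) { 'SyncedNoMailbox' } else { 'CloudOnly' }
        } elseif ($r.RecipientType -eq 'MailUser' -and $guid -eq $onPrem[$smtp]) {
            'OnPremNotMigrated'        # GUID synced, provisioning correctly skipped (the "preparing a mailbox" case)
        } elseif ($r.RecipientType -eq 'UserMailbox' -and $guid -eq $onPrem[$smtp]) {
            'Migrated'                 # same GUID on both sides: moved via the MRS proxy
        } elseif ($r.RecipientType -eq 'UserMailbox') {
            'DuplicateMailbox'         # cloud mailbox with a different GUID: the pre-AADConnect edge case
        } else {
            'GuidMissingOrMismatched'  # MailUser whose ExchangeGuid does not match on-premises: check attribute sync
        }
        [pscustomobject]@{ PrimarySmtpAddress = $smtp; RecipientType = $r.RecipientType; State = $state }
    }
}

# Constructed sample data, not real tenant output
$onPremSample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'; ExchangeGuid = '1f1e7b60-0d7b-4d3c-9a6f-0b4a3a5c1a01' }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';   ExchangeGuid = '2a9c8d71-4c2e-4f11-b0d2-6c1e0f7d2b02' }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@contoso.example'; ExchangeGuid = '3b0d9e82-5d3f-4a22-c1e3-7d2f1a8e3c03' }
)
$cloudSample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'; RecipientType = 'MailUser';    ExchangeGuid = '1f1e7b60-0d7b-4d3c-9a6f-0b4a3a5c1a01'; IsDirSynced = $true;  SKUAssigned = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';   RecipientType = 'UserMailbox'; ExchangeGuid = '9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c04'; IsDirSynced = $true;  SKUAssigned = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@contoso.example'; RecipientType = 'UserMailbox'; ExchangeGuid = '3b0d9e82-5d3f-4a22-c1e3-7d2f1a8e3c03'; IsDirSynced = $true;  SKUAssigned = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'dave@contoso.example';  RecipientType = 'MailUser';    ExchangeGuid = [guid]::Empty;                           IsDirSynced = $true;  SKUAssigned = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'erin@contoso.example';  RecipientType = 'UserMailbox'; ExchangeGuid = '4c1eaf93-6e40-4b33-d2f4-8e3a2b9f4d05'; IsDirSynced = $false; SKUAssigned = $true }
)
Get-HybridMailboxState -OnPremMailboxes $onPremSample -CloudRecipients $cloudSample | Format-Table -AutoSize
```

With the sample data, alice reports OnPremNotMigrated (the situation this post is about), bob DuplicateMailbox, carol Migrated, dave LicensedSyncedUserWithoutOnPremMailbox and erin CloudOnly.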


Azure AD Connect sync: Attributes synchronized to Azure Active Directory

Duplicate Exchange Online and Exchange Server Mailboxes

Understanding Mailbox GUIDs