Shared mailboxes permissions fail since changing primary SMTP of users
Posted by yackim@reddit | sysadmin | 5 comments
Hello all,
We obtained a new domain name, where we need to change over a lot of user accounts linked to atOldDomain.com to atNewDomain.com. We did the first step of changing their mail address on their AD object, and also changed their primary SMTP to atNewDomain.com.
We have not changed or touched the UPN field yet because we need to test this first to see the impact.
Now the thing is that users that are changed to atNewDomain.com are losing rights on shared mailboxes, which seem to still have their atOldDomain.com address linked under the delegation tab. We need to manually remove those users and re-add them with their atNewDomain.com account to reactivate the rights.
Why does this not happen automatically? Because they are still one and the same object, I don't see why this is happening. Can this be because their UPN is still not updated to the new domain? And that the shared mailbox permissions are actually linked to the UPN in one way or another? But then I would expect that after unlinking and relinking the delegation, users would still appear as atOldDomain.com in the list, which they don't.
I appreciate all feedback.
purplemonkeymad@reddit
Are you sure they are the same account, and there is nothing in the Deleted Users in the admin centre? Sync should be using an immutable ID so that changes to things like email and UPN do not create new objects. Have you got your source anchor set to something that is not objectGUID/ms-DS-ConsistencyGuid?
yackim@reddit (OP)
Nope, no deleted users. Which makes sense since I've only changed the primary mail address and NOT the UPN (and even then it should still be the same object). I checked the source anchor and it is the default setting objectGUID/ms-DS-ConsistencyGuid that is used.
Can it be an Exchange Online issue that it links the UPN one way or another when adding delegations to a mailbox and sort of caches it?
purplemonkeymad@reddit
As far as I know Exchange has always used SIDs for stuff like permissions (since it's built on AD). Which rights are getting removed? Mailbox full access permissions or sender permissions?
I've had sender permissions removed when moving the mailboxes from on-prem to online, but only when the target shared mailbox is moved, never the delegates.
tectail@reddit
Taking a guess as we do not have all the info. It is possible that your AD accounts are soft-linked to Azure AD accounts instead of hard-linked. It is actually creating new Azure AD accounts for these users and just porting over data.
I would check deleted users to see if there are a ton of accounts in there, or check to see if the old names still show up in Azure AD somewhere.
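The two checks raised in the replies above (which permission type is actually being dropped, and whether the delegate is still one directory object rather than a re-created one) can be done from Exchange Online and Graph PowerShell. The script below is an added example and is not from any poster in this thread; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and already connected, and the two addresses are placeholders to replace with your own.

```powershell
# Added diagnostic example (not from the thread). Assumes you have already run:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes "User.Read.All"
# Placeholder identities (assumed; replace with real ones).
$SharedMailbox = 'shared-placeholder@atNewDomain.com'
$Delegate      = 'user-placeholder@atNewDomain.com'

# 1. List both permission types on the shared mailbox, skipping inherited and
#    built-in entries, so you can see which of the two is actually being lost.
$fullAccess = Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object @{ n = 'Trustee'; e = { $_.User } }, @{ n = 'Type'; e = { 'FullAccess' } }, AccessRights

$sendAs = Get-RecipientPermission -Identity $SharedMailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, @{ n = 'Type'; e = { 'SendAs' } }, AccessRights

$entries = @($fullAccess) + @($sendAs)

# 2. Resolve every trustee back to a recipient. An entry that no longer resolves
#    (for example one displayed as a raw SID) is a stale ACE pointing at an object
#    Exchange can no longer match, which is the symptom described in the post.
$report = foreach ($e in $entries) {
    $r = Get-Recipient -Identity $e.Trustee -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Type        = $e.Type
        Trustee     = $e.Trustee
        Resolved    = [bool]$r
        PrimarySmtp = $r.PrimarySmtpAddress
        ObjectId    = $r.ExternalDirectoryObjectId
    }
}
$report | Format-Table -AutoSize

# 3. Confirm the delegate is still one object: the cloud user's immutable ID should
#    decode to the on-prem objectGUID / ms-DS-ConsistencyGuid, and no soft-deleted
#    mailbox should exist for the old address (which would indicate re-creation).
$mbx    = Get-Mailbox -Identity $Delegate
$mgUser = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
    -Property Id, UserPrincipalName, Mail, OnPremisesImmutableId

$sourceAnchorGuid = $null
if ($mgUser.OnPremisesImmutableId) {
    # Immutable ID is the base64 form of the 16-byte source anchor GUID.
    $sourceAnchorGuid = [guid][Convert]::FromBase64String($mgUser.OnPremisesImmutableId)
}

[pscustomobject]@{
    UPN              = $mgUser.UserPrincipalName
    Mail             = $mgUser.Mail
    PrimarySmtp      = $mbx.PrimarySmtpAddress
    CloudObjectId    = $mgUser.Id
    ImmutableId      = $mgUser.OnPremisesImmutableId
    SourceAnchorGuid = $sourceAnchorGuid
} | Format-List

Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses -like '*@atOldDomain.com' } |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted
```

Compare SourceAnchorGuid with the objectGUID of the on-prem AD user (for example via `Get-ADUser -Identity <sam> -Properties objectGUID`); if they match and nothing is listed as soft-deleted, the account has not been re-created and the unresolved trustees in step 2 point at stale permission entries rather than at a second object.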
yackim@reddit (OP)
Yeah, sorry, forgot to mention we have a hybrid environment with a sync to Azure.