Symptoms
An Exchange Online mailbox is not provisioned in Azure Active Directory (Azure AD) Connect.
Resolution
There are two Windows Azure Active Directory modules to administer Azure AD through PowerShell. Both are supported currently.
- MSOL: For more information about the MSOL module, see the following articles: Install-Module MSOnline and Connect-MsolService.
- AzureAD: For more information about the AzureAD module, see the following articles: Install-Module AzureAD and Connect-AzureAD.
To fix this issue, follow these steps:
- Confirm that the object exists in Azure AD by using the Azure AD PowerShell module. A UsageLocation parameter is required and has to be populated. For example, run the following cmdlet:

      Get-MsolUser -UserPrincipalName <UserPrincipalName or DisplayName> | fl ValidationStatus,UsageLocation,*error*

  Note: The ValidationStatus parameter is only viewable by using the Get-MsolUser cmdlet.
  If the ValidationStatus parameter value is not healthy, the following Microsoft Knowledge Base article may help you identify more detailed information about the error:
  2741233 You see validation errors for users in the Office 365 portal or in the Azure Active Directory Module for Windows PowerShell
- If the object is not present in Azure AD, make sure that the object is in scope of Azure AD Connect.
- If the object is present in Azure AD, confirm that the object is present in Exchange by using the Get-User cmdlet.
  If there is no result, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online. This request must be made by using the ObjectId parameter. The ObjectId parameter value can be found in Azure AD. (It will be in the form of XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.) For example, run one of the following cmdlets:

      Get-MsolUser -UserPrincipalName <UserPrincipalName or DisplayName> | fl ObjectId
      Get-AzureADUser -SearchString <UserPrincipalName or DisplayName> | fl ObjectId

- If a user is not present, review a source AD dump to verify that the values of the UserPrincipalName and mailNickname attributes are populated.
- If the UserPrincipalName attribute value is set, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online by using the UserPrincipalName attribute. Provide this value, as it may differ from your PrimarySMTPAddress attribute value.
- Check for DirSync errors. To do this, refer to the following support articles:
    Identify directory synchronization errors in Office 365
    Identifying DirSync provisioning errors in Office 365
  For more information about how to troubleshoot, see the following articles:
    Troubleshooting errors during synchronization
    Troubleshoot an object that is not synchronizing to Azure AD
- If there is a conflict with another object but that object can't be found in your on-premises Active Directory, confirm that there isn't a cloud-only object that is causing the problem.
  You can do this in several ways. Select Users -> Guest Users in the Admin Portal, or view the properties in the Sync Error details in the Admin Portal. If it shows Source Anchor as blank and the Source of authority is Cloud, this is a Guest user. The object should be removed or updated to reduce the conflict with a syncing object. Finally, you can also check this by using the following cmdlet in PowerShell:

      Get-MsolUser -UserPrincipalName John@contoso.com | fl UserType,ImmutableId

  The result resembles the following:

      UserType    : Guest
      ImmutableId :
- Confirm that there is a license assigned to the user in Azure AD. This can be checked in Azure AD and in Exchange Online. For example:

  Azure AD

      Get-MsolUser -UserPrincipalName <UserPrincipalName or DisplayName> | fl *license*
      Get-AzureADUser -ObjectId <UserPrincipalName or DisplayName> | fl *license*

  Exchange Online

      Get-Recipient <UserPrincipalName or DisplayName> | fl SkuAssigned
- Determine whether there is a mailbox in a soft-deleted or inactive state. To do this, run the following cmdlets:

  Soft-deleted

      Get-Mailbox -SoftDeletedMailbox <UserPrincipalName or DisplayName>

  If the mailbox is soft-deleted, it’s recoverable within 30 days by moving the AD account back into scope or restoring content by using the New-MailboxRestoreRequest cmdlet. For more information, see Delete or restore user mailboxes in Exchange Online.

  Inactive

      Get-Mailbox -InactiveMailboxOnly <UserPrincipalName or DisplayName>

  If the mailbox is inactive, see Recover an inactive mailbox in Exchange Online.
- If you make a change to correct a sync error and the issue is still not resolved, ask Microsoft to submit the object for a forward sync from Azure AD to Exchange Online by using the UserPrincipalName attribute. Please provide this value as it may differ from your PrimarySMTPAddress attribute value. Provide the Azure ObjectID parameter, which is now needed to run the forward sync.

      Get-MsolUser -SearchString <UserPrincipalName or DisplayName> | fl ObjectID
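
The checks in the steps above can be collected into one pass over the objects the cmdlets return. The following is an added example, not part of the original article or a Microsoft cmdlet: Get-ProvisioningFinding is a hypothetical helper name, and the sample object at the end is constructed so that the logic can be read without a tenant.

```powershell
# Added example. Get-ProvisioningFinding is a hypothetical helper, not a Microsoft cmdlet.
# Each parameter takes the output of one cmdlet from the steps above, or $null if it returned nothing.
function Get-ProvisioningFinding {
    param(
        $AadUser,      # Get-MsolUser -UserPrincipalName <UPN>
        $ExoUser,      # Get-User <UPN>
        $Recipient,    # Get-Recipient <UPN>
        $SoftDeleted,  # Get-Mailbox -SoftDeletedMailbox <UPN>
        $Inactive      # Get-Mailbox -InactiveMailboxOnly <UPN>
    )
    if (-not $AadUser) {
        # Nothing else can be evaluated until the object syncs to Azure AD.
        return 'Not in Azure AD: confirm that the object is in scope of Azure AD Connect.'
    }
    if (-not $AadUser.UsageLocation) { 'UsageLocation is not populated.' }
    if ("$($AadUser.ValidationStatus)" -ne 'Healthy') {
        "ValidationStatus is '$($AadUser.ValidationStatus)': review the validation errors."
    }
    if ($AadUser.UserType -eq 'Guest' -and -not $AadUser.ImmutableId) {
        'Cloud-only Guest object (blank ImmutableId): possible conflict with a syncing object.'
    }
    if (-not $AadUser.IsLicensed) { 'No license assigned in Azure AD.' }
    elseif ($Recipient -and -not $Recipient.SkuAssigned) { 'License is not reflected in Exchange Online (SkuAssigned).' }
    if ($SoftDeleted) { 'A soft-deleted mailbox exists: recoverable within 30 days.' }
    if ($Inactive)    { 'An inactive mailbox exists: follow the inactive mailbox recovery article.' }
    if (-not $ExoUser) {
        "Not present in Exchange Online: request a forward sync with ObjectId $($AadUser.ObjectId)."
    }
}

# Live use (assumes Connect-MsolService and an Exchange Online session are already open):
#   $upn = 'user@contoso.com'   # placeholder
#   Get-ProvisioningFinding `
#       -AadUser     (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) `
#       -ExoUser     (Get-User $upn -ErrorAction SilentlyContinue) `
#       -Recipient   (Get-Recipient $upn -ErrorAction SilentlyContinue) `
#       -SoftDeleted (Get-Mailbox -SoftDeletedMailbox $upn -ErrorAction SilentlyContinue) `
#       -Inactive    (Get-Mailbox -InactiveMailboxOnly $upn -ErrorAction SilentlyContinue)

# Constructed sample: a licensed, synced user with no UsageLocation and no Exchange Online object.
$sampleAadUser = [pscustomobject]@{
    UserPrincipalName = 'user@contoso.com'
    ObjectId          = '00000000-0000-0000-0000-000000000000'   # placeholder
    UsageLocation     = $null
    ValidationStatus  = 'Healthy'
    UserType          = 'Member'
    ImmutableId       = 'constructed-anchor-value'
    IsLicensed        = $true
}
Get-ProvisioningFinding -AadUser $sampleAadUser
```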