Friday, February 19, 2016

Convert a user mailbox to shared in a hybrid environment.

In a hybrid environment it’s not supported to convert user mailboxes to regular, even though there is a link in EAC to do this. It seems to work, but the changes that are made in Exchange Online won’t properly sync back to on-premises. I wrote about this in an earlier post: Do not convert synced mailboxes to shared in a hybrid environment.

After that I kept working with Microsoft to obtain a better understanding of the issue and ultimately develop a process to do this conversion.

Disclaimer: This process was developed in a lab environment under the guidance of Microsoft Premier Support. Before doing this in your environment, make sure you check with your Microsoft contact if they support this procedure until any official guidance has been published.

To convert a mailbox to shared, we need to perform three steps:

  • Convert the mailbox to shared in Exchange Online
  • Modify the on-premises AD attributes accordingly
  • Revoke the Exchange Online license

In Exchange Online simply convert the mailbox to the correct type:

Set-Mailbox MyMailbox -Type Shared

Now in Active Directory Users and Computers, make sure you have enabled Advanced Features under the View menu option. Next, navigate to the AD object (mail user), open its properties and go to the Attribute Editor tab.

Tip: Write down the values before making any changes. Or even better, dump all AD attributes and their values to a text file:
Get-ADUser MyMailbox -Properties * > before.txt

Now update the following attributes with these values:

  • msExchRemoteRecipientType: 100
  • msExchRecipientTypeDetails: 34359738368

The last step is to revoke the Exchange Online license. This is optional, but in most cases it is something you want to do, as a shared mailbox does not require a license. Simply use the Office 365 portal and find the user under Active Users. Remove the Exchange Online license.

After we have revoked the license, it’s important to validate the license status in Azure AD:

Get-MSOLUser -UserPrincipalName MyMailbox@mydomain.com | fl *lic*

Pay attention to the LicenseReconciliationNeeded attribute; this should be False. If LicenseReconciliationNeeded returns True, Exchange Online thinks this mailbox requires a license and has entered the 30 day grace period. A fix
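The on-premises attribute change and the license check described above, as an added PowerShell example (not the author's script, and not reviewed by Microsoft). It assumes the ActiveDirectory and MSOnline modules are available, Connect-MsolService has already been run, and the mailbox has already been converted in Exchange Online; the parameter names and the backup file name are hypothetical.

```powershell
# Added example: snapshot, change, and verify the two attributes from the article,
# then report the Azure AD license state. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $Identity,           # AD account, e.g. MyMailbox
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. MyMailbox@mydomain.com
    [string] $BackupPath = ".\before-$Identity.txt"      # hypothetical file name
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Target values given in the article for a shared mailbox.
$target = @{
    msExchRemoteRecipientType  = 100
    msExchRecipientTypeDetails = 34359738368
}

# 1. Dump all attributes first; refuse to overwrite an earlier snapshot.
if (Test-Path $BackupPath) { throw "Backup '$BackupPath' already exists; move it first." }
$user = Get-ADUser -Identity $Identity -Properties *
$user | Out-File -FilePath $BackupPath

# 2. Write only the attributes that differ, so a second run changes nothing.
$changes = @{}
foreach ($name in $target.Keys) {
    if ($user.$name -ne $target[$name]) { $changes[$name] = $target[$name] }
}
if ($changes.Count -gt 0) { Set-ADUser -Identity $user -Replace $changes }

# 3. Read the values back from AD instead of trusting the write.
$after = Get-ADUser -Identity $Identity -Properties ([string[]]$target.Keys)
foreach ($name in $target.Keys) {
    if ($after.$name -ne $target[$name]) {
        throw "$name is '$($after.$name)', expected '$($target[$name])'."
    }
}

# 4. After the license has been removed, LicenseReconciliationNeeded should be False.
$msol = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($msol.LicenseReconciliationNeeded) {
    Write-Warning "LicenseReconciliationNeeded is True for $UserPrincipalName."
}
[pscustomobject]@{
    Identity                    = $Identity
    AttributesChanged           = ($changes.Keys -join ', ')
    Backup                      = $BackupPath
    IsLicensed                  = $msol.IsLicensed
    LicenseReconciliationNeeded = $msol.LicenseReconciliationNeeded
}
```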

15 comments:

Unknown said...

Do you know how to convert a mail user to a remote user mailbox?

Jetze Mellema said...

Hi Juan,

Check this out: http://byronwright.blogspot.nl/2013/11/converting-mail-user-to-remote-user.html

Unknown said...

After setting msExchRemoteRecipientType and msExchRecipientTypeDetails, we see the shared mailbox appear correctly. However, LicenseReconciliationNeeded is still set to True (though the mailbox doesn't get deleted).

The only way I can get LicenseReconciliationNeeded to go false (without migrating the mailbox) is to assign and remove a license - have you come across this, and if so is there a workaround?

Jetze Mellema said...

Try adding and removing the license again, this usually does the trick.

Unknown said...

Great article. Exactly what I needed.

Unknown said...

Hello, how can we convert a Migrated RemoteRecipienttype to none for a User that is on prem?

Kevin P said...

Is it possible to give read only access to a shared mailbox?

We don't want users deleting email in a leaver's mailbox.

Thanks

Unknown said...

It worked like magic. Thank you soo much. :)

exrookie said...

Excellent work Jetze!

Onno said...

Worked like a charm. Thank you!

Anonymous said...

After performing all the steps mentioned in the article, I have manually enforced the delta sync to complete the sync process. However, I am still showing mymailbox as a user mailbox and shared mailbox in O365.

Unknown said...

This is very helpful - do you know - can I complete the task by then deleting the local AD user object?

Peter Forster said...

Hi,

wouldn't fit the command
Set-RemoteMailbox -identity youridentity@yourdomain.com -Type Shared
the same?

I'm always doing it that way and this command does all that is needed. It sets the required attributes and changes "LicenseReconciliationNeeded" to False.

-Peter

DJ Bizz said...

Great article. Do you know how we can convert the user mailbox to a shared mailbox and then delete the AD user without losing the shared mailbox? I tried the steps in this article and then moved the AD user to a NoSync folder and the mailbox disappears. Thanks!

melike7676 said...

Hi, excellent post... do you have any information if there has been any development on this on Microsoft's part? =:-)