{"id":1980,"date":"2020-07-21T01:00:00","date_gmt":"2020-07-21T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/battle-of-the-proxies\/"},"modified":"2020-07-21T01:00:00","modified_gmt":"2020-07-21T01:00:00","slug":"battle-of-the-proxies","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/migrations\/battle-of-the-proxies\/","title":{"rendered":"Battle of the Proxies"},"content":{"rendered":"<p><span>Hey folks! Pure Awesomeness here! <\/span><\/p>\n<p><span>Hope you\u2019ve all been staying healthy and safe during these uncertain times. I know, I know\u2026It\u2019s been a while since my last blog but I\u2019m back\u2026back once again to deposit as much knowledge and wisdom as one individual with the title of Pure Awesomeness can, whilst maintaining social distancing and carrying on with self-isolation. <\/span><\/p>\n<p><span>So, <a rel=\"noopener\" href=\"\/au\/insights\/geek-speak\/fasttrack\/aad-connect-and-beyond\/\" target=\"_blank\">my last blog<\/a> was all about the new concept of syncing identities using Azure AD Cloud Provisioning. With this blog, I thought I\u2019d keep it to a similar topic and talk to you about the fun and games Microsoft <\/span><span>tenant to tenant migrations can bring to the table, especially around the identities and domain removal. OK, not really a similar topic but if you saw the lack of hair on my head, you\u2019d be forgiven for thinking <\/span><span>I\u2019d pulled them all out as a result of my latest tenant to tenant adventure. <\/span><\/p>\n<p><span>So, what happened on my latest tenant to tenant adventure which has resulted in writing this blog? Well, before I tell you, I need you to <a rel=\"noopener\" href=\"\/au\/insights\/insentragram\/\" target=\"_blank\">sign up to Insentragram<\/a>! 
Oh, come on, this is basically standard practice with all of my blogs \ud83d\ude42<\/span><\/p>\n<p><span>Now, ensure you\u2019ve checked off all of the requirements below: <\/span><\/p>\n<ul>\n<li><span>Signed up to Insentragram<\/span><\/li>\n<li><span>In possession of a cup of liquid gold, aka coffee<\/span><\/li>\n<li><span>Do the Evan Almighty happy dance because Microsoft is increasing the Teams video tiles to 49!<\/span><\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>HERE WE GO!<\/span><\/h3>\n<p><span>It all started a few months ago when I was assigned a new project where I had to migrate content out of an Office 365 tenant located in Europe to an Office 365 tenant located here in Australia. Only a handful of Office 365 services were in use in the source tenant so as a whole, the project didn\u2019t look too complex (famous last words!).<\/span><\/p>\n<p><span>What happened, I hear you ask? <\/span><\/p>\n<p><span>Well, in any tenant to tenant migration, not only is your identity model key, but you also need to make sure the domain(s) you need to remove aren\u2019t tied to any services in the source tenant. If that domain is tied to even a single object, such as a distribution group, you can forget about removing the domain from the source tenant. The tenant gatekeepers won\u2019t allow it. <\/span><\/p>\n<p><span>In my scenario, even though Exchange Online wasn\u2019t being used in the source tenant (phew!), the domains I needed to remove were tied to the proxy addresses of the synchronised identities. What do the proxy addresses have to do with anything given Exchange Online isn\u2019t in use? Well, here\u2019s where the fun begins!<\/span><\/p>\n<p><span>Outside of a few distribution groups which were removed, the issue I had was with Mail User objects (not Mail Contacts) and proxy addresses. 
Keep reading to find out how these two staples of the Exchange Online world can impact a simple task such as a domain removal.<\/span><\/p>\n<p class=\"P-Heading3\"><strong>msExchMailboxGuid<\/strong><\/p>\n<p><span>If you\u2019re running an on-premises Exchange organisation, every account with an on-premises mailbox has a unique attribute called the msExchMailboxGuid. In an Exchange Hybrid world, this attribute tells Exchange Online there is an on-premises mailbox and not to provision a mailbox until cutover is complete. This bad boy is also responsible for creating Mail User objects in Exchange Online (these come into play in the Exchange Hybrid world). <\/span><\/p>\n<p><span>Another thing to note is that when you install Azure Active Directory Connect (AAD Connect), by default, this attribute syncs to Azure AD, creating the Mail User objects. These objects are stamped with the proxy address attributes of the corresponding on-premises mailbox and these aliases are tied to the domain you need to remove. You can\u2019t delete these objects from Exchange Online as they\u2019re synced from on-premises and for obvious reasons, you can\u2019t delete the mailbox. 
So how do you get around this?<\/span><\/p>\n<p><span>You\u2019ve come to the right place my loyal apprentice\u2026<\/span><\/p>\n<p><span>There are two ways you can remove the Mail User object without impacting the synced identity or the on-premises mailbox:<\/span><\/p>\n<ul>\n<li><span>Attribute filtering from within AAD Connect<\/span><\/li>\n<li><span>Custom AAD Connect synchronisation rules<\/span><\/li>\n<\/ul>\n<p><span>The easiest approach is option 1, so within AAD Connect, unselect the check box for msExchMailboxGuid and click OK.<\/span><\/p>\n<p><span><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/insentra_hambik_matvosian_07212020_img_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/efbd5aa9cfde418095291d36e5979c3f\" \/><\/span><\/p>\n<p class=\"P-BodyText\"><span>Then you\u2019ll be presented with the below heart-stopping warning (it\u2019s not that bad I promise).<\/span><\/p>\n<p class=\"P-BodyText\"><span>Just click OK.<\/span><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/insentra_hambik_matvosian_07212020_img_2.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/6dffb53be2594f21ba96762dc0622082\" \/><\/p>\n<p><span>Next, run a full sync on the <\/span><span>server to push the changes up to Azure AD. 
<\/span><\/p>\n<p><span>Please note that the full sync can take some time to complete, depending on the number of objects and attributes you are syncing and any changes which are made during the sync won\u2019t appear in Azure AD until the next sync cycle.<\/span><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/insentra_hambik_matvosian_07212020_img_3.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/5d9773c142b24d64b78ef8e52de73440\" \/><\/p>\n<p><span>Once the sync cycle completes, you will notice Mail User objects start to disappear from Exchange Online, but the corresponding Azure AD identities remain untouched. Trial this out in a lab environment. The downside to this approach is that there is no way to stage this \u2013 it\u2019s all or nothing.<\/span><\/p>\n<p><span>So, that takes care of the Mail User objects but, yes there\u2019s always a but\u2026you\u2019ve still got proxy addresses to take care of. <\/span><\/p>\n<p><strong>Proxy Addresses<\/strong><\/p>\n<p><span>Back to my scenario\u2026Even though I tried to remove the domain, it was still tied to the Azure AD proxy addresses, so, by default, the first thing I tried was to filter the proxyAddress attribute from AAD Connect (same approach as the msExchMailboxGuid). I ran a full sync and BINGO (just kidding) \u2026 it did not work! All related articles led me down the path of removing the proxy addresses at the on-premises mailbox level (which I didn\u2019t want to do) so, I decided to log a support ticket with Microsoft to see if there was another way\u2026I mean\u2026there had to be! <\/span><\/p>\n<p><span>Turns out, there isn\u2019t. As it stands now, there is no way to filter the proxy address attribute from an Azure AD synced identity without impacting the on-premises mailbox. So, what do you do? 
I can almost hear a pin drop as you all wait in anticipation for the answer.<\/span><\/p>\n<p><strong>So, What\u2019s the Answer?<\/strong><\/p>\n<p><span>The only way forward (and it\u2019s not pretty) is to assign Exchange Online licenses to the identities, let the mailbox be provisioned and then remove the license. This approach strips away the proxy addresses and leaves the onmicrosoft.com domain as the only remaining proxy address. Remember, this approach is only possible because I\u2019ve removed the Mail User object and I\u2019m not syncing the msExchMailboxGuid anymore.<\/span><\/p>\n<p><span>Depending on the number of identities to apply the license to, it may be best to script this or if licensing allows, use Group Based licensing. <\/span><\/p>\n<p><span>Back to my scenario\u2026once the proxy addresses were removed, I was now able to successfully remove the domain from the source and register it in the target tenant. #winning<\/span><\/p>\n<p><span>As the title of this blog suggests, it was definitely a battle with the proxy addresses and trying to get these removed!<\/span><\/p>\n<p><span>Until next time, Pure Awesomeness signing off.<\/span><\/p>\n<p><em><span>&#8220;The greatest glory in living lies not in never falling, but in rising every time we fall.&#8221; &#8211; Nelson Mandela<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey folks! Pure Awesomeness here! Hope you\u2019ve all been staying healthy and safe during these uncertain times. 
I know, I know\u2026It\u2019s been a while since my last blog but I\u2019m back\u2026back once again to deposit as much knowledge and wisdom as one individual with the title of Pure Awesomeness can, whilst maintaining social distancing and&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/migrations\/battle-of-the-proxies\/\">Continue reading <span class=\"screen-reader-text\">Battle of the Proxies<\/span><\/a><\/p>\n","protected":false},"author":52,"featured_media":1981,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[22],"tags":[],"class_list":["post-1980","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-migrations","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=1980"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1980\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/1981"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=1980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=1980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=1980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","
templated":true}]}}