Speaking of Exchange….. ZeroConfigExchange is dumb


Jonathan Raper

Sep 8, 2023, 6:39:51 AM
to ntsys...@googlegroups.com
So, I’m preparing to migrate 2,500 users - tenant to tenant.

On-prem AD Domain A is syncing to tenant A.
On-prem AD Domain B is syncing to tenant B.

Domain A is not going away yet, due to a ton of dependencies. So users will have two accounts, one in each domain, with password sync to the new domain so the user doesn’t have to remember a new password.

Of course, all of the users’ email addresses are changing, so the mail attribute in Domain A will no longer be valid, which is where the fun begins.

As a part of the migration, Office 365 apps for business is being reset to first run, so that everything Office/email/OneDrive related will be associated to the new tenant.

This is problematic because, the way I understand it, due to changes made by MSFT to “make our lives easier”, there is a feature called ZeroConfigExchange that automatically pulls the email address (presumably from the mail attribute) when you first run Outlook (or any Office app), if you simply click OK on the first run dialogue box.

You do have the opportunity to enter an email address, which is what makes this work properly for us in this scenario.

However….asking 2,500 users to manually enter a NEW email address (that they don’t yet know by heart) is less than ideal….because no matter how much we communicate this, a percentage of end users are going to blow right past that dialogue box and then be stuck, requiring a call to the Service Desk.

This is not an ideal end user experience.

The kicker is that we have about ~15k more users to migrate from additional tenants over the next 9-12 months. They each will have the same legacy on-prem domain requirement.

Based on my reading from MSFT, there is no way around this. But there HAS to be a way. Is there?

For context….



Thanks,

Jonboy


Henry Awad

Sep 8, 2023, 6:51:31 AM
to ntsys...@googlegroups.com
Why not use PowerShell to change the mail address attribute for the users that you want to migrate? Am I missing something?


Jonathan Raper

Sep 8, 2023, 7:44:45 AM
to ntsys...@googlegroups.com
Thanks - already thought about that, but one of my engineers states that will be problematic due to timing. If we change it too soon, and it syncs to Tenant A, then mail will break for the user in the legacy tenant.

We have to run the migration batches on a Wednesday night (per the business's requirements), with essentially zero downtime, so timing is everything.

We do have the new email address written to an Exchange extension attribute in Domain A, so wondered about figuring out a way for Outlook to look to the Extension Attribute for that on first run….but not sure if that is even remotely possible.

Thanks,

Jonboy



Michael B. Smith

Sep 8, 2023, 8:09:45 AM
to ntsys...@googlegroups.com

No it isn’t.

Why change the email addresses?

Typically in this scenario the target tenant has the domain as an InternalRelay with the source tenant having the domain as Authoritative. Then the migration “magically” takes care of this problem.

Thanks.

Regards,
Michael B. Smith
Managing Consultant
Smith Consulting, LLC

Jonathan Raper

Sep 8, 2023, 9:04:39 AM
to ntsys...@googlegroups.com
The business decision is to have everyone in Tenant A ultimately have the @TenantB email address as the primary/default SMTP address, as Tenant A is an acquired company being absorbed into Tenant B. Legacy email address from Tenant A will be added as a proxy/alias on the new mailbox in Tenant B.

Migrations are being facilitated by BitTitan in waves over a period of weeks with OneDrive and email being handled simultaneously for each batch of users, followed by SharePoint and Teams data. Users will be logging into both tenants temporarily until the full migration of all data is complete.

Caveats - 

  1. For marketing purposes, we have to do address rewriting for the tenant A users during and post migration for any external emails (that is straightforward enough)
  2. There is a 3rd party provider being used for email and Teams archiving for regulatory reasons. Ultimately we plan to look at bringing that back into 365, but not until next year sometime.

Thanks,

Jonboy



Henry Awad

Sep 8, 2023, 9:26:30 AM
to ntsys...@googlegroups.com
Check out this thread as it might help with the configuration changes: 


Henry Awad
Senior Systems Engineer
Technology Services
The Catholic University of America


Jonathan Raper

Sep 8, 2023, 10:08:09 AM
to ntsys...@googlegroups.com
Thanks - I read through it and the related threads. Unfortunately GPO isn’t going to be reliable as we have so many people remote who aren’t always on-net. Also, we don’t want to disable Autodiscover, as that works the way that it should based off of manually entering just the email address for the user in Tenant B/Domain B.

Even if it were possible, the DomainA smtp address is their legacy email address….so we would need to key off of an Exchange Extension Attribute….which likely isn’t possible (but I will take a look at that policy anyway, just in case).

But even if it were….validating that every user has gotten this GPO applied properly is a challenge in and of itself.

Thanks,

Jonboy


Philip Elder

Sep 8, 2023, 1:58:40 PM
to ntsys...@googlegroups.com

How we’d do it on-premises:

# Added 2023-09-07
$DomainName = "DOMAIN.Com"

# TODO Create the Domain
New-AcceptedDomain -DomainName "DOMAIN.Com" -DomainType Authoritative -Name "DOMAIN.Com"

# TODO Create the EAP
New-EmailAddressPolicy "EAP-DOMAIN.Com" -RecipientFilter {((MemberOfGroup -eq "CN=DOMAIN.Com,OU=E-mail Address Policy Groups,OU=MyDCom-HO-Groups,OU=MyDCom-HO-HeadOffice,DC=Site,DC=DOMAIN,DC=Com"))} -EnabledEmailAddressTemplates "SMTP:%m...@DOMAIN.Com","smtp:%m...@DOMAIN2.Com"
Get-EmailAddressPolicy | Sort-Object Priority

# TODO Apply the address Policies
Update-EmailAddressPolicy -Identity "EAP-DOMAIN.Com"

# ? Remove if needed
Remove-EmailAddressPolicy "EAP-DOMAIN.Com" -Confirm:$False

A Security Group called DOMAIN.Com in the indicated OU would be the delimiter as far as the default SMTP (FROM) address.

When you’re ready to flip users just toss them into the Security Group. Make sure the above EAP is one step above the Default EAP in the sort order.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
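
A post-flip audit for the group-driven email address policy described in the message above, added here as an example and not code from anyone in the thread. The function name `Test-CutoverAddress`, the `$groupDn` variable and the sample users are assumptions made for illustration; the domain names are the placeholders from the post.

```powershell
# Added example: confirm that mailboxes placed in the EAP security group actually
# received the new primary address and kept the secondary one.
function Test-CutoverAddress {
    [CmdletBinding()]
    param(
        # Any object shaped like Get-Mailbox output.
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [string] $PrimaryDomain,
        [Parameter(Mandatory)] [string] $AliasDomain
    )
    process {
        $primary = [string]$Mailbox.PrimarySmtpAddress
        $proxies = @($Mailbox.EmailAddresses | ForEach-Object { [string]$_ })
        $issues  = @()

        # A mailbox opted out of address policies never receives the EAP templates.
        if (-not $Mailbox.EmailAddressPolicyEnabled) {
            $issues += 'EmailAddressPolicyEnabled is False'
        }
        # The upper-case SMTP: template should have produced the new primary address.
        if ($primary -notlike "*@$PrimaryDomain") {
            $issues += "primary address is not @$PrimaryDomain"
        }
        # The lower-case smtp: template should have kept a secondary address
        # (-clike is the case-sensitive comparison).
        $alias = @($proxies | Where-Object { $_ -clike 'smtp:*' -and $_ -like "*@$AliasDomain" })
        if ($alias.Count -eq 0) {
            $issues += "no secondary @$AliasDomain address"
        }

        [pscustomobject]@{
            Name    = $Mailbox.Name
            Primary = $primary
            Ready   = ($issues.Count -eq 0)
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample objects so the check runs without an Exchange session.
$sample = @(
    [pscustomobject]@{ Name = 'user1'; PrimarySmtpAddress = 'user1@DOMAIN.Com'; EmailAddressPolicyEnabled = $true
                       EmailAddresses = @('SMTP:user1@DOMAIN.Com', 'smtp:user1@DOMAIN2.Com') },
    [pscustomobject]@{ Name = 'user2'; PrimarySmtpAddress = 'user2@DOMAIN2.Com'; EmailAddressPolicyEnabled = $false
                       EmailAddresses = @('SMTP:user2@DOMAIN2.Com') }
)
$sample | Test-CutoverAddress -PrimaryDomain 'DOMAIN.Com' -AliasDomain 'DOMAIN2.Com' | Format-Table -AutoSize
```

Against a live environment (Exchange Management Shell plus the ActiveDirectory module), the same function can be fed from `Get-ADGroupMember -Identity $groupDn | ForEach-Object { Get-Mailbox -Identity $_.DistinguishedName }`, with `$groupDn` set to the security group's distinguished name.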

 


Melvin Backus

Sep 12, 2023, 11:32:54 AM
to ntsys...@googlegroups.com

Is using a mail alias an option to provide both the old and new addresses? If so, the entire transition is triggered by the change to the MX records.

 

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

 

¯\_(ツ)_/¯
