After Accidental Exchange licensing we can no longer change Azure AD email or ProxyAddresses

Jonathon Miles 1 Reputation point
2020-10-15T23:59:43.307+00:00

The History.

My organization is forced (by law) to use email addresses that we don't control, and we cannot verify the domain in Azure. We have O365 but do not license any user for Exchange. By default AAD wants to use the UserPrincipalName as the email address, but for years we could properly set our Azure AD email attribute by syncing to AAD a combination of AD mail and ProxyAddresses.

Examples of On Prem:
UserPrincipalName = first.last@mathieu.company.com
mail = first.last@unverifiable.com
ProxyAddresses = SMTP:First.Last@unverifiable.com

This would set Azure AD to match BUT if ProxyAddresses was not set we would see "mail = first.last@Company.com" in Azure AD. This was kind of messy but we adapted.

Recently, a large group of users were accidentally provisioned an Exchange license for less than 10 minutes.

Now whatever we do we cannot properly set these users' email addresses. Everything is correct in AD but the email address will not update in Azure AD. During a call with a very knowledgeable MS technical resource I asked about this and was told that he'd seen this one time and in that case it was resolved by deleting the AzureAD accounts and resyncing. That would be great except that it disassociates OneDrive, teams, and just about everything from the user.

So here I am looking for other options.

Microsoft Entra ID

1 answer

  1. Vasil Michev 95,181 Reputation points MVP
    2020-10-16T07:35:09.207+00:00

    Afaik the behavior is as follows: a (mail user) object without a license can have any address you want, i.e. @microsoft.com. Once you apply a license, ExO will "sanitize" any and all addresses that correspond to non-verified domains, regardless of whether assigning the license actually resulted in provisioning a mailbox.

    As to how to "fix" this, I'm not 100% sure. One thing to try is to "reprocess" the object after removing the license; you can do this via the Azure AD blade > Users > select the user > Licenses > Reprocess. Another thing is to soft-delete the user object in Azure AD, then recover it immediately, which will not cause any disassociation.

    1 person found this answer helpful.
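The following script is an added example, not code posted by the question author or the answerer. It checks one user's on-prem mail/proxyAddresses against the Entra ID values so you can see whether the cloud object is actually out of sync, and then applies the two remediations from the answer above (reprocess after license removal, or soft-delete and immediate restore) as separate, explicit steps. It assumes the Microsoft Graph PowerShell SDK and the ActiveDirectory RSAT module are installed, that the signed-in account holds User.ReadWrite.All and Directory.ReadWrite.All, and that the `reprocessLicenseAssignment` Graph action is available for the tenant; the sAMAccountName and UPN are placeholders.

```powershell
# Added example (not from the question or the answer). Assumes the
# Microsoft.Graph SDK and the ActiveDirectory RSAT module; identifiers are placeholders.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

$sam = "first.last"                          # on-prem sAMAccountName (placeholder)
$upn = "first.last@mathieu.company.com"      # UPN in the form used in the question

function Compare-MailAttributes {
    param([string]$SamAccountName, [string]$UserPrincipalName)

    $onPrem = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses
    $cloud  = Get-MgUser -UserId $UserPrincipalName `
                -Property Id, UserPrincipalName, Mail, ProxyAddresses, AssignedLicenses

    # The primary SMTP address is the entry with an upper-case "SMTP:" prefix,
    # so the match must be case-sensitive (-clike).
    $onPremPrimary = @($onPrem.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''
    $cloudPrimary  = @($cloud.ProxyAddresses  | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''

    [pscustomobject]@{
        ObjectId      = $cloud.Id
        OnPremMail    = $onPrem.mail
        CloudMail     = $cloud.Mail
        OnPremPrimary = ($onPremPrimary -join ';')
        CloudPrimary  = ($cloudPrimary  -join ';')
        LicenseCount  = @($cloud.AssignedLicenses).Count
        MailInSync    = ($onPrem.mail -eq $cloud.Mail) -and
                        (($onPremPrimary -join ';') -eq ($cloudPrimary -join ';'))
    }
}

# Remediation 1 from the answer: remove the license first, then ask Entra ID to
# re-evaluate the object. Refuses to run while any license is still assigned.
function Invoke-LicenseReprocess {
    param([pscustomobject]$State)
    if ($State.LicenseCount -gt 0) {
        throw "User still has $($State.LicenseCount) license(s); remove them before reprocessing."
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/users/$($State.ObjectId)/reprocessLicenseAssignment"
}

# Remediation 2 from the answer: soft-delete and restore straight away. The object
# keeps its id, which is why OneDrive/Teams associations are not lost.
function Invoke-SoftDeleteRestore {
    param([pscustomobject]$State)
    Remove-MgUser -UserId $State.ObjectId
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $State.ObjectId | Out-Null
    Get-MgUser -UserId $State.ObjectId -Property Id, Mail, ProxyAddresses
}

$state = Compare-MailAttributes -SamAccountName $sam -UserPrincipalName $upn
$state | Format-List

if (-not $state.MailInSync) {
    # Try the less invasive step first; re-run the comparison after the next
    # Azure AD Connect sync cycle before falling back to Invoke-SoftDeleteRestore.
    Invoke-LicenseReprocess -State $state
}
```

Run the comparison on its own first: if `MailInSync` is already true, the problem is elsewhere (for example the sync scope or a stale export) and neither remediation is needed. Only call `Invoke-SoftDeleteRestore` after a full sync cycle has confirmed that reprocessing did not bring the cloud `Mail`/`ProxyAddresses` back in line, and restore within the same session so the object never sits in the deleted-items container long enough for anything else to notice.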