Unable to update the specified properties for on-premises mastered Directory Sync objects

AD 21

Environment:
Hybrid with an older Exchange 2010 server.
AD server 2019 running AZURE AD CONNECT (latest version as of March 2022)
I've been adding new employees by creating a new account in AD and syncing with AZURE. No problems there.
Then I go into the Office 365 portal and assign Office for business licenses. A mailbox is then created and working no problem.
Recently, when using the Exchange Admin online, trying to add an alias to ANY mailbox or simply changing the REPLY to SMTP address, I am getting the error:
Error executing request. An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
This was uncovered when a user sent me an email and it came the onmicrosoft.com domain instead of the company domain. When I looked at the account, I tried to change the REPLY TO back to the default company email and got the error also.
Only 3 employees are effected by the "onmicrosoft.com" issue but I cannot add an alias email to ANY mailbox or change the primary email.
About 2/3 of the employees were migrated from the on premise Exchange server about a year ago and the rest created as mentioned above.
Checking the AD CONNECT LOGS, there are no errors at all when syncing and the online dashboards show no sync errors.
I then tried going into the users AD Properties on Premise and changed the PROXY ADDRESS ATTRIBUTE to change the default reply to SMPT:user@keyman .com. That syncs no problem and shows up in the portal as the primary address but when the user sends an email, it still comes from the onmicrosoft.com domain. I'm at a loss without any log errors to point me in the right direction. The syncing from on premise to online seems to be working fine otherwise.
Thank you

Travis R 6 Reputation points

2022-04-19T15:09:37.153+00:00

I'm having the exact same issue...

" Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration."

I keep seeing all the solutions referring to making the changes in your on-prem ecp..
However, there is no on-prem exchange server.. Only Microsoft 365 Hosted Exchange.

Any advice?
MiGorengChilli 1 Reputation point

2022-09-15T23:32:20.89+00:00

seeing the exact same error on 2 tenants now. Something has changed with how microsoft does dirsync/hybrid setup. We used to be able to edit these attributes in EXO.
MiGorengChilli 1 Reputation point

2022-09-16T00:02:51.213+00:00

Im thinking it might be related to this:

https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-improvements-to-accelerate-replication-of/bc-p/3628838#M34099

Is there a way to turn off the dual-write feature?
Darth Suslik 31 Reputation points

2022-10-25T16:08:10.493+00:00

I'm sure you already figured this out but for those just now reading these forums... don't forget that AD Sync pushes the attributes from AD to 365 so... if you no longer have an on-prem Exchange server, that's fine... use Active Directory's attribute editor like you did before Exchange started allowing these aliases added directly in the EAC. Jump into your domain controller, open ADUC and open the user. Click the Attribute Editor and add your aliases there. Once you're done, wait for AD to Sync to 365 on its own or use the ADSync service app to start a Delta Sync (you'll likely still have to wait about 10 minutes for things to appear on the 365 side). Your aliases will start to appear in the Active User's properties eventually. That error you see is actually quite smart of Microsoft... it prevents new data from more than one source, potentially corrupting the record since Microsoft has no way of knowing which info source wins in each situation.
Szufnarowski, Joe 20 Reputation points

2023-02-23T20:08:31.3133333+00:00

I used Darth's suggestion which worked in my environment. The attribute to add the email aliases to is 'proxyAddresses' (which was blank), within my on-prem AD for the user connected with the shared mailbox. Thanks Darth.
Aung Si Thu 0 Reputation points

2023-03-15T01:09:20.6766667+00:00

Thanks, Darth. It worked!

11 answers

Andy David - MVP 141.3K Reputation points MVP

2022-03-18T14:33:22.643+00:00

If you are syncing with AADConnect to On-prem, you can not manage any of the mailboxes in 365 that have their AD accounts created on-prem, so what you are seeing is expected.
Essentially you would create a remote mailbox and it syncs and gets created in 365 once a license is applied
You would only be able to modify mailboxes in 365 that had both the user account and mailbox created there.

If you were able to modify mailboxes before directly in 365 that were being synced, I cant explain that because thats really not how it works :)
Please sign in to rate this answer.

2 people found this answer helpful.
Tyler S 1 Reputation point

2022-03-18T17:42:34.807+00:00

Does this mean that if you ever had an on-prem exchange server, even if all mailboxes have been migrated to m365, you will always need to have an on-prem exchange server to manage migrated users? There's no way to "convert" migrated users to full cloud users?

We have ADDS on-prem and moved all email to m365. ADDconnect is used to synchronize on-prem AD to m365. The goal is not not have ANY on-prem exchange servers or management tools.

AD 21 Reputation points

2022-03-20T14:49:31.827+00:00

I have been adding alias emails on the Exchange admin console in the portal and not on premise for over a year since I migrated all mailboxes so that statement is not correct that I cannot manage mailboxes in 365. I have been able to change primary SMTP emails as well as add alias emails. This literally started a few weeks ago out of the blue. The only change I made was adding MFA for all users in the Azure AD Portal. After that, I could not add alias emails for anyone. Azure AD Connect shows no errors syncing on the AD Server on pemise.

Andy David - MVP 141.3K Reputation points MVP

2022-03-20T15:00:14.34+00:00

Yea, sorry dont know what to say. If AADConnect and syncing and configured for Exchange , I have never been able to manage Exchange mail objects directly in 365.:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-online

Martin Gospodinov 6 Reputation points

2022-04-14T11:13:30.687+00:00

In O365 you can manage only objects that were created in O365. You can't manage objects that were created on-premise.

Martin Gospodinov 6 Reputation points

2022-04-14T11:16:38.93+00:00

The only way not to have Exchange Server on-premises is not to have Hybrid configuration but only O365. In that case you can remove you Exchange Server and objects will be managed from Active Directory. If you have a Hybrid configuration, all your mailboxes are in the cloud and you have only one minimal Exchange Server on-premises, you can apply for a free Exchange Server license. But you will still use Exchange Server as a management tool for the cloud mailboxes.

MiGorengChilli 1 Reputation point

2022-09-15T23:30:25.213+00:00

Pretty certain we used to be able to do this as well. Am now seeing the same issue as you describe in 2 of my tenants. So what has changed? Has there been an update to dirsync/hybrid exchange that now prevents this?

In the error message it states something about dualwrite (graph). what is this?

error:

An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) RequestId: The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
Sign in to comment
Andy David - MVP 141.3K Reputation points MVP

2022-03-18T12:15:42.103+00:00
Can you make the change in Exchange instead? If there isnt a remote maibox created for these users, thats what you need to do first, then change the primary within Exchange on-prem so it syncs

or use on-prem Exchange Powershell and let it sync

Enable-RemoteMailbox "Kim Akers" -RemoteRoutingAddress "kima@contoso.mail.onmicrosoft.com" -PrimarySmtpAddress user@domain.com

https://learn.microsoft.com/en-us/powershell/module/exchange/enable-remotemailbox?view=exchange-ps
Please sign in to rate this answer.

1 person found this answer helpful.
AD 21 Reputation points

2022-03-18T13:52:17.653+00:00

Update:
The SMTP attribute that I had added onpremise for the Proxy address is now working as the default address so emails are coming from the correct domain address.
BUT - I still cannot change or modify anthing on the Exchange Admin like adding an alias or changing the primary. Keep in mind I was always able to do tgis until a few days ago.
In reply to your response:
There are no ON-PREMISE mailboxes. The original ones were all migrated to Office 365/Exchange Online.
Any new employee mailboxes are also created online in the 365 portal. Only the user Account is created ON-Premise in AD and then I run the DELTA to update Azure AD which works flawlessly.
Any mailbox management needs to be done in the portal as I always have. This just started happening a few days ago with users that were working fine for months.
The only change was users adding MFA to their accounts in their online security portals using their mobile devices or MS AUTH APP.
I'm not sure why that would effect adding an alias email address. I'm sure I can now add alias emails in the Proxy addess field on premise but never had to do that before.
Sign in to comment
Administrador Kenpei 6 Reputation points

2022-03-23T03:23:37.993+00:00

Hello Community,

Just to comment that I've found the same behavior described on this thread. We do not have an On-Prem Exchange, we have been using AD Connect for about 4 years synching with AAD, when users get created on Azure AD side, we assign an O365 license in order for their mailbox to be ceated and we have been able to add alias or modify "Primary SMTP Address" since a few days ago. This week we also noticed a user sending email from "@keyman .onmicrosoft.com", so we tried to update the "Primary SMTP Address" with no success and the message:

Error executing request. An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.

Checking our Active Directory, we did noticed that attribute "ProxyAddress" is BLANK so I'dont know if it supposed to be populated with Azure AD values coming from the cloud.

Regards.,

Enrique
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Kalyan 1 Reputation point

2022-03-18T19:43:38.64+00:00

I am getting the same error when we modify smtp addresses. In our environment, we had all mailboxes in an older Exchange 2010. We use AAD to sync user info on Azure. I created mailboxes on Exchange Online and now, users have an exchange online mailbox. All end clients are connected to Exchange Online. All mails are received at Exchange Online. But, the SMTP address info comes from onprem AD. How do I properly disconnect the on-prem mailboxes.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Andy David - MVP 141.3K Reputation points MVP

2022-03-18T20:42:14.107+00:00

For now, to be supported, yes. You have to have an Exch Server on-prem as long as you are using syncing to Azure from on-prem.
That will hopefully change one day:

https://learn.microsoft.com/en-us/exchange/decommission-on-premises-exchange
Please sign in to rate this answer.
Kalyan 1 Reputation point

2022-03-21T14:55:21.21+00:00

This is for a hybrid migration. We never had hybrid.

So, we used AAD and AD connect tool to create our users on Azure. We manually created the mailboxes on Exchange Online by applying the licenses. Initially, we had issues creating mailboxes because 'MSExchMailboxGUID' attribute was set to a vaule pointing to on-prem exchange. we created a new sync rule on AD connect to pass Null for 'msExchMailboxGUID' which allowed use to create mailboxes on Exchange Online. We have run this new sync rule only once and then disabled it. Now, with the new mailboxes created, we have manually exported and imported into exchange online. We never had a hybrid setup. Now, we want to add smtp address to any mailbox and I get that error.

Also, If I 'disable' a mailbox on Exchange On-prem, the smtp addresses are also removed from exchange online for the mailbox. Please suggest how do I add smtp addresses on Exchange Online.

Martin Gospodinov 6 Reputation points

2022-04-14T11:22:18.267+00:00

So you have an Exchange Server and Exchange Online but not Hybrid configuration? In this case it's probably best if you implement Hybrid since now both Exchange servers fight over the same objects in AD.
Sign in to comment