Resolving conflicts between Guest accounts and mail users in Azure AD

This is how to resolve conflicts between mail users or contacts and Guest accounts in Azure AD.

If you create mail users or contacts in Exchange on-prem or Exchange Online, you may well run into issues due to email (proxyAddress) conflicts.

This issue is especially prevalent in tenants where OneDrive, Teams or SharePoint files are being shared with external users and SharePoint is integrated with Azure B2B (see https://docs.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration). Every time a file is shared with an external user, or a user is added to a Team, an Azure AD Guest account is created automatically and becomes active once the user redeems the invite. The Guest account then has its proxyAddresses attribute populated with the user's external email address.

The conflict manifests itself in several ways:

Symptoms

Directory Sync errors

One of the most obvious indications that something bad is happening is that you start seeing directory sync errors in the Office portal. This will only happen if you have on-prem AD, Azure AD Connect and probably Exchange on-prem, and only if you have mail-enabled the users in Exchange on-prem, added an external email address manually to the E-mail field in Active Directory Users and Computers, or edited the mail or proxyAddresses attribute directly with an attribute editor.

If there is an existing Guest account with the same email address, you will see sync errors in https://admin.microsoft.com/:

If you open one of the errors you can see that the proxy address attribute is conflicting and will have been removed:

What's happening is that a Guest account already exists in Azure AD with the same email address. When Azure AD Connect tries to sync the on-prem user, it detects a duplicate proxyAddresses value, so it removes the conflicting value from the synced user and reports the error.
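To find these collisions before Azure AD Connect reports them (or to work out which Guest is blocking a particular user), the following script is an added example and is not from the original post. It assumes the ActiveDirectory module is loaded and an Exchange Online session has been opened with Connect-ExchangeOnline; Guests appear in Exchange Online as mail users with RecipientTypeDetails 'GuestMailUser', and the function name is my own.

```powershell
# Added example (not part of the original post): report on-prem users whose SMTP
# addresses collide with existing Azure AD Guest accounts.
# Assumptions: ActiveDirectory module available; Connect-ExchangeOnline already run.

function Get-GuestProxyAddressConflict {
    [CmdletBinding()]
    param(
        # Limit the on-prem search to one OU; default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Normalise "SMTP:User@Domain.com" / "smtp:..." / bare addresses to lower-case.
    function Normalize-Address([string]$a) {
        ($a -replace '^smtp:', '').Trim().ToLowerInvariant()
    }

    # 1. On-prem: every user carrying SMTP proxy addresses or a mail attribute,
    #    i.e. anything AD Connect will turn into a cloud proxyAddresses value.
    $onPrem = @{}
    $users = Get-ADUser -LDAPFilter '(|(proxyAddresses=smtp:*)(mail=*))' `
        -SearchBase $SearchBase -Properties mail, proxyAddresses
    foreach ($u in $users) {
        $addresses = @($u.proxyAddresses | Where-Object { $_ -match '^smtp:' })
        if ($u.mail) { $addresses += $u.mail }
        foreach ($a in ($addresses | ForEach-Object { Normalize-Address $_ } | Sort-Object -Unique)) {
            if (-not $onPrem.ContainsKey($a)) { $onPrem[$a] = @() }
            $onPrem[$a] += $u.SamAccountName
        }
    }

    # 2. Cloud: every Guest, keyed on its external address and any SMTP proxies
    #    (the #EXT# value is the UPN, the real mailbox is ExternalEmailAddress).
    $guests = Get-MailUser -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'GuestMailUser'"
    foreach ($g in $guests) {
        $guestAddresses = @("$($g.ExternalEmailAddress)") +
            @($g.EmailAddresses | ForEach-Object { "$_" } | Where-Object { $_ -match '^smtp:' })
        foreach ($a in ($guestAddresses | ForEach-Object { Normalize-Address $_ } | Sort-Object -Unique)) {
            if ($onPrem.ContainsKey($a)) {
                [pscustomobject]@{
                    Address        = $a
                    Guest          = "$($g.PrimarySmtpAddress)"
                    OnPremAccounts = ($onPrem[$a] -join ', ')
                }
            }
        }
    }
}

# Usage: list the collisions, or pipe to Export-Csv for the clean-up step.
Get-GuestProxyAddressConflict | Format-Table -AutoSize
```

Each row names the external address, the Guest that already owns it and the on-prem sAMAccountName(s) whose mail attributes will be stripped at the next sync.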

Unable to share with external users

If the mail user exists before the Guest account, you will find that you are unable to share files or Teams with the external email address, since Azure AD cannot create the Guest account automatically. It will either offer you the mail user account with the same address, or simply fail. So you won't be able to share documents from SharePoint, OneDrive or Teams, or add the user to a Team.

Unable to create a Guest account manually

If you try to create a Guest account manually, the invitation fails if a mail user with that address already exists. This is a good way to troubleshoot the issue and see what is going on:

Strangely, if an existing mail contact (rather than a mail user) has the address, the invite succeeds. However, the Guest's proxyAddresses will be blank and the account won't work (unless you create both at the same time, which I would not advise!).

Unable to create contacts

You will also be unable to create a mail contact in Exchange Online if a mail user or Guest account already uses the address. You might try this if you wanted a Guest to show in the GAL, for instance:

Resolution

Due to the increasing prevalence of Guest accounts, which you have little control over if you want to allow guest access at all, the solution is to stop using mail users and mail contacts for external addresses altogether. However, this can cause other issues, since they were probably created for a reason, for example:

  • You want the accounts visible in the GAL, so users can easily find the external email addresses.
  • The on-prem AD user accounts belong to external users, and you want them associated with their external address. For example, accounts are sometimes created for external users so they can access legacy applications which don't support Guest account access.

Disable the mail users

Whether to allow Guest accounts to be created or simply to avoid conflicts, you need to remove the mail attributes from the on-prem users. You can do this in Exchange on-prem by disabling the mail user. Note: don't hit Delete (Remove-MailUser), which also deletes the AD user account!
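The same step scripted for a batch of accounts, as an added example that is not from the original post. It assumes the Exchange Management Shell (on-prem) with the ActiveDirectory module available; the sAMAccountNames are constructed placeholders.

```powershell
# Added example (not part of the original post): strip the mail attributes from a list
# of on-prem AD users by DISABLING (not removing) the mail user, then verify in AD.
# Assumptions: run in the on-prem Exchange Management Shell; ActiveDirectory module loaded.

$accounts = @('ext.contractor1', 'ext.contractor2')   # sAMAccountNames, constructed example

foreach ($sam in $accounts) {
    $mu = Get-MailUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $mu) {
        Write-Warning "$sam is not a mail user, skipping"
        continue
    }

    # Disable-MailUser keeps the AD account and clears mail, proxyAddresses and
    # targetAddress. Remove-MailUser would delete the AD user object as well.
    Disable-MailUser -Identity $sam -Confirm:$false

    # Verify: nothing left that AD Connect could turn into a cloud proxyAddresses value.
    $ad = Get-ADUser -Identity $sam -Properties mail, proxyAddresses, targetAddress
    if ($ad.mail -or $ad.targetAddress -or $ad.proxyAddresses.Count -gt 0) {
        Write-Warning "$sam still has mail attributes; check AD replication before syncing"
    } else {
        Write-Output "$sam cleaned: AD account retained, mail attributes removed"
    }
}
```

After AD replication, a delta sync (Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server) removes the cloud proxyAddresses and clears the sync error.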

Publish Guest accounts in the GAL

If you still want the accounts in the GAL, you can make the Guest visible using Exchange Online PowerShell:

Get-MailUser 'some.user_domain.com#EXT#@tenantname.onmicrosoft.com' | Set-MailUser -HiddenFromAddressListsEnabled $false

Or you can use the PrimarySmtpAddress (the Guest's external address) instead:

Get-MailUser 'some.user@domain.com' | Set-MailUser -HiddenFromAddressListsEnabled $false

Once you've done this, you can also add them to distribution lists using the EAC or PowerShell.

You could automate this with an Azure Automation runbook that gets all Guests and unhides them, or just run it ad hoc as required. It's a neat solution because there is only one object in Azure AD, and it disappears from the GAL if the Guest account is ever deleted.
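The bulk version, as an added example that is not from the original post. It assumes an Exchange Online session (Connect-ExchangeOnline; in a runbook, Connect-ExchangeOnline -ManagedIdentity -Organization tenantname.onmicrosoft.com). The function name and the partner domain are placeholders. One caveat worth building in: unhiding Guests publishes external addresses to every user in the tenant, so the optional domain allow-list limits it to partners you actually want in the GAL.

```powershell
# Added example (not part of the original post): unhide every Guest (or only Guests
# from an allow-listed set of domains) from the GAL. Supports -WhatIf.
# Assumptions: Connect-ExchangeOnline already run; Guests are GuestMailUser recipients.

function Publish-GuestToGal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only unhide Guests whose external address is in one of these domains.
        # Empty (the default) means every Guest.
        [string[]]$AllowedDomain = @()
    )

    $guests = Get-MailUser -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'GuestMailUser'"
    $changed = 0
    foreach ($g in $guests) {
        $external = "$($g.ExternalEmailAddress)" -replace '^smtp:', ''
        $domain   = ($external -split '@')[-1].ToLowerInvariant()

        if ($AllowedDomain.Count -gt 0 -and $domain -notin $AllowedDomain) { continue }
        if (-not $g.HiddenFromAddressListsEnabled) { continue }   # already visible, idempotent

        if ($PSCmdlet.ShouldProcess($external, 'Unhide Guest from GAL')) {
            Set-MailUser -Identity $g.Identity -HiddenFromAddressListsEnabled $false
            $changed++
        }
    }
    Write-Output "Unhid $changed guest(s)"
}

# Usage: preview first, then apply for one partner domain (placeholder domain).
Publish-GuestToGal -AllowedDomain 'partner.example' -WhatIf
Publish-GuestToGal -AllowedDomain 'partner.example'
```

Because deleted Guests no longer come back from Get-MailUser, re-running the function on a schedule only ever touches Guests that still exist, which is exactly the single-object behaviour described above.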

Moving the email address to ‘OtherMails’

You may still want the external email address associated with the AD user account, for example if an application needs an email address. After disabling the mail user, which removes all the email attributes from the account, you can't simply add the address back to the E-mail field, because Azure AD Connect derives a proxyAddresses value from the mail attribute when it syncs, which recreates the conflict. You could put it in an unrelated field such as Notes or Web page, but that isn't ideal. Instead, my preferred solution is to use the OtherMails attribute in Azure AD. The interesting thing about this attribute is that you can edit it in Azure AD even when the account is synced from AD Connect:

So, add the address there, and any applications using it can read OtherMails instead of Mail. If the application talks directly to on-prem AD, you will have to use another attribute of the on-prem AD account.
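The same edit done with Microsoft Graph PowerShell rather than the portal, as an added example that is not from the original post. It assumes the Microsoft.Graph.Users module and a session opened with Connect-MgGraph -Scopes 'User.ReadWrite.All'; the function name, UPN and address are placeholders. It preserves any OtherMails values already present and refuses to run if the address is still in the user's own proxyAddresses, which would mean the on-prem mail user has not actually been disabled yet.

```powershell
# Added example (not part of the original post): append an external address to a synced
# user's OtherMails in Azure AD without clobbering existing values. Supports -WhatIf.
# Assumptions: Microsoft.Graph.Users module; Connect-MgGraph -Scopes 'User.ReadWrite.All'.

function Add-UserOtherMail {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ExternalAddress
    )

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, Mail, ProxyAddresses, OtherMails

    # Guard: if the address is still a proxy address (or mail) on this user, the on-prem
    # mail attributes were not removed and the Guest conflict is still in play.
    $ownProxies = @($user.ProxyAddresses | ForEach-Object { $_ -replace '^smtp:', '' })
    if ($ownProxies -contains $ExternalAddress -or $user.Mail -eq $ExternalAddress) {
        throw "$ExternalAddress is still a proxy address/mail of $UserPrincipalName; disable the on-prem mail user first."
    }

    $current = @($user.OtherMails)
    if ($current -contains $ExternalAddress) {
        Write-Verbose "$ExternalAddress already present in OtherMails; nothing to do"
        return $current
    }

    $updated = $current + $ExternalAddress
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set OtherMails to [$($updated -join ', ')]")) {
        Update-MgUser -UserId $user.Id -OtherMails $updated
    }
    return $updated
}

# Usage (placeholder values):
Add-UserOtherMail -UserPrincipalName 'ext.contractor1@corp.example' -ExternalAddress 'some.user@domain.com' -Verbose
```

Applications that query Graph can then read otherMails for the external address; OtherMails is a cloud-only attribute, so nothing flows back to on-prem AD and AD Connect never generates a proxyAddresses value from it.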

Conclusion

This article discussed conflicts between mail users, mail contacts and Guest accounts and showed how to fix them. Mail users and mail contacts for external addresses cause multiple issues and should be avoided. If you must have external users in the GAL, add them as Guests and unhide the accounts.

Posted in Azure AD, Azure AD Connect, Exchange Online
