In Azure Active Directory, administrators and end users can invite external parties to access their resources through guest accounts. When a shared resource is accessed, a guest account is provisioned in the tenant that shared the resource.
Here is a sample of a guest account provisioned as the result of accessing a OneDrive sharing link.
PS C:\> Get-AzureADUser -ObjectId 2812ee91-3822-4b0e-b650-f9d57a4ac5bd | fl
ExtensionProperty : {[odata.metadata, https://graph.windows.net/f7d9d2a4-dded-4f6f-90a9-5011281137b9/$meta
data#directoryObjects/@Element], [odata.type, Microsoft.DirectoryServices.User],
[createdDateTime, 6/14/2021 2:31:01 PM], [employeeId, ]…}
DeletionTimestamp :
ObjectId : 2812ee91-3822-4b0e-b650-f9d57a4ac5bd
ObjectType : User
AccountEnabled : True
AgeGroup :
AssignedLicenses : {}
AssignedPlans : {}
City :
CompanyName :
ConsentProvidedForMinor :
Country :
CreationType :
Department :
DirSyncEnabled :
DisplayName : Timothy McMichael
FacsimileTelephoneNumber :
GivenName :
IsCompromised :
ImmutableId :
JobTitle :
LastDirSyncTime :
LegalAgeGroupClassification :
Mail : tmcmichael@domain.org
MailNickName : tmcmichael_domain.org#EXT#
Mobile :
OnPremisesSecurityIdentifier :
OtherMails : {tmcmichael@domain.org}
PasswordPolicies :
PasswordProfile : class PasswordProfile {
Password:
ForceChangePasswordNextLogin: True
EnforceChangePasswordPolicy: False
}
PhysicalDeliveryOfficeName :
PostalCode :
PreferredLanguage :
ProvisionedPlans : {}
ProvisioningErrors : {}
ProxyAddresses : {SMTP:tmcmichael@domain.org}
RefreshTokensValidFromDateTime : 6/14/2021 2:31:01 PM
ShowInAddressList : False
SignInNames : {}
SipProxyAddress :
State :
StreetAddress :
Surname :
TelephoneNumber :
UsageLocation :
UserPrincipalName : tmcmichael_domain.org#EXT#@tenant.onmicrosoft.com
UserState :
UserStateChangedOn :
UserType : Guest
When reviewing the attributes in Azure Active Directory, the mail-enabled attributes are present and populated. These include:
ProxyAddresses : {SMTP:tmcmichael@domain.org}
MailNickName : tmcmichael_domain.org#EXT#
Mail : tmcmichael@domain.org
With the mail-enabled attributes present, the forward synchronization process creates a mail-enabled contact in Exchange Online (it appears with a RecipientTypeDetails of GuestMailUser). Here is an example of the mail-enabled contact:
PS C:\> Get-Recipient 2812ee91-3822-4b0e-b650-f9d57a4ac5bd | fl
RunspaceId : 4cab3762-6d2a-4c7d-8d12-bdf8ccd840ee
Identity : tmcmichael_domain.org#EXT#
Alias : tmcmichael_domain.org#EXT#
ArchiveGuid : 00000000-0000-0000-0000-000000000000
AuthenticationType : Managed
City :
Notes :
Company :
CountryOrRegion :
PostalCode :
CustomAttribute1 :
CustomAttribute2 :
CustomAttribute3 :
CustomAttribute4 :
CustomAttribute5 :
CustomAttribute6 :
CustomAttribute7 :
CustomAttribute8 :
CustomAttribute9 :
CustomAttribute10 :
CustomAttribute11 :
CustomAttribute12 :
CustomAttribute13 :
CustomAttribute14 :
CustomAttribute15 :
ExtensionCustomAttribute1 : {}
ExtensionCustomAttribute2 : {}
ExtensionCustomAttribute3 : {}
ExtensionCustomAttribute4 : {}
ExtensionCustomAttribute5 : {}
Database :
ArchiveDatabase :
DatabaseName :
Department :
ExternalDirectoryObjectId : 2812ee91-3822-4b0e-b650-f9d57a4ac5bd
ManagedFolderMailboxPolicy :
EmailAddresses : {SMTP:tmcmichael@domain.org}
ExpansionServer :
ExternalEmailAddress : SMTP:tmcmichael@domain.org
DisplayName : Timothy McMichael
FirstName :
HiddenFromAddressListsEnabled : True
EmailAddressPolicyEnabled : False
LastName :
ResourceType :
ManagedBy : {}
Manager :
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted : True
Name : tmcmichael_domain.org#EXT#
Office :
ObjectCategory : NAMPR04A004.prod.outlook.com/Configuration/Schema/Person
OrganizationalUnit : nampr04a004.prod.outlook.com/Microsoft Exchange Hosted
Organizations/tenant.onmicrosoft.com
Phone :
PoliciesIncluded : {}
PoliciesExcluded : {{26491cfc-9e50-4857-861b-0cb8df22b5d7}}
PrimarySmtpAddress : tmcmichael@domain.org
RecipientType : MailUser
RecipientTypeDetails : GuestMailUser
SamAccountName : $RQ7JB1-DC52DJT8HKE5
ServerLegacyDN :
ServerName :
StateOrProvince :
StorageGroupName :
Title :
UMEnabled : False
UMMailboxPolicy :
UMRecipientDialPlanId :
WindowsLiveID : tmcmichael_domain.org#EXT#@tenant.onmicrosoft.com
HasActiveSyncDevicePartnership : False
AddressListMembership : {\All Recipients(VLV), \All Mail Users(VLV)}
OwaMailboxPolicy :
AddressBookPolicy :
InformationBarrierSegments : {}
SharingPolicy :
RetentionPolicy :
ShouldUseDefaultRetentionPolicy : False
MailboxMoveTargetMDB :
MailboxMoveSourceMDB :
MailboxMoveFlags : None
MailboxMoveRemoteHostName :
MailboxMoveBatchName :
MailboxMoveStatus : None
MailboxRelease :
ArchiveRelease :
IsValidSecurityPrincipal : True
LitigationHoldEnabled : False
Capabilities : {}
ArchiveState : None
SKUAssigned :
WhenMailboxCreated :
UsageLocation :
ExchangeGuid : 00000000-0000-0000-0000-000000000000
ArchiveStatus : None
SafeSendersHash :
SafeRecipientsHash :
BlockedSendersHash :
WhenSoftDeleted :
UnifiedGroupSKU :
ExchangeVersion : 1.1 (15.0.0.0)
DistinguishedName : CN=tmcmichael_domain.org\#EXT\#,OU=tenant.onmicrosoft.com,OU=Microsoft
Exchange Hosted Organizations,DC=NAMPR04A004,DC=prod,DC=outlook,DC=com
ObjectClass : {top, person, organizationalPerson, user}
WhenChanged : 6/14/2021 10:37:40 AM
WhenCreated : 6/14/2021 10:37:19 AM
WhenChangedUTC : 6/14/2021 2:37:40 PM
WhenCreatedUTC : 6/14/2021 2:37:19 PM
ExchangeObjectId : ec0d0393-c684-418f-aae3-a84b7de2af0b
OrganizationId : NAMPR04A004.prod.outlook.com/Microsoft Exchange Hosted
Organizations/tenant.onmicrosoft.com - NAMPR04A004.prod.outlook.com/Configurat
ionUnits/tenant.onmicrosoft.com/Configuration
Id : tmcmichael_domain.org#EXT#
Guid : ec0d0393-c684-418f-aae3-a84b7de2af0b
OriginatingServer : BN6PR04A04DC001.NAMPR04A004.prod.outlook.com
IsValid : True
ObjectState : Unchanged
Over time, guest users may need access to on-premises resources, or business processes may move to create mail contacts on-premises for these users. In this example we will provision a mail user for this external party to provide access to not only on-premises Active Directory resources but also Azure Active Directory resources. The object will be mail-enabled so that it appears in the global address list.
Here is an example of the mail user's attributes.
[PS] C:\>Get-MailUser TimExternal | FL
RunspaceId : 2825f621-657b-4e98-99b2-27b9d1c233a1
DeliverToMailboxAndForward : False
ExchangeGuid : 00000000-0000-0000-0000-000000000000
MailboxContainerGuid :
AggregatedMailboxGuids : {}
ArchiveGuid : 00000000-0000-0000-0000-000000000000
ArchiveName : {}
ArchiveQuota : Unlimited
ArchiveWarningQuota : Unlimited
ProhibitSendQuota : Unlimited
ProhibitSendReceiveQuota : Unlimited
IssueWarningQuota : Unlimited
ForwardingAddress :
ArchiveDatabase :
ArchiveStatus : None
DisabledArchiveDatabase :
DisabledArchiveGuid : 00000000-0000-0000-0000-000000000000
MailboxProvisioningConstraint :
MailboxRegion :
MailboxRegionLastUpdateTime :
MailboxProvisioningPreferences : {}
ExchangeUserAccountControl : None
ExternalEmailAddress : SMTP:tmcmichael@domain.org
UsePreferMessageFormat : False
JournalArchiveAddress :
MessageFormat : Mime
MessageBodyFormat : TextAndHtml
MacAttachmentFormat : BinHex
ProtocolSettings : {}
RecipientLimits : Unlimited
SamAccountName : TimExternal
UseMapiRichTextFormat : UseDefaultSettings
UserPrincipalName : TimExternal@tenant.com
WindowsLiveID :
MicrosoftOnlineServicesID :
MailboxMoveTargetMDB :
MailboxMoveSourceMDB :
MailboxMoveFlags : None
MailboxMoveRemoteHostName :
MailboxMoveBatchName :
MailboxMoveStatus : None
MailboxRelease :
ArchiveRelease :
ImmutableId :
PersistedCapabilities : {}
SKUAssigned :
ResetPasswordOnNextLogon : True
WhenMailboxCreated :
LitigationHoldEnabled : False
SingleItemRecoveryEnabled : False
ComplianceTagHoldApplied : False
DelayHoldApplied : False
RetentionHoldEnabled : False
EndDateForRetentionHold :
StartDateForRetentionHold :
RetentionComment :
RetentionUrl :
LitigationHoldDate :
LitigationHoldOwner :
RetainDeletedItemsFor : 14.00:00:00
CalendarVersionStoreDisabled : False
UsageLocation :
MailboxLocations : {}
IsSoftDeletedByRemove : False
IsSoftDeletedByDisable : False
WhenSoftDeleted :
InPlaceHolds : {}
RecoverableItemsQuota : Unlimited
RecoverableItemsWarningQuota : Unlimited
UserCertificate : {}
UserSMimeCertificate : {}
AccountDisabled : False
StsRefreshTokensValidFrom :
DataEncryptionPolicy :
OtherMail :
GuestInfo :
Extensions : {}
HasPicture : False
HasSpokenName : False
IsDirSynced : False
AcceptMessagesOnlyFrom : {}
AcceptMessagesOnlyFromDLMembers : {}
AcceptMessagesOnlyFromSendersOrMembers : {}
AddressListMembership : {\All Mail Users(VLV), \All Recipients(VLV), \Default Global Address List,
\All Users}
AdministrativeUnits : {}
Alias : TimExternal
ArbitrationMailbox :
BypassModerationFromSendersOrMembers : {}
OrganizationalUnit : home.tenant.com/tenant Objects/Users
CustomAttribute1 :
CustomAttribute10 :
CustomAttribute11 :
CustomAttribute12 :
CustomAttribute13 :
CustomAttribute14 :
CustomAttribute15 :
CustomAttribute2 :
CustomAttribute3 :
CustomAttribute4 :
CustomAttribute5 :
CustomAttribute6 :
CustomAttribute7 :
CustomAttribute8 :
CustomAttribute9 :
ExtensionCustomAttribute1 : {}
ExtensionCustomAttribute2 : {}
ExtensionCustomAttribute3 : {}
ExtensionCustomAttribute4 : {}
ExtensionCustomAttribute5 : {}
DisplayName : Tim McMichael (External)
EmailAddresses : {smtp:TimExternal@tenant.mail.onmicrosoft.com,
smtp:TimExternal@tenant.com, SMTP:tmcmichael@domain.org}
GrantSendOnBehalfTo : {}
ExternalDirectoryObjectId :
HiddenFromAddressListsEnabled : False
LastExchangeChangedTime :
LegacyExchangeDN : /o=tenant Home/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Recipients/cn=be4631edc3bf4500986d9811e33d368c-Tim McM
MaxSendSize : Unlimited
MaxReceiveSize : Unlimited
ModeratedBy : {}
ModerationEnabled : False
PoliciesIncluded : {11c1f0d3-7114-4275-ab8b-fc0db18d2164, {26491cfc-9e50-4857-861b-0cb8df22b5d7}}
PoliciesExcluded : {}
EmailAddressPolicyEnabled : True
PrimarySmtpAddress : tmcmichael@domain.org
RecipientType : MailUser
RecipientTypeDetails : MailUser
RejectMessagesFrom : {}
RejectMessagesFromDLMembers : {}
RejectMessagesFromSendersOrMembers : {}
RequireSenderAuthenticationEnabled : False
SimpleDisplayName :
SendModerationNotifications : Always
UMDtmfMap : {emailAddress:8626424235, lastNameFirstName:62642423539837625846,
firstNameLastName:84662642423539837625}
WindowsEmailAddress : tmcmichael@domain.org
MailTip :
MailTipTranslations : {}
Identity : home.tenant.com/tenant Objects/Users/Tim McMichael (External)
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : Tim McMichael (External)
DistinguishedName : CN=Tim McMichael (External),OU=Users,OU=tenant
Objects,DC=home,DC=tenant,DC=com
Guid : c39606b7-ef2d-45c4-a877-869454b686fa
ObjectCategory : home.tenant.com/Configuration/Schema/Person
ObjectClass : {top, person, organizationalPerson, user}
WhenChanged : 6/14/2021 2:56:38 PM
WhenCreated : 6/14/2021 2:56:19 PM
WhenChangedUTC : 6/14/2021 2:56:38 PM
WhenCreatedUTC : 6/14/2021 2:56:19 PM
OrganizationId :
Id : home.tenant.com/tenant Objects/Users/Tim McMichael (External)
OriginatingServer : Azure-DC-0.home.tenant.com
ObjectState : Changed
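The two outputs above show the same external SMTP address (SMTP:tmcmichael@domain.org) stamped on two different objects: the GuestMailUser that Exchange Online created for the guest, and the on-premises mail user. The following function is an added example, not code from the original post, that checks Azure AD and Exchange Online for an existing owner of an external address before that address is assigned to an on-premises mail user. It assumes the AzureAD and ExchangeOnlineManagement modules are loaded and Connect-AzureAD / Connect-ExchangeOnline have already been run; the function name, parameter names and the OData/OPATH filter strings are my own choices.

```powershell
# Added example (not part of the original post). Before creating an on-premises
# mail user for an external party, check whether Azure AD or Exchange Online
# already holds an object that claims the external SMTP address.
# Assumes: Connect-AzureAD and Connect-ExchangeOnline have been run.
function Find-ExternalAddressCollision {
    [CmdletBinding()]
    param(
        # External SMTP address(es) you intend to stamp on an on-premises mail user.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ExternalAddress
    )
    process {
        foreach ($address in $ExternalAddress) {
            # Exchange Online recipient that already owns this proxy address.
            # OPATH EmailAddresses filters expect the "smtp:" prefix; the match
            # is case-insensitive (assumption: this filter syntax is accepted).
            $recipient = Get-Recipient -Filter "EmailAddresses -eq 'smtp:$address'" `
                                       -ErrorAction SilentlyContinue

            # Azure AD guest whose Mail attribute is the external address.
            $guest = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$address'" `
                                     -ErrorAction SilentlyContinue

            # One report row per address; Collision is the value to branch on
            # before running Enable-MailUser / New-MailUser on-premises.
            [pscustomobject]@{
                ExternalAddress        = $address
                Collision              = [bool]($recipient -or $guest)
                RecipientIdentity      = $recipient.Identity
                RecipientTypeDetails   = $recipient.RecipientTypeDetails   # e.g. GuestMailUser
                GuestObjectId          = $guest.ObjectId
                GuestUserPrincipalName = $guest.UserPrincipalName
            }
        }
    }
}

# Usage (constructed sample input matching the post's example address):
# 'tmcmichael@domain.org' | Find-ExternalAddressCollision | Format-List
```

A Collision of True means the on-premises mail user will hit the Exchange Online provisioning error shown below the moment Azure AD Connect synchronizes it, so the decision about which object survives can be made before the mail user is created rather than after the sync fails.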
Azure AD Connect is responsible for replicating the new mail user from on-premises Active Directory to Azure Active Directory. Even when that synchronization succeeds, the following provisioning error may be noted on the synchronized object.
PS C:\> (Get-AzureADUser -SearchString timexternal@tenant.com).provisioningErrors | fl
ErrorDetail : <ServiceInstance Name="exchange/NAMPRD04-001-01"
xmlns="http://schemas.microsoft.com/online/error/2010/07">
<ObjectErrors>
<ErrorRecord>
<ErrorCode>ExFEBFF0</ErrorCode>
<ErrorParameters>
<ErrorParameter>Enable-MailUser</ErrorParameter>
</ErrorParameters>
<ErrorDescription>The execution of cmdlet Enable-MailUser failed.</ErrorDescription>
</ErrorRecord>
<ErrorRecord>
<ErrorCode>Ex1472D1</ErrorCode>
<ErrorParameters />
<ErrorDescription>The proxy address "SMTP:tmcmichael@domain.org" is already being used by the
proxy addresses or LegacyExchangeDN of "tmcmichael_domain.org#EXT#". Please choose another proxy
address.</ErrorDescription>
</ErrorRecord>
</ObjectErrors>
<LinkErrors />
</ServiceInstance>
Resolved : false
Service : exchange
Timestamp : 6/14/2021 3:02:39 PM
As the error indicates, the proxy address assigned to the mail user on-premises now collides with the proxy address of the guest account in Azure AD.
To resolve this issue we must decide which of the two objects will be removed. In most cases the guest account is removed so that the full provisioning process may occur for the mail user synchronized from on-premises.
Remove-AzureADUser -ObjectId 2812ee91-3822-4b0e-b650-f9d57a4ac5bd
Once the object with the duplicate attributes is removed, a reprovision of the synchronized object can be triggered. This forces the object to be re-evaluated.
Redo-MsolProvisionUser -ObjectId (Get-MsolUser -UserPrincipalName onPremUPN).objectid
When completed, the administrator may validate that the provisioning errors are cleared by running the following command and verifying that no errors are returned.
(Get-AzureADUser -SearchString onPremUPN).provisioningErrors | fl
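The three manual steps above (remove the guest, reprovision, verify) can be tied to the error record itself so that nothing is removed unless the provisioning error really is the Ex1472D1 proxy-address collision and the owning object really is a guest. The function below is an added example, not code from the original post: it parses the ErrorDetail XML shown above, resolves the named owner through Exchange Online, and removes it only under -Confirm/-WhatIf control. It assumes Connect-AzureAD, Connect-ExchangeOnline and Connect-MsolService have been run; the function name, parameters and the regular expression over ErrorDescription are my own.

```powershell
# Added example (not part of the original post). Parse the Exchange Online
# provisioning error on a synced user, confirm it is the Ex1472D1 proxy-address
# collision, remove the colliding guest, reprovision and re-check.
# Assumes: Connect-AzureAD, Connect-ExchangeOnline, Connect-MsolService run.
function Resolve-GuestProxyAddressCollision {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UPN of the on-premises mail user as it appears in Azure AD.
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    $syncedUser = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $syncedUser.ProvisioningErrors) {
        Write-Verbose "No provisioning errors on $UserPrincipalName"
        return
    }

    foreach ($provError in $syncedUser.ProvisioningErrors) {
        # ErrorDetail is the XML document shown in the post; cast it so the
        # records can be walked as objects instead of matched as free text.
        [xml]$detail = $provError.ErrorDetail
        $collision = $detail.ServiceInstance.ObjectErrors.ErrorRecord |
            Where-Object { $_.ErrorCode -eq 'Ex1472D1' } |
            Select-Object -First 1
        if (-not $collision) { continue }

        # Pull the proxy address and the owning object out of the description:
        #   The proxy address "SMTP:x@y" is already being used by the proxy
        #   addresses or LegacyExchangeDN of "name". Please choose another ...
        $pattern = '(?s)proxy address "(?<proxy>[^"]+)".*of "(?<owner>[^"]+)"'
        if ($collision.ErrorDescription -notmatch $pattern) {
            Write-Warning "Could not parse: $($collision.ErrorDescription)"
            continue
        }
        $proxy     = $Matches.proxy
        $ownerName = $Matches.owner

        # Resolve the owner through Exchange Online; the recipient carries the
        # Azure AD ObjectId in ExternalDirectoryObjectId (see the post's output).
        $owner = Get-Recipient -Identity $ownerName -ErrorAction SilentlyContinue
        if (-not $owner) { Write-Warning "Recipient '$ownerName' not found"; continue }

        $guest = Get-AzureADUser -ObjectId $owner.ExternalDirectoryObjectId
        # Only remove an object that really is a guest and really holds the
        # address; anything else (a member user, a shared mailbox) needs a
        # human decision rather than an automatic delete.
        if ($guest.UserType -ne 'Guest' -or ($guest.ProxyAddresses -notcontains $proxy)) {
            Write-Warning "'$ownerName' is UserType '$($guest.UserType)'; not removed"
            continue
        }

        if ($PSCmdlet.ShouldProcess($guest.UserPrincipalName, "Remove guest holding $proxy")) {
            Remove-AzureADUser -ObjectId $guest.ObjectId
            # Trigger re-evaluation of the synced object, as in the post.
            Redo-MsolProvisionUser -ObjectId (Get-MsolUser -UserPrincipalName $UserPrincipalName).ObjectId
        }
    }

    # Re-read the object; the errors clear once reprovisioning has completed,
    # which may take a little time after Redo-MsolProvisionUser returns.
    (Get-AzureADUser -ObjectId $UserPrincipalName).ProvisioningErrors
}

# Usage (dry run first, then without -WhatIf):
# Resolve-GuestProxyAddressCollision -UserPrincipalName 'TimExternal@tenant.com' -WhatIf
```

Running with -WhatIf first shows exactly which guest would be removed and for which proxy address, which is the record worth keeping alongside the change ticket: deleting a guest also removes any group memberships and sharing grants that guest had, so the owner of the shared resource should be told before the object goes.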