During an Office 365 migration (cutover migration in this case) you may encounter an error message on one or more of the users that is automatically provisioned for you in the cloud:
ProvisioningFailedException: Failed to update one of the recipient properties.
Unfortunately the error message and report give no further details about exactly which recipient property failed to update. And some searches online also turned up no specific information about this error.
However, on inspection of the properties of the failed users I noticed that they had some issues. For example, the list of send on behalf permissions for the mailbox included disabled user accounts for people who were no longer working for the company. In other cases it was the Manager field that contained an invalid user.
These are fields that need to be cleaned up as part of the preparation for a migration. To help identity stale delegate and manager entries I’ve created two PowerShell scripts:
After clearing up these invalid entries I was then able to stop and restart the migration batch, and the users were provisioned successfully on the next attempt.
Can someone put how to clean up these delegates? I am doing an exchange migration and I cant seem to get these stale delegates cleaned up.
Hi Keith, sorry I didn’t got the notification about your comment.
Here’s part of my code I use to export list of user’s ActiveSync devices (each file for each user)
# $user variable contains “get-mailbox user” output.
# get list of user mobile devices
$ActiveSyncDevices = Get-MobileDevice -Mailbox $user.primarysmtpaddress
#create a log file to store user device information
# $logfile_devices_path contains path like “\\server\share\activesyncdevices\”
#here you create a path for a certain file for each user
$logfile_devices = $logfile_devices_path + $user.DisplayName + ‘(‘ + $user.email + ‘)’ +’_activesync_devices.txt’
#write devices to log
get-date -Format f | Out-File $logfile_devices -Append
$ActiveSyncDevices | Out-File $logfile_devices -Append -width 200
# remove all devices from user’s mailbox (to remove access tokens immidiatelly, it’s important)
Get-MobileDevice -Mailbox $user.primarysmtpaddress | Remove-MobileDevice -Confirm:$false
Many thanks Paul always helps me out during migrations
Paul, thanks for you script. It’s very helpful. Your script identified the stale delegates, but how do I go about deleting them? Maybe I’m looking in the wrong place, but I couldn’t find them in the Exchange 2010 Management Console
Hi, when i execute StaleManagers.ps1 I get the error “Get-Recipient: The term ‘Get-Recipient’ is not recognized as the name of a cmdlet, function, script file…”
Clues?
Are you running it in the Exchange Management Shell?
Great script Paul!
You are an IT rockstar!!! π
I’ve been checking these properties manually when having problem. Now I just run them Before cutover instead. Great.
BR Jesper
Dear Pual
i got this error in hybird cloud with ADFS & SSO enabled. All users migrated successfully, just 4 to five users migration speed is really slow, also prompt for below error.
MigrationTransientException: Failed to communicate with the mailbox database. –> Failed to communicate with the mailbox database. –> MapiExceptionMdbOffline:
Hi Paul
Many thanks for the script, I was confused when it passed as ‘OK’ my users having this problem though – it turned out they were existent, but ‘hidden from exchange address list’
It may be useful to update the script to check for the hidden attribute.
Cheers Richard
Hi Paul.
I think it’s a good idea to do a deep cleanup of user accounts, when people leave the company and you disable them.
I have a script that exports to a file and cleans their sendAs /FullAccess / Read Permission, active-sync devices and active directory groups.
If some employee will return to company, in most of situations it is the best to assing permissions again (if they will need it) rather than user will gain access to something he shouldn’t (and it will be your fault).
I can share this scripts π
p.s. I also plan to add calendar permissions cleanup , but there were some buggy issuies )
Can you share the script that exports this to a file?
Kieth, it’s the second part for you.
The same way you can export you AD groups for a user or permissions.
There are 2 ways to check it:
1. run check permissions on all mailboxes where they are granted to certain user
Get-mailbox -resultsize unlimited | get-mailboxpermissions | ? user -eq ‘username’
(check syntax, I writing from my head)
2. check user’s “publicDelegateBL” attribute.
Like (get-aduser “user” -properties publicDelegateBL ).publicDelegateBL
This way you should see an array or mailboxes to which account has full access