During an Office 365 migration (cutover migration in this case) you may encounter an error message on one or more of the users that is automatically provisioned for you in the cloud:

ProvisioningFailedException: Failed to update one of the recipient properties.


Unfortunately the error message and report give no further details about exactly which recipient property failed to update. And some searches online also turned up no specific information about this error.

However, on inspection of the properties of the failed users I noticed that they had some issues. For example, the list of send on behalf permissions for the mailbox included disabled user accounts for people who were no longer working for the company. In other cases it was the Manager field that contained an invalid user.

These are fields that need to be cleaned up as part of the preparation for a migration. To help identity stale delegate and manager entries I’ve created two PowerShell scripts:

After clearing up these invalid entries I was then able to stop and restart the migration batch, and the users were provisioned successfully on the next attempt.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


  1. Tom

    Can someone put how to clean up these delegates? I am doing an exchange migration and I cant seem to get these stale delegates cleaned up.

  2. Ilya Kutsev

    Hi Keith, sorry I didn’t got the notification about your comment.

    Here’s part of my code I use to export list of user’s ActiveSync devices (each file for each user)

    # $user variable contains “get-mailbox user” output.

    # get list of user mobile devices
    $ActiveSyncDevices = Get-MobileDevice -Mailbox $user.primarysmtpaddress

    #create a log file to store user device information
    # $logfile_devices_path contains path like “\\server\share\activesyncdevices\”

    #here you create a path for a certain file for each user
    $logfile_devices = $logfile_devices_path + $user.DisplayName + ‘(‘ + $user.email + ‘)’ +’_activesync_devices.txt’

    #write devices to log
    get-date -Format f | Out-File $logfile_devices -Append
    $ActiveSyncDevices | Out-File $logfile_devices -Append -width 200

    # remove all devices from user’s mailbox (to remove access tokens immidiatelly, it’s important)
    Get-MobileDevice -Mailbox $user.primarysmtpaddress | Remove-MobileDevice -Confirm:$false

  3. James Wilson

    Many thanks Paul always helps me out during migrations

  4. Marc Meyer

    Paul, thanks for you script. It’s very helpful. Your script identified the stale delegates, but how do I go about deleting them? Maybe I’m looking in the wrong place, but I couldn’t find them in the Exchange 2010 Management Console

  5. CS

    Hi, when i execute StaleManagers.ps1 I get the error “Get-Recipient: The term ‘Get-Recipient’ is not recognized as the name of a cmdlet, function, script file…”


  6. Jesper

    Great script Paul!
    You are an IT rockstar!!! 🙂

    I’ve been checking these properties manually when having problem. Now I just run them Before cutover instead. Great.

    BR Jesper

  7. Yasir

    Dear Pual
    i got this error in hybird cloud with ADFS & SSO enabled. All users migrated successfully, just 4 to five users migration speed is really slow, also prompt for below error.

    MigrationTransientException: Failed to communicate with the mailbox database. –> Failed to communicate with the mailbox database. –> MapiExceptionMdbOffline:

  8. Richard Stevens

    Hi Paul

    Many thanks for the script, I was confused when it passed as ‘OK’ my users having this problem though – it turned out they were existent, but ‘hidden from exchange address list’

    It may be useful to update the script to check for the hidden attribute.

    Cheers Richard

  9. Ilya Kutsev

    Hi Paul.
    I think it’s a good idea to do a deep cleanup of user accounts, when people leave the company and you disable them.

    I have a script that exports to a file and cleans their sendAs /FullAccess / Read Permission, active-sync devices and active directory groups.

    If some employee will return to company, in most of situations it is the best to assing permissions again (if they will need it) rather than user will gain access to something he shouldn’t (and it will be your fault).

    I can share this scripts 🙂

    1. Ilya Kutsev

      p.s. I also plan to add calendar permissions cleanup , but there were some buggy issuies )

    2. Keith

      Can you share the script that exports this to a file?

      1. Ilya Kutsev

        Kieth, it’s the second part for you.

        The same way you can export you AD groups for a user or permissions.

        There are 2 ways to check it:
        1. run check permissions on all mailboxes where they are granted to certain user
        Get-mailbox -resultsize unlimited | get-mailboxpermissions | ? user -eq ‘username’
        (check syntax, I writing from my head)
        2. check user’s “publicDelegateBL” attribute.
        Like (get-aduser “user” -properties publicDelegateBL ).publicDelegateBL
        This way you should see an array or mailboxes to which account has full access

Leave a Reply