Send As: “You can’t use the domain because it’s not an accepted domain for your organization”

Issue

Send As permissions cannot be applied to mailboxes migrated to Office 365.

When applying permissions through the Office 365 Exchange Admin center, the following error occurs:

[Screenshot: DomainNotValid]

The same happens when applying permissions through PowerShell:

Add-RecipientPermission -Identity SteveTest4@x500.co.uk -AccessRights SendAs -Trustee SteveTest1@x500.co.uk

You can’t use the domain because it’s not an accepted domain for your organization.
+ CategoryInfo : NotSpecified: (:) [Add-RecipientPermission], NotAcceptedDomainException
+ FullyQualifiedErrorId : [Server=CWLP265MB0082,RequestId=18a85eb6-4b33-401c-86d7-a98b38d6704e,TimeStamp=03/04/2018 11:02:15] [FailureCategory=Cmdlet-NotAcceptedDomainException] B1DA05D,Microsoft.Exchange.Management.RecipientPermission.AddRecipientPermission
+ PSComputerName : outlook.office365.com

Investigation

Full Access permissions can be applied successfully.

The cause of the issue is quite clear from the error message: looking at a mailbox migrated to Office 365, there is an SMTP address present for a domain that is not an accepted domain (here it’s x500.local, the internal AD domain name).

[Screenshot: DomainNotValid_EmailAddresses]

There are three accepted domains (x500.co.uk, x500.onmicrosoft.com, and x500.mail.onmicrosoft.com), so the x500.local address needs to be removed from the mailbox.
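Rather than opening each migrated mailbox one at a time, the same check can be run across the whole tenant. The script below is an added example, not part of the original post: it runs in an Exchange Online PowerShell session (it assumes you have already connected, for example with Connect-ExchangeOnline), builds the list of accepted domains with Get-AcceptedDomain, and reports every SMTP proxy address whose domain is not in that list. The IsDirSynced column tells you whether the fix has to be made on-premises.

```powershell
# Added example (not from the original post): find mailboxes in Exchange Online that carry an
# SMTP proxy address in a domain that is not an accepted domain for the tenant.
# Assumes an Exchange Online PowerShell session is already connected.

# Lookup table of accepted domains (in the post's tenant: x500.co.uk, x500.onmicrosoft.com,
# x500.mail.onmicrosoft.com). Lower-cased so the comparison is case-insensitive.
$accepted = @{}
Get-AcceptedDomain | ForEach-Object { $accepted[$_.DomainName.ToString().ToLower()] = $true }

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($addr in $mbx.EmailAddresses) {
        $s = [string]$addr
        # Only SMTP addresses are subject to the accepted-domain check; skip X500, SIP and other types.
        # -match is case-insensitive, so both "SMTP:" (primary) and "smtp:" (secondary) are caught.
        if ($s -notmatch '^smtp:') { continue }
        $domain = ($s -split '@')[-1].ToLower()
        if (-not $accepted.ContainsKey($domain)) {
            [pscustomobject]@{
                Mailbox        = $mbx.PrimarySmtpAddress
                InvalidAddress = $s
                Domain         = $domain
                DirSynced      = $mbx.IsDirSynced   # $true: remove the address on-premises, not in Office 365
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Any mailbox listed with DirSynced set to $true will give the WriteScope error if you try to edit it in the Office 365 admin center; those are the ones to fix at source, as described in the resolution.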

Resolution

AD objects are synchronised from local AD to Azure AD using Azure AD Connect (see here for the Azure AD Connect config), so the object needs to be modified at source.

If you attempt to remove the address through the Office 365 Exchange Admin center, you’ll get the following error:

[Screenshot: WriteScope]

The operation on mailbox “Steve Test4” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘EmailAddresses’, can’t be performed on the object ‘Steve Test4’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Using the Exchange 2007 Management Console, remove the invalid address and wait for Azure AD Connect to synchronise the change from local AD to Azure AD (every 30 minutes by default).

[Screenshot: MbxProperties2k7]

After 30 minutes, review the mailbox in the Office 365 Exchange Admin center; once the address no longer shows, Send As permissions can be applied. Sorted!
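The same resolution can be scripted, which is handy when more than one mailbox is affected. The following is an added example, not the post’s own commands: step 1 runs in the on-premises Exchange Management Shell (the filter-and-write-back approach works on Exchange 2007 as well as later versions), step 2 runs on the Azure AD Connect server to avoid waiting for the scheduled sync, and step 3 runs in an Exchange Online PowerShell session. The mailbox, trustee and domain values are the ones from the post; the on-premises server itself is not named in the post, and the email address policy check is an assumption about how the x500.local address got there.

```powershell
# Added example (not from the original post). Three steps on three different systems.

$identity  = 'SteveTest4@x500.co.uk'   # mailbox from the post
$trustee   = 'SteveTest1@x500.co.uk'   # Send As trustee from the post
$badDomain = 'x500.local'              # internal AD domain, not an accepted domain in Office 365

# --- Step 1: on-premises Exchange Management Shell ---
$mbx = Get-Mailbox -Identity $identity

# If an email address policy stamps @x500.local addresses, removing one by hand will not stick;
# the policy (or the mailbox's EmailAddressPolicyEnabled flag) has to change as well.
if ($mbx.EmailAddressPolicyEnabled) {
    Write-Warning "EmailAddressPolicyEnabled is true on $identity; check Get-EmailAddressPolicy for a $badDomain template."
}

# Keep every proxy address except SMTP addresses in the non-accepted domain.
$kept = @($mbx.EmailAddresses | Where-Object {
    $s = [string]$_
    -not ($s -match '^smtp:' -and (($s -split '@')[-1] -ieq $badDomain))
})

if ($kept.Count -eq $mbx.EmailAddresses.Count) {
    Write-Host "No $badDomain address found on $identity"
} else {
    Set-Mailbox -Identity $identity -EmailAddresses $kept
}

# --- Step 2: Azure AD Connect server (optional; otherwise wait for the 30-minute scheduled sync) ---
Start-ADSyncSyncCycle -PolicyType Delta

# --- Step 3: Exchange Online PowerShell, once the change has synchronised ---
$cloud = Get-Mailbox -Identity $identity
$stillThere = $cloud.EmailAddresses | Where-Object { ([string]$_) -match "@$([regex]::Escape($badDomain))$" }

if ($stillThere) {
    Write-Host "$badDomain address still present on $identity in Exchange Online; wait for the next sync."
} else {
    Add-RecipientPermission -Identity $identity -AccessRights SendAs -Trustee $trustee -Confirm:$false
}
```

The check in step 3 is the same one the post does by eye in the admin center: Add-RecipientPermission is only attempted once the x500.local address has actually disappeared from the cloud copy of the mailbox, so the NotAcceptedDomainException cannot recur.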

 
