Invalid Email Addresses Adding Mailbox Permissions

Unable To Add Mailbox Permissions

I was recently with a customer who was attempting to add Full Access or Send As permissions on a mailbox in Exchange Online. When saving, they received the error: “You can’t use this domain because it’s not an accepted domain for your organization”. The error message pointed right at the problem: invalid email addresses on the mailbox. What was curious was that adding mailbox permissions was how the issue manifested, rather than anything to do with the addresses themselves.

The issue was seen on a significant number of mailboxes and was reported as intermittent. However, it turned out that only certain mailboxes had the issue, which explained the apparent intermittency. The original source of the issue was not completely understood.

The Underlying Cause

Once I checked the email addresses on an affected mailbox, there were proxy addresses for domains which were no longer accepted domains in Exchange Online.

I suspect the domain was removed from Azure Active Directory. This was forward synced to Exchange Online, where the accepted domain was also removed. The removal left orphaned email addresses on the mailboxes for a domain that is no longer an accepted domain, and Exchange Online validates every address on the object when it is next saved, including a save triggered by a permission change.

Interestingly enough, when I tried to reproduce this issue from the Office 365 admin portal, the Azure admin portal or the Exchange admin center, every tool stopped me from removing a domain that still had dependencies (recipient email addresses). So the domain removal path that produced this state is still unclear.

How was it fixed?

The solution to the issue was to remove from the mailboxes the email addresses which are no longer on a valid accepted domain.

Note that if the accounts are synchronized from on-premises Active Directory, the email addresses will need to be removed in Exchange on-premises (proxyAddresses on a synced object is mastered on-premises, and Exchange Online will refuse to change it) and will reach the cloud with the next delta sync from Azure AD Connect.

Ideally use the remove key of -EmailAddresses so the other addresses are left intact, for example Set-RemoteMailbox <identity> -EmailAddresses @{remove="<address on the removed domain>"} for synced accounts, or the same syntax with Set-Mailbox for cloud-only mailboxes.
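As an added example (not code from the original post), the following script puts the fix above into one place for both cases: it looks up the accepted domains, finds the smtp: proxy addresses on one recipient whose domain is not accepted, and removes them with the remove key, using Set-RemoteMailbox when run on-premises and Set-Mailbox when run against Exchange Online. It assumes a connected Exchange Online session (Connect-ExchangeOnline) or an on-premises Exchange Management Shell; the script name Remove-InvalidProxyAddresses.ps1, the -OnPremises and -DryRun switches and the identity passed in are all assumptions for illustration.

```powershell
# Remove-InvalidProxyAddresses.ps1 (added example, not from the original post).
# Removes proxy addresses on one recipient whose domain is no longer an accepted domain.
# Assumes a connected Exchange Online session (Connect-ExchangeOnline) for cloud-only
# mailboxes, or the on-premises Exchange Management Shell with -OnPremises for accounts
# mastered in AD and synced by Azure AD Connect. Run with -DryRun first.
param(
    [Parameter(Mandatory)] [string] $Identity,   # placeholder; any mailbox identity
    [switch] $OnPremises,                        # use Get-/Set-RemoteMailbox instead of Get-/Set-Mailbox
    [switch] $DryRun                             # pass -WhatIf to the Set- cmdlet
)

# Accepted domains keyed by DomainName (Name is only a display label), case-insensitive.
$Accepted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-AcceptedDomain | ForEach-Object { [void]$Accepted.Add($_.DomainName.ToString()) }

$Recipient = if ($OnPremises) { Get-RemoteMailbox -Identity $Identity } else { Get-Mailbox -Identity $Identity }

$ToRemove = @()
foreach ($Proxy in $Recipient.EmailAddresses) {
    $Address = $Proxy.ToString()
    # Only smtp: proxies carry a routable domain; X500:, SPO:, SIP: and X400: are left alone.
    # -match is case-insensitive, so this covers both the primary (SMTP:) and secondary (smtp:) forms.
    if ($Address -notmatch '^smtp:') { continue }
    $Domain = ($Address -split '@')[-1]
    if ($Accepted.Contains($Domain)) { continue }
    # The primary address (uppercase SMTP:) cannot simply be removed; it must be replaced first,
    # so report it and leave it for the admin to set a new -PrimarySmtpAddress.
    if ($Address -cmatch '^SMTP:') {
        Write-Warning "Primary address $Address is on a removed domain; set a new primary before removing it."
        continue
    }
    $ToRemove += $Address
}

if ($ToRemove.Count -eq 0) {
    Write-Host "No removable invalid addresses on $Identity."
    return
}

Write-Host "Removing from $($Identity): $($ToRemove -join ', ')"
# The remove key strips only the listed proxies and leaves every other address intact.
$Change = @{ remove = $ToRemove }
if ($OnPremises) {
    # The change reaches Exchange Online on the next Azure AD Connect delta sync.
    Set-RemoteMailbox -Identity $Identity -EmailAddresses $Change -WhatIf:$DryRun
} else {
    Set-Mailbox -Identity $Identity -EmailAddresses $Change -WhatIf:$DryRun
}
```

Run it once with -DryRun to see the -WhatIf output, then again without. The primary-address guard matters: if the address on the removed domain is the primary SMTP address, Exchange rejects a plain remove, and the right fix is to set a new primary on an accepted domain and then remove the old one.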

Script to discover invalid email addresses

The script below will find all the mailboxes with invalid email addresses, as described in the scenario above. The results are saved in an output file under c:\temp\Get-InvalidEmailAddresses\.

Presuming there are invalid email addresses in the environment, the script will throw warnings. This is what you want to see when identifying the email addresses which are not on an accepted domain. No warnings means you have fixed all the email addresses.

Review the file created; it lists each account / mailbox which has the issue along with the email addresses which are the problem.

Note the script does not run any Set- cmdlets, only Get- cmdlets. The script only identifies the accounts with this issue; it does not attempt to fix them.

############################################################
# Find-InvalidEmailAddresses.ps1
#
# Script to find email addresses on recipient objects which are not on accepted domains in the organisation.
# Scenario suspected to have come about by removing domains from the tenant, possibly in Azure AD, which is synced to EXO.
#
# The easiest way to reproduce the scenario in a lab is to create a mail user object with an email address
# not on an accepted domain. Email addresses are only validated against accepted domains on mailbox objects.
#
# Requires a connected Exchange Online PowerShell session (Connect-ExchangeOnline). Read-only: Get- cmdlets only.
############################################################

# Output file. HH is a 24-hour clock; hh would produce the same timestamp for AM and PM.
$OutputPath = "c:\temp\Get-InvalidEmailAddresses"
If (!(Test-Path $OutputPath)) { New-Item -ItemType Directory -Force -Path $OutputPath | Out-Null }
$OutputFile = "$OutputPath\Find-InvalidEmailAddresses-$(Get-Date -Format yyyy.MM.dd_HH.mm.ss).txt"

# 1. Get accepted domains.
#    Compare on DomainName, not Name: Name is a display label and does not have to equal the domain.
#    A case-insensitive HashSet gives an O(1) lookup per address instead of re-walking the list each time.
#    This is an exact match; an accepted domain configured with MatchSubDomains would need a suffix check.
$AcceptedDomains = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-AcceptedDomain | ForEach-Object { [void]$AcceptedDomains.Add($_.DomainName.ToString()) }

# 2. Get all recipient objects. @() keeps .Count correct when only one object comes back.
$Recipients = @(Get-Mailbox -ResultSize Unlimited | Select-Object -Property DisplayName,Identity,EmailAddresses,ExternalEmailAddress)
# To check mail users instead (the lab reproduction case), swap in:
#$Recipients = @(Get-Recipient -RecipientTypeDetails MailUser -ResultSize Unlimited | Select-Object -Property DisplayName,Identity,EmailAddresses,ExternalEmailAddress)

# 3. Loop through each recipient and report email addresses whose domain is not in the accepted domain list.

# Reset recipient counter.
$Count = 0
ForEach ($Recipient in $Recipients) {
    $Count++
    # Output to screen what is being checked.
    Write-Host "Checking: $Count of $($Recipients.Count) - $($Recipient.Identity)"
    # Loop through each email address on the recipient.
    ForEach ($EmailAddress in $Recipient.EmailAddresses) {
        # Proxy addresses come back as strings such as "SMTP:user@contoso.com"; normalise in case a ProxyAddress object is returned.
        $Address = $EmailAddress.ToString()
        # Exclude X500 and SPO addresses, and anything without an @: they carry no domain name, so there is nothing to validate.
        if ($Address -match '^(X500|SPO):' -or $Address -notlike '*@*') { continue }
        # Skip the external address of mail users/contacts, which is legitimately on a foreign domain.
        if ($Address -eq [string]$Recipient.ExternalEmailAddress) { continue }
        # Get the domain from the email address (text after the last @).
        $EmailAddressDomain = ($Address -split '@')[-1]
        # Report when the domain is not an accepted domain.
        if (-not $AcceptedDomains.Contains($EmailAddressDomain)) {
            # Output to screen on an invalid email address found.
            Write-Warning "$Address not found on an Accepted Domain."
            # Write the recipient and the offending address to the output file.
            Add-Content $OutputFile "$($Recipient.DisplayName) $Address"
        }
    }
}
