Synopsis: Due to Microsoft changes to their EXO module (which introduced a bug), new users are not getting information from newly made Add2Exchange relationships because the permissions script is not being applied automatically. Microsoft was slated to release an EXO fix but has not done so as of 1.24.2025.

Severity: This is not critical for normal sync operation, only for onboarding new users. Offboarding is not affected. The new Enterprise Edition has several fixes and enhancements and is required to stay in Band.

Applies to: Office 365 and Hybrid users for onboarding. The new Enterprise Edition applies to all installations.

RESOLUTION

You have several options and special considerations available to resolve this issue. The simplest way is to upgrade to the latest edition of Add2Exchange and run the specified PowerShell script to resolve the onboarding issues. Test by running the scheduled permissions task and looking for a 10000 Event ID in the Add2Exchange Log when complete. A 10001 error indicates a failure to upgrade or failure to downgrade the EXO module to a supported band. Note that automatic permissions may not apply to all installations.

Update 1.23.25: Upgrade Add2Exchange Enterprise Edition and run the EXO Module Check PowerShell script to downgrade EXO automatically.

  • Use the Add2Exchange Short Upgrade Instructions for a one-button upgrade, OR upgrade manually: download the Enterprise Edition from the site, stop the A2E Service, uninstall the old version and install the new one.
  • Run C:\Program Files (x86)\OpenDoor Software®\Add2Exchange\Setup\EXO_Module_Check.ps1 in PowerShell

 

History, Documentation and Special Considerations

If you cannot upgrade because you have no valid software assurance, run the permissions PowerShell manually, as needed, when a new user is added to the distribution list. Do not add permissions in the Exchange Online GUI; add them with PowerShell.

To manually onboard: after adding a user with a valid mailbox in 365 and adding that user to the distribution list we manage, wait 15 minutes after your Azure Dir Sync (if applicable), then run the DidITBetter Support Menu.PS1 (right click, run as PowerShell) from the desktop.

Select Auto Shell Permissions.
Select Office 365 (1).
Select #4 to give permissions to the distribution list members.

This will apply permissions to all members of the distribution group, including your new user.  About 15-20 minutes after the permissions script is run, the actual application of permissions should propagate to the mailboxes in 365. 

Let Add2Exchange run Relationship Group Manager (Relman) every 6 hours or so and it will make the new relationships, remove any relationships of those offboarded (removed) from the distribution list and sync/desync those first.

If you want to make it happen “immediately” (after you run permissions and you waited about 20 minutes for propagation), open and close the Add2Exchange Console, and when closing, if prompted for this, select NOT to pick up where it left off so it will do onboarding and offboarding first, and then NO to logging off and YES to start the Add2Exchange Service. You may lock the machine, but do NOT log off. 

  1. If you are not adding new users to the sync, you can sit on this until you do. We recommend upgrading to the latest Add2Exchange release (Add2Exchange Enterprise Version: 26.12.3794.3140, Updated: 12/19/24, Size: 42 MB) if you have valid software assurance. Once updated, the PowerShell downgrade must be done anyway. A new version with the fix for this will be out within the week ending January 14, 2025.
  2. Downgrade the Microsoft EXO module version (see below), or wait for a new Add2Exchange build release which will resolve this automatically.

BACKGROUND: Within the last month, we received support requests from 365 licensed users about new users who were added to the managed distribution list but were not receiving the information automatically. We traced this to a third-party issue: a bug in Microsoft's new Exchange Online (EXO) module version. We verified it and found that if the permissions script was run manually as specified below, it worked fine; however, when run through the Permissions scheduled task, it did not apply and resulted in the error below.

Error Encountered

Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639).Exception.Message


Tip: Please never give permissions in the online Exchange GUI, as permissions must be given with PowerShell and with the no automapping switch below.

Problem Specifics: when i run the connect-exchangeonline to connect it it should open a authentications window but it gives the error A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles At C:\Program Files\WindowsPowerShell\Modules\Exc - Microsoft Q&A

If you had a recent Premier Support session, we have probably already taken care of this for you. If not and you would like help under Premier Support, please open a ticket.

After finding the most recent and current Microsoft PowerShell EXO Module is broken, the fix for automation is to uninstall all Exchange online versions and go back to a previous one – for now.

 

To revert to a previous version of the EXO module, open a PowerShell window in Administrative mode and run this:

Uninstall-Module -Name ExchangeOnlineManagement -AllVersions -Force

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.5.1 -Force
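
To confirm the downgrade took effect and that the scheduled permissions task then succeeded, the check below can be run on the Add2Exchange machine. It is an added example, not OpenDoor's EXO_Module_Check.ps1; the event log name `Add2Exchange` and the 24-hour window are assumptions, while the version and event IDs are the ones given on this page.

```powershell
# Added example, not vendor code.
$pinned  = [version]'3.5.1'     # version this page says to install
$logName = 'Add2Exchange'       # ASSUMPTION: name of the Add2Exchange event log
$since   = (Get-Date).AddHours(-24)   # ASSUMPTION: look-back window

# 1. Every copy of the module on disk, across all module paths.
$installed = @(Get-Module -ListAvailable -Name ExchangeOnlineManagement)
$others    = @($installed | Where-Object { $_.Version -ne $pinned })

if ($installed.Count -eq 0) {
    Write-Warning 'ExchangeOnlineManagement is not installed.'
} elseif ($others.Count -gt 0) {
    # PowerShell imports the highest installed version by default,
    # so a leftover copy can still be the one the scheduled task loads.
    $others | ForEach-Object {
        Write-Warning "Unexpected version $($_.Version) at $($_.ModuleBase)"
    }
} else {
    Write-Output "Only ExchangeOnlineManagement $pinned is installed."
}

# 2. Most recent result event from the scheduled permissions task.
try {
    $last = Get-WinEvent -FilterHashtable @{
        LogName = $logName; Id = 10000, 10001; StartTime = $since
    } -MaxEvents 1 -ErrorAction Stop
} catch {
    $last = $null   # log not found, or no matching events in the window
}

if (-not $last) {
    Write-Warning "No 10000/10001 event in '$logName' since $since."
} elseif ($last.Id -eq 10001) {
    Write-Warning "10001 at $($last.TimeCreated): EXO module upgrade/downgrade failed."
} else {
    Write-Output "10000 at $($last.TimeCreated): permissions task completed."
}
```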

Since the manual process works fine, follow the manual onboarding steps given above under "History, Documentation and Special Considerations" (run the DidITBetter Support Menu.PS1, select Auto Shell Permissions, Office 365 (1), then #4). Our new version, planned for release on January 10, 2025, will resolve this once the EXO module downgrade process is completed.

Behind the scenes, we use the bitlocked and encrypted passwords to run the permissions script. To run it on a single user, use the commands below. Do not give permissions in the Exchange Online GUI, or it will automap the account in Outlook, which is undesirable.

To give permissions manually through PowerShell:
$identity is your new user, $User is Zadd2exchange@yourdomain.com

Add-MailboxPermission -Identity $identity -User $User -AccessRights 'FullAccess' -InheritanceType All -AutoMapping:$false
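
Because the grant is FullAccess, it is worth confirming which mailboxes actually carry it rather than assuming the scheduled task applied it. The audit below is an added example, not part of the Add2Exchange scripts: it lists distribution-list members that lack an explicit FullAccess entry for the sync account and previews the page's own command for them. The group address is a hypothetical placeholder, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not vendor code. Requires an active Connect-ExchangeOnline session.
$group   = 'a2e-sync-list@yourdomain.com'     # HYPOTHETICAL: your managed distribution list
$service = 'Zadd2exchange@yourdomain.com'     # sync account as named on this page

$report = foreach ($m in Get-DistributionGroupMember -Identity $group -ResultSize Unlimited) {
    if ($m.RecipientType -ne 'UserMailbox') { continue }   # skip contacts and nested groups

    # Explicit (not inherited), non-deny FullAccess entries for the sync account.
    # Values are compared as strings because the module may return them serialized.
    $grant = Get-MailboxPermission -Identity $m.PrimarySmtpAddress -User $service `
                 -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.AccessRights -join ',') -match 'FullAccess') -and
            ("$($_.Deny)" -ne 'True') -and
            ("$($_.IsInherited)" -ne 'True')
        }

    [pscustomobject]@{
        Mailbox       = $m.PrimarySmtpAddress
        HasFullAccess = [bool]$grant
    }
}

$report | Sort-Object HasFullAccess, Mailbox | Format-Table -AutoSize

# Preview the grant for mailboxes that are missing it.
# -WhatIf only prints what would change; remove it to apply.
foreach ($row in @($report | Where-Object { -not $_.HasFullAccess })) {
    Add-MailboxPermission -Identity $row.Mailbox -User $service `
        -AccessRights 'FullAccess' -InheritanceType All -AutoMapping:$false -WhatIf
}
```

Allow the 15-20 minutes of propagation described above before treating a missing entry as a failure.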

Open a ticket if you would like our help with this under Premier Support.

Helpful topic:

How Add2Exchange Works