Office 365 Hybrid Federated User Free Busy (No Information)

There are a lot of posts regarding resolving free/busy issues, this post is one of them but with simple resolution. In this case it's Office 365 Hybrid implementation with multiple domains hosted in single O365 tenant. On premise exchange organization is Exchange 2013 with latest rollup installed. On premise ADFS is configured, and O365 on-boarded users can successfully access O365 resources using their on-premise domain credentials. Organization Sharing between domains configured successfully.
Having this configuration in place, O365 on-boarded users can collaborate with on-boarded and on-premise users successfully (and vice versa) including free/busy information. But, some O365 on-boarded users reported that they cannot see on-premise mailboxes free/busy information (No Information). Because the free/busy (no) information problem was not for all on-boarded users, but for some of them, the debugging of the issue has started on client level.
The debugging started with internet browser debugging options when connected to OWA and adding user mailboxes to scheduling assistant, and finding the POST request url https://outlook.office.com/owa/service.svc?action=GetUserAvailability... for the added user mailboxes. The response for the requests was "Error" with following information:

"<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code><S:Value>S:Receiver</S:Value></S:Code><S:Reason><S:Text xml:lang="en-US">Internal Server Error</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048820</psf:value><psf:internalerror><psf:code>0x800478ac</psf:code><psf:text>Provision is needed before federated account can be logged in.</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault>Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.   at Microsoft.Exchange.Net.WSTrust.SoapClient.EndInvoke(IAsyncResult asyncResult)   at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.EndIssueToken(IAsyncResult asyncResult)   at Microsoft.Exchange.InfoWorker.Common.Availability.ExternalAuthenticationRequest.Complete(IAsyncResult asyncResult)"

This user had a valid licenses assigned and can successfully access O365 resources.

Finally, the resolution for this issue is trivial, by connecting to AzureAD and changing the UserPrincipalName for this user to @tenant.onmicrosoft.com and then return back the UserPrincipalName. Here are the cmdlets:

Set-AzureADUser -ObjectId username@domain.upn -UserPrincipalName "username@tenantname.onmicrosoft.com"
Set-AzureADUser -ObjectId "username@tenantname.onmicrosoft.com" -UserPrincipalName "username@domain.upn"

After this action, the problematic on-boarded O365 user has successfully accessed the free busy information for the on-premise mailboxes.

Comments

  1. Thank you very much for this solution! Works perfectly. We have this problem for days now and couldn't find a solution for it.

    ReplyDelete
  2. Worked for us.. User needed to resync his password after changeing back the UPN. So forced an start-ADSyncSyncCycle. Thx Vladimir for sharing.

    ReplyDelete
    Replies
    1. You mean, after both commands force the replication?

      Delete
  3. Didn't work at another customer. IISRESET on the old environment(2010) did the trick there.

    ReplyDelete
  4. Thank you, this worked for one of our accounts.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to convert string to Base64 and vice versa using Powershell

Machine domain group policy failed to apply

Failover Clustering Event 1196 and 1228