Access to on-premise hosted Public Folders using Exchange Online mailboxes

Public Folders are still a thing. And while companies are moving their stuff into the cloud, Public Folders still need to be accessed by cloud-located mailboxes.

Allowing the access from Exchange Online mailboxes to on-premise hosted Public Folders is well documented by Microsoft, but there are also some fuzz. I had to deal with this during a Office 365 transition project at one of my customers.

The background

The customer is running a single Exchange 2016 server in a Windows Server 2012 R2 forest. AzureAD Sync is running and its syncing on-premise identities to AzureAD. The customer uses Office 365 E5 plans and he wants to move to Exchange Online, aside other O365 services like SharePoint Online, Teams etc.

Something was missing

After setting up the Exchange Hybrid, the customer and I where able to migrate the first mailboxes to Exchange Online.

To our surprise the on-premise Public Folders were not visible from the migrated Exchange Online mailboxes. We had still things to do…

In order to get the access to the Public Folders working, the Public Folder mailbox object needs to be synced to AzureAD. This is not complicated, because all you need to make sure is, that the user object is synced. If you are using an OU filter for the AzureAD sync, make sure that the OU with the Public Folder mailbox user object is included into the sync.

But there is also a second requirement: You also need to sync the Microsoft Exchange System Objects container! This is pretty important and it is not mentioned in the docs (Public folders in Microsoft 365, Office 365, and Exchange Online).

Check if the user is synced by using the Exchange Online PowerShell. This is how the Public Folder mailbox user looks like from the Exchange Online perspective:

PS C:\Users\p.terlisten> Get-MailUser Mailbox1

Name                                     RecipientType
----                                     -------------
Mailbox1                                 MailUser

This is the Public Folder mailbox that is hosted on-premise.

PS C:\Users\p.terlisten> Get-Mailbox -PublicFolder

Name                      Alias                ServerName     ProhibitSendQuota
----                      -----                ----------     -----------------
Mailbox1                  Mailbox1             EX             Unlimited

As long as you can’t see the MailUser in Exchange Online, you have no chance to configure the Public Folder access.

The next step is to synchronize the mail-enabled Public Folder objects to Exchange Online. For this, you have to download two scripts from Microsoft.

  • Sync-ModernMailPublicFolders.ps1
  • Sync-ModernMailPublicFolders.psd1

Run the Sync-ModernMailPublicFolders.ps1 script on your on-premise Exchange server. You will need your Office 365 admin credentials for this task.

PS C:\Users\p.terlisten\Download> .\Sync-ModernMailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv

The last step is to enable the Public Folder access using the Set-OrganizationConfig cmdlet in the Exchange Online PowerShell session.

PS C:\Users\p.terlisten> Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes Mailbox1

Please note that some of these steps need some time to get active! It will take some time for the background tasks to get some things sorted.

Controlled Connections to Public Folders in Outlook

It is worth mentioning that after enabling the access to Public Folders all Exchange online users can see the on-premise hosted Public Folders. If you need to enable the access only for some Exchange Online users, Microsoft has a solution for you: Controlled Connections to Public Folders.

First, you need to enable the Public Folder access for the users you have selected.

Set-CASMailbox "John Doe" -PublicFolderClientAccess $true

Then you enable the feature globally using the Exchange Online PowerShell.

Set-OrganizationConfig -PublicFolderShowClientControl $true

This setting applies only to Exchange Online hosted mailboxes!

Patrick Terlisten
Follow me

6 thoughts on “Access to on-premise hosted Public Folders using Exchange Online mailboxes

  1. Charles

    Hey Patrick,

    Great write up on this.

    So I’ve made the changes above and a read through everything I can find however when accessing Public Folders (which are now visible on O365) it redirects Outlook to the OWA on premise address. This works fine on the local network but fails remotely.

    Is this expected behaviour? If so what is the point of the Sync?

    Confused by the whole thing to be honest.

    Thanks,

    Charles

    Reply
  2. Charles Hurst

    Hey Patrick,

    No sorry this is using Outlook connected to O365 user and I have set the OC as below;

    Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PF-Mailbox1

    I didn’t think OWA was supported at all in any of this.

    It’s odd because when I check Outlook connectivity I can see it trying to query owa.xxx.xx.xx as I expand the public folders.

    If I set the OC back to;

    Set-OrganizationConfig -PublicFoldersEnabled Local

    Then the public folder disappear from Outlook completely.

    Thanks,

    Charles

    Reply
      1. Charles

        Hey Patrick,

        Yeah it’s both internal and external.

        It’s just more that I didn’t expect this behaviour, I expected the sync script to sync the public folders to O365 and then we could access them in O365.

        But it looks like all the Sync task does is sync the contacts for mail enabled public folders (for mail relay) and the Organisation Config just pushes Public Folder requests to on-prem.

        Which means we must have some issue with external owa.xxx.xx.xx which I can have a look in to.

        It works fine if your on the local network. I guess we need to decide if this is good enough or come up with another solution.

        Thanks for everything,

        Charles

        Reply
        1. Patrick Terlisten Post author

          Check the external access to the URL. This has to work, regardless if the client accesses from the internal network or externam network. Access is granted using the Proxy Mailbox.

          Reply

Leave a Reply

Your email address will not be published. Required fields are marked *