Public Folders are still a thing. And while companies are moving their stuff into the cloud, Public Folders still need to be accessed by cloud-located mailboxes.
Allowing access from Exchange Online mailboxes to on-premise hosted Public Folders is well documented by Microsoft, but there is also some fuzz. I had to deal with this during an Office 365 transition project at one of my customers.
The background
The customer is running a single Exchange 2016 server in a Windows Server 2012 R2 forest. AzureAD Sync is running and it's syncing on-premise identities to AzureAD. The customer uses Office 365 E5 plans and wants to move to Exchange Online, alongside other O365 services like SharePoint Online, Teams etc.
Something was missing
After setting up the Exchange Hybrid, the customer and I were able to migrate the first mailboxes to Exchange Online.
To our surprise the on-premise Public Folders were not visible from the migrated Exchange Online mailboxes. We still had things to do…
To get access to the Public Folders working, the Public Folder mailbox object needs to be synced to AzureAD. This is not complicated: all you need to make sure is that the user object is synced. If you are using an OU filter for the AzureAD sync, make sure that the OU with the Public Folder mailbox user object is included in the sync.
But there is also a second requirement: You also need to sync the Microsoft Exchange System Objects container! This is pretty important and it is not mentioned in the docs (Public folders in Microsoft 365, Office 365, and Exchange Online).
Check if the user is synced by using the Exchange Online PowerShell. This is what the Public Folder mailbox user looks like from the Exchange Online perspective:
PS C:\Users\p.terlisten> Get-MailUser Mailbox1

Name     RecipientType
----     -------------
Mailbox1 MailUser
This is the Public Folder mailbox that is hosted on-premise.
PS C:\Users\p.terlisten> Get-Mailbox -PublicFolder

Name     Alias    ServerName ProhibitSendQuota
----     -----    ---------- -----------------
Mailbox1 Mailbox1 EX         Unlimited
As long as you can’t see the MailUser in Exchange Online, you have no chance to configure the Public Folder access.
The next step is to synchronize the mail-enabled Public Folder objects to Exchange Online. For this, you have to download two scripts from Microsoft.
- Sync-ModernMailPublicFolders.ps1
- Sync-ModernMailPublicFolders.psd1
Run the Sync-ModernMailPublicFolders.ps1 script on your on-premise Exchange server. You will need your Office 365 admin credentials for this task.
PS C:\Users\p.terlisten\Download> .\Sync-ModernMailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv
The last step is to enable the Public Folder access using the Set-OrganizationConfig cmdlet in the Exchange Online PowerShell session.
PS C:\Users\p.terlisten> Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes Mailbox1
Please note that some of these steps take some time to become active! The background tasks need a while to process the changes.
Controlled Connections to Public Folders in Outlook
It is worth mentioning that after enabling the access to Public Folders, all Exchange Online users can see the on-premise hosted Public Folders. If you need to enable the access only for some Exchange Online users, Microsoft has a solution for you: Controlled Connections to Public Folders.
First, you need to enable the Public Folder access for the users you have selected.
Set-CASMailbox "John Doe" -PublicFolderClientAccess $true
Then you enable the feature globally using the Exchange Online PowerShell.
Set-OrganizationConfig -PublicFolderShowClientControl $true
This setting applies only to Exchange Online hosted mailboxes!
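The checks from the steps above can be collected into one read-only report. This is an added example, not code from the original post or from Microsoft; it assumes an already connected Exchange Online PowerShell session, and the function name Test-RemotePublicFolderAccess is hypothetical.

```powershell
# Added example: read-only audit of the remote Public Folder configuration.
# Assumes a connected Exchange Online PowerShell session.
function Test-RemotePublicFolderAccess {
    param(
        [Parameter(Mandatory)]
        [string]$PublicFolderMailbox   # e.g. 'Mailbox1', the sample name used in the post
    )

    # 1. The on-premise Public Folder mailbox must show up as a MailUser.
    $mailUser = Get-MailUser -Identity $PublicFolderMailbox -ErrorAction SilentlyContinue

    # 2. Organization-wide settings written by Set-OrganizationConfig.
    $org    = Get-OrganizationConfig
    $remote = @($org.RemotePublicFolderMailboxes | ForEach-Object { $_.ToString() })

    # 3. Mail-enabled Public Folder objects created by Sync-ModernMailPublicFolders.ps1.
    $mailPf = @(Get-MailPublicFolder -ResultSize Unlimited -ErrorAction SilentlyContinue)

    # 4. Mailboxes allowed through Set-CASMailbox -PublicFolderClientAccess $true.
    $allowed = @(Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PublicFolderClientAccess } |
        Select-Object -ExpandProperty Name)

    # Controlled Connections only restricts access once the global switch is on;
    # otherwise every Exchange Online user sees the Public Folders.
    $scope = if ($org.PublicFolderShowClientControl) {
        "Restricted to $($allowed.Count) mailbox(es)"
    } else {
        'All Exchange Online users'
    }

    [pscustomobject]@{
        MailUserSynced              = [bool]$mailUser
        RecipientType               = $mailUser.RecipientType
        PublicFoldersEnabled        = $org.PublicFoldersEnabled
        RemotePublicFolderMailboxes = $remote -join ', '
        MailEnabledPublicFolders    = $mailPf.Count
        ShowClientControl           = $org.PublicFolderShowClientControl
        EffectiveAccessScope        = $scope
        AllowedMailboxes            = $allowed -join ', '
    }
}

Test-RemotePublicFolderAccess -PublicFolderMailbox 'Mailbox1' | Format-List
```

If MailUserSynced is False, revisit the AzureAD sync scope before touching the organization config; if EffectiveAccessScope reports all users while AllowedMailboxes is populated, the global switch has not been enabled yet.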
Hey Patrick,
Great write up on this.
So I’ve made the changes above and read through everything I can find, however when accessing Public Folders (which are now visible on O365) it redirects Outlook to the OWA on premise address. This works fine on the local network but fails remotely.
Is this expected behaviour? If so what is the point of the Sync?
Confused by the whole thing to be honest.
Thanks,
Charles
Hi Charles,
So you try to access the public folders, which are still on-premise, with OWA from Exchange Online and you get a redirect to the local server name on-premise?
Hey Patrick,
No sorry this is using Outlook connected to O365 user and I have set the OC as below;
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PF-Mailbox1
I didn’t think OWA was supported at all in any of this.
It’s odd because when I check Outlook connectivity I can see it trying to query owa.xxx.xx.xx as I expand the public folders.
If I set the OC back to;
Set-OrganizationConfig -PublicFoldersEnabled Local
Then the public folders disappear from Outlook completely.
Thanks,
Charles
Is owa.xx.xx.xx your internal hostname? Have you set up the internal and external URL correctly?
Hey Patrick,
Yeah it’s both internal and external.
It’s just more that I didn’t expect this behaviour, I expected the sync script to sync the public folders to O365 and then we could access them in O365.
But it looks like all the Sync task does is sync the contacts for mail enabled public folders (for mail relay) and the Organisation Config just pushes Public Folder requests to on-prem.
Which means we must have some issue with external owa.xxx.xx.xx which I can have a look in to.
It works fine if you’re on the local network. I guess we need to decide if this is good enough or come up with another solution.
Thanks for everything,
Charles
Check the external access to the URL. This has to work, regardless if the client accesses from the internal network or the external network. Access is granted using the Proxy Mailbox.
Thanks Patrick, yeah I’m going to check the IIS logs and see why the external access is failing.
Charles
Hi Patrick,
I did everything above, and I got all the printouts correctly, but I can’t see public folders in Outlook and OWA.
What version of Exchange do you currently use? Outlook version?