• Office 365: Convert User Mailbox to Shared Mailbox

    Many administrators need to convert regular User Mailboxes to a Shared Mailbox after migration to Office 365. While the task is not very complex in itself, it is admittedly quite boring and you need to remember quota sizes and not least the syntax for removing the license.

    I’ve put together a small script that will automate this task given two command line arguments in the format:

    .\convertUserToShared.ps1 <user@domain.com> <sec-gr-shared-mailbox-name>

    Note:

    Remember to assign an email address to the security group or you won’t be able to use it in Exchange Online. You may also want to hide it from the address book (set attribute: msExchHideFromAddressBook to True).

    Now, to be able to perform the necessary operations you need the following plug-ins:

    And I really recommend upgrading PowerShell as well:

     

    Connect to Exchange Online AND Office 365 with the following syntax prior to running the script:

       $LiveCred = Get-Credential
       $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $LiveCred -Authentication Basic -AllowRedirection
       Import-PSSession $Session
       Connect-MsolService -Credential $LiveCred

     

    I’ve commented directly in the source where needed, so the script should be fairly self-explanatory:

       1: $count = $args.Count
       2: if ($count -lt 2) {
       3:     Write-Host
       4:     Write-Host "You need to specify username and security group as arguments: .\convertUserToShared.ps1 <username@domain.ext> <securitygroup>" -ForegroundColor Red
       5:     Write-Host
       6: }
       7: else {
       8:     $mbx = $args[0]
       9:     $secGroup = $args[1]
      10:     Write-Host Processing user: $mbx -ForegroundColor Yellow
      11:  
      12:     # Verify if group exist, remember to DirSync it first
      13:     $test = Get-Group $secGroup -ErrorAction SilentlyContinue
      14:     if ($test -ne $null) {
      15:  
      16:         # Verify if mailbox exist
      17:         $test = Get-Mailbox $mbx -ErrorAction SilentlyContinue
      18:         if ($test -ne $null) {
      19:     
      20:             # Do the "clever" stuff to find out if mbx is less than 4500 MB (leaves a little room up to 5 GB)
      21:             $stat = Get-MailboxStatistics $mbx
      22:             $tmp = $stat.TotalItemSize.Value.ToString().Split("(")[0].Replace(" ","")
      23:             $mb = Invoke-Expression $tmp/1MB
      24:             if ([int]$mb -lt 4500) {
      25:  
      26:                 # Setting the actual mailbox parameters
      27:                 Write-Host Converting user $mbx to shared and setting quota to 5 GB...
      28:                 Set-Mailbox -Identity $mbx -Type "Shared" -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB
      29:  
      30:                 # Adding permissions
      31:                 Write-Host Adding permissions for $secGroup on $mbx
      32:                 Add-MailboxPermission $mbx -User $secGroup -AccessRights FullAccess
      33:                 Add-RecipientPermission $mbx -Trustee $secGroup -AccessRights SendAs -Confirm:$false
      34:  
      35:                 # Remove the license, Shared Mailboxes with a 5GB limit are free of charge
      36:                 Write-Host Removing license for $mbx
      37:                 $MSOLSKU = (Get-MSOLUser -UserPrincipalName $mbx).Licenses[0].AccountSkuId
      38:                 Set-MsolUserLicense -UserPrincipalName $mbx -RemoveLicenses $MSOLSKU
      39:                 Write-Host Done! -ForegroundColor Green
      40:  
      41:             }
      42:             else { Write-Host "Mailbox is $([int]$mb) MB which is too large for conversion to a nonlicensed shared mailbox, reduce size and try again." -ForegroundColor Red }
      43:         }
      44:         else { Write-Host Mailbox: $mbx does not exist! -ForegroundColor Red    }
      45:     }
      46:     else { Write-Host Group: $secGroup does not exist! -ForegroundColor Red    }
      47: Write-Host
      48: }

     

    Important:

    If you’re synchronizing your accounts with Active Directory using DirSync (or FIM), please make sure that the following attributes are set on the modified Shared Mailbox objects in Active Directory:

    msExchRemoteRecipientType = 100
    msExchRecipientTypeDetails = 34359738368 (Optional but will set correct Remote Mailbox type on-prem)

    If these attributes are not set correctly, you risk DirSync converting the cloud object back to a regular mailbox.

     

    Note:

    If you can make a regex that will do the job of line 22, you will be credited on this page! :)
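
    One way to get the size in MB with a regular expression instead of the string splitting on line 22 and the Invoke-Expression on line 23, which evaluates a string as code. This is an added example, not part of the original script; the function name ConvertTo-MailboxSizeMB is hypothetical and the sample strings are constructed.

    ```powershell
    # Added example, not part of convertUserToShared.ps1.
    # ConvertTo-MailboxSizeMB is a hypothetical helper name.
    function ConvertTo-MailboxSizeMB {
        [CmdletBinding()]
        param(
            # String form of TotalItemSize, e.g. "1.5 GB (1,610,612,736 bytes)"
            [Parameter(Mandatory = $true)]
            [string]$TotalItemSize
        )

        # Capture the exact byte count inside the parentheses. Digit-group
        # separators differ between locales, so accept ",", "." and spaces.
        if ($TotalItemSize -notmatch '\((?<bytes>\d[\d,.\s]*)bytes\)') {
            throw "Unrecognised TotalItemSize format: '$TotalItemSize'"
        }

        # Keep digits only: the value is parsed as a number, never run as code.
        $bytes = [int64]($Matches['bytes'] -replace '\D', '')
        [math]::Round($bytes / 1MB, 2)
    }

    # Constructed sample strings in the "<size> (<n> bytes)" format.
    $samples = @(
        '1.5 GB (1,610,612,736 bytes)',
        '4.7 GB (5,046,586,573 bytes)',
        '0 B (0 bytes)'
    )
    foreach ($s in $samples) {
        $mb = ConvertTo-MailboxSizeMB -TotalItemSize $s
        # Same 4500 MB threshold the script applies before converting.
        '{0,-30} {1,8} MB  under limit: {2}' -f $s, $mb, ($mb -lt 4500)
    }
    ```

    In the script, lines 22 and 23 would become a single call: `$mb = ConvertTo-MailboxSizeMB ($stat.TotalItemSize.Value.ToString())`. A string that does not contain a byte count in parentheses stops the script with an error instead of being evaluated.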

  • Office 365: Common mistakes when configuring Hybrid Deployment

    I am putting together a list of common mistakes made when configuring Hybrid Deployment. Items will be added to the list as I see them or am made aware of their existence; feel free to send me suggestions.

    Always use the HCW (Hybrid Configuration Wizard) when configuring Hybrid Deployment.

    Admin account not mail enabled

    I think that this is probably the most common mistake, especially in hosted environments where multiple people from different organizations are administrators on the Exchange Organization.

    Always mail enable Exchange Admin accounts, or the wizard may fail during Set-HybridConfiguration or Update-HybridConfiguration.

    You may see errors such as: “ERROR:Updating hybrid configuration failed with error 'Subtask ValidateConfiguration execution failed: Configure Legacy Exchange Support” as a symptom of the Admin account not being mail enabled.

    DNS TXT record

    When running the Hybrid Configuration Wizard, you are asked to create a DNS TXT record as proof of domain ownership. Do not skip this step, or the wizard will fail at the end.

    Create the record and wait 15-20 minutes before continuing.

    Three strikes and you’re out

    If the Hybrid Configuration Wizard fails for any reason, troubleshoot the problem instead of just running the wizard again. If configuring a hybrid relationship fails three times, you need to wait 24 hours before trying again.

    I hope this will ease your planning and troubleshooting. Enjoy…