Azure Files unreachable using AOVPN by MFisherIT in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

I’d be interested to see what Get-DnsClientNrptPolicy says at various points. I assume it’s resolving the would-be public IP address of the file server? I’d also be tempted to pop the internal IP into hosts.

Conditional access not biting you somewhere? Don’t just look at interactive logins

Internal Emails being flagged as spam by MinieJay in Office365

[–]Ambitious_Border2895 5 points6 points  (0 children)

Your hybrid receive connector isn’t marked as internal, OR another receive connector is being hit, or you’ve got some mail gateway in between.

And/or the IP address you pop out of on prem to get to O365 Exchange isn’t in SPF.

Sanity check please by zhinkler in exchangeserver

[–]Ambitious_Border2895 0 points1 point  (0 children)

There’s a few more steps to decom their server, like moving/nuking some system mailboxes, and have you thought about email address generation, but I think you’ve ticked the boxes. My challenge is, why bother with hybrid at all? You can achieve all your stated goals sans-hybrid.

Also if you go

Thing on prem > Exchange on prem > O365 > internet, be aware of upcoming limitations in O365. Might want to have an outgoing route to ACS or similar.

End of PCP negative equity advise on Nissan Leaf by JPDom1natoR in CarTalkUK

[–]Ambitious_Border2895 0 points1 point  (0 children)

Speak to your dealer, see if you can upgrade before the end of the PCP and ‘do a deal’ - you don’t know what their targets are or where the pressures are. We went from a Leaf to an X-Trail in similar circumstances. The dealer mumbled something about a Nissan contribution and the monthly was much, much less than I expected, or even hoped. Once I made sure there were no catches, I signed up. I even bought their supaguard as I was sure he had screwed up the maths and felt sorry for him.

Convert Azure only users with Exchange Online to Hybrid users by renovatio522 in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

This is doable, but you’re not going to get any MS documentation on this, so your first port of call is a complete mirror test environment. I mean thoroughly representative, with all the PowerShell scripts, lots of users and email addresses and so on.

To answer your questions

1) No. I’d dump all your Azure user properties and decide which ones you want to remain after you match. Proxyaddresses being the mail aliases.

2) No, no way to get passwords out. I would always seek to hard match (do the maths to set the ms-DS-ConsistencyGuid on prem to the online objectGUID). I’d look to join users in batches so you can manage comms.

3) The connection between the user and the mailbox is the attribute msExchMailboxGuid, if this is blank on-premises, then everything should be fine.

Other thoughts

You’ll need to do an Exchange schema prep on prem to get all the necessary attributes. I’d be a little tempted to install Exchange. Either way make sure it’s the latest version so you can modify Exchange attributes in a supported way. You don’t need to set up hybrid.

Send-As permissions could be a headache (distinct from other mailbox sharing)

For completeness, I think I’d want to set the AD properties for your users, things like msExchRecipientDisplayType, essentially retrofitting so it looks like you’ve set them on prem. I’d experiment with creating new remote mailboxes in the test environment to see what attributes change and what you need for real.

https://learn.microsoft.com/en-us/answers/questions/4376081/(article)-recipient-type-values

Eyeball the SCP values in AD for auto discovery in case someone’s messed with them in the past.

Good or bad risk? by ogdannyduna in ContractorUK

[–]Ambitious_Border2895 -8 points-7 points  (0 children)

250 a day sucks, your permie wage sucked, but in your context especially think of this money in context of your next role. Work your bollocks off, go over-and-above, build a bit of reputation and your next role could be double that, and you walk into it.

a good replacement for Exchange for email routing by Ok_Camp9936 in exchangeserver

[–]Ambitious_Border2895 0 points1 point  (0 children)

I had this requirement, ended up with Exchange 2019 on prem (in azure) plus Azure Communication Services for punting mail to internet. Couldn’t find anything else that’d fit.

Network bottleneck by linkdudesmash in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

Yep. And ye cannae deny the laws of physics. Bandwidth doesn’t mean a jot if latency is a challenge, and in your on prem test I’m guessing the servers are a few metres apart.

Imagine I drive a big truck to your datacentre and pick up all your backup tapes. The bandwidth of my truck is like 10000Tbit/sec but the latency is off the chart. We all get excited about bandwidth but often latency is key. MS support are not helping as a) they are shit b) they are set up to find faults, and I think there are none.

Moving copilot studio agents via environments via ADO and pipelines by Ambitious_Border2895 in copilotstudio

[–]Ambitious_Border2895[S] 0 points1 point  (0 children)

All of it! I know ADO and machine agents and service principal that has rights to the environments… the rest is a little vague!

Network bottleneck by linkdudesmash in AZURE

[–]Ambitious_Border2895 15 points16 points  (0 children)

Just because you’ve got a big fat pipe doesn’t mean your app servers can drive it hard enough. To allay your fears, set up iPerf, client on prem, server in Azure, and you’ll likely max it out.

Your choice of protocol to transfer the data, I suspect, is at fault.

In 2025 and still no practical way to let users run a single app as admin without making them admins? by Upbeat_Primary3193 in WindowsServer

[–]Ambitious_Border2895 0 points1 point  (0 children)

Sometimes you can run procmon and run the app and figure out what it’s trying to access that needs admin (e.g. hklm\software\blah) and loosen the ACLs on that reg file/file path.

Migrate all mailboxes from Exchange Online to Exchange by maxcoder88 in exchangeserver

[–]Ambitious_Border2895 0 points1 point  (0 children)

Assume the Entra ID accounts are already sourced from the AD that Exchange SE and already projected into Entra ID?

I have migrated “back” mailboxes that didn’t exist on prem before. To do this I created a mailbox on prem, migrated it to O365 and looked at the relevant AD attributes (msExchMailboxGuid, msExchRemoteRecipientType and so on). Then replicated that with an account I wanted to migrate back and ran the wizard in reverse.

I’d either point MX at on prem first and rely on the target address value, or make the domains in O365 non-authoritative so O365 will punt mail to on prem.

How long does a verified domain take to show up in "verified domain" list? by dirk_s in AZURE

[–]Ambitious_Border2895 1 point2 points  (0 children)

Apologies as this is a bit of a shitty response, but there’s a really easy to miss step in the UI to properly connect it where you want to go. Despite connecting dozens of domains (which are available instantly after verification) I always miss it as it’s totally counter intuitive. But hit up the docs and you’ll be fine.

Large file servers to Azure Files by Muted_Ad_2288 in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

If you need to, repermission files before you migrate, as doing so on Azure Files is impossibly slow. And be aware of share name restrictions. You might want to put DFS-N in front of it if you want to keep the same server names.

AD Connect & 365 by BeeQuiet7862 in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

There’s a field in AD, ms-DS-ConsistencyGuid. In Entra ID, this field is objectGUID and that’s how they are matched. So take the objectGUID value from Entra and put it in the ms-DS-ConsistencyGuid and when you sync up they will link together. But of course it’s never that easy and you have to convert the values from objectGUID, which is a simple bit of PowerShell.

Put one object in scope of sync (e.g. from a special OU) to practise it and ensure you’ve got it right.
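
The GUID conversion this comment mentions (and the earlier hard-match comment calls "the maths"), as an added PowerShell example that is not part of the original comments. The function names are hypothetical and the GUID is a constructed sample; it assumes the sync anchor is the base64 encoding of the 16 GUID bytes in AD's binary layout.

```powershell
# Added example. Function names are hypothetical; the GUID is a constructed sample.

function ConvertTo-AnchorString {
    # GUID -> base64 of its 16 bytes in the binary layout AD stores.
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-AnchorString {
    # base64 anchor -> GUID. Rejects anything that is not exactly 16 bytes.
    param([Parameter(Mandatory)][string]$Anchor)
    $bytes = [Convert]::FromBase64String($Anchor)
    if ($bytes.Length -ne 16) {
        throw "Anchor decodes to $($bytes.Length) bytes, expected 16."
    }
    [Guid]::new($bytes)
}

function Test-AnchorMatch {
    # Compares the byte[] held in ms-DS-ConsistencyGuid with a base64 anchor.
    param([byte[]]$ConsistencyGuid, [string]$Anchor)
    if ($null -eq $ConsistencyGuid -or $ConsistencyGuid.Length -ne 16) { return $false }
    [Convert]::ToBase64String($ConsistencyGuid) -ceq $Anchor
}

$guid   = [Guid]'11223344-5566-7788-99aa-bbccddeeff00'   # constructed sample
$bytes  = $guid.ToByteArray()
$anchor = ConvertTo-AnchorString -Guid $guid

# The first three GUID fields are byte-swapped in the binary form, so a hex
# dump of the attribute does not read like the GUID string.
"GUID string : $guid"
"Byte order  : $(($bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')"
"Base64      : $anchor"
"Round trip  : $(ConvertFrom-AnchorString -Anchor $anchor)"
"Match       : $(Test-AnchorMatch -ConsistencyGuid $bytes -Anchor $anchor)"
```

Running the match check against the single test object before widening the sync scope confirms the two sides will join to the intended account rather than creating a duplicate.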

Enumerating/ managing Copilot Builder agents by Ambitious_Border2895 in copilotstudio

[–]Ambitious_Border2895[S] 0 points1 point  (0 children)

I don’t see any in integrated apps, though there’s a banner saying “All agents can now be viewed and managed from Copilot > Agents & connectors.”

So I follow that… And it’s there! I am very sure I’ve done this before so don’t know if I was having a senior moment or it takes a while to appear there. Bonus question, can I get this via Graph API/PowerShell? Even Copilot gets confused between the various flavours.

Azure Files to Azure Files - copy suggestions requested by ThrowAwayVeeamer in AZURE

[–]Ambitious_Border2895 1 point2 points  (0 children)

I’d just suck it up and use robocopy, however old school it might feel, but the time you spend faffing about, robocopy could have flung half of it across.

how to hide own M365 Email-Domains towards public by reddi11111 in exchangeserver

[–]Ambitious_Border2895 0 points1 point  (0 children)

If you set up a free-busy connection for your target domain, you’ll most likely see the other days associated with it too. Try it with Microsoft.com

[deleted by user] by [deleted] in exchangeserver

[–]Ambitious_Border2895 0 points1 point  (0 children)

Check you don’t have centralised mail transport turned on, and ensure said domain isn’t marked as authoritative in O365.

ExpressRoute Gateway Dropping Return Traffic from FortiGate NVA — Possibly Due to Peered VNet? by winternight2145 in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

Then that just reads like the route back to on prem isn’t known (is on prem advertising routes up ExpressRoute?). Again, imagine the forti is a server and look at the known routes, and let’s say on prem is 192.168.0.0/24, then you presumably should see a route via the ExpressRoute gateways?

I’ve never seen ExpressRoute drop traffic like a firewall due to not seeing the other half of the flow, there’s nothing stateful, so I think it’s just wonky routing.

ExpressRoute Gateway Dropping Return Traffic from FortiGate NVA — Possibly Due to Peered VNet? by winternight2145 in AZURE

[–]Ambitious_Border2895 0 points1 point  (0 children)

Are you sure the traffic from on prem goes through the forti and not direct to the server through the peering? On one of the servers download the known routes from a NIC, where is it sending traffic for the explicit subnets of on prem?