Intune – Conditional Access with Exchange on-prem migration issues

The Intune Support Team blogged about “Migration Blockers” in March, mentioning several important steps. You can find more information about that here:

https://blogs.technet.microsoft.com/intunesupport/2017/03/17/intune-migration-blockers-for-grouping-targeting/

Suddenly last week one of my customers reported that users received quarantine email incorrectly. I looked further into it and saw the Exchange Connector started generating logs I hadn’t seen before in Windows Logs -> Application.

For instance:

Microsoft.Management.Services.Common.InternalErrorException: An error has occurred – Operation ID (for customer support): be9a87aa-1c83-46ce-9aa3-3a2e5b56241c – Activity ID: a63cf524-5075-41e5-b330-89cff853f7f9 – Url: https://fef.msub02.manage.microsoft.com/StatelessExchangeGatewayService/$batch – CustomApiErrorPhrase:
__BEGINCMEXCEPTIONMETADATA__
{
"CustomApiErrorPhrase": ""
}
at Microsoft.SystemCenter.Online.Mobile.Services.Exchange.Agent.Proxy.ExchangeConnectorSoapServiceClient.PutMessage(ExchangeGatewayMessage message)
at Microsoft.SystemCenter.Online.Mobile.Services.Exchange.Agent.Proxy.ExchangeConnectorSoapServiceClient.GetNextCommand(ConnectorData connectorData)
at Microsoft.SystemCenter.Online.Mobile.Services.Exchange.Agent.ExchangeCommandPoller.GetNextCommand()
at Microsoft.SystemCenter.Online.Mobile.Services.Exchange.Agent.ExchangeCommandPoller.RunInAsuMode()

It then started with Informational events, which it always generates when it emails users, but this time the users had no devices that were not compliant, and it warned many users in the tenant (400 out of 1000).

 Update Conditional access list command. Blocked lists : ’23’, notificationSent ‘False’, WakeUpTime ’01/01/0001 00:00:00′ completed successfully. Details: update conditional access list command result – ‘Commmand ID: ‘b42a06d4-78ce-410b-b9aa-1f86af75e07e’ Exchange health: ‘Server health ‘Name: ‘PowerShellExchangeServer: <Name=EXCHANGE … .USER1@DOMAIN.COM;USER2@DOMAIN.COM…….

When I logged on to the console I noticed that the tenant was migrated to Azure, as it gave me a link to the new Azure Tenant from the Intune Console. I immediately reported this to Microsoft and suggested it had something to do with the migration. During the time I did troubleshooting with Microsoft, another customer reported the same issue, where I saw the exact same thing – it was recently migrated to Azure and the problem started occurring the very same day.

After troubleshooting with support for 4 days, we figured you need to have at least version 5.0.17383.0 of Microsoft Intune Exchange Connector to be supported with the new tenant.

I also ran into some issues configuring the Connector after updating. I made sure the Connector user had Intune Administrator and an Intune license, and it worked as expected.

One problem that still remains: Error with Event ID 7007 is still being generated every fifth minute, but from what I can tell everything is working in version 5.0.17383.0.

I hope the Intune team will add a changelog when updating the Connector in the future.

Published by

Karim El-Melhaoui

Working as a Technical Architect in Advania Norway with focus on Microsoft Infrastructure, Cloud and security. My daily tasks are advisory, design and implementation of products and security measures for companies. Continuously focusing on developing my skillset and staying up to date with the newest in technology. Microsoft Certified Trainer, MCSE Cloud Platform & Infrastructure and Mobility, MCSA Windows Client, Server and Office 365.
