Microsoft EXO Module Issue Affecting New User Onboarding

Due to a Microsoft change in the Exchange Online (EXO) module, new users added through new Add2Exchange relationships may not receive information automatically because the permissions script is not being applied as expected. As of January 24, 2025, Microsoft had not yet released their anticipated fix.

This issue is not critical for normal sync operations. It affects onboarding of new users. Existing sync operations continue normally, and offboarding is not affected.

This issue applies to Office 365 and Hybrid environments for onboarding. The newer Add2Exchange Enterprise Edition applies broadly to all installations and includes several important fixes and enhancements needed to stay in band.

Recommended Resolution

The simplest resolution is to upgrade to the latest Add2Exchange Enterprise Edition and then run the EXO module check PowerShell script to downgrade EXO to a supported version if needed.

After doing so, test by running the scheduled permissions task and checking the Add2Exchange log:

  • Event ID 10000 indicates success.
  • Event ID 10001 indicates a failure to upgrade Add2Exchange or a failure to downgrade the EXO module to a supported band.

Note that automatic permissions may not apply correctly in every installation.

Update as of April 22, 2026

Upgrade to Add2Exchange Enterprise Edition and run the EXO_Module_Check.ps1 script to downgrade EXO automatically.

See Add2Exchange Short Upgrade Instructions for the one-button upgrade or manual upgrade process. In general:

  • Download the latest Enterprise Edition.
  • Stop the Add2Exchange Service.
  • Uninstall the old version.
  • Install the new version.
  • Run from PowerShell (the path contains spaces, so quote it and use the call operator):
    & "C:\Program Files (x86)\OpenDoor Software®\Add2Exchange\Setup\EXO_Module_Check.ps1"

Special Considerations

If you cannot upgrade because you do not have valid Software Assurance, you can still onboard users manually by running the permissions PowerShell process when needed.

Do not assign permissions in the Exchange Online GUI. Permissions must be applied by PowerShell so that automapping is disabled properly.

Manual Onboarding Procedure

After creating a new user with a valid Microsoft 365 mailbox and adding that user to the managed distribution list, wait about 15 minutes if Azure directory synchronization is involved.

Then run DidITBetter Support Menu.PS1 from the desktop by right-clicking and launching it as PowerShell.

  1. Select Auto Shell Permissions.
  2. Select Office 365 (1).
  3. Select #4 to give permissions to the distribution list members.

This applies permissions to all members of the distribution group, including the new user. After the permissions script runs, allow approximately 15 to 20 minutes for those permissions to propagate to the Microsoft 365 mailboxes.

Add2Exchange will then handle the rest during its normal Relationship Group Manager (Relman) cycle, typically every six hours or so. At that time it will create new relationships, remove relationships for offboarded users, and perform the related sync or desync processing.

How to Force It Sooner

If you want onboarding to occur more quickly, first run permissions and wait about 20 minutes for propagation.

Then open and close the Add2Exchange Console. When prompted during closing:

  • Select Do not pick up where it left off, so onboarding and offboarding run first.
  • Select No to logging off.
  • Select Yes to start the Add2Exchange Service.

You may lock the machine, but do not log off.

If You Are Not Adding New Users Right Now

If you are not currently onboarding new users, you may choose to wait until you need to. Even so, we recommend upgrading to the latest Add2Exchange release if your Software Assurance is valid.

At the time of this notice, the recommended build was:

Add2Exchange Enterprise Version: 28.4.3889.3333
Updated: 04/19/26

Even after upgrading, the PowerShell downgrade step for EXO still needed to be completed. At that time, a newer Add2Exchange build was expected to automate this fix.

Background

During the month leading up to this notice, we received support cases from Microsoft 365 customers where new users added to managed distribution lists were not receiving information automatically.

We traced the issue to a third-party Microsoft bug in a newer Exchange Online EXO module release. Manual permissions continued to work correctly, but the scheduled permissions task did not apply permissions as expected and produced the error below.

Error Encountered

Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639).Exception.Message

Please do not assign permissions in the Exchange Online GUI. Permissions should be granted through PowerShell using the no automapping switch.

Problem Specifics

A reported symptom was that running Connect-ExchangeOnline should open an authentication window, but instead returned the following error:

“A window handle must be configured.”
See: https://aka.ms/msal-net-wam#parent-window-handles

If you recently had a Premier Support session, this may already have been corrected for you. If not, and you would like assistance under Premier Support, please open a ticket.

Temporary Microsoft EXO Module Workaround

Once it was confirmed that the current Exchange Online PowerShell module was broken for this automation scenario, the workaround was to remove all installed Exchange Online module versions and install a prior supported version.

If you are running an older Add2Exchange build and are still within your Software Assurance period, we also recommend upgrading so you can take advantage of other Microsoft-related fixes and Add2Exchange enhancements. See Add2Exchange Enterprise Release Notes and Add2Exchange Short Upgrade Instructions.

To revert the EXO module, open PowerShell in Administrator mode and run:

Uninstall-Module -Name ExchangeOnlineManagement -AllVersions -Force

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.5.1 -Force
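
To confirm the rollback took effect, the check below lists every installed copy of the module and flags anything other than 3.5.1. It is an added example, not part of the Add2Exchange EXO_Module_Check.ps1 script, and uses only standard PowerShell cmdlets.

```powershell
# Added example: verify the ExchangeOnlineManagement rollback (read-only).
$ModuleName    = 'ExchangeOnlineManagement'
$PinnedVersion = [version]'3.5.1'   # version named in the workaround above

# -ListAvailable searches every folder in $env:PSModulePath, so it also finds
# copies that Uninstall-Module did not remove (for example, another scope).
$found = @(Get-Module -ListAvailable -Name $ModuleName | Sort-Object Version -Descending)
$unexpected = @($found | Where-Object { $_.Version -ne $PinnedVersion })

if ($found.Count -eq 0) {
    Write-Warning "$ModuleName is not installed for this account."
}
elseif ($unexpected.Count -gt 0) {
    # A leftover copy can still be imported when no -RequiredVersion is given.
    $found | Format-Table Name, Version, ModuleBase -AutoSize
    Write-Warning ("Versions other than {0} remain: {1}" -f $PinnedVersion,
        ($unexpected.Version -join ', '))
}
else {
    Write-Output "Only $ModuleName $PinnedVersion is installed."
}

# A session that imported the module before the rollback keeps that copy loaded.
$loaded = Get-Module -Name $ModuleName
if ($loaded -and $loaded.Version -ne $PinnedVersion) {
    Write-Warning "This session still has $($loaded.Version) loaded; open a new window."
}
```

Run it as the same Windows account that runs the scheduled permissions task, because per-user module folders differ between accounts.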

Manual Permission Command for a Single User

Behind the scenes, Add2Exchange uses bitlocked and encrypted passwords to run the permissions script automatically. If you need to apply permissions manually for a single user, use the command below.

In this example:

  • $identity = the new user mailbox
  • $user = the Add2Exchange service account, such as Zadd2exchange@yourdomain.com

Add-MailboxPermission -Identity $identity -User $user -AccessRights 'FullAccess' -InheritanceType All -AutoMapping:$false

Again, do not assign these permissions in the Exchange Online GUI, or the mailbox may automap into Outlook, which is generally undesirable.
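
After running permissions, the grant can be verified across the whole managed distribution list before waiting on the next Relman cycle. The following is an added example, not Add2Exchange code; the group address is a hypothetical placeholder, the service account is the example name used above, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: report which distribution list members lack the FullAccess
# grant for the Add2Exchange service account. Read-only; changes nothing.
$GroupName      = 'managed-list@yourdomain.com'      # hypothetical placeholder
$ServiceAccount = 'Zadd2exchange@yourdomain.com'     # example account from this notice

# Only cloud mailboxes can carry the grant; skip contacts and nested groups.
$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

$report = foreach ($m in $members) {
    $grant = Get-MailboxPermission -Identity $m.PrimarySmtpAddress `
                 -User $ServiceAccount -ErrorAction SilentlyContinue |
        Where-Object { (@($_.AccessRights) -match 'FullAccess') -and -not $_.Deny }
    [pscustomobject]@{
        Mailbox    = $m.PrimarySmtpAddress
        FullAccess = [bool]$grant
    }
}

$report | Sort-Object FullAccess, Mailbox | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.FullAccess })
"{0} of {1} mailboxes are missing the grant." -f $missing.Count, @($report).Count

# Print (do not run) the command from this notice for each mailbox still missing it.
foreach ($row in $missing) {
    "Add-MailboxPermission -Identity '{0}' -User '{1}' -AccessRights 'FullAccess' -InheritanceType All -AutoMapping:`$false" -f
        $row.Mailbox, $ServiceAccount
}

# Get-MailboxPermission does not report the automapping state, so this confirms
# the grant only, not how it was applied.
```

Allow for the 15 to 20 minute propagation delay described above before treating a missing grant as a failure.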

Need Help?

If you would like assistance under Premier Support, please open a ticket.

Helpful topic: How Add2Exchange Works