Proofpoint, Inc.

Azure (Microsoft Entra ID) Active Directory Shared Mailboxes

Situation

When you convert an Azure (Entra ID) Active Directory object to a shared object, Microsoft disables the Azure (Entra ID) object. As a result, mail flow stops and the Proofpoint object is disabled as well, since we only mirror what Azure (Entra ID) (and AD, for that matter) tells us. Additionally, if you do this before syncing with Proofpoint for the first time, the objects in Proofpoint Essentials do not come across correctly.

Solution

Following the steps outlined below will allow you to convert Functional Accounts in Azure (Entra ID) Active Directory:

Sync the account in Administration > User Management > Import & Sync > Azure Directory sync. The object will come over either as a Group (no change necessary) or as a User. If it comes over as a user account, sync the account with Proofpoint. Then convert that object to a Functional Account by selecting the check box and choosing Mass Update. Select Functional Account from the Role drop-down.

Next, manually run the Azure sync and then find the Shared Mailbox in the list of accounts to be updated. Select the EXEMPT button. This will prevent sync from updating the account back to a User role.

Azure Active Directory shared groups in Proofpoint Essentials

Step 1:

Is the account currently synced as a user? If so, check the account status. (If the account status is green, skip to Step 2.)

  1. Go to Administration > User Management > Users.
  2. If the account has a grey status dot, the account is disabled and mail flow is stopped.
  3. If that is the case, click on the name. This will take you inside the profile of the customer. Click the Activate User button and then click Save.
  4. Now the user should show a green active status dot.

Once the account is re-enabled, mail flow can take up to an hour to start again. See KB: Timing for configuration changes to occur.

Step 2:

Because Shared Accounts get disabled in Azure (Entra ID)/Active Directory, Proofpoint follows the Azure (Entra ID) directions and disables the account. If the account is deleted from Azure (Entra ID)/AD, Proofpoint will delete it. To change this behavior and ignore what Azure (Entra ID)/AD tells us, we need to exempt the account.

How do you convert a user account to/from a Functional Account. (For KB click on title)

We have improved the experience for managing user roles by allowing admins to change users from Functional to End or Silent user, and vice versa, directly from the User Management > Functional Accounts - Mass Update page. Select the user accounts you wish to update. Then check the boxes to the left of the name(s) you wish to change and click the Mass Update Functional Accounts button. (You can also perform Step 3 at the same time when changing from User to Functional Account.)

Step 3: 

How to exempt account in AD and Azure Sync. (For KB click on title)

We have improved the experience for managing user sync exemptions by allowing admins to add users to the sync exemption list directly from the User Management > Users page. Go to the User Management > Users section. Select the user accounts you wish to update. Then check the boxes to the left of the name(s) and click the Mass Update button. Change the drop-down option in the Exempt from Sync field to Yes. Then click the Update Users button.