The Operation on Mailbox Failed Because It’s Out of the Current User’s Write Scope


When you try to update certain attributes on your Office 365 user object, you may run into the following error message:

The Operation on mailbox "xyz" failed because it's out of the current user's write scope

It can happen in the Microsoft Office 365 Admin Center as well as in the Exchange Admin Center, and it may look like this:

The operation on mailbox failed because it's out of the current user's write scope. The action Set-Mailbox EmailAddresses can't be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

The same thing can happen if you’re using PowerShell to update Office 365 user attributes or Exchange Online mailbox attributes. Using PowerShell you’ll see an error message similar to this:

Set-MsolUser : Unable to update parameter. Parameter name: COUNTRY.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName Tycho.Brahe@observatory.onmicrosoft.com -Co ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online.Administration.Automation.SetUser

What’s going on…?

Attribute Source of Authority

When you’re running a hybrid environment, your on-premises Active Directory becomes the source of authority for a lot of the user attributes found in Azure/Office 365. This includes, for example, the following attributes:

  • FirstName
  • LastName
  • DisplayName
  • Office
  • ProxyAddresses
  • mailNickname
  • msExchHideFromAddressLists
  • etc…

Some of these attributes (e.g. proxyAddresses and mailNickname) directly affect the functionality of your Exchange Online mailbox but can only be configured in “a galaxy far away”: for these special mailbox attributes you need to make your updates in your on-prem Active Directory and then synchronize the changes to Azure AD using Azure AD Connect.

To make things more complicated, some of the attributes change their name depending on their context. They may have one name in your on-prem Active Directory, another in the Azure AD Connect metaverse and yet another in Azure AD. The attributes may even have different names in the Msol PowerShell module, the Azure AD module and the Exchange Online module!

So, take care when managing your Office 365 users and mailboxes. Know where to change attributes and make sure to use the proper attribute names when doing so.
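
The routing decision described above, as an added example (not code from this article or from any vendor tool): it checks whether a mailbox is directory-synced and writes a secondary address to whichever side is the source of authority, using the on-prem name proxyAddresses and the Exchange Online name EmailAddresses for the same attribute. The function name Add-SecondaryAddress and the example.com addresses are hypothetical, and it assumes the on-prem UPN matches the cloud UPN, an existing Connect-ExchangeOnline session and the ActiveDirectory module.

```powershell
# Added example. Add-SecondaryAddress is a hypothetical helper name.
function Add-SecondaryAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $SmtpAddress,
        [switch] $StartDeltaSync   # only works on the Azure AD Connect server
    )

    $proxy   = "smtp:$SmtpAddress"   # lowercase prefix marks a secondary address
    $mailbox = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

    if (-not $mailbox.IsDirSynced) {
        # Cloud-only mailbox: Exchange Online is the source of authority.
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set-Mailbox: add $proxy")) {
            Set-Mailbox -Identity $UserPrincipalName -EmailAddresses @{ Add = $proxy }
        }
        return 'ExchangeOnline'
    }

    # Synced mailbox: a cloud-side write fails with the write-scope error,
    # so the change goes to proxyAddresses on the on-premises object.
    # Assumption: on-prem UPN equals the cloud UPN. Quotes are escaped for -Filter.
    $upn    = $UserPrincipalName.Replace("'", "''")
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties proxyAddresses
    if (-not $adUser) { throw "No on-premises user with UPN $UserPrincipalName" }

    # -notcontains is case-insensitive, so an existing SMTP: (primary) entry
    # for the same address also counts as already present.
    if ($adUser.proxyAddresses -notcontains $proxy) {
        if ($PSCmdlet.ShouldProcess($adUser.DistinguishedName, "Set-ADUser: add $proxy")) {
            Set-ADUser -Identity $adUser -Add @{ proxyAddresses = $proxy }
        }
    }

    # Otherwise the change reaches Azure AD at the next scheduled sync cycle.
    if ($StartDeltaSync -and $PSCmdlet.ShouldProcess('Azure AD Connect', 'Start delta sync')) {
        Start-ADSyncSyncCycle -PolicyType Delta
    }
    return 'OnPremisesAD'
}

# Constructed placeholder values; -WhatIf shows which side would be written.
Add-SecondaryAddress -UserPrincipalName 'user@example.com' -SmtpAddress 'alias@example.com' -WhatIf
```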

Using a Professional Office 365 Management Tool

One way to make your life easier is to use a third-party tool to simplify Office 365 management.

Easy365Manager extends the Active Directory Users & Computers tool with an Office 365 tab and a Mailbox tab. This allows you to perform all user, mailbox and Office 365 license management without worrying about attribute source of authority or attribute names.

Easy365Manager makes sure your configurations end up in just the right place using native Windows PowerShell commands, just like the official admin portals from Microsoft.

This means you can manage Office 365 users and mailboxes from one single tool instead of switching between your local AD, the Office 365 Admin Center and the Exchange Admin Center.

Download the fully functional free 30-day trial to start doing smarter Office 365 management today.