Exchange Online restore fails with Server not reachable error for users provisioned from Azure to Druva using SCIM
When performing a restore of Exchange Online backed-up data, the restore gets triggered but fails instantly with the following error.
Error: Server not reachable. (#100000011)
After further investigation with Support, we find the following error:
The primary SMTP address must be specified.
The issue arises from the following configuration:
1. On the Azure AD -> Enterprise Applications -> Druva’s SCIM app -> Provisioning -> Attribute Mapping section, Azure AD userPrincipalName is mapped to Druva userName.
2. There is no mapping of the mail attribute from Azure to Druva.
3. The UPN and PrimarySMTPAddress in Microsoft 365 are different. For example:
UserPrincipalName in Microsoft 365 is set to “EXO_Test@ragnhildindia1.onmicrosoft.com”, whereas the Primary SMTP Address is set to “EXO@ragnhildindia1.onmicrosoft.com”.
4. On the inSync Management Console menu bar, click the icon to access the global navigation panel.
5. Click SaaS Apps.
6. Click Microsoft 365.
7. Click Overview.
8. Click on the More icon on the top-right corner and click Settings.
9. The Access user account using dropdown is set to inSync Email ID.
This leads to the following workflow:
With SCIM Provisioning, the user was added to Druva from Azure with the UserPrincipalName attribute under Druva’s UserName attribute.
In inSync, the UserName attribute translates to inSync Email ID.
Hence, inSync Email ID is now EXO_Test@ragnhildindia1.onmicrosoft.com, whereas in Microsoft 365 the user’s PrimarySMTPAddress is EXO@ragnhildindia1.onmicrosoft.com.
inSync sends EXO_Test@ragnhildindia1.onmicrosoft.com to Exchange Online at the time of the restore job.
Since there is a mismatch of the SMTP Address, Exchange Online will reject the request and Druva will get the error: The primary SMTP address must be specified.
In the user’s restore logs, we get the Server not reachable error.
Note: This setup does not impact backup operation as Exchange Online will match the inSync Email ID with either the SMTP, alias, or UserPrincipalName of the user and will allow Druva to read the data.
The issue occurs only when Druva writes data to Exchange Online, because Microsoft specifically requires the proper SMTP address for that operation.
Download the user’s logs using the following steps:
- Navigate to the inSync Management Console.
- Click Users.
- Click on the affected user’s account.
- Click on the More icon next to the Restore button.
- Select Download Debug Logs.
Step 1: Fix the attribute mappings in Azure AD - Druva SCIM App.
The following attribute mappings should be set via the SCIM App in Azure AD:
(source) Azure AD Attribute
(target) Druva Attribute
Note: The Druva attributes translate to:
userName = inSync Email Address
urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName = userPrincipalName.
The userPrincipalName in Druva is not accessible on the inSync Management Console. It is updated on the backend in the database.
Follow the steps below to achieve the above configuration:
To add a userPrincipalName attribute for Druva in the Attribute Mapping:
1. Select Show advanced options.
2. Click the Edit attribute list for the Druva link.
3. On the Edit Attribute List window, set all values as follows:
4. Click Save.
5. Navigate to Druva App Provisioning and click userPrincipalName attribute.
6. Change it to mail as follows.
Hence, the Azure AD mail attribute is now targeting Druva’s userName attribute.
7. Click Add New Mapping.
8. Select Source attribute as userPrincipalName and Target attribute as urn:ietf:params:scim:schemas:extension:Druva:2.0:User:userPrincipalName.
9. Click Save. The attribute appears in the Attribute Mappings.
10. Azure has a default auto-provisioning cycle of 40 minutes since the last provisioning cycle. You may wait until then or you may run the manual provisioning with the Provision on Demand option.
11. After the user provisioning is completed, you may attempt the restore once again.
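The effect of the Step 1 mapping change, as an added example (not Druva's or Microsoft's code): it builds the SCIM user resource each mapping would produce and lists users whose provisioned userName does not match their primary SMTP address. The function names, the `primarySmtpAddress` field, the nesting of the extension attribute under its schema URN, and the sample records are assumptions made for illustration.

```python
# Added example: models the Azure AD -> Druva SCIM attribute mappings from this page.
# Function names and the "primarySmtpAddress" field are hypothetical.
DRUVA_EXT = "urn:ietf:params:scim:schemas:extension:Druva:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"

# Mappings as {Druva target attribute: Azure AD source attribute}.
MAPPING_BEFORE = {"userName": "userPrincipalName"}             # original setup
MAPPING_AFTER = {"userName": "mail",                            # after Step 1
                 DRUVA_EXT + ":userPrincipalName": "userPrincipalName"}

def build_scim_user(aad_user, mapping):
    """Build the SCIM User resource a given mapping would provision."""
    resource = {"schemas": [CORE]}
    for target, source in mapping.items():
        value = aad_user.get(source)
        if target.startswith(DRUVA_EXT + ":"):
            # Assumption: extension attributes nest under the schema URN (SCIM 2.0 layout).
            if DRUVA_EXT not in resource["schemas"]:
                resource["schemas"].append(DRUVA_EXT)
            resource.setdefault(DRUVA_EXT, {})[target[len(DRUVA_EXT) + 1:]] = value
        else:
            resource[target] = value
    return resource

def restore_at_risk(aad_users, mapping):
    """Return UPNs whose provisioned userName (inSync Email ID) is empty or
    differs from the mailbox's primary SMTP address."""
    flagged = []
    for user in aad_users:
        email_id = build_scim_user(user, mapping).get("userName") or ""
        if email_id.lower() != user["primarySmtpAddress"].lower():
            flagged.append(user["userPrincipalName"])
    return flagged

# Constructed sample records; the first uses the addresses quoted on this page.
USERS = [
    {"userPrincipalName": "EXO_Test@ragnhildindia1.onmicrosoft.com",
     "mail": "EXO@ragnhildindia1.onmicrosoft.com",
     "primarySmtpAddress": "EXO@ragnhildindia1.onmicrosoft.com"},
    {"userPrincipalName": "same@example.com", "mail": "same@example.com",
     "primarySmtpAddress": "same@example.com"},
    {"userPrincipalName": "nomail@example.com", "mail": None,   # mail not populated
     "primarySmtpAddress": "nomail@example.com"},
]

if __name__ == "__main__":
    print("at risk before:", restore_at_risk(USERS, MAPPING_BEFORE))
    print("at risk after: ", restore_at_risk(USERS, MAPPING_AFTER))
```

The third sample record is flagged only under the corrected mapping, because its mail attribute is empty; confirm that mail is populated for every provisioned user before switching the mapping.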
Step 2: Change inSync’s settings to access user account in Microsoft 365:
To ensure that both OneDrive and Exchange Online continue to get backed up successfully, implement the following changes:
1. On the inSync Management Console menu bar, click the icon to access the global navigation panel.
2. Click SaaS Apps.
3. Click Microsoft 365.
4. Click Overview.
5. Click on the More icon next to the Reconfigure button.
6. Click Settings.
7. Click on the Access user accounts using dropdown and set it to AD Attribute.
8. Click Save.