Ussng Dynamic Azure AD groups for mailbox job in a hybrid environment

[QVR]

Hi we are busy with changing our design for Exchange Mailbox job's scope "organisation" to use Dynamic Azure AD groups to balance the load over several repositories to keep the disk sizes "low".
Our O365 admin configured the following groups:

UserGroup-VBO_S02 = (user.objectId -match "^[0-3].*")
UserGroup-VBO_S03 = (user.objectId -match "^[4-7].*")
UserGroup-VBO_S04 = (user.objectId -match "^[8-9a-b].*")
UserGroup-VBO_S05 = (user.objectId -match "^[c-f].*")

We have a hybrid environment and busy with a migration from on prem to exchange online. But we already know we will keep x amount of mailboxes on prem.
When i start the job i get a lot of warnings (see below), The warning I understand, in the scope of the group are also on prem users and VBO can't find those mailbox to backup.
Error example: 13.12.2023 14:39:50 :: Processing mailbox lastname, firstname completed with warning: Exchange account was not found (ID: xxxxxx-xxx-xxxx)

Now is my question are there maybe others who ran into the same problem and found a solution to filter the on prem users to only have the exchange online users in a dynamic group?
I also made a support case#07049696 with the question if it was possible to supress these warnings or how we could change our filters for the dynamic group. But the answer was that vbo can't supress it and how to change our groups we should better ask to microsoft. So I hope maybe some forum members can give us tips.

[Mildur]

Hello Quirinus

What about filtering the assigned plans?
I assume you have assigned an Exchange Online Plan only to users with a Exchange Online mailbox.
You could use the assignedPlans filter to only add users with an Exchange Online Plan to the dynamic group.
https://learn.microsoft.com/en-us/entra ... #example-1

Best,
Fabian

[dbr]

Hi Fabian,

Thanks for your reply. Unfortunately, assigned plan will not help because a hybrid user has a plan assigned, but the mailbox is still on premises. Same problem for selecting "Site" as workload, when a user in the scope hasn't created a personal site, but we want to backup them, in case a user has created one. This is no problem, if we use an organization object as scope, because then these warning are automatically suppressed but then we cannot load balance across multiple jobs for a specific workload. We asked support if there are options to suppress warnings when using explicit scopes like security groups or single users instead of organizations, but they said no (as Quirinus mentioned before). With such option it would even be possible to fill the jobs with objects independent from existing workload for objects in the scope. The load balancing could be done just by selecting / grouping by the id of a specific type you can get from Veeam Powershell (like SiteId for sites, OfficeId for users, groups and teams). It's then also possible to easily exclude objects by id, if needed. But we have only the id and cannot filter by not having a mailbox, archive, onedrive or personal site. This is only possible in combination with Exchange Online Powershell, SharePoint Powershell and/or Azure AD Powershell, scheduled tasks, app registrations... what makes it much more complicated. Even though we had a look on the best practices guide and veeamhub scripts, we cannot image, that no other customer experiences these issues. If someone's following the best practices guide and using dynamic groups imho this currently cannot work without warnings in hybrid scenario. Or do we miss someting?

@product team: An option to suppress warnings when explicitly adding objects as scope, as it is the case when using an organization as scope, would be really helpful.