G-Suite to Office 365 Migration – No Contact Folder Permissions Solution

Updated: 04/04/2022 – It appears the update folders Technet gallery link is no longer available.  I was able to obtain a copy via Internet Archive and will post that along with a copy that I host.

I recently used Microsoft’s new G-Suite to Office 365 Migration method (this was back in 2019) to migrate a company from G-Suite to Office 365. Microsoft’s new method has a few benefits. Along with emails it also migrates user calendars and contacts to Exchange Online. This is great and and solves the need of paying a third party exorbitant amounts of money to handle a migration. I ran a test migration on a few accounts and it seemed to work well other than one small snag. In the Outlook desktop apps (both 2016 and 2019) users had no permissions for their primary Contacts folder. The contacts had migrated from Google but had no ability to edit them or create new ones. The Outlook Web App functioned correctly.

I tried resetting permissions with PowerShell but ended up with no success. I then opened a ticket with Microsoft and after some basic troubleshooting I was escalated. The next representative I spoke with had me do the same troubleshooting I had done prior to opening the ticket with Powershell. After a while on the phone I was finally escalated again. It took a few days before my ticket was picked back up however when I did I finally got a real resolution.

The Fix (Method 1):

This resolution requires the EWS API to be installed, the Update Folders PS script found below in an accessible folder, and the Application Impersonation Role.  This role can take an hour to propagate however it is usually much faster.  As always never run scripts without reviewing the code and understanding what they do! Additionally, Exchange Online Powershell is ever evolving and this information may be outdated at any time.  I have updated the resources but have no way of guaranteeing the methods are still implemented by Microsoft.  You may also try Method 2 to manually make changes and see if this will resolve your issues.

EWS API: https://www.microsoft.com/en-us/download/details.aspx?id=42951
Update-Folders.ps1: https://gallery.technet.microsoft.com/exchange/PowerShell-Update-mailbox-79fd411a No longer available
Update Folders Readme
Internet Archive:  https://web.archive.org/web/20200402200156/https://gallery.technet.microsoft.com/exchange/PowerShell-Update-mailbox-79fd411a
Hosted PDF Version: https://nxc.nmbgeek.com/s/3S2FNRnk5oTSMtL
Update-Folders.ps1 Download:
Internet Archive: https://web.archive.org/web/20200501145217/https://gallery.technet.microsoft.com/exchange/PowerShell-Update-mailbox-79fd411a/file/223631/2/Update-Folders.ps1
Hosted Version:  https://nxc.nmbgeek.com/s/BCFEPHp3meTsPLg – USE AT YOUR OWN RISK. DISECT THE SCRIPT AND MAKE SURE YOU UNDERSTAND WHAT IT IS DOING.

Make sure to change the YourAdminUsername to the account you wish to use to run the folder fix script.

Assign the impersonation role with a Global Admin account.:

Set-ExecutionPolicy RemoteSigned
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:YourAdminUsername
Get-PSSession | Remove-PSSession

Wait for your permissions to be propagated.  We removed the session previously because that session wouldn’t have the commands needed to impersonate the users and change the flag needed on their Contacts folder.  In the meantime be sure to install the EWS API and download / move to a folder your Powershell Script linked above.  Once ready we can then change the PowerShell prompt to the directory containing the Update-Folders.ps1 script we downloaded earlier.

$cred = Get-Credential
$b = [byte[]]@(01, 04, 00, 00, 16, 00)
Get-Mailbox -ResultSize Unlimited | forEach {.\Update-Folders.ps1 -mailbox $_.PrimarySMTPAddress -FolderPaths "WellKnownFolderName.Contacts" -AddFolderProperties @{"0x36DA0102" = $b} -credentials $Cred -EwsURL "https://outlook.office365.com/EWS/Exchange.asmx" -Impersonate}

This script will go through and change a flag on all mailbox Contact folders to allow the correct permissions. This can take a while to propagate but should work for everyone. The alternative method is to do it for each device’s Outlook profile and affected Mailbox.

Method 2 – One by one using MFCMAPI

This is the much safer way but must be done on each account one by one.  You can also attempt this to make sure the above script will resolve your issue.

Download the MFCMAPI version x86 or 64-bit corresponding with the installed version of Outlook. I am not 100% sure that they need to match up but this is how it was instructed to me. MFCMAPI: https://github.com/stephenegriffin/mfcmapi/releases/tag/19.0.19115.01

In MFCMAPI follow these instructions:

Make sure Outlook is completely closed and open MFCMAPI.
Select Session > Logon

Select the affected Outlook Profile and press OK.

Double click the affected mailbox.

If the selected mailbox is the Root Mailbox expand “IPM_SUBTREE” and select “Contacts“.
If it is not the root mailbox you will expand “Top of Information Store” and select “Contacts“.

In right pane find and double click: PR_EXTENDED_FOLDER_FLAGS

Store current value in a secure location for backup and replace the value with:
010400801200070401000000

Open Outlook

Good luck and if you need any help or find errors in this please leave a comment below!