I recently ran into an issue with Skype for Business users in Hybrid mode with Skype for Business Online. The user in question was added to Active Directory, synchronized using Azure AD Connect, and licensed for Skype for Business Online. However, the user wasn’t able to sign in to Skype. The issue was that when the Skype user was added and then licensed, the user wasn’t also “Enabled” on-premises. As a result, the sign-in attempt was hitting the on-premises environment but failing to be redirected to Skype Online, since the on-premises environment wasn’t aware of the user. In Skype for Business hybrid mode, DNS resolves to the on-premises environment, allowing it to direct users to the appropriate pool, whether they are homed online or on-premises.
Since this was a “Skype Online” user, I ran the following cmdlet via Skype for Business Management Shell:
Enable-CsUser -Identity "email@example.com" -SipAddressType "EmailAddress" -HostingProviderProxyFqdn "sipfed.online.lync.com"
…in an effort to enable the Online user, updating the on-premises AD object.
I immediately received the following error: “Cannot move user in enable operation. Use the Move user cmdlet instead”.
In order to resolve this issue without having to delete the account, I opened up the “Active Directory Users and Computers” management console to review the user object. I deleted values for the following “msRTCSIP” attributes:
msRTCSIP-DeploymentLocator, msRTCSIP-FederationEnabled, msRTCSIP-InternetAccessEnabled, msRTCSIP-Line, msRTCSIP-OptionFlags, msRTCSIP-PrimaryHomeServer, msRTCSIP-PrimaryUserAddress, msRTCSIP-UserEnabled, msRTCSIP-UserPolicies, and msRTCSIP-UserRoutingGroupID.
Once the changes have been made to the on-premises AD object, wait for it to synchronize throughout all domain controllers. You can even do a manual directory sync via Azure AD Connect. Once everything is synchronized, you can attempt to “Enable” the user using Skype for Business Management Shell as follows:
Enable-CsUser -Identity "firstname.lastname@example.org" -SipAddressType "EmailAddress" -HostingProviderProxyFqdn "sipfed.online.lync.com"
After executing the command, you should no longer receive the error. Once the user has been enabled, synchronize the directory again (or wait for it to run automatically). The user should now be able to sign in without issue!
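The attribute clean-up described above, scripted with the ActiveDirectory module instead of the ADUC console, as an added example that is not from the original post. The UPN and backup path are placeholders, the `Test-HasValue` helper is hypothetical, and the script assumes the Lync/Skype schema extension is present; it snapshots the current values before clearing them and confirms the attributes are empty afterwards.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: the affected account's UPN and where to save the snapshot.
$Upn        = 'firstname.lastname@example.org'
$BackupPath = ".\msRTCSIP-backup-$($Upn -replace '[^\w.-]', '_').json"

# The msRTCSIP attributes the post clears.
$Attrs = @(
    'msRTCSIP-DeploymentLocator', 'msRTCSIP-FederationEnabled',
    'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-Line', 'msRTCSIP-OptionFlags',
    'msRTCSIP-PrimaryHomeServer', 'msRTCSIP-PrimaryUserAddress',
    'msRTCSIP-UserEnabled', 'msRTCSIP-UserPolicies', 'msRTCSIP-UserRoutingGroupID'
)

# Hypothetical helper: true when an attribute value is present and non-empty.
function Test-HasValue($Value) { ($null -ne $Value) -and (@($Value).Count -gt 0) }

$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties $Attrs
if (-not $user) { throw "No AD user found with UPN $Upn" }

# Record the current values so the change can be reviewed or reverted later.
$snapshot = [ordered]@{ DistinguishedName = $user.DistinguishedName }
foreach ($a in $Attrs) { $snapshot[$a] = $user.$a }
$snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupPath -Encoding UTF8

# Clear only the attributes that actually hold a value.
$toClear = @(foreach ($a in $Attrs) { if (Test-HasValue $user.$a) { $a } })
if ($toClear.Count -gt 0) {
    Set-ADUser -Identity $user.DistinguishedName -Clear $toClear
}

# Confirm nothing is left behind before moving on to the enable step.
$check = Get-ADUser -Identity $user.DistinguishedName -Properties $Attrs
$left  = @(foreach ($a in $Attrs) { if (Test-HasValue $check.$a) { $a } })
if ($left.Count -gt 0) { throw "Still populated: $($left -join ', ')" }
"Cleared $($toClear.Count) attribute(s); snapshot saved to $BackupPath"

# Next steps, once the change has replicated to all domain controllers:
#   On the Azure AD Connect server:  Start-ADSyncSyncCycle -PolicyType Delta
#   In the Skype for Business Management Shell: re-run the Enable-CsUser command above.
```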
Contact Enabling Technologies for all of your Office 365 and Skype for Business needs!