Exchange Hybrid Mailbox Move - Corruption Due To Missing Security Principals (ACL issues) - TooManyBadItemsPermanentException
Microsoft have introduced DCS (Data Consistency Scoring) which is planned to supersede the Bad Item Limit count you declare on a migration.
There are four grades of DCS; Perfect, Good, Investigate and Poor. You can complete the migration for all grades, except Poor.
Importantly, this now means they can now properly differentiate between a corruption in mailbox data and missing permissions or security principal which couldn't be set on the target mailbox. Previously you had to raise the Bad Item Limit to compensate for security principals and genuine corruption combined; this should no longer be the case.
For now, DCS will be used by default where you don't set a Bad Item Count. If you do specify a Bad Item Count, DCS will not be used
See the below links for more details:
The result is that users who were granted mailbox permissions but have since left the organisation and had their AD user account deleted will show as a corrupt item when that mailbox is migrated to Exchange Online. These errors were previously hidden from the log, but they're not marked as corruptions which means you need to raise that corruption level for your mailbox move/s.
In order to decipher which corruptions are genuine are which are related to ACL issues, you can run the following script. The script can be run against a migration batch in PowerShell for Exchange Online to determine and output which mailbox migrations have genuine corruptions and require investigation, and which do not.
3 files will be output to directory specified with a subfolder with a timestamp prepended.
- A summary CSV output including the mailboxes queried along with the details in the table above.
- An output of all corrupt bad items found, including ACL security principals, should they need to be queried.
- A migrations XML output for each mailbox migration - this can imported into any PowerShell session at a later date and queried; this allows you to remove the migration job but keep a logged record.
Here is an example of what is output to screen: