Carry forward the policy that everyone with a kylawoffice.com mailbox should also have a matching demandsam.com address.
Built an active-user/mailbox-backed alias plan from the diagnosis report. Connected to Exchange Online app-only using the existing SAIL-Audit-Visibility app. Exported pre-change recipient state before writes. Added only secondary smtp aliases, with no primary SMTP changes and no deletions. Verified 12 aliases are now present in Exchange.
Added and verified: aguiarlaw@demandsam.com, claudia.fiorello@demandsam.com, contact@demandsam.com, efiling@demandsam.com, email@demandsam.com, it@demandsam.com, lit_events@demandsam.com, mail@demandsam.com, pleadings@demandsam.com, privacy@demandsam.com, sep@demandsam.com, switchvox@demandsam.com.
Sam@demandsam.com and 24 other staff aliases were not added because their mailboxes are synchronized from the on-premises organization. Exchange Online returned the explicit out-of-scope error that EmailAddresses must be changed in the on-prem organization. Four Graph-derived user addresses did not resolve through Exchange recipient lookup: administrator@kylawoffice.com, hatfield.global@kylawoffice.com, hr@kylawoffice.com, and xerox@kylawoffice.com. Distribution groups and cloud groups were not changed in this pass.
Repair folder: /Users/samaguiar/Documents/Projects/admin/outlook-audits/demandsam-alias-repair-20260529T152019Z. Key files: repair-closeout.md, aliases-added.csv, onprem-sync-blocked-users.csv, not-found-users.csv, before-recipients.json, apply-results.json, verify-results.json. Rollback is available by removing the aliases listed in aliases-added.csv from the corresponding mailbox EmailAddresses list.
The Exchange Online portion is complete and verified. The remaining work requires the on-prem AD source or an AD Connect-reachable machine. The available RDP target was not reachable from this Mac on RDP, WinRM, LDAP, or LDAPS during this run, and no LDAP service credentials were present in the local vault.
Continue from the on-prem AD lane. Add missing smtp:<local>@demandsam.com values to each synced user proxyAddresses attribute, then trigger or wait for AD Connect sync. Verify Sam first with Get-Recipient and a controlled test email to sam@demandsam.com. After staff are fixed, review group and service-mailbox parity separately so public inbound aliases are widened deliberately.
A capable next agent should treat this as partially repaired, not merely diagnosed. Do not retry Set-Mailbox in Exchange Online for Sam or the listed synced staff; the cloud scope error is definitive. Use on-prem AD proxyAddresses or a reachable AD Connect machine.
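One way to carry out the on-prem step above, as an added example that is not part of the original repair run or its scripts. It assumes onprem-sync-blocked-users.csv has a PrimarySmtpAddress column and that it runs on a domain-joined machine with the ActiveDirectory module; the results file name is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumption: the CSV has a PrimarySmtpAddress column.
param(
    [string]$CsvPath     = '.\onprem-sync-blocked-users.csv',
    [string]$AliasDomain = 'demandsam.com',
    [switch]$Apply       # omit to get a report only; nothing is written
)

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $primary   = $row.PrimarySmtpAddress.Trim()
    $localPart = ($primary -split '@')[0]
    # Lowercase "smtp:" marks a secondary address; the primary "SMTP:" entry is untouched.
    $alias     = ('smtp:{0}@{1}' -f $localPart, $AliasDomain).ToLower()

    # proxyAddresses matching is case-insensitive, so this finds SMTP: and smtp: entries.
    $user = @(Get-ADUser -LDAPFilter "(proxyAddresses=smtp:$primary)" -Properties proxyAddresses)
    $status = if ($user.Count -ne 1) {
        'UserNotFoundOrAmbiguous'
    } else {
        # Skip if any object in the searched domain already holds the alias.
        $holder = @(Get-ADObject -LDAPFilter "(proxyAddresses=$alias)")
        if ($holder.DistinguishedName -contains $user[0].DistinguishedName) {
            'AlreadyPresent'
        } elseif ($holder.Count -gt 0) {
            'ConflictHeldByOtherObject'
        } elseif ($Apply) {
            # -Add appends one value; existing proxyAddresses entries are kept.
            Set-ADUser -Identity $user[0] -Add @{ proxyAddresses = $alias } -ErrorAction Stop
            'Added'
        } else {
            'WouldAdd'
        }
    }
    [pscustomobject]@{ Primary = $primary; Alias = $alias; Status = $status }
}

$results | Format-Table -AutoSize
# Hypothetical output file name; keep it with the other repair artifacts for rollback.
$results | Export-Csv -Path '.\onprem-alias-results.csv' -NoTypeInformation

# Next, on the AD Connect server: Start-ADSyncSyncCycle -PolicyType Delta
# Then in Exchange Online: Get-Recipient -Identity sam@demandsam.com | Select-Object -ExpandProperty EmailAddresses
```

Run it once without -Apply and review the WouldAdd and Conflict rows before writing anything.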