The question in my previous blog post was “Can we decommission our Exchange servers after moving to Office 365?” and the blunt answer was “No, you cannot decommission your last Exchange server on-premises”.
In this previous blog post I showed you what happens if you synchronize a user to Azure Active Directory from your on-premises Active Directory, and how to create a Mailbox in Exchange Online with a proper primary Email address. At the same time, it was only possible to set only one Email address, and there’s no possibility to add multiple Email addresses, nor is it possible to change any other Exchange related setting.
In this blog post I’ll discuss how to extend Active Directory with Exchange attributes to unleash more functionality and management options in Exchange Online. Please note that the solution in this blog works fine, but it is not recommended and not supported by Microsoft.
Add additional email address
As we’ve seen in the previous blog post it is not possible to change the Email address of a user in Office 365 (using EAC) when Azure AD Connect is installed. This is because the source of authority is the on-premises Active Directory.
How do we add additional Email addresses to a user? Typically, Exchange takes care of this, and the (additional) Email addresses are stored in a attribute called proxyAddresses. This is a multi-valued attribute and can contain multiple entries, i.e. Email addresses.
In our example a green-field Active Directory is used, an Active Directory that isn’t even prepared for any Exchange version. This a situation that can occur when a customer has moved from another messaging platform like Groupwise or Notes, but does have Exchange installed. As a result, the Exchange attributes are not available in the on-premises Active Directory.
To add the Exchange attributes you have to prepare the on-premises Active Directory schema for Exchange using the Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms command from the Exchange installation media:
After running this command the Active Directory Schema has been extended, and when checking a user account with ADSI Edit you can see the Exchange related attributes. In the following screenshot you can see the proxyAddresses attribute of a user after running the command mentioned above.
The new attributes need to be made available in Azure Active Directory as well. To do this you have to run the Azure AD Connect tool again and select the Refresh Directory Schema option as shown in the following three screenshots:
Now we can add additional Email addresses to this user.
To do this we have to edit the user’s proxyAddresses property according to the following guidelines:
- The primary Email address format: SMTP:email@example.com (Uppercase SMTP)
- Additional Email addresses format: smtp:firstname.lastname@example.org (lowercase smtp)
So, in the the following screenshot additional email addresses are added using ADSI Edit for the user that was created in the previous blog post:
And when the information is replicated to Azure Active Directory you can check the user properties in the Microsoft Online Portal:
You can change more options. For example, to hide a user from the Address List in Exchange Online, you have to set the msExchHideFromAddressLists property from False to True as shown in the following screenshot:
Please note that for the “Hide From Address Lists” option will be activated in Exchange Online only when the user’s alias attribute is set!
The following questions arise:
- Is this useful? Maybe.
- Does it work? Sometimes (in my experience)
- Is this supported? Absolutely not!
- Would I recommend this? No, I’m afraid not.
In this blogpost I showed you how to extend the on-premises Active Directory with the Exchange attributes, something that might be useful when you’ve migrated from Notes or GroupWise to Exchange Online. This way the Exchange attributes become available on-pemises which can be used for management purposes. But if you’ve moved from Exchange on-premises to Exchange Online and removed the last Exchange server in your organization, you’re basically in the same situation.
Unfortunately, Exchange Online management can only be achieved using ADSI Edit or Active Directory and Computers by directly editing the Exchange attributes, something that can be complex and that’s not supported by Microsoft. It is basically an undocumented feature, and when Microsoft changes the way Azure AD Connect works there’s the possibility your manual configuration will start to fail. I always recommend against it.
The best solution is to add an Exchange server on-premises for management purposes. In some cases, you can get the Exchange license for free, and there’s not much configuration needed on the Exchange server. This is part of my next blog.