Office 365 Directory Synchronization without Exchange server Part III

In my previous blog post I explained how to manage your email attributes in Office 365 by directly editing the Exchange attributes in your on-premises Active Directory. This works fine, but it is neither recommended nor supported by Microsoft.

In this blogpost I’ll discuss how to add an Exchange server on-premises (or keep the last Exchange server when you’ve moved all Mailboxes to Office 365 for that matter) and manage your Exchange Online environment properly.

Exchange Server on-premises

So, what options do you have? Add an Exchange server on-premises, or keep one of the existing (hybrid) Exchange servers for management purposes. Since this is a green field Active Directory without an Exchange server on-premises, you can use the free Microsoft Hybrid License for this management server (the hybrid product key is issued through the Hybrid Configuration Wizard). For additional details on this free Exchange license, see Microsoft knowledgebase article KB2939261.

When adding an Exchange server (in my lab an Exchange 2016 CU2 server) to Active Directory, you get the Exchange Management Shell and the Exchange Admin Center (EAC) on-premises for management purposes.

The first thing that needs to be done is configuring an Accepted Domain and an Email Address Policy, so that locally created user accounts and Remote Mailboxes get the appropriate email addresses.

When a new user is created in Active Directory, only the basic attributes need to be populated. Once created, you can use the Exchange Management Shell to run the Enable-RemoteMailbox command. This converts the local user into a Mail-Enabled User with a Remote Mailbox: the Exchange attributes are stamped on the object in Active Directory, and the actual mailbox is created in Exchange Online once the object has been synchronized and licensed. The -RemoteRoutingAddress parameter sets the forwarding address (the targetAddress attribute) from the on-premises Mail-Enabled User to the mailbox in Office 365, typically an address in the tenant's .mail.onmicrosoft.com domain.

Enable-RemoteMailbox "Dave Heslop" -RemoteRoutingAddress


Do you need a hybrid configuration for this to happen? No. Since there is no mail flow between Exchange on-premises and Exchange Online, you don't need to run the Hybrid Configuration Wizard. Even better, because the Exchange server is not used for any communication and is only there for management purposes, it doesn't have to be configured at all; you can even leave the self-signed SSL certificate in place.

The only communication that takes place is the Azure AD Connect synchronization between the on-premises Active Directory and Azure Active Directory. Remember that all Exchange information is stored in Active Directory, so when you create a user account and enable a Remote Mailbox, the result is stored only in Active Directory, and only that information is synchronized to Azure Active Directory!

Assign the user an appropriate license in the Microsoft Online Portal et voila: your mailbox in Office 365 is fully functional, in a fully supported scenario, and managed on-premises.

When you want to enable a Personal Archive in Exchange Online, you can again use the Enable-RemoteMailbox command, now with the -Archive option:

Enable-RemoteMailbox "Dave Heslop" -Archive
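The steps above (accepted domain, email address policy, remote-mailbox-enabling an existing user, adding the archive) put together, with the check a practitioner wants before the next Azure AD Connect cycle: are the attributes that will be synchronized actually correct? This is an added example and not code from the original post. The domain names, OU, domain controller and account names are assumptions; the msExchRecipientTypeDetails values for rooms are the ones quoted in the comments below, the user and equipment values are the well-known Exchange values and are stated here as an assumption. Run it in the Exchange Management Shell on the management server.

```powershell
# Added example, not from the original post. Runs in the Exchange Management Shell.
Import-Module ActiveDirectory

$SmtpDomain   = 'exchangelabs.com'                              # assumption: public SMTP domain
$TenantDomain = 'exchangelabs.mail.onmicrosoft.com'             # assumption: tenant routing domain
$UserOu       = 'OU=Users,OU=Accounts,DC=exchangelabs,DC=local' # assumption
$Dc           = 'dc01.exchangelabs.local'                       # assumption: pin all writes to one DC

# 1. Accepted Domains. The tenant routing domain is added as well, because the email address
#    policy below may only use domains that are accepted domains.
foreach ($d in $SmtpDomain, $TenantDomain) {
    if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $d })) {
        New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative | Out-Null
    }
}

# 2. Email Address Policy: primary address on the public domain, secondary on the tenant
#    domain, so every remote mailbox carries the address it is known by in Exchange Online.
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledEmailAddressTemplates "SMTP:%m@$SmtpDomain", "smtp:%m@$TenantDomain"
Update-EmailAddressPolicy -Identity 'Default Policy'

# 3. Create the AD user with only the basic attributes, then turn it into a Remote Mailbox.
function New-ManagedRemoteUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$Archive
    )
    $upn = "$SamAccountName@$SmtpDomain"   # UPN must be on a domain verified in the tenant
    New-ADUser -Server $Dc -Path $UserOu -Name "$GivenName $Surname" -GivenName $GivenName `
        -Surname $Surname -SamAccountName $SamAccountName -UserPrincipalName $upn `
        -AccountPassword $Password -Enabled $true

    # -RemoteRoutingAddress becomes targetAddress: mail for this object is forwarded to the
    # tenant. The mailbox itself is created by Exchange Online after sync and licensing.
    Enable-RemoteMailbox -DomainController $Dc -Identity $upn -Alias $SamAccountName `
        -RemoteRoutingAddress "$SamAccountName@$TenantDomain" | Out-Null
    if ($Archive) {
        Enable-RemoteMailbox -DomainController $Dc -Identity $upn -Archive | Out-Null
    }
    Get-RemoteMailbox -DomainController $Dc -Identity $upn
}

# 4. Verify the attributes Azure AD Connect will carry to Azure AD. Type details (assumption,
#    well-known values): 2147483648 = RemoteUserMailbox, 8589934592 = RemoteRoomMailbox,
#    17179869184 = RemoteEquipmentMailbox. Bit 1 of msExchRemoteRecipientType = ProvisionMailbox.
function Test-RemoteMailboxAttributes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $props = 'targetAddress', 'proxyAddresses', 'msExchRecipientTypeDetails',
             'msExchRecipientDisplayType', 'msExchRemoteRecipientType', 'msExchArchiveGUID'
    $u = Get-ADUser -Server $Dc -Identity $SamAccountName -Properties $props
    $problems = @()
    if ($u.targetAddress -notmatch "^SMTP:[^@]+@$([regex]::Escape($TenantDomain))$") {
        $problems += "targetAddress '$($u.targetAddress)' is not an address in $TenantDomain"
    } elseif ($u.proxyAddresses -notcontains $u.targetAddress.Replace('SMTP:', 'smtp:')) {
        $problems += 'tenant address missing from proxyAddresses (policy not applied?)'
    }
    if (($u.msExchRemoteRecipientType -band 1) -eq 0) {
        $problems += "msExchRemoteRecipientType=$($u.msExchRemoteRecipientType): no mailbox will be provisioned"
    }
    if ($u.msExchRecipientTypeDetails -notin 2147483648, 8589934592, 17179869184) {
        $problems += "unexpected msExchRecipientTypeDetails=$($u.msExchRecipientTypeDetails)"
    }
    [pscustomobject]@{
        User       = $SamAccountName
        Ok         = ($problems.Count -eq 0)
        HasArchive = [bool]$u.msExchArchiveGUID
        Problems   = $problems
    }
}

# Usage: create Dave with an archive, show the on-premises object, then run the attribute check.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for Dave'
New-ManagedRemoteUser -GivenName Dave -Surname Heslop -SamAccountName dheslop -Password $pw -Archive |
    Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, RecipientTypeDetails, ArchiveGuid
Test-RemoteMailboxAttributes -SamAccountName dheslop
```

Both New-ADUser and Enable-RemoteMailbox are pinned to the same domain controller so the second command does not race AD replication. If Test-RemoteMailboxAttributes reports a problem, fix it before the next sync cycle; once a bad targetAddress or type value has been synchronized, the object in Exchange Online is created with the wrong recipient type.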


It is also possible to create a new user account in Active Directory and remote-mailbox-enable it in one step, using the New-RemoteMailbox command.

To create a new user account for 'Kim Akers', set the password entered in the credential pop-up box (only the password from the prompt is used) and create a mailbox in Exchange Online, you can use the following Exchange PowerShell commands:

$Credentials = Get-Credential

New-RemoteMailbox -Name "Kim Akers" -Password $Credentials.Password -UserPrincipalName -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -RemoteRoutingAddress


And to create a new Room Mailbox for use with Exchange Online you can use the New-RemoteMailbox command with the -Room option.

$Credentials = Get-Credential

New-RemoteMailbox -Name "Conference Room" -Password $Credentials.Password -UserPrincipalName -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -Room -RemoteRoutingAddress


Note. For a Resource Mailbox of type Equipment you can use the same command, but replace the -Room with the -Equipment option.

You can check the Exchange Online Admin Center to see whether the Room Mailbox was actually created. You can also use the Exchange Online EAC to set permissions on this mailbox; this cannot be done on-premises.
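The New-RemoteMailbox commands for a user, a room and an equipment mailbox, generalized to a small batch and followed by a check of what was stamped on-premises. This is an added example and not code from the original post; the CSV input is constructed for the example, and the domain names, OU and domain controller are assumptions. The RecipientTypeDetails check addresses the situation in the comments below where a room showed up in the Office 365 portal but not as a resource in the Exchange Online EAC.

```powershell
# Added example, not from the original post. Runs in the Exchange Management Shell.
$SmtpDomain   = 'exchangelabs.com'                    # assumption: public SMTP domain
$TenantDomain = 'exchangelabs.mail.onmicrosoft.com'   # assumption: tenant routing domain
$TargetOu     = 'exchangelabs.local/Accounts/Users'   # assumption, OU format used by New-RemoteMailbox
$Dc           = 'dc01.exchangelabs.local'             # assumption: pin all writes to one DC

# Constructed sample input: one line per object to create.
$batch = @'
Name,Alias,Type
Kim Akers,kakers,User
Conference Room,confroom,Room
Projector 1,projector1,Equipment
'@ | ConvertFrom-Csv

function New-ManagedRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][ValidateSet('User', 'Room', 'Equipment')][string]$Type,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Parameters shared by all three types: UPN on a domain verified in the tenant,
    # remote routing address on the tenant domain (becomes targetAddress).
    $p = @{
        Name                         = $Name
        Alias                        = $Alias
        UserPrincipalName            = "$Alias@$SmtpDomain"
        OnPremisesOrganizationalUnit = $TargetOu
        RemoteRoutingAddress         = "$Alias@$TenantDomain"
        Password                     = $Password
        DomainController             = $Dc
    }
    switch ($Type) {
        'Room'      { $p.Room = $true }                      # resource type is chosen by the switch
        'Equipment' { $p.Equipment = $true }
        'User'      { $p.ResetPasswordOnNextLogon = $true }  # people change the batch password at first logon
    }
    New-RemoteMailbox @p
}

# One password prompt for the batch.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for this batch'
$created = foreach ($row in $batch) {
    New-ManagedRemoteMailbox -Name $row.Name -Alias $row.Alias -Type $row.Type -Password $pw
}

# Re-read the objects from the DC they were written to. RecipientTypeDetails must be
# RemoteUserMailbox, RemoteRoomMailbox or RemoteEquipmentMailbox; anything else means Exchange
# Online will not create the right kind of mailbox after the next Azure AD Connect cycle.
foreach ($m in $created) {
    Get-RemoteMailbox -DomainController $Dc -Identity $m.Identity
} | Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress, RemoteRoutingAddress -AutoSize
```

A room or equipment object that shows RemoteUserMailbox here was created without the -Room or -Equipment switch; remove it and recreate it before it synchronizes, because the recipient type cannot be changed afterwards from the on-premises side alone.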


The on-premises EAC can be used to manage most settings of your mailboxes in Exchange Online. When you open the on-premises EAC, the Remote Mailboxes show up as "Office 365 Mailbox", and Dave's remote Archive Mailbox is clearly visible in the mailbox properties.


Unfortunately, you cannot create remote mailboxes from the on-premises EAC; this is only possible from the on-premises Exchange Management Shell, using the New-RemoteMailbox or Enable-RemoteMailbox commands.

As mentioned before, the Exchange 2016 server in my lab is not configured. After installing the Exchange server I created an Accepted Domain and an Email Address Policy, and that's it. The only communication between the on-premises environment and Office 365 goes through the Azure AD Connect server, so there's no need to configure the Exchange server.

Can it be useful to configure the Exchange server anyway? If you do configure it (namespaces, certificate, connectors), you can also run the Hybrid Configuration Wizard against it.

Can it be useful to run the Hybrid Configuration Wizard? Yes, even if you have all mailboxes in Office 365 and don't plan to move mailboxes back to your on-premises environment (offboarding). Suppose you have multi-functional devices like scanners that send scanned documents directly to your mailbox. You can send these scanned documents to your on-premises hybrid server and have them relayed to the mailboxes in Office 365.

The same is true for on-premises applications, like CRM, HR or Finance applications, which send messages directly to users. Applications like this can use the on-premises Exchange hybrid server to relay messages from the application directly to the mailbox in Office 365.
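The relay scenario for scanners and applications, as an added example that is not part of the original post: a dedicated Receive Connector on the hybrid server, restricted to the device and application addresses, with a check that it has not accidentally become an open relay. The server name and IP ranges are assumptions, and the Hybrid Configuration Wizard is assumed to have created the outbound connector to Exchange Online, so that a message for a recipient in an accepted domain is routed to that recipient's remote routing address in Office 365.

```powershell
# Added example, not from the original post. Runs in the Exchange Management Shell on the
# hybrid-configured Exchange 2016 server.
$Server    = 'EX01'                                         # assumption: hybrid server name
$DeviceIps = '192.0.2.10', '192.0.2.11', '198.51.100.0/28'   # assumption: MFDs and the CRM/HR app hosts

# A connector on the same binding as the default Frontend connector (0.0.0.0:25) is allowed;
# Exchange selects the connector with the most specific RemoteIPRanges match. Anonymous
# submission is limited to these addresses, and protocol logging gives an audit trail.
$connector = New-ReceiveConnector -Server $Server -Name 'Relay from MFDs and apps' `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $DeviceIps -PermissionGroups AnonymousUsers -AuthMechanism Tls `
    -ProtocolLoggingLevel Verbose -Comment 'Anonymous submission to accepted-domain recipients only'

# The AnonymousUsers permission group only allows submission to recipients in accepted domains,
# which is all the scanners and applications need here. Relaying to arbitrary external recipients
# requires the ms-Exch-SMTP-Accept-Any-Recipient right; verify it is NOT granted to anonymous,
# otherwise every host in $DeviceIps can use this server as an open relay.
$anyRecipient = Get-ADPermission -Identity "$Server\$($connector.Name)" `
    -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
if ($anyRecipient) {
    Write-Warning "Anonymous relay to ANY recipient is enabled on $($connector.Name); scope this down."
}

# Review all connectors on the server: every anonymous connector should carry a narrow IP range.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups, ProtocolLoggingLevel -AutoSize
```

To test, send a message from one of the listed hosts with Send-MailMessage -SmtpServer pointed at the hybrid server and a recipient in the accepted domain; it should arrive in the Office 365 mailbox. Sending from a host outside $DeviceIps, or to an external recipient, should be rejected.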


In this blog post and the previous two blog posts I showed you how to manage Exchange Online when you don't have an Exchange server on-premises. This is a typical situation when you've moved off a Lotus Notes or GroupWise environment, but the same can be true if you decommissioned the last Exchange server after an Exchange on-premises to Exchange Online migration.

It's a bit of work and can be complex, but in the end it works. The problem is that it is unsupported and not recommended. One of the problems is that you never know what Microsoft will change (or improve) in Azure AD Connect. If something changes and your solution stops working, you're on your own.

I always recommend installing an Exchange server on-premises (or keeping the last Exchange server when moving to Exchange Online), just for management purposes. There's no need to configure it using the Hybrid Configuration Wizard, although doing so has some advantages when it comes to relaying messages from on-premises devices and applications to Exchange Online mailboxes.

37 thoughts on “Office 365 Directory Synchronization without Exchange server Part III”

  1. And we can even point autodiscover to O365, right?
    So for a new user in AD that has a mailbox in O365 we just run New-RemoteMailbox? Do we not need to run DirSync first, because the user is not synced from AD?

    And if we have a user provisioning system in AD that creates the user, we only run Enable-RemoteMailbox, and don't run DirSync first?

    BTW you need to set the license of course 🙂


    1. Yes, autodiscover points to Office 365, since there's not much to retrieve on-premises.
      You can just run New-RemoteMailbox, everything will be synchronized with Office 365 in just one run.
      And I'm not a license officer, I'm a techie 😉

    2. Take a look at these two articles for a reference. The first goes through what I believe you are asking with the process of creating a new AD user and mailbox in O365, and basic license assignment. The second gets a bit more granular on the license assignments.

      Have fun!


  2. OK sweet.
    BTW as per MS support we need to run hybrid Exchange N-2. Is this also applicable in this scenario? I know it's always best practice to keep up though 🙂

    And let's say we have an on-prem distribution group synced to O365 that is managed by 'Kim Akers'; she can't manage it anymore. How do we solve these things? (Create a pure cloud group, or set up the ECP vdir on the hybrid Exchange server so Kim can log on on-premises and edit the group via ECP?)


    1. When it comes to N-2, opinions differ. Is that Exchange 2016 CU1 and RTM, or Exchange 2013 CU12 and CU11, or Exchange 2010 SP3 UR13 and UR12? IMHO Microsoft is not very clear about this either. When it's Exchange 2016 only for hybrid, then why would they release a downloadable version of the HCW for Exchange 2010? Personally I don't really care about the major version, but I do care about the latest patches.

      About Kim and her distribution groups, I’ll ask her 😉


  3. What suggestion do you have with the “last Exchange server” on premise is SBS2008 (with Exchange 2007)? Another member DC currently exists on the network and is running AD Sync. Can the unlicensed Exchange 2016 be installed on the DC? And if so, presumably it needs to be installed first, then Exchange 2007 uninstalled from the SBS server?


    1. Exchange can be installed on the 2nd DC, but I do not recommend this since you cannot upgrade the DC later on. Please be aware that Exchange 2016 cannot be installed in an Exchange 2007 scenario. You need to install Exchange 2013 first, decommission Exchange 2007 and then install Exchange 2016 (or keep it running on Exchange 2013 if you want, as long as you keep it up-to-date with CUs you’re fine)


    1. EMC does not exist anymore, you need Exchange PowerShell or EAC, but these are only available if you install an Exchange 2016 server. But you get a free hybrid license for this, as long as you don't host mailboxes on it.

  4. Would you comment on what you setup for your email address policy, such as secondary for, and whether you dismount your automatically created database?


    1. I never change the default settings, so in this example the primary SMTP address would be, which is set by the email address policy. The hybrid configuration wizard will create a secondary address like If you don’t use the HCW I would configure this the same way to establish routing between on-premises and Exchange Online (for multi-functional devices for example).
      As for the default database, I leave it running, but enable circular logging.


  5. Great article thanks! Two questions:
    1. Are you certain that the SMTP functionality can be used on the hybrid server without licensing violation?
    2. Is there anyway to get the existing directory objects in AD to show up in the new Exchange server as Office 365 mailboxes-if you install Exchange after already setting up AD Connect and your O365 tenant?


    1. Hi, Thanks for your response.
      1. What license violation are you referring to? If you are using the ‘hybrid license’ you can use the SMTP functionality, you are not allowed to move Mailboxes to this server.
      2. If you install a new Exchange server if you already have directory synchronization and Mailboxes in Exchange Online you can use the Enable-RemoteMailbox command to achieve this.
      Thanks, Jaap


  6. Hi Jaap,

    I installed on-prem Exchange 2016 and ran HCW and got the free license. when I create a “Conference Room” using above PS script, I can see the object in AD, in On-prem EAC under mailboxes, and it synchronizes to AAD, I can see it in Office 365 Admin center under active users and it’s unlicensed, but it doesn’t appear in O365 EAC under resources tab or mailboxes…



      1. That’s weird. Just tried the same (with the Enable-RemoteMailbox) and it does show up in Office 365 EAC under Resources.
        Are you able to create an on-premises user mailbox, and does it show up in Office 365 EAC under Contacts?
        It looks like your user account is created, but the Exchange properties are synchronized properly.


  7. I checked my room object attributes in on-prem AD :
    seems ok.

    my msExchRecipientDisplayType = -2147481850

    my msExchRecipientTypeDetails = 8589934592
    (Remote Room Mailbox)


  8. Can you point me to a resource with more in-depth information about setting up a limited setup of Exchange for management?

    Currently running Exchange 2010, would like to avoid a hybrid deployment and go completely over to O365 with Azure AD Connect, but install Exchange 2016 just for user management. I see that we just have to set up the accepted domain and email address policy, but do you know of any more documentation on this process or can you offer some tips?



    1. Hi,
      Well, installing an Exchange 2016 server, configure the Accepted Domains and Email Address Policy (they are already configured since you have Exchange 2010 installed) and you’re good to go. I always recommend keeping a full hybrid configuration, just to keep an offboarding scenario, just in case.
      I have to admit, it’s a nice topic for a (future) blog post.


  9. Wow, it's like you were constructed in a lab to answer my exact problem/concern. Expanding a school communications program (it's a school, so 'from Google' of course) to incorporate some basic O365 functionality at the behest of front office folk; I said "Hey Exchange online! One less server role!" Having beaten my head against the wall (only briefly) I struck on the thought of expanding the AD schema as a band-aid but wanted to see what the community consensus was and if someone had already bird-dogged the landmines. I happily found your blog (part II) and it offered a friendly 'it'll work, don't try it' but clarification that keeping a skeleton, unconfigured role running was fine. Many, many thanks and I look forward to watching for future postings… as well as digging through the archive pile for things I should know, but missed. In lighter news, your blog shows up high on a search that included mild, but frustrated, profanity. I don't know the reason for the MS choice to limit certain functionality, nor is it fruitful to gripe. I'll just stay grateful that people are kind enough to highlight the path.


    1. you can remove “smaller” in your comment, everyone with Azure AD Connect is required to have an Exchange server on-premises, just for management purposes. Microsoft is working on that (announced at Ignite 2017) but status is unknown.


  10. Can you specify the Exchange roles needed to accomplish this? I am doing a green field AD and tenant just like your lab. I already have AD installed, new tenant installed and configured, Azure AD Connect and ADFS are configured and working. Exchange Online is configured and working. I wasn't going to have an on-premises Exchange server, but decided to put one in because of the SMTP relaying. I just installed Exchange 2016 CU9, but only installed the management tools. When I look for EAC it is not there, and the management console says "no Exchange servers are available in any Active Directory sites". I am doing a green field setup because we are changing our company name and are moving to a new internal domain and a brand new O365 tenant. Mailboxes are 100% Exchange Online. Just want the on-premises server to have the most minimal setup needed. Thank you for any help.


    1. Hi,
      It's a common misunderstanding that you only need to install the management tools, I'm afraid. The management tools are just a web interface, used to communicate with (other) Exchange servers in the organization, and as such they're useless in a situation like this. You have to install an Exchange 2016 Mailbox server and configure it accordingly: Accepted Domains, Email Address Policies etc. If you do not set up a hybrid configuration there's no real need to install an SSL certificate, but because of the low cost of an SSL cert these days I recommend installing it. BTW, installing an Exchange server on-premises in a situation like this is the only (by Microsoft) supported solution.


      1. Ah ok, got it. Thank you so much for the information. I have one other question. Do I need to go into Azure AD Connect and check the “hybrid exchange” option in the sync configuration as well?


      2. sorry for my late reply, have been away for a couple of days. As long as you don’t deploy a hybrid configuration (i.e. run the Hybrid Configuration Wizard) there’s no need to check this option, even if you install an on-premises Exchange server


  11. When creating a 3rd Party Certificate for an Exchange2016 Hybrid Server, what services do you need? Do you still recommend using namespaces like All mailboxes are in the cloud.


    1. You need this Exchange 2016 server on-premises for management purposes, creating remote mailboxes etc. No direct need for running the HCW if all services are in the cloud. Otherwise you need IIS and SMTP to work with this certificate.

