Tag Archives: Directory Synchronization

create Shared Mailbox in Exchange Hybrid

Every now and then I get a question regarding creation of Room- or Shared Mailboxes in Office 365 when Exchange Hybrid is in place.There are multiple solutions available, but at the same time there are some restrictions as well. In this blog post I’ll discuss Room Mailboxes, Equipment Mailboxes and Shared Mailboxes.

Room Mailbox

To create a room Mailbox in your hybrid environment create a user account for this room mailbox first. In this example I’m going to create a Room Mailbox called ‘conference room 1st floor’ and have it created directly in Office 365 (for your information, I’ve tested this with Exchange 2010 hybrid as well as Exchange 2016 hybrid).

image

To create the Mailbox in Exchange Online, you can use the Enable-RemoteMailbox cmdlet in Exchange PowerShell. This will mail-enable the account in your on-premises environment and will automatically create a mailbox in Exchange Online the next time Azure AD Connect runs. For the Enable-RemoteMailbox cmdlet you need to use the -RemoteRoutingAddress (which should point to the Mailbox in Exchange Online) and for a Room Mailbox you have to use the -Room option. If you want to create a Shared Mailbox you can use the -Shared option, the result will be the same.

To create the Room Mailbox in Exchange Online we can use the following command:

Get-User -Identity Conference1 | Enable-RemoteMailbox -Room -RemoteRoutingAddress conference1@inframan.mail.onmicrosoft.com

image

When Azure AD Connect has run, the account has been provisioned in Azure AD and the Room Mailbox has been created. It is visible in Exchange Online EAC and permissions can be granted to other users can manage the Room Mailbox.

image

Resource (Equipment) Mailbox

To create a Resource (aka Equipment) Mailbox the process is very similar. First create a user account for the Equipment Mailbox in Active Directory and fill the appropriate attributes, like this:

av

To create the Equipment Mailbox directly in Exchange Online, execute the following in PowerShell (on your on-premises Exchange server):

Get-User -Identity AVEquipment | Enable-RemoteMailbox -Equipment
-RemoteRoutingAddress avequipment@inframan.mail.onmicrosoft.com

equipment

Again, when Azure AD Connect has run, the account is provisioned in Azure AD and the Mailbox is created in Exchange Online:

mbx

Shared Mailboxes

Createing Shared Mailboxes is a bit problematic, after all these years there’s still no option like -Shared when using the Enable-RemoteMailbox cmdlet in Exchange PowerShell so we have to figure out another way to create a Shared Mailbox in Exchange Online when using Azure AD Connect and a Hybrid environment.

<more to come soon>

 

Moving from Exchange 2010 to Office 365

There are a lot of articles on the Internet on how to create a hybrid environment, where Exchange 2016 is connected to Office 365. Now that’s fine, but when you’re running Exchange 2016 you most like are NOT going to move to Office 365 anytime soon I guess. If you are running Exchange 2010 chances are that you will move to Office 365 (soon), but there aren’t that much articles about moving from Exchange 2010 to Office 365. And a lot of the articles available don’t have the right approach I’m afraid, and will result in you (the customer) having to pay way too much money to your system integrator.

In this article, I’ll try to outline the recommended approach when moving from Exchange 2010 to Office 365 in a hybrid scenario. With Azure AD Connect for synchronization purposes. Cliffhanger: I’m not going to install Exchange 2016 into the existing Exchange 2010 environment Smile

Existing Exchange environment

Our organization is called Inframan and they have their own on-premises Exchange 2010 environment which they have been running for 5 years now without too much issues. There are internal Outlook clients using Outlook 2010 and higher, and there are external clients using Outlook Anywhere. There are also mobile clients using ActiveSync to connect to their Mailboxes. Of course, there is Outlook Web Access, but POP3 and IMAP4 are not used.

image

Figure 1. Overview of the Inframan Exchange 2010 environment.

Continue reading Moving from Exchange 2010 to Office 365

Office 365 Directory Synchronization without Exchange server Part II

The question in my previous blog post was “Can we decommission our Exchange servers after moving to Office 365?” and the blunt answer was “No, you cannot decommission your last Exchange server on-premises”.

In this previous blog post I showed you what happens if you synchronize a user to Azure Active Directory from your on-premises Active Directory, and how to create a Mailbox in Exchange Online with a proper primary Email address. At the same time, it was only possible to set only one Email address, and there’s no possibility to add multiple Email addresses, nor is it possible to change any other Exchange related setting.

In this blog post I’ll discuss how to extend Active Directory with Exchange attributes to unleash more functionality and management options in Exchange Online. Please note that the solution in this blog works fine, but it is not recommended and not supported by Microsoft. Continue reading Office 365 Directory Synchronization without Exchange server Part II

Office 365 Directory Synchronization without Exchange server

I get a lot of questions regarding Office 365, Directory Synchronization from an on-premises Active Directory and decommissioning Exchange servers on-premises. A lot of customers want an Active Directory on-premises, they want Mailboxes in Office 365 and they don’t want an Exchange server on-premises anymore.

So the question is basically “Can we decommission our Exchange servers after moving to Office 365?”

It is an easy question with an easy answer, and the answer is “No, you cannot decommission your last Exchange server on-premises”. Let me explain why.

Source of authority

In an earlier blogpost I already discussed the three types of Identities:

  • Cloud Identities.
  • Synced Identities.
  • Federated Identities.

With Directory Synchronization (through Azure AD Connect) in place we’re talking about Synced Identities or Federated Identities. Important to note is that the Source of Authority, which means where the identities are managed, is the on-premises Active Directory. Account are created and managed on-premises and not in the cloud. This is also true for properties of the accounts.

Suppose we have the following situation. There’s an Active Directory environment, no Exchange servers on-premises and there’s an AADConnect server for replication purposes to Azure Active Directory as shown in the following picture.

image

Figure 1. Azure AD Connect is synchronizing user accounts to Office 365.

The internal domain is Exchangelabs.local, the external domain Exchangelabs.nl is only verified in Office 365 and set as the default domain. In the on-premises Active Directory there’s an OU=Accounts where objects are in various OU’s like OU=Groups, OU=Users, OU=Contacts etc.

image

Figure 2. User accounts in Active Directory Users and Computers. Please note the different settings in the E-mail Address column.

The installation of Azure AD Connect automatically detects that there’s no Exchange server installed (the Active Directory Schema is not even prepared, so it’s truly a green-field Active Directory) and thus the Exchange Hybrid option is not available in the setup application:

image

Figure 3. Azure AD Connect is configured with Password hash synchronization

The only option that’s selected is the Password hash synchronization. The Organizational Unit OU=Accounts as mentioned before is the only OU that’s selected for object replication, so after finishing the setup application and the initial synchronization the user account will appear in the Microsoft Online Portal.

When the Office 365 (E3) licenses are assigned to the replicated user accounts, one strange thing is visible. The user account is exactly as expected, i.e. bwesselius@exchangelabs.nl, but the primary SMTP address does not reflect this, and is actually based on the tenant name, i.e. bwesselius@exchangelabsnl.onmicrosoft.com as shown in the following screenshot.

image

Figure 4. User’s email address is set incorrectly. The tenant email address is set as primary SMTP address.

When you want to change the email address from the tenant email address to the regular email address you’ll see the following warning:

image

Figure 5. It is not possible to change the user’s primary SMTP address

The Set as Primary button is greyed out, so it’s not possible to change the email address.

When you try this in the Exchange Admin Center (in Exchange Online) it doesn’t work either and you get the following error message:

The operation on mailbox “Bram Wesselius” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘EmailAddresses’, can’t be performed on the object ‘Bram Wesselius’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

image

Figure 6. An error message about ‘write scope’ is shown when the user’s Email address is changed.

Now it gets interesting. Have a closer look at Figure 2. You will see that user BWesselius does not have an email address set in Active Directory, but user Ahaverkamp does have an email address. This is not an Exchange email address (since Exchange is not installed on-premises, Active Directory doesn’t have the Exchange schema changes applied, it really is a green-field Active Directory) but the email address is set in Active Directory Users and Computers.

image

Figure 7. The user’s Email address is set in Active Directory Users and Computers.

When the Email address is set using Active Directory Users and Computers it is synchronized correctly to Office 365 and used in Exchange Online as the user’s primary Email address.

So, now we know how to set the primary Email address when the user is provisioned in the on-premises Active Directory. Despite the fact the user now has the correct primary Email address, it is still not possible to change the user’s Email address in the Office 365 portal or Exchange (online) Admin Center.

This behavior is caused by the fact that the account in this scenario is a Synced Account. The source of authority is the on-premises Active Directory, and this is where all changes need to be made. Once changed the new settings are synchronized to Office 365.

So, to change the primary Email address for user BWesselius it’s a matter of adding the Email address to the mail property in Active Directory users and computers and wait for synchronization to happen (or force directory synchronization). If you want to change an Email address, for example for user AHaverkamp you can just change the mail property of the user in Active Directory Users and Computers.

image

So, now we know how to create a user in the on-premises Active Directory and have the Exchange Online primary Email address set correctly. In my next blog I’ll talk more about an on-premises Exchange server.

User cannot logon to Office 365 after moving user account in Active Directory

When you have implemented Directory Synchronization between your on-premises Active Directory and Office 365, and you move a user in Active Directory out of the DirSync scope (for example to an Organizational Unit that’s not synchronized) the user is removed from Office 365.

However, when you move the user back to an Organizational Unit that’s synchronized (i.e. in-scope) the password is no longer synchronized. So, when this user tries to logon to Office 365 services, the logon attempt fails. Only when you change the password in Active Directory, the new password is synchronized to Office 365, and the user is able to logon again to the service.

Very similar to this, when a disabled user in the on-premises Active Directory is enabled, the password is not synchronized to Office 365.

This is a known issue with DirSync or Azure AD Connect (up to November 2015). On November 4, 2015 Microsoft released a new version of Azure AD Connect that fixes this particular issue (together with a number of other fixes of course).

You can find more information regarding the updated version of Azure AD Connect on Sander Berkouwer’s blog A new version of Azure AD Connect was released today. You can download the new version of Azure AD Connect on the Microsoft Download Site.