Manage Office 365 Mailboxes using Directory Synchronization w/o Hybrid Exchange

25 January 2016 | Technical

When you have a hybrid environment configured between Exchange 2010 or 2013 and Office 365, then you will probably have noticed that mailbox creation and management happens on-premises. For example, to create a new mailbox, you would initiate this process from the local Exchange server instead of the Office 365 portal (e.g. New-RemoteMailbox).

This is because of DirSync / Azure AD Connect. With Directory Synchronization enabled, the “source of authority” for information regarding your users comes from the on-premises Active Directory, and not from Office 365.  Microsoft even explicitly recommends keeping a hybrid server in place.

It is neither recommended nor technically supported to remove your hybrid relationship and uninstall Exchange entirely from your organization while keeping Directory Synchronization in place. Even if you do not keep a hybrid Exchange server, you may consider at least keeping the AD schema extensions, so that the Exchange attributes remain available in the attribute editor. The most notable impacts of this configuration are:

  • You can no longer manage mailboxes directly from your on-premises organization using an Exchange server
  • Certain actions related to mailbox management will have to be handled differently as a result (via ADSI Edit)

Whether you are in this boat, or have never had a hybrid Exchange server but use Azure AD Connect to perform Directory Synchronization, the most common questions that come up are:

  • How do I create new mailboxes without an on-premises Exchange Server?
  • How do I edit or add an alias / secondary SMTP address?
  • How can I hide an account from the Exchange address lists?

Let’s look at each of these problems in turn.

To create a new mailbox:

You begin by creating the user in Active Directory, just like always.

  • Be sure your UPN suffix matches your email domain name (e.g. user@domain.com instead of user@domain.local)
  • Be sure your proxyAddresses attribute contains the primary SMTP address, as well as any aliases you prefer

Once the account appears in the Office 365 portal, make sure the sign-in name matches the email address, and then assign a mailbox license.  At this point the mailbox is created, and you should be able to log in to Office 365 with the email address and Active Directory password.*
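The two bullet points above can be checked at creation time rather than after the fact. The following is an added example, not code from the original post: it creates the AD user with PowerShell so that the UPN, the mail attribute and proxyAddresses are all correct before Azure AD Connect picks the object up. It assumes the ActiveDirectory module (RSAT) is installed; the OU path, domain name and user details are placeholders.

```powershell
# Added example (not from the original post). Create an AD user whose UPN and
# proxyAddresses already match the mailbox you want Office 365 to provision.
# Assumptions: ActiveDirectory module present; OU, domain and names are placeholders.
Import-Module ActiveDirectory

$domain  = 'domain.com'                      # public email domain, also a verified UPN suffix
$sam     = 'rjohnson'
$primary = "rjohnson@$domain"                # primary SMTP address
$aliases = @("rob@$domain", "rob.johnson@$domain")

# proxyAddresses rule: exactly one uppercase SMTP: (the primary), aliases as lowercase smtp:
$proxy = @("SMTP:$primary") + ($aliases | ForEach-Object { "smtp:$($_.ToLowerInvariant())" })

$password = Read-Host -AsSecureString -Prompt 'Initial password'

$params = @{
    Name              = 'Rob Johnson'
    GivenName         = 'Rob'
    Surname           = 'Johnson'
    SamAccountName    = $sam
    UserPrincipalName = $primary             # UPN suffix matches the email domain, not .local
    EmailAddress      = $primary             # populates the 'mail' attribute (E-mail field)
    Path              = 'OU=Users,DC=domain,DC=local'   # placeholder OU
    OtherAttributes   = @{ proxyAddresses = $proxy }
    AccountPassword   = $password
    Enabled           = $true
}
New-ADUser @params

# Show exactly what Azure AD Connect will read on the next sync cycle
Get-ADUser -Identity $sam -Properties UserPrincipalName, mail, proxyAddresses |
    Select-Object SamAccountName, UserPrincipalName, mail,
                  @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }

# On the Azure AD Connect server you can then force a delta sync instead of waiting:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

Run it on a domain-joined admin workstation. If the UPN suffix is not a domain verified in the tenant, Azure AD will fall back to the tenant's onmicrosoft.com suffix for the sign-in name, which is exactly the mismatch the footnote below describes, so check the suffix list in the portal before creating users this way.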

To add an alias/secondary SMTP address:

What about adding alias SMTP addresses?  For this, you will need to open ADSI edit. Connect to the Default naming context, drill down to the location of the user, and open the Properties on the user for whom you would like to add an alias.


Scroll to find the proxyAddresses attribute.  Add the address here as follows:

smtp:alias@domain.com (There must not be any spaces before or after the colon.)


Note that alias addresses use the lowercase prefix (smtp:alias@domain.com), whereas the primary address uses the uppercase prefix (e.g. SMTP:user@domain.com).

How to hide a mailbox from the Exchange GAL:

Find the attribute called msExchHideFromAddressLists (it is only present if the Exchange schema extensions mentioned above are in place).  To hide this user from the Exchange Global Address List (GAL), set that property to True here.
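Both ADSI Edit changes described above (the lowercase smtp: alias and the msExchHideFromAddressLists flag) can be scripted, which also lets you enforce the formatting rules instead of relying on careful typing. This is an added example, not code from the original post; it assumes the ActiveDirectory module and the Exchange schema extensions, and the function names, user name and addresses are placeholders.

```powershell
# Added example (not from the original post): apply the two ADSI Edit changes with
# Set-ADUser, checking the proxyAddresses rules from the post before writing.
# Assumes the ActiveDirectory module and Exchange schema extensions; names are placeholders.
Import-Module ActiveDirectory

function Add-SecondarySmtp {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Alias
    )
    # A single address with no whitespace anywhere (a space around the colon breaks the entry)
    if ($Alias -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Refusing to add '$Alias': not a plain address@domain value"
    }
    $user  = Get-ADUser -Identity $Identity -Properties proxyAddresses
    $entry = 'smtp:' + $Alias.ToLowerInvariant()        # aliases use the lowercase prefix

    # The object must keep exactly one uppercase SMTP: entry (the primary address)
    $primaries = @($user.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) {
        throw "$Identity has $($primaries.Count) uppercase SMTP: entries; fix the primary address first"
    }
    # -contains is case-insensitive, so this also catches the alias already being the primary
    if ($user.proxyAddresses -contains $entry) {
        Write-Warning "$entry is already present on $Identity"
        return
    }
    Set-ADUser -Identity $Identity -Add @{ proxyAddresses = $entry }
}

function Set-HideFromGal {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [bool] $Hidden = $true
    )
    # Boolean attribute from the Exchange schema; -Replace works whether or not it was set before
    Set-ADUser -Identity $Identity -Replace @{ msExchHideFromAddressLists = $Hidden }
}

Add-SecondarySmtp -Identity 'rjohnson' -Alias 'rob@domain.com'
Set-HideFromGal   -Identity 'rjohnson' -Hidden $true

# Review the result before the next Azure AD Connect sync cycle
Get-ADUser -Identity 'rjohnson' -Properties proxyAddresses, msExchHideFromAddressLists |
    Select-Object SamAccountName, msExchHideFromAddressLists,
                  @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }
```

One caveat worth checking before adding an alias this way: every proxyAddresses value has to be unique across the whole directory and tenant. If the same address is already on another user, group or contact, Azure AD Connect reports a duplicate-attribute sync error for the object and the change never reaches Office 365, so search for the address first (for example with Get-ADObject -Filter "proxyAddresses -eq 'smtp:rob@domain.com'") when a new alias fails to appear.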


This will take care of 95% of the requests and questions related to managing Directory Synchronization without a hybrid server in place.  Obviously, having a hybrid server makes changes like these a lot easier to manage. The other option is migrating to Windows Server Essentials Experience with Azure AD / Office 365 Online Services integration enabled.

Footnotes:

*We need to note an exception to this process that may require some additional finagling. Take the following example: Let’s say Rob Johnson’s username is Rob@domain.local — in this case, even switching the UPN suffix to Rob@domain.com wouldn’t do the trick if his email address is technically RJohnson@domain.com.

I always recommend setting the UPN / login name to match the primary SMTP Email address. If for some reason you are firmly decided that you cannot follow this best practice, then you will need to enter the primary Email address manually into the Email field in the user’s account properties, and also into the proxyAddresses field in ADSI edit, as described above (uppercase SMTP:email@domain.com).

Ideally have this all in place before forcing a directory sync. You may also need to check in the Office 365 portal once the account is synchronized, to make sure the prefix and suffix match the desired result (you will still need to update them in the portal—but changes should now stick if it is correct in AD).
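Because the footnote's failure mode only shows up after a sync, it is worth auditing for it beforehand. The following is an added example, not code from the original post: it lists enabled users whose UPN, mail attribute or proxyAddresses do not line up, so you can fix them in AD before forcing a directory sync. It assumes the ActiveDirectory module; the search base OU is a placeholder.

```powershell
# Added example (not from the original post): find users who will get a mismatched
# sign-in name in Office 365 because UPN, mail and the primary SMTP: entry disagree.
# Assumes the ActiveDirectory module; the SearchBase OU is a placeholder.
Import-Module ActiveDirectory

function Get-UpnSmtpMismatch {
    param(
        [string] $SearchBase = 'OU=Users,DC=domain,DC=local'   # placeholder OU
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties mail, proxyAddresses |
    ForEach-Object {
        # The primary address is the single entry with the uppercase SMTP: prefix
        $primaryEntry = $_.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
        $primary = if ($primaryEntry) { $primaryEntry.Substring(5) } else { $null }
        $upn     = $_.UserPrincipalName

        # String comparisons are case-insensitive by default, which is what we want for UPNs
        $problem = $null
        if (-not $primary)                 { $problem = 'no uppercase SMTP: entry in proxyAddresses' }
        elseif ($upn -like '*.local')      { $problem = 'UPN suffix is not a routable email domain' }
        elseif ($upn -ne $primary)         { $problem = 'UPN differs from primary SMTP address' }
        elseif ($_.mail -ne $primary)      { $problem = 'mail attribute differs from primary SMTP address' }

        if ($problem) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                UPN            = $upn
                PrimarySmtp    = $primary
                Mail           = $_.mail
                Problem        = $problem
            }
        }
    }
}

Get-UpnSmtpMismatch | Format-Table -AutoSize
```

Run it against the OUs that Azure AD Connect is configured to sync. Users listed with "UPN differs from primary SMTP address" are the Rob@domain.local / RJohnson@domain.com case from the footnote: either rename the UPN to match the primary address (the recommended fix) or, if the UPN must stay, make sure the mail attribute and the uppercase SMTP: entry both carry the real email address before the next sync.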

