Manage Office 365 Mailboxes using Directory Synchronization w/o Hybrid Exchange


When you have a hybrid environment configured between Exchange 2010 or 2013 and Office 365, you will probably have noticed that mailbox creation and management happens on-premises. For example, to create a new mailbox you initiate the process from the local Exchange server (e.g. with New-RemoteMailbox) instead of from the Office 365 portal.

This is because of DirSync / Azure AD Connect. With Directory Synchronization enabled, the "source of authority" for information about your users is the on-premises Active Directory, not Office 365. Microsoft even explicitly recommends keeping a hybrid server in place.

It is not recommended, and not technically supported, to remove your hybrid relationship and uninstall Exchange entirely from your organization without also removing Directory Synchronization. Even if you do not keep a hybrid Exchange server, you may want to at least keep the Exchange AD schema extensions so that the Exchange attributes remain available in the attribute editor. The most notable impacts of this configuration are:

  • You can no longer manage mailboxes directly from your on-premises organization using an Exchange server
  • Certain actions related to mailbox management will have to be handled differently as a result (typically via ADSI Edit)

Whether you are in this boat, or you have never had a hybrid Exchange server but are using Azure AD Connect to perform Directory Synchronization, the most common questions that come up are:

  • How do I create new mailboxes without an on-premises Exchange Server?
  • How do I edit or add an alias / secondary SMTP address?
  • How can I hide an account from the Exchange address lists?

Let’s look at each of these problems in turn.

To create a new mailbox:

You begin by creating the user in Active Directory, just like always.

  • Be sure your UPN suffix matches your email domain name (e.g. [email protected] instead of [email protected])
  • Be sure your proxyAddresses attribute contains the primary SMTP address, as well as any aliases you prefer

Once the account appears in the Office 365 portal, make sure the sign-in name matches the email address, and then assign a mailbox license. At this point the mailbox is created, and you should be able to log in to Office 365 with the email address and Active Directory password.*

To add an alias/secondary SMTP address:

What about adding alias SMTP addresses? For this, you will need to open ADSI Edit. Connect to the Default naming context, drill down to the location of the user, and open the Properties on the user for whom you would like to add an alias.

[Screenshot: ADSI-attribute-1]

Scroll to find the proxyAddresses attribute.  Add the address here as follows:

smtp:[email protected] (There must not be any spaces before or after the colon.)

[Screenshot: ADSI-attribute-2]

Note that alias email addresses should feature lowercase smtp:[email protected] whereas the primary email address will feature the uppercase (e.g. SMTP:[email protected]).

How to hide a mailbox from the Exchange GAL:

Find the attribute called "msExchHideFromAddressLists." If you want to hide this user from the Exchange Global Address List (GAL), set that attribute to True here.

[Screenshot: ADSI-attribute-3]
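The three ADSI Edit steps above (UPN and primary SMTP, lowercase smtp: aliases, msExchHideFromAddressLists) can also be scripted, which makes it easier to avoid the stray-space and duplicate-primary mistakes that the GUI does not catch. The following is an added example, not code from the original post or from Microsoft: it uses the ActiveDirectory RSAT module and assumes the Exchange schema extensions are still present (otherwise the msExchHideFromAddressLists attribute does not exist). The domain, OU, account name and addresses are placeholders; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module and an AD forest whose schema still has the Exchange extensions.
# example.com, the sAMAccountName and the addresses below are placeholders.
Import-Module ActiveDirectory

function Test-ProxyAddress {
    # $true only for a well-formed "smtp:user@domain" / "SMTP:user@domain"
    # entry: exact prefix case, no whitespace anywhere, exactly one "@".
    param([Parameter(Mandatory)][string]$Entry)
    return ($Entry -cmatch '^(smtp|SMTP):[^\s@]+@[^\s@]+$')
}

function Set-CloudMailboxAttributes {
    # Writes UPN, mail and proxyAddresses so the synced object arrives in
    # Office 365 with a sign-in name that matches its primary SMTP address.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimarySmtp,   # e.g. rjohnson@example.com
        [string[]]$Aliases = @(),                      # e.g. rob.johnson@example.com
        [switch]$HideFromAddressLists
    )

    # Exactly one uppercase SMTP: (primary) entry; every alias is lowercase smtp:.
    $entries = [System.Collections.Generic.List[string]]::new()
    $entries.Add("SMTP:$PrimarySmtp")
    foreach ($alias in $Aliases) { $entries.Add("smtp:$alias") }

    foreach ($e in $entries) {
        if (-not (Test-ProxyAddress $e)) { throw "Malformed proxyAddresses entry: '$e'" }
    }
    $distinct = @($entries | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique).Count
    if ($distinct -ne $entries.Count) { throw "Duplicate address in proxyAddresses list" }

    # UPN (sign-in name) and mail (the "E-mail" field) both equal the primary
    # SMTP address; proxyAddresses is replaced wholesale with the validated list.
    Set-ADUser -Identity $SamAccountName `
        -UserPrincipalName $PrimarySmtp `
        -EmailAddress $PrimarySmtp `
        -Replace @{ proxyAddresses = [string[]]$entries }

    if ($HideFromAddressLists) {
        # Same attribute the ADSI Edit step sets to True; needs the Exchange schema.
        Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $true }
    }
}

function Test-CloudMailboxReady {
    # Reads the object back and reports anything that would make the synced
    # account disagree with the mailbox address (the footnote's UPN mismatch case).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses, msExchHideFromAddressLists
    $problems = @()

    $primary = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        $problems += "proxyAddresses has $($primary.Count) SMTP: (primary) entries; expected exactly 1"
    } else {
        $p = $primary[0].Substring(5)
        if ($u.UserPrincipalName -ne $p) { $problems += "UPN '$($u.UserPrincipalName)' differs from primary SMTP '$p'" }
        if ($u.mail -ne $p)              { $problems += "mail '$($u.mail)' differs from primary SMTP '$p'" }
    }
    # Other prefixes (X500:, SIP:, ...) are legitimate; only check smtp entries.
    foreach ($e in $u.proxyAddresses) {
        if ($e -imatch '^smtp:' -and -not (Test-ProxyAddress $e)) { $problems += "malformed entry '$e'" }
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        HiddenFromGAL  = [bool]$u.msExchHideFromAddressLists
        Ready          = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Usage (placeholder account and domain):
Set-CloudMailboxAttributes -SamAccountName 'rjohnson' `
    -PrimarySmtp 'rjohnson@example.com' `
    -Aliases 'rob.johnson@example.com', 'rob@example.com' `
    -HideFromAddressLists
Test-CloudMailboxReady -SamAccountName 'rjohnson' | Format-List
# Only after Ready is $true, trigger the sync from the Azure AD Connect server:
#   Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta
```

Run Test-CloudMailboxReady before the first sync of a new account: if Ready is false, fix the listed problems in AD first, since (as the footnote explains) changes made only in the portal do not stick while the on-premises directory remains the source of authority.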

This will take care of 95% of requests and questions related to managing Directory Synchronization without a hybrid server in place. Obviously, having a hybrid server makes changes like these a lot easier to manage. The other option is migrating to Windows Server Essentials Experience with Azure AD / Office 365 Online Services integration enabled.

Footnotes:

*We need to note an exception to this process that may require some additional finagling. Take the following example: Let’s say Rob Johnson’s username is [email protected] — in this case, even switching the UPN suffix to [email protected] wouldn’t do the trick if his email address is technically [email protected].

I always recommend setting the UPN / login name to match the primary SMTP Email address. If for some reason you are firmly decided that you cannot follow this best practice, then you will need to enter the primary Email address manually into the Email field in the user’s account properties, and also into the proxyAddresses field in ADSI edit, as described above (uppercase SMTP:[email protected]).

Ideally have this all in place before forcing a directory sync. You may also need to check in the Office 365 portal once the account is synchronized, to make sure the prefix and suffix match the desired result (you will still need to update them in the portal—but changes should now stick if it is correct in AD).

Comments (2)

  • Richard Pettigrew Reply

    This is great information, thank you!

    So, I plan to do away with the on-prem server completely (an SBS 2011 server – and there are no other servers locally either). I can do away with the dir-sync component and remove the hybrid setup, then completely decommission the SBS box as it's no longer required at all.

    Client computers will be disjoined from the local AD domain and re-joined to Azure AD only instead.

    This is to be a wholesale switch from a single-server SBS 2011 setup with Hybrid exchange connection to a purely Office365/Azure AD only setup.

    September 4, 2019 at 8:59 am
    • Alex Reply

      yep that sounds like a good path forward!

      September 4, 2019 at 10:52 am
