Managing Hybrid Exchange environments: a Cheat Sheet
Alex Fields
Office 365 Exchange Online is pretty simple to manage if you are a “cloud-only” organization, especially now that many edits can be made easily from the Microsoft 365 admin center, without even going separately into the Exchange Online admin area.
But, for those of us who are still tethered to a legacy on-premises Active Directory domain, and synchronizing our user accounts and passwords using Azure AD Connect, there is a catch: you will find it is not possible to make certain edits in the cloud. You might get a message similar to:
This action should be performed on the object in your on-premises organization.
For instance, if I try to update my user name, or even an alternate alias address at which I could receive email, Office 365 will bark at me. Why? Because the “source of authority” is my on-premises domain. If I want to make those kinds of changes, I have to do it on-premises.
But wait, what if you want to change mailbox permissions–say I am going to be out on leave, and I need to grant access to my manager in my absence?
Well, that edit can be made in the cloud, and in fact, you won’t have any controls for effecting this change on-premises, even if you do have a hybrid Exchange server in place. This is because the delegations/permissions live on the mailbox itself, not on the user object, as aliases do.
So it can be kind of confusing for the uninitiated–when do you go to Exchange Online to make edits? When do you have to make them on-premises? Once you have managed a hybrid environment like this for a while, you get used to this strange split world. But, for ease of reference, I have created this cheat sheet for small business network admins, which includes many common administrative tasks.
In a hybrid situation with Azure AD Connect, it is best practice to maintain an on-premises Exchange server, just for management purposes. Most of what you need to accomplish can be done via this interface, but know that it is also possible to edit most attributes right in the Active Directory Users and Computers MMC console.
For this you will want to enable the Advanced features from the View menu. That allows you to open any user object and find the Attribute editor tab. From here, you can locate most of what you need, such as the proxyAddresses or the msExchHideFromAddressLists attribute.
If you do not see these attributes, it may be necessary to extend the Active Directory schema with the Exchange attributes from the Exchange installation media. Otherwise, check the Filter button below the attribute list, and ensure that you are not filtering out attributes with empty values.
Know that using the Exchange admin center UI or the Exchange Management Shell to make changes is the better and preferred route. For instance, you can create new users with the New-RemoteMailbox cmdlet, or, if you have already created the user in ADUC, simply use this command to complete the process and link the on-premises account with a cloud mailbox:
Enable-RemoteMailbox username -RemoteRoutingAddress firstname.lastname@example.org
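The split described above, as an added example that is not part of the original post: an alias (proxyAddresses) and the hide-from-GAL flag are edited on-premises in the Exchange Management Shell, while a mailbox delegation is granted in Exchange Online PowerShell. The user jdoe, the delegate mgr, the alias, and the admin account are placeholder names; the script assumes the ActiveDirectory and ExchangeOnlineManagement modules are available.

```powershell
# Added example, not from the original post. jdoe, mgr and the addresses are placeholders.
# Part 1: on-premises Exchange Management Shell. The source of authority for proxyAddresses
# and msExchHideFromAddressLists is on-premises AD, so they are changed here and flow to
# the cloud on the next Azure AD Connect sync cycle.
Import-Module ActiveDirectory
$User  = 'jdoe'
$Alias = 'smtp:john.doe@example.org'   # lowercase "smtp:" = secondary address, not the primary

# Only touch a remote mailbox, i.e. an AD user already linked to a cloud mailbox.
$rm = Get-RemoteMailbox -Identity $User -ErrorAction SilentlyContinue
if (-not $rm) {
    throw "$User has no remote mailbox; run Enable-RemoteMailbox first."
}
$existing = $rm.EmailAddresses | ForEach-Object { $_.ToString() }
if ($existing -notcontains $Alias) {
    Set-RemoteMailbox -Identity $User -EmailAddresses @{Add = $Alias}
}

# Hiding from the address lists is also an on-premises attribute (msExchHideFromAddressLists).
Set-RemoteMailbox -Identity $User -HiddenFromAddressListsEnabled $false

# Verify the values landed in AD before waiting on the sync cycle.
Get-ADUser -Identity $User -Properties proxyAddresses, msExchHideFromAddressLists |
    Select-Object SamAccountName, msExchHideFromAddressLists,
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }

# Part 2: Exchange Online PowerShell (Connect-ExchangeOnline). Mailbox permissions live on
# the cloud mailbox itself, so they are granted here even though the user object is synced.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.org'

$mbx = Get-Mailbox -Identity $User
if (-not $mbx.IsDirSynced) {
    Write-Warning "$User is not directory-synced; its attributes are edited in the cloud instead."
}

# Delegate Full Access to the manager for the leave period; AutoMapping off keeps the
# mailbox from being added automatically to the manager's Outlook profile.
Add-MailboxPermission -Identity $User -User 'mgr' -AccessRights FullAccess -AutoMapping $false

# Review who holds explicit (non-inherited) access on the mailbox after the change.
Get-MailboxPermission -Identity $User |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
```

Removing the delegation when the user returns is the matching cloud-side Remove-MailboxPermission call, so a periodic review of the Get-MailboxPermission output is a simple way to catch delegations that outlived their purpose.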
Now as you can see in the cheat sheet, a whole lot of tasks are still going to be performed cloud-side, and not on-premises. If only you could get off that old legacy Active Directory and embrace a Microsoft 365 subscription…man, life would be sweet then, wouldn’t it? So what’s stopping you?
I’m stuck in this hybrid world. Can I use Office 365 and Teams Groups?
There should be no problem using Teams, etc. even if you have hybrid. But what holds you down to hybrid?
A file server that I want to replace with SharePoint.
Laptop management that I want to replace with Intune.
A legacy ERP app, Syteline, that is running on-prem.