Managing Hybrid Exchange environments: a Cheat Sheet

Back to Blog
08Apr2019

Managing Hybrid Exchange environments: a Cheat Sheet

Office 365 Exchange Online is pretty simple to manage if you are a “cloud-only” organization. Especially now that many edits can be made easily via the Microsoft 365 admin center, without even going into the Exchange Online admin area, separately.

But, for those of us who are still tethered to a legacy on-premises Active Directory domain, and synchronizing our user accounts and passwords using Azure AD Connect, there is a catch: you will find it is not possible to make certain edits in the cloud. You might get a message similar to:

This action should be performed on the object in your on-premises organization.

For instance, if I try to update my user name, or even an alternate alias address at which I could receive email, Office 365 will bark at me. Why? Because the “source of authority” is my on-premises domain. If I want to make those kinds of changes, I have to do it on-premises.

But wait, what if you want to change mailbox permissions–say I am going to be out on leave, and I need to grant access to my manager in my absence?

Well, that edit can be made in the cloud, and in fact, you won’t have any controls for affecting this change on-premises, even if you do have a hybrid Exchange server in place. This is because the delegations/permissions live on the mailbox itself, and not on the user object, as aliases do.

So it can be kind of confusing for the uninitiated–when do you go to Exchange Online to make edits? When do you have to make them on-premises? Once you have managed a hybrid environment like this for a while, you get used to this strange split world. But, for ease of reference, I have created this cheat sheet for small business network admins, which includes many common administrative tasks.

In a hybrid situation with Azure AD Connect, it is best practice to maintain an on-premises Exchange server, just for management purposes. Most of what you need to accomplish can be done via this interface, but know that it is also possible to edit most attributes right in the Active Directory Users and Computers MMC console.

For this you will want to enable the Advanced features from the View menu. That allows you to open any user object and find the Attribute editor tab. From here, you can locate most of what you need, such as the proxyAddresses or the msExchHideFromAddressLists attribute.

If you do not have these attributes, it may be necessary to install the Exchange schema attributes from installation media. Otherwise, check the Filter button below the attributes, and ensure that you are not filtering empty values out.

Know that it is better and preferred to use the Exchange management UI or the Exchange shell to make changes. For instance you can create new users with the New-RemoteMailbox cmdlet, or, if you have already created the user in ADUC, simply use this command to complete the process, and link the on-premises account with a cloud mailbox:

Enable-RemoteMailbox username -RemoteRoutingAddress [email protected]

Now as you can see in the cheat sheet, a whole lot of tasks are still going to be performed cloud-side, and not on-premises. If only you could get off that old legacy Active Directory and embrace a Microsoft 365 subscription…man, life would be sweet then, wouldn’t it? So what’s stopping you?

Technical , , , 3 Comments
Share:

Comments (3)

  • Phillip Hershkowitz Reply

    I’m stuck in this hybrid world. Can I use Office 365 and Teams Groups?

    March 12, 2021 at 4:51 pm
    • Alex Reply

      There should be no problem using Teams, etc. even if you have hybrid. But what holds you down to hybrid?

      March 16, 2021 at 4:23 pm
      • Phillip Hershkowitz Reply

        A file server that I want to replace with SharePoint.
        Laptop management that I want to replace with Intune.
        A legacy ERP app Syteline that is running on-prem.

        March 16, 2021 at 5:27 pm

Leave a Reply

Back to Blog

Related Posts

21Mar

My favorite Conditional Access Policies for the SMB

It's not even a question in my mind anymore--every org who moves their email and other data sets into Office 365 should be protected with Enterprise Mobility + Security (also available in Microsoft 365 Enterprise plans). If you are in the Business subscription of Microsoft... read more
30Aug

(Mis)Adventures with Conditional Access in Azure Active Directory Premium (P1)

I have been playing with Azure Active Directory Premium (P1) features a lot lately. And I love to try as hard as I can to break things. Turns out, it isn't that hard to do with Conditional Access. But, having brushed up against a few... read more
01Sep

2016 Essentials Integration: Azure Backup

Customers of the late SBS line of products will be familiar with the Essentials Experience backup options for client PC's, and Windows Server Backup to external hard drive, but these days we have a new option with Microsoft Cloud Services integration: reliable offsite backups to the Azure cloud. From the... read more
06Apr

Warning: Domain Renames are Not Recommended (or Supported)

I have recently run into a couple of different scenarios wherein I've been asked to fix domain rename operations gone awry.  After having worked through this process extensively twice now, I thought I'd post about my experience, in case this helps anyone else avoid the same... read more
25Jan

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more
08Apr

Updated! Checklist co-developed with Microsoft: Set up your SMB customers for secure remote working

I had the great pleasure to participate in a webinar today with David Bjurman-Birr (Partner Architect) and Jon Orton (Director of Product Marketing for Microsoft 365 SMB). David and I recently developed a checklist together for Microsoft 365 Business Premium, aimed at helping partners who... read more
20Nov

How to leverage Conditional Access policies to make MFA less annoying: Require only for unmanaged devices

Multi-factor authentication is something I strongly believe in and recommend to all of my customers. But no matter how much I harp on it, most of them don't want to implement it, or  they try it out, then beg me to roll back, because... well...... read more
30May

Automate the deployment of a standalone Hyper-V host server using PowerShell

In this article, I wanted to document a standard, standalone Hyper-V server deployment for a small business using nothing but PowerShell. The best practices for Hyper-V state that the role should be enabled on a server without the GUI (e.g. Core or Nano--although I rarely see this done in a small... read more
06Apr

Inventory and Control of Apps within and beyond the perimeter with Microsoft 365

Managing devices is a topic I have probably burnt my readers out on by this point, so it's time we move into the next stage: wrangling all those crazy third-party applications hiding out in your environment! To build up a foundation of good security, we... read more
14Apr

How to initiate a test failover to Azure Site Recovery

If you've been following along with this series, we have already: Extended our On-Premises Network to Azure Virtual Network Replicated Hyper-V Virtual Machines to an Azure Site Recovery Vault In this post we are going to perform a test fail-over of on-premises virtual machines to Azure. Since... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me