Dan Djurasovic Blog
  • SSH
  • Linux

Change the Source of Authority from Azure AD to Local Active Directory Using an On-premises Exchange Server

  • 07/01/2017
  • Dan Djurasovic
  • 4 Comments

Current Settings

Initially, we have configured:

  • Office 365 accounts/mailboxes are already provisioned in Office 365/Exchange Online.
  • User IDs and passwords are set up in Office 365.
  • Local Active Directory has all account objects.
  • There is an AD Connect server installed locally, which points to an empty OU.
  • There is no Exchange Server installed locally.

We need to link the Office 365 accounts back to the On-premises Active Directory accounts.
Passwords need to be synced from On-premises Active Directory to Office 365.

In this configuration, we are going to install a local Exchange Server and use the only supported method of syncing and provisioning accounts from the local On-premises Active Directory.

We will use the local AD account second@9tech.ca to sync to the already provisioned user/mailbox in Office 365 with primary SMTP address second@9tech.ca.

Install a local Exchange server and change the Source of Authority to local Active Directory

The following steps are necessary to change the source of authority from Azure AD to local Active Directory with an On-premises Exchange Server installed.

  1. Download your version of Exchange 2016 Server from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=52968
  2. Extend the Active Directory schema for Exchange and install the Exchange 2016 server locally On-premises.
  3. After you install the Exchange server, run the following command to clear the local Autodiscover SCP record in AD (the Exchange 2016 cmdlet is Set-ClientAccessService):
    Set-ClientAccessService -Identity server -AutoDiscoverServiceInternalUri $null
  4. To be able to provision new Office 365 mailboxes using the EAC On-premises, run the following commands to configure the remote domain for Exchange Online:
    New-RemoteDomain -Name "9tech1.mail.onmicrosoft.com" -DomainName "9tech1.mail.onmicrosoft.com"
    Set-RemoteDomain -Identity "9tech1.mail.onmicrosoft.com" -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -TNEFEnabled $true
  5. Use the following two commands to export user attributes from Azure AD and from Exchange Online to two CSV files. The first command runs in an MSOnline PowerShell session connected to the tenant:
    Get-MsolUser | Select-Object DisplayName,UserPrincipalName,City,Country,Department,Fax,FirstName,LastName,MobilePhone,Office,PhoneNumber,
    PostalCode,@{Name='ProxyAddresses';Expression={[string]::Join(";",($_.ProxyAddresses))}},State,StreetAddress,Title |
    Export-Csv C:\reports\MSOL-Users.csv -NoTypeInformation
  6. If there are more attributes in use, extend the command above to include the additional attributes. The list of attributes synchronized by AD Connect can be found here:
    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
    The second command runs in an Exchange Online PowerShell session (the SMTP addresses are joined with ";" so that Export-Csv writes the list rather than an object type name):
    Get-Mailbox | Select-Object DisplayName,UserPrincipalName,@{Name="EmailAddresses";Expression={($_.EmailAddresses |
    Where-Object {$_ -like "SMTP:*"}) -join ";"}},EmailAddressPolicyEnabled,PrimarySmtpAddress,WindowsEmailAddress,ForwardingSmtpAddress,ForwardingAddress |
    Export-Csv C:\reports\Exchange-Online-Users.csv -NoTypeInformation
  7. Edit both files to populate blank fields with the missing data/attributes (telephone number, address, etc.).
  8. Run the following command on the local On-premises Exchange Server to create a remote mailbox for the existing AD user, using data from the MSOL-Users.csv file:
    Enable-RemoteMailbox -Identity "second@9tech.ca" -RemoteRoutingAddress "second@9tech1.mail.onmicrosoft.com" -PrimarySmtpAddress second@9tech.ca
  9. Run the following command on the local On-premises Exchange Server to assign additional email addresses to the previously created remote mailbox, using data from the MSOL-Users.csv file. -EmailAddresses replaces the whole proxy address list, so every address the mailbox must keep has to be listed:
    Set-RemoteMailbox -Identity "second@9tech.ca" -EmailAddressPolicyEnabled $false -EmailAddresses smtp:secondd@9tech.ca,SMTP:second@9tech.ca,smtp:seconddd@9tech.ca
  10. Run the following command on the local On-premises Exchange Server to assign additional attributes to the local AD account, using data from the Exchange-Online-Users.csv file. Set-User names the country and state parameters -CountryOrRegion and -StateOrProvince:

    Set-User -Identity "second@9tech.ca" -DisplayName "Second Test" -UserPrincipalName "second@9tech.ca" -City "Atlanta" -CountryOrRegion "United States" -Department "Information Services" -Fax "" -FirstName "Second" -LastName "Test" -MobilePhone "" -Office "Midtown" -Phone "+1 (404) 326-0000" -PostalCode "30000" -StateOrProvince "GA" -StreetAddress "1100 Baif Street, Suite 1000" -Title "Senior Helpdesk Support Technician"
  11. Move mailbox to OU which is in AD Connect sync scope.
  12. Notify users that their Office 365 password is going to change and that the new password is going to be the same as their internal AD password.
  13. Perform AD Connect Sync
  14. Check if user’s status was changed from “In Cloud” to “Synced with Active Directory”.
  15. Check if user can login to Exchange Online using internal Active Directory password
  16. After those steps, all attributes for the specified users are copied from Office 365 back to On-premises Active Directory, the password is synced up from the local Active Directory, and all attributes of the mailbox are managed locally from the Exchange Server.
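Steps 8 to 10 are shown above for a single user. The script below, added here as an example and not part of the original post, applies the same three cmdlets to every row of the MSOL export. It assumes it runs in the on-premises Exchange Management Shell, that C:\reports\MSOL-Users.csv was produced by the Get-MsolUser export above, and that the tenant routing domain is 9tech1.mail.onmicrosoft.com as in the post.

```powershell
# Added example (not from the original post): apply steps 8-10 to every user in
# the MSOL export instead of typing the three cmdlets per person.
# Assumptions: run in the on-premises Exchange Management Shell, MSOL-Users.csv
# comes from the Get-MsolUser export above, and the tenant routing domain is
# 9tech1.mail.onmicrosoft.com as in the post.
$RoutingDomain = '9tech1.mail.onmicrosoft.com'
$MsolUsers     = Import-Csv 'C:\reports\MSOL-Users.csv'

foreach ($u in $MsolUsers) {
    $upn     = $u.UserPrincipalName
    $routing = '{0}@{1}' -f $upn.Split('@')[0], $RoutingDomain

    # Step 8: mail-enable the existing AD user as a remote mailbox, only once.
    if (-not (Get-RemoteMailbox -Identity $upn -ErrorAction SilentlyContinue)) {
        Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress $routing -PrimarySmtpAddress $upn
    }

    # Step 9: ProxyAddresses was exported joined with ';'. -EmailAddresses
    # replaces the whole list, so make sure the routing address stays in it.
    $proxies = @($u.ProxyAddresses -split ';' | Where-Object { $_ })
    if (-not ($proxies -match ('^smtp:' + [regex]::Escape($routing) + '$'))) {
        $proxies += "smtp:$routing"
    }
    Set-RemoteMailbox -Identity $upn -EmailAddressPolicyEnabled $false -EmailAddresses $proxies

    # Step 10: copy directory attributes. Set-User spells the MSOL Country and
    # State columns -CountryOrRegion and -StateOrProvince; blank cells are
    # skipped so existing AD values are not wiped by an empty export field.
    $map = @{
        DisplayName = $u.DisplayName; FirstName = $u.FirstName; LastName = $u.LastName
        City = $u.City; CountryOrRegion = $u.Country; Department = $u.Department
        Fax = $u.Fax; MobilePhone = $u.MobilePhone; Office = $u.Office
        Phone = $u.PhoneNumber; PostalCode = $u.PostalCode; StateOrProvince = $u.State
        StreetAddress = $u.StreetAddress; Title = $u.Title
    }
    $set = @{}
    foreach ($k in $map.Keys) { if ($map[$k]) { $set[$k] = $map[$k] } }
    Set-User -Identity $upn @set
}
```

Add -WhatIf to the three Set/Enable cmdlets on a first pass to review what would change before writing to AD.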

About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory.

4 Comments

  1. rnabidur
    09/11/2020 at 09:21

    Hi Dan,
    Great article!
    Did you mean to say in “Current Settings”

    Initially, we have configured:

    Office 365 accounts/mailboxes already provisioned in Office 365/Exchange Online.
    Users IDs and passwords are setup in Office 365.
    Local Active Directory has all account objects.
    “There is no AD Connect Server locally Installed.” >>>> “There is AD Connect Server locally Installed.”???
    There is no Exchange Server locally Installed.

    • Dan Djurasovic
      12/11/2020 at 10:51

      I corrected it. You need AD Connect installed but it has to point to empty OU.

  2. rnabidur
    09/11/2020 at 09:23

    And do you know the updated link for this?
    https://msdn.microsoft.com/en-us/library/azure/dn194133(v=azure.98).aspx
    The above one is not working.

    • Dan Djurasovic
      12/11/2020 at 10:52

      I corrected a link in the document.
      The new link is https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
