Dan Djurasovic Blog

Change The Source Authority from Azure AD to local Active Directory WITH use of On-premises Exchange Server

  • 07/01/2017
  • Dan Djurasovic
  • 4 Comments

Current Settings

Initially, we have configured:

  • Office 365 accounts/mailboxes already provisioned in Office 365/Exchange Online.
  • User IDs and passwords are set up in Office 365.
  • Local Active Directory has all account objects.
  • There is an AD Connect server installed locally, which points to an empty OU.
  • There is no Exchange Server installed locally.

We need to link the Office 365 accounts back to the On-premises Active Directory accounts.
Passwords need to be synced from On-premises Active Directory to Office 365.

In this configuration, we are going to install a local Exchange Server and use the only supported method of syncing and provisioning accounts from the local On-premises Active Directory.

We will use the local AD account second@9tech.ca to sync to the already provisioned user\mailbox in Office 365 with the primary SMTP address second@9tech.ca.

Install a local Exchange server and change the Source of Authority to the local Active Directory

The following steps are necessary to change the source of authority from Azure AD to the local Active Directory, with an On-premises Exchange Server installed.

  1. Download your version of Exchange 2016 Server from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=52968
  2. Extend the Exchange schema and install the Exchange 2016 server locally On-premises.
  3. After you install the Exchange server, run the following command to clear the local SCP record in AD, so that domain-joined Outlook clients do not start using the new On-premises server for Autodiscover (replace <ServerName> with the name of the Exchange server):
    Set-ClientAccessService -Identity <ServerName> -AutoDiscoverServiceInternalUri $null
  4. To be able to provision a new Office 365 mailbox using the EAC On-premises, run the following commands to configure the remote domain for Exchange Online (9tech1.mail.onmicrosoft.com is this tenant's routing domain; use your own):
    New-RemoteDomain -Name "9tech1.mail.onmicrosoft.com" -DomainName "9tech1.mail.onmicrosoft.com"
    Set-RemoteDomain -Identity "9tech1.mail.onmicrosoft.com" -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -TNEFEnabled $true
  5. Use the following two commands to export the user attributes from Azure AD and from Exchange Online to two CSV files (run the first after Connect-MsolService, the second in a remote PowerShell session to Exchange Online; the c:\reports folder must exist). Multi-valued properties are joined with ";" so that Export-Csv writes the addresses instead of a type name:
    Get-MsolUser | Select DisplayName,UserPrincipalName,City,Country,Department,Fax,FirstName,LastName,MobilePhone,Office,PhoneNumber,PostalCode,@{Name='ProxyAddresses';Expression={[string]::Join(";",$_.ProxyAddresses)}},State,StreetAddress,Title |
    Export-Csv c:\reports\MSOL-Users.csv -NoTypeInformation
    Get-Mailbox | Select DisplayName,UserPrincipalName,@{Name="EmailAddresses";Expression={[string]::Join(";",($_.EmailAddresses | Where-Object {$_ -like "SMTP:*"}))}},EmailAddressPolicyEnabled,PrimarySmtpAddress,WindowsEmailAddress,ForwardingSmtpAddress,ForwardingAddress |
    Export-Csv c:\reports\Exchange-Online-Users.csv -NoTypeInformation
  6. If more attributes are in use, expand the Get-MsolUser command above to include the additional attributes. The list of attributes synchronized by AD Connect can be found here:
    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
  7. Edit both files to populate blank fields with the missing data/attributes (telephone number, address, etc.).
  8. Run the following command on the local On-premises Exchange Server to create a remote mailbox for the user, using the data from the MSOL-Users.csv file:
    Enable-RemoteMailbox -Identity "second@9tech.ca" -RemoteRoutingAddress "second@9tech1.mail.onmicrosoft.com" -PrimarySmtpAddress "second@9tech.ca"
  9. Run the following command on the local On-premises Exchange Server to assign the additional email addresses to the previously created remote mailbox, using the data from the MSOL-Users.csv file (the uppercase SMTP: prefix marks the primary address; disabling the email address policy stops the local policy from rewriting the imported addresses):
    Set-RemoteMailbox -Identity "second@9tech.ca" -EmailAddressPolicyEnabled $false -EmailAddresses smtp:secondd@9tech.ca,SMTP:second@9tech.ca,smtp:seconddd@9tech.ca
  10. Run the following command on the local On-premises Exchange Server to assign the additional attributes to the local AD account, using the data from the Exchange-Online-Users.csv file (Set-User names the state and country parameters -StateOrProvince and -CountryOrRegion):

    Set-User -Identity "second@9tech.ca" -DisplayName "Second Test" -UserPrincipalName "second@9tech.ca" -City "Atlanta" -CountryOrRegion "United States" -Department "Information Services" -Fax "" -FirstName "Second" -LastName "Test" -MobilePhone "" -Office "Midtown" -Phone "+1 (404) 326-0000" -PostalCode "30000" -StateOrProvince "GA" -StreetAddress "1100 Baif Street, Suite 1000" -Title "Senior Helpdesk Support Technician"
  11. Move the mailbox's user account to an OU which is in the AD Connect sync scope.
  12. Notify the users that their Office 365 password is going to change and that the new password is going to be the same as their internal AD password.
  13. Perform an AD Connect sync.
  14. Check that the user's status has changed from "In Cloud" to "Synced with Active Directory".
  15. Check that the user can log in to Exchange Online using the internal Active Directory password.
  16. After those steps, all attributes for the specified users are copied from Office 365 back to On-premises Active Directory, the password is uploaded from the local Active Directory, and all attributes of the mailbox are managed locally from the Exchange Server.
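As an added example that is not part of the original post, the script below applies steps 8 to 10 to every row of the two CSV exports instead of typing one command per user, and adds the pre-flight check a practitioner wants before step 13: the On-premises account must carry exactly the cloud UPN, because AD Connect soft-matches on it and a mismatch produces a duplicate cloud object rather than a linked one. Column names come from the exports above; the file paths, the $RoutingDomain value, the assumption that the routing alias equals the UPN local part, and the helper name Test-SyncedFromAd are assumptions. It runs in the On-premises Exchange Management Shell; Test-SyncedFromAd additionally needs the MSOnline module and Connect-MsolService.

```powershell
# Added example (not from the original post): bulk version of steps 8-10 plus a post-sync check.
param(
    [string]$MsolCsv       = 'C:\reports\MSOL-Users.csv',            # assumed path
    [string]$ExoCsv        = 'C:\reports\Exchange-Online-Users.csv', # assumed path
    [string]$RoutingDomain = '9tech1.mail.onmicrosoft.com',          # the tenant's mail.onmicrosoft.com domain
    [switch]$WhatIf                                                  # pass -WhatIf to rehearse without changes
)

# Azure AD export columns -> Set-User parameter names (Set-User has no -State / -Country).
$attrMap = @{
    DisplayName = 'DisplayName'; City = 'City'; Country = 'CountryOrRegion'; Department = 'Department'
    Fax = 'Fax'; FirstName = 'FirstName'; LastName = 'LastName'; MobilePhone = 'MobilePhone'
    Office = 'Office'; PhoneNumber = 'Phone'; PostalCode = 'PostalCode'; State = 'StateOrProvince'
    StreetAddress = 'StreetAddress'; Title = 'Title'
}

# After step 13 (AD Connect sync): a synced object has an ImmutableId and a LastDirSyncTime,
# an "In Cloud" object has neither. Hypothetical helper; needs Connect-MsolService first.
function Test-SyncedFromAd {
    param([string]$UserPrincipalName)
    $m = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Synced            = ([bool]$m.ImmutableId) -and ($null -ne $m.LastDirSyncTime)
        ImmutableId       = $m.ImmutableId
        LastDirSyncTime   = $m.LastDirSyncTime
    }
}

$msolUsers = Import-Csv -Path $MsolCsv
$exoByUpn  = @{}
foreach ($row in (Import-Csv -Path $ExoCsv)) { $exoByUpn[$row.UserPrincipalName.ToLower()] = $row }

foreach ($u in $msolUsers) {
    $upn = $u.UserPrincipalName
    $exo = $exoByUpn[$upn.ToLower()]
    if (-not $exo) { Write-Warning "$upn has no Exchange Online row; skipping"; continue }

    # Pre-flight: soft match keys on UPN / primary SMTP. A UPN mismatch here would make the
    # sync create a second cloud user instead of linking the existing mailbox.
    $adUser = Get-User -Identity $upn -ErrorAction SilentlyContinue
    if (-not $adUser) { Write-Warning "$upn has no On-premises account; skipping"; continue }
    if ($adUser.UserPrincipalName -ne $upn) {
        Write-Warning "$upn : On-premises UPN is $($adUser.UserPrincipalName); fix it before syncing"
        continue
    }

    # Step 8: create the remote mailbox. Routing alias assumed equal to the UPN local part.
    $routing = '{0}@{1}' -f $upn.Split('@')[0], $RoutingDomain
    if (-not (Get-RemoteMailbox -Identity $upn -ErrorAction SilentlyContinue)) {
        Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress $routing `
            -PrimarySmtpAddress $exo.PrimarySmtpAddress -WhatIf:$WhatIf
    }

    # Step 9: replay every proxy address Azure AD had (the export joined them with ';').
    # This keeps the .mail.onmicrosoft.com address that hybrid routing relies on and any
    # X500 entries; the address policy is disabled so it cannot rewrite them afterwards.
    $proxies = @($u.ProxyAddresses -split ';' | Where-Object { $_ })
    if ($proxies -notcontains "smtp:$routing") { $proxies += "smtp:$routing" }
    Set-RemoteMailbox -Identity $upn -EmailAddressPolicyEnabled $false `
        -EmailAddresses $proxies -WhatIf:$WhatIf

    # Step 10: copy the directory attributes, skipping blank cells so an empty CSV field
    # never wipes a value that is already correct On-premises.
    $params = @{ Identity = $upn; UserPrincipalName = $upn; WhatIf = $WhatIf }
    foreach ($col in $attrMap.Keys) {
        $value = $u.$col
        if (-not [string]::IsNullOrWhiteSpace($value)) { $params[$attrMap[$col]] = $value }
    }
    Set-User @params
}
```

Dot-source the script with -WhatIf first (`. .\Link-CloudUsers.ps1 -WhatIf`, a file name of your choosing) to see every planned change and to keep Test-SyncedFromAd defined in the session; after the AD Connect sync in step 13, `Test-SyncedFromAd 'second@9tech.ca'` gives the same answer as step 14 without opening the portal.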

About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory. Dan is currently employed with Employment and Social Development / Government of Canada.

4 Comments

  1. rnabidur
    09/11/2020 at 09:21 · Reply

    Hi Dan,
    Great article!
    Did you mean to say in “Current Settings”

    Initially, we have configured:

    Office 365 accounts/mailboxes already provisioned in Office 365/Exchange Online.
    Users IDs and passwords are setup in Office 365.
    Local Active Directory has all account objects.
    “There is no AD Connect Server locally Installed.” >>>> “There is AD Connect Server locally Installed.”???
    There is no Exchange Server locally Installed.

    • Dan Djurasovic
      12/11/2020 at 10:51 · Reply

      I corrected it. You need AD Connect installed but it has to point to empty OU.

  2. rnabidur
    09/11/2020 at 09:23 · Reply

    And do you know the updated link for this?
    https://msdn.microsoft.com/en-us/library/azure/dn194133(v=azure.98).aspx
    The above one is not working.

    • Dan Djurasovic
      12/11/2020 at 10:52 · Reply

      I corrected a link in the document.
      The new link is https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
