Dan Djurasovic Blog
  • SSH
  • Linux
Dan Djurasovic Blog
  • SSH
  • Linux
Dec 14

Change the source of authority from Azure AD to on-premises Active Directory WITHOUT on-premises Exchange Server installed.

  • 14/12/2016
  • Dan Djurasovic
  • 6 Comments

In this scenario presented here, we need to transfer the source of authority for a user account when that account was originally created by using Office 365 management tools.  We need to transfer the source of authority so that the account can be managed through an on-premises Active Directory Domain Services user account by using directory synchronization provide by AD Connect.

Current Settings

Initially, we have configured:

  • Office 365 accounts/mailboxes already provisioned in Office 365/Exchange Online.
  • Users ID and password are setup in Office 365.
  • Local Active Directory has all account objects.
  • There is no AD Connect Server locally installed and there is no sync from On-premises to Office 365.
  • There is no Exchange Server locally Installed.

We need to:

  • Link Office 365 accounts back to On-premises Active Directory accounts.
  • The password needs to be sync from On-premises Active Directory to Office 365.
  • All mailbox properties need to be managed locally and propagated to Office 365 using AD Connect.

 

Those two conditions had to be meet first in our example.

  • The local AD account and UPN was set to first@9tech.ca
  • Exchange Online Primary SMTP (first@9tech.ca) is matching local UPN (first@9tech.ca)

 

Here is the view from Office 365.  Account “First” is “In Cloud” account as you can see from the figure.

Use Active Directory User and Tools and make sure that Email field in AD properties of account is populated with Primary SMTP address.

 

Install AD Connect and run a sync

At this step, we are installing AD Connect and enabling OU filtering to OU where our test account is located.

After AD Connect sync to Office 365, account (first@9tech.ca) is converted from “In-Cloud” to “Sync with On-premises Active Directory” as you can see from the following picture.

The source of authority for directory sync has been moved from Azure AD to the local On-premises Active Directory.

The following table shows how attributes of objects changes in Office 365 after the sync.
Fields in green color were changed in Office 365 after the sync.


The following table show syncing behavior for attributes which are synced from On-premises to Office 365

After we populate all necessary fields, AD Connect will propagate those attribute properties to Azure AD/Exchange Online.
We can manually copy all basic attributes (title, phone, street etc.) from Azure AD/Exchange Online and to Local Active Directory using Active Directory User and Tools.

 

How to fix additional Exchange Online proxy email address?

It is more difficult with an additional email address because Active Directory User and Tools has no field for the proxy address attribute.
After the initial sync, additional proxy email addresses were deleted from Office 365.

We can try to add missing resume@9tech.ca email address back to mailbox in Exchange Online

But when we press save, we are presented with an error which notifies us that we should change properties on On-premises objects in AD instead in Office 365.

 

We can use native AD PowerShell commands to check attributes of objects in local AD.

Get -ADUser -identity first -properties * | fl  DisplayName,mail,ProxyAddresses

We can add resume@9tech.ca to local AD account using the following PowerShell command

Set-ADUser -identity first -Add @{Proxyaddresses=”SMTP:first@9tech.ca”,”smtp:resume@9tech.ca”}

After we sync local Active Directory to Azure AD new proxy email address is added to Exchange Online Mailbox,

After this step existing user is fully functional in Office 365, all attributes are copied from local AD to Office 365 and local Active Directory passwords are propagated to Office 365.

Provision new Mailboxes in Office 365

The following paragraph is showing a process to how to provision mailbox to Office 365 using on-premises Active Directory.

  1. Creating the User
  2. Open Active Directory Users and Computers on Local AD
  3. Create an Active Directory user as you normally would.
  4. Ensure that the user’s email address on the General tab of the AD properties is correct.
  5. Ensure that the user’s UPN name match their primary SMTP address.
  6. Run the following command to add any additional SMTP address to mailbox
    Set-ADUser -identity new -Add @{Proxyaddresses=”SMTP:new@9tech.ca”,”smtp:new2@9tech.ca”}
  7. Run AD Connect Sync
  8. Login to Office 365 and configure users location and assign license
  9. Check if additional email address are assigned correctly

 

There are some of settings and features which we are not able to configure without installing local exchange server.
Those are some of the examples which you will not be able to setup.

  • Hide mailbox in GAL
  • Provision Archive mailbox in Exchange Online for users which are synced from On-premises.
  • Create shared or room mailbox which is sync from On-premises.

If you try to hide mailbox in Office 365 or newly created mailbox, an error will occur and we will be notified that operation needs to be performed in local AD instead in Exchange Online.

This article explained how to change source authority from Office 365 identities to local Active Directory.
Is this method of provisioning and managing identities supported by Microsoft?

The following TechNet article describes what supported tools are:

How and when to decommission your on-premises Exchange servers in a hybrid deployment

“The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects.”

We need to have Exchange on-premises.

The next article is outlining a scenario in which local on-prem exchange servers is presented.

http://blog.djurasovic.com/change-the-source-authority-from-azure-ad-to-local-active-directory-with-use-of-on-premises-exchange-server/

 

See the other blog for more details.

https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/

  • LinkedIn
  • E-Mail

About The Author

Dan is an Azure Technical Advisor, with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server Azure IaaS and Active Directory.

6 Comments

  1. Alitai
    17/09/2018 at 18:59 · Reply

    What happens when you add only one entry to the proxyaddresses?

    Instead:
    Set-ADUser -identity new -Add @{Proxyaddresses=”SMTP:new@9tech.ca”,”smtp:new2@9tech.ca”}

    Only:
    Set-ADUser -identity new -Add @{Proxyaddresses=”smtp:new2@9tech.ca”}

    Would this also work or does it make no sense?

    Regards
    Alitai

    • Dan Djurasovic
      18/09/2018 at 19:20 · Reply

      You can add one entry but that entry must have capital SMTP for part of email address.
      One email address must have capital SMTP (primary SMTP address)
      Here is a example.
      Set-ADUser -identity new -Add @{Proxyaddresses=”SMTP:new2@9tech.ca”}

  2. Alitai
    18/09/2018 at 20:14 · Reply

    Hello Mr. Djurasovic

    Now i understand why it needs both.
    It makes sense for me now.

    Thank you so much for the Answer!

    Best Regards

    Alitai

  3. Darin
    08/10/2018 at 20:28 · Reply

    If you’ve never had on-prem exchange you can “Hide Users from the GAL” by using a custom sync rule in Azure AD Connect as describe in the following article.

    http://jackstromberg.com/2018/08/how-to-hide-users-from-the-gal-in-office-365-synchronized-from-on-premises/

  4. richie
    03/12/2019 at 17:42 · Reply

    Hi Dan,
    I read your article and its good. i have a question, its synchronization issues between our on perm AD and Azure AD after installing AD connect.

    The issue we have is each time I add an email account to the special group we created for DLP in the on perm AD, when it synchronizes it changes the email user name
    example: we have “ John Smith” on our domain controller AD email address is smith@corp.com, then after synchronization the email changes to smithj@corp.com on the Azure AD which automatically disconnects the user.
    how do I fix this issue?

    thank you

    • Dan Djurasovic
      05/12/2019 at 02:13 · Reply

      I am not aware that AD Connect can change attributes on the user.
      You might have local Exchange Email Policy which is changing that SMTP attribute.

Leave a reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts

  • Create Azure Policy Assignment to block the creation of expensive VMs and block creation of certain resource types
  • Enable and Configure Azure Monitoring and alerting using PowerShell Script.
  • Enable Monitoring and Alerting in Azure using Portal Part 1
  • Configure Windows virtual machine in Azure using Azure AD authentication and RDP.
  • How to deploy CIS hardening scripts on Windows VM hosted in the Azure

Recent Comments

  • George Ewusi on How to setup Azure Active Directory Domain Services
  • Vince on Enable and Configure Azure Monitoring and alerting using PowerShell Script.
  • Herman on Create Azure Policy to limit VNet Address Space creation to certain address spaces only
  • Name (required)Pouya Panahy on Migrate physical server to Azure VM using Disk2VHD tool and Add-AzureRmVhd command
  • Dan Djurasovic on Migrate physical server to Azure VM using Disk2VHD tool and Add-AzureRmVhd command

Archives

  • July 2022
  • December 2021
  • October 2021
  • June 2021
  • June 2020
  • October 2019
  • June 2019
  • May 2019
  • December 2018
  • November 2018
  • June 2018
  • July 2017
  • January 2017
  • December 2016
  • March 2014
© 2016 djurasovic.com