Forum Discussion

EmMabel
Copper Contributor
Oct 25, 2023
Solved

Identity management changes - what options for AAD Connect + Exchange 2016 hybrid setup?

Hello Community,

I am trying to figure out best practices for identity solutions when Active Directory is no longer the main source of truth for the user's IT profile.

 

Existing setup:

User account created in Active Directory (schema 2016)
RemoteMailbox object created in Exchange 2016
User account synced to Azure AD via AAD Connect + O365 license enabled

Domain Federation / authentication done with VMware IDM

Planned future setup:
OKTA IAM (main source of origin for IT profile and also domain federation moved here)

  -> option 1) profile provisioned to AD for personal laptop use + network resources
       -> AAD connect sync to Azure
  -> option 2) no personal laptop needed -> provisioned directly to Azure AD

 

The puzzling part is the need to use AADConnect for those who need an AD account to be able to log in to some company resources on the internal network or to use a personal domain-connected laptop. Or is there a more straightforward way to set things up so that, for example, all users are provisioned directly from OKTA to Azure, and the AD account, when needed, is connected to the OKTA profile, with all authentication handled by OKTA at that point...

At this point we need the on-prem Exchange to be able to send lots and lots of app messages, so either we need to leave that as is and consider continuing to create RemoteMailbox objects, or would there be a way to stop needing those...?

I think we still need to have some SMTP relay solution for all the on-prem app messages we send; I think Microsoft has quite strict limits on the number of SMTP-relayed messages it's willing to accept. Correct me if I'm wrong 🙂 Also, because of the cert requirements, those cannot just be directed to O365 from the on-prem servers without any "middle man" solution...

 

Things to consider? Tips, tricks and any other advice are welcome. I would think there is more than one way to do things, so I'm looking to have a discussion about the pros and cons of this topic.

Kindly,
Em
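
The existing flow described above (AD user, RemoteMailbox object, AAD Connect sync) in PowerShell, as an added example that is not part of the original post or Microsoft's documentation. It shows what a "RemoteMailbox object" is in AD terms, namely the recipient attributes that Enable-RemoteMailbox stamps on the user and that a plain AD account created by another tool does not carry, and it classifies existing accounts by those attributes so the ones that never went through Exchange stand out. It assumes the ActiveDirectory RSAT module, an Exchange Management Shell for Enable-RemoteMailbox, and PowerShell remoting to the AAD Connect server; contoso.mail.onmicrosoft.com, aadc01.contoso.local and the OU path are placeholders.

```powershell
# Added example for this thread, not code from the post or from Microsoft.
# Requires: ActiveDirectory RSAT module; Exchange Management Shell (for Enable-RemoteMailbox);
# PowerShell remoting to the AAD Connect server. Placeholder names: contoso.mail.onmicrosoft.com,
# aadc01.contoso.local, OU=Users,DC=contoso,DC=local.

function Get-HybridRecipientState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName,
        [string]$RemoteRoutingDomain = 'contoso.mail.onmicrosoft.com'   # tenant routing domain (placeholder)
    )
    process {
        $props = 'mail', 'targetAddress', 'proxyAddresses', 'homeMDB',
                 'msExchRecipientTypeDetails', 'msExchRemoteRecipientType'
        $u = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction Stop

        # Values Exchange writes to these attributes (well-known constants, not configurable):
        #   msExchRecipientTypeDetails 1          = UserMailbox       (mailbox lives on Exchange 2016)
        #   msExchRecipientTypeDetails 2147483648 = RemoteUserMailbox (mailbox lives in Exchange Online)
        #   msExchRemoteRecipientType  1 = ProvisionMailbox (New-/Enable-RemoteMailbox), 4 = Migrated
        if ($u.homeMDB) {
            $state = 'OnPremMailbox'
        } elseif ([int64]$u.msExchRecipientTypeDetails -eq 2147483648) {
            $state = 'RemoteMailbox'
        } elseif ($u.mail -or $u.targetAddress) {
            $state = 'MailEnabledOther'   # mail attribute set, but no Exchange recipient type
        } else {
            $state = 'PlainAdUser'        # e.g. created by an IAM connector, never touched by Exchange
        }

        $target  = [string]$u.targetAddress
        $pattern = '^smtp:[^@]+@' + [regex]::Escape($RemoteRoutingDomain) + '$'
        $routesToTenant = $target -imatch $pattern
        $hasTenantProxy = [bool]($u.proxyAddresses -imatch $pattern)

        $issues = @()
        if ($state -eq 'RemoteMailbox' -and -not $routesToTenant) {
            $issues += "targetAddress '$target' does not point at $RemoteRoutingDomain; on-prem Exchange cannot route to the cloud mailbox"
        }
        if ($state -eq 'RemoteMailbox' -and -not $hasTenantProxy) {
            $issues += "no $RemoteRoutingDomain address in proxyAddresses"
        }
        if ($state -in 'PlainAdUser', 'MailEnabledOther') {
            $issues += 'No Exchange recipient attributes: run Enable-RemoteMailbox (or Enable-Mailbox) before relying on mail flow'
        }

        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            UserPrincipalName   = $u.UserPrincipalName
            State               = $state
            TargetAddress       = $target
            RemoteRecipientType = $u.msExchRemoteRecipientType
            Issues              = $issues
        }
    }
}

# "Option 1" flow from the question: the AD account already exists (created by the IAM tool),
# so stamp the remote-mailbox attributes and push a delta sync instead of waiting for the
# default 30-minute AAD Connect scheduler.
function Enable-HybridRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$RemoteRoutingDomain = 'contoso.mail.onmicrosoft.com',   # placeholder
        [string]$AadConnectServer    = 'aadc01.contoso.local'             # placeholder
    )
    $u = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $routing = "$($u.SamAccountName)@$RemoteRoutingDomain"
    # Exchange Management Shell cmdlet: turns an existing AD user into a RemoteMailbox recipient.
    Enable-RemoteMailbox -Identity $u.UserPrincipalName -RemoteRoutingAddress $routing | Out-Null
    # The ADSync module lives on the AAD Connect server; a delta cycle picks up the new attributes.
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta } | Out-Null
    Get-HybridRecipientState -SamAccountName $SamAccountName -RemoteRoutingDomain $RemoteRoutingDomain
}

# Usage (placeholders): audit an OU for accounts Exchange has never seen, then fix one of them.
#   Get-ADUser -Filter * -SearchBase 'OU=Users,DC=contoso,DC=local' |
#       Get-HybridRecipientState | Where-Object Issues | Format-Table SamAccountName, State, Issues
#   Enable-HybridRemoteMailbox -SamAccountName jdoe
```

The audit is the part worth keeping once Okta becomes the source of the AD account: whatever creates the user, the object only routes mail correctly once it carries a RemoteUserMailbox recipient type and a targetAddress in the tenant routing domain, and the Issues column shows which accounts are missing that.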


2 Replies

  •
    LeonPavesic
    Silver Contributor

    Hi EmMabel,

    Here are some considerations and options regarding your question:

    Identity Source

    In your planned setup, you mentioned OKTA being the primary source of identity. This is feasible, and many organizations use identity providers like OKTA as the source of truth for user profiles.

    Azure AD Connect

    If you still need some users to have AD accounts for accessing internal resources or using personal laptops, you can use Azure AD Connect to synchronize these accounts to Azure AD. You can configure Azure AD Connect to handle password synchronization or use a federated setup with OKTA for single sign-on (SSO). This way, users can log in to both on-premises resources and Office 365 services using their OKTA credentials.

    Exchange 2016

    If you need Exchange 2016 to continue sending email, it's possible to maintain a hybrid setup with Exchange Online. This allows you to use Exchange 2016 for specific email needs while utilizing Exchange Online for other features.

    SMTP Relay

    For sending large volumes of application messages, it's common to set up an SMTP relay. This can be a separate server or service, such as an on-premises SMTP relay server or a cloud-based relay service. Microsoft does have limits on SMTP relay, so consider your email volume and whether you need to scale up your relay infrastructure.

    Certificates

    If you're maintaining an on-premises Exchange server, you'll still need SSL certificates for secure email communication. You can obtain and manage these certificates for your Exchange server.

    Pros and Cons

    The choice between provisioning AD accounts for certain users or provisioning directly to Azure AD depends on your specific requirements. Provisioning to AD allows for a hybrid setup, while provisioning directly to Azure AD simplifies the architecture but may limit some on-premises access.

    Testing

    Before making any significant changes, it's a good practice to set up a test environment to ensure the new identity and email configurations work as expected.

    User Education

    Keep in mind that changes in the authentication process and identity source may require user education and communication to ensure a smooth transition.

    Recommendations

    Here are some recommendations based on the information you provided:

    • If you need all users to have access to on-premises resources or use personal laptops, I recommend provisioning AD accounts for all users and using Azure AD Connect to synchronize them to Azure AD. This will allow you to continue using your existing hybrid setup and provide users with a single sign-on experience for both on-premises and cloud resources.
    • If you only need a subset of users to have access to on-premises resources or use personal laptops, you can provision AD accounts for those users and use Azure AD Connect to synchronize them to Azure AD. You can then use a federated setup with OKTA to provide SSO for these users.
    • If you do not need any users to have access to on-premises resources or use personal laptops, you can provision all users directly to Azure AD. This will eliminate the need for Azure AD Connect and simplify the architecture.

    Additional Considerations

    • If you're maintaining an on-premises Exchange server, you'll need to consider how you will manage email delivery. You can continue to use Exchange 2016 for on-premises email delivery, or you can migrate to Exchange Online. If you choose to migrate to Exchange Online, you'll need to configure a hybrid setup between Exchange 2016 and Exchange Online.
    • You'll also need to consider how you will manage certificates for your on-premises Exchange server. You can obtain and manage these certificates yourself, or you can use a third-party certificate management service.


    Kindest regards,


    Leon Pavesic

    •
      EmMabel
      Copper Contributor
      Thank you Leon for very clear and thorough reply!
      You gave me plenty to think about! Much appreciated!

      Kindly,
      Em
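
A probe for the SMTP relay and certificate points in Leon's reply, added here as an example; it is not code from the thread or from Microsoft. Run it against the on-prem relay, the Exchange 2016 server, or the tenant's inbound endpoint: it performs EHLO, STARTTLS and a TLS handshake with plain .NET, then reports the certificate presented, whether its chain builds on the probing machine, and whether it carries the name you expect (for example the certificate subject name an Exchange Online inbound connector can be configured to require from the on-prem sender). relay.contoso.local, mail.contoso.com and probe.contoso.local are placeholders.

```powershell
# Added example for this thread, not code from the post or from Microsoft. Pure .NET, so it runs
# from any Windows PowerShell 5.1 / PowerShell 7 host with network access to the SMTP endpoint.
# Placeholders: relay.contoso.local (endpoint), mail.contoso.com (expected name), probe.contoso.local.

function Read-SmtpReply {
    param([Parameter(Mandatory)][System.IO.StreamReader]$Reader)
    # SMTP replies span one or more lines: "250-..." continues, "250 ..." is the last line (RFC 5321 4.2).
    $lines = [System.Collections.Generic.List[string]]::new()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines.Add($line)
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Lines = $lines.ToArray() }
}

function Test-CertNameMatch {
    param([string]$San, [string]$Name)
    # RFC 6125 style: a wildcard covers exactly one label, so *.contoso.com matches
    # mail.contoso.com but not a.b.contoso.com.
    if ($San.StartsWith('*.')) {
        $suffix = $San.Substring(1)
        return $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
               ($Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.')
    }
    return [string]::Equals($San, $Name, [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-SmtpStartTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$ExpectedName = $Server,            # e.g. the name an EXO inbound connector requires
        [string]$EhloName = 'probe.contoso.local',   # placeholder
        [int]$TimeoutMs = 10000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    try {
        $net    = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($net, [System.Text.Encoding]::ASCII, $false, 1024, $true)
        $writer = [System.IO.StreamWriter]::new($net, [System.Text.Encoding]::ASCII, 1024, $true)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner.Code -ne 220) { throw "Unexpected banner: $($banner.Lines -join ' | ')" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader
        $result = [ordered]@{
            Server          = $Server
            Port            = $Port
            Banner          = $banner.Lines[0]
            StartTlsOffered = [bool]($ehlo.Lines -match '^250[- ]STARTTLS\s*$')
        }
        if (-not $result.StartTlsOffered) {
            $writer.WriteLine('QUIT')
            return [pscustomobject]$result
        }

        $writer.WriteLine('STARTTLS')
        $go = Read-SmtpReply $reader
        if ($go.Code -ne 220) { throw "STARTTLS refused: $($go.Lines -join ' | ')" }

        # Accept whatever is presented during the handshake; the chain is validated explicitly
        # below so the probe reports details for a self-signed or expired cert instead of failing.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = [System.Net.Security.SslStream]::new($net, $true, $acceptAll)
        $tls.AuthenticateAsClient($Server)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()   # default policy: online revocation check
        $chainOk = $chain.Build($cert)
        $sans    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $sans) { $sans = @($cert.GetNameInfo('DnsName', $false)) }

        $result.Protocol     = $tls.SslProtocol
        $result.Cipher       = "$($tls.CipherAlgorithm)/$($tls.CipherStrength)"
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NotAfter     = $cert.NotAfter
        $result.DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.Sans         = $sans
        $result.ChainValid   = $chainOk
        $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $result.NameMatches  = [bool]($sans | Where-Object { Test-CertNameMatch -San $_ -Name $ExpectedName })
        [pscustomobject]$result
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $client.Dispose()
    }
}

# Usage (placeholders): anything with StartTlsOffered/ChainValid/NameMatches false is what a
# certificate-based connector would reject, or what would leave app mail in the clear.
#   Test-SmtpStartTls -Server relay.contoso.local -ExpectedName mail.contoso.com |
#       Format-List StartTlsOffered, Protocol, Subject, DaysToExpiry, ChainValid, ChainStatus, NameMatches
```

ChainValid reflects the trust store of the machine running the probe, not Microsoft's, so a result that passes here but fails against Exchange Online usually means a private CA certificate; that is the "middle man" case from the question, where the relay in front of the applications is the one that needs a publicly trusted certificate.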