EmMabel
Copper Contributor
Oct 25, 2023
Solved

Identity management changes - what options for AAD Connect + Exchange 2016 hybrid setup?

Hello Community, I am trying to figure out best practices for Identity solutions when the Active Directory is no longer the main source of truth for the user IT profile. Existing setup: User ac...
  • LeonPavesic
    Oct 26, 2023

    Hi EmMabel,

    Here are some considerations and options regarding your question:

    Identity Source

    In your planned setup, you mentioned OKTA being the primary source of identity. This is feasible, and many organizations use identity providers like OKTA as the source of truth for user profiles.

    Azure AD Connect

    If you still need some users to have AD accounts for accessing internal resources or using personal laptops, you can use Azure AD Connect to synchronize these accounts to Azure AD. You can configure Azure AD Connect to handle password synchronization or use a federated setup with OKTA for single sign-on (SSO). This way, users can log in to both on-premises resources and Office 365 services using their OKTA credentials.

    Exchange 2016

    If you need Exchange 2016 to continue sending email, it's possible to maintain a hybrid setup with Exchange Online. This allows you to use Exchange 2016 for specific email needs while utilizing Exchange Online for other features.

    SMTP Relay

    For sending large volumes of application messages, it's common to set up an SMTP relay. This can be a separate server or service, such as an on-premises SMTP relay server or a cloud-based relay service. Microsoft does have limits on SMTP relay, so consider your email volume and whether you need to scale up your relay infrastructure.

    Certificates

    If you're maintaining an on-premises Exchange server, you'll still need SSL certificates for secure email communication. You can obtain and manage these certificates for your Exchange server.

    Pros and Cons

    The choice between provisioning AD accounts for certain users or provisioning directly to Azure AD depends on your specific requirements. Provisioning to AD allows for a hybrid setup, while provisioning directly to Azure AD simplifies the architecture but may limit some on-premises access.

    Testing

    Before making any significant changes, it's a good practice to set up a test environment to ensure the new identity and email configurations work as expected.

    User Education

    Keep in mind that changes in the authentication process and identity source may require user education and communication to ensure a smooth transition.

    Recommendations

    Here are some recommendations based on the information you provided:

    • If you need all users to have access to on-premises resources or use personal laptops, I recommend provisioning AD accounts for all users and using Azure AD Connect to synchronize them to Azure AD. This will allow you to continue using your existing hybrid setup and provide users with a single sign-on experience for both on-premises and cloud resources.
    • If you only need a subset of users to have access to on-premises resources or use personal laptops, you can provision AD accounts for those users and use Azure AD Connect to synchronize them to Azure AD. You can then use a federated setup with OKTA to provide SSO for these users.
    • If you do not need any users to have access to on-premises resources or use personal laptops, you can provision all users directly to Azure AD. This will eliminate the need for Azure AD Connect and simplify the architecture.

    Additional Considerations

    • If you're maintaining an on-premises Exchange server, you'll need to consider how you will manage email delivery. You can continue to use Exchange 2016 for on-premises email delivery, or you can migrate to Exchange Online. If you choose to migrate to Exchange Online, you'll need to configure a hybrid setup between Exchange 2016 and Exchange Online.
    • You'll also need to consider how you will manage certificates for your on-premises Exchange server. You can obtain and manage these certificates yourself, or you can use a third-party certificate management service.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it a Like.

    Kindest regards,

    Leon Pavesic
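The recommendations above hinge on how many users actually still depend on Azure AD Connect. The following script is an added example (not code from the thread or from Microsoft) that inventories synced versus cloud-only users and flags synced accounts whose last sync is stale; it assumes the Microsoft Graph PowerShell SDK is installed and that an account with User.Read.All can sign in, and the stale threshold is an assumed value.

```powershell
# Added example (not from the original thread): inventory which Azure AD / Entra ID
# users still depend on Azure AD Connect before deciding to keep or retire it.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users) is installed.
param(
    [int]$StaleAfterHours = 6   # assumption: roughly two missed 30-minute sync cycles worth flagging
)

Connect-MgGraph -Scopes "User.Read.All"

$users = Get-MgUser -All -Property `
    UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, UserType

# Synced users are the ones that would break (or become unmanageable) if Azure AD Connect
# were removed without first converting them to cloud-only accounts.
$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true -and $_.UserType -eq 'Member' })

$cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleAfterHours)
$stale  = @($synced | Where-Object {
    -not $_.OnPremisesLastSyncDateTime -or $_.OnPremisesLastSyncDateTime -lt $cutoff
})

[pscustomobject]@{
    TotalUsers       = @($users).Count
    SyncedFromAD     = $synced.Count
    CloudOnlyMembers = $cloudOnly.Count
    StaleSyncedUsers = $stale.Count
} | Format-List

# Enabled users whose sync is stale deserve attention: their AD-side changes (including
# password changes, if password hash sync is in use) are not reaching the cloud.
$stale | Where-Object { $_.AccountEnabled } |
    Select-Object UserPrincipalName, OnPremisesLastSyncDateTime |
    Sort-Object OnPremisesLastSyncDateTime |
    Format-Table -AutoSize
```

A non-zero SyncedFromAD count means Azure AD Connect cannot simply be removed; those accounts must first be converted to cloud-only (or re-provisioned from the new identity source) or they will stop receiving attribute and password updates.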