Forum Discussion

Ru
MVP
Sep 26, 2018

Exchange Online and Azure AD Connect

Hi everyone,

We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign-On scenario, hosted on an Azure B1ms Windows Server 2016 AD DC connected to on-prem AD via a S2S VPN.

My company of around 100 users has had O365 for several years, and the on-prem and AAD environments are totally separate for now.

One thing that has come up in my research is that with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense. Where there is confusion is Exchange Online attributes. Several older threads on Tech Community and other forums state you cannot change EXO attributes in an AAD Connect environment without on-prem Exchange installed, or at least its schema changes.

On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc.) and email addresses (multiple SMTP addresses). Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern.

Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange schema in our on-prem AD? Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared?

Thank you,

Ruairidh

30 Replies

  • Hi Ruairidh,

    Microsoft recommends that you have Exchange on-premises to configure mail settings for users, and if you uninstall Exchange on-prem you can't set up email address policies or additional proxy addresses.

    So it's much better to leave at least one hybrid Exchange server on-premises even after all mailboxes have been migrated to Office 365, to allow you to easily manage mailboxes from a single console. Remember that since the source of authority is the on-premises AD (because of AAD Connect), many changes need to be made on-premises. If there is no longer an Exchange server to manage and update mail attributes, you have to turn to 3rd-party tools or work with ADSIEDIT.

    In your scenario you must merge the Office 365 account with an on-premises AD account and do a soft match between objects and values.

    Once you finish the merging you will be able to configure Seamless SSO.

    Note:

    For Office 365 plans you get a free Exchange Server Hybrid Key: http://aka.ms/hybridkey

    The on-premises Exchange is for management, without any configuration, and some settings and components need to be disabled, such as client access, etc.

    Eli.

  • If you are going to still manage accounts on-prem, then you must set up a minimal hybrid configuration to still manage the Exchange attributes. I saw some time back that Microsoft was working on a way to completely decommission Exchange on-prem, but AFAIK you still require an Exchange server on-prem for management today.
    • John Twohig
      Iron Contributor

      I have often read that the on-prem Exchange server is required, but we have been using Office 365 for about 3 years and decommissioned our on-prem Exchange server about 2 years ago.

      Apparently there are things we can't do without an on-prem Exchange server, but we haven't found them yet.

      • Ru
        MVP

        Thank you for the feedback, everyone - getting clearer. We have never used Exchange (migrated from Lotus Notes) and I want to avoid installing it unless totally necessary. I will create a test domain and O365 tenant with Azure AD Connect to confirm a few things, but expect we'll avoid Exchange and just manage additional SMTP addresses using the suggestions in this thread.

        One more question if anyone happens to know. The source anchor for things will now change to be on-prem Active Directory. Does this include user profile images? Azure AD Connect documentation states that if the on-prem value is currently null (which it is for images), Azure AD values will not be 'wiped'. But I assume users can still update their avatar using O365? On further inspection, it appears the avatar value comes from Exchange which, as we have never used it, would not even be in our AD attributes?

        Thank you again.
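A PowerShell version of the "edit the attribute on-prem" route Eli mentions (ADSIEDIT) and that Ru plans to use for additional SMTP addresses, added here as an example and not posted by anyone in the thread. It assumes the RSAT ActiveDirectory module on a domain-joined host and uses placeholder user and domain names; proxyAddresses and mail are in the base AD schema, so no Exchange schema extension is needed.

```powershell
# Added example (not from the thread): stage and validate proxyAddresses for an
# on-prem AD user without the Exchange schema, then write it so AAD Connect
# syncs it to Exchange Online. 'jdoe' and example.com/.org are placeholders.
Import-Module ActiveDirectory

function Test-ProxyAddressList {
    param([string[]]$Addresses)
    # Exactly one primary (upper-case "SMTP:"), aliases as lower-case "smtp:",
    # well-formed addresses, and no duplicates ignoring case. Throws on failure.
    $primary = @($Addresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        throw "Expected exactly one 'SMTP:' primary, found $($primary.Count)"
    }
    $bad = @($Addresses | Where-Object { $_ -cnotmatch '^(smtp|SMTP):[^@\s]+@[^@\s]+$' })
    if ($bad.Count -gt 0) { throw "Malformed entries: $($bad -join ', ')" }
    $dupes = $Addresses | ForEach-Object { $_.ToLowerInvariant() } |
        Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate addresses: $($dupes.Name -join ', ')" }
    return $true
}

function Set-UserProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Primary,
        [string[]]$Aliases = @()
    )
    $list = @("SMTP:$Primary") + @($Aliases | ForEach-Object { "smtp:$_" })
    Test-ProxyAddressList -Addresses $list | Out-Null
    # -Replace rather than -Add, so a stale primary from an earlier run cannot
    # leave two 'SMTP:' entries, which EXO rejects on sync.
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = $list; mail = $Primary }
    Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail |
        Select-Object SamAccountName, mail,
            @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }
}

# Usage with placeholder values
Set-UserProxyAddresses -SamAccountName 'jdoe' -Primary 'jdoe@example.com' `
    -Aliases 'john.doe@example.com', 'jdoe@example.org'
```

Once the user is synced, the on-prem proxyAddresses value is authoritative, so any aliases that were previously added directly in EXO must be included in this list or they will be dropped on the next sync cycle.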
