cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Online and Azure AD Connect

Ru
MVP

‎Sep 26 2018 09:15 AM - last edited on ‎Jan 14 2022 03:42 PM by

‎Sep 26 2018 09:15 AM - last edited on ‎Jan 14 2022 03:42 PM by

Exchange Online and Azure AD Connect

Hi everyone,

 

We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign On scenario, hosted on Azure B1ms Windows Server 2016 AD DC connect to on-prem AD via S2S VPN.

 

My company of around 100 users have had O365 for several years and the on-prem and AAD environments are totally separate for now.

 

One thing that has come up in my research is with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense.  Where there is confusion is Exchange Online attributes.  Several older threads on Tech Community and other forums state you cannot change EXO attributes, in an AAD Connect environment, without on-prem Exchange installed or at least its schema changes.

 

On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc) and email addresses (multiple SMTP addresses).  Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern.

 

Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange scheme in our on-prem AD?  Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared?

 

Thank you,

 

Ruairidh

Labels:
49.5K Views
1 Like
30 Replies
Reply
30 Replies
wroot

‎Jul 11 2019 11:16 AM

‎Jul 11 2019 11:16 AM

Re: Exchange Online and Azure AD Connect

AADC won't sync/write back without Azure Premium license. And usually it syncs from on premise to the cloud. Yes, it is probably better to extend before installing AADC or it won't even install without a schema already being present. Then you would put email addresses into local AD users profiles and then AADC would sync this info to Exchange Online.
1 Like
Reply
redamaleki

‎Jul 11 2019 12:03 PM

‎Jul 11 2019 12:03 PM

Re: Exchange Online and Azure AD Connect

@wroot 

I did see this text on the AADC options:

Exchange Hybrid DeploymentThe Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect is synchronizing a specific set of attributes from Azure AD back into your on-premises directory.

 

Even though Exchange may not be installed locally, won't AADC and Azure AD still be treating it like a hybrid exchange environment?  @Ru I should be selecting this option when installing AADC, correct?  Seems that others already had Exchange installed on premise, so this would have been checked when they deployed AADC and then later decommissioned their on prem exchange servers.

 

0 Likes
Reply
Ru

‎Jul 11 2019 01:13 PM

‎Jul 11 2019 01:13 PM

Re: Exchange Online and Azure AD Connect

@redamalekiWe did not select options for enabling Exchange Hybrid.  That is strictly for people who want to control Exchange on-prem and Exchange online in a coexisting environment.  If you never had Exchange or have moved all mailboxes to Exchange online, you don't need that; only the schema extension.  You then just need to make sure the attributes match your AAD and on-prem AD before the AAD Connect sync, such as UPN and email.  AAD Connect with then perform a 'soft match' between the AAD and on-prem identity.

2 Likes
Reply
redamaleki

‎Jul 11 2019 01:15 PM

‎Jul 11 2019 01:15 PM

Re: Exchange Online and Azure AD Connect

Awesome, thank you for the clarification.
0 Likes
Reply
wroot

‎Jul 11 2019 09:30 PM

‎Jul 11 2019 09:30 PM

Re: Exchange Online and Azure AD Connect

You can also run Idfix tool against your AD before AADC install. It will show you errors that you can fix before hand, like duplicated UPNs, etc. And yes, if you use emails like name.lastname@domain.com and your AD users use username111 UPN, you will have to change them to email address form before the sync, so it would match AAD format.
1 Like
Reply
redamaleki

‎Jul 22 2019 02:06 PM

‎Jul 22 2019 02:06 PM

Re: Exchange Online and Azure AD Connect

@Ru Thanks for the information.  I believe that we are going to deploy Exchange 2016 on prem soley for management.  My issue is that the AD environment never had Exchange deployed, so the domain has never been prepped, auto discover scp has not been set, and client namespace has not been defined.  My concern is that deploying Exchange on prem after AADC and getting them on board with using on Prem AD credentials might cause some service interruptions.  I've been trying to find a guide or directions on deploying an Exchange 2016 Management server in a greenfield AD only to manage mail properties for Exchange Online for synchronized users.

My approach at this point is to install it like a new Exchange deployment, but point Autodiscover to https://autodiscover.outlook.com/Autodiscover/Autodiscover.xml and use the hybrid wizard only to license the server.  Outside of that, and not routing any mail services to the server, there wouldn't be much else to it.

 

0 Likes
Reply
Ru

‎Jul 23 2019 05:33 AM

‎Jul 23 2019 05:33 AM

Re: Exchange Online and Azure AD Connect

@redamalekiI don't quite understand why you need to install Exchange.  The attributes can managed without it, as long as you extend the schema.  You can do it very easily with the AD Users & Computers console.  What's leading you to this conclusion?

0 Likes
Reply
redamaleki

‎Sep 11 2019 05:10 PM

‎Sep 11 2019 05:10 PM

Re: Exchange Online and Azure AD Connect

@Ru Most information I have found says this is the recommended practice.  What tool are you using to manage email aliases?  The more I think about it, the more I am intending to agree with you.  An on-premise exchange server in a green-field AD seems like more of a headache than what it would be worth.

0 Likes
Reply
wroot

‎Sep 11 2019 09:18 PM

‎Sep 11 2019 09:18 PM

Re: Exchange Online and Azure AD Connect

You can use regular ADUC (AD Users and Computers console), enable Advanced options in it and when you open a user, it should have the Attribute editor tab. In there you can change various attributes. To add/edit aliases you can edit ProxyAddresses attribute.

 

SMPT:name@domain.com is the main address

smpt:name@domain.com is the secondary address and you can add many of them

0 Likes
Reply
Jonas Back

‎Sep 12 2019 08:53 AM - edited ‎Sep 12 2019 08:54 AM

‎Sep 12 2019 08:53 AM - edited ‎Sep 12 2019 08:54 AM

Re: Exchange Online and Azure AD Connect

I’ve had this discussion many times with customers and we all end up with ”it’s unsupported” to remove the last Exchange - period. I also know it’s possible to edit attributes directly in ADUC but I would never recommend it.

But I also agree Microsoft should fix this - it doesn’t make any sense. I was on whole day session just regarding Hybrid at Ignite 3 years ago and they said ”we’re working on it” but now they don’t even say that. I think this requirement will never go away and they are working on other things. Long term solution if you REALLY want to get rid of Exchange on-premises is probably to move away from on-premise AD and Azure AD Connect completely and go all-in on Cloud Only Identities. Again, not what I want to tell my customers but to be honest, that is what I think.

...and I’ll keep asking the experts at Ignite - which I do every year
0 Likes
Reply
BishopstonIT

‎Apr 15 2020 07:13 AM

‎Apr 15 2020 07:13 AM

Re: Exchange Online and Azure AD Connect

@Jonas Back  this still doesn't account for sites that have never had exchange installed

0 Likes
Reply