Exchange Online and Azure AD Connect

Hi everyone,

We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign On scenario, hosted on an Azure B1ms Windows Server 2016 AD DC connected to on-prem AD via S2S VPN.

My company of around 100 users has had O365 for several years and the on-prem and AAD environments are totally separate for now.

One thing that has come up in my research is with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense. Where there is confusion is Exchange Online attributes. Several older threads on Tech Community and other forums state you cannot change EXO attributes, in an AAD Connect environment, without on-prem Exchange installed or at least its schema changes.

On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc.) and email addresses (multiple SMTP addresses). Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern.

Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange schema in our on-prem AD? Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared?

Thank you,

Ruairidh

Labels: Azure AD Connect, Exchange Online

Re: Exchange Online and Azure AD Connect
If you are going to still manage accounts on-prem, then you must set up a minimal hybrid configuration to still manage the Exchange attributes. I saw some time back that Microsoft was working on a way to completely decommission Exchange on-prem, but AFAIK still today you still require an Exchange server on-prem for management.

Re: Exchange Online and Azure AD Connect
I have often read that the on-prem Exchange server is required, but we have been using Office 365 for about 3 years and decommissioned our on-prem Exchange server about 2 years ago.

Apparently there are things we can't do without an on-prem Exchange server, but we haven't found them yet.

Re: Exchange Online and Azure AD Connect
Same here, decommissioned on-prem Exchange more than a year ago. So far not missing anything, although I know this is not a supported setup. But it works and we don't have to manage another on-prem server. SMTP can be set via Attribute Editor in the AD card of a user (need to turn on Advanced settings). Send As and Full Access can be set through Office 365 Admin Center or Exchange Online Admin Center. They are not synced back, so it doesn't complain about AD being read-only and the settings stick.

Oh, but as we already had on-prem Exchange, our schema is already modified, so I don't know if the ProxyAddresses attribute and some others didn't come from that. Maybe orgs using on-prem AD and going to Exchange Online still have to update the schema to have the needed attributes.

Re: Exchange Online and Azure AD Connect
Yeah, that is true, since all of Exchange is basically run via AD. So how do you guys create mailboxes then for new users? Just create the user in AD, then add an Exchange Online license, and the mailbox gets created since the attribute isn't there to prevent it?

Re: Exchange Online and Azure AD Connect
Yep, create a user in AD, add an SMTP entry with the main email address to the ProxyAddresses attribute. Wait for or force an AD Connect sync, then find the user in the Office 365 admin center and apply a license. The mailbox is usually created in a few minutes.

It is different with shared mailboxes though. We create them in Office 365. It shows an error that it can't save changes to AD (we don't have Azure AD Premium and writeback enabled), but the mailbox is created and works correctly. There is just no information about it in local AD. Same for rooms.

Re: Exchange Online and Azure AD Connect
Seems sketchy ;). I'd rather just keep a VM around to stay supported hehe. It's not that much work ;)

Re: Exchange Online and Azure AD Connect
Well, it's debatable. I just can't force myself to think it is normal to have to keep an Exchange server (and keep it up to date) just to administer users. MS should really do something about it (like making a slim tool instead of having to install Exchange). But they won't, as they hope everyone will eventually move fully to the cloud :) I had a number of Exchange related tickets during the year (one dealing with some rogue entry from our local AD which ended up having an address, but no mailbox attached somehow) and support never asked how we manage mailboxes. MS partners helping us with migration to Office 365 also didn't warn us strongly about this. It's a common practice as I understood (maybe in small-mid size orgs).

Re: Exchange Online and Azure AD Connect
Agree. Makes sense. I need to see if they had any Exchange sessions going over whether they made progress at this Ignite, because I want to say last year was when I sat in on one where they were talking about working on letting us decommission on-prem Exchange in a supported manner.

Re: Exchange Online and Azure AD Connect
I've created shared and resource mailboxes in AD as regular users and gave them an Exchange license in Office 365. After the mailbox is created, I converted the mailbox to shared and removed the license. This way I can manage them (i.e. email addresses) from on-prem AD. Send As etc. needs to be managed in Office 365 unless you have the Exchange schema.

Re: Exchange Online and Azure AD Connect
Hi Ruairidh,

Microsoft recommends that you have an Exchange on-premises to configure mail settings for users, and if you uninstall Exchange on-prem you can't set up Email Address Policies or additional proxy addresses.

So it's much better to leave at least one Hybrid Exchange server on-premises even after all mailboxes have been migrated to Office 365, to allow easy management of mailboxes from a single console. Remember that since the source of authority is the on-premises AD (because of AAD Connect), many changes need to be made on-premises. If there is no longer an Exchange server to manage and update mail attributes, you have to turn to 3rd party tools or work with ADSIEDIT.

In your scenario you must merge the Office 365 account with an on-premises AD account and do a soft match between objects and values.

Once you finish the merging you will be able to configure Seamless SSO (https://www.eshlomo.us/azure-ad-seamless-sso-modern-authentication/).

Note:
For Office 365 plans you get a free Exchange Server Hybrid Key: http://aka.ms/hybridkey
The Exchange on-premises is for management without any configuration, and some settings and components need to be disabled, such as client access etc.

Eli.

Re: Exchange Online and Azure AD Connect
Thank you for the feedback everyone - getting clearer. We have never used Exchange (migrated from Lotus Notes) and I want to avoid installing it unless totally necessary. I will create a test domain and O365 tenant with Azure AD Connect to confirm a few things, but expect we'll avoid Exchange and just manage additional SMTP addresses using the suggestions in this thread.

One more question if anyone happens to know. The source anchor for things will now change to be on-prem Active Directory. Does this include user profile images? Azure AD Connect documentation states if the on-prem value is currently null (which it is for images), Azure AD values will not be 'wiped'. But I assume users can still update their avatar using O365? On further inspection, it appears the avatar value comes from Exchange which, as we have never used it, would not even be in our AD attributes?

Thank you again.

Re: Exchange Online and Azure AD Connect
We have on-prem SharePoint 2010 which works with local AD users. I can set an avatar in there, but it doesn't overlap with the O365 avatar, which is indeed set through Exchange.

Re: Exchange Online and Azure AD Connect
@Christopher Webb @Chris Webb
Any update on this? I have a project where the client has no on-prem Exchange deployed with their on-prem AD, but has a separate Exchange Online deployment that they would like to integrate with their on-prem AD for SSO with their Exchange Online. Is it still "unsupported" without a local Exchange server to manage the mail attributes, even when Exchange was never deployed on-prem?

Thanks!

Re: Exchange Online and Azure AD Connect
It is still unsupported! Although I believe you can get a free version of Exchange to get those Exchange attributes into AD.

Re: Exchange Online and Azure AD Connect
@adam deltinger Thanks for the quick reply. I was thinking that was the case; does the free Exchange Hybrid License include a Windows Server license? Essentially they are requiring yet another server for me to manage. I'm just glad that 2019 is intended to be run on Server Core.
Anyone know of or is using their "free" hybrid license on an Exchange 2019 server?

Re: Exchange Online and Azure AD Connect
@redamaleki According to @Greg Taylor - EXCHANGE - No hybrid license for Exchange 2019 (https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Hybrid-Configuration-Wizard-and-licensing-of-your-on-premises/bc-p/680755/highlight/true#M26892)

Re: Exchange Online and Azure AD Connect
@redamaleki

Hey. Just to confirm, you don't need to install Exchange; you only need to extend the AD schema to include its attributes. Do this on your DC and you won't need another server. You are licensed to do this with an O365 tenant. You can download Exchange2016-x64.exe from the Microsoft website, extract it, and run, in cmd:

Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema

Re: Exchange Online and Azure AD Connect
Yeah, as said, you only need to extend the schema so you can use and sync the correct Exchange attributes.

Re: Exchange Online and Azure AD Connect
@adam deltinger and @Ruairidh Campbell
I should do the extension prior to installing AADC, correct? Makes the most sense to me anyway, so that when AADC syncs, there is a place to write back the email information from Exchange Online.

Re: Exchange Online and Azure AD Connect
AADC won't sync/write back without an Azure Premium license. And usually it syncs from on-premises to the cloud. Yes, it is probably better to extend before installing AADC, or it won't even install without a schema already being present. Then you would put email addresses into local AD user profiles and then AADC would sync this info to Exchange Online.

Re: Exchange Online and Azure AD Connect
@Oleg K
I did see this text (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#optional-features) on the AADC options:

Exchange Hybrid Deployment: The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect is synchronizing a specific set of attributes (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback) from Azure AD back into your on-premises directory.

Even though Exchange may not be installed locally, won't AADC and Azure AD still be treating it like a hybrid Exchange environment? @Ruairidh Campbell I should be selecting this option when installing AADC, correct? Seems that others already had Exchange installed on-premises, so this would have been checked when they deployed AADC and then later decommissioned their on-prem Exchange servers.

Re: Exchange Online and Azure AD Connect
@redamaleki We did not select options for enabling Exchange Hybrid. That is strictly for people who want to control Exchange on-prem and Exchange Online in a coexisting environment. If you never had Exchange or have moved all mailboxes to Exchange Online, you don't need that; only the schema extension. You then just need to make sure the attributes match between your AAD and on-prem AD before the AAD Connect sync, such as UPN and email. AAD Connect will then perform a 'soft match' between the AAD and on-prem identity.

Re: Exchange Online and Azure AD Connect
Awesome, thank you for the clarification.

Re: Exchange Online and Azure AD Connect
You can also run the IdFix tool against your AD before the AADC install. It will show you errors that you can fix beforehand, like duplicated UPNs, etc. And yes, if you use emails like name.lastname@domain.com and your AD users use a username111 UPN, you will have to change them to email address form before the sync, so it would match the AAD format.

Re: Exchange Online and Azure AD Connect
@Ruairidh Campbell Thanks for the information. I believe that we are going to deploy Exchange 2016 on-prem solely for management. My issue is that the AD environment never had Exchange deployed, so the domain has never been prepped, the Autodiscover SCP has not been set, and the client namespace has not been defined. My concern is that deploying Exchange on-prem after AADC and getting them on board with using on-prem AD credentials might cause some service interruptions. I've been trying to find a guide or directions on deploying an Exchange 2016 management server in a greenfield AD only to manage mail properties for Exchange Online for synchronized users.
My approach at this point is to install it like a new Exchange deployment, but point Autodiscover to https://autodiscover.outlook.com/Autodiscover/Autodiscover.xml and use the hybrid wizard only to license the server. Outside of that, and not routing any mail services to the server, there wouldn't be much else to it.

Re: Exchange Online and Azure AD Connect
@redamaleki I don't quite understand why you need to install Exchange. The attributes can be managed without it, as long as you extend the schema. You can do it very easily with the AD Users & Computers console. What's leading you to this conclusion?

Re: Exchange Online and Azure AD Connect
@Ruairidh Campbell Most information I have found says this is the recommended practice. What tool are you using to manage email aliases? The more I think about it, the more I am inclined to agree with you. An on-premises Exchange server in a greenfield AD seems like more of a headache than it would be worth.

Re: Exchange Online and Azure AD Connect
You can use regular ADUC (AD Users and Computers console), enable Advanced options in it, and when you open a user it should have the Attribute Editor tab. In there you can change various attributes. To add/edit aliases you can edit the ProxyAddresses attribute.

SMTP:name@domain.com is the main address
smtp:name@domain.com is a secondary address, and you can add many of them

Re: Exchange Online and Azure AD Connect
I've had this discussion many times with customers and we all end up with "it's unsupported" to remove the last Exchange - period. I also know it's possible to edit attributes directly in ADUC, but I would never recommend it.

But I also agree Microsoft should fix this - it doesn't make any sense. I was in a whole-day session just regarding Hybrid at Ignite 3 years ago and they said "we're working on it", but now they don't even say that. I think this requirement will never go away and they are working on other things. The long-term solution if you REALLY want to get rid of Exchange on-premises is probably to move away from on-premises AD and Azure AD Connect completely and go all-in on cloud-only identities. Again, not what I want to tell my customers, but to be honest, that is what I think.

...and I'll keep asking the experts at Ignite - which I do every year.
Ruairidh Campbell
Occasional Contributor

Hi everyone,

 

We are planning to implement Azure AD Connect in a Password Hash Synchronization with Seamless Sign On scenario, hosted on an Azure B1ms Windows Server 2016 AD DC connected to on-prem AD via S2S VPN.

 

My company of around 100 users has had O365 for several years and the on-prem and AAD environments are totally separate for now.

 

One thing that has come up in my research is with Azure AD Connect in place, on-prem AD must be the source of all objects, attributes, and changes - makes sense.  Where there is confusion is Exchange Online attributes.  Several older threads on Tech Community and other forums state you cannot change EXO attributes, in an AAD Connect environment, without on-prem Exchange installed or at least its schema changes.

 

On review, the only EXO attributes we would change that aren't in the default AD schema are mailbox delegation (SendAs, AccessRights, etc) and email addresses (multiple SMTP addresses).  Other attributes that show in EXO such as Job Title, Address, and Tel Numbers are all available in the default schema via AD Users & Computers, so my presumption is they're not of concern.

 

Can anyone shed some light on this and confirm how we'd manage things like multiple SMTP addresses without the Exchange scheme in our on-prem AD?  Does this differ depending on where the object is managed (cloud only vs hybrid) or user mailbox vs shared?

 

Thank you,

 

Ruairidh

29 Replies
If you are going to still manage accounts on-prem, then you must set up a minimal hybrid configuration to still manage the Exchange attributes. I saw some time back that Microsoft was working on a way to completely decommission Exchange on-prem, but AFAIK still today you still require an Exchange server on-prem for management.

I have often read that the on-prem Exchange server is required but we have been using Office 365 for about 3 years and decommissioned our on-prem Exchange server about 2 years ago. 

 

Apparently there are things we can't do without an on-prem Exchange server but we haven't found them yet. 

Same here, decommissioned on-prem Exchange more than a year ago. So far not missing anything. Although I know this is not a supported setup. But it works and we don't have to manage another on-prem server. SMTP can be set via Attribute Editor in the AD card of a user (need to turn on Advanced settings). Send As and Full Access can be set through Office 365 Admin Center or Exchange Online Admin Center. They are not synced back, so it doesn't complain about AD being read-only and the settings stick.

 

Oh, but as we already had on-prem Exchange, our schema is already modified, so I don't know if the ProxyAddresses attribute and some others didn't come from that. Maybe orgs using on-prem AD and going to Exchange Online still have to update the schema to have the needed attributes.

Yeah that is true, since all of Exchange is basically run via AD. So how do you guys create mailboxes then on new users? Just create the user in AD then add an Exchange Online license and the mailbox gets created since the attribute isn't there to prevent it?

Yeap, create a user in AD, add an SMTP entry with the main email address to the ProxyAddresses attribute. Wait or force an AD Connect sync, then find the user in the Office 365 admin center and apply a license. The mailbox is created in a few minutes usually.

 

It is different with shared mailboxes though. We create them in Office 365. It shows an error that it can't save changes to AD (we don't have Azure AD Premium and writeback enabled). But the mailbox is created and works correctly. There is just no information about it in local AD. Same for rooms.

 

Seems sketchy ;). I’d rather just keep a VM around to stay supported hehe. It’s not that much work ;)

Well, it's debatable. I just can't force myself to think it is normal to have to keep an Exchange server (and keep it up to date) just to administer users. MS should really do something about it (like making a slim tool instead of having to install Exchange). But they won't, as they hope everyone will eventually move fully to the cloud :) I had a number of Exchange related tickets during the year (one dealing with some rogue entry from our local AD which ended up having an address, but no mailbox attached somehow) and support never asked how we manage mailboxes. MS partners helping us with migration to Office 365 also didn't warn us strongly about this. It's a common practice as I understood (maybe in small-mid size orgs).

Agree. Makes sense. I need to see if they had any Exchange sessions going over whether they made progress on this at Ignite. Cause I want to say last year was when I sat in on one when they were talking about working on letting us decommission on-prem Exchange in a supported manner.

I've created shared and resource mailboxes in AD as regular users and gave them an Exchange license in Office 365. After the mailbox is created, I converted the mailbox to shared and removed the license. This way I can manage them (i.e. email addresses) from on-prem AD. Send As etc. needs to be managed in Office 365 unless you have the Exchange schema.

Hi Ruairidh,

 

Microsoft recommends that you have Exchange on-premises to configure mail settings for users, and if you uninstall Exchange on-prem you can't set up Email Address Policies or additional proxy addresses.

 

So it's much better to leave at least one Hybrid Exchange server on-premises even after all mailboxes have been migrated to Office 365, to allow easy management of mailboxes from a single console. Remember that since the source of authority is the on-premises AD (because of AAD Connect), many changes need to be made on-premises. If there is no longer an Exchange server to manage and update mail attributes, you have to turn to 3rd party tools or work with ADSIEDIT.

 

In your scenario you must merge the Office 365 account with an on-premises AD account and do a soft match between objects and values.

 

Once you finish the merging you will be able to configure Seamless SSO.

 

Note:

For Office 365 plans you get a free Exchange Server Hybrid Key: http://aka.ms/hybridkey

The on-premises Exchange is for management only, without any further configuration, and some settings and components such as client access need to be disabled.

 

Eli.

Thank you for the feedback everyone - getting clearer.   We have never used Exchange (migrated from Lotus Notes) and I want to avoid installing unless totally necessary.  I will create a test domain and O365 tenant with Azure AD Connect to confirm a few things, but expect we'll avoid Exchange and just manage additional SMTP addresses using the suggestions in this thread.

 

One more question if anyone happens to know.  The source anchor for things will now change to be on-prem Active Directory.  Does this include user profile images?   Azure AD Connect documentation states if the on-prem value is currently null (which it is for images), Azure AD values will not be 'wiped'.   But I assume users can still update their avatar using O365?  On further inspection, it appears the avatar value comes from Exchange which, as we have never used, would not even be in our AD attributes?

 

Thank you again.

We have on-prem SharePoint 2010 which works with local AD users. I can set avatar in there, but it doesn't overlap with O365 avatar, which is indeed set through Exchange.

@Deleted @Chris Webb

Any update on this?  I have a project where the client has no current on Prem Exchange deployed with their on Prem AD, but have a separate Exchange Online deployment that they would like to integrate with their on Prem AD for SSO with their Exchange Online.  Is it still "unsupported" without a local exchange server to manage the mail attributes, even when exchange was never deployed on prem?

 

Thanks!

It is still unsupported! Although I believe you can get a free version of Exchange to get those Exchange attributes into AD.

@adam deltinger Thanks for the quick reply.  I was thinking that was the case, does the free Exchange Hybrid License include a Windows Server license?  Essentially they are requiring yet another server for me to manage.  I'm just glad that 2019 is intended to be run on Server Core.  

Anyone know or is using their "free" hybrid license on an Exchange 2019 server?

@redamaleki 

 

Hey. Just to confirm, you don't need to install Exchange; you only need to extend the AD schema to include its attributes. Do this on your DC and you won't need another server. You are licensed to do this with an O365 tenant. You can download Exchange2016-x64.exe from the Microsoft website, extract it, and run, in cmd:

 

Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
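A quick way to confirm the schema extension actually landed, and that the attributes AAD Connect will sync are present, before going on to the AAD Connect install. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined machine and reads the ms-Exch-Schema-Version-Pt object that Exchange's /PrepareSchema creates. Note that proxyAddresses and targetAddress exist in the base Windows Server schema; the msExch* attributes only appear after the extension, so they are the real indicator.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ExchangeSchema {
    # Schema naming context, e.g. CN=Schema,CN=Configuration,DC=example,DC=com
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    $result = [ordered]@{
        SchemaVersion = $null      # rangeUpper of ms-Exch-Schema-Version-Pt, null if never prepared
        Attributes    = [ordered]@{}
    }

    # /PrepareSchema creates this object; its rangeUpper is the Exchange schema version.
    try {
        $verObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                               -Properties rangeUpper -ErrorAction Stop
        $result.SchemaVersion = $verObj.rangeUpper
    } catch {
        # Object absent: the Exchange schema extension has not been applied.
        $result.SchemaVersion = $null
    }

    # proxyAddresses / targetAddress are base-schema attributes; the msExch* ones
    # only exist once the Exchange extension has run.
    $attrs = 'proxyAddresses', 'targetAddress',
             'msExchHideFromAddressLists', 'msExchRecipientTypeDetails'
    foreach ($attr in $attrs) {
        $found = Get-ADObject -SearchBase $schemaNC `
                              -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
        $result.Attributes[$attr] = [bool]$found
    }

    [pscustomobject]$result
}

# Usage: run on a domain-joined host before installing AAD Connect.
$check = Test-ExchangeSchema
if (-not $check.SchemaVersion) {
    Write-Warning 'Exchange schema extension not found; run Setup.exe /PrepareSchema first.'
}
$check | Format-List
```

If SchemaVersion is null but proxyAddresses shows as present, that is the expected state of a greenfield AD that has never seen Exchange: you can already store SMTP addresses, but the Exchange-specific attributes AAD Connect maps are missing.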

 

Yeah, as said, you only need to extend the schema so you can use and sync the correct Exchange attributes.

@adam deltinger and @Ruairidh Campbell 

I should do the extension prior to installing AADC, correct?  Makes the most sense to me anyway, so that when AADC syncs, there is a place to write back the email information from Exchange Online.

AADC won't sync/write back without an Azure AD Premium license. And usually it syncs from on-premises to the cloud. Yes, it is probably better to extend before installing AADC, or it won't even install without the schema already being present. Then you would put email addresses into local AD user profiles and AADC would sync this info to Exchange Online.

@Oleg K 

I did see this text on the AADC options:

Exchange Hybrid Deployment: The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Office 365. Azure AD Connect is synchronizing a specific set of attributes from Azure AD back into your on-premises directory.

 

Even though Exchange may not be installed locally, won't AADC and Azure AD still be treating it like a hybrid Exchange environment? @Ruairidh Campbell I should be selecting this option when installing AADC, correct? It seems that others already had Exchange installed on-premises, so this would have been checked when they deployed AADC and then later decommissioned their on-prem Exchange servers.

 

@redamaleki We did not select the option for enabling Exchange Hybrid. That is strictly for people who want to control Exchange on-prem and Exchange Online in a coexisting environment. If you never had Exchange or have moved all mailboxes to Exchange Online, you don't need that; only the schema extension. You then just need to make sure the attributes match your AAD and on-prem AD before the AAD Connect sync, such as UPN and email. AAD Connect will then perform a 'soft match' between the AAD and on-prem identity.

Awesome, thank you for the clarification.

You can also run the IdFix tool against your AD before the AADC install. It will show you errors that you can fix beforehand, like duplicated UPNs, etc. And yes, if you use emails like name.lastname@domain.com and your AD users use a username111 UPN, you will have to change them to the email address form before the sync, so it would match the AAD format.

@Ruairidh Campbell Thanks for the information. I believe that we are going to deploy Exchange 2016 on-prem solely for management. My issue is that the AD environment never had Exchange deployed, so the domain has never been prepped, the Autodiscover SCP has not been set, and the client namespace has not been defined. My concern is that deploying Exchange on-prem after AADC and getting them on board with using on-prem AD credentials might cause some service interruptions. I've been trying to find a guide or directions on deploying an Exchange 2016 management server in a greenfield AD only to manage mail properties for Exchange Online for synchronized users.

My approach at this point is to install it like a new Exchange deployment, but point Autodiscover to https://autodiscover.outlook.com/Autodiscover/Autodiscover.xml and use the hybrid wizard only to license the server.  Outside of that, and not routing any mail services to the server, there wouldn't be much else to it.

 

@redamaleki I don't quite understand why you need to install Exchange. The attributes can be managed without it, as long as you extend the schema. You can do it very easily with the AD Users & Computers console. What's leading you to this conclusion?

@Ruairidh Campbell Most information I have found says this is the recommended practice. What tool are you using to manage email aliases? The more I think about it, the more I am inclined to agree with you. An on-premises Exchange server in a greenfield AD seems like more of a headache than it would be worth.

You can use regular ADUC (AD Users and Computers console), enable Advanced options in it and when you open a user, it should have the Attribute Editor tab. In there you can change various attributes. To add/edit aliases you can edit the ProxyAddresses attribute.

 

SMTP:name@domain.com is the main address

smtp:name@domain.com is a secondary address and you can add many of them
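The same edit done from PowerShell instead of the raw Attribute Editor, so the rules the reply describes (exactly one upper-case SMTP: primary, lower-case smtp: for aliases) are enforced rather than relied on, and the UPN is checked against the primary address before AAD Connect's soft match. This is an added example, not code from the thread or any Microsoft tool; it assumes the RSAT ActiveDirectory module and an account allowed to write proxyAddresses and mail, and the identity and addresses in the usage call are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module
# and write permission on the target user's proxyAddresses and mail attributes.
Import-Module ActiveDirectory

function Set-MailAliases {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string]   $PrimaryAddress,
        [string[]] $Aliases = @()
    )

    # Desired SMTP set: one upper-case "SMTP:" primary, every alias as lower-case
    # "smtp:". Comparisons are case-insensitive so the same address is never
    # stored twice with different casing, which a hand edit in ADUC allows.
    $desired = [System.Collections.Generic.List[string]]::new()
    $desired.Add("SMTP:$PrimaryAddress")
    foreach ($alias in $Aliases) {
        if ($alias -ine $PrimaryAddress -and ($desired -inotcontains "smtp:$alias")) {
            $desired.Add("smtp:$alias")
        }
    }

    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses, mail, userPrincipalName

    # Keep any non-SMTP entries (X500:, SIP:, ...) the object already carries.
    $keep = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })
    [string[]]$new = $keep + $desired.ToArray()

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Replace proxyAddresses and mail')) {
        # -Replace writes the whole multi-valued attribute, so stale aliases are dropped too.
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = $new; mail = $PrimaryAddress }
    }

    # AAD Connect soft-matches on the primary SMTP address (and UPN when enabled),
    # so a UPN that differs from the primary address is worth fixing before the first sync.
    if ($user.userPrincipalName -ine $PrimaryAddress) {
        Write-Warning "UPN '$($user.userPrincipalName)' differs from primary SMTP '$PrimaryAddress'; align them before the first AAD Connect sync."
    }
    return $new
}

# Usage with constructed placeholder values; add -WhatIf to preview without writing.
Set-MailAliases -Identity 'jdoe' -PrimaryAddress 'jane.doe@example.com' `
                -Aliases 'jdoe@example.com', 'jane@example.com'
```

Because -Replace rewrites the attribute as a whole, run it with -WhatIf first on a user that already has X500: or legacy entries to confirm only the SMTP values change.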

I’ve had this discussion many times with customers and we all end up with ”it’s unsupported” to remove the last Exchange - period. I also know it’s possible to edit attributes directly in ADUC but I would never recommend it.

But I also agree Microsoft should fix this - it doesn't make any sense. I was in a whole-day session just regarding Hybrid at Ignite 3 years ago and they said "we're working on it" but now they don't even say that. I think this requirement will never go away and they are working on other things. The long term solution if you REALLY want to get rid of Exchange on-premises is probably to move away from on-premises AD and Azure AD Connect completely and go all-in on Cloud Only Identities. Again, not what I want to tell my customers but to be honest, that is what I think.

...and I'll keep asking the experts at Ignite - which I do every year.