The question nobody dares to ask! How do you create a new user in a hybrid environment.

Hi, for the last couple of days the question of how to create a new user in a hybrid Exchange environment has been floating around in my head.

Most of the time when I create a user I create an on-premise account in Active Directory and sync this over to Office 365. The next step I perform is the creation of a mailbox on-prem in Exchange for the user I have created. When I have done this I migrate the user mailbox to Office 365, I assign a license and the user is good to go.

Is this the best way to do this? It seems more logical to create a user in AD, sync this over to Office 365 and give them an Exchange Online license, so he or she will get a mailbox directly in Office 365.

Can anyone give me an explanation of what is best practice for creating a new user in a hybrid Exchange environment when all the users will be synced to Office 365?

Thanks in advance!

Labels: Exchange Online, Exchange Server, Hybrid, Office 365

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

@ShrenikSalguna

I use the on-premise Exchange server to create the user if that helps you (note the below cannot simply be used, just for inspiration)

    # Open a remote session to the on-premises Exchange server
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://[yourExchangeServer].dca.dk/PowerShell/ -Authentication Kerberos -Credential $adminCredential

    # Imported cmdlets get the XXX prefix (New-XXXRemoteMailbox, Set-XXXRemoteMailbox)
    Import-PSSession $Session -Prefix XXX
    $remoteMailbox = New-XXXRemoteMailbox -Alias $initials -SamAccountName $initials -UserPrincipalName $userUPN `
    -Name $fullName -FirstName $firstname -LastName $lastname -DisplayName $fullName `
    -Password (ConvertTo-SecureString -AsPlainText $password -Force) -ResetPasswordOnNextLogon $false `
    -OnPremisesOrganizationalUnit $ou.DistinguishedName `
    -Confirm:$false `
    -DomainController $domainController -PrimarySmtpAddress $userUPN # `
    #-Archive #latest addition to have an archive mailbox active

    Start-Sleep -Seconds 8 -Verbose

    # Re-enable the email address policy after creating with -PrimarySmtpAddress
    $remoteMailbox | Set-XXXRemoteMailbox -EmailAddressPolicyEnabled $True

    Remove-PSSession $Session

and for sync I run the following:

    $Session = New-PSSession -ComputerName [syncserver].dca.dk -Authentication Kerberos -Credential $adminCredential

    # Trigger a delta sync on the sync server
    $JobSync1 = Invoke-Command -Session $Session -Scriptblock { Import-Module ADSync }
    $JobSync2 = Invoke-Command -Session $Session -Scriptblock { Start-ADSyncSyncCycle -PolicyType Delta }

    Remove-PSSession $Session

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

> @ShrenikSalguna wrote:
> Could you kindly share the script where you create the user in AD and force the dir-sync.
>
> What I'm trying to achieve is to make the whole process automated.
> The user fields (properties) will be generated by a CSV file.
> 1. Create the user in AD OU that is AD-Connected
> 2. Force AD Sync
> 3. Assign License (by PS script) - we use only two types of license: Business Premium and E3
> 4. Send Notification to Admin that email account was activated.

I posted my script in the following location because I used the OP's script as the starting point for my script. I have since added valuable functionality to my script and will be posting an update as soon as I take the time to remove all my company information from it.

https://community.spiceworks.com/topic/1964109-powershell-script-to-create-new-users?page=1#entry-8172286

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Could you kindly share the script where you create the user in AD and force the dir-sync.

What I'm trying to achieve is to make the whole process automated.
The user fields (properties) will be generated by a CSV file.
1. Create the user in AD OU that is AD-Connected
2. Force AD Sync
3. Assign License (by PS script) - we use only two types of license: Business Premium and E3
4. Send Notification to Admin that email account was activated.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Environment: Exchange 2010 SP3 and Exchange Online hybrid.

I have tried the create account in on-prem Exchange 2010 and migrate method and the Exchange Management Shell (EMS) method and found that the EMS method is most efficient for me. Below is the command string I'm using.

    New-RemoteMailbox -UserPrincipalName "[flast@MyCompanyDomain.com]" -Name "[First Last]" -Alias "[First.Last]" -RemoteRoutingAddress "[First.Last]@MyCompanyTenant.mail.onmicrosoft.com" -FirstName "[First]" -LastName "[Last]" -DisplayName "[First Last]" -OnPremisesOrganizationalUnit "[OU Where I Want User's AD Account]"

I did find that if I used the -PrimarySmtpAddress switch with New-RemoteMailbox, there was the unintended consequence of disabling the email address policy for the mailbox, creating Exchange Online to on-prem Exchange email delivery and calendar free/busy issues. This can be resolved by using the following command.

    Set-RemoteMailbox -Identity [mailbox name] -EmailAddressPolicyEnabled $true

I hope this helps someone save some time.

Also, to give credit to the person that solved the issue caused by me using the -PrimarySmtpAddress switch.

https://community.spiceworks.com/topic/2164592-issue-with-new-remote-mailbox-user-creation-in-hybrid-exchange

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

I'm with Paul, Vasil and Nuno :)
Just a hint: if you create the mailbox in EXO, the ExchangeGUID is not present on the object and if you want to offboard the mailbox, this value has to be set manually.

https://support.microsoft.com/ca-es/help/2956029/-migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

For me, the only way that lets you migrate the mailbox from EXO to on-prem and vice versa without issue is still to create the AD account on-prem, create the mailbox on-prem and migrate it to EXO.
Since the AAD Sync is still one-way.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Yeah, the only thing that is missing for replacing my script is the advanced auditing settings for the Exchange mailbox, but maybe there is something I am not aware of.
Best
Martin

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

If you own Azure AD Premium (or EMS or SPE license) then you can simplify this process down to one step.
Step 1: Create the Remote mailbox.

How is this possible?
Creating a remote mailbox automatically creates the AD account. Then, AAD Sync will sync every 30 minutes (by default) and that will create the account after the new remote mailbox command is issued from on-prem. So no real need to force a sync unless you are in a hurry.
Azure AD Premium will automatically license the user. Instructions on setting that up are here:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-get-started-azure-portal
This is all now possible due to the new Azure AD Premium feature, which lets you assign licenses based on group membership, or even dynamic membership.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Hello,

I would agree with others as well. Creating the user on-prem and migrating it to the cloud every time we need to create an EXO user is a hassle. But as of now this is the accepted way (I guess). And this is mainly because AAD Sync is set up to sync from on-prem to EXO.
The method I'm using to create a new user is
* Create the Remote mailbox (which creates the AD account as well)
* AAD Sync force sync and it will create the user in Office 365
* License the user
* And this will enable the EXO mailbox

Method of migrating an existing user is
* Make sure the user is synced across
* License the user
* Execute the Online to On-Prem migration from the EXO portal
* Once the mailbox is migrated, the on-prem account will be a remote mailbox anyway.

Hope this helps.
Cheers!

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

I did some extensive testing and research on this topic. I have elected to create new user, room, and equipment mailboxes in Exchange Online. My process for user, room, or equipment mailboxes includes:
1. Create AD account and add sync attribute.
2. Run enable-remotemailbox command.
3. Wait for synchronization.
4. License mailbox.

I am creating shared mailboxes on-prem and migrating them.

In the event you need to migrate a mailbox created in Exchange Online back to on-prem you will need to add the mailbox GUID as shown in this article:
https://support.microsoft.com/en-us/help/2956029/-migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-guid-guid-error-message-when-you-try-to-move-a-mailbox-in-an-exchange-hybrid-deployment

I hope that helps.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

So let's do a recap!

You can create users in two ways.

Create a user on-prem, sync the user and create a mailbox on-prem, then migrate it.
Or
You create a new-remotemailbox that will create a mail user in the on-premises AD and also create an associated mailbox in O365.

The way to create a shared mailbox is to create it on-prem and move it to Online, or create a user mailbox online and convert it.

The best practice is whatever works for your user management. And in a hybrid environment you always need the Exchange server for maintenance purposes.

One last question: when you use the new-remotemailbox option, you have to set the rights on the user manually? So you can't use Copy from user John Doe?

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

You can also have a Hybrid Server Key License for free, depending on the conditions.

The site below has the how-to and the conditions to qualify for the free Hybrid Server license.

https://support.microsoft.com/en-us/help/2939261/how-to-obtain-an-exchange-hybrid-edition-product-key-for-your-on-premises-exchange-2007-or-exchange-2003-organization

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

A different topic yes, but a quick response for my two cents. You can run without the Exch on prem, but it is not supported by Microsoft and requires digging into AD attributes manually if you need to change some objects like primary SMTP address etc. Do-able, but not supported. It is best to leave one Exch server on premise just for management purposes even if it doesn't have any mailboxes or databases. I have heard of some even standing up a current version (in the event your on-prem servers are older) in a VM and just reducing resources to the min required and keeping it around as a management machine. You will still need to apply OS and Exchange updates to it so don't forget about it.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Hi,
I would have a follow-up question. If I use the New-RemoteMailbox command instead of migrating the user, I see as a difference that the on-premise recipient gets no X500,x500 address, the exchange guid is 00000000-0000-0000-00000000 and the ExchangeVersion is lower (compared to a migrated user). Does that have any consequence if I move the online mailbox back to on-premise (say for insufficient license count)?
The Get-RemoteMailbox address information also does not list x500 addresses, but if I do get-mailbox on O365 online, then I get as said before an X500 entry (uppercase only and as said different OU).
Best
Martin

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Oh, I did not know that. I thought that the service accounts from the AzureADsync are managing the writeback from Exchange Online.

It's just an idea on how to manage users and mailboxes; it is not a real customer case at this moment. We have one customer who wants to clean up their on-prem Exchange but that's a different topic I think.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

> @Jerry Meyer wrote:
>
> When a customer is planning to go all the way to the cloud I use create user, sync user, assign license. With the assumption the Exchange on-prem environment will be cleaned up.

Your question (and thread title) are about hybrid deployments, which means directory sync is in place + an on-prem Exchange server. What is this second scenario you're throwing into the mix where Exchange will be "cleaned up"?

Keep in mind that with directory sync in place, an on-prem Exchange server is required for managing mail attributes in a supported manner, even without the hybrid configuration.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

It's good to see that this question isn't really that stupid :).

What I do is the following: I use create user on-prem and mailbox on-prem, migrate it to Office 365 and assign license when the customer is going to use the hybrid server for maintenance and administration.

When a customer is planning to go all the way to the cloud I use create user, sync user, assign license. With the assumption the Exchange on-prem environment will be cleaned up.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

> @Martin Meraner wrote:
> > @Paul Cunningham wrote:
> > One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.
>
> For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it.

No. Either New-RemoteMailbox, wait, then convert to Shared in the cloud. Or New-Mailbox with -Shared, and then move to the cloud.

Either way, there's still a user object in AD.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

> @Ivan Unger wrote:
> It gets easier to understand once you've done the hybrid setup ;) Exchange 2013 CU15 hybrid in my case:
>
> Once you've done the hybrid setup, you simply get a new UI option in the Exchange admin center (on-prem) under recipients > mailboxes > New Office 365 Mailbox.
> That's it.

Thanks a lot! (edit) Apparently I was not aware of that option at the time I wrote the script.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

Yup, there is no "best" way, you could aim for "fastest" or what works for your requirements. All roads lead to Rome in this case :)

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

> @Paul Cunningham wrote:
> One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.

For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

The best practice is whatever works for your user management workflows. You can create it either way. In a hybrid you can move mailboxes back and forth whether they were created on-prem or in the cloud.

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

@Michael Van Horenbeeck discusses this in detail in the "Office 365 for IT Pros" book, perhaps he can give a few more hints. Personally, I prefer New/Enable-RemoteMailbox, it's faster and cleaner. It has some issues, but those are corner cases mostly...

Re: The question nobody dares to ask! How do you create a new user in a hybrid environment.

You all have some very good answers but the question still is what is best practice. I have done all the scenarios and they all work. But what is the difference between these two options

Create user and mailbox on-prem, sync user and migrate mailbox to O365, assign license
or
Create user, sync user to O365 and assign license.

I think the only difference is that when you migrate the mailbo
x%20you%20can%20migrate%20it%20back%20to%20onprem%20when%20you%20have%20a%20Hybrid.%20But%20i%20am%20not%20sure%20if%20that%20is%20still%20relevant%20when%20you%20are%20in%20Exchange%20online.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERemember%20this%20involves%20a%20new%20user%20so%20no%20legacy%20mailboxes%20or%20anything%20like%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54683%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54683%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3188%22%20target%3D%22_blank%22%3E%40Paul%20Bridges%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CP%3EThis%20assumes%20the%20user%20doesn't%20have%20an%20IAM%20process%2Fteam%20that%20uses%20some%20other%20user%20management%20process.%20In%20most%20cases%2C%20creating%20the%20user%20through%20Exchange%20is%20not%20an%20option%20at%20the%20larger%20clients%20and%20we%20have%20to%20powershell%20it%20somewhat%20through%20the%20IAM%20tool%20in%20place.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3ETrue%2C%20though%20no%20powershell%20was%20mentioned%20as%20a%20requirement%20in%20this%20case.%20In%20any%20case%2C%20(almost)%20everything%20the%20Exchange%20or%20AD%20Consoles%20can%20do%20via%20GUI%20is%20of%20course%20sriptable%20via%20powershell.%3C%2FP%3E%3CP%3EYou%20can%20even%20auto%20apply%20licenses%20via%20Azure%20AD%20group%20memberships%2C%20therefore%20saving%20you%20one%20scripting%20step%20and%20just%20add%20a%20group%20membership.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54670%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54670%22%20sl
ang%3D%22en-US%22%3E%3CP%3EIf%20the%20environment%20is%20Hybrid%2C%20licensing%20the%20user%20prior%20to%20the%20mailbox%20move%20is%20fine%2C%20it%20will%20not%20create%20a%20duplicate%20mailbox.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54669%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54669%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40458%22%20target%3D%22_blank%22%3E%40Martin%20Meraner%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20ended%20up%20making%20a%20script%20that%3C%2FP%3E%3CP%3E-%20creates%20the%20AD%20user%20object%20and%20the%20mailbox%20on%20our%20Exchange%20server%20(Exchange%20managment%20shell)%3C%2FP%3E%3CP%3E-%20forces%20a%20dirsync%20run%3C%2FP%3E%3CP%3E-%20assigns%20a%20license%20once%20the%20user%20is%20visible%20in%20O365%3C%2FP%3E%3CP%3E-%20create%20a%20move%20request%2C%20once%20the%20mail%20user%20is%20visible%20in%20EXO%20(that%20is%20different%20than%20the%20msol%20user%20object)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20a%20shorter%20or%20recommended%20way%2C%20I%20am%20also%20very%20interested%20(AD%20sync%20experience%20differences%20included).%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EI'm%20not%20sure%20your%20path%20is%20correct%2C%20but%20I%20believe%20you%20have%20to%20enable%20the%20license%20AFTER%20the%20mailbox%20move.%20Because%20when%20you%20enable%20it%20before%2C%20you're%20pratically%20provisioning%20a%20cloud%20mailbox%20additionally%20to%20the%20existing%20onPrem%20Mailbox.%20It%20could%20be%20though%20that%20the%20remote%20move%20request%20to%20Exchange%20Online%20understands%20this%2C%20deprovisions%20the%20existing%20cloud%20mailbox%2C%20moves
%20the%20onPrem%2C%20and%20enables%20is%20it%20afterwards.%3C%2FP%3E%3CP%3EMight%20not%20be%20an%20issue%20if%20the%20users%20doesn't%20technically%20exist%20yet%2C%20but%20there%20might%20be%20a%20small%20time%20window%20where%20the%20user%20could%20access%20the%20cloud%20mailbox%2C%20before%20his%20onPrem%20is%20properly%20moved.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54667%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54667%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20assumes%20the%20user%20doesn't%20have%20an%20IAM%20process%2Fteam%20that%20uses%20some%20other%20user%20management%20process.%20In%20most%20cases%2C%20creating%20the%20user%20through%20Exchange%20is%20not%20an%20option%20at%20the%20larger%20clients%20and%20we%20have%20to%20powershell%20it%20somewhat%20through%20the%20IAM%20tool%20in%20place.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54665%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54665%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20gets%20easier%20to%20understand%20once%20you've%20done%20the%20hybrid%20setup%20%3B)%3C%2Fimg%3E%20Exchange%202013%20CU15%20hybrid%20in%20my%20case%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnce%20you've%20done%20the%20hybrid%20setup%2C%20you%20simply%20get%20a%20new%20UI%20option%20in%20the%20exchange%20admin%20center%20(onPrem)%20under%20recipients%20%26gt%3B%20mailboxes%20%26gt%3B%20New%20Office%20365%20Mailbox.%3C%2FP%3E%3CP%3EThats%20it.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20there%20is%20no%20need%20to%20go%20through%20that%20many%20steps%20as%20you've%20described%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3Ecreate%20new%20Office%20365%20
Mailbox%3COL%3E%3CLI%3Ethis%20of%20course%20creates%20the%20onPrem%20AD%20User%20with%20the%20linked%20Office%20365%20mailbox%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3CLI%3Ewait%20for%20Azure%20AD%20Connect%20to%20sync%20your%20your%20AD%20Users%20(not%20sure%20if%20this%20is%20necessary)%3C%2FLI%3E%3CLI%3Eenable%20Exchange%20Online%20License%20for%20synced%20user%3C%2FLI%3E%3CLI%3Edone%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54653%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54653%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20go%20with%20Paul%20here%20as%20having%20used%20New-RemoteMailbox%20myself%20and%20with%20the%20addition%20of%20the%20coming%20use%20of%20Security%20Groups%20in%20Azure%20to%20assign%20licensing%20you%20don't%20have%20to%20worry%20as%20much%20about%20that%20anymore%20either.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54630%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54630%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%20not%20an%20answer%20to%20your%20question%2C%20but%20a%20comment.%20We%20were%20advised%20by%20our%20consultants%20too%2C%20to%20do%20exactly%20what%20you%20describe.%20And%20indeed%20it%20is%20a%20back%20and%20forth%20between%20the%20systems%2C%20especially%20if%20you%20do%20it%20manually%20(note%20I%20talk%20here%20still%20of%20experience%20with%20dirsync).%3C%2FP%3E%3CP%3EWe%20also%20had%20cases%20where%20admins%20would%20create%20e.g.%20distribution%20groups%20only%20on%20EXO.%20That%20gave%20some%20issues%20with%20adding%20members%20of%20only%20on-premise%20users%20(obviously).%20So%20from%20my%20experience%
20the%20procedure%20makes%20sense%2C%20as%20the%20hyrbrid%20setup%20does%20not%20enforce%20the%20online%20setup%20to%20sync%20back%20entirely%20(note%2C%20still%20just%20talking%20about%20dirsync).%3C%2FP%3E%3CP%3EAdditionally%20I%20noted%20that%20there%20is%20a%20difference%20attribute%20wise%20on%20the%20user%20AD%20object%20if%20you%20create%20the%20user%20in%20the%20AD%20and%20then%20mail%20enable%20it%2C%20or%20directly%20let%20create%20the%20AD%20user%20object%20in%20Exchange%20(all%20on-premise).%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20ended%20up%20making%20a%20script%20that%3C%2FP%3E%3CP%3E-%20creates%20the%20AD%20user%20object%20and%20the%20mailbox%20on%20our%20Exchange%20server%20(Exchange%20managment%20shell)%3C%2FP%3E%3CP%3E-%20forces%20a%20dirsync%20run%3C%2FP%3E%3CP%3E-%20assigns%20a%20license%20once%20the%20user%20is%20visible%20in%20O365%3C%2FP%3E%3CP%3E-%20create%20a%20move%20request%2C%20once%20the%20mail%20user%20is%20visible%20in%20EXO%20(that%20is%20different%20than%20the%20msol%20user%20object)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20a%20shorter%20or%20recommended%20way%2C%20I%20am%20also%20very%20interested%20(AD%20sync%20experience%20differences%20included).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54619%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54619%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20i%20know%20that%20will%20work%20and%20it%20will%20create%20only%20a%20remote%20mailbox%20for%20a%20user.%20But%20the%20question%20is%20what%20is%20the%20best%20practice%20for%20creating%20a%20user%20with%20mailbox%20in%20a%20hybrid%20environment%20so%20the%20mailbox%20will%20be%20in%20O365%20exchange%20online.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-54607%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobod
y%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-54607%22%20slang%3D%22en-US%22%3E%3CP%3EHave%20you%20looked%20at%20using%20New-RemoteMailbox%20or%20Enable-RemoteMailbox%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-487140%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-487140%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5031%22%20target%3D%22_blank%22%3E%40Jerry%20Meyer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20answer%20that%20you%20are%20looking%20for%20is%20not%20something%20that%20is%20easily%20defined%20any%20longer.%20Everyone%20who%20has%20provided%20a%20working%20answer%20here%20is%20in%20part%20correct%20about%20what%20is%20'best%20practice.'%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20speed%20at%20which%20things%20change%20in%20relation%20to%20cloud-hosted%20services%20is%20causing%20us%20to%20change%20our%20perspective%20on%20concepts%20like%20%22Best%20Practice%22%20for%20administration%20tasks%20like%20this.%20What%20is%20%22best%20practice%22%20today%20is%20quickly%20changed%20as%20soon%20as%20that%20new%20feature%20is%20released.%20I'm%20inclined%20to%20reference%20the%20previous%20comment%20regarding%20the%20Exchange%20Admin%20Center%20update%20that%20provides%20the%20%22Create%20New%20Mailbox%20In%20Exchange%20Online.%22%20You%20are%20spot%20on%2C%20that%20is%20a%20%22Best%20Practice%2C%22%20but%20so%20is%20the%20method%20that%20the%20other%20commenter%20has%20about%20creating%20a%20script%20that%20does%20it%20all%20for%20him.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EConclusion....%20there%20are%2013%20ways%20to%20slice%20the%20bread%20(administ
ration%20tasks)%20and%20because%20things%20are%20changing%20faster%20than%20we%20can%20establish%20%22Best%20Practice%22%20the%20best%20way%20to%20do%20it%20is%20going%20to%20be%20the%20way%20that%20works%20best%20for%20you.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20the%20answer%20you%20are%20looking%20for%2C%20and%20I%20know%20that...%20I%20am%20sorry....%20%3A%20)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20take%20a%20list%20of%20the%20possible%20ways%20and%20figure%20out%20which%20are%20most%20applicable%20to%20you.%20Try%20them%20each%2C%20and%20understand%20them%20each.%20Establish%20a%20process%2C%20and%20dub%20that%20YOUR%20BEST%20PRACTICE%20methodology.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-498035%22%20slang%3D%22en-US%22%3ERe%3A%20The%20question%20nobody%20dares%20to%20ask!%20How%20do%20you%20create%20a%20new%20user%20in%20a%20hybrid%20environment.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-498035%22%20slang%3D%22en-US%22%3EAnd%20on%20the%20conversation%20that%20things%20change%20quickly%2C%20now%20with%20the%20latest%20CU's%20for%20Exchange%20Server%20you%20can%20create%20shared%20mailboxes%20in%20Exchange%20Online%20with%20%22New-RemoteMailbox%20-%20Shared%22.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20though%20is%20still%20the%20case%20that%20with%20AD%20Sync%20in%20place%20attributes%20in%20Azure%20AD%20are%20mostly%20read%20only%20and%20need%20changing%20in%20the%20source%20directory%20of%20Active%20Directory.%20Changes%20to%20Exchange%20attributes%20in%20AD%20is%20only%20supported%20via%20Exchange%20management%20tools%2C%20so%20Best%20Practice%20would%20still%20need%20to%20include%20that.%20Creating%20objects%20or%20licensing%20stuff%20that%20results%20in%20attribute%20changes%20before%20Microsoft%20build%20a%20supported%20system%20for%20writing%20back%20the%20attribute%20on%20premises%20is%20likely%20to%20lead%20to%20more%20administrative%20issues%20and%20problems.%3C%2FLINGO-BODY%3E
Jerry Meyer
Contributor

Hi, for the last couple of days the question of how to create a new user in a hybrid Exchange environment has been floating around in my head.

Most of the time when I create a user, I create an on-premises account in Active Directory and sync this over to Office 365. The next step I perform is the creation of a mailbox on-prem in Exchange for the user I have created. When I have done this I migrate the user mailbox to Office 365, I assign a license and the user is good to go.

Is this the best way to do this? It seems more logical to create a user in AD, sync this over to Office 365 and give them an Exchange Online license, so he or she will get a mailbox directly in Office 365.

Can anyone give me an explanation of what is best practice for creating a new user in a hybrid Exchange environment when all the users will be synced to Office 365?

 

Thanks in advance!

35 Replies

Have you looked at using New-RemoteMailbox or Enable-RemoteMailbox?

Yes, I know that will work and it will create only a remote mailbox for a user. But the question is what is the best practice for creating a user with a mailbox in a hybrid environment so the mailbox will be in O365 Exchange Online.

Also not an answer to your question, but a comment. We were advised by our consultants too, to do exactly what you describe. And indeed it is a back and forth between the systems, especially if you do it manually (note I talk here still of experience with dirsync).

We also had cases where admins would create e.g. distribution groups only on EXO. That gave some issues with adding members of only on-premise users (obviously). So from my experience the procedure makes sense, as the hybrid setup does not enforce the online setup to sync back entirely (note, still just talking about dirsync).

Additionally I noted that there is a difference attribute-wise on the user AD object if you create the user in the AD and then mail-enable it, or let Exchange create the AD user object directly (all on-premise).

So I ended up making a script that

- creates the AD user object and the mailbox on our Exchange server (Exchange Management Shell)
- forces a dirsync run
- assigns a license once the user is visible in O365
- creates a move request, once the mail user is visible in EXO (that is different than the msol user object)

 

 

If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).

I would go with Paul here as having used New-RemoteMailbox myself and with the addition of the coming use of Security Groups in Azure to assign licensing you don't have to worry as much about that anymore either. 

It gets easier to understand once you've done the hybrid setup ;) Exchange 2013 CU15 hybrid in my case:

 

Once you've done the hybrid setup, you simply get a new UI option in the exchange admin center (onPrem) under recipients > mailboxes > New Office 365 Mailbox.

That's it.

 

So there is no need to go through that many steps as you've described

 

  1. create new Office 365 Mailbox
    1. this of course creates the onPrem AD User with the linked Office 365 mailbox
  2. wait for Azure AD Connect to sync your AD Users (not sure if this is necessary)
  3. enable Exchange Online License for synced user
  4. done

 

 

This assumes the user doesn't have an IAM process/team that uses some other user management process. In most cases, creating the user through Exchange is not an option at the larger clients and we have to powershell it somewhat through the IAM tool in place.


@Martin Meraner wrote:

 

So I ended up making a script that

- creates the AD user object and the mailbox on our Exchange server (Exchange Management Shell)
- forces a dirsync run
- assigns a license once the user is visible in O365
- creates a move request, once the mail user is visible in EXO (that is different than the msol user object)

 

 

If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).


I'm not sure your path is correct, but I believe you have to enable the license AFTER the mailbox move. Because when you enable it before, you're practically provisioning a cloud mailbox in addition to the existing onPrem mailbox. It could be, though, that the remote move request to Exchange Online understands this, deprovisions the existing cloud mailbox, moves the onPrem one, and enables it afterwards.

Might not be an issue if the user doesn't technically exist yet, but there might be a small time window where the user could access the cloud mailbox before his onPrem mailbox is properly moved.

If the environment is Hybrid, licensing the user prior to the mailbox move is fine, it will not create a duplicate mailbox.


@Paul Bridges wrote:

This assumes the user doesn't have an IAM process/team that uses some other user management process. In most cases, creating the user through Exchange is not an option at the larger clients and we have to powershell it somewhat through the IAM tool in place.


True, though no PowerShell was mentioned as a requirement in this case. In any case, (almost) everything the Exchange or AD consoles can do via GUI is of course scriptable via PowerShell.

You can even auto apply licenses via Azure AD group memberships, therefore saving you one scripting step and just add a group membership.

You all have some very good answers, but the question still is what is best practice. I have done all the scenarios and they all work. But what is the difference between these two options:

Create user and mailbox on-prem, sync user, migrate mailbox to O365 and assign license

or

Create user, sync user to O365 and assign license.

I think the only difference is that when you migrate the mailbox you can migrate it back to on-prem when you have a hybrid. But I am not sure if that is still relevant when you are in Exchange Online.


Remember this involves a new user so no legacy mailboxes or anything like that.

@Michael Van Horenbeeck discusses this in detail in the "Office 365 for IT Pros" book, perhaps he can give a few more hints. Personally, I prefer New/Enable-RemoteMailbox, it's faster and cleaner. It has some issues, but those are corner cases mostly...

Solution

The best practice is whatever works for your user management workflows. You can create it either way. In a hybrid you can move mailboxes back and forth whether they were created on-prem or in the cloud.

 

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


@Paul Cunningham wrote:

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it. 

Yup, there is no "best" way, you could aim for "fastest" or what works for your requirements. All roads lead to Rome in this case :)


@Ivan Unger wrote:

It gets easier to understand once you've done the hybrid setup ;) Exchange 2013 CU15 hybrid in my case:

 

Once you've done the hybrid setup, you simply get a new UI option in the exchange admin center (onPrem) under recipients > mailboxes > New Office 365 Mailbox.

That's it.

 

 


Thanks a lot! (edit) apparently I was not aware of that option at the time I wrote the script.


@Martin Meraner wrote:

@Paul Cunningham wrote:

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it. 


No. Either New-RemoteMailbox, wait, then convert to Shared in the cloud. Or New-Mailbox with -Shared, and then move to the cloud.

 

Either way, there's still a user object in AD.

It's good to see that this question isn't really that stupid :).

What I do is the following: I use create user on-prem and mailbox on-prem, migrate it to Office 365 and assign license when the customer is going to use the hybrid server for maintenance and administration.

When a customer is planning to go all the way to the cloud I use create user, sync user, assign license, with the assumption that the Exchange on-prem environment will be cleaned up.

 

 


@Jerry Meyer wrote:

 

 

When a customer is planning to go all the way to the cloud I use create user, sync user, assign license, with the assumption that the Exchange on-prem environment will be cleaned up.

 

 


Your question (and thread title) are about hybrid deployments, which means directory sync is in place + an on-prem Exchange server. What is this second scenario you're throwing into the mix where Exchange will be "cleaned up"?

 

Keep in mind that with directory sync in place, an on-prem Exchange server is required for managing mail attributes in a supported manner, even without the hybrid configuration.

Oh, I did not know that. I thought that the service accounts from Azure AD Sync were managing the writeback from Exchange Online.

It's just an idea on how to manage users and mailboxes; it is not a real customer case at this moment. We have one customer who wants to clean up their on-prem Exchange, but that's a different topic I think.

Hi,

I would have a follow up question. If I use the New-RemoteMailbox command instead of migrating the user, I see as a difference that the on-premise recipient gets no X500,x500 address, the exchange guid is  00000000-0000-0000-00000000  and the ExchangeVersion is lower (compared to a migrated user). Does that have any consequence if I move the online mailbox back to on-premise (say for insufficient license count)?

The Get-RemoteMailbox address information does also not list x500 addresses, but if I do get-mailbox on O365 online, then I get as said before an X500 entry (uppercase only and as said different OU).

Best

Martin

A different topic yes, but a quick response for my two cents. You can run without the Exch on prem, but it is not supported by Microsoft and requires digging into AD attributes manually if you need to change some objects like primary SMTP address etc. Doable, but not supported. It is best to leave one Exch server on premise just for management purposes even if it doesn't have any mailboxes or databases. I have heard of some even standing up a current version (in the event your on prem servers are older) in a VM and just reducing resources to the min required and keeping it around as a management machine. You will still need to apply OS and Exchange updates to it so don't forget about it.

You can also have a Hybrid Server Key License for free, depending on the conditions.

On the site below is the how-to, and the conditions to qualify for the free Hybrid Server license.

 

https://support.microsoft.com/en-us/help/2939261/how-to-obtain-an-exchange-hybrid-edition-product-ke...

So let’s do a recap!

 

You can create users in two ways.

 

Create a user on-prem, sync the user and create a mailbox on-prem, then migrate it.
Or
You create a New-RemoteMailbox that will create a mail user in the on-premises AD and also create an associated mailbox in O365.

The way to create a shared mailbox is to create it on-prem and move it to Online, or create a user mailbox online and convert it.

The best practice is whatever works for your user management. And in a hybrid environment you always need the Exchange server for maintenance purposes.

 

One last question when you use the new-remotemailbox option. You have to set the rights on the user manually? So you can’t use Copy from user John Doe?

I did some extensive testing and research on this topic.  I have elected to create new user, room, and equipment mailboxes in Exchange Online.  My process for user, room, or equipment mailboxes includes:

1.  Create AD account and add sync attribute.

2.  Run enable-remotemailbox command

3.  Wait for synchronization.

4.  License mailbox. 

 

I am creating shared mailboxes on-prem and migrating them. 

 

In the event you need to migrate a mailbox created in Exchange Online back to on-prem you will need to add the mailbox GUID as shown in this article:

https://support.microsoft.com/en-us/help/2956029/-migrationpermanentexception-cannot-find-a-recipien...

 

I hope that helps. 

 

 

 

Hello,

 

I would agree with others as well. Creating the user on-prem and migrating it to the cloud every time we need to create an EXO user is a hassle. But as of now this is the accepted way. (I guess) And this is mainly because AAD Sync is set up to sync from on-prem to EXO.

The method I'm using to create a new user is

* Create the remote mailbox (which creates the AD account as well)
* AAD Sync force sync and it will create the user in Office 365
* License the user
* And this will enable the EXO mailbox

Method of migrating an existing user is

* Make sure the user is synced across
* License the user
* Execute the Online to On-Prem migration from the EXO portal
* Once the mailbox is migrated, the on-prem account will be a remote mailbox anyway.

Hope this helps.

Cheers!

If you own Azure AD Premium (or EMS or SPE license) then you can simplify this process down to one step

Step 1: Create the Remote mailbox.

 

How is this possible?

Creating a remote mailbox automatically creates the AD account. Then, AAD Sync will sync every 30 minutes (by default) and that will create the account after the new remote mailbox command is issued from on-prem. So no real need to force a sync unless you are in a hurry.

Azure AD Premium will automatically License the user. Instructions on setting that up are here:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-get-started-azure...

This is all now possible due to the new Azure AD Premium feature, which lets you assign licenses based on group membership, or even dynamic membership.
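
The flow described in the posts above (create the AD account, run Enable-RemoteMailbox, let directory sync run, license through group membership), as an added PowerShell example that is not a script from any poster in this thread. The domain controller, OU, group, UPN suffix and tenant routing domain are placeholders, and it assumes the ActiveDirectory module inside an on-premises Exchange Management Shell session.

```powershell
# Added example, not a script from the thread. Every name below is a placeholder.
Import-Module ActiveDirectory

$Dc            = 'dc01.example.com'              # placeholder: one DC used for every step
$TargetOu      = 'OU=Staff,DC=example,DC=com'    # placeholder: OU in scope of directory sync
$LicenseGroup  = 'LIC-ExchangeOnline'            # placeholder: synced group with licenses assigned in Azure AD
$RoutingDomain = 'example.mail.onmicrosoft.com'  # placeholder: tenant routing domain
$UpnSuffix     = 'example.com'                   # placeholder: verified domain

function New-HybridMailboxUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        # SecureString so the initial password never sits in the script or its history
        [Parameter(Mandatory)][securestring]$InitialPassword
    )

    $upn = "$SamAccountName@$UpnSuffix"

    # Refuse to modify an account that already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $Dc) {
        throw "Account '$SamAccountName' already exists."
    }

    # 1. Create the AD account in the synced OU.
    New-ADUser -Name "$GivenName $Surname" -DisplayName "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName $upn `
        -Path $TargetOu -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true -Server $Dc

    # 2. Stamp the Exchange attributes on-premises. Using the same DC as step 1
    #    avoids "user not found" errors caused by AD replication delay.
    Enable-RemoteMailbox -Identity $upn `
        -RemoteRoutingAddress "$SamAccountName@$RoutingDomain" `
        -DomainController $Dc | Out-Null

    # 3. Group-based licensing: membership replaces the separate licensing step.
    Add-ADGroupMember -Identity $LicenseGroup -Members $SamAccountName -Server $Dc

    # 4. Directory sync picks the object up on its next scheduled cycle. To run one
    #    immediately, on the Azure AD Connect server:
    #      Start-ADSyncSyncCycle -PolicyType Delta

    Get-RemoteMailbox -Identity $upn -DomainController $Dc |
        Select-Object UserPrincipalName, RemoteRoutingAddress, ExchangeGuid
}

# Usage:
#   $pw = Read-Host -AsSecureString 'Initial password'
#   New-HybridMailboxUser -SamAccountName jdoe -GivenName Jane -Surname Doe -InitialPassword $pw
```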

 

 

Yeah, only thing that is missing for replacing my script is the advanced auditing settings for the Exchange mailbox, but maybe there is something I am not aware of.

Best

Martin

For me, the only way that lets you migrate the mailbox from EXO to on-prem and vice versa without issue is still to create the AD account on-prem, create the mailbox on-prem and migrate it to EXO.

Since AAD Sync is still one way.

I'm with Paul, Vasil and Nuno :)

Just a hint: if you create the mailbox in EXO, the ExchangeGUID is not present on the object and if you want to offboard the mailbox, this value has to be set manually.

 

https://support.microsoft.com/ca-es/help/2956029/-migrationpermanentexception-cannot-find-a-recipien...
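
A check for the missing ExchangeGUID described in this post and in the earlier reply that links the same article, as an added PowerShell example that is not from the thread. It assumes the on-premises Exchange Management Shell with the ExchangeOnlineManagement module installed; the function name and the `Cloud` cmdlet prefix are choices made for this example.

```powershell
# Added example, not from the thread.
# -Prefix Cloud exposes the Exchange Online cmdlets as Get-CloudMailbox etc., so they
# do not collide with the on-premises cmdlets of the same name.
Connect-ExchangeOnline -Prefix Cloud

function Repair-RemoteMailboxGuid {
    param(
        # Without -Apply the function only reports what it would change.
        [switch]$Apply
    )

    $empty = [guid]::Empty

    # On-premises remote mailbox objects that carry no ExchangeGuid.
    $missing = @(Get-RemoteMailbox -ResultSize Unlimited |
        Where-Object { $_.ExchangeGuid -eq $empty })

    foreach ($rm in $missing) {
        $cloud = Get-CloudMailbox -Identity $rm.UserPrincipalName -ErrorAction SilentlyContinue

        if (-not $cloud -or $cloud.ExchangeGuid -eq $empty) {
            # No cloud mailbox yet (not synced or not licensed): nothing to copy.
            [pscustomobject]@{
                UserPrincipalName = $rm.UserPrincipalName
                CloudExchangeGuid = $null
                Action            = 'Skipped: no cloud mailbox GUID available'
            }
            continue
        }

        # Copy the cloud mailbox GUID onto the on-premises object so a later
        # move back to on-premises can find the recipient.
        Set-RemoteMailbox -Identity $rm.DistinguishedName `
            -ExchangeGuid $cloud.ExchangeGuid -WhatIf:(-not $Apply)

        [pscustomobject]@{
            UserPrincipalName = $rm.UserPrincipalName
            CloudExchangeGuid = $cloud.ExchangeGuid
            Action            = if ($Apply) { 'ExchangeGuid set' } else { 'Would set (report only)' }
        }
    }
}

# Report first, then apply:
#   Repair-RemoteMailboxGuid | Format-Table -AutoSize
#   Repair-RemoteMailboxGuid -Apply
```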


Environment: Exchange 2010 SP3 and Exchange Online hybrid. 

 

I have tried the create account in on-prem Exchange 2010 and migrate method and the Exchange Management Shell (EMS) method and found that EMS method is most efficient for me. Below is the command string I'm using.

New-RemoteMailbox -UserPrincipalName "[flast@MyCompanyDomain.com]" -Name "[First Last]" -Alias "[First.Last]" -RemoteRoutingAddress "[First.Last]@MyCompanyTenant.mail.onmicrosoft.com" -FirstName "[First]" -LastName "[Last]" -DisplayName "[First Last]" -OnPremisesOrganizationalUnit "[OU Where I Want User's AD Account]"

I did find that if I used the -PrimarySmtpAddress switch with New-RemoteMailbox, there was the unintended consequence of disabling the email address policy for the mailbox, creating Exchange Online to on-prem Exchange email delivery and calendar free/busy issues. This can be resolved by using the following command.

 

Set-RemoteMailbox -Identity [mailbox name] -EmailAddressPolicy $true

 

I hope this helps someone save some time.

Also, to give credit to the person that solved the issue caused by me using the -PrimarySmtpAddress switch.

 

https://community.spiceworks.com/topic/2164592-issue-with-new-remote-mailbox-user-creation-in-hybrid...

Could you kindly share the script where you create the user in AD and force the dir-sync?

What I'm trying to achieve is to make the whole process automated.
The user fields (properties) will be generated by a CSV file.
1. Create the user in AD OU that is AD-Connected
2. Force AD Sync
3. Assign License (by PS script) - we use only two types of license: Business Premium and E3
4. Send Notification to Admin that email account was activated.

@ShrenikSalguna wrote:
Could you kindly share the script where you create the user in AD and force the dir-sync?

What I'm trying to achieve is to make the whole process automated.
The user fields (properties) will be generated by a CSV file.
1. Create the user in AD OU that is AD-Connected
2. Force AD Sync
3. Assign License (by PS script) - we use only two types of license: Business Premium and E3
4. Send Notification to Admin that email account was activated.

I posted my script in the following location because I used the OP's script as the starting point for my script. I have since added valuable functionality to my script and will be posting an update as soon as I take the time to remove all my company information from it.

 

https://community.spiceworks.com/topic/1964109-powershell-script-to-create-new-users?page=1#entry-81...

 

 

@ShrenikSalguna 

I use the on-premise Exchange server to create the user if that helps you (note the below cannot simply be used, just for inspiration)


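# Connect to the on-prem Exchange server's remote PowerShell endpoint using Kerberos.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://[yourExchangeServer].dca.dk/PowerShell/ -Authentication Kerberos -Credential $adminCredential

# Import the Exchange cmdlets with a prefix so they do not clash with other sessions.
Import-PSSession $Session -Prefix XXX

# Create the AD account and the remote (Exchange Online) mailbox object in one call.
# $password is a plain-text string here and is converted to a SecureString for the cmdlet.
$remoteMailbox = New-XXXRemoteMailbox -Alias $initials -SamAccountName $initials -UserPrincipalName $userUPN `
-Name $fullName -FirstName $firstname -LastName $lastname -DisplayName $fullName `
-Password (ConvertTo-SecureString -AsPlainText $password -Force) -ResetPasswordOnNextLogon $false `
-OnPremisesOrganizationalUnit $ou.DistinguishedName `
-Confirm:$false `
-DomainController $domainController -PrimarySmtpAddress $userUPN # `
#-Archive #latest addition to have an archive mailbox active

# Short pause before modifying the newly created object.
Start-Sleep -Seconds 8 -Verbose

# -PrimarySmtpAddress disables the email address policy on the mailbox; enable it again.
$remoteMailbox | Set-XXXRemoteMailbox -EmailAddressPolicyEnabled $True

Remove-PSSession $Session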

 

 

and for sync I run the following:

 

$Session = New-PSSession -ComputerName [syncserver].dca.dk -Authentication Kerberos -Credential $adminCredential

 

$JobSync1 = Invoke-Command -Session $Session -Scriptblock { Import-Module ADSync }
$JobSync2 = Invoke-Command -Session $Session -Scriptblock { Start-ADSyncSyncCycle -PolicyType Delta }


Remove-PSSession $Session
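
The four-step CSV workflow asked for above, put together as an added example that is not a script from this thread. It assumes it runs in the on-prem Exchange Management Shell with the ActiveDirectory module loaded, that licences are assigned through synced AD groups (group-based licensing), and that the random initial password is a placeholder your helpdesk replaces through its normal first-login process. All server, OU, group and address names are hypothetical. The group change is made before the sync so that one delta cycle carries both the user and the licence membership.

```powershell
# Added example, not a script from this thread. Every value in this block is a placeholder.
$csvPath    = 'C:\Provisioning\newusers.csv'   # columns: First,Last,Alias,Upn,License
$routing    = 'MyCompanyTenant.mail.onmicrosoft.com'
$targetOu   = 'OU=Staff,DC=example,DC=com'     # must be in AAD Connect sync scope
$dc         = 'dc01.example.com'               # one DC for every write, avoids replication lag
$syncServer = 'aadconnect01.example.com'
$licGroups  = @{ 'E3' = 'LIC-O365-E3'; 'BusinessPremium' = 'LIC-O365-BP' }  # synced AD groups

function New-InitialPassword {
    # 20 characters drawn with a cryptographic RNG. The alphabet has exactly 64
    # symbols, so (byte % 64) is unbiased. Returned as SecureString, never logged.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=?@'
    $bytes = New-Object byte[] 20
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $secure = New-Object System.Security.SecureString
    foreach ($b in $bytes) { $secure.AppendChar($chars[$b % 64]) }
    return $secure
}

$created = @()
foreach ($row in Import-Csv -Path $csvPath) {
    try {
        if (-not $licGroups.ContainsKey($row.License)) { throw "Unknown license '$($row.License)'" }
        # Step 1: create the AD account and stamp the Exchange attributes on-prem.
        New-RemoteMailbox -Name "$($row.First) $($row.Last)" -DisplayName "$($row.First) $($row.Last)" `
            -FirstName $row.First -LastName $row.Last -Alias $row.Alias -SamAccountName $row.Alias `
            -UserPrincipalName $row.Upn -RemoteRoutingAddress "$($row.Alias)@$routing" `
            -OnPremisesOrganizationalUnit $targetOu -DomainController $dc `
            -Password (New-InitialPassword) -ResetPasswordOnNextLogon $true -ErrorAction Stop | Out-Null
        # Step 3: license via membership of a group that carries the licence in Azure AD.
        Add-ADGroupMember -Identity $licGroups[$row.License] -Members $row.Alias -Server $dc -ErrorAction Stop
        $created += $row.Upn
    } catch {
        Write-Warning "Row $($row.Upn) failed: $($_.Exception.Message)"
    }
}

if ($created.Count -gt 0) {
    # Step 2: one delta sync for the whole batch instead of one per user.
    Invoke-Command -ComputerName $syncServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    } | Out-Null
    # Step 4: notify the admin with UPNs only; the initial password is never mailed.
    Send-MailMessage -To 'admin@example.com' -From 'provisioning@example.com' `
        -SmtpServer 'smtp.example.com' -Subject "Provisioned $($created.Count) hybrid users" `
        -Body ($created -join "`r`n")
}
```

A rare random draw can miss the domain's complexity rule; that row lands in the warning output and can simply be rerun.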

@Jerry Meyer 

 

The answer that you are looking for is not something that is easily defined any longer. Everyone who has provided a working answer here is in part correct about what is 'best practice.' 

 

The speed at which things change in relation to cloud-hosted services is causing us to change our perspective on concepts like "Best Practice" for administration tasks like this. What is "best practice" today is quickly changed as soon as that new feature is released. I'm inclined to reference the previous comment regarding the Exchange Admin Center update that provides the "Create New Mailbox In Exchange Online." You are spot on, that is a "Best Practice," but so is the method that the other commenter has about creating a script that does it all for him.

 

Conclusion.... there are 13 ways to slice the bread (administration tasks) and because things are changing faster than we can establish "Best Practice" the best way to do it is going to be the way that works best for you.

 

Not the answer you are looking for, and I know that... I am sorry.... : )

 

I would take a list of the possible ways and figure out which are most applicable to you. Try them each, and understand them each. Establish a process, and dub that YOUR BEST PRACTICE methodology.

And on the conversation that things change quickly, now with the latest CUs for Exchange Server you can create shared mailboxes in Exchange Online with "New-RemoteMailbox -Shared".

It is still the case, though, that with AD Sync in place, attributes in Azure AD are mostly read-only and need changing in the source directory of Active Directory. Changes to Exchange attributes in AD are only supported via Exchange management tools, so Best Practice would still need to include that. Creating objects or licensing stuff that results in attribute changes before Microsoft builds a supported system for writing back the attribute on premises is likely to lead to more administrative issues and problems.