Identity synchronization to Office 365 - two SMTP proxy addresses


Hi everyone,

I have two domains, example1.com and example2.org.

Our users' email is abc@example1.com; however, they all have an alias abc@example2.org.

When synchronizing users to Office 365, I would like to use their email address (mail attribute) as their identity so that their login (username) for Office 365 is abc@example1.com. I don't want to use their user logon name from AD because it's different.

The proxy address attribute for each user is as follows:

SMTP: abc@example1.com

smtp: abc@example2.org

If I do synchronization of identities to Office 365 using the mail attribute as the identity source, will this create a user login in Office 365 with abc@example1.com as their username and an alias of abc@example2.org?

If not, how can I go about it so that their username becomes their email address (abc@example1.com) and their alias becomes abc@example2.org?

 

19 Replies

@Ferzaer2 you can configure another attribute in AAD Connect as your logon name; it's called alternate login ID. But from a best practice perspective, the UPN should match your primary SMTP address. I can highly recommend changing the UPN and going with the default attributes whenever possible. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-logi...

 

@Dominik Hoefling

What can go wrong? It's only being used to create their identities, i.e. usernames online on Office 365, and then their mailbox is going to be synchronized and the on-premises server will be decommissioned.

I think you are not understanding my question, or I phrased it wrong.

I know I can configure alternate ID (and that is what I plan to do): use the mail attribute as the alternate ID so I don't have to edit the user login ID for Office 365.

However, I would like to know how I could do this so that the users get both aliases created automatically.

Here's a better example:

Imagine a user with the name Jenny Dear.

User logon name is

dearj

UPN: example1.com

So we have dearj@example1.com as her Windows login username (not that they use it).

However, her email is

Jenny@EXAMPLE1.COM

So the AD attributes have this:

mail: Jenny@example1.com

proxyAddresses:

SMTP: Jenny@example1.com

smtp: jenny@example2.org

I want to use the mail attribute as an alternate logon ID, so that when 400 users get synchronized, all their usernames for Office 365 will be their mail attribute, i.e. Jenny@example1.com.

The perfect scenario is that they also get an alias Jenny@example2.org created in the process, so I don't have to go and update all of them manually.

After their identities are created and passwords synchronized, the mailbox move is done and the Exchange server will be killed. We won't be keeping it around for long, hopefully a week or two.

 

@Ferzaer2 Yes, I actually got it :)

 

1. You can't remove any Exchange as long as AAD Connect is in place. If you want to remove Exchange, you "have to" switch to cloud-only accounts. It's not supported to change Exchange attributes in AD/ADSIEDIT.

 

2. You can configure the mail attribute in Azure AD Connect as the logon name (UPN in Azure), which is explained in my link. A user can only have one logon name (UPN), and I believe you mean by alias another email address, right? If yes, use email address policies on-premises; then Exchange will add all your required aliases to the mailbox, these addresses will be synchronized to Exchange Online with AAD Connect, and you can receive emails on those aliases as well.

@Dominik Hoefling

We are getting somewhere. I really appreciate your input. Here is a bit more clarification.

1. We are not going to keep AD Connect around; we plan on moving all mailboxes/users to the cloud and killing Exchange (after we uninstall AD Connect). We don't need password synchronization, etc. We are going to keep AD on-premises for file sharing etc., and users will continue to use their current logins as if nothing changed. Only email access will be changed, and they will have two passwords moving forward.

2. Our on-premises Exchange email address policy has a rule where whenever we create jenny@example1.com, they also have an alias created, jenny@example2.org (yes, different domains), which is why in the AD attributes the proxy address has two smtp entries (different domains for the same user linked to one mailbox).

However,

I would like to create in Office 365 a user login based on the mail attribute which will result in

Primary email address and username: jenny@example1.com
Alias: jenny@example2.org

Is there a way to do this automatically or with PowerShell based on the proxy address, since they already have SMTP: jenny@example1.com (with capitals so that it's the primary domain/address) and the second one, smtp: jenny@example2.org, as the second one or alias?

Or, for example, I sync them and their identities are created as

jenny@example1.com; can I use PowerShell to create an alias for them automatically for each user so they become

jenny@example2.org, basically taking whatever is after @, i.e. example1.com, and replacing that with example2.org and thus creating an alias automatically?

I feel like I will have to do this manually, but I'm still looking for ways.

 

@Ferzaer2 sure thing, you're welcome!

1) got it, thanks

2) "I would like to create in office 365 a user log in based on the mail attribute which will result in

Primary email address and username: jenny@example1.com
 
Let me try to explain it: UPN + primary smtp address: jenny@example1.com --> Default user login name (UPN) in Azure if you don't configure alternate login id in Azure AD Connect.
Alias: jenny@example2.org --> what do you mean by alias? Additional proxy address? mail? mailnickname? If you want this as the UPN/login name in Azure, you can use whatever attribute you want as your logon name in Azure AD Connect.
 
If you mean the "alias" in the Microsoft 365 admin center: you can choose a user login name (UPN) from any existing smtp addresses (alias). Is this the feature you are trying to use (see attached screenshot)?
 
If yes: this can be achieved by email address polices or, of course, you can add the alias afterwards in Azure via PowerShell for all your users in bulk.

@Dominik Hoefling

Hey, I think images help. Yes, I was referring to that alias in the Microsoft 365 admin center.

I have both example1.com and example2.org added to my tenant.

However, when I synchronize users to create their identities, I would like their primary address to be

jenny@example1.com, and then either later or in the same step add the alias

jenny@example2.org, because a lot of people send them emails at the second address.

So if someone sends them an email at jenny@example2.org, I want that email to be forwarded to jenny@example1.com; from what I read, this is the way to go.

Now, I'm attaching some photos so that you see that the user's logon name or username for domain computers is "dearj", and when I synchronize, if I use the default identity, their primary address on Office 365 will be

dearj@example1.com

However, I want to avoid this as it will cause confusion when their email is jenny@example1.com.

Rather than updating the user logon name in the on-premises AD for all of them manually before synchronization, I can use the mail attribute from the AD attributes as the alternate identity for AD Connect, and this should create in Microsoft 365 their username/ID based on the mail attribute. Right?

See attached images.

I am not sure what could go wrong, since we won't be keeping the hybrid for very long. Every mail attribute is unique; if there are two Jennys, then the second one gets a mail attribute Jenny2@example1.com.

Thanks again for being involved and helping me.

 

 

@Dominik Hoefling

Don't know what happened to my last reply (it just went missing), but yes, I am referring to the alias in Microsoft 365.

Some users receive email at the example2.org domain, and I would like whatever email they receive at jenny@example2.org to get redirected to jenny@example1.com; this seems the way to go about it.

Now, I'm attaching photos so you can see what their UPN looks like now with the user logon name. It's

dearj@example1.com; if I use this as my default identity for AD Connect, then their Microsoft Office 365 account primary address will be dearj@example1.com.

However, their email is jenny@example1.com, and we want this to be created as their Microsoft Office 365 primary address.

See the attached photos.

It seems the only way is to use alternate login ID for Azure AD Connect and choose the mail attribute, which corresponds to jenny@example1.com.

UPNuserlogonname.PNG

ProxyAddressAttribute.PNG

MailAttribute.PNG

Just wondering what can go wrong and why not go this way? It seems the best/fastest way to achieve this.

There are no two duplicate mail attributes, and I guess we can add the alias manually or automatically with PowerShell.

   

@Ferzaer2 yes, a mailbox can have many different alias proxy addresses, and they automatically get "redirected" to the primary address. Actually it's not a technical redirect; they just get into the mailbox itself. And yes, alternate login ID is the best way to achieve this.

 

Please refer to the following articles regarding UPN ne primary smtp address:
https://invorx.com/upn-should-match-your-primary-smtp-address-in-office-365/

https://blogs.perficient.com/2015/07/07/office-365-why-your-upn-should-match-your-primary-smtp-addre...

https://support.cloudhq.net/it-admin-office-365-why-your-user-principal-name-upn-should-match-your-e...

 

"... Yes, Microsoft did release a feature last year called “Alternate Login ID” that allows you to use an attribute other than UPN for your Office 365 login, but that feature comes with a list of limitations that you should be aware of."

 

It's the easiest way if you prepare your identities on-prem (e.g. an email address policy to add all required aliases and sync them to Azure), migrate your data, and decommission your on-prem infrastructure. If you disable dirsync afterwards in Azure, you can also change your objects there. Alternate login ID (mail) is the way to go, but best practice is to change the UPN on-prem to your primary SMTP address value.

@Dominik Hoefling

I'm confused by this part: "Alternate login ID (mail) is the way to go, but best practice is to change the UPN on-prem to your primary SMTP address value."

Do you mean to change the user logon name from dearj to jenny@example1.com on-prem before doing identity synchronization? Please see the photo I attached.

The UPN part, i.e. what comes after @, is already example1.com, and it matches my primary SMTP address value.

However, I'm mainly concerned with the part before @.

@Ferzaer2

Answer found here: https://blogs.perficient.com/2015/07/07/office-365-why-your-upn-should-match-your-primary-smtp-addre...

Thanks for the link.

Now, my only question is: what is the best approach to create the alias with the second domain? Before the remote mailbox is done or after?

Is there any PowerShell script that can do this, or can I do it during directory/identity synchronization?

 

@Ferzaer2 Do you mean to change the user log on name from dearj to jenny@example1.com on prem before doing identity synchronization?

--> exactly, always follow the simplest method and the best practices approach from Microsoft.

 

Now, my only question is what is the best approach to create the alias with the second domain ? Before remote mailbox is done or after ?

Is there any powershell script that can do this or i can do it during directory/identity synchronization ?

--> It's already there from your screenshot (one primary smtp address (SMTP) and one secondary smtp address (smtp)). You can add the alias either manually, with PowerShell, or with an email address policy on-prem. All those values will be synchronized to Exchange Online.

 

Prior migration:

1. Manually: ECP

2. PowerShell: Set-Mailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com","danj@tailspintoys.com","jenny@example1.com"}

3. Email address policy in ECP or via PowerShell: Get/Set-EMailAddressPolicy

 

After migration:

1. Manually: ECP

2. PowerShell: Set-RemoteMailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com","danj@tailspintoys.com","jenny@example1.com"}

 

Hope that helps.

@Dominik Hoefling 

 

Guys! I was reading the whole conversation because I am in the same sort of situation.

Yes, choosing email as the syncing attribute will create users' UPNs in Office 365.

I need a clarification here. A mailbox having proxy addresses on-premises: after migration to the cloud, will these proxy addresses appear there? Keeping in mind that I only sync my email-attribute-based domain, while the proxy addresses are on a different domain which is not syncing?

Short answer: no. You need to connect both domains / forests, e.g. if you have an account and Exchange resource forest setup.

@Dominik Hoefling

Hi, sorry for the late reply.

So since I already have two smtp proxy addresses on-premises for each user, the alias should be created automatically?

Also, one more question. I have decided to try and use a script to change each user's UPN to

jenny@example1.com

However, I forgot to mention, I will have 3 domains in UPN.

example1.com (also verified in Office 365 and used as the main UPN for users, meaning all users will have a UPN of name@example1.com set prior to migration).

example2.org (also verified in Office 365, no user will have this as their UPN)

example3.gov (not verified in Office 365, no user will have this as their UPN)

Will the example3.gov domain cause an issue since it's not verified in Office 365? I will not be using it as a UPN. I think there's an option to just ignore it if it's not verified when doing identity synchronization, and that the most important part is the actual UPN that is selected, i.e.

jenny@example1.com for every user (and even though there are other domains, this will be the one that is used, correct)?

Thanks.

@Ferzaer2 So since I already have two smtp proxy addresses on premises for each user , the alias should be created automatically ? --> yes.

 

Will the example3.gov domain cause an issue since it's not verified in office 365 ? --> as long as no user has example3.gov as an email address, there will be no issues. If you want to sync these smtp addresses to O365, then you have to register it (but you don't have to add them as an additional UPN suffix in your on-prem AD).
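The thread answers two related questions with cmdlet names only: add the second-domain alias (Set-Mailbox before migration, Set-RemoteMailbox after) and make sure nothing in the sync scope references an unverified domain such as example3.gov. The script below is an added example written for this page, not code from the thread, from Microsoft, or from either participant. It assumes the ActiveDirectory module and an Exchange Management Shell session; the OU paths, the domain list, and the -Apply/-AfterMigration switches are illustrative assumptions. By default it only reports what it would change.

```powershell
# Added example (not from the thread). Assumed: ActiveDirectory module,
# Exchange Management Shell, and the OU/domain values below.
param(
    [switch]$AfterMigration,   # mailboxes already moved: use Set-RemoteMailbox
    [switch]$Apply             # report-only unless -Apply is given
)

Import-Module ActiveDirectory

$PrimaryDomain   = 'example1.com'                       # UPN suffix and primary SMTP domain
$AliasDomain     = 'example2.org'                       # secondary (alias) domain
$VerifiedDomains = @($PrimaryDomain, $AliasDomain)      # domains verified in the tenant
$SearchBases     = @('OU=Staff,DC=example1,DC=com',     # assumed OUs in sync scope
                     'OU=Faculty,DC=example1,DC=com')

# Only mail-enabled users in the chosen OUs; local service accounts without mail are skipped.
$users = foreach ($ou in $SearchBases) {
    Get-ADUser -SearchBase $ou -Filter 'mail -like "*"' `
        -Properties mail, proxyAddresses, userPrincipalName
}

# Two users sharing one mail value would compete for the same login name after sync.
$users | Group-Object { $_.mail.ToLower() } | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate mail attribute: $($_.Name)" }

$MailboxCmdlet = if ($AfterMigration) { 'Set-RemoteMailbox' } else { 'Set-Mailbox' }

foreach ($u in $users) {
    # Exactly one upper-case 'SMTP:' entry marks the primary address (-clike is case-sensitive).
    $primaries = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primaries.Count -ne 1) {
        Write-Warning "$($u.SamAccountName): expected one SMTP: entry, found $($primaries.Count)"
        continue
    }
    $primary = $primaries[0].Substring(5)          # strip the 'SMTP:' prefix
    $local   = $primary.Split('@')[0]              # part before @, reused for the alias

    # Every smtp/SMTP address must use a verified domain, otherwise it cannot sync to the tenant.
    foreach ($addr in ($u.proxyAddresses | Where-Object { $_ -like 'smtp:*' })) {
        $d = $addr.Split('@')[-1]
        if ($VerifiedDomains -notcontains $d) {
            Write-Warning "$($u.SamAccountName): $addr uses unverified domain $d"
        }
    }

    # Best practice from the thread: UPN should equal the primary SMTP address.
    if ($u.UserPrincipalName -ne $primary) {
        Write-Output "$($u.SamAccountName): UPN $($u.UserPrincipalName) -> $primary"
        if ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $primary }
    }

    # Ensure the second-domain alias exists; add it through Exchange, not by editing AD directly.
    $alias = "smtp:$local@$AliasDomain"
    if ($u.proxyAddresses -notcontains $alias) {
        Write-Output "$($u.SamAccountName): add alias $alias"
        if ($Apply) { & $MailboxCmdlet -Identity $primary -EmailAddresses @{add = $alias} }
    }
}
```

Run it once without switches to get the list of UPN changes, missing aliases, duplicate mail values and unverified-domain addresses; run again with -Apply (and -AfterMigration once the mailboxes are remote) to make the changes. The alias is added via the Exchange cmdlet rather than Set-ADUser so the mailbox object stays consistent with what Exchange expects.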

@Dominik Hoefling

"as long as no user has example3.gov as an email address, there will be no issues. If you want to sync these smtp addresses to O365, then you have to register it (but you don't have to add them as an additional UPN suffix in your on-prem AD)."

No, no user has example3.gov as an email address, and I don't want to sync it.

Also, no user has a UPN suffix that ends in example3.gov.

However, the UPN suffix is there; it's not being used, but it's there, available to be picked up.

So as long as no user has the UPN suffix added to their logon, then it won't be an issue, correct? Even though it's available?

Also, one more question: it seems everyone recommends using express settings, but is it an issue to use custom settings so I can choose two OUs for synchronization, without synchronizing some local accounts from other OUs that have no email address and are used purely for domain computer access?

Thanks again for everything.

 

Doesn't matter if the UPN suffix is there on-prem or not, right.

Express settings have the advantage that you will automatically receive updates (kind of auto-updated) and the default configuration will be applied. Of course you can use the custom settings and configure OU filtering.

@Dominik Hoefling

Got you. Since I plan on getting rid of AD Connect soon after migration, I don't think I need updates.

I have one more question, but I'll make a separate thread about it.

Thanks for everything so far.