SOLVED

On-prem Exchange needed for Azure AD Connected MS365 user with a mailbox?

Brass Contributor

We have an on-prem active directory with users synced to MS365 for their Office 365 logins. Works great.

 

We used to use Zimbra for email, so no Exchange server in sight. We now want to add mailboxes to the users MS365 accounts, and want to confirm if we NEED a full-blown on-prem Exchange 2016 server with a free hybrid config license just to manage things like email addresses, aliases, and other user attributes that are sourced from active directory?

 

I have done this a few times for sites that already had Exchange, but what about MS365 tenants that never had an Exchange server? I guess it's close to Scenario 2 in this article, just want to confirm what is the absolute minimum we should be trying to get away with when adding this to a site with no history of Exchange? Windows 10 and Exchange Management Tools looked like a plan, but that doesn't include Exchange Admin Centre, only EMS and Exchange Toolbox. Is this article still the current situation:

https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange 

 

Best,

Kevin 

5 Replies
best response confirmed by Kevin_Davis (Brass Contributor)
Solution

Hi @Kevin_Davis 

This is a common question, and to answer it quickly - yes you need to install an Exchange 2016 server (not 2019 since you can't get a free hybrid key for this), if you plan to retain your on-prem AD and sync users with Office 365.

The reason is that since you accounts originate in AD, you have to add the email attributes to those accounts in your on-prem AD (not in Azure AD or Exchange), and the only supported way of doing that is to use the EAC. The are other options that are not really viable:

- Just license the users for Exchange online, they will get a mailbox and email will work. But you will find that you cannot do some things e.g. add email aliases (proxy addresses), since they have to be added in AD as properties of the user account.

- Use other tools e.g. ADUC, ADSI edit, 3rd party to manage email the email attributes, no supported and you could cause issues. Exchange uses many different attributes so hard to manage manually (and you wouldn't even have the schema extensions).

 

So basically:

- Install Exchange on one server.

- Use the EAC to manage mailboxes, including mailbox creation (choose New - Office 365 mailbox, or new-remotemailbox in powershell for example).

- Wait for Microsoft remove the requirement to use Exchange and give us another way of doing it.

 

There was a blog post about this recently here where the Exchange team confirmed that for the time being you still need hybrid, but they are working on a solution (and have been for several years by all accounts) that would enable you to remove the on-prem Exchange server.

@Kevin_Davis It really depends on which settings you need to configure. If the users just have one normal E-Mail Address, then you can configure it with the normal "E-Mail" attribute in Active Directory Users and Computers. If you want to add more E-Mail addresses to one user, or hide users in the Exchange address lists, then you need an Exchange Server to manage these attributes.

@halbp Thanks for the reply. Much as I expected, given what I know about sites with historic Exchange servers.

Seems MS missed a trick here; "So you're on a 3rd party email server? Come to MS365 where everything is just better. But you'll have to provision a full blown Exchange server on-premise if you are using Azure AD Connect to sync passwords." I understand the reason behind it, just think there should be a MUCH neater solution, esp. for small companies that over the years landed up with ADDS on a small office file server and want to use their work login details for MS365 with a mailbox. 

Kevin

Thanks for the reply @diecknet
It seems the limitations surrounding not going the full blown Exchange 2016 server route just to manage a few attributes will be too limiting. Fortunately we have suitable hardware to add an Exchange server to the on-premises estate, but I can see such an expense coming as a deal-breaker to most small companies who want MS365 mailboxes with logins synced from active directory.

@Kevin_Davis yes pretty much everyone has the same reaction when they find this out. Move to the cloud, but you still need to install Exchange? Crazy!

They really need to get this fixed, but for the moment that's how you have to do it.

1 best response

Accepted Solutions
best response confirmed by Kevin_Davis (Brass Contributor)
Solution

Hi @Kevin_Davis 

This is a common question, and to answer it quickly - yes you need to install an Exchange 2016 server (not 2019 since you can't get a free hybrid key for this), if you plan to retain your on-prem AD and sync users with Office 365.

The reason is that since you accounts originate in AD, you have to add the email attributes to those accounts in your on-prem AD (not in Azure AD or Exchange), and the only supported way of doing that is to use the EAC. The are other options that are not really viable:

- Just license the users for Exchange online, they will get a mailbox and email will work. But you will find that you cannot do some things e.g. add email aliases (proxy addresses), since they have to be added in AD as properties of the user account.

- Use other tools e.g. ADUC, ADSI edit, 3rd party to manage email the email attributes, no supported and you could cause issues. Exchange uses many different attributes so hard to manage manually (and you wouldn't even have the schema extensions).

 

So basically:

- Install Exchange on one server.

- Use the EAC to manage mailboxes, including mailbox creation (choose New - Office 365 mailbox, or new-remotemailbox in powershell for example).

- Wait for Microsoft remove the requirement to use Exchange and give us another way of doing it.

 

There was a blog post about this recently here where the Exchange team confirmed that for the time being you still need hybrid, but they are working on a solution (and have been for several years by all accounts) that would enable you to remove the on-prem Exchange server.

View solution in original post