cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure AD Password Hash Sync & Shared Mailboxes

Boon Leong Ong
Copper Contributor

‎Oct 03 2018 02:27 AM

‎Oct 03 2018 02:27 AM

Azure AD Password Hash Sync & Shared Mailboxes

Hi there,

 

We are considering switching to Exchange Online Azure AD Password Hash Sync with our on-premise AD.

Wondering whether if a user left the company and we set to Exchange Online account to a shared mailbox but delete off the account in the on-premise AD, will the account in Azure AD be deleted off as well?

 

From what I read, it seems that if we disable the account in the on-premise AD, the account in Azure AD will also be removed (30 days). Is there anyway we can prevent that from happening? Like having to manually remove accounts in Azure AD instead? It is password hash sync only.

 

Thanks for reading.

Labels:
2,550 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by Boon Leong Ong (Copper Contributor)
Adam Ochs

‎Oct 03 2018 07:37 AM - edited ‎Oct 03 2018 07:39 AM

‎Oct 03 2018 07:37 AM - edited ‎Oct 03 2018 07:39 AM

Solution

Re: Azure AD Password Hash Sync & Shared Mailboxes

Hello @Boon Leong Ong,

 

There are a few ways you can go about handling this.

 

1. Using a Hybrid exchange server/manually changing the msExchangerecipienttypedetails value. This is one of the values that O365 looks at to determine what type of object you have. If you change this value, and then re-sync the user object, it should convert over to a shared mailbox. At that point the password in O365 does not matter, you can then change the password to your local ad (or lock it) and it should work. You cant disable/delete the AD account, but you can effectively block it out and keep the object in o365. You MAY need to do a full sync to get the type to change, as sometimes O365 is notoriously stubborn at picking up a recipient type change. Once they have been converted to a shared mailbox, you can remove their license.

http://techgenix.com/msexchangerecipienttypedetails-active-directory-values/

 

2. Disable/remove the account in local AD, restore it through the recycling bin - You are correct after 30 days the account is removed once a local AD is deleted. This is just a function of how AADC works. However, since you have that 30 day window, you can choose to go restore the user, and you can restore them as a cloud object. This will provision them out as a cloud object not linked to your AD, you will also want to make sure you re-license them so that the exchange mailbox comes back. Once that is back (and now a cloud user), you can go through the exchange GUI and convert the user mailbox to a shared mailbox. Once that is done you can unlicense the user. Their exchange data will be saved as a shared mailbox.

*Note any data in Onedrive or other applications for this user will however be lost.

 

3. Export and Import - This is the longest option, but probably the "safest" from a process stand point. (assuming you control the steps properly). When a user is going to leave that is currently licensed, you can use the security and compliance center to export their data for you. You just create a search for that user (mail to and from) and then export it to a PST. Go in and create a shared mailbox, this can be a cloud object or a fresh AD account. Then import that data in. Once you are comfortable with your work, delete the user account, purge the data from deleted items in O365 (to free up the email address), and add their email address to the shared mailbox you created.

 

Personally I did mostly 1 or 2 with my clients based on if they wanted their shared mailboxes to have objects in AD or not. If they did, I would do 1, if they did not and were fine with them being cloud objects (and thus having no reference in AD) I would do 2.

 

Adam

0 Likes
Reply
Vasil Michev

‎Oct 03 2018 11:15 AM

‎Oct 03 2018 11:15 AM

Re: Azure AD Password Hash Sync & Shared Mailboxes

For such scenarios, the recommended solution is to use Inactive mailboxes: https://docs.microsoft.com/en-us/office365/securitycompliance/create-and-manage-inactive-mailboxes

 

They are free, allow you to keep the data immutably and indefinitely, and don't rely on the AD user object. Now, if you need "online" access to the data of the departed user, they are not as convenient as Shared mailboxes to use. There are few other factors to consider as well, as detailed here: https://practical365.com/exchange-online/shared-mailboxes-vs-inactive-mailboxes-departed-users/

0 Likes
Reply
Boon Leong Ong

‎Oct 04 2018 06:34 PM

‎Oct 04 2018 06:34 PM

Re: Azure AD Password Hash Sync & Shared Mailboxes

Guys, thank you for your help.

 

So if I restore an deleted (disabled in on-premise AD) account and set it to be a shared mailbox, the synchronization will then be removed? I don't see any option to restore the account as a cloud object though. Just a restore option.

 

That would be great for my case. I just have to remember to do the process. Or basically I could just switch the mailbox to a shared mailbox in Office365 and then disable/delete the account in the on-premise AD.

0 Likes
Reply
Boon Leong Ong

‎Oct 04 2018 06:37 PM

‎Oct 04 2018 06:37 PM

Re: Azure AD Password Hash Sync & Shared Mailboxes

Thank you.

But looks like it requires Exchange Online Plan 2 for it to work. We are on Plan 1.

0 Likes
Reply
Adam Ochs

‎Oct 05 2018 06:43 AM

‎Oct 05 2018 06:43 AM

Re: Azure AD Password Hash Sync & Shared Mailboxes

Hello @Boon Leong Ong,

 

Just restore the user, it should come back as cloud. Since they no longer are in AD.

 

adam

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Boon Leong Ong (Copper Contributor)
Adam Ochs

‎Oct 03 2018 07:37 AM - edited ‎Oct 03 2018 07:39 AM

‎Oct 03 2018 07:37 AM - edited ‎Oct 03 2018 07:39 AM

Solution

Re: Azure AD Password Hash Sync & Shared Mailboxes

Hello @Boon Leong Ong,

 

There are a few ways you can go about handling this.

 

1. Using a Hybrid exchange server/manually changing the msExchangerecipienttypedetails value. This is one of the values that O365 looks at to determine what type of object you have. If you change this value, and then re-sync the user object, it should convert over to a shared mailbox. At that point the password in O365 does not matter, you can then change the password to your local ad (or lock it) and it should work. You cant disable/delete the AD account, but you can effectively block it out and keep the object in o365. You MAY need to do a full sync to get the type to change, as sometimes O365 is notoriously stubborn at picking up a recipient type change. Once they have been converted to a shared mailbox, you can remove their license.

http://techgenix.com/msexchangerecipienttypedetails-active-directory-values/

 

2. Disable/remove the account in local AD, restore it through the recycling bin - You are correct after 30 days the account is removed once a local AD is deleted. This is just a function of how AADC works. However, since you have that 30 day window, you can choose to go restore the user, and you can restore them as a cloud object. This will provision them out as a cloud object not linked to your AD, you will also want to make sure you re-license them so that the exchange mailbox comes back. Once that is back (and now a cloud user), you can go through the exchange GUI and convert the user mailbox to a shared mailbox. Once that is done you can unlicense the user. Their exchange data will be saved as a shared mailbox.

*Note any data in Onedrive or other applications for this user will however be lost.

 

3. Export and Import - This is the longest option, but probably the "safest" from a process stand point. (assuming you control the steps properly). When a user is going to leave that is currently licensed, you can use the security and compliance center to export their data for you. You just create a search for that user (mail to and from) and then export it to a PST. Go in and create a shared mailbox, this can be a cloud object or a fresh AD account. Then import that data in. Once you are comfortable with your work, delete the user account, purge the data from deleted items in O365 (to free up the email address), and add their email address to the shared mailbox you created.

 

Personally I did mostly 1 or 2 with my clients based on if they wanted their shared mailboxes to have objects in AD or not. If they did, I would do 1, if they did not and were fine with them being cloud objects (and thus having no reference in AD) I would do 2.

 

Adam

View solution in original post

0 Likes
Reply