Aug 06 2020 12:42 PM
We are trying to set up a self-service password reset for our users residing in on-premises AD but we do not have Exchange Online. Is it even possible for us to set up SSPR with Azure AD Connect without involving Exchange at all?
Aug 06 2020 03:08 PM Solution
Hi, Exchange is not relevant to SSPR. As long as you are syncing your on-premises AD to Azure AD with Azure AD Connect, and you have licences as per https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing then you should be good to go with this feature.
Aug 06 2020 03:21 PM
Yes, it is possible. If you want your on-prem users to be able to reset their passwords via the SSPR (i.e. Office 365 synchronises back to the on-prem AD) then you will need an Azure P1 licence for that user.
The SSPR included in the Free version of Azure AD does not write back to on-prem, it only changes the password in 365 - the next time Azure AD synchronises, that password is changed back to the AD password.
It is my understanding that Exchange Online is not a prerequisite for this. You may have seen this already, but this goes into a bit more detail about the functionality.
Hope this helps,
Aug 06 2020 05:01 PM
Thanks for the reply! @HidMov Here is the situation: we do have P1 licenses for users, but when I verify our custom domain in Azure from, let's say, xyz.onmicrosoft.com to xyz.com so that users can log in with their current email addresses, this poses an issue: Microsoft Teams stops treating "xyz.com" as an external address and will not allow an invite to be sent for the meeting. Is there a workaround for this, so that Office 365 does not treat xyz.com as internal? Any help will be greatly appreciated!!
Aug 06 2020 11:59 PM
Hi, if you add your xyz.com domain into your M365 tenant, which it seems you have, then this is going to be considered as an internal / accepted domain within your environment. I am curious to understand why you would wish it to be considered external?
Aug 07 2020 08:07 AM
Hi @PeterRising, let me try to explain without confusing you. Since we do not have Exchange Online and do not wish to involve our current on-prem Exchange in any of the Office 365 services, we want our users to still use Microsoft Teams for video conferencing purposes. Only a handful of employees are currently using the Teams app and would like other employees within the organization to be invited to meetings. Now, currently users using the Teams app have an "xyz.onmicrosoft.com" email and password set up by Office 365, but if I add my custom domain "xyz.com" for SSPR then it poses two issues. In order to send the invite out to internal employees, Teams cannot see "xyz.com" as external to have the "Invite" option available. Teams searches for email addresses for, let's say, email@example.com and firstname.lastname@example.org in its own address book, which is not there because Exchange Online is not integrated. If I do sync email@example.com and firstname.lastname@example.org from our on-prem AD then Teams is not able to send an email invite to those above users since they do not have emails set up with Exchange Online. If we do add an email for email@example.com in Azure AD then it poses another issue with email structure, because now we have two emails for the same user - firstname.lastname@example.org created by Exchange Online and their own on-prem email@example.com - which makes it more confusing which one to use.
I might be clearly overcomplicating the way to implement this, but any idea or a workaround will be greatly appreciated!! Thank you!!
Aug 07 2020 03:14 PM
OK, I see where you are coming from. My suggestion to you here would be to configure Hybrid Coexistence between your on-premises Exchange and Exchange Online. This way, you can add your custom domain into O365 and still use Teams with full functionality with your on-premises mailboxes.
Check this out for further guidance on the subject - https://techcommunity.microsoft.com/t5/microsoft-teams-community-blog/microsoft-teams-and-on-premise...
Also, take a look at this - https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact
What version of on-premises Exchange are you running please?