SOLVED

The question nobody dares to ask! How do you create a new user in a hybrid environment.

Iron Contributor

Hi, the last couple fo days the question how to create a new user in a hybrid exchange environment is floating around in my head.

 

Most of the time when i create a user i create a onpremise account in active directory sync this over to office 365. The next step i perform is the creation of a mailbox onprem in exchange for the user i have created. When i have done this i migrate the user mailbox to office 365, i assign a license and the user is good to go.

 

Is this the best way to do this? It seems more logical to create a user in AD sync this over to office365 and give them a Exchange online license. so he or she will get a mailbox directly in Office 365.

 

Can anyone give me an explanation what is best practice for creating a new User in a hybrid exchange environment when al the users will be synced to office365.

 

Thanks in advance!

44 Replies

Have you looked at using New-RemoteMailbox or Enable-RemoteMailbox?

Yes i know that will work and it will create only a remote mailbox for a user. But the question is what is the best practice for creating a user with mailbox in a hybrid environment so the mailbox will be in O365 exchange online.

Also not an answer to your question, but a comment. We were advised by our consultants too, to do exactly what you describe. And indeed it is a back and forth between the systems, especially if you do it manually (note I talk here still of experience with dirsync).

We also had cases where admins would create e.g. distribution groups only on EXO. That gave some issues with adding members of only on-premise users (obviously). So from my experience the procedure makes sense, as the hyrbrid setup does not enforce the online setup to sync back entirely (note, still just talking about dirsync).

Additionally I noted that there is a difference attribute wise on the user AD object if you create the user in the AD and then mail enable it, or directly let create the AD user object in Exchange (all on-premise). 

So I ended up making a script that

- creates the AD user object and the mailbox on our Exchange server (Exchange managment shell)

- forces a dirsync run

- assigns a license once the user is visible in O365

- create a move request, once the mail user is visible in EXO (that is different than the msol user object)

 

 

If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).

I would go with Paul here as having used New-RemoteMailbox myself and with the addition of the coming use of Security Groups in Azure to assign licensing you don't have to worry as much about that anymore either. 

It gets easier to understand once you've done the hybrid setup ;) Exchange 2013 CU15 hybrid in my case:

 

Once you've done the hybrid setup, you simply get a new UI option in the exchange admin center (onPrem) under recipients > mailboxes > New Office 365 Mailbox.

Thats it. 

 

So there is no need to go through that many steps as you've described

 

  1. create new Office 365 Mailbox
    1. this of course creates the onPrem AD User with the linked Office 365 mailbox
  2. wait for Azure AD Connect to sync your your AD Users (not sure if this is necessary)
  3. enable Exchange Online License for synced user
  4. done

 

 

This assumes the user doesn't have an IAM process/team that uses some other user management process. In most cases, creating the user through Exchange is not an option at the larger clients and we have to powershell it somewhat through the IAM tool in place.


@Martin Meraner wrote:

 

So I ended up making a script that

- creates the AD user object and the mailbox on our Exchange server (Exchange managment shell)

- forces a dirsync run

- assigns a license once the user is visible in O365

- create a move request, once the mail user is visible in EXO (that is different than the msol user object)

 

 

If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).


I'm not sure your path is correct, but I believe you have to enable the license AFTER the mailbox move. Because when you enable it before, you're pratically provisioning a cloud mailbox additionally to the existing onPrem Mailbox. It could be though that the remote move request to Exchange Online understands this, deprovisions the existing cloud mailbox, moves the onPrem, and enables is it afterwards.

Might not be an issue if the users doesn't technically exist yet, but there might be a small time window where the user could access the cloud mailbox, before his onPrem is properly moved.

If the environment is Hybrid, licensing the user prior to the mailbox move is fine, it will not create a duplicate mailbox.


@Paul Bridges wrote:

This assumes the user doesn't have an IAM process/team that uses some other user management process. In most cases, creating the user through Exchange is not an option at the larger clients and we have to powershell it somewhat through the IAM tool in place.


True, though no powershell was mentioned as a requirement in this case. In any case, (almost) everything the Exchange or AD Consoles can do via GUI is of course sriptable via powershell.

You can even auto apply licenses via Azure AD group memberships, therefore saving you one scripting step and just add a group membership.

You al have some very good answers  but the question still is what is best practice. i have done al the scenarios and they al work. But what is the difference between these to options

 

Create user  and mailbox onprem sync user and migrate ,mailbox to o365 assign license

or

Create user sync user to o365 and assign license.

 

I think the only difference is that when you migrate the mailbox you can migrate it back to onprem when you have a Hybrid. But i am not sure if that is still relevant when you are in Exchange online.


Remember this involves a new user so no legacy mailboxes or anything like that.

@Michael Van Horenbeeck discusses this in detail in the "Office 365 for IT Pros" book, perhaps he can give few more hints. Personally, I prefer New/Enable-RemoteMailbox, it's faster and cleaner. It has some issues, but those are corner cases mostly...

best response confirmed by Jerry Meyer (Iron Contributor)
Solution

The best practice is whatever works for your user management workflows. You can create it either way. In a hybrid you can move mailboxes back and forth whether they were created on-prem or in the cloud.

 

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


@Paul Cunningham wrote:

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it. 

Yup, there is no "best" way, you could aim for "fastest" or what works for your requirements. All road lead to rome in this case :)


@Ivan Unger wrote:

It gets easier to understand once you've done the hybrid setup ;) Exchange 2013 CU15 hybrid in my case:

 

Once you've done the hybrid setup, you simply get a new UI option in the exchange admin center (onPrem) under recipients > mailboxes > New Office 365 Mailbox.

Thats it.

 

 


Thanks a lot! (edit) apparently I was not aware of that option at the time I wrote the script.


@Martin Meraner wrote:

@Paul Cunningham wrote:

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.


For the latter, wouldn't that skip the creation of the AD user for the shared mailbox? Sure one might ask why have it. 


No. Either New-RemoteMailbox, wait, then convert to Shared in the cloud. Or New-Mailbox with -Shared, and then move to the cloud.

 

Either way, there's still a user object in AD.

Its good to see that this question isn't really that stupid :). 

 

What i do is the following, i use create user in onprem and mailbox onprem migrate it to office365 and assign license when the customer is gonna use the hybrid server for Maintanance and administration.

 

When a customer is planning to go all the way to the cloud i use create user sync user assign license. With the assumption the Exchange on-prem environment will be cleaned up.

 

 


@Jerry Meyer wrote:

 

 

When a customer is planning to go all the way to the cloud i use create user sync user assign license. With the assumption the Exchange on-prem environment will be cleaned up.

 

 


Your question (and thread title) are about hybrid deployments, which means directory sync is in place + an on-prem Exchange server. What is this second scenario you're throwing into the mix where Exchange will be "cleaned up"?

 

Keep in mind that with directory sync in place, an on-prem Exchange server is required for managing mail attributes in a supported manner, even without the hybrid configuration.

O i did not know that. I thought that the Serviceaccounts from the AzureADsync are managing the the writeback from Exchangeonline.

 

Its just an idea on how to manage users and mailboxes it is not an real customer case at this moment. We have one customer who wants to clean up there onprem Exchange but thats a different topic i think.

1 best response

Accepted Solutions
best response confirmed by Jerry Meyer (Iron Contributor)
Solution

The best practice is whatever works for your user management workflows. You can create it either way. In a hybrid you can move mailboxes back and forth whether they were created on-prem or in the cloud.

 

One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.

View solution in original post