This blog post describes the process to create a new user in Active Directory on-premises when email is held in Office 365 and DirSync is in use. With DirSync in use the editable copy of the user object is on-premises and most attributes cannot be modified in the cloud.
Creating the User
- Open Active Directory Users and Computers on a Windows 2008 R2 or later server. Ensure that Advanced Features is enabled (View > Advanced Features).
- If you do not have 2008 R2 or later, use ADSI Edit to make the changes described below that refer to the Attribute Editor tab in Active Directory Users and Computers.
- Create an Active Directory user as you normally would. Do not complete any Exchange server properties if you are prompted to do so: completing the Exchange on-premises properties will create a mailbox on-premises that would then need to be migrated to Exchange Online. This document describes creating the mailbox online.
- Ensure that the user’s email address on the General tab of the AD properties is correct.
- Ensure that the user’s logon name on the Account tab is as follows:
- User Logon Name: the first part of their email address (the part before the @).
- The Domain name drop-down: the second part of their email address (the part after the @), not the AD domain name if the two differ.
- User Logon Name (Pre Windows 2000): the DOMAIN as provided, with the first part of the email address as the name (e.g. first.last). If the first part of the email address is too long, enter as much of it as fits and ensure it is unique within the domain.
Setting the Email Address Properties
- On the Attribute Editor tab, ensure that Filter > Show only attributes that have values is not selected. Then find the following attributes and enter the values:
- proxyAddresses: SMTP:primary.email@domain for this user; SMTP must be in capitals. Then add additional email addresses as required; these start with smtp: in lower case.
- targetAddress: SMTP:email@example.com
- Note that both of these addresses need to be unique within your directory. Attribute Editor will not check them for uniqueness, but if they are not unique they will fail to replicate to Azure with DirSync.
- Click OK and close the account creation dialog.
- Within three hours this object will sync to Windows Azure Active Directory.
- This can be sped up by logging in to the DirSync server and starting PowerShell:
- Type “Import-Module DirSync” in PowerShell.
- Type “Start-OnlineCoexistenceSync” in PowerShell; DirSync will replicate now rather than waiting up to three hours.
- Check that the DirSync process was successful. If you have entered values that are not unique, DirSync will fail to replicate them and you will need to fix them on-premises and replicate again.
- Licence the user in Office 365 by logging into https://portal.office.com and granting a licence to this user that contains an Exchange Online licence. The mailbox will be created automatically shortly after this.
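The account-creation steps above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module (RSAT) and adds the uniqueness check that Attribute Editor does not perform; the function names, parameters and all domain and OU values are placeholders chosen here.

```powershell
Import-Module ActiveDirectory

# Return $true when no object in the directory already carries this address in
# proxyAddresses, targetAddress, mail or userPrincipalName. DirSync rejects
# duplicates, so catch them before the object is created rather than after a sync.
function Test-MailAddressUnique {
    param([Parameter(Mandatory)][string]$Address)
    # Escape the characters that are special in an LDAP filter (RFC 4515).
    $a = $Address -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    # String attributes match case-insensitively, so one clause covers SMTP: and smtp:.
    $filter = "(|(proxyAddresses=smtp:$a)(targetAddress=smtp:$a)(mail=$a)(userPrincipalName=$a))"
    return @(Get-ADObject -LDAPFilter $filter).Count -eq 0
}

# Create the user with UPN = primary email, mail attribute, proxyAddresses and targetAddress.
function New-CloudMailboxUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$PrimaryEmail,    # becomes the UPN and the SMTP: entry
        [Parameter(Mandatory)][string]$TargetAddress,   # written as targetAddress = SMTP:<value>
        [string[]]$SecondaryEmails = @(),               # written as lower-case smtp: entries
        [Parameter(Mandatory)][string]$Path,            # distinguished name of the target OU
        [Parameter(Mandatory)][securestring]$Password
    )
    foreach ($addr in @($PrimaryEmail, $TargetAddress) + $SecondaryEmails) {
        if (-not (Test-MailAddressUnique $addr)) { throw "Address already in use in AD: $addr" }
    }
    $local = $PrimaryEmail.Split('@')[0]
    # The pre-Windows 2000 logon name is limited to 20 characters; truncate as the post
    # advises, and stop if the truncated name is already taken instead of clashing.
    $sam = $local.Substring(0, [Math]::Min(20, $local.Length))
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$sam)") { throw "sAMAccountName not unique: $sam" }
    $proxy = @("SMTP:$PrimaryEmail") + ($SecondaryEmails | ForEach-Object { "smtp:$_" })
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName $PrimaryEmail -EmailAddress $PrimaryEmail `
        -Path $Path -AccountPassword $Password -Enabled $true `
        -OtherAttributes @{ proxyAddresses = $proxy; targetAddress = "SMTP:$TargetAddress" }
}

# Example call with placeholder values:
# New-CloudMailboxUser -GivenName Jane -Surname Doe -PrimaryEmail jane.doe@example.com `
#     -TargetAddress jane.doe@example.com -Path 'OU=Users,DC=example,DC=com' `
#     -Password (Read-Host -AsSecureString 'Initial password')
```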
The following attributes can be changed in ADSI Edit or on the Attribute Editor tab to modify other settings as required:
- msExchRemoteRecipientType – 1 for mailbox, 2 for archive only, 3 for new mailbox and new archive, 4 for migrated mailbox and 6 for migrated mailbox and new archive. Set this to 20 to remove a remote archive (see below). This value will change as the mailbox and archive are provisioned and written back via AADConnect.
- msExchHideFromAddressLists – Set to TRUE to hide from address lists
- msExchRecipientTypeDetails – Set to 1 for an on-premises mailbox and 2147483648 for a RemoteUserMailbox (and there are other values for this attribute as well).
- msExchRecipientDisplayType – Set to 6 for a remote mail user, -1073741818 for an ACLableSyncedMailboxUser, 7 for a room mailbox, 8 for an equipment mailbox, and 0 for a mailbox. A mostly comprehensive list of these is in “Every last msExchRecipientDisplayType and msExchRecipientTypeDetails value” on Undocumented Features (undocumented-features.com).
- msExchArchiveName – set to “In-Place Archive – Name” to provision a cloud archive. Exchange Hybrid writeback must be correctly enabled and working so that the proper attributes are written back.
- msExchArchiveGUID – when creating an archive mailbox, generate a new GUID and write it into the attribute in octet format (hex, with a space between each hex pair).
- msExchArchiveStatus – this will be written back to AD by Exchange Online as the online archive is created. You do not set this value, but expect it to appear and change over the next few hours (licence dependent). 1 means archive is active.
To remove the Online Archive
- Set msExchArchiveStatus to null
- Move the Archive GUID to msExchDisabledArchiveGUID
- Set msExchArchiveName to an empty string.
- To ensure the remote archive is removed in the cloud (which will result in data loss), also set msExchRemoteRecipientType to 20.
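The archive steps above (the octet-format GUID for msExchArchiveGUID and the four removal steps), as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module, assumes the user already exists and is synced, and treats the msExchRemoteRecipientType values in the list as combinable flags (1 + 2 = 3, 4 + 2 = 6, which is not stated on the page); Enable-RemoteArchive and Disable-RemoteArchive are names chosen here.

```powershell
Import-Module ActiveDirectory

# Provision a cloud archive: new GUID in msExchArchiveGUID, archive name, and the
# remote recipient type raised to include the archive. AD stores the GUID as an octet
# string, i.e. the 16 bytes from Guid.ToByteArray(); Attribute Editor shows those bytes
# as space-separated hex pairs (note the first three groups appear byte-reversed
# compared with the GUID's usual text form).
function Enable-RemoteArchive {
    param([Parameter(Mandatory)][string]$Identity, [string]$ArchiveLabel)
    $user = Get-ADUser $Identity -Properties msExchArchiveGUID, msExchRemoteRecipientType
    if ($user.msExchArchiveGUID) { throw "$Identity already has an msExchArchiveGUID" }
    $guid  = [guid]::NewGuid()
    $label = if ($ArchiveLabel) { $ArchiveLabel } else { $user.Name }
    # 1 (mailbox) becomes 3, 4 (migrated) becomes 6, no value becomes 2 (archive only).
    $type = [int]$user.msExchRemoteRecipientType -bor 2
    Set-ADUser $Identity -Replace @{
        msExchArchiveGUID         = $guid.ToByteArray()
        msExchArchiveName         = "In-Place Archive - $label"   # name form from the post
        msExchRemoteRecipientType = $type
    }
    # Return the octet form exactly as Attribute Editor displays it, for verification.
    return ($guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# Remove the online archive: clear status and name, move the GUID to
# msExchDisabledArchiveGUID and set msExchRemoteRecipientType to 20 so the archive is
# deprovisioned in the cloud. As the post warns, this deletes the archive data.
function Disable-RemoteArchive {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser $Identity -Properties msExchArchiveGUID
    if (-not $user.msExchArchiveGUID) { throw "$Identity has no msExchArchiveGUID to move" }
    # AD cannot hold a zero-length string, so "set to an empty string" means clearing it.
    Set-ADUser $Identity -Replace @{
        msExchDisabledArchiveGUID = [byte[]]$user.msExchArchiveGUID
        msExchRemoteRecipientType = 20
    } -Clear msExchArchiveGUID, msExchArchiveStatus, msExchArchiveName
}

# Example calls with placeholder identities:
# Enable-RemoteArchive -Identity jane.doe            # prints e.g. "1A 2B ... " (16 pairs)
# Disable-RemoteArchive -Identity jane.doe
```

msExchArchiveStatus is written back by Exchange Online once the archive exists, so after Enable-RemoteArchive expect it to appear on its own rather than setting it.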
The above attributes are not the full and exclusive list of attributes and values that you need to set. For example, in Jan 2018 Microsoft published support for delegate access permissions across forests in a hybrid deployment; this uses values that are mentioned in the full list linked in the paragraph above but are not set here.
This document should only be used as a reference and not to create or maintain mailboxes for AD accounts that are synced to the cloud – for that you need to have an Exchange Server as that is the only supported way to maintain your Exchange Online attributes. At Microsoft Ignite in 2017, it was announced that cloud management for synced accounts is coming – until that time you are best advised to have the Exchange Server for its admin tools only installed on-premises as well.
Brian, thanks for this. I may have found the missing piece of the puzzle because of your short instructions. We have no on-site exchange server. I have been doing what you do when creating new AD users on-site and tying them to a mailbox in the cloud since we switched over several months ago (DirSync with password sync), and I SWEAR just recently something broke and primary SMTP isn’t being populated automatically.
Another useful attribute to set is “msExchRemoteRecipientType” to value “3”… This will automatically create an archive mailbox for the user.
Hi Brian, when I set the msExchHideFromAddressLists to TRUE this attribute is not synchronized. What is the reason?
Did you have the Exchange schema changes applied to your forest before you installed DirSync? DirSync will only sync the attributes you choose (AADSync) or those that it knows about at time of install.
The schema had been changed prior to synchronization but it seems that MSEXCH… attributes are not propagated to O365.
In the connectors, the attributes to export are selected.
To hide a user in the address list when you have not got Exchange tools installed you need to set msExchHideFromAddressLists to TRUE. You also might need to clear ShowInAddressBook if this contains a value. Using the Exchange Tools and -HideFromAddressListsEnabled $false will wipe the second of these if it contains a value.
I set the attribute msExchHideFromAddressLists to true and ShowInAddressBook is not set.
I am synchronizing with Synchronization Service Manager
Which sync software are you using? I strongly recommend installing an Exchange Server for admin purposes if you leave DirSync enabled (regardless of the fact this blog helps you work around that for some objects and attributes).
Brian, question for you: if we have standard AD (no Exchange instances in our past) with O365 and Azure AD Sync turned on… what is the quickest, safest route to enabling those ‘missing attributes’ like msExchHideFromAddressLists? Would we need to extend our AD Schema as well as re-installing AADSync?
You need to extend the schema, as the master (writable) copy of AD is the on-premises copy and not the copy in Azure AD, so you cannot make the changes in Azure AD. Once that is done you can refresh the schema in AADConnect (note that this is AADConnect, and I am not sure if this is possible in AADSync – but you should be running AADConnect now and not the previous versions of the software, AADSync and DirSync).
Why do you need the “missing” attributes if you have no on-premise Exchange or have removed the last on-premise Exchange server?
Surely the management of address lists, visibility etc. is done through the Office 365 Admin portals. I fully appreciate the proxyAddresses attribute needs setting as that cannot currently be done in Office 365.
You need the missing attributes as they are still mastered on-premises if you use AADConnect to sync to the cloud. Changes to this were mentioned at Ignite this year (The Thrive with Exchange Online session) but this is not the case at the moment. If you sync users from AD, you need to edit the user in AD.
Hi, is the process described in the article still relevant in mid-2017? We just migrated over 600 users to Office 365 and I am wondering what is the best process to provision users when using the Hybrid Config & DirSync, and what is the process when only using DirSync? Our plan is to disable the hybrid config in the coming weeks, hence the questions.
Well hopefully given it is mid-2017 you are not using DirSync but AADConnect to do your sync. Otherwise at this time your AD objects are mastered in AD and so you need to keep the hybrid server around as a management server unless you stop syncing users from AD (and then have separate user accounts to login with – so not recommending that)
Hey Brian. I am wondering if you know where the attribute is in AD to change a user’s alias. We were doing a name change and everything is synced with the new name except the alias.
A unique issue where on-prem users’ external mail ID is shown as “*@onmicrosoft.com” instead of “*@domain.com”, and being in a Hybrid setup I can’t change it. All these users on-prem now can’t receive emails sent by O365 users and receive NDR 5.4.1. Now if I make any change to the AD attributes of on-prem users they start facing this issue.
I’ll assume you have an Exchange Server on-premises and that you are making your changes in a supported manner, then the Email Address Policy in Exchange Server controls this. If on the other hand you are editing attributes by hand, that is not supported and this is the sort of problem you can end up with. Ensure that proxyAddresses is set properly, that is one SMTP: address and that this matches the mail attribute as well. Ensure all other attributes for a hybrid environment are also correct.