This blog post describes the process to create a new user in Active Directory on-premises when email is held in Office 365 and DirSync is in use. With DirSync in use the editable copy of the user object is on-premises and most attributes cannot be modified in the cloud.
Creating the User
- Open Active Directory Users and Computers on a Windows 2008 R2 or later server. Ensure that Advanced Features is enabled (View > Advanced Features)
- Note that if you do not have 2008 R2 or later then use ADSI Edit to make the changes mentioned below that are made on the Attribute Editor tab in Active Directory Users and Computers 2008 R2 or later.
- Create an Active Directory user as you normally would. Do not complete any Exchange server properties if you are requested to do so. Completing Exchange on-premises will make a mailbox on premises that will then need to be migrated to Exchange Online. This document describes creating the mailbox online.
- Ensure that the user’s email address on the General tab of the AD properties is correct.
- Ensure that the users login name on the Account tab is as follows:
- User Logon Name: The first part of their email address
- The Domain name drop-down: The second part of their email address (not the AD domain name if they are different)
- User Logon Name (Pre Windows 2000): DOMAIN as provided and use the first part of the email address (i.e. first.last etc). If first part of email is too long enter as much as you can and ensure it is unique within domain)
Setting the Email Address Properties
- On the Attribute Editor tab ensure that Filter > Show only attributes that have values is not selected. Then find and enter the following information:
- proxyAddresses: SMTP:primary.email@domain for this user – SMTP needs to be in capitals. Then add additional email addresses as required, but these start with smtp: in lower case.
- targetAddress: SMTP:email@example.com
- Note that both these addresses need to be unique within your directory – Attribute Editor will not check them for uniqueness but they will fail to replicate to Azure with DirSync if they are not unique.
- Click OK and close the account creation dialog.
- Within three hours this object will sync to Windows Azure Active Directory.
- This can be speeded up by logging into the DirSync server and starting PowerShell
- Type “Import-Module DirSync” in PowerShell
- Type “Start-OnlineCoexistenceSync” in PowerShell – DirSync will replicate now rather than waiting up to three hours.
- Check that the DirSync process was successful – if you have entered values that are not unique then DirSync will fail to replicate them and you will need to fix them on-premises and replicate them again.
- Licence the user in Office 365 by logging into https://portal.office.com and granting a licence to this user that contains an Exchange Online licence. The mailbox will be created automatically shortly after this.
The following are a list of attributes to change in ADSI Edit or the Attribute Editor tab to modify other attributes as required:
- msExchRemoteRecipientType – 1 for mailbox, 2 for archive only and 3 for new mailbox and new archive, 4 for migrated mailbox and 6 for migrated mailbox and new archive. This value is set to 20 to remove a remote archive (see below). This value will change as the mailbox and archive are provisioned and written back via AADConnect
- msExchHideFromAddressLists – Set to TRUE to hide from address lists
- msExchRecipientTypeDetails – Set to 1 for an on-premises mailbox and 2147483648 for a RemoteUserMailbox (and there are other values for this attribute as well).
- msExchRecipientDisplayType – Set to 6 for a remote mail user and -1073741818 for an ACLableSyncedMailboxUser, 7 for room mailbox and 8 for an equipment mailbox, and 0 for a mailbox. A mostly comprehensive list of these is at Every last msExchRecipientDisplayType and msExchRecipientTypeDetails value – Undocumented Features (undocumented-features.com)
- msExchArchiveName – set to “In-Place Archive – Name” to provision a cloud archive. You need to have Exchange Hybrid writeback correctly enabled and working so that the proper attributes are written back
- msExchArchiveGUID – when creating an archive mailbox, generate a new GUID and write it into the attribute in Octet format (hex, with a space between each Hex pair).
- msExchArchiveStatus – this will be written back to AD by Exchange Online as the online archive is created. You do not set this value, but expect it to appear and change over the next few hours (licence dependent). 1 means archive is active.
To remove the Online Archive
- Set msExchArchiveStatus to null
- Move the Archive GUID to msExchDisabledArchiveGUID
- Set msExchArchiveName to an empty string.
- To ensure the remote archive is removed in the cloud (which will result in data loss), also set msExchRemoteRecipientType to 20.
The above attributes are not the full and exclusive list of attributes and values that you need to set. For example, in Jan 2018 Microsoft published support for delegate access permissions across forest in a hybrid deployment – this uses values that are mentioned in the full list link in the paragraph above but are not set here.
This document should only be used as a reference and not to create or maintain mailboxes for AD accounts that are synced to the cloud – for that you need to have an Exchange Server as that is the only supported way to maintain your Exchange Online attributes. At Microsoft Ignite in 2017, it was announced that cloud management for synced accounts is coming – until that time you are best advised to have the Exchange Server for its admin tools only installed on-premises as well.