Change The Source Authority from Azure AD to Local Active Directory

September 28, 2016 | New Signature

In the scenario presented here, we need to transfer the source of authority for a user account that was created with the Office 365 management tools (a cloud-only account) to the local Active Directory.
We transfer the source of authority so that the account can be managed in on-premises Active Directory and kept in sync through the directory synchronization provided by Azure AD Connect.

Change the source of authority from Azure AD to local Active Directory using an on-premises Exchange Server

Current Settings

Initially, we have configured:

• Office 365 accounts/mailboxes are already provisioned in Office 365/Exchange Online.
• User IDs and passwords are set up in Office 365.
• Local Active Directory has all account objects.
• There is no AD Connect server installed locally.
• There is no Exchange Server installed locally.

We need to link the Office 365 accounts back to the on-premises Active Directory accounts.
Passwords need to be synchronized from on-premises Active Directory to Office 365 (password hash synchronization), so that the on-premises password becomes the one users log in with.
In this configuration we install a local Exchange Server, because it is the only Microsoft-supported way to manage Exchange recipient attributes (proxy addresses, mailbox type, GAL visibility) for accounts that are synchronized from on-premises Active Directory; Azure AD Connect only copies attributes and provides no recipient management tools of its own.
We will use the local AD account second@9tech.ca to sync to the already provisioned user\mailbox in Office 365 whose primary SMTP address is second@9tech.ca.

 

The following steps are necessary to change the source of authority from Azure AD to local Active Directory with an on-premises Exchange Server installed.

1. Download Exchange Server 2016 from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=52968
2. Extend the Active Directory schema and install Exchange 2016 on-premises. Use the following link to obtain the free hybrid product key from Microsoft (it licenses a server used for recipient management and hybrid mail flow, not for hosting mailboxes):
http://aka.ms/hybridkey

3. After installing Exchange Server, run the following command so that the on-premises server does not publish an Autodiscover service connection point (SCP) in AD. Domain-joined Outlook clients query the SCP first; with the value cleared they fall back to DNS-based Autodiscover and reach Exchange Online, where the mailboxes actually live. Replace "server" with the name of the Exchange server.
Set-ClientAccessService -Identity server -AutoDiscoverServiceInternalUri $null

4. To be able to provision new Office 365 mailboxes from the on-premises EAC, run the following commands to configure the tenant's routing domain as a remote domain and as the target delivery domain:

New-RemoteDomain -Name "9tech1.mail.onmicrosoft.com" -DomainName "9tech1.mail.onmicrosoft.com"
Set-RemoteDomain -Identity "9tech1.mail.onmicrosoft.com" -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -TNEFEnabled $true

5. Use the following two commands to export user attributes from Azure AD (MSOnline PowerShell, after Connect-MsolService) and from Exchange Online (remote PowerShell) to two CSV files. Get-MsolUser returns only the first 500 users unless -All is given, and Get-Mailbox only the first 1000 unless -ResultSize Unlimited is given, so both switches are included here.

Get-MsolUser -All | Select DisplayName,UserPrincipalName,City,Country,Department,Fax,FirstName,LastName,MobilePhone,Office,PhoneNumber,PostalCode,@{Name='ProxyAddresses';Expression={[string]::Join(";",($_.ProxyAddresses))}},State,StreetAddress,Title | Export-Csv c:\reports\MSOL-Users.csv -NoTypeInformation

Get-Mailbox -ResultSize Unlimited | Select DisplayName,UserPrincipalName,@{Name="EmailAddresses";Expression={[string]::Join(";",($_.EmailAddresses | Where-Object {$_ -like "SMTP:*"}))}},EmailAddressPolicyEnabled,PrimarySmtpAddress,WindowsEmailAddress,ForwardingSmtpAddress,ForwardingAddress | Export-Csv c:\reports\Exchange-Online-Users.csv -NoTypeInformation

Both multi-valued address properties are joined into a single ";"-separated string, because Export-Csv writes only the collection's type name for an array-valued property rather than the addresses themselves. If more attributes are in use, extend the Select lists above to include them. The list of attributes synchronized by Azure AD Connect can be found here:
https://msdn.microsoft.com/en-us/library/azure/dn194133(v=azure.98).aspx
6. Edit both files to populate blank fields with the missing data (telephone number, address, etc.).

7. Run the following command on the on-premises Exchange Server to mail-enable the existing AD account as a remote mailbox, using the primary SMTP address from the MSOL-Users.csv export. The remote routing address is the user's address in the tenant's mail.onmicrosoft.com domain, and the primary SMTP domain must be an accepted domain on the on-premises server.
Enable-RemoteMailbox -Identity "second@9tech.ca" -RemoteRoutingAddress "second@9tech1.mail.onmicrosoft.com" -PrimarySmtpAddress second@9tech.ca

8. Run the following command on the on-premises Exchange Server to assign the additional email addresses from the Exchange-Online-Users.csv export to the remote mailbox created in the previous step. The additive @{Add=...} syntax keeps the primary SMTP address and the remote routing address already on the object; passing a plain list to -EmailAddresses replaces the whole collection. Email address policy is disabled so that the on-premises policy does not rewrite the addresses copied from the cloud.

Set-RemoteMailbox -Identity "second@9tech.ca" -EmailAddressPolicyEnabled $false -EmailAddresses @{Add="smtp:secondd@9tech.ca","smtp:seconddd@9tech.ca"}

9. Run the following command on the on-premises Exchange Server to copy the remaining directory attributes from the MSOL-Users.csv export to the local AD account. Note that Set-User names some parameters differently from the Get-MsolUser columns: State is -StateOrProvince, Country is -CountryOrRegion and PhoneNumber is -Phone.

Set-User -Identity "second@9tech.ca" -DisplayName "Second Test" -UserPrincipalName "second@9tech.ca" -City "Atlanta" -CountryOrRegion "United States" -Department "Information Services" -Fax "" -FirstName "Second" -LastName "Test" -MobilePhone "" -Office "Midtown" -Phone "+1 (404) 326-0000" -PostalCode "30000" -StateOrProvince "GA" -StreetAddress "1100 Baif Street, Suite 1000" -Title "Senior Helpdesk Support Technician"

10. Install Azure AD Connect with password hash synchronization enabled and use OU filtering to scope it to a single OU. Move the prepared user account into that OU so that only it is synchronized in the first run.
11. Notify users that their Office 365 password is going to change and that the new password is the same as their internal AD password.
12. Perform an AD Connect sync.
13. Check that the user's status has changed from "In Cloud" to "Synced with Active Directory".
14. Check that the user can log in to Exchange Online with the internal Active Directory password.

After those steps, the attributes of the specified users have been copied from Office 365 back into on-premises Active Directory, their password hashes are uploaded from local Active Directory, and all mailbox attributes are managed locally from the Exchange Server and flow to Office 365 through AD Connect.
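As an added example (not code from the original post), the following script runs steps 7 to 9 for every row of the MSOL-Users.csv export instead of one hand-typed command per user, and adds the checks a practitioner wants before touching production: the on-premises account must exist with the expected UPN, the exported proxy list must contain exactly one upper-case SMTP: primary, and empty CSV cells must not blank out attributes already set in AD. It is meant to run in the on-premises Exchange Management Shell with the ActiveDirectory module available. The CSV path, the routing domain 9tech1.mail.onmicrosoft.com and the -DryRun switch are assumptions of this example, not values from the article.

```powershell
# Added example, not code from the original post. Runs in the on-premises
# Exchange Management Shell (Enable-RemoteMailbox, Set-RemoteMailbox, Set-User)
# with the ActiveDirectory module installed.
# Assumed (not from the original): the CSV path, the routing domain, -DryRun.
param(
    [string]$MsolCsv       = 'C:\reports\MSOL-Users.csv',
    [string]$RoutingDomain = '9tech1.mail.onmicrosoft.com',
    [switch]$DryRun
)

Import-Module ActiveDirectory

foreach ($u in (Import-Csv -Path $MsolCsv)) {
    $upn = $u.UserPrincipalName

    # The on-premises account must exist with the same UPN as the cloud user,
    # otherwise AD Connect will not soft-match it to the existing cloud object.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
    if (-not $adUser) { Write-Warning "$upn : no on-premises account, skipping"; continue }

    # ProxyAddresses was exported as one ';'-joined string. Keep only SMTP
    # entries (-match is case-insensitive, so both SMTP: and smtp: pass).
    $proxies = @($u.ProxyAddresses -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^smtp:' })

    # Exactly one upper-case SMTP: entry is the primary (-cmatch is case-sensitive).
    $primaryEntries = @($proxies | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaryEntries.Count -ne 1) {
        Write-Warning "$upn : expected one SMTP: primary, found $($primaryEntries.Count); fix the CSV first"
        continue
    }
    $primary = $primaryEntries[0].Substring(5)
    $aliases = @($proxies | Where-Object { $_ -cmatch '^smtp:' })

    # Remote routing address: same local part in the tenant's routing domain.
    $routing = ($primary -split '@')[0] + '@' + $RoutingDomain

    # Set-User parameter names differ from the Get-MsolUser column names.
    $attrs = @{
        DisplayName = $u.DisplayName; FirstName = $u.FirstName; LastName = $u.LastName
        City = $u.City; StateOrProvince = $u.State; CountryOrRegion = $u.Country
        PostalCode = $u.PostalCode; StreetAddress = $u.StreetAddress
        Department = $u.Department; Office = $u.Office; Title = $u.Title
        Phone = $u.PhoneNumber; MobilePhone = $u.MobilePhone; Fax = $u.Fax
    }
    # Drop empty cells so an incomplete export does not wipe values already in AD.
    foreach ($k in @($attrs.Keys)) {
        if ([string]::IsNullOrWhiteSpace($attrs[$k])) { $attrs.Remove($k) }
    }

    if ($DryRun) {
        $msg = "{0}: primary {1}, routing {2}, {3} alias(es), {4} attribute(s)" -f $upn, $primary, $routing, $aliases.Count, $attrs.Count
        Write-Host $msg
        continue
    }

    # Step 7: mail-enable the AD user as a remote mailbox.
    Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress $routing -PrimarySmtpAddress $primary | Out-Null

    # Step 8: add aliases additively so the primary and routing address survive.
    if ($aliases.Count -gt 0) {
        Set-RemoteMailbox -Identity $upn -EmailAddressPolicyEnabled $false -EmailAddresses @{Add = $aliases}
    }

    # Step 9: copy the remaining directory attributes.
    Set-User -Identity $upn @attrs
    Write-Host "$upn prepared for AD Connect"
}
```

Run it once with -DryRun and read the warnings before running it for real; a row that is skipped for a missing account or a malformed primary is exactly the account that would otherwise end up as a duplicate or unmatched object after the first AD Connect sync.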

 

The next section outlines the scenario in which no on-premises Exchange Server is present.
This scenario is not supported by Microsoft.
See the following blog post for more details: https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/

Change the source of authority from Azure AD to on-premises Active Directory without on-premises Exchange Server installed

Current Settings

Initially, we have configured:
• Office 365 accounts/mailboxes are already provisioned in Office 365/Exchange Online.
• User IDs and passwords are set up in Office 365.
• Local Active Directory has all account objects.
• There is no AD Connect server installed locally, and there is no sync from on-premises to Office 365.
• There is no Exchange Server installed locally.

 

We need to:

• Link Office 365 accounts back to on-premises Active Directory accounts.
• Synchronize passwords from on-premises Active Directory to Office 365.
• Manage all mailbox properties locally and propagate them to Office 365 using AD Connect.

Two conditions had to be met first in our example, because AD Connect soft-matches an existing cloud object to an on-premises object by its UPN or primary SMTP address:

• The local AD account and UPN were set to first@9tech.ca
• The Exchange Online primary SMTP address (first@9tech.ca) matches the local UPN (first@9tech.ca)
Here is the view from Office 365. Account "First" is an "In Cloud" account, as you can see in the figure.

[Figure: Office 365 admin center, user "First" with status "In Cloud"]

Use Active Directory Users and Computers and make sure that the E-mail field in the account's properties (the mail attribute) is populated with the primary SMTP address.

 

Install AD Connect and run a sync

At this step we install AD Connect and enable OU filtering for the OU in which our test account is located.
After the AD Connect sync to Office 365, the account (first@9tech.ca) is converted from "In Cloud" to "Synced with Active Directory",
as you can see in the following picture.

The source of authority for the object has been moved from Azure AD to the local on-premises Active Directory.
The following table showed how the object's attributes in Office 365 changed after the sync; fields in green were overwritten by the on-premises values.

[Table: attribute values in Office 365 before and after the sync; not reproduced in this copy]

Note that the additional proxy address (resume@9tech.ca) in Exchange Online was deleted during the sync: once the on-premises object is authoritative, its proxyAddresses attribute replaces the cloud value, and any alias that exists only in the cloud is lost.
The following table showed the sync behavior for attributes that are synced from on-premises to Office 365.

[Table: on-premises attribute to Office 365 attribute mapping; not reproduced in this copy]

We can manually copy all basic attributes (title, phone, street, etc.) from Azure AD/Exchange Online to local Active Directory
using Active Directory Users and Computers.
After we populate the necessary fields, AD Connect propagates those attribute values to Azure AD/Exchange Online.

How to fix the additional Exchange Online proxy email address?

It is more difficult with additional email addresses because Active Directory Users and Computers has no field for the proxyAddresses attribute (it is visible only in the Attribute Editor tab or through PowerShell).
After the initial sync, the additional proxy email addresses were deleted from Office 365.

[Figure: Exchange Online mailbox email addresses after the sync, only first@9tech.ca remaining]

We can try to add the missing resume@9tech.ca address back to the mailbox in Exchange Online,
but when we press Save we are presented with an error telling us that the property must be changed on the on-premises object in AD rather than in Office 365.

[Figure: Exchange Online error when editing a synchronized mailbox]

We can use the native Active Directory PowerShell module to check the attributes of the object in local AD.
Get-ADUser -Identity first -Properties mail,ProxyAddresses | fl DisplayName,mail,ProxyAddresses

[Figure: Get-ADUser output showing DisplayName, mail and ProxyAddresses before the fix]

 

We can add resume@9tech.ca to the local AD account with the following Active Directory PowerShell command. The upper-case SMTP: entry marks the primary address and must appear exactly once; aliases use lower-case smtp:. -Add appends to the multi-valued attribute, so a value that is already present in proxyAddresses must be left out or the command fails because the value already exists.
Set-ADUser -Identity first -Add @{ProxyAddresses="SMTP:first@9tech.ca","smtp:resume@9tech.ca"}

[Figure: Get-ADUser output with both proxy addresses present]

 

After we sync local Active Directory to Azure AD, the new proxy email address is added to the Exchange Online mailbox.

[Figure: Exchange Online mailbox showing resume@9tech.ca restored]

After this step the existing user is fully functional in Office 365: all attributes are copied from local AD to Office 365 and local Active Directory passwords are propagated to Office 365.
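Both procedures on this page end with "check that the status changed from In Cloud to Synced with Active Directory". As an added example (not code from the original post), the function below verifies that from the directory data rather than from the admin center label: AD Connect writes the base64 encoding of the on-premises objectGUID into the cloud object's ImmutableId, so recomputing that value and comparing it proves which AD object now anchors the cloud account, and listing the aliases that exist only in Azure AD shows what the next sync will remove. It requires the MSOnline module (run Connect-MsolService first) and the ActiveDirectory module; the two UPNs at the bottom are the article's test accounts used as sample input.

```powershell
# Added example, not code from the original post. Needs the MSOnline module
# (Connect-MsolService first) and the ActiveDirectory module. The UPN list at
# the bottom is sample input.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-SourceOfAuthority {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $cloud  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $onprem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties mail, proxyAddresses

    # AD Connect stores base64(objectGUID) of the on-premises object as the
    # cloud ImmutableId (the sourceAnchor). A match proves the link.
    $expectedId = if ($onprem) { [Convert]::ToBase64String($onprem.ObjectGUID.ToByteArray()) } else { $null }

    # SMTP aliases present only in the cloud are removed at the next sync,
    # because the on-premises proxyAddresses value is now authoritative.
    $cloudOnly = @()
    if ($onprem) {
        $cloudOnly = @($cloud.ProxyAddresses | Where-Object {
            $_ -match '^smtp:' -and -not ($onprem.proxyAddresses -contains $_)
        })
    }

    [pscustomobject]@{
        UPN              = $UserPrincipalName
        Status           = if ($cloud.LastDirSyncTime) { 'Synced with Active Directory' } else { 'In Cloud' }
        LastDirSyncTime  = $cloud.LastDirSyncTime
        ImmutableId      = $cloud.ImmutableId
        ImmutableIdMatch = ($null -ne $expectedId -and $cloud.ImmutableId -ceq $expectedId)
        OnPremFound      = [bool]$onprem
        CloudOnlyAliases = $cloudOnly
    }
}

'first@9tech.ca', 'second@9tech.ca' | ForEach-Object { Test-SourceOfAuthority -UserPrincipalName $_ } | Format-List
```

A user whose Status is "Synced with Active Directory" but whose ImmutableIdMatch is $false has been matched to a different on-premises object than the one you expected, which is worth investigating before password hash sync makes that object's password the one that works in the cloud.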

 

Provision new mailboxes in Office 365

The following paragraph shows how to provision a new mailbox in Office 365 from on-premises Active Directory.
Creating the user
1. Open Active Directory Users and Computers on the local AD.
2. Create an Active Directory user as you normally would.
3. Ensure that the user's E-mail address on the General tab of the AD properties is correct.

[Figure: Active Directory Users and Computers, General tab with the E-mail field]

4. Ensure that the user's UPN matches their primary SMTP address.

[Figure: Active Directory Users and Computers, Account tab with the UPN]

5. Run the following command to add the primary and any additional SMTP addresses to the account:
Set-ADUser -Identity new -Add @{ProxyAddresses="SMTP:new@9tech.ca","smtp:new2@9tech.ca"}
6. Run an AD Connect sync.
7. Log in to Office 365, set the user's usage location and assign a license; the mailbox is created in Exchange Online once the license is applied.

[Figure: Office 365 admin center, license assignment for the new user]

8. Check that the additional email addresses are assigned correctly.

[Figure: Exchange Online mailbox email addresses for the new user]
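The fix for the lost resume@9tech.ca alias and the proxy address step when provisioning a new user both come down to the same rule: before AD Connect runs, the on-premises mail and proxyAddresses attributes must already hold everything the cloud object has, with exactly one upper-case SMTP: primary equal to the UPN. As an added example (not code from the original post), the script below applies that rule to every account in the Exchange-Online-Users.csv export (assumed here to have been produced with the Get-Mailbox command earlier in this article, with EmailAddresses joined by ";"): it reports the differences first and, with -Apply, sets the mail attribute and adds only the proxy addresses that are actually missing, so nothing is lost at sync time and Set-ADUser never fails on a value that already exists. The CSV path, the function name and the -Apply switch are this example's own.

```powershell
# Added example, not code from the original post. Needs the ActiveDirectory
# module. Assumed (not from the original): the CSV path, the -Apply switch, and
# that the EmailAddresses column is a ';'-joined list such as
# "SMTP:first@9tech.ca;smtp:resume@9tech.ca".
Import-Module ActiveDirectory

function Sync-ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$CloudEmailAddresses,   # ';'-joined export column
        [switch]$Apply                                         # report only unless set
    )

    $cloud = @($CloudEmailAddresses -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^smtp:' })
    $primaryEntries = @($cloud | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaryEntries.Count -ne 1) {
        Write-Warning "$UserPrincipalName : expected one SMTP: primary in the export, found $($primaryEntries.Count)"
        return
    }
    $primary = $primaryEntries[0].Substring(5)

    $ad = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties mail, proxyAddresses
    if (-not $ad) { Write-Warning "$UserPrincipalName : no on-premises account"; return }

    # Soft-match precondition from the article: cloud primary SMTP == on-premises UPN.
    if ($primary -ne $ad.UserPrincipalName) {
        Write-Warning "$UserPrincipalName : cloud primary $primary differs from the on-premises UPN, will not match"
        return
    }

    $existing = @($ad.proxyAddresses)
    # A different upper-case SMTP: value already in AD would leave the object
    # with two primaries; report it instead of guessing which one to keep.
    $otherPrimary = @($existing | Where-Object { $_ -cmatch '^SMTP:' -and $_ -cne $primaryEntries[0] })
    # Add only what is not there yet. -ccontains is case-sensitive, so the
    # upper-case primary and a lower-case alias of the same address differ.
    $missing = @($cloud | Where-Object { -not ($existing -ccontains $_) })

    if ($Apply -and $otherPrimary.Count -eq 0) {
        if ($ad.mail -ne $primary)  { Set-ADUser -Identity $ad -Replace @{mail = $primary} }
        if ($missing.Count -gt 0)   { Set-ADUser -Identity $ad -Add @{proxyAddresses = $missing} }
    }

    [pscustomobject]@{
        UPN           = $UserPrincipalName
        MailAttribute = $ad.mail
        MailOk        = ($ad.mail -eq $primary)
        Missing       = $missing
        OtherPrimary  = $otherPrimary
    }
}

# Usage: run without -Apply first and review the output, then re-run with -Apply.
Import-Csv 'C:\reports\Exchange-Online-Users.csv' | ForEach-Object {
    Sync-ProxyAddresses -UserPrincipalName $_.UserPrincipalName -CloudEmailAddresses $_.EmailAddresses
} | Format-Table UPN, MailOk, Missing, OtherPrimary -AutoSize
```

Accounts reported with a non-empty OtherPrimary are deliberately left untouched: deciding which address stays primary is a business decision, and writing two SMTP: values would reproduce in AD exactly the ambiguity the article is trying to remove from the cloud.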

 

There are some settings and features that cannot be configured without installing a local Exchange Server.
These are some examples of what you will not be able to set up:

  • Hide an Exchange Online mailbox from the GAL
  • Provision an archive mailbox in Exchange Online for users synced from on-premises
  • Create a shared or room mailbox that is synced from on-premises

If you try to hide a synchronized mailbox in Office 365, an error occurs and you are told that the operation must be performed in local AD rather than in Exchange Online. Without the Exchange schema extension on-premises, the attribute AD Connect would synchronize for this (msExchHideFromAddressLists) does not even exist in the local directory.

[Figure: Exchange Online error when hiding a synchronized mailbox from the GAL]

This article explained how to change the source of authority from Office 365 identities to local Active Directory.
Provisioning and managing identities this way, without a local Exchange Server, is not supported by Microsoft.
According to Microsoft's TechNet guidance, the only supported tools available to manage Exchange recipients and objects are:

  • Exchange Management Console
  • Exchange Administration Center (EAC)
  • Exchange Management Shell

 

 

Categories: Technical Reviews