Change The Source Authority from Azure AD to Local Active Directory

In the scenario presented here, we need to transfer the source of authority for a user account which was  created by using Office 365 management tools to local Active Directory.
We need to transfer the source of authority so that the account can be managed through an on-premises Active Directory and using directory synchronization provided by AD Connect.

Change The Source Authority from Azure AD to local Active Directory with use of On-premises Exchange Server

Current Settings

Initially, we have configured:

• Office 365 accounts/mailboxes are already provisioned in Office 365/Exchange Online.
• Users IDs and passwords are setup in Office 365.
• Local Active Directory has all account objects.
• There is no AD Connect Server locally installed.
• There is no Exchange Server locally installed.

We need to link Office 365 accounts back to On-premises Active Directory accounts.
Password need to be sync from On-premises Active Directory to Office 365.
In this configuration, we are going to install local Exchange Server which is only supported method of synchronizing and provisioning accounts from local On-premises Active Directory to Office 365.
We will use local AD account (second@9tech.ca)  to sync to already provisioned user\mailbox in Office 365 with primary SMTP second@9tech.ca.

 

The following steps are necessary to change source authority from Azure AD to local Active Directory with On-premises Exchange Server installed.

1. Download your version of Exchange 2016 Server on following link https://www.microsoft.com/en-us/download/details.aspx?id=52968
2. Expand Exchange Schema and install Exchange 2016 server locally On-premises. Use the following link to obtain free product key from Microsoft
http://aka.ms/hybridkey

3. After you install Exchange Server run the following command to disable local SCP record in AD
Set-ClientAccessServices -Identity server -AutodiscoverServiceInternalUri $null

4. To be able to provision new office 365 mailbox using EAC on On-premises, we need to run the following commands to configure remote domains to Exchange Online

New-RemoteDomain -Name “9tech1.mail.onmicrosoft.com” -DomainName “9tech1.mail.onmicrosoft.com”
Set-RemoteDomain -Identity “9tech1.mail.onmicrosoft.com” -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -TNEFEnabled $true

5. Use the following two commands to export user attributes from Azure AD and from Exchange Online to two csv files.

Get-MSOLUser | Select   DisplayName,UserPrincipalName,City,Country,Department,Fax,FirstName,LastName,MobilePhone,Office,PhoneNumber,PostalCode,@{Name=’ProxyAddresses’;Expression={[string]::join(“;”,($_.ProxyAddresses))}},State,StreetAddress,Title | export-csv c:\reports\MSOL-Users.csv -NoTypeInformation

Get-Mailbox | Select DisplayName,UserPrincipalName,@{Name=“EmailAddresses”;Expression={$_.EmailAddresses | Where-Object {$_ -LIKE “SMTP:*” }}},EmailAddressPolicyEnabled,PrimarySmtpAddress,WindowsEmailAddress,ForwardingSmtpAddress,ForwardingAddress | export-csv c:\reports\Exchange-Online-Users.csv -NoTypeInformation

If there are more attributes in use, we will need to expand upper command to include additional attributes. The link with additional attributes can be found here
https://msdn.microsoft.com/en-us/library/azure/dn194133(v=azure.98).aspx
6. Edit both files to populate blank fields with missing data/attributes (tel number, address etc).

7. Run the following command on local On-premises Exchange Server to create a remote mailbox using data from MSOL-Users.csv file.
Enable-RemoteMailbox -Identity “second@9tech.ca” -RemoteRoutingAddress “second@9tech1.mail.onmicrosoft.com” -PrimarySmtpAddress second@9tech.ca

8. Run the following command on local On-premises Exchange Server to assign an additional email address to previously created Remote Mailbox using data from MSOL-Users.csv file.

Set-RemoteMailbox -Identity “second@9tech.ca” -EmailAddressPolicyEnabled $false -EmailAddresses smtp:secondd@9tech.ca,SMTP:second@9tech.ca,smtp:seconddd@9tech.ca

9. Run the following command on local On-premises Exchange Server to assign additional attributes to the local AD account using data from Exchange-Online-Users.csv file.

Set-User -Identity “second@9tech.ca” -DisplayName “Second Test” -UserPrincipalName “second@9tech.ca” -City “Atlanta” -Country “United States” -Department “Information Services” -Fax “” -FirstName “Second” -LastName “Test” -MobilePhone “” -Office “Midtown” -Phone “+1 (404) 326-0000” -PostalCode “30000” -State “GA” -StreetAddress “1100 Baif Street, Suite 1000″ -Title “Senior Helpdesk Support Technician

10. Install AD Connect and scope it to use only single OU for syncing. Move mailbox to OU which was in AD Connect sync scope.
11. Notify users that Office 365 password is going to be changed and that new password is going to be same as internal AD password
12. Perform AD Connect Sync
13. Check if user’s status was changed from “In Cloud” to “Synced with Active Directory”.
14. Check if user can log into Exchange Online using internal Active Directory password

After those steps, all attributes for the specified users are copied from Office 365 back to On-premises Active Directory, passwords are uploaded from Local Active Directory and all attributes of the mailbox are managed locally from Exchange Server.

 

The next article is an outlining scenario in which no local Exchange Servers is presented.
The following scenario is not supported by Microsoft.
See the blog for more details. https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/

Change the source of authority from Azure AD to on-premises Active Directory without on-premises Exchange Server installed

Current Settings

Initially, we have configured:
• Office 365 accounts/mailboxes already provisioned in Office 365/Exchange Online.
• Users ID and passwords are setup in Office 365.
• Local Active Directory has all account objects.
• There is no AD Connect Server locally installed, and there is no sync from On-premises to Office 365.
• There is no Exchange Server locally Installed.

 

We need to:

• Link Office 365 accounts back to On-premises Active Directory accounts.
• The password needs to be sync from On-premises Active Directory to Office 365.
• All mailbox properties needed to be managed locally and propagated to Office 365 using AD Connect.

Those two conditions had to be meet first in our example.

• The local AD account and UPN were set to first@9tech.ca
• Exchange Online Primary SMTP (first@9tech.ca) is matching local UPN (first@9tech.ca)
Here is the view from Office 365. Account “First” is “In Cloud” account as you can see from a figure.

Use Active Directory User and Tools and make sure that Email field in AD properties of account is populated with Primary SMTP address.

 

Install AD Connect and run a sync

At this step, we are installing AD Connect and enabling OU filtering to OU where our test account is located.
After AD Connect sync to Office 365, account (first@9tech.ca) is converted from “In-Cloud” to “Sync with On-premises Active Directory”
as you can see from the following picture.

The source of authority for directory sync has been moved from Azure AD to the local On-premises Active Directory.
The following table shows how attributes of objects change in Office 365 after the sync.
Fields in green color were changed in Office 365 after the sync.

Note that additional proxy address (resume@9tech.ca) in Exchange Online were deleted during the sync process.
The following table shows syncing behavior for attributes which are synced from On-premises to Office 365

We can manually copy all basic attributes (title, phone, street,etc.) from Azure AD/Exchange Online and to Local Active Directory
using Active Directory User and Tools.
After we populate all necessary fields, AD Connect will propagate those attribute properties to Azure AD/Exchange Online.

How to fix additional Exchange Online proxy email address?

It is more difficult with an additional email address because Active Directory User and Tools has no field for the proxy address attribute.
After the initial sync, additional proxy email addresses were deleted from Office 365.

We can try to add missing resume@9tech.ca email address back to mailbox in Exchange Online
But when we press save, we are presented with the error which notifies us that we should change properties on On-premises objects in AD instead in Office 365.

We can use native AD PowerShell commands to check attributes of objects in local AD.
Get -ADUser -identity first -properties * | fl DisplayName,mail,ProxyAddresses

 

We can add resume@9tech.ca to local AD account using the following Active Directory PowerShell command
Set-ADUser -identity first -Add @{Proxyaddresses=”SMTP:first@9tech.ca”,”smtp:resume@9tech.ca”}

 

After we sync local Active Directory to Azure AD new proxy email address is added to Exchange Online Mailbox

After this step existing user is fully functional in Office 365, all attributes are copied from local AD to Office 365 and local Active Directory passwords are propagated to Office 365.

 

Provision new Mailboxes in Office 365

The following paragraph is showing a process to how to provision new mailbox to Office 365 using on-premises Active Directory.
Creating the User
1. Open Active Directory Users and Computers on Local AD
2. Create an Active Directory user as you normally would.
3. Ensure that the user’s email address on the General tab of the AD properties is correct

4. Ensure that the user’s UPN name match their primary SMTP address.

5. Run the following command to add any additional SMTP address to mailbox
Set-ADUser –identity new -Add @{Proxyaddresses=”SMTP:new@9tech.ca”,”smtp:new2@9tech.ca”}
6. Run AD Connect Sync
7. Login to Office 365 and configure users location and assign license

8. Check if additional email address are assign correctly

 

There are some of settings and features which we are not able to configure without installing local Exchange Server.
Those are some of the examples which you will not be able to setup:

• Hide Exchange Online mailbox in GAL
• Provision Archive mailbox in Exchange Online for users which are synced from On-premises.
• Create shared or room mailbox which is sync from On-premises.

If you try to hide mailbox in Office 365 for a mailbox, a error will occur and we will be notified that operation needs to be performed in local AD instead in Exchange Online.

This article explained how to change source authority from Office 365 identities to local Active Directory.
This method of provisioning and managing identities without local Exchange Server is not  supported by Microsoft.
According to following TehhNet article,   the only supported tools that are available to manage Exchange recipients and objects.”

• Exchange Management Console
• Exchange Administration Center (EAC)
• Exchange Management Shell