Mailbox Management & SSO after Office 365 Hybrid Migration

So you are coming to the end of an Exchange Online Hybrid migration, and are considering decommissioning the on-premise Hybrid Exchange server.  Are there any considerations that need to be taken into account?

By the end of the mailbox migrations, you may have configured Azure AD Sync and made the on-premises Active Directory the source of authority. Therefore, going forward, you must perform any required changes on the objects in the on-premises Active Directory and not in Office 365, as most attributes on  are read only.

You may also have also configured identity federation via ADFS in order to achieve single sign-on (SSO). With ADFS configured, you must create new users via the on-premises Active Directory to use SSO.

Active Directory users also need to be created with the required mail attributes in order for Exchange Online to accept the object and convert to mail enabled user. This can be done without an on-premise Exchange. Active Directory Users and Computers will create the required mail related attributes:

  • mail
  • proxyAddresses
  • targetAddress

Once synchronized, you can assign it an Exchange license in order to make it a mailbox-enabled object.

However, you may need to enable more advanced Exchange features on the object e.g.

  • hiding the object from the global address list
  • adding additional email addresses

While this is possible using ADSI Edit the Exchange Product Group doesn’t support this approach.  The Exchange Product Group recommends you keep an Exchange server with the Mailbox role on-premises even if all your mailboxes are located in Exchange Online.  This blog has some further references

If you deploy an on premise Exchange for Hybrid management only (i.e. no mailboxes) you can apply for an Exchange Hybrid Key at no cost here .

One thought on “Mailbox Management & SSO after Office 365 Hybrid Migration

  1. Pingback: Decommission or Maintain Exchange Hybrid? It Depends | ODDYTEE

Leave a Reply

Your email address will not be published. Required fields are marked *