Office 365 Identity Management with DirSync without Exchange Server On-Premises
This post describes how users, groups and contact are provisioned in Office 365 from the on-premises Active Directory. By using DirSync, these objects are created in and synchronized to Office 365. Without an Exchange Server and Exchange Management tools in place, it is not always obvious how these objects should be created.
The following sections describe the procedures you can follow without Exchange or the Exchange management tools in place.
The sections below only specify the basic actions you need to perform in Active Directory to have the object appear in the right place in Office 365 (user, security group, mailbox, distribution group, contact). Note that almost all properties of these objects need to be set in Active Directory. If you want to hide a distribution group from the address book or you want to configure moderation for a distribution group, you have to know the property in Active Directory that’s responsible for the setting, set the value and perform directory synchronization. You will also need to upgrade the Active Directory schema with Exchange Server 2010 schema updates. You cannot use the Exchange Server 2010 System Manager without having at least one Exchange Server 2010 role installed on-premises.
Create a user account
Create a regular user account in Active Directory. This user account will be replicated by DirSync and it will appear in the Users list in the portal (https://portal.microsoftonline.com).
Important: set the user logon name to a value with a suffix that matches the suffix used for logging on to Office 365. For instance, if you logon with email@example.com in Office 365, set the UPN to that value:
User accounts without a mailbox (or any other license) can be used in Office 365 to grant permissions such as Billing Administrator or Global Administrator. A user account like this is typically used to create a DirSync service account.
Create a user account for a user that needs a mailbox
Create a user account as above. Set the user’s primary e-mail address in the email attribute or you will get an onmicrosoft.com address only:
When this user is synchronized and an Exchange Online license is added in the portal, a mailbox will be created that has the E-mail address in the E-mail field as primary SMTP address. Automatically, a secondary SMTP address is created with firstname.lastname@example.org:
What if the user needs extra SMTP addresses?
- You cannot set extra SMTP addresses in Exchange Control Panel (or Remote PowerShell) because the object is synchronized with DirSync.
- In the on-premises Active Directory you need to populate the proxyAddresses attribute of the user object. You can set the values in this field with ADSIEdit or Active Directory Users and Computers (Windows Server 2008 ADUC and higher with Advanced Features turned on)
- In the proxyAddresses field, make sure that you also list the primary SMTP address with SMTP: (in uppercase) in front of the address. Secondary addresses need smtp: (in lowercase) in front of the address.
Note: instead of editing the proxyAddresses field directly, you can use a free (but at this point in time beta) product: http://www.messageops.com/software/office-365-tools-and-utilities/office-365-active-directory-addin. The tool adds the following tabs to Active Directory Users and Computers:
- O365 Exchange General: set display name, Email address, additional Email addresses and even a Target Email Address (for mail redirection)
- O365 Custom Attributes: set custom attributes in AD for replication to Office 365
- O365 Delivery Restrictions: accept messages from, reject messages from
- O365 Photo: this photo will appear on the user’s profile and will be used by Lync Online as well
- O365 Delegates: to set the publicDelegates property
When a user is created in AD, you can use the additional tabs this tool provides to set all needed properties at once.
To summarize the actions for a mailbox:
- Create a user in ADUC with the user logon name (UPN) and e-mail address to the primary e-mail address of the user (UPN and e-mail address do not have to match but it’s the most common case)
- Make sure the user has a display name (done automatically for users if you specify first, last and full name in the AD wizard)
- Set proxyAddresses manually or with the MessageOps add-in to specify additional e-mail addresses (with smtp: in the front) and make sure you also specify the primary e-mail address with SMTP: in the front.
- Let DirSync create and sync the user to Office 365
- Assign an Exchange Online license to the user. A mailbox will be created with the correct e-mail addresses.
Create a security group
Create a security group in Active Directory. The group will be synchronized by DirSync and appear in the Security Groups in the portal. The group will not appear in the Distribution Groups in Exchange Online (obviously).
Create a distribution group
Create a distribution group in Active Directory. In the properties of the group set the primary e-mail address in the E-mail address field:
In addition to the e-mail address, the group object also needs a display name (displayname attribute). If the distribution group in AD has an e-mail address and a display name, the group will appear in the Distribution Groups list in Exchange Online after synchronization.
Note that specifying members and alternate e-mail addresses has to be done in the local Active Directory as well. If you have installed the MessageOps add-in, you can set easily set those properties.
Create a mail-enabled distribution group
You can add a display name and e-mail address to a standard security group to mail-enable the group. After stamping those two properties, the group will appear in the list of Distribution Groups in Exchange Online. When you list groups with the Get-Group cmdlet, you will see the following:
You can stamp the properties manually or use the MessageOps add-in to set these properties easily.
Create a contact
Create a contact object in Active Directory. In the properties of the created object, fill in the E-mail field in the General tab.
Although DirSync makes it easy to create directory objects in Office 365, without an Exchange Server and the Exchange management tools it is not always obvious how to set the needed properties in order to correctly synch these objects. If you find it too much of a hassle to set the required properties on your local Active Directory objects, there are basically two things you can do:
- Turn off Directory Synchronization and start mastering directory objects in the cloud
- Install at least one Exchange Server 2010 SP1 so that you can use the Exchange management tools