Existing AADConnect with Exchange Online, enable "Exchange Hybrid" in AADConnect and Exchange Management Tools afterwards

Steve Weber 136 Reputation points
2022-11-02T09:39:11.067+00:00

Hello,

I inherited an unsupported configuration.

  • All users/groups are synced via AADConnect to AzureAD.
  • They are using Exchange Online mailboxes/distribution lists.
  • No OnPremise Exchange exists.
  • No Exchange Hybrid Wizard exists.
  • In AADConnect "Exchange Hybrid" is not ticked.

I want to change this configuration into a supported state and manage the mail attributes via the Exchange Management Tools introduced with Exchange 2019 CU12.
As far as I understand it, I can simply install the Exchange Management Tools and, if no on-premises Exchange is found, it will do a PrepareSchema and create an Exchange organisation.

Do I have to manually compare and edit-match all the AzureAD users/groups/mail attributes with the local AD ones? Or can I simply activate "Exchange Hybrid" in the AADConnect configuration so that all missing local mail attributes are filled in with the ones from AzureAD/Exchange Online? I ask this because we have about 200 users and 100 groups in sync.
I found Microsoft documentation about which attributes are activated if you tick "Exchange Hybrid", but there is no description of whether it is a two-way sync or only one-way (AD overwrites AzureAD).

Help would be really nice.

Kind regards
Steve


Accepted answer
  1. Michael Durkan 12,176 Reputation points MVP
    2022-11-02T11:23:19.52+00:00

    Hi

    The Exchange hybrid deployment feature allows for the coexistence of Exchange mailboxes both on-premises and in Microsoft 365. Azure AD Connect synchronizes a specific set of attributes from Azure AD back into your on-premises directory. You can turn this on at any time.

    Here are the attributes synced once enabled:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-online

    and written back to on-prem:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback.

    Note - it's not mandatory to have this enabled. Exchange Hybrid configuration isn't really required unless you are going to host mailboxes in both locations at the same time, and that's normally during the initial setup where you are migrating users.

    There is also the caveat that you are introducing an Exchange Server into your on-premises environment. While it's purely going to be used for management as per your scenario, it still introduces the same admin overhead of maintaining, patching, setting up connectors, security concerns (and there have been a lot lately....) around Exchange Servers.

    When you say you want to get this to a "supported state" - to me, this looks like the state you should want to be in as you have no requirements or dependencies on any on-premises infrastructure apart from Azure AD Connect. What I would be asking is: could you perform the management tasks you are looking to do from Exchange Online?

    Hope this helps - note that this is my opinion only!

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

2 additional answers

  1. Steve Weber 136 Reputation points
    2022-11-02T11:54:42.577+00:00

    @Michael Durkan
    I don't want to install the full Exchange Server 2019 experience. I just want to install the Exchange Management Tools (EMT) for managing mail addresses and so on with the new RecipientManagement module and the PowerShell cmdlets. No Modern Hybrid or Classic Hybrid is planned. Just the PowerShell cmdlets for easier attribute control.
    manage-hybrid-exchange-recipients-with-management-tools

    I am missing Exchange entries in ADSI Edit for e.g. services or an administrative group. But the users have msExch and other Exchange-related attributes. So I am assuming that in the past at least one run of PrepareSchema was done.

    I do not know, for my configuration, if enabling Exchange Hybrid in AADConnect is just a nice-to-have or a must-do. If it is a must-do, I have to manually compare local and cloud users/groups.
    The available EMT documentation from MS just concentrates on the topics Exchange and Hybrid Wizard; it is missing possible adjustments for AADConnect.

    Regards
    Steve


  2. Steve Weber 136 Reputation points
    2022-11-03T08:19:39.41+00:00

    Thanks for calming my mind. I will do the following steps:

    • stop AADConnect service
    • export the local mail-related attributes of users and groups (aka export1)
    • run PrepareSchema
    • install Exchange Management Tools
    • export the local mail-related attributes of users and groups (aka export2)
    • compare export1 and export2, make adjustments if needed
    • re-enable AADConnect service
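As an added example that is not part of this thread or of any Microsoft tooling, the following PowerShell sketch covers the checks and steps from the two replies above: first it looks at whether the Exchange schema extension and an Exchange organization container already exist in the forest (the ADSI Edit entries the second reply says are missing), then it implements the export1/export2/compare steps of the final list. It assumes the RSAT ActiveDirectory module is installed, that the Azure AD Connect sync service is named `ADSync`, and that the attribute list and the `C:\temp` paths are suitable for the environment; the attribute list is an assumption chosen from commonly used mail-related attributes, not a list taken from the thread.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# --- Pre-check 1: has PrepareSchema ever run in this forest? ---
# The attribute schema object ms-Exch-Schema-Version-Pt exists only after an
# Exchange schema extension; its rangeUpper carries the schema version.
$schemaObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" `
                          -Properties rangeUpper -ErrorAction SilentlyContinue
if ($schemaObj) { "Exchange schema extension present, rangeUpper = $($schemaObj.rangeUpper)" }
else            { "No Exchange schema extension found (PrepareSchema has not run)" }

# --- Pre-check 2: does an Exchange organization container exist? ---
$svcPath = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
$exchOrg = Get-ADObject -Filter { objectClass -eq 'msExchOrganizationContainer' } `
                        -SearchBase $svcPath -ErrorAction SilentlyContinue
if ($exchOrg) { "Exchange organization found: $($exchOrg.Name)" }
else          { "No Exchange organization container under $svcPath" }

# Assumed list of mail-related attributes to snapshot (adjust to your environment).
$mailAttrs = 'mail', 'mailNickname', 'proxyAddresses', 'targetAddress', 'legacyExchangeDN',
             'msExchRecipientTypeDetails', 'msExchRecipientDisplayType', 'msExchRemoteRecipientType'

# Snapshot the mail-related attributes of all users and groups into a CSV (export1 / export2).
function Export-MailAttributes {
    param([Parameter(Mandatory)][string]$Path)
    $objects = @(Get-ADUser -Filter * -Properties $mailAttrs) +
               @(Get-ADGroup -Filter * -Properties $mailAttrs)
    $objects | ForEach-Object {
        $row = [ordered]@{ DistinguishedName = $_.DistinguishedName; ObjectClass = $_.ObjectClass }
        foreach ($a in $mailAttrs) {
            $v = $_.$a
            # Multi-valued attributes (proxyAddresses) are sorted and joined so the diff is stable.
            if ($v -is [System.Collections.ICollection]) { $v = (@($v) | Sort-Object) -join ';' }
            $row[$a] = $v
        }
        [pscustomobject]$row
    } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Diff two exports; emits one row per object/attribute whose value changed or per new object.
function Compare-MailAttributeExports {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $b = @{}; Import-Csv $Before | ForEach-Object { $b[$_.DistinguishedName] = $_ }
    $a = @{}; Import-Csv $After  | ForEach-Object { $a[$_.DistinguishedName] = $_ }
    foreach ($dn in $a.Keys) {
        if (-not $b.ContainsKey($dn)) {
            [pscustomobject]@{ DN = $dn; Attribute = '(object)'; Before = $null; After = 'new' }
            continue
        }
        foreach ($attr in $mailAttrs) {
            $old = $b[$dn].$attr; $new = $a[$dn].$attr
            if ($old -ne $new) {
                [pscustomobject]@{ DN = $dn; Attribute = $attr; Before = $old; After = $new }
            }
        }
    }
}

# Usage, following the step list in the thread (assumed paths, run with AD read rights):
#   Stop-Service ADSync
#   Export-MailAttributes -Path C:\temp\export1.csv
#   ... run PrepareSchema from the Exchange media and install the Management Tools ...
#   Export-MailAttributes -Path C:\temp\export2.csv
#   Compare-MailAttributeExports -Before C:\temp\export1.csv -After C:\temp\export2.csv | Format-Table
#   Start-Service ADSync
```

Keeping the sync service stopped between the two exports means any difference in the comparison comes from the schema preparation and tool installation alone, not from an intervening sync cycle; an empty comparison output is the expected result if PrepareSchema only extends the schema and does not touch existing recipient attributes.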