How to change primary email address for hybrid Azure/Local AD

Mike CoL 15 Reputation points
2023-01-24T16:20:45.9966667+00:00

We have a local AD environment and it syncs only one way up to our Azure AD environment. I created a user account locally and used an extention attribute value "O365" which causes the record to be created in our Azure AD environment. This is the normal process and has worked fine for 1000+ user acounts. The problem I am experiencing is this new user account I created shows the username@colgov.onmicrosoft.com address as the Primary email address in their Azure AD record. It should be username@lynchburgva.gov, which is our local/network domain, the colgov.onmicrosoft.com should be an alias and this address has always been created automatically when the record is created and synced for the 1st time to Azure.

I cannot change this in the Azure record because it is synced to our local AD, there is a small print note at the top of the user record window displaying this:
"This user is synchronized with your local ‎Active Directory‎. Some details can be edited only through your local ‎Active Directory‎." But the local AD record shows only one email address, username@lynchburgva.gov, which is the proper value and format.

Do you know why this is occurring for only this user and how I can reconfigure the account so the primary email address is the one with our domain name?

I apprecate your help.

primary email address Azure vs local AD

Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,136 questions
Microsoft Entra
{count} votes

12 answers

Sort by: Most helpful
  1. Zafir Ahmed 35 Reputation points
    2023-05-30T14:22:07.2733333+00:00

    Go To active Directory >find the Users > go to Properties > attribute Editor > add the address to ProxyAddressess object Like SMTP:Zafir.ahmed@xyz.com and sync the active directory

    User's image

    7 people found this answer helpful.

  2. afar 30 Reputation points
    2023-11-14T15:35:57.01+00:00

    For some reason for me if the proxyAddress had a capitalized "SMTP", they system would interpret that as the primary email address (and if there were multiple, the first capitalized address would be primary). Really confusing and frustrating, but when I changed all of the SMTP to smtp in the proxy addresses, it went back to normal.

    4 people found this answer helpful.
    0 comments No comments

  3. NCA Admin 10 Reputation points
    2023-10-08T02:09:02.7066667+00:00

    The issue appears to be a dead-end configuration option in the Hybrid Environment. Microsoft does not have a way to edit the option in a local AD without a local Exchange server running in it. The Hybrid sync locks out the online ability to change the option and it does not exist in a local AD DC. The way they managed to config exchange in the hybrid environment; was to infer the settings you cannot access when the online exchange mailbox is created by looking at other fields in the user account from the local AD. My best guess so far is it is either the Proxy address field or the email address field in the user account attributes. If these are left to the defaults, blank, then when the user account is sync'd to the online servers, it's automatically assigned to the *.onmicrosoft.com domain in your tenant. My default domain is set to the public faced production domain we use, but that apparently does not apply to local user syncs, at least not yet. You can either move the user account to the correct domain online in the 365 Admin portal or set those user attribute fields in the local AD DC. Once the online user account is move to the correct domain, then assign the exchange license. The exchange server will create the mailbox with the correct domain as long as that part is fixed 1st.

    To fix an existing issue, back up everything 1st, then back it up again like always. Then remove the Exchange or equivalent license from the user account. Once the license is removed, and the mailbox is gone, fix the user account so the domain is correct. Up to earlier this year, I was able to permanently delete the mailbox, Fix the user account attributes, then add a license back to the user account and the online exchange server would create a new mailbox for the user account with the correct domain. Now, it uses the old mailbox when its re-enabled, even after permanent removal. Now I have to completely delete the user account everywhere, wait an hour to make sure all the servers update, then create a new user account and make sure the attributes and domain are set before the license is added on. The only other way to fix the issue is to setup a local exchange server in your AD so you have the settings available to you locally. There are many issues with setting up a new local exchange server in an existing hybrid environment to overcome. Unless you have a few dozen user account to worry about, it may be easier to reset them individually and port the data back into the new account and mailboxes.

    Good luck. I don't see Microsoft fixing this issue any time soon. Where the options are imbedded in the AD infrastructure, and how the hybrid environment engages the online config lockouts, makes it extremely difficult for Microsoft to isolate them. Most likely, we will have to wait for the next big server OS revision that is designed from the ground up for hybrid setup and configuration.

    2 people found this answer helpful.

  4. Alex Pettigrew 5 Reputation points
    2023-02-13T23:59:09.71+00:00

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/proxyaddresses-attribute-populate

    Ensure the proxyAddresses attribute is filled out with SMTP:username@domain.com.

    1 person found this answer helpful.
    0 comments No comments

  5. Vasil Michev 108.1K Reputation points MVP
    2023-01-24T19:05:32.38+00:00

    Do you see the desired address at all in Exchange Online? Is it assigned to the same user or a different one? Easiest way to check is via the Get-Recipient cmdlet:

    Get-Recipient user@domain.com

    Depending on the result, you either have to remove the alias for any additional objects returned by the above query, or simply to set it as primary one. Strongly recommended to perform this operation on-premises. Back in the day, there was a workaround that enabled you to change the PrimarySMTPAddress directly in the cloud, but this is not a supported solution (and no longer works):

    Set-Mailbox user@domain.onmicrosoft.com -WindowsEmailAddress user@domain.com

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.