Do I need On-prem exchange?

Keith Hampshire 96 Reputation points
2021-01-22T03:06:33.127+00:00

I'm running into an issue where I'm not able to edit users or security group settings in Office365 in the Exchange Admin Center. I always receive a message stating that because the item/object was created on-prem, I would have to make the changes there.

We have a one way sync with Azure AD Connect going from on-prem to Office365.

Just to give you an example: there was a security group "Sales" created on-prem in ADUC. No issues there; it will sync just fine into Office365. The issue is that the person who created this security group "Sales" also added an email address in the properties of the Sales object. Now, in Office365 it says it's "mail-enabled" and users are emailing it. If I remove the email address in ADUC, it still shows up in Office365 as "Mail-enabled". There is NO way around this without deleting the security group and creating another one. I have tried the GUI and PowerShell to edit this setting and I get the same error message: "Can not make changes to this object because the object was created on-prem. Please make the change there instead".

Do I need a Hybrid setup where I have Exchange on-prem as well? If so, how hard is this to do?

Exchange | Exchange Server | Management

2 answers

  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2021-01-22T07:42:23.007+00:00

    Hybrid will not help in this specific scenario, but generally speaking every configuration involving dirsync requires you to have at least one Exchange server on-premises for management purposes. As you've noted above, the on-premises AD is the source of authority in such scenarios and changes need to be made there, and the only supported method to create/manage Exchange-related objects and attributes is via the Exchange tools.

    If you don't care about the supported bit, you can do fine without an Exchange server; however, at the very least you should extend the AD schema with the Exchange schema extensions.


  2. Joyce Shen - MSFT 16,701 Reputation points
    2021-01-25T06:43:16.17+00:00

    Hi @Keith Hampshire

    Agree with michev's suggestion above: changes cannot be made directly in o365; we should perform the operation on-premises, and then they will be synced to the cloud.

    Installing an Exchange server is the way recommended by Microsoft; however, it can work normally without installing on-premises Exchange.

    Extending the Active Directory schema adds and updates classes, attributes, and other items. These changes are needed so that Exchange can create containers and objects to store information about the Exchange organization.

    Please also refer to this thread, which discussed a question similar to yours: Is an on-premises Exchange server still required with Azure AD Connect?


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
     

