JoelFurnari-1663 asked ricardosolisvillegas-4678 commented

tenant.onmicrosoft.com values not reflecting local AD and Exchange

Our environment is hybrid, so I cannot make any changes from the Microsoft 365, Azure or Exchange admin center using PowerShell or the UI, so anything that starts with Connect-MsolService will not work.

Due to recent security changes we have changed user logins to lfirst1234@tenant.com, but their email addresses remain last.first@tenant.com.
Recently we have had a couple of new employees created. When the remote mailbox is enabled (from the local Exchange Management Shell) it should generate the smtp:last.first@tenant.onmicrosoft.com alias; instead it is generating lfirst1234@tenant.onmicrosoft.com in the Microsoft 365 admin centers. This is causing some issues with internal email routing from systems, as they are looking for the last.first@tenant.onmicrosoft.com address.


Local user account reads: UPN: lfirst1234@tenant.com
Attribute Editor: every value reads last.first@tenant.com or tenant.onmicrosoft.com, except for the userPrincipalName (last edited value), which reads as above.
I have tried manually updating the user's "inbox" in the Exchange server to add last.first@tenant.onmicrosoft.com. The Synchronization Service Manager is working and the attributes are selected in the properties of the connectors, but it never reflects the change in the Microsoft 365 admin center(s).
If anyone has any ideas how I can force this change up to my Microsoft cloud environment I would be greatly appreciative. I believe I have tried searching everything my little Google-Fu brain can find, but I am at a standstill.

Thanks.
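The question describes a value (smtp:last.first@tenant.onmicrosoft.com) that is visible on-prem but never appears in the cloud. The script below is an added diagnostic, not code from the original post or from Microsoft; it walks the attribute through each hop (AD, on-prem Exchange, the Azure AD Connect connector space, Exchange Online) so you can see where it stops. The UPN lfirst1234@tenant.com and the domain tenant.onmicrosoft.com are placeholders, the connector naming in step 4 assumes Azure AD Connect defaults, and the cloud queries in step 5 are read-only, which the one-way sync does not prevent.

```powershell
# Added diagnostic; not code from the original post. Placeholders assumed: the UPN
# lfirst1234@tenant.com and the initial domain tenant.onmicrosoft.com.
# Steps 1-3: on-prem Exchange Management Shell (ActiveDirectory module available).
# Step 4:    Azure AD Connect server (ADSync module); paste the DN printed in step 1.
# Step 5:    Exchange Online PowerShell (ExchangeOnlineManagement). Read-only; the
#            one-way sync only stops cloud-side *writes* from sticking.
param(
    [string]$Upn        = 'lfirst1234@tenant.com',   # placeholder
    [string]$TenantMail = 'tenant.onmicrosoft.com'   # placeholder
)
$ErrorActionPreference = 'Stop'

# --- 1. Raw AD attributes: the only thing Azure AD Connect reads -------------------
Import-Module ActiveDirectory
$ad = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties proxyAddresses, mailNickname, mail
if (-not $ad) { throw "No AD user with UPN $Upn" }
"AD DN            : $($ad.DistinguishedName)"
"AD mailNickname  : $($ad.mailNickname)"   # compare with the local part of the cloud's *@$TenantMail entry
"AD mail          : $($ad.mail)"
$ad.proxyAddresses | Sort-Object | ForEach-Object { "AD proxy         : $_" }

# --- 2. Same object as Exchange shows it. Set-RemoteMailbox writes proxyAddresses;
#        RemoteRoutingAddress is a different property and is not the alias in question.
$rm = Get-RemoteMailbox -Identity $Upn
"EX Alias         : $($rm.Alias)"
"EX RemoteRouting : $($rm.RemoteRoutingAddress)"
"EX PolicyEnabled : $($rm.EmailAddressPolicyEnabled)"   # $true: an address policy may re-stamp addresses

# --- 3. Is the wanted address on the on-prem object at all? Nothing absent here can sync.
$onPrem = @($ad.proxyAddresses | Where-Object { $_ -like "smtp:*@$TenantMail" })
if ($onPrem.Count -eq 0) { Write-Warning "No *@$TenantMail address on the on-prem object." }
$onPrem | ForEach-Object { "On-prem onmicrosoft: $_" }

# --- 4. Azure AD Connect server: is the value in the connector space, does this
#        server export at all, and when is the next cycle? ---------------------------
function Test-ConnectorSpace {
    param([Parameter(Mandatory)][string]$Dn)   # the AD DN from step 1
    Import-Module ADSync
    $sched = Get-ADSyncScheduler
    "SyncCycleEnabled   : $($sched.SyncCycleEnabled)"
    "StagingModeEnabled : $($sched.StagingModeEnabled)"   # $true = this server never exports
    "NextSyncCycle (UTC): $($sched.NextSyncCycleStartTimeInUTC)"
    # Default naming assumed: AD connectors carry the forest name, the AAD one ends in ' - AAD'.
    $adConnector = Get-ADSyncConnector | Where-Object { $_.Name -notlike '* - AAD' } | Select-Object -First 1
    $cs = Get-ADSyncCSObject -ConnectorName $adConnector.Name -DistinguishedName $Dn
    $cs.Attributes | Where-Object { $_.Name -eq 'proxyAddresses' } |
        Select-Object -ExpandProperty Values | ForEach-Object { "CS proxy           : $_" }
    # Value here but not in the cloud: push a delta cycle (only if none is running) and repeat step 5.
    if (-not (Get-ADSyncConnectorRunStatus)) { Start-ADSyncSyncCycle -PolicyType Delta }
}

# --- 5. Cloud view and the diff. '<=' = on-prem only (never exported),
#        '=>' = cloud only (e.g. the address the service generated itself). ----------
function Compare-CloudAddresses {
    param([Parameter(Mandatory)][string]$Upn,
          [Parameter(Mandatory)][string[]]$OnPremProxies)   # pass $ad.proxyAddresses
    Connect-ExchangeOnline -ShowBanner:$false
    $mbx = Get-Mailbox -Identity $Upn
    "Cloud IsDirSynced: $($mbx.IsDirSynced)"   # $false would mean a cloud-authored object, not the synced one
    $cloud = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })
    Compare-Object -ReferenceObject $OnPremProxies -DifferenceObject $cloud |
        Where-Object { $_.InputObject -like 'smtp:*' }
}
```

Run steps 1-3 as-is, then `Test-ConnectorSpace -Dn '<DN from step 1>'` on the Connect server, and `Compare-CloudAddresses -Upn $Upn -OnPremProxies $ad.proxyAddresses` from a session that has the ExchangeOnlineManagement module. Two results matter most: a `StagingModeEnabled` of `$true` means that server never exports anything, and a `<=` line for the onmicrosoft.com address means the value exists on-prem but was never exported, which is a sync-scope or export problem rather than an Exchange one.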

windows-active-directory

Hello @JoelFurnari-1663

Thank you for your post on our Microsoft Q&A space.

I would like to clarify all the great details given above... When you stated that you made this change >>> we have changed user logins to lfirst1234@tenant.com but their email addresses remain last.first@tenant.com.

Did you change the domain or just the username? If you changed the domain, did you register it, and is it showing up as green lights?

Are you using Azure AD and on-premises you have your AD server? If that's the case, do you have your AD connector for this scenario?

Did you go over the Outlook Exchange admin center, or where exactly?

Looking forward to your reply back.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 Votes 0 ·

JoelFurnari-1663 answered ricardosolisvillegas-4678 commented

All we did was change the name the user uses to log in because of a security initiative (having the same login username as the email address is inherently insecure); the domain remains the same.

AD is local and we have an Exchange server locally, but our mailboxes are hosted in O365. It is referred to as a hybrid format. In short, we cannot make changes to AD or Exchange from our cloud environment, only from our local one, as changes are only made upstream and not down.

In the Microsoft 365 admin center, select the user; on the "Account" tab it shows "aliases". When you click "Manage username and email" I get the primary email address last.first@tenant.com, the username lfirst1234@tenant.com, and under aliases lfirst1234@tenant.com and lfirst1234@tenant.onmicrosoft.com.

In the Exchange admin center, select the user, "General" tab, and email addresses. "Manage email address types" gives the same values as the base 365 admin center.

If I go to my local Exchange server and edit the user, on the tab labeled "email address" I can see the value(s) SMTP last.first@tenant.com and smtp last.first@tenant.onmicrosoft.com.
The last.first@tenant.onmicrosoft.com is what I need to push up to the cloud, as that value is not represented in "the cloud" environment.


Many thanks for your quick response!

I wonder if this has to do with this relevant note:

200689-image.png


1 Vote 1 ·
JoelFurnari-1663 (reply to ricardosolisvillegas-4678):

I was not the one who originally set this up, so I have just got in way over my head, so it might be.

I am looking at the user's attribute editor in AD, and the value ms-DS-ConsistencyGuid is <not set>. It is also not a selected attribute in the ADFS Sync Service.

So this article is suggesting that the objectGuid is a good candidate for the ms-DS-ConsistencyGuid, and it was part of the initial ADFS sync that may have never been done.

Or am I way off on this?

1 Vote 1 ·

Nope, you are right!

0 Votes 0 ·
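The exchange above is about the source anchor: whichever AD attribute Azure AD Connect was configured to use (ms-DS-ConsistencyGuid or objectGUID) is what, base64-encoded, becomes the cloud object's ImmutableId, and a mismatch there is what makes a synced user stop matching its cloud counterpart. The script below is an added example, not code from the thread or from Microsoft: it reads the configured anchor, derives the ImmutableId the cloud object should carry, and compares it with what Azure AD actually holds. It assumes the ADSync and ActiveDirectory modules on the Azure AD Connect server and an existing Connect-MsolService session for the read-only lookup; the UPN is a placeholder.

```powershell
# Added example, not from the thread. Run on the Azure AD Connect server (ADSync and
# ActiveDirectory modules) after Connect-MsolService. The UPN is a placeholder.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-SourceAnchorAttribute {
    # The AD attribute Azure AD Connect was configured to use as sourceAnchor.
    (Get-ADSyncGlobalSettings).Parameters |
        Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' } |
        Select-Object -ExpandProperty Value      # 'mS-DS-ConsistencyGuid' or 'objectGUID'
}

# ImmutableId is the base64 form of the anchor attribute's 16 raw bytes, in both directions.
function ConvertTo-ImmutableId([byte[]]$Bytes) { [Convert]::ToBase64String($Bytes) }
function ConvertFrom-ImmutableId([string]$Id)  { [guid][byte[]][Convert]::FromBase64String($Id) }

function Test-SourceAnchor {
    param([Parameter(Mandatory)][string]$Upn)
    $anchor = Get-SourceAnchorAttribute
    $u = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties 'mS-DS-ConsistencyGuid'
    if (-not $u) { throw "No AD user with UPN $Upn" }
    $cg = $u.'mS-DS-ConsistencyGuid'             # byte[] or $null when the editor shows <not set>

    # What the cloud object must carry for the match to hold.
    $expected = if ($anchor -eq 'mS-DS-ConsistencyGuid' -and $cg) { ConvertTo-ImmutableId $cg }
                else { ConvertTo-ImmutableId $u.ObjectGUID.ToByteArray() }

    $cloud = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Upn                 = $Upn
        AnchorAttribute     = $anchor
        ObjectGuid          = $u.ObjectGUID
        ConsistencyGuid     = if ($cg) { [guid]$cg } else { '<not set>' }
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        CloudGuid           = if ($cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
        Matches             = ($cloud.ImmutableId -eq $expected)
    }
}

$r = Test-SourceAnchor -Upn 'lfirst1234@tenant.com'   # placeholder UPN
$r | Format-List
if ($r.AnchorAttribute -eq 'mS-DS-ConsistencyGuid' -and $r.ConsistencyGuid -eq '<not set>') {
    # Azure AD Connect copies objectGUID into an empty ms-DS-ConsistencyGuid during sync,
    # but only when its AD account has write permission on that attribute.
    Write-Warning 'Anchor is ms-DS-ConsistencyGuid but the attribute is empty on a synced user: check the connector account can write it.'
}
if (-not $r.Matches) {
    Write-Warning "Cloud ImmutableId differs from on-prem. A hard match would be: Set-MsolUser -UserPrincipalName $($r.Upn) -ImmutableId $($r.ExpectedImmutableId)"
}
```

The script only warns; it never writes. A hard match (Set-MsolUser -ImmutableId) rebinds the cloud object to a different on-prem object, so confirm that CloudGuid really belongs to the account you expect before running it, and note that a user whose anchor is empty while the anchor attribute is ms-DS-ConsistencyGuid is a permissions question on the Connect account, not an Exchange one.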
ricardosolisvillegas-4678 answered ricardosolisvillegas-4678 commented

Hi @JoelFurnari-1663

I am following up about your concern; in case you need additional assistance please let us know.

BR,


Hello @JoelFurnari-1663

Thanks for your patience for this update.

I have a possible resolution for this concern but I just wanted first to double-confirm some details if it is ok....

-Is this Azure AD DS or Azure AD being used in the cloud?
-Why did you say that you cannot make any change directly via the PowerShell terminal or admin center? This keeps me thinking of Azure AD DS.
-Did you mention previously that you are not using the AD connector for replicas to the cloud? Please correct me if I am mistaken.
-Do you have an idea if for the Azure AD DS/Azure AD instances there is a license being used?

Looking forward to your feedback,

Best Regards,

0 Votes 0 ·
JoelFurnari-1663 (reply to ricardosolisvillegas-4678):

-Azure is not being used in the cloud; we are on a hybrid system where our AD is local but syncs using Azure AD Sync Services. Our Exchange is hosted in the cloud BUT we have a local install of Exchange that is more or less a console for our hosted Exchange.

-We cannot make changes to our local AD or Exchange from the online admin center since it only syncs from our local (in-house) environment to the cloud. It does not sync in both directions.

-I am not sure what you are considering a "connector"; we did run the "Azure AD Connect" application to set up the connection to the cloud, and then created Azure AD Sync Services instances that trigger every 30 min to update the 365 admin center.

-I am unsure of the licensing question, but I would think we have some sort of license to be using the service(s) that we have been for some time.

Thanks again for your assistance.

1 Vote 1 ·

Hi,

Many thanks for your answer.


https://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx >>Check attributes list/Check also for any conditional policy.

https://docs.microsoft.com/en-us/connectors/office365users/ >>> Check the alias/Nickname settings for office365.


https://admin.microsoft.com/adminportal/home?previewoff=false#/modernonboarding/azureadsetup >>> Do you have access to this by any chance? I know you explained this at some moment.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-features >>>>> those are the attributes required for replication

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis >>>You can get an idea what syncservice must be needed.

Finally, I was asking for the license details because, depending on the license being used, this can limit the number of objects/attributes replicated to the cloud.

Regards,




0 Votes 0 ·
JoelFurnari-1663 (reply to ricardosolisvillegas-4678):

-The attributes that I would think are the ones are being synced; I do not see any conditional policy.
-Alias and nickname settings are in last.first format.
-Yes, I have full access to the admin console.
-DeviceWriteback: False, DirExtensions: True, DuplicateProxyAddressResil: True, DuplicateUPNResil: True, EnableSoftMatchResil: True, PasswordSync: True; SyncUPNForManagers, UnifiedGroupWriteback and UserWriteback are False.
-We are Office 365 E3 licensed.

I was looking around and I did notice something that is very likely related and might simplify my inquiry. I have a user, let's say "davis.betty@domain.com". All her attributes reflect that name. When she started with the company 6 years ago her name was boop.betty@domain.com, but she changed her name because of marriage. In the Office 365 management console, along with the correct email address davis.betty@domain.com, there is no instance of "smtp:davis.betty@tenant.onmicrosoft.com", just "smtp:boop.betty@tenant.onmicrosoft.com".

So to me it somehow looks like once the username is created and syncs with the cloud, that "tenant.onmicrosoft.com" address is created as a permanent value, which I find hard to believe, that MS would be so short-sighted as to do this.

1 Vote 1 ·
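The davis.betty/boop.betty case in the comment above and the new-hire case in the question have the same shape: the current primary SMTP local part has no matching smtp:<local part>@tenant.onmicrosoft.com entry that reached the cloud. In a hybrid where attributes flow only upstream, the place to add such an address is the on-prem remote mailbox, and Azure AD Connect exports it on the next cycle. The function below is an added example, not code from the thread or from Microsoft: it reports every remote mailbox whose primary address has no matching tenant.onmicrosoft.com entry on-prem, lists any stale one left from an earlier name, and only with -Apply adds the missing entry via Set-RemoteMailbox. It assumes the on-prem Exchange Management Shell; the domain is a placeholder.

```powershell
# Added example, not from the thread. Run in the on-prem Exchange Management Shell.
# The domain is a placeholder. Without -Apply nothing is changed.
function Repair-OnmicrosoftAlias {
    [CmdletBinding()]
    param(
        [string]$TenantMailDomain = 'tenant.onmicrosoft.com',   # placeholder
        [string]$Identity,                                        # one mailbox to test on first; omit for all
        [switch]$Apply
    )
    $targets = if ($Identity) { Get-RemoteMailbox -Identity $Identity }
               else           { Get-RemoteMailbox -ResultSize Unlimited }

    foreach ($rm in $targets) {
        $addrs   = @($rm.EmailAddresses | ForEach-Object { $_.ToString() })
        # Upper-case 'SMTP:' marks the primary address; -clike keeps the comparison case-sensitive.
        $primary = $addrs | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        if (-not $primary) { continue }

        $local  = $primary.Substring(5).Split('@')[0]
        $wanted = "smtp:$local@$TenantMailDomain"
        $hasIt  = $addrs -contains $wanted             # -contains is case-insensitive on strings
        $stale  = @($addrs | Where-Object { $_ -like "smtp:*@$TenantMailDomain" -and $_ -ne $wanted })

        [pscustomobject]@{
            Alias            = $rm.Alias
            Primary          = $primary.Substring(5)
            Wanted           = $wanted
            Present          = $hasIt
            StaleOnmicrosoft = ($stale -join ';')      # e.g. boop.betty@... after a rename
            Action           = if ($hasIt) { 'none' } elseif ($Apply) { 'added' } else { 'would add (use -Apply)' }
        }

        if (-not $hasIt -and $Apply) {
            # Adds the secondary address on-prem; the next Azure AD Connect delta cycle exports it.
            Set-RemoteMailbox -Identity $rm.Identity -EmailAddresses @{add = $wanted}
        }
    }
}

# Report first, then apply to one user, then (optionally) to everyone.
Repair-OnmicrosoftAlias | Format-Table -AutoSize
# Repair-OnmicrosoftAlias -Identity 'davis.betty' -Apply
# Repair-OnmicrosoftAlias -Apply
```

After an -Apply run, trigger `Start-ADSyncSyncCycle -PolicyType Delta` on the Azure AD Connect server and re-check the cloud object. Two caveats: leave the stale entry in place unless you have confirmed nothing still routes to it, since it keeps old mail deliverable; and expect the synced entry to appear in the cloud alongside, not instead of, any onmicrosoft.com address the service generated on its own.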

Many thanks for response as well as the heads up given using the example above...

0 Votes 0 ·