Saturday, December 19, 2015

Why you should have at least one Exchange Server on-premises with AAD Connect, AAD Sync or DirSync

I've tried multiple times to explain to my sales and engineering team that it sometimes makes no sense to deploy AAD Connect/AAD Sync/DirSync for "password sync" or federated SSO for small organizations, because these organizations would then also have to keep an Exchange Server 2010+ on-premises next to the synchronization tool. It is easier for such customers to keep and maintain identities separately.

Example customer scenarios:

  • "We want to decommission our legacy Exchange server after the Office 365 migration, but we want users and passwords synchronized from our Active Directory."

  • "We are going to be migrated from a non-Exchange system (Google Apps, Lotus Notes, GroupWise, Zimbra, etc.) to Office 365 and want users and passwords synchronized from our Active Directory."

  • "We used cloud-only identities for some time and now we want password sync or SSO using our on-premises Active Directory credentials."

All of these scenarios require an Exchange Server 2010 or later deployed on-premises for Exchange Online mailbox management: once an object is synchronized, its Exchange attributes are mastered in the on-premises Active Directory and become read-only in Exchange Online.

I believe everyone who has ever worked with a hybrid deployment has seen an error like the following when trying to change a mailbox property such as "Hide from address lists" or "Add new SMTP address" in the Exchange Online admin center instead of the on-premises Exchange Server ECP:

The operation on mailbox "User1" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'HiddenFromAddressListsEnabled', can't be performed on the object 'User1' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

The operation on mailbox "User1" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'User1' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
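The supported way to make exactly these two changes, as an added example that is not part of the original post: run the cmdlets in the on-premises Exchange Management Shell against the remote (Office 365) mailbox object, trigger a delta sync, and then read the result back from Exchange Online. The user name "User1", the domain contoso.com and the AAD Connect version (1.1 or later, which ships Start-ADSyncSyncCycle) are assumptions; an Exchange Online PowerShell session is assumed to be open already for the last step.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange
# Management Shell (Exchange 2010 SP1 or later). Names are assumptions.

# 1. Confirm the object is a remote mailbox mastered on-premises. A synced user
#    with an Exchange Online mailbox reports RecipientTypeDetails = RemoteUserMailbox.
Get-RemoteMailbox -Identity 'User1' |
    Format-List Name, RecipientTypeDetails, RemoteRoutingAddress, EmailAddresses, HiddenFromAddressListsEnabled

# 2. Make the changes on-premises instead of in the Exchange Online admin center.
#    These are the same two properties the Exchange Online errors above refuse to write.
Set-RemoteMailbox -Identity 'User1' -HiddenFromAddressListsEnabled $true
Set-RemoteMailbox -Identity 'User1' -EmailAddresses @{ add = 'smtp:user1.alias@contoso.com' }   # assumed alias

# 3. Push the change to Azure AD without waiting for the sync scheduler.
#    Assumption: AAD Connect 1.1 or later, executed on the sync server.
#    (Older DirSync/AAD Sync builds use the DirectorySyncClientCmd.exe scheduled task instead.)
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Verify in Exchange Online. IsDirSynced = True tells you the object is still
#    mastered on-premises, which is exactly why step 2 had to happen there.
Get-Mailbox -Identity 'User1' |
    Format-List Name, IsDirSynced, HiddenFromAddressListsEnabled, EmailAddresses
```

The delta sync normally runs every 30 minutes on its own; forcing it only shortens the wait while you verify the change. Step 4 needs the Exchange Online session, not the on-premises shell, so run it in a separate window.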
Here are the official Microsoft sources on this:

http://blogs.msdn.com/b/vilath/archive/2015/05/26/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises.aspx
https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

You can obtain a free Exchange Server product key for this purpose if you still want such a scenario.
It can be a single VM and it will hold no mailbox data (mailbox content lives in Exchange Online). It doesn't have to be a full Exchange Server hybrid setup. For Exchange 2013+, it has the same UI as Exchange Online for recipient management.

So the only confusing thing here is that you use the on-premises server to manage cloud mailboxes. You can use the UI or the Shell (EMS) to manage them.

Screenshot from the Exchange Management Console, Exchange Server 2010 on-premises:

Screenshot from the Exchange admin center, Exchange Server 2013 on-premises:

Screenshot from the Exchange admin center in Exchange Online (Wave 15), showing on-premises identities whose remote Office 365 mailbox properties are synchronized to Office 365:

It's your own choice to use the unsupported ADSIEdit approach or PowerShell scripts like this instead of the Exchange Server EMC/ECP or EMS.
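What you give up with the unsupported route is the validation that the Exchange tools perform before they write to Active Directory. The following read-only audit, added here and not part of the original post, checks the invariants that ADSIEdit or Set-ADUser will happily break: exactly one primary (uppercase "SMTP:") proxy address per object, the mail attribute matching that primary, no address shared by two objects (which later surfaces as a directory-sync export error), and a targetAddress that still routes to the tenant. The search base, the domain contoso.local and the routing domain contoso.mail.onmicrosoft.com are assumptions; the ActiveDirectory module must be available.

```powershell
# Added example, not from the original post. Read-only: reports, never modifies.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=local'                  # assumed OU
$Routing    = '@contoso\.mail\.onmicrosoft\.com$'             # assumed tenant routing domain (regex)
$Attrs      = 'mail', 'proxyAddresses', 'targetAddress'

# Every object that carries Exchange addresses, whatever set them.
$users = Get-ADUser -Filter 'proxyAddresses -like "*"' -SearchBase $SearchBase -Properties $Attrs

$seen = @{}                                                   # lower-cased address -> first owner
$findings = foreach ($u in $users) {
    $proxies = @($u.proxyAddresses)
    $primary = @($proxies | Where-Object { $_ -cmatch '^SMTP:' })   # case-sensitive: only uppercase SMTP: is primary

    if ($primary.Count -eq 0) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'No primary SMTP: address' }
    }
    if ($primary.Count -gt 1) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = "Multiple primary SMTP: addresses ($($primary -join ', '))" }
    }
    if ($primary.Count -eq 1 -and $u.mail -and ($u.mail -ne $primary[0].Substring(5))) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = "mail ($($u.mail)) differs from primary SMTP ($($primary[0].Substring(5)))" }
    }
    # A remote mailbox must forward to the tenant; a hand-edited targetAddress often does not.
    if ($u.targetAddress -and $u.targetAddress -notmatch $Routing) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = "targetAddress $($u.targetAddress) does not point at the Office 365 routing domain" }
    }
    foreach ($p in $proxies) {
        $key = $p.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = "Address $p is also assigned to $($seen[$key])" }
        } else {
            $seen[$key] = $u.SamAccountName
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No proxy address or routing issues found.' }
```

Run it before the next sync cycle after any manual attribute edit; the Exchange cmdlets would have refused the duplicate or the second primary address up front, so anything this script reports is damage that only the unsupported path can introduce.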