I'm working in a hybrid Exchange setup where we have an Exchange 2016 server and an online Exchange with Microsoft 365. We're planning to shut down the 2016 server soon because of security issues. Currently, our helpdesk creates new users using the Exchange 2016 console, which sets up both an online mailbox and an Active Directory (AD) account. I've been assigned to automate this process with a script that creates an online mailbox along with an associated AD account.
So far, I've been able to write a script that connects to the Exchange server and creates the mailbox and AD account, but it ends up creating an on-prem mailbox instead of an online one. When I tried connecting to Exchange Online, it creates a mailbox but doesn't create the AD account.
I'm trying to find a way to accomplish both tasks seamlessly. I'm also considering using Azure AD sync tools, but I'm wary of the potential complications that can arise with that method. Any advice or insights would be greatly appreciated!
4 Answers
You really should think about how you're going to collapse the hybrid setup. Have you assessed what needs to be recreated in the cloud? For scripting, you could use the MS Graph PowerShell cmdlets. Installing the module and creating users through there will ensure they automatically get a remote mailbox when they're set up properly. Just remember, you'll need the right permissions in Entra to do this!
Check out the Microsoft documentation on managing recipients in hybrid environments. It’ll give you a good overview of what must be done. While it's true we need to push for scripts now, it might also be worth considering an eventual switch to management tools as you bring everything online.
I’ve gone through that documentation too. It's useful, but we need something functional in the short term.
From what I gather, since you have a hybrid setup, your approach should be to first create the AD user, have it sync to Azure AD, and then rely on 365 to create the mailbox. Just keep in mind the order of operations; creating a user in Azure AD first won't sync back nicely to on-prem. But this way should work for your needs if everything is set up right.
To set this up, you might want to connect to your on-prem Exchange using `Connect-IPPSSession` and then use the `New-RemoteMailbox` cmdlet to create the remote mailbox directly. After that, make sure to trigger the Azure AD sync cycle so that the user appears in Office 365. Once they are in 365, you can assign any necessary licenses. It can be a bit of a process, but it should work! Just remember, without the on-prem server, this won't be an option.
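The order of operations from this answer as a worked script (an added example, not code from the thread). It assumes it runs in the on-prem Exchange Management Shell on a machine that also has the ADSync and Microsoft.Graph modules installed; the OU, UPN suffix, usage location and SKU part number are placeholders you would replace with your own values.

```powershell
# Added example, not from the thread. Run from the on-prem Exchange Management Shell.
# OU, UPN suffix, usage location and SKU part number below are placeholders.
param(
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $UpnSuffix     = "example.com",                 # placeholder
    [string] $OU            = "OU=Users,DC=example,DC=com",  # placeholder
    [string] $UsageLocation = "US",                          # placeholder
    [string] $SkuPartNumber = "ENTERPRISEPACK"               # placeholder; list with Get-MgSubscribedSku
)

$upn      = "$SamAccountName@$UpnSuffix"
$password = Read-Host -AsSecureString -Prompt "Initial password for $upn"

# 1. Create the AD account and the remote (cloud) mailbox in one step.
#    Unlike New-Mailbox, New-RemoteMailbox stamps the Exchange attributes that tell
#    Exchange Online to host the mailbox, so no on-prem mailbox is created.
New-RemoteMailbox -Name "$FirstName $LastName" -FirstName $FirstName -LastName $LastName `
    -SamAccountName $SamAccountName -UserPrincipalName $upn -Password $password `
    -OnPremisesOrganizationalUnit $OU -ResetPasswordOnNextLogon $true | Out-Null

# 2. Push the new object to Entra ID now instead of waiting for the scheduled cycle.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Wait until the synced user is visible in the cloud, then license it.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"
$mgUser = $null
for ($i = 0; $i -lt 20 -and -not $mgUser; $i++) {
    Start-Sleep -Seconds 30
    $mgUser = Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue
}
if (-not $mgUser) {
    throw "User $upn did not appear in Entra ID after sync; check the connector and OU filtering."
}

# A usage location must be set before a license can be assigned.
Update-MgUser -UserId $mgUser.Id -UsageLocation $UsageLocation
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant." }
Set-MgUserLicense -UserId $mgUser.Id -AddLicenses @{ SkuId = $sku.SkuId } -RemoveLicenses @()

Write-Host "Created $upn; Exchange Online provisions the mailbox once the license is applied."
```

Note that step 1 depends on the on-prem Exchange server being present, so the script stops being usable once that server is decommissioned.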
Using a dynamic group in Entra for licensing could simplify things too—just add the user there when setting them up!
But keep in mind, with the shutdown coming, you'll need a long-term solution that relies solely on the online side.
Agreed! Also, don't forget that if you license them correctly, their mailboxes will provision automatically.