I'm looking for guidance on converting our Azure-only users with Exchange Online to hybrid users. We want to join an existing on-premises Active Directory domain (which currently doesn't use Exchange) and need to understand the steps involved. We have fewer than 100 users right now in both Azure and the on-prem domain.
1. Should I export the Azure user properties and recreate those users on-premises, and then use Microsoft Entra Sync for soft or hard matching? What specific properties do I need to export and how do I do that?
2. Is there a way to import the passwords of existing Azure-only users when matching them to hybrid users? I assume that once they match, the on-premises users will become authoritative and overwrite the passwords, right?
3. What happens to the existing Azure users who have Exchange Online mailboxes? Will these mailboxes remain connected?
Thanks for any help!
3 Answers
It's definitely possible to convert your domain to use cloud identity, but if you're leaning towards hybrid, then use Entra Connect to perform a soft match for the users. Just to clarify, since you need hybrid identity due to local servers, what happens if you create user accounts locally and then match them against the Azure accounts? What will be the fate of their mailboxes in Exchange Online?
You can use Microsoft Entra Connect on your domain controller to sync users to your on-premises Active Directory. Be sure to check out the Microsoft documentation for downloading the tool.
Are your users already created on-premises, or are you starting from scratch?
Absolutely doable, but you're not likely to find specific Microsoft documentation on it. First, set up a complete mirror test environment that's fully representative, including all necessary PowerShell scripts with multiple users and email addresses.
To address your questions:
1. Rather than exporting everything, I'd recommend dumping the Azure user properties and selecting which ones you want to keep for the match, like ProxyAddresses for mail aliases.
2. Unfortunately, you can't retrieve Azure passwords. A hard match is the way to go; make sure to set the mS-DS-ConsistencyGuid on-premises to match the online object GUID. You might want to onboard users in small batches for better communication management.
3. As for the connection between the user and their mailbox, it's established by the msExchMailboxGuid attribute. If this is empty on-premises, it should generally be okay.
Just a heads-up: do the exchange schema preparation on-premises to ensure you get all the necessary attributes. It may be wise to have Exchange installed to modify attributes in a supported manner, but setting up a full hybrid isn't necessary right away either.
Consider the potential complications around Send-As permissions too, as they differ from standard mailbox sharing! Lastly, look at the AD properties for your users like MsExchRecipientDisplayType, so they appear correctly on-premises. Building new remote mailboxes in the test environment can give you insights on attribute adjustments you’ll need to make when it's time to go live.
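A worked version of the hard-match and attribute-copy steps from this answer, added here as an example and not code posted in the thread. It assumes the Microsoft.Graph and ActiveDirectory PowerShell modules, an existing Connect-MgGraph session with User.ReadWrite.All, and an on-premises account already created with the same UPN; the CSV path and the checks are my own choices.

```powershell
# Added example (not from the thread): prepare one cloud-only user for a hard match.
# Assumes Microsoft.Graph + ActiveDirectory modules, Connect-MgGraph already run,
# and the on-prem account already exists with the same UPN. Run in the test forest first.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName
)

# 1. Dump the cloud properties worth keeping for the match (ProxyAddresses = mail aliases).
$cloud = Get-MgUser -UserId $UserPrincipalName `
    -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesImmutableId
$cloud | Select-Object Id,UserPrincipalName,Mail,OnPremisesImmutableId,
    @{ n = 'ProxyAddresses'; e = { $_.ProxyAddresses -join ';' } } |
    Export-Csv -Path ".\$UserPrincipalName.csv" -NoTypeInformation   # constructed path

if ($cloud.OnPremisesImmutableId) {
    throw "Cloud user already carries an ImmutableId; it is not cloud-only. Stopping."
}

# 2. Build the anchor: the cloud ObjectId as 16 raw bytes, plus its base64 form.
$bytes     = ([guid]$cloud.Id).ToByteArray()
$immutable = [Convert]::ToBase64String($bytes)

# 3. Find the on-prem account and refuse to clobber an existing anchor or mailbox link.
$onprem = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
    -Properties 'mS-DS-ConsistencyGuid',proxyAddresses,msExchMailboxGuid
if (-not $onprem) { throw "No on-prem user with UPN $UserPrincipalName" }
if ($onprem.'mS-DS-ConsistencyGuid') { throw "On-prem anchor already set; refusing to overwrite" }
if ($onprem.msExchMailboxGuid) {
    Write-Warning "msExchMailboxGuid is populated on-prem; it should be empty for an Exchange Online mailbox"
}

# 4. Write the same anchor on both sides so Entra Connect hard-matches on the first sync.
Set-ADUser -Identity $onprem -Replace @{ 'mS-DS-ConsistencyGuid' = $bytes }
Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $immutable

# 5. Carry the mail aliases over so they are not lost when on-prem becomes authoritative.
if ($cloud.ProxyAddresses) {
    Set-ADUser -Identity $onprem -Replace @{ proxyAddresses = [string[]]$cloud.ProxyAddresses }
}
"{0}: anchor {1} written on both sides" -f $UserPrincipalName, $immutable
```

Verify after the first sync cycle that Get-MgUser shows OnPremisesSyncEnabled and that the mailbox still resolves before moving to the next batch.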