This guide is written for the desktop support team of my company. We come from an on-premise infrastructure frame of mind with Exchange/AD etc. Now we have a Hybrid setup with Office 365, with some mailboxes still on-premise and some mailboxes in the cloud. Administering Office 365 Exchange Online mailboxes and users is slightly different from administering them on-premises.
This guide will explain some popular administration scenarios. If a task is not included in this guide, it is safe to assume that you administer it the same as normal. Remember, with a Hybrid, Directory Synchronization is turned on, which is a one-way sync of all objects from the on-prem Active Directory to the Office 365 Active Directory.
How to connect to Exchange Online using the Exchange Management Console (EMC)
- You will need to connect to Exchange Online using the EMC for many purposes, one of which is to check for new mailboxes that you have just set up by enabling remote mailboxes using on-premise Exchange.
- Right click the top level in the tree and choose the option to Add Exchange Forest.
- Give a meaningful description for your eyes only, then choose Exchange Online > click OK.
- Enter in your credentials to connect to Exchange Online > Click OK
How to connect to Exchange Online using PowerShell
- Setting up the connection to Exchange Online using PowerShell is slightly different. Microsoft .NET Framework 4.5 and Windows Management Framework 3.0 must be installed on the computer used for the PowerShell connection.
- Windows PowerShell script execution must be enabled on the computer you use to connect to Exchange Online. To enable script execution for signed scripts, run the following command in an elevated Windows PowerShell window.
Set-ExecutionPolicy RemoteSigned
- Connect to Exchange Online
- Open Windows PowerShell > Run the following command:
$UserCredential = Get-Credential
- In the Windows PowerShell Credential Request dialog box, type the user name and password of an account in your Exchange Online organization, and then click OK.
- Run the following command:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Run the following command:
Import-PSSession $Session
- Disconnect from Exchange Online
- Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you. You’re allowed to have up to three concurrent remote PowerShell sessions. If you use all the sessions available to you, you’ll need to wait for the sessions to expire.
After you’re finished with your remote Shell session, use the following command to disconnect from Exchange Online.
Remove-PSSession $Session
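The session limit described above is easiest to respect when the disconnect cannot be skipped. The following is an added example, not part of the original guide: it wraps the guide's own connection commands in try/finally so the session is removed even if a command fails part way through. The Get-Mailbox line is only a stand-in for whatever administration you need to do.

```powershell
# Added example: same commands as the guide, wrapped so the session is always released.
$UserCredential = Get-Credential
$Session = $null

try {
    # -ErrorAction Stop turns a failed logon into a terminating error,
    # so nothing below runs against a session that was never created.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell/ `
        -Credential $UserCredential -Authentication Basic -AllowRedirection `
        -ErrorAction Stop

    # Import the Exchange Online cmdlets into this window.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Placeholder for the real work (assumption: any Exchange Online cmdlet goes here).
    Get-Mailbox -ResultSize 10 | Select-Object Alias, PrimarySmtpAddress
}
finally {
    # Runs on success, on error and on Ctrl+C: frees one of the three allowed sessions.
    if ($Session) { Remove-PSSession $Session }
}

# If earlier commands in this same window left sessions open, list and remove them.
# Get-PSSession only sees sessions created in the current PowerShell window.
Get-PSSession |
    Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
    Remove-PSSession
```

Sessions left behind by a window that has already been closed cannot be removed this way; those still have to expire on their own.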
How to set up a new cloud mailbox
Setting up a new cloud mailbox involves first setting up a user in Active Directory, then mail enabling the user.
- Either set up a new user from scratch using the on-prem Active Directory, or simply copy an existing user account. You do this using the Active Directory Users & Computers management console as normal.
- Make sure Advanced Features is turned on
- If you created a brand new user without copying, go to step 5.
- If you copied the user account, select the properties of the new copied user, then click on the Attribute Editor tab.
- Find the attribute msExchHomeServerName, then clear this value > click OK.
- You will need to Mail Enable the new user account. Mail Enabling a user account adds Exchange properties to the AD account, such as an email address. Run the following PowerShell cmdlet with on-premise Exchange:
Enable-MailUser -Identity '<user>' -Alias '<alias>' -ExternalEmailAddress 'SMTP:<alias>@domain.com'
- Enable a Remote Mailbox for this new Mail User. Run the following PowerShell cmdlet with on-premise Exchange:
Enable-RemoteMailbox <alias> -RemoteRoutingAddress <alias>@domain.mail.onmicrosoft.com
- Make sure that this user has an Office 365 license; contact your IT administrator so that a license can be allocated.
- Wait until Directory Synchronization completes. Normally this runs every 3 hours by default, unless your IT administrator has sped this up. Once Directory Synchronization has completed, you will see this new mailbox appear in Exchange Online.
- To check whether the new mailbox has been created online, connect to Exchange Online following the steps above. Using the Exchange Management Console, have a look under Recipient Configuration > Mailbox. Make sure you refresh this view to get the latest listing of remote mailboxes.
- You should be able to see the new mailbox.
How to grant full access to a mailbox
- Granting full access to a mailbox is done using PowerShell. You need to find out the Alias of the mailbox that you are granting access to and the SamAccountName of the user who is to have access.
- Use PowerShell and connect to Exchange Online (as above).
- To find out the SamAccountName of the user that you need to grant access to, run the following PowerShell cmdlet with Exchange Online:
This command below will find all users with ‘law’ in the name.
Get-MailUser -Identity law* | fl SamAccountName
- To find the alias of the mailbox, have a look in the Exchange Management Console under Exchange Online > Recipient Configuration > Mailbox, you will see the Alias column.
- The <alias> is the mailbox that you are granting access to and <SamAccountName> is the account that is to have access. Run the following PowerShell cmdlet with Exchange Online:
Add-MailboxPermission -Identity <alias> -User <SamAccountName> -AccessRights FullAccess -InheritanceType All -AutoMapping $false
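FullAccess lets the delegate open and read everything in the mailbox, so it is worth confirming each grant and reviewing the existing ones from time to time. The following is an added example, not part of the original guide: it applies the grant above, confirms it, and exports every explicit FullAccess grant in the tenant for review. The alias 'shared.finance', the account 'lawsonb' and the CSV file name are constructed placeholders, and the Exchange Online session is assumed to be imported already.

```powershell
# Added example. Assumes the Exchange Online session from the steps above is imported.
# 'shared.finance' and 'lawsonb' are constructed placeholder values.
$Alias    = 'shared.finance'
$Delegate = 'lawsonb'

Add-MailboxPermission -Identity $Alias -User $Delegate -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false

# Filter for entries that matter in a review: granted directly on the mailbox
# (not inherited), allow rather than deny, not the owner's own SELF entry,
# and including FullAccess.
$explicitFullAccess = {
    -not $_.IsInherited -and -not $_.Deny -and
    $_.User -notlike 'NT AUTHORITY\SELF' -and
    "$($_.AccessRights)" -match 'FullAccess'
}

# 1. Confirm the grant landed on the intended mailbox and nobody unexpected is listed.
Get-MailboxPermission -Identity $Alias |
    Where-Object $explicitFullAccess |
    Format-Table User, AccessRights, IsInherited -AutoSize

# 2. Review list: every explicit FullAccess grant on every cloud mailbox.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object $explicitFullAccess |
    Select-Object Identity, User, @{ n = 'AccessRights'; e = { "$($_.AccessRights)" } } |
    Export-Csv -Path .\FullAccessGrants.csv -NoTypeInformation

# 3. Revoke a grant that is no longer needed (left commented so it is not run by accident).
# Remove-MailboxPermission -Identity $Alias -User $Delegate -AccessRights FullAccess -Confirm:$false
```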
Granting Send-As and Send on Behalf permissions to cloud mailboxes
This is done using the Exchange Control Panel.
- Logon to https://outlook.office365.com/ecp with your Exchange Online (Office 365) credentials.
- Select Recipients > Mailboxes and find the mailbox that you are granting access to and click Properties
- Select Mailbox Delegation
Changing default User Principal Name (UPN) of cloud mailboxes
- Changing the UPN of a cloud based mailbox is normally done using the on-premise EMC > Recipient Configuration > Mail Contact > select the properties of the Remote User Mailbox, where you change the UPN (shown below).
- Normally Directory Synchronization will propagate changes to the cloud, by default every 3 hours. Sometimes this does not work, and cloud users can’t access cloud resources after synchronization has taken place. What happens is that the UPN is changed on-premise, then Directory Synchronization runs as normal with no errors, but the UPN in the cloud doesn’t change. You can check the UPN of the user in the cloud on the portal https://portal.microsoftonline.com/
- The User Name field represents the UPN of the user. This sometimes doesn’t change and displays the previous UPN.
- To fix this, you need to connect to Exchange Online using PowerShell (see above steps). Run the following two commands, setting the UPN of the user to the default tenant domain, then the same PowerShell command to change the UPN of the user to what it should be.
Set-MsolUserPrincipalName -UserPrincipalName user@<old_UPN> -NewUserPrincipalName user@<tenant_domain>.onmicrosoft.com
Set-MsolUserPrincipalName -UserPrincipalName user@<tenant_domain>.onmicrosoft.com -NewUserPrincipalName user@<new_UPN>
Kicking off a manual Directory Synchronization
Sometimes waiting for the default 3 hour window of Directory Synchronization can’t be done. Kicking off a manual sync is very easy.
- Logon to the Directory Synchronization server. Navigate to C:\Program Files\Microsoft Online Directory Sync
- Run DirSyncConfigShell.psc1
- Type in Start-OnlineCoexistenceSync and hit enter.
- You can monitor the progress by opening up the Directory Synchronization program "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe". There you can see the history of Directory Synchronization.