Desktop Support guide to administering Exchange Online

This guide is written for the desktop support team of my company. We come from an on-premise infrastructure frame of mind with Exchange/AD etc. Now we have a Hybrid setup with Office 365, with some mailboxes still on-premise and some mailboxes in the cloud. Administering Office 365 Exchange Online mailboxes and users is slightly different from administering them on-premises.

This guide will explain some popular administration scenarios. If a task is not included in this guide, it is safe to assume that you administer it the same as normal. Remember, with a Hybrid, Directory Synchronization is turned on, which is a one-way sync of all objects from the on-prem Active Directory to the Office 365 Active Directory.

How to connect to Exchange Online using the Exchange Management Console (EMC)

  1. You will need to connect to Exchange Online using the EMC for many purposes, one of which is to check for new mailboxes that you have just set up by enabling remote mailboxes using on-premise Exchange.

    Right click the top level in the tree and choose the option to Add Exchange Forest.


  2. Give a meaningful description for your eyes only, then choose Exchange Online > click OK.


  3. Enter your credentials to connect to Exchange Online > click OK.


How to connect to Exchange Online using PowerShell

  1. Setting up the connection to Exchange Online using PowerShell is slightly different. Microsoft .NET Framework 4.5 and Windows Management Framework 3.0 must be installed on the computer used for the PowerShell connection.
  2. Windows PowerShell script execution must be enabled on the computer you use to connect to Exchange Online. To enable script execution for signed scripts, run the following command in an elevated Windows PowerShell window.

    Set-ExecutionPolicy RemoteSigned

  3. Connect to Exchange Online
    1. Open Windows PowerShell > Run the following command:

      $UserCredential = Get-Credential

    2. In the Windows PowerShell Credential Request dialog box, type the user name and password of an account in your Exchange Online organization, and then click OK.

      Run the following command:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    3. Run the following command:

      Import-PSSession $Session

  4. Disconnect from Exchange Online
    1. Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you. You’re allowed to have up to three concurrent remote PowerShell sessions. If you use all the sessions available to you, you’ll need to wait for the sessions to expire.

      After you’re finished with your remote Shell session, use the following command to disconnect from Exchange Online.

      Remove-PSSession $Session
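The connect, import and disconnect steps above can be wrapped so that the session is released even when a command fails part-way through, which is what protects the three-session limit. This is an added example, not part of the original guide; it uses the same connection parameters as the steps above, and the mailbox query inside the `try` block is only a stand-in for whatever task you are running.

```powershell
# Added example: always release the remote session, even if the work in between throws.
$UserCredential = Get-Credential

# Stop here if the connection itself fails, so we never enter try{} with an empty $Session.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection `
    -ErrorAction Stop

try {
    # Import only the cmdlets this task needs instead of the whole Exchange Online command set.
    Import-PSSession $Session -CommandName Get-Mailbox, Get-MailboxFolderPermission -AllowClobber |
        Out-Null

    # Stand-in task: list a few cloud mailboxes.
    Get-Mailbox -ResultSize 10 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Runs on success, on error, and on Ctrl+C.
    Remove-PSSession $Session
}

# Clean up any Exchange sessions left over from earlier work in this same PowerShell window.
Get-PSSession |
    Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
    Remove-PSSession
```

The final clean-up only sees sessions created in the current PowerShell process; sessions orphaned by a closed window still have to expire on their own.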

How to set up a new cloud mailbox

Setting up a new cloud mailbox involves first setting up a user in Active Directory, then mail enabling the user.

  1. Either set up a new user from scratch using the on-prem Active Directory, or simply copy an existing user account. You do this using the Active Directory Users & Computers management console as normal.
  2. Make sure Advanced Features is turned on


  3. If you created a brand new user without copying, go to step 5.

    If you copied the user account, select the properties of the new copied user, then click on the Attribute Editor tab.


  4. Find the attribute msExchHomeServerName, then clear this value > click OK.


  5. You will need to Mail Enable the new user account. Mail Enabling a user account adds Exchange properties to the AD account, such as an email address. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-MailUser -Identity '<user>' -Alias '<alias>' -ExternalEmailAddress 'SMTP:<alias>@domain.com'

  6. Enable a Remote Mailbox for this new Mail User. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-RemoteMailbox <alias> -RemoteRoutingAddress <alias>@domain.mail.onmicrosoft.com

  7. Make sure that this user has an Office 365 license. Contact your IT administrator so that a license can be allocated.
  8. Wait until Directory Synchronization completes. By default this runs every 3 hours, unless your IT administrator has sped this up. Once Directory Synchronization has completed, you will see this new mailbox appear in Exchange Online.

    To check to see if the new mailbox has been created online, connect to Exchange Online following the steps above. Using the Exchange Management Console, have a look under Recipient Configuration > Mailbox. Make sure you refresh this view to get the latest listing of remote mailboxes.


  9. You should be able to see the new mailbox.

How to grant full access to a mailbox

  1. You can do this from the Exchange Control Panel in Exchange Online: https://outlook.office365.com/ecp. Log on with your tenant account, and select recipients on the left.


  2. Find the mailbox you want to grant access to, and select Edit.


  3. Under mailbox delegation, you can add users that you want to have Full Access.


    Once you do this, the mailbox will automatically map into Outlook for the users you granted access to. There is no need to manually add the additional mailbox to Outlook. Once the mailbox is automatically added to Outlook, it will be cached locally, similar to the users’ primary mailbox.

Granting Send-As and Send on Behalf permissions to cloud mailboxes

This is done using the Exchange Online Control Panel.

  1. Logon to https://outlook.office365.com/ecp with your Exchange Online (Office 365) credentials.
  2. Select Recipients > Mailboxes and find the mailbox that you are granting access to and click Properties


  3. Select Mailbox Delegation

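Full Access, Send-As and Send on Behalf are each stored in a different place, so it is worth checking all three after a change in the Control Panel, or when reviewing who can act as a mailbox. The following is an added example, not part of the original guide; it assumes an imported Exchange Online PowerShell session, and `Get-MailboxDelegationReport` is a hypothetical function name.

```powershell
# Added example: list every delegate on one mailbox and the kind of access each one holds.
function Get-MailboxDelegationReport {
    param([Parameter(Mandatory=$true)][string]$Mailbox)

    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    $id  = "$($mbx.PrimarySmtpAddress)"

    # Full Access: explicit allow entries only; skip inherited ACEs and the mailbox's own SELF entry.
    Get-MailboxPermission -Identity $id |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -notlike 'NT AUTHORITY\*' -and
            ($_.AccessRights -join ',') -match 'FullAccess'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.User)"; Right = 'FullAccess' }
        }

    # Send As: held as a recipient permission, not a mailbox permission.
    Get-RecipientPermission -Identity $id |
        Where-Object {
            "$($_.Trustee)" -notlike 'NT AUTHORITY\*' -and
            ($_.AccessRights -join ',') -match 'SendAs'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Delegate = "$($_.Trustee)"; Right = 'SendAs' }
        }

    # Send on Behalf: a property of the mailbox object itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Delegate = "$delegate"; Right = 'SendOnBehalf' }
    }
}

# fred@contoso.com is the sample address used elsewhere in this guide.
Get-MailboxDelegationReport -Mailbox 'fred@contoso.com' |
    Sort-Object Right, Delegate |
    Format-Table -AutoSize
```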

Changing default User Principal Name (UPN) of cloud mailboxes

  1. Changing the UPN of a cloud-based mailbox is normally done using the on-premise EMC: go to Recipient Configuration > Mail Contact, select the properties of the Remote User Mailbox, and change the UPN.


    Normally Directory Synchronization will propagate changes to the cloud, by default every 3 hours. Sometimes this does not work, and cloud users can’t access cloud resources after synchronization has taken place. What happens is that the UPN is changed on-premise, then Directory Synchronization runs as normal with no errors, but the UPN in the cloud doesn’t change. You can check the UPN of the user in the cloud on the portal https://portal.microsoftonline.com/

    The User Name field represents the UPN of the user. This sometimes doesn’t change and displays the previous UPN.


  2. To fix this, you need to connect to Exchange Online using PowerShell (see above steps). Run the following two commands: the first sets the UPN of the user to the default tenant domain, and the second uses the same PowerShell command to change the UPN of the user to what it should be.

    Set-MsolUserPrincipalName -UserPrincipalName user@<old_UPN> -NewUserPrincipalName user@<tenant_domain>.onmicrosoft.com

    Set-MsolUserPrincipalName -UserPrincipalName user@<tenant_domain>.onmicrosoft.com -NewUserPrincipalName user@<new_UPN>

Kicking off a manual Directory Synchronization

Sometimes you can’t wait for the default 3 hour window of Directory Synchronization. Kicking off a manual sync is very easy.

  1. Logon to the Directory Synchronization server. Navigate to C:\Program Files\Microsoft Online Directory Sync
  2. Run DirSyncConfigShell.psc1
  3. Type in Start-OnlineCoexistenceSync and hit enter.


  4. You can monitor the progress by opening up the Directory Synchronization program "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"

    You can see the history of Directory Synchronization.


Calendar Permissions

Granting calendar permissions is the same as granting access to any other mailbox folder, as a mailbox calendar is more or less a folder.

  1. You will need to find the PrimarySmtpAddress of the users’ calendar that you want to work with. Connect to Exchange Online PowerShell as above, then run the following command for the user that is in the cloud.

    Get-Mailbox -Identity user* |fl

    Find the PrimarySmtpAddress of the user in the list.

  2. To view current calendar permissions for this user, run:

    Get-MailboxFolderPermission -Identity fred@contoso.com:\Calendar

  3. To add calendar permissions, run the following cmdlet. This will make Ed an owner of Fred’s calendar.

    Add-MailboxFolderPermission -Identity fred@contoso.com:\Calendar -User ed@contoso.com -AccessRights Owner

  4. There are a number of different permissions you can grant to a mailbox folder such as a calendar. See below.

    Taken from http://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx

  5. The AccessRights parameter specifies the permissions for the user with the following access rights:

    • ReadItems   The user has the right to read items within the specified folder.
    • CreateItems   The user has the right to create items within the specified folder.
    • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
    • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
    • EditAllItems   The user has the right to edit all items in the specified folder.
    • DeleteAllItems   The user has the right to delete all items in the specified folder.
    • CreateSubfolders   The user has the right to create subfolders in the specified folder.
    • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can’t read items, edit items, delete items, or create items.
    • FolderContact   The user is the contact for the specified public folder.
    • FolderVisible   The user can view the specified folder, but can’t read or edit items within the specified public folder.

    The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:

    • None   FolderVisible
    • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
    • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
    • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
    • Reviewer   ReadItems, FolderVisible
    • Contributor   CreateItems, FolderVisible

    The following roles apply specifically to calendar folders:

    • AvailabilityOnly   View only availability data
    • LimitedDetails   View availability data with subject and location
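Add-MailboxFolderPermission fails when the user already has an entry on the folder, so a repeatable grant has to check first and switch to Set-MailboxFolderPermission. The following is an added example, not part of the original guide; it assumes an imported Exchange Online PowerShell session and a calendar folder named Calendar, `Set-CalendarAccess` is a hypothetical function name, and the Reviewer default is this example's choice of a read-only starting point rather than Owner.

```powershell
# Added example: grant or change a calendar role without failing on an existing entry.
function Set-CalendarAccess {
    param(
        # PrimarySmtpAddress of the mailbox that owns the calendar
        [Parameter(Mandatory=$true)][string]$Owner,
        # User who receives access
        [Parameter(Mandatory=$true)][string]$Delegate,
        # Only the roles listed in this guide are accepted; a typo is rejected before any change is made.
        [ValidateSet('Owner','PublishingEditor','Editor','PublishingAuthor','Author',
                     'NonEditingAuthor','Reviewer','Contributor',
                     'AvailabilityOnly','LimitedDetails','None')]
        [string]$Role = 'Reviewer'
    )

    # Braces are required: "$Owner:\Calendar" would be parsed as a scoped variable name.
    $folder = "${Owner}:\Calendar"

    # Look for an existing entry for this delegate on the folder.
    $existing = Get-MailboxFolderPermission -Identity $folder -User $Delegate -ErrorAction SilentlyContinue

    if ($existing) {
        # Entry exists: replace its rights.
        Set-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights $Role
    }
    else {
        # No entry yet: create one.
        Add-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights $Role
    }

    # Return the resulting permission list so the change can be verified.
    Get-MailboxFolderPermission -Identity $folder | Select-Object User, AccessRights
}

# Sample addresses are the ones used in the steps above.
Set-CalendarAccess -Owner 'fred@contoso.com' -Delegate 'ed@contoso.com' -Role Reviewer
```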
