Chicken and Egg Problem with Local AD Accounts and Exchange Online Mailboxes

Issue:  

When automating the creation of Active Directory (AD) accounts and licensing Office 365 Exchange Online mailboxes, you run into the problem that newly created local accounts have not yet synchronized to Office 365, yet the next step after creating the accounts is to set up their mailboxes.

Solution:

The PowerShell script below solves the chicken and egg problem of needing accounts synchronized to Office 365 before Exchange Online mailboxes can be set up. When creating accounts automatically you can't wait for Office 365 synchronization to complete; the AD user has to be set up once, at creation time.

Overall Steps:

  • Step 1 Automatically create AD accounts (PowerShell or UMRA)
  • Step 2 Run the script below
  • Step 3 Synchronize Office 365 accounts using AD Connect (the script calls an AD Connect delta sync at the bottom, so you could skip this step)
  • Step 4 License Office 365 users via PowerShell


Caveat:

  • These accounts cannot be migrated back from Office 365 to a local Exchange mailbox, so only do this for accounts that you never plan to move back to your on-prem Exchange server.


Script:

The script below must be run from the server with AD Connect installed if you want to use the ADSync module (needed for the delta sync at the end).

Import-Module ActiveDirectory;
Import-Module ADSync

#Mail Enable Student Accounts and set Accounts as Exchange Online Only Accounts without ever having a local mailbox and solving chicken and egg problem

#*********************************************************************************************************************
# Object Created: 9/29/2016

# Object Name: Mail Enable Exchange Online Accounts that will never need to be migrated back to Local Exchange Server and these accounts are automatically created
# Object Type: Powershell
# Related Objects:  automatic licensing of Office 365 users powershell code
# Object Description:  This solves the chicken and egg problem of needing accounts synced to Office 365 prior to setting up Exchange Online mailboxes.
#When automatically creating accounts you can't wait for Office 365 syncing to happen; the AD user has to be set up once, at creation time.

#Step 1 Automatically create AD accounts (PowerShell or UMRA)
#Step 2 Run this script
#Step 3 Synchronize Office 365 accounts using AD Connect (this script calls an AD Connect delta sync at the bottom, so you could skip this step)
#Step 4 License Office 365 users via PowerShell

# Created Date:
# Created by: pcooper
# Comments:

#*********************************************************************************************************************


#How to install active directory module
#https://4sysops.com/archives/how-to-install-the-powershell-active-directory-module/


#Start-Sleep -m 12


$username = "[LOCAL AD ADMIN ACCOUNT]";

#$secpasswd = ConvertTo-SecureString "Local AD Admin Password" -AsPlainText -Force
#$cred = New-Object System.Management.Automation.PSCredential($username, $secpasswd);
$cred = Get-Credential;

#Connect to Local Exchange to Create Mailboxes in the Cloud
$sessionoption = New-PSSessionOption -SkipCNCheck 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://LOCAL_EXCHANGE_SERVER/powershell/ -Credential $cred -AllowRedirection -SessionOption $sessionoption;

#Connect to Local Exchange Server Powershell Session
Import-PSSession $Session

#Get Current AD Domain
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
#$root = $dom.GetDirectoryEntry()

$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DOMAIN_CONTROLLER_SERVER/OU=School Sites,DC=DOMAIN_NAME,DC=com")

$search = [System.DirectoryServices.DirectorySearcher]$root
#In an Active Directory search filter a backslash has to be escaped as "\5c"
#Change the search filter as desired (currently: student users whose samAccountName starts with 8 or 9 and that are not already stamped as a remote user mailbox)
$search.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Students,OU=School Sites,DC=DOMAIN_NAME,DC=com)(|(samAccountName=8*)(samAccountName=9*))(!msExchRecipientDisplayType=-2147483642))"
$result = $search.FindAll()


foreach ($user in $result)
{
    #the properties have to be all lowercase
    $username1 = $($user.properties.samaccountname);
    $remotemailbox = "$username1@TENANT_ID.mail.onmicrosoft.com"

    try {
        Write-Host "MailEnable: $username1";
        #Mail-enable the user, using the tenant routing address as the external address
        #Enable-RemoteMailbox -Identity "$username1" -RemoteRoutingAddress "$username1@TENANT_ID.mail.onmicrosoft.com";
        Enable-MailUser -Identity $username1 -ExternalEmailAddress $remotemailbox;
    }
    catch {
        Write-Error $Error[0];
    }
}


foreach ($user in $result)
{
    #the properties have to be all lowercase
    $username1 = $($user.properties.samaccountname);

    try {
        Write-Host "Set-ADUser: $username1";
        #Stamp the Exchange attributes that mark the object as a remote (Exchange Online) user mailbox
        Set-ADUser -Identity "$username1" -Replace @{msExchHideFromAddressLists = $true; msExchRecipientDisplayType = "-2147483642"; msExchRecipientTypeDetails = "2147483648"; msExchRemoteRecipientType = "4"};
    }
    catch {
        Write-Error $Error[0];
    }
}

#Update Email Address Policy for Migrated Office 365 Exchange Online Accounts because the account properties were modified using powershell
Update-EmailAddressPolicy -Identity O365

Remove-PSSession $Session

#Force Delta Synch to send up accounts prior to assigning Office 365 licensing
Start-ADSyncSyncCycle -PolicyType Delta
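The following is an added check, not part of the original script: before forcing the delta sync and licensing, it lists any in-scope user whose attributes do not yet match what the script above writes, and it waits for an already running sync cycle before starting a new one (Start-ADSyncSyncCycle errors out if a cycle is in progress). It assumes the same OU, group and tenant placeholders as the script.

```powershell
# Added verification helper (not from the original post). Assumes the
# ActiveDirectory and ADSync modules are loaded and reuses the placeholder
# OU, group and tenant names from the script above.
$searchBase   = "OU=School Sites,DC=DOMAIN_NAME,DC=com"
$studentGroup = "CN=Students,OU=School Sites,DC=DOMAIN_NAME,DC=com"
$tenantSuffix = "@TENANT_ID.mail.onmicrosoft.com"

function Test-RemoteMailboxStamp {
    # Returns the users in scope whose Exchange attributes do not match the
    # values the script writes, so nothing gets licensed before it is ready.
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$studentGroup)(|(samAccountName=8*)(samAccountName=9*)))"
    $props  = 'targetAddress','msExchRecipientDisplayType','msExchRecipientTypeDetails','msExchRemoteRecipientType'
    Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -Properties $props | ForEach-Object {
        $problems = @()
        # Enable-MailUser writes the external address as SMTP:<address> into targetAddress
        if ($_.targetAddress -ne "SMTP:$($_.SamAccountName)$tenantSuffix") { $problems += 'targetAddress' }
        if ($_.msExchRecipientDisplayType -ne -2147483642) { $problems += 'msExchRecipientDisplayType' }
        if ($_.msExchRecipientTypeDetails -ne 2147483648)  { $problems += 'msExchRecipientTypeDetails' }
        if ($_.msExchRemoteRecipientType  -ne 4)           { $problems += 'msExchRemoteRecipientType' }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; Mismatched = ($problems -join ', ') }
        }
    }
}

function Start-SafeDeltaSync {
    # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for it to finish first.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
    Start-ADSyncSyncCycle -PolicyType Delta
}

$notReady = @(Test-RemoteMailboxStamp)
if ($notReady.Count -eq 0) {
    Start-SafeDeltaSync
} else {
    Write-Warning "Not syncing: $($notReady.Count) user(s) are not fully stamped yet"
    $notReady | Format-Table -AutoSize
}
```

Run it right after the script, from the AD Connect server; an empty result means the Step 4 licensing script can follow the delta sync.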

Resources:

O365: Exchange and AD – How msExchRecipientDisplayType and msExchangeRecipientTypeDetails Relate to Your On-Premises
