I'm performing a migration to Office 365 from a third-party mail server (MDaemon); the local Active Directory doesn't include any Exchange server, and never had any.

We will need directory synchronization in order to enable users to log on to Office 365 using their domain credentials; but it seems that as soon as you enable directory synchronization, you can't perform any action anymore on Office 365 users: all changes need to be made on the local Active Directory, and then replicated by the synchronization process.

For ordinary users with a single e-mail address and standard features, this is not a big problem; but what about users which need an additional address? What if I need to configure some nonstandard setting, like "hide from address list" or a custom mailbox quota?

From what I've gathered, the only supported way to do this, as you can't directly edit Office 365 objects anymore after synchronization is enabled, is to extend the local AD schema with Exchange attributes, and then manually edit them (!). Or, you can install at least one local Exchange server, and then use the Exchange administrative tools to configure the required settings.

Is this correct or am I missing something?
Is there any way to synchronize user accounts and password, but still be able to edit user settings directly in Office 365?
If not (everything really needs to be set locally and then synchronized), is there any simpler way to do this than manually editing LDAP attributes or installing a local Exchange server?

Massimo

3 Answers

You are correct.

Once the user accounts are synchronized, the accounts on O365 essentially become read-only copies of the AD credentials. It's not a two-way trust, so no, you won't be able to make any changes.

Using PowerShell you should be able to make any of the changes you're looking for in O365. http://community.spiceworks.com/how_to/show/28793-managing-office-365-using-powershell

I haven't gone down the local exchange server route so I have no information on that one.

Matt Bear
  • Ahem... would not O365 PowerShell become quite useless too, since it operates on O365 accounts, and they are read-only? – Massimo Aug 30 '13 at 18:03
  • Any attributes managed by AD become read only. Adding additional mailboxes is fairly simple, either through powershell or through the mailbox settings in O365 because those are not AD attributes. – Matt Bear Aug 30 '13 at 18:30
  • I have many users set up with multiple email addresses, but I haven't set any custom quotas. You can actually set a lot of attributes regarding the mailbox itself through O365. And yes you can set hide from address book via powershell: Set-Mailbox -Identity User@domain.com -HiddenFromAddressListsEnabled $true – Matt Bear Aug 30 '13 at 18:32
  • I tried adding an additional address to the mailbox of a synchronized user via PowerShell remoting to Office 365, but it says the object is synchronized and all modifications should be performed on my local AD. – Massimo Sep 09 '13 at 10:04
  • Try using the exchange control panel in O365 itself, http://kb.mosaicdataservices.com/questions/201/Accessing+the+Exchange+Control+Panel+for+Small+Business+Office+365 – Matt Bear Sep 09 '13 at 17:50
  • Doesn't work, it won't let you make any change to synchronized objects. – Massimo Sep 09 '13 at 21:13
I wanted to let you know we are in the same boat, but already deployed and using O365 keeping logins separate at the moment. I looked at the new dirsync w/ pwd sync but ran into the same scenario as you and really didn't feel like messing with the local schema extensions and attribute editing. While it probably would be the "best" choice long term and fully supported by MS, I just didn't feel like going that route yet.

We're looking at just using this: http://www.messageops.com/software/office-365-tools-and-utilities/office-365-password-synchronization instead. It handles password syncing but doesn't mess with actually syncing their AD accounts themselves.

This may not work for you, but wanted to throw it out there as an option.

TheCleaner

Is this correct or am I missing something?

That's correct. Once you use DirSync to synchronize your AD accounts, they are marked as "MasteredOnPremise" in the cloud, which makes all AD-related attributes read-only in the cloud. This configuration (named "DirSync Only") is the most tricky from recipient administration aspects. You will have to "dance" between setting local AD attributes (using ADUC or ADSI) and setting non-AD attributes (using PowerShell). See the following for PowerShell examples: Office 365 Recipient Administration. (Disclaimer: I work for U-BTech Solutions)

Is there any way to synchronize user accounts and password, but still be able to edit user settings directly in Office 365?

Not an MS-supported way, only using 3rd-party tools.

If not (everything really needs to be set locally and then synchronized), is there any simpler way to do this than manually editing LDAP attributes or installing a local Exchange server?

Not out-of-the-box, but 3rd-party tools like U-BTech's Exchange Tasks 2013 (Disclaimer: I work for U-BTech Solutions) provide a simple UI for common administration needs.

As for the local Exchange Server solution, some of our customers choose to install a local Exchange "Management Only" server; others prefer to run just the AD preparation wizard of the Exchange 2010 installer to extend the AD schema with the additional Exchange-related attributes. Both solutions provide a limited management experience, however.

Oren Chapo
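The "dance" between AD-mastered attributes and Office 365-side settings described in the answers above, as an added PowerShell example that is not part of the question or any answer and is not U-BTech's or Microsoft's code. It assumes the ActiveDirectory module (RSAT) is installed, that the local AD schema has been extended with the Exchange attributes (so that `msExchHideFromAddressLists` exists), and that a remote PowerShell session to Exchange Online is already open for the last step; the account name and addresses are constructed sample values.

```powershell
# Added example: set the attributes that DirSync masters in local AD, then the
# settings that stay editable on the Office 365 side.
# Assumptions: ActiveDirectory module present, Exchange schema extension applied,
# an existing remote PowerShell session to Exchange Online for step 3.
Import-Module ActiveDirectory

$sam     = 'jdoe'                   # constructed sample account
$primary = 'jdoe@example.com'       # constructed sample addresses
$extra   = 'john.doe@example.com'

# 1. Additional SMTP address: proxyAddresses is AD-mastered once DirSync is on,
#    so it must be added locally. Uppercase "SMTP:" marks the primary address,
#    lowercase "smtp:" a secondary one. Check first to avoid duplicate values.
$user = Get-ADUser -Identity $sam -Properties proxyAddresses, mail
if (-not ($user.proxyAddresses -contains "SMTP:$primary")) {
    Set-ADUser -Identity $sam -Add @{ proxyAddresses = "SMTP:$primary" } -EmailAddress $primary
}
if (-not ($user.proxyAddresses -contains "smtp:$extra")) {
    Set-ADUser -Identity $sam -Add @{ proxyAddresses = "smtp:$extra" }
}

# 2. Hide from address lists: with the Exchange schema extension this is the
#    boolean attribute msExchHideFromAddressLists, also AD-mastered.
Set-ADUser -Identity $sam -Replace @{ msExchHideFromAddressLists = $true }

# Review what the next synchronization cycle will carry to Office 365.
Get-ADUser -Identity $sam -Properties proxyAddresses, msExchHideFromAddressLists |
    Select-Object SamAccountName, proxyAddresses, msExchHideFromAddressLists

# 3. Settings that are not AD attributes (here, mailbox quotas) remain editable in
#    Exchange Online and are set in the remote session, within the plan's limits.
Set-Mailbox -Identity $primary `
    -IssueWarningQuota 35GB -ProhibitSendQuota 40GB -ProhibitSendReceiveQuota 45GB
```

Steps 1 and 2 run against a domain controller with the AD cmdlets; step 3 runs in the Exchange Online remoting session, which is why `Set-Mailbox` works there while attempting the same for `proxyAddresses` on a synchronized object is refused, as reported in the comments above.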