Exchange Online: How to create a dirsynced Resource Mailbox

The idea with DirSync is to keep your user administration on-prem. A problem arise when you decomission the on-premises Exchange server and want to create a Shared Mailbox or a Resource Mailbox. There is no simple way to create such mailbox without assigning a license. It is possible to create a new regular user, assign a license, and then convert it to a Shared Mailbox or a Resource Mailbox, but the drawback with this method is that it requires a license during the process. On the other hand your user account will be fully managed in your on-prem environment, and the goal is achieved.

Another possibility is to create a Resource Mailbox with a Cloud Identity, and then connect it to an account synced from your Active Directory. This is what I will show you now. Lets start with disabling DirSync. This step is not necessary, but we might get some problems if our accounts are synced before they are ready.

Stop-Service MSOnlineSyncScheduler

Then we create a user account in Active Directory that we will later sync to Office 365:

Import-Module ActiveDirectory
$ADUserProperties = @{
    Name =               'Meeting Room 1'
    Path =               'CN=Users,DC=365lab,DC=net'
    SamAccountName =     'room1'
    UserPrincipalName =  'room1@365lab.net'
    DisplayName =        'Meeting Room 1'
    EmailAddress =       'room1@365lab.net'
    OtherAttributes = @{
        ProxyAddresses = 'SMTP:room1@365lab.net'
    }
}
$ADUser = New-ADUser @ADUserProperties -PassThru

The next step is to create a new Resource Mailbox in Office 365. This can be done either with GUI or PowerShell, I prefer PowerShell.

$O365cred = Get-Credential
$O365sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365cred -Authentication Basic -AllowRedirection
$importcmd = Import-PSSession $O365sess

$O365UserProperties = @{
    DisplayName =        'Meeting Room 1'
    Name =               'room1'
}

$RoomMailbox = New-Mailbox @O365UserProperties -Room

Now we have two separate accounts, one in Active Directory with the managed attributes, and one in the cloud that we want to connect to our on-prem identity. The connection is done by populating the ImmutableID attribute with the corresponding ObjectGuid from Active Directory. Also, we change the UserPrincipalName in Office 365 to match our domain account.

$ObjectGuid = $ADUser.objectGuid
$ImmutableId = [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())

Import-Module MSOnline
Connect-MsolService 

Set-MsolUserPrincipalName -UserPrincipalName $RoomMailbox.UserPrincipalName -NewUserPrincipalName $ADUser.UserPrincipalName -ImmutableId $ImmutableId

Now our UserPrincipalNames are the same in both our Active Directory and in Office 365, and we have linked then together using the ObjectGuid/ImmutableId. Time to start our DirSync service again and force a synchronization to run.

Start-Service MSOnlineSyncScheduler

Import-Module DirSync
Start-OnlineCoexistenceSync -FullSync

Now the Cloud Identity is converted to a DirSynced Identity, and the attributes in Active Directory are syned to our new Resource Mailbox. From now on all user administration tasks for this account can be managed in our on-prem Active Directory.

/ Andreas

Advertisements

13 thoughts on “Exchange Online: How to create a dirsynced Resource Mailbox

  1. Simon Knaggs (@MrSimoon)

    Thanks for this, really good information. Regarding managing the send as permissions internally via AD, how would you recommend going about this? I’ve attempted to use the ‘Send As’ property, as well as the msExchSendAsAddresses attribute, to no effect. There seems to be very little detail on this dir-synced, locally managed approach, only information about hybrid scenarios. Any input you have would be much appreciated.

    Reply
    1. Andreas Lindahl Post author

      My recommendation would be to use the Exchange Management Tools to handle this kind of changes. There are several third party tools on the market that does the same job as the Exchange tools, but I have mixed experience from these tools and I would make a careful evaluation of these tools before putting them in production. I would definitely go with the first option.

      Reply
    1. Andreas Lindahl Post author

      This blog post was written for situations where there is no hybrid server installed on-prem. I have updated the text to reflect this.

      The cmdlet New-RemoteMailbox is of course the preferred way to create Resource Mailboxes. There is however no “-Shared” parameter to New-RemoteMailbox, so for that situation a workaround is still needed. The recommended way is to create the Shared Mailbox on-prem and then migrate it to Office 365.

      Reply
  2. Michael

    Your instructions worked perfectly. Question, though: Is there an advantage to doing it this way instead of creating an account with New-RemoteMailbox?

    Reply
    1. Andreas Lindahl Post author

      This blog post was written for situations where there is no hybrid server installed on-prem. Please see my answer to David.

      Reply
  3. Wally

    What would the shell look like if the resource mailbox is already created in O365? I can create an account in AD but am a little confused on how to populate the ImmutableID attribute with the corresponding ObjectGuid from Active Directory.

    Reply
    1. Andreas Lindahl Post author

      Just skip the step to create the new mailbox (line 24), the other steps are the same 🙂

      Reply
  4. MIke Niccum

    According to almost all posts on provisioning users in a Hybrid environment with Exchange Online, the recommendation is to create on-prem user, enable-remotemailbox, DirSync and assign license. Waiting for the DirSync really messes with a script because you have to wait in a loop for the DirSync to complete. This is very unpredictable and time consuming for the unsuspecting helpdesk person. This example can be used for a standard on-prem user with Exchange Online so that the script doesn’t have to wait. Throw a start-adsyncsyncycle on the end and you are golden.

    Do both UserPrincipalName and ObjectGUID need to be added to the AAD account? Which one is checked first? Soft Match vs. Hard Link (or Hard Match)?

    Thanks for the post!

    Reply
    1. Andreas Lindahl Post author

      I totaly agree with you that you should run Enable-RemoteMailbox if you have a hybrid with an onprem server. This scenario covers when the onprem server is decommissioned.

      Reply
  5. Ian

    If you’ve created resources in this way, what would be the best way to back out? If you wanted to leave the resource in 365 with all data and permissions and manage it there, while breaking the link to the on prem AD?

    Reply
    1. Andreas Lindahl Post author

      The process will be the same, regardless if the mailbox is a regular UserMailbox or a ResourceMailbox. Just disable DirSync Set-MsolDirSyncEnabled –EnableDirSync $false and then uninstall ADConnect.

      Reply
      1. Ian

        Ah, I should have been more specific. I want to continue synching my user accounts and groups. It’s breaking the connection to the resource mailboxes and removing them from the on prem directory, leaving them as cloud managed resources that can be managed with the 365 admin console that I was after.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s