The idea with DirSync is to keep your user administration on-prem. A problem arise when you decomission the on-premises Exchange server and want to create a Shared Mailbox or a Resource Mailbox. There is no simple way to create such mailbox without assigning a license. It is possible to create a new regular user, assign a license, and then convert it to a Shared Mailbox or a Resource Mailbox, but the drawback with this method is that it requires a license during the process. On the other hand your user account will be fully managed in your on-prem environment, and the goal is achieved.
Another possibility is to create a Resource Mailbox with a Cloud Identity, and then connect it to an account synced from your Active Directory. This is what I will show you now. Lets start with disabling DirSync. This step is not necessary, but we might get some problems if our accounts are synced before they are ready.
Stop-Service MSOnlineSyncScheduler
Then we create a user account in Active Directory that we will later sync to Office 365:
Import-Module ActiveDirectory
$ADUserProperties = @{
Name = 'Meeting Room 1'
Path = 'CN=Users,DC=365lab,DC=net'
SamAccountName = 'room1'
UserPrincipalName = 'room1@365lab.net'
DisplayName = 'Meeting Room 1'
EmailAddress = 'room1@365lab.net'
OtherAttributes = @{
ProxyAddresses = 'SMTP:room1@365lab.net'
}
}
$ADUser = New-ADUser @ADUserProperties -PassThru
The next step is to create a new Resource Mailbox in Office 365. This can be done either with GUI or PowerShell, I prefer PowerShell.
$O365cred = Get-Credential
$O365sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365cred -Authentication Basic -AllowRedirection
$importcmd = Import-PSSession $O365sess
$O365UserProperties = @{
DisplayName = 'Meeting Room 1'
Name = 'room1'
}
$RoomMailbox = New-Mailbox @O365UserProperties -Room
Now we have two separate accounts, one in Active Directory with the managed attributes, and one in the cloud that we want to connect to our on-prem identity. The connection is done by populating the ImmutableID attribute with the corresponding ObjectGuid from Active Directory. Also, we change the UserPrincipalName in Office 365 to match our domain account.
$ObjectGuid = $ADUser.objectGuid $ImmutableId = [System.Convert]::ToBase64String($ObjectGuid.ToByteArray()) Import-Module MSOnline Connect-MsolService Set-MsolUserPrincipalName -UserPrincipalName $RoomMailbox.UserPrincipalName -NewUserPrincipalName $ADUser.UserPrincipalName -ImmutableId $ImmutableId
Now our UserPrincipalNames are the same in both our Active Directory and in Office 365, and we have linked then together using the ObjectGuid/ImmutableId. Time to start our DirSync service again and force a synchronization to run.
Start-Service MSOnlineSyncScheduler Import-Module DirSync Start-OnlineCoexistenceSync -FullSync
Now the Cloud Identity is converted to a DirSynced Identity, and the attributes in Active Directory are syned to our new Resource Mailbox. From now on all user administration tasks for this account can be managed in our on-prem Active Directory.
/ Andreas
Tailspintoys - 365lab.net 
Thanks for this, really good information. Regarding managing the send as permissions internally via AD, how would you recommend going about this? I’ve attempted to use the ‘Send As’ property, as well as the msExchSendAsAddresses attribute, to no effect. There seems to be very little detail on this dir-synced, locally managed approach, only information about hybrid scenarios. Any input you have would be much appreciated.
My recommendation would be to use the Exchange Management Tools to handle this kind of changes. There are several third party tools on the market that does the same job as the Exchange tools, but I have mixed experience from these tools and I would make a careful evaluation of these tools before putting them in production. I would definitely go with the first option.
What is the difference between what you are doing above, and simply using
New-RemoteMailbox Username -Room
From the exchange management shell?
This blog post was written for situations where there is no hybrid server installed on-prem. I have updated the text to reflect this.
The cmdlet New-RemoteMailbox is of course the preferred way to create Resource Mailboxes. There is however no “-Shared” parameter to New-RemoteMailbox, so for that situation a workaround is still needed. The recommended way is to create the Shared Mailbox on-prem and then migrate it to Office 365.
Your instructions worked perfectly. Question, though: Is there an advantage to doing it this way instead of creating an account with New-RemoteMailbox?
This blog post was written for situations where there is no hybrid server installed on-prem. Please see my answer to David.
What would the shell look like if the resource mailbox is already created in O365? I can create an account in AD but am a little confused on how to populate the ImmutableID attribute with the corresponding ObjectGuid from Active Directory.
Just skip the step to create the new mailbox (line 24), the other steps are the same 🙂
According to almost all posts on provisioning users in a Hybrid environment with Exchange Online, the recommendation is to create on-prem user, enable-remotemailbox, DirSync and assign license. Waiting for the DirSync really messes with a script because you have to wait in a loop for the DirSync to complete. This is very unpredictable and time consuming for the unsuspecting helpdesk person. This example can be used for a standard on-prem user with Exchange Online so that the script doesn’t have to wait. Throw a start-adsyncsyncycle on the end and you are golden.
Do both UserPrincipalName and ObjectGUID need to be added to the AAD account? Which one is checked first? Soft Match vs. Hard Link (or Hard Match)?
Thanks for the post!
I totaly agree with you that you should run Enable-RemoteMailbox if you have a hybrid with an onprem server. This scenario covers when the onprem server is decommissioned.
I could be wrong but in following statement you haven’t linked anything until you actually run your DirSync
“Now our UserPrincipalNames are the same in both our Active Directory and in Office 365, and we have linked then together using the ObjectGuid/ImmutableId. Time to start our DirSync service again “
If you’ve created resources in this way, what would be the best way to back out? If you wanted to leave the resource in 365 with all data and permissions and manage it there, while breaking the link to the on prem AD?
The process will be the same, regardless if the mailbox is a regular UserMailbox or a ResourceMailbox. Just disable DirSync
Set-MsolDirSyncEnabled –EnableDirSync $falseand then uninstall ADConnect.Ah, I should have been more specific. I want to continue synching my user accounts and groups. It’s breaking the connection to the resource mailboxes and removing them from the on prem directory, leaving them as cloud managed resources that can be managed with the 365 admin console that I was after.