Working with many Office365 clients, I receive queries on how to go about provisioning users and mailboxes for an Exchange hybrid deployment.
To begin with, let's assume a couple of things.
- We have a Windows 2012 R2 member server with Azure AD Connect (AAD Connect) version 1.1.105.00 (or newer) and the Azure AD Module for PowerShell installed; and
- We have an Exchange 2013 CU11 (or newer) server configured for hybrid with an active O365 tenant.
Now that we've established a baseline, there are a couple of options to perform the task of provisioning an AD user, creating a mailbox, and assigning an Office 365 license.
- The first option would be to create an AD user, create an on-premises mailbox, migrate the mailbox to Office 365, and assign a license; or
- The second option would be to create an AD user, create a remote (or Office 365) mailbox, and assign a license.
In this post, I will cover the second option simply because it includes fewer steps and attempts to avoid confusion around where the mailbox should be created.
STEP 1: CREATE USER & MAILBOX
From the Exchange server, first create the AD user with a remote mailbox using one command via the Exchange Management Shell (EMS or Exchange PowerShell)…
New-RemoteMailbox -UserPrincipalName "[email protected]" -Alias "UserTest" -Name "UserTest" -FirstName "User" -LastName "Test" -DisplayName "User Test" -OnPremisesOrganizationalUnit "Office 365 Users" -Password (ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force) -ResetPasswordOnNextLogon $true
In the command above, I created the AD user in an OU named “Office 365 Users”, set the password to “EnterPasswordHere”, and required the user to change it at next logon. Be aware that a password typed into the command line this way is written to the shell history and to any transcript; prompting for it with Read-Host -AsSecureString (or generating a random one) avoids that. I did not assign an SMTP address or remote routing address, assuming that the email address policies are configured to be applied as new mailboxes are created. That assumption only holds if the policy includes the tenant's <tenant>.mail.onmicrosoft.com routing domain (the Hybrid Configuration Wizard adds it); if it does not, the on-premises object will not point at the cloud mailbox, so check the result with Get-RemoteMailbox or pass -RemoteRoutingAddress explicitly.
STEP 2: SYNCHRONIZE USER
Once the AD user and mailbox are created, the AD object must be synchronized to O365 in order to add the user, with its associated mailbox, to the tenant. With the current version of AAD Connect, the built-in scheduler runs a delta sync every 30 minutes by default. In my case, I'm not that patient and will manually force a sync to O365.
From the server with AAD Connect installed, via an elevated PowerShell console (the cmdlet lives in the ADSync module, which is installed with AAD Connect), run the following command to perform the sync to O365…
Start-ADSyncSyncCycle -PolicyType Delta
A delta sync exports only the objects and attributes changed since the last cycle, which covers the new user and the Exchange attributes that New-RemoteMailbox stamped on it. If a cycle is already in progress the command fails; Get-ADSyncScheduler shows whether one is running, so wait for it to finish before starting another.
STEP 3: ASSIGN LICENSE
In the final step, I assign an O365 license to the newly created and synchronized user. The following commands can be run from any machine that has both the Microsoft Online Services Sign-in Assistant for IT Professionals RTW and the Windows Azure Active Directory Module for Windows PowerShell installed. In my case, they are installed on each server, as well as my admin workstation.
Connect to O365 via PowerShell from an elevated PowerShell console, or using the Azure AD Module for PowerShell console. The Set-Msol* cmdlets used below need a Connect-MsolService session; the Exchange Online remote session is only required if you also want to inspect the mailbox side. (The ps.outlook.com endpoint with basic authentication has since been retired; current tenants connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, and the MSOnline module itself is deprecated in favour of Microsoft Graph PowerShell.)
#Connect to Office365
$O365Cred = Get-Credential
Connect-MsolService -Credential $O365Cred
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Next, confirm the new user does not yet have an O365 license assigned. Get-MsolUser -UnlicensedUsersOnly returns the unlicensed O365 users, i.e. those whose “IsLicensed” property is “False”; the new user should appear in that list.
The next command, Get-MsolAccountSku, returns the “AccountSkuId”, or subscription license(s), of my tenant that I will use to assign to the new user, together with the ActiveUnits and ConsumedUnits counts that tell me whether a seat is still free.
The AccountSkuId will look something similar to “tenantname:ENTERPRISEPACK”, where “ENTERPRISEPACK” represents my Office 365 Enterprise E3 subscription. Other subscriptions will have different representations.
Before I can assign any licenses to my new user, the user must be assigned a usage location (a two-letter ISO country code); Set-MsolUserLicense fails without it. Since I am located in the United States, I use “US” as the country code for the user, using this command…
Set-MsolUser -UserPrincipalName email@example.com -UsageLocation US
Now that I've set a location for the new user, I can assign a license from my associated O365 subscription, using this command…
Set-MsolUserLicense -UserPrincipalName firstname.lastname@example.org -AddLicenses tenantname:ENTERPRISEPACK
Finally, once the license is applied, Exchange Online provisions the mailbox at the remote routing address and the user can access their assigned mailbox in Exchange Online. Get-MsolUser for the new UPN should now report IsLicensed as True.
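The three steps above, combined into a single script as an added example; this is not the original post's code. It assumes it runs in the Exchange Management Shell on the hybrid Exchange server with the MSOnline module installed, that PowerShell remoting to the AAD Connect server is permitted for an account in that server's ADSyncAdmins group, and that the hypothetical names (aadc01, contoso, the “Office 365 Users” OU, ENTERPRISEPACK) are replaced with your own. It differs from the one-liners in the post in three places a practitioner would want: the password is prompted as a SecureString rather than typed in clear text, the remote routing address is set explicitly, and the license is only assigned after the object has actually synchronized and the SKU still has a free seat.

```powershell
# Added example, not the original post's code. Server, tenant and OU names below
# are hypothetical placeholders; replace them with your own.
param(
    [Parameter(Mandatory)][string]$FirstName,
    [Parameter(Mandatory)][string]$LastName,
    [Parameter(Mandatory)][string]$UpnDomain,                 # e.g. contoso.com
    [string]$TenantName    = 'contoso',                       # <tenant>.onmicrosoft.com
    [string]$AadcServer    = 'aadc01',                        # AAD Connect server
    [string]$TargetOU      = 'contoso.com/Office 365 Users',
    [string]$SkuPartNumber = 'ENTERPRISEPACK',                # Office 365 E3
    [string]$UsageLocation = 'US'
)

$ErrorActionPreference = 'Stop'
$alias = ("$FirstName$LastName" -replace '[^a-zA-Z0-9]', '')
$upn   = ('{0}.{1}@{2}' -f $FirstName, $LastName, $UpnDomain).ToLower()

# STEP 1: create the AD user and remote mailbox. The password is read as a
# SecureString so it never appears in the script, the command line or the shell
# history, and the remote routing address is set explicitly instead of relying on
# the email address policy to contain the <tenant>.mail.onmicrosoft.com domain.
$password = Read-Host -Prompt "Initial password for $upn" -AsSecureString
$routing  = '{0}@{1}.mail.onmicrosoft.com' -f $alias, $TenantName
$rm = New-RemoteMailbox -UserPrincipalName $upn -Alias $alias `
        -Name "$FirstName $LastName" -FirstName $FirstName -LastName $LastName `
        -DisplayName "$FirstName $LastName" -OnPremisesOrganizationalUnit $TargetOU `
        -RemoteRoutingAddress $routing -Password $password -ResetPasswordOnNextLogon $true
Write-Host "Created remote mailbox $($rm.PrimarySmtpAddress), routing to $($rm.RemoteRoutingAddress)"

# STEP 2: force a delta sync on the AAD Connect server and wait for it to finish.
# Start-ADSyncSyncCycle errors if a cycle is already running, so wait for idle first.
Invoke-Command -ComputerName $AadcServer -ScriptBlock {
    Import-Module ADSync
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 5
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

# STEP 3: license the user, but only once the object has appeared in the tenant.
$o365Cred = Get-Credential -Message 'Office 365 user administrator'
Connect-MsolService -Credential $o365Cred

$msolUser = $null
$deadline = (Get-Date).AddMinutes(10)
do {
    $msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $msolUser) { Start-Sleep -Seconds 30 }
} until ($msolUser -or (Get-Date) -gt $deadline)
if (-not $msolUser) { throw "$upn has not synchronized after 10 minutes; check the AAD Connect export errors." }
if ($msolUser.IsLicensed) { Write-Warning "$upn is already licensed"; return }

# Do not assign blindly: confirm the SKU exists in this tenant and still has a free seat.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "No subscription with SkuPartNumber $SkuPartNumber in this tenant" }
if (($sku.ActiveUnits - $sku.ConsumedUnits) -lt 1) { throw "$($sku.AccountSkuId) has no free seats" }

# UsageLocation is mandatory before any license can be assigned.
Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses "$($sku.AccountSkuId)"

# Verify the result rather than assuming it took effect.
$check = Get-MsolUser -UserPrincipalName $upn
if (-not $check.IsLicensed) { throw "License assignment for $upn did not take effect" }
Write-Host "$upn licensed with $($sku.AccountSkuId); the Exchange Online mailbox will be provisioned shortly."
```

Run it as, for example, `.\New-HybridUser.ps1 -FirstName User -LastName Test -UpnDomain contoso.com`. The polling loop in step 3 exists because the MSOL object can lag the end of the sync cycle by a minute or two; assigning the license before the object exists simply fails, and assigning it without checking ConsumedUnits can silently leave the user unlicensed when the subscription is full.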