Azure AD Connect and Exchange Online


  • I have a client that wants to use AD Connect from on-premises Active Directory just for password synchronization.

    However, it seems that if you use AD Connect password sync you can't manage SMTP addresses in Office 365 Exchange Administration; you have to edit them with the ADSI Edit tool on-premises, even when every single user's mailbox is in Exchange Online. WHAT?

    I used the Synchronization Rules Editor in AD Connect to disable the user Exchange sync rules, both inbound and outbound, but this does not seem to allow you to manage email addresses in Office 365, which is weird. What is disabling these rules actually doing then?

    I can't get a definitive answer about this because it's impossible, even for a partner, to get Azure cloud support unless the client has paid Azure support, which they don't because they are just an Office 365 client.

    Does anybody have any answer for this bizarre behavior? Is this just some legacy of AD that Microsoft can't fix right now? If so, is it just better to tell clients to wait until the AD Connect product matures?


    Friday, March 24, 2017 10:43 PM

All replies

  • This is "by design". When you use DirSync, the on-prem directory is the source of authority, thus all attributes are managed locally, including Exchange-related ones. That's the reason why the only "supported" configuration is to use the Exchange management tools on-prem, even if you don't have a need for an Exchange server.

    And yes, it's far from optimal, but it's the only solution we have now. Folks from Microsoft have acknowledged that there is a need for a different model years ago, but we haven't seen anything on that front yet.

    Saturday, March 25, 2017 7:38 AM
  • We're right there with you. Hopefully somebody comes up with an answer. That's really annoying.

    Wednesday, May 2, 2018 5:17 PM
  • It's not a question of "legacy" per se, so much as it is a question of source of authority. Any autonomous system can really only have one "source of authority" for data; once you start synchronizing bits of data, the source system becomes that authority. When it comes to this piece, we don't have a mechanism for bidirectional sync; that is, a way to verify a change log cross-premises and verify which version of an object's attributes is the most current. AAD Connect is built on the Microsoft Identity Manager platform, and utilizes a specific set of APIs that enforces this.

    "By design" is the current answer; I wouldn't anticipate it changing any time soon.

    MessageOps, however, does have a product that may meet this particular requirement. It is essentially a standalone program (not related to AAD Connect) that allows you to sync only passwords.

    Thursday, May 17, 2018 3:33 AM
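The practical consequence of the thread (the original question's complaint that SMTP addresses must be edited on-premises with ADSI Edit, and the last reply's point that the on-prem directory is the source of authority) can be handled without hand-editing attributes. The following PowerShell is an added example, not code from any poster or from Microsoft: it writes a proxy address into on-prem AD with the ActiveDirectory module (RSAT), checks first that the address is not already assigned elsewhere (a duplicate proxyAddresses value makes AAD Connect fail the export of that object), keeps exactly one `SMTP:` primary, and gives a read-only check on the Exchange Online side. The user name and addresses are constructed; the `ExchangeOnlineManagement` session and the `ADSync` module on the AAD Connect server are assumed to be available where noted.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# a user object inside the AAD Connect sync scope, and (for the two optional
# steps at the end) an Exchange Online session and the AAD Connect server.
Import-Module ActiveDirectory

function Add-OnPremProxyAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Address,     # e.g. alias@contoso.com
        [switch] $MakePrimary
    )

    # Reject malformed input before it reaches the directory.
    if ($Address -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "'$Address' is not a valid SMTP address."
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail

    # Proxy addresses must be unique directory-wide. Look for the address under
    # both prefixes on any other object and refuse to create a duplicate.
    $ldap  = "(|(proxyAddresses=smtp:$Address)(proxyAddresses=SMTP:$Address))"
    $owner = @(Get-ADObject -LDAPFilter $ldap -Properties proxyAddresses |
               Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
    if ($owner.Count -gt 0) {
        throw "Address '$Address' is already assigned to: $($owner.DistinguishedName -join ', ')"
    }

    # Drop any existing entry for this address (either prefix; -notmatch is
    # case-insensitive) so it can be re-added with the requested prefix.
    $escaped = [regex]::Escape($Address)
    $current = @( @($user.proxyAddresses) | Where-Object { $_ -and $_ -notmatch "^smtp:$escaped$" } )

    if ($MakePrimary) {
        # Only one 'SMTP:' (upper-case) entry is allowed: demote the old primary.
        $current = @( $current | ForEach-Object {
            if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ }
        })
        $new = $current + "SMTP:$Address"
    } else {
        $new = $current + "smtp:$Address"
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set proxyAddresses to: $($new -join '; ')")) {
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]]$new }
        if ($MakePrimary) {
            # Keep 'mail' aligned with the primary SMTP address, as the Exchange tools would.
            Set-ADUser -Identity $user -Replace @{ mail = $Address }
        }
    }
    return $new
}

function Test-CloudMailboxSource {
    # Requires an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module).
    # IsDirSynced = True is the "source of authority is on-prem" condition from the
    # thread: EmailAddresses is read-only in the Exchange Online admin tools for that user.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Get-Mailbox -Identity $UserPrincipalName |
        Select-Object DisplayName, IsDirSynced, EmailAddresses
}

# Constructed values; run with -WhatIf first to preview the directory write.
Add-OnPremProxyAddress -SamAccountName 'jdoe' -Address 'john.doe@contoso.com' -WhatIf

# Then, on the AAD Connect server, push the change without waiting for the
# scheduled cycle:   Start-ADSyncSyncCycle -PolicyType Delta
# and confirm the cloud side:   Test-CloudMailboxSource -UserPrincipalName 'jdoe@contoso.com'
```

The duplicate check runs before the write because a clashing proxy address does not fail loudly at `Set-ADUser`; it surfaces later as an export error on the AAD Connect server, which is the kind of silent drift the thread's "source of authority" discussion is about. `-WhatIf` exercises every check and prints the intended attribute value without touching the directory.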