Modify ProxyAddresses Azure AD Sync

    Question

  • Hi guys,

    We have a hybrid setup; we have Azure AD Connect set up with the hybrid option. I understand this allows 8 attributes to be written back, as per the article below.

    https://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx

    With all this set up, we are still unable to modify the email addresses from within the O365 ECP. Is this possible? I thought the hybrid tick box in Azure AD Connect would allow this.

    See below for the error when we try to edit. Obviously we can do this from on-premises, but we want to edit from the O365 end as well.



    • Edited by Amayacitta Tuesday, March 28, 2017 4:44 PM
    Tuesday, March 28, 2017 4:44 PM

All replies

  • You can find the list of attributes that can be written back to the on-prem AD from Azure AD in an Exchange Hybrid Writeback.

    Exchange hybrid writeback

    These attributes are written back from Azure AD to on-premises Active Directory when you select to enable Exchange hybrid. Depending on your Exchange version, fewer attributes might be synchronized.

    Attribute name (object types the writeback applies to): comment
    msDS-ExternalDirectoryObjectID (User): Derived from cloudAnchor in Azure AD. This attribute is new in Exchange 2016 and Windows Server 2016 AD.
    msExchArchiveStatus (User): Online Archive: Enables customers to archive mail.
    msExchBlockedSendersHash (User): Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
    msExchSafeRecipientsHash (User): Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
    msExchSafeSendersHash (User): Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
    msExchUCVoiceMailSettings (User): Enable Unified Messaging (UM) - Online voice mail: Used by Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voice mail in online services.
    msExchUserHoldPolicies (User): Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.
    proxyAddresses (User, Contact, Group): Only the x500 address from Exchange Online is inserted.

    Wednesday, March 29, 2017 10:16 AM
    Moderator
  • Hi, thanks for the reply. I'm aware that these attributes are written back.

    What I wondered was why within the O365 ECP we can't change them, as per the screenshot. Is this something that should be possible?

    Wednesday, March 29, 2017 10:26 AM
  • You can change ONLY these hybrid attributes in the cloud and no other attribute. All other attributes are still managed on-prem. The email addresses are still managed on-prem, and you cannot change them in the cloud regardless of whether you use Exchange hybrid or not.
    • Proposed as answer by Andreas Kjellman Wednesday, March 29, 2017 6:54 PM
    • Unproposed as answer by Amayacitta Wednesday, March 29, 2017 7:21 PM
    • Marked as answer by Amayacitta Wednesday, March 29, 2017 7:22 PM
    Wednesday, March 29, 2017 6:15 PM
  • Ok, thanks for the confirmation. I guess that's why it says "Only the x500 address from Exchange Online is inserted" rather than SMTP proxyAddresses.
    Wednesday, March 29, 2017 6:35 PM
  • That is only one value in proxyAddresses and only for routing between your Exchange organizations.

    When you enable Exchange hybrid, Exchange Online will generate the x500 address for the cloud version of the mailbox. This single value is inserted into the on-prem proxyAddresses. But you cannot change anything else in the cloud. All other values in proxyAddresses are managed on-prem.

    • Marked as answer by Amayacitta Wednesday, March 29, 2017 7:20 PM
    Wednesday, March 29, 2017 6:54 PM
  • Hey Andreas, if we wanted to completely remove the hybrid setup (remove the last Exchange server and untick the hybrid box in Azure AD Connect), at that point should we be able to modify the proxy addresses in O365? The end game is to only have password sync in place.

    For example, if we had moved the mailboxes with SkyKick rather than hybrid, this would be possible; however, because we moved them with hybrid, it appears the objects are locked for editing, even with no on-premises Exchange.

    Any ideas if we can clear any attributes to permit just password sync and unlock the ability to edit the online account?

    Set-MsolDirSyncEnabled -EnableDirSync $false places the objects "in cloud", which allows us to edit them; however, we still want password sync. As soon as we re-enable password sync, even with no hybrid or on-premises Exchange, they lock out again :(

    Thursday, March 30, 2017 10:42 AM
  • Have I got the wrong end of the stick? Is it possible to modify mail attributes in O365 when just password sync is enabled, or does that in and of itself lock out the ability to edit the objects?

    What if a customer never had Exchange, added mailboxes in O365 and wanted to sync just AD passwords? Surely this is possible?

    Thursday, March 30, 2017 10:54 AM
  • I set up a lab on a blank DC and set up password sync; the attributes lock out straight away.

    It seems the way to do it would be to remove password sync and federate the domain.

    • Marked as answer by Amayacitta Thursday, March 30, 2017 12:49 PM
    Thursday, March 30, 2017 12:49 PM
  • As soon as you start syncing, you are correct that the attributes are locked down. As you guessed, you can use federation, but then you must use PowerShell to create your new users in Azure AD. You cannot get that scenario to work using only the GUI in Office 365/Azure AD.

    Thursday, March 30, 2017 8:32 PM
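The replies above all converge on one point: once an object is directory-synced, its proxyAddresses are authoritative on-premises and are changed there, then pushed up by Azure AD Connect. The script below is an added example of that supported path (it is not code from any poster or from Microsoft); it first confirms the object really is synced, refuses to create a duplicate address, adds the alias on-premises, triggers a delta sync and verifies the value arrived in the cloud. The domain contoso.com, the user jdoe, the alias and the Connect server name aadconnect01 are assumed values.

```powershell
# Added example (not from the thread): add an SMTP alias to a directory-synced user the
# supported way, i.e. on-premises, then let Azure AD Connect push it up.
# Assumed values: contoso.com, jdoe, john.doe@contoso.com, server aadconnect01.
Import-Module ActiveDirectory      # RSAT module, run from a domain-joined admin host
Import-Module MSOnline             # assumes Connect-MsolService has already been run

$sam   = 'jdoe'
$upn   = 'jdoe@contoso.com'
$alias = 'john.doe@contoso.com'

# 1. Confirm the object is directory-synced. A cloud-only object (no ImmutableId, no
#    LastDirSyncTime) can simply be edited in the ECP and this script does not apply.
$cloud = Get-MsolUser -UserPrincipalName $upn
if (-not $cloud.ImmutableId) {
    throw "$upn is cloud-only; edit it directly in Exchange Online instead."
}

# 2. Refuse to create a duplicate: proxyAddresses must be unique forest-wide, and the
#    LDAP match is case-insensitive, so 'smtp:' versus 'SMTP:' does not make a new value.
$dup = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$alias)" -Properties sAMAccountName |
       Where-Object { $_.sAMAccountName -ne $sam }
if ($dup) { throw "$alias is already used by $($dup.DistinguishedName)" }

# 3. Add the alias on-premises. Lowercase 'smtp:' marks a secondary address; the single
#    uppercase 'SMTP:' entry is the primary/reply address and is left untouched here.
$user = Get-ADUser -Identity $sam -Properties proxyAddresses
if ($user.proxyAddresses -notcontains "smtp:$alias") {
    Set-ADUser -Identity $sam -Add @{ proxyAddresses = "smtp:$alias" }
}

# 4. Trigger a delta sync on the Azure AD Connect server (the ADSync module lives there),
#    then poll the cloud object until the new value shows up.
Invoke-Command -ComputerName 'aadconnect01' -ScriptBlock {
    Start-ADSyncSyncCycle -PolicyType Delta
}
for ($i = 0; $i -lt 10; $i++) {
    Start-Sleep -Seconds 30
    $cloud = Get-MsolUser -UserPrincipalName $upn
    if ($cloud.ProxyAddresses -contains "smtp:$alias") {
        "Alias synced; LastDirSyncTime = $($cloud.LastDirSyncTime)"
        break
    }
}
```

If step 1 throws, the object is not under sync control and the ECP edit that the thread starts from works as expected; if step 4 never reports the alias, check the Connect server's synchronization service for export errors on that object before touching anything in the cloud.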