How to move your Office 365 Hybrid Infrastructure to Azure

Aman Ayaz

If you currently have a Microsoft Exchange deployment and are considering migrating to Office 365, you might find yourself faced with the dilemma of whether to use a separate (non-Active Directory integrated) Office 365 login identity or use Azure AD Connect as your SSO solution—which also means maintaining an on-premises Exchange server. After moving all mailboxes from an on-premises Exchange environment to Office 365 Exchange Online, you might think it’s safe to remove the last Exchange Hybrid server from your environment, but you could soon discover you can no longer manage your cloud mailboxes from your Office 365 portal.

Never fear—I’m here to explain the problem and offer a solution.

The Issue

Say your Azure AD Connect (SSO) is configured in the on-premises Active Directory (AD) environment to enable the identity synchronization with Office 365. Once you migrate all on-premises Exchange mailboxes to Exchange Online, the on-premises Exchange server (Hybrid) is still required to manage the mailbox objects. This is the only Azure AD Connect (SSO) solution supported by Microsoft.

Issue Details

When directory synchronization is enabled for an Office 365 tenant and user objects are synchronized from on-premises, most of the user attributes cannot be managed from Exchange Online and must be managed from the Exchange on-premises environment. This is not due to the hybrid configuration; it occurs because of directory synchronization (Azure AD Connect). This means that even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the Office 365 Portal.

While Microsoft has indicated that they are actively working on removing this requirement, it will most likely take them some time.

The Connection Solution

In the meantime, you can move your Active Directory synchronization (Azure AD Connect) and Exchange Hybrid servers for Office 365 to Microsoft Azure (IaaS).

Solution Details

The on-premises router connects to an Azure gateway at the edge of an Azure V-Net with a site-to-site VPN or an ExpressRoute connection. Inside the V-Net, both the directory synchronization and Exchange Hybrid servers are hosted. The directory synchronization server polls Windows Server AD for changes and then synchronizes them with the Office 365 subscription.

Exchange virtual machines are supported in Azure, with the express support statement that storage for databases, transaction logs, and transport logs requires Azure Premium Storage. As this Exchange server will not host any mailboxes or even act as a relay server, it will not need a pricey (high-end Azure) virtual machine. In addition, with this option there will be no Exchange Server licensing cost.

If you’d like to learn more about our Microsoft services and solutions, contact an Account Manager today. We can help even if you’ve already migrated!

Aman is a Senior Microsoft Cloud Solution Architect at Connection with more than 16 years of experience in IT engineering and management. He holds various professional certifications, including MCITP Enterprise Administrator, MCITP Server Administrator, MCITP Enterprise Messaging Administrator, MCTS Microsoft Office SharePoint Server, and Configuration MCSE 4.0 (Microsoft Certified System Engineer). He especially enjoys presenting in meetups, workshops, and conferences.