Provisioning Remote Object Types in Exchange Online


Many times, once a customer has migrated from Exchange on-premises to Exchange Online, they want to completely decommission ALL on-premises Exchange servers. The issue this presents is that on-premises AD remains authoritative for all objects, which are then synced to Azure AD using AAD Sync.

There are two options:

  1. You can maintain a single Exchange server as a "management node"; however, for Exchange 2013 and later this means installing the CAS/HUB and Mailbox roles.
  2. You can configure your on-premises identity management solution to write the attributes needed to provision the proper Exchange Online remote object type.

I won't go into option 1; that's pretty much an installation of Exchange.

If you go with option 2, you'll need to be aware of the following values required on each object so that AAD Sync provisions it in Exchange Online as the proper object type.

Also be aware that it is not possible to create remote shared objects with Exchange PowerShell (the ability has never been there), so a remote shared mailbox is a three-step process.

User:

    mailNickName = SamAccountName
    msExchRecipientTypeDetails = "2147483648"
    msExchRecipientDisplayType = "-2147483642"
    msExchRemoteRecipientType = "1"
    TargetAddress = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    ProxyAddresses = UserPrincipalName
    ProxyAddresses = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    mail = UserPrincipalName


Room:

    mailNickName = SamAccountName
    msExchRecipientTypeDetails = "8589934592"
    msExchRecipientDisplayType = "-2147481850"
    msExchRemoteRecipientType = "33"
    TargetAddress = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    ProxyAddresses = UserPrincipalName
    ProxyAddresses = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    mail = UserPrincipalName


Equipment:

    mailNickName = SamAccountName
    msExchRecipientTypeDetails = "17179869184"
    msExchRecipientDisplayType = "-2147481594"
    msExchRemoteRecipientType = "65"
    TargetAddress = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    ProxyAddresses = UserPrincipalName
    ProxyAddresses = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    mail = UserPrincipalName


Shared (step 1) - Create a remote User mailbox:

    mailNickName = SamAccountName
    msExchRecipientTypeDetails = "2147483648"
    msExchRecipientDisplayType = "-2147483642"
    msExchRemoteRecipientType = "1"
    TargetAddress = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    ProxyAddresses = UserPrincipalName
    ProxyAddresses = UPN_PREFIX@TenantName.mail.onmicrosoft.com
    mail = UserPrincipalName


Shared (step 2) - Convert the cloud User mailbox to a Shared mailbox:

Using PowerShell, connect to Exchange Online and issue the command:

    Set-Mailbox -Identity $PrimarySMTP -Type Shared


Shared (step 3) - Change the on-premises AD attributes to look like a shared mailbox:

    msExchRecipientTypeDetails = "34359738368"
    msExchRecipientDisplayType = "-2147483642"
    msExchRemoteRecipientType = "100"


For any of these objects, if a LegacyExchangeDN is desired in the on-premises Active Directory to completely emulate the result of Enable-RemoteMailbox, I set it as follows:

    /o=DOMAIN_NETBIOSNAME/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=RANDOM_GUID+SAMAccountName

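The attribute sets above, stamped onto an existing on-premises AD account with the ActiveDirectory module, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module is installed, that the account already has sAMAccountName and userPrincipalName populated, that $TenantName is the prefix of the tenant's .mail.onmicrosoft.com routing domain, and that RANDOM_GUID in the LegacyExchangeDN is a GUID written without dashes. proxyAddresses and targetAddress values are written with the SMTP: prefix (upper-case SMTP: marking the primary address), which the post's lists leave implicit. The function names are mine.

```powershell
# Added example (not from the original post): write the per-type attribute set onto an
# on-premises AD user so that AAD Sync provisions the matching remote object type.
Import-Module ActiveDirectory

# Attribute triples from the post, keyed by remote object type.
$RemoteTypeMap = @{
    User      = @{ TypeDetails = '2147483648';  DisplayType = '-2147483642'; RemoteType = '1'   }
    Room      = @{ TypeDetails = '8589934592';  DisplayType = '-2147481850'; RemoteType = '33'  }
    Equipment = @{ TypeDetails = '17179869184'; DisplayType = '-2147481594'; RemoteType = '65'  }
    # Step 3 of the shared flow: apply only after Set-Mailbox -Type Shared in Exchange Online.
    Shared    = @{ TypeDetails = '34359738368'; DisplayType = '-2147483642'; RemoteType = '100' }
}

function New-RemoteLegacyExchangeDN {
    # LegacyExchangeDN in the post's format; the GUID without dashes is an assumption
    # about what RANDOM_GUID stands for.
    param([string]$NetbiosName, [string]$SamAccountName)
    $guid = [guid]::NewGuid().ToString('N').ToUpper()
    return "/o=$NetbiosName/ou=External (FYDIBOHF25SPDLT)/cn=Recipients/cn=$guid$SamAccountName"
}

function Set-RemoteObjectAttributes {
    [CmdletBinding(SupportsShouldProcess)]   # -WhatIf flows through to Set-ADUser below
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('User', 'Room', 'Equipment', 'Shared')][string]$Type,
        [Parameter(Mandatory)][string]$TenantName,   # e.g. contoso -> contoso.mail.onmicrosoft.com
        [Parameter(Mandatory)][string]$NetbiosName   # used only for the LegacyExchangeDN
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail, legacyExchangeDN
    if (-not $user.UserPrincipalName) { throw "$SamAccountName has no UPN; cannot derive addresses." }

    $upn       = $user.UserPrincipalName
    $upnPrefix = $upn.Split('@')[0]
    $routing   = "$upnPrefix@$TenantName.mail.onmicrosoft.com"
    $t         = $RemoteTypeMap[$Type]

    # Single-valued attributes: -Replace overwrites whatever is currently stored.
    $replace = @{
        mailNickname               = $user.SamAccountName
        msExchRecipientTypeDetails = [int64]$t.TypeDetails
        msExchRecipientDisplayType = [int32]$t.DisplayType
        msExchRemoteRecipientType  = [int64]$t.RemoteType
        targetAddress              = "SMTP:$routing"
        mail                       = $upn
    }
    # Never overwrite a LegacyExchangeDN that already exists (it is referenced by X500 addresses).
    if (-not $user.legacyExchangeDN) {
        $replace.legacyExchangeDN = New-RemoteLegacyExchangeDN -NetbiosName $NetbiosName `
                                                                -SamAccountName $user.SamAccountName
    }
    Set-ADUser -Identity $user -Replace $replace

    # Multi-valued proxyAddresses: add only the missing entries so existing aliases survive
    # and the primary SMTP: entry is not duplicated.
    $wanted  = @("SMTP:$upn", "smtp:$routing")
    $missing = @($wanted | Where-Object { $user.proxyAddresses -notcontains $_ })
    if ($missing.Count -gt 0) { Set-ADUser -Identity $user -Add @{ proxyAddresses = $missing } }
}

function Test-RemoteObjectAttributes {
    # Pre-sync check: returns one row per msExch* attribute that differs from the expected
    # value for the given type. No output means the object is ready for AAD Sync.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('User', 'Room', 'Equipment', 'Shared')][string]$Type
    )
    $props = 'msExchRecipientTypeDetails', 'msExchRecipientDisplayType', 'msExchRemoteRecipientType'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $t = $RemoteTypeMap[$Type]
    $expected = @{
        msExchRecipientTypeDetails = [int64]$t.TypeDetails
        msExchRecipientDisplayType = [int32]$t.DisplayType
        msExchRemoteRecipientType  = [int64]$t.RemoteType
    }
    foreach ($name in $props) {
        if ($u.$name -ne $expected[$name]) {
            [pscustomobject]@{ Attribute = $name; Current = $u.$name; Expected = $expected[$name] }
        }
    }
}

# Usage (try against a lab OU first; -WhatIf shows the writes without making them):
#   Set-RemoteObjectAttributes -SamAccountName jdoe -Type Room -TenantName contoso -NetbiosName CONTOSO -WhatIf
#   Test-RemoteObjectAttributes -SamAccountName jdoe -Type Room
```

For a shared mailbox the three steps map onto the same function: run it with -Type User, wait for AAD Sync to provision the cloud mailbox, run the Set-Mailbox -Type Shared command from step 2 in Exchange Online, then run it again with -Type Shared. The second run rewrites the unchanged attributes with identical values, so only the three msExch* values actually change, matching step 3. Run Test-RemoteObjectAttributes after each on-premises step; an object whose msExchRecipientTypeDetails and msExchRemoteRecipientType disagree is the usual reason a synced object shows up as the wrong type in the tenant.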

