In some scenarios, you may have to transfer the source of authority for a user account when that account is originally authored by using Office 365 management tools. These tools include the Office 365 portal, Microsoft Online Services Module for Windows PowerShell, and so on. You can transfer the source of authority so that the account can be managed through an on-premises Active Directory Domain Services (AD DS) user account by using directory synchronization.
This article discusses how this transfer of the source of authority is affected by "SMTP matching," a process that uses the primary Simple Mail Transfer Protocol (SMTP) address to match the on-premises user account with the Office 365 user account.
SMTP matching limitations
The SMTP matching process has the following technical limitations:
- SMTP matching can only be run on user accounts that have a Microsoft Exchange Online email address.
Note This does not mean the user must be licensed for Exchange Online. This means that a mailbox that has a primary email address must exist in Exchange Online for SMTP matching to work correctly.
- SMTP matching can only be used one time for user accounts that were originally authored by using Office 365 management tools. After that, the Office 365 account is bound to the on-premises user by an immutable identity value instead of a primary SMTP address.
- The cloud user’s primary SMTP address cannot be updated during the SMTP matching process because the primary SMTP address is the value that is used to link the on-premises user to the cloud user.
How to use SMTP matching to match an on-premises user to a cloud identity
To use SMTP matching to match an on-premises user to an Office 365 user account for directory synchronization, follow these steps:
1. Obtain the target Office 365 account primary SMTP address. To do this, follow these steps:
- Access the Office 365 portal by using a global administrator account.
- Click Admin, and then under Exchange Online, click Manage to open Exchange Control Panel (ECP).
- In the ECP, locate the user account that you want, and then double-click it.
- Expand the Email Options section, and then note the primary SMTP address of the user account.
2. Start Active Directory Users and Computers, and then create a user account in the on-premises domain that matches the target Office 365 user account. For more information about how to do this, visit the following Microsoft TechNet website:
Create a User Account in Active Directory Users and Computers (http://technet.microsoft.com/en-us/library/dd894463(WS.10).aspx)
3. Use Active Directory Service Interfaces (ADSI) Edit to edit the proxyAddresses attribute of the user object so that it matches the primary SMTP address that you noted in step 1D. To do this, follow these steps:
. Click Start, click Run, type ADSIEdit.msc, and then click OK.
- Right-click ADSI Edit, select Connect to, and then click OK to load the domain partition.
- In the navigation pane, locate the user object that you want to modify, right-click it, and then click Properties.
- In the Attributes list, click the proxyAddresses attribute, and then click Edit.
- In the Value to add field, enter the appropriate SMTP address, and then click Add.
Note The primary SMTP address value for the user object should be prepended by an uppercase "SMTP:" designator for it to be formatted correctly for the proxyAddresses attribute. For example:
- "SMTP:email@example.com" is an acceptable value.
- "firstname.lastname@example.org" and "smtp:email@example.com" are not acceptable values.
- ADSI Edit is included with the Windows Server 2003 Support Tools. The Windows Server 2003 Support Tools are available on the product disc. Also, you could obtain the tool from the Microsoft Download Center by visiting the following Microsoft website:
5. Click OK two times, and then exit ADSI Edit.
Windows Server 2003 Service Pack 2 32-bit Support Tools (http://go.microsoft.com/fwlink/?LinkId=100114)
- For more information about how to use ADSI Edit to edit Active Directory Domain Services attributes, visit the following Microsoft TechNet website:
Using ADSI Edit to edit Active Directory attributes (http://technet.microsoft.com/en-us/library/bb124152(EXCHG.65).aspx)
4. Force directory synchronization. For more information about how to do this, visit the following Microsoft website:
Force directory synchronization (http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx#BKMK_SynchronizeDirectories)
For more information about how to transfer the source of authority between on-premises directory synchronization and cloud-based management tools such as the Office 365 portal and Microsoft Online Services Module for Windows PowerShell, visit the following Microsoft website:
How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for Directory Synchronization
Office 365 Deployment