Provision New Office 365 User and Mailbox from Exchange Hybrid via PowerShell

Todd NelsonSystems Engineer
CERTIFIED EXPERT
Published:
Updated:
In this article, we create a user in the on premise AD with a remote mailbox from the on premise Exchange hybrid server, make sure the user is synchronized from on premise to O365, and finally assign a location and license in O365 to give the user the ability to use their new resources.
There are many cases in which I receive queries on how to go about provisioning users and mailboxes for an Exchange hybrid deployment with Office 365 (O365). I receive just about as many requests for a script to perform the task. Well, I don’t write scripts but I do know the process to create users and mailboxes that will sync to O365 from on premise Active Directory (AD).
 
To begin with, let’s assume a couple things.
  1. We have a Windows 2012 R2 member server with Azure AD Connect (AAD Connect) version 1.1.105.00 (or newer) and the Azure AD Module for PowerShell installed; and
  2. We have an Exchange 2013 CU11 (or newer) server configured for hybrid with an active O365 tenant.

Now that we’ve established a baseline, there are a couple of options to perform the task of provisioning an AD user, creating a mailbox, and assigning an Office 365 license.
  1. The first option would be to create an AD user, create an on premise mailbox, migrate the mailbox to Office 365, and assign a license; or
  2. The second option would be to create an AD user, create a remote (or Office 365) mailbox, and assign a license.

In this article, I will cover the second option simply because it includes fewer steps and attempts to avoid confusion around where the mailbox should be created.
 
IMPORTANT: Do not create an AD user and then go to the Office 365 portal to create a new user and associated mailbox. This method will not properly create ;a synchronized O365 user and mailbox.
  

STEP 1: CREATE USER & MAILBOX


From the Exchange server, I first create the AD user with remote mailbox using one command via Exchange Management Shell (EMS or Exchange PowerShell).
 

New-RemoteMailbox -UserPrincipalName "User1Test@domainname.com" -Alias "User1Test" -Name "User1 Test" -FirstName "User1" -LastName "Test" -DisplayName "User1 Test" -OnPremisesOrganizationalUnit "Office 365 Users" -Password (ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force) -ResetPasswordOnNextLogon $true

Open in new window

 

In the command above, I created the AD user in an OU named “Office 365 Users”, set the password to “EnterPasswordHere”, and will require the user to change their password at next logon. However, I did not assign an SMTP address or remote routing address assuming that the email address policies are configured to be applied as new mailboxes are created. 


STEP 2: SYNCHRONIZE USER


Once the AD user and mailbox are created, the AD object must to be synchronized to O365 in order to add the user with associated mailbox in the tenant. With the new version of AAD Connect, the scheduled sync time occurs every 30 minutes. In my case, I’m not that patient and will manually force a sync to O365.
 
From the server with AAD Connect installed, via an elevated PowerShell console, run the following command to perform the sync to O365.
 

Start-ADSyncSyncCycle -PolicyType Delta

Open in new window

 

This task will synchronize all changes made to AD since the user and mailbox were created.



STEP 3: ASSIGN LICENSE


In the final step, I assign an O365 license to the newly created and synchronized user. The following commands can be run from any machine that has both Microsoft Online Services Sign-in Assistant for IT Professionals RTW and Windows Azure Active Directory Module for Windows PowerShell installed. In my case, they are installed on each server, as well as my admin workstation.
 
First, I Connect to O365 via PowerShell from an elevated PowerShell console; or using Azure AD Module for PowerShell console.
 
Second, I confirm the new user does not have an O365 license assigned.  

Get-MsolUser -UnlicensedUsersOnly

Open in new window



This command returns unlicensed O365 users in which the “isLicensed” parameter is “False”.
 
The next command returns the “AccountSkuId“, or subscription license(s), of my tenant that I will use to assign to the new user.  

Get-MsolAccountSku

Open in new window



The AccountSkuId will look something similar to “tenantname:ENTERPRISEPACK“; where “ENTERPRISEPACK” represents my Office 365 Enterprise E3 subscription. Other subscriptions will have different representations.
 
Before I can assign any licenses to my new user, the user must be assigned a location (or country code). Since I’m am located in the United States, I use “US” as the two letter country code for the user, using this command: 

Set-MsolUser -UserPrincipalName User1Test@domainname.com -UsageLocation US

Open in new window



Now that I’ve set a location for the new user, I can assign a license from my associated O365 subscription, using this command:
 

Set-MsolUserLicense -UserPrincipalName User1Test@domainname.com -AddLicenses tenantname:ENTERPRISEPACK

Open in new window



Finally, the user can access their assigned mailbox in Exchange Online.  


CONCLUSION


In this article, we created a user in the on premise AD with a remote mailbox from the on premise Exchange hybrid server, made sure the user was synchronized from on premise to O365, and finally assigned a location and license to give the user the ability to use their new O365 resources.
 

Reference(s):


0
1,046 Views
Todd NelsonSystems Engineer
CERTIFIED EXPERT

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.