Solved

Office 365 Post Migration Questions

Posted on 2014-10-03
Last Modified: 2014-12-02
We have just completed our cutover migration to Office 365 with DirSync and I would like a few things clarified that I cannot seem to find direct answers to online.
1- We have an on-premise Exchange server that is linked to Office 365. I would expect to be able to add/modify email addresses here, but can only do so using ADSI or the Attribute editor in AD. Is this correct? Can I not manage email addresses using Exchange?
2- Secondary addresses added using ADSI with a precursor of smtp: function but do not appear in Office 365's email address list. Is this correct?
3- Single sign-on works, in that the user's AD domain password also works for Office 365. Is there some way to extend this functionality? Example: Setting up a new mail profile for a user, autodiscover finds the account, but I still must enter their password to complete the sync. Can single sign-on extend to profile setup? When a user changes their password, they must re-enter it in Outlook to re-connect. Can SSO handle this so that their password is detected from the domain?

Thanks for all the help! I am a champion Googler, but there appear to be no straight answers to any of the above!
0
Question by:JP_TechGroup
5 Comments
 
LVL 41

Expert Comment

by:Vasil Michev (MVP)
ID: 40360168
For cutover migration you cannot have DirSync enabled. Do you mean staged migration? Or do you mean that you enabled DirSync after the cutover migration?

Both 1) and 2) can be explained if the on-prem object is not matched with the cloud one after you have run the dirsync (if you have run it). You might have to resort to 'soft-matching': http://support.microsoft.com/kb/2641663
Otherwise the answer is that you should indeed be able to manage them on-prem.

3) There is no real single sign on experience with Outlook, it uses the basic authentication method. You can select the "Remember password" option, which will store it in the Credentials manager. Once the password is changed, you have to type/save it again.
0
 

Author Comment

by:JP_TechGroup
ID: 40367112
We enabled DirSync after the migration was completed. On-premise Exchange is able to modify a few attributes, but not emails or distribution lists. When we try to add an email address locally, we get an error that states:

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-Mailbox
Failed
Error:
The operation on mailbox "******" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object '******' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'Amparo Carrera' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Dirsync is working and passwords sync up happily. New users added in AD locally sync and their mailbox is created as expected.

We have a similar issue adding users to groups. Worse, we cannot add or modify from the Office 365 console. We are told since we are syncing it must be done locally... hence, we are stuck.
0
 
LVL 41

Expert Comment

by:Vasil Michev (MVP)
ID: 40367180
DG ownership can be managed from dsa/ADSIEdit or directly from Outlook, check here: http://support.microsoft.com/kb/2417592

Your EMC console seems to be connected to Exchange Online, this is why it's giving you the error. Just edit the proxyaddresses attribute with dsa.exe. If you only want to change the primarysmtpaddress, you can use the following cmdlet (works for synced users as well):

Set-mailbox user@domain.com -WindowsEmailAddress new@domain.com
0
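A scripted form of the proxyAddresses edit recommended in the comment above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name `Add-SecondaryProxyAddress`, the account `jdoe` and the address are hypothetical placeholders.

```powershell
# Added example: add a secondary SMTP alias to a synced user in on-premises AD,
# so that DirSync carries the change to Office 365 on its next cycle.
Import-Module ActiveDirectory

function Add-SecondaryProxyAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,   # sAMAccountName or DN
        [Parameter(Mandatory = $true)][string]$Address     # e.g. alias@domain.com
    )

    # Conservative shape check. It also keeps LDAP filter metacharacters
    # ( * ( ) \ ) out of the query built further down.
    if ($Address -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        throw "'$Address' is not an accepted SMTP address."
    }

    # Lowercase 'smtp:' marks a secondary address; uppercase 'SMTP:' is the primary.
    $value = "smtp:$Address"
    $user  = Get-ADUser -Identity $Identity -Properties proxyAddresses

    # proxyAddresses matching is case-insensitive, so this finds the address
    # whether another object holds it as primary or as secondary.
    $holders = @(Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$Address)")
    $others  = @($holders | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })

    if ($others.Count -gt 0) {
        # A duplicate address would surface later as a directory sync error.
        throw "Address already assigned to: $($others.DistinguishedName -join '; ')"
    }
    if ($holders.Count -gt 0) {
        Write-Verbose "$Address is already present on $($user.SamAccountName)."
        return
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add $value to proxyAddresses")) {
        # -Add appends to the multi-valued attribute and leaves existing values alone.
        Set-ADUser -Identity $user -Add @{ proxyAddresses = $value }
    }
}

# Dry run with placeholder values; drop -WhatIf to apply the change.
Add-SecondaryProxyAddress -Identity 'jdoe' -Address 'j.doe@domain.com' -WhatIf
```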
 

Author Comment

by:JP_TechGroup
ID: 40401790
So, I'm correct in thinking that I cannot use the EMC console to do anything but look?
0
 
LVL 41

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
ID: 40401812
Depends on where the object is located, and where exactly in the EMC you are looking at (the on-prem node or the O365 one). The O365 node is basically an interface for remote PowerShell for EO, so if an object is synced from on-prem you will not be able to make changes. You will have to use the On-prem node and recipient config, etc.
0
