Azure AAD Connect (new directory sync) Question

Greetings. We recently migrated to Office 365.

Obviously, I will continue to manage AD Users on-premise, but I don't wish to manage their Exchange accounts on-premise.

I wish to create/manage them in the Office 365 portal.

For password sync, we're using a great tool from MessageOps called the "Office 365 Password Synchronization" tool.

I see no reason to abandon this utility, as it works very fast and very reliably.

However, I do understand that Microsoft's newest sync offering, the Azure AAD Connect tool, will synchronize passwords and upload those changes within a minute or two to Office 365.

Here is my extended question:

Should we decide to use the MS AAD Connect utility in the future (it's in Preview now), will I be able to fully retire our On-Premises Exchange 2010 server? It currently serves no purpose. It's only necessary if I were to implement ADSYNC and wish to manage users in the Exchange Management Console.

One slightly confusing thing from Microsoft is whether or not their AAD Connect is able to use the UserPrincipalName attribute (UPN) to match up local AD users with Azure AD (and thus Office 365) users in order to have password sync work properly. My understanding is that MS uses either e-mail address or smtp address or some other attribute to match users. If I retire the on-premise server, I would disable all users first, thus removing those attributes from the user accounts.

There's no harm keeping our 7-year old Exchange server fired up in the server room.  It just takes some space on the rack and uses power.

Thanks much.
Vasil Michev (MVP)Commented:
AADConnect is sort of a 'wrapper' for several tools, but the sync client it uses, AADSync, has been in general availability for a few months now. Both AADSync and Dirsync offer password sync as well, with the former also offering password write-back from the cloud to on-prem. Personally, I'd stick with Microsoft supported tools unless I have a specific reason to avoid them.

Both dirsync and AADsync support two ways of matching the users: by GUID (hard-match) and by primary SMTP address (soft-match). Those attributes are available even without the Exchange AD schema extension.

As for the Exchange box, you can remove it if you want, but simply convert the remaining mailboxes to mail-enabled users, so that their attributes are preserved. Without Exchange, you will still be able to author those attributes from the on-prem AD, using the AD Users and Computers console, or the AD PowerShell module.

In any case, if you are using dirsync/aadsync, you will not be able to manage attributes for synced users from Exchange Online. The Source of authority will be the on-prem AD and you will have to make the changes there.
lapavoni (Author) Commented:
I don't understand the concept of converting users to "mail enabled". We did a Cutover migration. All user mailboxes remain in AD until you "disable" them. Then the Exchange attributes are removed. I do understand that an Azure Directory is created when your Office 365 tenant is created. I don't necessarily need other on-premise AD objects/users/attributes synced to Azure, other than passwords. If I understand correctly, while other (3rd party) utilities can match up the UPN for password sync, Azure sync *requires* primary SMTP, yes? That will disappear when mailboxes are disabled, yes?
Vasil Michev (MVP)Commented:
That's why you don't just disable/delete the mailboxes, but convert them to mail-enabled users and keep the relevant attributes. An example script can be found here:

The important attributes you need to preserve are things like proxyAddresses, mail, targetaddress, legacyExchangeDN.

UPN is not a good attribute to use for matching, as it can change. Dirsync/AADSync use the objectGUID for the primary match, and the primarySMTPaddress for the secondary. If needed, you can even designate a custom attribute, but that's only relevant in specific scenarios.
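As an added example (written for this page, not the script Vasil links to and not a Microsoft tool), the following PowerShell captures the attributes named above before the mailbox is disabled, writes them back so the object stays a mail-enabled user that can still soft-match on primary SMTP, and prints the base64 objectGUID that sync uses as the hard-match anchor (ImmutableId). It assumes the Exchange 2010 Management Shell and the ActiveDirectory module are loaded; $TenantDomain and $User are placeholders.

```powershell
# Added example, not from the thread. Run from an Exchange 2010 Management Shell
# on a machine with the ActiveDirectory module; replace the two placeholders.
Import-Module ActiveDirectory

$TenantDomain = 'contoso.onmicrosoft.com'   # placeholder: tenant routing domain
$User         = 'jdoe'                      # placeholder: sAMAccountName to convert

# 1. Capture the attributes soft-match and mail routing depend on, before
#    Disable-Mailbox strips them from the AD object.
$before  = Get-ADUser -Identity $User -Properties mail, proxyAddresses, legacyExchangeDN
$proxies = @($before.proxyAddresses)

# Keep the old legacyExchangeDN as an X500 proxy so replies to pre-migration
# mail (cached Outlook recipients) still resolve instead of bouncing.
if ($before.legacyExchangeDN) { $proxies += "X500:$($before.legacyExchangeDN)" }

$primarySmtp = ($proxies | Where-Object { $_ -clike 'SMTP:*' } |
                Select-Object -First 1) -replace '^SMTP:', ''
if (-not $primarySmtp) { throw "No primary SMTP address found on $User; aborting." }

# targetAddress points on-prem routing at the cloud mailbox for this user.
$target = "SMTP:$($primarySmtp.Split('@')[0])@$TenantDomain"

# 2. Disable the mailbox. This removes mail, proxyAddresses, legacyExchangeDN, etc.
Disable-Mailbox -Identity $User -Confirm:$false

# 3. Restore the attributes directly in AD (no Exchange needed for this step),
#    which is what makes the object a mail-enabled user again.
Set-ADUser -Identity $User -Replace @{
    mail           = $primarySmtp
    proxyAddresses = $proxies
    targetAddress  = $target
}

# 4. Verify what the sync engine will match on. objectGUID is the default
#    sourceAnchor; Azure AD stores it base64-encoded as ImmutableId.
$after       = Get-ADUser -Identity $User -Properties mail, proxyAddresses, targetAddress
$immutableId = [System.Convert]::ToBase64String($after.ObjectGUID.ToByteArray())

Write-Output "Hard-match anchor (ImmutableId) for ${User}: $immutableId"
Write-Output "Soft-match address (mail): $($after.mail)"
Write-Output "targetAddress: $($after.targetAddress)"
Write-Output ("proxyAddresses: " + ($after.proxyAddresses -join '; '))
```

Run it against one test account first and compare the printed ImmutableId with the cloud user's value before converting the rest.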

lapavoni (Author) Commented:
Great information. Thank you.