
Retrospective AD Federation. Hosted Exchange moving to Exchange Online (365); onsite AD.


We are in the process of planning and investigating a potential move of our email from a hosted Exchange solutions provider to Office 365 (Exchange Online to be specific). Now the hosted Exchange provider has its own AD and therefore our email accounts are not federated with our internal domain Active Directory. Therefore we have separate passwords for our AD and email. Not synced.

Now I have a fair idea of how the migration will go; a cutover batch migration of the users (in our OU on the hosting provider's AD) and their corresponding passwords and mailboxes to Exchange Online. A sync every evening to "top-up" mail received during the day and then a final sync before the switch gets flicked.

Now my question is how do we tie the post-migration accounts that will now sit on Exchange Online with our onsite AD accounts, and is it possible to do it retrospectively in a sensible, user-friendly nature?

Thanks for your insights in advance,

Most Valuable Expert 2015
Distinguished Expert 2019
In any case, the first step will be running Dirsync/AADSync and soft-matching those EO mailboxes against the on-prem accounts. As Cutover cannot work with dirsync, you need to do this after the migration has completed. Here's the soft-match article: http://support.microsoft.com/kb/2641663

One potential issue that comes to mind is attribute mismatch - might be a good idea to ask the hosting company to do a simple export of all users' attributes to CSV and import them against your local AD. Otherwise, you might end up overwriting the cloud accounts with some attribute value from your local AD, and cause trouble. Once the accounts are soft-matched, you should be able to move to using password sync or AD FS.

The question on how you are going to manage those objects should also be considered. Do you have the local AD schema extended with Exchange attributes?
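One way to look for the attribute mismatch described above before running the soft match, as an added PowerShell example that is not from this thread. It assumes the hosting provider's CSV export uses the column names SamAccountName, PrimarySmtpAddress, UserPrincipalName and DisplayName (hypothetical), that the on-prem account has the same SamAccountName, and that it runs where the ActiveDirectory module is installed; the soft match in the linked article keys on the primary SMTP address, so that is the first thing checked.

```powershell
# Added example, not the thread's own script. CSV column names and paths are assumptions.
Import-Module ActiveDirectory

$csvPath   = 'C:\migration\hosted-users.csv'             # hypothetical export from the hoster
$reportOut = 'C:\migration\premigration-mismatches.csv'  # hypothetical output path
$attrs     = 'proxyAddresses', 'mail', 'userPrincipalName', 'displayName'

$export = Import-Csv -Path $csvPath

$report = foreach ($row in $export) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" -Properties $attrs
    if (-not $user) {
        [pscustomobject]@{ User = $row.SamAccountName; Issue = 'No matching on-prem account' }
        continue
    }

    # Soft match needs the primary SMTP address present as the upper-case 'SMTP:' entry
    # in proxyAddresses; check it case-sensitively and also against the mail attribute.
    $primary = "SMTP:$($row.PrimarySmtpAddress)"
    if ($user.proxyAddresses -cnotcontains $primary) {
        [pscustomobject]@{ User = $row.SamAccountName; Issue = "proxyAddresses lacks $primary" }
    }
    if ($user.mail -ne $row.PrimarySmtpAddress) {
        [pscustomobject]@{ User = $row.SamAccountName
                           Issue = "mail is '$($user.mail)', hosted value is '$($row.PrimarySmtpAddress)'" }
    }

    # Other attributes that dirsync will push from on-prem and overwrite in the cloud.
    if ($user.UserPrincipalName -ne $row.UserPrincipalName) {
        [pscustomobject]@{ User = $row.SamAccountName
                           Issue = "UPN differs: on-prem '$($user.UserPrincipalName)', hosted '$($row.UserPrincipalName)'" }
    }
    if ($user.DisplayName -ne $row.DisplayName) {
        [pscustomobject]@{ User = $row.SamAccountName
                           Issue = "displayName differs: on-prem '$($user.DisplayName)', hosted '$($row.DisplayName)'" }
    }
}

if ($report) {
    $report | Export-Csv -Path $reportOut -NoTypeInformation
    $report | Format-Table -AutoSize
} else {
    Write-Host 'No mismatches found on the checked attributes.'
}
```

Resolve what the report lists on the on-prem side (for example by adding the missing SMTP: proxy address with Set-ADUser) before the first sync, since once dirsync runs the local AD becomes the source of authority for those attributes.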



Thanks for the quick response. The local AD schema is not Exchange extended. Surely I could extend the AD by installing a trial of on-premise Exchange in our environment?

Point taken onboard ref the attribute mismatch.

So the way I see it, this is going to be a two-part process.

1. Migrate from the hosting provider to Exchange Online in a very matter-of-fact way and leave the disparate authentication credentials in place a while longer. Users can use the new email solution in much the way they could before.

2. ADFS/Password sync work to tie the O365/On-Prem AD together.

Most Valuable Expert 2015
Distinguished Expert 2019
Yes you can extend the schema at any time. Usually the management process after the migration is the issue, that's why Microsoft's recommended and supported scenario is to keep an Exchange box on-prem. In your case though, it shouldn't make much difference, as you are already used to managing the recipient objects outside of the local AD. The only thing that will be changed is the source of authority moving back to on-prem due to dirsync - so dust off that old ADSI Edit/Attribute Editor :)