Month: September 2013

Managing EXO Online & AD User MBX Settings When Using DirSync and Rich Coexistence


As some Office 365 administrators have noticed, licensing is a big part of the job: assigning licenses to new hires and removing them from people who have been let go.  There is a corner case scenario where an Online Admin removes the online user’s Exchange Online license (and any others that might be assigned) and disables the online user.

If you are in this scenario while using Directory Synchronization AND Exchange Rich Coexistence (sharing the same SMTP namespace, Free/Busy lookups, etc.), use the following process to either disable or delete online users:

On-Premises Active Directory

  1. When using Active Directory and Directory Synchronization, understand that Active Directory is the source of authority for all online objects (Users, Contacts, Groups, etc.), so they must be managed within Active Directory itself.
    1. Disabling
      1. Disable the on-premises Active Directory user and leverage DirSync to push this disablement into the cloud
        1. This will NOT remove the user’s license or mailbox at this time and the MBX can be used via Exchange Online Mailbox Search/eDiscovery
    2. Deleting
      1. When you would rather remove the user from your Online Environment and want to make this update permanent (removal of the account from all environments), remove the on-premises Active Directory user account and leverage DirSync to push this removal into the cloud
        1. This WILL remove the online user and any mailbox attached/associated with the account.  The Online Admin, if they want to save mail data, should log in to the EXO MBX via Outlook and save all content to .pst before continuing.

There is a specific corner case scenario where an online Admin has removed an Exchange Online (EXO) license from a user who is located in on-premises Active Directory and was synchronized, enabled and licensed within Office 365.  Removing the license in this way will cause the following effects:

    1. IF you remove an Exchange Online license from someone in Office 365 without using either of the Delete or Disable options listed above, your online user will have their EXO MBX disconnected. The disconnected MBX is available for restore for up to ~30 days after the EXO license is removed.  Since the user’s MBX originally came from an on-premises AD and Exchange environment, the removal of the EXO license will not flow back via Directory Synchronization (DirSync Write-Back). This leaves the on-premises mail-enabled user (with a targetAddress of user@contoso.onmicrosoft.com) in place, and it will continue to route mail to this online user who no longer has an EXO license and/or mailbox.
      1. The best approach is to manage the user account, using either Delete or Disable, which will allow the following effects to take place
        1. Delete in AD – Remove the user from AD (no more targetAddress for on-premises Exchange to use in forwarding mail to the online user’s MBX)
        2. Disable in AD – Disabling allows the AD mail-enabled user object (and targetAddress) to be maintained, allowing on-premises Exchange to forward mail to this online user’s MBX, even though the account is disabled and the user cannot log in to the MBX themselves.

Note – It is best to manage the user instead of the license itself.  Removing an EXO license from an online user will do nothing more than disconnect the MBX, while leaving your on-premises Active Directory with the mail-enabled user, which is used by on-premises Exchange to route mail.  So if you no longer want/need the user and MBX, Delete is the route to go. If you would rather maintain the user and MBX (requires the EXO license to remain applied), then Disable is the route to go.  Removing a license online will leave your on-premises Active Directory with the mail-enabled user and targetAddress, while leaving your online user still able to log in and use other services within Office 365.
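
A check for the drift described above, as an added example that is not part of the original post: it cross-references mail-enabled AD users against online license state and flags accounts whose targetAddress still points at an online user with no EXO license. The sample rows are constructed, the `HasExoLicense` flag and the function name `Get-LicenseDriftFinding` are hypothetical, and matching the two sides by UserPrincipalName is an assumption.

```powershell
# Constructed sample data (not from the post). Assumed shapes:
#  $adUsers    ~ Get-ADUser -LDAPFilter '(targetAddress=*)' -Properties targetAddress
#  $cloudUsers ~ one row per online user; HasExoLicense is a hypothetical flag you
#                derive from the user's assigned licenses before calling the function.
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; Enabled = $true;  targetAddress = 'SMTP:alice@contoso.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   Enabled = $false; targetAddress = 'SMTP:bob@contoso.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; Enabled = $true;  targetAddress = 'SMTP:carol@contoso.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com';  Enabled = $false; targetAddress = 'SMTP:dave@contoso.onmicrosoft.com' }
)
$cloudUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; HasExoLicense = $true;  BlockCredential = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   HasExoLicense = $true;  BlockCredential = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; HasExoLicense = $false; BlockCredential = $false }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com';  HasExoLicense = $false; BlockCredential = $true }
)

function Get-LicenseDriftFinding {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,
        [Parameter(Mandatory)] [object[]] $CloudUsers
    )
    # Index online users by UPN (hashtable literals compare keys case-insensitively).
    $cloudByUpn = @{}
    foreach ($c in $CloudUsers) { $cloudByUpn[$c.UserPrincipalName] = $c }

    foreach ($ad in $AdUsers) {
        if (-not $ad.targetAddress) { continue }   # not routing mail to the cloud
        $cloud = $cloudByUpn[$ad.UserPrincipalName]
        # Skip users with no online counterpart, or whose EXO license is still applied.
        if (-not $cloud -or $cloud.HasExoLicense) { continue }

        # License was removed online, but AD still forwards mail to the online user.
        $finding = 'targetAddress routes mail to an online user with no EXO mailbox'
        if ($ad.Enabled -and -not $cloud.BlockCredential) {
            $finding += '; account can still sign in to other Office 365 services'
        }
        [pscustomobject]@{
            UserPrincipalName = $ad.UserPrincipalName
            TargetAddress     = $ad.targetAddress
            AdEnabled         = $ad.Enabled
            Finding           = $finding
        }
    }
}

Get-LicenseDriftFinding -AdUsers $adUsers -CloudUsers $cloudUsers | Format-List
```

Accounts it reports are candidates for the Delete or Disable process in AD, rather than being left with only the license removed.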