Creating users and shared mailboxes in an Exchange hybrid environment

How to create users and shared mailboxes in a Hybrid Exchange environment.

If you are running a hybrid environment, with Active Directory and Exchange on-premises together with Office 365 and Exchange Online, you should already know that you need to keep your Exchange Server(s) in order to be able to correctly manage your mailboxes as per https://docs.microsoft.com/en-gb/exchange/decommission-on-premises-exchange:

‘The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects.’

So, whilst you could just sync users to Azure AD and assign them an Exchange Online license, which will create a mailbox, the accounts will be difficult to manage: they will not appear in your on-premises EAC, and you will have to resort to the AD attribute editor or another tool to configure addresses etc., which is not supported. Not only that, if you are still routing mail via your on-premises servers, the accounts will have no target address, so they won’t be able to receive email and any non-migrated user will be unable to email them. Enough of a reason to do it properly?

So, with this in mind, what is the correct way of creating users and shared mailboxes?

Using the EAC

Whilst you could use the good old EAC, this has significant drawbacks:

  1. You cannot create a mailbox for a pre-existing user in AD
  2. You can’t create an online archive at the same time, you would have to enable this later
  3. You cannot create an online shared mailbox at all using EAC

You shouldn’t have to modify your whole joiners and leavers process to work around these limitations, so do this the right (and easy) way, using PowerShell. You can always view and modify the properties in the EAC later if you are a die-hard GUI fan.

Using PowerShell

I incorporate the following commands into PowerShell scripts, typically importing CSV files in order to create multiple accounts at the same time, but here are the commands to get you started. They create a user account in the OU specified, along with all the correct attributes. The mailbox itself is created once the account has synced up to Azure AD.

Connect to your on-premises Exchange PowerShell first (note that the -Shared switch requires Exchange 2013 or later).

Creating Users

New-RemoteMailbox -Alias auser -Name "Alex User" -FirstName Alex -LastName User -OnPremisesOrganizationalUnit "OU=MyOrg,DC=domain,DC=com" -SamAccountName auser -UserPrincipalName alex.user@domain.com -ResetPasswordOnNextLogon:$false

I normally use a CSV file like this:

Alias,DisplayName,FirstName,LastName,UPN
test_shared,Test Shared,Test,Shared,Test.Shared@domain.com

Note that if you want to specify the password in the CSV you will need to use something like this in your script:

$securePass = (ConvertTo-SecureString -String $newUser.Password -AsPlainText -Force)

And then specify -Password $securePass.

Your script should also add the users into the required groups for licensing, assuming you are using group-based licensing; otherwise the mailbox will be deleted after 30 days.

Creating Shared Mailboxes

Pretty much the same, except you add -Shared and don’t specify a password.

New-RemoteMailbox -Shared -Alias test_shared -Name "Test Shared" -FirstName Test -LastName Shared -OnPremisesOrganizationalUnit "OU=MyOrg,DC=domain,DC=com" -SamAccountName test_shared -UserPrincipalName test.shared@domain.com

When you create a shared mailbox like this, there is no password and the AD account is disabled, as it should be. It will also be visible in both the on-premises EAC and the online one. Shared mailboxes created correctly do not need any license, since the account is disabled and they cannot be accessed directly.
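The following script ties together the two procedures above (CSV-driven user mailboxes with a password and licensing group, and shared mailboxes with neither) into one idempotent run. It is an added example, not code from the original post: the CSV path, the Type and Password columns, and the licensing group name are assumptions for illustration, and it expects to be run from the on-premises Exchange Management Shell (2013 or later) on a host with the ActiveDirectory module available.

```powershell
# Added example (not from the original post): create remote user and shared
# mailboxes from one CSV in a hybrid Exchange organization.
# Assumed CSV layout: Alias,DisplayName,FirstName,LastName,UPN,Type,Password
#   Type is "User" or "Shared"; Password is only read when Type is "User".
Import-Module ActiveDirectory

$CsvPath      = 'C:\Temp\new-mailboxes.csv'       # assumed path
$TargetOU     = 'OU=MyOrg,DC=domain,DC=com'       # OU from the post
$LicenseGroup = 'GRP-Exchange-Online-License'     # assumed group used for group-based licensing

$rows = Import-Csv -Path $CsvPath

foreach ($row in $rows) {
    # Make re-runs safe: skip anything that already has a remote mailbox.
    if (Get-RemoteMailbox -Identity $row.UPN -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($row.UPN): remote mailbox already exists"
        continue
    }

    # Parameters shared by both mailbox types (mirrors the commands in the post).
    $common = @{
        Alias                        = $row.Alias
        Name                         = $row.DisplayName
        FirstName                    = $row.FirstName
        LastName                     = $row.LastName
        SamAccountName               = $row.Alias
        UserPrincipalName            = $row.UPN
        OnPremisesOrganizationalUnit = $TargetOU
    }

    if ($row.Type -eq 'Shared') {
        # No password: the AD account is created disabled, and no license is needed.
        New-RemoteMailbox -Shared @common | Out-Null
        Write-Host "Created shared mailbox $($row.UPN)"
    }
    elseif ($row.Type -eq 'User') {
        if ([string]::IsNullOrWhiteSpace($row.Password)) {
            Write-Warning "Skipping $($row.UPN): no password supplied for a user mailbox"
            continue
        }
        $securePass = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
        # Forcing a change at first logon is this example's choice; the post uses $false.
        New-RemoteMailbox @common -Password $securePass -ResetPasswordOnNextLogon:$true | Out-Null

        # Group-based licensing: an unlicensed online mailbox is removed after 30 days.
        Add-ADGroupMember -Identity $LicenseGroup -Members $row.Alias
        Write-Host "Created user mailbox $($row.UPN) and added it to $LicenseGroup"
    }
    else {
        Write-Warning "Skipping $($row.UPN): unknown Type '$($row.Type)'"
    }
}
```

Because the CSV carries initial passwords in clear text, keep it on an access-controlled share, delete it once the run completes, and leave -ResetPasswordOnNextLogon set to $true so the value in the file is only ever valid for a single logon.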
Posted in Azure AD, Exchange Online, Office 365