Notes From the Field:
I was recently asked to assist an ongoing project with understanding some complex mail routing and identity scenario’s which had been identified during planning for an upcoming mail migration from an external system into Exchange Online.
New User accounts were created in Active Directory for the external staff who are about to be migrated. If we were to assign the target state, production email attributes now, and create the exchange online mailboxes, we would have a problem nearing migration.
When the new domain is verified in Office365 & Exchange Online, new mail from staff already in Exchange Online would start delivering to the newly created mailboxes for the staff soon to be onboarded.
Not doing this, will delay the project which is something we didn’t want either.
I have proposed the following in order to create a scenario whereby cutover to Exchange Online for the new domain is quick, as well as not causing user downtime during the co-existence period. We are creating some “co-existence” state attributes on the on-premises AD user objects that will allow mail flow to continue in all scenarios up until cutover. (I will come back to this later).
We have configured the AD user objects in the following way
- UserPrincipalName – username@localdomainname.local
- mail – username@mydomain.onmicrosoft.com
- targetaddress – username@mydomain.com
We have configured the remote mailbox objects in the following way
- mail – username@mydomain.onmicrosoft.com
- targetaddress – username@mydomain.com
We have configured the on-premises Exchange Accepted domain in the following way
- Accepted Domain – External Relay
We have configured the Exchange Online Accepted domain in the following way
- Accepted Domain – Internal Relay
How does this all work?
Glad you asked! As I eluded to earlier, the main problem here is with staff who already have mailboxes in Exchange Online. By configuring the objects in this way, we achieve several things:
- We can verify the new domains successfully in Office365 without impacting existing or new users. By setting the UPN & mail attributes to @mydomain.onmicrosoft.com, Office365 & Exchange Online do not (yet) reference the newly onboarded domain to these mailboxes.
- By configuring the accepted domains in this way, we are doing the following:
- When an email is sent from Exchange Online to an email address at the new domain, Exchange Online will route the message via the hybrid connector to the Exchange on-premises environment. (the new mailbox has an email address @mydomain.onmicrosoft.com)
- When the on-premises environment receives the email, Exchange will look at both the remote mailbox object & the accepted domain configuration.
- The target address on the mail is configured @mydomain.com
- The accepted domain is configured as external relay
- Because of this, the on-premises exchange environment will forward the message externally.
Why is this good?
Again, for a few reasons!
We are now able to pre-stage content from the existing external email environment to Exchange Online by using a target address of @mydomain.onmicrosoft.com. The project is no longer at risk of being delayed ! 🙂
At the night of cutover for MX records to Exchange Online (Or in this case, a 3rd party email hygiene provider), We are able to use the same powershell code that we used in the beginning to configure the new user objects to modify the user accounts for production use. (We are using a different csv import file to achieve this).
Target State Objects
We have configured the AD user objects in the following way
- UserPrincipalName – username@mydomain.com
- mail – username@mydomain.com
- targetaddress – username@mydomain.mail.onmicrosoft.com
We have configured the remote mailbox objects in the following way
- mail
- username@mydomain.com (primary)
- username@mydomain.onmicrosoft.com
- targetaddress – username@mydomain.mail.onmicrosoft.com
We have configured the on-premises Exchange Accepted domain in the following way
- Accepted Domain – Authoritive
We have configured the Exchange Online Accepted domain in the following way
- Accepted Domain – Internal Relay
NOTE: AAD Connect sync is now run and a manual validation completed to confirm user accounts in both on-premises AD & Exchange, as well as Azure AD & Exchange Online to confirm that the user updates have been successful.
We can now update DNS MX records to our 3rd party email hygiene provider (or this could be Exchange Online Protection if you don’t have one).
A final synchronisation of mail from the original email system is completed once new mail is being delivered to Exchange Online.