First published at https://nivleshc.wordpress.com

Background

Over the past few weeks, I have been doing some Cloud-Only Office 365 deployments using Azure AD Connect . As you might imagine, this deployment is abit different to the Hybrid Office 365 deployment.
One of the things that got me thinking was, how are the email addresses created for my Office 365 mailboxes? As I was synchronising objects from my on-premises Active Directory, this question held the answer to what values I needed to change in my on-premises Active Directory user object, to get the desired email addresses populated in the Office 365 mailbox that will be created for it.

Preparation

To find the above answer, I devised a simple experiment.
I decided to create four on-premises Active Directory user objects, with different combinations of Netbios, UserPrincipalName (UPN), Mail attribute and ProxyAddresses and trace what happens to these values as they are used to create their corresponding Azure AD object. I will then assign an Office 365 Exchange Online Plan 2 license to these Azure AD objects and see what email addresses got assigned to the resulting Office 365 mailbox.
Simple? Lets begin.
The four user accounts I created in on-premises Active Directory had the following properties (ProxyAddresses were populated using ADSIEdit). The domains used by the UPN, Email and proxyaddresses attributes are all internet routable domains.

FirstName     :Ross
LastName      :McCary
DisplayName.  :Ross McCary
Netbios       :CONTOSO\R.McCary
UPN           :[email protected]
Email         :{blank}
ProxyAddresses:{blank}
FirstName.    :Angela
LastName      :Jones
DisplayName.  :Angela Jones
Netbios       :CONTOSO\A.Jones
UPN           :[email protected]
Email         :[email protected]
ProxyAddresses:{blank}
FirstName     :Zada
LastName      :Daley
DisplayName.  :Zada Daley
Netbios       :CONTOSO\Z.Daley
UPN           :[email protected]
Email         :[email protected]
ProxyAddresses:{blank}
FirstName     :Bob
LastName      :Brown
DisplayName   :Bob Brown
Netbios       :CONTOSO\B.Brown
UPN           :[email protected]
Email         :[email protected]
ProxyAddresses:SMTP:[email protected]
               smtp:[email protected]
               smtp:[email protected]

The Experiment

I initiated an Azure AD Connect delta synchronisation cycle and waited. After a few minutes, I saw new objects created in my Office 365 tenant’s Azure AD that corresponded to the ones that I had created in the on-premises Active Directory.
Here are the values that Azure AD Connect (AADC) added for the newly created AAD objects (tenantid is the id for the Office 365 tenant)

FirstName     :Ross
LastName      :McCary
DisplayName   :Ross McCary
SignInName    :[email protected]
UPN           :[email protected]
ProxyAddresses:{blank}
FirstName     :Angela
LastName      :Jones
DisplayName   :Angela Jones
SignInName    :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected]}
FirstName     :Zada
LastName      :Daley
DisplayName   :Zada Daley
SignInName.   :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected]}
FirstName     :Bob
LastName      :Brown
DisplayName   :Bob Brown
SignInName.   :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected]}

Now, this was quite interesting. AADC added proxyaddresses for only those Azure AD (AAD) objects that had the email field populated in their corresponding on-premises Active Directory user objects. Also, for Bob Brown, two additional proxy addresses had been added. Interesting indeed! (the additional attributes are in orange above)
I then proceeded to assigning an Office 365 Exchange Online Plan 2 license to all the above AAD objects so that a mailbox would be provisioned for them. After waiting a few minutes, I checked to confirm that the mailboxes had been successfully provisioned. I then went back to Azure AD and checked the attributes again.
Below is what I saw (additional values that got added after license assignment are in Orange)

FirstName     :Ross
LastName      :McCary
DisplayName   :Ross McCary
SignInName    :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected]}
FirstName     :Angela
LastName      :Jones
DisplayName   :Angela Jones
SignInName    :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected]}
FirstName     :Zada
LastName      :Daley
DisplayName   :Zada Daley
SignInName    :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected]}
FirstName     :Bob
LastName      :Brown
DisplayName   :Bob Brown
SignInName.   :[email protected]
UPN           :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected]}

For the mailboxes, below is what I saw

FirstName     :Ross
LastName      :McCary
DisplayName   :Ross McCary
UserID        :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected]}
FirstName     :Angela
LastName      :Jones
DisplayName   :Angela Jones
UserID        :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected]}
FirstName     :Zada
LastName      :Daley
DisplayName.  :Zada Daley
UserID        :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected]}
FirstName     :Bob
LastName      :Brown
DisplayName   :Bob Brown
UserID        :[email protected]
ProxyAddresses:{SMTP:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected],
                smtp:[email protected]}

Quite interesting (hmm well not really 😉 ). The newly created mailboxes had the same proxyaddresses as the proxyaddresses assigned to their corresponding AAD object.

The Result

After looking at the results, I could easily see a pattern between the on-premises Active Directory user object’s email and proxyaddresses values and the Azure AD and Office 365 mailbox email addresses.
From my experiment, I deduced the following process that is used to create email addresses for the Office 365 mailboxes

  1. When provisioning Azure AD objects, AADC first checks to see if the on-premises AD user object has proxyaddresses assigned. If there are any, these are added as proxyaddresses for the Azure AD object (the proxyaddress with the SMTP: prefix (uppercase smtp) will be the primarySMTP for the AAD object). If the email attribute is not part of the proxyaddresses, it is added as an additional proxyaddress. Next, the primarySMTP’s part before the @ is prefixed to the tenant email domain to create the mailbox’s routing email address and then added as an additional proxyaddress (for instance [email protected])
  2. If the on-premises Active Directory user object does not have any proxyaddresses, then the email attribute is assigned as the primarySMTP address for the AAD object. If the email attribute is not the same as the UPN, then the UPN is added as an additional proxy address. Next, the primarySMTP’s part before the @ is prefixed to the tenant email domain to create the mailbox’s routing email address and then added as an additional proxyaddress (for instance [email protected])
  3. In cases where both the email attribute and proxyAddresses are blank, the part of the UPN before the @ is prefixed to the tenant email domain to create the mailbox’s routing email address. In this instance, the routing email address is set as the primarySMTP address. The UPN is then added as an additional proxyaddress.

An interesting thing to note is that even before assigning an Office 365 license, you can see what email addresses will be assigned, by using PowerShell to check the proxyaddresses attribute of the Azure AD object.
I hope the above provides some clarity around how email addresses are created for Office 365 mailboxes and helps with your Cloud-Only Office 365 architectures.
Have a great day 😉

[Update] There could be instances, where by some mistake

  • (a) a new user is assigned an email attribute that is already attached to an existing mailbox in Office 365
  • (b) a new user is assigned a proxyaddress that is already attached to an existing mailbox in Office 365

For issue (a), AADC will not create the new user in AAD and instead display an error in the AADC console when doing an exporting to AAD. The error will be similar to below

“Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses xxxxxxxxx;]. Correct or remove the duplicate values in your local directory.”

The error will provide detailed information regarding the values that are causing the issue. It will also contain the ObjectIdInConflict. This is the id of the existing Object that the new user is in conflict with.

Using the ObjectIdInConflict value, search the AADC Metaverse with the clause “cloudAnchor contains ObjectIdInConflict“. (replace ObjectIdInConflict with the ObjectIdInConflict value as shown in the error). This will show the metaverse record of the object that the new user is conflicting with. In this case, remediate the issue in the on-premises Active Directory and then initiate another AADC delta synchronisation cycle.

 

For issue (b), AADC will create a new user in AAD however it will remove the proxyAddress that is causing the conflict from the new user object in AAD. It will also create a record in the Office 365 Admin Center, under Settings\DirSync errors, with details of the new user, the existing user that it is in conflict with and also the attribute that is in conflict. In this case, remediate the issue in the on-premises Active Directory and initiate another AADC delta synchronisation cycle.

Note: In both cases above, the technical contact for the Office 365 tenant gets sent an email with details of the errors.

Category:
Office 365
Tags:
, , ,