On-prem AD vs Office365
When using a local Active Directory connected to Office365 via Azure Active Directory and Azure AD Connect you will run into issues controlling Exchange features via Active Directory. Here is a quick guide how to manage it anyway.
The problem
When you connect your local Active Directory via Azure AD connect to sync everything with Office365 every synced account has to be managed locally. You can’t create a local user, distribution list or contact and then change properties like who can send e-mails to it in the Office365 web ui.
At the same time there is no way to set these properties locally since properties on your Active Directory objects are missing. Fields like authOrig that controls who can send e-mails to a distribution group just isn’t their.
Extending the schema
To solve this problem we first have to Extend our Active directory schema. This can be solved by using the Exchange 2016 Setup files that we can download from Microsoft for free.
- Download the Exchange 2016 Setup files from: https://www.microsoft.com/en-us/download/details.aspx?id=57827
- Mount it to you server. I used one of my domain controllers.
- Start a CMD as Administrator
- From the mounted ISO run: setup.exe /IAcceptEchangeServerLicenseTerms /PrepareSchema
- Now run the Azure AD Connect application and run Refresh directory schema.
Now you will find all the fields on your objects. You have to select Advanced Features from the View menu in Active Directory Users and Computers to see the new fields.
Powershell examples
There are dedicated CMDlet’s for working with Exchange objects but they are not available to us so we need to be creative with the standard stuff.
Creating a new mail group
New-ADGroup -Name 'Test Group' -GroupCategory Distribution -GroupScope Global -OtherAttributes @{'mail'='test.group@example.com'} -Path 'CN=Users,DC=example,DC=com'
This will create a basic e-mail group, also known as distribution group.
Add users to the group
Since we don’t have the normal Exchange cmdlet’s to use for group membership we have to do our own. In the example below we add all users from the OU Users unless they’re already a member.
# Get the group via e-mail
$group = Get-AdGroup -Filter ('mail -eq "test.group@example.com"') -SearchBase 'CN=Users,DC=example,DC=com';
# Get all the users and loop them
Get-ADObject -Filter 'ObjectCLass -eq "user"' -SearchBase 'CN=Users,DC=example,DC=com' | ForEach-Object {
if(!($group.Members.Contains($_.DistinguishedName)))
{
# Add contact to the group
Set-ADGroup $group -Add @{'member'=$_.DistinguishedName};
}
}
The Set-ADGroup can be used with several switches to effect the properties like -Add, -Remove, -Clear, -Clear. More information here: https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-adgroup?view=win10-ps
Control who can send to the e-mail group
# Get the user via e-mail
$sender = Get-ADUser -Filter ('mail -eq "mr.admin@example.com"');
# Add the user
Set-ADGroup $group -Add @{authOrig=@($sender.DistinguishedName)};
Above we just get a user by e-mail but you can get them with all the different cmdlet’s that search for users and filter on what ever you like. You could also use the .Members.Contains() function from the previous example.
Hide objects from Global Address List
The last example is to hide users, contacts or groups from the global address list.
# Get the object
$sender = Get-ADUser -Filter ('mail -eq "mr.secret@example.com"');
# Hide from address list
Set-ADObject $sender -Replace @{msExchHideFromAddressLists'=$true;mailNickname='mr.secret@example.com'};
For this to sync you need to set the mailNickname property as well. That will be used as alias on the Office365 side. To avoid alias just set it to the same e-mail as the user have.
Hackviking aka Kristofer Källsbo 