Exchange 2016: Hybrid mode with Office 365 (part 3)

This is the third part of the series "Exchange 2016 Hybrid Mode with Office 365". This part deals with the synchronization of local user accounts to Office 365 or Azure Active Directory.

Here are the links to the previous articles:

• Exchange 2016: Hybrid mode with Office 365 (Part 1)
• Exchange 2016: Hybrid mode with Office 365 (part 2)

IDFix

The IDFix tool can be used to detect problems in advance that prevent the successful synchronization of local user accounts with Azure AD. IDFix can be downloaded here free of charge:

• https://www.microsoft.com/en-us/download/confirmation.aspx?id=36832

IDFix requires no installation and can be run directly:

By clicking on "Query", IDFix searches for problems and immediately suggests a solution:

No problems were detected in my fresh test environment. If problems occur here, they can also be rectified directly using IDFix. However, a little caution is required here.

Azure AD Connect

In order for hybrid mode to be used, the user accounts of the local Active Directory must be synchronized with Azure Active Directory. The "Azure AD Connect" tool handles the synchronization. Although Azure AD Connect is not absolutely necessary, it makes administration much easier.

The current version of Azure AD Connect can be downloaded here:

• https://www.microsoft.com/en-us/download/details.aspx?id=47594

Installation is completed in just a few clicks, after which the configuration wizard starts:

I choose the "customized" installation here, as some adjustments can be made directly:

In this case, the components can be installed with the default settings; it may make sense to move the installation location to another partition:

After clicking on "Install", the SQL Express database and the other components are installed:

Directly after installing the components, the basic configuration of Azure AD Connect takes place. Password hash synchronization is selected here so that users can log in to Office 365 and local resources with the same user/password.

The advantage of password hash synchronization is that no additional local infrastructure such as ADFS is required; Azure AD Connect synchronizes the password hashes in both directions:

In the next step, the Office 365 credentials are entered so that Azure AD Connect can establish a connection to Azure Active Directory:

Since Azure AD Connect was installed on a server that is a member of the local Active Directory, the local overall structure is already proposed:

However, the login information must still be entered under "Add directory".

In my case, the password field was not visible in the following dialog, but if you press the Tab key once, you can access the field.

Once the login information has been entered, the local Active Directory can be seen in the list of "Configured directories":

The next dialog shows the Azure login configuration for the users. In this case, users can log in to both the local AD and Office 365 with their UPN:

This is one of the main reasons why the "Customized configuration" was selected. In this step, you can select specific OUs to be synchronized with Azure AD. In this way, it is quite easy to restrict which users and groups are synchronized with AzureAD:

The next dialog can be continued with the default settings, the identification based on the e-mail address is usually unique, because this can only exist once:

In this case, the filtering of which users and devices are to be synchronized has already been carried out at OU level. If the synchronization is to be restricted even further, an AD group can also be used here:

"Exchange hybrid provisioning" is selected as an optional feature in the next dialog:

Synchronization can be activated in the next step. After the configuration, Azure AD Connect starts directly with the synchronization of the local AD accounts with AzureAD:

The setup and synchronization now takes some time:

The last dialog shows a summary:

As soon as the first synchronization has been completed, the local user accounts are also visible in the Office 365 portal:

The next part deals with the Exchange configuration.