Change source of authority (SOA) for Exchange Attributes (Preview)

Hi All,

Until now, a hybrid deployment with Entra Connect Sync or Cloud Sync required you to keep an Exchange Server on-prem, or to use the Exchange Recipient Management tools, in order to manage the Exchange attributes of synced objects.

A few weeks ago, Microsoft published an article with another option.

With the introduction of the "IsExchangeCloudManaged" attribute, you can change the source of authority (SOA) for the Exchange attributes (such as EmailAddresses, Alias, HiddenFromAddressListsEnabled and the ExtensionAttributes) of an on-prem synced object from on-prem to the cloud.

More details can be found in the following article:

Phase 1 (Preview)

Phase 1 introduces per-mailbox control for cloud management of Exchange attributes. Administrators can opt in individual mailboxes for cloud management by setting IsExchangeCloudManaged to true. During this phase, mailboxes may also be rolled back to on-premises management if required (IsExchangeCloudManaged set back to false). Phase 1 is intended for managing existing user mailbox attributes individually and for feature validation.

Phase 2

Phase 2 will introduce write-back support for designated attributes, as well as Entra Cloud Sync integration. During this phase, modifications to key Exchange properties made in the cloud will be automatically synchronized to on-premises Active Directory. This process ensures that your on-premises AD is consistently updated; for instance, any changes to a proxy address in Exchange Online will be reflected accordingly. To utilize writeback functionality, customers are required to implement Entra Cloud Sync. Additional information regarding this capability will be shared as part of the documentation once phase 2 is about to start.

Prerequisites

Entra Connect Sync Version:

To enable this feature, install the latest version of Entra Connect Sync: version 2.5.76.0 or higher is required. The configured version can be read on the Entra Connect server with the ADSync module:

(Get-ADSyncGlobalSettings).Parameters['Microsoft.Synchronize.ServerConfigurationVersion']

Role requirements

By default, the IsExchangeCloudManaged parameter of Set-Mailbox is available to the following Entra ID roles:

  • Exchange Administrator
  • Exchange Recipient Administrator

and to any Exchange Online RBAC role that can run Set-Mailbox -IsExchangeCloudManaged, unless the parameter has been specifically removed from that role.

Exchange Online Object Types

Let's check the different recipient types.

Mailbox

Let's check a synced Active Directory object that has an Exchange Online mailbox:

Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox -Identity <Identity> | fl IsDirSynced, IsExchangeCloudManaged

Distribution Group

Get-DistributionGroup -Identity <Identity> | fl IsExchangeCloudManaged

Mail Contact

Get-MailContact -Identity <Identity> | fl IsExchangeCloudManaged

Mail User

Get-MailUser -Identity <Identity> | fl IsExchangeCloudManaged

Before changing source of authority (SOA)

$EmailAddresses = Get-Mailbox -Identity "m.muster@icewolf.ch" | Select-Object -ExpandProperty EmailAddresses
$EmailAddresses
$EmailAddresses += "smtp:m.muster@subdomain.icewolf.ch"
# Expected to fail while the object is synced: the attribute is still mastered in on-prem AD
Set-Mailbox -Identity "m.muster@icewolf.ch" -EmailAddresses $EmailAddresses

Change source of authority (SOA)

Now let's change the source of authority (SOA) by setting the attribute IsExchangeCloudManaged to true. Writing the EmailAddresses directly afterwards does not work yet; the change takes some time to become effective.

Set-Mailbox -Identity "m.muster@icewolf.ch" -IsExchangeCloudManaged $true
Set-Mailbox -Identity "m.muster@icewolf.ch" -EmailAddresses $EmailAddresses

After a while it is possible to change the EmailAddresses on the synced AD object:

Set-Mailbox -Identity "m.muster@icewolf.ch" -EmailAddresses $EmailAddresses
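The same procedure wrapped in a function, as an added example that is not code from the original post: it checks that the mailbox really is a synced object, sets IsExchangeCloudManaged, then retries the EmailAddresses write until Exchange Online accepts it instead of guessing how long "a while" is, and verifies the result from a fresh read. It assumes an existing Connect-ExchangeOnline session with a role that may run Set-Mailbox -IsExchangeCloudManaged; the function name, the accepted-domain check and the identity and address used in the call are this example's own choices.

```powershell
# Added example, not code from the original post: switch one synced mailbox to
# cloud-managed Exchange attributes and add a proxy address once the switch is
# effective. Assumes an existing Connect-ExchangeOnline session. Identity and
# address in the call at the bottom are placeholders.
function Set-MailboxExchangeSoaToCloud {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $NewSmtpAddress,
        [int] $MaxAttempts = 12,
        [int] $DelaySeconds = 30
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Only directory-synced objects need the switch; cloud-only mailboxes are already cloud managed
    if (-not $mbx.IsDirSynced) {
        throw "$Identity is not a synced object; its Exchange attributes are already mastered in the cloud."
    }

    # Fail early on a domain the tenant does not own, so the retry loop below does not
    # mistake a rejected address for "SOA change not yet effective" (exact match only;
    # accepted domains with MatchSubDomains are not handled here)
    $domain = ($NewSmtpAddress -split '@')[-1]
    $accepted = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain }
    if (-not $accepted) {
        throw "$domain is not an accepted domain in this tenant."
    }

    $existing = @($mbx.EmailAddresses | ForEach-Object { "$_" })
    if ($existing -contains "smtp:$NewSmtpAddress") {
        throw "$NewSmtpAddress is already assigned to $Identity."
    }

    if (-not $mbx.IsExchangeCloudManaged) {
        Set-Mailbox -Identity $Identity -IsExchangeCloudManaged $true -ErrorAction Stop
        Write-Verbose "Set IsExchangeCloudManaged on $Identity; waiting for it to become effective"
    }

    # The switch is not effective immediately: retry the write until Exchange Online accepts it.
    # Any other error (for example a missing RBAC permission) surfaces after MaxAttempts.
    $addresses = $existing + "smtp:$NewSmtpAddress"
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Set-Mailbox -Identity $Identity -EmailAddresses $addresses -ErrorAction Stop
            break
        } catch {
            if ($attempt -eq $MaxAttempts) {
                throw "EmailAddresses still rejected after $MaxAttempts attempts: $($_.Exception.Message)"
            }
            Write-Verbose "Attempt $attempt rejected ($($_.Exception.Message)); retrying in $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
    }

    # Verify from a fresh read rather than from the list built locally
    $after = Get-Mailbox -Identity $Identity
    [pscustomobject]@{
        Identity               = "$($after.PrimarySmtpAddress)"
        IsDirSynced            = $after.IsDirSynced
        IsExchangeCloudManaged = $after.IsExchangeCloudManaged
        AddressPresent         = (@($after.EmailAddresses | ForEach-Object { "$_" }) -contains "smtp:$NewSmtpAddress")
    }
}

Set-MailboxExchangeSoaToCloud -Identity 'm.muster@icewolf.ch' -NewSmtpAddress 'm.muster@subdomain.icewolf.ch' -Verbose
```

The returned object is what you want in a change record: it proves the mailbox is still a synced object (IsDirSynced) but that its Exchange attributes are now cloud managed, and that the address was actually stored.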

Exchange OnPrem

Let's check whether the email addresses have been written back to Exchange on-prem. They have not:

Get-RemoteMailbox -Identity m.muster@icewolf.ch | Select-Object -ExpandProperty EmailAddresses

The same check in Active Directory, using Active Directory Users and Computers with the Attribute Editor (proxyAddresses), shows the same picture: the new address exists only in Exchange Online.
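Because nothing is written back in Phase 1, on-prem AD and Exchange Online will drift apart for every mailbox you switch. The following added example, not code from the original post, reports that drift for all cloud-managed synced mailboxes by comparing the Exchange Online EmailAddresses with the proxyAddresses attribute in AD. It needs an Exchange Online session plus the ActiveDirectory module (RSAT) on the same host; matching users by UserPrincipalName assumes the on-prem UPN equals the cloud UPN, which is this example's assumption, not something the post states. The function name and the optional -Server value are placeholders.

```powershell
# Added example, not code from the original post: list cloud-only and on-prem-only
# proxy addresses for every synced mailbox whose Exchange attributes are cloud managed.
# Needs an Exchange Online session plus the ActiveDirectory module (RSAT) on the host.
# Matching by UserPrincipalName assumes the on-prem UPN equals the cloud UPN (assumption).
function Get-ExchangeSoaDrift {
    param(
        [string] $Server   # optional domain controller or GC, e.g. 'dc01.icewolf.local' (placeholder)
    )

    $adParams = @{ Properties = 'proxyAddresses'; ErrorAction = 'Stop' }
    if ($Server) { $adParams['Server'] = $Server }

    # Only synced objects can have their SOA switched; the flag itself is filtered client-side
    Get-Mailbox -ResultSize Unlimited -Filter 'IsDirSynced -eq $true' |
        Where-Object { $_.IsExchangeCloudManaged } |
        ForEach-Object {
            $mbx = $_
            # Normalise case so the primary SMTP: entry and smtp: aliases compare equal
            $cloud = @($mbx.EmailAddresses | ForEach-Object { "$_".ToLowerInvariant() })

            $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($mbx.UserPrincipalName)'" @adParams
            $onPrem = @()
            if ($adUser) {
                $onPrem = @($adUser.proxyAddresses | ForEach-Object { $_.ToLowerInvariant() })
            }

            [pscustomobject]@{
                UserPrincipalName = $mbx.UserPrincipalName
                FoundInAD         = [bool]$adUser
                CloudOnly         = @($cloud  | Where-Object { $_ -notin $onPrem })   # not written back in Phase 1
                OnPremOnly        = @($onPrem | Where-Object { $_ -notin $cloud })
            }
        }
}

# Show only mailboxes where the two sides differ
Get-ExchangeSoaDrift |
    Where-Object { $_.CloudOnly.Count -gt 0 -or $_.OnPremOnly.Count -gt 0 } |
    Format-Table -AutoSize
```

Addresses reported as CloudOnly exist only in Exchange Online. Review that list before you roll a mailbox back to on-prem management (IsExchangeCloudManaged set to false), because the on-prem values, which never received those changes, become the source of authority again.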

Provisioning

For Exchange provisioning, the only change is that, after the mailbox has been created in Exchange Online, you set the attribute IsExchangeCloudManaged to true:

# OnPrem (Exchange Management Shell): create the remote mailbox; the Exchange
# attributes are stamped in AD and picked up by the next Entra Connect sync cycle
$SamAccountName = "m.muster"
$Tenant = "icewolf"   # <tenant>.mail.onmicrosoft.com
Enable-RemoteMailbox -Identity $SamAccountName -RemoteRoutingAddress "$($SamAccountName)@$($Tenant).mail.onmicrosoft.com"

# After the object has synced: add an Exchange Online licence; the mailbox is then created in Exchange Online

# Exchange Online: once the mailbox exists, hand its Exchange attributes to the cloud and verify
Set-Mailbox -Identity <Identity> -IsExchangeCloudManaged $true
Get-Mailbox -Identity <Identity> | fl IsDirSynced, IsExchangeCloudManaged

Summary

As stated, IsExchangeCloudManaged is currently only available for Exchange Online mailboxes, and changed attributes are not written back to on-prem AD; writeback will come later with Entra Cloud Sync (Phase 2). The other object types (distribution groups, mail contacts, mail users) are on the backlog and will follow.

It's a welcome change on the way to getting rid of Exchange Server on-prem.

Regards
Andres Bohren
