Exchange Mailbox Provisioning

Hi everyone! Hope everyone is doing great.
We are working on Exchange Mailbox Provisioning in a hybrid environment (Active Directory + Azure AD). Can someone who has already implemented a similar use case guide us on which approach is recommended by SailPoint?

I found a few use cases in the community portal. If someone has implemented any of these, please share the requirements and any documents available.

  1. Provision Active Directory Account and Assign O365 licenses via the On-Premise Account
  2. Provision Active Directory Account and Create an On-Premise Exchange Mailbox to Replicate to the Cloud

Thanks in advance

Hi @Chaitanya_Jaya, can you confirm whether Exchange is in hybrid mode, i.e. do you have on-prem Exchange servers?

Hi Jeremy, thank you for the response. Exchange is hybrid in this case.

Also, for the current integration with SailPoint IDN, only AD is in scope; Azure AD is being considered for the next wave.

Hi @Chaitanya_Jaya @Srikanth_Bandi

I’m going to assume you want to create Exchange Online Mailboxes in an Exchange Hybrid environment, with a Hybrid Identity environment synchronised using Entra Connect (Azure AD Connect).

I’m also going to assume that you have seen Hybrid Provisioning with Active Directory and Azure Active Directory - Compass as your scenarios match the first 2 mentioned there.

I have to be honest, I find that the linked page is not great at explaining the scenarios.

The best way to think about it is that you need to create an AD Account. Entra Connect will create the associated Entra Account. When an MS365 license which includes Exchange Online mailbox is assigned to the Entra Account the mailbox will be created based on the attributes of the Entra Account.

For the Mailbox to be created with all the necessary information, therefore, you need to make sure the attributes exist correctly on the AD Account.

There are 4 AD attribute values to be aware of that need to be populated correctly:

  1. mail - “Primary” mail Address eg joe.bloggs@contoso.com
  2. targetAddress - the “Internal” email routing address. This is to route messages between on-prem Exchange and Exchange online. eg SMTP:joe.bloggs@contoso.onmicrosoft.com
  3. mailNickname - the “alias” or shortname for the mailbox. eg joebloggs
  4. proxyAddresses - the list of all protocols and associated addresses for the mailbox

There are also some other system-type AD attributes which are used to tell Exchange Online what type of mailbox to create - in this case it is a Remote Mailbox

These attributes can be set using the ISC connector, but they can also be set using the PowerShell command enable-remoteMailbox. It is preferable to use PowerShell, as it means you don’t need to worry about the system-type attributes; also, managing the proxyAddresses attribute can get tricky.

  1. Create an AD Account using the standard AD connector and include the mail attribute in the create policy. Optionally, include the mailNickname and targetAddress.
  2. Use an After Create Rule (see Before and After Operations on Source Account Rule | SailPoint Developer Community) to run the enable-remoteMailbox PowerShell command. This is similar to Scenario 2. in the originally linked page. If you have already set the mailNickname and targetAddress then you don’t need the -alias and -remoteRoutingAddress parameters (see Enable-RemoteMailbox (ExchangePowerShell) | Microsoft Learn). NOTE: If you intend to set the targetAddress attribute using the -remoteRoutingAddress parameter, you don’t need to include the “SMTP:” prefix.
  3. Assign an Entitlement to the AD Account which represents membership of the on-prem Group which is synchronised to Entra and assigned to the MS365 license required. Similar to Scenario 1. in the originally linked page.

Next time you aggregate the AD Account, examine the attributes mentioned to check they were populated correctly. NOTE: if the Exchange Online mailbox has been created successfully you will see the proxyAddresses attribute populated with Exchange Online information, as this is “written back” from Entra.
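As an added example (not from the original post and not SailPoint's own code), this is the shape of an After Create PowerShell script for the IQService host that covers steps 2 and 4 above: it runs Enable-RemoteMailbox for the AD account the ISC AD connector just created, then checks the four attributes listed in the post, plus the system-type attribute Exchange sets, directly in AD. The Exchange server URI, domain controller, tenant routing domain, IQService install path and log path are assumed placeholder values; reading `$env:Request` through `Utils.dll` follows the standard IQService scripting pattern but is assumed to match your IQService version.

```powershell
# Added example for this thread (not SailPoint's code and not from the original post).
# After Create script for the IQService host: runs Enable-RemoteMailbox for the AD
# account the ISC AD connector just created, then checks the attributes the post lists.
# Paths, host names and the routing domain below are assumed values.

$ErrorActionPreference = 'Stop'
$IQServiceUtilsDll   = 'C:\SailPoint\IQService\Utils.dll'                    # assumed install path
$LogFile             = 'C:\SailPoint\IQService\Logs\EnableRemoteMailbox.log' # assumed log path
$ExchangeUri         = 'http://exch01.contoso.local/PowerShell/'              # assumed on-prem Exchange server
$DomainController    = 'dc01.contoso.local'                                   # assumed DC, used for write and read-back
$RemoteRoutingDomain = 'contoso.mail.onmicrosoft.com'                         # assumed tenant routing domain

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Checks the attributes the post says must be correct on the AD account.
# Returns an empty array when everything is in order, otherwise a list of findings.
function Test-RemoteMailboxAttributes {
    param([Parameter(Mandatory)] $User)   # Get-ADUser result with the properties below loaded
    $problems = @()
    if (-not $User.mail)         { $problems += 'mail is empty' }
    if (-not $User.mailNickname) { $problems += 'mailNickname is empty' }
    if ($User.targetAddress -notmatch '^SMTP:[^@]+@.+$') {
        $problems += "targetAddress '$($User.targetAddress)' is not an SMTP: routing address"
    }
    # Exactly one upper-case 'SMTP:' entry marks the primary address in proxyAddresses.
    $primary = @($User.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        $problems += "expected one primary SMTP: entry in proxyAddresses, found $($primary.Count)"
    } elseif ($primary[0] -ne "SMTP:$($User.mail)") {
        $problems += "primary proxy address $($primary[0]) does not match mail $($User.mail)"
    }
    # Enable-RemoteMailbox also lists the routing address as a secondary (lower-case smtp:) entry.
    $routing = $User.targetAddress -replace '^SMTP:', ''
    if ($routing -and ($User.proxyAddresses -notcontains "smtp:$routing")) {
        $problems += 'routing address from targetAddress is missing from proxyAddresses'
    }
    # System-type attribute Exchange sets for a remote mailbox: 2147483648 = RemoteUserMailbox.
    if ($User.msExchRecipientTypeDetails -ne 2147483648) {
        $problems += "msExchRecipientTypeDetails is '$($User.msExchRecipientTypeDetails)', not RemoteUserMailbox"
    }
    return $problems
}

# 1. Read the sAMAccountName from the provisioning request IQService hands the
#    script in $env:Request (standard IQService scripting pattern using Utils.dll).
Add-Type -Path $IQServiceUtilsDll
$reader         = New-Object System.IO.StringReader([string]$env:Request)
$xmlReader      = [System.Xml.XmlTextReader]([SailPoint.Utils.xml.XmlUtil]::getReader($reader))
$accountRequest = New-Object SailPoint.Utils.objects.AccountRequest($xmlReader)
$sam = ($accountRequest.AttributeRequests | Where-Object { $_.Name -eq 'sAMAccountName' }).Value

# Allow-list the value before handing it to any cmdlet: it came from an upstream system.
if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') { throw "Refusing unexpected sAMAccountName '$sam'" }

# 2. Connect to on-prem Exchange as the IQService service account over Kerberos:
#    no credentials in the script; the account only needs the Recipient Management role group.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri -Authentication Kerberos
try {
    Import-PSSession -Session $session -CommandName Enable-RemoteMailbox -DisableNameChecking -AllowClobber | Out-Null

    $user = Get-ADUser -Identity $sam -Server $DomainController -Properties mail, mailNickname, targetAddress
    if (-not $user.mail) { throw "$sam has no mail attribute; the AD create policy must set it" }
    $alias = if ($user.mailNickname) { $user.mailNickname } else { $sam }

    if (-not $user.targetAddress) {
        # No 'SMTP:' prefix on -RemoteRoutingAddress; Exchange writes targetAddress with it.
        # Pinning -DomainController avoids reading back a DC that has not replicated yet.
        Enable-RemoteMailbox -Identity $user.DistinguishedName -Alias $alias -PrimarySmtpAddress $user.mail `
            -RemoteRoutingAddress "$alias@$RemoteRoutingDomain" -DomainController $DomainController | Out-Null
        Write-Log "Enabled remote mailbox for $sam (alias $alias)"
    } else {
        Write-Log "$sam already has targetAddress $($user.targetAddress); nothing to do"   # rule re-runs stay idempotent
    }

    # 3. Verify, straight from the same DC, before the next ISC aggregation does.
    $verified = Get-ADUser -Identity $sam -Server $DomainController `
        -Properties mail, mailNickname, targetAddress, proxyAddresses, msExchRecipientTypeDetails
    $findings = @(Test-RemoteMailboxAttributes -User $verified)
    if ($findings.Count -gt 0) { throw "Attribute check failed for ${sam}: $($findings -join '; ')" }
    Write-Log "Attributes verified for $sam"
}
catch {
    Write-Log "ERROR for ${sam}: $($_.Exception.Message)"
    throw   # surface the failure to the rule so provisioning is not silently reported as successful
}
finally {
    Remove-PSSession -Session $session
}
```

Two points worth keeping when adapting this: the script never builds a command string from the incoming sAMAccountName (it is allow-listed and then passed as a cmdlet argument), and the Exchange session uses Kerberos under the IQService service account rather than stored credentials, so the blast radius if the IQService host is compromised is limited to what the Recipient Management role grants. The `Test-RemoteMailboxAttributes` function can also be run on its own against a `Get-ADUser` result to reproduce the post-aggregation check the post recommends.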

Thanks @j_place for your response.
I have a follow-up question on this: in the above solution, do we need to
have the Azure AD (Entra) connector integrated with SailPoint IDN to use its attributes to create the mailbox?

I need some advice on a similar topic: if we want to directly provision a mailbox in on-prem AD, what would be the steps involved?
1. Can we sync the on-prem mailbox with the Azure AD account (Entra AD) using Entra Connect?

Thanks in advance.

@Chaitanya_Jaya

The Active Directory connector provides a function to create a mailbox in the on-prem Exchange server. Apart from that, you can try PowerShell scripts to create the mailbox and set the mail alias as well, triggered by an AfterCreate rule attached to the Active Directory source.

Thanks,
Nikhlesh


Hi @Chaitanya_Jaya - there is no need to integrate ISC with Entra in the scenario I describe. Please re-read my post, particularly:

For the Mailbox to be created with all the necessary information, therefore, you need to make sure the attributes exist correctly on the AD Account.

As to your second question: in hybrid Exchange mode, mailboxes are either in on-prem Exchange or Exchange Online. There is no such thing as creating a mailbox in on-prem AD, and I’m not sure what you mean by syncing an on-prem mailbox with Entra ID.

Also, unless you have a very specific use case, I cannot see the purpose in creating an on-prem Mailbox. Hybrid Exchange mode is used while migrating existing mailboxes from on-prem to Exchange Online, allowing the 2 to co-exist for what should be a limited time.

Hi Jeremy,

We have a similar use case, but a mailbox is a birthright only for a selected set of people.
We are currently migrating from IIQ to ISC. Here is how it works in the current state in IIQ.

  1. When a new employee joins, SailPoint triggers the joiner and creates an AD account.
  2. The user's Office 365 account, along with the Entra ID, is created behind the scenes within an hour.
  3. Licences are assigned to the user if they match any of the assignment criteria of the Business and IT roles (these SailPoint roles add an AD group to the user, which in turn adds the corresponding licenses).
  4. If a license is assigned, then during our nightly aggregation task SailPoint picks up the assigned licenses from the O365 aggregation; then, through a combination of a lifecycle event and a before-modify native rule, SailPoint triggers a PowerShell script to enable the mailbox.

In ISC, instead of an LCE for the mailbox, we are planning to configure a role and would use the same before-modify rule to trigger the PowerShell.

I am curious how these native rules work. Won’t this be executed before each modify operation? How does SailPoint filter the script execution for other scenarios? I tried looking into connector rules but couldn’t find any information.

Hi @shiva_Idm19 Please start another forum post with the specific question/problem that you are having. This will provide the best exposure.
