Hi @Chaitanya_Jaya @Srikanth_Bandi
I’m going to assume you want to create Exchange Online Mailboxes in an Exchange Hybrid environment, with a Hybrid Identity environment synchronised using Entra Connect (Azure AD Connect).
I’m also going to assume that you have seen Hybrid Provisioning with Active Directory and Azure Active Directory - Compass as your scenarios match the first 2 mentioned there.
I have to be honest, I find that that linked page is not great in explaining the scenarios.
The best way to think about it is that you need to create an AD Account. Entra Connect will create the associated Entra Account. When an MS365 license which includes Exchange Online mailbox is assigned to the Entra Account the mailbox will be created based on the attributes of the Entra Account.
For the Mailbox to be created with all the necessary information, therefore, you need to make sure the attributes exist correctly on the AD Account.
There are 4 AD attribute values to be aware of, and they need to be populated correctly:
- mail - “Primary” mail Address eg [email protected]
- targetAddress - the “Internal” email routing address. This is to route messages between on-prem Exchange and Exchange online. eg SMTP:[email protected]
- mailNickname - the “alias” or shortname for the mailbox. eg joebloggs
- proxyAddresses - the list of all protocols and associated addresses for the mailbox
There are also some other system-type AD attributes which are used to tell Exchange Online what type of mailbox to create - in this case it is a Remote Mailbox.
These attributes can be set using the ISC connector, but they can also be set using the PowerShell command enable-remoteMailbox. It is preferred to use the PowerShell as it means you don’t need to worry about the system-type attributes; also, managing the proxyAddresses attribute can get tricky.
- Create an AD Account using the standard AD connector and include the mail attribute in the create policy. Optionally, include the mailNickname and targetAddress.
- Use an After Create Rule (see Before and After Operations on Source Account Rule | SailPoint Developer Community) to run the enable-remoteMailbox PowerShell command. This is similar to Scenario 2. in the originally linked page. If you have already set the mailNickname and targetAddress then you don’t need the -alias and -remoteRoutingAddress parameters (see Enable-RemoteMailbox (ExchangePowerShell) | Microsoft Learn). NOTE: If you intend to set the targetAddress attribute using the -remoteRoutingAddress parameter, you don’t need to include the “SMTP:” prefix.
- Assign an Entitlement to the AD Account which represents membership of the on-prem Group which is synchronised to Entra and assigned to the MS365 license required. Similar to Scenario 1. in the originally linked page.
Next time you aggregate the AD Account, examine the attributes mentioned to check they were populated correctly. NOTE: if the Exchange Online mailbox has been created successfully you will see the proxyAddresses attribute populated with Exchange Online information as this is “written back” from Entra.
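
The attribute check described in the post above, as an added example that is not part of the original post or of SailPoint's or Microsoft's code. The function name `Test-RemoteMailboxAttributes`, the contoso addresses and the sample accounts are constructed for illustration; the rule that the primary proxy address should equal `mail` is an assumption about a typical setup.

```powershell
# Added example: checks the four mail attributes on an account object.
# With the ActiveDirectory module, real input could come from:
#   Get-ADUser -Identity joebloggs -Properties mail,targetAddress,mailNickname,proxyAddresses
function Test-RemoteMailboxAttributes {
    param([Parameter(Mandatory)] $Account)

    $problems = [System.Collections.Generic.List[string]]::new()

    if ([string]::IsNullOrWhiteSpace($Account.mail)) {
        $problems.Add('mail is empty')
    }
    if ([string]::IsNullOrWhiteSpace($Account.mailNickname)) {
        $problems.Add('mailNickname is empty')
    } elseif ($Account.mailNickname -match '\s') {
        $problems.Add('mailNickname contains whitespace')
    }
    # The stored value carries the prefix even when -RemoteRoutingAddress was given without it
    if ($Account.targetAddress -notmatch '^SMTP:[^@\s]+@[^@\s]+$') {
        $problems.Add("targetAddress is not in SMTP:user@domain form: '$($Account.targetAddress)'")
    }
    # Uppercase "SMTP:" marks the primary address; lowercase "smtp:" marks secondaries
    $primary = @($Account.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems.Add("expected exactly one primary SMTP: proxy address, found $($primary.Count)")
    } elseif ($Account.mail -and $primary[0].Substring(5) -ne $Account.mail) {
        $problems.Add("primary proxy address '$($primary[0])' does not match mail")
    }

    [pscustomobject]@{
        Name     = $Account.mailNickname
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample accounts: the first is well-formed, the second is not
$samples = @(
    [pscustomobject]@{
        mail = 'joe.bloggs@contoso.com'; mailNickname = 'joebloggs'
        targetAddress  = 'SMTP:joebloggs@contoso.mail.onmicrosoft.com'
        proxyAddresses = @('SMTP:joe.bloggs@contoso.com', 'smtp:joebloggs@contoso.mail.onmicrosoft.com')
    },
    [pscustomobject]@{
        mail = 'jane.doe@contoso.com'; mailNickname = 'jane doe'
        targetAddress  = 'janedoe@contoso.mail.onmicrosoft.com'
        proxyAddresses = @()
    }
)
$samples | ForEach-Object { Test-RemoteMailboxAttributes -Account $_ } | Format-List
```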