If it hurts, don’t do it.

Here is a good post on the topic from Frank Carius, another Office Servers and 
Services MVP:

Always the same Story  ☺


• Hybrid means AADConnect

• AADConnect means “managed locally”, replicated to Cloud
With one exception: Azure AD Premium with installed bidirectional Sync

• Services are using their local identity source

o OnPrem Users are using the Offline Address Book prepared by the local 
Exchange/SfB service

o Online Users are using the OABs from the Cloud services
You should replicate all users with a SIP-Address and a MAIL-Address to have a 
consistent address book view.


If you start in Online first (or created a user there first), then you should 
solve that with

1. Pause AADConnect

2. Create the “User” on premise with a matching SMTP address (or UPN 
from Mar 2015 on)
3164442 How to use UPN matching for identity synchronization in Office 365, 
Azure, or Intune
2641663 How to use SMTP matching to match on-premises user accounts to Office 
365 user accounts for directory synchronization
So we assume that the cloud object does not have an ImmutableID from an earlier 
AADConnect

3. Configure all properties as expected
So you simply have to remember that management of DirSynced accounts is 
somewhat limited. So all properties which cannot be maintained on a DirSynced 
user have to be maintained on premise, and AADConnect is doing the rest

a. Exchange: Create it as “Remote Mailbox” and make sure the 
ProxyAddresses are done

b. SfB: Enable it like you would enable a new user

c. Manage Group Memberships to match the Cloud group membership
Normally not an issue, because you cannot manage Synced Groups in the Cloud

4. UNPAUSE AADConnect.
It should match the local User with the Cloud user and overwrite the properties 
in the cloud with local properties based on the AADConnect transformation and 
projection rules (AADConnect is a “FIM in a box”)

My general Rule:

• “People” on one side must be on the other side.

• Groups that are used as Mail DL or SfB Groups

• Any other object with a “proxy Address” or “SIP-Address” should be in 
sync

• You may exclude Admin Accounts (if they are not used to administer 
Office 365 too)

• You may exclude Service Accounts (No one really cares about the Kerberos 
ASA-Account of Exchange 2010/2013 CAS-Arrays or backup Jobs etc.)

Simply compare the GAL on both worlds. If they are different, you may have a 
problem.

Frank




Frank Carius
Enterprise Architect / Partner

T:    +49 5251 304 600

Net at Work GmbH | Am Hoppenhof 32 A | 33104 Paderborn
Zentrale: +49 5251 304 600 | Fax: +49 5251 304 650
Handelsregister Paderborn: HRB 2663 | Geschäftsführer: Uwe Ulbrich

www.netatwork.de
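The pause / create-on-premise / match / unpause sequence and the final GAL comparison from Frank's post, written out as an added PowerShell example. This is not code from Frank's post or from Microsoft. It assumes a machine with the ADSync module (the Azure AD Connect server), the on-premise Exchange Management Shell, an Exchange Online remote session imported with `-Prefix Cloud` (so the cloud cmdlets are `Get-CloudRecipient` and friends), and the MSOnline module for the ImmutableId check; the user, domain and address values are constructed sample data.

```powershell
# Added example (not from the post or any vendor documentation).
# Assumptions: ADSync module, on-prem Exchange Management Shell and an Exchange Online
# session imported with "-Prefix Cloud" are all loaded; MSOnline module available.
# All identities and domains below are constructed sample values.

$Upn            = 'jane.doe@contoso.example'        # constructed sample user (AD object already exists)
$AcceptedDomain = 'contoso.example'
$RoutingDomain  = 'contoso.mail.onmicrosoft.com'    # hypothetical tenant routing domain
$ExtraSmtp      = @('smtp:jdoe@contoso.example')    # constructed secondary address

# Step 1: pause AADConnect so a half-configured on-prem object is not exported mid-edit.
function Suspend-SyncCycle {
    Set-ADSyncScheduler -SyncCycleEnabled $false
    # Let an in-flight cycle finish before touching either directory.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
}

# Precondition from the post: SMTP/UPN soft-match only applies when the cloud object
# carries no ImmutableId from an earlier sync. Returns $true when matching can occur.
function Test-CloudObjectUnmatched {
    param([string]$UserPrincipalName)
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) { return $true }              # no cloud object yet: nothing to collide with
    return [string]::IsNullOrEmpty($cloud.ImmutableId)
}

# Step 2a: turn the on-prem AD user into a Remote Mailbox. The mailbox itself lives in
# Exchange Online, but the on-prem Exchange org owns proxyAddresses and the GAL entry.
function New-HybridRemoteMailbox {
    param([string]$UserPrincipalName, [string]$RemoteRoutingDomain, [string[]]$SecondaryAddresses)
    $alias  = ($UserPrincipalName -split '@')[0]
    $remote = "$alias@$RemoteRoutingDomain"
    Enable-RemoteMailbox -Identity $UserPrincipalName -RemoteRoutingAddress $remote | Out-Null
    if ($SecondaryAddresses) {
        # ProxyAddresses are maintained on-prem; AADConnect replicates them upward.
        Set-RemoteMailbox -Identity $UserPrincipalName -EmailAddresses @{ Add = $SecondaryAddresses }
    }
    Get-RemoteMailbox -Identity $UserPrincipalName | Select-Object PrimarySmtpAddress, EmailAddresses
}

# Step 3: re-enable the scheduler and run a delta cycle. The export performs the soft-match,
# after which the cloud attributes are overwritten by on-prem values per the sync rules.
function Resume-SyncCycle {
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Final check from the post: compare the GAL in both worlds by primary SMTP address.
# SideIndicator '<=' means on-prem only, '=>' means cloud only; either is a candidate problem.
function Compare-HybridGal {
    param([string]$Domain)
    $pick   = { $_.PrimarySmtpAddress.ToString().ToLower() }
    $onPrem = Get-Recipient      -ResultSize Unlimited | Where-Object { $_.PrimarySmtpAddress -like "*@$Domain" } | ForEach-Object $pick
    $cloud  = Get-CloudRecipient -ResultSize Unlimited | Where-Object { $_.PrimarySmtpAddress -like "*@$Domain" } | ForEach-Object $pick
    Compare-Object -ReferenceObject @($onPrem) -DifferenceObject @($cloud)
}

# Orchestration: the finally block guarantees the scheduler is never left disabled.
Suspend-SyncCycle
try {
    if (-not (Test-CloudObjectUnmatched -UserPrincipalName $Upn)) {
        throw "Cloud object for $Upn already has an ImmutableId; soft-match will not apply."
    }
    New-HybridRemoteMailbox -UserPrincipalName $Upn -RemoteRoutingDomain $RoutingDomain -SecondaryAddresses $ExtraSmtp
}
finally {
    Resume-SyncCycle
}
Compare-HybridGal -Domain $AcceptedDomain | Format-Table InputObject, SideIndicator
```

The ImmutableId check is the gate that decides whether the sequence will work at all: an object that already carries one will not soft-match, and resuming sync would produce a duplicate or a sync error rather than the merge the post describes. Running `Compare-HybridGal` on its own (without the orchestration) is a reasonable periodic health check for the "compare the GAL on both worlds" rule.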



From: [email protected] [mailto:[email protected]] On 
Behalf Of Paul Cookman
Sent: Thursday, April 27, 2017 9:29 AM
To: [email protected]
Subject: [Exchange] 365 Hybrid after all mailboxes are in 365.


I have all mailboxes up in 365 as part of a Hybrid with ADSync; each new user 
is created on premise, mailbox first, to ensure the attributes are there before 
the sync, and then the mailbox is moved up to 365.



If I create the AD account with no mailbox then it creates in 365 with no email 
policy and some mailboxes I would need to edit from onprem and some in 365.



To keep being able to edit Exchange attributes through the 
existing on-prem Exchange server, how should I handle this?



Regards,



Paul.

