In an Office 365 Exchange hybrid environment, administrators perform Exchange administration on the on-premises Exchange server, whether or not they still have mailboxes on-premises. To create a new AD account they use the Exchange Management Console (EMC) and create the account there. This calls the "New-RemoteMailbox" process, which creates the AD account, then connects to O365 and creates the mailbox. A very important feature of this path is that it applies the organizational email policies: mailbox size, email address format, proxy addresses, the mailNickname attribute, and so on.
With MIM 2016 you can provision a new AD account; Azure AD Connect then synchronizes the account to Azure AD, and the mailbox is created in O365 when the license is granted. The one item missing in this path is the application of the organizational email policies to the new account. So there needs to be a way to create the mailbox through the on-premises Exchange server after MIM has provisioned the account in AD.
Solution
- Save the Exchange administration service account password in an encrypted key file on the MIM server. See my blog on how to do that.
- Create a PowerShell script that will:
  - Use the encrypted password key file to build the credential and connect to the on-premises Exchange server
  - Import the Exchange Management PowerShell cmdlets from that remote session
  - Call the "Enable-RemoteMailbox" cmdlet to create the mailbox in O365 and apply the organizational policies
# The workflow activity is assumed to pass the ObjectID of the new Person; read its attributes
# from the FIM Service with the Lithnet Resource Management PowerShell module (LithnetRMA).
# The attribute holding the sAMAccountName is assumed to be named SamAccountName below.
param([Parameter(Mandatory)][string]$ObjectID)
Import-Module LithnetRMA
$NewUserInfo = Get-Resource -ID $ObjectID
$myroutingaddress = $NewUserInfo.SamAccountName + "@tlkenterprise.onmicrosoft.com"
# Get the Exchange password and build the credential. The key file was written with
# ConvertFrom-SecureString (DPAPI), so only the account that created it, on this server, can decrypt it.
$TenantUname = "exchangesrvc@tlkenterprise.net"
$TenantPass = Get-Content "C:\Portal\O365Key\Exchangepassword.key" | ConvertTo-SecureString
$TenantCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $TenantUname, $TenantPass
# Connect to the on-premises Exchange hybrid server. Kerberos authentication keeps the
# credential off the wire even though the PowerShell virtual directory is reached over HTTP.
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ExchangeHybridServer.tlkenterprise.net/powershell -Credential $TenantCredentials -Authentication Kerberos
Import-PSSession $s -AllowClobber
# Mail-enable the account created by MIM 2016; this is the step that applies the organizational email policies
Enable-RemoteMailbox -Identity $NewUserInfo.SamAccountName -RemoteRoutingAddress $myroutingaddress
# Clean up the session
Remove-PSSession $s
In the MIM Portal, create a workflow and an MPR that are triggered on creation of a new AD account, and attach an activity to the workflow that calls the PowerShell script.
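Two things a practitioner will want around the script above: how the key file from step one has to be created so that it is only usable by the account running the workflow, and what happens when the activity fires twice for the same user (Enable-RemoteMailbox fails on an account that is already mail-enabled). The following is an added example, not the post's own script. It assumes the Exchange remote session has already been imported as in the script above, that the key file is created interactively by the same Windows account that later runs the MIM workflow activity (a DPAPI requirement), and that the routing domain is passed in by the caller; the function names are my own.

```powershell
# Added example for this post, not the author's script. Assumes the Exchange remote session has
# already been imported (New-PSSession / Import-PSSession as in the post), and that the key file
# is created by the same Windows account that later runs the MIM workflow activity.

# One-time setup: run interactively on the MIM server as the workflow service account.
function New-DpapiPasswordFile {
    param([Parameter(Mandatory)][string]$Path)

    # ConvertFrom-SecureString without -Key encrypts with DPAPI under the current user's profile,
    # so the file is only decryptable by this account on this machine and is inert if copied.
    $secure = Read-Host -Prompt 'Exchange service account password' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path

    # Defence in depth: strip inherited ACEs and grant read access to the owner only.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    icacls $Path /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

# Per-account step: mail-enable the user MIM just created, tolerate re-runs, and verify the policy.
function Enable-ProvisionedRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RoutingDomain   # assumed tenant routing domain, e.g. the .onmicrosoft.com domain used in the post
    )

    # Enable-RemoteMailbox errors out on a user that is already mail-enabled. A workflow retry or a
    # second MPR firing must not turn into a failed activity, so check first.
    $existing = Get-RemoteMailbox -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "$SamAccountName already has a remote mailbox ($($existing.RemoteRoutingAddress)); nothing to do"
        return $existing
    }

    $routing = "$SamAccountName@$RoutingDomain"
    Enable-RemoteMailbox -Identity $SamAccountName -RemoteRoutingAddress $routing -ErrorAction Stop | Out-Null

    # Re-read the object and confirm the organizational policy really applied: the email address
    # policy flag must be set, and the primary SMTP address must be the org address, not the
    # routing address.
    $rm = Get-RemoteMailbox -Identity $SamAccountName -ErrorAction Stop
    if (-not $rm.EmailAddressPolicyEnabled) {
        throw "Email address policy is not enabled on $SamAccountName; organizational policies were not applied"
    }
    if ($rm.PrimarySmtpAddress.ToString() -like "*@$RoutingDomain") {
        throw "Primary SMTP address of $SamAccountName is still the routing address; address policy did not apply"
    }
    Write-Verbose "Remote mailbox for $SamAccountName has primary $($rm.PrimarySmtpAddress) and routing $($rm.RemoteRoutingAddress)"
    return $rm
}

# Usage:
# New-DpapiPasswordFile -Path 'C:\Portal\O365Key\Exchangepassword.key'   # once, as the service account
# Enable-ProvisionedRemoteMailbox -SamAccountName $NewUserInfo.SamAccountName -RoutingDomain 'tlkenterprise.onmicrosoft.com'
```

The post-enable check is the part worth keeping even if you drop the rest: the whole point of going through the on-premises server instead of letting the license create the mailbox is policy application, so the activity should fail loudly when the address policy did not take, rather than leave an account that only has its routing address.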