Office 365 Recipient Administration

In this article, I summarize the different deployment options for Office 365 and what options and tools are available for the administration of each scenario.

by | Published: | Updated:

Introduction

Office 365 is a great bundle of SaaS cloud services that bring enterprise-grade services like Exchange, Lync and SharePoint to organizations of any size and type. One of most interesting services in the Office 365 bundle is the Exchange Online service, which is included with almost every O365 plan. Behind the scenes, the service runs on highly available Microsoft Exchange servers and clusters, that up until a few years ago, only large enterprises could afford.

The Exchange Online service of O365 can be used in a variety of ways to fit your organization's requirements – but this flexibility also brings lots of confusion, especially when it comes to the main concern of Exchange administrators:

"How am I going to manage my recipients?"

In this article, I will try to demystify the different deployment scenarios available with Office 365 and the different ways you can manage your recipients in each scenario, including built-in tools and software tools developed by U-BTech Solutions.

Note: although "Office 365" is a bundle of services - in this article, when I use the terms "Office 365" and "O365", I refer to the "Exchange Online" part of it.

 

 

Scenario 1: Stand-alone Office 365 tenant

In this scenario, a single O365 tenant is the sole messaging infrastructure of your entire organization. If a local (on premise) Exchange or Active Directory infrastructure exists, it is totally separated from the cloud messaging infrastructure – including user accounts and passwords.

Administration tools:

 

 

Scenario 2: Hybrid Deployment (Office 365 + Exchange On-Premise)

In this scenario, the messaging infrastructure is split in two: an on premise Exchange 2010 or 2013 Server, and an online O365 tenant. As an administrator, you can choose which user mailboxes will be stored on premise and which in the cloud. You can always move a mailbox from the on premise server to the cloud service and vice versa (however this process may be lengthy, especially for large mailboxes). User authentication can be handled in different ways, including split passwords, synchronized passwords or federation (using ADFS).

Administration tools:

 

 

Scenario 3: DirSync Only (Office 365 + On premise Active Directory with Extended Schema)

In this scenario, just like scenario 1, a single O365 tenant is the sole messaging infrastructure of your entire organization. However, unlike scenario 1, an on premise service, named "Directory Synchronization Tool" (DirSync for short), is used for synchronizing your on premise Active Directory to the cloud. This way, you can keep enjoying the advantages of on premise AD, like domain logons and policies, without the burden of managing expensive on premise messaging servers.

How does it work? Generally speaking, DirSync is a one-way sync tool (with few exceptions) that periodically reads object properties from your on premise AD and writes them to the cloud. More specifically, properties are written to the Azure Active Directory, which is the infrastructure behind many Cloud services offered by Microsoft – including Exchange Online services.

Since recipient management is a subtle "dance" between Directory Services properties and Exchange properties, this deployment scenario is a bit tricky. Here's an example:

 PS C:\> Set-Mailbox "Allie" -HiddenFromAddressListsEnabled $false

The operation on mailbox "Allie" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'HiddenFromAddressListsEnabled', can't be performed on the object 'Allie' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
    + CategoryInfo          : InvalidOperation: (Allie:ADObjectId) [Set-Mailbox], InvalidOperationException
    + FullyQualifiedErrorId : ... [FailureCategory=Cmdlet-InvalidOperationException] 9DD0E84C,Microsoft.Exchange.Management.RecipientTasks.SetMailbox

 

Administration tools:

 

 

Scenario 4: DirSync Only (Office 365 + on premise Active Directory with Native Schema)

This scenario is the trickiest one, in terms of recipient management. It is much like scenario 3, with one key difference: the on premise Active Directory Schema was never extended by an Exchange Server installation. This means that many recipient-level properties, like "Hidden from Address List" and "Custom Attributes" do not exist in the on premise Directory.

The problem with this scenario, is that you won't be able to set those property online as well. Attempts to change such properties will result with the infamous "out of write scope" error message.

Administration tools:

 

Summary

The Exchange Online part of Office 365 is very flexible in terms of deployment scenarios. When planning an Office 365 deployment, it is important to consider the aspect of recipient management.

Did you find the article useful? Do you have a question or a comment? Join the discussion and share your thoughts!

 

Oren Chapo

About the Author

Oren Chapo - Development Team Leader at U-BTech Solutions

Oren is the Development Team Leader at U-BTech Solutions. Oren has over 15 years of experience in various IT and Software Development roles: projects leadership, design and implementation, consulting and instruction.

comments powered by Disqus