Shulou(Shulou.com)06/02 Report--

The process of going to the cloud in an enterprise is long, especially for large enterprises. Various situations may occur in the process of going to the cloud. For example, I have encountered such a demand before:

In the local multi-site AD+Exchange environment, Exchange and 21V Office365 are deployed mixed, and ADFS is deployed for SSO. Gradually migrate Exchange users to Office365, and in the process of Shangyun, the customer merged with another company to form a new company, then the most direct problem is: all the company domain names have been replaced, and the main email address uses the new domain name.

For purely locally deployed Exchange, these are minor problems. Add email address policy to UPN,Exchange in AD and change the certificate to meet these requirements. But how can users who have migrated to the cloud after a mixed deployment with Office365 change their primary email address? Modify the user UPN directly in the local AD?

We all need to meet the reasonable needs of Party An as Party B. I have thought of the following methods (of course, the prerequisite for doing this series of operations is that the new domain name has been bound in Office365, the new domain name has been converted into a federated domain name, and a new domain name mix has been added to the Exchange mixed deployment wizard):

1. Modify the user UPN in the local AD and overwrite the cloud user information through AAD Connect

2. Modify it directly in Office365 admin center portal

It is obvious that both of these methods have failed for the following reasons:

1. When an Exchange user migrates from the local Exchange Server to the Office365, the user attribute directly becomes the Office365 user. Although the user principal is in the local AD, the Exchange information in this user can no longer be modified. If the user UPN is forcibly modified and then synchronized, the synchronization will directly report an error, and the administrator will receive a synchronization failure email every 30 minutes (depending on the AAD synchronization frequency).

2. What we need to understand is that all changes to the accounts synchronized to the cloud after converting the accepted domain in Office365 into federated domain names and using the AAD Connect tool can only be made in the local AD. The operation on Office365 will prompt the administrator to go back to the local AD to modify.

# the purpose of my test environment is to change user@ucssi.cn to user@and-sc.com#

First, let's take a look at the first case to modify the local AD user UPN.

At the same time, create a new email address policy in the local Exchange

And then the user's email address did change.

Then let AAD Connect synchronize.

Then let's take a look at the synchronization details

You can see the changes in old value and New value, and it can be seen from AAD Connect's log that the user did make an update. Then some students will ask: you just modified the UPN address, changed the user's email address, the user's AD attribute has been modified, ah, it will be synchronized successfully on the Office365. As I said earlier, Exchange users who have migrated to Office365 will directly become Office365 users. This user can no longer be found in the local Exchange. How to make changes? You can't do another migration, and the risk becomes less manageable.

So let's take a look at how the user types in the local Exchang that have been migrated to Office365 are described.

The administrator will then receive the wrong synchronization email

Then view the user information in Office365

The user's SMTP address is still ucssi.cn, so it has not been changed successfully.

So the first option will not work.

Then we go to the second scheme to modify the user attribute directly on Office365.

Then we will continue to change the user's SMTP address directly in the Office365 Management Center.

An attempt was made to add an SMTP address error from the Exchange Online Management Center as follows:

You can see that there is no doubt that it will fail to modify it directly in Office365.

Then I asked for after-sales technical support, but unfortunately the Office365 after-sales engineer did not solve my problem. So I began to do my own research, and finally met this need. Let's share with you how it is realized:

Add a UPN suffix to the local AD with the default domain name ucssicn.partner.onmschina.cn of Office365

Switch the user UPN who needs to change to another federated domain name to the address you just added

Next, open the command line in the local AD DC (run as an administrator) and execute the following synchronization command (only for multi-site deployment of AD)

Repadmin / syncall / a / p / e / d

Then do an incremental synchronization on the AAD Connect server with the following command:

Start-ADSyncSyncCycle-PolicyType delta

Check that the user UPN has changed in Office365 admin portal

Go back to the local AD server again and change the user's UPN address to the and-sc.com federated domain

At the same time, add an email address policy on the local Exchange Server and apply it to the users you just created.

Perform AAD Connect incremental synchronization again and view the synchronization log

You can see that the original SMTP:hcb@ucssi.cn address is first delete, and then an Add SMTP:hcb@and-sc.com operation is done.

Next, go to office365 admin portal and Exchange Online management center again to check whether the user's primary SMTP address has been changed to hcb@and-sc.com.

This completes the operation of changing the main email address of an Exchage user who has migrated to Office365!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.