Can Okta Integrate with Office 365 in Exchange Hybrid Deployment Scenarios
https://support.okta.com/help/answers?id=906f0000000blluiay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Thomas (Okta, Inc.)

Can Okta Integrate with Office 365 in Exchange Hybrid Deployment Scenarios

Best Answer chosen by Thomas (Okta, Inc.) 
Thomas (Okta, Inc.)

Yes, most certainly we DO support Exchange Hybrid deployment scenarios.

First a bit of background to understand:

Various Microsoft Online Services such as Exchange Online provide features that work best when certain directory information can be controlled by the online service. In these cases, directory objects (such as users) that are synchronized from your on-premises directory may be modified in the Azure Active Directory, and then these changes need to be written back to your on-premises directory for on-premises applications to consume.

The way to allow these changes to flow back to the on-premises directory is to enable the “Hybrid Deployment” feature in the Directory Sync tool, which, as I have talked about in the past, is really just Microsoft Federated Identity Manager, stripped down, or what I call "FIM-Lite". When enabled, the Directory Sync tool will be authorized to write back specific attributes on directory objects.

So this functionality is controlled through the Directory Synchronization mechanism. The IdP, whether it is Okta or ADFS, plays a distinct and separate role.

The Directory Sync tool will not be given the permission to modify all attributes in the Active Directory. It will only have permission to modify those attributes that can be written back from Azure Active Directory.

Simply put, having a hybrid environment allows supporting a mix of both local Exchange mailboxes and online Office 365 Exchange mailboxes. It also enables archiving local mailboxes into the cloud. It enhances how spam protection and unified messaging interact between the cloud and local systems.

It is configured in the following screen in the Directory Synchronization installation.

To enable a hybrid configuration, check the box next to Enable Exchange hybrid deployment. Otherwise clear the checkbox.

The following table lists the synced attributes that are written back to the on-premises AD DS from Office 365 in an Exchange hybrid deployment scenario. These attributes are written back only if Exchange federation for the hybrid deployment is enabled for the organization.

Write-Back attribute | Exchange "full fidelity" feature
msExchArchiveStatus | Online Archive: Enables customers to archive mail.
msExchUCVoiceMailSettings | Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.
msExchUserHoldPolicies | Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.
ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500) | Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.
PublicDelegates | Cross-premises Public Delegation: Enables users to specify delegates for their mailbox.
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.


Here is the logic that Directory Synchronization, i.e. FIM-Lite, uses to determine what IS NOT synced from the on-premises environment to the Office 365 Tenant/WAAD (Windows Azure Active Directory, which supports Office 365 in the background).


Any object is filtered if:

  • Object is a conflict object (DN contains \0ACNF:)

Contact objects are filtered if:

  • DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
  • mailNickName starts with "CAS_" AND mailNickName contains "{"

SecurityEnabledGroup objects are filtered if:

  • isCriticalSystemObject = TRUE
  • mail is present AND DisplayName isn't present
  • Group has more than 15,000 immediate members ***Perhaps significant for our larger customers***

MailEnabledGroup objects are filtered if:

  • DisplayName is empty (if the version of the Directory Sync tool is earlier than 6385.0012). Otherwise, the group isn't filtered.
  • (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid - i.e. indexof ('@') <= 0)
  • Group has more than 15,000 immediate members  ***Perhaps significant for our larger customers***

User objects are filtered if:

  • mailNickName starts with "SystemMailbox{"
  • mailNickName starts with "CAS_" AND mailNickName contains "{"
  • sAMAccountName starts with "CAS_" AND sAMAccountName has "}"
  • sAMAccountName equals "SUPPORT_388945a0"
  • sAMAccountName equals "MSOL_AD_Sync"
  • sAMAccountName isn't present
  • isCriticalSystemObject is present
  • msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)

Original Author: Joseph Gazarik, Mgr of Expert Services, ISVs
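As an added illustration (not code from Okta, Microsoft or the answer's author), here is a small Python model of the exclusion rules listed in the answer above, applied to constructed sample directory objects. The rule set is transcribed from the answer; the object-class names, the attribute-dictionary layout, the version tuple for "6385.0012", and the reading of the msExchRecipientTypeDetails rule as "equals any of the listed values" are assumptions. Running logic like this over an export of your own directory objects shows which objects the sync will silently drop, a useful check before looking at the IdP, since, as the answer notes, Okta plays no part in this filtering.

```python
from dataclasses import dataclass, field

# Values the answer lists for msExchRecipientTypeDetails; read here as "equals any of these" (assumption).
FILTERED_RECIPIENT_TYPES = {0x1000, 0x2000, 0x4000, 0x400000, 0x800000, 0x1000000, 0x20000000}
MAX_IMMEDIATE_MEMBERS = 15000
# Directory Sync build from which an empty DisplayName no longer filters mail-enabled groups (6385.0012).
EMPTY_DISPLAYNAME_FIX_VERSION = (6385, 12)


@dataclass
class DirectoryObject:
    object_class: str   # hypothetical labels: "user", "contact", "securityEnabledGroup", "mailEnabledGroup"
    dn: str
    attrs: dict = field(default_factory=dict)


def has_primary_smtp(proxy_addresses):
    # The primary SMTP address carries an upper-case "SMTP:" prefix; aliases use lower-case "smtp:".
    return any(addr.startswith("SMTP:") for addr in proxy_addresses or [])


def filter_reasons(obj, dirsync_version=EMPTY_DISPLAYNAME_FIX_VERSION):
    """Return the rules from the answer that exclude obj from sync; an empty list means it syncs."""
    a = obj.attrs.get
    reasons = []

    # Rule that applies to every object class
    if "\\0ACNF:" in obj.dn:
        reasons.append("conflict object (DN contains \\0ACNF:)")

    nick = a("mailNickName") or ""
    sam = a("sAMAccountName")
    members = a("member") or []

    if obj.object_class == "contact":
        if "MSOL" in (a("displayName") or "") and a("msExchHideFromAddressLists") is True:
            reasons.append("MSOL contact hidden from address lists")
        if nick.startswith("CAS_") and "{" in nick:
            reasons.append("CAS_ mailNickName")
    elif obj.object_class == "securityEnabledGroup":
        if a("isCriticalSystemObject") is True:
            reasons.append("isCriticalSystemObject = TRUE")
        if a("mail") and not a("displayName"):
            reasons.append("mail present but no DisplayName")
        if len(members) > MAX_IMMEDIATE_MEMBERS:
            reasons.append("more than 15,000 immediate members")
    elif obj.object_class == "mailEnabledGroup":
        if not a("displayName") and dirsync_version < EMPTY_DISPLAYNAME_FIX_VERSION:
            reasons.append("empty DisplayName on Directory Sync older than 6385.0012")
        # "mail isn't present/invalid - i.e. indexof('@') <= 0": absent gives -1, leading '@' gives 0
        if not has_primary_smtp(a("proxyAddresses")) and (a("mail") or "").find("@") <= 0:
            reasons.append("no primary SMTP address and mail absent/invalid")
        if len(members) > MAX_IMMEDIATE_MEMBERS:
            reasons.append("more than 15,000 immediate members")
    elif obj.object_class == "user":
        if nick.startswith("SystemMailbox{"):
            reasons.append("SystemMailbox mailNickName")
        if nick.startswith("CAS_") and "{" in nick:
            reasons.append("CAS_ mailNickName")
        if sam is None:
            reasons.append("sAMAccountName absent")
        else:
            if sam.startswith("CAS_") and "}" in sam:
                reasons.append("CAS_ sAMAccountName")
            if sam in ("SUPPORT_388945a0", "MSOL_AD_Sync"):
                reasons.append(f"built-in account {sam}")
        if "isCriticalSystemObject" in obj.attrs:
            reasons.append("isCriticalSystemObject present")
        if a("msExchRecipientTypeDetails") in FILTERED_RECIPIENT_TYPES:
            reasons.append("msExchRecipientTypeDetails is a filtered recipient type")
    return reasons


def sync_report(objects, dirsync_version=EMPTY_DISPLAYNAME_FIX_VERSION):
    """Map each DN to its exclusion reasons so an admin can see what will never reach the tenant."""
    return {obj.dn: filter_reasons(obj, dirsync_version) for obj in objects}


# Constructed sample objects (not real directory data)
SAMPLE_OBJECTS = [
    DirectoryObject("user", "CN=Alice,OU=Staff,DC=example,DC=test",
                    {"sAMAccountName": "alice", "mailNickName": "alice", "mail": "alice@example.test"}),
    DirectoryObject("user", "CN=MSOL_AD_Sync,CN=Users,DC=example,DC=test",
                    {"sAMAccountName": "MSOL_AD_Sync", "mailNickName": "MSOL_AD_Sync"}),
    DirectoryObject("user", "CN=SystemMailbox{e0dc1c29-189c-4e4b-9a5d-8b1d2f3a4b5c},CN=Users,DC=example,DC=test",
                    {"sAMAccountName": "SM_e0dc1c29", "isCriticalSystemObject": True,
                     "mailNickName": "SystemMailbox{e0dc1c29-189c-4e4b-9a5d-8b1d2f3a4b5c}"}),
    DirectoryObject("user", "CN=Alice\\0ACNF:deadbeef,OU=Staff,DC=example,DC=test",
                    {"sAMAccountName": "alice$dup", "mailNickName": "alice"}),
    DirectoryObject("securityEnabledGroup", "CN=All Staff,OU=Groups,DC=example,DC=test",
                    {"displayName": "All Staff", "member": [f"CN=u{i}" for i in range(15001)]}),
    DirectoryObject("mailEnabledGroup", "CN=Legacy DL,OU=Groups,DC=example,DC=test",
                    {"displayName": "Legacy DL", "proxyAddresses": ["smtp:legacy@example.test"],
                     "mail": "@example.test"}),
]

if __name__ == "__main__":
    for dn, reasons in sync_report(SAMPLE_OBJECTS).items():
        print("FILTERED" if reasons else "synced  ", dn, "; ".join(reasons))
```

The version argument exists only because the answer makes one mail-enabled-group rule depend on the Directory Sync build; everything else is a pure function of the object's attributes, so the same report can be produced from an LDIF export without touching the sync server.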

All Answers

Ian Wright
Is this still the case? Do we need Azure AD Connect to enable Hybrid Exchange / Skype for Business?
John Perigo
I'm also having issues trying to implement a hybrid configuration with Okta. Working with Microsoft it has been determined that the AD sync attributes aren't syncing, so Exchange Online isn't seeing our users as MailUser when syncing Okta and O365.

Also wondering if this is the same currently as above article with Exchange 2013 and the current AD Sync tool used with Okta. Do we need to be using both Okta for SSO and AD sync in tandem with Azure AD Sync both running at the same time? I'm confused.
Jon McNamara Admin
I have the same question...
Scott Luzi
I just posted a new thread in a similar vein, I'll post here if I get anything back that's relevant.
Brian Spencer
Does Okta ever answer these questions?