User Identity Management in a Staged Exchange Migration
Applies to: Exchange Online
Topic Last Modified: 2013-02-21
To use a staged Exchange migration, you have to replicate user objects from your on-premises Active Directory to your Office 365 organization. To do this in Office 365, you have to install and activate the Microsoft Online Services Directory Synchronization tool. For more information about staged Exchange migrations and about the Directory Synchronization tool, see:
- Migrate Mailboxes to Exchange Online with a Staged Migration
- Active Directory synchronization: Roadmap
The Directory Synchronization tool has specific requirements for how you manage users in Office 365. Let’s look at the implications of those requirements as you plan a staged Exchange migration.
The directory synchronization process replicates your on-premises Active Directory user objects to the Office 365 directory service, where it creates new corresponding mail-enabled users. During a staged Exchange migration, these mail-enabled users are converted to Exchange Online mailboxes. After the migration process creates a user’s mailbox, the directory synchronization process continues to update the user properties on the Exchange Online mailbox according to changes made in the on-premises Active Directory. The properties of the Office 365 user accounts and Exchange Online mailboxes created by the directory synchronization process are read-only, even to administrators in your Office 365 organization.
But after a staged Exchange migration, you can deactivate directory synchronization so that you can make changes to the user properties using tools in Office 365 and Exchange Online.
It’s important to understand that long-term user account management can be performed from either your on-premises Active Directory or from the Office 365 directory after you run a staged Exchange migration to migrate on-premises mailboxes to Exchange Online. This means you have to decide how you want to manage users after a staged Exchange migration.
There are two ways to manage users from your on-premises Active Directory:
Identity federation for single sign-on
When the directory synchronization process creates mail-enabled users in Office 365, it creates them with the same user principal name (UPN)—for example, firstname.lastname@example.org—that is on the source user object in the on-premises Active Directory. However, by default, passwords for the cloud and on-premises UPN aren’t synchronized.
This type of user identity management, where the cloud-based UPN is derived from the on-premises Active Directory source account and where the underlying authorization mechanisms aren’t federated, is called managed identities. Managed identities are created by default when you run the Directory Synchronization tool.
The use of managed identities may be feasible for small organizations where an administrator can train a relatively small number of users to remember and use two sets of credentials—one for on-premises and one for Office 365. However, for large organizations, this approach is likely to require an unsustainable level of helpdesk support.
We recommend that larger organizations deploy Active Directory Federation Services 2.0 (AD FS 2.0) to enable single sign-on (SSO). With single sign-on, users can access email and other services in Office 365 with their existing Active Directory credentials. This type of identity management is called identity federation.
When you use identity federation for SSO, you can create users in the local Active Directory, set their passwords as you do today, and the corresponding Office 365 users can authenticate using their existing Active Directory credentials. There is some initial cost to deploy the AD FS infrastructure on-premises, but for larger organizations, the long-term cost of user management should be lower than trying to maintain managed identities.
Although you can deploy AD FS and SSO after you have run a staged Exchange migration, we recommend that you deploy AD FS before you install and configure directory synchronization tools. For more information about how to deploy SSO in Office 365, see Prepare for single sign-on.
For some organizations, running a staged Exchange migration is one phase of a full migration to Office 365. Some organizations may want to decouple their Office 365 organization from their on-premises organization, or completely decommission their on-premises Active Directory. In both cases, user identities of Exchange Online mailboxes must be managed using tools in Office 365 and Exchange Online. As previously mentioned, you can deactivate directory synchronization and then manage users in Office 365. For more information, see: