Enabling Windows Live ID creation for On-Premises Mailboxes with Live@EDU

This is an article I’ve been meaning to write for a long time, however actually finding the answer to the problem has always been bottom of my priority list – primarily as no-one had actually asked me if it was possible. So I was quite glad to be challenged by Mike Crowley a couple of weeks ago to come up with a solution.

If you’re reading this and know Office 365, then I’ll take a moment to explain the differences between the way Live@EDU does things and the way Office 365 does it. Exchange Online in both services is pretty much the same – Outlook Live hosted in the same datacentres within the same Exchange Organization. They both synchronize users using the same underlying software, Identity Lifecycle Manager which underpins DirSync and OLSync (the Live@EDU equivalent).

However, that’s pretty much where the similarities end. Whilst Office 365 users are synchronised against Microsoft Online Services IDs, Live@EDU users are synchronised against Windows Live IDs. Yes, the same ones that are used to log in to Messenger, SkyDrive etc. Furthermore, unlike Office 365, user passwords are (or usually are, anyway) synchronized from the local Active Directory to the associated Windows Live IDs. That’s very different to Office 365, which relies on ADFS 2.0 to use local authentication directly, so that passwords never need to be stored outside the local Active Directory.

The Problem

So, what’s the problem I’d been interested in overcoming? Well, OLSync doesn’t create Windows Live IDs (or synchronize passwords) for on-premises mailboxes; it only creates them for mailboxes hosted in Exchange Online.

Instead, it creates Mail Users in Exchange Online that can’t actually be logged on to. In quite a few circumstances, I think that’s a good thing. I don’t like the idea of most users in the organization having their password automatically pushed out to a Windows Live ID.

But (and there is always a but), not everyone has the same security requirements, and the convenience of allowing all users – wherever their mailbox is located – access to Live services may be worth the risks. And, if you want to make use of Hybrid Coexistence features in the same way as Office 365 can, like Remote Mailbox moves, automatically creating and synchronizing Windows Live IDs with on-premises Mailboxes makes moving mailboxes back and forth a lot easier.

The Solution

When I was asked how to do this, I was half-convinced it couldn’t be done. I certainly had no intention of re-writing the management agent extension, and from a quick look in the past, didn’t see anything in the configuration and documentation that suggested that it was possible.

So, to cut a long story short, I used the trial of .NET Reflector to have a peek inside the DLLs that make up the OLSync management agent and, as it turns out, every time a Mail User is created in Live@EDU for a corresponding On-Premises Mailbox, a flag is checked to see whether it should also create a Windows Live ID.

The parameter to set to ensure it does create a Windows Live ID is DisableWLIDOnMailUser, which needs to be set to False in ILM, in the Configure Additional Parameters section of the Exchange Online management agent:

[Screenshot: the Configure Additional Parameters section of the Exchange Online management agent in ILM, with DisableWLIDOnMailUser set to False]

Once that’s set (and the other parameters are correct, as per a normal installation), Windows Live IDs will be created for on-premises Mailboxes as they are synchronized.

If this is a new setup, every on-premises Mailbox that would normally have a Live@EDU Mail User created will get a corresponding Windows Live ID, which should receive password changes from the on-premises Active Directory in the same way normal Live@EDU Mailboxes do.

The one caveat is that Windows Live IDs are not created for existing on-premises Mailboxes / Live@EDU Mail Users that have already been synchronized; these need to be enabled manually using the following command:

Set-MailUser -Identity user@some.edu -WindowsLiveID user@some.edu -Password (ConvertTo-SecureString -String 'Password1' -AsPlainText -Force)
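Running that command once per user does not scale, so here is an added PowerShell script (mine, not from the original post) that enables a Windows Live ID for every already-synchronized Mail User in the domain that does not have one yet, using a random one-time password that is never written to disk. It assumes an open Remote PowerShell session to Exchange Online for Live@EDU, that MailUser objects expose a WindowsLiveID property, that Set-MailUser accepts -ResetPasswordOnNextLogon, and uses 'some.edu' as a placeholder domain.

```powershell
# Added example, not from the original post. Bulk-enables Windows Live IDs for
# Mail Users that OLSync synchronized before DisableWLIDOnMailUser was set to False.
# Assumptions: a Remote PowerShell session to Live@EDU is already open; MailUser
# objects expose a WindowsLiveID property; Set-MailUser supports
# -ResetPasswordOnNextLogon. 'some.edu' is a placeholder domain.
param(
    [string]$Domain = 'some.edu',
    [string]$ReportPath = '.\wlid-enable-report.csv',
    [switch]$WhatIf                      # dry run: report what would change, change nothing
)

Add-Type -AssemblyName System.Web        # for Membership.GeneratePassword

# Candidates: Mail Users in our domain that have no Windows Live ID attached yet.
$targets = Get-MailUser -ResultSize Unlimited | Where-Object {
    $_.PrimarySmtpAddress.ToString().EndsWith("@$Domain") -and -not $_.WindowsLiveID
}
Write-Host ("{0} Mail User(s) without a Windows Live ID" -f @($targets).Count)

$results = foreach ($mu in $targets) {
    $upn = $mu.PrimarySmtpAddress.ToString()
    # One-time bootstrap password, never logged; ResetPasswordOnNextLogon forces
    # the user to replace it at first logon.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $status = 'Enabled'
    try {
        Set-MailUser -Identity $mu.Identity -WindowsLiveID $upn -Password $secure `
            -ResetPasswordOnNextLogon $true -WhatIf:$WhatIf -ErrorAction Stop
    } catch {
        $status = 'Failed: ' + $_.Exception.Message
    }
    [pscustomobject]@{
        Identity      = $mu.Identity.ToString()
        WindowsLiveID = $upn
        Status        = $status
    }
}

# The report holds identities and outcomes only, no passwords.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it first with -WhatIf to confirm the candidate list matches the Mail Users you expect, then without it.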

In the future, this kind of fiddling won’t be necessary – Office 365 for Education replaces Live@EDU and brings with it the much better ADFS 2.0 integrated Single Sign On and DirSync, which handles rich, hybrid coexistence scenarios a lot better. So I’ll leave you with the full list of optional parameters for you to try out if you are interested in seeing what else OLSync is capable of. Bear in mind, though, that these are probably unsupported by Microsoft – but they could be the solution to something you’ve been trying to do for a while:

public enum ConfigurationParameterName
{
    ClientRetryAttempts,
    AllowPartialDataImportWithTransientError,
    DisableWindowsLiveId,
    FederatedTenant,
    FederatedIdentitySourceAttribute,
    FederatedDelegationDomain,
    FederatedDelegationSourceAttribute,
    ProvisioningDomain,
    PasswordFile,
    FederatedNamespace,
    ResetPasswordOnNextLogon,
    NumberOfPages,
    ClientReportDirectory,
    DisableWLIDOnMailUser,
    PreferredDomainController,
    EnterpriseMode,
    TargetOU,
    ForestTrust,
    EvictLiveIdOnCreate,
    BypassAdminCountCheck,
    MVInitialPasswordAttributeName,
    MVWindowsLiveIdAttributeName,
    SyncProxyAddressProtocol,
    SyncGroupAsGroup,
    NameToDNSuffix,
    MailboxDeliveryDomain,
    OutlookLiveX500Sync,
    ConnectionCleanUpTime
}

4 thoughts on “Enabling Windows Live ID creation for On-Premises Mailboxes with Live@EDU”

  1. Pingback: DirSync and Disabled Users: The BlockCredential Attribute [Part 1] | Mike Crowley's Whiteboard

  2. Hi, I wanna ask something.
    We have many, many mailboxes on Live@EDU. And we want to move (actually copy) these mailboxes to local. How can we do it practically?
    Thanks.

  3. Hi Steve. Do you know if something like this is possible when using a locally installed Exchange 2010? We have an Exchange solution and are looking to assign about 200 users to a Live ID to be able to use this with a tablet solution. It will take a lot of time to create 200 Live IDs manually.

    Best Regards

    Kim Stroem
    IT Sysadmin
    Nielsen & Nielsen Holding A/S
    Denmark
