Plan for User Identity in a Staged Exchange Migration


Applies to: Office 365 for enterprises

Topic Last Modified: 2011-11-23

To use a staged Exchange migration, you have to replicate user objects from your on-premises Active Directory directory service to your cloud-based e-mail organization. To do this in Microsoft Office 365 for enterprises, you have to install the Microsoft Online Services Directory Synchronization tool.

Things to consider as you plan for a staged Exchange migration in Office 365 for enterprises

The Directory Synchronization tool has specific requirements about how you manage user identities in the cloud. Let’s look at the implications of those requirements as you plan your staged Exchange migration.  

The directory synchronization process replicates your on-premises Active Directory user objects to the cloud, where it creates new corresponding mail-enabled users. During a staged Exchange migration, these mail-enabled users are converted to mailboxes. After the migration process creates the user’s mailbox, the directory synchronization process continues to update the user attributes on the cloud mailbox according to changes made in the on-premises Active Directory. The properties of the users and mailboxes created by the directory synchronization process are read-only, even to Exchange Online administrators.

However, after a staged Exchange migration, you can deactivate directory synchronization so that you can make changes to the user attributes using tools in Office 365 and Exchange Online.

It’s important to understand that long-term user account management can be performed from either your on-premises Active Directory or from the Office 365 directory after you run a staged Exchange migration to move mailbox data from your on-premises Exchange organization to the cloud. This means you have to decide how you want to manage user identities after a staged Exchange migration.

Manage user identity from Active Directory

There are two ways of manage user identities from your on-premises Active Directory:

  • Managed identities

  • Identity federation for single sign-on

Managed identities

When the directory synchronization process creates mail-enabled users in the cloud, it creates them with the same user principal name (UPN) ( that is on the source user object in the on-premises Active Directory. However, by default, passwords for the cloud and on-premises UPN aren’t synchronized.

This type of user identity management, where the cloud-based UPN is derived from the on-premises Active Directory source account and where the underlying authorization mechanisms aren’t federated, is called managed identities. Managed identities are created by default when you run directory synchronization.

The use of managed identities may be feasible for small organizations where an administrator can train a relatively small number of users to remember and use two sets of credentials—one for on-premises and one for the cloud. However, for large organizations, this approach is likely to require an unsustainable level of helpdesk support.

Identity federation for single sign-on

We recommend that larger organizations deploy Active Directory Federation Services 2.0 (AD FS 2.0) to enable single sign-on (SSO). With single sign-on, your users can access e-mail and other services in Office 365 for enterprises with their existing Active Directory credentials. This type of identity management is also called identity federation.

When you use identity federation for SSO, you can create users in the local Active Directory, set their passwords as you do today, and the corresponding cloud-based users can authenticate using their existing Active Directory credentials. There is some initial cost to deploy the AD FS infrastructure on-premises, but for larger organizations, the long-term cost of user management should be lower than trying to maintain managed identities.

Although you can deploy AD FS and SSO after you have run a staged Exchange migration, we recommend that you deploy AD FS before you install and configure directory synchronization tools. For more information about how to deploy SSO in Office 365 for enterprises, see Prepare for single sign-on.

To learn how to run a staged Exchange migration, see Migrate Mailboxes to the Cloud with a Staged Exchange Migration.

Manage user identity from Office 365

For some organizations, running a staged Exchange migration is one phase of a full migration to the cloud. Some organizations may want to decouple their cloud organization from their on-premises organization, or completely decommission their on-premises Active Directory. In both cases, user identities of cloud mailboxes must be managed using tools in Office 365 and Exchange Online. As previously mentioned, you can deactivate directory synchronization and then manage user identity in Office 365. For more information, see:

Related help topics
No resources were found.