Overview
Linked mailboxes are used in organizations where the Exchange server is deployed in a separate forest called the resource forest. The trusted forests that contain the user accounts are called account forests. Users in an account forest are allowed to access their linked mailboxes in the resource forest. Because the user accounts don't exist in the forest where Exchange is deployed, disabled user accounts are created in the resource forest and associated with the corresponding linked mailboxes.
For more details, please see the Managed Linked Mailboxes Microsoft article.
Exchange Resource Forest Model
The Exchange resource forest model should satisfy the following conditions:
- There are two separate forests in the environment: Exchange resource forest and account forest.
- Exchange resource forest:
- It is used only for resources.
- It doesn't contain any user accounts; it contains only service accounts and Exchange resource forest administration accounts.
- Microsoft Exchange server is installed.
- Account forest:
- All user accounts should be created in a separate account forest.
- At least a one-way outgoing trust should be created so that the Exchange Resource forest trusts the account forest.
For more details, please see this Microsoft article.
Provisioning Linked Mailboxes in Cayosoft Administrator
In Cayosoft Administrator you can provision user accounts with linked mailboxes that will be created in the Exchange resource forest. Linked mailboxes can be created in the on-premise Exchange server or in Exchange Online (remote linked mailbox). You can create linked mailboxes in two places: the Cayosoft Web Portal and the Cayosoft Administrator Console.
In the Cayosoft Web Portal you can create both on-premise linked mailboxes and remote linked mailboxes.
In the Cayosoft Administrator Console you can create only remote linked mailboxes.
Creating Linked Mailboxes in On-premise Exchange Server
When creating Linked Mailboxes in the On-premise Exchange Server using a web action, Cayosoft Administrator Service creates two accounts:
- The master account in the account forest.
- Linked mailbox account in the Exchange resource forest.
How to determine whether you have a Federated Domain in your tenant
- Sign in to the Microsoft 365 admin center using an administrator account.
- Click Show All
- Click Setup > Domains
- Click Choose columns
- Check Identities
- Click Save
The Identities column now shows whether each domain in your tenant is federated.
Creating Remote Linked Mailboxes in Non-Federated Domains
When creating Remote Linked Mailboxes in a non-federated domain using a web action or an automation rule, Cayosoft Administrator Service creates three accounts:
- The master account in the account forest.
- Linked mailbox account in the Exchange resource forest.
- Synced Microsoft 365 user account. Account properties are taken from the master account and mailbox properties from the linked mailbox account.
After that, Cayosoft Administrator Service assigns a license to the created Microsoft 365 account:
- If the linked mailbox was created in the Cayosoft Web Portal, the Microsoft 365 account is assigned the license specified in the wizard during linked mailbox creation.
- If the linked mailbox was created by running the automation rule in Cayosoft Administrator Console, you should create and schedule the AD Users | Enforce License rule.
Creating Remote Linked Mailboxes in Federated Domains
When creating Remote Linked Mailboxes in a federated domain using a web action or an automation rule, Cayosoft Administrator Service creates two accounts:
- The master account in the account forest.
- Linked mailbox account in the Exchange resource forest.
Then, on its next run, Azure AD Sync creates the Microsoft 365 account using the UserPrincipalName attribute value of the master account. Account properties are taken from the master account and mailbox properties from the linked mailbox account.
To assign a license to the created Microsoft 365 user account, you should configure and schedule one of the following automation rules:
- If the linked mailbox was created in the Cayosoft Web Portal, use the Remote Linked Mailboxes | Enforce License rule. This rule will assign Microsoft 365 licenses that were specified in the Web Portal during linked mailbox creation. The Microsoft 365 licenses that are specified in the rule itself will be ignored.
- If the linked mailbox was created by running the automation rule in Cayosoft Administrator Console, use the AD Users | Enforce License rule.
Web Actions for Linked Mailboxes
There are two web actions in the AD Users web query of the Cayosoft Web Portal for provisioning linked mailboxes:
- New User with Linked Mailbox web action: creates both a new user and a linked mailbox for that user
- New Linked Mailbox web action: creates a linked mailbox for an existing user account
You can grant permissions to delegated administrators to perform these Web Actions.
For more details on how to create linked mailboxes in the Web Portal, please see the Work with user accounts article.
Automation Rules for Remote Linked Mailboxes
To perform bulk provisioning of Active Directory users with remote linked mailboxes, you can use the following automation rules in the Administrator Console:
- Import SQL Data | Create AD Users with Remote Linked Mailbox
- Import Oracle Data | Create AD Users with Remote Linked Mailbox
These rules work both for federated and non-federated domains.
Provisioning Linked Mailboxes: Step-by-step instruction
Configuring trusted domain in Cayosoft Administrator Console
Before provisioning linked mailboxes, verify the trusted domain settings (which Domain Controller and credentials are specified):
- In Administrator Console navigate to Active Directory
- Browse for the Trusted Domains section
- Check that the specified Domain Controller is correct
- Check that the credentials specified for this Domain Controller are correct
Creating linked mailboxes in the Web Portal
On-premise linked mailbox
- Connect to the Cayosoft Web Portal
- In the Active Directory Admin Unit click AD Users web query
- In Actions click New User with Linked Mailbox or New Linked Mailbox
- In Mailbox Type select On-premise Linked
- Complete the wizard
Remote linked mailbox in non-federated domain
- Connect to the Cayosoft Web Portal
- In the Active Directory Admin Unit click AD Users web query
- In Actions click New User with Linked Mailbox or New Linked Mailbox
- In Mailbox Type select Remote Linked
- Complete the wizard
Remote linked mailbox in federated domain
- In the Cayosoft Administrator Console, create the Remote Linked Mailboxes | Enforce License rule.
- In the Initialization Script section, specify this script: {$global:TimeWindow = (Get-Date).AddHours(-1)}
- In the AD query criteria, set this filter: {whenCreated -ge $TimeWindow}; the rule will then find user accounts in the resource forest created during the last hour.
- Schedule this rule to run every hour.
- Then, in the Web Portal, create remote linked mailboxes using the New User with Linked Mailbox or New Linked Mailbox web actions. Specify Remote Linked as the Mailbox Type.
Creating remote linked mailboxes in the Administrator Console
- Depending on the data source, create and configure one of the automation provisioning rules listed above (Import SQL Data | Create AD Users with Remote Linked Mailbox or Import Oracle Data | Create AD Users with Remote Linked Mailbox).
- Create the AD Users | Enforce License rule.
- In the Initialization Script section, specify this script: {$global:TimeWindow = (Get-Date).AddHours(-1)}
- In the AD query criteria, set this filter: {whenCreated -ge $TimeWindow}; the rule will then find user accounts in the resource forest created during the last hour.
In the case of a federated domain, schedule the AD Users | Enforce License rule to run every day one hour later than the automation provisioning rules, so that Azure AD Sync has enough time to complete cloud account creation and triple linkage for accounts in the federated domain.
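The time-window selection used by both the Remote Linked Mailboxes | Enforce License rule and the AD Users | Enforce License rule above can be checked offline before the rule is scheduled. The following is an added example, not Cayosoft's own code: it applies the page's initialization script and query filter to a constructed set of resource-forest accounts (the account names and timestamps are hypothetical) and checks that the window is at least as long as the schedule interval, since a window shorter than the interval would leave newly created accounts unlicensed.

```powershell
# Initialization script from the rule: the window starts one hour before the run.
$global:TimeWindow = (Get-Date).AddHours(-1)

# Constructed sample of disabled linked-mailbox accounts in the resource forest
# (hypothetical names and creation times; a live rule queries AD instead).
$now = Get-Date
$resourceForestUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe.linked';   whenCreated = $now.AddMinutes(-15) },
    [pscustomobject]@{ SamAccountName = 'asmith.linked'; whenCreated = $now.AddMinutes(-55) },
    [pscustomobject]@{ SamAccountName = 'old.linked';    whenCreated = $now.AddHours(-3) }
)

# Equivalent of the rule's AD query criteria {whenCreated -ge $TimeWindow}:
# returns only the accounts created inside the window.
function Get-LicenseCandidate {
    param([object[]]$Users, [datetime]$Since)
    $Users | Where-Object { $_.whenCreated -ge $Since }
}

# Sanity check for the schedule: the query window must cover the whole interval
# between two runs, otherwise accounts created between runs are never selected.
function Test-WindowCoversInterval {
    param([int]$WindowHours, [int]$IntervalHours)
    $WindowHours -ge $IntervalHours
}

# Accounts this run would license (jdoe.linked and asmith.linked; old.linked is outside the window).
Get-LicenseCandidate -Users $resourceForestUsers -Since $global:TimeWindow |
    Select-Object SamAccountName, whenCreated

# Hourly schedule with a one-hour window, as in the federated-domain procedure.
Test-WindowCoversInterval -WindowHours 1 -IntervalHours 1
```

For the daily schedule in the Administrator Console procedure, pass the daily interval to Test-WindowCoversInterval to confirm that the chosen window and offset still catch every account the provisioning rule created.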