How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell

To connect to Local Active Directory, Local Exchange, Azure AD Connect, Office 365 and Azure via PowerShell, follow the steps below.

Pre-requisites -
First you need to ensure your desktop PC is configured to connect to Local Active Directory, Local Exchange, Office 365 and Azure via PowerShell.
** Follow this tutorial to configure your desktop PC for Hybrid Office 365 Administration Link **

Notes - 
Your admin PC must be a member of the local Active Directory domain to be able to administer your Active Directory.
This script will only connect to your local Exchange CAS server from the internal network.

-------------------------------------------------------------------------------------------------------

Once your PC is configured, you will need to create a connection script.
** Download and save my Hybrid Exchange - Office 365 - Azure Connection script - Link - **

Next, edit my connection script by opening the file in Notepad or PowerShell ISE.
I personally prefer PowerShell ISE as it provides visual cues when creating and editing scripts.
The screenshots in this tutorial show editing in PowerShell ISE.

To edit the script in PowerShell ISE, open PowerShell ISE on the left side of your screen and Windows Explorer on the right. Browse to your download directory and drag the file Connect-O365-Azure-Hybrid-v1-xx.ps1 into PowerShell ISE.

Note the red highlighted area which contains the six variables that need to be edited and saved.

Now update the highlighted fields below with your environment details
$Tenant = "TenantName"
$LocalExchServer = "LocalExchangeCAS-ServerName.internal.domain.com"
$LocalCredential = Get-Credential "domain\administrator"
$CloudCred = Get-credential "admin@tenant.onmicrosoft.com"
$AzureADConnect = "AzureADConnectServer.internal.domain.com"
$AzureADCred = "domain\administrator"


Example updated details for my test environment
$Tenant = "hybrid0617"
$LocalExchServer = "EXC13.internal.teamterry365.com"
$LocalCredential = Get-Credential "internal\administrator"
$CloudCred = Get-credential "admin@hybrid0617.onmicrosoft.com"
$AzureADConnect = "DirSync.internal.teamterry365.com"
$AzureADCred = "internal\administrator"

Original script

Example of an updated script - 
Updated with the tenant name, Local Exchange server name, local credentials, cloud credentials, Azure AD Connect server name and Azure AD Connect admin credentials.

Save your updated connection script - Connect-O365-Azure-Hybrid-v1-xx.ps1

-------------------------------------------------------------------------------------------------

Running your Hybrid Exchange - Office 365 - Azure Administration Connection Script


One of the great features of PowerShell ISE is that you can edit and RUN your scripts from the same program. Once you have saved your script, simply click on the green arrow to run it -

Once you click the green arrow and run the script, a PowerShell credential box will appear. This is prompting for your password for the local Active Directory and local Exchange administrator that you edited in the script.
Note that the credential prompt already populates your user name from the variable you edited in the script.

Enter your password and then click OK -

Once accepted, you will then be presented with a credentials prompt for your connection to your Office 365 tenant.
Once again, the credential prompt already populates your user name from the variable you edited in the script.

Enter the password for your tenant and then click OK -

You will see several green progress bars appear as the connections occur.

If you receive a PowerShell prompt to start the WinRM service, click Yes.

You will see more green progress bars appear as the connections occur.

Eventually your PowerShell window will look similar to this.

Lastly you will be prompted for the password for your Azure AD Connect administrator account.
Enter the password and click OK.

If your connection script has run successfully you should not receive any errors, although the exact output depends on your tenant configuration.

Your Hybrid Connection script is now ready.

--------------------------------------------------------------------------------------------------

Using Prefixes in PowerShell commands -

It is important to note that when administering your Hybrid environment, PowerShell cmdlets will frequently overlap when you use remote PowerShell sessions to both Exchange Online and Exchange Local in the same window.

For example, if you had connected via PowerShell to both Exchange Online and Exchange Local, how will PowerShell know which connection you wish to use when running the Get-Mailbox cmdlet?

This is where the PowerShell prefix provides a solution. You will notice in the screenshot above that I have highlighted that several services include the -Prefix parameter. This tells PowerShell that when you add the prefix EXL to the Get-Mailbox cmdlet (Get-EXLMailbox), you are running Get-Mailbox on your Exchange Local connection.

Likewise, when you add the prefix EXO to the Get-Mailbox cmdlet (Get-EXOMailbox), you are running Get-Mailbox on your Exchange Online connection.

In the examples below, you can see how PowerShell differentiates between the two connections by using the prefix to select which connection to use.

Example 1 - Get-Mailbox

Get-EXOMailbox - Get-Mailbox via the Exchange Online connection -

Get-EXLMailbox - Get-Mailbox via the Exchange Local connection

Example 2 - Get-RoleGroup - TechNet Link
There will also be cmdlet overlap across other services - Exchange Local, Exchange Online, the Security & Compliance Center and Exchange Online Protection - in the same Windows PowerShell session. For example, the cmdlet Get-RoleGroup exists in all four connections, but you can use the prefix to specify which connection to run it in.

  • Get-RoleGroup becomes Get-CCRoleGroup in the Security & Compliance Center.
  • Get-RoleGroup becomes Get-EXLRoleGroup in Exchange Local.
  • Get-RoleGroup becomes Get-EXORoleGroup in Exchange Online.
  • Get-RoleGroup becomes Get-EOPRoleGroup in Exchange Online Protection.


Get-CCRoleGroup - Get-RoleGroup via the Compliance Center connection

Get-EXORoleGroup - Get-RoleGroup via Exchange Online

Get-EXLRoleGroup - Get-RoleGroup via Exchange Local

Get-EOPRoleGroup - Get-RoleGroup via Exchange Online Protection
To summarise, I have added the following prefixes to reduce the potential of cmdlet overlap -

Service                      Prefix
Exchange Local               EXL
Exchange Online              EXO
Exchange Online Protection   EOP
Compliance Center            CC
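The following is an added example, not the author's Connect-O365-Azure-Hybrid script, showing where the prefixes in the table above come from: each service gets its own PSSession, and Import-PSSession -Prefix renames every imported cmdlet, so Get-Mailbox becomes Get-EXLMailbox or Get-EXOMailbox and Get-RoleGroup becomes Get-EXLRoleGroup, Get-EXORoleGroup, Get-EOPRoleGroup or Get-CCRoleGroup. It assumes $LocalExchServer, $LocalCredential and $CloudCred are already set as in the connection-script section earlier on this page, and it uses the legacy Basic-authentication remote PowerShell endpoints of that era, which Microsoft has since retired; on a current tenant the ExchangeOnlineManagement module's Connect-ExchangeOnline -Prefix gives the same naming effect for Exchange Online.

```powershell
# Added example (not the page's own connection script). Assumes $LocalExchServer,
# $LocalCredential and $CloudCred are set as described earlier on this page.
# The service table below mirrors the prefix table in the text.
$services = @(
    @{ Name = 'Exchange Local';             Prefix = 'EXL'
       Uri  = "http://$LocalExchServer/PowerShell/"
       Auth = 'Kerberos'; Credential = $LocalCredential }
    @{ Name = 'Exchange Online';            Prefix = 'EXO'
       Uri  = 'https://outlook.office365.com/powershell-liveid/'
       Auth = 'Basic';    Credential = $CloudCred }
    @{ Name = 'Exchange Online Protection'; Prefix = 'EOP'
       Uri  = 'https://ps.protection.outlook.com/powershell-liveid/'
       Auth = 'Basic';    Credential = $CloudCred }
    @{ Name = 'Compliance Center';          Prefix = 'CC'
       Uri  = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'
       Auth = 'Basic';    Credential = $CloudCred }
)

function Connect-PrefixedService {
    param([Parameter(Mandatory)][hashtable]$Service)

    # One PSSession per service. All four expose the same Microsoft.Exchange
    # configuration, which is exactly why their cmdlet names collide without a prefix.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $Service.Uri -Credential $Service.Credential `
        -Authentication $Service.Auth -AllowRedirection -Name $Service.Prefix

    # Import-PSSession generates local proxy functions for the remote cmdlets.
    # -Prefix is inserted after the verb: Get-Mailbox is exposed as Get-<Prefix>Mailbox.
    Import-PSSession $session -Prefix $Service.Prefix -DisableNameChecking -AllowClobber | Out-Null
    Write-Host ('Connected {0,-28} -> prefix {1}' -f $Service.Name, $Service.Prefix)
}

foreach ($svc in $services) { Connect-PrefixedService -Service $svc }

# The prefix now selects the connection: both lines run Get-Mailbox, in different sessions.
Get-EXLMailbox -ResultSize 5 | Select-Object Name, ServerName
Get-EXOMailbox -ResultSize 5 | Select-Object Name, ServerName

# Because every import was prefixed, no unprefixed Get-Mailbox remains in this window;
# an old script that calls plain Get-Mailbox fails visibly instead of silently running
# against whichever environment happened to be imported last.
Get-Command Get-*Mailbox -CommandType Function | Select-Object Name, Source
```

The last Get-Command call is the useful check after any connection script: if it lists only prefixed names, a cmdlet can never be dispatched to the wrong environment by accident, which is the failure the text warns about when editing pre-existing scripts.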

Remember to edit pre-existing scripts -
If you have pre-existing scripts used for Hybrid management, you will need to edit the scripts by adding the appropriate prefix to ensure your cmdlets run in the correct connection.

--------------------------------------------------------------------------------------------------

Testing your PowerShell connections

Type the cmdlets below to confirm successful connections to all services via PowerShell.

Test - Local Active Directory
Get-ADDomain

Test - Exchange Local
Get-EXLMailbox

Test - Exchange Online
Get-EXOMailbox

Test - Azure AD v1.0
Get-MsolUser

Test - Azure AD v2.0 Admin
Get-AzureADUser

Test - Azure Resource Manager
Get-AzureRmContext

Test - SharePoint Admin
Get-SPOTenant

Test - Skype for Business Admin
Get-CsTenant

Test - Security and Compliance Centre
Get-CCManagementRole

Test - Exchange Online Protection
Get-EOPTransportRule

Test - Azure AD Connect
Get-ADSyncAutoUpgrade
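The tests above can be run as a single pass once the connection script has finished. The following is an added example, not part of the original post, that runs each of the listed cmdlets and reports per service whether the cmdlet is present at all (which is false when that service's session was never imported, or was imported without its prefix) and whether a minimal call succeeds. The service names and cmdlets are taken from the list above; the function name Test-HybridConnection is this example's own.

```powershell
# Added example (not from the original post): one pass over the connection tests
# listed above, reporting NotConnected / Failed / OK per service.
$connectionTests = @(
    @{ Service = 'Local Active Directory';     Cmdlet = 'Get-ADDomain' }
    @{ Service = 'Exchange Local';             Cmdlet = 'Get-EXLMailbox' }
    @{ Service = 'Exchange Online';            Cmdlet = 'Get-EXOMailbox' }
    @{ Service = 'Azure AD v1.0';              Cmdlet = 'Get-MsolUser' }
    @{ Service = 'Azure AD v2.0';              Cmdlet = 'Get-AzureADUser' }
    @{ Service = 'Azure Resource Manager';     Cmdlet = 'Get-AzureRmContext' }
    @{ Service = 'SharePoint Admin';           Cmdlet = 'Get-SPOTenant' }
    @{ Service = 'Skype for Business Admin';   Cmdlet = 'Get-CsTenant' }
    @{ Service = 'Security and Compliance';    Cmdlet = 'Get-CCManagementRole' }
    @{ Service = 'Exchange Online Protection'; Cmdlet = 'Get-EOPTransportRule' }
    @{ Service = 'Azure AD Connect';           Cmdlet = 'Get-ADSyncAutoUpgrade' }
)

function Test-HybridConnection {
    param([Parameter(Mandatory)][hashtable[]]$Tests)

    foreach ($t in $Tests) {
        $result = [pscustomobject]@{
            Service = $t.Service; Cmdlet = $t.Cmdlet; Status = 'Unknown'; Detail = ''
        }

        # Step 1: is the cmdlet (or the proxy function Import-PSSession generated) loaded?
        # A missing prefixed cmdlet means that service's session was not imported with -Prefix.
        if (-not (Get-Command $t.Cmdlet -ErrorAction SilentlyContinue)) {
            $result.Status = 'NotConnected'
            $result.Detail = 'cmdlet not found in this session'
            $result
            continue
        }

        # Step 2: call it, keeping only the first object so tenant-wide queries stay cheap.
        # -ErrorAction Stop turns a broken or expired session into a catchable error.
        try {
            $null = & $t.Cmdlet -ErrorAction Stop | Select-Object -First 1
            $result.Status = 'OK'
        } catch {
            $result.Status = 'Failed'
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

$report = Test-HybridConnection -Tests $connectionTests
$report | Format-Table -AutoSize

if ($report.Status -contains 'Failed' -or $report.Status -contains 'NotConnected') {
    Write-Warning 'One or more hybrid connections are not usable; re-run the connection script.'
}
```

Distinguishing NotConnected from Failed is the point of the two-step check: the first means the connection script never imported that service's cmdlets, the second means the session exists but the remote side rejected the call (an expired token, a closed WinRM session, or a credential without rights to that service).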

--------------------------------------------------------------------------------------------------

Congratulations -
You have now confirmed that you can successfully connect via PowerShell to local Active Directory, Local Exchange, and all Office 365 and Azure services via the Connect-O365-Azure-Hybrid script.

--------------------------------------------------------------------------------------------------
