Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell

Welcome to my tutorials on Hybrid Exchange - Office 365 Administration -

All Hybrid Administration Tutorials
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- Hybrid Management - Part 01 - Creating local User mailboxes - Link
- Hybrid Management - Part 02 - Creating local Exchange Shared Mailboxes - Link
- Hybrid Management - Part 03 - Creating local Exchange Room and Equipment Mailboxes - Link
- Hybrid Management - Part 04 - Configure the Hybrid Connection Wizard - Link
- Hybrid Management - Part 05 - Individual mailbox moves via the EAC - Link
- Hybrid Management - Part 06 - Bulk mailbox moves via the EAC - Link
- Hybrid Management - Part 07 - Moving bulk mailboxes with PowerShell - Link
- Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell - Link
- Hybrid Management - Part 09 - Creating Office 365 Shared Mailboxes via PowerShell - Link
- Hybrid Management - Part 10 - Creating Office 365 Room and Equipment Mailboxes via PowerShell - Link


Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell 

This tutorial will walk you through creating Office 365 User Mailboxes.
The script is available as part of my Hybrid Office 365 Administration Pack - Download Link

It is critical that you follow the pre-requisites below as my Hybrid connection script is needed to run these Hybrid Management scripts successfully.



Preparation Guides
- Follow the guides below to ensure your PC is configured for Hybrid Administration - 
How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link

Downloads -
My Hybrid Office 365 Administration Pack - Download Link
My Hybrid Connection Script - Download Link


Introduction -
At some point in your Hybrid administration, you will move on from creating local Exchange mailboxes that are later moved to Office 365, to now creating mailboxes directly in Office 365.
The PowerShell process for this is to create a RemoteMailbox. This allows the full Hybrid experience for newly created Office 365 mailboxes.

The basic process for creating all the various types of Office 365 mailboxes is very similar, apart from a few small differences (different cmdlets are used). In fact, if you compare the PowerShell cmdlets used in the scripts that create these objects, you will see where the cmdlets change.

All spreadsheets for all Office 365 mailbox creations have the same three permissions columns -
- Full Access
- Send As
- Send on Behalf.

This is also the same for both Local Exchange and Office 365 mailboxes.


Preparation for creating Office 365 mailboxes via PowerShell - (Remote Mailboxes)

To start creating Office 365 User Mailboxes, ensure you have already downloaded the following scripts and csv folders mentioned earlier in the pre-requisites section.
--- Hybrid Connection Script - Download Link
--- Hybrid Office 365 Administration Pack - Download Link

Extract the folders in the Hybrid Office 365 Administration Pack zip file to the folder of your choice. Copy the appropriate ps1 and csv files to the root of c:\scripts.


Editing the csv file with your Office 365 User Mailbox details

Firstly we need to determine the SKU-IDs of your tenant. This information will be needed when assigning a license for your users. As this tutorial is created on a trial tenant, at this stage I only have one SKU-ID. In a real world production tenant, you may have many different licenses (and SKU-IDs displayed). The AccountSkuId is only used for LICENSED users. Every user that logs into Office 365 and accesses their personal mailbox will need a license.
Room, Equipment and Shared mailboxes do not need a license assigned.

Run the script - Get-SKUID.ps1 - and copy the results to Notepad, etc., for future reference. The appropriate SKU-ID is needed for the spreadsheet, or your users will not be assigned licenses via the script.

As you can see in the image above, the AccountSkuId I need for assigning my E3 license is -

Edit the RemoteUserMailboxes.csv with your data.
See the example below for guidance -

*** Notes for editing the RemoteUserMailboxes.csv file ***
The following fields MUST contain data to create a valid Office 365 mailbox -
- Name              ( This becomes the Display Name )
- UPN               ( This becomes the login ID, which matches the email address )
- Alias             ( This must match the start of the email address / UPN )
- OU                ( This is the Organizational Unit where you are creating the user object )
- Password          ( This is NOT set to change at first login )
- UsageLocation     ( This is the two-letter country code for the appropriate country )
- AccountSkuID      ( This is the APPROPRIATE license for the user )

Although that is the minimum that is needed to actually create a mailbox, you would in normal practice use FirstName and LastName for ease of management.

Things to be aware of when updating the spreadsheet for User mailboxes.

Name
- This becomes the Display Name of the user's mailbox

UPN
- This becomes the login ID, which needs to match the Primary SMTP address

Alias
- Ensure this matches the start of the email address / UPN

OU
- Ensure the Organisational Unit is correct (Local Active Directory OU)

Password
- The script DOES NOT set the user to change password at next logon.
- This is because Azure AD Premium licensing (with password write-back) is needed to allow clients to change passwords in Office 365.
- More Information Here - Link
- Make sure you abide by your internal AD password policy or the script will fail

Usage Location
- This is the two-letter country code for the country where your user is located

Account SkuID
- This is the APPROPRIATE license for the user
- This is in a format similar to - hybrid0617:ENTERPRISEPACK
- Run the script - Get-SKUID.ps1 - as mentioned earlier in this tutorial

- This can be used to simplify Enterprise Management - Link

Send As
- Enter the UPN of the user (or email address of group) that needs Send As permission to the mailbox

Full Access
- Enter the UPN of the user (or email address of group) that needs Full Access permission to the mailbox

Send On Behalf
- Enter the UPN of the user (or email address of group) that needs SendOnBehalf permission to the mailbox

Manager
- Enter the Alias of the Manager (this is usually the UPN without the domain name).
- - Example
- UPN / Email address of the Manager - user.101@teamterry365.com
- Alias of the Manager - user.101

Country
- Note that you must use the two character code for the Country - Link
- - Example -
- AU - Australia
- US - United States

The other fields are plain text fields which are self-explanatory -
- City
- Company
- Department
- HomePhone
- MobilePhone
- Office
- OfficePhone
- StreetAddress
- State
- PostalCode
- Country
- HomePage
- Fax

Once you have finished creating your csv file, save as C:\Scripts\RemoteUserMailboxes.csv
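Before running the creation script it is worth checking the spreadsheet against the rules listed above (required columns, Alias matching the UPN, a two-letter UsageLocation, and an AccountSkuID that actually exists in the tenant with free units). The following is an added example and is not the tutorial's Get-SKUID.ps1 or its mailbox script; it assumes the MSOnline module is already connected with Connect-MsolService so that Get-MsolAccountSku can list the tenant's SKU-IDs. The sample rows, domain OU and placeholder password are constructed for the example only, and the second row deliberately contains mistakes so the checks have something to report.

```powershell
# Added example (not the tutorial's own script). Assumes Connect-MsolService has run.
$CsvPath = 'C:\Scripts\RemoteUserMailboxes.csv'

# Constructed sample rows; column names follow the tutorial's RemoteUserMailboxes.csv.
# Row 2 has a mismatched Alias, an empty Password, a 3-letter UsageLocation and a bad SKU.
$SampleCsv = @'
Name,FirstName,LastName,UPN,Alias,OU,Password,UsageLocation,AccountSkuID,FullAccess,SendAs,SendOnBehalf,Manager
User 101,User,101,user.101@teamterry365.com,user.101,"OU=Staff,DC=teamterry365,DC=com",PLACEHOLDER-PASSWORD,AU,hybrid0617:ENTERPRISEPACK,,,,
User 102,User,102,user.102@teamterry365.com,user102,"OU=Staff,DC=teamterry365,DC=com",,AUS,hybrid0617:E3,user.101@teamterry365.com,,,user.101
'@

function Get-TenantSkuTable {
    # The lookup the tutorial uses Get-SKUID.ps1 for: each AccountSkuId with its free units.
    Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
        @{ Name = 'Available'; Expression = { $_.ActiveUnits - $_.ConsumedUnits } }
}

function Test-RemoteMailboxCsv {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [object[]] $Skus = @()    # output of Get-TenantSkuTable; empty skips the SKU checks
    )
    $required = 'Name', 'UPN', 'Alias', 'OU', 'Password', 'UsageLocation', 'AccountSkuID'
    $problems = New-Object System.Collections.Generic.List[string]
    $seenUpn  = @{}
    $perSku   = @{}
    $line     = 1   # the header row is line 1

    foreach ($row in $Rows) {
        $line++
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) {
                $problems.Add("Line $line ($($row.Name)): required column '$col' is empty")
            }
        }
        # Alias must be the local part of the UPN, which is also the primary SMTP address
        if ($row.UPN -and $row.Alias -and (($row.UPN -split '@')[0] -ne $row.Alias)) {
            $problems.Add("Line $line: Alias '$($row.Alias)' does not match the start of UPN '$($row.UPN)'")
        }
        if ($row.UsageLocation -and $row.UsageLocation -notmatch '^[A-Za-z]{2}$') {
            $problems.Add("Line $line: UsageLocation '$($row.UsageLocation)' is not a two-letter country code")
        }
        if ($row.UPN) {
            if ($seenUpn.ContainsKey($row.UPN)) { $problems.Add("Line $line: duplicate UPN '$($row.UPN)'") }
            $seenUpn[$row.UPN] = $true
        }
        if ($row.AccountSkuID) { $perSku[$row.AccountSkuID] = 1 + [int]$perSku[$row.AccountSkuID] }
    }

    # Every AccountSkuID must exist in the tenant and have enough free units for its rows
    if ($Skus) {
        foreach ($skuId in $perSku.Keys) {
            $sku = $Skus | Where-Object { $_.AccountSkuId -eq $skuId }
            if (-not $sku) {
                $problems.Add("AccountSkuID '$skuId' is not a SKU in this tenant")
            } elseif ($sku.Available -lt $perSku[$skuId]) {
                $problems.Add("AccountSkuID '$skuId': $($perSku[$skuId]) users need licenses but only $($sku.Available) are free")
            }
        }
    }
    return $problems
}

$rows = $SampleCsv | ConvertFrom-Csv     # real run: Import-Csv -Path $CsvPath
$skus = @()
try { $skus = Get-TenantSkuTable } catch { Write-Warning "Not connected to MSOnline; skipping SKU checks" }
$skus | Format-Table -AutoSize
$issues = Test-RemoteMailboxCsv -Rows $rows -Skus $skus
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Spreadsheet looks consistent' }
```

Run this in the same session you use for the Hybrid connection, swap the ConvertFrom-Csv line for Import-Csv on your real file, and fix every warning before running the creation script; because the creation script has no error checking, a bad SKU-ID or mismatched alias is far cheaper to catch here than after the objects have synced.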

Note that if you would like to save the csv file in a different location, you can easily edit the script variable as below.

Original script

Updated script with new csv location.


Running the scripts for Remote (Office 365) Exchange Mailbox creation

Connect to your local Exchange, AD and Azure AD Connect server using this tutorial -
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link

Run the script -
Open PowerShell ISE and connect using my Hybrid Connection script - (see above).
Open the folder and drag the script - New-RemoteUserMailbox-v-xxx to PowerShell ISE.

Once you have updated your csv (as previous), you can simply run the script by clicking the Play arrow.

When the script runs, you will see that it has created the mailboxes.
There will be a two minute delay while it sets delegate permissions if specified.

After the Send On Behalf delegates are assigned, the script will continue, synchronize the account to Office 365 and also create a mailbox in Office 365.
The text with 'RunspaceID and Result : Success' is displayed after Azure AD Connect (DirSync) has successfully synced the objects to Office 365.

The script will now sleep for five minutes to allow for Office 365 to update the objects.

After the five minute delay, the script will then assign licenses to the accounts and add further permissions where appropriate.

While permissions are updated the screen will display the delegate permission changes.

After delegate permissions are assigned you will see the text below.
Please note that I have not included error checking in the script, so please review the changes to ensure your script has created the mailboxes as you expected.
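To make the sequence above concrete, here is the same flow written out end to end with the cmdlets each step uses. This is an added example and is not the tutorial's New-RemoteUserMailbox script. It makes assumptions that are not stated by the tutorial: the local Exchange session is loaded without a prefix (New-RemoteMailbox, Set-RemoteMailbox), the Exchange Online session was imported with -Prefix Cloud so that Add-CloudMailboxPermission and Add-CloudRecipientPermission run against Office 365 rather than local Exchange, the MSOnline module is connected (Set-MsolUser, Set-MsolUserLicense), and $AadConnectServer holds your Azure AD Connect server name (a placeholder below). Unlike the tutorial's script it skips rows whose local creation fails, so the later licensing and permission steps only touch accounts that exist. Note that the Password column is plaintext at rest, so the csv should be protected while in use and removed when the run is finished.

```powershell
# Added example, not the tutorial's own script. See the lead-in for the session assumptions.
$CsvPath          = 'C:\Scripts\RemoteUserMailboxes.csv'
$AadConnectServer = 'AADCONNECT01'      # placeholder: your Azure AD Connect server
$Rows    = Import-Csv -Path $CsvPath
$Created = New-Object System.Collections.Generic.List[object]

# 1. Create the remote mailboxes in local AD / local Exchange. A row that fails here is
#    left out of every later step instead of the script carrying on blindly.
foreach ($r in $Rows) {
    try {
        # Password column is plaintext at rest; protect the csv and delete it after the run.
        $securePwd = ConvertTo-SecureString -String $r.Password -AsPlainText -Force
        New-RemoteMailbox -Name $r.Name -FirstName $r.FirstName -LastName $r.LastName `
            -UserPrincipalName $r.UPN -Alias $r.Alias -OnPremisesOrganizationalUnit $r.OU `
            -Password $securePwd -ResetPasswordOnNextLogon $false -ErrorAction Stop | Out-Null
        $Created.Add($r)   # the tutorial does not force a password change at first logon
    } catch {
        Write-Warning "Skipping $($r.UPN): $($_.Exception.Message)"
    }
}

# 2. Send On Behalf is stored on the local object, so it is granted before the sync.
#    The pause matches the tutorial's two-minute delay while delegates are set.
foreach ($r in $Created | Where-Object { $_.SendOnBehalf }) {
    Set-RemoteMailbox -Identity $r.UPN -GrantSendOnBehalfTo @{ Add = $r.SendOnBehalf }
}
Start-Sleep -Seconds 120

# 3. Delta sync on the Azure AD Connect server; this returns the 'Result : Success'
#    line the tutorial describes. Then wait for Office 365 to create the objects.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
Start-Sleep -Seconds 300     # the tutorial's five-minute wait

# 4. Licensing. UsageLocation must be set before a license can be assigned.
foreach ($r in $Created) {
    Set-MsolUser -UserPrincipalName $r.UPN -UsageLocation $r.UsageLocation
    Set-MsolUserLicense -UserPrincipalName $r.UPN -AddLicenses $r.AccountSkuID
}

# 5. Full Access and Send As are granted on the Office 365 side of a remote mailbox.
foreach ($r in $Created) {
    if ($r.FullAccess) {
        Add-CloudMailboxPermission -Identity $r.UPN -User $r.FullAccess -AccessRights FullAccess -AutoMapping $true
    }
    if ($r.SendAs) {
        Add-CloudRecipientPermission -Identity $r.UPN -Trustee $r.SendAs -AccessRights SendAs -Confirm:$false
    }
}

# 6. Review what actually landed; nothing above retries or rolls back.
$Created | ForEach-Object { Get-CloudMailbox -Identity $_.UPN -ErrorAction SilentlyContinue } |
    Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails | Format-Table -AutoSize
```

The final table is the quick confirmation the next section does by hand in the portals: a row missing from it means the object did not reach Exchange Online, which is the point at which to re-run the failed part of the flow rather than the whole script.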


Confirming creation of mailboxes
Log in to the Office 365 Admin Portal and confirm that Users have been created that correspond to the Remote Exchange Mailboxes in the spreadsheet.

Open the Exchange Online EAC and confirm that User mailboxes have been created in Office 365.

You can also confirm the successful setting of delegated permissions by checking the mailboxes.

Check Local Exchange -
Log into the Local Exchange EAC and confirm the creation of the Office 365 user mailboxes.

Confirm mailbox access -
To confirm that the mailbox has created successfully in Office 365, log in to the Office 365 Portal with the credentials and password that were in the spreadsheet.


Congratulations -
You have successfully created Office 365 (Remote) Mailboxes via PowerShell


Troubleshooting - 

Error -
Your organization doesn't allow you to update your password on this site.

Issue -
Depending on your organization's requirements and how you have run the Hybrid Connection Wizard, your clients may not be able to update their password, even when they are set to Change Password at next logon.

Resolution - Link
Unless you have Azure AD Premium and Password Write-back enabled, you can't reset passwords for synchronized accounts in any part of Azure or O365, even if the user is set to change the password after login. They have to log in to a Domain-joined computer, reset their password, wait for the password sync to occur following their reset, then log in.

Notes -
It is for this reason that I have set the script to not force password change at first log in.


Error -
WARNING: An error caused a change in the current set of domain controllers.
An error caused a change in the current set of domain controllers.

Issue -
The Office 365 backend infrastructure had an 'issue'.
There is nothing you can do about this apart from trying to determine where the issue occurred and re-running that part of your script.

