Exchange Hybrid

Exchange Hybrid Connectivity supports importing data from, and provisioning data to, Microsoft Exchange and Microsoft Exchange Hybrid. It collects data from Microsoft Exchange via Omada Data Warehouse (ODW) and provisions data through Omada Provisioning Service (OPS). Two modes are supported: connecting to an on-premises Exchange organization only, or connecting to an Exchange Hybrid environment. You can customize the functionality of the connector in both ODW and OPS.

Managing Microsoft Exchange Online only is not supported by Exchange Hybrid Connectivity. Mailboxes that reside only in Microsoft Exchange Online are imported, but assigning, requesting, and provisioning these mailboxes is not supported. For online-only scenarios, use Microsoft Exchange Online connectivity.

To import from Microsoft Exchange, the SQL Server Integration Services (SSIS) Server must run PowerShell version 5.1 or higher.

Supported objects and operations

Exchange Hybrid Connectivity retrieves user, equipment, room and shared mailboxes, permission access to these mailboxes, distribution groups/members, and admin role groups.

Microsoft Exchange object   | Omada data model     | Operations
----------------------------|----------------------|-----------------------------
User Mailbox                | Resource assignments | Create, read, update, delete
Equipment Mailbox           | Resource assignments | Create, read, update, delete
Room Mailbox                | Resource assignments | Create, read, update, delete
Shared Mailbox              | Resource assignments | Create, read, update, delete
Distribution group          | Resource             | Create, read, update, delete
Distribution group members  | Resource assignments | Create, read, update, delete
Admin Roles                 | Resources            | Read
Admin Role memberships      | Resource assignments | Read

Accounts are not imported from Exchange. Instead, they are looked up in, and referenced from, Microsoft Active Directory and Microsoft Entra ID.

The following Microsoft Exchange objects are not managed by Exchange Hybrid Connectivity:

  • Public Folders
  • Contacts

Mailbox attributes

The table below lists options in Microsoft Exchange supported and managed as attributes in Omada Identity:

Mailbox type       | Option                                                           | Operations
-------------------|------------------------------------------------------------------|---------------------
User Mailbox       | Primary email                                                    | Create, read, update
User Mailbox       | Additional email addresses                                       | Read
User Mailbox       | Webmail                                                          | Create, read, update
User Mailbox       | Address                                                          | Create, read, update
User Mailbox       | Quotas (Issue Warning, Prohibit send, Prohibit send and receive) | Create, read, update
User Mailbox       | Hide in address list                                             | Create, read, update
User Mailbox       | Location (1)                                                     | Create, read, update
Equipment Mailbox  | Location                                                         | Create, read, update
Room Mailbox       | Location                                                         | Create, read, update
Shared Mailbox     | Location                                                         | Create, read, update

(1) This option exists only in Omada Identity. It is used to provision mailboxes to either Exchange on-premises or Exchange Online, and it is also used when connecting through Exchange Hybrid Connectivity.

Mailbox delegation

In a hybrid environment, you can assign permissions only to a mailbox that is either local or remote. Assigning permissions to an Exchange Online mailbox is not supported by Microsoft. The table below lists the permissions that can be assigned to each mailbox type:

Mailbox type       | Permissions
-------------------|------------------------------------
User Mailbox       | Send As, Send on Behalf, Full Access
Equipment Mailbox  | Send As, Send on Behalf, Full Access
Room Mailbox       | Send As, Send on Behalf, Full Access
Shared Mailbox     | Send As, Full Access

The appropriate permission for a mailbox can be requested only after the mailbox has been confirmed through the import.

Requesting and assigning permissions to mailboxes is supported across the Exchange Hybrid environment, as shown in the table below:

Location of Mailbox requesting access | Location of Mailbox to set permissions on
--------------------------------------|------------------------------------------
On-premises                           | On-premises
On-premises                           | Online (remote mailbox)
Online (remote mailbox)               | Online (remote mailbox)
Online (remote mailbox)               | On-premises

Minimum required permissions

If the connection to on-premises Microsoft Exchange uses Kerberos authentication, the user running the SSIS packages must be granted the necessary access rights. For other authentication mechanisms, you can create a separate user. The SSIS proxy account also requires local administrator rights on the SSIS server to execute the PowerShell scripts correctly.

Omada recommends making the user a member of the Exchange admin role group View-Only Organization Management. This grants the access rights necessary for retrieving objects from Exchange. With the standard Exchange roles, the user needs access to the management roles Mail Recipients and Active Directory Permissions. This can be done either by adding the user to the standard role group Organization Management or by giving the user a direct assignment to the two management roles.

If Omada Identity is not configured to get and set Full Access and Send As permissions (these import queries can be disabled in the collector), access to the management role Active Directory Permissions is not needed. Membership in the standard role group Recipient Management is then sufficient.
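The least-privilege role setup described above, as an added example written for this page (not Omada's own scripts); it assumes the on-premises Exchange Management Shell and uses the placeholder account CONTOSO\svc-omada-exch.

```powershell
# Added example, not from the Omada documentation: grant a dedicated import
# account only the Exchange roles this connector needs, then verify them.
# Run in the on-premises Exchange Management Shell. The account is a placeholder.
$Account = "CONTOSO\svc-omada-exch"

# Read-only import of mailboxes, groups and admin roles.
Add-RoleGroupMember -Identity "View-Only Organization Management" -Member $Account

# Provisioning mailboxes and Send As / Full Access permissions needs the two
# management roles. Assign them directly rather than adding the account to
# Organization Management, which would grant far more than required.
New-ManagementRoleAssignment -Role "Mail Recipients" -User $Account
New-ManagementRoleAssignment -Role "Active Directory Permissions" -User $Account

# If the Full Access / Send As import queries are disabled in the collector,
# membership in Recipient Management replaces the two direct assignments:
# Add-RoleGroupMember -Identity "Recipient Management" -Member $Account

# Verify: the account should appear in the role group and hold exactly the
# two direct role assignments, nothing broader.
Get-RoleGroupMember -Identity "View-Only Organization Management" |
    Where-Object { $_.Name -eq ($Account -split '\\')[-1] }
Get-ManagementRoleAssignment -RoleAssignee $Account |
    Select-Object Role, RoleAssigneeName, AssignmentMethod
```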

Implementation notes

You must have at least one on-premises Exchange Server and must also use Exchange Online. Additionally, the Microsoft Office 365 Hybrid Configuration Wizard must have completed successfully. Once the wizard has completed, both the on-premises and Exchange Online organizations can be managed from the Exchange admin center and the Exchange Management Shell.

Mailboxes must be provisioned and synchronized via Microsoft Entra ID Connect before access (Send As, Send on Behalf, Full Access) can be assigned to them. Before a User Mailbox is requested or assigned, the identity must already have an assignment for an Active Directory account.

You can upgrade or migrate the legacy Exchange Connectivity to the new Exchange Hybrid Connectivity, but upgrading or migrating to Exchange Online Connectivity is not supported.

Network requirements

Omada Identity utilizes Remote PowerShell to connect to Exchange. For general information on the connection requirements, refer to the Microsoft article.

If you encounter issues when configuring the connection, verify your network configuration, including physical and software firewalls. Remote PowerShell uses the following TCP ports by default:

  • 5985 or 80 for HTTP
  • 5986 or 443 for HTTPS

Prerequisites

Microsoft Exchange references users and groups from Microsoft Active Directory and Microsoft Entra ID, so Exchange Hybrid Connectivity requires a trust to both systems. Both systems must already be successfully onboarded in Omada Identity; use the collectors for Microsoft Active Directory and Microsoft Entra ID to onboard them.

Example use cases of administering assignments
  • User Mailboxes

    • User Mailboxes can be requested via the Request Access process or assigned via Assignment Policies and provisioned via OPS

    • Send as, Send on behalf, Full Access permissions to other users' mailboxes can be requested via the Request Access process and provisioned via OPS

    • Mailbox options (Mailbox quota, Web mail, Hide in Address List, Mailbox location) can be requested via the Request Access process or assigned via Assignment Policies and provisioned via OPS

    • User Mailboxes can be reviewed via the User Mailbox access review

    • Prioritization Policy can be used to determine which Mailbox location option should have highest priority

  • Equipment, Room and Shared Mailboxes

    • Equipment, Room and Shared Mailboxes can be requested via the Request Access process and provisioned via OPS

    • Mailbox location can be requested via the Request Access process and provisioned via OPS

    • Send as, Send on behalf, Full Access permissions to these mailboxes can be requested via the Request Access process and provisioned via OPS

Supported import modes

The Exchange Hybrid Connectivity always runs a full data import. Delta mode is not supported.

Certificate requirements

To use certificate authentication, install the ExchangeOnlineManagement PowerShell module. Additionally, when using certificate authentication with a thumbprint, install a valid certificate on the servers where OPS and ODW reside. The certificates are imported via the Management Portal.

The Exchange connectivity relies on Microsoft Entra ID Connectivity for correct operation. Configure and import data from Microsoft Entra ID before importing data from Microsoft Exchange. You can manage more than one Exchange system.

  1. For each Exchange system, configure:

    • the connection details
    • the Microsoft Entra ID trust
    • the provisioning type
  2. Exchange connectivity integrates with Exchange using remote PowerShell. Specify all of the parameters required by the selected authentication method.

  3. After the initial load from Exchange, the new Exchange system is created in Omada Identity. It is then ready for the remaining configuration.

  4. Configure the Microsoft Entra ID trust by specifying the system's domain that the Exchange system integrates with.

  5. Configure the Exchange system to use OPS for provisioning of resource assignments.

Set up certificate authentication

  1. Create the app and certificate; see App-only authentication for unattended scripts in the EXO V2 module in the Microsoft documentation.

  2. If you chose to create a certificate with a password, convert the certificate into PEM format (see OpenSSL). Example conversion command:

    openssl pkcs12 -in filename.pfx -out cert.pem -nodes

    The -nodes option writes the private key into cert.pem unencrypted, so restrict access to that file to the account that needs it.
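A pre-flight check for the thumbprint-based certificate authentication described above, as an added example written for this page (not Omada's own code); it assumes the ExchangeOnlineManagement module is installed and uses placeholders for the thumbprint, application ID and tenant.

```powershell
# Added example, not from the Omada documentation: verify that the certificate
# referenced by thumbprint is usable for app-only authentication, then open and
# close a test session. The three values below are placeholders.
$Thumbprint   = "<certificate-thumbprint>"
$AppId        = "<entra-application-id>"
$Organization = "contoso.onmicrosoft.com"

# The module must be present on both the OPS and the ODW server.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    throw "ExchangeOnlineManagement module is not installed on this server"
}

# Thumbprint authentication needs the certificate together with its private
# key in a store readable by the account that runs the packages.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1
if (-not $cert)               { throw "certificate $Thumbprint not found in My stores" }
if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "certificate expires on $($cert.NotAfter); renew it before imports fail"
}

# Smoke test: connect with the app identity, read one tenant object, disconnect.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization
Get-OrganizationConfig | Select-Object Name
Disconnect-ExchangeOnline -Confirm:$false
```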