Attributes Synchronized by Microsoft Online Directory Synchronization
If you are running Directory Synchronization, you probably know the basics of what attributes are synchronized from your local Active Directory to Microsoft Online. Things like names, group membership, address and contact information are all synchronized. In this post, we’ll take a look some of the more unusual, but very useful attributes, that are synchronized to Microsoft Online.
Before we get started it is important to note that the majority of these attributes will only appear in your Active Directory if you have the schema extended for Exchange.
First let’s take a look at the interesting attributes which you can set on user objects:
Setting the msExchangeHideFromAddressLists attribute to True on an object in your local Active Directory will hide it from the Global Address List in Microsoft Online. This also applies to Groups.
If the account is enabled in Microsoft Online, you can set the TargetAddress of the object in your local Active Directory. Setting the target address on an objects redirects all mail sent to that object to another address. You can even use this to redirect mail to an external recipient. For those of you not familiar with the TargetAddress attribute, the format is SMTP:firstname.lastname@example.org. A word of warning on this attribute, this probably isn’t supported, as things like mailbox moves do wipe out targetaddresses on mailboxes, so use this with extreme caution.
Groups have a few more attributes that you can modify in AD:
(This information is from the very useful BPositive Blog)
AuthOrig (Authorized Originators: Only these Users can send to the DL)
UnauthOrig (Unauthorized Originators: Anyone BUT these users can send to the DL)
dLMemRejectPerms (Unauthorized DLs: Anyone but members of these DLs can send to this DL)
dLMemSubmitPerms (Authorized DLs: No one but members of these DLs can send to this DL)
msExchRequireAuthToSendTo (Only Authenticated Senders can send to the DL, blocks External senders)
The attribute that most people typically want to modify is AuthOrig. That will allow only those users specified to send to the DL. If you don’t have Exchange Management Tools installed, the tricky part is when populating the attribute in AD you have to enter the Distinguished Name of of the object you want to give the right to. To get the DN you’ll have to open the user you want to give rights to in ADSIEdit and copy the Distinguised Name Attribute out. The DN will look like:
You then enter that value in the AuthOrig attribute on the Group. When complete only Bob will be able to send to that DL.
The other common attribute that people set is msExchRequireAuthToSendTo. If this is set to False or Not Set in your local Active Directory the check mark in the “Allow External Senders” checkbox will be checked in the Microsoft Online Administration Console. Setting it to True in your local Active Directory will cause the checkbox to be Checked in Microsoft Online.
For the dLMemRejectPerms and dLMemSubmitPerms, you must enter the DN(s) of the Group(s) that you want to deny or grant access to.
Additional Attributes you can set are:
Setting this attribute to TRUE on a group in your local Active Directory will hide the group membership in Microsoft Exchange Online.
This is another attribute that you must populate with the DN of the object you want to use. In this case the user specified in the ManagedBy attribute in AD will appear as the owner of the group in Exchange Online. Unfortunately, this does not allow the user to update the group’s membership in Exchange Online.
For additional information about what information is sychronized with Microsoft Online Directory Synchronization, you can request a copy of MessageOps Directory Sync In Depth Whitepaper.