Office 365 Active Directory Hybrid Accounts Administration


This scenario assumes that Azure AD Sync has been used to synchronize on-premises Windows 2008 or higher Active Directory objects to Office 365. The following instructions illustrate the process of creating and managing user accounts in this type of “Hybrid” environment.

Step 1: Creating Active Directory User Account
Scripting method
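# Script to add new user with no group memberships
Import-Module ActiveDirectory
# Placeholder values; replace with the new user's details
$firstName = "Jane"
$lastName = "Doe"
$primaryEmailDomainSuffix = "example.com"
$username=$firstName[0] + $lastName;
# "Password1" is a placeholder initial password; set a unique value for each account
New-ADUser -SamAccountName $username -Name "$firstName $lastName" -GivenName $firstName -Surname $lastName -EmailAddress "$username@$primaryEmailDomainSuffix" -PasswordNeverExpires $False -AccountPassword (ConvertTo-SecureString -AsPlainText "Password1" -Force) -PassThru | Enable-ADAccount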
# This script's purpose is to copy group memberships from one user account to another
# Usage: Create a file named membershipCopy.bat on a server with MMC Active Directory module installed and execute it
# When I have time, I'll convert this to PowerShell and merge it with the account creation script

@echo off
rem set /p AdminID=Please Input Admin UserID:
rem set /p AdminPassword=Please Input Admin Password:

Set /p CopyFrom=Copy From:
Set /p CopyTo=Copy To:

rem Resolve each username to its distinguished name; stop if either lookup returns nothing
Set CopyToDN=
FOR /f "Tokens=*" %%a in ('dsquery user -samid %CopyTo%') DO Set CopyToDN=%%a
IF NOT DEFINED CopyToDN (
ECHO Could not find %CopyTo% in AD
GOTO end
)

Set CopyFromDN=
FOR /f "Tokens=*" %%a in ('dsquery user -samid %CopyFrom%') DO Set CopyFromDN=%%a
IF NOT DEFINED CopyFromDN (
ECHO Could not find %CopyFrom% in AD
GOTO end
)

ECHO ===============================================================================
ECHO Copying groups from user %CopyFrom% to user %CopyTo%...
rem Short pause: ping the loopback address twice
ping -n 2 127.0.0.1 > nul

rem Add the target user to every group the source user belongs to
FOR /f "Tokens=*" %%a in ('dsget user %CopyFromDN% -memberof') do (
dsmod GROUP %%a -addmbr %CopyToDN% | find /i "dsmod succeeded:"
)
ECHO ===============================================================================
ping -n 2 127.0.0.1 > nul

:end
echo press any key to continue...
pause > nul
GUI Method

Open the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC): click on Run > type in “dsa.msc” > press Enter

There is more than one way to create an account. The easiest method is to navigate to the appropriate Organizational Unit (OU) container > locate a model user account > right-click > Copy

Input firstname, lastname, and username > Next

Input passwords > uncheck “Password never expires” > check “User must change password at next logon” > Next

Verify that all information is correct > click on Finish
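
The scripted method above gives every new account the same initial password, while the GUI method ticks “User must change password at next logon”. The following is an added example, not part of the original post, that does both from PowerShell: a random one-time password and a forced change at first logon. The function name New-RandomPassword and the user details are illustrative assumptions.

```powershell
# Added example (not from the original post). Names and values are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 characters, so the modulo below introduces no bias.
    # Look-alike characters (0/O, 1/l/I) are left out to ease manual entry.
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=?'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($bytes)
                $n = [System.BitConverter]::ToUInt32($bytes, 0)
                [void]$sb.Append($chars[[int]($n % $chars.Length)])
            }
            $pw = $sb.ToString()
            # Retry until lower case, upper case and a digit are all present
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    $pw
}

# Placeholder user details
$firstName = "Jane"
$lastName  = "Doe"
$primaryEmailDomainSuffix = "example.com"
$username  = $firstName[0] + $lastName

$initial = New-RandomPassword
New-ADUser -SamAccountName $username -Name "$firstName $lastName" `
    -GivenName $firstName -Surname $lastName `
    -EmailAddress "$username@$primaryEmailDomainSuffix" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText $initial -Force) `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $true -Enabled $true

# Hand the one-time password to the user out of band, then drop it from the session
Write-Host "One-time password for ${username}: $initial"
Remove-Variable initial
```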

Step 2: Create Email addresses for new accounts
Scripting method
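# This snippet is to create 1 primary email address and 1 secondary email alias for an AD user

# Set Variables (placeholder values; replace with your own)
$username = "JDoe"
$primaryEmailDomainSuffix = "example.com"
$secondaryEmailDomainSuffix = "example.org"

# Set primary email address for user
$primaryEmail = "SMTP:" + $username + "@" + $primaryEmailDomainSuffix
$secondaryEmail = "smtp:" + $username + "@" + $secondaryEmailDomainSuffix
# The mail attribute takes the bare address, without the SMTP: prefix
Set-ADUser -Identity $username -EmailAddress "$username@$primaryEmailDomainSuffix"
Set-ADUser $username -Add @{proxyAddresses = ($primaryEmail)}
Set-ADUser $username -Add @{proxyAddresses = ($secondaryEmail)}
# Show the resulting proxyAddresses values
get-aduser $username -properties proxyaddresses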
# Trigger AD Sync
# Assuming WinRM has been enabled on the Azure AD Sync server

$adSyncServer = "O365"
$cred = Get-Credential
Invoke-Command -computername $adSyncServer -scriptblock { Start-ADSyncSyncCycle -PolicyType Delta } -credential $cred
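
Before starting the sync cycle, it helps to confirm that the account carries exactly one upper-case "SMTP:" primary entry and that none of its addresses already sit on another directory object. The following is an added example, not part of the original post; the function name Test-ProxyAddresses and the account name are illustrative assumptions.

```powershell
# Added example (not from the original post). Account name is a placeholder.
Import-Module ActiveDirectory

function Test-ProxyAddresses {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser $SamAccountName -Properties proxyAddresses, mail
    $problems = @()

    # Exactly one primary: upper-case "SMTP:" marks it, aliases use "smtp:"
    $primary = @($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected 1 primary (SMTP:) address, found $($primary.Count)"
    } elseif ($user.mail -and $primary[0].Substring(5) -ne $user.mail) {
        # Consistency check: the script above sets both from the same value
        $problems += "mail '$($user.mail)' differs from primary '$($primary[0])'"
    }

    foreach ($entry in $user.proxyAddresses | Where-Object { $_ -like 'smtp:*' }) {
        $addr = $entry.Substring(5)
        # Conservative pattern; it also keeps LDAP filter metacharacters
        # such as * ( ) \ out of the query built below.
        if ($addr -notmatch "^[\w.+'-]+@[\w-]+(\.[\w-]+)+$") {
            $problems += "malformed address '$entry'"
            continue
        }
        # Directory matching on proxyAddresses ignores case, so this finds the
        # address on other objects whether it is a primary or an alias there.
        $owners = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$addr)" |
            Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
        foreach ($o in $owners) {
            $problems += "'$addr' is also set on $($o.DistinguishedName)"
        }
    }
    $problems
}

$issues = Test-ProxyAddresses -SamAccountName "JDoe"
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "proxyAddresses look consistent; safe to start the sync cycle"
}
```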
GUI Method

In ADUC (dsa.msc), enable Advanced Features view: Click on View > put a check mark next to “Advanced Features”

Navigate to the targeted OU and locate the account of interest > right-click > Properties

Click on Attributes Editor

Scroll down to locate “proxyAddresses” > double-click on that object to edit it


  • The format to create a primary email address is
  • The format to create a secondary email alias is
Step 3: Assigning User License to AD Synchronized Accounts
Scripting Method
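# Connect to Office 365

# Office 365 Global Admin Credential
# Placeholder values; Get-Credential (as used in Step 2) prompts instead of keeping the password in the script
$adminUsername = "admin@example.onmicrosoft.com"
$password=ConvertTo-securestring "GlobalAdminPasswordHere" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminUsername,$password

# Connect to Office 365
if (!(Get-Module -ListAvailable -Name MSOnline)){Install-Module MSOnline -Confirm:$false -Force;}
# Placeholder: set to the Exchange Online remote PowerShell connection URI
$connectionUri = "<Exchange Online PowerShell connection URI>"
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $connectionUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session -AllowClobber
Connect-MsolService -Credential $cred

# Set primary login ID (placeholder values)
$defaultPrinciplename = "JDoe@example.onmicrosoft.com"
$primaryPrincipleName = "JDoe@example.com"
Set-MsolUserPrincipalName -UserPrincipalName $defaultPrinciplename -NewUserPrincipalName $primaryPrincipleName

# Apply license to user
# $license is an AccountSkuId; Get-MsolAccountSku lists the ones available in the tenant
$license = "<AccountSkuId>"
Set-MSOLUser -UserPrincipalName $primaryPrincipleName -UsageLocation "US";
Set-MSOLUserLicense -UserPrincipalName $primaryPrincipleName -AddLicenses $license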
GUI Method

Open a browser > navigate to > input the username of an O365 Global Administrator account

Input the password > Sign in

Check “Don’t show this again” > Yes

Close any spammy pop-ups

Navigate to Users > Active Users

Input a name into the Search field > click the search button or press enter

Click on the user account > Edit product licenses

Select “United States” as the location > choose “Office 365 A1 Plus for Faculty” or another appropriate license > Save

Click on the Edit button for setting the primary Office 365 login username to finish the task

Bonus Section: How to View Email “Proxy Addresses”

Under Admin Centers, click on Exchange

Click on Recipients > Mailboxes > Search Icon

Input the user name to be located > click on the resulting item

Select “email addresses”

Since this particular user is synchronized from on premise Active Directory to Office 365, adding or removing email aliases from this panel will trigger this error
