Provisioning to Office 365 from Forefront Identity Manager


  • Hello All,

    How do we provision a user to O365 from FIM? Does Microsoft provide an out-of-the-box Management Agent?

    Is there any other way to create O365 accounts other than the MA?

    Thank you,

    Tuesday, June 30, 2015 19:39

All replies

  • 1. Out of the box, so installed with FIM - no, there is no such agent. There is Azure Active Directory Connector for FIM 2010 available at Microsoft Download Center, but it is not recommended for new installations. You should rather use AAD Connect to provision users to O365.

    2. There are multiple ways - you can for example create them by script (and use a script inside FIM as a part of FIM Service's PowerShell Activity or PowerShell MA).

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by Peter_Stapf Wednesday, July 1, 2015 13:27
    Tuesday, June 30, 2015 20:09
  • You are in for quite an adventure. Maybe Microsoft will eventually blog about it, probably after Microsoft Identity Manager is out. Currently it is, quite frankly, a mess.  If you are looking to provision an Exchange Online user, and you have a hybrid implementation of Office 365, you really have three problems to solve:

    1. Provisioning the user locally, and waiting for DirSync to replicate the user to Azure Active Directory.

    2. You need your on-premise Exchange infrastructure to create the mailbox in the cloud (execute the Enable-RemoteMailbox PowerShell command).

    3. You must license the user for Exchange Online. This can only be done after #1 (replication to Azure) completes.

    We accomplished this by using FIM to update an extensionAttribute to contain an XML structure (defined by us) that we created to specify the licensing and any additional Exchange options the user should get. That's all we felt comfortable having FIM do: stamp the user's extensionAttribute. Kinda sad. Then we have a regularly scheduled script that searches for objects in AD with the XML structure and performs the steps. It appropriately waits and continues to check users until they are replicated into Azure and completes the licensing process.

    An alternative we also gave serious consideration to was to write a PowerShell Management Agent to do it.

    Wednesday, July 1, 2015 20:24
  • I know that this is in response to an old request from nearly 3 years ago. However, I recently had to go through this process and had to find a solution for provisioning through MIM.

    The solution is this:

    Step 1: Create Account in Active Directory as normal

    Step 2: Add the following AD attributes:

    • MailNickname: <should be the prefix of their email. This value correlates to their alias in Exchange>
    • TargetAddress: <Should add ”smtp:< e.g. “>
    • msExchRecipientDisplayType: -2147483642
    • msExchRecipientTypeDetails: 2147483648
    • msExchRemoteRecipientType: 1

    Step 3: Group Membership: Add to 'OnboardGroup' security group in AD for Azure AD auto-licensing

    Step 4: Enable the extension to provision mailbox and point to http://exchangehybridserver/powershell. Once the AD account is created, update recipient is called and the object will show up in Exchange. Based on the Hybrid exchange policies the mail and the proxy addresses would be created.

    Step 5: Azure AD Connect provisions the mailbox to Exchange 365.

    • Proposed as answer by Creados Wednesday, June 13, 2018 18:33
    Wednesday, June 13, 2018 18:33
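
Steps 2 and 3 of the last reply, written as an added PowerShell example (not code from any poster in this thread). The function name and its parameters are hypothetical, and the targetAddress value has to be supplied by the caller because the post's example value is missing. It assumes the ActiveDirectory module and an account delegated write access to only these attributes and the group.

```powershell
#Requires -Modules ActiveDirectory

function Set-RemoteMailboxAttributes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Mail alias (prefix of the e-mail address), per step 2.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]+$')] [string] $Alias,
        # Value for targetAddress. The post's example value is missing, so the caller
        # must supply it; it has to start with "smtp:" as the post says.
        [Parameter(Mandatory)] [ValidatePattern('^smtp:[^@\s]+@[^@\s]+$')] [string] $TargetAddress,
        # Licensing group from step 3; the default is the name used in the post.
        [string] $LicenseGroup = 'OnboardGroup'
    )

    $props = 'mailNickname','targetAddress','msExchRecipientDisplayType',
             'msExchRecipientTypeDetails','msExchRemoteRecipientType','memberOf'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction Stop

    # Refuse to overwrite an object that already carries Exchange recipient data.
    if ($null -ne $user.msExchRecipientTypeDetails) {
        throw "$SamAccountName already has msExchRecipientTypeDetails=$($user.msExchRecipientTypeDetails); not touching it."
    }

    # Attribute values exactly as listed in step 2 of the post.
    $attrs = @{
        mailNickname               = $Alias
        targetAddress              = $TargetAddress
        msExchRecipientDisplayType = -2147483642
        msExchRecipientTypeDetails = [long]2147483648
        msExchRemoteRecipientType  = [long]1
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Stamp remote-mailbox attributes')) {
        Set-ADUser -Identity $user -Replace $attrs -ErrorAction Stop
    }

    # Step 3: add to the licensing group only if not already a member.
    $group = Get-ADGroup -Identity $LicenseGroup -ErrorAction Stop
    if ($user.memberOf -notcontains $group.DistinguishedName -and
        $PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $SamAccountName")) {
        Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
    }

    # Read back what was written so the caller can log or compare it.
    Get-ADUser -Identity $user -Properties $props | Select-Object (@('SamAccountName') + $props)
}
```

Run it with `-WhatIf` first to see which object and group would be changed without writing anything.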