Can on-premises Exchange users in a Hybrid MS 365 environment receive emails without being AD synced?

Alex2KGM 20 Reputation points
2024-09-05T11:27:34.2+00:00

Hi all,

We have Hybrid Exchange 2010 and Exchange 2016, and are going to migrate to MS 365.

What happens if we only sync 30 users out of 100 users using Azure AD Connect to sync hash password to MS 365?

We plan to use Exchange Online Protection server as mail gateway (through an Exchange 2016 Edge on-premises). Can the leftover 70 users receive emails from the Internet?

If we want those 70 users to be able to use MS 365 apps (Outlook, Teams, Word ...), we will have to create 70 "online users" with the same name and email address (*@OurDomain.Com) and assign licenses to those "online users". In that case, does email flow still work correctly? Can those 70 on-premises users still receive incoming emails from the Internet?

Thanks a lot for helping.

Microsoft Exchange Hybrid Management

Accepted answer
  1. Xintao Qiao-MSFT 2,745 Reputation points Microsoft Vendor
    2024-09-06T07:05:01.6566667+00:00

    Hi, @Alex2KGM

    If you use Azure AD Connect to sync only 30 of the 100 users to synchronize hashed passwords to Microsoft 365, only those 30 users' credentials are synced and they can use their on-premises credentials to sign in to Microsoft 365 services. The credentials of the remaining 70 users are not synced, so they can't use their on-premises credentials to sign in to Microsoft 365 services. Because you already have a hybrid setup, synced users can seamlessly use on-premises and cloud resources.

    For the 30 users who have synced and migrated to Exchange Online, EOP sends email directly to their Exchange Online mailboxes. If you plan to use Exchange Online Protection (EOP) as your email gateway through an on-premises Exchange 2016 Edge server, the remaining 70 users who are not synced to Microsoft 365 can still receive email from the Internet. EOP filters incoming emails and routes them to the on-premises Exchange server, which then delivers the emails to the appropriate mailboxes. You can refer to "Manage mail flow with mailboxes in multiple locations | Microsoft Learn".

    If you create 70 "online users" with the same name and email address (*@OurDomain.Com) and assign licenses to those "online users" to use Microsoft 365 applications such as Outlook, Teams, Word, and so on, the email flow will still work. However, you need to make sure that the email address and User Principal Name (UPN) match between your local and online users to avoid any confusion or conflicts. On-premises users can still receive incoming email from the internet through EOP and Exchange 2016 Edge settings.

    Also, in a hybrid deployment, if the recipient is both online and on-premises, the message will be routed to the online mailbox by default.

    To ensure that messages are only sent to local mailboxes, you can take the following steps:

    1. Disable online mailbox: Disable the user's mailbox in Exchange Online. This will ensure that all messages are routed to the local mailbox.

    2. Configure mail flow rules: Configure mail flow rules in Exchange Online to route mail flow for specific users to on-premises mailboxes.

    For more information about the error 550 5.4.1 Recipient address rejected: Access denied, please refer to "Fix NDR error code 550 5.4.1 in Exchange Online - Exchange | Microsoft Learn".

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.

1 additional answer

  1. Andy David - MVP 147.6K Reputation points MVP
    2024-09-05T12:54:48.4866667+00:00

    Yes, as long as you have a mail connector to on-prem address space and the accepted domain in 365 is set to "InternalRelay", mail will flow from 365 to on-prem.
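
A read-only check of the settings the two answers above depend on, added here as an example and not posted by either answerer: the accepted domain type, an outbound connector to on-premises, and whether Exchange Online holds its own mailbox for an address that should stay on-premises. It assumes a session already opened with Connect-ExchangeOnline; the domain and the two sample addresses are constructed placeholders.

```powershell
# Added example; read-only. Assumes a session opened with Connect-ExchangeOnline.
# Constructed placeholders: the domain and the two sample addresses.
$Domain     = 'OurDomain.Com'
$OnPremOnly = @('user31@OurDomain.Com', 'user32@OurDomain.Com')

# 1. Accepted domain type: the answer above calls for "InternalRelay".
$accepted = Get-AcceptedDomain -Identity $Domain
[pscustomobject]@{
    Check  = 'AcceptedDomain'
    Target = $Domain
    Found  = "$($accepted.DomainType)"
    Ok     = ("$($accepted.DomainType)" -eq 'InternalRelay')
}

# 2. An enabled outbound connector of type OnPremises that covers the domain.
$connectors = @(Get-OutboundConnector | Where-Object {
    $_.Enabled -and "$($_.ConnectorType)" -eq 'OnPremises' -and
    ($_.AllAcceptedDomains -or
     @($_.RecipientDomains) -contains $Domain -or
     @($_.RecipientDomains) -contains '*')
})
[pscustomobject]@{
    Check  = 'OutboundConnector'
    Target = $Domain
    Found  = ($connectors.Name -join ', ')
    Ok     = ($connectors.Count -gt 0)
}

# 3. Per address: what Exchange Online itself knows about the recipient.
#    A cloud UserMailbox means mail is delivered online, not on-premises.
foreach ($addr in $OnPremOnly) {
    $r    = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
    $type = if ($r) { "$($r.RecipientTypeDetails)" } else { 'NotInDirectory' }
    [pscustomobject]@{
        Check  = 'CloudRecipient'
        Target = $addr
        Found  = $type
        Ok     = ($type -ne 'UserMailbox')
    }
}
```

A CloudRecipient row with Ok = False is the case the accepted answer describes, where a recipient that exists both online and on-premises has mail routed to the online mailbox by default.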

