Office Servers and Services

"La connaissance ne vaut que si elle est partagée" / "An effective Knowledge is a shared one"


Microsoft Mobile Apps and Autodiscover redirection issue

Posted by Teruin laurent on April 17, 2018


Hi, today we will cope with a redirect issue in a scenario where your company would like to integrate a new subsidiary that has its own Active Directory and an Exchange 2010 organization.

In this scenario the corporate forest has a MailUser account for each mailbox user in the legacy forest. These MailUser accounts are synchronized from the corporate forest to O365 by Azure AD Connect. Because each MailUser account has the same email address as the primary SMTP address of the mailbox user in the legacy forest, Azure AD Connect will keep the identity coming from the corporate forest in O365, and the mailbox migrated from the legacy forest will be assigned to this account (see the "Multiple forests, single Azure AD tenant" scenario at this link: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies).

The question is about the Autodiscover process for mobile devices.

While the Outlook client can cope with multiple redirections and prompt the user for authentication, the mobile client may have some restrictions. During the migration, depending on where Autodiscover points, the mobile client could fail to connect to the mailbox. Let's take an example.

John.Doe@legacy.com uses Outlook 2016 and the Office 2016 Microsoft mobile application, which uses Autodiscover from the outside to retrieve the on-premises connection point. The mobile application is configured with an account and password that match the legacy identity of the account, in the on-premises organization, that owns the mailbox.

When the mailbox of this agency is migrated to the O365 tenant, the mailbox in Office 365 is associated with the user account synchronized from the corporate AD user.

  • When the Microsoft Outlook mobile app, coming from a 4G network, tries to reach its mailbox, it performs an Autodiscover request using its agency (legacy) credentials to get the Autodiscover response from the on-premises organization. The mobile is then redirected.
  • At this redirection step we suspect that it will fail, because the mobile does not know how to handle this redirection.

Below is an illustration of this scenario

The question is how to force the mobile to retrieve the new connection point. MDM? The Exchange 2013 Client Access server migration approach (https://blogs.technet.microsoft.com/exchange/2015/03/23/exchange-activesync-on-boarding-to-office-365/)?


Exchange 2013 Client Access server migration (https://blogs.technet.microsoft.com/exchange/2015/03/23/exchange-activesync-on-boarding-to-office-365/) solution:

If you read this article carefully, it applies to a single corporate forest that has an Exchange hybrid organization. In this scenario the solution should work if you follow the requirements below:

  • All on-premises Exchange 2010 Client Access servers handling EAS requests must be running at least Service Pack 3 RU9.
  • Exchange 2013 Mailbox roles handling EAS requests must be running CU8.
  • The EAS version on the device should be 14 or higher, and the device must be able to handle 451 redirect responses.
  • The Exchange on-premises organization has successfully set up hybrid with their Office 365 tenant.
  • The OrganizationRelationship object must exist in the on-premises Active Directory environment and the TargetOWAURL should be populated with the Office 365 URL.
  • The username and password for the user must remain the same after the move to Office 365. The user experience will not be seamless if the username or password is changed after the mailbox is moved to Office 365.

Some questions

  • First question: how do we know whether devices are able to handle 451 redirect responses, on iOS and on Android?
  • "The username and password for the user must remain the same after the move to Office 365. The user experience will not be seamless if the username or password is changed after the mailbox is moved to Office 365." In our environment the user credentials are not the same (although making them the same could be a solution), because we are integrating a new subsidiary with a legacy Active Directory forest.

One solution that might work

  1. Let's assume that, regarding the legacy Exchange requirement, we are using Exchange 2013 with the latest service pack and RU.
  2. Let's assume that all legacy mobile users use the official Microsoft mobile apps with a UPN username format against their legacy Exchange organization.
  3. Let's assume that the same UPN is used in the corporate forest and that the password is synchronized between the two Active Directories.
  4. Let's assume that we could publish the OrganizationRelationship in the on-premises legacy Active Directory environment, with the TargetOWAURL populated with the Office 365 URL.
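As an added example (not part of the original post), here is a set of pre-flight checks, run from the legacy forest's Exchange Management Shell, for the prerequisites assumed in steps 1 to 4 and for the 451-capability question above. The tenant OWA URL and the CSV output path are placeholders.

```powershell
# Added example: verify the EAS 451-redirect prerequisites from the legacy forest.
# Placeholder values: the tenant OWA URL and the CSV path.
$TenantOwaUrl = 'https://outlook.office365.com/owa/'   # placeholder, replace with your tenant URL

# 1. Build level of every Exchange server (2010 CAS need SP3 RU9, 2013 MBX need CU8).
Get-ExchangeServer |
    Select-Object Name, ServerRole, AdminDisplayVersion |
    Sort-Object Name | Format-Table -AutoSize

# 2. An OrganizationRelationship must exist and carry the tenant OWA URL,
#    otherwise the Client Access server has nowhere to redirect EAS clients to.
$rel = Get-OrganizationRelationship | Where-Object { $_.TargetOwaURL }
if (-not $rel) {
    Write-Warning 'No OrganizationRelationship with a TargetOwaURL: EAS 451 redirection cannot work.'
} else {
    $rel | Format-List Name, DomainNames, TargetOwaURL, Enabled
    $mismatch = $rel | Where-Object { $_.TargetOwaURL.ToString().TrimEnd('/') -ne $TenantOwaUrl.TrimEnd('/') }
    if ($mismatch) { Write-Warning "TargetOwaURL differs from the expected tenant URL $TenantOwaUrl" }
}

# 3. Inventory the mobile devices by user, platform and user agent, so the
#    "can this device handle a 451?" question can be answered per iOS/Android client.
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceModel, DeviceUserAgent |
    Sort-Object UserDisplayName |
    Export-Csv -Path .\eas-devices.csv -NoTypeInformation   # placeholder path
```

Step 3 only tells you which client software is in use; whether a given client build follows a 451 with its X-MS-Location header still has to be confirmed with the vendor or by testing a pilot device.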
