Automating Multi-Tenancy in Exchange Server 2010 SP2 (Part 3)

If you would like to read the other parts in this article series please go to:


In the previous article we started the process of creating the Active Directory prerequisites and some of the Exchange requirements for a new tenant. Now, it’s time to finish up by creating the Global Address List, Offline Address Book and the last piece that glues everything together which is the Address Book Policy.

Creating a new Global Address List

A Global Address List cannot be created using Exchange Management Console and it can only be done through the New-GlobalAddressList cmdlet.

In order to maintain the consistency we can use the following naming convention for the Global Address List using the following standard: <Company> – Global Address List where <Company> is the short name that we defined in the previous article.

The cmdlet to create a new global address list should be similar to this one:

New-GlobalAddressList –Name “MSExchange – Global Address List” –RecipientFilter {(Alias –ne $null)} –RecipientContainer apatricio.local/

The cmdlet and its results can be seen in Figure 01. Basically, we are defining any mail-enabled object from the customer Organization Unit in this new Global Address List.

Figure 01

Creating an Offline Address Book

The following steps are to create and configure an Offline Address Book for the new customer:

  1. Log on to Exchange Management Console
  2. Expand Organization Configuration
  3. Click Mailbox
  4. Click the Offline Address Book tab
  5. Click the New Offline Address Book link located in the Toolbox Actions
  6. On the Introduction page, use the same naming convention that we have been using to name this new object (MSExchange – Offline Address Book) and select the option Include the following address lists. Add all Address Lists that we created in the previous article (All Contacts, All Groups, All Rooms and All Users) to the list and click Next. (Figure 02)

Figure 02

  1. On the Distribution Points page, leave both options unchecked and click Next. (Figure 03)

Figure 03

  1. On the New Offline Address Book page, a summary of all settings that we configured so far will be displayed, then click New.
  2. On the Completion page, the results of the operation will be displayed, then click Close.
    Note: If a warning message complaining about Public Folder is displayed that is, okay because it is not a requirement.

The last step is to configure the recently created Offline Address Book object to be distributed globally automatically. In order to do that we can run the following cmdlet:

Set-OfflineAddressBook –Identity “\MSExchange – Offline Address Book” –GlobalWebDistributionEnabled $True

The results of such operation can be seen on Figure 04.

Figure 04

Creating the Address Book Policy

It’s time to complete our tasks by creating a new Address Book Policy where we are going to use all objects that we have created so far in this article series.

In order to create a new Address Book Policy (ABP), the following steps can be used:

  1. Log on to Exchange Management Console
  2. Expand Organization Configuration
  3. Click Mailbox
  4. Click the Address Book Policies tab
  5. Click the New Address Book Policies item located in the Toolbox Actions
  6. On the Introduction page, name this new ABP using the domain name and select the previously created objects for Global Address List, Offline address book and Room List. Since we are using a simple and consistent naming convention, we just need to match the Address Lists required for each field. We also need to add the other Address Lists that we created in the Address lists area by clicking Add (Figure 05). Click New.

Figure 05

  1. On the Completion page, the results of our operation will be displayed, and we should have a completed status for it. Click Finish.

Creating mail-enabled objects for our new tenant

As administrators, we must pay attention to a few details when creating mail-enabled objects in this kind of scenario. In this section we will be creating a mailbox for the new tenant but I would strongly recommend you create all sorts of mail-enabled objects to make sure that everything is working according to your plans before moving to the automation portion of this series.

One of the most important settings is to make sure that any new object for a tenant is placed under the tenant Organization Unit. This is key, because all SMTP is based on that location.

Another important detail is to change the User Principal name to match the tenant domain. Do you remember the UPN creation process in the previous article? Well, the reason was to enable that domain for the user during the creation, and by doing that we enforce the new tenant to always logon with his e-mail address. In our case this is: [email protected] (Figure 06).

Figure 06

In the following page of the New Mailbox wizard we can assign an existent Address book policy (Figure 07) by selecting the option Address Book Policy. If we click Browse we will have a list of all existent Address Book Policies of our Exchange organization.

The Address Book Policy is the key component to define the boundaries for any given user. If the user does not have an Address Book Policy associated to its mailbox then that user will have access to all mail-enabled objects in the organization.

Figure 07

Validating the new objects

After creating the user or any other mail-enabled object, we can check if the Recipient Policies are in place. The first validation that we need to check is on the E-mail Addresses properties of the user and we should see just the SMTP address related to the domain of the user (Figure 08).

Figure 08

We need to use the same rules (Organization Unit location and Address Book Policy when applicable) for all other types of mail enabled objects: Distribution Groups, Contacts, and Resource mailboxes.

Now that we created the first tenant manually, our next step should be to spend some time testing the solution to make sure that a new tenant will have everything in place to work. We don’t want unnecessary help desk calls from a new tenant because we missed some basic steps, right? I would suggest creating several mail-enabled objects and start testing them to see if they are working as planned.

After creating the dummy accounts you must make sure that they are not able to see any other object than the ones created on their domain.

A quick way to validate if our Address Lists were created properly is to follow these steps:

  1. Open Exchange Management Console
  2. Expand Organization Configuration
  3. Click the Mailbox item
  4. Click the Address Lists tab
  5. Double click the desired Address List, click Next twice, and on the third page (Conditions page) a Preview button will be available. Click it and it will show all the objects that will appear in the Global Address List (Figure 09) of the user. Based on these results we can have an idea if our strategy is working properly.

Figure 09

Now that we tested our address list and the procedures to create new mail-enabled objects for a new tenant, we can log on using Outlook Web Access using the e-mail address as shown in Figure 10.

Figure 10

After logging on, the new tenant can search the Global Address List and the result should be similar to the one shown in Figure 11, where only objects familiar to him (in our case objects) will be displayed. Even though we have several other companies in our Exchange Organization the customer view of the Global Address List will be like he had a server just for him.

Figure 11


In this article, we finalized all manual steps to create a new company in a multi-tenant scenario.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top