Creating Microsoft 365 accounts causes confusion with hybrid mode

Here’s an odd situation you may have encountered when creating Microsoft 365 accounts if you have a hybrid setup. Many companies, like my own, run Exchange 2016/2019 on-premises and also have AAD Connect installed. They have a sync to Azure AD along with the hybrid configuration wizard set up so that Microsoft Office 365 knows what is happening on-premises. For those that do not understand AAD Sync or AAD Connect, this basically syncs your local Active Directory to Azure AD, and the setup determines who the authoritative source is. While we are not going to jump into too much detail, let’s briefly explain this. After a user is created on your local Active Directory, when the next sync happens, it will show up in Azure AD, and both platforms now know of this user. Great, so all is in order.

Microsoft 365 hybrid mode and syncing


Next, you can set up groups in your local Active Directory so that when a user is added to a group, they are assigned the license you specified for that group. That is great. So, what is the problem here? Let’s say I create User 1 on my local Active Directory and add User 1 to the Microsoft 365 group that has an E5 plus Microsoft Teams license assigned. Now, the next sync takes place, and because the user is assigned a license, a mailbox is created for them in Microsoft 365.

OK, so now the IT person comes along and sets up the user’s machine — and while doing so creates a local mailbox on Exchange 2016/2019 on-premises. Because the user is logged into the LAN, the account sets up instantly and without error. The laptop is given to the user, but they call you to say that people are emailing them and they are not receiving any email. You log in to Outlook on the web with the local credentials, and you can see the email. When you check the connection status, it points to Microsoft Office 365 and not your local Exchange Server.

A strange error message

People running the Microsoft Office 365 version can also get email bounce backs with a strange X500 address and Exchange reporting this bounce-back message:

Recipient not found by Exchange Legacy encapsulated email address lookup

People running a retail version of Microsoft Office, such as Office 2019 not on the LAN, can email the user from the global address list (GAL) without error. Weird, right?

All right, so why does this happen? First, if you are running the Microsoft 365 version of Office, the behavior is to look at Office 365 for a mailbox, and if there is one, it will automatically connect to it. In this instance, because a license was assigned to the user initially, the mailbox got created. If you want to leave it like that, you can, but then the only way to connect to Exchange 2016/2019 on-premises is to add a host file entry on the local machine like this:

This lets you enter the details for your Exchange environment when setting up the Outlook profile. Now, the mailbox will connect, and the user will be able to work locally. Having seen this happen, I can say it does cause issues down the line for the user. Unfortunately, you need to perform a couple of steps to redo everything, which is time-consuming, but it will save you in the long run. Here are the steps:

  • Remove the user from the local Active Directory. This will remove the user from all groups as well.
  • Let AAD Connect Sync run, and it will pick up the change and remove the user and license.
  • Create the user account in your local Active Directory and create an Exchange mailbox for the user.
  • Let AAD Connect Sync run again so that it picks up the new user and all its attributes.
  • Add the user to the groups required again, but this time it will assign the license without error.
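
The ordering in these steps can be enforced before the group change is made. The following PowerShell function is an added example, not code from the original article: it adds a user to the licensing group only when the on-premises mailbox is already stamped on the AD account (`msExchMailboxGuid`) and the account has been unchanged for one sync interval. The function name, the group name `M365-E5-Teams-Licensed`, and the 30-minute interval (the default AAD Connect schedule) are assumptions.

```powershell
#Requires -Modules ActiveDirectory

function Add-UserToLicenseGroupSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName,

        # Hypothetical name: use the group your licenses are assigned through.
        [string] $LicenseGroup = 'M365-E5-Teams-Licensed',

        # Assumption: AAD Connect runs on its default 30-minute schedule.
        [int] $SyncIntervalMinutes = 30
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties msExchMailboxGuid, whenChanged, memberOf

    # Creating an on-premises mailbox stamps msExchMailboxGuid on the account.
    # If it is empty, licensing the user now would create a cloud mailbox first.
    if ($null -eq $user.msExchMailboxGuid) {
        Write-Warning "$SamAccountName has no on-premises mailbox; create it before licensing."
        return $false
    }

    # Heuristic: wait until the account has been unchanged for one full sync
    # interval, so a scheduled sync has had the chance to carry the mailbox attributes.
    $minutesSinceChange = ((Get-Date) - $user.whenChanged).TotalMinutes
    if ($minutesSinceChange -lt $SyncIntervalMinutes) {
        $wait = [math]::Ceiling($SyncIntervalMinutes - $minutesSinceChange)
        Write-Warning "$SamAccountName changed recently; let the scheduled sync run (about $wait min)."
        return $false
    }

    # Nothing to do if the user is already a member of the licensing group.
    $groupDn = (Get-ADGroup -Identity $LicenseGroup).DistinguishedName
    if ($user.memberOf -contains $groupDn) {
        return $true
    }

    # -WhatIf on the function shows the change without making it.
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to $LicenseGroup")) {
        Add-ADGroupMember -Identity $LicenseGroup -Members $user
    }
    return $true
}
```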

Once you set up the profile locally on the machine, and if you’re running OAuth while being in hybrid mode, you will be asked to enter the username and password in a Microsoft 365 login window. It will then set up the account without error, and when you check the connection status, it will show your on-premises server and not Office 365.

If you email the user now, it should not bounce back, and the email should be delivered. You might have to delete the cached entry in your Outlook and select the user from the GAL the first time if you did email them previously. If the user is an Administrator in Office 365, applying the workaround with the host file entry will block access to the Office 365 portal and they won’t be able to connect to the Admin Center.

Do not be hasty with AAD Connect, as it may result in you having to re-create accounts over and over. Let it sync on its schedule, and once done, you can move on to the next step. If you are unfamiliar with AAD Connect and the synchronization tool, you can log in to the portal and view the sync status. This is shown on the main Admin Center on Microsoft 365.
