Cutover Exchange Migration and Single Sign-On

Audience: Office 365/Exchange Online administrators

Author: Mark Johnson, Senior Technical Writer - Exchange Online

Do you want to migrate all your on-premises Exchange mailboxes to Exchange Online in Office 365, but still allow users to use their on-premises Active Directory credentials (username and password) to access their new cloud mailboxes and existing on-premises resources? If your on-premises organization is running Exchange 2003 or later and you have fewer than 1000 mailboxes, you can perform a cutover Exchange migration to move all your mailboxes to Office 365. Then you can implement a single sign-on (SSO) solution by deploying Active Directory Federation Services 2.0 (AD FS 2.0). With single sign-on, your users can access e-mail and other services in Office 365 with their existing on-premises Active Directory credentials.

Here are the steps to implement this scenario:

  1. Perform a cutover Exchange migration to migrate all on-premises Exchange mailboxes to Office 365.
  2. Convert on-premises mailboxes to mail-enabled users.
  3. Implement AD FS 2.0 to enable single sign-on.
  4. Activate and install the Microsoft Online Services Directory Synchronization tool.
  5. Decommission on-premises Exchange servers (optional).


Step 1: Perform a cutover Exchange migration

Perform a cutover Exchange migration to migrate up to 1000 Exchange 2003, Exchange 2007, or Exchange 2010 on-premises mailboxes to Office 365. For information about how to plan, prepare, and run a cutover Exchange migration, see Migrate All Mailboxes to the Cloud with a Cutover Exchange Migration.

After you have migrated all mailboxes to Office 365 and configured your MX record to point to your Office 365 organization, complete the migration by clicking Complete Migration in the E-mail Migration pane in the Exchange Control Panel.


Step 2: Convert on-premises mailboxes to mail-enabled users

When you convert on-premises mailboxes to mail-enabled users (MEUs), the proxy addresses and other information from the Office 365 mailboxes are copied to the MEUs, which reside in Active Directory in your on-premises organization. These MEU properties enable the Directory Synchronization tool, which you activate and install in step 4, to match each MEU with its corresponding cloud mailbox.

Microsoft provides scripts and procedures for using these scripts to convert on-premises mailboxes to MEUs. See one of the following wiki topics:

Prepare a CSV file to collect information from cloud mailboxes

One of the scripts to help you convert on-premises mailboxes to MEUs is a Windows PowerShell script (named ExportO365UserInfo.ps1) that you run in your Office 365 organization to collect information about the cloud mailboxes. This script requires a CSV input file that lists the primary SMTP address for all cloud mailboxes. Perform the following steps in your Office 365 organization to create this CSV file:

1. Run the following PowerShell command:

        # -ResultSize Unlimited lifts the default cap of 1000 results, which would otherwise silently truncate the list
        Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | Export-csv -Path .\migration.csv -NoTypeInformation

2. Edit the migration.csv file and make the following changes:

  • If you open the CSV file in Notepad, remove all double quotation marks ( " )
  • In the header row, change PrimarySmtpAddress to EmailAddress
  • Remove rows that contain a system mailbox, such as the Discovery Search Mailbox. The migration.csv file should have a row for each cloud mailbox that has a corresponding on-premises mailbox that will be converted to an MEU.

3. Save the migration.csv file. Be sure to keep migration.csv as the filename.

4. Copy the ExportO365UserInfo.ps1 and migration.csv files to the same directory, and then follow the instructions to run ExportO365UserInfo.ps1 in the wiki topic on converting your on-premises mailboxes to MEUs.
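As an added example (not part of the original article and not the ExportO365UserInfo.ps1 script itself), the following PowerShell builds migration.csv in one pass and applies the three edits from step 2 automatically rather than by hand in Notepad, then checks the result before you hand it to the script. It assumes you are already connected to Exchange Online remote PowerShell; the set of RecipientTypeDetails values treated as system mailboxes is an assumption that you should extend for your own tenant.

```powershell
# Added example: create migration.csv for ExportO365UserInfo.ps1 with the
# step-2 edits (no quotes, EmailAddress header, no system mailboxes) applied.
# Assumes an existing Exchange Online remote PowerShell session.

# Mailbox types that have no on-premises counterpart to convert to an MEU.
# This list is an assumption; add any other system types present in your tenant.
$systemTypes = @('DiscoveryMailbox', 'ArbitrationMailbox')

# -ResultSize Unlimited avoids the default cap of 1000 results.
$rows = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $systemTypes -notcontains $_.RecipientTypeDetails } |
    Select-Object @{ Name = 'EmailAddress'; Expression = { $_.PrimarySmtpAddress.ToString() } }

# Export-Csv wraps every field in double quotes; the conversion script expects
# an unquoted file, so strip the quotes while writing migration.csv.
$rows | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path .\migration.csv -Encoding ASCII

# Sanity check before running ExportO365UserInfo.ps1: the header must be
# exactly EmailAddress and every remaining row must be a single SMTP address.
$lines = Get-Content -Path .\migration.csv
if ($lines[0] -ne 'EmailAddress') {
    throw 'migration.csv header is not EmailAddress'
}
$bad = $lines | Select-Object -Skip 1 | Where-Object { $_ -notmatch '^[^@\s]+@[^@\s]+$' }
if ($bad) {
    Write-Warning ("Rows that are not a single SMTP address:`n" + ($bad -join "`n"))
}
Write-Host ('migration.csv contains {0} mailbox rows' -f ($lines.Count - 1))
```

Review the row count against the number of on-premises mailboxes you intend to convert; a mismatch usually means a system mailbox slipped through or a user mailbox has no on-premises counterpart.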


Step 3: Implement AD FS 2.0 to enable single sign-on

After you have converted the on-premises mailboxes to MEUs, the next step is to enable single sign-on by implementing AD FS 2.0. To prepare for and deploy AD FS 2.0, see the following topics:


Step 4: Activate and install the Directory Synchronization tool

After you set up single sign-on, you activate and install the Directory Synchronization tool so that you can synchronize your on-premises Active Directory with your Office 365 organization. After the first sync cycle is completed, each on-premises MEU is matched to its corresponding cloud mailbox. The directory synchronization process continues to update the user attributes on the cloud mailboxes according to changes made to MEUs using the on-premises Active Directory tools. For more information, see Directory synchronization and source of authority.

To prepare for and install the Directory Synchronization tool, see the following topics:


Step 5: Decommission on-premises Exchange servers (optional)

After you’ve verified that all e-mail is being routed directly to the cloud-based mailboxes, completed the migration, and no longer need to maintain your on-premises e-mail organization for mail delivery, you can uninstall Exchange from servers in your on-premises Exchange organization. However, it’s strongly recommended that you maintain at least one Exchange server so that you have access to Exchange System Manager (Exchange 2003) or Exchange Management Console/Exchange Management Shell (Exchange 2007 and Exchange 2010) to manage mail-related attributes on the on-premises MEUs. For Exchange 2007 and Exchange 2010, the Exchange server that you maintain should have the Hub Transport, Client Access, and Mailbox server roles installed.

For instructions about how to remove Exchange servers in your on-premises organization, see one of the following topics: