Manage mail users in standalone EOP
In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, mail users are the fundamental type of user account. A mail user has account credentials in your standalone EOP organization, and can access resources (have permissions assigned). A mail user's email address is external (for example, in your on-premises email environment).
Note
When you create a mail user, the corresponding user account is available in the Microsoft 365 admin center. When you create a user account in the Microsoft 365 admin center, you can't use that account to create a mail user.
The recommended method to create and manage mail users in standalone EOP is to use directory synchronization as described in the Use directory synchronization to manage mail users section later in this article.
For standalone EOP organizations with a small number of users, you can add and manage mail users in the Exchange admin center (EAC) or in standalone EOP PowerShell as described in this article.
What do you need to know before you begin?
To open the Exchange admin center (EAC), see Exchange admin center in standalone EOP.
To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
When you create mail users in EOP PowerShell, you might encounter throttling. Also, the EOP PowerShell cmdlets use a batch processing method that results in a propagation delay of a few minutes before the results of the commands are visible.
You need to be assigned permissions in Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Mail Recipient Creation (create) and Mail Recipients (modify) roles, which are assigned to the Organization Management (global admins) and Recipient Management role groups by default. For more information, see Permissions in standalone EOP and Use the EAC modify the list of members in role groups.
For information about keyboard shortcuts that may apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.
Tip
Having problems? Ask for help in the Exchange forums. Visit the Exchange Online Protection forum.
Use the Exchange admin center to manage mail users
Use the EAC to create mail users
In the EAC, go to Recipients > Contacts.
Click New. In the New mail user page that opens, configure the following settings. Settings marked with an * are required.
First name
Initials: The person's middle initial.
Last name
*Display name: By default, this box shows the values from the First name, Initials, and Last name boxes. You can accept this value or change it. The value should be unique, and has a maximum length of 64 characters.
*Alias: Enter a unique alias, using up to 64 characters, for the user.
External email address: Enter the user's email address. The domain should be external to your cloud-based organization.
*User ID: Enter the account that the person will use to sign in to the service. The user ID consists of a username on the left side of the at symbol (@) and a domain on the right side.
*New password and *Confirm password: Enter and reenter the account password. Verify that the password complies with the password length, complexity, and history requirements of your organization.
When you've finished, click Save to create the mail user.
Use the EAC to modify mail users
In the EAC, go to Recipients > Contacts.
Select the mail user that you want to modify, and then click Edit.
On the mail user properties page that opens, click one of the following tabs to view or change properties.
When you're finished, click Save.
General
Use the General tab to view or change basic information about the mail user.
First name
Initials
Last name
Display name: This name appears in your organization's address book, on the To: and From: lines in email, and in the list of contacts in the EAC. This name can't contain empty spaces before or after the display name.
User ID: This is the user's account in Microsoft 365. You can't modify this value here.
Contact information
Use the Contact information tab to view or change the user's contact information. The information on this page is displayed in the address book.
Street
City
State/Province
ZIP/Postal code
Country/Region
Work phone
Mobile phone
Fax
More options
- Office
- Home phone
- Web page
- Notes
Organization
Use the Organization tab to record detailed information about the user's role in the organization.
- Title
- Department
- Company
Use the EAC to remove mail users
In the EAC, go to Recipients > Contacts.
Select the mail user that you want to remove, and then click Remove.
Use PowerShell to manage mail users
Use standalone EOP PowerShell to view mail users
To return a summary list of all mail users in standalone EOP PowerShell, run the following command:
Get-Recipient -RecipientType MailUser -ResultSize unlimited
To view detailed information about a specific mail user, replace <MailUserIdentity> with the name, alias, or account name of the mail user, and run the following commands:
Get-Recipient -Identity <MailUserIdentity> | Format-List
Get-User -Identity <MailUserIdentity> | Format-List
For detailed syntax and parameter information, see Get-Recipient and Get-User.
Use standalone EOP PowerShell to create mail users
To create mail users in standalone EOP PowerShell, use the following syntax:
New-EOPMailUser -Name "<UniqueName>" -MicrosoftOnlineServicesID <Account> -Password (ConvertTo-SecureString -String '<password>' -AsPlainText -Force) [-Alias <AliasValue>] [-DisplayName "<Display Name>"] [-ExternalEmailAddress <ExternalEmailAddress>] [-FirstName <Text>] [-Initials <Text>] [-LastName <Text>]
Notes:
- The Name parameter is required, has a maximum length of 64 characters, and must be unique. If you don't use the DisplayName parameter, the value of the Name parameter is used for the display name.
- If you don't use the Alias parameter, the left side of the MicrosoftOnlineServicesID parameter is used for the alias.
- If you don't use the ExternalEmailAddress parameter, the MicrosoftOnlineServicesID value is used for the external email address.
This example creates a mail user with the following settings:
- The name is JeffreyZeng and the display name is Jeffrey Zeng.
- The first name is Jeffrey and the last name is Zeng.
- The alias is jeffreyz.
- The external email address is jzeng@tailspintoys.com.
- The account name is jeffreyz@contoso.onmicrosoft.com.
- The password is Pa$$word1.
New-EOPMailUser -Name JeffreyZeng -MicrosoftOnlineServicesID jeffreyz@contoso.onmicrosoft.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -ExternalEmailAddress jzeng@tailspintoys.com -DisplayName "Jeffrey Zeng" -Alias jeffreyz -FirstName Jeffrey -LastName Zeng
For detailed syntax and parameter information, see New-EOPMailUser.
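The following is an added example, not part of the original article: it creates several mail users with the New-EOPMailUser parameters shown above, but gives each account a randomly generated initial password instead of a literal typed on the command line (where it would be kept in command history and transcripts), and retries with a delay because of the throttling mentioned earlier. The sample rows, the New-InitialPassword helper, the retry count and the delay values are assumptions; because of the propagation delay, the existence check can miss a user created only minutes before.

```powershell
# Added example (not from the original article). Run in a connected standalone EOP PowerShell session.
# Constructed sample rows; in practice load them with Import-Csv.
$rows = @'
Name,DisplayName,FirstName,LastName,Alias,Account,ExternalEmail
JeffreyZeng,Jeffrey Zeng,Jeffrey,Zeng,jeffreyz,jeffreyz@contoso.onmicrosoft.com,jzeng@tailspintoys.com
PilarPinilla,Pilar Pinilla,Pilar,Pinilla,pilarp,pilarp@contoso.onmicrosoft.com,pilarp@tailspintoys.com
'@ | ConvertFrom-Csv

function New-InitialPassword {   # hypothetical helper, not an EOP cmdlet
    param([int]$Length = 20)
    # 64 symbols, so (random byte % 64) selects each symbol with equal probability.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {   # redraw until upper case, lower case, digit and symbol are all present
        $rng.GetBytes($bytes)
        $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and
             $plain -match '[0-9]' -and $plain -match '[!#]')
    $rng.Dispose()
    $secure = New-Object System.Security.SecureString
    $plain.ToCharArray() | ForEach-Object { $secure.AppendChar($_) }
    $secure
}

$results = foreach ($r in $rows) {
    # Skip accounts that already exist so a rerun does not fail on duplicates.
    if (Get-Recipient -Identity $r.Alias -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Account = $r.Account; Status = 'AlreadyExists'; InitialPassword = $null }
        continue
    }
    $pw = New-InitialPassword
    $status = 'Failed'
    foreach ($attempt in 1..3) {
        try {
            New-EOPMailUser -Name $r.Name -MicrosoftOnlineServicesID $r.Account -Password $pw `
                -Alias $r.Alias -DisplayName $r.DisplayName -ExternalEmailAddress $r.ExternalEmail `
                -FirstName $r.FirstName -LastName $r.LastName -ErrorAction Stop | Out-Null
            $status = 'Created'; break
        } catch {
            Write-Warning "$($r.Account): attempt $attempt failed: $($_.Exception.Message)"
            Start-Sleep -Seconds (30 * $attempt)   # back off before retrying (assumed delay)
        }
    }
    # InitialPassword stays a SecureString; deliver it through your own credential process.
    [pscustomobject]@{ Account = $r.Account; Status = $status; InitialPassword = $pw }
}
$results | Format-Table Account, Status
```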
Use standalone EOP PowerShell to modify mail users
To modify existing mail users in standalone EOP PowerShell, use the following syntax:
Set-EOPMailUser -Identity <MailUserIdentity> [-Alias <Text>] [-DisplayName <Text>] [-EmailAddresses <ProxyAddressCollection>] [-MicrosoftOnlineServicesID <SmtpAddress>]
Set-EOPUser -Identity <MailUserIdentity> [-City <Text>] [-Company <Text>] [-CountryOrRegion <CountryInfo>] [-Department <Text>] [-Fax <PhoneNumber>] [-FirstName <Text>] [-HomePhone <PhoneNumber>] [-Initials <Text>] [-LastName <Text>] [-MobilePhone <PhoneNumber>] [-Notes <Text>] [-Office <Text>] [-Phone <PhoneNumber>] [-PostalCode <String>] [-StateOrProvince <String>] [-StreetAddress <Text>] [-Title <Text>] [-WebPage <Text>]
This example sets the external email address for Pilar Pinilla.
Set-EOPMailUser -Identity "Pilar Pinilla" -EmailAddresses pilarp@tailspintoys.com
This example sets the Company property for all mail users to Contoso.
$Recip = Get-Recipient -RecipientType MailUser -ResultSize unlimited
$Recip | foreach {Set-EOPUser -Identity $_.Alias -Company Contoso}
For detailed syntax and parameter information, see Set-EOPMailUser.
Use standalone EOP PowerShell to remove mail users
To remove mail users in standalone EOP PowerShell, replace <MailUserIdentity> with the name, alias, or account name of the mail user, and run the following command:
Remove-EOPMailUser -Identity <MailUserIdentity>
This example removes the mail user for Jeffrey Zeng.
Remove-EOPMailUser -Identity "Jeffrey Zeng"
For detailed syntax and parameter information, see Remove-EOPMailUser.
How do you know these procedures worked?
To verify that you've successfully created, modified, or removed mail users in standalone EOP, use any of the following procedures:
In the EAC, go to Recipients > Contacts. Verify that the mail user is listed (or isn't listed). Select the mail user and view the information in the Details pane, or click Edit to view the settings.
In standalone EOP PowerShell, run the following command to verify the mail user is listed (or isn't listed):
Get-Recipient -RecipientType MailUser -ResultSize unlimited
Replace <MailUserIdentity> with the name, alias, or account name of the mail user, and run the following commands to verify the settings:
Get-Recipient -Identity <MailUserIdentity> | Format-List
Get-User -Identity <MailUserIdentity> | Format-List
Use directory synchronization to manage mail users
In standalone EOP, directory synchronization is available for customers with on-premises Active Directory. You can synchronize those accounts to Azure Active Directory (Azure AD), where copies of the accounts are stored in the cloud. When you synchronize your existing user accounts to Azure Active Directory, you can view those users in the Recipients pane of the Exchange admin center (EAC) or in standalone EOP PowerShell.
Notes:
If you use directory synchronization to manage your recipients, you can still add and manage users in the Microsoft 365 admin center, but they will not be synchronized with your on-premises Active Directory. This is because directory synchronization only syncs recipients from your on-premises Active Directory to the cloud.
Using directory synchronization is recommended for use with the following features:
Outlook Safe Sender lists and Blocked Sender lists: When synchronized to the service, these lists will take precedence over spam filtering in the service. This lets users manage their own Safe Sender list and Blocked Sender list with individual sender and domain entries. For more information, see Configure junk email settings on Exchange Online mailboxes.
Directory Based Edge Blocking (DBEB): For more information about DBEB, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.
End user access to quarantine: To access their quarantined messages, recipients must have a valid user ID and password in the service. For more information about quarantine, see Find and release quarantined messages as a user.
Mail flow rules (also known as transport rules): When you use directory synchronization, your existing Active Directory users and groups are automatically uploaded to the cloud, and you can then create mail flow rules that target specific users and/or groups without having to manually add them in the service. Note that dynamic distribution groups can't be synchronized via directory synchronization.
Get the necessary permissions and prepare for directory synchronization, as described in What is hybrid identity with Azure Active Directory?.
Synchronize directories with Azure Active Directory Connect (AAD Connect)
Activate directory synchronization as described in Azure AD Connect sync: Understand and customize synchronization.
Install and configure an on-premises computer to run AAD Connect as described in Prerequisites for Azure AD Connect.
Important
When you finish the Azure Active Directory Sync Tool Configuration Wizard, the MSOL_AD_SYNC account is created in your Active Directory forest. This account is used to read and synchronize your on-premises Active Directory information. In order for directory synchronization to work correctly, make sure that TCP 443 on your local directory synchronization server is open.
After configuring your sync, be sure to verify that AAD Connect is synchronizing correctly. In the EAC, go to Recipients > Contacts and verify that the list of users was correctly synchronized from your on-premises environment.