Exchange Hybrid Migration Part 1
Posted by shanmugha bharathy on April 20, 2018
Category Computers & Internet

What is an Exchange Hybrid Deployment?

  • A hybrid deployment offers organizations the ability to extend the administrative control, seamless look and feel, and feature-rich experience of their existing on-premises Microsoft Exchange deployment to their Exchange Online deployment in Microsoft Office 365.
  • Additionally, a hybrid deployment can serve as an intermediate step prior to moving to a completely online Exchange environment, without downtime.

Why use an Exchange-Hybrid?

  • Hybrid environments help integrate online applications with on-premises server applications.
  • A hybrid environment allows some users to migrate their accounts and data to Office 365 while other users remain on-premises. A given user cannot be present in both environments at the same time, however.
  • Hybrid cloud solutions combine on-premises applications and data with cloud-based services.
  • Hybrid Exchange deployments are sustainable over time, allowing for gradual user migration to Office 365.
  • Users with on-premises mailboxes can find other users in the Exchange Online global address list.
  • Users can send, receive and reply to emails regardless of whether their mailbox is on-premises or online.


Download the hybrid cloud poster to get an overview of Office 365 hybrid options


Office 365 Features

A hybrid deployment enables the following features:

  • Secure mail routing between on-premises and Exchange Online organizations using transport layer security.
  • Mail routing with a shared domain namespace. For example, both the on-premises and Exchange Online organizations use the same SMTP domain.
  • A unified global address list (GAL), also called a "shared address book".
  • Free/busy and calendar sharing between on-premises and Exchange Online organizations.
  • Centralized control of inbound and outbound mail flow. You can also configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization if desired.
  • A single Outlook on the web URL for both the on-premises and Exchange Online organizations.
  • The ability to move existing on-premises mailboxes to the Exchange Online organization.
  • Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
  • Centralized mailbox management using the on-premises Exchange Admin Center (EAC).
  • Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.
  • No need to create new user mailboxes and import information.

Hybrid deployment prerequisites

  1. Sign up for Office 365.
  2. Add your domain to Office 365 by using the Office 365 admin portal.
  3. Deploy the Azure Active Directory Connect tool, choosing the user sign-on option you need, to enable Active Directory synchronization with your on-premises organization.
  4. Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-premises Exchange 2016 Client Access server.
  5. Install and assign Exchange services to a valid digital certificate purchased from a trusted public certificate authority (CA).

Ports & Protocol Required for Migration

| Transport Protocol | Upper Level Protocol | Feature / Component | On-premises Endpoint |
|---|---|---|---|
| | | Mail flow between Office 365 and on-premises | Exchange 2016 Mailbox / Edge |
| | | | Exchange 2016 Mailbox |
| | | Free/busy, MailTips, Message Tracking | Exchange 2016 Mailbox |
| | | Multi-mailbox search | Exchange 2016 Mailbox |
| | | Mailbox migrations | Exchange 2016 Mailbox |
| | | | Exchange 2016 Mailbox |


Hybrid deployment compatibility

| On-premises environment | Exchange 2016-based hybrid deployment | Exchange 2013-based hybrid deployment | Exchange 2010-based hybrid deployment |
|---|---|---|---|
| Exchange 2016 | Supported | Not supported | Not supported |
| Exchange 2013 | Supported | Supported | Not supported |
| Exchange 2010 | Supported | Supported | Supported |
| Exchange 2007 | Not supported | Supported | Supported |


Mailbox permissions migration

  • Prior to migration, the proper permissions are required. Users should be present in the mailbox import group for mailbox migration.
  • On-premises mailbox permissions such as Send As, Full Access, Send on Behalf, and folder permissions that are explicitly applied on the mailbox are migrated to Exchange Online.
  • Inherited (non-explicit) mailbox permissions, and permissions granted to objects that aren't mail-enabled in Exchange Online, are not migrated.
  • You should ensure all permissions are explicitly granted and all objects are mail-enabled prior to migration. In the case of Send As permissions, if the user and the resource being sent as aren't moved at the same time, you'll need to explicitly add the Send As permission in Exchange Online using the Add-RecipientPermission cmdlet.
  • Ensure that the Mailbox Replication Proxy Service (MRSProxy) is enabled on the on-premises Exchange 2013 Client Access servers. Plan for configuring these permissions in Office 365 if applicable to your organization.
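The audit the list above calls for, as an added example (not from the original post or from Microsoft): run in the on-premises Exchange Management Shell, it lists a mailbox's Full Access, Send As and Send on Behalf grants, flags the inherited ones and the trustees that are not mail-enabled (neither of which migrates), and prints the Add-RecipientPermission command to re-apply Send As in Exchange Online. The `$Mailbox` identity and the built-in principal filter are assumptions.

```powershell
# Added example, not from the original post: pre-migration permission audit for one mailbox.
# Run in the on-premises Exchange Management Shell; $Mailbox is a placeholder identity.
param([Parameter(Mandatory)][string]$Mailbox)

$mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
$findings = @()
# Assumed list of built-in principals that are not user grants and are not worth reporting.
$builtin = 'NT AUTHORITY\*', 'S-1-5-*', '*\Exchange Servers', '*\Exchange Trusted Subsystem'
function Test-Builtin($name) {
    foreach ($p in $builtin) { if ($name -like $p) { return $true } }
    $false
}

# Full Access is a mailbox ACL entry; only explicit, non-deny entries are migrated.
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not (Test-Builtin $_.User.ToString()) } |
    ForEach-Object { $findings += [pscustomobject]@{
        Right = 'FullAccess'; Trustee = $_.User.ToString(); Inherited = $_.IsInherited; Deny = $_.Deny } }

# Send As is an Active Directory extended right, so it is read from the AD object, not the mailbox.
Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { ($_.ExtendedRights -like 'Send-As') -and -not (Test-Builtin $_.User.ToString()) } |
    ForEach-Object { $findings += [pscustomobject]@{
        Right = 'SendAs'; Trustee = $_.User.ToString(); Inherited = $_.IsInherited; Deny = $_.Deny } }

# Send on Behalf is a mailbox attribute rather than an ACE, so it is never inherited.
foreach ($d in $mbx.GrantSendOnBehalfTo) {
    $findings += [pscustomobject]@{ Right = 'SendOnBehalf'; Trustee = $d.Name; Inherited = $false; Deny = $false }
}

foreach ($f in $findings | Where-Object { -not $_.Deny }) {
    # A trustee that is not a mail-enabled recipient has no counterpart in Exchange Online.
    $recipient = Get-Recipient -Identity $f.Trustee -ErrorAction SilentlyContinue
    if ($f.Inherited) {
        Write-Warning "$($f.Right) for $($f.Trustee) is inherited and will not migrate; grant it explicitly first."
    } elseif (-not $recipient) {
        Write-Warning "$($f.Right) for $($f.Trustee): trustee is not mail-enabled and will not migrate."
    } elseif ($f.Right -eq 'SendAs') {
        # Keep this for the cloud side in case the mailbox and the trustee are moved at different times.
        "Add-RecipientPermission -Identity '$($mbx.PrimarySmtpAddress)' -Trustee '$($recipient.PrimarySmtpAddress)' -AccessRights SendAs -Confirm:`$false"
    }
}
```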

Hybrid deployment example


  • Users will use their same username and password for logging on to the on-premises and Exchange Online organizations (“single sign-on”).
  • User mailboxes located on-premises and in the Exchange Online organization will use the same email address domain. For example, mailboxes located on-premises and mailboxes located in the Exchange Online organization will both use the same domain in user email addresses.
  • All outbound mail is delivered to the Internet by the on-premises organization. The on-premises organization controls all messaging transport and serves as a relay for the Exchange Online organization (“centralized mail transport”).
  • On-premises and Exchange Online organization users can share calendar free/busy information with each other. Organization relationships configured for both organizations also enable cross-premises message tracking, MailTips, and message search.
  • On-premises and Exchange Online users use the same URL to connect to their mailboxes over the Internet.
On-premises Exchange deployment after a hybrid deployment with Office 365 is configured:

| | Before hybrid deployment | After hybrid deployment |
|---|---|---|
| Mailbox location | Mailboxes on-premises only. | Mailboxes on-premises and in Office 365. |
| Message transport | On-premises Mailbox servers handle all inbound and outbound message routing. | On-premises Mailbox servers handle internal message routing between the on-premises and Office 365 organizations. |
| Outlook on the web | On-premises Mailbox servers receive all Outlook on the web requests and display mailbox information. | On-premises Mailbox servers redirect Outlook on the web requests to either on-premises Exchange 2016 Mailbox servers or provide a link to log on to Office 365. |
| Unified GAL for both organizations | Not applicable; single organization only. | On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to Office 365. |
| Single sign-on used for both organizations | Not applicable; single organization only. | On-premises Active Directory and Office 365 use the same username and password for mailboxes located either on-premises or in Office 365. |
| Organization relationship established and a federation trust with Azure AD authentication system | Trust relationship with Azure AD authentication system and organization relationships with other federated Exchange organizations may be configured. | Trust relationship with Azure AD authentication system is required. Organization relationships are established between the on-premises and Office 365 organizations. |
| Free/busy sharing | Free/busy sharing between on-premises users only. | Free/busy sharing between both on-premises and Office 365 users. |

Exchange hybrid deployment considerations

Exchange servers

  • At least one Exchange server needs to be configured in your on-premises organization to configure a hybrid deployment.
  • If you're running Exchange 2013 or older, you need to install at least one server running the Mailbox and Client Access roles.
  • If you're running Exchange 2016 or newer, at least one server running the Mailbox role needs to be installed.
  • If needed, Exchange Edge Transport servers can also be installed in a perimeter network and support secure mail flow with Office 365.


Note: Microsoft doesn’t support the installation of Exchange servers running the Mailbox or Client Access server roles in a perimeter network.

Microsoft Office 365

  • The Office 365 service includes an Exchange Online organization as a part of its subscription service.
  • Organizations configuring a hybrid deployment need to purchase a license for each mailbox that's migrated or created in the Exchange Online organization.

Hybrid Configuration wizard

  • Exchange includes the Hybrid Configuration wizard which provides a streamlined process to configure a hybrid deployment between the on-premises Exchange and Exchange Online organizations.

Azure AD authentication system

  • The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange organization and the Exchange Online organization.
  • On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system.
  • The federation trust can be created either manually, as part of configuring the federated sharing features between an on-premises Exchange organization and other federated Exchange organizations, or as part of configuring a hybrid deployment with the Hybrid Configuration wizard.
  • A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.

Azure Active Directory synchronization

  • Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication.
  • Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize the on-premises Active Directory with Office 365.

Licensing for Office 365

  • To create mailboxes in, or move mailboxes to, Office 365, you need to sign up for Office 365 for enterprises and you must have licenses available.
  • When you sign up for Office 365, you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in Office 365 must have a license.

Antivirus and anti-spam services

  • Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. You may need to purchase additional EOP licenses for your on-premises users if you choose to route all incoming Internet mail through the EOP service.
  • We recommend that you carefully evaluate whether the EOP protection in your Office 365 is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your organization.

Public folders

  • Public folders are supported in Office 365, and on-premises public folders can be migrated to Office 365. Additionally, public folders in Office 365 can be moved to the on-premises Exchange 2016 organization.
  • Both on-premises and Office 365 users can access public folders located in either organization using Outlook on the web, Outlook 2016, Outlook 2013, or Outlook 2010 SP2 or newer.
  • Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.

Centralized mail transport

  • The hybrid configuration option in which all Exchange Online inbound and outbound Internet messages are routed via the on-premises Exchange organization.
  • This routing option is configured in the Hybrid Configuration wizard depending upon organization need.

Coexistence domain

  • An accepted domain added to the on-premises organization for hybrid mail flow and Autodiscover requests for the Office 365 service.
  • This domain is added as a secondary proxy domain to any email address policies which have PrimarySmtpAddress templates for domains selected in the Hybrid Configuration wizard.
  • By default, this domain is


Network bandwidth

  • Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Office 365 organization.
  • This is particularly true when moving mailboxes from your on-premises Exchange 2016 server to the Office 365 organization.
  • The amount of available network bandwidth, in combination with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves.
  • Additionally, other Office 365 services, such as SharePoint Server 2016 and Skype for Business, may also affect the available bandwidth for messaging services.

Before moving mailboxes to Office 365, you should:

  • Determine the average mailbox size for mailboxes that will be moved to Office 365.
  • Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.
  • Calculate the average expected transfer speed, and plan your mailbox moves accordingly.


Digital certificates

  • Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment.
  • They help to secure communications between the on-premises hybrid server and the Exchange Online organization. Certificates are a requirement to configure several types of services.
  • If you're already using digital certificates in your Exchange organization, you may have to modify the certificates to include additional domains or purchase additional certificates from a trusted certificate authority (CA).
  • If you aren't already using certificates, you will need to purchase one or more certificates from a trusted CA.
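A pre-flight check for the certificate points above and for prerequisites 4 and 5 (public Autodiscover DNS and a certificate from a trusted public CA), as an added example that is not part of the original post: it resolves the Autodiscover name, retrieves the certificate presented on port 443, and reports whether it chains to a trusted root, is still valid, and covers the Autodiscover host. Assumes Windows PowerShell 5.1 with the DnsClient module; `example.com` is a placeholder domain.

```powershell
# Added example, not from the original post: verify Autodiscover DNS and the TLS certificate
# for one SMTP domain. Windows PowerShell 5.1; the domain below is a placeholder.
param([string]$SmtpDomain = 'example.com')

$autodiscoverHost = "autodiscover.$SmtpDomain"

# Prerequisite 4: the public Autodiscover record must exist and lead to the on-premises endpoint.
$records     = Resolve-DnsName -Name $autodiscoverHost -Type A -ErrorAction Stop
$cnameTarget = ($records | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
$addresses   = ($records | Where-Object QueryType -eq 'A').IPAddress

# Prerequisite 5: connect on 443, accept whatever certificate is presented, then judge it ourselves.
$tcp       = New-Object System.Net.Sockets.TcpClient($autodiscoverHost, 443)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl       = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($autodiscoverHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Dispose() }

# A self-signed or private-CA certificate fails chain building against the machine's trusted roots.
$chain        = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainTrusted = $chain.Build($cert)

# The Subject Alternative Name extension (OID 2.5.29.17) must cover the Autodiscover host.
# Windows formats it as "DNS Name=a, DNS Name=b"; wildcard entries match via -like.
$sanExt      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames    = if ($sanExt) { ($sanExt.Format($false) -split ', ') -replace '^DNS Name=', '' } else { @() }
$nameCovered = [bool]($sanNames | Where-Object { $autodiscoverHost -like $_ })

[pscustomobject]@{
    AutodiscoverHost = $autodiscoverHost
    CnameTarget      = $cnameTarget
    Addresses        = $addresses -join ', '
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    DaysRemaining    = [int]($cert.NotAfter - (Get-Date)).TotalDays
    ChainTrusted     = $chainTrusted
    NameCovered      = $nameCovered
    Ready            = ($chainTrusted -and $nameCovered -and ($cert.NotAfter -gt (Get-Date)))
}
```

Run it once per SMTP domain you intend to select in the Hybrid Configuration wizard; a `Ready` of `False` points at the DNS record or the certificate that still needs work before prerequisites 4 and 5 are met.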

Images & Source from Microsoft
