
Hybrid Deployment and M365 Integration

What is Hybrid Deployment?

Hybrid Deployment allows your on-premises Exchange Server and Microsoft 365 Exchange Online to coexist, providing a unified user experience.

Key Benefits

  1. Gradual Migration: Move mailboxes in batches, no need for all-at-once cloud migration
  2. Unified GAL: On-premises and cloud users share the Global Address List
  3. Calendar Sharing: Cross-environment free/busy lookup
  4. Mail Routing: Flexible control over mail flow
  5. Centralized Management: Manage cloud attributes through on-premises Exchange

HCW (Hybrid Configuration Wizard) Core

What Does HCW Do?

Objects Created by HCW

1. Send Connector

# Example output from Get-SendConnector after HCW
Name : Outbound to Office 365
AddressSpaces : {SMTP:*.mail.onmicrosoft.com;1}
SmartHosts : {your-tenant.mail.protection.outlook.com}
TlsAuthLevel : DomainValidation
RequireTLS : True
CloudServicesMailEnabled : True

2. Receive Connector

# Inbound from Office 365
Name : Inbound from Office 365
RemoteIPRanges : {23.103.132.0/22, 23.103.136.0/21, ...} # M365 IP ranges
AuthMechanism : Tls
PermissionGroups : ExchangeServers
TlsDomainCapabilities : {*.outlook.com:AcceptCloudServicesMail}

3. Organization Relationship

Get-OrganizationRelationship | Format-List Name, TargetApplicationUri, Enabled, FreeBusyAccessEnabled

# Example:
# Name : O365 to On-premises
# TargetApplicationUri : outlook.com
# Enabled : True
# FreeBusyAccessEnabled : True

OAuth Configuration

What is OAuth's Role in Hybrid?

OAuth replaces the old Federation Trust, providing:

  • More secure authentication
  • Support for new features (such as eDiscovery, MailTips)
  • Simplified configuration

Verify OAuth Configuration

# Check OAuth configuration (the thumbprint properties are CurrentCertificateThumbprint / NextCertificateThumbprint)
Get-AuthConfig | Format-List ServiceName, Realm, CurrentCertificateThumbprint, NextCertificateThumbprint

# Test OAuth connectivity
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox user@contoso.com

Common OAuth Errors

Error: OAuth token request failed

# Symptom: Free/busy lookup fails between on-prem and cloud
# Check:
1. Certificate used for OAuth is valid
2. Autodiscover points correctly
3. EWS virtual directory is accessible

# Fix: Re-create OAuth configuration
# Remove-MsolServicePrincipalCredential is an MSOnline (Azure AD) cmdlet, so connect with the MSOnline module;
# an Exchange Online remote PowerShell session is not what it needs (Basic-auth New-PSSession to EXO is retired anyway)
Connect-MsolService

# List the credentials registered on the Exchange Online service principal, then remove the stale on-prem certificate
Get-MsolServicePrincipalCredential -AppPrincipalId <AppId> -ReturnKeyValues $false
Remove-MsolServicePrincipalCredential -AppPrincipalId <AppId> -KeyId <KeyId>

# Re-run HCW to recreate
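The checks above (certificate, Autodiscover, EWS) and the OAuth verification earlier on this page, as one added health-check script that is not part of the original page. It assumes an Exchange Management Shell session on an on-premises server; the test mailbox and Autodiscover hostname are placeholders.

```powershell
# Added example (not from the original page): on-prem OAuth health check for the hybrid free/busy path
param(
    [string]$TestMailbox = "user@contoso.com",              # assumption: any on-prem mailbox
    [string]$AutodiscoverHost = "autodiscover.contoso.com"  # assumption: public Autodiscover name
)

# 1. The certificate Get-AuthConfig points at must exist on this server and not be near expiry
$authConfig = Get-AuthConfig
$authCert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
if (-not $authCert) {
    Write-Warning "Auth certificate $($authConfig.CurrentCertificateThumbprint) is missing on this server"
} elseif ($authCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Auth certificate expires on $($authCert.NotAfter); rotate it and re-run HCW before then"
} else {
    Write-Host "Auth certificate OK, expires $($authCert.NotAfter)"
}

# 2. The Exchange Online partner application created by HCW must be present and enabled
$partner = Get-PartnerApplication | Where-Object { $_.Name -like "Exchange Online*" }
if (-not $partner -or -not $partner.Enabled) { Write-Warning "Exchange Online partner application missing or disabled" }

# 3. Public Autodiscover must resolve and answer on 443; Exchange Online discovers on-prem EWS through it
$dns = Resolve-DnsName $AutodiscoverHost -ErrorAction SilentlyContinue
$tcp = if ($dns) { (Test-NetConnection $AutodiscoverHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded } else { $false }
if (-not $tcp) { Write-Warning "$AutodiscoverHost does not resolve or does not accept TCP 443" }

# 4. Live OAuth token exchange against cloud EWS and Autodiscover, the same path free/busy lookups use
$targets = @{
    EWS   = "https://outlook.office365.com/ews/exchange.asmx"
    AutoD = "https://outlook.office365.com/autodiscover/autodiscover.svc"
}
foreach ($svc in $targets.Keys) {
    foreach ($r in (Test-OAuthConnectivity -Service $svc -TargetUri $targets[$svc] -Mailbox $TestMailbox)) {
        if ($r.ResultType -eq "Success") { Write-Host "$svc OAuth: OK" }
        else { Write-Warning "$svc OAuth: $($r.ResultType) - $($r.Detail)" }
    }
}
```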

Mail Flow Architecture

Centralized Mail Transport

Advantages:

  • All mail protected by EOP
  • Unified mail policies (DLP, Anti-spam)

Configuration:

# Centralized Mail Transport is an HCW option: it sets the Exchange Online outbound connector so that
# Internet-bound mail from cloud mailboxes is routed back through on-premises (and on-prem outbound relays via EOP).
# Verify or set it from an Exchange Online session; the connector name HCW creates is "Outbound to <GUID>".
# (Set-TransportConfig -InternalSMTPServers only lists internal SMTP server IPs for anti-spam and does not change routing.)
Get-OutboundConnector | Format-List Name, ConnectorType, RouteAllMessagesViaOnPremises
Set-OutboundConnector "Outbound to <GUID>" -RouteAllMessagesViaOnPremises $true

Distributed Mail Transport

Advantages:

  • Local mail doesn't traverse cloud
  • Reduced latency

Disadvantages:

  • Need to maintain two protection systems
  • Higher management complexity

Mailbox Migration

Migration Types

| Type        | Direction       | Use Case                 |
|-------------|-----------------|--------------------------|
| Remote Move | On-prem → Cloud | Standard cloud migration |
| Onboarding  | On-prem → Cloud | Batch migration          |
| Offboarding | Cloud → On-prem | Cloud downgrade (rare)   |

Execute Remote Move

# 1. Create migration endpoint (one-time setup)
$Credential = Get-Credential # On-prem admin account
New-MigrationEndpoint -Name "OnPremisesEndpoint" `
-ExchangeRemoteMove `
-RemoteServer "mail.contoso.com" `
-Credentials $Credential

# 2. Create a remote move request for a single mailbox (run in Exchange Online)
New-MoveRequest -Identity user@contoso.com `
-Remote `
-RemoteHostName "mail.contoso.com" `
-RemoteCredential $Credential `
-TargetDeliveryDomain "contoso.mail.onmicrosoft.com"

# 3. Monitor migration
Get-MoveRequest -Identity user@contoso.com | Get-MoveRequestStatistics | Format-List Status, PercentComplete, BytesTransferred

# Example output:
# Status : InProgress
# PercentComplete : 45
# BytesTransferred : 2.5 GB (2,684,354,560 bytes)

Batch Migration

# Create CSV file: users.csv
# EmailAddress
# user1@contoso.com
# user2@contoso.com

# Create batch migration
New-MigrationBatch -Name "Batch01" `
-SourceEndpoint "OnPremisesEndpoint" `
-CSVData ([System.IO.File]::ReadAllBytes("C:\Migrations\users.csv")) `
-TargetDeliveryDomain "contoso.mail.onmicrosoft.com" `
-AutoStart

# Monitor batch
Get-MigrationBatch "Batch01" | Format-List Status, TotalCount, SyncedCount, FailedCount

Troubleshooting Migration Failures

# Get detailed error for failed move
Get-MoveRequest -Identity user@contoso.com | Get-MoveRequestStatistics -IncludeReport | Select-Object -ExpandProperty Report | Out-File C:\Logs\MoveReport.txt

# Common errors:
# 1. "MapiExceptionNotFound" → Mailbox corrupted, run New-MailboxRepairRequest
# 2. "ProxyNotAuthenticated" → Credential expired, update migration endpoint
# 3. "DataValidationException" → Large/corrupted item, use -BadItemLimit / -LargeItemLimit

Handle Large or Corrupted Items:

# Allow skipping bad/large items
New-MoveRequest -Identity user@contoso.com `
-Remote `
-RemoteHostName "mail.contoso.com" `
-RemoteCredential $Credential `
-TargetDeliveryDomain "contoso.mail.onmicrosoft.com" `
-BadItemLimit 50 `
-LargeItemLimit 50 `
-AcceptLargeDataLoss
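Batch monitoring and the failure triage above, as one added script that is not part of the original page. It assumes an Exchange Online session (Connect-ExchangeOnline); the batch name and report folder are placeholders.

```powershell
# Added example (not from the original page): collect every failed user in a batch, save each MRS report,
# and map the error text to the actions listed above
param(
    [string]$BatchName = "Batch01",            # assumption: batch created as shown above
    [string]$ReportDir = "C:\Logs\Migration"   # assumption: local folder for per-mailbox reports
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Error signatures from the list above and the action each one calls for
$knownErrors = @(
    @{ Pattern = "MapiExceptionNotFound";   Action = "Run New-MailboxRepairRequest on-prem, then Resume-MoveRequest" }
    @{ Pattern = "ProxyNotAuthenticated";   Action = "Refresh the endpoint credential with Set-MigrationEndpoint -Credentials" }
    @{ Pattern = "DataValidationException"; Action = "Set-MoveRequest -BadItemLimit / -LargeItemLimit, then Resume-MoveRequest" }
)

$failed = Get-MigrationUser -BatchId $BatchName | Where-Object { $_.Status -like "*Failed*" }
foreach ($user in $failed) {
    $stats = Get-MoveRequestStatistics -Identity $user.Identity -IncludeReport
    $reportPath = Join-Path $ReportDir (($user.Identity -replace '[^\w.-]', '_') + ".txt")
    $stats.Report | Out-File -FilePath $reportPath   # full report, as in the manual step above

    $msg = "$($stats.Message)"                        # full failure message; first line is shown in the summary
    $match = $knownErrors | Where-Object { $msg -match $_.Pattern } | Select-Object -First 1
    [pscustomobject]@{
        Mailbox    = $user.Identity
        Status     = $user.Status
        Error      = ($msg -split "`r?`n")[0]
        BadItems   = $stats.BadItemsEncountered
        LargeItems = $stats.LargeItemsEncountered
        Action     = if ($match) { $match.Action } else { "Unrecognised error; read $reportPath" }
    }
}
```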

Security Considerations

1. MFA (Multi-Factor Authentication)

MFA challenges in hybrid environments:

  • On-premises Exchange does not natively support MFA
  • Requires Azure AD Conditional Access control

Solution:

1. Enable Modern Authentication (OAuth)
2. Configure Conditional Access policies in Azure AD
3. Force specific applications (OWA, EAS) to use MFA

2. Certificates and TLS

Ensure all Connectors enforce TLS:

# Send Connector (DomainValidation only works when TlsDomain is set; HCW sets it to mail.protection.outlook.com)
Set-SendConnector "Outbound to Office 365" -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain "mail.protection.outlook.com"

# Receive Connector
Set-ReceiveConnector "Inbound from Office 365" -RequireTLS $true

3. IP Allowlist

Regularly update M365 IP ranges:

# Get latest M365 IP ranges (Worldwide instance). Keep only the Exchange entries that carry SMTP (TCP 25)
# source ranges: many Exchange entries have no "ips" field, and -ExpandProperty ips errors on those.
$url = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)"
$ips = (Invoke-RestMethod -Uri $url) |
    Where-Object { $_.serviceArea -eq "Exchange" -and $_.ips -and (($_.tcpPorts -split ',') -contains '25') } |
    ForEach-Object { $_.ips } | Sort-Object -Unique

# Update Receive Connector (-RemoteIPRanges replaces the whole list, so never apply an empty result)
if ($ips) { Set-ReceiveConnector "Inbound from Office 365" -RemoteIPRanges $ips }
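A safer version of the refresh above, added here and not part of the original page: it acts only when Microsoft publishes a new endpoint version, backs up the current ranges, and prints the change set before replacing the allowlist. It assumes the HCW connector name shown above and a state folder C:\Hybrid (both assumptions).

```powershell
# Added example (not from the original page): version-gated allowlist refresh with backup and diff
$Connector   = "Inbound from Office 365"          # assumption: HCW-created receive connector name
$StateDir    = "C:\Hybrid"                        # assumption: folder for version marker and backups
$VersionFile = Join-Path $StateDir "m365-endpoints-version.txt"
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$reqId = New-Guid   # one client request id per run, as the endpoint service asks for

# 1. Skip the run entirely if the published version is the one already applied
$latest  = (Invoke-RestMethod "https://endpoints.office.com/version/worldwide?clientrequestid=$reqId").latest
$applied = if (Test-Path $VersionFile) { (Get-Content $VersionFile -Raw).Trim() } else { "" }
if ("$latest" -eq $applied) { Write-Host "Endpoint version $latest already applied"; return }

# 2. Keep only Exchange entries that carry SMTP (TCP 25) source ranges; the other Exchange entries are HTTPS endpoints
$endpoints = Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$reqId"
$new = @($endpoints |
    Where-Object { $_.serviceArea -eq "Exchange" -and $_.ips -and (($_.tcpPorts -split ',') -contains '25') } |
    ForEach-Object { $_.ips } | Sort-Object -Unique)
if ($new.Count -eq 0) { throw "No SMTP ranges returned; refusing to replace the allowlist with an empty set" }

# 3. Back up what is configured now and print the change set (<= removed, => added) before replacing it
$current = @((Get-ReceiveConnector $Connector).RemoteIPRanges | ForEach-Object { $_.ToString() } | Sort-Object -Unique)
$current | Out-File (Join-Path $StateDir ("RemoteIPRanges-{0:yyyyMMdd-HHmm}.bak" -f (Get-Date)))
if ($current.Count -gt 0) {
    Compare-Object -ReferenceObject $current -DifferenceObject $new |
        ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
}

Set-ReceiveConnector $Connector -RemoteIPRanges $new
Set-Content -Path $VersionFile -Value $latest
```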

Common Issues

Q: HCW execution failed, how to rollback?

# HCW doesn't have built-in rollback, manually remove objects:
Remove-SendConnector "Outbound to Office 365"
Remove-ReceiveConnector "Inbound from Office 365"
Remove-OrganizationRelationship "O365 to On-premises"

# Re-run HCW after fixing the issue

Q: Hybrid broken after certificate renewal

Solution: Re-run HCW

# After certificate renewal:
1. Download latest HCW from https://aka.ms/hybridwizard
2. Run HCW again (it will detect existing config and update)
3. Select "Update Hybrid Configuration"

Q: Unable to receive mail after migration

Troubleshooting Steps:

# 1. Verify mail routing
Get-Recipient user@contoso.com | Format-List RecipientType, EmailAddresses

# Should show:
# RecipientType : MailUser (on-prem) or UserMailbox (cloud)
# EmailAddresses : {SMTP:user@contoso.com, smtp:user@contoso.mail.onmicrosoft.com}

# 2. Check MX record points to EOP
Resolve-DnsName -Name contoso.com -Type MX

# 3. Test the migration endpoint (MRS proxy) connectivity; this checks the move path, not SMTP mail flow
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer "mail.contoso.com" -Credentials (Get-Credential)

Checklist

Before deploying Hybrid, verify:

  • Exchange Server upgraded to latest CU
  • Certificate includes all required SANs (including Autodiscover)
  • Public DNS Autodiscover record is correct
  • Firewall allows 443/25 to M365 IP ranges
  • Azure AD Connect syncing normally
  • Exchange configuration backed up
  • OAuth connectivity tested
  • Mail flow architecture planned (Centralized vs. Distributed)
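The certificate, DNS and firewall items of the checklist as one added pre-deployment script, not part of the original page. It assumes an Exchange Management Shell session; the SMTP domain, external hybrid hostname and the public resolver used for the external DNS test are placeholders.

```powershell
# Added example (not from the original page): scripted pre-deployment checks for hybrid prerequisites
param(
    [string]$Domain = "contoso.com",          # assumption: primary SMTP domain
    [string]$HybridHost = "mail.contoso.com"  # assumption: external EWS / MRS proxy name given to HCW
)
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# The certificate bound to IIS and SMTP is what HCW offers; it must cover the hybrid name and Autodiscover
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" -and "$($_.Services)" -match "SMTP" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sans = if ($cert) { @($cert.CertificateDomains | ForEach-Object { $_.ToString() }) } else { @() }
Add-Check "Certificate covers $HybridHost" ($sans -contains $HybridHost) ("SANs: " + ($sans -join ", "))
Add-Check "Certificate covers autodiscover.$Domain" ($sans -contains "autodiscover.$Domain") ""
Add-Check "Certificate valid for 30+ days" (([bool]$cert) -and ($cert.NotAfter -gt (Get-Date).AddDays(30))) "NotAfter: $($cert.NotAfter)"

# Autodiscover must resolve from the Internet, so ask an external resolver (assumption: 8.8.8.8) rather than internal DNS
$ad = Resolve-DnsName "autodiscover.$Domain" -Server 8.8.8.8 -ErrorAction SilentlyContinue
Add-Check "Public autodiscover.$Domain resolves" ([bool]$ad) (($ad | ForEach-Object { $_.Name }) -join ", ")

# Outbound 443 and 25 to EOP; the EOP hostname for a verified domain is <domain-with-dashes>.mail.protection.outlook.com
$eop = ($Domain -replace '\.', '-') + ".mail.protection.outlook.com"
foreach ($port in 443, 25) {
    $t = Test-NetConnection -ComputerName $eop -Port $port -WarningAction SilentlyContinue
    Add-Check "TCP $port to $eop" $t.TcpTestSucceeded "Remote: $($t.RemoteAddress)"
}

$results | Format-Table -AutoSize
```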

Next Steps