Configure Exchange Server public folders for a hybrid deployment

Summary: Instructions for enabling Exchange Online users to access on-premises public folders in your Exchange 2013, Exchange 2016, or Exchange 2019 environment.

In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your Exchange Server on-premises environment.

Note

If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.

This article describes how to enable your Exchange Online, Microsoft 365, or Office 365 users to access public folders in Exchange 2013, Exchange 2016 and Exchange 2019 (for the rest of this article, referred to as Exchange Server). To enable on-premises Exchange Server users to access public folders in Exchange Online, Microsoft 365, or Office 365, see Configure Exchange Online public folders for a hybrid deployment.

An Exchange Online, Microsoft 365, or Office 365 user must be represented by a MailUser object in the Exchange on-premises environment in order to access Exchange Server public folders. This MailUser object must also be local to the target Exchange Server public folder hierarchy. If you have Exchange Online, Microsoft 365, or Office 365 users who aren't currently represented on-premises by MailUser objects, refer to the Microsoft Knowledge Base article KB3106618 to create matching on-premises entities.

What do you need to know before you begin?

  1. These instructions assume that Microsoft Entra Connect synchronization services (Microsoft Entra Connect Sync) is configured to synchronize public folder mailbox objects to Exchange Online. Ensure that your public folder mailbox objects are synchronized to Exchange Online and that they have auto-discoverable primary SMTP addresses.

    Here is an example of proper configuration in an on-premises environment:

    public folder synchronization in Exchange Server.

    Here is an example of proper configuration in Exchange Online:

    Public folder synchronization in Exchange Online.

  2. These instructions assume that you have used the Hybrid Configuration wizard to configure and synchronize your on-premises and Exchange Online environments and that the DNS records used for most users' AutoDiscover references an on-premises end-point. For more information, see Hybrid Configuration wizard.

  3. The public folders in this configuration cannot be accessed using Outlook on the web (formerly known as Outlook Web App).

  4. Implementing public folder coexistence for a hybrid deployment of Exchange with Office 365 may require you to fix conflicts during the import procedure. Conflicts can happen due to non-routable email addresses assigned to mail enabled public folders, conflicts with other users and groups in Office 365, and other attributes.

  5. In order to access public folders cross-premises, users must upgrade their Outlook clients to the November 2012 Outlook public update or later.

  6. To download the November 2012 Outlook update for Outlook 2010, see Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition.

  7. Outlook 2016 for Mac (and later versions) is supported for cross-premises public folders. If clients in your organization use Outlook 2016 for Mac, make sure they have the April 2016 or higher update installed. For more information, see Accessing public folders with Outlook 2016 for Mac.

Step 1: Download the scripts

  1. Download the following files from Exchange 2013/2016 Public Folders Migration Scripts:

    • Sync-ModernMailPublicFolders.ps1
    • SyncModernMailPublicFolders.strings.psd1

    Note

    The download package at this location contains additional files. To follow the instructions in this article, you only need the two listed above. These scripts now support modern authentication.

  2. Save the files to the local computer. For example, C:\PFScripts.

Step 2: Synchronize mail-enabled public folder objects to Exchange Online

Microsoft Entra Connect Sync doesn't synchronize mail-enabled public folders to Exchange Online. Running the following script will synchronize the mail-enabled public folders across your on-premises environment and Exchange Online. Special permissions assigned to mail-enabled public folders, such as Send As, will need to be recreated in Office 365 since cross-premises permissions are not supported in hybrid deployment scenarios. For more information, see Exchange hybrid deployment documentation.

Note

Synchronized mail-enabled public folders will not be visible in the Exchange admin center (EAC). Instead, use the Get-MailPublicFolder cmdlet. To recreate Send As permissions in the cloud, use the Add-RecipientPermission cmdlet.

On the Exchange server, run the following command in the Exchange Management Shell to synchronize mail-enabled public folders from your local on-premises Active Directory to Office 365:

.\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

Where CsvSummaryFile is the path to where you would like to log synchronization operations and errors, in .csv format.

Important

Before running the script, we recommend that you first simulate the actions that the script would take in your environment by running it as described above with the -WhatIf switch. As part of the sync operation, the script, when appropriate, could create, update, or delete mail-enabled public folder objects on Exchange Online.

We also recommend that you run this script daily to synchronize your mail-enabled public folders.

Use the steps in Troubleshooting mail enabled public folder synchronization failures when using PowerShell script if you see errors while running the script.

Step 3: Configure Exchange Online users to access Exchange Server on-premises public folders

An Exchange Online mailbox that isn't represented by a MailUser object in on-premises Exchange (local to the target public folder hierarchy) won't be able to access on-premises public folders.

Run the following command in the Exchange Management Shell to identify such mailboxes:

Get-Mailbox |?{$_.IsDirSynced -eq $false}

These users will keep getting credential prompts after public folder mailbox access is configured. Use one of the following solutions for such users before enabling public folder access:

  1. Link the Exchange Online only mailboxes listed in the previous step to on-premises users as described in Exchange Online users can't access legacy on-premises public folders.

  2. Use the steps provided in Controlled Connections to Public Folders to enable public folder access only to mailboxes that have linked users on-premises.

The final step in this process is to configure the Exchange Online organization and to allow access to the Exchange Server public folders.

Run the following command in Exchange Online PowerShell to enable the Exchange Online organization to access the on-premises public folders. You'll point to all of your on-premises public folder mailboxes.

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1,PFMailbox2,PFMailbox3

Note

You must wait until Microsoft Entra synchronization is complete before you can see the changes. This process can take up to three hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can force directory synchronization at any time. For detailed steps to do force directory synchronization, see Microsoft Entra Connect Sync: Scheduler.

How do I know this worked?

Run the following Exchange Online PowerShell command to verify if Exchange Online mailboxes have been assigned an EffectivePublicFolderMailbox value:

Get-Mailbox | Format-Table name,EffectivePublicFolderMailbox

Next, log on to Outlook with the credentials of an Exchange Online user and perform the following public folder tests:

  • View the hierarchy
  • Check permissions
  • Create and delete public folders
  • Post content to and delete content from a public folder