Hybrid Configuration wizard

This article gives you an overview of the Exchange hybrid deployment process using the Hybrid Configuration Wizard.

For more information about hybrid deployments, check out Exchange Server Hybrid Deployments.

Hybrid configuration process

Here's a quick overview of what the Hybrid Configuration Wizard does:

  1. Create the HybridConfiguration object in your on-premises Active Directory. This object stores the hybrid configuration information for the hybrid deployment.
  2. Complete the following steps:
    1. Gather existing on-premises Exchange and Active Directory topology configuration data, cloud organization data, and Exchange Online configuration data.
    2. Define several organization parameters.
    3. Run an extensive sequence of configuration tasks in both on-premises Exchange and Exchange Online.

Important

There are several important considerations and prerequisites that you need to complete before you use the Hybrid Configuration wizard. These requirements are described in Hybrid deployment prerequisites. After you meet all of these requirements, you'll be ready to use the Hybrid Configuration wizard.

The general phases of the hybrid deployment configuration process are described in the following sections:

Verify prerequisites and do topology checks

Verify that your on-premises and Exchange Online organizations can support a hybrid deployment. For example, the following items are checked:

  • On-premises Exchange server versions
  • Exchange Online version
  • Active Directory synchronization presence and configuration
  • Federated and accepted domains
  • Existing federation trust and organization relationships
  • Web Services virtual directories
  • Exchange certificates
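The following script is an added example and is not part of this article or of the Hybrid Configuration Wizard itself. It is a read-only inventory, run in the on-premises Exchange Management Shell before the wizard is started, that reports on the items listed above so that anything missing or about to expire is found first. The certificate warning threshold and the report layout are this example's own choices; Active Directory synchronization state lives on the synchronization server rather than on Exchange, so it is not covered here.

```powershell
# Added example, not from the article: read-only pre-flight inventory for the items the
# wizard's topology checks cover. Run in the on-premises Exchange Management Shell.
# $CertWarningDays and the report layout are this example's own choices.

$CertWarningDays = 60   # flag certificates that expire within this many days

Write-Host '== On-premises Exchange server versions =='
Get-ExchangeServer |
    Sort-Object Name |
    Format-Table Name, ServerRole, AdminDisplayVersion, Edition -AutoSize

Write-Host '== Accepted domains =='
Get-AcceptedDomain | Format-Table DomainName, DomainType, Default -AutoSize

Write-Host '== Federation trust and federated organization identifier =='
$trust = Get-FederationTrust
if ($trust) {
    $trust | Format-List Name, ApplicationUri, TokenIssuerUri, MetadataUrl
    Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
} else {
    Write-Host 'No federation trust found; the wizard configures OAuth or creates a trust.'
}

Write-Host '== Existing organization relationships and intra-organization connectors =='
Get-OrganizationRelationship |
    Format-List Name, DomainNames, Enabled, FreeBusyAccessEnabled, MailTipsAccessEnabled, TargetOwaURL
Get-IntraOrganizationConnector |
    Format-List Name, TargetAddressDomains, DiscoveryEndpoint, Enabled

Write-Host '== Web Services (EWS) virtual directories =='
# -ADPropertiesOnly reads Active Directory instead of contacting IIS on every server.
Get-WebServicesVirtualDirectory -ADPropertiesOnly |
    Format-Table Server, InternalUrl, ExternalUrl, MRSProxyEnabled -AutoSize

Write-Host '== Certificates assigned to SMTP or IIS =='
$now = Get-Date
$certReport = foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' })) {
    foreach ($cert in (Get-ExchangeCertificate -Server $server.Name | Where-Object { $_.Services -match 'SMTP|IIS' })) {
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Server     = $server.Name
            Subject    = $cert.Subject
            Services   = $cert.Services
            SelfSigned = $cert.IsSelfSigned
            Expires    = $cert.NotAfter.ToString('yyyy-MM-dd')
            DaysLeft   = $daysLeft
            # The secure mail certificate must come from a trusted third-party CA, so a
            # self-signed certificate or one close to expiry needs attention before the wizard runs.
            Attention  = [bool]($cert.IsSelfSigned -or $daysLeft -lt $CertWarningDays)
        }
    }
}
$certReport |
    Sort-Object -Property @{ Expression = 'Attention'; Descending = $true }, DaysLeft |
    Format-Table -AutoSize
```

Nothing in the script changes configuration; its output is the evidence you compare against the prerequisites document before letting the wizard make changes.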

Account permissions requirements

Verify that the on-premises and cloud accounts have the appropriate permissions to connect to both environments. Hybrid deployment management accounts require the following role group memberships as outlined in the next section.

Exchange Server on-premises

The account that is used to configure Exchange hybrid must be a member of the Organization Management role group.

Exchange Online

In the next section of the documentation, we describe the permissions required to successfully run the HCW to either establish a new hybrid configuration or update an existing one. Note that Global admin permissions are required if Exchange hybrid is configured for the first time!

Minimal Hybrid Configuration

This table shows the permissions that are required when you have a Minimal Hybrid Configuration:

| Granular hybrid configuration | Classic Hybrid permissions needed | Modern Hybrid permissions needed |
| --- | --- | --- |
| Not available | Exchange admin | Global admin |

Full Hybrid Configuration

This table shows the permissions that are required when you have a Full Hybrid Configuration:

| Granular hybrid configuration | Classic Hybrid permissions needed | Modern Hybrid permissions needed |
| --- | --- | --- |
| OAuth, Intra Organization Connector and Organization Relationship | Global admin | Global admin |
| Update Coexistence Domain in Exchange Server Accepted domain and Email Address Policy | Exchange admin | Global admin |
| Migration Endpoint | Exchange admin | Global admin |
| Organization Configuration Transfer | Exchange admin | Global admin |
| Outbound Connector in M365 Organization | Exchange admin | Global admin |
| Inbound Connector in M365 Organization | Exchange admin | Global admin |
| Receive Connector on Exchange Hybrid Server | Exchange admin | Global admin |
| Send Connector on Exchange Hybrid Server | Exchange admin | Global admin |
| Enable Centralized Mail Transport | Exchange admin | Global admin |
| Update Secure Mail Certificate for connectors | Exchange admin | Global admin |

Tip

You can find more information about each hybrid configuration scenario in the Choose Exchange Hybrid Configuration documentation.

Hybrid deployment configuration changes

Make the required configuration changes to create and enable the hybrid deployment. All changes are automatically logged in the hybrid configuration log. By default, the hybrid configuration log is located on the on-premises Mailbox server at %UserProfile%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration.

Important

Inbound mail flow is controlled by your organization's MX record. Inbound internet mail for a hybrid deployment isn't configured by the Hybrid Configuration wizard.

Hybrid configuration features

By default, the Hybrid Configuration wizard automatically enables all hybrid deployment features each time it runs. To disable specific hybrid configuration features, you need to use the Set-HybridConfiguration cmdlet in the Exchange Management Shell. The wizard enables the following hybrid deployment features by default:

  • Free/busy sharing: Enables calendar information to be shared between on-premises and Exchange Online users. Free/busy sharing is enabled as part of the federated sharing and organization relationship configuration for on-premises and cloud environments. Learn more at Sharing.

  • MailTips: MailTips are informative messages that users see as they compose messages. Users can adjust messages before they're sent to avoid undesirable situations or non-delivery reports (NDRs). For more information, see MailTips in Exchange and MailTips in Exchange Online.

  • Online archiving: Exchange Online hosts the email archives of both on-premises and cloud users. For more information, see Configure Exchange Online Archiving.

  • Outlook on the web redirection: Provides one URL to access both on-premises and Exchange Online mailboxes via Outlook on the web (formerly known as Outlook Web App or OWA). Client Access servers automatically redirect requests to on-premises mailbox servers or provide the link to Exchange Online mailboxes.

  • Exchange ActiveSync redirection: Most Exchange ActiveSync clients will now be automatically reconfigured when the mailbox is moved to Exchange Online. For more information, see Exchange ActiveSync device settings with Exchange hybrid deployments.

  • Secure mail: Uses Transport Layer Security (TLS) for secure mail delivery between the on-premises and cloud environments. On-premises Exchange and Exchange Online are mutually authenticated through digital certificate subjects and email headers. Rich-text message formatting is preserved across the organizations.

Hybrid configuration options

The Hybrid Configuration wizard allows many customizations for the hybrid deployment. To update a hybrid configuration setting after you initially configured hybrid, you can use the Hybrid Configuration wizard or the Exchange Management Shell.

The major options are described below, by configuration area:

Domains

Adds an Exchange Online domain as an accepted domain to on-premises Exchange for hybrid mail flow and Autodiscover requests. By default, this domain is <domain>.mail.onmicrosoft.com, and is called the coexistence domain. The coexistence domain is used for secondary email addresses (proxy addresses) in any email address policies that contain the domains you specified in the Hybrid Configuration Wizard.

You can view the accepted domain by running the following command in Exchange Online PowerShell: Get-AcceptedDomain | Format-List DomainName, IsCoexistenceDomain.

Secure mail certificate

Select a certificate that was issued by a trusted third-party Certificate Authority (CA). This certificate is used to authenticate and secure mail sent between the on-premises and Exchange Online organizations.

Exchange federated sharing

If an existing OAuth relationship or federation trust between Microsoft Entra ID and on-premises Exchange is found, that OAuth relationship or trust is used for the hybrid deployment. If not, the wizard configures OAuth authentication or creates a federation trust between Microsoft Entra ID and on-premises Exchange. Any domains that you selected in the Hybrid Configuration Wizard are added to the federation trust as needed.

The wizard also creates and configures organization relationships for both the on-premises and Exchange Online organizations. These organization relationships allow the wizard to enable several hybrid deployment features:

  • Free/busy sharing
  • Outlook on the web redirection
  • MailTips

Note: GCC High and DoD environments require a different value for the MetadataUrl parameter on the Set-FederationTrust cmdlet. For more information, see Set-FederationTrust.

Mail flow

  • Client Access servers
  • Exchange 2010: Hub Transport servers

The wizard configures any new and existing connectors as required:

  • On-premises Exchange: Send connectors and Receive connectors
  • Exchange Online: Inbound and Outbound connectors

For Exchange Online, you choose how to route outbound messages to the internet:

  • Direct
  • Routed through your on-premises Exchange servers

Important: Mail flow from the internet to recipients in your domain is controlled by the domain's MX record in DNS, not by the Hybrid Configuration wizard.
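Because the secure mail feature depends on the connectors the wizard creates enforcing TLS with certificate validation in both directions, it is worth confirming the result after a wizard run. The script below is an added example, not code from this article or from the wizard; it reads the connector settings on both sides and flags on-premises Send connectors that do not require TLS with domain validation. The first part runs in the on-premises Exchange Management Shell and the second in a separate Exchange Online PowerShell session (ExchangeOnlineManagement module); the "LooksRight" column and the expected values in the comments are this example's own.

```powershell
# Added example, not from the article: verify that hybrid mail flow connectors enforce
# TLS with certificate validation. Part 1 in the Exchange Management Shell, Part 2 in a
# separate Exchange Online PowerShell session. The LooksRight check and the expected values
# noted in comments are this example's own.

# --- Part 1: on-premises Exchange ---
Write-Host '== On-premises Send connectors that deliver to Exchange Online =='
Get-SendConnector |
    Where-Object { $_.CloudServicesMailEnabled -or ($_.AddressSpaces -match 'mail\.onmicrosoft\.com') } |
    ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            AddressSpaces      = ($_.AddressSpaces -join ', ')
            SmartHosts         = ($_.SmartHosts -join ', ')
            RequireTLS         = $_.RequireTLS
            TlsAuthLevel       = $_.TlsAuthLevel        # wizard typically sets DomainValidation
            TlsDomain          = $_.TlsDomain           # the Exchange Online protection domain
            TlsCertificateName = $_.TlsCertificateName  # the secure mail certificate chosen in the wizard
            CloudServicesMail  = $_.CloudServicesMailEnabled
            # Mutual authentication relies on TLS being mandatory and the peer being validated
            # by certificate; CloudServicesMailEnabled preserves the cross-premises headers.
            LooksRight         = [bool]($_.RequireTLS -and
                                        $_.TlsAuthLevel -eq 'DomainValidation' -and
                                        $_.CloudServicesMailEnabled)
        }
    } | Format-List

Write-Host '== On-premises Receive connectors that present a TLS certificate =='
Get-ReceiveConnector |
    Where-Object { $_.TlsCertificateName -or $_.TlsDomainCapabilities } |
    Format-List Identity, Bindings, TlsCertificateName, TlsDomainCapabilities, AuthMechanism

# --- Part 2: Exchange Online (run in its own session) ---
Connect-ExchangeOnline

Write-Host '== Exchange Online Inbound connectors of type OnPremises =='
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Format-List Name, Enabled, SenderDomains, RequireTls, TlsSenderCertificateName,
                RestrictDomainsToCertificate, RestrictDomainsToIPAddresses, CloudServicesMailEnabled

Write-Host '== Exchange Online Outbound connectors of type OnPremises =='
Get-OutboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Format-List Name, Enabled, RecipientDomains, SmartHosts, TlsSettings, TlsDomain,
                CloudServicesMailEnabled, RouteAllMessagesViaOnPremises
# RouteAllMessagesViaOnPremises = True means internet-bound mail from cloud mailboxes is
# routed through your on-premises servers (the second outbound routing option above).
# Confirm it matches the routing decision made in the wizard.
```

On the inbound side, RequireTls together with TlsSenderCertificateName and RestrictDomainsToCertificate is what ties mail claiming to come from your on-premises organization to the secure mail certificate; if those are empty or False after a wizard run, the secure mail feature is not doing what the feature list above describes.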

Hybrid Configuration Engine

The Hybrid Configuration Engine runs the core actions for configuring and updating a hybrid deployment, based on the Update-HybridConfiguration cmdlet. The Hybrid Configuration Engine compares the state of the HybridConfiguration Active Directory object with current on-premises Exchange and Exchange Online configuration settings. Tasks are run to match the deployment configuration settings to the parameters that are defined in the HybridConfiguration Active Directory object. No changes are made if the current configuration states already match what's defined in the HybridConfiguration Active Directory object.

The Hybrid Configuration Engine does the following steps to compare and update an existing hybrid deployment:

  1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
  2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
  3. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization.
  4. The Hybrid Configuration Engine discovers topology data and current configuration from the Exchange Online organization.
  5. The Hybrid Configuration Engine establishes the "difference" between the on-premises Exchange and Exchange Online organizations.
  6. The Hybrid Configuration Engine runs configuration tasks to establish the desired state.

The following figure describes how the Hybrid Configuration Engine retrieves and modifies configuration settings during the hybrid deployment process.

[Figure: Hybrid Configuration Engine flow.]
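The two passages this illustrates are the "Hybrid configuration features" section (disabling a feature with Set-HybridConfiguration, which the wizard would otherwise re-enable on its next run) and the engine steps just listed (Update-HybridConfiguration reconciling live settings with the HybridConfiguration object, then writing the hybrid configuration log). The script is an added example and not code from this article or the wizard; it runs in the on-premises Exchange Management Shell. Removing OnlineArchive is only the illustration's choice of feature, and the variable names are this example's own.

```powershell
# Added example, not from the article: review the enabled hybrid features, remove one,
# and have the Hybrid Configuration Engine reconcile the change. Run in the on-premises
# Exchange Management Shell. OnlineArchive is an arbitrary choice for the illustration.

# 1. Inspect the HybridConfiguration object, which is the engine's "desired state".
$hybrid = Get-HybridConfiguration
$hybrid | Format-List Domains, Features, TlsCertificateName, SendingTransportServers, ReceivingTransportServers

# 2. Remove a single feature from the existing set rather than retyping the list, so no
#    other feature is turned off by accident. Because the wizard re-enables every feature
#    each time it runs, this Shell change has to be repeated after any later wizard run.
$featureToRemove = 'OnlineArchive'
$newFeatures = @($hybrid.Features | Where-Object { $_ -ne $featureToRemove })
if ($newFeatures.Count -eq $hybrid.Features.Count) {
    Write-Host "$featureToRemove is not currently enabled; nothing to change."
} else {
    Set-HybridConfiguration -Features $newFeatures
    Write-Host "Features now set to: $($newFeatures -join ', ')"
}

# 3. Trigger the engine (steps 1 to 6 above). It reads the object, discovers both
#    organizations, computes the difference and runs only the tasks needed to close it;
#    where live settings already match the object, nothing is changed.
#    The accounts are the Organization Management member and the Exchange Online admin
#    described in the permissions section.
$onPremCreds = Get-Credential -Message 'On-premises Organization Management account'
$tenantCreds = Get-Credential -Message 'Exchange Online admin account'
Update-HybridConfiguration -OnPremisesCredentials $onPremCreds -TenantCredentials $tenantCreds

# 4. Every run is logged. The default location from the article is
#    %UserProfile%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration, which is
#    $env:APPDATA\Microsoft\Exchange Hybrid Configuration. Show the newest log so the run
#    can be reviewed or attached to the change record.
$logDir = Join-Path $env:APPDATA 'Microsoft\Exchange Hybrid Configuration'
Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime, Length
```

Reading the newest log after each run is the practical way to see which of the engine's configuration tasks actually changed something, since the engine skips tasks whose current state already matches the object.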