Hybrid Configuration Wizard options
Hybrid Configuration Wizard (HCW) has changed a lot since it was released as part of Exchange 2010 Service Pack 2. Currently, it supports a Classic Topology (Minimal, Express, and Full), and a Modern Topology (Minimal and Full). The table below shows the differences between the options available in the Exchange Classic Topology (Minimal, Express, and Full), and Modern Topology (Minimal and Full).
This table is an expanded version of the one which was originally published in Chapter 13 in the book, Microsoft Office 365 Administration Inside Out, 2nd Edition. Reference- Fisher, Ed; Guilmette, Aaron; Kegg, Darryl; Mandich, Lou. Microsoft Office 365 Administration Inside Out (Includes Current Book Service), 2nd ed. Pearson Education, Inc., 2017. Print.
|Exchange Hybrid Configuration Options||Classic Minimal||Classic Express||Classic Full||Modern Minimal||Modern Full|
|E-mail Address Policy and Domain configuration||Yes||Yes||Yes||Yes||Yes|
|Send and Receive Connector Configuration||No||No||Yes||No||Yes|
|OAuth Configuration||No||No||Yes for Exchange 2013/2016/2019 with current CU||No||Yes for Exchange 2013/2016/2019 with current CU|
|Federation Trust and Organization Relationship||No||No||Yes||No||Yes|
|MRS Endpoint Configuration||Yes||Yes||Yes||Yes||Yes|
|AAD Connect in Express Configuration||No||Yes||No; set up separately||No; set up separately||No; set up separately|
|Organization Configuration Transfer||Yes||Yes||Yes||Yes||Yes|
|Hybrid Modern Authentication||No||No||No ||No||No|
|Cross-premises multi mailbox search||No||No||Yes||No||No|
|Cross-premises Mail Tips||No||No||Yes||No||Yes|
|Autodiscover external DNS and public certificate required||Yes||Yes||Yes||Yes (see note after the table)||Yes (see note after the table)|
|Transport external DNS and public certificate required||No||No||Yes||No||Yes|
|EWS external DNS and public certificate required||Yes||Yes||Yes||No||No|
|TCP Port 443 Inbound to Exchange On-premises||Yes||Yes||Yes||Yes for Autodiscover if needed, No for Hybrid Agent||Yes for Autodiscover if needed, No for Hybrid Agent|
|TCP Port 443 Outbound to Exchange Online||Yes||Yes||Yes||Yes||Yes|
|TCP Port 25 Inbound to Exchange on-premises||No||No||Yes||No||Yes|
|TCP Port 25 Outbound to Exchange Online Protection||No||No||Yes||No||Yes|
|TCP Port 80 Outbound for Certificate Revocation Check||Yes||Yes||Yes||Yes||Yes|
|Third-Party Certificate Required- Autodiscover/Transport/EWS for Exchange On-Premises, Exchange Server 2013/2016/2019||Yes||Yes||Yes||Yes for Autodiscover if needed, No for Hybrid Agent||Yes for Autodiscover and Transport if needed, No for Hybrid Agent|
|Exchange Server Edge 2013/2016/2019 with Edge Sync and Edge Third-Party Certificate for Transport Option, TCP Port 25 in/out at network egress||No||No||Yes||No||Yes|
|Exchange Server Edge 2013/2016/2019 without Edge Sync and Edge Third-Party Certificate for Transport Option, TCP Port 25 in/out at network egress||No||No||No||No||No|
Depending on the your topology and configuration, you may still need to publish Autodiscover records in external DNS or open TCP Port 25 inbound and outbound to your Exchange environments for other reasons, such as Exchange Active Sync Clients using the legacy mail client in Android or iOS (although we highly recommend Microsoft Outlook for iOS and Android as the mobile messaging application). Another reason might be using a feature like Exchange Server Hybrid Modern Authentication. Make sure to review the limitations of the hybrid agent and modern hybrid topology covered in the article Microsoft Hybrid Agent.
 The Hybrid Configuration Wizard will provide the foundational components to prepare the environment for Hybrid Modern Authentication. The additional steps needed to complete the process for Hybrid Modern Authentication are located here.