Before you begin


Configuring a hybrid deployment in your organization provides many benefits. However, to enjoy those benefits, you'll need to first do some careful planning. Before you go any further with the Deployment Assistant, we urge you to review this entire topic to make sure that you fully understand how configuring a hybrid deployment could affect your existing network and Exchange organization.

Important

To successfully configure your organization for a hybrid deployment, you need to sign up for Office 365 using a supported subscription plan. We’ll give you instructions to sign up for Office 365 later in the checklist.

What is a hybrid deployment?

In the Deployment Assistant, a hybrid deployment is when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

  • Secure mail routing between the on-premises and Exchange Online organizations.

  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.

  • A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.

  • Free/busy calendar information sharing between the organizations.

  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.

  • A single Outlook on the web URL for both the organizations.

  • Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).

  • The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.

  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).

  • Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.

  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment. Learn more about Exchange Online Archiving at Microsoft Office 365 Additional Services.

Hybrid deployment components

A hybrid deployment involves several different services and components:

  • Exchange 2016 servers   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365. For example, if the current release of Exchange 2016 is Cumulative Update 10, only that release, and Cumulative Update 9, are supported.

  • Office 365   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans. Office 365 Business and Office 365 Home plans don’t support hybrid deployments.

  • Hybrid Configuration wizard   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.

    Learn more at: Hybrid Configuration wizard

  • Azure AD authentication system   The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2016 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system. The federation trust is created by the Hybrid Configuration wizard as part of configuring a hybrid deployment. A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.

    Learn more at: Azure AD authentication system

  • Azure Active Directory synchronization   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.

    Learn more at: Azure AD Connect - Overview

Hybrid deployment example

Take a look at the following scenario. It's an example topology that provides an overview of a typical Exchange 2016 deployment. Contoso, Ltd. is a single-forest, single-domain organization with two domain controllers and one Exchange 2016 server installed. Remote Contoso users use Outlook on the web to connect to Exchange 2016 over the Internet to check their mailboxes and access their Outlook calendar.

On-premises Exchange deployment before hybrid deployment with Office 365 is configured

Let's say that you’re the network administrator for Contoso, and you’re interested in configuring a hybrid deployment. You deploy and configure a required Azure AD Connect server and you also decide to use the Azure AD Connect password synchronization feature to let users use the same credentials for both their on-premises network account and their Office 365 account. After you complete the hybrid deployment prerequisites and use the Hybrid Configuration wizard to select options for the hybrid deployment, your new topology has the following configuration:

  • Users will use the same username and password for logging on to the on-premises and Exchange Online organizations (“single sign-on”).

  • User mailboxes located on-premises and in the Exchange Online organization will use the same email address domain. For example, mailboxes located on-premises and mailboxes located in the Exchange Online organization will both use @contoso.com in user email addresses.

  • All outbound mail is delivered to the Internet by the on-premises organization. The on-premises organization controls all messaging transport and serves as a relay for the Exchange Online organization (“centralized mail transport”).

  • On-premises and Exchange Online organization users can share calendar free/busy information with each other. Organization relationships configured for both organizations also enable cross-premises message tracking, MailTips, and message search.

  • On-premises and Exchange Online users use the same URL to connect to their mailboxes over the Internet.

On-premises Exchange deployment after hybrid deployment with Office 365 is configured

If you compare Contoso's existing organization configuration and the hybrid deployment configuration, you'll see that configuring a hybrid deployment has added servers and services that support additional communication and features that are shared between the on-premises and Exchange Online organizations. Here's an overview of the changes that a hybrid deployment has made from the initial on-premises Exchange organization.

Configuration: Mailbox location
  Before hybrid deployment: Mailboxes on-premises only.
  After hybrid deployment: Mailboxes on-premises and in Office 365.

Configuration: Message transport
  Before hybrid deployment: On-premises Mailbox servers handle all inbound and outbound message routing.
  After hybrid deployment: On-premises Mailbox servers handle internal message routing between the on-premises and Office 365 organizations.

Configuration: Outlook on the web
  Before hybrid deployment: On-premises Mailbox servers receive all Outlook on the web requests and display mailbox information.
  After hybrid deployment: On-premises Mailbox servers redirect Outlook on the web requests to either on-premises Exchange 2016 Mailbox servers or provide a link to log on to Office 365.

Configuration: Unified GAL for both organizations
  Before hybrid deployment: Not applicable; single organization only.
  After hybrid deployment: On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to Office 365.

Configuration: Single sign-on used for both organizations
  Before hybrid deployment: Not applicable; single organization only.
  After hybrid deployment: On-premises Active Directory and Office 365 use the same username and password for mailboxes located either on-premises or in Office 365.

Configuration: Organization relationship established and a federation trust with the Azure AD authentication system
  Before hybrid deployment: Trust relationship with the Azure AD authentication system and organization relationships with other federated Exchange organizations may be configured.
  After hybrid deployment: Trust relationship with the Azure AD authentication system is required. Organization relationships are established between the on-premises and Office 365 organizations.

Configuration: Free/busy sharing
  Before hybrid deployment: Free/busy sharing between on-premises users only.
  After hybrid deployment: Free/busy sharing between both on-premises and Office 365 users.

Things to consider before configuring a hybrid deployment

Now that you're a little more familiar with what a hybrid deployment is, you need to carefully consider some important issues. Configuring a hybrid deployment could affect multiple areas in your current network and Exchange organization.

Directory synchronization and single sign-on

Active Directory synchronization between the on-premises and Office 365 organizations, which is performed every 30 minutes by a server running Azure Active Directory Connect, is a requirement for configuring a hybrid deployment. Directory synchronization enables recipients in either organization to see each other in the global address list. It also synchronizes usernames and passwords which enables users to log in with the same credentials in both your on-premises organization and in Office 365. We'll show you how to set up Azure AD Connect later in the checklist.

Even though you've chosen to configure Azure AD Connect with AD FS, usernames and passwords of on-premises users will still be synchronized to Office 365 by default. However, users will authenticate with your on-premises Active Directory via AD FS as their primary method of authentication. In the event AD FS can't connect to your on-premises Active Directory for any reason, clients will attempt to fall back and authenticate against usernames and passwords synchronized to Office 365.

All customers of Azure Active Directory and Office 365 have a limit of 50,000 objects (users, mail-enabled contacts, and groups) by default. This limit determines how many objects you can create in your Office 365 organization. When you verify your first domain, this object limit is automatically increased to 300,000 objects. If you have verified a domain and need to synchronize more than 300,000 objects or you do not have any domains to verify, and need to synchronize more than 50,000 objects, you will need to contact Azure Active Directory Support to request an increase to your object quota limit.

In addition to a server running Azure AD Connect, you'll also need to deploy a web application proxy server. This server should be placed in your perimeter network and will act as an intermediary between your internal Azure AD Connect server and the Internet. The web application proxy server needs to accept connections from clients and servers on the Internet using TCP port 443.

Hybrid deployment management

You manage a hybrid deployment in Exchange 2016 via a single unified management console that allows for managing both your on-premises and Exchange Online organizations. The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, allows you to connect and configure features for both organizations. When you run the Hybrid Configuration wizard for the first time, you will be prompted to connect to your Exchange Online organization. You need to use an Office 365 account that is a member of the Organization Management role group to connect the EAC to your Exchange Online organization.

Certificates

Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment. They help to secure communications between the on-premises hybrid server and the Exchange Online organization. Certificates are a requirement to configure several types of services like AD FS (if you're deploying it), Outlook on the web and Exchange ActiveSync, secure mail flow, and so on. You may have to purchase additional certificates that include additional domains from a trusted third-party certificate authority (CA).

Learn more at: Certificate requirements for hybrid deployments

Bandwidth

Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Office 365 organization. This is particularly true when moving mailboxes from your on-premises Exchange 2016 server to the Office 365 organization. The amount of available network bandwidth, in combination with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves. Additionally, other Office 365 services, such as SharePoint Online and Skype for Business Online, may also affect the available bandwidth for messaging services.

Before moving mailboxes to Office 365, you should:

  • Determine the average mailbox size for mailboxes that will be moved to Office 365.

  • Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.

  • Calculate the average expected transfer speed, and plan your mailbox moves accordingly.

Learn more at: Networking
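The three planning steps above can be carried through as a calculation. The following calculator is an added example for this checklist, not code from the Deployment Assistant or from Microsoft: it takes the average mailbox size, the measured Internet throughput and the number of moves you run in parallel, and turns them into an expected transfer speed, a total transfer time and a batch schedule that fits a daily migration window. Every number in SAMPLE_PLAN is a constructed value; the per-move throughput ceiling and the share of the uplink left over for messaging after other Office 365 services are modelling assumptions, not figures from the page.

```python
"""Mailbox-move planning calculator (added example, not the page's own code)."""
from dataclasses import dataclass


@dataclass
class MovePlan:
    mailbox_count: int          # mailboxes to move
    avg_mailbox_gb: float       # step 1: average mailbox size (decimal GB)
    uplink_mbps: float          # step 2: measured upload throughput to the Internet
    messaging_share: float      # assumption: fraction of the uplink not used by other Office 365 services
    parallel_moves: int         # concurrent move requests in a migration batch
    per_move_mbps: float        # assumption: throughput ceiling of a single move request
    window_hours: float         # length of the daily migration window


def aggregate_mbps(plan: MovePlan) -> float:
    """Step 3: expected transfer speed. Adding parallel moves helps only until
    the uplink share reserved for messaging is saturated."""
    return min(plan.parallel_moves * plan.per_move_mbps,
               plan.uplink_mbps * plan.messaging_share)


def transfer_hours(gigabytes: float, mbps: float) -> float:
    """Hours needed to push `gigabytes` at `mbps` (1 GB = 8000 megabits, decimal units)."""
    return gigabytes * 8000 / mbps / 3600


def total_hours(plan: MovePlan) -> float:
    """Wall-clock transfer time for the whole migration at the aggregate speed."""
    return transfer_hours(plan.mailbox_count * plan.avg_mailbox_gb, aggregate_mbps(plan))


def mailboxes_per_window(plan: MovePlan) -> int:
    """How many average-sized mailboxes fit into one migration window."""
    gb_per_window = aggregate_mbps(plan) * plan.window_hours * 3600 / 8000
    return int(gb_per_window // plan.avg_mailbox_gb)


def batch_schedule(plan: MovePlan) -> list[int]:
    """Batch sizes, one per window, until every mailbox has been moved."""
    per_window = mailboxes_per_window(plan)
    if per_window < 1:
        raise ValueError("one average mailbox does not fit in a window; "
                         "widen the window or raise the messaging share")
    batches, remaining = [], plan.mailbox_count
    while remaining > 0:
        size = min(per_window, remaining)
        batches.append(size)
        remaining -= size
    return batches


# Constructed sample values, not measurements from any real organization.
SAMPLE_PLAN = MovePlan(mailbox_count=500, avg_mailbox_gb=2.0, uplink_mbps=100.0,
                       messaging_share=0.5, parallel_moves=10, per_move_mbps=8.0,
                       window_hours=8.0)

if __name__ == "__main__":
    print(f"effective transfer speed: {aggregate_mbps(SAMPLE_PLAN):.0f} Mbps")
    print(f"total transfer time:      {total_hours(SAMPLE_PLAN):.1f} h")
    print(f"mailboxes per window:     {mailboxes_per_window(SAMPLE_PLAN)}")
    print(f"batch schedule:           {batch_schedule(SAMPLE_PLAN)}")
```

With the sample values the ten parallel moves could carry 80 Mbps, but only 50 Mbps of the uplink is left for messaging, so the migration is bandwidth-bound: 1,000 GB takes about 44 hours, which is six 8-hour windows of 90 mailboxes each plus a final batch of 50. Replace the sample figures with your own measured throughput and mailbox statistics before committing to a schedule.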

Mail flow

Important

Don't place any servers, services, or devices between your on-premises Exchange servers and Office 365 that process or modify SMTP traffic. Secure mail flow between your on-premises Exchange organization and Office 365 depends on information contained in messages sent between the organizations. Firewalls that allow SMTP traffic on TCP port 25 through without modification are supported. If a server, service, or device processes a message sent between your on-premises Exchange organization and Office 365, this information is removed. If this happens, the message will no longer be considered internal to your organization and will be subject to anti-spam filtering, transport and journal rules, and other policies that may not apply to it.

For more information, see Transport options in Exchange hybrid deployments.

Organization Policies

When you run the Hybrid Configuration Wizard, you can choose whether it should copy over organization-wide policies from your on-premises organization to Office 365. The wizard can copy Retention policies, Retention policy tags, OWA Mailbox policies, and Mobile Device Mailbox policies.

Note

Policies other than the ones listed above aren't copied by the wizard and need to be copied to Office 365 manually. For a list of policies and attributes copied by the wizard, see Organization Configuration Transfer Attributes.

When the wizard copies policies to Office 365, it'll check to see if a policy with the same name already exists there. If a policy does exist, the wizard won't copy the version from your on-premises organization. For example, if you already have an OWA Mailbox policy named "Executive Users" in Office 365, the wizard won't copy the "Executive Users" OWA Mailbox policy from your on-premises organization. You'll need to either rename the policy in Office 365 or manually configure the "Executive Users" OWA Mailbox policy in Office 365. This includes any default policies that already exist in Office 365.

Some policy settings in Office 365 can't be changed, even if they can be in an on-premises organization. If the wizard tries to copy a setting to Office 365, and the policy setting in Office 365 is read-only, the on-premises value won't be copied.
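The two rules above (a policy whose name already exists in Office 365 is not copied, default policies included, and a read-only setting keeps the Office 365 value) can be checked before the wizard runs. The pre-flight below is an added example for this checklist, not code from the Hybrid Configuration wizard or from Microsoft: it models the copy against a snapshot of both organizations and reports which on-premises policies need renaming or manual configuration and which settings will keep the service's value. The policy names, their settings and the READ_ONLY table are constructed sample data; the page does not say which settings Office 365 actually makes read-only, so that table is an assumption you would fill in from your own tenant.

```python
"""Pre-flight for the Hybrid Configuration wizard's policy copy (added example)."""
from copy import deepcopy

# Constructed on-premises policies, keyed by policy type and then policy name.
ON_PREM = {
    "OwaMailboxPolicy": {
        "Executive Users": {"ActiveSyncIntegrationEnabled": True, "InstantMessagingEnabled": True},
        "Contractors": {"ActiveSyncIntegrationEnabled": False, "InstantMessagingEnabled": False},
    },
    "RetentionPolicy": {
        "Default MRM Policy": {"RetentionPolicyTagLinks": ["Deleted Items", "Junk Email"]},
        "Legal Hold Users": {"RetentionPolicyTagLinks": ["Never Delete"]},
    },
    "MobileDeviceMailboxPolicy": {
        "Field Staff": {"PasswordEnabled": True, "AllowSimplePassword": False},
    },
}

# Constructed Office 365 tenant state before the wizard runs. Note the default
# policies that are present from the start; they collide like any other name.
OFFICE_365 = {
    "OwaMailboxPolicy": {
        "OwaMailboxPolicy-Default": {"ActiveSyncIntegrationEnabled": True, "InstantMessagingEnabled": True},
        "Executive Users": {"ActiveSyncIntegrationEnabled": True, "InstantMessagingEnabled": False},
    },
    "RetentionPolicy": {
        "Default MRM Policy": {"RetentionPolicyTagLinks": ["Deleted Items"]},
    },
    "MobileDeviceMailboxPolicy": {},
}

# Assumption for the example: settings Office 365 treats as read-only, mapped
# to the value the service enforces. Take the real list from your tenant.
READ_ONLY = {("OwaMailboxPolicy", "InstantMessagingEnabled"): True}


def plan_policy_copy(on_prem, cloud, read_only):
    """Return (report, resulting Office 365 state) without modifying the inputs."""
    report = {"copied": [], "skipped_existing_name": [], "read_only_kept": []}
    result = deepcopy(cloud)
    for ptype, policies in on_prem.items():
        target = result.setdefault(ptype, {})
        for name, settings in policies.items():
            if name in target:
                # Rule 1: same name already in Office 365 -> on-premises version is not copied.
                report["skipped_existing_name"].append((ptype, name))
                continue
            copied = {}
            for key, value in settings.items():
                if (ptype, key) in read_only:
                    # Rule 2: read-only in Office 365 -> the service's value wins.
                    copied[key] = read_only[(ptype, key)]
                    report["read_only_kept"].append((ptype, name, key))
                else:
                    copied[key] = value
            target[name] = copied
            report["copied"].append((ptype, name))
    return report, result


if __name__ == "__main__":
    report, after = plan_policy_copy(ON_PREM, OFFICE_365, READ_ONLY)
    for ptype, name in report["skipped_existing_name"]:
        print(f"rename or configure manually: {ptype} '{name}' already exists in Office 365")
    for ptype, name, key in report["read_only_kept"]:
        print(f"Office 365 value kept (read-only): {ptype} '{name}' -> {key}")
    for ptype, name in report["copied"]:
        print(f"will be copied: {ptype} '{name}'")
```

Running the sample flags "Executive Users" and "Default MRM Policy" as name collisions, so the on-premises versions of those two would be silently left out by the wizard, and shows that the "Contractors" policy reaches Office 365 with InstantMessagingEnabled set to the service's value rather than the on-premises one. Running this kind of comparison against exported policy lists before the wizard is cheaper than discovering the gaps in the tenant afterwards.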

Unified Messaging

Unified Messaging (UM) is supported in a hybrid deployment between your on-premises and Office 365 organizations. Your on-premises telephony solution must be able to communicate with Office 365. This may require that you purchase additional hardware and software.

If you want to move mailboxes from your on-premises organization to Office 365, and those mailboxes are configured for UM, you should configure UM in your hybrid deployment prior to moving those mailboxes. If you move mailboxes before you configure UM in your hybrid deployment, those mailboxes will no longer have access to UM functionality.

Learn more at: Plan for UM Coexistence

Information Rights Management

Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. AD RMS templates can help prevent information leakage by allowing users to control who can open a rights-protected message, and what they can do with that message after it's been opened.

IRM in a hybrid deployment requires planning, manual configuration of the Office 365 organization, and an understanding of how clients use AD RMS servers depending on whether their mailbox is in the on-premises or Exchange Online organization.

Learn more at: IRM in Exchange hybrid deployments

Mobile devices

Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on your existing servers, they’ll continue to redirect requests from mobile devices to mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Office 365, Exchange ActiveSync profiles will automatically be updated to connect to Office 365 on most phones. All mobile devices that support Exchange ActiveSync should be compatible with a hybrid deployment.

Learn more at: Mobile Phones

Client requirements

We recommend that your clients use Outlook 2016 or Outlook 2013 for the best experience and performance in the hybrid deployment. Pre-Outlook 2010 clients aren't supported in hybrid deployments or with Office 365.

Licensing for Office 365

To create mailboxes in, or move mailboxes to, Office 365, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365, you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in Office 365 must have a license.

Antivirus and anti-spam services

Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. You may need to purchase additional EOP licenses for your on-premises users if you chose to route all incoming Internet mail through the EOP service. We recommend that you carefully evaluate whether the EOP protection in your Office 365 is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your organization.

Learn more at: Anti-spam and anti-malware protection

Public folders

Public folders are supported in Office 365, and on-premises public folders can be migrated to Office 365. Both on-premises and Office 365 users can access public folders located in either organization using Outlook on the web, Outlook 2016, Outlook 2013, or Outlook 2010 SP2 or newer. Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.

Learn more at: Public folders

Accessibility

For information about keyboard shortcuts that may apply to the procedures in this checklist, see Keyboard shortcuts in the Exchange admin center.