In the last part of this series we looked at preparing for Hybrid deployment with Office 365. In this article we’re going to create the Hybrid configuration between the on-premises Exchange organization and the Office 365 tenant.

The current on-premises environment is running:

  • 2 x Exchange 2016 Mailbox servers
  • 1 x Exchange 2013 multi-role server
  • 1 x Exchange 2013 Edge Transport server
  • 1 x Exchange 2010 multi-role server

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

[PS] C:\>Get-WebServicesVirtualDirectory | fl server,mrs*

Server          : EX2013SRV1
MRSProxyEnabled : True

Server          : EX2010SRV1
MRSProxyEnabled : True

Server          : EX2016SRV1
MRSProxyEnabled : False

Server          : EX2016SRV2
MRSProxyEnabled : False

The servers can be MRS Proxy enabled by running Set-WebServicesVirtualDirectory.

[PS] C:\>Get-WebServicesVirtualDirectory -ADPropertiesOnly | Where {$_.MRSProxyEnabled -ne $true} | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true

The Hybrid Configuration Wizard is launched from the Exchange Admin Center, in the hybrid section.


After clicking enable we need to sign in to the Office 365 tenant with a global admin account.


We’re directed to download the Hybrid Configuration Wizard tool. Click on the click here link to download it.


Follow the prompts to install the application.


When the Hybrid Configuration Wizard launches, click Next to begin.


The HCW will detect a server to use automatically, or you can specify one if you need to.


Enter credentials for both the on-premises organization and the Office 365 tenant.


When the connections and credentials have been successfully validated, click Next to continue.


For my scenario I’ll be using the Edge Transport server for secure mail flow, and not enabling centralized mail transport.


There is only one Edge Transport to choose in my environment.


Next we choose a reference server, and then an SSL certificate on that server, to use for secure mail flow.


Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.


After entering all of the information in the wizard click Update to configure and enable Hybrid for your organization. The configuration takes just a few moments as long as there are no errors encountered.

In the next part of this series we’ll look at testing the features of the Hybrid configuration.

[adrotate banner=”50″]

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. mihalevskiy


    Are you using the same certificate for mailbox server and edge for SMTP ?

    In that case you cannot re-subscribe the edge.

    You have to buy an additional certificate for edge.

    Or am I wrong ?

  2. Natarajan

    I have mixed environment
    1. Six 2010 exchange servers
    2. Four 2016 exchange servers
    3. O365 mailboxes.
    Recently updated CU20 in 2016 servers, now users in 2010 can’t see O365 users free busy information.

    O365 users can access all users freebusy information.
    Exchange 2016 users can access O365 users freebusy information.
    Exchange 2010 users can access Exchange 2016 users freebusy information.

    Exchange 2016 servers acts as a proxy server for Exchange 2010 users to get O365 users freebusy information.

    Received following error message in Exchange 2010 servers:

    ProxyWebRequest CrossSite from S-1-5-21-…….. to https://domainname/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The request failed with HTTP status 400: Bad Request.

    Exchange 2016 Server HTTPProxy has Badrequest error.
    Could you help
    Thank you

    1. Mars

      We have identically the same issue.
      Does someone have a solution ?

    2. Imran

      The best place to find what has caused the failure is to check the hybrid logs, which is available under Hybrid Configuration Folder located under C Drive.

  3. TankAdmin

    Hi Paul,
    Exchange HCW8078 – Migration Endpoint could not be created.

    Error details: There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. –> Unable to connect to the remote server –> No connection could be made because the target machine actively refused it

  4. Jerry

    Hello Paul,

    Thank for this great posting. I wanted to know if you can clarify the following: We have a hybrid setup from Exchange 2010 to Office 365. Can user use their mailbox (send and receive emails) during the sync process? I was led to believe yes, but we don’t?
    Can you let me know.


  5. Tom

    If I need to change the FQDN on O365 for mailbox migrations and for EWS virtual directory On-Prem, do I have to run the HCW again?

  6. Tamil Selvan

    Hi Paul,

    We are already in O365, planning to install On-Prem Exch 2016 (2 Mailbox and 1 Edge )

    1. When External Mail flow Happens from O365, how the ATP works for On-prem mailbox.

    2. is there a any impact to the outlook configured users if i newly install On-Prem Exchange?

    Please answer

  7. endrio milani

    HI, CAN I HAVE MORE THAN ONE EDGE SERVER CONFIGURED ON HYBRID CONFIGURATION ? Third party edge transport… I need to manage some users with one external edge transport and others with another external edge transport .

  8. Chris

    I’m doing migration from 2010 to 2016 following your article. I’m using wildcard certificate and going through the HCW option without selecting transport option s exchange 2016 doesn’t have one…it’s very strange that our on prem mailbox unable receive emails from external after that. Everything works fine except on prem mailbox.

    MX record is fine and mail trace indicating the message already sent but the mailbox never receive any emails at all from external. Care to advise me further?

  9. John Smith

    Hi Paul,
    How to remove the Hybrid configuration and decommission the on-prem exchange?
    All mailboxs have been moved to Office 365 and on-prem exchange is no longer needed

  10. John Smith

    Hi Pual,
    How to remove the Hybrid configuration and decommission the on-prem exchange?
    All mailboxes have been transferred to Office 365 and on-prem exchange is no longer needed

  11. ManhVD

    What happen when i have 3 CAS server, HCW will detect which server to install ?

  12. Vladimir

    Hi Paul,

    Thank you for this article!

    Can I ask you one thing regarding FQDN. In our organization, we have Edge transport log. When I am running the hybrid wizard, should I specify external DNS record of edge server as an FQDN?

    Thank you in advance!


    1. Dave

      What did you end up doing Vladimir? We’re in the same boat.

  13. Shashank

    Hi Paul,

    Great Article !!

    We have 2 Exchange Mailbox servers, 1 CAS server, 1 Edge server. Our MX is pointed to Sophos antispam email device.
    Mail first hits the Sophos antispam device, then goes to the edge then the CAS.

    Now I have the SSL certificate and installed it on all my servers, ran the Hybrid configuration wizard, at the last step where it asks for the FQDN address, I have added the CAS servers FQDN address i.e. as the is our MX pointing and that is at Sophos, please do correct me if I am wrong ?
    Also now when I check the outbound connector setup on Office365 and validate it, it gives me an eror:

    TLS authentication failed.

    Couldn’t validate the recipient’s email server certificate.

    The SSL certificate is installed on Edge server with SMTP binding as well as on CAS & mailbox servers. This is where we are stuck. Would be great if you could guide me a little.


    1. Jesus

      We’re you able to find an answer?

    2. Lionel Shaul

      I am submitting a late reply becuase it may help others. I just successfully completed the minimal HCW setup. Before running the wizard I ensured the MRS Proxy was enabled. I also ensured that TLS v1.2 was configured on my Exchange 2016 server as the preferred protocol as per:

      I did not disable TS 1.0 or TLS 1.1 since the on-premises Exchange 2016 server will be decommissioned in a few weeks.

  14. Tej

    Hi Paul,

    our current on-premises environment is running:
    2 x Exchange 2010 SP3 RU20 Mailbox servers in DAG
    1 x Exchange 2010 SP3 RU20 multi-role server ( CS & HT)
    1 x Exchange 2010 SP3 RU20 Edge Transport server

    Today I run latest HCW and can’t find “Configure my edge transport server for secure mail transport” option to select my Exchange 2010 Edge Transport server as Secure mail transport.

    What configuration I am missing on-premise which prevent this option on HCW.

    Appreciate for any help in advance.


  15. Allan Saul

    Hi Paul,

    Can you undo a Hybrid configuration if it fails ?
    If so how.

    1. kofi

      Hi Allan

      Yes just uninstall all the apps you used to perform the migration: Hybrid Wizard and delete 365 connection in on premise send connector

  16. John Stansell

    Does anyone know if having a 3rd party relay will affect the ability to complete the Hybrid connection? We currently use Symantec as an AV and SPAM scanner so our MX records point to them first.

    1. Will

      It won’t affect running the HCW… however, mail flow to / from O365 cannot go via this 3rd party gateway.
      ( – see “IMPORTANT” notice at top of the article)

      Normal inbound / outbound internet email is perfectly fine to remain going over this appliance, however mail to / from O365 cannot go over this appliance. When you run the HCW you have to enter an FQDN for smart host as the last step… that FQDN cannot point to your third party appliance and must go to an Exchange server (or Edge) server without the SMTP headers being modified.

    2. Will

      It won’t affect running the HCW, however it is not supported for that appliance to be ‘in the way’ of mail flow between O365 and on-premises. (

      When you run the HCW you’re asked for an FQDN as the last step. This FQDN is what O365 will use as a smart host for mail to / from on-premises, it needs to be an Exchange Server or Edge Transport server (Load balancer for SMTP is possible, provided along the way the SMTP headers aren’t modified).

  17. Lee

    Can we run Exchange 2010 and 2016 on-prem and establish a hybrid presence to Exchange Online. We wish to use centralised mail routing along and ADFS. Will Exchange 2010 proxy free/busy requests etc via 2016 frontend servers to Exchange online?

  18. jim bailey

    Does the Office 365 hybrid configuration wizard need to be run on an exchange server, can it be run on an DC server for example?

    1. Will

      It doesn’t have to be run from the Exchange server, it can be run from a client machine for example, provided the correct access to exchange is available.

      I would recommend you don’t run the HCW from your DC though. You shouldn’t be running anything like this from your DC. Create a management workstation / server if you must have a central location to do this sort of thing.

  19. Felipe Cesar Cardoso

    During the wizard, when I select Edge Transport Server, Do I need to select the self-signed certificate? Or I Need to select a third party certificate for the external name of the Edge Server (Ex.:

    As I select the Edge Server choice, In the “Organization FQDN” screen, Do I need to type the external name of Edge Server (Ex.:

  20. Rizwan

    Hi Paul,
    I have configured Hybrid with Exchange 2016 server, AD users synchronizing with Office 365.
    I moved some Mailboxes from Onpremise Exchange to Office 365 cloud.
    Currently I’m sending my email to internet from my barracuda appliance.
    Now I want to send all outbound emails form my Exchange 2016 to Internet via office 365 to utilized EOP.
    Once I have created one send connector on my onpremise Exchange server and defined smart host of Office 365 “” and in Fully Qualified Domain Name (FQDN), enter an asterisk (*), and then click Save.
    we started receiving the below message when sending to some external users.

    Delivery has failed to these recipients or groups: (
    Unable to relay due to relay restriction
    The following organization rejected your message:

    Diagnostic information for administrators:
    Generating server:
    Remote Server returned ‘550 5.7.64 TenantAttribution; Relay Access Denied [VE1EUR01FT051.eop-

    Once Barracuda was back online and we changed all setting back to normal, mail flowed correctly.

  21. Eddie

    Hi Paul,

    We have no Edge server and a TrendMicro IMSVA acting as a smarthost. To send mail from on-premises to O365 the TrendMicro IMSVA is not supported. What would be a supported way to send mail from on-premises to O365?

    1. Avatar photo
      Paul Cunningham

      Exchange and Exchange Online need to be able to communicate directly for mail flow. Simple as that really. The Hybrid Configuration Wizard will configure the required connectors for you.

  22. Abraham

    Hi Paul,

    I would like to setup Exchange 2013 Hybrid. We have two servers with both mailbox and CAS role with KEMP loadbalancer. What I understand is we can’t add KEMP loadbalancer in the mailflow routing. Could you please help me with the configuration here? How do I setup Hybrid now?

    1. Avatar photo
      Paul Cunningham

      NAT the inbound connections from Exchange Online directly to an Exchange server, not via the load balancer.

  23. PaulH

    Paul, if you are migrating 10K’s mailboxes using a hybrid configuration, do you need to configure multiple endpoints and split the batches across them or will a single endpoint distribute the batches as required?

    We have exchange servers in 3 regions but a single org.


  24. avi

    I am in a situation where we will run the Hybrid environment (Hybrid wizard) but we dont have any external url published apart from the active sync.So if we publish owa url externally.Can we use the same name to the FQDN that i need to pur in hybrid wizard ?
    When i need to put the send/receive connector to the wizard,do i need to select the internal exchange server name (multi role)which should have public nated IP.Do we need any external URL for the same ?

    so certificate contains which SAN entry ?

  25. Aldo

    For mailflow from Office 365 to an on-premise server can an load balancer be used to have multiple servers for high availability ? Is there any specific settings on load balancer that would be needed say for F5 or does this require a persistent connection

  26. SamB

    Speaking of Hybrid Configuration, I currently have exchange 2010 and 2016. Originally Hybrid Configuration was done on 2010. Recently installed 2016. I’m trying to figure out whats the best way to move the Hybrid Configuration from 2010 to 2016.

    Any help be great.

    Thank You

    1. Avatar photo
      Paul Cunningham

      Short answer for any change in topology or internal infrastructure like that is to re-run the HCW.

      1. SamB

        Thanks, will be testing it sometimes this week.

  27. Garrett Michael Hayes

    Great run-through as usual!
    (Apologies if this is duplicated – I tried to post Friday, but it doesn’t seem to have appeared.)

    I’m struggling with a couple of points, and hoping you can point me in the right direction. Let me give some details, and then pose some questions.

    I have 3 Exchange 2010 servers, SP3, RU18 on 2008 R2E. 2 Are running DB, CAS, Transport in a DAG. 1 is DB only.
    SMTP inbound is fronted by a Barracuda Spam Firewall for all but 1 domain. The remaining domain is passed through our firewall straight to the 2 transport servers, but limited as to the source IPs. I have added the EOP source IPS so we can target the Exchange Online traffic there.
    OWA is accessed through TMG.
    Multiple accepted domains (about 30). Only 2 have Autodiscovery configured, as they are the only two through which users currently log on.
    Azure AD sync is already running.

    Running the Hybrid Configuration Wizard fails at setting up the Federated Trust. Ownership records verify OK. It appears to set up Federation for 1st domain, but fails on the 2nd. I unchecked that 2nd domain and ran again, but that fails with an error that the first is already set up (which it was, of course).

    1) Do I need to set up Autodiscovery for all the accepted domains, even though users don’t log on using those names?
    2) Can I safely remove the partial Federation set up for the first domain? (I presume that would be through the CLI?)

    1. Avatar photo
      Paul Cunningham

      It’s hard to troubleshoot complex scenarios without access to the environment, and I also don’t know what error you’re seeing when the HCW runs. I would suggest you open a support case with Microsoft so they can see the problem first hand.

      1. Garrett Michael Hayes

        I would cheerfully give you access to the environment! But point taken. Thanks anyway!

        1. Garrett Michael Hayes

          For the benefit of anyone else who runs into this, here’s the resolution, which we actually found without recourse to M$.

          It turns out that the initial HCW step which “verifies” the existence of the TXT records on each domain before setting up the Federation trusts doesn’t (apparently) FULLY verify the record. What was going on was that the TXT record for the first domain (the one that worked) was correct, while the next domain’s TXT record had a LF at the end – as did about 4/5ths of the records. This was an artifact of the cut-and-paste process from the text file supplied by Microsoft.

          “Dig txt” showed it when it wasn’t obvious in the UI of the DNS host.

          We removed the LFs from the offending records and the setup continued just fine.

          1. Garrett Michael Hayes

            I’m sure you thought you were rid of me [grin], but I have another question – hopefully not too complex.

            We’re able to migrate mailboxes now, but it’s very slow. I’m sure this is largely because the URL for the MRS proxy points to our TMG server on a slow (10 Mb) channel. So we’re using a slow link with a feeble old machine in the way. I have a couple of existing URLs that point directly to our two CAS/OWA servers through a limited-access firewall hole on a 100 Mb connection. I have verified that the O365 servers can move mail pieces between the cloud and the on-prem servers over that channel. It’s just not using it for the mailbox moves.

            So here’s the question:
            If I change the external URL for the MRS Proxy on each Exchange server to the corresponding address on the main firewall, is anything OTHER than mailbox replication affected? I won’t screw up OWA or ActiveSync will I?
            (Oh, related 2nd question – can I define more than one endpoint at O365?)

          2. Garrett Michael Hayes

            Wow! Thanks. TONS of great info there. Alternate endpoints working just fine now. (Of course, it only took me an entire day to find the one typo in my ACL… [le sigh])

  28. Djam

    Hi, very good explication!

    I’ve 2 questions:
    – you say ” those servers will be internet-facing for the Hybrid configuration” about “the Exchange 2016 Mailbox servers”. Maybe this a DAG (?) as you deals with load balancer. But in the HCW, we see that only one server of the 2 exchnage 2016 is configure. So about if this server will be down ? and is it possible to add the two Exchange servers?

    – My other question do you have test add a hybrid server on existing tenant office 365 that use AADC ? In particulary, do we see the existing o365 mailbox as remote mailbox or we have to do something ( enable remotemailbox for have the good attribute ?)

    Thanks for all! 😉

    1. Avatar photo
      Paul Cunningham

      For question 1, I had two servers load balanced for HTTPS traffic, so any HTTPS connections for Hybrid (e.g. migrations, free/busy) would still work with one server offline.

      But I only have one Edge Transport in that environment, so for SMTP traffic/mail flow if that server is down then hybrid mail flow would stop.

      For question 2, I don’t understand your question. It sounds like you have a particular scenario in mind and want to test it. You should set up an test Exchange environment and a trial Office 365 tenant and run through your scenario so you can test what you’re interested in. That is the best way to ensure that what you experience is well understood and aligns with your needs.

  29. Rae

    Hi paul,

    What apps can be lost when building a Hybrid configuration of Exchange 2010?

  30. Dev

    Hi Paul,

    Nice Article.

    I have single exchange server with CA and MB role installed. I am in the process of building the Hybrid setup to move it to office 365. During the hybrid setup wizard, do i need to select “centralized mail transport” option for typical setup. I dont have edge.

    And the Organization FQDN, how do i get it. its my ECP URL?

    Above all, doing hybrid setup will it create any disturbance in current exchange setup or mail flow ? please help

  31. Mike S

    I may have missed something but what if you don’t need any mail flow between your on prem server and O365 and are just using Exchange 2016 for management? Are the steps different?

  32. Pascal

    Hi Paul,

    Seems like you have a good grip on this stuff – wondering if you have seen anything like this before. When running the Hybrid Configuration Wizard, we are selecting full hybrid. Everything is good with adding TXT entries to verify our domains, and then it just freezes saying “Adding Federated Domain”. In the logs, errors point to receiving an html file when an xml file was expected from a server, but it is not clear where it is connecting to – I believe the Microsoft Federation Gateway. The error is basically just an html webpage saying that the error can’t be reported remotely and to check the web.config errors on the server (yea, what server?).

    We’ve tried changing time settings, making sure MRS Proxy is on, lots of other things. We are on Exchange 2013. Is it possible this error is caused by a firewall or a proxy? I would expect that to not even connect. The minimal Hybrid setup seems to be working as expected. Any thoughts would be appreciated, thanks!

    1. Avatar photo
      Paul Cunningham

      I recommend opening a support case with Microsoft. They should be able to look at your log and spot the problem quickly.

  33. Quentin Capron

    Hello Paul, thanks for this great article.
    I just have a question, I’ve configured a Hybrid deploiement with Exchange 2010 SP3 & Office 365.
    I create a test account on Office 365. My on-premises maibox can write to the Office 365 account only if I configure my company domain to be an Internal Relay. Is it normal ?

    1. Avatar photo
      Paul Cunningham

      The Hybrid Configuration Wizard takes care of all of the necessary configuration.

      In a hybrid environment you should be creating users in the on-premises Active Directory, and enabling them with a remote mailbox. That will create the Exchange Online mailbox for them when the account synchronizes to Azure Active Directory.

      There is documentation on TechNet that you can search for to find the exact steps for creating new users and mailboxes in hybrid environments.

  34. Ram

    Hi – I will be setting up hybrid exchange 2016 at home to learn and understand exchange concept.

    Since our ISP blocks port 25 for home customers, I will be using port 2525 and configure Send Connector – smart host to send email out. Will this be a problem for hybrid configuration?

    Do, I need to buy Exchange Online license to set up exchange hybrid?



    1. Avatar photo
      Paul Cunningham

      You’ll need port 25 for hybrid mail flow, but you can still configure the hybrid configuration without port 25 open.

      Yes, an Exchange Online license is needed for a hybrid Exchange configuration.

  35. Les Davila

    I’m starting a Hybrid migration and your articles are a life saver, thank you! I’m my scenario, my client also has an on-prem Lync/Skype server in use.
    How would the O365 DNS records affect the on-prem Skype?
    Any additional configuration needed for the skype interaction between the cloud and on-prem users?

    1. Avatar photo
      Paul Cunningham

      I don’t do any Skype work myself, but there’s a chapter on Skype in our Office 365 for IT Pros book.

  36. john

    I’m planning to setup hybrid Office 365 with my exchange 2010 environment.
    fyi>EOP had already configured a few years ago with Office 365. so currently all incoming and outbound emails go thru Office 365.
    I was wondering whether I still require to do the Receiver and Sender Connector Configuration steps as part of the Wizard. do I skip this? as it’s already configured.
    Please advise.

  37. Balgates

    Hi Paul,

    We have 2 x Exchange 2016 Servers and Two Edge 2010 Servers
    External (In/out) SMTP are routed via Edge Servers. Exchange 2016 only allowed for https and http traffic and Edge servers are only allowed SMTP Traffic

    Now we have planned to Run Hybrid Wizard with Edge Servers. I have below doubts could you please help me on this.
    => Do we need to open port 25 for Exchange 2016 ?
    => We have public cert (Wild Card) installed on Exchange 2016, do we need to install the same certificate on Edge 2010 as well?
    => on the above steps it was not clear. We are selecting Edge server for mail flow and when it comes to Certificate we were selecting Exchange 2016 Server. Its bit confusing. Please explain with more clarity.
    => Do we need to perform any Manual Steps on Edge Server after the HCW to send or receive external emails?
    => DNS Doubt (We have Wild Card Certificate) – IP is (Port 443 and 80 allowed) pointed to exchange 2016 Server – IP (Port 25 Allowed)is pointed to Edge 2010 Server
    What name i have to provide during the HCW Org FQDN Name Configuration for Secure Email.

  38. Logan

    Hi, we are in the process of setting up our Office 365 environment. We are currently a Notes shop and have installed our very first Exchange server (2016). Our On-prem Exchange server will be used as the first stop in our mail migration. The migrated mail will then be migrated to our Exchange Online with a mailbox move. It is our intent that with the exception of that quick touch during the migration process that our on-prem Exchange will not house mailboxes and will only be used for administration activities.

    We have some confusion about the 3rd party certificates requirement for the hybrid configuration. All documentation that I read indicates that a 3rd part cert is required but in many places the documentation indicates, or implies, that the mail flow is bidirectional.

    So, in the scenario described above are 3rd party certs still a requirement or can self-signed certs be used?



      1. Caleb Stanley

        Hey Paul,

        Regarding the 3rd party certificate… we have two Exchange 2013 servers that are load balanced… we have a cert for the web address that resolves to the public IP of the load balanced servers.

        From my research, we have to point Office 365 to a SINGLE server in order to migrate mailboxes. Creating a NAT rule to one of our servers is not an issue. I am planning on creating a domain name that resolves to the NATed IP address (… my question is, would I need to get a new 3rd party SSL cert for that domain and install it on that single Exchange server in order for it to work? Would installing multiple SSL certs on a single server break anything?

        Thank you in advance.

        1. Avatar photo
          Paul Cunningham

          Yes, you’ll need a certificate on the server that includes the migration namespace that you’re going to use. Only one certificate can be bound to IIS/HTTPS at the same time, so that certificate will need to also include all the other namespaces (it can be a wildcard or a SAN certificate, your choice). Since it is the recommended practice to use the same SSL certificate on all servers that are load balanced together, you should also export/import that same certificate to your other server (the one that isn’t handling migration traffic but is load balanced for other namespaces).

  39. DK

    We are currently in the process of going through a hybrid configuration to O365, and although we can change our MX to point to O365, due to security compliancy we *cannot* bypass our on-prem 3rd party SMTP gateway and go direct to Edge or Mailbox backend Exchange.

    What are the implications of using O365 hybrid in this case? MS white papers suggest ‘information’ is lost going through 3rd party SMTP gateways, but don’t specify what that is.

    From what I gather, the “X-MS-Exchange-Organization-AuthAs” is seen as Anonymous instead of Internal.

    Any other issues anyone is aware of apart from this??

    1. Avatar photo
      Paul Cunningham

      It breaks internal mail flow. Being able to differentiate between internal and external mail flow is important for features such as Out-of-Office, Transport Rules, and so on.

      It’s not supported to add a non-Exchange SMTP gateway into the hybrid mail flow, and I’m not aware of any compliance regulations that would require it. Every customer I work with accepts the supported topology.

  40. GCPatrick

    When we run “Update” after following the wizard, we are getting an error:

    HCW0000 PowerShell failed to invoke ‘Set-FederatedOrganizationIdentifier’: No federation trust is configured for this organization or no domain is federated as the account namespace.

    Any ideas? We have had Azure AD Connect in place for a few months, with no issues, but we receive this error when we go through HCW.

    1. GCPatrick

      Our environment:
      Exchange 2013 CU14
      3x Mailbox
      2x CAS

      Thanks for the article!

  41. James


    Cannot get a clear answer on this from anyone, or any article…

    We know we need to open up port 80/443 – but to everyone? Or just the list of O365 IP ranges?

    1. Avatar photo
      Paul Cunningham

      Well, what is your requirement? For everyone to access those ports, or just the O365 servers?

      There’s no right/wrong answer, it all depends on your specific scenario.

  42. Colin

    Hi Paul,

    I am trying to run the HCW from a single Exchange 2010 SP3 server and am immediately getting an error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I can’t see too much online around it and was wondering if you have ever experienced it?


    1. Kevin Eyer

      I am having this exact same error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I too can’t see too much online around it and was wondering if you have ever experienced it?

  43. Zamir Mushtaq

    HI Paul,

    We have deployed hybrid environment in which some users are on premises and few on O365. Currently MX record and autodiscover is pointing On premises server. We are planning to Shift MX records to O365. What should we do with autodiscover record. Should it still point to On premises server or to O365? . We have to provide email access on outlook , owa and mobile devices for both users.
    Please advise. Thanks

  44. Vemaiah Bandi

    Hello Paul,

    I have seen some where in Microsoft documentation, they say we should not keep any server or device in between Office 365 and Hybrid servers , that causes some issues for SMTP traffic. But in this case a load balancer has been placed, will it not create in issues for SMTP traffic? please clarify can we place any firewalls or load balancers in between them , if not how can we protect our connection from external attacks?

  45. Administrator

    Hi Paul,

    Following running the HCW, i gather i am meant to see new Send and Receive connectors in the EAC for the on premise server but this hasnt happened. Should i create them manually? Is there a way to find out why the HCW hasnt added them automatically? The wizard completed without errors.


  46. Tony

    Hi Paul,

    Thanks for the informative article. In the step where you mentioned “Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.”

    When you entered, does this point to the Edge server or Exchange 2016 server?


    1. Avatar photo
      Paul Cunningham

      If you are using an Edge Transport server for hybrid mail flow, it goes to your Edge Transport server. If not, it goes to a Mailbox server.

  47. Henry

    Hi Paul,

    Great document, I am in a situation where my CAS and HUB Servers are on different Servers, and I plan on keeping them like. Its eExchange 2010 SP3 with latest CU…we are also using SSL Offloading which isn’t supported for AutoDiscover and EWS (both will be changed to ssl bridging) but there are no third part certs on my Servers and I recently installed a wild card on my hub transport Servers only…is this enough? or do I need to install on my CAS as well? SSL offloading/bridging will be used…

    Thanks Henry

  48. Josh

    We are on office 365 and are migrating to on-site Exchange 2016.
    Exchange 2016 CU3 running on Windows Server 2012 R2.

    When I first installed Exchange 2016 and ran the Hybrid Configuration Wizard – everything went well until the “Update” step at the end. The Error said that I need to update Exchange 2016 to the latest major release.

    So I updated to CU3. And ran the wizard again.

    It still says the same error. And looking into the log – the Hybrid Configuration Wizard is only compatible through CU2. What????? Now I can’t roll back, am stuck on CU3 – and can’t setup the hybrid environment. Help!!

    Can I manually setup the hybrid environment with 2016 and office 365? Or should I export PST files from each user on 365 and then import them into ons-te 2016 environment.

    Thanks for any help or direction anyone can provide.

    (reason for moving from 365 to on-site exchange: nested contact/distribution lists in public folder. Not available on 365.)

    1. Paul

      HCW should work with CU3. I suggest you open a support case via the O365 portal.

  49. shahin


    Could you tell me what approach is best for this situation?

    Currently we hosting emails for some of our customers, these customers have no access to the on premise exchange server and the address books of each customer is only accessable to that customer.

    office 365 was registered with this domain:

    our own comany email domain is:

    customer 1 email domain:

    customer 2 email domain:

    customer 3 email domain:

    The address books must be segregated from each other.

  50. Charley Burroughs


    I’m getting an error with Hybrid Wizard HCW8057/HCW8078. There are no firewall ports being blocked and DNS is configured correctly. The MRSProxy.svc is enabled but O365 is unable to communicate. I’m at a loss. The only thing I haven’t done is enabled RPC over HTTP and so, would this cause my issue? Thanks for the great work!


    1. Charley Burroughs

      Follow up: Just in case someone else is having same issue. It turned out to be a Cipher issue in which MS was looking for 1 of 5 Cipher responses that our F5’s had disabled due to vulnerability.
      Basically, go into F5, copy existing SSL profile, modify profile to add “:TLS1” If you have an F5, you will know what I’m talking about.

      1. Tony Holdgate

        Charley was that serverside SSL on F5 or clientside SSL?

  51. lloyd parchment

    We need to know if there is a GUI, and if not then we need to configure our Edge servers to pass traffic inbound from O365 and outbound to the internal network.

    1. Avatar photo
      Paul Cunningham

      A GUI for Edge Transport? No, there isn’t one.

      To use Edge Transport servers for Hybrid mail flow, first subscribe the Edge Transport servers to the AD site, then run or re-run the Hybrid Configuration Wizard and select the Edge Transport servers for mail flow.

  52. Steve

    Hi All.

    My scenario is one Exchange 2010 SP3 Edge and One 2010 SP3 Internal with HUB< TRANSPORT _ CAS . When I run the office 365 hybrid config wizard I do not get the option in the Hybrid Configuration to select the Edge Server. I only have the radio button to select configure my client access and mailbox servers for secure main transport (typical) – any idea wwhy?


    1. Avatar photo
      Paul Cunningham

      My understanding is that is normal, and if you want to use a 2010 Edge for a Hybrid deployment there’s manual config required for the connectors.

  53. Andreas

    Hi Paul,
    we have another Scenario and i will ask you how we can implement this.
    We moving a half year ago from Provider Mail (POP3/IMAP) direct to Office365 E3 Plan. At the Moment we have no Exchange Server on Premise.
    We only Extended our AD-Schema for Exchange and Syncing it with Azure AD Connect and Manage something over AD-Attributes, which is complicate to administrate.
    Can we install Exchange Hybrid in this Scenario after the using of office365 and how it works, or is there a chance to install only some Tools to manage the Exchange Parameters for Office365

    Many Thanks

  54. David Abbott

    Hi Paul,

    Fantastic article. I have a client that is looking to move to Office 365 Hybrid with Exchange 2010, they already have DirSync in place as they previously deployed Office 2016 and so already have accounts in Office 365 but we are unable to add any Exchange licences to them.

    Would I be able to simply run the Hybrid Wizard even with DirSync already in place or would it be a case of disabling DirSync, deleting their existing Office 365 accounts and then running the Hybrid wizard?

    Many thanks


      1. David Abbott

        Hi Paul,

        As they simply put directory sync in place to Office 365 for password sync all the accounts in Office 365 show as not having an Exchange mailbox.

        Many thanks


  55. Bharti

    Great article. thanks!

  56. John

    Hi Paul,

    Thanks for this tutorial.
    My question is, I have 3 servers 01,02,03.
    If I run the HCW using server 03 and then plan to decommission it, Do I need to re-run the HCW and select a different server?


  57. Marc

    Hi Paul,

    I’ve read through your O365 ebook and bonuses. Quite a read! We are planning a migration to a hybrid setup running Ex 2013. We are currently still using 2010 for two Edge server that we use for SMTP relay for applications and some internet IPs. I’m not 100% certain that it’s possible to use Edge 2010 servers for a hybrid setup when running Exchange 2013. I may have misread but I’m having a hard time finding anything else online that says otherwise. Can you confirm, please? Thanks so much.

    1. Avatar photo
      Paul Cunningham

      The new HCW is compatible with Exchange 2010, so my assumption is it will work, but I haven’t tried it myself.

      1. Jop Gommans

        Yes that is possible, we set up 2 hybrids lately with Ex2010 Edge-servers. Do keep in mind you will need to update your connectors on this machines manually. The wizard will make a note of what changes are needed when you finish it.

  58. Jami

    Quick question: I have completed many cutover migrations but never a hybrid. The new company I’m working for is wanting as little impact as possible during the move to hybrid, and then eventually solely Exchange Online. The prerequisites are all set up for the hybrid move. I ran through the hybrid tool yesterday and got to the very end at the “update” button and got scared. Are you aware of any downtime or issues when kicking off the hybrid deployment? Is this something that needs to be done after hours? Any help is greatly appreciated.


    1. Avatar photo
      Paul Cunningham

      It doesn’t cause any downtime, and it doesn’t cause any issues if you’ve planned correctly. Establishing the Hybrid configuration can impact your mail flow depending on what you’re trying to achieve.

      As with all changes there are risks. Understand what you’re trying to achieve, what could potentially be impacted, have a test plan, and have a roll back plan.

      If in doubt, create a test environment to run through it all first.

  59. nicholas herbert

    Hi Paul –
    quick question – dont understand this statement above ‘ Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. ‘ – I thought this wasnt a requirement only for migrating on prem mailboxes to the tenant?
    Also just to verify in this demo above – your not going to federate the domain as you are not using ADFS just password sync? Will the public DNS record for Autodiscover always resolve to the onprem CAS in a hybrid scenario? RegardsNicholas

    1. Avatar photo
      Paul Cunningham

      In this example scenario, mailbox migrations will be performed, AD FS is not being used, and AutoD will point to on-prem as long as there are still mailboxes on-prem.

  60. sarma kumar

    Hi paul,
    I have a query, is it possible to exclude the edge server for the mail transport between office 365 and exchange on premises but i want to keep the edge server for external mail communication?

    1. Avatar photo
      Paul Cunningham

      Yes. You’ll need to run your public MX on a different namespace that resolves to a different IP address than what Office 365 is configured to use for mail flow.

  61. Steve

    Great article Paul,
    We have a Notes environment and will be migrating to 2016. As such no existing Exchange servers, we are using a 3rd party tool however to stage the migration we are looking to deploy Ex 2016 to host the hybrid environment and enable seamless mailflow between the 365 users and notes users.

    Firstly is 2016 in this environment supported? All documentation I’ve used and seen has always referenced 2013.
    Secondly during the hybrid config wizard should we select “configure edge transport servers with secure mail transport” and tick “Enable Centralised mail transport”?


    1. Avatar photo
      Paul Cunningham

      Yes, Exchange 2016 is supported for Hybrid configurations.

      As for the other options, you should use them if you need to use them in your scenario. I can’t really answer that for you. You simply need to read up on what those options do and then decide if that is applicable to your environment.

  62. Lorenzo

    Hi Paul,
    great article, as usual :).
    I need to configure an Hybrid Deployment from Exchange 2010 SP3 to Exchange Online in a shared namespace scenario.
    Actually the Exchange 2010 infrastructure has set the primary SMTP domain as Internal Relay, so when an Exchange user send an email to a recipient that doesn’t exist in Exchange, the email is sent to a Smart Host that deliver the message to a separated mail system.
    I know that the Hybrid configuration creates a Send Connector for the namespace “” and when an onpremise Exchange user is migrated to Exchange Online, the mailbox is converted to a Mail User with a target address that correspond to the “” domain.
    Based on this information, i believe that the hybrid configuration in this scenario is possible without affecting the existing mailflow.
    Are there other things to consider?
    E.g. using an internal relay domain in ad hybrid configuration is supported? And the HCW does change something regarding the scope of domain defined in the onpremise Exchange infrastructure?

  63. filip

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

      1. filip

        May I ask how you fix this/is recommended?
        I read that it is also possible to use fqdn and create multiple mx records. This requires multiple external ips. Btw is it then also required to put all mx record names on the ssl cert?

  64. Larry Sullivan

    I have a hybrid setup with central transport configured. MX records point to Exchange online and then gets forwarded to my on premise server. I notice that I had been getting a lot of spam. it looks like other mail servers found my IP address and were sending spam directly to my servers. I disabled anonymous connections on the receive connector that has port 25 open. This has helped reduce the spam a lot. I’m not sure if this may cause other potential problems, though. Would it be better to limit the connections in to the O365 IP address range? Is there a easy way to add these?

    1. Avatar photo
      Paul Cunningham

      Disabling anon will impact any internal devices or applications that are trying to use the server to send emails to internal recipients (since that scenario doesn’t require a separate “relay” connector be set up). Of course, if you have set up a “relay” connector for those devices/apps to be able to relay externally, then they’ll continue working anyway (for both internal and external).

      Otherwise, yes it’s a good idea to restrict the access to Exchange to only those IP ranges for Office 365.

  65. Adrian

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

    1. Ben

      We use a kemp in the DMZ as a reverse proxy and a kemp load balancing the multi role exchange servers on the LAN. Works fine for TLS SMTP 🙂

  66. Mukhan

    Hi Paul,

    for Hybrid Configuration,

    Is it possible to speed up the process of syncing/migrating mailboxes from on-premises to office 365 by adding one more internet connection OR are there any other possibility?

    1. Avatar photo
      Paul Cunningham

      Available bandwidth is one factor that influences the speed of remote mailbox moves in a Hybrid scenario. There are other factors as well, such as the performance of your servers, and the load on the Exchange Online servers at the time you’re migrating.

  67. ChrisM

    I’m tackling my EX2010 migration to O365 now, and the new wizard is GREAT, but I have 3 questions I’m unsure about, because I have a Barracuda spam filter as my MX record, connected to my EX setup via a send connector on the hub transport (smart host).

    EX server1 – Holds Hub Transport, Client Access, and Mailbox roles. (no public IP, CAS pretty much unused)
    EX server2 – Client access server used by all users via OWA or Outlook, has public IP (98% of my users connect remotely via OWA or Outlook over HTTPS)
    Barracuda – MX record, public IP, handles all mail in and out. I’ve been told we wish to keep it.

    Q1: On the Hybrid Config page of the wizard, under advanced, Do I need to check the box to enable centralized mail transport? (Yes, I think, because we want all mail to pass through the Barracuda like it does now)

    Q2: On the Public IP address page of the wizard, Our server with the transport role (Server1) doesn’t have a public IP address, would I put the public IP of the Barracuda here? Also because I enabled centralized mail transport two steps back.

    Q3: On the Organizational FQDN page of the wizard, Should it be the Barracudas FQDN, or our client access server (Server2) that has the public IP address? Server1 also has the client access role, but no public IP.

    I already have used the Azure AD Connect tool to connect my AD to my O365 tenant with great results. I just don’t want to break mail…eeerr…. have been told not to break mail 😮

    Any assistance would be greatly appreciated!!!


    1. Avatar photo
      Paul Cunningham

      A non-Exchange server (like your Barracuda) can’t be involved in the mail flow between the on-premises Exchange server(s) and the Exchange Online servers. Exchange Online needs to be able to connect directly to an Exchange server when routing email from a cloud mailbox to an on-prem mailbox, and vice versa.

      So you’re going to need a public IP that NATs to Exchange for that connection to occur. You can lock it down on your firewall so that only the Office 365 IP ranges are allowed to connect in on that IP.

      Centralized transport tells Exchange Online where to send outbound email. With centralized transport enabled, EXO will send route email to the on-premises servers instead of directly out to the internet. This then allows your on-premises servers to apply any journaling, transport rules or other compliance requirements you might have, and then route out to the internet via your Barracuda if you wish to keep using it.

      I hope that is clear. In short, the Barracuda can still be used, but not in between the on-premises Exchange servers and the Exchange Online servers.

      1. ChrisM

        Thank you Paul, in giving the outside IP to the Exchange server, it looks like it mostly needs access to port 443 from the outside world to get the hybrid setup going for migration. I also see MS is asking me to open up port 25 to it as well. Is this required seeing that I’m keeping the Barracuda as the MX record?


        1. Avatar photo
          Paul Cunningham

          Office 365 needs port 25 open to whichever Exchange server will be participating in Hybrid mail flow.

          The Barracuda can’t do this. Whether you keep it as the MX or not is irrelevant to the requirement for Office 365 to talk directly to an Exchange server on-premises.

          1. Nam

            Hi Paul,

            As far as I know, if the hybrid setup includes Edge Transport, then we only need to open port 25 on the Edge server?

  68. Barr

    Why did you select only one cas? Can you elaborate what happens if you select two cas in HCW?

      1. Barr

        if you select 2 CAS will both be configured identical (receive connector with TLS, EWS MRS Proxy, wssecurity, oauth etc…)? And can both accept TLS mail from o365?

        1. heythere


  69. heythere

    Hi Paul
    as far as I know EWS will be configured by wizard itself
    so you don’t have to touch it…

      1. heythere

        you are right , I never noticed that:)
        I never used it either and never had a problem
        the wizard will enable it if its not enabled and configured it according to instructions you enter in wizard.
        ill definitely change my docs to reflect it anyway

  70. filip

    Is it still best to install/run the New HCW on an Exchange server itself?
    Can You please elaborate a bit more about what happens if we select multiple cas servers? And how multiple cas servers act in a Hybrid env.?

Leave a Reply