Home » Exchange Server » Creating a Hybrid Configuration with Exchange and Office 365

Creating a Hybrid Configuration with Exchange and Office 365

In the last part of this series we looked at preparing for Hybrid deployment with Office 365. In this article we’re going to create the Hybrid configuration between the on-premises Exchange organization and the Office 365 tenant.

The current on-premises environment is running:

  • 2 x Exchange 2016 Mailbox servers
  • 1 x Exchange 2013 multi-role server
  • 1 x Exchange 2013 Edge Transport server
  • 1 x Exchange 2010 multi-role server

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

The servers can be MRS Proxy enabled by running Set-WebServicesVirtualDirectory.

The Hybrid Configuration Wizard is launched from the Exchange Admin Center, in the hybrid section.


After clicking enable we need to sign in to the Office 365 tenant with a global admin account.


We’re directed to download the Hybrid Configuration Wizard tool. Click on the click here link to download it.


Follow the prompts to install the application.


When the Hybrid Configuration Wizard launches, click Next to begin.


The HCW will detect a server to use automatically, or you can specify one if you need to.


Enter credentials for both the on-premises organization and the Office 365 tenant.


When the connections and credentials have been successfully validated, click Next to continue.


For my scenario I’ll be using the Edge Transport server for secure mail flow, and not enabling centralized mail transport.


There is only one Edge Transport to choose in my environment.


Next we choose a reference server, and then an SSL certificate on that server, to use for secure mail flow.


Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.


After entering all of the information in the wizard click Update to configure and enable Hybrid for your organization. The configuration takes just a few moments as long as there are no errors encountered.

In the next part of this series we’ll look at testing the features of the Hybrid configuration.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. filip says:

    Is it still best to install/run the New HCW on an Exchange server itself?
    Can You please elaborate a bit more about what happens if we select multiple cas servers? And how multiple cas servers act in a Hybrid env.?

  2. ChrisM says:

    I’m tackling my EX2010 migration to O365 now, and the new wizard is GREAT, but I have 3 questions I’m unsure about, because I have a Barracuda spam filter as my MX record, connected to my EX setup via a send connector on the hub transport (smart host).

    EX server1 – Holds Hub Transport, Client Access, and Mailbox roles. (no public IP, CAS pretty much unused)
    EX server2 – Client access server used by all users via OWA or Outlook, has public IP (98% of my users connect remotely via OWA or Outlook over HTTPS)
    Barracuda – MX record, public IP, handles all mail in and out. I’ve been told we wish to keep it.

    Q1: On the Hybrid Config page of the wizard, under advanced, Do I need to check the box to enable centralized mail transport? (Yes, I think, because we want all mail to pass through the Barracuda like it does now)

    Q2: On the Public IP address page of the wizard, Our server with the transport role (Server1) doesn’t have a public IP address, would I put the public IP of the Barracuda here? Also because I enabled centralized mail transport two steps back.

    Q3: On the Organizational FQDN page of the wizard, Should it be the Barracudas FQDN, or our client access server (Server2) that has the public IP address? Server1 also has the client access role, but no public IP.

    I already have used the Azure AD Connect tool to connect my AD to my O365 tenant with great results. I just don’t want to break mail…eeerr…. have been told not to break mail 😮

    Any assistance would be greatly appreciated!!!


    • A non-Exchange server (like your Barracuda) can’t be involved in the mail flow between the on-premises Exchange server(s) and the Exchange Online servers. Exchange Online needs to be able to connect directly to an Exchange server when routing email from a cloud mailbox to an on-prem mailbox, and vice versa.

      So you’re going to need a public IP that NATs to Exchange for that connection to occur. You can lock it down on your firewall so that only the Office 365 IP ranges are allowed to connect in on that IP.

      Centralized transport tells Exchange Online where to send outbound email. With centralized transport enabled, EXO will send route email to the on-premises servers instead of directly out to the internet. This then allows your on-premises servers to apply any journaling, transport rules or other compliance requirements you might have, and then route out to the internet via your Barracuda if you wish to keep using it.

      I hope that is clear. In short, the Barracuda can still be used, but not in between the on-premises Exchange servers and the Exchange Online servers.

      • ChrisM says:

        Thank you Paul, in giving the outside IP to the Exchange server, it looks like it mostly needs access to port 443 from the outside world to get the hybrid setup going for migration. I also see MS is asking me to open up port 25 to it as well. Is this required seeing that I’m keeping the Barracuda as the MX record?


        • Office 365 needs port 25 open to whichever Exchange server will be participating in Hybrid mail flow.

          The Barracuda can’t do this. Whether you keep it as the MX or not is irrelevant to the requirement for Office 365 to talk directly to an Exchange server on-premises.

  3. Mukhan says:

    Hi Paul,

    for Hybrid Configuration,

    Is it possible to speed up the process of syncing/migrating mailboxes from on-premises to office 365 by adding one more internet connection OR are there any other possibility?

    • Available bandwidth is one factor that influences the speed of remote mailbox moves in a Hybrid scenario. There are other factors as well, such as the performance of your servers, and the load on the Exchange Online servers at the time you’re migrating.

  4. Adrian says:

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

    • Ben says:

      We use a kemp in the DMZ as a reverse proxy and a kemp load balancing the multi role exchange servers on the LAN. Works fine for TLS SMTP 🙂

  5. Larry Sullivan says:

    I have a hybrid setup with central transport configured. MX records point to Exchange online and then gets forwarded to my on premise server. I notice that I had been getting a lot of spam. it looks like other mail servers found my IP address and were sending spam directly to my servers. I disabled anonymous connections on the receive connector that has port 25 open. This has helped reduce the spam a lot. I’m not sure if this may cause other potential problems, though. Would it be better to limit the connections in to the O365 IP address range? Is there a easy way to add these?

    • Disabling anon will impact any internal devices or applications that are trying to use the server to send emails to internal recipients (since that scenario doesn’t require a separate “relay” connector be set up). Of course, if you have set up a “relay” connector for those devices/apps to be able to relay externally, then they’ll continue working anyway (for both internal and external).

      Otherwise, yes it’s a good idea to restrict the access to Exchange to only those IP ranges for Office 365.

  6. filip says:

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

  7. Lorenzo says:

    Hi Paul,
    great article, as usual :).
    I need to configure an Hybrid Deployment from Exchange 2010 SP3 to Exchange Online in a shared namespace scenario.
    Actually the Exchange 2010 infrastructure has set the primary SMTP domain as Internal Relay, so when an Exchange user send an email to a recipient that doesn’t exist in Exchange, the email is sent to a Smart Host that deliver the message to a separated mail system.
    I know that the Hybrid configuration creates a Send Connector for the namespace “domain.mail.onmicrosoft.com” and when an onpremise Exchange user is migrated to Exchange Online, the mailbox is converted to a Mail User with a target address that correspond to the “domain.mail.onmicrosoft.com” domain.
    Based on this information, i believe that the hybrid configuration in this scenario is possible without affecting the existing mailflow.
    Are there other things to consider?
    E.g. using an internal relay domain in ad hybrid configuration is supported? And the HCW does change something regarding the scope of domain defined in the onpremise Exchange infrastructure?

  8. Steve says:

    Great article Paul,
    We have a Notes environment and will be migrating to 2016. As such no existing Exchange servers, we are using a 3rd party tool however to stage the migration we are looking to deploy Ex 2016 to host the hybrid environment and enable seamless mailflow between the 365 users and notes users.

    Firstly is 2016 in this environment supported? All documentation I’ve used and seen has always referenced 2013.
    Secondly during the hybrid config wizard should we select “configure edge transport servers with secure mail transport” and tick “Enable Centralised mail transport”?


    • Yes, Exchange 2016 is supported for Hybrid configurations.

      As for the other options, you should use them if you need to use them in your scenario. I can’t really answer that for you. You simply need to read up on what those options do and then decide if that is applicable to your environment.

  9. sarma kumar says:

    Hi paul,
    I have a query, is it possible to exclude the edge server for the mail transport between office 365 and exchange on premises but i want to keep the edge server for external mail communication?

  10. nicholas herbert says:

    Hi Paul –
    quick question – dont understand this statement above ‘ Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. ‘ – I thought this wasnt a requirement only for migrating on prem mailboxes to the tenant?
    Also just to verify in this demo above – your not going to federate the domain as you are not using ADFS just password sync? Will the public DNS record for Autodiscover always resolve to the onprem CAS in a hybrid scenario? RegardsNicholas

  11. Jami says:

    Quick question: I have completed many cutover migrations but never a hybrid. The new company I’m working for is wanting as little impact as possible during the move to hybrid, and then eventually solely Exchange Online. The prerequisites are all set up for the hybrid move. I ran through the hybrid tool yesterday and got to the very end at the “update” button and got scared. Are you aware of any downtime or issues when kicking off the hybrid deployment? Is this something that needs to be done after hours? Any help is greatly appreciated.


    • It doesn’t cause any downtime, and it doesn’t cause any issues if you’ve planned correctly. Establishing the Hybrid configuration can impact your mail flow depending on what you’re trying to achieve.

      As with all changes there are risks. Understand what you’re trying to achieve, what could potentially be impacted, have a test plan, and have a roll back plan.

      If in doubt, create a test environment to run through it all first.

  12. Marc says:

    Hi Paul,

    I’ve read through your O365 ebook and bonuses. Quite a read! We are planning a migration to a hybrid setup running Ex 2013. We are currently still using 2010 for two Edge server that we use for SMTP relay for applications and some internet IPs. I’m not 100% certain that it’s possible to use Edge 2010 servers for a hybrid setup when running Exchange 2013. I may have misread but I’m having a hard time finding anything else online that says otherwise. Can you confirm, please? Thanks so much.

      • Jop Gommans says:

        Yes that is possible, we set up 2 hybrids lately with Ex2010 Edge-servers. Do keep in mind you will need to update your connectors on this machines manually. The wizard will make a note of what changes are needed when you finish it.

  13. John says:

    Hi Paul,

    Thanks for this tutorial.
    My question is, I have 3 servers 01,02,03.
    If I run the HCW using server 03 and then plan to decommission it, Do I need to re-run the HCW and select a different server?


  14. David Abbott says:

    Hi Paul,

    Fantastic article. I have a client that is looking to move to Office 365 Hybrid with Exchange 2010, they already have DirSync in place as they previously deployed Office 2016 and so already have accounts in Office 365 but we are unable to add any Exchange licences to them.

    Would I be able to simply run the Hybrid Wizard even with DirSync already in place or would it be a case of disabling DirSync, deleting their existing Office 365 accounts and then running the Hybrid wizard?

    Many thanks


  15. Andreas says:

    Hi Paul,
    we have another Scenario and i will ask you how we can implement this.
    We moving a half year ago from Provider Mail (POP3/IMAP) direct to Office365 E3 Plan. At the Moment we have no Exchange Server on Premise.
    We only Extended our AD-Schema for Exchange and Syncing it with Azure AD Connect and Manage something over AD-Attributes, which is complicate to administrate.
    Can we install Exchange Hybrid in this Scenario after the using of office365 and how it works, or is there a chance to install only some Tools to manage the Exchange Parameters for Office365

    Many Thanks

  16. Steve says:

    Hi All.

    My scenario is one Exchange 2010 SP3 Edge and One 2010 SP3 Internal with HUB< TRANSPORT _ CAS . When I run the office 365 hybrid config wizard I do not get the option in the Hybrid Configuration to select the Edge Server. I only have the radio button to select configure my client access and mailbox servers for secure main transport (typical) – any idea wwhy?


  17. lloyd parchment says:

    We need to know if there is a GUI, and if not then we need to configure our Edge servers to pass traffic inbound from O365 and outbound to the internal network.

    • A GUI for Edge Transport? No, there isn’t one.

      To use Edge Transport servers for Hybrid mail flow, first subscribe the Edge Transport servers to the AD site, then run or re-run the Hybrid Configuration Wizard and select the Edge Transport servers for mail flow.

  18. Charley Burroughs says:


    I’m getting an error with Hybrid Wizard HCW8057/HCW8078. There are no firewall ports being blocked and DNS is configured correctly. The MRSProxy.svc is enabled but O365 is unable to communicate. I’m at a loss. The only thing I haven’t done is enabled RPC over HTTP and so, would this cause my issue? Thanks for the great work!


    • Charley Burroughs says:

      Follow up: Just in case someone else is having same issue. It turned out to be a Cipher issue in which MS was looking for 1 of 5 Cipher responses that our F5’s had disabled due to vulnerability.
      Basically, go into F5, copy existing SSL profile, modify profile to add “:TLS1” If you have an F5, you will know what I’m talking about.

  19. shahin says:


    Could you tell me what approach is best for this situation?

    Currently we hosting emails for some of our customers, these customers have no access to the on premise exchange server and the address books of each customer is only accessable to that customer.

    office 365 was registered with this domain:

    our own comany email domain is:

    customer 1 email domain:

    customer 2 email domain:

    customer 3 email domain:

    The address books must be segregated from each other.

  20. Josh says:

    We are on office 365 and are migrating to on-site Exchange 2016.
    Exchange 2016 CU3 running on Windows Server 2012 R2.

    When I first installed Exchange 2016 and ran the Hybrid Configuration Wizard – everything went well until the “Update” step at the end. The Error said that I need to update Exchange 2016 to the latest major release.

    So I updated to CU3. And ran the wizard again.

    It still says the same error. And looking into the log – the Hybrid Configuration Wizard is only compatible through CU2. What????? Now I can’t roll back, am stuck on CU3 – and can’t setup the hybrid environment. Help!!

    Can I manually setup the hybrid environment with 2016 and office 365? Or should I export PST files from each user on 365 and then import them into ons-te 2016 environment.

    Thanks for any help or direction anyone can provide.

    (reason for moving from 365 to on-site exchange: nested contact/distribution lists in public folder. Not available on 365.)

  21. Henry says:

    Hi Paul,

    Great document, I am in a situation where my CAS and HUB Servers are on different Servers, and I plan on keeping them like. Its eExchange 2010 SP3 with latest CU…we are also using SSL Offloading which isn’t supported for AutoDiscover and EWS (both will be changed to ssl bridging) but there are no third part certs on my Servers and I recently installed a wild card on my hub transport Servers only…is this enough? or do I need to install on my CAS as well? SSL offloading/bridging will be used…

    Thanks Henry

  22. Tony says:

    Hi Paul,

    Thanks for the informative article. In the step where you mentioned “Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.”

    When you entered mail.practical365.com, does this point to the Edge server or Exchange 2016 server?


  23. Administrator says:

    Hi Paul,

    Following running the HCW, i gather i am meant to see new Send and Receive connectors in the EAC for the on premise server but this hasnt happened. Should i create them manually? Is there a way to find out why the HCW hasnt added them automatically? The wizard completed without errors.


  24. Vemaiah Bandi says:

    Hello Paul,

    I have seen some where in Microsoft documentation, they say we should not keep any server or device in between Office 365 and Hybrid servers , that causes some issues for SMTP traffic. But in this case a load balancer has been placed, will it not create in issues for SMTP traffic? please clarify can we place any firewalls or load balancers in between them , if not how can we protect our connection from external attacks?

  25. Zamir Mushtaq says:

    HI Paul,

    We have deployed hybrid environment in which some users are on premises and few on O365. Currently MX record and autodiscover is pointing On premises server. We are planning to Shift MX records to O365. What should we do with autodiscover record. Should it still point to On premises server or to O365? . We have to provide email access on outlook , owa and mobile devices for both users.
    Please advise. Thanks

  26. Colin says:

    Hi Paul,

    I am trying to run the HCW from a single Exchange 2010 SP3 server and am immediately getting an error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I can’t see too much online around it and was wondering if you have ever experienced it?


    • Kevin Eyer says:

      I am having this exact same error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I too can’t see too much online around it and was wondering if you have ever experienced it?

  27. James says:


    Cannot get a clear answer on this from anyone, or any article…

    We know we need to open up port 80/443 – but to everyone? Or just the list of O365 IP ranges?

  28. GCPatrick says:

    When we run “Update” after following the wizard, we are getting an error:

    HCW0000 PowerShell failed to invoke ‘Set-FederatedOrganizationIdentifier’: No federation trust is configured for this organization or no domain is federated as the account namespace.

    Any ideas? We have had Azure AD Connect in place for a few months, with no issues, but we receive this error when we go through HCW.

  29. DK says:

    We are currently in the process of going through a hybrid configuration to O365, and although we can change our MX to point to O365, due to security compliancy we *cannot* bypass our on-prem 3rd party SMTP gateway and go direct to Edge or Mailbox backend Exchange.

    What are the implications of using O365 hybrid in this case? MS white papers suggest ‘information’ is lost going through 3rd party SMTP gateways, but don’t specify what that is.

    From what I gather, the “X-MS-Exchange-Organization-AuthAs” is seen as Anonymous instead of Internal.

    Any other issues anyone is aware of apart from this??

    • It breaks internal mail flow. Being able to differentiate between internal and external mail flow is important for features such as Out-of-Office, Transport Rules, and so on.

      It’s not supported to add a non-Exchange SMTP gateway into the hybrid mail flow, and I’m not aware of any compliance regulations that would require it. Every customer I work with accepts the supported topology.

  30. Logan says:

    Hi, we are in the process of setting up our Office 365 environment. We are currently a Notes shop and have installed our very first Exchange server (2016). Our On-prem Exchange server will be used as the first stop in our mail migration. The migrated mail will then be migrated to our Exchange Online with a mailbox move. It is our intent that with the exception of that quick touch during the migration process that our on-prem Exchange will not house mailboxes and will only be used for administration activities.

    We have some confusion about the 3rd party certificates requirement for the hybrid configuration. All documentation that I read indicates that a 3rd part cert is required but in many places the documentation indicates, or implies, that the mail flow is bidirectional.

    So, in the scenario described above are 3rd party certs still a requirement or can self-signed certs be used?



Leave a Reply

Your email address will not be published. Required fields are marked *