Home » Exchange Server » Testing a New Exchange Hybrid Configuration with Office 365

Testing a New Exchange Hybrid Configuration with Office 365

In the last part of this series of articles I demonstrated setting up a Hybrid configuration between on-premises Exchange Server and Office 365. With the Hybrid in place it’s time to start planning to migrate mailboxes and cut over services such as mail flow.

Currently the organization is in a state where:

  • All mailboxes are on-premises
  • All remote clients connect to the on-premises servers
  • All mail flow runs through the on-premises Exchange organization, via the Edge Transport server


Where want to be is a state where:

  • Mailboxes can be on-premises or in the cloud, depending on the business needs
  • Cloud mailbox users can connect to their cloud mailbox, but on-premises mailbox users continue to connect to on-premises servers
  • Mail flow is going through Office 365 to take advantage of Exchange Online Protection


Rather than just barrel ahead with changing MX records and migrating production mailboxes, it is a good idea to do some testing first. In this article I’ll test the Hybrid configuration by:

  • Creating a test mailbox in Office 365
  • Verifying mail flow between on-premises Exchange and Exchange Online is working
  • Verifying that the client experience of Exchange Online is working (e.g. GAL visibility, free/busy lookups, ActiveSync device redirection)
  • Moving a test mailbox from on-premises Exchange to Exchange Online

Let’s get started.

Creating a Mailbox in Office 365

With the Hybrid configuration in place we can use the Exchange Admin Center to create new Office 365 mailboxes.


For my environment I just need to make sure that I choose an Organizational Unit that is included in my Azure AD Connect synchronization. Aside from that, fill out the other details such as name and password as you normally would.


Switching to the Office 365 section of the Exchange Admin Center, we can see that the new mailbox is not immediately visible.


Directory synchronization of the new user needs to occur, and an Office 365 license needs to be assigned. We can wait for the next directory synchronization cycle to occur, or force a synchronization immediately to speed things up. I prefer to wait, because it allows me to verify that directory synchronization is working fine on its own.

When directory synchronization has occurred the new user will be visible in the Office 365 admin center, and can be assigned a license there.


Alternatively, use PowerShell to connect to Office 365 and assign the license, by setting the location for the user and then assigning the appropriate SKU.

Within a few minutes the mailbox should be visible in the Exchange Admin Center.


Launching Outlook on a computer will verify whether Autodiscover is able to configure the Outlook profile to connect to the cloud mailbox. Note that the user will need to provide their credentials to authenticate to Exchange Online. Thanks to password synchronization they can use the same email address (which should match their UPN) and password as they use on-premises, and save the credentials to avoid being prompted every time.


Verifying Mail Flow

Now that I’ve got a working mailbox in the cloud it’s time to do some mail flow tests. Simply put, the cloud mailbox should be able to send and receive emails for on-premises mailboxes, as well as external mailboxes.

To test this I’ve added another mailbox to the on-premises environment. I’m using a brand new mailbox for this because I will be migrating it to the cloud later as a test of the migration process, and it’s faster to migrate a nearly empty mailbox. However, if I was interested in testing migration throughput, I would use mailboxes with more content in them.

Keep in mind that any on-premises mailbox user you create needs time to synchronize to Azure AD before the cloud mailbox user will see them in the GAL.

Sending an email from the cloud mailbox to an on-premises and and external recipient should do the trick.


When the emails arrive simply reply to them to confirm the return path is working as well.


You should also run the message headers through the message analyzer at ExRCA.com so you can verify that the path the emails took was the expected path.


Verifying the Client Experience

By testing the mail flow we’ve already confirmed that GAL visibility for the on-premises and cloud mailboxes is working as expected. Another aspect of the client experience is free/busy lookups between on-premises and cloud mailboxes. To test this we can simply create a new meeting request in Outlook, and have each mailbox look up the availability of the other.


If free/busy lookups are working then you shouldn’t see any of the “No Information” indications for any of the recipients. To take it a step further, book one meeting between the two recipients and then create another meeting request, and you should see the existing meeting in their free/busy info.


Note, free/busy lookups need to be working in both directions, so make sure you test this from both sides of the Hybrid environment.

We still want to test ActiveSync redirection for mailbox users. ActiveSync redirection will automatically reconfigure an on-premises mailbox user’s mobile device to point to Exchange Online after they are migrated to the cloud. So in order to test this, we need a mailbox with a mobile device already connected to it (which I have already set up), and then we need to perform a mailbox migration.

Migrating a Mailbox to Exchange Online

Since I already have a test mailbox, Hybrid Test 1, on-premises with an Outlook profile and a mobile device connected, it will be a good candidate to test the mailbox migration process.

To initiate a mailbox migration use the Exchange Admin Center. Select the Office 365 section, and navigate to Recipients -> Migration.

Start a new migration batch to “Migrate to Exchange Online”.


The migration type is a “Remove move migration”. Step through the wizard, adding the test mailbox to the migration batch, creating a migration endpoint if necessary, and giving the migration batch a name. You will also need to specify an email address to be notified when the batch has completed. For test migrations I prefer to simply allow the migration batch to automatically complete.


Wait for the migration batch to complete, then restart the Outlook client for the migrated mailbox user. Autodiscover should reconfigure them to connect to Exchange Online, and their mobile device should also be automatically updated the next time it tries to connect. In reality this may not work immediately, but should begin working after a short wait.

After completing the migration you might also like to re-test mail flow and free/busy, just to be sure there’s no lingering issues.


In this article I’ve demonstrated techniques for testing a Hybrid configuration, so that you can be confident that the end user experience will be good when you perform your mailbox migrations to the cloud. In the next part of this series, I’ll move the organization another step closer to the end goal by demonstrating the cut over of mail routing to Exchange Online Protection.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. Mukhan says:

    Hi Paul,

    good job just right on time.

    I am using this guide to test our HCW,

    I used to track messages through Get-MessageTrackinglog cmdlets, are these commands still valid in Office 365??

    Please reply

  2. Brad Parsons says:

    We have been following these steps but just thus week have started to receive this error

    “Unsupported recipient type ‘Mailbox’ provided. Only ‘Mailuser’ is supported for this migration type.”

    Any insight would help.

    Thank you

      • Kevin says:

        This is happening to me to. This is occurring when trying to migrate from OnPrem Exchange 2013 to O365.

        One article said to remove the license from the user, migrate, then re-license the user. This did not work for me. I have also tried to remove the license from the user, let it set for an hour, relicense, let it set for another hour, then try to migrate. Again it fails with this error.

        When I login as the user to their O365 account, and try to click on mail, it simply states that ‘The mailbox isn’t available. This may have occurred because the license for the mailbox has expired. To find out how to gain access to this mailbox again, contact the person who manages your email account.’

      • Kevin says:

        I fixed this. Essentially I had to move the users in question to a non-sync’d OU in AD, then perform a directory sync. Once O365 removed the users, I had to remove them from the O365 Recycle bin with ‘Get-MsOLUser -all -returndeletedusers | Remove-MsOLUser -removefromrecyclebin -force’

        Once they were permanently deleted from O365, I put them back in their original OU and again, I sync’d. I looked in two places to verify. 1: Unlicensed Users and 2: Contacts. You must wait until they show up in Contacts. Do not license them yet.

        The GUI migration mechanism has a flaw/bug in it so you have to do it via Powershell.
        I issued the following:
        $O365Cred = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        $OnPremCred = Get-Credential

        import-csv migrate.csv | foreach {New-MoveRequest -Identity $_.UPN -Remote -RemoteHostName ‘nameofmyserver.mydomain.com’ -RemoteCredential $onpremcred -TargetDeliveryDomain ‘domain.mail.onmicrosoft.com’}

        It then migrated them appropriately. Once their migrations have completed then you can license them appropriately.

        in the migrate.csv I just had one column which was their full UPN user@mydomain.com.

  3. Kurbo says:

    Thanks for the help. I would like to clarify the following questions

    1- Where do i have to point my MX recods, can i leave them pointing to my on-prem Exchange and also can i point on O365 with higher priority and on prem with lower?

    2- Can mailboxes reside on both exchanges and will it update automatically on each side? Thanks in advance

  4. Saul says:

    Hi Paul,

    When testing “Federation trust” it seems to fail on the last part. It failed to request delegation token. Microsoft wasn’t able to help us on this case. Maybe you can enlighten us with this.

    STEP 5 of 6: Requesting delegation token…
    RESULT: Success. Token retrieved.

    Closing Test-FederationTrust…

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : FederationTrustConfiguration
    Type : Success
    Message : FederationTrust object in ActiveDirectory is valid.

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : FederationMetadata
    Type : Success
    Message : The federation trust contains the same certificates published by the security token service in its
    federation metadata.

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : StsCertificate
    Type : Success
    Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : StsPreviousCertificate
    Type : Success
    Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : OrganizationCertificate
    Type : Success
    Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

    RunspaceId : 49a4a988-df50-4c56-9e1a-c76876d3e0ce
    Id : TokenRequest
    Type : Error
    Message : Failed to request delegation token.

    Error. Attempted to get delegation token, but token came back as null.
    + CategoryInfo : NotSpecified: (:) [], LocalizedException


  5. Olaf says:

    What if the admin has created the mailbox in Office 365 instead of in the EAC on the Hybrid? How can I match this with the On Prem environment?

    • shahin says:

      Hi Olaf,

      Did you run this command to enable EAP?

      Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

      When ABP routing is turned on, users that are assigned to different GALs appear as external recipients and won’t be able to view external recipients’ contact cards.

  6. Scott says:

    Hi Paul,

    I have a question regards the “MIGRATING A MAILBOX TO EXCHANGE ONLINE” part.

    Will the mailbox be offline/unavailable during this migration as well just like when we migrate users from a local Exchange 2013 to local Exchange 2016?

  7. Em-em says:

    Hi Paul,

    This is one flawless Hybrid Migration guide you have here.

    I was wondering, do you have a separate article for a fallback plan if ever something comes up with exchange online?

    • If you leave the hybrid configuration in place you can easily off board the mailboxes. If you remove the hybrid, it can be re-established reasonably easily. If you remove directory sync, it gets a lot harder to re-establish hybrid.

  8. Jean-Luc says:

    Hi Paul,
    And thank you, once again for this article.
    Do you think hybrid configuration is adapted to Exchange mailboxes migration from O365 to Exchange on premises? On the AD Infrastrucure, there is not yet Exchange Organization.
    Do you mentions this scenario on the 3rd edition of” office 365 for exchange professionals”?
    Best regards

    • Hybrid is the only supported method of off-boarding mailboxes from EXO to on-premises Exchange. The challenge is with the directory synchronization part. When you build a brand new Active Directory and sync it up to an existing Office 365 tenant, you have to be very careful to ensure the accuracy of the attributes and values of the on-premises AD objects (e.g. names, email addresses), because they will overwrite the values in Office 365 when directory sync begins.

  9. Tony says:

    Hi Paul,

    Since running the Hybrid wizard and completed, i noticed that when i click the Office 365 Cross Premise link in EAC, i am taken to the MS website rather than the control panel for O365. Do i need to allow time for this to take effect once i have run the wizard?

  10. Tony says:

    One last query here, am i right that following this method of Hybrid (ie not Full Hybrid) means that O365 migrated users wont be able to access Public Folders from on Premise?

    Is there a way around this without a federation trust?

  11. Scott says:

    Good Afternoon,

    We are an office 365 shop. We currently have an exchange 2003 server in our environment that we are looking to decommission. Our goal is to get to 2016 in hybrid mode so we can manage our office 365 mailboxes via the EAC. Does this make sense? We are never going to have on premise exchange however since we need to get rid of exchange 2003 we need an exchange server to take its place. Any help would be appreciated

    • From 2003 the furthest you can migrate in one hop is 2010, so that’s your first step.

      2010 is capable of hybrid but long term I believe you’re better off with 2016 anyway. So from 2010 you can migrate to 2016, or just introduce 2016 for the hybrid functionality and move the mailboxes from 2010 -> Exchange Online, then decommission the 2010 server.

      Our Office 365 for IT Pros book has a lot of detail on hybrid.

  12. HSC-TSA says:

    Hi Paul,
    And thank you, once again for this article.

    I’ve migrated all mailboxes from Exchange 2013 to Exchange Online, then upgraded the Exchange 2013 to 2016 having two server on-premises, and successfully run “Microsoft Office 365 Hybrid Configuration Wizard”.

    Q. How often the sync run between the Exchange 2016 and Exchange Online, as all mailboxes reside on O356? And how to check the sync status?


    • Exchange itself doesn’t run any synchronization. The synchronization that is performed is the directory synchronization, which is handled by whichever directory sync tool you deployed (ideally Azure AD Connect).

  13. TeamTerry says:

    Note that there is a known issue with Exchange 2013 CU-13 and CU-14

    Issue with Free-Busy in Exchange 2013 – CU13 and CU14
    Free-Busy was not working in the new Hybrid configuration.
    A failure in the Exchange Remote Connectivity Analyzer had this error –
    — The remote user mailbox must specify the the explicit local mailbox in the header —

    Resolution – https://social.technet.microsoft.com/Forums/office/en-US/f96cb52f-5b72-4815-b871-4c5364c1e07a/the-remote-user-mailbox-must-specify-the-the-explicit-local-mailbox-in-the-header?forum=exchangesvrclients

    Other Information – https://support.microsoft.com/en-sg/kb/3001281

    Resolution (from the TechNet link above
    I opened a case with Office 365 Support and this was my resolution:
    1. Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -OAuthAuthentication $False
    2. Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -OAuthAuthentication $False
    3. Post disabling, perform IISRESET and test.
    4. You need to do this when users are accessing emails and IISRESET may interrupt the email delivery.
    5. Disable OAuth on Exchange Online also, as per article – https://support.microsoft.com/en-sg/kb/3001281
    Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false

    Once I did this, my Free-Busy worked.

  14. MARIUS says:

    hELLO Paul ,
    (exchange hybrid migration)

    sorry can you help me to solve mail flow problem ?

    after migrating two mails box to office 365 , those user’s can send email from 365 to external users, but theire can not receive email .

  15. Juan Villarreal says:

    So I’ve read up on Offboarding from O365 to on-prem and it seems like a fairly simple process if you have a brand new spanking AD.
    I have a company that has been acquired and is merging. They have on premise exchange server with an existing domain and users. They will add 9 additional domains as aliases. 2 of those domains are different Office365 tenants. How do you handle the migration of something like this? How does the Exchange Guid handle the import of a user that already has a viable mailbox? Is there a way to just mass import all the mailboxes and then just attach them to an AD user later?

  16. Roberto Oviedo says:

    Hello Paul, you can orientate me on a little problem that seems insignificant but always worked until we updated the last CU of EX2013 and enabled Group WriteBack in ADConnect to synchronize the groups of Office 365.

    The problem is that when I enter the ECP of my Hybrid server and I want to switch to the tab Office 365 sends me to the page to compare plans and not to the login of my tenant.

    Everything seems to be working only that specific point is the one we have not found that may be happening.

    Thanks in advance.

  17. Yam says:

    Hey Paul, If you can please clarify my below query-

    We are planning Migration from Exchange 2010 to Office 365 with Exchange 2016 Hybrid, currently all the mailboxes reside on 2010, 2016 will be introduces as new server into the same Exchange organization

    When planning the mailbox migration, i should first move them from 2010 to 2016 and then to Office 365 or i Can directly move from Exchange 2010 to Office 365

  18. Ram says:

    Hi Paul – Excellent document. I am following your document to convert my home exchange 2016 lab to hybrid. So far, I have done the following:
    1. Completed Azure AD
    2. Have access to Office 365 Admin Center
    3. Completed Hybrid configuration
    4. Office 365 Admin Center has all AD account info (that is users)

    In order to test hybrid configuration – I need to sign up for O365 license for the users. Since this is home lab – which license, I should go for so, I can complete hybrid test by following your document? As, I see you are using EnterprisePack license.



  19. Ram says:

    Hi Paul – Thanks for the info. I did sign up for trial Enterprise E3 with 25 Lic. Completed EX2016 Hybrid and tested everything. All working fine. My setup is single EX2016 without Edge.

    My question – If there are multiple EX2016 server within the network (Say DAG – 2 Servers) – what is the procedure to complete Hybrid configuration?

Leave a Reply

Your email address will not be published. Required fields are marked *