A Hybrid Exchange configuration provides integration between an on-premises Exchange organization and Exchange Online (Office 365), allowing the two organizations to appear as one for end users and administrators.

Hybrid Exchange configurations can be used for two scenarios:

  • As a migration path between on-premises Exchange Server and Office 365
  • As a permanent state for your on-premises Exchange and Office 365 organizations

Compared to other native Office 365 migration methods, a Hybrid Exchange deployment quite simply provides the best end user experience. Although the trade-off for IT is a more complex infrastructure than a Staged or Cutover migration requires, the pay-off is well worth it, if you ask me.


Listen to Michael Van Horenbeeck and me discussing Hybrid Exchange on the Exchange Server Pro Podcast.

Benefits of Hybrid Exchange Configuration

Here are five benefits of a Hybrid configuration, and how they make migrations and ongoing co-existence with Office 365 better for your entire organization.


A Hybrid configuration requires a synchronized identity model, which involves the deployment of a directory synchronization tool such as Azure AD Connect. You can deploy directory synchronization with password sync for “Same Sign-On”, or directory synchronization with federated identity (AD FS) for “Single Sign-On”. Either way, the sign-on experience is better for users because they don’t need to manage two sets of credentials.

Read more about planning an identity model for Office 365.

Email Hygiene

Exchange Online Protection (EOP) is included with all Exchange Online plans. It provides secure mail routing between your on-premises Exchange servers and Exchange Online, and protects your organization from spam and malware in emails. You can also enable EOP Advanced Threat Protection for additional protection from zero-day attacks and malicious links. As a cloud-based service, EOP eliminates the need to operate a third-party email security solution, while also offloading the burden of receiving and processing all of that spam and malware traffic from your on-premises network.

Rich Co-Existence

In a Hybrid configuration, on-premises Exchange and Exchange Online mailboxes can collaborate as though they are in the same organization. Outlook calendar and free/busy information is available across both environments, both environments share a common Global Address List, and emails between on-premises and cloud recipients are treated as internal messages.

Remote Mailbox Moves

Move requests between Exchange on-premises and Exchange Online work like mailbox migrations between two on-premises databases, occurring online and non-disruptively to end users. After a mailbox has been moved the Outlook profile is automatically updated, and the OST file does not need to be rebuilt, which removes the burden of deskside support and network traffic that occurs in a Cutover or Staged migration.

Cloud on Your Terms

A Hybrid configuration allows for both on-boarding to Exchange Online and off-boarding back to Exchange on-premises. This allows an organization to move one, or just a few, mailboxes to the cloud for a pilot phase. If any problems are encountered, the mailboxes can simply be moved back to the on-premises Exchange servers, an option that is not possible with Cutover and Staged migrations.

Hybrid Exchange Demonstration

Over a series of upcoming articles, I’ll walk through a Hybrid Exchange deployment scenario for an example organization. The Exchange Server Pro organization has a co-existence on-premises environment of Exchange Server 2010, 2013 and 2016, including the use of Edge Transport servers. Using this example organization I’ll demonstrate how to prepare and establish a Hybrid configuration, perform a variety of administration tasks, and how to leverage Office 365 features in a Hybrid environment.


About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


  1. Mickey

    Hi, love your site!

    I have inherited a current hybrid environment, all mailboxes moved to 365.
    1x 2016 Mailbox role (running Hybrid) – not internet facing (no mailboxes)
    2x 2010 CAS/Mailbox roles – internet facing (no mailboxes)

    I would love to remove hybrid entirely, but if I uninstall Exchange I understand I will lose the attributes that are synced with 365, and hence they will get removed, leaving me a headache of user issues, such as send on behalf and aliases etc. We can’t remove AD Connect, as we need this to manage our 20k users.

    Can I simplify the above initially by uninstalling the 2010 servers, leaving the 2016? Do I need this to be internet facing if we do not need mailbox move ability?

    Also, if anyone has ideas on how to completely remove hybrid, but keep Azure AD Connect… I know what MS says!


  2. Jeff

    Hi Paul,

    I have a question. We are running in Hybrid Mode right now but public folders aren’t accessible to some of our Office 365 users. A couple of O365 users are still able to access but others aren’t. Any ideas on this would be helpful. I get the error message “The set of folders cannot be opened. The attempt to log on to Microsoft Exchange has failed.”

  3. Jerry

    Hello Paul

    Wanted to get your insight on users who have mailboxes that are in the range of 60-80 GB. We are planning to set up a DAG environment but are worried about the performance of about 15 users who have these types of sizes in their mailboxes. Do you think it would be wise to house these mailboxes on O365, or to set up a DAG and keep the larger mailboxes locally on a server?


  4. Phil Ready

    Hi Paul
    You have great stuff here.
    I have hybrid Exchange. In onprem before Hybrid we had a ScriptingAgent run ‘on create’ to set the default calendar permission to Reviewer. How can I achieve this for mailboxes going forward that are provisioned?
    Also with shared mailboxes, can we set the sent as behaviour to save in the shared sent mailbox to be the default? And can we do the same for deleted items?

  5. Ricardo

    Hi Paul,
    I have two Exchange 2016 hybrid servers with a DAG. Currently the FSW is on a file server we are decommissioning. Can I move the FSW to a netapp cifs share and what would be the process?
    Thank you, Ricardo

  6. Daniel Bruss


    I have scoured my trusty copy of “Office 365 for IT Pros 5th Ed.” as well as loads of blog and forum posts and cannot seem to find my answer so I’m hoping someone here might be able to shed some light.

    I am getting ready to set up a Hybrid solution between on-prem 2016 and O365 and my client raised a question about logon time restrictions. My client would like the ability to set logon time restrictions for AD user account but does NOT want those time restrictions to affect O365 logons. We are planning to use the Azure AD Connect with pass-through authentication (PTA) because we are leery about password hashes being stored in the cloud. Since we plan to use PTA over PHS, it is my understanding that things like time restrictions could potentially affect O365 logons because the authentications will happen on-prem but I can’t seem to find a straight answer on that. If using PTA would subject the O365 logons to the time restrictions, we may punt and accept the risk of using PHS instead.

    Thanks for taking the time to read this post!

  7. Frans

    Can we get rid of our on prem Exchange servers and migrate to Exchange Online cloud only?
    We have hosted multiple domains on our Exchange environment which should be migrated to multiple tenants. We have set up our Exchange environment with one of the tenants, but it seems we never get rid of hybrid. We want to fully migrate one domain, disconnect hybrid, set up hybrid to the other tenant and so on. We are now in a nasty situation where we have to set up multiple Exchange environments to migrate. Please advise!

  8. Tim

    Hello Paul,

    I have successfully migrated 500+ users over from Exchange 2007 to Office 365 using the staged method. The plan is to keep all mailboxes in the cloud but now the more I read, it seems I will still need to keep the Exchange server active for management purposes. Should I now look at upgrading Exchange and configuring Hybrid mode just for the sake of ongoing user management? We are using AD sync. Can I follow the same guide as preparing for a hybrid migration? Do I risk breaking anything?

  9. Edwin Kok

    Hi Paul

    I am in the middle of getting familiar with hybrid setups and migration by following some MS courses, and I want to test things out before I am actually going to help some clients in their production environment. Do you know what O365 plan I need for testing purposes only? I think I only need it for a couple of weeks or so.

    After that I have no problem removing / stopping the subscription and losing the test setup.

    Edwin Kok

  10. SAT


    I am looking for a step-by-step guide to introduce an Exchange 2013 Hybrid server in our existing Exchange 2010 Hybrid setup. Can anyone help me with this?


  11. Muhammad Omer

    Dear Paul,

    Can you please help me with the current scenario the customer is having? I need to migrate to Office 365 using Exchange 2016 hybrid, which I have already installed in their environment, but I do not know what to do next. Can you help please?

    Current Scenario:

    1. Customer has a Google Apps portal with 320 users (100 IMAP directly) + 220 emails in Google, and is using POP downloaders forwarding to their on-premises Exchange Server (2010).
    2. Exchange Server 2010 with 420 users (220 users which are part of Google. Example: if Google Apps has a user abc@domain.com and Exchange has the same mailbox with abc.local, a forwarder is forwarding the email).
    3. Currently the customer has .local as the Authoritative domain and other domains are used as Internal Relay.
    4. Currently a few domains are added in Google Apps and an SMTP relay was created to send the same to external users (only send + receiving using POP forwarders, providing the credentials in the application).
    5. Currently there are group mailboxes which are “email@domain.local” and users are added in the same.
    6. Currently the only SMTP alias is email@domain.local, but the AD & Exchange servers are joined to the domain “domain.com” itself.
    7. Currently using on-premises GFI Essentials for AntiSpam (mail flow: Google (User@domain.com) – POP forwarder (User@domain.local) – GFI Essentials on the same server for AntiSpam – CAS & user mailboxes).

    1. Paul Cunningham

      Hi Muhammad, it’s not possible for me to advise on complex scenarios like this, especially here in the comments of a blog post. I recommend you engage a consultant to help you plan and run the migration.

  12. Caleb Stanley

    Hey Paul,

    We are getting this error (about 3 hours after trying to send an email):

    Diagnostic information for administrators:

    Generating server: EX-C.pinelake.local
    Receiving server: pinelake-mail-onmicrosoft-com.mail.protection.outlook.com (
    Remote Server at pinelake-mail-onmicrosoft-com.mail.protection.outlook.com ( returned ‘400 4.4.7 Message delayed’
    5/1/2018 12:17:09 AM – Remote Server at pinelake-mail-onmicrosoft-com.mail.protection.outlook.com ( returned ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was’

    I have refreshed the certificates that are associated with the receive connectors on the Exchange server that we are using (EX-C) per a MS article.

    Any ideas on this would be greatly appreciated! Thanks in advance!

    1. Paul Cunningham

      Outbound mail from on-prem to O365? Sounds like a certificate problem with the send connector that is used for hybrid mail flow. If you’ve made certificate changes to try and fix it you would also need to re-run the HCW.

      1. Caleb Stanley

        It’s for both outbound from O365 and inbound from an external email to O365… the MS support article had me set the certificate to $null via the PS on the RECEIVE connector… do you think I need to do it on the SEND connector as well?

          1. Paul Cunningham

            The article says set the tlscertificatename to null, then re-run the HCW. Did you re-run the HCW?

          2. Caleb Stanley

            I did re-run the HCW after setting to null… I made sure that I selected the new certificate as well.

          3. Paul Cunningham

            Ok. I recommend you open a support ticket with Microsoft then. I can’t see your environment so even if it’s something obvious I would only be guessing at possible solutions.

          4. Caleb Stanley

            Yeeeaaaahhhh… I’ve done that and they’re stumped too 😀 Thank you for your insight Paul! I can’t for the life of me figure out this one little thing.

          5. Caleb Stanley

            After many hours of trial/error… I have FINALLY gotten email to work in both arenas… our primary domain had to be set as “internal relay” on both ends, I had to disable ESMTP inspection on our Cisco ASA, and I think a couple more things.

          6. Paul Cunningham

            Oh! That SMTP inspection on Cisco devices breaks TLS, yeah. That’s been an issue forever. Always turn that off.
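
An added example, not part of the original comments: a way to check whether STARTTLS is being stripped on the path to a mail server, the failure the thread above ended on. The masked banner and `XXXXXXX` keyword patterns are the commonly reported form of SMTP inspection rewriting and are treated as assumptions here; the transcripts and host names are constructed.

```python
import re
import smtplib

# Assumed signatures of SMTP inspection rewriting the dialogue: the banner text
# replaced by asterisks, and EHLO keywords overwritten with runs of "X".
MASKED_BANNER = re.compile(r"220[ -][*0-9 ]*\*{4,}[*0-9 ]*")
MASKED_KEYWORD = re.compile(r"X{4,}[A-Z]?")


def classify_ehlo(banner, ehlo_lines):
    """Return 'offered', 'masked' or 'absent' for STARTTLS on one SMTP session."""
    keywords = []
    for line in ehlo_lines:
        m = re.match(r"250[ -](\S+)", line.strip())
        if m:
            keywords.append(m.group(1).upper())
    extensions = keywords[1:]  # the first 250 line is the server's greeting name
    if "STARTTLS" in extensions:
        return "offered"
    if MASKED_BANNER.fullmatch(banner.strip()) or any(
        MASKED_KEYWORD.fullmatch(k) for k in extensions
    ):
        return "masked"  # something on the path rewrote the dialogue
    return "absent"      # the server itself does not offer TLS


def probe(host, port=25, timeout=10.0):
    """Live check, to be run from the sending server's network position."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, banner = smtp.connect(host, port)
        ecode, reply = smtp.ehlo("probe.example")  # placeholder EHLO name
        if ecode != 250:
            return "absent"
    first = (banner.decode(errors="replace").splitlines() or [""])[0]
    lines = ["250-" + l for l in reply.decode(errors="replace").splitlines()]
    return classify_ehlo(f"{code} {first}", lines)


# Constructed transcripts (not captured from any real server).
DIRECT = ("220 mx.example.test ESMTP ready",
          ["250-mx.example.test Hello", "250-SIZE 157286400",
           "250-STARTTLS", "250 CHUNKING"])
INSPECTED = ("220 ************************",
             ["250-mx.example.test Hello", "250-SIZE 157286400",
              "250-XXXXXXXA", "250 XXXXXXXB"])
PLAIN = ("220 relay.example.test ESMTP",
         ["250-relay.example.test", "250 SIZE 10240000"])

if __name__ == "__main__":
    for name, (banner, lines) in [("direct", DIRECT), ("inspected", INSPECTED),
                                  ("plain", PLAIN)]:
        print(name, classify_ehlo(banner, lines))
```

A "masked" result from inside the network, alongside "offered" from outside it, points at an inspecting device on the path rather than at the Exchange connector certificates.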

  13. Juan M


    I have to do a proof of concept in my environment. In short, we have multiple Exchange 2010 forests and FIM. Only one is going to be a Hybrid in one tenant.
    What about Free/Busy and GALSync in a multiple forest scenario and one tenant?


    1. Paul Cunningham

      I don’t have any experience with complex multi-forest scenarios like that to share, sorry. Perhaps post on Reddit or the Microsoft Tech Community to see who can offer their advice. If you don’t have any luck with that, you may need to hire a consultant who specialises in complex scenarios.

      1. JuanM

        I will do it. When I have the possible solution, I will publish too for future references.

        Thanks Mate

  14. Russell

    Hi Paul,
    I’ve struggled to find an answer to my question with Hybrid. Using a couple of Exchange 2013 servers on-prem set up in a DAG, and looking to Hybrid migrate to Office 365.
    To secure the data, I wish to use conditional access to meet the requirement of securing access to Exchange Online only from my offices/datacentres.
    I do however want to still allow ActiveSync to be accessible by the wider public. There is an MDM solution involved which is onsite with Exchange 2013.

    Can I ask:
    1. Is this possible to secure access to a site for Outlook/Email access, however still allow activesync anywhere access?
    2. Is this possible using AAD Connect and not ADFS?
    3. Have you seen any documentation for this?
    4. Finally, any caveats?

    Thanks muchly!

  15. Shane Landmeier

    Can you implement a Hybrid Exchange Server with no cost and no existing Exchange server if you are an Office 365 enterprise customer?

    1. Paul Cunningham

      Assuming “no cost” means “without paying for an Exchange license”, no.

  16. Natalie

    I have Exchange 2013 in co-existence with Office 365, I have moved all mailboxes over to 365. Any changes to anything has to be done on prem, mailboxes are created on premise and then migrated over to 365. I want to be able to make most changes and creation from 365. How do I best approach this?

    1. Paul Cunningham

      You can create the mailboxes as remote mailboxes/O365 mailboxes so that they are created in Exchange Online. No need to have them created on-premises and then migrate them, except for shared mailboxes which are a different story. Documentation for creating mailboxes in hybrid environments is on TechNet and other sources available via a Google search.

  17. Dhanu

    Is it possible to use a hybrid deployment as a high availability solution? When Exchange on-premises is down, we can still send/receive email with Office 365.

    1. Paul Cunningham

      No. The mailbox can only exist on-premises or in the cloud, not in both at once. If you have availability concerns about your on-premises servers then I would suggest to you that Office 365 is the better place to put your mailboxes.

  18. Femi

    Thanks for this article. We are planning a migration to O365 come the first quarter of 2016. I can’t wait to see your guide on the deployment process.

    Once again, thanks for taking the time to write and research these articles.


  19. Iamli Bapen

    AD FS for “Single Sign-On”.

    Is not completely true for Outlook clients, as Office 365 Exchange uses basic authentication. So it will prompt you for credentials (yes, you can select remember your password, but the next time you change it, it pops up again). Solution is to ask Microsoft for preview ADAL authentication for your O365 tenant. This way Outlook benefits from ADFS SSO.

  20. Jackie von Baren

