In the previous article in this series on Hybrid configuration, we looked at testing a new Hybrid configuration between on-premises Exchange and Office 365.

In this article I’m going to demonstrate the cutover of inbound mail flow from the on-premises Exchange servers to Exchange Online, so that the organization can use Exchange Online Protection (EOP) for email anti-spam and anti-malware protection.

Currently the mail flow looks like the diagram below. The MX records for the domain are pointing to the on-premises environment, which is using an Edge Transport server to receive incoming email.

[Image: hybrid-mail-flow-mx-cutover-01]

In your own scenario the Edge Transport isn’t mandatory, and could just as easily be a third-party email security appliance, a cloud-hosted service, or mail might be going directly to Exchange. Whatever the case, if you’re planning to start using EOP to protect your email then you can still follow this guide.

EOP is already enabled for all Exchange Online tenants, so there’s nothing specifically required from you to turn it on or get it working. However, you might want to spend a little time looking at the EOP configuration before you cut over mail flow to it. This is especially true if you are switching from a different email security appliance or system. Although all of these products basically do the same thing, they all do it in different ways, and they all have different administrative options and controls.

You can find the Exchange Online Protection settings for your Office 365 tenant by logging in to the Exchange admin center, and then navigating to the protection settings.

Once you’re happy with the EOP settings for your tenant, and assuming that mail flow between the cloud and on-premises servers has been successfully tested, it’s time to change your MX records. The MX record that will point your domain’s email to EOP is found in the Office 365 admin center by navigating to Domains, and then clicking Domain settings for your domain name.

[Image: hybrid-mail-flow-mx-cutover-03]

DNS changes of this nature can take some time to take effect, even if you have a low TTL set on your DNS records already. I recommend not making any changes to your firewall or any other configuration that might cut off your on-premises server from receiving emails, until perhaps 24-48 hours after the DNS change when you’ve confirmed that mail flow is going via EOP.

The end state will be something like the diagram below. If you don’t have an Edge Transport server, mail flow from EOP will go to one or more of your other Exchange servers.

[Image: hybrid-mail-flow-mx-cutover-02]

You can test the MX record change by sending emails from external sources, such as Gmail, and then inspecting the headers (ExRCA has an analyzer you can use for this) after the messages arrive. You should see the emails go from Gmail to Microsoft’s EOP servers (with names like DB3FFO11FD931.mail.protection.outlook.com), before they are routed on to your on-premises servers.

[Image: hybrid-mail-flow-mx-cutover-04]
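The header inspection described above can be scripted across a batch of saved test messages during the 24-48 hour window. The following is an added example, not code from the original article: the on-premises host names, sample messages and IP addresses are constructed placeholders, and it goes slightly beyond the article by checking only the hop stamped by your own servers, so that an EOP-looking `Received` line written by the sender does not count.

```python
"""Classify inbound messages by how they entered the on-premises servers."""
import email
import re

EOP_SUFFIX = ".mail.protection.outlook.com"  # suffix of the EOP host named in the article
# Assumption: the on-premises servers that stamp Received headers (placeholder names).
ONPREM_HOSTS = frozenset({"edge01.example.com", "mbx01.example.com"})

# "from <host> ... by <host>"; the "from" clause is optional in some Received headers.
_HOP = re.compile(r"(?:from\s+(?P<src>\S+).*?)?\bby\s+(?P<dst>\S+)", re.I | re.S)


def received_hops(raw_message):
    """Return [(from_host, by_host), ...] in header order, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = _HOP.search(header)
        if m:
            src = (m.group("src") or "").lower().rstrip(";")
            hops.append((src, m.group("dst").lower().rstrip(";")))
    return hops


def inbound_path(raw_message, onprem_hosts=ONPREM_HOSTS):
    """Return 'via-eop', 'direct' or 'no-onprem-hop' for one message.

    Only headers stamped by our own servers are trusted, so walk from the
    newest header down and stop at the first hop not received by us. The
    "from" name is what the connecting host announced, so this is a cutover
    check, not a replacement for restricting who may connect on port 25.
    """
    for src, dst in received_hops(raw_message):
        if dst not in onprem_hosts:
            break                      # below this point the sender wrote the headers
        if not src or src in onprem_hosts:
            continue                   # internal hop between our own servers
        return "via-eop" if src.endswith(EOP_SUFFIX) else "direct"
    return "no-onprem-hop"


def audit(messages, onprem_hosts=ONPREM_HOSTS):
    """Map Message-ID -> path; 'direct' entries did not pass through EOP."""
    report = {}
    for raw in messages:
        msg_id = email.message_from_string(raw)["Message-ID"]
        report[msg_id] = inbound_path(raw, onprem_hosts)
    return report


def _msg(msg_id, *received):
    """Build a constructed sample message; Received values are newest first."""
    lines = [f"Received: {r}" for r in received]
    lines += [f"Message-ID: <{msg_id}>", "Subject: cutover test", "", "test body"]
    return "\n".join(lines)


EOP = "DB3FFO11FD931.mail.protection.outlook.com"  # name format quoted in the article
STAMP = "; Mon, 01 Jan 2024 10:00:00 +0000"         # constructed timestamp
INTERNAL = "from edge01.example.com (10.0.0.5) by mbx01.example.com (10.0.0.10)" + STAMP

# Constructed samples: new MX in use, stale MX still in use, forged EOP line.
SAMPLES = [
    _msg("via-eop@example.net", INTERNAL,
         f"from {EOP} (192.0.2.10) by edge01.example.com (10.0.0.5)" + STAMP,
         f"from mail.sender.example.net (198.51.100.20) by {EOP} (192.0.2.11)" + STAMP),
    _msg("stale-mx@example.net", INTERNAL,
         "from mail.sender.example.net (198.51.100.20) by edge01.example.com (10.0.0.5)" + STAMP),
    _msg("forged@example.net", INTERNAL,
         "from mail.bulk.example.org (203.0.113.50) by edge01.example.com (10.0.0.5)" + STAMP,
         f"from {EOP} (192.0.2.10) by edge01.example.com (10.0.0.5)" + STAMP),
]

if __name__ == "__main__":
    for msg_id, path in audit(SAMPLES).items():
        print(f"{path:14} {msg_id}")
```

Messages reported as `direct` after the DNS change are the ones still arriving over the old path, which is the signal to wait before closing inbound SMTP to the on-premises servers.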

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Jerry

    Hello Paul,

    We have an Exchange 2010 Hybrid server with on premise and 356 mail accounts. We are thinking about moving the Exchange 2010 to another server that is more up to date. The reason we are is because we have not been able to figure out how to get 1000 users to work with Outlook 2010 on a Citrix environment using published apps. Outlook doesn’t connect and keeps on asking for credentials.
    The question I have is, we are changing the hybrid connector from 1 server to another; during a current mailbox synchronization will we lose the syncs in progress? We have 150 mailboxes currently syncing. What do you think?

  2. Khai Ly

    I have a problem scenario which I hope you can advise on quickly. Our company email flow inbound is Cisco ESA -> EOP -> edge -> onprem

    Problem is delivery from Cisco ESA to EOP; it’s being bounced back. Detail showing this in ESA. Error advising the destination server is rejecting the SMTP transfer. Don’t recall the error code, but it mentioned something relating to the message content. A different external sender sent the sample email and it seems OK (had an attachment file). What log or tracing can I get from EOP in O365 to find what is the cause? Can’t see anything in message trace or quarantine.

    Hope you can help.
    Thanks

    1. Khai Ly

      Problem solved. Issue is with a Cisco ESA bug in August that was putting a large header in the messages when it’s sent to a large number of recipients.

      1. Raj

        Hi Khai, is the routing working fine from ESA -> EOP -> O365 mbx?

        We are planning to implement this.

  3. Vivek Kumaresan

    Hello Paul,

    How do I change the MX record pointing from Proofpoint to EOP? Also, how will I migrate inbound and outbound rules from Proofpoint to EOP?

  4. Olajide Akinwande

    Hi Paul, I have a rather weird issue. I have configured hybrid for my Exchange organization and mail flow between O365 and on-premise is fine; however, on-premise users are not receiving external emails from the internet and cannot send external emails to the internet as well. Is there any special thing I need to do in the O365 Admin center for on-premise users to use EOP?
    Please note that if I switch MX to point to my on-premise Exchange, emails flow to on-premise users fine. Also, if I enable the send connector to the internet on the on-premise server, on-premise users can send mail to the internet through it.
    The only breakdown is when mail needs to flow through EOP > O365 > On-premise and from On-premise > O365 > EOP > Internet.
    Thanks.

    1. Olajide Akinwande

      I just checked this again and email between on-premise and O365 is actually what is broken. Looks like a Unified Address problem. Any clue on additional steps to configure that? Thought HCW was supposed to handle everything.

      1. Wali Jan

        Check your send connectors for EOP to OnPrem and vice versa.
        Cheers

  5. Michael T.

    Hi Paul, I am moving my clients from Office365 to On-Premise. I currently have a 2019 Exchange Hybrid. I moved one user to on-premise but now this user cannot email the users in the cloud but is able to email any other accounts. This account can also email other test accounts on the On-Premise Exchange server. What is going wrong here?? TIA

  6. Michael

    Hello Paul, thanks for the great article! I was wondering if you can shed some light on this setup.

    Our environment consists of 2 on-prem Exchange 2010 servers, 1 Exchange 2016 VM running Mailbox role, load balancers, Mimecast, External DNS hosting, AAD Sync Connector, and O365. Due to our unique setup, we’re unable to install HCW onto 2010 servers from past configuration changes that may have altered the way Exchange processes and routes messages.
    So it was suggested to install 2016 Exchange server with HCW, disconnect user from Exchange 2010, which basically breaks the Exchange Online mailbox, migrate using a 3rd party tool, and reconnect using PS. We followed all procedures, changed MX in External DNS to point to Mimecast, and set up all connectors for routing email on prem and off. The problem is we’re seeing 2 mailboxes set up, on prem and in Exchange Online, probably due to GUID using AAD Connect. Mail flow somewhat worked as we’re still trying to understand and determine where the issue is after we temporarily disconnected the network from 2010 servers. In the end, we’d like to host the mailboxes on Exchange Online while using the Exchange 2016 server as a mail relay for all 3rd party apps running till we find solutions for those. With all the scenarios posted, do you have any recommendations?

    -Thank you

    1. James Jackson

      Hello Michael,
      Just wanted to know if you guys were able to get a solution in place as I’m tasked with removing an Edge Server from our mail flow architecture but allowing On-Prem application to mail relay to internet via an Exchange Server> EOP> Internet. Thanks in advance for your response.

  7. stefano

    Hi Paul,

    Thanks for your great post. I’ve a question about a migration I’m going to do in the next weeks. In our environment we have two Exchange 2010 in DAG and, since we want to use AAD Connect for single sign-on, we’ll use hybrid migration, move all our users to the cloud and keep an on-prem Exchange for management.
    My question is about the on-prem Exchange: can we add a VM with Exchange 2016 and switch off our two physical Exchange 2010? Does this configuration work? Or should we upgrade our current servers?

    Thanks

  8. Beas

    Paul,

    Once all the mailboxes are migrated to Exchange Online and we have mail flowing to EOP, can we leave ADConnect running but decommission our Exchange 2010 server? Do you have an article explaining how to remove the on-premises Exchange environment after a successful migration?

  9. Tony_Egypt

    Dear Paul;
    We have a hybrid scenario with 1 Exchange 2010 multi-role server. I need any article on how to decommission this server while keeping ADConnect to sync the identity of the new users, and how the new mailboxes will be created after the decommission.

  10. Hal

    Hi Paul,

    Great article, thanks for taking the time to put it together. I have a question if you have time:

    If you get to the point where all your mailboxes are on O365, you’re not using centralised transport and your MX records point to the cloud, can you shut down mail-flow to the on-prem server? Essentially I’m thinking it would be good to be able to reduce attack surface by shutting down port 25 at the firewall.

    Thanks again.

  11. Rene

    Hi Paul,

    We are running hybrid Exchange 2010 with most of our mailboxes in the cloud. We will be changing our MX to point to EOP to handle all incoming mail.

    We have connectors that route between on-prem and Exchange Online that were set up by HCW. We currently route on-prem traffic through a smarthost. I would like all traffic to go through EOP.

    I am unsure about the connectors and mail flow. I presume I would need to remove the default * connector to smarthost on Exchange 2010 after I migrate the MX record to EOP.

    Is that it, or do I need to create a specific connector to route things to EOP? Seems like the connectors are set to use our O365 address space.

    I looked at the link you posted above about Scenario1, but it doesn’t talk about connectors and Internet messages.

    Maybe I am overthinking it.

    I would also like to thank you for all of your articles. I have used the information you put online a large number of times.

    I reposted this as it seems it is stuck in moderation.

    Thanks,

    Rene

      1. Rene

        Hi Paul,

        I looked at that, but it doesn’t seem to discuss routing messages to the Internet through EOP from on-prem.

        If I disable the smart host connector to a server we currently use, messages just error out, because the current connector is only scoped to our domain addresses.

        Not sure if I need a specific connector on-prem and in Ex Online to allow internet messages to go through.

        Thanks,

        Rene

  12. Navishkar Sadheo

    Hi Paul

    Thank you for always sharing your knowledge with us.

    I recently changed my domain’s MX to point to EOP. Mail flow is working to my 365 and on-prem mailboxes fine; however, when emailing a 365 mailbox, the email goes to EOP then on-prem, which routes it back to EOP. In 365 I set my accepted domains to authoritative; however, the result is the same, so I set them back to internal relay. I have no idea what to do. Please help. In my on-premise org those domains are set to authoritative.

    1. Paul Cunningham

      Sounds like you have centralized transport enabled in your hybrid configuration. Re-run the HCW to turn it off if you don’t want that routing any more.

      1. Navishkar Sadheo

        Thanks Paul. Will running the HCW again interrupt mail flow? Also should I run it on one of my Exchange 2010 servers or is any domain joined machine fine?

  13. Rene

    Hi Paul,

    We are running hybrid Exchange 2010 with most of our mailboxes in the cloud. We will be changing our MX to point to EOP to handle all incoming mail.

    We have connectors that route between on-prem and Exchange Online that were set up by HCW. We currently route on-prem traffic through a smarthost. I would like all traffic to go through EOP.

    I am unsure about the connectors and mail flow. I presume I would need to remove the default * connector to smarthost on Exchange 2010 after I migrate the MX record to EOP.

    Is that it, or do I need to create a specific connector to route things to EOP? Seems like the connectors are set to use our O365 address space.

    I looked at the link you posted above https://technet.microsoft.com/en-us/library/e1da5f2f-c732-4010-85c9-878b2cef3fb3(v=exchg.150)#scenario1 , but it doesn’t talk about connectors and Internet messages.

    Maybe I am overthinking it.

    PS My mom was a Cunningham, so maybe we are cousins. 🙂

    I would also like to thank you for all of your articles. I have used the information you put online a large number of times.

    Rene

  14. Marco Mendible

    Hi Paul, I have an issue in a standalone EOP deployment. I configured the connectors with a successful test, but when I change the MX record to point to EOP, the external mails are not received for the on-premises mailbox and the NDR says “Error detectado: 554 5.4.14 Hop count exceeded – possible mail loop ATTR34 [BY2NAM03FT047.eop-NAM03.prod.protection.outlook.com] ”

    How do I fix this mail loop issue?

    Regards.

    1. Paul Cunningham

      No way for me to diagnose that without seeing it. I recommend you open a support case with Microsoft.

  15. Roger

    Hi Paul,
    First, thanks for your great article! We are in the process of starting a Hybrid deployment with Exchange 2016 on premise & O365. We are not going to completely migrate all our users and we wanted only selected users (critical users to have 24/7 uptime) to use O365 and the rest to use on premise.
    My doubts are
    1. What happens if on-premises goes down?
    a. Will the mailboxes in Office365 continue to send and receive emails?
    b. Will the emails to the mailboxes on-premises stay in the Office365 queue until the mailboxes are available, or are the on-premises emails rejected to the sender?
    2. How does the Skype migration work? Is this hybrid, on-premises and Office365, or do all have to go to Office365?
    Looking forward to hearing from you with your valuable response.
    Thanks,
    Roger

    1. Paul Cunningham

      Cloud mailboxes will continue to receive email as long as the MX points to Office 365 *and* you don’t use centralized transport for your hybrid mail flow.

      Mail for on-prem mailboxes will queue.

      No idea about the Skype question, sorry.

      1. Roger

        Thank You so much Paul for your precious time ! Thanks a lot !

  16. Ben

    Hi Paul

    We have a client with an onsite Exchange server using EoP for Anti-spam protection, we are not using a hybrid solution.

    They would like to have a cloud mailbox (Exchange Online). Considering the MX records already point to EoP, would email flow work for the cloud mailbox automatically?

    Cheers
    Ben

    1. Paul Cunningham

      You’re going to need a hybrid configuration if you want to host mailboxes in both EXO and on-premises.

  17. Ken

    Hi Paul,
    If we switch the Hybrid Mail Flow to Use Exchange Online Protection for Inbound Email, will we need the EOP license for on-premises mailboxes?

    1. Paul Cunningham

      You should speak to your licensing provider/reseller for any licensing questions.

  18. Kelvin Lee

    Hi Paul,

    We need help in setting up 365 mail flow. We have our own mail server; we subscribe to the F1 licenses for users because we would like to use Microsoft Teams and also Planner (requires an Exchange Online license to leave comments). All of our users have an email address with @abc.com for sending/receiving email. And we have some users whose email address is @abc.onmicrosoft.com; we use this kind of email address for automated systems like OneDrive alerts and Microsoft Flow.

    So now we are looking into this:

    1. Users with @abc.com remain using the external mail server to send/receive email. We don’t need 365 mailboxes because we do not allow users to use them.
    2. Users with @abc.com can receive internal email on the external mail server and can use MS Planner with comment alerts.
    3. Users with @abc.onmicrosoft.com use 365 mailboxes to send/receive email from internal/external.

    Hope to hear from you soon

  19. Weyland Yutani

    Hi Paul,

    Great article. I have a question about multiple accepted domains.

    If I have 3 accepted domains and redirect the MX for @domainA.com to O365 but leave @domainB.com and @domainC.com going to on-prem, how will this affect how clients connect via Outlook?

    For example, if a user in a remote site currently connects to his local on-prem exchange server to retrieve his @domainA.com mail, will he now be forced to connect to o365 to get his @domainA.com mail?

  20. Alan Wayne

    Hi Paul,

    Exchange 2010 server on prem using EOP standalone. Performed cutover migration to Office 365 Exchange Online, using Mimecast as smart host to replace EOP, for cloud mailboxes. After changing MX records to point to Mimecast, internet emails are being delivered to Office 365 but then bouncing. Message Trace shows error as unable to deliver to “external recipient” and NDR code 5.4.14 loopback error. I previously removed an outbound connector from EOP linking back to Exchange server on prem to try to prevent emails going to local mailboxes but now I am facing this looping issue. Please advise.

    1. Paul Cunningham

      I suggest you point your MX records at EOP. If the problem still occurs, raise a support ticket with Microsoft.

  21. Kristjan Leifsson

    Hi Paul,
    I am a little bit confused now. I recently started working for a company and this is their setup. I have two Exchange 2016 hybrid on premises. The MX record is pointing to Office 365, I have moved all mailboxes to Office 365. So my question is what can I do with the Exchange 2016 servers? Do I have need for them any more?
    Brgds Erro,

    PS:
    I bought your Office 365 for IT Professionals, I am on page 222, so far so good 🙂

    1. Paul Cunningham

      Hybrid requires directory sync. Directory sync requires an on-premises Exchange server for managing mail attributes on objects that are syncing to the cloud (remember, with dir sync in place your on-premises AD is the source of authority). So you need to retain at least one server for that requirement.

  22. Tony

    I just wanted to confirm that by routing all the emails to Exchange Online instead of on-premise (there will be no on-premise mailboxes) that any Outlook clients will have to be reconfigured if they were initially configured for on-premise. Is that correct?

    1. Paul Cunningham

      Routing is not the same as where the clients connect. Clients connect to wherever their mailbox is hosted, regardless of how you configure your mail flow.

  23. Daniel Woodward

    How does the existing, in my example Exchange 2010 Server send mail? Does it route everything through Office 365 first?

    I am concerned with this because I am wondering if I need to include my on-site in the SPF/DKIM scheme we will be setting up along with the move to Office 365.

    1. Paul Cunningham

      You have the choice to route outbound email directly or route via EOP. TechNet has detailed guidance for all of those scenarios.

  24. Prabodha

    Hi Paul,
    I followed your article and successfully set up the Hybrid with Exch 2013 (DAG) with Office 365. I want to keep the Hybrid setup for a longer time. I have only a few users migrated to Exchange Online; however, is it OK to change the MX pointer to Office365 even though larger mails are still on-premise?

    Second, what about on-premise outgoing mails. Currently we are sending mails through a third party Smarthost. But we want to send mails through Office365. Now after hybrid setup, there are two Send connectors in exchange server. How can I achieve to send mails thru Office 365 only and not use the smarthost for outside mails?

    Thanks
    Prabodh

      1. Prabodh

        Thanks Paul,

        I changed the MX record and it looks fine. And yes I follow the same link when creating the SPF record.

        Best Regards
        Prabodh

  25. Brad

    Paul,
    Hoping you can shed some light on this scenario:
    On-premise (physical) exchange 2013 server (Single Server)
    Migration to O365 completed (using ADSync)
    Has been running smooth for months, ready to decommission on-premise physical Exchange. Read benefits for retaining an on-prem exchange (2010) server for management of the ADsync exchange attributes. I created a new Windows VM to host the Exchange Management functionality, but I cannot find ANY procedure for ensuring this new VM/ExchMgmnt Server will function after decommission of the old on-premise physical Exchange.
    Any guidance is greatly appreciated!

  26. AL NG

    Hi Paul,

    Thank you for the guide. My outbound/inbound emails are going through Proofpoint, thus the MX records are theirs. Now some of my mailboxes will be migrated to Exchange Online but I still want to retain Proofpoint for my other on-premise mailboxes.

    So, can I add the MS MX record to the existing Proofpoint ones and give it higher priority? Or do I have to remove the Proofpoint MX records completely? Thank you.

    1. Paul Cunningham

      If you want inbound mail to keep going through Proofpoint you’ll need to leave your MX records pointing at Proofpoint.

      MX records can’t be used to differentiate mail for on-prem vs cloud mailboxes. It’s just a DNS record.

  27. James

    Hi Paul,

    Great post.

    Can you please help, my setup is;

    2 x Exchange 2010 servers in a DAG
    Exchange 2010 Hybrid environment
    Running ADConnect for ADFS

    I have migrated all mailboxes to the cloud and changed Autodiscover and DNS to point to Office 365, mail flow is working fine.

    I would like to continue using ADFS and install a single VM Exchange 2016 server only for administration of mailboxes and decommission the Exchange 2010 servers.

    Can you please advise me on the best way I could achieve this?

    Do I still require a Hybrid setup if I am only using Exchange 2016 for admin purposes?

    Much appreciated.

    1. Paul Cunningham

      Do a standard migration from 2010 to 2016. You can re-run the Hybrid Configuration Wizard to update it when the 2016 server is in place. Plan for firewall changes etc for hybrid connectivity to the new server.

      Whether you keep the Hybrid config in place or not is a decision for you. I would keep it in most cases.

  28. Jason Lees

    Thanks Paul, Yes you have answered my questions.

    My understanding is limited to what I have read and interpreted online, I will definitely have to invest in one of your books in future.

    That said I have managed to keep a company’s e-mail working in the last 8 years with only a few hours of down time (I wouldn’t have been employed here long if it were more). Migrating them from Exchange 2003 to 2010 and now completed an Office 365 migration for 400 mailboxes who use 4 different company domain names all working from 2 Exchange servers in a DAG…..so I can’t be too bad at this.

    Thanks again.

  29. Jason Lees

    Hi Paul,

    Your answer to Steve has confirmed what I thought, thanks. I have 2 questions about completion to office365, apologies if you have already answered this before.

    Question 1
    I have an on premise Exchange 2010 with HCW deployment using ADFS and have completed migration to Office365. If I remove the HCW does that stop me from administrating/creating future mailboxes without manually using Office365 and local AD?

    Question 2
    I would like to decommission my current Exchange 2010 server and replace it with an Exchange 2016 server and take advantage of the free HCW license offered by Microsoft. I understand that Exchange 2016 does not recognise a 2010 HCW so I would assume that would need to be removed first. Can this be done from Exchange 2016? Would you recommend this as Exchange 2010 is no longer being supported?

    Finally many thanks for your guides that you have posted over the years online they have been a great support and enable me to get this far over the years 🙂

    1. Paul Cunningham

      HCW = Hybrid Configuration Wizard. It’s a tool that you run to configure a hybrid between Exchange on-premises and Exchange Online/Office 365. It’s not a thing that you “remove” or that Exchange 2016 needs to “recognize”.

      To answer what I think are your questions:
      – You can deploy an Exchange 2016 server to facilitate the hybrid functionality.
      – The free license is not applicable to customers who have Exchange 2010 servers, only 2007 or earlier (you can check the TechNet page for more info on that)
      – If you want to deploy Exchange 2016 and have it facilitate the hybrid connectivity, you will need to re-run the HCW to reconfigure the hybrid configuration (among all the other deploy/co-exist/migration/decomm steps to make that 2010 -> 2016 transition).

  30. Steve

    Hey Paul,

    Nice write-up

    I have a question.

    Currently I am in a hybrid with centralized transport enabled. I want to re-direct all inbound & outbound through 365, & not through my on-prem org any longer.

    I am unable to find any information on how to switch/disable the centralized transport.
    Would we have to switch the MX(s) to 365, then re-run the Hybrid config wizard?

    1. Paul Cunningham

      Yes, re-run the HCW to change your centralized transport configuration, and update your MX records.

  31. Mark

    Hello,

    We are in the middle of a hybrid setup between local Exchange 2013 and Office 365. All mail from local Exchange mailboxes is routed to the Internet via a 3rd party antispam/antivirus appliance. We have configured centralized mail transport for hybrid so all mail from Office 365 mailboxes flows through the on-premises Exchange organization and then through the 3rd party antispam/antivirus appliance to the internet.
    Only 1/3 of mailboxes are migrated.

    We now need to get rid of the 3rd party antispam/antivirus appliance and want to use EOP completely for incoming (change mx) and outgoing mailflow from either local exchange mailboxes or Office 365 mailboxes.

    There are good documentations about using EOP for incoming mailflow in hybrid (like yours), would work without a problem. But how can we ensure that all outgoing mailflow uses EOP in this hybrid situation? Is this supported, what do we have to do to make it work?

  32. Rini

    Hi Paul,

    Great article. My domain is moved to another Office365 tenant. All mailboxes are still on premise. How do I reconfigure the existing hybrid setup, Exchange 2010? I have Azure AD sync.

    Thanks
    Rini

  33. Glenn

    Paul,

    Loved the article! To the point, good image usage, simply awesome! Best one I have seen so far, and I have seen a lot of them.

  34. tariq

    Paul,

    What kind of change should be done on-prem after pointing the MX record to EOP?

    Thanks

  35. Peter Smith

    Hi Paul, I enjoy your articles and respect your expertise so I followed this article when I wanted to use EOP to protect my on-premise Exchange servers. However, I’ve run into a number of difficulties and I realise I don’t know enough.

    I subscribed to Exchange Online using a ‘spare’domain that I own, let’s call it myO365.com. That was easy and any email sent to me@myO365.com reaches the O365 mailbox. Now to protect my ‘real’ domain: mydomain.com. I added this as a domain in the O365 Admin centre and set DNS records as instructed, specifically changing MX from mail.mydomain.com to my-domain.mail.protection.outlook.com.

    In order to tell O365 where my on-premises servers are, I created a connector in the O365 Exchange mail flow settings to point back to my existing front-end servers. You don’t mention connectors so I was a little confused where you said that EOP routes email to my on-prem servers (how does it know where these are without a connector?)

    Anyway, this connector fails validation, reporting back error smtp;550 5.1.10 RESOLVER.ADR.RecipientNotFound. However, the chosen email address DEFINITELY exists. To prove this, I changed the MX back and used Microsoft testexchangeconnectivity.com to prove that it does and test emails are received. Indeed, if I intentionally give this utility a non-existent address in the domain, it returns smtp error 550 5.1.1 – NOT 5.1.10. Technet articles haven’t been much help with this error, insisting that I must have the wrong email address but I haven’t.

    Am I completely on the wrong track with this connector? What else might cause it to fail validation? Can you offer any further advice how to get EOP to protect my on-prem servers.

    Many thanks for any help you can give.

  36. Tom

    Paul,
    My company is currently planning to migrate to Office 365, We have Exchange 2010 with Outlook 2007 SP3 – 2016 RTM.
    Our mail flow is currently routing through EOP and out to ON-Prem.

    Our plan is to do a Hybrid migration.
    Question – Since our MX records already point to EOP do we need to make changes to them?
    Question 2 – What changes do we make in EOP to get the messages to flow into the online mailboxes?
    Question 3 – Since we are in a hybrid migration, and during the migration, will mail flow into the on-prem servers and then to O365?

    Thanks

    1. Paul Cunningham

      1. No
      2. If you use the same tenant, nothing to do except create/move mailboxes to EXO.
      3. Only if you point your MX records there or use centralized transport.

  37. Nagaraj

    Hello Paul,

    I have one question. We are planning to move all my on-premises mailboxes to Office 365 (hybrid environment). In the on-premises configuration we have IronPort and the McAfee SaaS module (Email Security). My question is, after moving my mailboxes to the cloud, does the email routing keep the same configuration (like McAfee –> Ironport –> Exchange), or do I need to change the email routing to go direct to Office 365? Which one is secure?

  38. Sharath

    Paul,
    A query related to the EOP licensing… I am undertaking a hybrid deployment with O365 and Exchange 2013. Out of 1500 users, 500 will move to O365 enterprise, the rest will remain on-premise. Do I need to procure additional EOP licenses for the on-premise users? I already have a Barracuda serving for on-premise antispam filters.

    The MX is to point to the O365/EOP instance.

  39. Nathan

    Paul,

    We have an Exchange 2010 Hybrid server with on premise and 356 mail accounts.

    Would internal mail still be delivered if the internet connection went down?

    Thanks

    1. Paul Cunningham

      If on-premises mailbox users can still connect to their on-premises mailboxes, then yes they can continue to email each other.

  40. jay c

    Paul,

    I’ve moved all of the mailboxes for one email domain (I have multiple accepted domains in my Exchange org) to the cloud and I’ve changed my MX record to point to protection.outlook.com. Messages are going to outlook.com as intended, but then they’re routed to my on-premise servers before being sent right back to outlook.com. How can I prevent messages destined for this one domain from routing through my on-premise servers?

    1. Paul Cunningham

      That would be expected behaviour if centralized transport was enabled when running the HCW. If you don’t want centralized transport you can re-run the HCW and remove that option.

      1. Resonate

        Do you have to re-run the HCW to remove centralised mailflow? I’ll be honest, it scares the hell out of me!

        1. Nonis

          Well, the wizard only runs some powershell commands on the backend.
          Running it is quite simple, just go next next next until you reach the option to disable the “enable centralized mail transport” and then next next again and that’s it.

          The only problem the wizard will give you is if you make any changes to it, as it overrides connectors; but if you leave everything there as it is, there will be no issues at all.

  41. filip

    If MX points to O365 it is necessary that the domain in O365 is an internal relay domain.
    Also check the OOF config as the external OOF message will be sent to * domain and thus also to internal users.

    1. Paul Cunningham

      No, the domain does not need to be an internal relay in Office 365 for a Hybrid configuration.

      1. filip

        Thank you for your answer. Can you have MX to o365 and centralized mail?

          1. filip

            Last question. Can we have a.com and b.com in hybrid and point a.com mx to exchange2013 and b.com to office365 ?
