The core concepts of Exchange Hybrid migrations have remained similar over the last ten years and share a great deal with on-premises Exchange migrations; fundamentally, a Hybrid migration is a mailbox move rather than an export and re-import of data, and it gives users a straightforward experience with minimal client reconfiguration.

It isn’t Hybrid that’s changed; it’s everything around it

While that hasn't changed much, everything around Exchange Hybrid migrations has changed. Today, when an organization buys Microsoft 365, it rarely does so for purely technical reasons, such as Exchange Server 2010 nearing the end of support or hardware going out of warranty.

A vision of a modern workplace usually drives migrations to Microsoft 365. That’s not simply remote workers using Teams for meetings, but one where data is stored in SharePoint Online and OneDrive for real-time collaboration, where VPN clients are no longer needed and PCs and mobile devices alike are managed and secured using Microsoft 365.

If you haven't experienced this yet, you will; if you are buying or implementing point solutions alongside Microsoft 365, then you are in an ever-shrinking niche. Microsoft 365 is an excellent suite of applications, and IT increasingly works with the business, not just for the business, to pick a productivity suite that has good security and management capabilities baked in.

This impacts Exchange Online migrations in a way that can surprise you.

Read more: Steve gives five good reasons ‘Why you shouldn’t install an Exchange Hybrid Server.’

Microsoft Teams kept the status-quo

The accepted order of implementation used to be reasonably straightforward and went something like this: implement Azure AD Connect, implement Exchange Hybrid, then migrate to Exchange Online (alongside patching and remediation, of course). Often this would be written down as Phase One of the Office 365 project, and Phase Two might pick up an as-yet-undetermined SharePoint implementation or a Skype for Business implementation.

Ironically, Microsoft Teams did little to change the order of implementation, primarily because Microsoft Teams is heavily reliant on Exchange for aspects like Calendaring, something users take for granted in the Teams client. For the many organizations running Exchange 2010 or 2013, a move to Exchange Online as a first step made sense. There are exceptions to the rule, and over the last year, many organizations rolled out Teams without migrating any data for operational reasons.

Security and Compliance Change Fundamental Assumptions

In the background, though, several changes have happened that mean more fundamental changes to the way Microsoft 365 gets deployed.

Firstly, security is no longer something you do after migration; it is a prerequisite. New Microsoft 365 tenants include Security Defaults switched on. Security Defaults and Conditional Access are mutually exclusive, so unless you are implementing Conditional Access policies to take their place, you shouldn't switch this capability off.

Users will onboard to Microsoft 365 and shortly begin using Multi-Factor Authentication, accessing the service with Modern Authentication.

When implementing those technologies, it also makes sense to perform prerequisite works to ensure devices are ready.

At a minimum, you will be implementing Hybrid Azure AD Join, and in many cases rolling out Microsoft Intune for at least some PC management and to validate device compliance for Conditional Access.

The impact of work like this changes some fundamental assumptions for Exchange Hybrid migrations, primarily the assumption that Outlook will seamlessly reconfigure post-migration. With Conditional Access and Multi-Factor Authentication in the mix, this isn't assured: the client must be able to complete a Modern Authentication sign-in, and the device must satisfy whatever the policies demand (a Hybrid Azure AD joined or compliant device, for instance), so this must be planned and tested rather than assumed.
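As an added example that is not part of the original article (and not Microsoft's own tooling), the following PowerShell pre-flight checks the three prerequisites the preceding paragraphs describe before the first migration batch: that either Security Defaults or an enforced Conditional Access policy is providing MFA, that Modern Authentication is switched on in Exchange Online, and that no Exchange authentication policy still allows Basic authentication. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in administrator can read tenant policies (Policy.Read.All) and Exchange Online configuration; the function name is this example's own, but every cmdlet it calls is a real one.

```powershell
# Added example: identity and authentication pre-flight for a Hybrid migration.
# Not code from the original article or from Microsoft. Assumes the Microsoft.Graph
# and ExchangeOnlineManagement modules are installed and the signed-in admin can
# read tenant policies (Policy.Read.All) and Exchange Online configuration.
# The function name is this example's own; every cmdlet it calls is a real one.

function Test-M365AuthPrerequisites {
    [CmdletBinding()]
    param()

    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
    Connect-ExchangeOnline -ShowBanner:$false

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Security Defaults and Conditional Access are mutually exclusive, so exactly one
    #    of them should be enforcing MFA before the first mailbox moves.
    $securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $caPolicies       = @(Get-MgIdentityConditionalAccessPolicy)
    $enforcedCa       = @($caPolicies | Where-Object { $_.State -eq 'enabled' })
    $reportOnlyCa     = @($caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })

    if ($securityDefaults.IsEnabled) {
        $findings.Add('OK: Security Defaults are on; MFA registration is enforced for all users.')
    }
    elseif ($enforcedCa.Count -gt 0) {
        $findings.Add("OK: Security Defaults are off and $($enforcedCa.Count) Conditional Access policies are enforced.")
        # A report-only policy protects nothing; call out any that were never switched on.
        foreach ($p in $reportOnlyCa) {
            $findings.Add("WARN: Conditional Access policy '$($p.DisplayName)' is report-only.")
        }
    }
    else {
        $findings.Add('FAIL: Security Defaults are off and no Conditional Access policy is enforced; users would migrate without MFA.')
    }

    # 2. Outlook can only satisfy MFA through Modern Authentication (OAuth), so it must
    #    be on in Exchange Online before mailboxes land there.
    $orgConfig = Get-OrganizationConfig
    if ($orgConfig.OAuth2ClientProfileEnabled) {
        $findings.Add('OK: Modern Authentication is enabled in Exchange Online.')
    }
    else {
        $findings.Add('FAIL: Modern Authentication is off in Exchange Online; enable it with Set-OrganizationConfig -OAuth2ClientProfileEnabled $true.')
    }

    # 3. Any authentication policy that still allows Basic authentication for a protocol
    #    gives clients a way around MFA; list the protocols per policy.
    foreach ($policy in @(Get-AuthenticationPolicy)) {
        $allowed = $policy.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        if ($allowed) {
            $findings.Add("WARN: Authentication policy '$($policy.Name)' still allows Basic auth for: $($allowed -join ', ').")
        }
    }

    return $findings
}

# Usage: run once per tenant and fix every FAIL before the first migration batch.
Test-M365AuthPrerequisites
```

Every FAIL line is a reason to hold the first batch; a WARN on a report-only policy is worth a conversation with the identity team, since report-only policies are commonly left behind from a pilot and protect nothing.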

A similar story persists across most implementations with mobile devices. A move to Microsoft 365 is meant to improve, not just remove, the technical maintenance of a commodity email service. It is strikingly rare to keep a legacy MDM solution in place, and it is becoming rare to allow users to continue using ActiveSync after migration. Reconfiguring email on mobile devices post-migration was already expected, and it is an excellent opportunity to move people to the native Outlook apps, protected by Intune's App Protection capabilities.
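The ActiveSync cutover described above is easier to plan with data on who is still using it. The following PowerShell is an added example, not code from the original article: it reports, for each mailbox already in Exchange Online, how many devices have synced over the ActiveSync protocol in the last 30 days, and optionally disables ActiveSync only where nobody has. It assumes a connected Exchange Online session, the 30-day window, and that the ClientType value 'EAS' returned by Get-EXOMobileDeviceStatistics identifies native-app ActiveSync devices (Outlook for iOS and Android reports a different client type and so is not counted); the function name is this example's own.

```powershell
# Added example: audit which migrated mailboxes still have native-app ActiveSync
# devices, and optionally switch ActiveSync off where nobody is using it any more.
# Not code from the original article. Uses Get-EXOMailbox, Get-EXOCASMailbox,
# Get-EXOMobileDeviceStatistics and Set-CASMailbox from ExchangeOnlineManagement.
# Assumptions: a connected Exchange Online session; the 30-day window; and that the
# statistics ClientType value 'EAS' identifies devices using the ActiveSync protocol
# (Outlook for iOS/Android uses a different client type, so it is not counted).

function Get-ActiveSyncCutoverReport {
    [CmdletBinding()]
    param(
        [int]$ActiveWithinDays = 30,
        # Off by default: report only. When set, ActiveSync is disabled only for
        # mailboxes with no device that synced over EAS inside the window.
        [switch]$DisableWhereUnused
    )
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

    # Only mailboxes already in Exchange Online are in scope; on-premises users are untouched.
    $mailboxes = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress

    foreach ($mbx in $mailboxes) {
        $cas = Get-EXOCASMailbox -Identity $mbx.Identity -Properties ActiveSyncEnabled
        if (-not $cas.ActiveSyncEnabled) { continue }

        $devices    = @(Get-EXOMobileDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)
        $easDevices = @($devices | Where-Object { $_.ClientType -eq 'EAS' -and $_.LastSuccessSync -ge $cutoff })

        $action = 'Report'
        if ($DisableWhereUnused -and $easDevices.Count -eq 0) {
            # Nobody synced over EAS recently: safe to close the protocol for this mailbox.
            Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false
            $action = 'ActiveSyncDisabled'
        }
        elseif ($easDevices.Count -gt 0) {
            # Someone is still on a native mail app: this user needs the Outlook app and a message first.
            $action = 'NeedsUserCommunication'
        }

        [pscustomobject]@{
            Mailbox          = $mbx.PrimarySmtpAddress
            ActiveEasDevices = $easDevices.Count
            Devices          = ($easDevices | ForEach-Object { "$($_.DeviceType)/$($_.DeviceModel)" }) -join ';'
            Action           = $action
        }
    }
}

# Usage: dry run first, then enforce for the mailboxes whose users have already moved to Outlook mobile.
Get-ActiveSyncCutoverReport | Export-Csv -Path .\activesync-cutover.csv -NoTypeInformation
# Get-ActiveSyncCutoverReport -DisableWhereUnused
```

The NeedsUserCommunication rows are the list for the communications plan; the report is deliberately per mailbox rather than tenant-wide so that ActiveSync can be closed in waves alongside migration batches instead of in one cut.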

A secondary aspect is compliance. It was once common to migrate to Exchange Online and maintain the existing In-Place Hold and Retention Policies, or adjust the policies so that mail was held in Exchange Online to meet factors like existing journaling and backup retention schedules.

The sea-change here is a desire to improve the compliance posture as early on as possible. Issues resulting from unclassified or leaked data have been drivers for the purchase of Microsoft 365 – often including the Security and Compliance uplifts or E5 SKU. Therefore, decisions for the overall Microsoft Information Protection configuration begin earlier on, often in an agile, evolving manner that improves the compliance posture immediately and provides improvements over time.

Day one implementation of core Data Loss Prevention policies, Sensitivity Labels, and retention configuration designed to work across Microsoft 365 forms a core part of a modern Microsoft 365 deployment. As a result, migrating mailboxes to the cloud changes the way people use the service from either day one or very early into the project, so this needs to be part of technical planning and of user communications too.

Exchange isn’t always the first to migrate

One reason to rethink your approach for Exchange Hybrid migrations shouldn’t surprise you. Five years ago, the sync client for OneDrive for Business was not as robust as today, nor was it as straightforward to deploy and manage.

The SharePoint Online service, which includes OneDrive for Business, had legacy limitations that made it challenging to migrate files to the service in the way competitors like Box allow. For collaboration, a few years ago SharePoint Online was still the unloved cousin of Exchange for most IT professionals and users.

Modern SharePoint features have gone a long way to making file-based collaboration on-par with competitor products, and a migration of traditional file shares into SharePoint Online (with some information architecture work and remediation of files) is a well-trodden path with plenty of success stories.

Therefore it isn’t unusual to begin an Exchange Hybrid project and find that Azure AD Connect is in place with good network connectivity. You’ll often find Microsoft 365 Security and Compliance tooling is implemented and working well, and users are happily working in OneDrive and using both Teams and SharePoint for file-based collaboration.

This means that even aspects like establishing the Hybrid relationship, often a task that carries little risk, can potentially mean mail flow issues for mail from SharePoint Online, because the Hybrid Configuration Wizard changes accepted domains and connectors in a tenant that is already sending mail. Changes to the configuration of Azure AD Connect to ensure all recipients are in scope can have far-reaching impacts. Rather than being the first to onboard to the service, with the ability to implement changes with little or no chance of user impact, any change you make can affect users who are already working in the service.
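Before touching Azure AD Connect scope or running the Hybrid Configuration Wizard in a tenant that is already in use, it helps to know exactly which on-premises recipients the tenant does not know about. The following PowerShell is an added example, not from the original article: it lists every on-premises mail-enabled object whose primary SMTP address has no matching address in Exchange Online, grouped by organizational unit, because OU filtering in Azure AD Connect is the usual cause. It assumes remote PowerShell to an on-premises Exchange server over Kerberos (exch01.contoso.local is a placeholder) and the ExchangeOnlineManagement module for the cloud side; the function name is this example's own, the cmdlets are real.

```powershell
# Added example: find on-premises recipients that have no matching object in the tenant,
# grouped by OU, before the Hybrid relationship is created or Azure AD Connect scope changes.
# Not code from the original article. Assumes remote PowerShell to an on-premises Exchange
# server (exch01.contoso.local is a placeholder) with Kerberos, plus the ExchangeOnlineManagement
# module for the cloud side. The function name is this example's own; the cmdlets are real.

function Get-UnsyncedOnPremRecipients {
    [CmdletBinding()]
    param([string]$OnPremServerFqdn = 'exch01.contoso.local')

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$OnPremServerFqdn/PowerShell/" -Authentication Kerberos
    # The prefix keeps Get-OnPremRecipient distinct from the cloud cmdlets loaded next.
    Import-PSSession $session -Prefix OnPrem -CommandName Get-Recipient -DisableNameChecking | Out-Null
    Connect-ExchangeOnline -ShowBanner:$false

    # System mailboxes never sync or migrate, so they are not a scoping problem.
    $systemTypes = 'ArbitrationMailbox', 'DiscoveryMailbox', 'AuditLogMailbox', 'MonitoringMailbox'

    try {
        # Every SMTP address the tenant knows, including secondary proxies, case-insensitive.
        $cloudAddresses = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
        Get-EXORecipient -ResultSize Unlimited -Properties EmailAddresses | ForEach-Object {
            foreach ($addr in $_.EmailAddresses) {
                # -like is case-insensitive, so both 'SMTP:' (primary) and 'smtp:' (proxy) match.
                if ($addr -like 'smtp:*') { [void]$cloudAddresses.Add(([string]$addr).Substring(5)) }
            }
        }

        # An on-premises object the tenant cannot resolve is outside the Azure AD Connect
        # sync scope (OU or attribute filter); report it with its OU so the filter can be checked.
        Get-OnPremRecipient -ResultSize Unlimited |
            Where-Object {
                $_.PrimarySmtpAddress -and
                ([string]$_.RecipientTypeDetails) -notin $systemTypes -and
                -not $cloudAddresses.Contains([string]$_.PrimarySmtpAddress)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Name                 = $_.Name
                    PrimarySmtpAddress   = [string]$_.PrimarySmtpAddress
                    RecipientTypeDetails = [string]$_.RecipientTypeDetails
                    OrganizationalUnit   = $_.OrganizationalUnit
                }
            }
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage: compare the OUs in this report with the Azure AD Connect OU filter before running the HCW.
Get-UnsyncedOnPremRecipients | Sort-Object OrganizationalUnit, Name | Format-Table -AutoSize
```

An empty report is the goal. Anything left in it is either an object that genuinely should stay out of scope (document why) or a gap that will become a mail flow or free/busy problem the moment the Hybrid relationship is in place.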

Additionally, with the use of SharePoint Online, the migration of Exchange immediately opens up additional opportunities for users, such as using Modern Attachments. The service itself will offer up these capabilities to users. Because they are already in use in OneDrive, there’s little point or opportunity to clamp down on these capabilities for Exchange Online. Instead, you are better off planning and aligning your OneDrive and SharePoint external sharing model to mirror what is allowed over email.

Exchange Security Issues Mean Tighter Security Rules

Finally, recent security issues have meant that many of the already complex discussions about exposing Exchange to the internet have become more complex. The relatively good security record for Exchange Server has been tarnished recently, and IT security teams will wisely want to scrutinize any change to internet publishing.

This primarily means that the Hybrid Agent, rather than traditional firewall rules for Classic Hybrid publishing, will be your go-to solution for simpler environments. Bear in mind that the Hybrid Agent covers mailbox moves and free/busy lookups only; SMTP mail flow between on-premises Exchange and Exchange Online still needs to be published in the usual way. More complex environments where throughput is crucial will already have competent security teams, and these conversations will be familiar to most consultants. But a willingness on the part of security teams to compromise for the project's sake is unlikely, and tightly scoped rules will be the norm.
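Tightly scoped rules have to come from somewhere, and Microsoft publishes the address ranges. The following PowerShell is an added example, not from the original article: it pulls the Exchange service area entries from the Office 365 IP Address and URL web service (a real, unauthenticated endpoint at endpoints.office.com), keeps the ranges that carry the ports Classic Hybrid publishing uses (443 for EWS, Autodiscover and mailbox moves, 25 for SMTP), and records the published version so the rules get reviewed when the ranges change. Treating those ranges as the only permitted sources for inbound 443 and 25 is this example's assumption and should be confirmed against current hybrid guidance; the function name is this example's own.

```powershell
# Added example: build the tightly scoped allow-list for Classic Hybrid publishing from
# Microsoft's published Exchange Online IP ranges, and record the list version so the rules
# are reviewed when the ranges change. Not code from the original article. The web service
# URL is Microsoft's real, unauthenticated Office 365 IP Address and URL service; treating
# its Exchange ranges as the only permitted sources for inbound 443 and 25 is this example's
# assumption, to be checked against current hybrid guidance. The function name is this example's own.

function Get-HybridPublishingAllowList {
    [CmdletBinding()]
    param([string]$Instance = 'worldwide')

    $requestId = [guid]::NewGuid().Guid
    $base      = 'https://endpoints.office.com'
    $version   = Invoke-RestMethod -Uri "$base/version/${Instance}?clientrequestid=$requestId"
    $endpoints = Invoke-RestMethod -Uri "$base/endpoints/${Instance}?clientrequestid=$requestId"

    # Keep only required Exchange entries that carry IP ranges; URL-only entries cannot scope a firewall rule.
    $exchange = $endpoints | Where-Object { $_.serviceArea -eq 'Exchange' -and $_.required -eq $true -and $_.ips }

    $rules = foreach ($e in $exchange) {
        $ports = @()
        if ($e.tcpPorts) { $ports = $e.tcpPorts -split ',' | ForEach-Object { [int]$_.Trim() } }
        # Classic Hybrid publishes HTTPS (EWS, Autodiscover, MRS) and SMTP; anything else (POP, IMAP, 587) is not opened.
        $wanted = @($ports | Where-Object { $_ -in 25, 443 })
        if ($wanted.Count -eq 0) { continue }
        [pscustomobject]@{
            EndpointId = $e.id
            Category   = $e.category
            Ports      = ($wanted -join ',')
            IPv4       = @($e.ips | Where-Object { $_ -notmatch ':' })
            IPv6       = @($e.ips | Where-Object { $_ -match ':' })
        }
    }

    [pscustomobject]@{
        Instance      = $Instance
        RangesVersion = $version.latest   # compare with the value stored at the last rule review
        Rules         = $rules
    }
}

# Usage: one line per (source range, port) pair, which is the granularity a firewall team asks for.
$allow = Get-HybridPublishingAllowList
"Exchange ranges version: $($allow.RangesVersion)"
foreach ($rule in $allow.Rules) {
    foreach ($ip in $rule.IPv4) {
        "allow tcp from $ip to <hybrid-endpoint> ports $($rule.Ports)  # endpoint id $($rule.EndpointId)"
    }
}
```

Store the RangesVersion value with the change record: the version string moves whenever Microsoft adds or removes a range, and re-running the function and comparing it is a cheap way to know the rule set is stale before a mailbox move fails against a new address.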

While fundamentally not much has changed with Exchange migrations themselves, everything around them has, so be prepared to encounter these issues in your next migration.

For more on what to consider when planning your migration, check out 5 Tips for Planning an Exchange Online Migration.  

About the Author

Steve Goodman

Technology Writer and Chief Editor for AV Content at Practical 365, focused on Microsoft 365. A 12-time Microsoft MVP, author of several technology books and regular Microsoft conference speaker. Steve works at Advania in the UK as Field Chief Technology Officer, advising business and IT on the best way to get the most from Microsoft Cloud technology.
