

Create a hybrid deployment with the Hybrid Configuration wizard

This article describes using the Hybrid Configuration wizard to create a hybrid deployment for the following organization configuration:

  • The on-premises Exchange organization is in a single Active Directory forest.
  • The organization doesn't use the Built-in security add-on for on-premises mailboxes for cloud protection of the on-premises Exchange organization.
  • The on-premises Exchange organization doesn't use Edge Transport server. The Hybrid Configuration wizard supports configuring Edge Transport servers as part of a hybrid deployment, but configuring Edge Transport servers in the wizard isn't covered in this article.

A hybrid deployment extends the feature-rich experience and administrative control of your on-premises Exchange organization to the cloud. For more information about hybrid, see Exchange Server hybrid deployments.

Important

You must complete all the prerequisites outlined in Hybrid deployment prerequisites before you use the Hybrid Configuration wizard to create and configure your hybrid deployment.

For more management tasks related to hybrid deployments, see Hybrid Deployment procedures.

What do you need to know before you begin?

  • Configuring the requirements for a hybrid deployment takes longer than the estimated time to complete the Hybrid Configuration wizard procedures outlined in this article. For example, signing up for Microsoft 365 for enterprises, configuring Active Directory synchronization, and assigning Exchange Online licenses require a larger time investment and might also include network topology changes.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Hybrid deployments" entry in the Exchange and PowerShell infrastructure permissions article.

  • You need to run the Hybrid Configuration wizard from one of the following locations:

    • A supported version of Exchange server:
      • Exchange 2016 Cumulative Update 8 (CU8) or later.
      • Exchange 2013 Cumulative Update 15 (CU15) or later.
    • A domain-joined computer capable of establishing remote PowerShell connections to the Client Access Server or Mailbox Server chosen for hybrid configuration.

  • You need to download the Hybrid Configuration wizard from a browser that supports ClickOnce technology (for example, the latest version of Microsoft Edge).

  • Review Exchange Server Hybrid Deployments, and make sure you understand the areas affected by configuring a hybrid deployment.

  • Review and complete all hybrid deployment requirements outlined in Hybrid deployment prerequisites.

  • The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you're ready to configure your hybrid deployment. We strongly recommend that you check your on-premises organization with the Remote Connectivity Analyzer tool before you configure your hybrid deployment. Learn more at Remote Connectivity Analyzer.

  • For information about keyboard shortcuts that might apply to the procedures in this article, see Keyboard shortcuts for the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange Hybrid forum at Exchange | Hybrid management.

Use the Exchange admin center and Hybrid Configuration wizard to create a full classic hybrid deployment

Use the following procedure to create and configure a hybrid deployment:

  1. Download the latest Hybrid Configuration wizard from https://aka.ms/hybridwizard.

  2. Select Install on the Application Install dialog.

  3. Select Run to open the Hybrid Configuration wizard.

  4. The Hybrid Configuration wizard opens. On the first page, select Next.

  5. On the On-premises Exchange Server organization page, configure the following options:

    • Detect the optimal Exchange server is selected by default. If the wizard doesn't detect an eligible Exchange server, or if you want to use a different server:
      1. Select Specify a server Exchange 2016 or 2019.
      2. In the Client Access server box, enter or select the detected internal FQDN of an Exchange server:
        • An Exchange 2013 Client Access server.
        • An Exchange 2016 or 2019 Mailbox server.
    • Office 365 Exchange Online section: In My Office 365 organization is hosted by, select one of the available values from the drop-down list. For example:
      • Office 365 Worldwide
      • Office 365 China
      • Office 365 U.S. Government GCC High
      • Office 365 U.S. Government DoD

    When you're finished on the On-premises Exchange Server organization page, select Next.

  6. On the page that opens, configure the following options:

    • On-premises Exchange account section: Do one of the following steps:
      • Do nothing to use the current account to access your on-premises Active Directory and Exchange servers.
      • Select Change to select a different account. In the dialog that opens, uncheck Use current Windows identity, enter a different account in Domain\username syntax, and then select OK.
    • Microsoft 365 Exchange Online Account section: Select Sign in and enter the username and password of a Microsoft 365 account with Global Administrator permissions. Select Next.

    Verify the On-premises Exchange account and Microsoft 365 Exchange Online account values are correct, and then select Next.

  7. On the Gathering configuration information page, the wizard connects to your on-premises organization and your Microsoft 365 organization using the credentials from the previous page. The wizard examines the configuration of both organizations as indicated by individual progress bars.

    When the process is complete, select Next.

  8. On the Hybrid Features page, configure the following options:

    • Select Full Hybrid Configuration.
    • Other options section: Select Organization Configuration Transfer to do a one-time transfer of on-premises organization objects to Exchange Online. For more information, see Hybrid Organization Configuration Transfer V2.

    When you're finished on the Hybrid Features page, select Next.

  9. The Hybrid Domains page appears if you have more than one on-premises accepted domain added to your Microsoft 365 organization.

    The Hybrid Domains page doesn't appear in the following scenarios:

    • You have only one on-premises accepted domain added to your Microsoft 365 organization. Because this domain is the only domain available for hybrid deployment configuration, the domain is automatically selected and the wizard skips this step.
    • You have no on-premises accepted domains added to your Microsoft 365 organization. You need to add at least one domain to your Microsoft 365 organization before you can continue.

    On the Hybrid Domains page, select the domains to include in your hybrid deployment. In most deployments, you can leave Auto Discover set to False for each domain. Only select True for a domain if you need to force the wizard to use the Autodiscover information from a specific domain for all selected hybrid domains.

    When you're finished on the Hybrid Domains page, select Next.

  10. The Federation Trust page appears only if your on-premises organization contains Exchange 2010 servers.

    On the Federation Trust page, select Enable and then select Next.

  11. The Domain Ownership page appears only if your on-premises organization contains Exchange 2010 servers.

    On the Domain Ownership page, select Click copy to clipboard to copy the domain proof token information for the domains you selected to include in the hybrid deployment.

    Open Notepad and paste the token information for these domains. Before you continue, use this information to create a TXT record for each domain in your public DNS. Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone.

    After you create the required TXT records and allow time for the DNS records to replicate, select Next.

  12. On the Hybrid Topology page, select Use Exchange Classic Hybrid Topology to keep on-premises mailboxes, and then select Next.

  13. On the Transport Certificate page, configure the following options:

    • Select a reference server: Select the Exchange server that hosts the certificate you configured earlier in the wizard.
    • Select a certificate: Select the certificate to use for secure mail transport. The list displays the digital certificates issued by a commercial certification authority (CA) installed on the Mailbox server you selected in the previous step.

    When you're finished on the Transport Certificate page, select Next.

  14. On the Organization FQDN page, enter the externally accessible FQDN for your internet-facing Exchange server. Microsoft 365 uses this FQDN to configure the service connectors for secure mail transport between your on-premises and cloud Exchange organizations. For example, enter "mail.contoso.com."

    When you're finished on the Organization FQDN page, select Next.

  15. The hybrid deployment configuration selections are updated.

    You're now ready to start the Exchange services changes and the hybrid deployment configuration. Select Update to start the configuration process.

    While the hybrid configuration process is running, the wizard displays the feature and service areas as they're configured for the hybrid deployment.

  16. When finished, the wizard displays a completion message. Select Close to complete the hybrid deployment configuration process and to close the wizard.
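Before you reach the Transport Certificate and Organization FQDN pages (steps 13 and 14), you can list which certificates on the reference server are plausible choices. This is an added example, not part of the original article; the server name and FQDN are placeholders, and the filters (not self-signed, valid, unexpired, SMTP-enabled, name covers the FQDN) are assumptions about what makes a certificate suitable for secure mail transport.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# $ReferenceServer and $OrgFqdn are placeholders; replace them with your own values.
$ReferenceServer = 'EX01'
$OrgFqdn         = 'mail.contoso.com'

function Test-NameCoversFqdn {
    param([string]$CertName, [string]$Fqdn)
    if ($CertName -eq $Fqdn) { return $true }
    if ($CertName.StartsWith('*.')) {
        # A wildcard name covers exactly one left-most label, not nested subdomains.
        $parent = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)
        return ($parent -eq $CertName.Substring(2))
    }
    return $false
}

Get-ExchangeCertificate -Server $ReferenceServer | ForEach-Object {
    $names    = @($_.CertificateDomains | ForEach-Object { "$_" })
    $covers   = [bool]($names | Where-Object { Test-NameCoversFqdn $_ $OrgFqdn })
    $hasSmtp  = "$($_.Services)" -match 'SMTP'
    $daysLeft = [int]([datetime]$_.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Thumbprint  = $_.Thumbprint
        Subject     = $_.Subject
        Issuer      = $_.Issuer          # Review by eye: should be your commercial CA.
        SelfSigned  = $_.IsSelfSigned
        Status      = "$($_.Status)"
        DaysLeft    = $daysLeft
        SmtpEnabled = $hasSmtp
        CoversFqdn  = $covers
        Candidate   = (-not $_.IsSelfSigned) -and ("$($_.Status)" -eq 'Valid') -and
                      ($daysLeft -gt 0) -and $hasSmtp -and $covers
    }
} | Sort-Object Candidate -Descending | Format-Table -AutoSize
```

A row with Candidate set to False shows which individual check failed, so you can correct the certificate before the wizard configures the connectors.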

Tip

For more information on the different Hybrid Configuration wizard options, see the following articles:

Configure OAuth authentication between Exchange and Exchange Online organizations

For mixed Exchange 2013/2010 and Exchange 2013/2007 hybrid deployments, the Hybrid Configuration wizard doesn't configure an OAuth-based authentication connection between Microsoft 365 and on-premises Exchange. By default, these deployments continue to use the federation trust process.

But certain Exchange 2013 features such as Message Records Management (MRM), Exchange In-place Archiving, and In-place eDiscovery are fully available across your organization only by using the new Exchange OAuth authentication protocol.

Mixed Exchange 2013/2010 and Exchange 2013/2007 organizations that want to use these features need to configure Exchange OAuth authentication after configuring their hybrid deployment with the Hybrid Configuration wizard.

For detailed configuration steps, see Configure OAuth Authentication Between Exchange and Exchange Online Organizations.

For more information about Exchange security and compliance features that use OAuth authentication, see the following articles:

No Federation Trust (or OAuth) for Exchange Hybrid deployments with Exchange 2013 or later

By default, the Hybrid Configuration wizard enables Federation Trust only if there are Exchange 2010 servers in the on-premises Exchange organization. If no Exchange 2010 servers are detected, organization relationships are created, but the workflow to enable Federation Trust and require proof of domain ownership doesn't run.

In organizations with Exchange 2013 or later and no Federation Trust (either created manually or created during the HCW due to the presence of Exchange 2010 servers), the Hybrid Configuration wizard resets the TargetApplicationUri and TargetAutodiscoverEpr values while creating the organization relationships. If you manually created a Federation Trust or Exchange 2010 servers are detected during the HCW, the existing TargetApplicationUri and TargetAutodiscoverEpr values are preserved.
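Because the wizard can reset TargetApplicationUri and TargetAutodiscoverEpr, it helps to record those values before running it and compare them afterward. The following is an added example, not part of the original article; the function names and the snapshot path are hypothetical.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# The snapshot path and the function names are this example's own choices.
$SnapshotPath = Join-Path $env:TEMP 'orgrel-before-hcw.xml'

function Get-OrgRelationshipState {
    Get-OrganizationRelationship | ForEach-Object {
        [pscustomobject]@{
            Name                  = $_.Name
            TargetApplicationUri  = "$($_.TargetApplicationUri)"
            TargetAutodiscoverEpr = "$($_.TargetAutodiscoverEpr)"
        }
    }
}

function Save-OrgRelationshipSnapshot {
    # Run BEFORE the wizard. Also reports whether a federation trust exists,
    # which decides whether the existing values are preserved.
    $trusts = @(Get-FederationTrust)
    "Federation trusts present: $($trusts.Count)"
    Get-OrgRelationshipState | Export-Clixml -Path $SnapshotPath
}

function Compare-OrgRelationshipSnapshot {
    # Run AFTER the wizard. Emits one row per value that changed.
    $before = @()
    if (Test-Path $SnapshotPath) { $before = @(Import-Clixml -Path $SnapshotPath) }
    foreach ($a in @(Get-OrgRelationshipState)) {
        $b = $before | Where-Object { $_.Name -eq $a.Name } | Select-Object -First 1
        foreach ($prop in 'TargetApplicationUri', 'TargetAutodiscoverEpr') {
            $old = if ($b) { $b.$prop } else { '<new relationship>' }
            if ($old -ne $a.$prop) {
                [pscustomobject]@{
                    Relationship = $a.Name
                    Property     = $prop
                    Before       = $old
                    After        = $a.$prop
                }
            }
        }
    }
}
```

Call Save-OrgRelationshipSnapshot before step 1 of the wizard procedure and Compare-OrgRelationshipSnapshot after the wizard closes; an empty result means neither value changed.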

How do you know you successfully created a hybrid deployment?

Your first indication the hybrid configuration steps worked as expected is the successful completion of the Hybrid Configuration wizard.

To further verify you successfully created and configured your hybrid deployment, do one or more of the following steps:

The command displays the hybrid deployment configuration values and settings, hybrid features, and transport endpoints. Verify these values are correct.

  • Verify the Hybrid Configuration wizard completed all configuration steps by reviewing the hybrid configuration log. By default, the log is located at %ExchangeInstallPath%Logging\Update-HybridConfiguration on the on-premises Exchange Mailbox server.

  • Take one of the following actions:

    • Test the mailbox move feature by moving an existing on-premises mailbox to the Exchange Online organization.
    • Test free/busy calendar sharing between the on-premises and cloud organizations by creating a new user mailbox in the Exchange Online organization.

    Either action also allows you to test and confirm the following features:

    • Message delivery between the on-premises and Exchange Online organizations is functioning correctly with existing mailboxes.
    • Message delivery is secure and messages between the on-premises and cloud organizations are treated as internal.
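The first two verification steps can be scripted as follows. This is an added example, not part of the original article: it uses the Get-HybridConfiguration cmdlet to show the stored settings, the function name is hypothetical, and the search word for failed steps is an assumption about the log's wording that you should adjust to what your log contains.

```powershell
# Added example: run in the Exchange Management Shell on the on-premises Mailbox server.
function Get-HybridLogFindings {
    param(
        # Default log location as given in this article.
        [string]$LogDir  = (Join-Path $env:ExchangeInstallPath 'Logging\Update-HybridConfiguration'),
        # Assumption: failed steps are tagged with this word (match is case-insensitive).
        [string]$Pattern = 'ERROR'
    )
    # Pick the most recently written log, which belongs to the latest wizard run.
    $latest = Get-ChildItem -Path $LogDir -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No log files found in $LogDir" }

    $hits = @(Select-String -Path $latest.FullName -Pattern $Pattern -SimpleMatch)
    [pscustomobject]@{
        LogFile    = $latest.FullName
        LastWrite  = $latest.LastWriteTime
        ErrorLines = $hits.Count
        Lines      = $hits | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
    }
}

# Stored hybrid configuration: features, domains, and transport endpoints.
Get-HybridConfiguration | Format-List Features, Domains, OnPremisesSmartHost,
    TlsCertificateName, SendingTransportServers, ReceivingTransportServers

# Summary of the latest wizard log, followed by any matching lines.
$findings = Get-HybridLogFindings
$findings | Format-List LogFile, LastWrite, ErrorLines
$findings.Lines
```

Check that LastWrite matches the time of your wizard run, so you know the summary describes the run you just completed and not an earlier one.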