Exchange migration: Minimal hybrid vs. full hybrid — which is right for you?

Are you planning a migration from an on-premises Exchange email solution to Office 365? If so, you will soon find out that there are several migration options that are available to you. You will find that there are native tools to use, as well as many third-party tools that can help you get to Office 365. Will you be performing a cutover migration? Staged migration? Will you live in a hybrid configuration? Can you finally get rid of your on-premises Exchange server?

Lots of questions…

This article will answer a few of them — because we are going to talk about hybrid. More specifically, we are going to discuss the minimal hybrid approach vs. a full hybrid approach — and when to use each.

A little bit about hybrid


So, what does “hybrid” mean, exactly? A hybrid mail solution is a solution that allows an organization’s mailboxes to live both on-premises and in Exchange Online, either permanently or temporarily. Whether an organization remains in a hybrid configuration permanently or not depends on the long-term plans for email – and on what features are necessary.

Deploying a hybrid email solution as a means of migrating to Exchange Online / O365 allows you to move mailboxes to the cloud. This differs from most third-party products, which “copy” mailbox data to new mailboxes that are deployed in Office 365. The process for moving mailboxes to Office 365 in a hybrid configuration is essentially the same process that you would follow when upgrading Exchange on-prem to a new version. You simply go into the EAC, select mailboxes, and move them to O365. Easy peasy.

A hybrid solution, much like on-prem mailbox moves, also offers the ability to “seed” the cloud mailboxes in the background without impacting users. You can sync the mailboxes to the new destination, and then, when you are ready to cutover, complete the migrations and switch over to O365. The hybrid solution to mailbox migrations to Office 365 is quite elegant.
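The seed-then-cutover flow described above, as an added example that is not code from the article: an onboarding remote move request created from Exchange Online PowerShell with `-SuspendWhenReadyToComplete`, so the mailbox data syncs in the background and the switch to Office 365 happens only when you resume the request. The credential prompt, hostname, routing domain and mailbox address are constructed placeholders; the MRS proxy endpoint and routing domain come from your own hybrid setup.

```powershell
# Added example (not from the article): seed a mailbox to Exchange Online with an
# onboarding remote move, then complete the cutover later. Run in Exchange Online PowerShell.
# All names, hosts and domains below are constructed placeholders.
$OnPremCred   = Get-Credential -Message 'On-prem Exchange admin (DOMAIN\user)'
$RemoteHost   = 'mail.contoso.example'          # external hostname of the on-prem MRS proxy endpoint
$TargetDomain = 'contoso.mail.onmicrosoft.com'  # hybrid mail routing domain
$Mailbox      = 'jdoe@contoso.example'

# Create the move but suspend when it is ready to complete: the bulk of the data
# syncs in the background while the user keeps working on the on-prem mailbox.
New-MoveRequest -Identity $Mailbox -Remote `
    -RemoteHostName $RemoteHost -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain $TargetDomain `
    -BadItemLimit 10 -SuspendWhenReadyToComplete

# Before cutover, confirm the seed finished and check what the move skipped.
# A non-zero BadItemsEncountered means items were dropped; investigate before resuming.
$Stats = Get-MoveRequestStatistics -Identity $Mailbox
$Stats | Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered, TotalMailboxSize

if ($Stats.Status -eq 'AutoSuspended' -and $Stats.BadItemsEncountered -eq 0) {
    # Cutover: finish the incremental sync and switch the user to Exchange Online.
    Resume-MoveRequest -Identity $Mailbox
}
```

Keeping `-BadItemLimit` small is deliberate: a low limit makes the move fail loudly rather than silently discarding items, and the status check gates the cutover on a clean seed.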

Is hybrid still scary?

There was a time when deploying a hybrid solution to migrate from on-prem Exchange to Office 365 was stressful and downright scary. There were so many moving parts and so many decisions, that even the most seasoned messaging engineers sometimes had trouble setting it up. With improvements to the process, along with the Hybrid Agent (more on this later), configuring a hybrid solution is not nearly as bad as it once was. However, to be completely honest, the setup of a hybrid solution — especially a full hybrid — is still best left to the experienced messaging engineer. With that said, it’s not as scary and cumbersome as it once was.

What is this ‘minimal hybrid’ that you speak of?


When you run the Hybrid Configuration Wizard, which is called the “HCW” by the cool kids, you’ll immediately notice that you have two main options: minimal hybrid and full hybrid. The easier-to-deploy minimal hybrid option is available for those organizations that are looking to just perform migration and administration in a hybrid deployment. However, a minimal hybrid configuration excludes several security and federation features that are available in a full hybrid configuration. For example, features such as cross-premises Free/Busy availability and TLS secured mail flow between the on-premises environment and Exchange Online are not available. As such, the minimal hybrid configuration is only useful in certain circumstances.

With that said, when should an organization use the minimal hybrid configuration?

The minimal hybrid option is best for small and medium-sized organizations that are looking for a seamless (and quick) migration experience and have no need for any significant term of coexistence. Minimal hybrid is not a good solution in cases where significant coexistence is necessary, because enhanced features like cross-premises Free/Busy sharing are unavailable, as is cross-premises eDiscovery. There is no TLS secured mail flow between the on-prem org and Exchange Online, nor is there automatic Outlook or ActiveSync redirection for migrated users. Another feature missing from minimal hybrid is automatic retention for Archive Mailboxes.

Only those organizations that are planning on moving to O365 quickly should consider minimal hybrid.

…and what about full hybrid?

The full hybrid option is a full-featured solution for organizations that require long-term coexistence between an on-prem Exchange platform and Office 365. Remember all those features that the minimal hybrid didn’t offer? Well, you get all of them — and more — with a full hybrid configuration.

Full hybrid, in the context of migrations, is intended for organizations with large numbers of users (think thousands) that need to be migrated to O365. In such environments, it can often take weeks or months to complete the migration to Office 365. As such, the security features and federation features that are lost in a minimal hybrid configuration are often required.

Another, lesser understood reason to consider a full hybrid configuration is directory synchronization. A quick migration from an on-prem Exchange organization to Office 365 often calls for a minimal hybrid solution, which typically includes the deployment of Azure AD Connect and a one-time sync of on-prem AD users to O365. An organization that plans on maintaining an ongoing sync of on-prem AD users to O365 via Azure AD Connect, however, should be considering full hybrid. A full hybrid configuration should be deployed in these cases because, as part of a minimal hybrid solution, Azure AD Connect is actually disabled after the initial sync of on-prem users to O365. Full hybrid, on the other hand, leverages Azure AD Connect in a permanent fashion, ensuring new users created in the on-prem AD are always synced to O365.

…and what about that on-prem Exchange server?

Once you’ve moved all your mailboxes to O365, you might be tempted to decommission your on-premises Exchange servers.

Not so fast! Doing so might be a bad idea.

Even if all mailboxes live in O365, you may be surprised to know that you still need to keep an on-prem Exchange server around. Yes, really.

Why? The answer is Synchronized AD Accounts.

Most organizations that leverage Exchange Online / O365 will also be using an on-prem Active Directory. In such cases, Azure AD Connect is probably humming along as well — syncing users from on-prem to O365 on an ongoing basis. This is a typical configuration because organizations want to ensure that all new users in AD are also created in O365 (and all users deleted from on-prem AD are deleted from O365). Such a configuration results in a requirement that Exchange remain in the mix because when an on-prem AD account is synced, the on-prem account is considered the authoritative source for all AD attributes. As such, if you try to modify an attribute such as a user’s name or proxy address in O365, you’ll be treated to an unpleasant surprise. Office 365 is going to tell you that you need to make the change to the on-prem account and then let the change sync to O365.

Bleh…

Back to the on-prem Exchange Admin Center (which is run from the Exchange server that needs to remain in place).

While many organizations work around this by decommissioning the on-prem Exchange server and then managing such attributes via Attribute Editor in Active Directory Users and Computers (or even via, shudder, ADSIEDIT), these types of workarounds are NOT supported by Microsoft. Sure, they work, but when you call Microsoft for help with an issue, they are going to turn you away.
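What the supported path looks like in practice, as an added example that is not code from the article: the attribute change is made on the authoritative (on-prem) side through the retained Exchange server's management shell, verified, and then pushed to Azure AD with a delta sync. The user name, address and server name are constructed placeholders. `Set-RemoteMailbox` is the on-prem cmdlet for a user whose mailbox has already moved to Exchange Online; `Start-ADSyncSyncCycle` comes from the ADSync module on the Azure AD Connect server.

```powershell
# Added example (not from the article): change a proxy address for a synced user
# the supported way. Run in the on-premises Exchange Management Shell.
# Identity, address and server name are constructed placeholders.
$User              = 'jdoe'
$NewAlias          = 'smtp:john.doe@contoso.example'
$AadConnectServer  = 'aadconnect01.corp.example'

# A migrated, synced user should exist on-prem as a remote mailbox. If this lookup
# fails, the object is not being managed through Exchange, so stop rather than
# falling back to raw attribute editing.
$Remote = Get-RemoteMailbox -Identity $User -ErrorAction Stop

# Make the change on the authoritative side. The @{add=...} form appends a secondary
# address and leaves the primary SMTP address and policy-managed addresses intact.
Set-RemoteMailbox -Identity $User -EmailAddresses @{ add = $NewAlias }

# Confirm the attribute landed in on-prem AD before pushing it to the cloud.
Get-RemoteMailbox -Identity $User |
    Select-Object Name, PrimarySmtpAddress, EmailAddresses

# Trigger a delta sync on the Azure AD Connect server so the change reaches O365
# without waiting for the next scheduled cycle.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

The first lookup is the check that matters: if the object does not come back as a remote mailbox, Exchange is no longer the management plane for it, which is exactly the unsupported state the paragraph above warns about.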

So, the next time someone tells you that you can get rid of your on-prem Exchange server after your migration to O365 is complete, you’ll know better.

So which solution should I ultimately choose?

Choosing a solution, ultimately, isn’t difficult — especially if you are using Azure AD Connect to sync your on-prem users to O365. Your existing environment is going to largely dictate which solution you go with, taking much of the decision-making out of your hands.

If you are managing your users on-prem via local Active Directory, a full hybrid solution is going to be the required solution. Full hybrid is required in this case because minimal hybrid disables Azure AD Connect synchronization once the initial sync of users to O365 is complete. Obviously, this would be a problem if users are provisioned on-prem AFTER the sync has been disabled.

Key reasons to choose a full hybrid solution include:

  • You need to ensure email sent between on-prem users and cloud users is secure.
  • You need to see free/busy for both on-prem and cloud mailboxes (this is usually a big one).
  • You require advanced sharing, like Full Access permissions across Exchange and Office 365 mailboxes.
  • You require certain integrations, including Skype for Business presence and Teams integration into Exchange 2016 mailboxes.
  • You require cross-premises eDiscovery functionality.

Key reasons to choose a minimal hybrid solution include:

  • You are migrating quickly to O365 and have fewer than 1000 mailboxes to migrate.
  • You wish to perform a “cutover migration” to Office 365.
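A pre-migration check that gathers the two environmental facts this decision hinges on (mailbox count and whether Azure AD Connect is running an ongoing sync cycle) and applies the rule of thumb from the lists above, as an added example that is not code from the article. Coexistence needs such as cross-premises free/busy cannot be detected from the environment, so they are passed in as a switch. The Azure AD Connect server name is a constructed placeholder; `Get-ADSyncScheduler` is from the ADSync module on that server.

```powershell
# Added example (not from the article): collect the facts that drive the
# minimal-vs-full decision and apply the article's rule of thumb.
# Run in the on-premises Exchange Management Shell. The server name is a placeholder.
function Get-HybridRecommendation {
    param(
        [string]$AadConnectServer = 'aadconnect01.corp.example',
        [switch]$NeedsLongCoexistence   # free/busy, cross-premises eDiscovery, shared permissions
    )

    # Fact 1: how many mailboxes have to move.
    $MailboxCount = (Get-Mailbox -ResultSize Unlimited | Measure-Object).Count

    # Fact 2: is Azure AD Connect scheduled to keep syncing? Minimal hybrid disables
    # the sync after the initial pass, which breaks ongoing on-prem provisioning.
    $OngoingSync = Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync
        [bool](Get-ADSyncScheduler).SyncCycleEnabled
    }

    $Recommendation = if ($OngoingSync -or $NeedsLongCoexistence -or $MailboxCount -ge 1000) {
        'Full hybrid'
    } else {
        'Minimal hybrid'
    }

    [pscustomobject]@{
        MailboxCount          = $MailboxCount
        AzureADConnectOngoing = $OngoingSync
        LongCoexistence       = [bool]$NeedsLongCoexistence
        Recommendation        = $Recommendation
    }
}

# Usage: Get-HybridRecommendation -NeedsLongCoexistence
Get-HybridRecommendation
```

Ongoing directory sync is checked first and wins on its own, matching the article's point that an active Azure AD Connect schedule rules out minimal hybrid regardless of mailbox count.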

Minimal hybrid vs. full hybrid: Final thoughts

If you look closely at the lists of key reasons for each solution above, you should quickly notice that the minimal hybrid approach is essentially built for speed, whereas the full hybrid is built for longer-term coexistence. So, as a general rule of thumb, the fewer users that need to migrate to O365, the more likely a minimal hybrid is the right approach — unless you are synchronizing users to O365 in an ongoing fashion via Azure AD Connect. Also, keep in mind that regardless of which solution you choose, you are going to need to keep that pesky on-prem Exchange server around if you are (you guessed it) synchronizing on-prem AD users to O365 in an ongoing fashion.

Surprising, isn’t it? All this information about which solution to choose and it almost always comes down to synchronization anyway.

Thomas Mitchell

I am a 25+ year veteran of the IT industry and a subject matter expert in multiple disciplines, including Microsoft Exchange, Active Directory, and Microsoft Azure. My in-depth knowledge of these and other disciplines allows me to not only design and implement solutions based on these technologies but to also teach them. I hold the Cloud Platform and Infrastructure MCSE, as well as several other certifications.
