Deploying an Exchange 2013 Hybrid Lab Environment in Windows Azure (Part 25)


In part 24 of this article series revolving around what the Windows Azure service is all about as well as how you deploy an Exchange hybrid deployment in Windows Azure, we took a look at the existing mail flow and the mail flow options we have in an Exchange hybrid deployment.

In this part 25, we will continue where we left off in part 24.

Figure 1

Let’s get going…

Enabling Exchange Hybrid

In part 24 of this article series, I took you through the different mail routing options we have when it comes to Exchange hybrid deployments and told you which mail routing option we will choose for this specific scenario. In this article series, we will have inbound messages route through Exchange Online Protection (EOP) before they reach Exchange Online as well as Exchange on-premises mailboxes. For outbound message routing, we will choose the non-centralized mail transport option, which allows outbound messages from Exchange Online to go directly to external recipients instead of through the hybrid servers in the on-premises Exchange organization.

Let’s get going with enabling hybrid mode. To do so, first log on to one of the Exchange 2013 servers that are to act as hybrid servers. Then open the “Exchange admin center” and click “hybrid” at the bottom of the left pane.

Under the “hybrid” page, click the “Enable” button.

Figure 2: Enabling Hybrid Mode using the Hybrid Configuration wizard

You will then be asked to log in to Office 365 before you can continue. Do so by clicking “sign in to Office 365”.

Figure 3: Signing into Office 365 with a global admin account

We will be taken to the Office 365 sign in page as shown in Figure 4.

Figure 4: Signing into the tenant using the Office 365 login page

If you now get an error message about cookies not being enabled for your Exchange Administration Center URL, you will need to add it to the local intranet zone or trusted zones in your browser. In addition, I suggest you add the Office 365 login page URL and the Office 365 portal to this zone.

Figure 5: Cookies disabled error

Figure 6: Adding used URLs to the local intranet zone in Internet Explorer

After having added the respective URLs to the local intranet zone, try to authenticate against the Office 365 tenant again. This time it should go a little better. Now you should be able to switch between the “Enterprise” and “Office 365” modes without the need to authenticate.

Let us continue with enabling and configuring hybrid mode by clicking “Yes” on the “Set up Exchange Hybrid” page.

Figure 7: Set Up Exchange Hybrid page

On the next page, we see the custom domain for which we are to configure Exchange federation listed. Before clicking “Next” on this page, we need to copy the token and add it as a TXT record in external DNS in order to confirm ownership of the domain.

Figure 8: Confirming domain ownership using a TXT record

When you have added the TXT record to external DNS, go back and click the “Next” button shown in Figure 9.

Figure 9: TXT record added to external DNS
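
Before clicking “Next”, it is worth confirming that the token is actually visible from outside the network. The following is an added example, not part of the original article: it asks a public resolver and each authoritative name server for the TXT record and reports where the token is present. The domain, the token value and the resolver address are placeholders, and the domain is assumed to be a zone apex.

```powershell
# Placeholders (assumptions): replace with your own domain and the token shown by the wizard.
$Domain   = 'contoso.example'
$Token    = '<token copied from the wizard>'
$Resolver = '8.8.8.8'   # assumed public resolver; any external resolver works

# Ask the external resolver for the authoritative name servers of the zone, so that
# internal split-DNS zones and stale caches cannot hide a missing record.
$nameServers = Resolve-DnsName -Name $Domain -Type NS -Server $Resolver -DnsOnly -ErrorAction Stop |
    Where-Object Type -eq 'NS' |
    Select-Object -ExpandProperty NameHost

# Query the public resolver and every authoritative server for the TXT record.
foreach ($server in @($Resolver) + @($nameServers)) {
    # A single TXT value can be split into several strings; join them before comparing.
    $values = @(
        Resolve-DnsName -Name $Domain -Type TXT -Server $server -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' |
            ForEach-Object { ($_.Strings -join '').Trim() }
    )

    [pscustomobject]@{
        Server       = $server
        TxtRecords   = $values.Count
        TokenPresent = $values -contains $Token.Trim()
    }
}
```

If the authoritative servers report the token but the public resolver does not, the record is published and the resolver is still serving a cached answer.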

On the next page, we need to specify whether we have an Edge Transport server in the perimeter network to route through, or whether mail should go directly to the Client Access servers (hybrid servers) on the internal network. In addition, this is where we can choose to use centralized transport (routing mail from Exchange Online through the on-premises hybrid servers).

Since we do not have any Edge Transport servers in this specific scenario or have a need for centralized transport, we will select the first option and leave centralized transport unticked.

Figure 10: Configuring mail routing options

On the next page, we need to specify one or more Client Access servers (hybrid servers) in which the receive connectors for bi-directional mail transport with Exchange Online will be created and configured.

In this specific scenario, we will add both our Exchange 2013 multi-role servers.

Figure 11: Adding Exchange 2013 Client Access servers as bi-directional transport servers

Click “Next”.

Now we need to add the Exchange 2013 Mailbox servers that should host the send connectors used for bi-directional transport with Exchange Online. Since we use multi-role Exchange 2013 servers as hybrid servers in this specific scenario, we will add the same servers as those we added to host the receive connectors.

Figure 12: Adding the servers that should host send connectors

When the servers have been added, we can click “Next”.

On the page that appears, we specify the certificate to be used with the hybrid configuration. In this specific scenario, we use the wildcard certificate that was also used for the ADFS based federation.

The certificate should be issued by a trusted CA provider. When the respective certificate has been selected, click “Next”.

Figure 13: Specifying the certificate to be used for Exchange hybrid

If you are planning to add more than one domain to the Exchange hybrid, you can take advantage of the Exchange hybrid autodiscover domain feature. For details, see this column I wrote for TechNet Magazine.

We now have to specify the FQDN (in this case “”, which is our MX record pointing directly to the Exchange 2013 Client Access servers) to which the Exchange Online Protection (EOP) service in Office 365 should connect for secure mail transport to the on-premises Exchange organization.

After having entered the FQDN, click “Next”.

In the following figures, it says “Modify Exchange hybrid” and not “Set up Exchange Hybrid” as I had to re-run the wizard and had not taken screenshots prior to this.

Figure 14: Specifying the FQDN for secure mail transport to the on-premises Exchange organization

We now need to specify the credentials for an on-premises AD user that is a member of the Organization Management group.

Do so and click “Next”.

Figure 15: Specifying the credentials for an on-premises AD user member of the Organization Management group

Then we need to specify the credentials for a global admin account in Office 365.

Do so and click “Next”.

Figure 16: Specifying the credentials for a global admin account in Office 365

We have now completed the hybrid configuration and all there is left to do is to click “Update” in order for the specified hybrid servers on-premises, Exchange Online and Exchange Online Protection to be updated with the specified configuration settings.

Figure 17: Updating the Exchange hybrid configuration and enabling hybrid features

The update process will go through several steps. It will connect to the Office 365 tenant, configure recipient settings, create the organization relationships, configure free/busy mail flow and enable the MRS Proxy sub-service.

Figure 18: Configuration steps for the hybrid wizard

After a few minutes, it should complete with the page shown in Figure 20.

Figure 19: Exchange hybrid deployment configuration almost complete

Notice I got a warning that the wizard was unable to communicate with the on-premises autodiscover endpoint. This was due to the fact the VIP address for my Exchange load balancing set had changed in Azure IaaS and I had to update the public DNS record accordingly.

Also notice that the button on this page does not say “Finish” but “Configure”. This is because we are not completely done with the hybrid configuration yet.
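
The settings the wizard has written so far can be reviewed from the Exchange Management Shell. The following read-only checks are an added example, not part of the original article: they list the stored hybrid configuration, the TLS settings on the connectors, the state of the SMTP certificate and the MRS Proxy, and compare the public autodiscover record with the expected VIP. The domain, the VIP, the resolver address and the `autodiscover.<domain>` host name are assumptions.

```powershell
# Run in the Exchange Management Shell on an on-premises hybrid server. All commands are read-only.
$Domain      = 'contoso.example'   # placeholder: your federated domain
$ExpectedVip = '203.0.113.10'      # placeholder: current public VIP of the load-balanced set

# 1. Settings the wizard stored: hybrid servers, certificate, smart host FQDN, enabled features.
Get-HybridConfiguration |
    Format-List ReceivingTransportServers, SendingTransportServers, OnPremisesSmartHost,
                TlsCertificateName, Domains, Features

# 2. Connectors scoped to a TLS domain should require TLS and name the expected certificate.
Get-SendConnector | Where-Object { $_.TlsDomain } |
    Format-List Name, AddressSpaces, SourceTransportServers, RequireTLS, TlsAuthLevel,
                TlsDomain, TlsCertificateName
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities } |
    Format-List Identity, Bindings, TlsCertificateName, TlsDomainCapabilities

# 3. SMTP certificate on this server: flag self-signed, invalid or soon-to-expire certificates.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
    $problem = @()
    if ($_.IsSelfSigned)                        { $problem += 'self-signed' }
    if ($_.Status -ne 'Valid')                  { $problem += "status $($_.Status)" }
    if ($_.NotAfter -lt (Get-Date).AddDays(30)) { $problem += "expires $($_.NotAfter)" }
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint
                       Finding = if ($problem) { $problem -join ', ' } else { 'ok' } }
} | Format-Table -AutoSize

# 4. MRS Proxy state on the EWS virtual directories.
Get-WebServicesVirtualDirectory | Format-Table Server, MRSProxyEnabled, ExternalUrl -AutoSize

# 5. Organization relationship used for free/busy sharing.
Get-OrganizationRelationship |
    Format-List Name, DomainNames, FreeBusyAccessEnabled, TargetAutodiscoverEpr

# 6. Public autodiscover record versus the expected VIP (assumed name: autodiscover.<domain>).
$resolved = (Resolve-DnsName "autodiscover.$Domain" -Type A -Server 8.8.8.8 -DnsOnly |
    Where-Object Type -eq 'A').IPAddress
if ($resolved -notcontains $ExpectedVip) {
    Write-Warning "autodiscover.$Domain resolves to '$resolved', expected $ExpectedVip"
}
```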

This concludes part 24 of this multi-part article in which I provide you with an explanation of what Windows Azure is and how you configure an Exchange 2013 hybrid lab environment in Windows Azure.
