Off-boarding email from Office 365 to Exchange 2013 (Part 4)

If you would like to read the other parts in this article series please go to:


The last part of this series covered the testing and configuration of Azure AD Sync and linking of on-premises AD Objects, and moving the AutoDiscover Endpoint to on-premises. In this part of the series, we’ll cover execution of the Hybrid Configuration Wizard.

Pre-creating our Federation Trust and confirming domain ownership

During the Hybrid Configuration Wizard a new Federation Trust is usually created for the Exchange organization if one doesn’t already exist, and during the wizard you’ll be prompted to update DNS records. Therefore it’s not a bad idea to pre-create the trust and validate our domain before we continue.

To perform this, open up the on-premises Exchange Admin Center and navigate to the Organization tab, then choose Sharing. Under the Federation Trust heading, choose Enable:

Figure 1: Pre-creating the Federation Trust

By choosing the enable the Federation Trust, a self-signed certificate and associated Active Directory object will be created, with basic default configuration. This trust certificate will be used as the basis for Hybrid functionality such as Free/Busy and Calendar Sharing.

We then need to obtain the DNS TXT records necessary to validate the Federation Trust for each SMTP domain. This record is called the Federated Domain Proof.

Open the Exchange Management Shell and use the Get-FederatedDomainProof cmdlet to get the DNS Text (TXT) record we’ll need to add to our external DNS zone for

Get-FederatedDomainProof -DomainName | fl Proof

You’ll see the encoded text output, which will be unique for your domain and be used to prove ownership:

Figure 2: Obtaining the Federated Proof record

The full proof string, as a single line, should then be added to the external DNS zone, as shown below:

Figure 3: Adding the Federated Proof record as a TXT entry in external DNS

You might find that we already have an existing TXT record for the Sender Policy Framework (SPF) record recommended by Microsoft when configuring Office 365.

An SPF record let’s receiving mail servers know which sender IP addresses should be trusted for this domain.

It’s advisable to update this to either add the Exchange on-premises outgoing IP addresses (recommended) or remove the SPF record entirely (not recommended, but many organizations don’t use SPF records). In the context of the Federation Proof TXT record, you will be pleased to know that multiple TXT records for one hostname or domain name are valid in DNS and do not affect the validation process.

Running the Hybrid Configuration Wizard

With our pre-requisites checked of and our Federation Trust ready to go, we’re ready to run the Hybrid Configuration Wizard to join up our Exchange on-premises organization with our Office 365 tenant.

The Hybrid Configuration Wizard in Exchange 2016 runs in the web browser and requires both the Exchange Admin Center on-premises and the Exchange Admin Center in Office 365 to be logged in. To ensure this works successfully, open Internet Explorer and ensure that both the URLs for the Exchange Admin Center and Exchange Online are listed in the Local Intranet Zone. This can be found within Internet Options>Security, then under Local Intranet, click Sites to display the following list:

Figure 4: Adding Office 365 sites to the Intranet Zone

In the example above we have included a wildcard entry for

Next we will log into the Exchange Admin Center and select the Hybrid tab from the left-hand side bar. Select Enable under the setup heading:

Figure 5: Starting the process to enable Hybrid

Next, you will be prompted to sign in to Office 365. This will take you to the Office 365 portal, where you should log in with a Global Admin, or a user with the Exchange administrator role.

Figure 6: Sign-in to the Office 365 portal

After login to Office 365, click on the Enterprise tab and then click on the Hybrid section again. Click Enable a second time to launch the Hybrid Configuration Wizard.

Figure 7: Launching the Hybrid Configuration Wizard

This time the web-based Hybrid Configuration Wizard will launch in a new browser window, entitled Set up Exchange Hybrid. This wizard collects information in an number of steps, before making configuration changes to the Exchange 2013 environment and Office 365 tenant so that they can communicate.

On the first page of the wizard, we will be prompted to add the Federation Proof record. As we’ve already performed this step in advance of launching the wizard, simply press Next:

Figure 8: The HCW showing the Federated Domain proofs already added

On the next page of the wizard, we are presented with the option to either use the Client Access and Mailbox Servers for email transport, or Edge Transport servers. For our off-boarding example we are not using Edge servers, so we’ll choose to utilize the combined Client Access and Mailbox servers. Select the most appropriate for your implementation then choose Next.

Figure 9: Selecting key options for Hybrid transport

On the following two pages of the wizard we’ll need to select both the receiving client access servers and the sending mailbox servers. The receiving servers will be configured to trust Office 365 sending email to it as if it were within the organization. Mail from Office 365 will go through these servers, and we will configure appropriate external DNS entries and firewall rules to allow inbound mail on TCP port 25.

The sending servers will relay mail to Office 365. Typically during co-existence whilst offboarding mailboxes this will be used by mailboxes on-premises to send to and reply to mailboxes still in Office 365. These servers need to be able to communicate with the Internet on TCP port 25.

Figure 10: Selecting the receiving client access server

Next we’ll need to choose the certificate to use for Hybrid mail transport. This certificate will already be configured and in use on the Exchange 2013 server and assigned for SMTP usage. The certificate issuer and subject will be stamped onto the associated inbound connector in Office 365 to validate mail from the on-premises server is genuine. Select the appropriate certificate, then choose Next:

Figure 11: Selecting an appropriate SSL certificate

Inbound mail from Office 365 will be directed at a DNS entry that reaches the receiving client access server chosen above. Enter the Fully Qualified Domain Name that will be used, then select Next:

Figure 12: Adding the DNS name for inbound mail from Office 365

On the final two data entry pages of the wizard, we’ll need to enter credentials both for the on-premises Exchange 2013 servers and for Office 365. The Exchange 2013 credentials must be a member of the Organization Management security group and the Exchange Online account is typically a global administrator of the tenant. Enter these credentials, then press Next:

Figure 13: Entering appropriate credentials for the wizard to run as

The Hybrid Configuration wizard will begin. During this process it completes configuration of the tenant and Exchange 2013 environment but, because all mailboxes are located in Office 365, should not risk mail flow or other functionality.

Figure 14: The HCW in progress

After the Hybrid Configuration wizard completes, examine any errors displayed. These may need further troubleshooting. Assuming a successful run of the Hybrid Configuration Wizard, the final step is to perform the OAuth configuration. Choose Configure to begin this process:

Figure 15: The completed HCW

The OAuth configuration will begin. This part of the configuration downloads a support assistant which performs the configuration automatically. When prompted, ensure you choose to Run each download.


In this part of the series, we’ve performed our reverse-Hybrid configuration, creating the foundation required for migrating mailboxes from the cloud to our on-premises Exchange 2013 environment. In the next part of this series we will ensure mail routing is configured correctly and begin moving mailboxes.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top