Using the Hybrid Configuration Wizard in Exchange Server 2013 (Part 3)

If you would like to read the other parts in this article series please go to:

Basic changes to perform manually to complete Hybrid configuration

After the completion of the Hybrid Configuration Wizard most organisations need to make additional changes. These changes include:

  • Update of on-premises and Office 365 Sharing Policies to allow maximum sharing between both parts of the Hybrid Exchange organization.
  • Creation of a Migration Endpoint to allow moves of mailboxes to and from Office 365.
  • Update of mailbox email addresses that do not use Email Address Policies.
  • Copy and configure on-premises policies in Office 365.
  • Configure and enable Public Folder co-existence.

Before we begin let’s take a moment to familiarise ourselves with the main change to the Exchange Admin Center after configuring Hybrid. As shown below the Exchange Admin Center enables both the Enterprise and Office 365 tabs for use.

Figure 1: Managing both Exchange and Office 365 from one session

This means that as an administrator it is possible to manage both on-premises and Exchange Online from a single browser session. Both environments look very similar so ensure you check which environment you are making changes to so as to avoid any mistakes.

Update Sharing Policies

Sharing policies are used to define the limits for Calendar and Contact sharing. By default the policies set up do not allow Exchange sharing using the native Federated Sharing features. To allow native Calendar and Contact sharing between all users, it is necessary to alter the default policies, or create new policies.

To allow sharing between all users in Office 365 and Exchange 2013 (and vice-versa) we will update the default sharing policies both on-premises and in Office 365. Start by navigating to the Enterprise tab, then select Organization. Select the Sharing tab and then scroll down to Individual Sharing. Choose Default Sharing Policy (DEFAULT) from the list, then choose Edit:

Figure 2: Updating the Sharing Policy

The Sharing Policy will open. Edit the Sharing with all domains rule to allow both Calendar and Contacts to be shared. Typically organizations will want to allow All calendar appointment information to be shared between on-premises and Office 365.

Figure 3: Allowing all calendar appointment information to be shared

After making the changes, choose Save. To perform the same change in Office 365, select Office 365 from the top navigation bar, then repeat the same procedure within Organization>Sharing:

Figure 4: Updating the Office 365 sharing policy

After this change is complete, users will be able to re-share their calendars between cloud and on-premises. Remember that this is only read-only access, and users who are migrated will need to re-share their calendar if the person they collaborate with is not also moved to Office 365.

Creating a Migration Endpoint

Without a Migration Endpoint it is not possible to move mailboxes to and from Office 365 using the Exchange Admin Center. Instead the New-MoveRequest cmdlets are required.

A migration endpoint allows a definition to be created in Office 365 that includes the on-premises Hybrid server name and a stored set of credentials that can be used to perform the move. This makes it easy to allow multiple administrators to perform migrations without knowing the on-premises migration account password.

First we will create the account that will be used with the Migration Endpoint. Note that you can use an Exchange administrative account, but it is best practice to create an account possessing the minimum permissions required.

Create the account using Active Directory Users and Computers. In our example we have created an account named MigUser and set the account password to Never Expire. Next, we’ve added the account to the Microsoft Exchange security group Recipient Management, as shown below:

Figure 5: Granting permissions to the migration user in the on-premises AD

Next, we’ll navigate back into the Exchange Admin Center, and then select Office 365. After choosing Office 365 select Recipients, then choose the Migration Tab. Select the more (…) menu, then select Migration Endpoints:

Figure 6: Navigating to the Migration Tab of the Office 365 Exchange Admin Center

We’ll then see the list of currently defined Migration Endpoints. For a new tenant with a freshly run Hybrid Configuration Wizard, nothing should be shown. The next step is to begin the Migration Endpoint Wizard by choosing Add (+), as shown below:

Figure 7: Creating a new Migration Endpoint

After the New Migration Endpoint Wizard launches, three options are shown: Exchange Remote, Outlook Anywhere and IMAP. For Hybrid configurations, Exchange Remote will always be used, so select it from the list, then press Next.

Figure 8: Selecting a Hybrid “Exchange Remote” endpoint

The Migration Endpoint Wizard will use Autodiscover to look up the Migration Endpoint address. Enter the email address to use for Autodiscover, then enter the account created in the previous steps as the Account with privileges.

Figure 9: Entering Autodiscover and migration user credentials

Depending on your configuration for other services like Outlook Anywhere the Migration Endpoint name may be automatically populated. If it is not then the Confirm the Migration Endpoint step of the wizard allows the opportunity to enter a server name. This will typically be the same FQDN used for Exchange Web Services. Enter the server name if necessary, then choose Next:

Figure 10: Checking and specifying the Hybrid Server external HTTPS name

Finally, we’ll give the Migration Endpoint an identifying name and specify the Maximum concurrent migrations and Maximum concurrent incremental syncs. Across all Migration Endpoints (for example if you have multiple Hybrid Servers in different sites) you can have a maximum combined total of 100 concurrent migrations.

Figure 11: Completing settings for the new Migration Endpoint
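The wizard steps above can also be carried out from an Exchange Online PowerShell session. The following is an added example, not part of the original article; the endpoint name, mailbox address and concurrency limits are assumed placeholders. It tests the connection with the migration account before the credentials are stored in the tenant.

```powershell
# Added example. Run in an Exchange Online PowerShell session.
# All names and limits below are assumed placeholders.
$EndpointName        = 'Hybrid-OnPrem'
$AutodiscoverMailbox = 'someuser@contoso.com'   # an on-premises mailbox
$MaxMigrations       = 20
$MaxIncrementalSyncs = 10

# Prompt for the on-premises migration account (MigUser in the article)
# so the password never appears in a script or in shell history.
$MigCredential = Get-Credential -Message 'On-premises migration account'

# Confirm Office 365 can discover and reach the on-premises endpoint
# with these credentials before anything is stored in the tenant.
$Test = Test-MigrationServerAvailability -ExchangeRemote -Autodiscover `
    -EmailAddress $AutodiscoverMailbox -Credentials $MigCredential

if ($Test.Result -ne 'Success') {
    Write-Warning "Endpoint test failed: $($Test.Message)"
}
else {
    # Create the Exchange Remote endpoint with explicit concurrency limits
    New-MigrationEndpoint -ExchangeRemote -Name $EndpointName -Autodiscover `
        -EmailAddress $AutodiscoverMailbox -Credentials $MigCredential `
        -MaxConcurrentMigrations $MaxMigrations `
        -MaxConcurrentIncrementalSyncs $MaxIncrementalSyncs

    # Review what is now stored in the tenant
    Get-MigrationEndpoint -Identity $EndpointName |
        Format-List Identity, EndpointType, RemoteServer,
            MaxConcurrentMigrations, MaxConcurrentIncrementalSyncs
}
```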

Update Mailboxes that don’t use Email Address Policies

As part of the Hybrid Configuration Wizard, Email Address Policies are updated to include an additional address which will be used for co-existence. Each mailbox that will be migrated needs this address added, which is in the form of <alias>@<tenantname>

Mailboxes that do not automatically update email addresses based on the email address policy will not have this additional address added.

Figure 12: Checking mailboxes that do not automatically update email addresses based on an email address policy

For each mailbox that does not have the email address policy automatically applied, there are two ways to add the missing address. The first method is to manually add a new SMTP address, as shown below:

Figure 13: Manually adding a new proxy address

The second, simpler way, is to change the mailbox back to Automatically update email addresses based on the email address policy applied to this recipient, as shown below:

Figure 14: Enabling automatic update of email address policies
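To find the affected mailboxes in bulk rather than opening each one, the check can be scripted from the on-premises Exchange Management Shell. This is an added example, not part of the original article; `$CoexistenceDomain` is an assumed placeholder for the co-existence domain that the Hybrid Configuration Wizard added to your Email Address Policies.

```powershell
# Added example. Run in the on-premises Exchange Management Shell.
# Assumed placeholder: replace with the co-existence domain from your
# own Email Address Policies.
$CoexistenceDomain = 'contoso.mail.onmicrosoft.com'

# Mailboxes excluded from Email Address Policies that have no proxy
# address in the co-existence domain.
$Missing = Get-Mailbox -ResultSize Unlimited -Filter { EmailAddressPolicyEnabled -eq $false } |
    Where-Object {
        -not ($_.EmailAddresses |
            Where-Object { "$_" -like "smtp:*@$CoexistenceDomain" })
    }

# Report the mailboxes that need attention
$Missing | Select-Object Name, Alias, PrimarySmtpAddress | Format-Table -AutoSize

# Add <alias>@<co-existence domain> as a secondary address.
# -WhatIf only previews the change; remove it to apply.
foreach ($Mailbox in $Missing) {
    $NewAddress = "smtp:$($Mailbox.Alias)@$CoexistenceDomain"
    Set-Mailbox -Identity $Mailbox.DistinguishedName `
        -EmailAddresses @{ Add = $NewAddress } -WhatIf
}
```

The lowercase `smtp:` prefix adds the address as a secondary proxy address and leaves the primary SMTP address unchanged.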

Configure Public Folder Coexistence

If you are using Public Folders on-premises, and plan either to maintain access to Public Folders during Hybrid co-existence or to migrate Public Folders to Office 365 from a legacy version of Exchange, then you will want to configure access from Office 365 to on-premises.

Providing access to clients is relatively straightforward. For a pure Exchange 2013 environment, navigate to Public Folders and make a note of all Public Folder mailboxes. These names will be used by Office 365 to return an address for the clients to use to discover the right location to connect to:

Figure 15: Listing Public Folder Mailboxes on-premises

Next, log in to Exchange Online PowerShell. Connect to Office 365, then use the Set-OrganizationConfig cmdlet to enable Remote Public Folders and enter a comma-separated list of Public Folder mailboxes:

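# Prompt for Office 365 administrator credentials
$UserCredential = Get-Credential

# Open a remote session to Exchange Online and import its cmdlets
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

# Point Office 365 users at the on-premises Public Folder mailboxes
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox01,PFMailbox02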

To ensure that mail-enabled Public Folders are listed in the Office 365 Global Address List and / or can be sent email from Office 365 mailboxes you can use Microsoft-provided scripts to create equivalent contact records in your Office 365 tenant. These do not work in pure Exchange 2013 environments and are intended to complement guidance on providing access to legacy Public Folder environments.

Instead we must use a different approach to ensure Office 365 users can email mail-enabled Public Folders on-premises.

The first available approach, changing domains to Internal Relay, is straightforward and allows mail flow but does not list the mail-enabled Public Folders in the Global Address List. It also means all unresolved email addresses within your Hybrid domains will be sent to the on-premises servers.

To configure this, navigate to Mail Flow and then choose Accepted Domains. Select the custom domains that include mail-enabled Public Folders and choose Edit. Change the Domain Type to Internal Relay, as shown below.

Figure 16: If necessary configuring a domain as internal relay

The second available approach uses a custom script to provide similar behaviour to the Microsoft script download above, creating contacts using the same approach. This is unsupported by Microsoft and provided in this article to use at your own risk.

From the Exchange Management Shell on the Exchange 2013 server we will connect both to on-premises and Exchange Online, then after retrieving information about Mail-Enabled Public Folders create equivalent addresses:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

# Import the Exchange Online cmdlets with a Cloud prefix
Import-PSSession $Session -Prefix Cloud

# Get On-Premises Exchange 2013 Mail-Enabled Public Folders
$MailPublicFolders = Get-MailPublicFolder

foreach ($MailPublicFolder in $MailPublicFolders)
{
    # Create equivalent sync folders in Office 365
    $EmailAddresses = @()

    foreach ($EmailAddress in $MailPublicFolder.EmailAddresses)
    {
        # Carry over each existing on-premises proxy address
        $EmailAddresses += $EmailAddress.ToString()
    }

    # Add the on-premises legacy DN as an X500 address
    $EmailAddresses += "X500:$($MailPublicFolder.LegacyExchangeDN)"

    New-CloudSyncMailPublicFolder -Name $MailPublicFolder.Name -Alias $MailPublicFolder.Alias -EntryId $MailPublicFolder.EntryId -EmailAddresses:$EmailAddresses -HiddenFromAddressListsEnabled:$MailPublicFolder.HiddenFromAddressListsEnabled

    Set-CloudMailPublicFolder $MailPublicFolder.Name -DisplayName $MailPublicFolder.DisplayName -WindowsEmailAddress $MailPublicFolder.WindowsEmailAddress.ToString()
}

You will notice in the script above that the Prefix parameter is used with Import-PSSession when completing the connection to Exchange Online. This is important to note. Because we have opened an Exchange Management Shell, all standard cmdlets like Get-Mailbox are already loaded and relate to on-premises. By setting a Prefix of Cloud we can import Exchange Online cmdlets within the same session. They appear with a Cloud prefix, for example Get-CloudMailbox rather than Get-Mailbox.

Re-Create On-Premises Policies and RBAC in Office 365

Finally it is important to understand that the Hybrid Configuration Wizard does not connect or re-create on-premises policies within Office 365.

The following policies should be re-evaluated to see which features are required after migration to Office 365, then changed if required:

  • Outlook Web App policies enable features such as the premium client, signatures, access to recover deleted items, the new groups features in Office 365 and areas of OWA such as the calendar, IM, people and tasks.
  • In-place hold policies are used to configure how long mailbox items should be kept, even after changes are made. Most organizations migrating to Office 365 who have compliance requirements will need to create relevant policies here, or configure journal recipient addresses to an on-premises or third-party system.
  • Mobile device mailbox policies are primarily used to manage ActiveSync devices, but also manage the OWA App for Devices. The key change most organizations make is to require devices to be locked with a secure PIN code.
  • Unified Messaging Mailbox Policies should be configured in combination with UM Dial Plans and modifications to the on-premises Lync environment.

If Role Based Access Control is used to manage delegated rights, or restrict user access to features in Exchange, then equivalent admin roles and user roles should be configured. In a Hybrid environment it makes sense to use the same synced admin accounts used on-premises to perform equivalent administrative tasks in Office 365.


In part three of this series we have performed a number of post-configuration tasks that the Hybrid Configuration Wizard does not perform but most organizations need. In the final part of this series, part four, we will perform a number of basic tests to validate functionality.
