Microsoft wants you to keep Exchange on-premises mostly to be sure none of the cloud attributes that route email to and from Office 365 get removed from AD. On paper, they would not help you with support if you got in a bind with your on-premises AD and anything Office 365 / Exchange related, as it is not "best practice."
Other options include PowerShell scripts to handle any AD-related functions related to Exchange Online. If you put back an on-premises Exchange, use 2013 / 2016 to run the upgrade to the schema and PrepareAD.
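As an added illustration (not code from the answer above), the following PowerShell maintains the Exchange Online routing attributes (`mail`, `proxyAddresses`, `targetAddress`) directly in AD for one user, which is the job an on-premises Exchange server would otherwise own. It assumes the ActiveDirectory RSAT module; the account name and domains used in the usage lines are placeholders.

```powershell
# Added example, not part of the original answer. Keeps the Exchange Online routing
# attributes on an AD user consistent without an on-premises Exchange server.
# Assumes the ActiveDirectory module; all names/domains below are placeholders.
Import-Module ActiveDirectory

function Set-CloudMailboxRouting {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimarySmtp,          # e.g. user@contoso.com
        [Parameter(Mandatory)][string]$TenantRoutingDomain   # e.g. contoso.mail.onmicrosoft.com
    )
    $user    = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, targetAddress, mail
    $current = @($user.proxyAddresses)
    $routing = $PrimarySmtp.Split('@')[0] + '@' + $TenantRoutingDomain

    # Exactly one upper-case "SMTP:" entry marks the primary address. Demote any other
    # primary to a lower-case "smtp:" alias so the directory never carries two primaries.
    foreach ($stale in ($current | Where-Object { $_ -clike 'SMTP:*' -and $_ -cne "SMTP:$PrimarySmtp" })) {
        Set-ADUser -Identity $user -Remove @{ proxyAddresses = $stale }
        $alias = 'smtp:' + $stale.Substring(5)
        if ($current -cnotcontains $alias) { Set-ADUser -Identity $user -Add @{ proxyAddresses = $alias } }
    }

    # Add the primary address and the tenant routing alias if they are not already present
    # (case-sensitive compare: "smtp:x" and "SMTP:x" are different entries to Exchange).
    $toAdd = @("SMTP:$PrimarySmtp", "smtp:$routing") | Where-Object { $current -cnotcontains $_ }
    if ($toAdd) { Set-ADUser -Identity $user -Add @{ proxyAddresses = $toAdd } }

    # targetAddress is what on-premises routing uses to forward mail to the cloud mailbox.
    Set-ADUser -Identity $user -Replace @{ mail = $PrimarySmtp; targetAddress = "SMTP:$routing" }
}

# Audit helper: users in a tenant's OU that carry a mail address but no targetAddress,
# i.e. mailboxes the cloud routing attributes were never written for (or were removed from).
function Get-UsersMissingRouting {
    param([Parameter(Mandatory)][string]$SearchBase)   # DN of the tenant's OU (placeholder)
    Get-ADUser -SearchBase $SearchBase -Filter { mail -like '*' } -Properties mail, targetAddress |
        Where-Object { -not $_.targetAddress } |
        Select-Object SamAccountName, mail
}

# Usage (placeholder values):
# Set-CloudMailboxRouting -SamAccountName 'jdoe' -PrimarySmtp 'jdoe@contoso.com' -TenantRoutingDomain 'contoso.mail.onmicrosoft.com'
# Get-UsersMissingRouting -SearchBase 'OU=TenantA,DC=contoso,DC=com'
```

Run the audit function after each directory change so a removed `targetAddress` shows up before mail starts bouncing, which is the failure the answer above warns about.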
Multi tenant Exchange 2019 and Hybrid O365 deployment
I am looking into doing an O365 Hybrid deployment to our multi-tenant Exchange 2019 so that we can do MFA. Our Exchange tenants are separated by OU, separate GAL, separate namespace, and such, so that they are completely separate but share the same AD. They have no access to each other in any way. My question is: if I do a hybrid deployment, how will that affect the Exchange org as a whole and per tenant? Will it force user changes for each tenant, or can I limit the deployment to only affect specific tenants? Can I do a hybrid deployment per tenant?
Thanks!!
4 answers
Amit Singh 4,901 Reputation points
2021-08-23T11:57:55.767+00:00
KyleXu-MSFT 26,266 Reputation points
2021-07-29T02:25:55.597+00:00 Do you mean that you have multiple Exchange servers coexisting in one domain, with those Exchange servers divided by OU, and now you have an Office 365 tenant that you want to hybrid with them to use MFA, and you are worried about whether it affects Exchange on-premises?
This topology isn't supported; you can double-check whether this is your AD topology: Single forest, multiple sync servers to one Azure AD tenant. If your AD is in another supported topology, you could deploy hybrid for your Exchange servers; it will not affect the use of Exchange on-premises.
David McBride 301 Reputation points
2021-08-09T13:13:30.89+00:00 Sorry if I am repeating something you already asked but I just need to make sure I have explored all options.
If I enable ADFS and use Azure AD Connect to only sync a single OU of users, then will only those users in the synced OU be required to use 2FA, and not the users that are not synced with Azure AD Connect?
A second possibility I have seen some mention is to create a second virtual directory for OWA that requires 2FA. That way, which URL the users go to determines whether they need to use 2FA. Will a second OWA virtual directory work?
Thank you for your patience.
David McBride 301 Reputation points
2021-08-12T13:59:57.31+00:00 So are you saying that to accomplish 2FA for OWA in on-prem Exchange I would have to set up ADFS with AAD Connect to Azure AD? Then I could use 2FA with phones?
Thank you for your patience