How and when to decommission your on-premises Exchange servers in a hybrid deployment

Note

If you have an on-premises Exchange server for recipient management only, you might be able to shut down your last Exchange server and manage recipients using PowerShell. For more information, see Manage recipients in Exchange Hybrid environments using Management tools.

Read this article if you're ready to move from an Exchange hybrid deployment to a full cloud implementation.

An Exchange Server hybrid deployment is one of the most attractive options for getting a company to Exchange Online. This method is the only option that allows you to easily onboard and offboard mailboxes. All other native options are onboard only. A hybrid configuration also offers the following key capabilities.

  • Cross-premises availability: See user free/busy information while scheduling a meeting, regardless of where their mailbox is located.
  • Cross-premises archive: Move only a user's archive mailbox to the cloud. This move is often the first step for customers to try Microsoft 365 and Exchange Online.
  • Cross-premises discovery searches: With OAuth authentication, you can do eDiscovery searches in mailboxes and archives in both environments.
  • Outlook on the web URL redirection: Users are redirected to the proper environment for Outlook on the web (formerly known as Outlook Web App or OWA).
  • No profile recreation after move: Unlike other migration options, the mailbox GUID doesn't change. In other words, users don't need to recreate their Outlook profiles or redownload their OST files after a mailbox move.

Depending on your organization's needs, a hybrid deployment is the best option for providing the most seamless user and coexistence experience.

This article helps you understand the options for decommissioning Exchange hybrid, and when you should use those options. There are many variances in when and how to decommission Exchange hybrid servers. Taking the time to understand the implications and properly plan the full or partial decommissioning of on-premises servers is important.

Other methods to migrate to Exchange Online

A hybrid deployment isn't for everyone. Many organizations that chose to deploy a hybrid configuration have fewer than 50 users. While the advantages of a hybrid deployment are attractive, hybrid comes with a hefty price in complexity. Many smaller organizations use a cutover, staged, or IMAP migration. A program called FastTrack can help you decide on your best migration option. For more information, see the Microsoft 365 FastTrack page.

Use the following table to decide what type of migration works for your organization. For more information, see Ways to migrate multiple email accounts to Microsoft 365 or Office 365.

| Existing organization | Number of mailboxes to migrate | Manage user accounts in your on-premises organization? | Migration type |
|---|---|---|---|
| Exchange 2003 or later | Less than 2,000 mailboxes | No | Cutover Exchange migration |
| Exchange 2007 or Exchange 2003 | Less than 2,000 mailboxes | No | Staged Exchange migration |
| Exchange 2007 or Exchange 2003 | More than 2,000 mailboxes* | Yes | Staged Exchange migration or remote move migration in an Exchange hybrid deployment |
| Exchange 2010 or later | More than 2,000 mailboxes* | Yes | Remote move migration in an Exchange hybrid deployment |
| Exchange 2000 Server or earlier versions | No maximum | Yes | IMAP migration |
| Non-Exchange on-premises messaging system | No maximum | Yes | IMAP migration |

*Some organizations with fewer than 2,000 mailboxes might benefit from features and capabilities available only with a hybrid deployment. Carefully consider the benefits of a hybrid deployment with the inherent complexity. We strongly recommend consideration of cutover or staged migration for organizations with fewer than 2,000 mailboxes.

Why you might not want to decommission on-premises Exchange servers

Many hybrid organizations eventually move all mailboxes to Exchange Online. At this point, they probably think it's time to remove their on-premises Exchange servers. But it's not a good idea, because removing the on-premises Exchange servers in a hybrid deployment prevents management of cloud mailboxes. The culprit is directory synchronization.

When directory synchronization is enabled and a user is synchronized from the on-premises environment to the cloud, you can't manage most user properties from Exchange Online; you must manage those properties in the on-premises environment. Even if you configured directory synchronization without running the Hybrid Configuration wizard (HCW), you still can't do most recipient management tasks in the cloud. For more information, see this blog post.

Can I use non-Microsoft tools to manage Exchange objects in a hybrid deployment?

Yes, but they aren't supported. Microsoft supports the following tools to manage Exchange recipients and objects:

  • The Exchange Management Console.
  • The Exchange admin center (EAC).
  • The Exchange Management Shell.

Non-Microsoft tools, and even ADSIEDIT, aren't supported tools for managing Exchange users, and you use them at your own risk. These tools often work fine, but we don't validate them.

Common hybrid to cloud only scenarios

While there are issues, creating a hybrid deployment is a relatively easy, wizard-based process that we took the time to get right. But going from hybrid to cloud only isn't as easy, and requires careful planning.

This section contains three common hybrid to cloud only scenarios along with our recommendations. Find the scenario that best fits your situation and use it to formulate a plan to keep or decommission your hybrid and/or on-premises Exchange environment.

Scenario 1: All mailboxes and all cloud management

  • Scenario: My organization has a hybrid configuration and now all mailboxes are in Exchange Online. We don't need to manage users in the on-premises environment and we don't need directory synchronization or password synchronization.

  • Solution: Since all users will be managed in Microsoft 365 and there are no other directory synchronization requirements, you can safely disable directory synchronization and remove Exchange from the on-premises environment.

    Remove Exchange from the on-premises environment.

Disable directory synchronization and uninstall Exchange hybrid

  1. Run the following command in the Exchange Management Shell to verify the PublicFoldersEnabled value isn't 'Remote':

    Get-OrganizationConfig | Format-List PublicFoldersEnabled
    

    If the PublicFoldersEnabled value is 'Remote' and you need to access public folders, you need to migrate them to Exchange Online. For more information, see Use batch migration to migrate Exchange Server public folders to Exchange Online.

  2. Since all mailboxes are in Exchange Online, you can point your MX and Autodiscover record in DNS to Exchange Online. For more information, see External Domain Name System records for Office 365.

    Important

    Be sure to update both internal and external DNS. Otherwise, you might have inconsistent client connectivity.

  3. Use the Set-ClientAccessServer or Set-ClientAccessService cmdlet in the Exchange Management Shell to remove the Service Connection Point (SCP) values from your Exchange servers. This step ensures no SCPs are returned, and the client instead uses the DNS method for Autodiscover.

    Exchange 2010 or 2013:

    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
    

    Exchange 2016 or later:

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null
    

    Note

    If you have Exchange 2007 servers, you need to run the Get-ClientAccessServer | Set-ClientAccessServer... command on those servers.

  4. Do the following steps to delete the inbound and outbound connectors created by the Hybrid Configuration wizard:

    1. Open the Exchange admin center at https://admin.exchange.microsoft.com as an Exchange Administrator and go to Mail Flow > Connectors. Or to go directly to the Connectors page, use https://admin.exchange.microsoft.com/#/connectors.
    2. On the Connectors page, disable or delete the inbound and outbound connectors created by the Hybrid Configuration wizard:
      • Inbound from <unique identifier>
      • Outbound from <unique identifier>
  5. Remove the organization relationship created by the Hybrid Configuration wizard:

    1. Open the Exchange admin center at https://admin.exchange.microsoft.com as an Exchange Administrator and go to Organization > Sharing. Or, to go directly to the Sharing page, use https://admin.exchange.microsoft.com/#/organizationsharing.
    2. On the Sharing page, remove the O365 to On-Premises - <unique identifier> relationship created by the Hybrid Configuration wizard.
  6. Disable the OAuth configuration from the on-premises environment and Microsoft 365:

    • On-premises Exchange: Run the following command in the Exchange Management Shell:

      Get-IntraOrganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False
      
    • Exchange Online: Run the following command in Exchange Online PowerShell:

      Get-IntraOrganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False
      

    Note

    The Identity parameter value assumes you used the Hybrid Configuration wizard to configure OAuth. If not, you might need to use a different Identity value.

  7. Disable directory synchronization. For instructions, see Turn off directory synchronization for Microsoft 365 or Office 365.

    When you complete this step, you do all user management tasks in Microsoft 365. You no longer use the Exchange Management Console or Exchange admin center in on-premises Exchange.

  8. You can now safely uninstall Exchange from the on-premises servers.
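Before running step 8, a readiness check that confirms the preceding steps actually took effect is useful. The following script is an added example, not part of the original article or Microsoft's tooling; it runs in the on-premises Exchange Management Shell (Exchange 2016 or later), changes nothing, and assumes the accepted domains in Exchange are the ones whose DNS you updated in step 2.

```powershell
# Added readiness check for Scenario 1 (example code, not from the Microsoft article).
# Run in the on-premises Exchange Management Shell on Exchange 2016 or later.
# Read-only: every check maps to one of the steps above and reports blockers.
# Assumption: the server's DNS resolver answers for your accepted domains. This
# checks whatever resolver the server uses (usually internal DNS); repeat with
# Resolve-DnsName -Server <external resolver> to confirm the external records too.

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: public folders must not still be hosted on-premises as 'Remote'.
$pf = (Get-OrganizationConfig).PublicFoldersEnabled
if ($pf -eq 'Remote') { $findings.Add("PublicFoldersEnabled is 'Remote'; migrate public folders first") }

# Any mailbox still homed on-premises is lost if Exchange is uninstalled.
$onPrem = @(Get-Mailbox -ResultSize Unlimited)
if ($onPrem.Count -gt 0) {
    $findings.Add("$($onPrem.Count) mailbox(es) still on-premises, e.g. $($onPrem[0].PrimarySmtpAddress)")
}

# Step 3: no server may still publish an Autodiscover SCP in Active Directory.
Get-ClientAccessService | Where-Object { $_.AutoDiscoverServiceInternalUri } | ForEach-Object {
    $findings.Add("SCP still set on $($_.Name): $($_.AutoDiscoverServiceInternalUri)")
}

# Step 2: MX and Autodiscover for each authoritative domain should target Exchange Online.
Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' } | ForEach-Object {
    $d  = $_.DomainName.ToString()
    $mx = Resolve-DnsName -Name $d -Type MX -ErrorAction SilentlyContinue | Where-Object { $_.NameExchange }
    if (-not ($mx.NameExchange -match 'mail\.protection\.outlook\.com$')) {
        $findings.Add("MX for $d does not target Exchange Online: $($mx.NameExchange -join ', ')")
    }
    $ad = Resolve-DnsName -Name "autodiscover.$d" -Type CNAME -ErrorAction SilentlyContinue
    if ($ad.NameHost -ne 'autodiscover.outlook.com') {
        $findings.Add("autodiscover.$d is not a CNAME to autodiscover.outlook.com")
    }
}

# Step 6: the OAuth intra-organization connector created by the HCW should be disabled.
Get-IntraOrganizationConnector | Where-Object { $_.Enabled } | ForEach-Object {
    $findings.Add("IntraOrganizationConnector '$($_.Identity)' is still enabled")
}

if ($findings.Count -eq 0) { Write-Output 'No blocking findings; continue with step 7.' }
else { $findings | ForEach-Object { Write-Output "BLOCKER: $_" } }
```

On Exchange 2010 or 2013 replace Get-ClientAccessService with Get-ClientAccessServer; the property name is the same.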

Scenario 2: All cloud mailboxes with AD FS

  • Scenario: My organization has a hybrid configuration and now all mailboxes are in Exchange Online. We plan to keep Active Directory Federation Services (AD FS) for user authentication of Exchange Online mailboxes.

    Important

    This scenario applies to hybrid organizations that plan to keep directory synchronization and use the Exchange admin center in on-premises Exchange to manage recipients. If you don't require the on-premises EAC to manage recipients, you can remove the last on-premises Exchange server and still keep directory synchronization. For more information, see Manage hybrid exchange recipients with management tools.

  • Solution:

    • Since you're keeping AD FS, you also need to keep directory synchronization as a prerequisite.
    • Even though you have no on-premises mailboxes, you can't fully remove all Exchange servers from the on-premises environment. But you can remove most of them. You need to leave one or more on-premises Exchange servers (which can be virtual machines) for user management, because the source of authority is still in on-premises Exchange.

    State before decommissioning Exchange servers.

Tip

If you choose to remove AD FS from your infrastructure, cloud sync or Microsoft Entra Connect synchronizes your on-premises credentials with the cloud. Each service authenticates users independently:

  • Microsoft 365 identity services manages online authentication requests.
  • Active Directory manages the internal authentication.

Keep AD FS and decommission most Exchange servers

  1. Run the following command in the Exchange Management Shell to verify the PublicFoldersEnabled value isn't 'Remote':

    Get-OrganizationConfig | Format-List PublicFoldersEnabled
    

    If the PublicFoldersEnabled value is 'Remote' and you need to access public folders, you need to migrate them to Exchange Online. For more information, see Use batch migration to migrate Exchange Server public folders to Exchange Online.

    If you need to keep public folders and migrating them to Exchange Online isn't an option, go to Scenario 3: All cloud mailboxes with some on-premises email services.

  2. Since all mailboxes are in Exchange Online, you can point your MX and Autodiscover record in DNS to Exchange Online. For more information, see External Domain Name System records for Office 365.

    Important

    Be sure to update both internal and external DNS. Otherwise, you might have inconsistent client connectivity.

  3. Use the Set-ClientAccessServer or Set-ClientAccessService cmdlet in the Exchange Management Shell to remove the Service Connection Point (SCP) values from your Exchange servers. This step ensures no SCPs are returned, and the client instead uses the DNS method for Autodiscover.

    Exchange 2010 or 2013:

    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
    

    Exchange 2016 or later:

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null
    

    Note

    If you have Exchange 2007 servers, you need to run the Get-ClientAccessServer | Set-ClientAccessServer... command on those servers.

  4. To prevent hybrid configuration objects from being recreated in the future, run the following command in the Exchange Management Shell:

    Remove-HybridConfiguration
    
  5. Remove all on-premises Exchange servers except for one (OK) or two (better) for user management.

    Tip

    You don't need a Database Availability Group (DAG) or other high availability options for the remaining Exchange servers.

  6. Disable the OAuth configuration from the on-premises environment and Microsoft 365:

    • On-premises Exchange: Run the following command in the Exchange Management Shell:

      Get-IntraOrganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False
      
    • Exchange Online: Run the following command in Exchange Online PowerShell:

      Get-IntraOrganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False
      

    Note

    The Identity parameter value assumes you used the Hybrid Configuration wizard to configure OAuth. If not, you might need to use a different Identity value.

  7. Do the following steps to delete the inbound and outbound connectors created by the Hybrid Configuration wizard:

    1. Open the Exchange admin center at https://admin.exchange.microsoft.com as an Exchange Administrator and go to Mail Flow > Connectors. Or to go directly to the Connectors page, use https://admin.exchange.microsoft.com/#/connectors.
    2. On the Connectors page, disable or delete the inbound and outbound connectors created by the Hybrid Configuration wizard:
      • Inbound from <unique identifier>
      • Outbound from <unique identifier>
  8. Remove the organization relationship created by the Hybrid Configuration wizard:

    1. Open the Exchange admin center at https://admin.exchange.microsoft.com as an Exchange Administrator and go to Organization > Sharing. Or, to go directly to the Sharing page, use https://admin.exchange.microsoft.com/#/organizationsharing.
    2. On the Sharing page, remove the O365 to On-Premises - <unique identifier> relationship created by the Hybrid Configuration wizard.

Note

We recommend leaving the Exchange Hybrid Deployment feature enabled in cloud sync or Microsoft Entra Connect.

Scenario 3: All cloud mailboxes with some on-premises email services

  • Scenario: My organization has a hybrid configuration and now all mailboxes are in Exchange Online. I want to remove our on-premises Exchange servers, but we use Exchange for the following services:

    • SMTP relay for on-premises applications.
    • Access to public folders in on-premises Exchange.
  • Solution: We recommend against removing Exchange and the hybrid configuration in this scenario.

    Pointing your Autodiscover DNS records to Exchange Online breaks features like hybrid public folder access.

    You can point your MX record to Microsoft 365 and reduce the number of on-premises Exchange servers. However, you need to keep enough on-premises Exchange servers to handle the remaining hybrid functions. And you need to maintain or migrate Exchange-only services and features (for example, public folders).

    If you plan to keep identity synchronization from Active Directory, you need to maintain one (OK) or two (better) on-premises Exchange servers for user management.