Hybrid Configuration wizard
This article gives you an overview of the Exchange hybrid deployment process using the Hybrid Configuration Wizard.
For more information about hybrid deployments, check out Exchange Server Hybrid Deployments.
Hybrid configuration process
Here's a quick overview of what the Hybrid Configuration Wizard does:
- Create the HybridConfiguration object in your on-premises Active Directory. This object stores the hybrid configuration information for the hybrid deployment.
- Complete the following steps:
- Gather existing on-premises Exchange and Active Directory topology configuration data, cloud organization data, and Exchange Online configuration data.
- Define several organization parameters.
- Run an extensive sequence of configuration tasks in both on-premises Exchange and Exchange Online.
There are several important considerations and prerequisites that you need to complete before you use the Hybrid Configuration wizard. These requirements are describe in Hybrid deployment prerequisites. After you meet all of these requirements, you'll be ready to use the Hybrid Configuration wizard.
The general phases of the hybrid deployment configuration process are described in the following:
Verify prerequisites and do topology checks: Verify that your on-premises and Exchange Online organizations can support a hybrid deployment. For example, the following items are checked:
- On-premises Exchange server versions.
- Exchange Online version.
- Active Directory synchronization presence and configuration.
- Federated and accepted domains.
- Existing federation trust and organization relationships.
- Web Services virtual directories.
- Exchange certificates.
Test account credentials: Verify that the on-premises and cloud accounts have the appropriate permissions to connect to both environments. Hybrid deployment management accounts require the following role group memberships:
- Organization Management role group in on-premises Exchange
- Global admins in Microsoft 365.
Hybrid deployment configuration changes: Make the required configuration changes to create and enable the hybrid deployment. All changes are automatically logged in the hybrid configuration log. By default, the hybrid configuration log is located on the on-premises Mailbox server at
%UserProfile%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration.
Inbound mail flow is controlled by your organization's MX record. Inbound internet mail for a hybrid deployment isn't configured by the Hybrid Configuration wizard.
Hybrid configuration features
By default, the Hybrid Configuration wizard automatically enables all hybrid deployment features each time it runs. To disable specific hybrid configuration features, you need to use the Set-HybridConfiguration in the Exchange Management Shell. By default, the following hybrid deployment features are enabled by the wizard:
Free/busy sharing: Enables calendar information to be shared between on-premises and Exchange Online users. Free/busy sharing is enabled as part of the federated sharing and organization relationship configuration for on-premises and cloud environments. Learn more at Sharing.
MailTips: MailTips are informative messages that users see as they compose messages. Users can adjust messages before they're sent to avoid undesirable situations or non-delivery reports (NDRs). For more information, see MailTips in Exchange and MailTips in Exchange Online.
Online archiving: Exchange Online host user email archive for both on-premises and cloud users. For more information, see Configure Exchange Online Archiving.
Outlook on the web redirection: Provides one URL to access both on-premises and Exchange Online mailboxes via Outloo on the web (formerly known as Outlook Web App or OWA). Client Access servers automatically redirect requests to on-premises mailbox servers or provide the link to Exchange Online mailboxes.
Exchange ActiveSync redirection: Most Exchange ActiveSync clients will now be automatically reconfigured when the mailbox is moved to Exchange Online. For more information, see Exchange ActiveSync device settings with Exchange hybrid deployments.
Secure mail: Uses Transport Layer Security (TLS) for secure mail delivery between the on-premises and cloud environments. On-premises Exchange and Exchange Online are mutually authenticated through digital certificate subjects and email headers. Rich-text message formatting is preserved across the organizations.
Hybrid configuration options
The Hybrid Configuration wizard allows a lot of customization for the hybrid deployment. To update a hybrid configuration setting after you initially configured hybrid, you can use the Hybrid Configuration wizard or the Exchange Management Shell.
The following table describes the major options:
|Domains||Adds Exchange Online as accepted domain to on-premises Exchange for hybrid mail flow and Autodiscover requests. By default, this domain is
You can view the accepted domain by running the following command Exchange Online PowerShell:
|Secure mail certificate||Select certificate that was issued by a trusted third-party Certificate Authority (CA). This certificate is used to authenticate and secure mail sent between the on-premises and Exchange Online organizations.|
|Exchange federated sharing||If an existing OAuth relationship or federation trust between Microsoft Entra ID and on-premises Exchange is found, that OAuth relationship or trust is used for the hybrid deployment. If not, the wizard configures OAuth authentication or creates a federation trust between Microsoft Entra ID and on-premises Exchange. Any domains that you selected in the Hybrid Configuration Wizard are added to the federation trust as needed.
The wizard also creates and configures organizational relationships for both the on-premises and Exchange Online organizations. These organization relationships allow the wizard to enable several hybrid deployment features:
Note: GCC High and DoD environments require a different value for the MetadataUrl parameter on the Set-FederationTrust cmdlet. For more information, see Set-FederationTrust.
|Mail flow||Client Access servers
The wizard configures any new and existing connectors as required:
For Exchange Online, you choose how to route outbound messages to the internet:
Important: Mail flow form the internet to recipients in your domain is controlled by the domain's MX record in DNS, not by the Hybrid Configuration wizard.
Hybrid Configuration Engine
The Hybrid Configuration Engine runs the core actions for configuring and updating a hybrid deployment, based on the
Update-HybridConfiguration cmdlet. The Hybrid Configuration Engine compares the state of the HybridConfiguration Active Directory object with current on-premises Exchange and Exchange Online configuration settings. Tasks are run to match the deployment configuration settings to the parameters that are defined in the HybridConfiguration Active Directory object. No changes are made if the current configuration states already match what's defined in the HybridConfiguration Active Directory object.
The Hybrid Configuration Engine does the following steps to compare and update an existing hybrid deployment:
- The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
- The Hybrid Configuration Engine reads the "desired state" stored on the
HybridConfigurationActive Directory object.
- The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization.
- The Hybrid Configuration Engine discovers topology data and current configuration from the Exchange Online organization.
- The Hybrid Configuration Engine establishes the "difference" between the on-premises Exchange and Exchange Online organizations.
- The Hybrid Configuration Engine runs configuration tasks to establish the desired state.
The following figure describes how the Hybrid Configuration Engine retrieves and modifies configuration settings during the hybrid deployment process.