What's new in Exchange 2013 hybrid deployments


Applies to: Exchange Server 2013, Exchange Online

Microsoft Exchange Server 2013 offers several improvements to configuring and managing hybrid deployments between on-premises Exchange organizations and Exchange Online organizations in Microsoft Office 365.

Improvements to the Hybrid Configuration wizard

The Hybrid Configuration wizard was introduced in Service Pack 2 (SP2) for Exchange Server 2010, and it vastly simplified the hybrid deployment configuration process for Exchange administrators. The original Hybrid Configuration wizard reduced what had been approximately 50 manual steps to just a few simple steps and the automated configuration of hybrid configuration parameters. With Exchange 2013, the Hybrid Configuration wizard improves upon the success of the original wizard in several important areas:

  • Reduction of configuration tools   In Exchange 2010 SP2, configuring the hybrid deployment was a two-step process and involved using the New Hybrid Configuration wizard and then using the Manage Hybrid Configuration wizard to complete the hybrid deployment configuration process. In Exchange 2013, these wizards have now been combined into a single Hybrid Configuration wizard that creates the HybridConfiguration Active Directory object and configures the hybrid deployment properties and services.

  • Streamlined wizard process   In Exchange 2010 SP2, the Manage Hybrid Configuration wizard separated the selection of Client Access and Hub Transport servers into different areas, making it less intuitive for Exchange organizations that had combined both server roles on single servers. In Exchange 2013, the Hybrid Configuration wizard removes the requirement for administrators to select Client Access servers. The wizard now requires only the selection of Mailbox or Edge Transport servers for the hybrid deployment mail flow configuration.

  • Enhanced secure mail   Secure mail between the Exchange on-premises and Exchange Online organizations is much simpler to configure now that it's no longer dependent on using static IP addresses for connector selection. The Exchange Online Protection (EOP) service in the Office 365 tenant is the endpoint for hybrid transport connections originating from the on-premises organization, and it's the source for hybrid transport connections to the on-premises organization from Exchange Online. Instead of using static IP addresses in the EOP connectors, the EOP service and the Hybrid Configuration wizard use the certificate both organizations use for transport layer security (TLS). This process eliminates the need for administrators to manage a list of static IP addresses on the EOP connectors.

  • Improved centralized mail transport   Centralized mail transport, the hybrid configuration in which all Exchange Online inbound and outbound Internet messages are routed via the on-premises Exchange organization, has been updated and doesn’t limit how inbound Internet mail flow may be configured. Previously, centralized mail transport wasn’t supported in a hybrid deployment when organizations pointed their mail exchanger (MX) to the EOP service instead of the on-premises organization. Centralized mail transport now supports all inbound Internet mail flow options.

  • Integrated Edge Transport server support   Configuring an Edge Transport server in a hybrid deployment in Exchange 2010 SP2 is cumbersome and also requires extensive manual configuration of several hybrid deployment transport parameters. Although there are still a few required manual steps to complete configuring Edge Transport servers in a hybrid deployment configuration in Exchange 2013, we fully support Exchange 2013 and Exchange 2010 Edge Transport servers in Exchange 2013 hybrid deployments. The Hybrid Configuration wizard supports selecting one or more Exchange 2013 or 2010 Edge Transport servers and automates more of the Edge Transport server configuration steps.

    Learn more at Edge Transport servers with hybrid deployments.

  • Improved support for Exchange Online Protection   Hybrid mail flow configuration now supports updating your MX record and directing all inbound Internet mail for your organization to EOP at any stage of your hybrid deployment, including before, during or after hybrid configuration. It’s even easier to have EOP filter your inbound and outbound Internet email for both the on-premises and Exchange Online organizations and route your hybrid mail flow traffic.

  • Detailed status in the configuration process   When using the Manage Hybrid Configuration wizard in Exchange 2010 SP2, the wizard showed administrators only the overall hybrid configuration progress, not which specific areas were being updated as they were configured. In Exchange 2013, the Hybrid Configuration wizard now displays information about each area while it’s being configured by the wizard.

  • Improved Hybrid Configuration log   In Exchange 2013, the Update Hybrid Configuration log has been improved and now separates each hybrid configuration step into a clearly delineated section to simplify review or troubleshooting. The log also now identifies where each hybrid configuration task is performed, either in the on-premises Exchange organization or in the Exchange Online organization.

  • OAuth federation support   New in Exchange 2013 Cumulative Update 5 (CU5), the Hybrid Configuration wizard supports automatically configuring Exchange OAuth authentication with Office 365 and Exchange Online. The Exchange OAuth authentication process is automated with a configuration wizard and replaces the traditional Exchange federation trust configuration process used in previous versions of the Hybrid Configuration wizard for certain deployments. Exchange OAuth authentication is required for configuring a hybrid deployment for Exchange 2013-only organizations. However, mixed Exchange 2013/2010 and Exchange 2013/2007 organizations configuring Exchange 2013-based hybrid deployments are supported using the legacy federation trust authentication process and skip the OAuth configuration process. Configuring OAuth authentication for these mixed Exchange organizations is an optional, manually-configured process and is only needed for organizations also configuring Exchange In-place Archiving and/or In-place eDiscovery features.


    For organizations configuring an Exchange 2013-based hybrid deployment with Office 365 tenants hosted by 21Vianet in China, OAuth authentication is used in all hybrid deployments. For more information, see Learn about Office 365 operated by 21Vianet.
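The certificate-based connector identification described under "Enhanced secure mail" can be checked on the Exchange Online side. The PowerShell below is an added example, not part of the original article or of the Hybrid Configuration wizard. It assumes objects shaped like `Get-InboundConnector` output (properties `Name`, `RequireTls`, `TlsSenderCertificateName`, `SenderIPAddresses`); the function name and the sample connectors are constructed for illustration.

```powershell
# Added example: classify inbound connectors by how they identify the
# on-premises sender (TLS certificate name versus a static IP list).
function Test-HybridInboundConnector {
    param([Parameter(Mandatory, ValueFromPipeline)] $Connector)
    process {
        $hasCert = -not [string]::IsNullOrWhiteSpace($Connector.TlsSenderCertificateName)
        # Filter out $null so an unset property counts as zero addresses.
        $ips = @($Connector.SenderIPAddresses | Where-Object { $_ })

        $finding = if (-not $Connector.RequireTls) {
            'Review: TLS not required'
        } elseif ($hasCert -and $ips.Count -eq 0) {
            'OK: identified by TLS certificate'
        } elseif ($hasCert) {
            'Review: certificate set, static IPs still listed'
        } else {
            'Review: identified by static IPs only'
        }

        [pscustomobject]@{
            Name        = $Connector.Name
            Certificate = $Connector.TlsSenderCertificateName
            StaticIPs   = $ips.Count
            Finding     = $finding
        }
    }
}

# Constructed sample connectors (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'Hybrid inbound A'; RequireTls = $true
        TlsSenderCertificateName = 'mail.contoso.com'; SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'Hybrid inbound B'; RequireTls = $true
        TlsSenderCertificateName = 'mail.contoso.com'; SenderIPAddresses = @('192.0.2.10') }
    [pscustomobject]@{ Name = 'Legacy inbound C'; RequireTls = $true
        TlsSenderCertificateName = $null; SenderIPAddresses = @('192.0.2.10', '192.0.2.11') }
    [pscustomobject]@{ Name = 'Legacy inbound D'; RequireTls = $false
        TlsSenderCertificateName = $null; SenderIPAddresses = @('192.0.2.12') }
)

$sample | Test-HybridInboundConnector | Format-Table -AutoSize

# Against a live tenant, in an Exchange Online PowerShell session:
# Get-InboundConnector | Where-Object ConnectorType -eq 'OnPremises' |
#     Test-HybridInboundConnector | Format-Table -AutoSize
```

Connectors flagged for static IPs are the ones that still depend on a maintained address list, which is the dependency the certificate-based approach is meant to remove.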

Learn more about the Hybrid Configuration wizard at Hybrid Configuration wizard.