Den här webbläsaren stöds inte längre.
Uppgradera till Microsoft Edge och dra nytta av de senaste funktionerna och säkerhetsuppdateringarna, samt teknisk support.
Summary: What your Exchange environment needs before you can set up a hybrid deployment.
Before you create and configure a hybrid deployment using the Hybrid Configuration wizard, your existing on-premises Exchange organization needs to meet certain requirements. If you don't meet these requirements, you won't be able to complete the steps within the Hybrid Configuration wizard and you won't be able to configure a hybrid deployment between your on-premises Exchange organization and Exchange Online.
The following prerequisites are required for configuring a hybrid deployment:
| On-premises environment | Exchange 2019-based hybrid deployment | Exchange 2016-based hybrid deployment | Exchange 2013-based hybrid deployment | Exchange 2010-based hybrid deployment |
|---|---|---|---|---|
| Exchange 2019 | Supported | Not supported | Not supported | Not supported |
| Exchange 2016 | Supported | Supported | Not supported | Not supported |
| Exchange 2013 | Supported | Supported | Supported | Not supported |
| Exchange 2010 | Not supported | Supported | Supported | Supported |
Exchange server releases: Hybrid deployments require the latest Cumulative Update (CU) or Update Rollup (RU) that's available for your version of Exchange. If you can't install the latest update, the immediately previous release is also supported.
Exchange CUs are released quarterly, so keeping your Exchange servers up-to-date gives you some additional flexibility if you periodically need extra time to complete upgrades.
Exchange server roles: The server roles you need to install in your on-premises organization depend on the version of Exchange you have installed.
Exchange 2016 and newer: At least one Mailbox server.
Exchange 2013: At least one instance of Mailbox and Client Access server roles installed (separately or on one server; we strongly recommend on one server).
Exchange 2010: At least one instance of Mailbox, Hub Transport, and Client Access server roles installed (separately or on one server; we strongly recommend on one server).
Hybrid deployments also support Exchange servers running the Edge Transport server role. Edge Transport servers also need to be updated to the latest CU or RU. We strongly recommend that you deploy Edge Transport servers in a perimeter network. You can't deploy Mailbox or Client Access servers in a perimeter network.
Anteckning
If you already started a migration process with Exchange 2010 Hybrid endpoints and do not plan to keep on-premises mailboxes, continue your migration as-is. If you plan to keep some mailboxes on-premises, we strongly recommend that you introduce Exchange 2016 Hybrid endpoints (because Exchange 2010 has reached its end of support lifecycle). Continue your migration of Exchange 2010 mailboxes to Office 365, and then move the mailboxes that will stay on-premises to Exchange 2016 servers. After you have removed all of your Exchange 2010 servers, you can then introduce Exchange 2019 servers as your new Hybrid endpoints and also move your remaining on-premises mailboxes to Exchange 2019 servers.
Microsoft 365 or Office 365: Hybrid deployments are supported in all Microsoft 365 and Office 365 plans that support Microsoft Entra synchronization. All Microsoft 365 Business Standard, Business Basic, Enterprise, Government, Academic and Midsize plans support hybrid deployments. Microsoft 365 Apps for business and Home plans don't support hybrid deployments.
Learn more at Microsoft 365.
Custom domains: Register any custom domains you want to use in your hybrid deployment with Microsoft 365 or Office 365. You can do this by using the Microsoft 365 portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organization.
Learn more at Add your domain to Microsoft 365 or Office 365.
Active Directory synchronization: Deploy the Microsoft Entra Connect or cloud sync tool to enable Active Directory synchronization with your on-premises organization.
Learn more at Microsoft Entra Connect User Sign-on options and What is Microsoft Entra Cloud Sync?.
Autodiscover DNS records: Configure the Autodiscover record for your existing SMTP domains in your public DNS to point to your on-premises Exchange servers (an Exchange 2010/2013 Client Access server or an Exchange 2016/2019 Mailbox Server).
Certificates: Assign Exchange services to a valid digital certificate that you purchased from a trusted public certificate authority (CA). Although you should use self-signed certificates for the on-premises federation trust with the Microsoft Federation Gateway, you can't use self-signed certificates for Exchange services in a hybrid deployment.
The Internet Information Services (IIS) instance on the Exchange servers that are configured in the hybrid deployment require a valid digital certificate purchased from a trusted CA.
The EWS external URL and the Autodiscover endpoint that you specified in your public DNS must be listed in the Subject Alternative Name (SAN) field of the certificate. The certificates that you install on the Exchange servers for mail flow in the hybrid deployment must all be issued by the same certificate authority and have the same subject.
Learn more at Certificate requirements for hybrid deployments.
EdgeSync: If you've deployed Edge Transport servers in your on-premises organization and want to configure the Edge Transport servers for hybrid secure mail transport, you need configure EdgeSync prior to using the Hybrid Configuration wizard. You also need to run EdgeSync each time you apply a new CU to an Edge Transport server.
Viktigt
Although EdgeSync is a requirement in deployments with Edge Transport servers, additional configuration settings are required when you configure Edge Transport servers for hybrid secure mail transport.
Learn more at Edge Transport servers with hybrid deployments.
Microsoft .NET Framework: To verify the versions that can be used with your specific version of Exchange, see Exchange Server supportability matrix - Microsoft .NET Framework.
Unified Messaging-enabled (UM) mailboxes: If you have UM-enabled mailboxes and you want to move them to Microsoft 365 or Office 365, you need to meet the following requirements before you move them:
Lync Server 2010, Lync Server 2013, or Skype for Business Server 2015 or later integrated with your on-premises telephony system.
or
Skype for Business Online integrated with your on-premises telephony system.
or
A traditional on-premises PBX or IP-PBX solution.
For more information, check out Telephone system integration with UM in Exchange Online, Plan for Skype for Business Server and Exchange Server migration, and Set up Cloud Voicemail.
You need to configure the following protocols, ports, and connection endpoints in the firewall that protects your on-premises organization as described in the following table.
Viktigt
The related Microsoft 365 and Office 365 endpoints are vast, ever-changing, and aren't listed here. Instead, see the sections Exchange Online and Microsoft 365 Common and Office Online in Microsoft 365 and Office 365 URLs and IP address ranges to identify the endpoints for each port listed here.
Anteckning
The ports required for mail flow and client connectivity in your on-premises Exchange organization not related to the hybrid configuration are described in Network ports for clients and mail flow in Exchange.
| Source | Protocol/Port | Target | Comments |
|---|---|---|---|
| Exchange Online endpoints | TCP/25 (SMTP/TLS) | Exchange 2019/2016 Mailbox/Edge Exchange 2013 CAS/Edge Exchange 2010 Hub/Edge |
On-premises Exchange Servers configured to host receive connectors for secure mail transport with Exchange Online in the Hybrid Configuration wizard |
| Exchange 2019/2016 Mailbox/Edge Exchange 2013 CAS/Edge Exchange 2010 Hub/Edge |
TCP/25 (SMTP/TLS) | Exchange Online endpoints | On-premises Exchange Servers configured to host send connectors for secure mail transport with Exchange Online in the Hybrid Configuration wizard |
| Exchange Online endpoints | TCP/443 (HTTPS) | Exchange 2019/2016 Mailbox Exchange 2013/2010 CAS |
On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to Internet |
| Exchange 2019/2016 Mailbox Exchange 2013/2010 CAS |
TCP/443 (HTTPS) | Exchange Online endpoints | On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to Internet |
| Exchange 2019/2016 Mailbox/Edge Exchange 2013 CAS/Edge Exchange 2010 Hub/Edge |
80 | ctldl.windowsupdate.com/* | For hybrid functionality, Exchange Servers needs outbound connectivity to various Certificate Revocation List (CRL) endpoints mentioned here. We strongly recommend letting Windows maintain the Certificate Trust List (CTL) on your machine. Otherwise, this must be maintained manually on a regular basis. To allow Windows to maintain the CTL, the URL must be reachable from the computer on which Exchange Server is installed. |
The following table provides more detailed information about the involved on-premises endpoints:
| Description | Port and protocol | On-premises endpoint | Authentication Provider | Authorization Method | Pre-Auth Supported? |
|---|---|---|---|---|---|
| SMTP mail flow between Microsoft 365 or Office 365 and on-premises Exchange | TCP 25 (SMTP/TLS) | Exchange 2019/2016 Mailbox/Edge Exchange 2013 CAS/Edge Exchange 2010 Hub/Edge |
N/A | Certificate-based | No |
| Autodiscover | TCP 443 (HTTPS) | Exchange 2019/2016 Mailbox server: /autodiscover/autodiscover.svc/wssecurity Exchange 2013/2010 CAS: /autodiscover/autodiscover.svc |
Microsoft Entra authentication system | WS-Security Authentication | No |
| Free/busy, MailTips, and message tracking (EWS) | TCP 443 (HTTPS) | Exchange 2019/2016 Mailbox or Exchange 2013/2010 CAS: /ews/exchange.asmx/wssecurity |
Microsoft Entra authentication system | WS-Security Authentication | No |
| Multi-mailbox search (EWS) | TCP 443 (HTTPS) | Exchange 2019/2016 Mailbox or Exchange 2013/2010 CAS: /ews/exchange.asmx/wssecurity /autodiscover/autodiscover.svc/wssecurity /autodiscover/autodiscover.svc |
Auth Server | WS-Security Authentication | No |
| Mailbox migrations (EWS) | TCP 443 (HTTPS) | Exchange 2019/2016 Mailbox or Exchange 2013/2010 CAS: /ews/mrsproxy.svc |
NTLM | Basic | No |
| OAuth (Autodiscover and EWS) | TCP 443 (HTTPS) | Exchange 2019/2016 Mailbox or Exchange 2013/2010 CAS: /ews/exchange.asmx/wssecurity /autodiscover/autodiscover.svc/wssecurity /autodiscover/autodiscover.svc |
Auth Server | WS-Security Authentication | No |
| AD FS (Windows Server) | TCP 443 (HTTPS) | Windows 2012 R2/2016 Server: /adfs/* | Microsoft Entra authentication system | Varies per config. | 2-factor |
| Microsoft Entra Connect | TCP 443 (HTTPS) | Windows 2012 R2/2016 Server (AD FS): /adfs/* | Microsoft Entra authentication system | Varies per config. | 2-factor |
For even more detail about this information, see Deep Dive: How Hybrid Authentication Really Works, Demystifying and troubleshooting hybrid mail flow: when is a message internal?, Transport routing in Exchange hybrid deployments, Configure mail flow using connectors, and Manage mail flow with mailboxes in multiple locations (Exchange Online and on-premises).
The following tools and services are beneficial when you're configuring hybrid deployments with the Hybrid Configuration wizard:
Mail migration advisor: Gives you step-by-step guidance to configure a hybrid deployment between your on-premises organization and Microsoft 365 or Office 365, or migrate completely to Microsoft 365 or Office 365.
Learn more at Use the mail migration advisor.
Remote Connectivity Analyzer tool: The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you're ready to configure your hybrid deployment. We strongly recommend that you check your on-premises organization with the Remote Connectivity Analyzer tool prior to configuring your hybrid deployment with the Hybrid Configuration wizard.
Learn more at Microsoft Remote Connectivity Analyzer.
Single sign-on: Single sign-on enables users to access both the on-premises and Exchange Online organizations with a single username and password. It provides users with a familiar sign-on experience and allows administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools.
You have a couple of options when deploying single sign-on: password synchronization and Active Directory Federation Services. Both options are provided by Microsoft Entra Connect. Password synchronization enables almost any organization, no matter the size, to easily implement single sign-on. For this reason, and because the user experience in a hybrid deployment is significantly better with single sign-on enabled, we strongly recommend implementing it. For very large organizations, such as those with multiple Active Directory forests that need to join the hybrid deployment, Active Directory Federation Services is required.
Learn more at Single sign-on with hybrid deployments.
Utbildning
Modul
Implementera och hantera hybrididentitet - Training
Det kan vara svårt att skapa en hybrididentitetslösning för att använda din lokala active directory. Utforska hur du implementerar en säker hybrididentitetslösning.
Certifiering
Som Windows Server-hybridadministratör integrerar du Windows Server-miljöer med Azure-tjänster och hanterar Windows Server i lokala nätverk.
Dokumentation
Exchange Server hybrid deployments
Summary: What you need to know to plan an Exchange hybrid deployment.
Create a hybrid deployment with the Hybrid Configuration wizard
By establishing a hybrid deployment, you can extend the feature-rich experience and administrative control you have with your existing on-premises Exchange Server organization to the cloud. A hybrid deployment also offers support for a cloud-based archiving solution for your on-premises mailboxes with Exchange Online Archiving and may also serve as an intermediate step towards a complete migration of your on-premises mailboxes to Exchange Online.
Admins can learn about Exchange Hybrid configuration and the Hybrid Configuration wizard.