Saturday, January 3, 2015

Office 365 - Hybrid Migration - Part 4: Hybrid Configuration Wizard

Now that we have prepared ADFS and DirSync (please see my previous blog posts), we can use the "Hybrid Configuration Wizard" (HCW) to allow interaction between our on-premises Exchange server(s) and Exchange Online (the messaging component of Office 365).

Adding the Office 365 tenant to the EMC

First, it is necessary to add our Office 365 tenant to the Exchange Management Console (EMC). We open the EMC on our Exchange 2010 server (any server if we have several), right-click on the "Microsoft Exchange" icon and select the "Add Exchange Forest" option:

We then provide a name for the new Exchange Forest and select (in this case) "Exchange Online":

Since Office 365 will not recognize my local domain administrator credentials, I have to enter credentials that are valid for my Office 365 tenant. This could be the account used to configure the tenant initially or another account with "Global Administrator" rights:

Note: optionally, we can check "Remember my credentials" so we do not have to enter them each time we open the EMC.

We should then see a new icon in the EMC: Office 365. We can explore the various sections at this point, remarking, for example, that there is only one mailbox entry, a "Discovery Search Mailbox". This is normal since we have not yet migrated any mailboxes to Office 365 / Exchange Online.

Hybrid Configuration Wizard (HCW)

Now that we have added "Office 365" as an additional forest to our EMC, we can execute the HCW.

We right-click on the "Organization Configuration" icon and select the option "New Hybrid Configuration":

We can read a brief description about hybrid configuration:

Note: click "New" (not shown in screenshot above).

The wizard creates a self-signed certificate and a "Federation Trust" with Office 365 (the "Microsoft Federation Gateway" (MFG) acts as a sort of "broker" between the two domains):

Now we will manage the hybrid configuration...

In the EMC, under the Microsoft Exchange On-Premises section, we select Organization Configuration and then right-click on Hybrid Configuration. We select "Manage Hybrid Configuration":

On the Introduction page, we are reminded about prerequisite tasks that must be completed first:

On the page that appears next, we must enter credentials for an account that is a member of the Organization Management role group and then Global Administrator credentials for our Office 365 tenant (for example, the account used to create the tenant would have this role by default):

Note: we can optionally check the boxes "Remember my credentials".

Next, on the "Domains" page, we add the on-premises domain that will be part of the hybrid configuration:

At this point, the configuration becomes somewhat more complex.

Microsoft wants proof that we own the domain that we are adding to the hybrid configuration.

In the screenshot below, we see that the HCW creates a value (obscured) that we need to paste into a public DNS text record. We do this with the interface used to manage our external DNS records, most likely the same interface where we manage MX records for the domain name.

In my case, I will create a DNS text record in the NO-IP interface:

Some comments:
  • When I first did this, I was not sure if the value should be confidential or not. In the screenshot above, I show most of it but obscure the last part - just in case.
  • I did not provide step-by-step instructions for the creation of a DNS record in NO-IP since many readers will be using some other system, especially in a production environment using a static IP address.
  • In the NO-IP interface, the text records seem to be listed one above the other in the same text block. I had an SPF record in first position that I removed because the HCW would not complete successfully with this record present. Once again, however, I will not insist on this point since most readers are probably not using NO-IP to manage their DNS. If in fact you are using NO-IP, you can contact their technical support for any questions.
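Before re-running the HCW, it is worth confirming what the public DNS actually returns for the domain's TXT records. The check below is an added example (not part of the original post): it takes the list of TXT strings you obtain from your resolver (for example `nslookup -type=TXT yourdomain` on the Exchange server) and confirms that the proof value is published as a TXT record of its own, rather than glued onto other text such as the SPF record, which is the one-text-block situation described above with NO-IP. The proof value and the record contents are constructed placeholders.

```python
"""Offline sanity check of a domain's TXT records before the HCW domain-proof
step. Added example, not code from the original post or from Microsoft."""

# PLACEHOLDER: the real value is the one the HCW shows on the "Domains" page.
PROOF_VALUE = "PLACEHOLDER-HCW-DOMAIN-PROOF-VALUE"

# Constructed sample: how the records should look, one TXT string each.
GOOD_RECORDS = [
    "v=spf1 include:spf.protection.outlook.com -all",
    PROOF_VALUE,
]

# Constructed sample of the problem case: SPF text and proof value have been
# entered into a single text block, so no record equals the proof value.
BAD_RECORDS = [
    "v=spf1 include:spf.protection.outlook.com -all " + PROOF_VALUE,
]


def check_domain_proof(records, proof_value):
    """Return findings for one domain's TXT records.

    records     -- list of TXT strings as returned by nslookup/Resolve-DnsName
    proof_value -- the domain-proof value generated by the HCW
    """
    cleaned = [r.strip() for r in records]
    # The proof must be a standalone TXT record, compared exactly.
    exact = [r for r in cleaned if r == proof_value]
    # Proof text buried inside another record will not satisfy the check.
    embedded = [r for r in cleaned if proof_value in r and r != proof_value]
    # RFC 7208 allows at most one SPF record per domain; more is an error.
    spf = [r for r in cleaned if r.lower().startswith("v=spf1")]
    return {
        "proof_published": bool(exact),
        "proof_embedded_in_other_record": bool(embedded),
        "spf_record_count": len(spf),
        "ok": bool(exact) and not embedded and len(spf) <= 1,
    }


if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        print(label, check_domain_proof(recs, PROOF_VALUE))
```

If `proof_embedded_in_other_record` is true, split the text block into separate TXT records in your DNS provider's interface and wait for the change to propagate before retrying the wizard.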

In the following step "Servers", we select the Client Access and Hub Transport servers, which may be the same if we have multi-role servers:

In the "Mail Flow Settings", we indicate the public IP address and the FQDN of the (hybrid) Hub Transport servers. In practice, this will usually be, for the IP address, the external IP address of the on-premises location (often the IP address of an external interface of a firewall) and for the FQDN, the domain name associated with the mail system in external DNS:

Note: to add your IP address, you would click on "Add" (green plus sign) and then enter it. The FQDN can be entered directly.

We still have a couple more steps to complete and then we will have finished...

On this screen, "Mail Flow Security", we indicate the certificate to use for mail transport. I have a third party certificate that I will select:

As for the "Mail Flow Path", I will keep the default selection: mailboxes in Office 365 will send messages directly to external recipients.

We're almost there... We can review the configuration on the following screen and then click on "Manage":

If all goes well, the configuration will complete successfully:


In the following posts, I'll review some of the changes to onsite Exchange, migrate a mailbox to Exchange Online, access the migrated mailbox and send and receive messages.


  1. This document helped tremendously... thank you!
