Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2014-05-22

By establishing a hybrid deployment, you can extend the feature-rich experience and administrative control you have with your existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment also offers support for a cloud-based archiving solution for your on-premises mailboxes with Exchange Online Archiving and may also serve as an intermediate step towards a complete migration of your on-premises mailboxes to Exchange Online.

This topic covers configuring a hybrid deployment for your Microsoft Exchange Server 2013 organization and your Exchange Online organization in Microsoft Office 365 for enterprises using the Hybrid Configuration wizard. In this topic, a hybrid deployment is created for the following organization configuration:

Important:
Configuring a hybrid deployment with the Hybrid Configuration wizard requires several important prerequisites for the wizard to complete successfully and for the hybrid deployment features to function correctly. You must complete all the prerequisites outlined in Hybrid deployment prerequisites before you use the Hybrid Configuration wizard to create and configure your hybrid deployment.

Additionally, the Exchange Server Deployment Assistant is a free web-based tool that helps you configure a hybrid deployment between your on-premises organization and Office 365, or to migrate completely to Office 365. The tool asks you a small set of simple questions and then, based on your answers, creates a customized checklist with instructions to configure your hybrid deployment. We strongly recommend that you use the Deployment Assistant to generate a customized hybrid deployment checklist for your specific organization’s needs.

For additional management tasks related to hybrid deployments, see Hybrid Deployment procedures.

Learn more about hybrid deployments at Exchange Server 2013 Hybrid Deployments. Learn more about Office 365 at What is Office 365?.

What do you need to know before you begin?

  • Estimated time to complete: 30 minutes

    Important:
    Configuring the requirements for a hybrid deployment will take considerably longer than the estimated time to complete the Hybrid Configuration wizard procedures outlined in this topic. For example, signing up for Office 365 for enterprises, configuring Active Directory synchronization, and assigning Exchange Online licenses require a larger time investment and may also include network topology changes. You should plan for more than the time listed to complete this procedure for the overall time to complete the end-to-end hybrid deployment configuration.
  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Hybrid deployments" entry in the Exchange and Shell infrastructure permissions topic.

  • We recommend always running the wizard from an Exchange 2013 server whenever possible. The final steps in the Hybrid Configuration wizard for configuring Exchange OAuth authentication require that the steps are performed from an Exchange 2013 server or from any domain-joined server or workstation. Additionally, the OAuth authentication process works best when using the desktop version of Internet Explorer 10.x or greater. Using the Modern version of Internet Explorer included in Microsoft Windows 8 or greater is supported, but doesn’t provide the best configuration performance.

    Important:
    If your Office 365 tenant is hosted by 21Vianet in China, you’ll need to install the .Net 4.5.1 Language Pack to complete the OAuth authentication section of the Hybrid Configuration wizard.
  • Review Exchange Server 2013 Hybrid Deployments, and make sure you understand the areas that will be affected by configuring a hybrid deployment.

  • Review and complete all hybrid deployment requirements outlined in Hybrid deployment prerequisites.

  • The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you’re ready to configure your hybrid deployment. We strongly recommend that you check your on-premises organization with the Remote Connectivity Analyzer tool prior to configuring your hybrid deployment with the Hybrid Configuration wizard. Learn more at Remote Connectivity Analyzer Tool.

  • As a recommended option, install and configure single sign-on using Active Directory Federation Services (AD FS). Single sign-on enables users to access both the on-premises and Exchange Online organizations with a single user name and password. Single sign-on also ensures that users aren’t prompted for their credentials when accessing archived content in the Exchange Online organization when using Exchange Online Archiving. To use single sign-on, you'll need to make sure the AD FS requirements are met. Learn more at Prepare for single sign-on.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the Exchange admin center and Hybrid Configuration wizard to create a hybrid deployment

Use the following procedure to create and configure a hybrid deployment:

  1. In the EAC on an Exchange 2013 server in your on-premises organization, navigate to the Hybrid node.

  2. In the Hybrid node, click Enable to start the Hybrid Configuration wizard.

    Important:
    If your on-premises organization is located in China and your Office 365 tenant is hosted by 21Vianet, you must select the My Office 365 organization is hosted by 21Vianet check box. If your Office 365 tenant is hosted by 21Vianet and this checkbox isn’t selected, the Hybrid Configuration wizard won’t connect to 21Vianet service, your Office 365 account credentials won’t be recognized and the wizard won’t complete properly.
  3. At the prompt to log in to the Office 365 service, select sign in to Office 365 and enter the account credentials.

  4. Click Yes.

  5. Use the Add or Delete icon controls to select the federated and accepted domains for the hybrid deployment configuration. You should select the primary SMTP domain for your organization and any other accepted domains that will be used in the hybrid deployment. If the domains are already populated, use the same controls to add or remove the domains listed for hybrid configuration. After you’ve selected your domains, you can also choose which of them should be used as the domain for federated Autodiscover queries. To define a specific domain for Autodiscover, select the domain and click the flag control (the Hybrid Autodiscover domain assignment icon). If no domain is defined, the first domain in the list is used as the Autodiscover domain. For example, select “contoso.com” and “sales.contoso.com”, click “sales.contoso.com”, and then click the flag control to define it as the domain for federated Autodiscover queries. Click Next.

    Important:
    This domain selection step of the Hybrid Configuration wizard may or may not appear when you run the wizard.

    This step won’t appear if:
    • You have only one on-premises accepted domain added to your Office 365 tenant. Because this is the only domain available for hybrid deployment configuration, the domain is automatically selected and the step is skipped in the wizard.

    • There aren’t any on-premises accepted domains added to your Office 365 tenant. In this case, you’ll receive an error and you’ll need to add at least one domain to your Office 365 tenant before continuing. You can do this by using the Office 365 Administrative portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organization.

    This step will appear if you have more than one on-premises accepted domain added to your Office 365 tenant.
  6. Click Click to copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment to your clipboard. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS. Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone. Click Next after the TXT records have been created and the DNS records have replicated.

    Important:
    The TXT proof of ownership wizard page only displays if there is a non-federated domain selected in the previous step.
  7. Select which server role you want to configure for bi-directional secure mail transport between the on-premises and Exchange Online organizations, and optionally enable centralized transport for outbound Exchange Online mail:

    1. Configure my Client Access and Mailbox servers for secure mail transport (typical)   Select this option to configure your on-premises Client Access and Mailbox servers for secure mail transport with the Exchange Online Protection (EOP) service included with Office 365 for enterprises. (This topic covers selecting this option.)

    2. Configure Edge Transport servers for secure mail transport   Select this option to configure your on-premises Edge Transport servers for secure mail transport with the EOP service included with Office 365 for enterprises. (This topic doesn’t cover selecting this option or the additional steps needed to configure Edge Transport servers as part of a hybrid deployment.)

    3. Enable centralized mail transport   Select this option if you want Exchange Online to send all outbound messages to external recipients to your on-premises transport servers. The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, the Exchange Online organization will bypass the on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings. (This topic covers selecting the Enable centralized mail transport check box.) Click Next.

  8. Click Browse to display a list of Client Access servers in your on-premises Exchange organization. Select one or more Client Access servers on which you want to configure a Receive connector for bi-directional secure mail transport between the on-premises Exchange and Exchange Online organizations. Select at least one Client Access server, click OK, and then click Next.

  9. Click Browse to display a list of Mailbox servers in your on-premises Exchange organization. Select one or more Mailbox servers on which you want to configure a Send connector for bi-directional secure mail transport between the on-premises Exchange and Exchange Online organizations. Select at least one Mailbox server, click OK, and then click Next.

  10. Use the drop-down control to select the digital certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server(s) selected in the previous step. Click Next.

  11. Enter the externally accessible FQDN for the on-premises Client Access server(s). The EOP service in Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter “hybrid.contoso.com”. Click Next.

  12. Complete the following fields:

    • Domain\user name   Type the domain and user name for an account that is a member of the Organization Management management role group in the on-premises organization. For example, “corp\administrator”.

    • Password   Type the password for the on-premises account you entered in the Domain\user name text box. Click Next.

  13. Complete the following fields:

    • User ID   Type the user name for an account that is a member of the Organization Management management role group in the Office 365 organization. For example, “administrator@contoso.onmicrosoft.com”.

    • Password   Type the password for the Office 365 account you entered in the previous step. Click Next.

  14. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.

  15. After the initial hybrid deployment configuration steps are complete, the wizard displays a message to complete the connection with Office 365 and configure Exchange OAuth authentication. Select Configure to connect to Office 365 and start the OAuth configuration wizard.

    Note:
    If you have a mixed Exchange 2013/2010 or Exchange 2013/2007 on-premises organization and your Office 365 tenant isn’t hosted by 21Vianet, this step will be skipped and the wizard displays a completion message and the OK button is displayed. Click OK to complete the hybrid deployment configuration process and to close the wizard.
  16. Select Configure to start the OAuth authentication configuration wizard.

  17. When prompted, select Run to download the Microsoft Office 365 Support Assistant application.

  18. When prompted, select Run to run the Microsoft Office 365 Support Assistant application.

  19. The wizard displays a completion message and the Done button is displayed. Click Done to complete the hybrid deployment configuration process and to close the wizard.
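Step 6 asks you to publish a domain-proof TXT record per selected domain and wait for DNS replication before clicking Next. The following script is an added example, not part of the original topic, that confirms the records are visible from a public resolver before you continue. It assumes the Exchange Management Shell on an on-premises Exchange 2013 server (for Get-FederatedDomainProof, whose output is assumed to expose the token in a Proof property) on Windows Server 2012 or later (for Resolve-DnsName); the domain names and the resolver address are illustrative.

```powershell
# Added example (not part of the original topic): confirm that the domain-proof
# TXT records required at step 6 are visible in public DNS before clicking Next.
# Assumes the Exchange Management Shell on an on-premises Exchange 2013 server
# (Get-FederatedDomainProof) on Windows Server 2012 or later (Resolve-DnsName).
# The domains and the public resolver address are illustrative values.
function Test-HybridDomainProof {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$PublicResolver = '8.8.8.8'   # ask a public resolver, not the internal AD DNS
    )
    foreach ($d in $Domain) {
        # Proof tokens for this domain, regenerated from the federation trust certificate(s);
        # one of them is the value the wizard copied to the clipboard (Proof property assumed).
        $expected = @(Get-FederatedDomainProof -DomainName $d | ForEach-Object { $_.Proof })
        try {
            $published = Resolve-DnsName -Name $d -Type TXT -Server $PublicResolver -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { -join $_.Strings }   # long TXT values arrive as 255-byte chunks
        } catch {
            $published = @()   # NXDOMAIN, no TXT records, or resolver unreachable
        }
        $found = @($published | Where-Object { $expected -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Domain = $d
            Proof  = $expected -join ', '
            Status = if ($found) { 'OK' } else { 'Missing or not yet replicated' }
        }
    }
}

# Domains from this topic's example; replace with the ones selected in step 5.
Test-HybridDomainProof -Domain 'contoso.com', 'sales.contoso.com' | Format-Table -AutoSize
```

Only proceed in the wizard once every selected domain reports OK; a record that is visible only to your internal DNS has not yet replicated to the public zone the wizard checks.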

Configure OAuth authentication between Exchange and Exchange Online organizations

For mixed Exchange 2013/2010 and Exchange 2013/2007 hybrid deployments, the new hybrid deployment OAuth-based authentication connection between Office 365 and on-premises Exchange organizations isn’t configured by the Hybrid Configuration wizard. These deployments continue to use the federation trust process by default. However, certain Exchange 2013 features such as Message Records Management (MRM), Exchange In-place Archiving, and In-place eDiscovery are only fully available across your organization by using the new Exchange OAuth authentication protocol. We recommend that all mixed Exchange 2013/2010 and Exchange 2013/2007 organizations that wish to implement these features as part of a new hybrid deployment with Exchange Online configure Exchange OAuth authentication after configuring their hybrid deployment with the Hybrid Configuration Wizard.

For detailed configuration steps, see Configure OAuth authentication between Exchange and Exchange Online organizations.

For more information about Exchange security and compliance features that use OAuth authentication, see:

  • Using OAuth authentication to support Archiving in an Exchange hybrid deployment

  • Using OAuth authentication to support eDiscovery in an Exchange hybrid deployment

How do you know this worked?

The successful completion of the Hybrid Configuration wizard is your first indication that the hybrid configuration steps completed as expected.

To further verify that you have successfully created and configured your hybrid deployment, do the following:

  • Run the following command in the Exchange Management Shell for the on-premises organization. This command displays the hybrid deployment configuration values and settings, hybrid features, and transport endpoints. Verify that these values are correct.

    Get-HybridConfiguration
    
  • Confirm that the Hybrid Configuration wizard completed all the configuration steps by examining the hybrid configuration log. By default, the log is located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration on the on-premises Mailbox server.

  • Move an existing on-premises mailbox to the Exchange Online organization to test the mailbox move feature support, or create a new user mailbox in the Exchange Online organization to test free/busy calendar sharing between the two organizations. Either mailbox action also lets you test and confirm that message delivery between the on-premises and Exchange Online organizations is functioning correctly with existing mailboxes, and that the messages are delivered securely and treated as internal to the Exchange organization.

    • Use the EAC and navigate to Enterprise > Recipients > Mailboxes to create a new remote mailbox in Exchange Online.

    • Use the EAC and navigate to Office 365 > Recipients > Migration to move an existing mailbox to Exchange Online.
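The following script is an added example, not part of the original topic, that turns the first two checks above into something repeatable: it compares the values Get-HybridConfiguration returns with the choices made in the wizard, and then scans the newest Update-HybridConfiguration log for failures. It assumes the on-premises Exchange Management Shell, uses this topic's walkthrough values (contoso.com, sales.contoso.com, hybrid.contoso.com, centralized mail transport enabled) as the expected settings, and assumes that the Autodiscover domain appears in the Domains property with an 'autod:' prefix.

```powershell
# Added example (not part of the original topic): compare the stored hybrid
# configuration with the choices made in the wizard, then scan the newest
# Update-HybridConfiguration log for failures. Run in the on-premises Exchange
# Management Shell. Expected values are this topic's walkthrough values; the
# 'autod:' prefix marking the Autodiscover domain is an assumed format.
$Expected = @{
    Domains         = @('contoso.com', 'autod:sales.contoso.com')
    SmartHost       = 'hybrid.contoso.com'   # external FQDN entered in step 11
    CentralizedMail = $true                  # check box selected in step 7
}
$LogDir = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration'

function Test-HybridConfigurationValues {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $hc = Get-HybridConfiguration
    # Multi-valued properties hold objects; compare them as strings.
    $domains  = @($hc.Domains  | ForEach-Object { "$_" })
    $features = @($hc.Features | ForEach-Object { "$_" })
    $domainsMatch = ($domains.Count -eq $Expected.Domains.Count) -and
        -not ($Expected.Domains | Where-Object { $domains -notcontains $_ })
    $checks = [ordered]@{
        Domains                   = $domainsMatch
        OnPremisesSmartHost       = "$($hc.OnPremisesSmartHost)" -eq $Expected.SmartHost
        Centralized               = ($features -contains 'Centralized') -eq $Expected.CentralizedMail
        TlsCertificateName        = -not [string]::IsNullOrEmpty("$($hc.TlsCertificateName)")
        ReceivingTransportServers = @($hc.ReceivingTransportServers).Count -ge 1
        SendingTransportServers   = @($hc.SendingTransportServers).Count -ge 1
    }
    foreach ($k in $checks.Keys) { [pscustomobject]@{ Check = $k; Pass = [bool]$checks[$k] } }
}

function Get-HybridConfigurationLogErrors {
    param([string]$Path = $LogDir, [int]$Context = 2)
    # The wizard writes one timestamped log per run; inspect the newest.
    $log = Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { Write-Warning "No hybrid configuration log found under $Path"; return }
    Select-String -Path $log.FullName -Pattern 'ERROR|Exception|failed' -Context $Context
}

Test-HybridConfigurationValues -Expected $Expected | Format-Table -AutoSize
Get-HybridConfigurationLogErrors
```

A failed check for TlsCertificateName or an empty transport server list means secure mail transport was not configured as selected in steps 8 through 10, and the matching log lines usually name the step that did not complete.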