Enabling secure access to data is top of mind for many organizations. How to achieve this is the troublesome part as there is no one size fits all solution especially surrounding the security of said data and where it should reside. Some organizations are investigating cloud enablement on behalf of their organization but sometimes data restraints mean cloud utilization as a stand alone offering is not an option.
Hybrid deployment offerings, as detailed above by Eric Ivankovich, enable choice of where data will be allowed to reside as chosen by the organization creating and consuming said data. In this scenario, a hybrid link is created between on-premise Exchange 2013 or 2016 server and Office 365 enabling the managing system administrator choice as to where a user’s mailbox will reside. Authentication utilized is that of a single source, namely Active Directory in sync or federated with Azure Active directory, to reduce complexity around user log in. This step-by-step post details how to complete this and requires the following prerequisites to accomplish this:
- An on-premise Exchange 2013 or 2016 deployment
- Preferably a Windows Server 2012 R2 Active Directory implementation synchronized or federated with Azure Active Directory
- An externally accessible FQDN to enable secure mail transport
The following steps are needed to create and configure a hybrid deployment:
- Navigate to the Hybrid node in the on-premises Exchange server admin console
- Click Configure in the Hybrid node to enter the required Office 365 credentials
- Log in to Office 365 with the Global Administrator account credentials
- Click Configure to start the Hybrid Configuration wizard
- Click Here on the Microsoft Office 365 Hybrid Configuration Wizard Download page to download the Hybrid Deployment wizard
- Click Install on the Application Install dialog when prompted
- In the On-premises Exchange Server Organization section click Next
- Select Detect a server running Exchange 2013 CAS or Exchange 2016.
NOTE: Select the required server running Exchange 2016 or Exchange 2013 followed by specifing the internal FQDN of an Exchange Mailbox server should no Exchange server be detected by the wizard or if the use a different server is required.
- Select Microsoft Office 365 and then click Next in the Office 365 Exchange Online screen
- Select Use current Windows credentials to enable the Hybrid Configuration wizard use the account logged into to access said on-premises Active Directory and Exchange servers while on the Enter your on-premises account credentials screen
NOTE: Unselect Use current Windows credentials and specify the username and password an Active Directory account required should a different set of credentials be required. The account provided needs to be a member of the Enterprise Admins security group.
- Specify the required username and password of the Global Administrator Office 365 account and click Next while in the Enter your Office 365 credentials screen
NOTE: The Hybrid Configuration wizard will now connect to the Office 365 organization to the on-premises organization, validate credentials and examine both organizations' current configuration.
- Click Next when the task is completed
- Select the domains to be included in newly enabled hybrid deployment while on the Hybrid Domains screenNOTE: Select True next to a domain only if it is required to force the wizard to use the Autodiscover information from a specific domain.
- Click Next
NOTE: It is possible for the domain selection step not to appear when the wizard is run. This will occur if:
- If no on-premises accepted domains have been added to the Office 365 tenant. An error will be received and at least one domain will need to be added to the Office 365 tenant before moving forward. This can be accomplished by configuring Active Directory Federation Services on-premises or by using the Office 365 Administrative portal.
- The domain is automatically selected and the step is skipped in the wizard since only one on-premises domain is accepted and added to the Office 365 tenant as the only domain available for hybrid deployment configuration.
- Click Enable followed by clicking Next on the Federation Trust page
- Click Click copy to clipboard on the Domain Ownership page to copy the domain proof token information for the selected domains to be included in the hybrid deployment.
- Paste the token information for these domains into a text editor (Notepad) to create a TXT record for each domain in the public DNS
NOTE: Refer to the DNS host's Help for information on adding a TXT record to the required DNS zone.
- Click Next once the DNS records have replicated and the TXT records have been created
- Navigate to the Select a reference server field located in the Transport Certificate page and select the Exchange server that has the certificate configured earlier
- Select the certificate in the Select a certificate field to use for secure mail transport.
NOTE: The digital certificates issued by a third-party certificate authority installed on said Mailbox server selected in the previous step are now displayed.
- Click Next
- Enter the externally accessible FQDN for the Internet-facing Exchange server on the Organization FQDN page.
NOTE: Office 365 uses this FQDN to enable secure mail transport via service connectors between Exchange organizations.
- Click Next.
NOTE: The Exchange services changes and the hybrid deployment configuration can now be completed with the hybrid deployment configuration selections now updated.
- Start the configuration process by clicking Update.
NOTE: The wizard displays the features and services that are being configured for the hybrid deployment while updating.
- Click Close to complete the hybrid deployment configuration process once the wizard displays a completion message