Announced: improvements to Hybrid Publishing and Organization Configuration Transfer


What just happened?

During a rousing presentation that was marked by wild cheers and standing ovations, we announced a few features designed to simplify hybrid Exchange deployments and speed onboarding to Exchange Online (EXO).

The features we discussed focused on two key problems, hybrid administration and configuration as customers prepare to move to the cloud and the complexities and security blockers some customers face when publishing their on-premises environments.

Let’s review.

Administration and Configuration

Back in June, we launched Organization Configuration Transfer (OCT). The idea is to take the configurations made in Exchange Server on-premises and transfer them to Exchange Online to reduce the burden of re-configuring all your settings before onboarding. Today we announced OCTv2, due out October 2018.

What does OCTv2 do?

First and foremost, seven additional objects have been added to OCT as part of v2.

OCT OCTv2 (coming soon!) - now released
  • Active Sync Mailbox Policy
  • Mobile Device Mailbox Policy
  • OWA Mailbox Policy
  • Retention Policy
  • Retention Policy Tag
  • All OCTv1 objects
  • Active Sync Device Access Rule
  • Active Sync Organization Settings
  • Address List
  • DLP Policy
  • Malware Filter Policy
  • Organization Config
  • Policy Tip Config

But the real difference in v2 is how we deal with object conflicts.

In OCTv1, we run a bunch of new-* commands and when we find an object on-prem that matches and object with the same name in the cloud, we simple skip over it. As part of v2, if an object with the same name already exists both on-premises and online, you can now choose to either overwrite the values of the objects in EXO or keep them as is. And, just in case you overwrite the cloud settings and didn’t mean to, we’ve provided a rollback script to undo those changes.

What are the Exchange Server Versions supported?

OCT supports Exchange Server 2016, 2013 and 2010. OCT requires the latest cumulative update or update roll-up available for the version of Exchange you have installed in the on-premises organization. But if that’s really too much of a burden, the immediate previous release is also supported. You want to run any other CUs or RUs, you’re out of luck.

Exchange Server 2019 will be supported once it reaches GA.

Hybrid Publishing

To establish a hybrid Exchange environment, customers must publish their on-premises environments. This includes, but is not limited to, adding external DNS entries, updating certificates, and allowing inbound network connections through your firewall. Over time, we’ve learned of two consistent problems here, (1) this is hard for some customers. The number of support cases asking for help in these areas tells us that. And (2) some customers, really their security wonks, do not want to publish their on-premises environments to the internet.

The Microsoft Hybrid Agent

Today, we introduced the world to the Hybrid Agent. Put simply, the goal of the Hybrid Agent is to fix those customer problems. Now, when running the Hybrid Configuration Wizard (HCW) you are presented with the option to use Exchange Modern Hybrid

Hybrid1

This will install an agent, built on the same technology as Azure Application Proxy, this will publish your Exchange on-premises environment to EXO without requiring any of the changes customers have struggled with.

Hybrid2

V1 of the Hybrid Agent will support the core scenarios of mailbox moves and free/busy for your hybrid deployment and is in private preview now. We’re focused on getting to public preview and GA as quickly as possible. In the meantime, we’re also working on additional scenarios we can support with the Hybrid Agent.

What’s next?

Well, if you missed the session at Ignite, go back and watch the replay (when available). Then come back here and stay tuned for updates.

Kavya Chandra, Georgia Huggins

Comments (24)

  1. Neill Tinlin says:

    To really make networks and security happy would it be possible to extend this to inbound to on-premises SMTP traffic as well?

  2. Awesome work, guys! As someone who performed his first hybrid migration with Exchange 2010 SP1 and that very long whitepaper, I really wish we had something like this before. New migrations will definitely be a lot smoother.

    Maybe I missed it, but what Exchange versions are supported with the Hybrid Agent?

    1. justpaul says:

      I have the same question.

      1. Jeff Kizner says:

        Exchange 2010 and higher

  3. Brad Capello says:

    Can you explain what those red arrows are doing? One looks like it’s going through the FW. Does that mean inbound firewall changes are needed? I’m confused.

    1. Ronnie van Buuren says:

      no need for inbound ports. The big green arrow is the connection to the Hybrid Proxy service that the Hybrid Agents keeps open. traffic from the Exchange Online goes to the Hybrid Proxy service, Which uses the reverse open connection of the hybrid agent.

  4. Kyle says:

    I hope the hybrid agent will finally bring the long awaited support of managing on premise distribution groups!

  5. Priit says:

    Still hoping there will be an option to remove the last local Exchange server but keep AD Synced to the Office 365

    1. hggn says:

      Agree with Priit, it would be awesome to confirm that the Hybrid Agent will allow us to decommission the last Exchange OnPrem :)

      I would speculate that it should be possible, as the mailbox migration already implies the local Active Directory being updated from the cloud. Having an Exchange OnPrem for editing Exchange attributes is the reason to keep it, but if the Hybrid Agent already edits (at least some) of those attributes, it should be straightforward enough :)

      1. Brian Reid says:

        With an MRS migration, Active Directory is not updated from the cloud when the move completes. The AD changes are made by the Exchange Server that is the source of the move. This change is not synced back from the cloud after migration (that would take too long, the mailbox needs to be changed into a mail user object immediately migration completes or the user would have two mailboxes)!

    2. Minkin says:

      Of course you can remove the last exchange server. Attributes will just need to be edited manually via ADSI edit or attribute editor tab in AD. You may just have to run Exchange schema updates to get new attributes as they are released.

      1. Søren Greenfort Lindevang says:

        Which is totally supported – right? :-)

      2. Brian Reid says:

        Though using ADSIEdit etc. is not supported, and if and when Microsoft are able to build a unified management system, which is clearly very complex or it would have been done already, its highly likely that you would need to have consistent attribute edits and changes and not miss any required values or introduce duplicate or inconsistent settings before it would work, and so to be in that position now means using an Exchange Server on premises for cloud attribute management when AADConnect is in place. You can view my Ignite session on this topic at https://myignite.techcommunity.microsoft.com/sessions/66438

  6. Xchg says:

    Can we use an internal pki cert on Exchange virtual directories with this Agent cause the Agent will use msappproxy cert.

    1. Jeff Kizner says:

      The agent component that runs on a server in you environment acts as a client connection to your Exchange servers. It needs to trust the certificate used on those vDirs. As long as that’s done, you can use an internal PKI.

  7. Steve says:

    How does OCTv2 handle a Multi-Org Hybrid configuration? Are the configurations combined in one objects or is one object created per organization? Last HCW run wins?

  8. Michael says:

    When will the updated HCW be released which has the modern deployment option?

    1. Henrik Damslund says:

      Jeff Kizner – When will this be released? I am working with a client where we would really like to use the Hybrid Agent.

      1. Yes. Should we try to use the current HCW (without the agent – but with more complication) or wait for the agent (but possibly delaying one’s migration to Exchange Online)? Waiting a month? OK. Waiting a year… maybe not worth waiting. It would be nice to have an ETA. Thanks!

        1. HenrikD says:

          As posted in this thread by Greg Taylor: https://blogs.technet.microsoft.com/exchange/2018/11/12/released-hybrid-organization-configuration-transfer-v2/
          “We’re in Private Preview for the agent as we announced at Ignite – once that’s done we’ll move on to a Public Preview. That’s planned for the first quarter of next year”

  9. 365 Guy says:

    Is it possible to use the HPS to publish EWS for on-premise mailboxes to external apps that want to make EWS calls? i.e. we have a scenario where an organization has no external EWS published and will maintain a %age of mailboxes on-prem for the foreseeable. Is it possible to point the cloud application at the EO EWS and it use the HPS to make the call using the hybird?

    1. 365 Guy says:

      Is it possible to use HPS to make EWS available for cloud apps to on-prem mailboxes without publishing the on-prem EWS service to the internet?

  10. 365 Guy says:

    Is it possible to use HPS to make EWS available for cloud apps to on-prem mailboxes without publishing the on-prem EWS service to the internet? I have a scenario where a customer wants no external publishing of EWS for on-prem Exchange but wish to retain a %age of mailboxes on-prem long term. A new cloud application is being evaluated which will use EWS to read/write calendar entries for all mailboxes. Is it possible to use the EO EWS and use the HPS to reach the on-prem mailboxes?

  11. Mitch Skrove says:

    It would be nice if the HCW version/build number would have been identified for support of Modern Hybrid connectivity. Any chance that can still be provided?

Skip to main content