Office 365 Insight into the Hybrid Configuration Wizard Part 2

I decided to extend the Insight into the Hybrid Configuration Wizard article into another 2 parts. I've been getting numerous requests on troubleshooting the dreaded Get-FederationInformation Exception.

Let’s recap what the high-level steps of the HCW are:

  1. Global Prerequisites task – prerequisite check (covered here).
  2. Legacy Exchange Support Task – Legacy Exchange requirements (covered here).
  3. Recipient Configuration Task – Accepted domains and email address policy changes.
  4. Organization Relationship Task – Federation configuration.
  5. On Off Settings Task – Organization Relationship config like Availability Address Space, Free Busy Access, TargetOWAURL etc.
  6. Hybrid mail flow task – Creates send and receive connectors for Hybrid mail flow.

I’m going to skip the Recipient Configuration Task here and cover that in my next article. I want to focus on step 4, the Organization Relationship Task for this article.

So let’s get right into it.

As the task name suggests, this step will:

  1. Create the Federation Trust with the Microsoft Federation Gateway,
  2. Add federated domains and
  3. Create the organizational relationships between the two environments.

Now, from what I’ve seen and heard in the field, most of the issues occur at step 3.

Step 3 uses a process called ProvisionOrganizationRelationship. The very first thing this function does is try to get the federation information for the domain for the organization relationship settings – let’s use

  • First, it will initiate the following from the On-premise session:
    Get-FederationInformation -DomainName -BypassAdditionalDomainValidation $True
  • Then create the Organizational Relationship to Exchange Online using the results from the above:
    New-OrganizationRelationship -Name -TargetApplicationUri * -TargetAutodiscoverEpr <the Exchange Online Autodiscover URL> -Enabled:$True -DomainNames
  • The next step will be to initiate Get-FederationInformation from the TenantSession. This is where everything breaks for most people:
    Get-FederationInformation -DomainName -BypassAdditionalDomainValidation $True

Let’s pause here for a moment.

So why is the code doing this? Well, it’s simple. By using Get-FederationInformation, it’s very easy to get the correct values for TargetApplicationUri, TargetAutodiscoverEpr and DomainNames, which are required for the New-OrganizationRelationship task.

The issues occur because many customers have different ways of doing things such as Autodiscover, certificates and reverse proxies.

Let’s take an example – Autodiscover:

  • You implement Autodiscover on the Public DNS by using a SRV record and you don’t specify an A record for
  • You run remote connectivity analyzer and everything seems to be working fine.
  • Then, you run the Hybrid Configuration Wizard and it bombs out at Get-FederationInformation with the following error:
Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings. 

Federation information could not be received from the external organization.
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

See, the way Get-FederationInformation cmdlet works is that the discovery process only uses the following logic to determine the correct settings (in this order):


So as you can see from the above, you need to have the correct DNS records in public DNS for this step to work.
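A preflight check for the public DNS dependency described above, as an added example that is not part of the original article or of the Hybrid Configuration Wizard. It assumes the standard Autodiscover names (autodiscover.<domain> for the A record and _autodiscover._tcp.<domain> for the SRV record); the function name Test-HybridAutodiscoverDns and the domain contoso.example are placeholders.

```powershell
# Added example: checks the public Autodiscover records that the tenant-side
# Get-FederationInformation call depends on. Run it from an external network.
function Test-HybridAutodiscoverDns {
    param([Parameter(Mandatory)] [string] $DomainName)

    # Assumption: the standard Autodiscover host and SRV names for the domain.
    $hostName = "autodiscover.$DomainName"
    $srvName  = "_autodiscover._tcp.$DomainName"

    # A lookup can also return CNAME or SOA rows, so keep only the wanted type.
    $a = @(Resolve-DnsName -Name $hostName -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' })
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' })

    # Probe the Autodiscover.svc endpoint only when the host name resolves.
    $status = $null
    if ($a.Count -gt 0) {
        $url = "https://$hostName/autodiscover/autodiscover.svc"
        try {
            $status = [int](Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode
        } catch {
            # Non-2xx answers raise an exception; keep the status code if there is one.
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
    }

    $verdict = if ($a.Count -gt 0) {
        'Autodiscover host name resolves'
    } elseif ($srv.Count -gt 0) {
        'SRV only: expect Get-FederationInformation to fail'
    } else {
        'No Autodiscover record found'
    }

    [pscustomobject]@{
        Domain      = $DomainName
        ARecords    = $a.IPAddress -join ', '
        SrvTargets  = $srv.NameTarget -join ', '
        SvcHttpCode = $status      # stays empty if no HTTP response was received
        Verdict     = $verdict
    }
}

# contoso.example is a placeholder; use your own hybrid domain.
Test-HybridAutodiscoverDns -DomainName 'contoso.example'
```

The HTTP status is reported as-is; compare it with what the TMG or reverse proxy logs show for the same request.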

Here are some more tips on what to check for when you run into this problem:

  • Ensure Autodiscover is working as described above. Autodiscover DNS needs to point to the Hybrid Servers. Use remote connectivity analyzer to confirm that the steps are as per above.
  • Confirm that the svc-Integrated handler mapping is not missing in IIS on the Hybrid CAS - 
  • Confirm WSSecurity is enabled on the Hybrid Server Autodiscover virtual directories –
    Get-AutodiscoverVirtualDirectory -Server <hybridcas> | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
  • Confirm that federation information can be retrieved on the on-premises Hybrid server for the tenant target delivery domain.
    Get-FederationInformation -DomainName -BypassAdditionalDomainValidation $True
  • Disable Pre-Authentication on TMG if you are using it – by default TMG will also block traffic to Autodiscover.svc. This can be solved by creating separate rules (higher order) in TMG for the following sites:


Allow All users and No Authentication, users can authenticate directly.
TMG will need to pass the traffic through directly to the Hybrid CAS instead of authenticating as specified above.
Confirm that traffic is not being blocked to Autodiscover.svc by checking the TMG logs.
See this article on TMG -

  • Open an Exchange Online PowerShell session and confirm that federation information can be retrieved from the tenant shell – this is the remote check that Hybrid Config also does.
    Get-FederationInformation -DomainName -BypassAdditionalDomainValidation $True
  • Re-run the Hybrid wizard. If you still get the same problem, double-check everything as above and wait a few hours before rerunning.

Phew, I think that’s that for this article. Good luck with your hybrid configurations, I hope the above helps.

Until next time,

Michael Hall

Comments (11)
  1. Thanks Aleksandar! I hope the article helps people!


  2. Brian says:

    Hi Michael,

    thanks for your great article, but the HCW still fails here. I noticed TargetAutodiscoverEpr has a wrong value when I Get-FederationInformation, I don't have an A record for which is the value actually set but a SRV record which points to All the remote connectivity analyzer tests are passed and on premises external clients (OA/activesync) fully working with autodiscover.

  3. Hi Brian,

    You will have to create an Autodiscover A record. As described in the article, the Get-FederationInformation cmdlet will not check for SRV. So you need to have the correct A record in DNS.

    Hope that helps,


  4. Tony Baker says:

    Error in listing of Autodiscover process. The third line should read:

  5. JT says:

    Great article Michael. Thanks.

  6. Maddy says:

    When I run Get-FederationInformation -verbose internally or externally, it fails. Error is regarding autodiscover.svc endpoint. When I try to access I get the error code 600 which is correct. However when I try to access https://FQDN of CAS/autodiscover/autodiscover.svc externally, I get 404 not found error. I am able to get the desired response internally. svc-integrated handler is present in the IIS. No firewall.

  7. zeeshan says:

    I am able to access all the above links for my domain except the second one "" and the hybrid error logs are also showing this error: it starts the get-federation cmd for this link and gives an error.

    Can you please advise how we can resolve this issue?

  8. David Sampson says:


    Great article thanks, I’ve encountered the dreaded Federation error a number of times now and normally find that it’s just a case of waiting a little while for MFG to update. If you run get-federationinformation -domainname %hybriddomain% -verbose look to see if it says "Domain not federated" in the output. This suggests that the MFG hasn’t caught up and normally waiting about an hour resolves this issue.


  9. Lourh says:

    Thank you for this great article,
    I understand my issue, for our web service we have added a third name: Domain:, we added service to all Exchange web service URL. and the autodiscover is configured as than If there is a way to get this command working without reconfiguring Exchange URLs.


  10. Michael says:

    Thanks for confirming what I was discovering myself. The newer HCW will not throw an error but will give a warning that it can’t connect to the autodiscover endpoint. It sets the Autodiscover endpoint in O365 side to, this can be manually changed to the value that your regular SRV record points to and it then appears to work. However, any time you run the HCW it will overwrite this and break your Hybrid Free-Busy.
