Lead Image © Natee Srisuk, 123RF.com

Exchange Online migration with the Hybrid Agent

Mailbox Migration

Article from ADMIN 55/2020
Exchange's Hybrid Agent takes the complexity out of migrating from a local Exchange environment to Exchange Online.

When it comes to leveraging the full Office 365 feature set, migrating mailboxes to Exchange Online is one of the greatest challenges. Unlike migrating within an organization, moving to Exchange Online is problematic, because mailboxes are shifted between two separately managed organizations.

This connection between an on-premises Exchange instance and Exchange Online is known as a hybrid connection. Microsoft refers to this connection as the Exchange Modern Hybrid and has extended its Hybrid Configuration Wizard (HCW) with Hybrid Agent (Figure 1) to facilitate the connection. With HCW, Hybrid Agent establishes a connection between the local Exchange and Exchange Online, reducing the requirements for external DNS records, certificate updates, and incoming firewall network connections – all of which made the task complex in the past.

Figure 1: The Exchange Modern Hybrid topology with the new Hybrid Agent removes a number of challenges in the connection between a local installation and Exchange Online.

Multiple Choices

Hybrid Agent does not support Hybrid Modern Authentication, which includes, for example, multifactor authentication and authentication with client certificates. If your setup uses Hybrid Modern Authentication, you need to keep on using the classic Exchange Hybrid topology. Additionally, Hybrid Agent does not cover MailTips, Message Tracking, and Multi-Mailbox Search. If your setup uses these functions across the board, again, keep on using the classic model.

Hybrid Agent is constantly being optimized – improvements to the preview were delivered just two months after the first launch. In its first release in February 2019, Hybrid Agent only supported a single installation, which was a big limitation because it offered no redundancy options, free/busy information could not be viewed in an offline scenario, and move actions were not carried out. With the April 2019 updated version, several agents now can be installed in a local organization, and you can now view status information for Hybrid Agent and use Hybrid Agent instead of specific Exchange servers to address load balancers.

Hybrid Agent Preparation

You can install Hybrid Agent either on a standalone server (agent server) or on an Exchange server with the Client Access Server (CAS) role. Exchange 2010 or newer is required. It must be installed on Windows Server 2012 R2 or 2016 with .NET Framework 4.6.2 or higher. If Hybrid Agent and Exchange are set up on the same server, you need to ensure compatibility between Exchange and .NET [1] to avoid the use of an unsupported combination. Beyond this, the server only needs to be a domain member and have access to the Internet.

The only required outbound connections are ports 443 and 80; the latter is only used for certificate revocation list checks. The agent communicates with Azure Application Proxy, an Azure proxy service with a client-specific endpoint that leads to your online environment. Free/busy information and mailbox migrations are managed by the Azure Application Proxy. If the agent is not installed on an Exchange server with CAS, you also need to enable ports 5985 and 5986 to the CAS servers so that the agent can communicate with them. Additionally, all CAS servers need to be able to connect to Office 365 over port 443 to retrieve free/busy information.

Microsoft provides a script [2] for checking the connection settings before installation. Start by integrating the script as follows:

Import-Module .\HybridManagement.psm1

The following call runs the actual test:

Test-HybridConnectivity -testO365Endpoints

For everything to run smoothly, you need to make sure that at least one identical email domain is set up as the accepted domain in each Exchange organization.
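The server and port prerequisites described in this section can also be checked locally on the prospective agent server before you start. The following script is an added example, not part of the original article and not Microsoft's script; the CAS host name is a hypothetical placeholder, and the two Internet endpoints are assumptions chosen only to exercise ports 443 and 80.

```powershell
# Added example: pre-flight check for a prospective Hybrid Agent server.
param(
    [string[]]$CasServers    = @('cas01.example.internal'),  # hypothetical; pass @() if the agent runs on a CAS server
    [string]  $CloudEndpoint = 'outlook.office365.com',      # assumption: endpoint used for the port 443 test
    [string]  $CrlEndpoint   = 'mscrl.microsoft.com'         # assumption: CRL host used for the port 80 test
)

function Test-Port {
    param([string]$HostName, [int]$Port)
    # Quiet mode returns $true/$false for the TCP connection attempt.
    $ok = Test-NetConnection -ComputerName $HostName -Port $Port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP ${HostName}:$Port"; Passed = [bool]$ok }
}

$results = @()

# .NET Framework 4.6.2 or higher corresponds to a Release value of 394802 or greater.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = '.NET Framework >= 4.6.2'; Passed = ($ndp.Release -ge 394802) }

# Windows Server 2012 R2 reports version 6.3, Windows Server 2016 reports 10.0.
# This check accepts 6.3 and later; the caption shows the exact edition.
$os = Get-CimInstance Win32_OperatingSystem
$results += [pscustomobject]@{ Check = "OS: $($os.Caption)"; Passed = ([version]$os.Version -ge [version]'6.3') }

# The server must be a domain member.
$cs = Get-CimInstance Win32_ComputerSystem
$results += [pscustomobject]@{ Check = 'Domain member'; Passed = [bool]$cs.PartOfDomain }

# Outbound 443 to the cloud and 80 for certificate revocation list checks.
$results += Test-Port $CloudEndpoint 443
$results += Test-Port $CrlEndpoint 80

# WinRM ports to each CAS server, needed only for a standalone agent server.
foreach ($cas in $CasServers) {
    $results += Test-Port $cas 5985
    $results += Test-Port $cas 5986
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

A failed row identifies which firewall rule or prerequisite to fix before launching the HCW; the script changes nothing on the server.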

Installing the Agent

Hybrid Agent is part of the Office 365 HCW. The installer automatically downloads the latest version of Hybrid Agent in the background. The easiest way to start HCW is in the Exchange Admin Center (EAC) from the Hybrid menu item. HCW (Figure 2) is a click-to-run application that you download directly from Microsoft – the latest version is always launched. To run it, you need to be an Exchange Online global administrator. You can see the HCW version number in the top right corner, and further information is added during the next few steps.

Figure 2: The HCW guides you through the configuration and starts the Hybrid Agent.

After launching, select a local Exchange server that is configured for the hybrid connection. To continue, the server needs to be licensed. You can also license an Exchange Hybrid server at this point. When using the Hybrid license, no mailboxes can reside on the server. You also need to select the target platform, which is where you enter the location of your online environment – this could be a cloud environment or the standard Microsoft environment.

First, you will be prompted to choose your hybrid configuration. Hybrid Agent is available in two variants: minimal and full. The full Hybrid configuration is primarily intended for long-term coexistence and takes the mail flow, eDiscovery, and sharing of free/busy information into account. Because the minimal configuration is mainly designed to transfer mailboxes to Exchange Online seamlessly, I am selecting the minimal configuration here. If you do not see the Hybrid configuration window, you have already successfully set up a hybrid topology.

Next, you need to check the domain ownership. Verification is similar to domain verification in Office 365: Enter the displayed DNS-TXT record in your DNS zone and confirm ownership. Now select the topology. Hybrid Agent is offered to you as part of the Exchange Modern Hybrid topology, which you can download after confirming.

Once this is done, set up the send and receive connectors. Email traffic is secured by TLS; you need to select a valid certificate for this in the next step. The external hostname must be entered in the certificate; it must be possible to resolve this name externally, and it must be accessible over port 25. Hybrid Agent is not responsible for routing email, only for making the appropriate configurations. You can see the result after completion of the configuration in the EAC under mail flow | connectors.

After you have entered the specifications, the corresponding configuration is performed in the Exchange organizations. If all goes well, this completes the hybrid connection between your on-premises Exchange instance and Exchange Online. During the installation, shortcuts are also created on the server; you can use them to restart the HCW in case of changes in your Exchange organization.
