Today we are happy to announce an update to the Exchange Hybrid Configuration Wizard (HCW) which enables either a Full or Minimal Hybrid deployment from a single on-premises organization to more than one cloud tenant.
In this release we allow admins to enable Hybrid deployment with up to 5 tenants simultaneously. However, we very recently found an issue with this configuration when Hybrid Modern Auth is also enabled, and currently (and contrary to what was stated in the Exchange – Here, There and Everywhere session as that was recorded before we discovered this issue) HMA is not possible or supported once there is more than one tenant configured for Hybrid. We’ll provide an update once we add support for HMA.
Free/Busy configuration between tenants is not available by default. You can refer to this article for setting it up if you require it.
Users in the on-premises Active Directory must not be synchronized to more than one tenant, and so Azure AD Connect must be configured using the Domain/OU filtering option to filter users from your on-premises directory to ensure they appear only in a single online Exchange tenant.
You must also ensure that the “Exchange Hybrid” checkbox is selected under Optional Features while configuring directory sync for each tenant. You’ll end up with a sync topology similar to the following:
You can of course synchronize multiple on-premises OUs to the same tenant; there are many ways to set this up based upon your local AD, but the hard rule is not to overlap the scope of these synchronization relationships, which ensures on-premises users are associated with only one cloud tenant. (Don’t cross the streams!)
For additional information about supported topologies for Azure AD Connect, take a look at this page.
Add all domains, whether custom tenant SMTP domains or tenant coexistence domains, as Accepted Domains in your Exchange on-premises organization using the Exchange Control Panel (ECP) or Exchange PowerShell.
Create a separate Email Address Policy for each tenant/OU pair. Do this on the email address policy tab in ECP: create a new policy (name it descriptively, unlike our example below), add the email address format you use, and carefully choose the target recipient container (OU) for that tenant.
Running the Wizard
Now you are ready to run the wizard. On a domain-joined machine, install the HCW just as you normally would. The credentials you provide for Exchange Online determine whether you are adding a tenant or configuring an existing tenant.
When you run the HCW you can select either the Classic or Modern mode. If you choose the Modern option for any or all of the tenants, the Hybrid Agent must be installed on a domain joined machine or on an Exchange 2016 or 2019 server with the Mailbox role. Separate Agents are required for each tenant configured with Modern Hybrid as it’s not possible to install two different agents on the same server.
If you have two or more accepted domains for any particular online tenant, you must choose the domain that you want configured for Autodiscover. This option is presented to you on the Hybrid Domains page of the Hybrid Wizard.
That’s it. You simply re-run the HCW for all the tenants you want configured for Hybrid.
Known Issues and Workarounds
There are two issues we want to call out just in case you hit them.
Issue: Creation of Remote User via ECP picks the last configured tenant domain for RemoteRoutingAddress attribute. This will affect free/busy discovery of users.
Workaround: Use a PowerShell cmdlet to create the remote users with the correct RemoteRoutingAddress, or set the right RemoteRoutingAddress after creation of the remote mailbox. For example:
$password = Read-Host "Initial password" -AsSecureString
New-RemoteMailbox -Name "Megan Bowen" -FirstName "Megan" -LastName "Bowen" -OnPremisesOrganizationalUnit "tailspintoys.com/T1" -UserPrincipalName "email@example.com" -Password $password -ResetPasswordOnNextLogon $False -RemoteRoutingAddress "firstname.lastname@example.org"
Issue: While enabling remote archive for on-premises users using ECP it picks the last configured Tenant domain for ArchiveDomain attribute.
Workaround: Do not enable the remote archive property from ECP for on-premises users; use the following PowerShell cmdlet instead (RemoteArchive is a switch parameter, so it takes no value):
Enable-Mailbox -Identity "meganb" -RemoteArchive -ArchiveDomain "tailspintoys.mail.onmicrosoft.com"
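Both workarounds above can be wrapped in a helper that derives the tenant from the user's OU, together with a check that finds existing remote mailboxes already affected by either issue. This is an added example, not the HCW team's code; the OU-to-routing-domain map, the function names and the placeholder tenant domains are assumptions.

```powershell
# Added example (not from the original post). One OU-to-tenant map drives both
# creation of remote mailboxes and an audit of existing ones. Assumption: each
# tenant's users live in their own OU; the routing domains are placeholders.
$TenantByOu = @{
    'tailspintoys.com/T1' = 'tenant1.mail.onmicrosoft.com'   # placeholder
    'tailspintoys.com/T2' = 'tenant2.mail.onmicrosoft.com'   # placeholder
}

function New-TenantRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Ou,         # a key of $TenantByOu
        [Parameter(Mandatory)][string]$UpnDomain,  # the tenant's SMTP/UPN domain
        [Parameter(Mandatory)][securestring]$Password
    )
    $routingDomain = $TenantByOu[$Ou]
    if (-not $routingDomain) { throw "OU '$Ou' is not mapped to a tenant" }
    # The routing address is derived from the OU, so it cannot silently default
    # to the last tenant configured by the HCW.
    New-RemoteMailbox -Name "$FirstName $LastName" -FirstName $FirstName -LastName $LastName `
        -Alias $Alias -OnPremisesOrganizationalUnit $Ou `
        -UserPrincipalName "$Alias@$UpnDomain" -Password $Password `
        -ResetPasswordOnNextLogon $false `
        -RemoteRoutingAddress "$Alias@$routingDomain"
}

function Test-TenantRemoteMailbox {
    # Emit one record per remote mailbox whose RemoteRoutingAddress or
    # ArchiveDomain points at a different tenant than the OU it lives in.
    $TenantByOu.GetEnumerator() | ForEach-Object {
        $ou = $_.Key; $expected = $_.Value
        Get-RemoteMailbox -OrganizationalUnit $ou -ResultSize Unlimited | ForEach-Object {
            # RemoteRoutingAddress is a ProxyAddress ("smtp:user@domain"); drop the prefix
            $routing = $_.RemoteRoutingAddress.ToString() -replace '^smtp:', ''
            $archive = if ($_.ArchiveDomain) { $_.ArchiveDomain.ToString() } else { $null }
            [pscustomobject]@{
                Identity       = $_.Identity
                OU             = $ou
                ExpectedDomain = $expected
                RoutingDomain  = ($routing -split '@')[-1]
                ArchiveDomain  = $archive
            }
        }
    } | Where-Object { $_.RoutingDomain -ne $_.ExpectedDomain -or
                       ($_.ArchiveDomain -and $_.ArchiveDomain -ne $_.ExpectedDomain) }
}
```

Run Test-TenantRemoteMailbox from the Exchange Management Shell after re-running the HCW for each tenant; any record it returns is a mailbox created or archive-enabled through ECP that still needs its RemoteRoutingAddress or ArchiveDomain corrected.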
We hope you enjoy this latest addition to the HCW. It’s been something we get asked about a lot, and we want to hear your feedback.
The Exchange Hybrid Configuration Wizard Team