Today we are happy to announce an update to the Exchange Hybrid Configuration Wizard (HCW) which enables either a Full or Minimal Hybrid deployment from a single on-premises organization to more than one cloud tenant.

In this release we allow admins to enable Hybrid deployment with up to 5 tenants simultaneously. However, we very recently found an issue with this configuration when Hybrid Modern Auth is also enabled, and currently (and contrary to what was stated in the Exchange – Here, There and Everywhere session as that was recorded before we discovered this issue) HMA is not possible or supported once there is more than one tenant configured for Hybrid. We’ll provide an update once we add support for HMA.

Free/Busy configuration between tenants is not available by default. You can refer to this article for setting it up if you require it.

You can download the HCW version supporting this feature from aka.ms/hybridwizard.

Configuration Pre-Requisites

The updated version of the Hybrid Configuration Wizard requires Exchange Server 2016 CU18 or higher, or Exchange Server 2019 CU7 or higher, to enable this functionality.

Identity

Users in the on-premises Active Directory must not be synchronized to more than one tenant, and so Azure AD Connect must be configured using the Domain/OU filtering option to filter users from your on-premises directory to ensure they appear only in a single online Exchange tenant.

You must also ensure that the "Exchange Hybrid" checkbox is selected in Optional Features while configuring directory sync for each tenant. You’ll end up with a sync topology that will be similar to the following:

[Image: Ignite 2020 HCW Post Pic 1.png]

You can of course synchronize multiple on-premises OUs to the same tenant, and there are many ways to set this up based upon your local AD. The hard rule is not to overlap the scope of these synchronization relationships, which ensures on-premises users are associated with only one cloud tenant. (Don't cross the streams!)

For additional information about supported topologies for Azure AD Connect, take a look at this page.

SMTP Domains

Add all domains, whether custom tenant SMTP domains or tenant coexistence domains as Accepted Domains into your Exchange On-Premises Organization using the Exchange Control Panel (ECP) or Exchange PowerShell.

Create a separate Email Address Policy for each tenant/OU pair. To do this, go to the email address policy tab in ECP and create a new policy (name it descriptively, unlike our example below), then add the email address format you use and carefully choose the target recipient OU in request container for the tenant.

[Image: Ignite 2020 HCW Post Pic 2b.png]

Running the Wizard

Now you are ready to run the wizard. On a domain joined machine install the HCW wizard just as you normally would. The credentials you provide for Exchange Online determine if you are adding a tenant or configuring an existing tenant.

When you run the HCW you can select either the Classic or Modern mode. If you choose the Modern option for any or all of the tenants, the Hybrid Agent must be installed on a domain joined machine or on an Exchange 2016 or 2019 server with the Mailbox role. Separate Agents are required for each tenant configured with Modern Hybrid as it’s not possible to install two different agents on the same server.

If you have two or more accepted domains for any particular online tenant, you must choose the domain that you want to be configured for Autodiscover. This option will be presented to you while configuring the Hybrid Wizard on the Hybrid Domains page.

[Image: Ignite 2020 HCW Post Pic 4.png]

That’s it. You simply re-run the HCW for all the tenants you want configured for Hybrid.

Known Issues and Workarounds

There are two issues we want to call out just in case you hit them.

Issue: Creation of Remote User via ECP picks the last configured tenant domain for RemoteRoutingAddress attribute. This will affect free/busy discovery of users. 

Workaround: Use a PowerShell cmdlet to create the remote users with the correct RemoteRoutingAddress or set the right RemoteRoutingAddress after creation of the remote mailbox.

 

$password = Read-Host "Enter password" -AsSecureString
New-RemoteMailbox -Name "Megan Bowen" -FirstName "Megan" -LastName "Bowen" -OnPremisesOrganizationalUnit "tailspintoys.com/T1" -UserPrincipalName "meganb@tailspintoys.com" -Password $password -ResetPasswordOnNextLogon $False -RemoteRoutingAddress "meganb@tailspintoys.mail.onmicrosoft.com"

 

Issue: While enabling remote archive for on-premises users using ECP it picks the last configured Tenant domain for ArchiveDomain attribute.

Workaround: Do not enable the remote archive property from ECP for on-premises users, use the following PowerShell cmdlet for this:

 

Enable-Mailbox -Identity "meganb" -RemoteArchive -ArchiveDomain "tailspintoys.mail.onmicrosoft.com"
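
Both the tenant/OU pairing from the SMTP Domains section and the two ECP issues above come down to one check: every recipient's RemoteRoutingAddress and ArchiveDomain should point at the tenant its OU is synchronized to. The script below is an added example, not part of the HCW or of the original post, that audits for mismatches. The `$TenantByOU` map, the function names, the `wingtiptoys` tenant and the sample users are assumptions made for illustration, and child OUs are assumed to sync with their parent OU unless mapped separately.

```powershell
# OU (canonical name) -> coexistence domain of the tenant that OU syncs to.
# The T1 pair comes from the post; the T2 pair is constructed for illustration.
$TenantByOU = @{
    'tailspintoys.com/T1' = 'tailspintoys.mail.onmicrosoft.com'
    'tailspintoys.com/T2' = 'wingtiptoys.mail.onmicrosoft.com'
}

function Get-ExpectedTenantDomain {
    param([string]$OrganizationalUnit, [hashtable]$Map)
    # Longest matching OU prefix wins, so child OUs inherit their parent's tenant.
    $ou = $Map.Keys | Where-Object {
        $OrganizationalUnit -eq $_ -or
        $OrganizationalUnit.StartsWith("$_/", [StringComparison]::OrdinalIgnoreCase)
    } | Sort-Object Length -Descending | Select-Object -First 1
    if ($ou) { $Map[$ou] }
}

function Test-TenantRouting {
    param([Parameter(ValueFromPipeline)]$Recipient, [hashtable]$Map = $TenantByOU)
    process {
        $expected = Get-ExpectedTenantDomain $Recipient.OrganizationalUnit $Map
        # RemoteRoutingAddress looks like "SMTP:user@domain"; ArchiveDomain is a bare domain.
        $routing = if ("$($Recipient.RemoteRoutingAddress)" -match '@(.+)$') { $Matches[1] }
        $archive = "$($Recipient.ArchiveDomain)"
        $problems = @()
        if (-not $expected) {
            $problems += 'OU is not mapped to any tenant'
        } else {
            if ($routing -and $routing -ne $expected) {
                $problems += "RemoteRoutingAddress domain '$routing', expected '$expected'"
            }
            if ($archive -and $archive -ne $expected) {
                $problems += "ArchiveDomain '$archive', expected '$expected'"
            }
        }
        foreach ($p in $problems) {
            [pscustomobject]@{ Name = $Recipient.Name; OU = $Recipient.OrganizationalUnit; Problem = $p }
        }
    }
}

# Constructed records shaped like Get-RemoteMailbox / Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ Name = 'Megan Bowen'; OrganizationalUnit = 'tailspintoys.com/T1'; RemoteRoutingAddress = 'SMTP:meganb@tailspintoys.mail.onmicrosoft.com'; ArchiveDomain = $null }
    [pscustomobject]@{ Name = 'Sample User A'; OrganizationalUnit = 'tailspintoys.com/T1/Sales'; RemoteRoutingAddress = 'SMTP:usera@wingtiptoys.mail.onmicrosoft.com'; ArchiveDomain = $null }
    [pscustomobject]@{ Name = 'Sample User B'; OrganizationalUnit = 'tailspintoys.com/T2'; RemoteRoutingAddress = $null; ArchiveDomain = 'tailspintoys.mail.onmicrosoft.com' }
)
$sample | Test-TenantRouting | Format-Table -AutoSize
# Live use in the Exchange Management Shell: Get-RemoteMailbox -ResultSize Unlimited | Test-TenantRouting
```

With the constructed sample, Megan Bowen passes and the other two records are reported: one for a routing address in the wrong tenant, one for an archive domain in the wrong tenant.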

 

Summary

You can download the HCW version supporting this feature from aka.ms/hybridwizard.

We hope you enjoy this latest addition to the HCW. It’s been something we get asked about a lot, and we want to hear your feedback.

The Exchange Hybrid Configuration Wizard Team

12 Comments
Senior Member

Fun facts:

1. HCW installation only works with Internet Explorer.
2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.
3. There is no rollback option and I spent a couple of hours exploring the HCW logs to undo what was changed after an unsuccessful run.

Visitor

[Update] ### Upgrading the Windows Server 2016 included Microsoft .NET Framework 4.6.2. to Version 4.7.2. solved below issue ### 

 

Using the latest version of HCW (getting from: http://aka.ms/hybridwizard with IE) with "Minimal Hybrid configuration - Use Exchange Modern Hybrid Technology" on a Windows Server 2016 Domain Controller with latest "2020-10 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4580346)" we are (still) blocked to move forward by:

 

"Could not load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'"

 


Senior Member

I would love to see an option in the wizard to just update the certificate.  Like a, "please for the love of all that is holy don't change anything we just renewed the certificate that's all!" option.  That would be amazing.  I don't know why the whole wizard has to run just because we have a new certificate.  Thank you.

Microsoft

@navion 

  1. HCW installation only works with Internet Explorer
    1. Edge Browser: HCW works (not by default), but after a small settings change in the browser. To make it work, users need to go to edge://flags/#edge-click-once and enable the same. Following this HCW launches successfully.
    2. Chrome/Firefox: HCW doesn’t work with Firefox and Chrome in general.
  2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.

     Can you share some more details about this (what configuration didn’t happen properly, with screenshots if possible)? We will have a look at it.

  3. There are no rollback op

     Although this was always the case, we have taken this as feedback.

Microsoft

@TRedelberger 

Thanks for sharing this. 

 

Since version 17.xx HCW has a new dependency of .NET 4.7.2. This was also shared with March Release Blog: 

https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2020-significant-update-to-hybrid-co...

Microsoft

@Julie Reusche 

 

Thanks for sharing your feedback. We have noted this as a requirement.

Senior Member

Hi, thanks for this update. Is the specified limit of 5 tenants per Exchange environment still active? I can't find this limit on the documentation site at https://support.microsoft.com/en-us/help/4583653/september-2020-update-to-exchange-hybrid-configurat.... What was the reason to restrict the count to 5 instead of an arbitrary higher number? We're a medium sized MSP with many customers in separate OUs, all in one big Exchange environment, and this restriction prevents us from going to hybrid. Also, will this work with Exchange server 2013 as well?

Thanks

Martin

Microsoft

Hi @wimmernitsche, we have tested this feature fully with 5 connected tenants. There might be some unforeseen scenarios that come up when more than 5 tenants are connected. 

How many tenants do you want to connect? Is it way higher than 5? 

 

For this feature to work, you need to have at least one Exchange 2016 CU18 or 2019 CU7 in your environment and HCW should be run using that server. You can have Exch 2013 in your environment, but there should be at least one server with latest CU of 2016 or 2019.

 

Hope this helps.

Senior Member

Hi @kumarmukesh, we currently have around 600 Tenants in our Exchange environment and most of them will at some point want to use Teams with calendars, that's the primary reason for the change. So yes, way higher than 5 I'd say. :)

 

Thanks

Martin

Microsoft

@wimmernitsche Yes 600 is a big number and I don't think that many Tenants can be configured into multitenant hybrid. There can be few issues if this is attempted.

Microsoft

Does this update also enable connecting multiple tenants with OAuth to allow viewing and creating meetings in Teams app when mailbox is on prem? For example in scenario where one company has two tenants and single Ex srv organization. Is it possible to configure OAuth for both tenants so users from both tenants can see their on-prem mailbox calendars in Teams app?

Microsoft

@Pawel Wróbel : Yes the scenario you mentioned will definitely be supported