September 2020 Hybrid Configuration Wizard Update
Published Sep 22 2020 08:00 AM

Today we are happy to announce an update to the Exchange Hybrid Configuration Wizard (HCW) which enables either a Full or Minimal Hybrid deployment from a single on-premises organization to more than one cloud tenant. Edit: Hybrid Modern Authentication (HMA) can now be configured for Hybrid deployment with multiple tenants. To configure HMA, use the steps mentioned here.

In this release we allow admins to enable Hybrid deployment with up to 5 tenants simultaneously. 

Free/Busy configuration between tenants is not available by default. You can refer to this article for setting it up if you require it.

You can download the HCW version supporting this feature from aka.ms/hybridwizard.

Configuration Prerequisites

The updated version of the Hybrid Configuration Wizard requires Exchange Server 2016 CU18 or later, or Exchange Server 2019 CU7 or later, to enable this functionality.

Identity

Users in the on-premises Active Directory must not be synchronized to more than one tenant. Azure AD Connect must therefore be configured with the Domain/OU filtering option so that each user from your on-premises directory appears in only a single Exchange Online tenant.

You must also ensure that the "Exchange Hybrid" checkbox is selected under Optional Features when configuring directory sync for each tenant. You'll end up with a sync topology similar to the following:


You can of course synchronize multiple on-premises OUs to the same tenant, and there are many ways to set this up based on your local AD. The hard rule is that the scopes of these synchronization relationships must not overlap, which ensures on-premises users are associated with only one cloud tenant. (Don't cross the streams!)

For additional information about supported topologies for Azure AD Connect, take a look at this page.

Separate Certificate for each Send connector sending to each tenant

For proper email attribution to each tenant, make sure you are using a separate certificate for each Send connector sending to each tenant. If the same certificate is used, email to one tenant may be attributed to the other tenant. The certificate that a Send connector uses is controlled by its TlsCertificateName parameter. To learn more about message attribution, please refer to the following articles:
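As an added check that is not part of the original post, the following Exchange Management Shell script lists the certificate bound to every Send connector that routes to a tenant coexistence domain and warns when one certificate is shared by connectors for different tenants (the misattribution case described above); the connector name and certificate subject used in the remediation step are placeholders.

```powershell
# Added example (not from the original post): audit TlsCertificateName on the
# Send connectors that route to each tenant's coexistence domain
# (*.mail.onmicrosoft.com). Run in the Exchange Management Shell on the
# hybrid server. Connector and certificate names below are placeholders.

# Send connectors whose address space is a tenant coexistence domain
$coexistencePattern = '\.mail\.onmicrosoft\.com$'
$tenantConnectors = Get-SendConnector | Where-Object {
    @($_.AddressSpaces | Where-Object { $_.Address -match $coexistencePattern }).Count -gt 0
}

# One row per connector: name, tenant domain(s) it routes to, TLS identifier
$rows = foreach ($c in $tenantConnectors) {
    $domains = @($c.AddressSpaces | Where-Object { $_.Address -match $coexistencePattern }).Address
    [pscustomobject]@{
        Connector = $c.Name
        Tenants   = ($domains -join ', ')
        TlsCert   = if ($c.TlsCertificateName) { $c.TlsCertificateName.ToString() } else { '(none)' }
    }
}
$rows | Format-Table -AutoSize

# Findings: one certificate bound to connectors for different tenants, or no
# certificate bound at all (the server's default certificate is then presented)
$rows | Group-Object TlsCert | ForEach-Object {
    $tenantSet = @($_.Group.Tenants | Sort-Object -Unique)
    if ($_.Name -eq '(none)') {
        Write-Warning ("No TlsCertificateName set on: {0}" -f ($_.Group.Connector -join '; '))
    } elseif ($tenantSet.Count -gt 1) {
        Write-Warning ("Certificate {0} is shared by connectors for {1}" -f $_.Name, ($tenantSet -join ' and '))
    }
}

# Remediation pattern: bind a dedicated certificate to the second tenant's
# connector. TlsCertificateName is the "<I>Issuer<S>Subject" pair of the cert.
# The subject filter and connector name are placeholders; -WhatIf previews only.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like 'CN=smtp-tenant2.*' } |
    Select-Object -First 1
if ($cert) {
    $tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    Set-SendConnector -Identity 'Outbound to Office 365 - tenant2' -TlsCertificateName $tlsName -WhatIf
}
```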

SMTP Domains

Add all domains, whether custom tenant SMTP domains or tenant coexistence domains as Accepted Domains into your Exchange On-Premises Organization using the Exchange Control Panel (ECP) or Exchange PowerShell.

Create a separate Email Address Policy for each tenant/OU pair. On the email address policy tab in ECP, create a new policy (name it descriptively), add the email address format you use, and carefully choose the recipient container (the OU) for that tenant.


Running the Wizard

Now you are ready to run the wizard. On a domain joined machine install the HCW wizard just as you normally would. The credentials you provide for Exchange Online determine if you are adding a tenant or configuring an existing tenant.

When you run the HCW you can select either the Classic or Modern mode. If you choose the Modern option for any or all of the tenants, the Hybrid Agent must be installed on a domain joined machine or on an Exchange 2016 or 2019 server with the Mailbox role. Separate Agents are required for each tenant configured with Modern Hybrid as it’s not possible to install two different agents on the same server.

If you have two or more accepted domains for any particular online tenant, you must choose the domain that you want configured for Autodiscover. This option is presented on the Hybrid Domains page while running the Hybrid Wizard.


That’s it. You simply re-run the HCW for all the tenants you want configured for Hybrid.

Known Issues and Workarounds

There are two issues we want to call out just in case you hit them.

Issue: Creation of Remote User via ECP picks the last configured tenant domain for RemoteRoutingAddress attribute. This will affect free/busy discovery of users. 

Workaround: Use a PowerShell cmdlet to create the remote users with the correct RemoteRoutingAddress or set the right RemoteRoutingAddress after creation of the remote mailbox.

 

# $password holds the initial password as a SecureString (definition added so the command runs as shown)
$password = Read-Host -AsSecureString "Initial password"
New-RemoteMailbox -Name "Megan Bowen" -FirstName "Megan" -LastName "Bowen" -OnPremisesOrganizationalUnit "tailspintoys.com/T1" -UserPrincipalName "meganb@tailspintoys.com" -Password $password -ResetPasswordOnNextLogon $False -RemoteRoutingAddress "meganb@tailspintoys.mail.onmicrosoft.com"

 

Issue: While enabling remote archive for on-premises users using ECP it picks the last configured Tenant domain for ArchiveDomain attribute.

Workaround: Do not enable the remote archive property from ECP for on-premises users, use the following PowerShell cmdlet for this:

 

# -RemoteArchive is a switch parameter and takes no value
Enable-Mailbox -Identity "meganb" -RemoteArchive -ArchiveDomain "tailspintoys.mail.onmicrosoft.com"
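Both known issues leave an attribute pointing at the wrong tenant, so as an added example (not part of the original post) the following Exchange Management Shell script audits every remote mailbox's RemoteRoutingAddress and every on-premises mailbox's ArchiveDomain against the OU-to-tenant mapping used for directory sync, and previews the fix with -WhatIf; the OU names and the second tenant domain are constructed.

```powershell
# Added example (not from the original post): audit remote mailboxes and
# remote-archive settings against the OU -> tenant mapping used for directory
# sync, since ECP writes the last configured tenant domain into both attributes.
# Run in the Exchange Management Shell; OUs and tenant domains are constructed.

# Constructed mapping: synced OU (canonical "domain/OU" form) -> coexistence domain
$tenantByOu = @{
    'tailspintoys.com/T1' = 'tailspintoys.mail.onmicrosoft.com'
    'tailspintoys.com/T2' = 'tenant2.mail.onmicrosoft.com'   # placeholder second tenant
}

function Get-ExpectedTenantDomain([string]$OrganizationalUnit) {
    # Longest mapping key that is the OU itself or one of its parent OUs
    $key = $tenantByOu.Keys |
        Where-Object { $OrganizationalUnit -eq $_ -or $OrganizationalUnit -like "$_/*" } |
        Sort-Object Length -Descending | Select-Object -First 1
    if ($key) { $tenantByOu[$key] }
}

function Get-DomainPart([string]$Address) {
    # Accepts 'smtp:user@domain', 'user@domain' or a bare domain
    $a = $Address -replace '^smtp:', ''
    if ($a -match '@') { $a.Split('@')[-1] } else { $a }
}

$findings = @()

# 1. Remote mailboxes: RemoteRoutingAddress must be in the OU's tenant domain,
#    otherwise free/busy discovery for the user goes to the wrong tenant.
foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
    $expected = Get-ExpectedTenantDomain $rm.OrganizationalUnit
    if (-not $expected) { continue }                       # OU outside hybrid scope
    $actual = Get-DomainPart "$($rm.RemoteRoutingAddress)"
    if ($actual -ne $expected) {
        $findings += [pscustomobject]@{
            Identity  = $rm.Identity
            Attribute = 'RemoteRoutingAddress'
            Actual    = $actual
            Expected  = $expected
        }
        # Remediation: keep the alias, repoint the routing address at the right tenant
        Set-RemoteMailbox -Identity $rm.Identity -RemoteRoutingAddress "$($rm.Alias)@$expected" -WhatIf
    }
}

# 2. On-premises mailboxes with a remote archive: ArchiveDomain must match as well
foreach ($mbx in Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ArchiveDomain }) {
    $expected = Get-ExpectedTenantDomain $mbx.OrganizationalUnit
    if (-not $expected) { continue }
    $actual = Get-DomainPart "$($mbx.ArchiveDomain)"
    if ($actual -ne $expected) {
        $findings += [pscustomobject]@{
            Identity  = $mbx.Identity
            Attribute = 'ArchiveDomain'
            Actual    = $actual
            Expected  = $expected
        }
        Set-Mailbox -Identity $mbx.Identity -ArchiveDomain $expected -WhatIf
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No tenant mismatches found.' }
```

Remove -WhatIf only after reviewing the table; the script never changes the alias or the tenant mapping itself.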

 

Summary

You can download the HCW version supporting this feature from aka.ms/hybridwizard.

We hope you enjoy this latest addition to the HCW. It’s been something we get asked about a lot, and we want to hear your feedback.

The Exchange Hybrid Configuration Wizard Team

Brass Contributor

Fun facts:

1. HCW installation only works with Internet Explorer.
2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.
3. There is no rollback option, and I spent a couple of hours exploring the HCW logs to undo what was changed after an unsuccessful run.

Copper Contributor

[Update] ### Upgrading the Microsoft .NET Framework 4.6.2 included with Windows Server 2016 to version 4.7.2 solved the issue below ###

 

Using the latest version of HCW (obtained from http://aka.ms/hybridwizard with IE) with "Minimal Hybrid configuration - Use Exchange Modern Hybrid Technology" on a Windows Server 2016 Domain Controller with the latest "2020-10 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4580346)", we are (still) blocked from moving forward by:

 

"Could not load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'"

 

Details:

[..]

2020.10.15 11:02:45.592 Current Time Zone: W. Europe Standard Time (11:02:45 AM)
2020.10.15 09:02:45.795 10410 [Client=UX, Thread=1]
============================================
Boot Configuration
--------------------------------------------
DateTimeUtcTicks | 637383493599047012
IsNetworkDeployed | False
CurrentVersion | 17.0.5494.0
DataDirectory | C:\Users\%username%\AppData\Local\Apps\2.0\Data\B2R6HC0Y.50Q\DV94VHMN.W2H\micr..tion_a7cae1245bd53d87_0011.0000_f53eb8653d2666bb\Data
IsFirstRun | False
TimeOfLastUpdateCheckUtcTicks | 637382817310000000
UpdatedApplicationFullName | https://shcwreleaseprod.blob.core.windows.net/shcw/Microsoft.Online.CSE.Hybrid.Client.application#Mi..., Version=17.0.5494.0, Culture=neutral, PublicKeyToken=a7cae1245bd53d87, processorArchitecture=msil/Microsoft.Online.CSE.Hybrid.Client.exe, Version=17.0.5494.0, Culture=neutral, PublicKeyToken=a7cae1245bd53d87, processorArchitecture=msil, type=win32
UpdatedVersion | 17.0.5494.0
UpdateLocation | https://shcwreleaseprod.blob.core.windows.net/shcw/Microsoft.Online.CSE.Hybrid.Client.application

[..]

2020.10.15 09:05:03.258 10266 [Client=UX, Page=Mode, Thread=1] FINISH Time=35.9s
2020.10.15 09:05:03.274 10302 [Client=UX, Page=Mode, Thread=1]
============================================
Mode
--------------------------------------------
Mode | Minimal Hybrid
HybridConnector.IsInstalled | False
NeedToUnInstall | False
============================================
2020.10.15 09:05:03.289 10443 [Client=UX, Thread=1] Hybrid Connector Availablity: True, Reason: No exclusions found
2020.10.15 09:05:03.305 10265 [Client=UX, Page=HybridConnectorChoice, Thread=1] START via Next
2020.10.15 09:07:27.067 10266 [Client=UX, Page=HybridConnectorChoice, Thread=1] FINISH Time=143.8s
2020.10.15 09:07:27.082 10302 [Client=UX, Page=HybridConnectorChoice, Thread=1]
===================================
HybridConnectorChoice
-----------------------------------
HybridConnectorSelected | True
HybridConnector.IsInstalled | False
NeedToUnInstall | False
===================================
2020.10.15 09:07:28.707 *ERROR* 10042 [Client=UX, Thread=1] Exception Image: C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.png
2020.10.15 09:07:28.848 *ERROR* 10251 [Client=UX, Thread=1]
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
at Microsoft.Online.CSE.Hybrid.Common.ConnectorService.GetAgents()
at Microsoft.Online.CSE.Hybrid.App.ViewModel.Pages.HybridAgents.ShowPage(AppData appData)
--- End of inner exception stack trace ---
[remaining WPF/reflection frames omitted]
2020.10.15 09:07:29.816 10044 [Client=UX, Thread=1] Opening C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.log

[..]

Source: C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.log

 

Brass Contributor

I would love to see an option in the wizard to just update the certificate.  Like a, "please for the love of all that is holy don't change anything we just renewed the certificate that's all!" option.  That would be amazing.  I don't know why the whole wizard has to run just because we have a new certificate.  Thank you.

Microsoft

@Mikhail

1. HCW installation only works with Internet Explorer
   1. Edge Browser: HCW works (not by default) after a small settings change in the browser. To make it work, users need to go to edge://flags/#edge-click-once and enable it. Following this, HCW launches successfully.
   2. Chrome/Firefox: HCW doesn't work with Firefox and Chrome in general.
2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.
   Can you share some more details about this (what configuration didn't happen properly, with screenshots if possible)? We will have a look at it.
3. There is no rollback option
   Although this was always the case, we have taken this as feedback.

Microsoft

@TobiasRedelberger 

Thanks for sharing this. 

 

Since version 17.xx, HCW has a new dependency on .NET 4.7.2. This was also shared in the March release blog:

https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2020-significant-update-to-hybrid-co...

Microsoft

@Julie Reusche 

 

Thanks for sharing your feedback. We have noted this as a requirement.

Copper Contributor

Hi, thanks for this update. Is the specified limit of 5 tenants per Exchange environment still active? I can't find this limit on the documentation site at https://support.microsoft.com/en-us/help/4583653/september-2020-update-to-exchange-hybrid-configurat.... What was the reason to restrict the count to 5 instead of an arbitrary higher number? We're a medium-sized MSP with many customers in separate OUs, all in one big Exchange environment, and this restriction prevents us from going to hybrid. Also, will this work with Exchange Server 2013 as well?

Thanks

Martin

Microsoft

Hi @wimmernitsche, we have tested this feature fully with 5 connected tenants. There might be some unforeseen scenarios that come up when more than 5 tenants are connected. 

How many tenants do you want to connect? Is it way higher than 5? 

 

For this feature to work, you need to have at least one Exchange 2016 CU18 or 2019 CU7 server in your environment, and HCW should be run using that server. You can have Exchange 2013 in your environment, but there should be at least one server with the latest CU of 2016 or 2019.

 

Hope this helps.

Copper Contributor

Hi @kumarmukesh, we currently have around 600 Tenants in our Exchange environment and most of them will at some point want to use Teams with calendars, that's the primary reason for the change. So yes, way higher than 5 I'd say. :)

 

Thanks

Martin

Microsoft

@wimmernitsche Yes, 600 is a big number and I don't think that many tenants can be configured into multi-tenant hybrid. There can be a few issues if this is attempted.

Microsoft

Does this update also enable connecting multiple tenants with OAuth to allow viewing and creating meetings in the Teams app when the mailbox is on-prem? For example, in a scenario where one company has two tenants and a single Exchange Server organization, is it possible to configure OAuth for both tenants so users from both tenants can see their on-prem mailbox calendars in the Teams app?

Microsoft

@Pawel Wróbel : Yes the scenario you mentioned will definitely be supported

Copper Contributor

@kumarmukesh can you specify what issues might occur? As far as we can see, that's the only way for us to lift our Exchange environment into hybrid mode.

Brass Contributor

Hi @The_Exchange_Team
We have a case of 10 organizations, each with their own tenant, originating from the same AD and Exchange organization. Over a short period all organizations must transition to Exchange Online, using simultaneous multi-tenant mailbox migrations, and with clients switching to modern authentication. Based on the docs this is above what has been officially tested, but it would definitely be preferable not to be forced into breaking down hybrid configs during the migration process.
From what I understand, the "up to 5 tenants" limitation is not a "hard" limit preventing the sixth configuration, but rather a "soft" limit based on what Microsoft has currently officially tested. So we should actually be able to set up 10 multi-tenant hybrid configurations, correct?

Brass Contributor

Does the new HCW support multiple tenant where one tenant is commercial and the other tenant is gcc high?

Copper Contributor

Hello All

 

A question regarding the statement "If you have two or more accepted domains for any particular online tenant you must choose the domain that you want to be configured for Autodiscover." under "Running the wizard".

 

Let's assume we have an Exchange on-prem published as webmail.contoso.com with a wildcard certificate for *.contoso.com.

Let's further assume we have three companies in that Exchange org / AD forest: contoso(.com), northwindtraders(.com) and tailspintoys(.com), and every company in that forest wants to sync to its own tenant.

 

It's straightforward to enable Autodiscover for contoso.com for the first HCW run.

 

But what to do for the second and third run? I don't think it's possible to add contoso.com to all three separate HCW runs / Hybrid config wizards to different tenants to configure Autodiscover so that the implemented certificate *.contoso.com for the on-prem EWS service matches?

 

The only solution I have come up with is to replace the wildcard certificate with a SAN certificate that contains webmail.contoso.com, autodiscover.contoso.com, autodiscover.northwindtraders.com and autodiscover.tailspintoys.com, and to create DNS A records for all four names pointing to the same public IP where the Exchange is published.

 

If that is correct, that might be a reason why too many simultaneous hybrid deployments might be a complicated thing anyway. Besides that we need to buy simple certificates for each company for the send connectors additionally, that's 3 new certificates just for this example (the SAN could be used for contoso send connector, northwindtraders.com/tailspintoys.com need their own for their send connector).

 

Am I thinking in the right direction, or am I missing something?

 

Cheers,
Martin

Copper Contributor

Addendum: Above scenario is valid as long as Autodiscover points to on-prem, it changes when all mailboxes are migrated to EXO and the existing Autodiscover records are replaced with the CNAME to autodiscover.outlook.com.

 

But every migration starts on-prem, and usually people want to use Teams with on-prem calendar integration asap instantly, so...

 

@kumarmukesh Is it possible to clarify?

Microsoft

@MisterCloudTech : Yes, 5 is a soft limit based on our testing, and configuring 10 multi-tenant hybrid should be just fine.

Microsoft

@Michael_Larrivee : Yes, again this is a scenario we haven't tested, but the way this feature is designed, this should work.

Copper Contributor

@kumarmukesh: Are there any plans for MSPs like us who have hundreds of tenants within a single AD/Exchange structure who all want to be using Hybrid mode at some point? Or will there simply be no way for our customers to use Exchange Hybrid features? Exchange Online directly without Hybrid is not a possible option for us.

Microsoft

@wimmernitsche : I would advise you to post this request in https://office365.uservoice.com, so that we can actually gauge how many such customers are there by looking at upvotes. Also if you share approx. number of users in these 600 orgs, that would bring more weight to this request as well.

Microsoft

@MartinT76 for the example you shared, you are correct: you would need at least three certificates (1 for autodiscover of all orgs and the send connector of contoso.com, and 2 more for the send connectors of the other orgs).

Copper Contributor

@The_Exchange_Team: "HMA is not possible or supported once there is more than one tenant configured for Hybrid. We’ll provide an update once we add support for HMA."

 

Is there any reasonable time-frame that can be assumed for the release of multi-tenant support for HMA? 

Microsoft

@dwhyatt : HMA is now available for multi-tenant Hybrid. You need to use the latest HCW (there is a new version released in March) and Exchange Server should be either 2019 CU8 or later, or for Exchange 2016, CU19 or later. For additional HMA configuration details please use: https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-moder...

Brass Contributor

@wimmernitsche did you make any progress on this? We're also an MSP, and we face the same problem (but not with that big a number of customers and mailboxes). Did you open a UserVoice?

Copper Contributor

@Martin Wildi we haven't yet managed to get everything in Hybrid running, still having issues with OAuth. We have a few tickets open with MS and are still working on the fix, but in principle hybrid works now for a few of our customers. I did open a uservoice, but I don't expect any response, it seems MSPs with one AD/Exchange environment for multiple customers is still very rare.

Copper Contributor

@wimmernitsche I wouldn't say it is very rare, but we are in a situation where we can't get customers to Office 365 easily. I am in the same situation and there are certain features that customers want (like MFA) but silly limitations keep us from doing it. In the end Microsoft doesn't really want any MSPs doing any sort of hosting and wants it completely hosted with them.

Copper Contributor

@Martin Wildi @jdixon we have found a way, thanks to someone on the MS Exchange Online escalation team. After hybrid setup, we have to create new authservers on our Exchange on-prem, add our customer's domains to them, create an IntraOrganizationConnector each in the cloud and on premise, and upload the Exchange cert to ExO:

 

# Inputs (placeholders, supply your own values; the original post left these undefined):
#   $tenant has .tenant (tenant short name) and .domains (comma-separated, primary domain first)
#   $publicAddressExchangeServerOnPrem / $autodiscoverAddressExchangeServerOnPrem: public on-prem names
#   $pathToExchangeCert: path to the exported on-prem Exchange certificate (.cer)
$tenant = [pscustomobject]@{ tenant = "tenant1"; domains = "contoso.com,contoso.net" }
$publicAddressExchangeServerOnPrem = "mail.contoso.com"
$autodiscoverAddressExchangeServerOnPrem = "autodiscover.contoso.com"
$pathToExchangeCert = "C:\temp\exchange.cer"

# primary domain first in array
$domains = $tenant.domains.Split(",")
$tenantServiceDomain = "$($tenant.tenant).mail.onmicrosoft.com"

# Exch on premise: one auth server pair per tenant, scoped to that tenant's domains
New-AuthServer -Name "WindowsAzureACS-$($tenant.tenant)" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/$($domains[0])/metadata/json/1"
New-AuthServer -Name "evoSTS-$($tenant.tenant)" -Type AzureAD -AuthMetadataUrl "https://login.windows.net/$($domains[0])/federationmetadata/2007-06/federationmetadata.xml"

Set-AuthServer "WindowsAzureACS-$($tenant.tenant)" -DomainName $domains
Set-AuthServer "evoSTS-$($tenant.tenant)" -DomainName $domains

New-IntraOrganizationConnector -Name "ExchangeHybridOnPremisesToOnline $($tenant.tenant)" -DiscoveryEndpoint "https://outlook.office365.com/autodiscover/autodiscover.svc" -TargetAddressDomains $tenantServiceDomain

# ExO: connector pointing back at the on-prem org for this tenant's domains
Connect-ExchangeOnline
New-IntraOrganizationConnector -Name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint "https://$($publicAddressExchangeServerOnPrem)/autodiscover/autodiscover.svc" -TargetAddressDomains $domains

# MSOL: register the on-prem names as SPNs on the Exchange Online service principal
Connect-MsolService

$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName
$x.ServicePrincipalNames.Add("$($publicAddressExchangeServerOnPrem)")
$x.ServicePrincipalNames.Add("$($autodiscoverAddressExchangeServerOnPrem)")
Set-MsolServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames

# Upload the on-prem Exchange certificate so ExO can verify tokens it signs
$CertFile = $pathToExchangeCert
$objFSO = New-Object -ComObject Scripting.FileSystemObject
$CertFile = $objFSO.GetAbsolutePathName($CertFile)
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($CertFile)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $x.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

Brass Contributor

When running the HCW for additional tenants on the same on-prem Exchange 2016, we experienced the following issues:

 - If using a multi-SAN certificate, the SMTP mail flow is interrupted, because HCW appears to update the certificate on both the on-prem Receive Connector and the EXO Outbound Connector. A solution should be switching to a single-SAN certificate, which we will verify for the next tenant.

 - HCW changed the EXO Outbound connector (From O365 to on-prem EXH), and we had to update the connector with the correct smart host and certificate SAN FQDN.

 - HCW replaced the certificate on the on-prem EXH Send Connector, and we had to revert it back to restore SMTP mail flow.

 - HCW adds and enables a new intra-organization connector but at the same time disables existing intra-organization connectors, which interferes with authentication. So after running the HCW for the second tenant, we had to re-enable the original connectors both on-prem and in EXO
 (Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $True).

We are aware that Microsoft recommends using a separate on-prem Exchange server for each tenant, but have agreed with MS to try out using shared servers instead.

Copper Contributor

Hi all
I'm in the process of implementing a hybrid configuration over multi-tenant.
The process and the logic behind it seem to be straightforward. But I have a doubt regarding the LegacyExchangeDN attribute.

I mean, while 2 recipients are both on-prem, they will use LegacyExchangeDN to communicate with each other in Outlook once the recipient is cached, but what about once they are on 2 separate tenants?
In a standard configuration, AADConnect takes charge of cross-configuring LegacyExchangeDN and X500 proxy addresses between UserMailbox and MailUser, but in a multi-tenant scenario, how will this be managed?

 

thanks
 

Copper Contributor

resolved

Copper Contributor

Hi @daniloromelli,

did you find a solution to that issue?

I have set up an environment with 3 separate tenants and migrated the first test users, and we ran into the LegacyExchangeDN issue.

My only solution approach at the moment is to manually create contacts in the tenant that get the X500 of the mailboxes assigned that are not synchronized / migrated in the specific tenant.

I look forward to further ideas...

Thanks!

Copper Contributor

@Timo_Strueber when we implemented the multi-tenant scenario there was no need to perform any action about "cross-tenant" LegacyExchangeDN.

In fact we noticed that once recipients have been moved to different tenants, even when replying to old messages received when everybody was in the same on-prem environment, Outlook used the SMTP address in any case.

So no need to deal with X500 and legacy addresses.

We have found only one exception, with calendar/Teams meetings. If a calendar invite was sent before the migration and after the migration a user forwards or replies to it, it looks for the LegacyExchangeDN of the original sender, generating an NDR. But in our project we have considered this specific use case an accepted risk.

 

 

Copper Contributor

@daniloromelli thank you for the quick reply and the clarification!

Brass Contributor

is the 5 tenant limit specified here still valid? I am drawing a Hybrid Exchange environment and the number of tenants I need to use is more than 20 for now. is there any specific information for the limit of 5? @kumarmukesh 

Microsoft

@cengizyilmaz we have verified the multi tenant hybrid with >50 tenants, feel free to setup hybrid for 20 tenants. I will get the blog updated.

Brass Contributor

we have a scenario where an exchange organization has to be split up because of company spin-off of part of it.

The Exchange organization, which is running Exchange 2010, has several accepted domains that need to "follow" the "main" mail domain for each company.

The 2 mail domains will be companyA.com and companyB.com; the AD domain is also going to be duplicated and separated.

The questions about the availability of an HCW that supports multiple tenants are as follows.

- It is mentioned that Exchange 2016 is needed to run the HCW in a multi-tenant scenario. Does it mean that Exchange 2016 is required AS mailbox server, or is it only needed as a hybrid "gateway" to Exchange 2010? Is it supported to still have Exchange 2010 "behind" the Exchange 2016 hybrid server?

- Does HCW have to be run several times, once for each tenant to be configured? What about the "local" configuration of the Exchange server in terms of certificates (wildcards for each mail domain)?

- What about the configuration of Autodiscover for each mail domain?

 thanks 

 

Last update: Jul 20 2021 05:38 AM