September 2020 Hybrid Configuration Wizard Update

Published Sep 22 2020 08:00 AM

Today we are happy to announce an update to the Exchange Hybrid Configuration Wizard (HCW) which enables either a Full or Minimal Hybrid deployment from a single on-premises organization to more than one cloud tenant. Edit: Hybrid Modern Authentication (HMA) can now be configured for Hybrid deployment with multiple tenants. To configure HMA, use the steps mentioned here.

In this release we allow admins to enable Hybrid deployment with up to 5 tenants simultaneously. 

Free/Busy configuration between tenants is not available by default. You can refer to this article for setting it up if you require it.

You can download the HCW version supporting this feature from

Configuration Pre-Requisites

The updated version of the Hybrid Configuration Wizard requires Exchange Server 2016 CU18 or later, or Exchange Server 2019 CU7 or later, to enable this functionality.


Users in the on-premises Active Directory must not be synchronized to more than one tenant, so Azure AD Connect must be configured with Domain/OU filtering so that each on-premises user appears in only a single Exchange Online tenant.

You must also ensure that the "Exchange Hybrid" checkbox is selected under Optional Features when configuring directory sync for each tenant. You'll end up with a sync topology similar to the following:

Ignite 2020 HCW Post Pic 1.png

You can of course synchronize multiple on-premises OUs to the same tenant, and there are many ways to set this up depending on your local AD, but the hard rule is that the scopes of these synchronization relationships must not overlap; this ensures each on-premises user is associated with only one cloud tenant. (Don't cross the streams!)

For additional information about supported topologies for Azure AD Connect, take a look at this page.
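As an added example (not part of the original post), the following PowerShell checks a set of per-tenant OU scopes for overlap before you commit them to Azure AD Connect Domain/OU filtering. The tenant names and OU distinguished names are constructed sample data; the check is pure string logic on the DNs, so it runs anywhere PowerShell does, without Exchange or Azure AD Connect installed.

```powershell
# Added example: verify that the OUs scoped to each Azure AD Connect instance do not
# overlap, so no on-premises user can be synchronized to more than one tenant.
# Tenant names and OU distinguished names below are constructed sample data.
$syncScopes = @{
    'contoso'          = @('OU=Contoso,OU=Customers,DC=corp,DC=local')
    'northwindtraders' = @('OU=Northwind,OU=Customers,DC=corp,DC=local',
                           'OU=Northwind-Staff,DC=corp,DC=local')
    'tailspintoys'     = @('OU=Customers,DC=corp,DC=local')  # too broad: contains the other two
}

function Test-OuContains {
    # $true when $Parent is the same OU as $Child or an ancestor of it (DN suffix match).
    param([string]$Parent, [string]$Child)
    $p = $Parent.ToLowerInvariant()
    $c = $Child.ToLowerInvariant()
    return ($c -eq $p) -or $c.EndsWith(",$p")
}

$conflicts = foreach ($a in $syncScopes.Keys) {
    foreach ($b in $syncScopes.Keys) {
        if ($a -ge $b) { continue }            # visit each unordered tenant pair once
        foreach ($ouA in $syncScopes[$a]) {
            foreach ($ouB in $syncScopes[$b]) {
                if ((Test-OuContains $ouA $ouB) -or (Test-OuContains $ouB $ouA)) {
                    [pscustomobject]@{ TenantA = $a; OuA = $ouA; TenantB = $b; OuB = $ouB }
                }
            }
        }
    }
}

if ($conflicts) {
    Write-Warning "Overlapping sync scopes found; users in these OUs would sync to two tenants:"
    $conflicts | Format-Table -AutoSize
} else {
    Write-Host "No overlapping OU scopes between tenants."
}
```

With the sample data the tailspintoys scope is reported twice, once against each of the other tenants, because OU=Customers is an ancestor of both Contoso and Northwind; narrowing it to its own child OU clears the report.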

Separate Certificate for each Send connector sending to each tenant

For email to be attributed to the correct tenant, make sure you use a separate certificate for each Send connector that sends to each tenant. If the same certificate is used, email to one tenant may be attributed to the other tenant. The certificate a Send connector uses is controlled by its TlsCertificateName parameter. To learn more about message attribution, refer to the following articles:
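One way to bind a dedicated certificate to a tenant's Send connector and then audit that no two tenant connectors share one, added here as an example and not taken from the original post. It assumes the on-premises Exchange Management Shell; the connector name and thumbprint are placeholders, and the audit treats any Send connector whose address space contains mail.onmicrosoft.com as a tenant connector.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on-premises; the thumbprint and connector name are placeholders.

# 1. Bind a dedicated certificate to one tenant's Send connector. TlsCertificateName
#    takes the form "<I>Issuer<S>Subject", built from the certificate itself.
$cert    = Get-ExchangeCertificate -Thumbprint '<thumbprint of the certificate for tenant A>'
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-SendConnector -Identity 'Outbound to Office 365 - TenantA' -TlsCertificateName $tlsName

# 2. Audit: every Send connector that targets an Exchange Online tenant
#    (*.mail.onmicrosoft.com address space) must use a different certificate.
$tenantConnectors = Get-SendConnector | Where-Object {
    $_.AddressSpaces -match 'mail\.onmicrosoft\.com'
}
$shared = $tenantConnectors |
    Group-Object -Property TlsCertificateName |
    Where-Object { $_.Count -gt 1 }

foreach ($g in $shared) {
    $names = ($g.Group | Select-Object -ExpandProperty Name) -join ', '
    if ([string]::IsNullOrEmpty($g.Name)) {
        # No explicit certificate: all of these fall back to the server's default cert.
        Write-Warning "No TlsCertificateName set on: $names"
    } else {
        Write-Warning "Certificate '$($g.Name)' is shared by: $names - mail may be attributed to the wrong tenant"
    }
}
if (-not $shared) { Write-Host 'Each tenant Send connector uses its own certificate.' }
```

The audit is worth re-running after every HCW pass, since each run touches the Send connector for the tenant it was run against.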

SMTP Domains

Add all domains, whether custom tenant SMTP domains or tenant coexistence domains as Accepted Domains into your Exchange On-Premises Organization using the Exchange Control Panel (ECP) or Exchange PowerShell.

Create a separate Email Address Policy for each tenant/OU pair. On the email address policy tab in ECP, create a new policy (name it descriptively, unlike our example below), add the email address format you use, and carefully choose the target recipient OU as the recipient container for the tenant.

Ignite 2020 HCW Post Pic 2b.png
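The accepted-domain and email address policy steps above, as an added PowerShell example that is not from the original post (the ECP path described above is the authors'). The domain names, OU and policy name are constructed placeholders; it assumes the Exchange Management Shell and the New-AcceptedDomain, New-EmailAddressPolicy and Update-EmailAddressPolicy cmdlets.

```powershell
# Added example (not from the original post): accepted domains plus one email address
# policy scoped to a single tenant's OU. Names below are constructed placeholders.
$tenant = @{
    Name              = 'Contoso'
    PrimaryDomain     = 'contoso.com'
    CoexistenceDomain = 'contoso.mail.onmicrosoft.com'
    RecipientOU       = 'OU=Contoso,OU=Customers,DC=corp,DC=local'
}

# Both the custom domain and the tenant coexistence domain must be accepted on-premises.
foreach ($d in $tenant.PrimaryDomain, $tenant.CoexistenceDomain) {
    if (-not (Get-AcceptedDomain -Identity $d -ErrorAction SilentlyContinue)) {
        New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative
    }
}

# One policy per tenant/OU pair: RecipientContainer limits it to that tenant's OU, and the
# secondary address on the coexistence domain is what routes the user to the right tenant.
$policyName = "Hybrid - $($tenant.Name)"
if (-not (Get-EmailAddressPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-EmailAddressPolicy -Name $policyName `
        -IncludedRecipients AllRecipients `
        -RecipientContainer $tenant.RecipientOU `
        -EnabledEmailAddressTemplates "SMTP:%m@$($tenant.PrimaryDomain)", "smtp:%m@$($tenant.CoexistenceDomain)" `
        -Priority 1
}
# Stamp the addresses onto existing recipients in that OU.
Update-EmailAddressPolicy -Identity $policyName
```

Repeat the block once per tenant; because each policy is restricted by RecipientContainer, the policies never compete for the same recipients as long as the OU scopes do not overlap.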

Running the Wizard

Now you are ready to run the wizard. On a domain-joined machine, install the HCW just as you normally would. The credentials you provide for Exchange Online determine whether you are adding a new tenant or configuring an existing one.

When you run the HCW you can select either the Classic or Modern mode. If you choose the Modern option for any or all of the tenants, the Hybrid Agent must be installed on a domain-joined machine or on an Exchange 2016 or 2019 server with the Mailbox role. A separate Agent is required for each tenant configured with Modern Hybrid, as it's not possible to install two different agents on the same server.

If you have two or more accepted domains for any particular online tenant, you must choose the domain that you want configured for Autodiscover. This option is presented on the Hybrid Domains page of the Hybrid Configuration Wizard.

Ignite 2020 HCW Post Pic 4.png

That’s it. You simply re-run the HCW for all the tenants you want configured for Hybrid.

Known Issues and Workarounds

There are two issues we want to call out just in case you hit them.

Issue: Creating a remote user via ECP picks the last configured tenant domain for the RemoteRoutingAddress attribute. This affects free/busy discovery for those users.

Workaround: Use the New-RemoteMailbox cmdlet to create remote users with the correct RemoteRoutingAddress, or set the correct RemoteRoutingAddress after the remote mailbox has been created.


New-RemoteMailbox -Name "Megan Bowen" -FirstName "Megan" -LastName "Bowen" -OnPremisesOrganizationalUnit "" -UserPrincipalName "" -Password $password -ResetPasswordOnNextLogon $False -RemoteRoutingAddress ""


Issue: Enabling a remote archive for on-premises users via ECP picks the last configured tenant domain for the ArchiveDomain attribute.

Workaround: Do not enable the remote archive from ECP for on-premises users; use the following PowerShell cmdlet instead:


Enable-Mailbox -Identity "meganb" -RemoteArchive -ArchiveDomain ""
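Both workarounds above need the tenant domain that matches the user's OU, so here is an added example (not from the original post) that maps OUs to coexistence domains, creates a remote mailbox with the matching RemoteRoutingAddress, and audits existing remote mailboxes for a RemoteRoutingAddress or ArchiveDomain that belongs to a different tenant. The OU DNs, domains and the sample user are constructed placeholders; it assumes the Exchange Management Shell.

```powershell
# Added example (not from the original post). OU DNs, domains and the sample user are
# constructed placeholders. Run in the Exchange Management Shell on-premises.
$tenantByOU = @{
    'OU=Contoso,OU=Customers,DC=corp,DC=local'   = 'contoso.mail.onmicrosoft.com'
    'OU=Northwind,OU=Customers,DC=corp,DC=local' = 'northwind.mail.onmicrosoft.com'
}

function Get-TenantDomainForOU {
    # Strips one RDN at a time so users in sub-OUs still resolve to their tenant.
    param([string]$DistinguishedName)
    $dn = $DistinguishedName
    while ($dn -match '^(?:[^,]+,)(.+)$') {
        $dn = $Matches[1]
        if ($tenantByOU.ContainsKey($dn)) { return $tenantByOU[$dn] }
    }
    throw "No tenant mapped for '$DistinguishedName'"
}

function New-TenantRemoteMailbox {
    # Creates the remote mailbox with the RemoteRoutingAddress of the OU's own tenant,
    # instead of the last configured tenant that ECP would pick.
    param([string]$Alias, [string]$FirstName, [string]$LastName,
          [string]$OU, [string]$UpnDomain, [securestring]$Password)
    $tenantDomain = $tenantByOU[$OU]
    if (-not $tenantDomain) { throw "OU '$OU' is not mapped to a tenant" }
    New-RemoteMailbox -Name "$FirstName $LastName" -Alias $Alias `
        -FirstName $FirstName -LastName $LastName `
        -OnPremisesOrganizationalUnit $OU `
        -UserPrincipalName "$Alias@$UpnDomain" `
        -Password $Password -ResetPasswordOnNextLogon $false `
        -RemoteRoutingAddress "$Alias@$tenantDomain"
}

function Find-MisroutedRemoteMailboxes {
    # Flags remote mailboxes whose routing or archive domain belongs to another tenant.
    Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
        $expected = Get-TenantDomainForOU $_.DistinguishedName
        $routing  = ([string]$_.RemoteRoutingAddress -split '@')[-1]
        $archive  = [string]$_.ArchiveDomain
        if ($routing -ne $expected -or ($archive -and $archive -ne $expected)) {
            [pscustomobject]@{
                Identity       = $_.Identity
                ExpectedDomain = $expected
                RoutingDomain  = $routing
                ArchiveDomain  = $archive
            }
        }
    }
}

# Usage (constructed sample):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-TenantRemoteMailbox -Alias meganb -FirstName Megan -LastName Bowen `
#     -OU 'OU=Contoso,OU=Customers,DC=corp,DC=local' -UpnDomain contoso.com -Password $pw
# Find-MisroutedRemoteMailboxes | Format-Table -AutoSize
```

Running Find-MisroutedRemoteMailboxes after each HCW pass catches any mailboxes that were created or archive-enabled through ECP in the meantime, and the output gives you the Identity and expected domain needed to fix them with Set-RemoteMailbox.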




We hope you enjoy this latest addition to the HCW. It’s been something we get asked about a lot, and we want to hear your feedback.

The Exchange Hybrid Configuration Wizard Team

Senior Member

Fun facts:

1. HCW installation only works with Internet Explorer.
2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.
3. There is no rollback option and I spent a couple of hours exploring the HCW logs to undo what was changed after an unsuccessful run.

Senior Member

[Update] ### Upgrading the Windows Server 2016 included Microsoft .NET Framework 4.6.2. to Version 4.7.2. solved below issue ### 


Using the latest version of HCW (getting from: with IE) with "Minimal Hybrid configuration - Use Exchange Modern Hybrid Technology" on a Windows Server 2016 Domain Controller with latest "2020-10 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4580346)" we are (still) blocked to move forward by:


"Could not load file or assembly 'System.Net.Http, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'"




2020.10.15 11:02:45.592 Current Time Zone: W. Europe Standard Time (11:02:45 AM)
2020.10.15 09:02:45.795 10410 [Client=UX, Thread=1]
Boot Configuration
DateTimeUtcTicks | 637383493599047012
IsNetworkDeployed | False
CurrentVersion | 17.0.5494.0
DataDirectory | C:\Users\%username%\AppData\Local\Apps\2.0\Data\B2R6HC0Y.50Q\DV94VHMN.W2H\micr..tion_a7cae1245bd53d87_0011.0000_f53eb8653d2666bb\Data
IsFirstRun | False
TimeOfLastUpdateCheckUtcTicks | 637382817310000000
UpdatedApplicationFullName |, Version=17.0.5494.0, Culture=neutral, PublicKeyToken=a7cae1245bd53d87, processorArchitecture=msil/Microsoft.Online.CSE.Hybrid.Client.exe, Version=17.0.5494.0, Culture=neutral, PublicKeyToken=a7cae1245bd53d87, processorArchitecture=msil, type=win32
UpdatedVersion | 17.0.5494.0
UpdateLocation |


2020.10.15 09:05:03.258 10266 [Client=UX, Page=Mode, Thread=1] FINISH Time=35.9s
2020.10.15 09:05:03.274 10302 [Client=UX, Page=Mode, Thread=1]
Mode | Minimal Hybrid
HybridConnector.IsInstalled | False
NeedToUnInstall | False
2020.10.15 09:05:03.289 10443 [Client=UX, Thread=1] Hybrid Connector Availablity: True, Reason: No exclusions found
2020.10.15 09:05:03.305 10265 [Client=UX, Page=HybridConnectorChoice, Thread=1] START via Next
2020.10.15 09:07:27.067 10266 [Client=UX, Page=HybridConnectorChoice, Thread=1] FINISH Time=143.8s
2020.10.15 09:07:27.082 10302 [Client=UX, Page=HybridConnectorChoice, Thread=1]
HybridConnectorSelected | True
HybridConnector.IsInstalled | False
NeedToUnInstall | False
2020.10.15 09:07:28.707 *ERROR* 10042 [Client=UX, Thread=1] Exception Image: C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.png
2020.10.15 09:07:28.848 *ERROR* 10251 [Client=UX, Thread=1]
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not load file or assembly 'System.Net.Http, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
at Microsoft.Online.CSE.Hybrid.Common.ConnectorService.GetAgents()
at Microsoft.Online.CSE.Hybrid.App.ViewModel.Pages.HybridAgents.ShowPage(AppData appData)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Microsoft.Online.CSE.Hybrid.App.PageViewModel.<>c__DisplayClass23_0.<GetShowPageFunc>b__0(AppData a)
at Microsoft.Online.CSE.Hybrid.App.MainViewModel.GetNextPage(Type viewModelType)
at Microsoft.Online.CSE.Hybrid.App.MainViewModel.Next(Type viewModelType)
at Microsoft.Online.CSE.Hybrid.Windows.Commando.<>c__DisplayClass15_0.<Thunk>b__0(Object p)
at Microsoft.Online.CSE.Hybrid.Windows.Commando.Execute(Object parameter)
at MS.Internal.Commands.CommandHelpers.CriticalExecuteCommandSource(ICommandSource commandSource, Boolean userInitiated)
at System.Windows.Controls.Primitives.ButtonBase.OnClick()
at System.Windows.Controls.Button.OnClick()
at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent)
at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e)
at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args)
at System.Windows.UIElement.RaiseTrustedEvent(RoutedEventArgs args)
at System.Windows.Input.InputManager.ProcessStagingArea()
at System.Windows.Input.InputManager.ProcessInput(InputEventArgs input)
at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport)
at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel)
at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
2020.10.15 09:07:29.816 10044 [Client=UX, Thread=1] Opening C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.log


Source: C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration\20201015_090239.log


Senior Member

I would love to see an option in the wizard to just update the certificate.  Like a, "please for the love of all that is holy don't change anything we just renewed the certificate that's all!" option.  That would be amazing.  I don't know why the whole wizard has to run just because we have a new certificate.  Thank you.



1. HCW installation only works with Internet Explorer
   1. Edge Browser: HCW works (not by default), but after a small settings change in the browser. To make it work, users need to go to edge://flags/#edge-click-once and enable the same. Following this HCW launches successfully.
   2. Chrome/Firefox: HCW doesn't work with Firefox and Chrome in general.
2. It contains hardcoded mail.<mydomain.tld> as on-premises server name, so if you use a different name, half of the configuration needs to be done manually.

   Can you share some more details about this (what configuration didn't happen properly, with screenshots if possible)? We will have a look at it.

3. There are no rollback op

   Although this was always the case, we have taken this as feedback.



Thanks for sharing this. 


Since version 17.xx HCW has a new dependency of .NET 4.7.2. This was also shared with March Release Blog:


@Julie Reusche 


Thanks for sharing your feedback. We have noted this as a requirement.

New Contributor

Hi, thanks for this update. Is the specified limit of 5 tenants per Exchange environment still active? I can't find this limit on the documentation site at What was the reason to restrict the count to 5 instead of an arbitrary higher number? We're a medium sized MSP with many customers in separate OUs, all in one big Exchange environment, and this restriction prevents us from going to hybrid. Also, will this work with Exchange server 2013 as well?




Hi @wimmernitsche, we have tested this feature fully with 5 connected tenants. There might be some unforeseen scenarios that come up when more than 5 tenants are connected. 

How many tenants do you want to connect? Is it way higher than 5? 


For this feature to work, you need to have at least one Exchange 2016 CU18 or 2019 CU7 in your environment and HCW should be run using that server. You can have Exch 2013 in your environment, but there should be at least one server with latest CU of 2016 or 2019.


Hope this helps.

New Contributor

Hi @kumarmukesh, we currently have around 600 Tenants in our Exchange environment and most of them will at some point want to use Teams with calendars, that's the primary reason for the change. So yes, way higher than 5 I'd say. :)





@wimmernitsche Yes 600 is a big number and I don't think that many Tenants can be configured into multitenant hybrid. There can be few issues if this is attempted.


Does this update also enabled connecting multiple tenants with OAuth to allow viewing and creating meetings in Teams app when mailbox is on prem? For example in scenario where one company has two tenants and single Ex srv organization. Is it possible to configure OAuth for both tenants so users from both tenants can see their on-prem mailbox calendars in Teams app? 


@Pawel Wróbel : Yes the scenario you mentioned will definitely be supported

New Contributor

@kumarmukesh can you specify what issues might occur? As far as we can see, that's the only way for us to lift our Exchange environment into hybrid mode.

Hi @The_Exchange_Team
We have a case of 10 organizations each with their own tenant, originating from the same AD and Exchange organization. Over a short period all organizations must transition to Exchange Online, using simultaneous multi-tenant mailbox migrations, and with clients switching to modern authentication. Based on the docs this is above the officially tested, but it would definitely be preferable not to get forced into breaking down hybrid configs during the migration process.
From what I understand, the "up to 5 tenants" limitation is not a "hard" limit preventing the sixth configuration, but rather a "soft" limit, based on what Microsoft has currently been officially tested. So we should actually be able to setup 10 multi-tenant hybrid configurations, correct ?


Does the new HCW support multiple tenant where one tenant is commercial and the other tenant is gcc high?

Regular Visitor

Hello All


A question regarding the statement "If you have two or more accepted domains for any particular online tenant you must choose the domain that you want to be configured for Autodiscover." under "Running the wizard".


Lets assume we have an Exchange on-prem published as with a wildcard certificate for *

Let's further assume we have three companies in that Exchange org / AD forest: contoso(.com), northwindtraders(.com) and tailspintoys(.com). And every company in that forest wants to sync to it's own tenant.


It's straightforward to enable Autodiscover for for the first HCW run.


But what to do for the second and third run? I don't think it's possible to add to all three separate HCW runs / Hybrid config wizards to different tenants to configure Autodiscover so that the implemented certificate * for the on-prem EWS service matches?


The only solution I come upon is to replace the wildcard certificate with a SAN certificate that contains,, and And create DNS A-Records for all four names to point to the same Public IP where the Exchange is published.


If that is correct, that might be a reason why too many simultaneous hybrid deployments might be a complicated thing anyway. Besides that we need to buy simple certificates for each company for the send connectors additionally, that's 3 new certificates just for this example (the SAN could be used for contoso send connector, need their own for their send connector).


Am I thinking in the right direction, or am I missing something?



Regular Visitor

Addendum: Above scenario is valid as long as Autodiscover points to on-prem, it changes when all mailboxes are migrated to EXO and the existing Autodiscover records are replaced with the CNAME to


But every migration starts on-prem, and usually people want to use Teams with on-prem calendar integration asap instantly, so...


@kumarmukesh Is it possible to clarify?


@Jakob Østergaard Nielsen : Yes 5 is soft limit based on our testing and configuring 10 multi-tenant hybrid should just be fine.


@Michael_Larrivee : Yes again this is a scenario we haven't tested. But the way this feature is designed this should work

New Contributor

@kumarmukesh: Are there any plans for MSPs like us who have hundreds of tenants within a single AD/Exchange structure who all want to be using Hybrid mode at some point? Or will there simply be no way for our customers to use Exchange Hybrid features? Exchange Online directly without Hybrid is not a possible option for us.


@wimmernitsche : I would advise you to post this request in, so that we can actually gauge how many such customers are there by looking at upvotes. Also if you share approx. number of users in these 600 orgs, that would bring more weight to this request as well.


@MartinT76 for the example you shared, you are correct you would need at least three certificates (1 for autodiscover of all orgs & send connector of and 2 more for send connector of other orgs)

Occasional Visitor

@The_Exchange_Team: "HMA is not possible or supported once there is more than one tenant configured for Hybrid. We’ll provide an update once we add support for HMA."


Is there any reasonable time-frame that can be assumed for the release of multi-tenant support for HMA? 


@dwhyatt : HMA is now available for multi tenant Hybrid. You need to use latest HCW (there is a new version released in March) and Exchange Server should be either 2019 CU8 or later. Or for Exch 2016 CU19 or later. For additional HMA configuration details please use: 

Senior Member

@wimmernitsche did you do any progress on this? we're also an MSP, and we face the same problem (but not with that big number of customers and mailboxes). Did you open a uservoice?

New Contributor

@Martin Wildi we haven't yet managed to get everything in Hybrid running, still having issues with OAuth. We have a few tickets open with MS and are still working on the fix, but in principle hybrid works now for a few of our customers. I did open a uservoice, but I don't expect any response, it seems MSPs with one AD/Exchange environment for multiple customers is still very rare.

Occasional Visitor

@wimmernitsche I wouldn't say it is very rare but we are in a situation where we can't get customers to Office 365 easily. I am in the same situation and there are certain features that customers want (like MFA) but silly limitations keep us from doing it. In the end Microsoft doesn't really want any MSP's doing any sort of hosting and want it completely hosted with them.

New Contributor

@Martin Wildi@jdixon we have found a way, thanks to someone on the MS Exchange Online escalation team. After hybrid setup, we have to create new authservers on our Exchange on-prem, add our customer's domains to them, create an intraorganizationconnector each in the cloud and on premise and upload the Exchange cert to ExO:


# primary domain first in array
$domains = $",")
$tenantServiceDomain = "$($tenant.tenant)"

# Exch on premise: one authorization server pair per tenant
New-AuthServer -Name "WindowsAzureACS-$($tenant.tenant)" -AuthMetadataUrl "$($domains[0])/metadata/json/1"
New-AuthServer -Name "evoSTS-$($tenant.tenant)" -Type AzureAD -AuthMetadataUrl "$($domains[0])/federationmetadata/2007-06/federationmetadata.xml"

Set-AuthServer "WindowsAzureACS-$($tenant.tenant)" -DomainName "$($"
Set-AuthServer "evoSTS-$($tenant.tenant)" -DomainName "$($"

New-IntraOrganizationConnector -Name "ExchangeHybridOnPremisesToOnline $($tenant.tenant)" -DiscoveryEndpoint -TargetAddressDomains $tenantServiceDomain

# ExO: connector back to the on-premises organization for all of this tenant's domains
New-IntraOrganizationConnector -Name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint https://$($publicAddressExchangeServerOnPrem)/autodiscover/autodiscover.svc -TargetAddressDomains $domains

# Exchange Online service principal: register the on-premises endpoint and certificate
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName
# The on-premises endpoint must be in the SPN list before it is written back (placeholder URL; the value was not in the original script)
$x.ServicePrincipalNames.Add("https://<on-prem EWS FQDN>/")
Set-MsolServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames

$CertFile = "$pathToExchangeCert.cer"   # $pathToExchangeCert is defined elsewhere in the poster's script
$objFSO = New-Object -ComObject Scripting.FileSystemObject
$CertFile = $objFSO.GetAbsolutePathName($CertFile)
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($CertFile)   # load the exported .cer; without this GetRawCertData() has nothing to return
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $x.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

When running the HCW for additional tenants on the same on-prem Exchange 2016, we experienced the following issues:

 - If using a multi-SAN certificate, the SMTP mail flow is interrupted, because HCW appears to update the certificate on both the on-prem Receive Connector and the EXO Outbound Connector. A solution should be switching to a single-SAN certificate, which we will verify for the next tenant.

 - HCW changed the EXO Outbound connector (From O365 to on-prem EXH), and we had to update the connector with the correct smart host and certificate SAN FQDN.


 - HCW replaced the certificate on the on-prem EXH Send Connector, and we had to revert it back to restore SMTP mail flow.


 - HCW adds and enables a new intra-organization connector but at the same time disables existing intra-organization connectors, which interferes with authentication. So after running the HCW for the second tenant, we had to re-enable the original connectors both on-prem and in EXO
(Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $True).

We are aware that Microsoft recommends using a separate on-prem Exchange server for each tenant, but have agreed with MS to try out using shared servers instead.

Version history: last update Jul 20 2021 05:38 AM