1. Microsoft Ignite 2015 4/16/2017 4:33 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Exchange Hybrid: Make Office 365 Work for You
Michael Van Horenbeeck, MVP
Timothy Heeney, Supportability Program Manager

3. 4/16/2017
Why Exchange Hybrid?
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Calendaring & Free/Busy
Microsoft Exchange
4/16/2017
Why Exchange Hybrid?
Address Book
User Experiences
Calendaring & Free/Busy
Messaging
Mail
Migrations
Exchange on-premises
MRS
Mailbox data
Office 365
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. Exchange Hybrid Overview
Microsoft Exchange
4/16/2017
Exchange Hybrid Overview
OAUTH / DAUTH
Integrated
admin experience
Native mailbox move
Secure mail flow
Delegated authentication for on-premises/cloud web services
Enables free/busy, calendar sharing, message tracking & online archive
Online mailbox moves
Preserve the Outlook profile and offline folders
Leverages the Mailbox Replication Service (MRS)
Manage all of your Exchange functions, whether cloud or on- premises from the same place: Exchange Admin Center
Authenticated and encrypted mail flow between on-premises and the cloud
Preserves the internal Exchange messages headers, allowing a seamless end user experience
Support for compliance mail flow scenarios (centralized transport)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6. Hybrid benefits vs. other migration options
Microsoft Ignite 2015
4/16/2017 4:33 PM
Hybrid benefits vs. other migration options
Deployment Complexity
EASY
Really?
Hybrid
Cutover
Staged
DirSync/Identity Management
Hybrid Configuration Wizard, oAuth,MRS, ….
Auto profile updates
Batch Approach
Offboarding
Rich Coexistence
No Additional Servers
Cloud ID’s Only
OST Sync
All at Once…
DirSync needed
No 2010/2013
OST Sync
Batch Approach
Really?
End User Complexity
EASY
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. Hybrid Configuration Engine
Microsoft Exchange
Hybrid Configuration Engine
4/16/2017
On-Premises Exchange
Exchange Online
Step 1
The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Exchange Server Level Configuration
(Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, & Receive Connector)
Domain Level Configuration Objects
(Accepted Domains, Remote Domains, & Address Policies)
Organization Level Configuration Objects
(Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector)
Organization Level Configuration Objects
(Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector)
Domain Level Configuration Objects
(Accepted Domains & Remote Domains)
Step 2
The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object.
Step 3
The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Internet
Step 4
The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization. 4 5
Remote
Powershell 3
Hybrid Configuration Object 2 5
Hybrid Configuration Engine
Desired state
Topology & current configuration state
Execute configuration tasks
Remote
Powershell 3
Step 5
Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”
Exchange Management Tools 1 4
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Exchange Hybrid Scenario
Microsoft Exchange
4/16/2017
Exchange Hybrid Scenario
On-premises Exchange organization
Existing Exchange environment (Exchange 2007 or later)
Office 365 Active Directory synchronization
Exchange 2013
client access &
mailbox server
Office 365
User, contacts, & groups via Azure AD Sync
Secure mail flow
Mailbox data via Mailbox Replication Service (MRS)
Sharing (free/busy, Mail Tips, archive, etc.)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. 4/16/2017
What's Coming…
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. Exchange Hybrid Wizard History
4/16/2017
Exchange Hybrid Wizard History 1 2 3 4 5 1
Exchange 2010 SP1
72 pages of documentation
Exchange 2010 SP2
HCW introduced
Exchange 2013
HCW with web-based UI
Exchange 2013
SP1
Exchange 2013
CU5
Extremely complex and low adoption
Removed confusing requirements for additional domains: exchangedelegation and service.contoso.com
Greatly simplified transport configuration
Multiple exchange organizations now supported
Supports Exchange
2013 Edge
Native OAUTH and Gallatin Support 2
What is coming next? 3 4
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11. Microsoft Office365
4/16/2017
What is next for Hybrid?
Multi Forest Hybrid with AADSYNC (TAP ongoing)
Resolving the common upgrade issues (upgrade from 2010/2013)
Service Validation for HCW (Hybrid Tested in EVERY forest EVERY day)
HCW updates not tied to CU’s any longer
Improvements to OAUTH to support Multi Forest
Better Diagnostics built in (HCW and other Troubleshooters)
Stand Alone HCW (New Web Based HCW)
HCW looks and feels familiar
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. Stand Alone HCW What are the benefits?
Exchange 2013 and E16 can use it
Allows for agility with feature releases
Allows for changes outside of CU’s
Allows for proper piloting of features
Looks and Feels Familiar
Allows us to fix issues quickly
Allows us to add improvements to HCW experience
Newest Version is used by EVERYONE

13. Stand Alone HCW Common Questions
Will I be able to run it on Exchange 2010?
Will I be able to run in on Exchange 2013?
Can I upgrade from Exchange 2010 to newer version?
Can I opt out of the new HCW experience?
Will I need to add any additional URL to my outbound proxy device?
Will running the Stand Alone HCW change any of my settings?

14. Hybrid & authentication
Microsoft Ignite 2015
4/16/2017 4:33 PM
Hybrid & authentication
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. Authentication in a hybrid deployment
Cloud ID’s
(online username
& password)
Password Hash Synchronization
(PW Sync)
Active Directory Federation Services
(AD FS)
A lot of organizations deploy AD FS because of different benefits:
Near seamless logons (single sign-on)
Most flexible solution for various clients such as Outlook, EAS etc.
More granular control over authentication
Most organizations deploy Password Hash Synchronization

16. Modern Authentication
Not really a hybrid feature
Benefits for hybrid customers w/ AD FS
True SSO with e.g. Outlook (instead of basic auth)
Will change how clients authenticate and affect custom claim rules

17. Outlook Authentication Today with Office 365
Microsoft Ignite 2015
4/16/2017 4:33 PM
Outlook Authentication Today with Office 365
Windows Azure Active Directory
Exchange Online
Attempt Sign-In
Identity Provider (OrgID)
Directory
Return auth token
Request mail
(incl username/
password)
Success!
Return mail
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. How does Modern Authentication work?
Please update colors to match TR20 pallete
Please make arrows look nicer.
How does Modern Authentication work?
Windows Azure Active Directory
On-Premises
Directory
Exchange Online
Identity Provider (EvoSTS)
Directory
Identity Provider
Attempt
Sign-In
Return auth
token
Success!
Return mail
Need sign-in first
(Passive Auth)
Sync Mail
Sync Mail
(SAML token)

19. 4/16/2017
EAS Redirection
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. Back in my day we just shut up and recreated profiles
This Camera is Awesome!
Then one day.. 0x86000C16
Sorry…
Ted is happily using his windows Phone
Ted’s mailbox was move to the cloud
The nerdy admin has no options but to recreate the profile
The Old Way
So what do we do now?

21. User connects seamlessly to the cloud
The user mailbox moves to the cloud
User is connected to on-prem mailbox
User Tries to sync again
Exchange 2013 CU8 and 2010 sp3 RU9
CAS determines the user is Remote (Based on TA), then looks to see if the Domain name is in an Org Relationship. If that exists and there is a Target OWA URL we use that to perform a 451
Unsupported scenarios:
• Mailbox moves from Exchange Server 2007 to Office 365
• Does not support off-boarding
• EAS devices must support 451 redirect (Accompli does not)

22. New Tool for Troubleshooting
4/16/2017
New Tool for Troubleshooting
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. HCW Troubleshooter Next Steps More troubleshooters on the way
….HCW fails so a customer attempts opens a case
Customer is presented with the troubleshooter
Customer is given clear solution ELIMINATING the need for case
Next Steps
More troubleshooters on the way
Feedback is needed to make them better
Support also has immediate access to the HCW log, if the case is still opened

24. http://aka.ms/hcwcheck Exchange Hybrid Configuration Diagnostic
If Failed
Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name.
You need to fix your obsolete Active Directory Domain Services Federation Objects.
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group.
You need to install Exchange 2010 sp3 RU3 or later
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship
Your Exchange Server 2013 needs to be running a version of CU6 or later, we recommend the latest version available.
Some manual configurations are needed to allow Legacy Free Busy to work as expected
Microsoft Exchange Service Host is not running.
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed.
You need to upgrade your legacy address policy.
You need to address the issues found with the TLS certificate. If running Exchange Server you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013 please install the latest cumulative update.
This was our starting point

25. Hybrid Migration Troubleshooter

26. 4/16/2017
Upgrade Hybrid
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27. Upgrading hybrid servers?
Short answer:
it depends….
Long answer:
Simple answer:
only upgrade to Exchange 2013 if:
You are already planning to move to Exchange 2013 (on-prem)
You need 2013-specific features

28. Microsoft Ignite 2015
Hybrid Upgrade issues 1
4/16/2017 4:33 PM
Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors‎
Solution:
[PS] C:\> Get-OrganizationConfig | fl Guid
[PS] C:\> Rename the organization relationship to "O365 to On-premises - <GUID>.
(Fixed in CU5)
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

29. Microsoft Ignite 2015
Hybrid Upgrade issues 2
4/16/2017 4:33 PM
The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server ‘<ServerName>’ isn’t running Exchange 2013 or a later version.
Solution:
[PS] C:\> Get-hybridconfiguration | fl >Hybrid.txt
[PS] C:\> Set-HybridConfiguration -ClientAccessServers $null `
-ReceivingTransportServers $null -SendingTransportServers $null
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

30. Microsoft Ignite 2015
Hybrid Upgrade issues 3
4/16/2017 4:33 PM
Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on or
ERROR : Subtask Configure execution failed: Upgrading hybrid configuration from Exchange   No Inbound connector found on the Office 365 tenant.
Solution:
1. Remove hybrid configuration through ADSI edit.
ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
2. Rerun setup /prepareAD from the on-premises Exchange Setup Directory (Schema Admin Rights needed)
3. Rerun HCW from Exchange 2013
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31. 4/16/2017
Hybrid Validation
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. Hybrid Stability is overall good, but…
Microsoft made changes in the service that broke customer using the Federation Gateway
Microsoft introduced a new feature that broke Free Busy for Hybrid Customers
Microsoft made changes in the service that prevent all 2013 customers from running the HCW
Bottom Line – we needed to be better at finding issues with CU/Service updates
Microsoft introduced a CU that prevented the ability to create and manage users accounts
Microsoft made changes in the service that broke customer using the Federation Gateway

33. Active Monitoring for HCW
HCW tested in every forest throughout the day
Cause of this we found the issue before ANY customers reported the problem

34. So does the monitoring work?
Let’s review a recent issue…
Activating Directory Sync kicks off an important process for Hybrid
The new routing domain gets created in MSO
Because we messed this up
A new certificate is created that includes the new name
This Failed
The new domain is forward sync’d to EXO
Then we create the AutoD and MX DNS records

35. Migration Message Size
4/16/2017
Migration Message Size
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. Message Size Limits for Migration
Awareness

37. Message Size Limits for Migration FAQ Awareness
What Migration types will be able to take advantage of this new limit (with caveats)?
Will I be able to forward, resend, or move the item after the Migration is complete?
Will message size limit be increased so we can start sending larger messages?
When should I expect to see message size increase for Hybrid Migrations?
What do I need to do to enable this new limit?
Does it matter if I am moving the mailboxes from 2007, 2010 or 2013?

38. 150 Message Size increase
We can now increase the message size restrictions for a user, after the mailbox plan is associated
Configurable in
EAC per user
EAC multiple user
Shell with Set-Mailbox Max Send/receive settings

39. Migration Throughput?
Max default Concurrent moves 100 (exceptions can be made)
Item count is a factor with migration performance
0.3–1.0 GB/hour range per mailbox
Firewall configuration on the on-premises organization
Multiple concurrent moves allows for optimized migrations
Source Side performance is a COMMON factor
Migration are not considered “User Expected” (WLM)
Network Latency is a Factor

40. Alternate ID and Hybrid
Microsoft Ignite 2015
4/16/2017 4:33 PM
Alternate ID and Hybrid
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

41. What is an Alternate ID
This is used to allow for a different UPN for ADFS in on-premises vs Office 365
Install updates
Adjust claim rule
Update the Management Agent in FIM
Documented on TechNet   
Old Claim Rule
c:[Type = "http: //schemas.microsoft. com/ws/2008/06/identity/claims/windowsaccount Name"] => issue (store = "Active Directory", types = (" ", "http: //schemas.microsoft. com/LiveID/Federation/2008/05/ImmutablelD"),query="samAccountName={0};userPrincipalName, objectGuiD; (1)", param = regexreplace(c.Value, "(?<domain>[’\\)+)\\(?<user>.+)", "${user)"),param = c.Value);
New Claim Rule
c:[Type = "http: //schemas.microsoft. com/ws/2008/06/identity/claims/windowsaccount Name"] => issue (store = "Active Directory", types = (" ", "http: //schemas.microsoft. com/LiveID/Federation/2008/05/ImmutablelD"),query="samAccountName={0};mail, objectGuiD; (1)", param = regexreplace(c.Value, "(?<domain>[’\\)+)\\(?<user>.+)", "${user)"),param = c.Value);
On-premises
Office 365

42. Alternate ID with Hybrid?
On-premises
Outlook connected to corp 1
Autodiscover connects to SCP and is automatically authenticated    1 2 1
Autodiscover redirects the client to the Target Address stamped on the user 2 2 3
User Provides Cloud UPN and password 3 3
Outlook connected External 1
Autodiscover connects from external machine (User provides on-premises UPN)
Autodiscover redirects the client to the Target Address stamped on the user 2
Office 365 3
User Provides Cloud UPN and password

43. So what are we doing about it?
Microsoft Ignite 2015
4/16/2017 4:33 PM
So what are we doing about it?
We added a warning to content
We have no timeline to share but we are working aggressively to make AltID a reality for Hybrid customers, we know it is important
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44. OAUTH and Federation Microsoft Ignite 2015 4/16/2017 4:33 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

45. Microsoft Federation Gateway
Microsoft Exchange
4/16/2017
DAuth vs OAuth
Microsoft Federation Gateway
Organization
Relationships
AuthServer
Intraorg
Connectors
DAuth
OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy, mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors /Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

46. Configure OAuth for Hybrid
4/16/2017
Configure OAuth for Hybrid
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross- premises archive moves
Can be used for much more like free/busy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

47. Configure OAuth for Hybrid
4/16/2017
Configure OAuth for Hybrid
If you click this…
We will launch this
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

48. eDiscovery Scenarios and OAuth
4/16/2017
eDiscovery Scenarios and OAuth
eDiscovery scenario
Requires OAuth?
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

49. Free/Busy using OAuth Free/Busy works through a series of checks
CAS finds that Joe’s mailbox is external and there is an IOC
Free/Busy works through a series of checks
1st we check to see if we can find free/busy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
Ben requests free/busy info for Joe
Exchange Server passes the token and requests Joe’s free/busy on behalf of Ben
Free/Busy info is returned
Free
Request
Busy
From Ben
To Joe
Exchange connects to the Azure OAUTH endpoint
WAAD returns a Delegation Token
Joe’s free/busy is returned to the Outlook client

50. Public Folders Microsoft Ignite 2015 4/16/2017 4:33 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

51. Hybrid Public Folder Options
4/16/2017
Hybrid Public Folder Options
Option 1: Office 365 mailboxes accessing legacy PFs on-premises
Option 2: Office 365 mailboxes accessing modern PFs on-premises
Option 3: Exchange 2013 on-premises mailboxes accessing modern PFs in Office 365
Mailbox Version
PF Location
2007 On-Premises
2010 On-Premises
2013 On-Premises
Exchange Online
Exchange 2007
Yes No
Exchange 2010
Exchange 2013
Yes*
*Requires use of Outlook for Windows
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

52. Hybrid PF access
Outlook connect to Cloud Mailbox, starts by querying autod.contoso.com 1
Exchange Online
Autodiscover responds with the Target address for the cloud mailbox 2 4
Outlook does AutoD for TA Contoso.mail.onmicrosoft.com 3 3
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation>
   
</SmtpAddress> 4
On-premises
Outlook performs and AutoD against 5 7 1
Outlook Anywhere settings are returned including the server name of the PF/CAS instead of the CASArray
Proxy to PF server (running CAS role) 6 2 5 6
Auth as user over Public MBX auth 7
When PF access is initiated you then make a connection 7

53. Question or Common Issues

54. Were is the Activate button for sync?
Why the Change?
UPN mismatches and changes are costly for support
UPN mismatches cause a poor user experience
If you perform dirsync before adding the domain you see issues
We have now prevented this in the portal
If Accepted Domain was not added
On-Premises
Office 365
DirSync
Onmicrosoft.com

55. Mailbox Recovery changes
In the past the behavior was…
Mailbox would become Hard Deleted
Restore needed? run Get- RemovedMailbox to find Deleted mailbox GUID
Create a new mailbox using the proper switches and guid
Cloud user with Mailbox
User deleted and removed from Recycle Bin
Today
To recover use New-MailboxRestoreRequest
Do not Hard Delete a user
That mailbox will not be recoverable
In the future we may add a soft delete buffer, but today….

56. HCW Domain limit 250 Error When running HCW:
Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Configure Organization Relationship Execution of the New-OrganizationRelationship cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. The total number of explicit and implicit subfilters exceeds maximum allowed number of 250. Processing stopped. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand‎(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)‎ ‎'.
Cause:
Org Relationships allow up to 250 domains
Resolution:
Manually create additional Org Relationship and add the additional domain over 250
This is being added to the HCW troubleshooter along with a ton more!

57. HCW Domain limit 64
Issue:
HCW fails with the following issue
"The length of the property is too long. The maximum length is 64 and the length of the value provided is 68."
Cause:
We allow up to a 32 character length domain name to be added to the service
When the routing domain is created for that domain it makes the length longer but still shorter than the 64 overall hard limit
When HCW created the remote domain we prepend “Hybrid Domain-” to the identity for the remote domain
This can put us over the limit
Resolution:
Still investigating but if we simply change the remote domain to only Prepend “Hybrid-” we will allow for all 32 character domain names… currently still being investigated

58. Certificate field is empty
Certificate field is empty when running the HCW
Certificate not correctly installed
Required on selected CAS & MBX
CAS are used for Receive Connectors
MBX are used for send Connectors
Both need same cert installed, else HCW won’t show.
Third Party
Proper SAN
Assigned to SMTP Service
Private Key
Certificate requirements not met
Need access to CRL url over 80 from all servers
CRL Blocked

59. Challenges managing hybrid recipients
Dirsync adds complexity for managing objects:
Cross-premises permissions are not supported:
User/Mailbox Management
Converting mailboxes
Group self-service management
Inactive mailboxes
(Procedures?)
DirSync delay
(e.g. archive creation)
Inconsistent experience
Migrated permissions vs new permissions
Full Access, Send-As, Receive-as….

60. Microsoft Ignite 2015
Hybrid Upgrade issues 1
4/16/2017 4:33 PM
Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors‎
Solution:
[PS] C:\> Get-OrganizationConfig | fl Guid
[PS] C:\> Rename the organization relationship to "O365 to On-premises - <GUID>.
(Fixed in CU5)
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

61. Microsoft Ignite 2015
Hybrid Upgrade issues 2
4/16/2017 4:33 PM
The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server ‘<ServerName>’ isn’t running Exchange 2013 or a later version.
Solution:
[PS] C:\> Get-hybridconfiguration | fl >Hybrid.txt
[PS] C:\> Set-HybridConfiguration -ClientAccessServers $null `
-ReceivingTransportServers $null -SendingTransportServers $null
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

62. Microsoft Ignite 2015
Hybrid Upgrade issues 3
4/16/2017 4:33 PM
Updating hybrid configuration failed with error ‎'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on or
ERROR : Subtask Configure execution failed: Upgrading hybrid configuration from Exchange   No Inbound connector found on the Office 365 tenant.
Solution:
1. Remove hybrid configuration through ADSI edit.
ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
2. Rerun setup /prepareAD from the on-premises Exchange Setup Directory (Schema Admin Rights needed)
3. Rerun HCW from Exchange 2013
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

63. Microsoft Exchange
4/16/2017
Common Issues – HCW
“The HCW failed to complete”
Cause: Timeout issues are not handles well by the HCW (we are getting better)
Running the HCW a second time is often all that is needed…
HCW fails with "InvalidUri: Passed URI is not valid“
Cause: There are certain words such as “bank”, profanity, and large org names that are blocked from federating
Calling Support is the only option to resolve issue
Documented:
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

64. CU6 issues Cannot create users mailboxes Cannot move mailboxes
Microsoft Exchange
4/16/2017
CU6 issues
Recipient Management
Cannot create users mailboxes
Cannot move mailboxes
Cannot change user attributes
Cause: there is an issue with the backlink with EAC to EXO that prevents the proper connection
Resolution: download a script that will fix the file or install CU7 when avail
Centralized MailFlow (CMC) broken
Cannot send mail from cloud user to the internet when CMC is enabled
Resolution: call support for an IU or wait for CU7
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

65. Session Objectives And Takeaways
Tech Ready 15
4/16/2017
Session Objectives And Takeaways
Session Objective(s):
Understand how Exchange Hybrid is different from other migration methods
Understand latest issues around Hybrid scenarios
Hybrid is not for everyone
We are investing in diagnostic tools and wizard enhancements to remove friction from hybrid configuration and migrations
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

66. Pre-Release Programs Be first in line!
Microsoft Ignite 2015
Pre-Release Programs
Be first in line!
4/16/2017 4:33 PM
Exchange & SharePoint On-Premises Programs
Customers get:
Early access to new features
Opportunity to shape features
Close relationship with the product teams
Opportunity to provide feedback
Technical conference calls with members of the product teams
Opportunity to review and comment on documentation
Get selected to be in a program:
Sign-up at Ignite at the Preview Program desk OR
Fill out a nomination:
Questions:
Visit the Preview Program desk in the Expo Hall
Contact us at:
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

67. Please evaluate this session
4/16/2017 4:33 PM
Please evaluate this session
Your feedback is important to us!
Visit Myignite at or download and use the Ignite Mobile App with the QR code above.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.