How to configure Exchange 2013 - 2016 for Office 365 Hybrid

Most of the tutorials I have seen over the years for Office 365 migrations, hybrid configuration etc. have never really gone into the little details that make a huge difference to your migration experience. Over the Christmas break I decided to create a new hybrid test environment from scratch, and it was the perfect opportunity to fully document the detailed steps to prepare for Office 365 Hybrid.


Pre-Migration Preparation - Exchange Local

Apply Windows Updates on Exchange and Active Directory servers and clients.

Check that your version of Exchange meets the minimum for the Hybrid Connection Wizard -
As of 7 October, the following are the minimum versions of Exchange 2013 and 2016.
- Exchange 2013 - CU7
- Exchange 2016 - RTM


Pre-Migration Preparation - Local Active Directory

Review existing Active Directory Group Policies as cleaning Active Directory may break these.
If you will be creating new OU structures and moving users to the new OU structure, this may break Group Policies that are applied to these users.

Clean Active Directory to ensure all the Exchange Objects that you want synced to Office 365 are in a single AD Organisational Unit, or under that OU.
Understand that DirSync will target the OU you select and synchronise all objects under it. If you have not cleaned up AD, the DirSync process will synchronise everything, including
- Local AD system accounts
- Local AD administrator accounts
- Deprovisioned users
- Groups that you may want to keep as local AD only
- Anything else that you may want to keep as local AD only
Move anything that does not need to be synced to Office 365 to separate OUs that will not be synced.

My Local Active Directory before the clean-up -
Default Active Directory with new users created in the Users OU by default.
Creation of a new Exchange OU structure -
I have created a new OU named Exchange at the AD Domain root.
I have then created the following OU structure underneath the Exchange OU.
- Contacts - (External email contacts to appear in the GAL)
- Distribution Groups - (Email distribution groups)
- Rooms - (Room mailboxes)
- Security Groups - (Email enabled security groups)
- Shared Mailboxes - (Shared Mailboxes)
- Users - (User mailboxes)

I then moved all the Exchange objects to their associated OU, including Exchange Dynamic DLs, email enabled security groups, external contacts, rooms and shared mailboxes.
In summary, if you want it synced to Office 365, it goes under the Exchange OU.

*** Important ***
You will need to check how the membership of your Dynamic DLs is configured.
For example, the Dynamic DL I created was configured to look at the Users OU for membership.
If I do not update the membership rule, the DL will break once users are moved to the new OU structure.
To update how the Dynamic DL is populated, edit the properties of the Dynamic DL in Exchange On-premises.

See below for the new Exchange OU structure that I created -

Local Active Directory Exchange objects have now been organised, and all objects to be synced to Office 365 are under the Exchange OU.

Update Active Directory Group Policies if needed.
If you have created a new OU structure and moved users into it, this may break Group Policies that are applied to those users. Review the Group Policies and resolve any issues.
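Before you hand the Exchange OU to DirSync, it is worth auditing what is actually under it and what mail-enabled objects sit outside it. The following PowerShell is an added example, not part of the original tutorial; it assumes the ActiveDirectory module is available and uses a placeholder OU path ($SyncOU) that you edit to match your domain.

```powershell
# Added example, not from the original tutorial: audit the OU that Azure AD Connect will
# sync BEFORE enabling DirSync. Finding 1: privileged or disabled accounts that sit under
# the sync OU and should be moved out. Finding 2: mail-enabled objects OUTSIDE the sync
# OU that the sync would silently skip. Assumes the ActiveDirectory module; $SyncOU is a
# placeholder to edit.
Import-Module ActiveDirectory

$SyncOU = 'OU=Exchange,DC=company,DC=local'   # placeholder: the OU you will select in Azure AD Connect

# Built-in privileged groups whose members should never be in the sync scope.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$PrivilegedDNs = foreach ($g in $PrivilegedGroups) {
    Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue |
        Get-ADGroupMember -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# Finding 1: accounts under the sync OU that should not be synced. adminCount=1 marks
# accounts that are (or were) protected by AdminSDHolder, i.e. privileged.
$BadInScope = Get-ADUser -Filter * -SearchBase $SyncOU -Properties adminCount |
    Where-Object {
        -not $_.Enabled -or $_.adminCount -eq 1 -or $PrivilegedDNs -contains $_.DistinguishedName
    } |
    Select-Object SamAccountName, Enabled, adminCount, DistinguishedName

# Finding 2: mail-enabled objects outside the sync OU. Exchange system and health
# mailboxes live in the Users container by design and are excluded from the report.
$OutOfScope = Get-ADObject -Filter 'mail -like "*"' -Properties mail, objectClass |
    Where-Object {
        $_.DistinguishedName -notlike "*,$SyncOU" -and
        $_.Name -notlike 'HealthMailbox*' -and $_.Name -notlike 'SystemMailbox*'
    } |
    Select-Object Name, objectClass, mail, DistinguishedName

"Privileged or disabled accounts inside $SyncOU (move these out):"
$BadInScope | Format-Table -AutoSize
"Mail-enabled objects outside $SyncOU (these will NOT be synced):"
$OutOfScope | Format-Table -AutoSize
```

Run it once before the OU move and once after; both lists should be empty before you configure Azure AD Connect.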


Local Active Directory preparation for Office 365 login
Office 365 logins are usually the email address. Many small businesses have a mismatch between users' email addresses, their UPN and their local AD login. To resolve this conflict, perform the following steps so that users can log in to Office 365 with their email address after migration.

Edit OWA login format to match the email - Link

Add the external domain as a UPN suffix, so that users can log in with a UPN that uses the external domain name.
Add the external domain name in Active Directory Domains and Trusts
- Active Directory Domains and Trusts - Right click - Properties

Add the domain name - Add - Apply - OK

This will update the login options for users in local AD.

User login format will now have two options in the AD logon name drop down.

Set ALL user logins to be the UPN (which will match the email address) - Link
Note the Active Directory path which will be needed in the final script
(work backwards as per example).

Note that this script targets only users in the specific OU and sub-OUs.
This means that after you edit the script to use a SearchBase, only user objects below that OU will be affected.

It is critical to ensure you are not accidentally targeting service accounts, administrator accounts etc., so ensure that they are in other OUs that will NOT be affected.

Example script - edit the SearchBase and the UPN suffix (the external domain you added above) to match your AD structure. The @yourdomain.com suffix below is a placeholder.
Get-ADUser -Filter * -SearchBase 'ou=Users,ou=MyBusiness,dc=company,dc=local' -Properties userPrincipalName | ForEach-Object { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@yourdomain.com" }

My real world script to match my Active Directory -
Get-ADUser -Filter * -SearchBase 'ou=User Mailboxes,ou=Exchange,dc=internal,dc=teamterry365,dc=com' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)"}

Account logon name once updated with the script.

Check and Confirm ALL local Exchange objects that are being migrated have the external email address applied to the User Logon Name field.
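A safer way to run the UPN change is to preview it first and to confirm that the new UPN really equals each user's primary SMTP address, since a user whose UPN and mailbox address differ will not be able to log in to Office 365 with their email address. The script below is an added example, not the tutorial's own script; it assumes the ActiveDirectory module, and $SearchBase and $UpnSuffix are placeholders you edit.

```powershell
# Added example (not the tutorial's script): align UPNs with the primary SMTP address for
# users under one OU, previewing first. Set $Commit = $true to apply the change.
# Placeholders to edit: $SearchBase, $UpnSuffix.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,OU=Exchange,DC=company,DC=local'   # placeholder
$UpnSuffix  = 'company.com'                                 # placeholder: the external domain
$Commit     = $false

# Refuse to run unless the suffix is a forest domain or was added in AD Domains and Trusts.
$Forest  = Get-ADForest
$Allowed = @($Forest.UPNSuffixes) + @($Forest.Domains)
if ($Allowed -notcontains $UpnSuffix) {
    throw "UPN suffix '$UpnSuffix' is not registered in Active Directory Domains and Trusts."
}

$Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses, userPrincipalName
$Plan = foreach ($u in $Users) {
    # The primary SMTP address is the proxyAddresses entry with upper-case "SMTP:";
    # fall back to the mail attribute when proxyAddresses is empty.
    $primary = ($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }
    $newUpn = "$($u.SamAccountName)@$UpnSuffix"
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        NewUPN         = $newUpn
        PrimarySMTP    = $primary
        # Mismatch: the mailbox address will NOT equal the new UPN, so this user
        # would not be able to sign in to Office 365 with their email address.
        Mismatch       = [bool]($primary -and ($primary -ne $newUpn))
        Object         = $u
    }
}

$Plan | Select-Object SamAccountName, CurrentUPN, NewUPN, PrimarySMTP, Mismatch | Format-Table -AutoSize

if ($Commit) {
    # Only touch users whose new UPN matches their primary SMTP and actually changes.
    foreach ($p in $Plan | Where-Object { -not $_.Mismatch -and $_.CurrentUPN -ne $_.NewUPN }) {
        Set-ADUser -Identity $p.Object -UserPrincipalName $p.NewUPN
    }
}
```

Resolve every row flagged Mismatch (fix the alias or the primary SMTP address) before setting $Commit to $true.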


Exchange Local Configuration -

If you use a non-routable internal domain name, split-brain DNS is most likely already configured. To prepare for the Office 365 migration, ensure you have DNS host records (A records) pointing to the IP address of the appropriate Exchange server(s).
You will need an A record for both the autodiscover and the mail host names.

Configure Split Brain DNS if using a non-routable domain name (company.local) - Link
Internal DNS -
ServerName - Forward Lookup Zones - New zone -
Add two zones, one for the mail host name and one for the autodiscover host name, and in each zone add a host (A) record:
Host (mail) - points to the IP address of the Exchange server
Host (autodiscover) - points to the IP address of the Exchange server

Ensure your Exchange SSL cert is current

Ensure your Exchange URLs are pointing to the external domain - Link
All Exchange internal and external URLs will be pointing to the external mail host name.
Use the scripts below and update them with your domain URL.

Outlook Anywhere
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname -InternalHostname -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl -InternalUrl

Outlook Web App
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl -InternalUrl

Exchange Control Panel
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl -InternalUrl

Exchange ActiveSync
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl -InternalUrl

Exchange Web Services
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl -InternalUrl

Offline Address Book
Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl -InternalUrl

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri

Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl -InternalUrl
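Setting the URLs one cmdlet at a time makes it easy to miss one, and a single virtual directory still pointing at the old internal name produces certificate warnings or Autodiscover failures for migrated users. The script below is an added example, not the tutorial's own commands; it runs in the Exchange Management Shell and uses placeholder host names ($MailHost, $AutodiscoverHost) that you edit, both of which must be on your Exchange certificate.

```powershell
# Added example (not the tutorial's own commands): set every client-facing Exchange URL to
# the external namespace in one pass, then read the configuration back and report anything
# that still points elsewhere. Run from the Exchange Management Shell on Exchange 2013/2016.
$MailHost         = 'mail.company.com'          # placeholder
$AutodiscoverHost = 'autodiscover.company.com'  # placeholder
$Base = "https://$MailHost"

# Standard virtual directory paths for Exchange 2013/2016, keyed by Get/Set cmdlet.
$Targets = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Url = "$Base/owa" }
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Url = "$Base/ecp" }
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Url = "$Base/Microsoft-Server-ActiveSync" }
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Url = "$Base/EWS/Exchange.asmx" }
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Url = "$Base/OAB" }
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Url = "$Base/mapi" }
    @{ Get = 'Get-PowerShellVirtualDirectory';  Set = 'Set-PowerShellVirtualDirectory';  Url = "$Base/PowerShell" }
)

# Apply the same URL internally and externally, exactly as the tutorial does per cmdlet.
foreach ($t in $Targets) {
    & $t.Get | & $t.Set -ExternalUrl $t.Url -InternalUrl $t.Url
}

Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname $MailHost -InternalHostname $MailHost `
    -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml"

# Verification: read everything back; any row listed here still points at another host.
$Wrong = foreach ($t in $Targets) {
    & $t.Get | Where-Object {
        $_.InternalUrl.Host -ne $MailHost -or $_.ExternalUrl.Host -ne $MailHost
    } | Select-Object Identity, InternalUrl, ExternalUrl
}
if ($Wrong) { $Wrong | Format-Table -AutoSize } else { "All virtual directory URLs point to $MailHost" }
```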


Office 365 Tenant pre-migration preparation - 
Tenant -

Exchange Online -
Purchase licenses

Verify you own the domain
- Office 365 Portal - Setup - Domains - Add domain -

Edit your DNS txt record for domain verification

DO NOT edit any further DNS records at this time - Save and Close

Wait 15 minutes -

Continue with the Office 365 domain wizard,
Setup - Domains - Select the new domain you added - Continue Setup

I'll add the DNS records myself - Next

Scroll to the bottom of the page - Verify

Verify will advise that records are missing -

Scroll to the bottom of the page - tick the box 'Skip this step' -
Click - 'Skip'

You will receive the following advice - Finish

Your domain is now verified and ready for Hybrid configuration


Exchange On-premises pre-migration preparation - 

Using the Hybrid Connection Wizard to create Exchange Online Objects 

Before downloading the HCW - download and install .Net 4.6.2 - Link

Exchange On-premises - Install and configure Hybrid Connection Wizard
Consider what server you would like Azure AD Connect installed on. If possible, install Azure AD Connect on a dedicated server.

On a local domain joined Server - Internet Explorer - Log into the Office 365 Portal -
Setup - Data Migration

Migration Page - Select your data service - Exchange

You will be prompted to download the application - The machine must be domain joined.
Install - (Note that you must be using Internet Explorer, other browsers may fail to run the install).

Note: if the Hybrid Connection Wizard doesn't start to download automatically, follow this article - Link

Open Control Panel - Default Programs - Associate a file type or protocol with a program
Scroll till you find - .application and .appref-ms
Select and change the program to Internet Explorer -

On the pop-up - Click Install - Run - Next -

Hybrid Connection Wizard starts - Next - On-premises Exchange Server Organization -
By default it will pick the optimal server for the migration. - Next

Credentials -
Use current credentials for local Exchange (if appropriate)

Sign in for Exchange Online -
Enter admin credentials for Office 365 -

The Hybrid Configuration Wizard gathers information -
Once completed - click Next

Hybrid Features page - Select Minimal Hybrid Configuration - Next -

Ready for update - Update
(This updates your on-premises Exchange environment and cannot be stopped and rolled back)

This process will create connectors and configure Exchange for Hybrid connectivity with Office 365.


Azure AD Connect installation - 

Download the latest version of Azure AD Connect here - Link

Azure AD Connect Wizard
Agree to the terms and select Continue

In this instance I am going to select Express Settings (read the summary of actions performed).

Note - You can use Express Settings if your internal domain is routable. In this instance, the internal domain is Internet routable.


If your internal domain is non-routable, you will need to choose Customize. An example of a non-routable domain would be - company.local - see image below


As this domain is Internet routable, I will continue with Express Settings -

Enter the Office 365 credentials - Next

Enter your local Active Directory credentials

As this is a routable domain, the Azure AD sign-in configuration will show the domain is verified.
- Click - Next

The default configuration will start the synchronization after configuration is complete.
If you need Exchange Hybrid deployment, select that box and then click 'Install'.
In this tutorial, I will be selecting - Exchange Hybrid deployment -

The wizard will continue.

Once the wizard is complete, you will see a summary.


Now that Hybrid has been enabled and configured with default settings, we need to update those settings to target our specific OU.

To see what objects have been targeted for sync in the initial configuration, log into the Office 365 portal and select - Users - Active Users. As you can see, the default configuration has selected all objects to be synced, including Health Mailboxes.

To remove them properly, we will reconfigure Azure AD Connect to target the specific OU in local Active Directory that we want.

Re-configuring Azure AD Connect -
Log on to the server that has Azure AD Connect installed.
Select the application - Azure AD Connect

Azure AD Connect will load and advise that the sync service scheduler is suspended.
Select - Configure -

Under - Additional Tasks - Select - Customize Synchronization options - Next

Enter the Office 365 credentials - Next

As our local Active Directory is already connected, click Next (do not click Add Directory)

Now we can select the OU we want to target -
Select - Sync selected domains and OUs - then expand the domain and select the OU
In the image below, I have expanded the domain -
I have then selected ONLY the OU named - Exchange -
I have expanded the Exchange OU and confirmed all sub-OUs are selected. - Next

Next - Select your optional features.
Note that Azure AD constantly updates these features, so choose which suits your Organization the best. I have selected the default for this tutorial. - Next

Click Configure; the Azure AD Connect configuration will then complete.

The configuration will commence and take some time depending on the size of your Organization.

Once completed, review the results and click Exit.


Office 365 objects after sync

Azure AD Connect should update your synchronized objects automatically, but if you would like to manually force a sync on Azure AD Connect, perform the following - Link

On the server where Azure AD Connect is installed - PowerShell
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

As you can see, Azure AD Connect has now only synchronized objects in the targeted OU.
Note that as no licenses have been assigned at this stage, and no mailboxes have been moved either, all the user, shared and resource / room mailboxes are created as unlicensed users in the Office 365 Admin portal.

- Admin Portal Objects -

The users selected in Blue have been created in Office 365 - Sync Type - In Cloud
The users selected in Red have been synced with local Active Directory - Sync Type - Synced with...

Select Users - Contacts - to show the contacts that have been synced via DirSync

Groups -
- The Distribution group has been synced correctly
- Note - Dynamic Distribution groups created in local Active Directory will need to be recreated.

- Office 365 - Exchange Admin Center Objects -

Mailboxes in Office 365 -
Only mailboxes created in Office 365 will show in the Exchange Online mailboxes view

Contacts in Office 365 -
Contacts have been created in Office 365 that correspond to the on-premises user mailboxes, rooms and shared mailboxes. External contacts created in local Exchange will also show here.

Groups in Office 365
Only the Distribution Group created in local Exchange has been created in Office 365.
Note that mail enabled security groups will also be created in Office 365 via the sync.
Note that Dynamic Distribution Groups are NOT synced successfully and will need to be recreated in Office 365.

Resources and Shared -
Only Office 365 created resource and shared mailboxes will appear in the Office 365 EAC.


Congratulations -
You have successfully configured your Exchange 2013 - 2016 Organization for Hybrid.


Related Tutorials -

Configure your Administration PC or Server
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link

Connection Scripts
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

Downloads -
All my PowerShell TechNet Downloads - Link

Tips and Tricks -
How to get a 180 day trial tenant in Office 365 for testing - Link
General Tips and Tricks for better Office 365 Administration - Link
How to extend your Office 365 Trial - Link


  1. The sync server needs to be set up before running the Hybrid wizard.. just to correct here

    1. As per the Microsoft support article - -

      Azure AD Connect is downloaded and installed AFTER the Hybrid Connection Wizard.