Office 365: Migrating To Exchange Online

KB ID 0001418


This is Part-One of a migration from ‘on-premise’ Microsoft Exchange, to Office 365 (Exchange Online). I’m using my spare ‘test domain’ ( And I’m using the 5 user E3 Office 365 subscription that the good folk at Microsoft let me have, as part of my MVP benefits.

Note: I’m using Exchange 2016, with a ‘full-hybrid’ migration into Office 365.

Step 1: Pre-Requisites

DNS: You will need access to the DNS records for your public domain, both to ‘prove’ it is your domain, and to divert mail flow, and client requests to Exchange online, rather than your on premise Exchange.

Licenses/Subscription: You need an office 365 subscription, and available licences for all the users you want to migrate. At time of writing the minimum subscription level that includes Exchange Online is E3. (Note that’s not strictly true, you do get Exchange online with E1, but you dont get any office products, so I’ve never seen an E1 licensed migration). You’ll need to have access to Office 365 with a ‘global administrator‘ account.

O365 Admin

Backups: Not really a pre-requisite, but how are you going to backup your cloud mailboxes? As far as Microsoft is concerned, your online email gets deleted after its retention period, (amount of time after a user deletes it, i.e. up to 100 days). If your business continuity plan, requires you to keep mail ‘x‘ years, then you will need to think about Azure Backup, or a third party backup solution.

Existing Exchange: Unless you are going to use a third party migration tool, then your on premise Exchange needs to be at Exchange 2010. So if you’re still at Exchange 2007/2003/2000, then you need to either; 1) Upgrade your on-prem Exchange, 2) Do another on-prem migration before you start, or 3) Purchase a third part migration tool. Note: With Exchange 2007 you can add one Exchange 2010 Exchange server, then migrate.

Certificates: You MUST HAVE a certificate on your Exchange that is publicly singed by a third party certificate vendor. There’s no excuse to use self signed certificates these days, (for Exchange). For this exercise I bought a certificate for a year and it cost me less than ten dollars, thats half the price of a one users monthly licence for Office 365? WARNING even with a correctly setup PKI environment with publicly published CRLs etc, your own certificates wont work, and you wont find out what’s wrong, until you have migrated users, and carnage/downtime will ensue! BUY A CERTIFICATE: I’d recommend a wildcard cert for your public mail domain.

O365 Certificates


User UPN’s: I’ve already covered this before in the past, things will be a lot easier, if you change all your users UPN’s to match their Email addresses.

Set UPN Correctly


For more information, see the following article;

Changing Domain Users’ ‘User Logon Names’ and UPN’s

Step 2: Onsite Preparation

Fail to prepare – prepare to fail.

What most people fail to do is make sure both their AD domain, and existing Exchange is healthy, (just because everything appears to be working, doesn’t mean everything is healthy). Install the latest cumulative update for your on-premise Exchange server ,and dig into the logs to make sure everything is as it should be!

Mailbox Replication Proxy Service

MRS Proxy is at the same solution we use for ‘cross-forest’ mailbox migrations, and your on-prem Exchange will act as the MRS proxy for your mailbox migration. To enable MRS Proxy: Exchange Admin Center > Servers > Virtual Directories > EWS > Edit.

EWS Virtual Directory

General > Enable MRS Proxy Endpoint > Save

Exchange 2013 Enable MRS Proxy

You can also check the service is running, (Windows Key +R > Services.msc {Enter}).

Exchange 2013 Check MRS Service

Exchange 2010 Note: If you’re running Exchange 2010, you can enable MRS Proxy with the following PowerShell command;

Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyConnections 50

Azure Active Directory Connector

You can download the Azure AD connector from Microsoft, it can be installed on any member server. It will replicate your users and groups etc, into Office 365. Download and execute the installer > Tick ‘I agree….’ >  Continue.

Azure AD Connect

Use Express Settings.

Note: You would only NOT use Express settings if you only wanted to replicate certain groups or sub domains, or if you wanted to use ADFS, (for example because you already had Azure secured services).

Azure AD Connect Express

Provide your office 365 logon details > Next.

Azure AD Connect Remote Credentials

Provide logon details for your on-premise domain > Next.

Azure AD Connect Local Credentials

You will probably only see your local domain, and it will be flagged ‘Not Added’ that’s fine, below you can see my public domain because it’s already been added to office 365, (I’ll cover that later) > Next.

Azure AD Connect Sign In Config

Tick ‘Exchange hybrid deployment’ > Install.

Azure AD Connect Exchange Hybrid

Read and act on any warnings > Exit.

Azure AD Connect Complete

Note: If, (as above) it asks you to enable the ‘AD Recycle bin’, see the following post;

Windows Server 2016: Active Directory Recycle Bin

It will take a while, (depending on the size of your AD,) to replicate.

Azure AD Connect Syncing

After a while you will start to see all your users appear in your office 365 portal, as they are replicated across.

AD Users Synced to O365

Enable Exchange Hybrid Deployment

Back in Exchange admin Center > Hybrid > Configure > Sign into Office 365.

Exchange Hybrid Setup

Once authenticated, notice the URL changes to Exchange online! > Configure.

Hybrid Office 365

Click here > Install.

Launch Exchange Hybrid Wizard


Configure Office 365 Exchange Hybrid


Hybrid connection wizard

I only have one on-premise Exchange server, so that’s selected,( if you had multiple servers, choose the one you want to use) > Next.

Hybrid onsite Connector

Sign in.

Hybrid Exchange Connecto Office 365

Once authenticated > Next.

Hybrid Office Online Account

Full Hybrid > Next.

Full Hybrid Configuration

Enable.Office 365 Enable Federation Trust

You need to create a ‘text’ record in your public DNS to proceed.

Office 365 Hybrid Verify Doamin Ownership

So I’ve jumped on my public DNS host management portal, and created the text record required.

Create Hybrid Exchange DNS Record

Tick ‘I have created…..’ > Verify > Next.

Hybrid Fereated daomin verified

I dont have any ‘Edge Transport Servers’ > Next.

Configure CAS and Mailbox for Hybrid

Again I only have one, if you have multiple CAS servers, select the one you want > Next.

Hybrid Receive Connector

And again for the ‘Send Connector’ select the CAS server that will connect to Office 365 > Next.

Hybrid Send Connector

Select your certificate. MAKE SURE it has selected a publicly signed one, NOT a self signed one! > Next.

Hybrid Exchange Transport Certificate

Enter the correct public FQDN for your on-prem Exchange > Next.

Note: This must match either the CN on your certificate, or if it’s a wildcard certificate, the domain must be the same.

Hybrid Exchange Onsite FQDN


Office 365 Hybrid Configuration


How To Configure Office 365 Hybrid

So far so good, in Part Two, I’ll add my public domain to my Office 365 account and start migrating some users.


Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. It made my day.
    Though I have completed my current project using a third party named Shoviv email migration.
    But this step by step guide helps to clarify every concerns and proceed further in safer way.

    Post a Reply
    • Click the link above that says Part Two ?


      Post a Reply
  2. if you do have Edge Transport server, what to do when you get to that step above?
    click next to go thru all the process and do it again for Edge Transport?

    Post a Reply
    • You simply need to tick that you have a Edge Transport connector?

      Post a Reply
  3. This worked very well for me. Just a few comments: I was using Firefox as my default browser and when I clicked the “Configure” tab it was trying to download the files instead of running the configuration tool. I had to install Edge and then use that to launch the hybrid configuration wizard.

    Also, the pattern of dialog boxes that appeared during the configuration was slightly different. I think this was because I had a tenant already set up with the company domain connected and set as the default domain (i.e., instead of So I didn’t need to go through that part of the configuration.


    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *