Microsoft just introduced the new Hybrid Agent Public Preview. This represents a small, but important, step toward making it easier for on-prem organizations to implement a hybrid configuration with Exchange Online.
Work on the new hybrid agent was announced at Microsoft Ignite 2018 in Orlando, FL to great fanfare. In this article, I’ll discuss what it all means and caveats for this implementation.
Hybrid Configuration Can Be Hard
Exchange hybrid configurations allow customers to use the Mailbox Replication Service (MRS) to move mailboxes between Exchange on-premises and Exchange Online using the native tools built into Exchange. A full hybrid configuration also allows users to share calendar free/busy information and provides secure mail flow between on premises and the Office 365 tenant. When implemented properly, a hybrid environment allows on-prem and cloud users to have very similar client experiences even though they are essentially in two distinctly different environments.
Microsoft recognizes that some customers find it difficult to implement an Exchange hybrid environment since it usually requires firewall and network changes to allow the inbound connectivity required for MRS moves. The newly introduced hybrid agent utilizes the same technology as Azure Application Proxy to make it easier for customers to move mailboxes. Microsoft calls this an “Exchange Modern Hybrid Topology."
How Exchange Modern Hybrid Works
I won’t repeat everything in the EHLO Blog post that introduces the new Modern Hybrid Topology, but here are the highlights:
- The new modern hybrid topology is only available for new hybrid Exchange configurations. You can’t use the new topology unless it’s the first time you run the Hybrid Configuration Wizard (HCW) or you remove your existing hybrid configuration.
- The HCW will create a secure Azure App Proxy configuration in Azure Active Directory.
- The HCW will walk you through installing the hybrid agent on the Exchange server you are running the HCW from.
- Once configured, the hybrid agent will poll Exchange Online for inbound MRS and free/busy requests to service. Since inbound connections from Office 365 to on-prem are being completed using an outbound connection from the Exchange server, you don’t need to modify your firewall or network connections for this traffic.
What it Doesn’t Do
First and foremost, the new Exchange hybrid agent only solves the issue of configuring inbound client access connections from Office 365. It does not work for SMTP mail flow, so you’re still going to need to configure and secure that on your external firewall(s) and configure certificates. Well over half of the work HCW does is to configure and secure mail flow, so this is important to understand.
Since a single Exchange hybrid agent services inbound connections using an outbound connection, it cannot be load balanced. If the server where the hybrid agent is installed becomes unavailable, MRS and free/busy requests cannot be serviced. Some measure of fault tolerance can be achieved by installing additional hybrid agents on other Exchange servers, but this is not supported yet. Of course, this isn’t an issue if you’re a small customer with a single Exchange server.
The Modern Hybrid Topology does not support hybrid modern auth, since HMA requires an interactive sign-in session. Customers frequently use HMA to implement multi factor authentication (MFA) on-prem. HMA is also required by the Outlook mobile app for the best experience and features. If you need HMA, go with the Classic Hybrid Topology.
MailTips, message tracking and multi-mailbox search do not traverse the hybrid agent. These features are typically required by larger organizations. If you need these features during coexistence you should use the Classic Hybrid Topology.
As mentioned, the new Modern Hybrid Topology is currently in preview. The Hybrid Team is actively working on improving functionality to fill some of the gaps mentioned above. Eventually, the Modern Hybrid Topology is expected to be extended to allow multiple agents for redundancy and fault tolerance
If you’re a customer who wants or needs the ability to move mailboxes from Exchange on-prem and Office 365 and vice versa, Exchange hybrid is the only way to go. If you’re a small customer who can get by with the limitations listed above, I encourage you to give Modern Hybrid Topology a try. If you find out later that Modern Hybrid isn’t working for you, you can always reconfigure Exchange hybrid with the Classic Hybrid Topology.