Using the Office 365 Hybrid Configuration Wizard Part 3

So far in this series we’ve ensured pre-requisites are in place for Office 365, checked the environment and took time to understand what changes the Office 365 Hybrid Configuration Wizard will perform. In this part of the series, we’ll optionally enable the Federation Trust and then run the Office 365 Hybrid Configuration Wizard.

Enabling the Federation Trust Feature (Optional)

After making the pre-requisite changes and performing the tests, it should be safe to perform the Hybrid Configuration. One feature configured by the Hybrid Configuration Wizard requires DNS records to be added during the wizard. Many organizations prefer to add the DNS TXT records before running the Hybrid Configuration Wizard so that the wizard completes without warnings.

To identify the required DNS TXT records, the Federation Trust can be enabled prior to executing the Hybrid Configuration Wizard with little to no risk. After enabling the Federation Trust, an Exchange Management Shell cmdlet can be executed to retrieve the correct DNS record.

Enable the Federation Trust feature in Exchange 2013 or Exchange 2016 by accessing the Exchange Admin Center on-premises and navigating to Organization > Sharing. Underneath the Federation Trust heading choose Enable, as shown below:


Figure 1: Enabling the Federation Trust on Exchange 2013 / 2016

In Exchange 2010, enable the Federation Trust by accessing the Exchange Management Console and navigating to Organization Configuration and selecting New Federation Trust, as shown below:


Figure 2: Enabling the Federation Trust on Exchange 2010

After the Federation Trust is enabled, launch the Exchange Management Shell. Use the Get-FederatedDomainProof cmdlet as shown below to retrieve the Domain Proof:

Get-FederatedDomainProof -DomainName <Accepted Domain>


Figure 3: Obtaining Federation proof records manually

The cmdlet should return a number of records. The record to add as a Text (TXT) record is named Proof and appears as a Base64-encoded string. It is entered on a single line, with no spaces, and ends in two equals signs (==).

As shown in the example DNS control panel below, the DNS TXT record is entered for the domain itself rather than for a sub-domain. It can replace the Office 365 custom domain validation TXT record, which is no longer required:


Figure 4: Updating DNS
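Before running the wizard it is worth confirming that the Proof value is actually visible in public DNS, exactly as the wizard will see it. The following check is an added example and is not part of the original article; it assumes the Exchange Management Shell (for Get-FederatedDomainProof), the DnsClient module (for Resolve-DnsName), that the cmdlet output exposes the proof value in a property named Proof, and uses a public resolver address as a placeholder you should replace with one of your choice.

```powershell
# Added example, not from the original article. Assumes the Exchange Management
# Shell, the DnsClient module, and that Get-FederatedDomainProof returns the
# proof string in a property named Proof (assumption).
function Test-FederatedDomainProofRecord {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Optional: supply the proof directly (e.g. copied from the wizard)
        [string]$ExpectedProof,
        # Query an external resolver so the result reflects public DNS rather
        # than a split-brain internal zone. Placeholder: use your own resolver.
        [string]$DnsServer = '8.8.8.8'
    )

    if (-not $ExpectedProof) {
        $ExpectedProof = (Get-FederatedDomainProof -DomainName $DomainName).Proof
    }
    # The article requires a single line with no spaces, ending in '=='
    $ExpectedProof = $ExpectedProof -replace '\s', ''
    if ($ExpectedProof -notmatch '==$') {
        Write-Warning "Proof value does not end in '==': check it was copied in full"
    }

    # TXT records must be published at the domain apex, not a sub-domain
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' }

    # Long TXT values are returned as several strings; join them before comparing
    $published = foreach ($r in $txt) { ($r.Strings -join '') -replace '\s', '' }

    [pscustomobject]@{
        DomainName     = $DomainName
        ProofPublished = [bool]($published -contains $ExpectedProof)
        TxtRecordsSeen = @($published).Count
    }
}

# Usage (constructed placeholder domain):
Test-FederatedDomainProofRecord -DomainName 'contoso.example'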

Performing the Hybrid Configuration

To begin the Office 365 Hybrid Configuration Wizard, open a web browser on the Exchange Server and navigate to the following URL:


Figure 5: Accessing the Office 365 Hybrid Configuration Wizard using a web browser

The Office 365 Hybrid Configuration Wizard will begin to download. When prompted, choose Install, as shown below:


Figure 6: Launching the HCW Installer

The installation for the Office 365 Hybrid Configuration wizard will begin. The wizard downloads data it needs as part of the installation from a Microsoft domain under

After the Office 365 Hybrid Configuration Wizard completes installation, it will launch automatically. The new wizard will attempt to detect the best server to use within your organization, but also provide you the opportunity to select a preferred server to run the wizard against.

After selecting the On-premises Exchange Server Organization, you’ll be given the opportunity to select the Office 365 Exchange Online option. For most Microsoft customers this will be the default – Microsoft Office 365:


Figure 7: Selecting the Exchange Server to run the HCW against

On the next page of configuration for the Hybrid Configuration Wizard it is necessary to enter credentials for Office 365 and On-Premises. These credentials are only used for the duration of the execution of the Hybrid Configuration Wizard and are not stored within the configuration.

First enter on-premises credentials that possess Organization Management permissions, or if the account you are using has sufficient rights, choose Use current Windows credentials.

For the Exchange Online connection used by the Hybrid Configuration Wizard it is necessary to enter the credentials of a Global Administrator (or, technically, a user with Organization Management permissions within your tenant). After entering appropriate credentials, choose Next.


Figure 8: Entering the credentials to use with the HCW

On the next page of the wizard the credentials and the connection will be tested to ensure that the wizard can continue. As with the subsequent pages in the wizard, should an error be encountered, guidance will be given. In general, if you’ve followed the guidance in this series you should not expect to encounter an issue at this stage:


Figure 9: Validating the credentials against on-premises and online

Next, we’ll select the domains to use for our Exchange Hybrid configuration. These are typically the domains you use for SMTP mail flow and in particular should include the domains used for primary SMTP addresses. By selecting the correct domains here, you ensure that mail to these domains will always flow back to on-premises using the correct connector, and that Free/Busy and Sharing will work correctly in both directions.

During the wizard, tests are performed to look up Autodiscover information for each Hybrid domain. If you do not have Autodiscover configured correctly for all of these domains, select a domain that does have Autodiscover correctly configured. This is typically your primary domain, and the Microsoft connectivity tests performed earlier in this series should have identified at least one such domain:


Figure 10: Selecting Hybrid domains and, optionally, selecting a single Autodiscover domain

On the next page of the wizard the Federation Trust will be created if it wasn’t created in the previous step. If you didn’t choose to pre-create and register the entries earlier in this guide, select the copy to clipboard option and add the records to your external DNS. After ensuring that the records are in the external DNS, select I have created a TXT record for each token in DNS, then choose Verify domain ownership to perform the pre-requisite lookup tests. Once the tests are successful, choose Next:


Figure 11: Verification of Federation Proof records

The Hybrid Configuration Wizard will next require input to choose the types of servers to use for SMTP mail transport, and whether to route mail through on-premises (known as Centralized Mail Transport within the wizard) or to deliver mail directly.


Figure 12: Selecting options for mail transport

If you need to use Centralized Mail Transport, select Advanced and then select Enable Centralized Transport:


Figure 13: Options to enable Centralized Mail Transport

Select the option that matches the decisions made earlier in this series, then choose Next.

On the next page of the Wizard it is necessary to select the servers used for receiving mail from Office 365. As mentioned in the first part of the series these will typically be the organization’s Internet-facing servers that are the target of the inbound SMTP DNS name.

For Exchange 2010, these will be servers with the Transport role. For Exchange 2013, these will be servers with the Client Access role, and for Exchange 2016 these will be servers with the Mailbox role.

Select the servers and choose Next:


Figure 14: Selecting the servers for Hybrid receive connectors

For outbound mail, select the Exchange servers that will be bound to the Office 365 Send Connector. Often in a best practices multi-role deployment these will be the same servers. With Exchange 2010 these will be servers hosting the Transport role, and for Exchange 2013 and 2016 these will be servers hosting the Mailbox role.

After selecting the servers, choose Next:


Figure 15: Selecting the servers for the Hybrid send connector

In the next step the SSL certificate to use with the Hybrid Send and Receive connectors must be selected. The wizard will store the Thumbprint of the certificate.

The list will show the SSL certificates that have been installed on all Exchange Hybrid servers selected in the previous two steps. Select the SSL certificate decided upon in part one of the series and choose Next.


Figure 16: Selecting the SSL certificate for Hybrid mail transport

To match the SSL certificate, enter the FQDN that will be used for mail flowing from Office 365 through or into Exchange, then choose Next:


Figure 17: Entering the Hybrid mail transport DNS name
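The wizard only records the certificate thumbprint, so a certificate that is missing from one of the selected servers, not enabled for SMTP, or that does not cover the FQDN entered above will surface as a mail-flow failure later rather than as a wizard error. The following check is an added example, not part of the original article; it assumes the Exchange Management Shell (Get-ExchangeCertificate) and uses placeholder server names, thumbprint and FQDN that you replace with the values chosen in the previous steps.

```powershell
# Added example, not from the original article. Assumes the Exchange Management
# Shell; server names, thumbprint and FQDN below are placeholders.
function Test-HybridTransportCertificate {
    param(
        [Parameter(Mandatory)][string[]]$HybridServers,  # servers selected for send/receive
        [Parameter(Mandatory)][string]$Thumbprint,       # thumbprint chosen in the wizard
        [Parameter(Mandatory)][string]$MailFqdn          # name entered in the wizard
    )
    foreach ($server in $HybridServers) {
        # The same certificate must be installed on every server bound to the connectors
        $cert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
        if (-not $cert) {
            [pscustomobject]@{ Server = $server; Installed = $false; SmtpEnabled = $null
                               NameMatches = $null; DaysLeft = $null }
            continue
        }
        # The FQDN must be covered by the subject or a SAN entry; '-like' lets a
        # wildcard entry such as *.contoso.example match mail.contoso.example
        $nameOk = $false
        foreach ($d in $cert.CertificateDomains) {
            if ($MailFqdn -like "$d") { $nameOk = $true; break }
        }
        [pscustomobject]@{
            Server      = $server
            Installed   = $true
            SmtpEnabled = [bool]("$($cert.Services)" -match 'SMTP')
            NameMatches = $nameOk
            DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Usage (constructed placeholders):
Test-HybridTransportCertificate -HybridServers 'EX01', 'EX02' `
    -Thumbprint '<thumbprint from the wizard>' -MailFqdn 'mail.contoso.example'
```

Any row showing Installed or NameMatches as False, or a small DaysLeft value, should be resolved before choosing Update in the wizard.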

After entering all configuration details within the wizard choose Update to apply the configuration:


Figure 18: Confirming details and choosing to update or create the Hybrid configuration

The Office 365 Hybrid Configuration will be applied. The first time it is executed this can typically take between 10 minutes and upwards of 30 minutes, depending on the size of your organization. Tasks that delay execution include the enablement of organization customization, which is only performed once, and the update of Email Address Policies.


Figure 19: Showing the HCW in progress

After the Hybrid Configuration Wizard completes, all settings listed under Understanding the changes the Hybrid Configuration Wizard makes, earlier in this series, should be applied, and you can choose to close the wizard:


Figure 20: A successful HCW completion screen

If any errors occurred or any warnings were generated, these will be listed. You will see a description of any errors, alongside a link to read more about the error and aid troubleshooting:


Figure 21: Errors generated by the HCW along with potential solutions

After closing the wizard, you will also see a newly installed application, with a shortcut configured on the desktop. You can use this to re-launch the Office 365 Hybrid Configuration Wizard at a later date:


Figure 22: HCW Icon


In this part of the series, we’ve successfully executed the Office 365 Hybrid Configuration Wizard. In the next part of this series, we’ll begin post-configuration changes to Exchange.