Exchange Hybrid in a complex environment
Exchange Hybrid in a complex environment | Ingo Gegenwarth | 13:15 – 14:30 June 21, 2017
About me:
Ingo Gegenwarth
IT Principal Consultant @SAP
MCM Exchange 2010
Office Server and Services MVP
Blog:
https://ingogegenwarth.wordpress.com/
Twitter:
@IngoGegenwarth
E-mail:
ingo@thecluelessguy.de
Follow us:
#O365ENGAGE17
Agenda
• Azure Active Directory Connect (AAD Connect)
• Free/Busy lookups
• Cross-Premises access
• Mail Routing
• Office 365 Groups
• Public Folders
• Security & Compliance
• Q&A
Azure Active Directory Connect
What are we talking about?
Sample Configuration
• 2 independent infrastructures
• Both have MX and Autodiscover pointing to on-premises
• Only one company all mailboxes in O365
• SPF record not including spf.protection.outlook.com
• Centralized routing configured
Simple Scenario
Diagram: Fabrikam Corp. (fabrikam.com) synchronized by Azure AD Connect to the tenant fabrikam.onmicrosoft.com (mail.fabrikam.onmicrosoft.com)
• One forest with only one Active Directory Domain
• Standard setup with one sync server
• Optional additional server in “staging mode”
Complex Scenario
• At least two forests with one or multiple Active Directory Domains
• Non-standard setup with one sync server and multiple connectors
• Optional additional server in “staging mode”
• Non-existing trust on Forest level
Challenges
• SourceAnchor
In-depth planning about what to use as sourceAnchor. Think about users moving within the organization. Updating ImmutableID using Set-MsolUser is NOT possible anymore since 5/15/2017.
• Initial setup
  • Only a Forest can be added: AAD Connect uses System.DirectoryServices.ActiveDirectory.Forest.GetForest when connecting to an Active Directory Forest
  • AAD Connect server needs access to any DC
Possible solutions
• SourceAnchor
Use mS-DS-ConsistencyGuid as sourceAnchor and populate it with unique values from leading systems (e.g.: HR) or with the ObjectGUID
• Initial setup
A connector can only be scoped AFTER the initial setup. This means you need to trick the AAD Connect server: create a DNS zone with a subset of entries for the forest for which a connector needs to be created
Possible solutions
Note: With version 1.1.524.0 released in May, AAD Connect started to use mS-DS-ConsistencyGuid as sourceAnchor by default for new deployments. It will also populate it if empty. This might cause AD replication issues in larger environments. Existing setups are not changed.
https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-version-history
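Added example (not from the deck): populating mS-DS-ConsistencyGuid from the ObjectGUID for the users of one forest, after checking that no anchor value is already in use twice. It assumes the ActiveDirectory module and an OU of your choice in $SearchBase (placeholder); the -WhatIf makes it a dry run.

```powershell
# Added example: seed mS-DS-ConsistencyGuid from ObjectGUID where it is still empty.
# Existing values are never touched: they are the anchor Azure AD already knows, and
# the deck notes that Set-MsolUser can no longer rewrite ImmutableID.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=fabrikam,DC=com'   # placeholder, adjust to your forest

$users = Get-ADUser -SearchBase $SearchBase -Filter * `
    -Properties 'mS-DS-ConsistencyGuid', ObjectGUID

# Uniqueness check: two on-premises objects with the same sourceAnchor would
# fight over one Azure AD object, so stop before writing anything.
$dupes = $users |
    Where-Object { $_.'mS-DS-ConsistencyGuid' } |
    Group-Object { [Convert]::ToBase64String($_.'mS-DS-ConsistencyGuid') } |
    Where-Object Count -gt 1
if ($dupes) {
    $dupes | ForEach-Object { Write-Warning "Duplicate sourceAnchor: $($_.Name)" }
    throw 'Resolve duplicate mS-DS-ConsistencyGuid values before continuing'
}

# Populate only where empty. Azure AD stores the same 16 bytes as ImmutableId in
# Base64, so the printed value can be compared with Get-MsolUser/Get-AzureADUser
# output after the next sync cycle.
foreach ($u in $users | Where-Object { -not $_.'mS-DS-ConsistencyGuid' }) {
    $bytes = $u.ObjectGUID.ToByteArray()
    Set-ADUser -Identity $u -Replace @{ 'mS-DS-ConsistencyGuid' = $bytes } -WhatIf
    '{0,-30} ImmutableId={1}' -f $u.SamAccountName, [Convert]::ToBase64String($bytes)
}
```

Remove -WhatIf once the dry-run output looks right.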
Free/Busy lookups
Diagram: Contoso Ltd. and Fabrikam Corp. are two on-premises organizations that share one tenant. Free/Busy between the two on-premises organizations flows over an Org. Relationship, free/busy towards the shared tenant over an IntraOrganizationConnector (IOC). Objects in the diagram (PrimarySmtpAddress, targetAddress):

Shared tenant
• jane@fabrikam.com, targetAddress: $null (mailbox)

Contoso Ltd. (on-premises)
• joe@contoso.com, targetAddress: $null (mailbox)
• bill@contoso.com, targetAddress: bill@fabrikam.com (MEU for Bill)
• jane@fabrikam.com, targetAddress: jane@mail.fabrikam.onmicrosoft.com (MEU for Jane)

Fabrikam Corp. (on-premises)
• bill@fabrikam.com, targetAddress: $null (mailbox)
• joe@fabrikam.com, targetAddress: joe@contoso.com (MEU for Joe)
• jane@fabrikam.com, targetAddress: jane@mail.fabrikam.onmicrosoft.com (MEU for Jane)
F/B lookup: Org. Relationship
Diagram: same objects as on the previous slide (Joe's mailbox and the MEUs for Bill and Jane in Contoso Ltd., Bill's mailbox and the MEUs for Joe and Jane in Fabrikam Corp., Jane's mailbox in the shared tenant); the numbered arrows are the steps below.
1. Joe wants to retrieve F/B for Bill
2. Local server finds the MEU with targetAddress bill@fabrikam.com
3. Local server finds the Org. Relationship
4. + 5. Local server contacts the MFG to retrieve a token
6. Local server sends the request to the remote server
7. + 8. Remote server pulls the data from the mailbox
9. + 10. Remote server sends the data back to the local server, which sends them to Joe
F/B lookup: IOC (OAuth)
Diagram: same objects as on the slide before; the Azure Authentication System sits between the local server and the shared tenant, and the IntraOrganizationConnector (IOC) is defined on both sides.
1. Bill wants to retrieve F/B for Jane
2. Local server finds the MEU with targetAddress jane@mail.fabrikam.onmicrosoft.com
3. Local server finds the IntraOrganizationConnector
4. + 5. Local server contacts Azure to retrieve an ACS token
6. + 7. Local server retrieves the data
8. Local server sends the data to Joe
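Added example (not from the deck): a helper that reproduces the lookup order of the two F/B diagrams for one address, run in the local (on-premises) Exchange Management Shell. The recipient's targetAddress is exposed as ExternalEmailAddress; the domain of that address decides whether an IOC (OAuth) or an Org. Relationship (MFG token) applies. The function name is mine, the addresses are the deck's.

```powershell
# Added example: which path will a F/B request for this address take?
function Resolve-FreeBusyPath {
    param([Parameter(Mandatory)][string]$Address)

    $rcpt  = Get-Recipient -Identity $Address -ErrorAction Stop
    $route = [ordered]@{
        Address       = $Address
        RecipientType = $rcpt.RecipientTypeDetails
        TargetAddress = "$($rcpt.ExternalEmailAddress)"   # e.g. SMTP:bill@fabrikam.com
        Via           = 'local mailbox, no remote lookup'
    }
    # Step 2 of both diagrams: without a targetAddress there is nothing to follow
    if (-not $route.TargetAddress) { return [pscustomobject]$route }

    $domain = ($route.TargetAddress -replace '^(?i)smtp:', '').Split('@')[-1]

    # Step 3, IOC case: the path towards the shared tenant (token from Azure)
    $ioc = Get-IntraOrganizationConnector | Where-Object {
        $_.Enabled -and (($_.TargetAddressDomains | ForEach-Object { "$_" }) -contains $domain)
    }
    if ($ioc) {
        $route.Via = "IOC '$($ioc.Name)' (OAuth token from Azure)"
        return [pscustomobject]$route
    }

    # Step 3, Org. Relationship case: the path between the two on-premises organizations
    $orgRel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and $_.FreeBusyAccessEnabled -and
        (($_.DomainNames | ForEach-Object { "$_" }) -contains $domain)
    }
    if ($orgRel) {
        $route.Via = "Org. Relationship '$($orgRel.Name)' (token from the MFG)"
        return [pscustomobject]$route
    }

    $route.Via = "no IOC or Org. Relationship covers '$domain': F/B lookup will fail"
    [pscustomobject]$route
}

# The deck's two cases seen from the Contoso side: Bill is an MEU pointing at
# Fabrikam on-premises, Jane is an MEU pointing at the shared tenant.
Resolve-FreeBusyPath -Address 'bill@contoso.com'
Resolve-FreeBusyPath -Address 'jane@fabrikam.com'
```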
Mail routing
Mail routing
Mail routing heavily depends on your scenario and affects at least
the following topics:
• Centralized Mail Transport (CMT) either On-Premises or EOP
• Journaling
• OneDrive for Business
• Office 365 Groups and Microsoft Teams
Mail routing
Centralized
Mail Transport
If you have multiple
organizations in your
tenant CMT can be
achieved only by
Transport Rule.
Note: You need to make
sure that an exception is
in place to avoid loops!
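Added example (not from the deck): one way to build the rule-based CMT for the Fabrikam mailboxes in the tenant together with the loop exception the slide asks for. Assumed names: an outbound connector 'Outbound to Fabrikam' and a custom header 'X-Fabrikam-CMT' that an on-premises rule stamps before mail is handed to EOP (a hypothetical header, not a Microsoft one).

```powershell
# Added example: rule-based Centralized Mail Transport with a loop exception.
$connector  = 'Outbound to Fabrikam'   # assumed outbound connector to Fabrikam on-premises
$loopHeader = 'X-Fabrikam-CMT'         # assumed custom header, stamped on-premises

# On-premises Exchange: mark every external message that leaves through the
# on-premises servers, so EOP can tell a relayed message from a fresh one.
New-TransportRule -Name 'Fabrikam CMT stamp' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -SetHeaderName $loopHeader -SetHeaderValue 'relayed' `
    -Comments 'On-premises: marks mail that already passed through CMT'

# Exchange Online: route external mail from Fabrikam senders back on-premises,
# except when the stamp is present (that message already came from on-premises and
# sending it back would loop). Audit mode first; switch to Enforce after checking
# the message trace shows only the expected matches.
New-TransportRule -Name 'Fabrikam CMT route' `
    -SenderDomainIs 'fabrikam.com' -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $connector `
    -ExceptIfHeaderMatchesMessageHeader $loopHeader -ExceptIfHeaderMatchesPatterns 'relayed' `
    -Mode Audit -Priority 0 `
    -Comments 'Centralized Mail Transport for Fabrikam; exception prevents routing loops'
```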
Mail routing
Understand the importance of your Send Connector and the
certificates used to secure communications
Mail routing
In a Hybrid environment at least
2 send connectors exists:
• For internet (AddressSpaces:*)
• For mail flow between On-
Premises and your tenant
(AddressSpaces:
fabrikam.mail.onmicrosoft.com)
AddressSpaces:
SMTP:*
AddressSpaces:
SMTP:fabrikam.mail.onmicrosoft.com
Mail routing
A Hybrid configuration contains:
• Send/Receive-Connector in On-Premises
• Inbound/Outbound-Connector in Office 365
If Centralized Mail Routing is done through On-Premises, the Inbound-Connector can cause issues related to SPF:
• The match is based on the used certificate/IP address
• EOP cannot distinguish which Send-Connector was used On-Premises
• If it matches, the message gets attributed to your tenant (originating vs. incoming SPF check)
Mail routing
w/o InboundConnector
• Message sent to your tenant
  • Treated as incoming by EOP
  • SPF check performed against On-Premises servers IP address
• Messages sent to another Office 365 customer
  • Treated as incoming by EOP
  • SPF check performed against On-Premises servers IP address
Diagram: 1 = message to your tenant, SPF check successful; 2 = message to another Office 365 customer, SPF check successful
Mail routing
InboundConnector
Message sent to another Office 365 customer
• EOP finds a matching connector
• EOP attributes the message to your tenant
• EOP routes message to other customer in different EOP region
• EOP in customer region performs SPF check against EOP IP address, which fails*
Diagram: hop 1 (On-Premises to your EOP): SPF check successful, attributed to your Org; hop 2 (your EOP to the other customer's EOP region): SPF check fail
* If SPF record doesn’t include EOP
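Added example (not from the deck): a pre-flight check before routing through On-Premises with an Inbound-Connector in place. It lists what EOP matches on, which outbound connectors carry CMT traffic, and whether the published SPF record of each sending domain already includes EOP, which is the condition marked with * above. Assumes an Exchange Online PowerShell session and the Windows DnsClient module (Resolve-DnsName); the domains are the deck's sample ones.

```powershell
# Added example: connector inventory plus SPF coverage check for EOP.
$domains = 'fabrikam.com', 'contoso.com'

# Inbound connectors: what EOP uses to attribute a message to your tenant
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, TlsSenderCertificateName,
        @{ n = 'SenderIPs'; e = { $_.SenderIPAddresses -join ',' } },
        RestrictDomainsToCertificate, RestrictDomainsToIPAddresses |
    Format-Table -AutoSize

# Outbound connectors: the ones that send mail back to On-Premises for CMT
Get-OutboundConnector |
    Select-Object Name, ConnectorType, Enabled, RouteAllMessagesViaOnPremises,
        @{ n = 'SmartHosts'; e = { $_.SmartHosts -join ',' } } |
    Format-Table -AutoSize

# SPF: once a message is attributed to the tenant and relayed to another customer's
# EOP region, that region checks SPF against EOP's addresses, so the record must
# include spf.protection.outlook.com. TXT records longer than 255 chars arrive split,
# hence the join of $_.Strings.
foreach ($d in $domains) {
    $spf = @(Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' }) -match '^v=spf1'
    [pscustomobject]@{
        Domain      = $d
        SpfRecord   = $spf -join ' | '
        IncludesEOP = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
    }
}
```

A domain with IncludesEOP = False matches the deck's sample configuration and is the case where the second hop fails.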
Mail routing
Journaling
• Do journaling based on group membership
• Use a dedicated SMTP namespace
• Dedicated outbound connector
Mail routing
OneDrive for Business
• SPO doesn’t support CMT when sharing from the web interface
Mail routing
Office 365 Groups and Microsoft Teams
• Microsoft Teams doesn’t support CMT
• Messages will be sent via dedicated infrastructure (not EOP)
Office 365 Groups
Office 365 Groups
With multiple organizations in a single tenant, you might face some challenges staying on top of the creation of Office 365 Groups.
Recommendations:
• Restrict group creation
• Usage of dedicated SMTP namespace (also for each
organization)
• Email address policies for each SMTP namespace
Office 365 Groups
Restrict group creation
• Create a Security group in your tenant
• Create in each organization a Security group whose members should be able to create Office 365 Groups, and let them sync
• Add these groups to the previously created group in the tenant
Office 365 Groups
“old” style
Connect-MsolService
# Group.Unified settings template (ID as documented for this template)
$Policy = Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b
$Setting = $Policy.CreateSettingsObject()
# Nobody may create groups except members of the synced "AllowedtoCreateGroups" group
$Setting["EnableGroupCreation"] = "false"
$Setting["GroupCreationAllowedGroupId"] = (Get-MsolGroup -SearchString "AllowedtoCreateGroups").ObjectId
New-MsolSettings -SettingsObject $Setting
Office 365 Groups
“new” style
Connect-AzureAD
# Verify the synced security group exists before referencing it
Get-AzureADGroup -SearchString "AllowedtoCreateGroups"
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
# Create the Group.Unified setting object from the template (only needed once per tenant)
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
# Read the setting back and restrict creation to the allowed group
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "AllowedtoCreateGroups").ObjectId
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).Id -DirectorySetting $Setting
Office 365 Groups
Note: Restricting group creation can affect other features, e.g. Microsoft Teams and Planner. Therefore make sure that “creators” have the needed permissions and licenses.
Office 365 Groups
Configure email address policies
#Fabrikam
New-EmailAddressPolicy -Name FabrikamGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.fabrikam.com" -ManagedByFilter {((EmailAddresses -like '*@fabrikam.com') -and (ExternalEmailAddress -like '*@fabrikam.com')) -or ((EmailAddresses -like '*@fabrikam.com') -and (ExternalEmailAddress -eq $null))}
Office 365 Groups
Configure email address policies
#Contoso
New-EmailAddressPolicy -Name ContosoGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -ManagedByFilter {((EmailAddresses -like '*@contoso.com') -and (ExternalEmailAddress -like '*@contoso.com')) -or ((EmailAddresses -like '*@contoso.com') -and (ExternalEmailAddress -eq $null))}
Public Folders
Public Folders
Challenges
• No control in EXO over which PF mailbox is associated with a mailbox (EffectivePublicFolderMailbox)
• A built-in algorithm is responsible for load balancing
• No policy (e.g.: New-PublicFolderPolicy) to assign PF mailboxes to mailboxes
• Autodiscover look-ups cause possible prompts for credentials for cross-org PF mailboxes and performance issues (continuous requests sent by Outlook)
Public Folders
Possible solutions
• Assign PF mailboxes to mailboxes as part of user provisioning
• Create a “Nirvana” PF folder with a non-existing email address and assign it to the users of organizations without any PF
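Added example (not from the deck): assigning the default public folder mailbox during user provisioning, keyed on the user's SMTP domain, so the built-in load balancing never picks a cross-org PF mailbox, plus an audit of mailboxes whose effective PF mailbox does not match. The PF mailbox names and the “Nirvana” object name are placeholders; Contoso is taken as the organization without PF. The function name is mine.

```powershell
# Added example: per-organization default PF mailbox at provisioning time (EXO shell).
$pfByDomain = @{
    'fabrikam.com' = 'PFMBX-Fabrikam-01'   # placeholder: Fabrikam's own PF mailbox
    'contoso.com'  = 'PFMBX-Nirvana'       # placeholder: object with a non-existing address
}

function Set-OrgPublicFolderMailbox {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx    = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $domain = $mbx.PrimarySmtpAddress.ToString().Split('@')[-1]
    if (-not $pfByDomain.ContainsKey($domain)) {
        throw "No PF mailbox mapping for domain '$domain' (user $Identity)"
    }
    Set-Mailbox -Identity $Identity -DefaultPublicFolderMailbox $pfByDomain[$domain]

    # Verify: EffectivePublicFolderMailbox must now be the assigned one,
    # not whatever the load-balancing algorithm chose earlier.
    Get-Mailbox -Identity $Identity |
        Select-Object PrimarySmtpAddress, DefaultPublicFolderMailbox, EffectivePublicFolderMailbox
}

# Provisioning step for one of the deck's users
Set-OrgPublicFolderMailbox -Identity 'jane@fabrikam.com'

# Audit: mailboxes whose effective PF mailbox is not the one their organization expects
Get-Mailbox -ResultSize Unlimited | Where-Object {
    $d = $_.PrimarySmtpAddress.ToString().Split('@')[-1]
    $pfByDomain.ContainsKey($d) -and "$($_.EffectivePublicFolderMailbox)" -ne $pfByDomain[$d]
} | Select-Object PrimarySmtpAddress, EffectivePublicFolderMailbox
```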
Security & Compliance
Security & Compliance
Challenges
• RBAC exists, but is not as flexible and granular as needed:
1. Think about your organizational structure. You might have dedicated teams for Exchange, Skype for Business, OneDrive for Business …. Are all teams allowed to search and modify content from different workloads?
2. In our scenario, are Contoso administrators allowed to do so with Fabrikam user data, and vice versa?
• Permissions need to be assigned on organization or team level and scoped to their area of responsibility
Security & Compliance
Possible solutions
• Create own RBAC role groups (this will not solve the scoping issue)
• Scoping can be done via New/Get/Set/Remove-ComplianceSecurityFilter
Security & Compliance
Examples
#restrict all search actions for Contoso mailboxes
New-ComplianceSecurityFilter -FilterName ContosoMailboxFilter -Users Contoso_eDiscovery -Filters "(Mailbox_EmailAddresses -like '*@contoso.com')" -Action All
#restrict all search actions for Contoso OneDrive for Business sites
New-ComplianceSecurityFilter -FilterName ContosoODFBFilter -Users Contoso_eDiscovery -Filters "Site_Site -eq 'https://contoso-my.sharepoint.com'" -Action All
Summary
• AAD Connect
• Free/Busy data look-ups
• Mail routing
• Office 365 Groups
• Public Folders
• Security & Compliance Center
Related sessions
• What You Need to Know About Migrating to Exchange Online in 2017
  • Steve Goodmann – 20 June, 10:15 – 11:30 Room D
• The Latest and Greatest on Hybrid Exchange
  • Siegfried Jagott – 20 June, 14:15 – 15:30 Room D
• How to Prepare, Build, and Manage Real-Life, Complex Hybrid Deployments
  • Michael Van Horenbeeck – 22 June, 10:45 – 12:00 Room B
Questions? | Thank You!
Ingo Gegenwarth
ing@thecluelessguy.de
We’d like to know what you think!
Please fill out the evaluation form you
received at the registration desk for this
session
Session recordings and materials:
Materials will be available on
Office365Engage.com soon