Just a few weeks ago, Microsoft announced a new feature in its line-up of hybrid Exchange capabilities: the Minimal Hybrid Configuration option. With the introduction of this new capability, Microsoft seems to have responded to a long-standing question from customers who can now move mailboxes to Office 365 without the need to deploy a ‘full’ Hybrid configuration.
What is the Minimal Hybrid Configuration?
As the name already somewhat implies, the Minimal Hybrid Configuration only configures the bare essentials for you so you can move a mailbox to Office 365 and benefit from the goodies a hybrid mailbox move brings. Without any doubt, the biggest advantage of a hybrid mailbox move is that it does not require Outlook’s offline cache to be resynchronized once it’s moved to Office 365. That is also one of the main reasons why a lot of organizations choose a hybrid deployment, even if their organization is quite small or doesn’t need any of the additional hybrid functionalities.
When selecting the Minimal Configuration, the following features are NOT configured:
- Secure cross-premises mail flow
- Cross-premises Free/Busy, eDiscovery or Archiving
- OWA redirection for migrated users
Does this mean that you are confined to only moving mailboxes in a Minimal Configuration? Not exactly! It’s not because the wizard does not take care of, for example, cross-premises mail flow, that you can’t do it yourself. In fact, cross-premises mail flow might not be the best example as it will work out of the gate. This is because the on-premises Mail-Enabled User object will get stamped with a target address pointing to your Office 365 tenant after it’s been migrated. As such, emails will automatically be forwarded to the recipient in Office 365. The biggest difference between the Minimal Configuration and the Full Configuration is that, in this Minimal Configuration case, no explicit TLS is configured; messages could be traveling across the internet in plain SMTP. If you really worry about your messages potentially traveling in plain SMTP, you can always configure connectors in your on-premises organization and Office 365 to require TLS yourself. You could also configure cross-premises Free/Busy yourself. But ask yourself this: if you plan on configuring those features anyway, why not choose the full hybrid option in the first place?
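One way to require TLS on both sides yourself, as an added example that is not from the original article or from Microsoft's wizard. The connector names, the server name `EX01`, `contoso.example` and `mail.contoso.example` are placeholders, and `mail.protection.outlook.com` is assumed to be the name on the certificate Exchange Online presents.

```powershell
# Added example. All names, servers and domains are placeholders (assumptions).
# Define these variables in both PowerShell sessions used below.
$coexistenceDomain = 'tenant.mail.onmicrosoft.com'  # coexistence domain as named in the article
$onPremDomain      = 'contoso.example'              # placeholder: your accepted mail domain
$onPremHost        = 'mail.contoso.example'         # placeholder: name on your third-party certificate

# --- Part 1: on-premises Exchange Management Shell ---
# Mail for migrated mailboxes is forwarded to the coexistence domain, so scope the connector to it.
# RequireTLS makes delivery fail instead of falling back to plain SMTP;
# DomainValidation additionally checks the remote certificate against TlsDomain.
New-SendConnector -Name 'To Office 365 (TLS required)' `
    -AddressSpaces "SMTP:$coexistenceDomain;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers 'EX01' `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain 'mail.protection.outlook.com'

# --- Part 2: Exchange Online PowerShell ---
# Inbound: accept mail from the on-premises organization only over TLS,
# identified by the subject name on the on-premises certificate.
New-InboundConnector -Name 'From on-premises (TLS required)' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName $onPremHost

# Outbound: mail from migrated mailboxes back to on-premises recipients,
# sent to the on-premises host with certificate and name validation.
New-OutboundConnector -Name 'To on-premises (TLS required)' `
    -ConnectorType OnPremises `
    -RecipientDomains $onPremDomain `
    -UseMXRecord $false `
    -SmartHosts $onPremHost `
    -TlsSettings DomainValidation `
    -TlsDomain $onPremHost

# --- Verify the settings (run each line in the session it belongs to) ---
Get-SendConnector     | Format-List Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain  # on-premises
Get-InboundConnector  | Format-List Name, Enabled, RequireTls, TlsSenderCertificateName       # Exchange Online
Get-OutboundConnector | Format-List Name, Enabled, TlsSettings, TlsDomain                     # Exchange Online
```

With TLS required, a failed handshake or certificate mismatch leaves mail queued rather than delivered in clear text, so watch the on-premises queues with `Get-Queue` after the change.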
Why would I want to use the Minimal Hybrid Configuration?
As stated earlier, smaller organizations that do not need any of the advanced hybrid features can take advantage of the Minimal Configuration because it requires less preparation and less time to execute, and could therefore speed up your migration to Office 365.
Another great reason I can think of is organizations that have to deal with multiple on-premises forests and just care about on-boarding their partner organization to a single, shared, Office 365 tenant as quickly as possible. This would for example be the case during mergers and acquisitions. Although in the latter scenarios co-existing is often important too, there is something to be said for speeding up the onboarding process!
If you have read between the lines, the scenario of mergers and acquisitions means that you can, indeed, use the Minimal Configuration to set up “multi-forest” hybrid connections to a single tenant. Although you also have that option with the Full Hybrid option, it is much more cumbersome to implement.
Preparing for a Minimal Configuration
Because the Minimal Configuration does not configure any cross-premises functionality, or TLS for mail flow, it does not require a specific SMTP certificate to be available on all Exchange servers that will be part of the hybrid configuration.
On the other hand, you still need a valid 3rd party certificate to secure communications between Office 365 and your on-premises organization. The Minimal Configuration also does not change how you should treat your user identities. The same guidelines and requirements apply.
Similar to the full hybrid configuration, you should ensure that all email domains you intend to use with Office 365 (e.g. email domains in use as a primary or secondary address on a mailbox you intend to move) are registered and verified.
Under the hood
During my testing, I configured two different on-premises Exchange organizations in a minimal Hybrid configuration with a single tenant in no time. This is because there isn’t much to be configured. In that regard, the Minimal Configuration is very much like the “Simple MRS” migration that I’ve talked about before, albeit being supported now. That’s always a good thing!
So, what does the Minimal Configuration configure if it doesn’t take care of all the nifty hybrid features? The initial phase of the wizard is very similar. The Minimal Configuration will go out and fetch information about your current configuration so that it can intelligently build a list of actions to perform. In a pristine environment, the following items are configured.
In the on-premises organization:
- Two remote domains: one for the hybrid coexistence domain (tenant.mail.onmicrosoft.com) and one for the tenant domain name (tenant.onmicrosoft.com)
- A new accepted domain which matches the hybrid coexistence domain (tenant.mail.onmicrosoft.com); this is needed to allow emails to continue to be delivered before/after a mailbox move. As part of this process, the email address policy is also applied to update the various recipients’ proxyAddresses. Please note that this will only happen if recipients are marked to automatically update their email address based on email address policies. If you have disabled the option, you must manually add a coexistence address to those recipients (if you ever want to move them to Office 365, that is).
- The MRS proxy is enabled on Client Access Servers
In Office 365:
- An object to identify the on-premises organization (New-OnPremisesOrganization)
As part of the actions above, the wizard will also execute some additional tasks. In these, I found the following particularly interesting and a bit odd at the same time. I’ve reached out to Microsoft and asked for a bit more information:
- Create a default migration endpoint. Currently, this step failed in all my testing attempts. This is because the Test-MigrationServerAvailability command is called immediately after activating the MRS Proxy on all EWS virtual directories. However, in my experience the MRS Proxy doesn’t start to work until after performing an IIS Reset. As a result, a warning was displayed on the final page, accompanied with the error below in the log file. This is not such a big deal as you can always create a migration endpoint yourself, later.
CW8078 Migration Endpoint could not be created. Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
The connection to the server ‘mail.lab1.hybridexlab.com’ could not be completed.
- Right before completion, the wizard creates two “temporary” connectors in Office 365 and then removes them again. I suspect this is because the New-OnPremisesOrganization cmdlet requires you to specify both an Inbound and Outbound connector. It would otherwise fail to be created. Again, I don’t see any big problem in this approach as both connectors are disabled, configured with a non-existent namespace and only exist for a very short time. You would probably only notice when browsing through the log files (like I did!).
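Creating the migration endpoint yourself after the wizard's attempt fails, as an added example that is not from the original article. The endpoint name `OnPrem-Lab1` is a placeholder; the server name is the one from the log excerpt above.

```powershell
# Added example. 'OnPrem-Lab1' is a placeholder endpoint name (assumption).

# --- On-premises Exchange Management Shell, on the servers publishing EWS ---
# Confirm the wizard really enabled the MRS Proxy on every EWS virtual directory.
Get-WebServicesVirtualDirectory | Format-Table Server, Name, MRSProxyEnabled

# The article's observation: the MRS Proxy only starts answering after IIS is restarted.
# Run this on each Client Access Server, in a maintenance window.
iisreset /noforce

# --- Exchange Online PowerShell ---
$remoteServer = 'mail.lab1.hybridexlab.com'   # namespace from the article's log excerpt
$cred = Get-Credential                        # on-premises account with migration permissions

# Same check the wizard runs; only create the endpoint if it passes.
$check = Test-MigrationServerAvailability -ExchangeRemoteMove `
    -RemoteServer $remoteServer -Credentials $cred

if ($check.Result -eq 'Success') {
    New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-Lab1' `
        -RemoteServer $remoteServer -Credentials $cred
} else {
    # Surface the reason (certificate, authentication, proxy not reachable) instead of guessing.
    Write-Warning "MRS Proxy check failed: $($check.Message)"
}

# Confirm what was created.
Get-MigrationEndpoint | Format-List Identity, EndpointType, RemoteServer
```

The MRS Proxy endpoint accepts credentials from the internet, so use a dedicated migration account rather than a general administrator when prompted.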
Enabling a “Minimal Configuration”
To access the Minimal Configuration option, you start the Hybrid Configuration Wizard as you would normally do, and select the Minimal Hybrid Configuration option on the new “Hybrid Features” page:
Notice the mention of this option being “Recommended”; this is likely because the size of my Office 365 trial tenant is less than 20 users. Although I’m not a big fan of limiting a full Hybrid configuration to larger customers only, I do think that there is something to be said for guiding people to select the suitable option.
I really like the Minimal Configuration option, not in the least because I can now go to customers and offer them a simple migration method, with the benefits of a hybrid mailbox move and remain in a totally supported situation! Even though it might seem like another item that Microsoft can cross off its to-do list, it’s another potential deployment blocker that has been removed. That can only be a good thing, right?