This chapter covers Hybrid Exchange deployments and mail migration strategies for Microsoft 365, which is a key topic in MS-900 objective 2.2. You will learn about the architecture of hybrid deployments, the different migration paths (cutover, staged, IMAP, and hybrid), and how mail flow works in a hybrid environment. Expect 10-15% of exam questions to touch on these concepts, especially the differences between migration types and the prerequisites for a hybrid configuration.
Imagine your company is moving from one office building to another. You have a large filing cabinet of mail (on-premises Exchange). The new office (Exchange Online) is modern, but you can't move everything overnight. You hire a mail forwarding service (Hybrid Deployment) that connects both offices. During the move, you set up a shared receptionist (the Hybrid Server) that knows where each employee sits. When a customer sends a letter to the old address, the receptionist forwards it to the new office if the employee has moved; otherwise, it stays in the old filing cabinet. The receptionist also ensures that if an employee sends a letter from the new office, it appears to come from the old address so customers aren't confused. Over time, you move more employees to the new office, and the receptionist updates her records. Eventually, everyone is in the new office, and you cancel the forwarding service. This mirrors how Hybrid Exchange synchronizes mailboxes, routes mail, and allows a gradual migration without disrupting communication.
What is Hybrid Exchange and Why Does It Exist?
Hybrid Exchange is a configuration that connects an on-premises Exchange organization to Exchange Online in Microsoft 365, allowing mailboxes to exist in both environments while maintaining a unified global address list, free/busy calendar sharing, and seamless mail flow. It exists because most organizations cannot migrate all mailboxes at once due to business continuity, regulatory requirements, or complex integrations. A hybrid deployment provides a bridge, enabling a phased migration over weeks or months.
How Hybrid Exchange Works Internally
The core of a hybrid deployment is the Hybrid Configuration Wizard (HCW), which runs on an on-premises Exchange server (typically Exchange 2013 or later). The HCW performs the following:
Creates a federation trust between the on-premises organization and Microsoft 365 using Azure Active Directory (Azure AD).
Configures OAuth authentication for secure token-based communication.
Sets up an organization relationship that defines sharing policies for free/busy, mailbox moves, and message tracking.
Installs the Hybrid Agent (for newer deployments) or configures the Edge Transport server to handle secure mail flow.
Mail flow in a hybrid deployment uses centralized mail transport by default. Outbound mail from Exchange Online is routed through the on-premises Exchange server, which then delivers it to the internet. This ensures compliance with on-premises policies (e.g., journaling, transport rules). Inbound mail first arrives at on-premises, then is routed to Exchange Online if the recipient's mailbox is there. This is achieved by configuring the on-premises server as a smart host for Exchange Online.
Key Components and Defaults
Hybrid Configuration Wizard (HCW): The tool that configures all hybrid settings. It must be run from an on-premises Exchange server that can communicate with Exchange Online.
Hybrid Agent: A lightweight service that replaces the need for an Edge Transport server in newer hybrid deployments (Exchange 2019 CU10+). It runs on-premises and forwards mail to Microsoft 365 via HTTPS.
Organization Relationship: Defines sharing settings between on-premises and Exchange Online. Default settings include:
Free/busy access: Enabled with time slot details.
Mailbox moves: Enabled for cross-premises moves.
Message tracking: Enabled for cross-premises message tracing.
Federation Trust: Required for the organization relationship. Uses the Azure AD federation service.
OAuth: Used for authentication between on-premises and Exchange Online. Requires an authorization policy.
Configuration and Verification Commands
To verify a hybrid deployment, an administrator can use the following PowerShell commands:
# Check organization relationship
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessEnabled, MailboxMoveEnabled
# Check federation trust
Get-FederationTrust | Format-List Name, NamespaceProvisioner, TokenIssuerURI
# Check hybrid configuration status
Get-HybridConfiguration | Format-List
For mail flow verification, use message trace in the Exchange admin center or Get-MessageTrackingLog on-premises.
Migration Paths
Cutover Migration: For small organizations (fewer than 150 mailboxes). All mailboxes are migrated in a single batch over a few days. The on-premises Exchange server is decommissioned after migration. Requires all users to reconfigure their Outlook profiles.
Staged Migration: For medium organizations (up to 2000 mailboxes). Users are migrated in batches. Requires directory synchronization with Azure AD Connect. Each batch requires updating DNS records for MX and autodiscover.
IMAP Migration: For organizations migrating from non-Exchange systems (e.g., Gmail, Lotus Notes). Only migrates email, not calendar or contacts. Requires manual configuration of Outlook profiles.
Hybrid Migration: For any size organization that needs coexistence. Uses the hybrid deployment to move mailboxes seamlessly with a single click in the Exchange admin center. Users retain their Outlook profile and credentials.
How Hybrid Migration Works Step-by-Step
Prerequisites: Azure AD Connect is installed and syncing identities. A hybrid deployment is configured via HCW. The on-premises Exchange server must be at least Exchange 2013 CU5.
Initiate Move: In the Exchange admin center (EAC), select the mailbox and choose 'Migrate to Exchange Online'. This creates a move request.
Synchronization: The mailbox content is copied to Exchange Online while the on-premises mailbox remains active. Users can continue working.
Finalization: Once synchronization is complete, the mailbox is switched to Exchange Online. Users are automatically redirected via Autodiscover.
Decommission: After all mailboxes are moved, the hybrid configuration can be removed, and the on-premises Exchange server can be decommissioned.
Interaction with Related Technologies
Azure AD Connect: Synchronizes on-premises Active Directory with Azure AD. Required for all hybrid deployments to ensure a single identity for each user.
Autodiscover: Used by Outlook and mobile devices to locate the correct mailbox location. In a hybrid deployment, Autodiscover must point to on-premises, which then redirects to Exchange Online for migrated users.
Microsoft 365 Defender: Protects mail flow. In a hybrid deployment, both on-premises and Exchange Online benefit from Defender policies if configured.
Exchange Online Protection (EOP): The cloud-based filtering service. In a hybrid setup, EOP can be configured to protect both environments.
Trap Patterns on the Exam
Confusing cutover and staged migrations: Cutover is for small orgs (<150 mailboxes) and moves all at once; staged is for up to 2000 mailboxes and moves in batches.
Thinking IMAP migration migrates all mailbox data: It only migrates email, not contacts or calendar items.
Assuming hybrid migration requires a full hybrid deployment: Actually, you can do a hybrid migration without full coexistence if you only need to move mailboxes, but the HCW is still required for the move request.
Forgetting that Autodiscover must point to on-premises: In a hybrid deployment, Autodiscover should point to the on-premises Exchange server, which then redirects to Exchange Online for cloud mailboxes.
Prerequisites and Identity Synchronization
Before any migration, you must synchronize your on-premises Active Directory with Azure AD using Azure AD Connect. This ensures each user has a unique identity in the cloud. You must also ensure your on-premises Exchange server meets the minimum version (Exchange 2013 CU5 or later) and that you have a valid SSL certificate for federation. Run the Hybrid Configuration Wizard (HCW) to establish the federation trust and organization relationship. This step is critical for enabling mailbox moves and mail flow.
Choose Migration Strategy
Select the appropriate migration type based on your organization size and requirements. For small orgs (<150 mailboxes), cutover migration is simplest. For medium orgs (up to 2000), staged migration with batches is suitable. For any size requiring coexistence, choose hybrid migration. If you are migrating from a non-Exchange system, use IMAP migration (email only). The exam tests your ability to recommend the correct migration type based on scenario.
Configure Mail Flow
In a hybrid deployment, mail flow is centralized through on-premises by default. Update your MX record to point to on-premises, and configure the on-premises server to forward mail for cloud mailboxes to Exchange Online. Alternatively, you can use decentralized mail flow where each environment sends mail directly, but this requires more configuration. The HCW automatically sets up the necessary connectors (Inbound and Outbound) for secure mail flow.
Migrate Mailboxes
For hybrid migration, use the Exchange admin center to initiate mailbox moves. The move request synchronizes mailbox data in the background. Users can continue working with no interruption. Once synchronization is complete, the mailbox is switched to Exchange Online. For staged migration, you must update the Autodiscover DNS record to point to Exchange Online for each batch. For cutover, all mailboxes are moved at once.
Post-Migration Verification
After migration, verify that users can access their mailboxes in Outlook and OWA. Use the Exchange admin center message trace to confirm mail flow. For hybrid deployments, verify that free/busy sharing works cross-premises. Remove the hybrid configuration only after all mailboxes are moved and you are ready to decommission on-premises. Update DNS records (MX, Autodiscover, SPF) to point exclusively to Exchange Online.
Scenario 1: Large Enterprise with Compliance Requirements
A multinational bank with 50,000 mailboxes wants to move to Exchange Online but must keep some mailboxes on-premises due to regulatory data residency requirements. They deploy a full hybrid configuration using Exchange 2019 and Azure AD Connect. The hybrid deployment allows them to move 90% of mailboxes to the cloud while keeping 5,000 mailboxes on-premises in specific regions. Mail flow is centralized through on-premises to enforce compliance policies like journaling and retention. The IT team uses the Hybrid Configuration Wizard to set up the federation trust and organization relationship. They experience some challenges with Autodiscover redirection for mobile devices, which requires updating the Autodiscover DNS record to point to on-premises and ensuring the on-premises server redirects cloud mailboxes. The migration takes six months, moving 1,000 mailboxes per week. The key performance consideration is bandwidth for mailbox synchronization; they throttle the move requests to avoid saturating the WAN link.
Scenario 2: Small Business Cutover Migration
A 50-person architecture firm wants to move to Exchange Online quickly. They have a single Exchange 2013 server. They choose cutover migration because they have fewer than 150 mailboxes. They run the Hybrid Configuration Wizard to prepare the environment, then use the Exchange admin center to perform a cutover migration. The entire migration takes a weekend. They update their MX record to point to Exchange Online and reconfigure Outlook profiles for all users. The biggest challenge is user training; some users have issues with OWA access. The migration is successful, but they forget to update their SPF record, causing some external emails to be marked as spam. They later add the required include:spf.protection.outlook.com to their SPF record.
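The missed SPF update in this scenario, and the post-migration DNS step described earlier, can be checked mechanically. The PowerShell below is an added example, not part of the original guide; the function name Test-ExoSpfRecord, the placeholder domain and the sample TXT records are constructed for illustration.

```powershell
# Added example (not from the original page). In production, pass
# (Resolve-DnsName -Name $Domain -Type TXT).Strings as -TxtRecords.
function Test-ExoSpfRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$TxtRecords = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $other    = [System.Collections.Generic.List[string]]::new()
    $includesExo  = $false
    $allQualifier = $null
    $hasRedirect  = $false

    # Only TXT strings that begin with the version tag are SPF records.
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { $findings.Add('No SPF record published') }
    if ($spf.Count -gt 1) { $findings.Add('Multiple SPF records: evaluation ends in a permanent error') }

    if ($spf.Count -eq 1) {
        foreach ($term in ($spf[0].Trim() -split '\s+' | Select-Object -Skip 1)) {
            if ($term -match '^\+?include:spf\.protection\.outlook\.com$') {
                $includesExo = $true
            } elseif ($term -match '^([+\-~?]?)all$') {
                # A bare "all" carries the implicit "+" (pass) qualifier.
                $allQualifier = if ($Matches[1]) { $Matches[1] } else { '+' }
            } elseif ($term -match '^redirect=') {
                $hasRedirect = $true   # the redirect target is not followed here
            } elseif ($term -match '^[+\-~?]?(ip4|ip6|a|mx|include|exists|ptr)([:/]|$)') {
                $other.Add($term)      # senders authorized besides Exchange Online
            }
        }
        if (-not $includesExo) { $findings.Add('Missing include:spf.protection.outlook.com') }
        if ($allQualifier -eq '+') { $findings.Add('"+all" authorizes every sender') }
        if (-not $allQualifier -and -not $hasRedirect) { $findings.Add('No terminating "all" mechanism') }
        if ($other.Count -gt 0) { $findings.Add("Review other authorized senders: $($other -join ', ')") }
    }

    [pscustomobject]@{
        Domain                 = $Domain
        IncludesExchangeOnline = $includesExo
        AllQualifier           = $allQualifier
        Findings               = $findings.ToArray()
    }
}

# Constructed sample records for a placeholder domain (documentation address range).
$before = @('MS=ms00000000', 'v=spf1 ip4:203.0.113.25 -all')   # on-premises sender only
$after  = @('MS=ms00000000', 'v=spf1 include:spf.protection.outlook.com -all')

Test-ExoSpfRecord -Domain 'example.com' -TxtRecords $before | Format-List
Test-ExoSpfRecord -Domain 'example.com' -TxtRecords $after  | Format-List
```

The first call reports the missing include and the leftover on-premises ip4 entry; the second returns no findings.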
Scenario 3: Non-Profit Migrating from Google Workspace
A non-profit organization with 200 users is migrating from Google Workspace to Exchange Online. They cannot use hybrid migration because they don't have an on-premises Exchange server. They choose IMAP migration, which migrates only email. They use the Exchange admin center IMAP migration feature, specifying the Google Workspace IMAP server settings. The migration takes several days because each mailbox must be connected and downloaded. After migration, users must set up new Outlook profiles and manually migrate their calendar and contacts using the Outlook desktop client's import/export feature. The organization realizes too late that meeting invitations are lost; they should have used a third-party tool for a full migration. This scenario highlights the limitation of IMAP migration: it only handles email, not calendar or contacts.
MS-900 Objective 2.2: Describe the migration and hybrid deployment options
This objective asks you to differentiate between migration methods (cutover, staged, IMAP, hybrid) and understand the purpose of a hybrid deployment. The exam will not test the detailed technical steps of running the HCW, but you must know:
Which migration type is appropriate for given scenarios (e.g., cutover for <150 mailboxes, staged for up to 2000, hybrid for coexistence).
That IMAP migration only migrates email, not calendar or contacts.
That hybrid deployment requires Azure AD Connect, a federation trust, and an organization relationship.
That Autodiscover must point to on-premises in a hybrid deployment.
Common Wrong Answers and Why Candidates Choose Them
Choosing staged migration for an organization with 100 mailboxes: Candidates often pick staged because they think it's safer, but cutover is appropriate and simpler for small orgs. The exam specifies cutover for <150 mailboxes.
Thinking IMAP migration migrates entire mailbox data (including calendar): Candidates assume IMAP is a full migration, but IMAP only handles email. The exam explicitly tests this limitation.
Believing that hybrid migration requires on-premises Exchange to remain after migration: Hybrid migration can be used to move mailboxes, and the on-premises server can be decommissioned later. The hybrid configuration is temporary.
Confusing 'hybrid deployment' with 'hybrid migration': Hybrid deployment is the configuration that enables coexistence; hybrid migration is one of the migration methods that uses that configuration.
Specific Values and Terms That Appear on the Exam
Cutover migration: maximum 150 mailboxes.
Staged migration: maximum 2000 mailboxes.
IMAP migration: only email, no calendar/contacts.
Hybrid deployment prerequisites: Azure AD Connect, Exchange 2013 CU5+, federation trust.
Autodiscover: must point to on-premises in hybrid deployment.
Centralized mail transport: default in hybrid; outbound from cloud goes through on-premises.
Edge Cases and Exceptions
If an organization has more than 2000 mailboxes, they cannot use staged migration; they must use hybrid migration or a third-party tool.
If the on-premises Exchange version is older than 2013, a hybrid deployment is not supported (except with additional configuration using Exchange 2010 with SP3).
For a cutover migration, the on-premises Exchange server can be decommissioned after migration, but you must first ensure all mailboxes are moved and mail flow is redirected.
How to Eliminate Wrong Answers
If the question mentions 'coexistence' or 'phased migration', eliminate cutover and IMAP.
If the question says 'migrating from Gmail', only IMAP is possible (or third-party), so eliminate hybrid and staged.
If the question says 'less than 150 mailboxes', cutover is the simplest and correct choice.
If the question says 'must retain on-premises Exchange for some time', the answer is hybrid deployment/migration.
Cutover migration is for organizations with fewer than 150 mailboxes.
Staged migration is for organizations with up to 2000 mailboxes.
IMAP migration only migrates email, not calendar or contacts.
Hybrid deployment requires Azure AD Connect, a federation trust, and an organization relationship.
In a hybrid deployment, Autodiscover must point to on-premises.
Centralized mail transport is the default in hybrid deployments; outbound from cloud goes through on-premises.
The Hybrid Configuration Wizard (HCW) automates the setup of federation and organization relationships.
Hybrid migration allows seamless mailbox moves with no user interruption.
After migration, update MX, Autodiscover, and SPF records to point to Exchange Online.
Hybrid deployment is temporary and can be removed after migration.
These come up on the exam all the time. Here's how to tell them apart.
Cutover Migration
For <150 mailboxes
All mailboxes moved in one batch
No coexistence period
Requires Outlook profile reconfiguration
Simple and fast
Staged Migration
For up to 2000 mailboxes
Mailboxes moved in batches
Coexistence between batches
Requires directory synchronization
More complex but less disruptive
Mistake
Hybrid deployment requires an on-premises Exchange server to remain forever.
Correct
Hybrid deployment is a temporary configuration to facilitate migration. Once all mailboxes are moved to Exchange Online, the hybrid configuration can be removed and the on-premises server decommissioned.
Mistake
IMAP migration migrates all mailbox content including calendar and contacts.
Correct
IMAP migration only migrates email. Calendar, contacts, and tasks must be migrated separately using other tools (e.g., Outlook export/import, third-party migration tools).
Mistake
Staged migration is suitable for organizations with more than 2000 mailboxes.
Correct
Staged migration is limited to 2000 mailboxes. For larger organizations, use hybrid migration or a third-party solution.
Mistake
In a hybrid deployment, Autodiscover must point to Exchange Online.
Correct
Autodiscover must point to the on-premises Exchange server, which then redirects cloud mailboxes to Exchange Online. This ensures that on-premises users can still discover resources.
Mistake
Cutover migration allows a phased move over weeks.
Correct
Cutover migration moves all mailboxes in a single batch over a few days. It is an all-or-nothing approach, not phased.
A hybrid deployment is the configuration that connects on-premises Exchange to Exchange Online, enabling features like free/busy sharing and mail flow. Hybrid migration is a migration method that uses this configuration to move mailboxes seamlessly. Hybrid migration is one of several migration options, but it requires a hybrid deployment to be in place.
Yes, but it is not recommended because IMAP migration only migrates email, not calendar or contacts. Also, it requires users to reconfigure Outlook. For Exchange to Exchange migrations, cutover, staged, or hybrid migration are better choices.
Staged migration is designed for organizations with up to 2000 mailboxes. For larger organizations, use hybrid migration or a third-party tool.
Yes, Azure AD Connect is required to synchronize on-premises Active Directory with Azure AD. This ensures that each user has a single identity and can be authenticated in both environments.
Mail flow is typically centralized through the on-premises server. Inbound mail arrives at on-premises and is routed to Exchange Online for cloud mailboxes. Outbound mail from cloud mailboxes is sent through on-premises. This ensures compliance with on-premises policies.
Yes, you can use cutover, staged, or IMAP migration without a full hybrid deployment. However, these methods have limitations (e.g., no coexistence, only email migration). Hybrid deployment is only required for hybrid migration.
The time depends on the mailbox size and network bandwidth. For a hybrid migration, the initial synchronization may take hours to days. The final switchover is usually fast (minutes). Microsoft recommends throttling migration batches to avoid network congestion.