Exchange Hybrid Configuration Wizard (HCW) version 17.0.5494.0 was released on September 21, 2020. This update includes the Single On-Premises Multi-Tenant feature and other fixes in Exchange Hybrid.
Note: Download Microsoft Office 365 Hybrid Configuration Wizard with Internet Explorer.
Single On-Premises Multi-Tenant Exchange Hybrid feature
This version of Hybrid Configuration Wizard supports Full Hybrid and Minimal Hybrid configurations from a single on-premises organization to two or more tenants.
Prerequisites of this Multi-Tenant Hybrid (in addition to Single Tenant Hybrid prerequisites)
Supported Exchange Server versions:
Upgrading all servers versus upgrading some servers
The upgrade process to the latest CU in Exchange Server 2016 or 2019 differs depending on whether you are upgrading all servers across the organization or only some servers.
If you upgrade all servers, any of these servers can be used to configure Hybrid by using HCW. To load balance the servers, you can publish a load balancer URL to the M365 tenant.
If you upgrade only one server or a subset of servers, HCW must be configured by using the upgraded servers. In this case, load balancing is not supported.
Azure Active Directory Connect must be configured to sync the users of an on-premises organization that has multiple tenants by using the Domain/OU filtering option for each specific Exchange Hybrid organization that's desired. When you configure DirSync for each tenant, make sure that the Exchange hybrid deployment check box is selected in optional features. We recommend that you use separate servers and other devices to configure AD Connect for each tenant. The configured AD (Active Directory) topology should resemble the following diagram.
Note: A single OU (Organizational Unit) or multiple OUs can be grouped through Directory Synchronization (DirSync) to an M365 tenant. For example: OU1 and OU2 can be synced to Tenant1 and OU3 can be synced to Tenant3. Alternatively, OU1 can be synced to Tenant1, OU2 can be synced to Tenant2, and OU3 can be synced to Tenant3.
Add all domains, tenant domains and tenant coexistence domains as accepted domains in the Exchange on-premises environment in Exchange Control Panel (ECP) or Exchange PowerShell.
Configure different SMTP domains for each tenant that you configure in a Multi-Tenant Hybrid environment. Two tenants can't share the same SMTP domain.
Separate certificate for each send connector sending to each tenant
For proper email attribution to each tenant, make sure that you use a separate certificate for each send connector that sends to each tenant. If the same certificate is used, email that is sent to one tenant may be attributed to the other tenant. The certificate that a send connector uses is controlled by the TlsCertificateName parameter. For more information about message attribution, see the following articles:
Create a separate email address policy for each Tenant/OU pair. To do this, create a policy (name it appropriately) on the email address policies tab in ECP, add the email address, and then carefully select the correct OU in a request container for the tenant.
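The separate-certificate prerequisite above can be checked after setup. The following is an added example, not code from the original article or from Microsoft: the function name and the sample connectors are hypothetical, and it assumes input objects that expose the Name and TlsCertificateName properties, as Get-SendConnector output does.

```powershell
# Added example. Reports send connectors that share one TlsCertificateName
# value, or that have no TlsCertificateName set at all.
function Find-SharedConnectorCertificate {
    [CmdletBinding()]
    param(
        # Objects exposing Name and TlsCertificateName.
        # Pass only the connectors that send to tenants.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Connector
    )
    begin   { $all = @() }
    process { $all += $Connector }
    end {
        # Normalize once so that $null, '' and whitespace are treated alike.
        $rows = foreach ($c in $all) {
            [pscustomobject]@{
                Name = "$($c.Name)"
                Cert = "$($c.TlsCertificateName)".Trim()
            }
        }
        # Not set: the certificate used toward the tenant is not fixed.
        foreach ($r in @($rows | Where-Object { -not $_.Cert })) {
            [pscustomobject]@{ Finding = 'TlsCertificateNameNotSet'
                               Certificate = $null; Connectors = @($r.Name) }
        }
        # Shared: mail to one tenant may be attributed to the other tenant.
        $rows | Where-Object { $_.Cert } | Group-Object Cert |
            Where-Object { $_.Count -gt 1 } | ForEach-Object {
                [pscustomobject]@{ Finding = 'SharedCertificate'
                                   Certificate = $_.Name
                                   Connectors = @($_.Group | ForEach-Object { $_.Name }) }
            }
    }
}

# Constructed sample input. In the Exchange Management Shell, use instead:
#   Get-SendConnector | Find-SharedConnectorCertificate
$sample = @(
    [pscustomobject]@{ Name = 'To Tenant1'
        TlsCertificateName = '<I>CN=Example CA<S>CN=mail1.example.com' }
    [pscustomobject]@{ Name = 'To Tenant2'
        TlsCertificateName = '<I>CN=Example CA<S>CN=mail1.example.com' }
    [pscustomobject]@{ Name = 'To Tenant3'; TlsCertificateName = $null }
)
$sample | Find-SharedConnectorCertificate | Format-List
```

On the sample data this reports To Tenant3 as TlsCertificateNameNotSet and To Tenant1 together with To Tenant2 as SharedCertificate.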
Create a Hybrid environment that has multiple tenants by using the latest HCW application
Note: Repeat the following steps for all the tenants that are to be configured in the Hybrid environment.
On a domain-joined computer, install HCW with Modern/Classic Full Hybrid or Minimal Hybrid, and install a hybrid environment that has a tenant.
If the Modern option is selected for any or all the tenants, the hybrid agent must be installed. Agent installation and the configuration of a hybrid environment through HCW is supported on either a domain-joined computer that's configured as an agent server or on an Exchange Server 2019 or 2016 server that has the mailbox role.
Separate agents are needed for each tenant that's configured by using Modern Hybrid.
Note: When you configure Multi-Tenant Hybrid for Exchange Server, you might have a mix of Minimal Classic, Minimal Modern, Full Classic, and Full Modern Hybrid configurations. Admins can choose any mode for an Exchange Hybrid tenant regardless of how other tenants are configured.
Make sure to use separate computers for an HCW configuration when you set up Hybrid for the tenants.
The Hybrid Domains window lists the accepted domains that are available to add to an online tenant. If more than one domain is available, select the check box for each domain that you want to configure for Autodiscover.
Known issues and workarounds
When you create a remote user through the graphical user interface (GUI) in ECP, ECP sometimes picks the last configured tenant domain for the RemoteRoutingAddress attribute. This issue affects free/busy discovery of users with wrong RemoteRoutingAddress values.
Workaround for Issue 1
Use the PowerShell cmdlet to create remote users by using the RemoteRoutingAddress attribute, or set the RemoteRoutingAddress attribute after you create the remote mailbox. For example, see the following cmdlet:
New-RemoteMailbox -Name "Megan Bowen" -FirstName "Megan" -LastName "Bowen" -OnPremisesOrganizationalUnit "tailspintoys.com/T1" -UserPrincipalName "email@example.com" -Password $password -ResetPasswordOnNextLogon $False -RemoteRoutingAddress "firstname.lastname@example.org"
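To find remote mailboxes that were already created with the wrong tenant domain (Issue 1), the RemoteRoutingAddress of each mailbox can be compared with the domain expected for its OU. The following is an added example, not code from the original article or from Microsoft: the function name, the T2 OU, the routing domains and the sample mailboxes are constructed, and it assumes input objects that expose Name, OnPremisesOrganizationalUnit and RemoteRoutingAddress, as Get-RemoteMailbox output is assumed to do.

```powershell
# Added example. OU-to-routing-domain map with constructed placeholder values:
# replace them with the OU and coexistence domain of each of your tenants.
$TenantRoutingDomain = @{
    'tailspintoys.com/T1' = 'tenant1.mail.onmicrosoft.com'
    'tailspintoys.com/T2' = 'tenant2.mail.onmicrosoft.com'
}

function Test-RemoteRoutingDomain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$OuMap,
        [Parameter(Mandatory, ValueFromPipeline)]$Mailbox
    )
    process {
        $ou     = "$($Mailbox.OnPremisesOrganizationalUnit)".TrimEnd('/')
        $addr   = "$($Mailbox.RemoteRoutingAddress)" -replace '^smtp:', ''
        $domain = ($addr -split '@')[-1]
        # Longest mapped OU that equals the mailbox OU or is one of its parents.
        $ic = [System.StringComparison]::OrdinalIgnoreCase
        $match = $OuMap.Keys |
            Where-Object { $ou -eq $_ -or $ou.StartsWith("$_/", $ic) } |
            Sort-Object Length -Descending | Select-Object -First 1
        $expected = if ($match) { $OuMap[$match] } else { $null }
        $status = if (-not $match) { 'UnmappedOU' } elseif ($domain -eq $expected) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{
            Name = "$($Mailbox.Name)"; OU = $ou
            ActualDomain = $domain; ExpectedDomain = $expected; Status = $status
        }
    }
}

# Constructed sample input. In the Exchange Management Shell, use instead:
#   Get-RemoteMailbox -ResultSize Unlimited |
#       Test-RemoteRoutingDomain -OuMap $TenantRoutingDomain
$sample = @(
    [pscustomobject]@{ Name = 'Megan Bowen'
        OnPremisesOrganizationalUnit = 'tailspintoys.com/T1'
        RemoteRoutingAddress = 'SMTP:meganb@tenant1.mail.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'Sample User'
        OnPremisesOrganizationalUnit = 'tailspintoys.com/T1/Sales'
        RemoteRoutingAddress = 'SMTP:sample@tenant2.mail.onmicrosoft.com' }
)
$sample | Test-RemoteRoutingDomain -OuMap $TenantRoutingDomain |
    Where-Object { $_.Status -ne 'OK' } | Format-List
```

On the sample data only Sample User is listed, with Status Mismatch: its OU maps to the Tenant1 domain, but its address carries the Tenant2 domain.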
When you enable remote archiving for on-premises users in ECP, ECP picks the last configured tenant domain for the ArchiveDomain attribute.
Workaround for Issue 2
Don't enable the remote archive property for on-premises users in ECP. Instead, run the following PowerShell cmdlet:
Enable-Mailbox -Identity "meganb" -RemoteArchive "True" -ArchiveDomain "tailspintoys.mail.onmicrosoft.com"
If you are running Exchange Server 2016 CU18 or Exchange Server 2019 CU7, and you have recently used HCW to configure or reconfigure Hybrid for the tenant, be aware that Cross Premise ELC MRM archiving is broken because of a new domain parameter in AuthServer.
Workaround for Issue 3
Remove the domain name from the AuthServer Object by running the following PowerShell cmdlet:
Set-AuthServer -domain ""
Other restrictions and notes
See this page for information about how to set the Azure AD topology that has a tenant.
HMA (Hybrid Modern Authentication) isn't supported in the Multi-Tenant Hybrid environment.
By default, free/busy configuration between tenants is not available. To make this configuration, see this Exchange Team Blog article.
Issues that are fixed in this update
HCW incorrectly sets the externalEmailAddress parameter during OCT (Object Configuration Transfer). OCT is used to break mailflow.
HCW detects an incorrect value for some Exchange Server versions.
HCW does not handle the switch between Classic and Modern for some scenarios.
HCW incorrectly disables switching to Minimal Hybrid even before a Full Hybrid configuration is done.
HCW cannot connect to Exchange PowerShell, and returns the following error message:
ADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'a0c73c16-a7e3-4564-9a95-2bdf47383716'.
HCW is a standalone and stateless application that collects configuration information. It applies the necessary changes to bring the topology into the desired state. These changes are applied at the Exchange Organization level (in both the on-premises and the cloud-tenant configuration). Those settings aren't stored or managed by the HCW after the operation is completed. As soon as the hybrid agent is installed and configured, it runs on the specified computer. It is not connected to the HCW application after the installation is completed.
Unless there is a need to rerun HCW, you don't have to uninstall and reinstall the latest version.