Migrating to Office 365 can be a time-consuming endeavor and may need to be conducted in stages. When mailboxes are moved in batches, the On-Prem Exchange server shows the migrated mailboxes as “Remote Mailbox”. Although it appears to be aware of these mailboxes, it is not immediately able to route mail between the On-Premises Mailboxes and the Remote Mailboxes.

There is a series of steps that must be taken to ensure mail flow:

  1. If using Azure AD Connect and filtering by OU or Security Group, make sure the AD accounts of all mailbox users are synchronized to Azure AD/Office 365
    1. Add all Mail Users
      1. In AD this can be easily accomplished with a simple PowerShell script:

        # Add every enabled AD user that has a mail address to the sync security group
        Get-ADUser -Filter 'Enabled -eq $true -and Mail -like "*@*"' | ForEach-Object { Add-ADGroupMember -Identity 'Office365Users' -Members $_ }

        Where “Office365Users” is your security group

    2. Add all Contacts
    3. Add all Distribution Lists
    4. Add all Mail-Enabled Security Groups

For mail from Office 365 to Exchange On-Premises (Performed in Office 365 Exchange Admin Center):

  1. Create an Internal Relay to On-Prem Exchange connector (in EAC)

For mail to Office 365 from Exchange On-Premises (Performed in On-Premises Exchange Server):

  1. Create a tenant.mail.onmicrosoft.com entry in Accepted Domains and set it to Internal Relay
  2. Create an “O365 Relay” Send Connector
    1. FQDN of the connector (mail.domain.com – the FQDN public name of the On-Premises Exchange server)
    2. Address Scope – tenant.mail.onmicrosoft.com
    3. Smart Host – the MX provided by Microsoft Office 365 Domains DNS configuration (e.g. domain-com.mail.protection.outlook.com)
    4. Source Server: The On-Premises Exchange server

Make sure to check any firewall rules that restrict WAN-to-LAN traffic on port 25 to specific addresses. Use the list at https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges to set up rules that lock down unauthorized inbound access to port 25.

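| ID | Category | ER | Addresses | Ports |
|----|----------|----|-----------|-------|
| 10 | Allow, Required | Yes | *.mail.protection.outlook.com; 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 25 |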
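One way to check that an inbound port 25 rule set really is locked down to the ranges listed above. This is an added example, not part of the original post: the rule format and `SAMPLE_RULES` are constructed for illustration, and the ranges are the ones quoted on this page, so refresh them from the linked Microsoft list before relying on the result.

```python
import ipaddress

# Exchange Online Protection source ranges for TCP 25, as quoted on this page.
EOP_RANGES = [ipaddress.ip_network(n) for n in (
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48",
)]

def inside_eop(source):
    """True if every address in `source` (CIDR or single IP) lies in an EOP range."""
    net = ipaddress.ip_network(source, strict=False)
    # Compare only same-family networks; subnet_of() raises on mixed IPv4/IPv6.
    return any(net.version == r.version and net.subnet_of(r) for r in EOP_RANGES)

def audit_rules(rules):
    """Return names of inbound TCP 25 allow rules that admit non-EOP sources."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] != 25:
            continue
        sources = rule["sources"]
        # Assumption of this sample format: an empty source list means "any".
        if not sources or not all(inside_eop(s) for s in sources):
            findings.append(rule["name"])
    return findings

# Constructed sample rule set (hypothetical export format, not a real firewall's).
SAMPLE_RULES = [
    {"name": "smtp-from-eop", "action": "allow", "port": 25,
     "sources": ["40.92.0.0/15", "40.107.0.0/16", "2a01:111:f400::/48"]},
    {"name": "smtp-legacy-any", "action": "allow", "port": 25,
     "sources": ["0.0.0.0/0"]},
    {"name": "smtp-too-wide", "action": "allow", "port": 25,
     "sources": ["40.0.0.0/8"]},
    {"name": "smtp-single-host", "action": "allow", "port": 25,
     "sources": ["104.47.12.34"]},
    {"name": "https-any", "action": "allow", "port": 443,
     "sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for name in audit_rules(SAMPLE_RULES):
        print("rule admits non-EOP sources on TCP 25:", name)
```

A rule is flagged when any of its sources is wider than, or outside, the listed ranges, which catches both a leftover "any" rule and a prefix that was rounded up too far.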