Migrating to Office 365 can be a time-consuming endeavor and may need to be conducted in stages. When moving batches of mailboxes, the On-Prem Exchange server shows the migrated mailboxes as “Remote Mailbox” and, while it appears to be aware of each mailbox, it is not immediately able to route mail between the On-Premises Mailboxes and the Remote Mailboxes.
There are a series of steps that must be taken to ensure mail flow:
- If using Azure AD Connect and filtering by OU or Security Group – make sure all mailbox users' AD accounts are synchronized to Azure AD/Office 365
  - Add all Mail Users
    - In AD this can be easily accomplished with a simple PowerShell script:
      Get-ADUser -Filter 'Enabled -eq $true -and Mail -like "*@*"' | ForEach-Object { Add-ADGroupMember -Identity 'Office365Users' -Members $_ }
      Where “Office365Users” is your security group
  - Add all Contacts
  - Add all Distribution Lists
  - Add all Mail-Enabled Security Groups
For mail from Office 365 to Exchange On-Premises (performed in the Office 365 Exchange Admin Center):
- Create an Internal Relay to On-Prem Exchange connector (in EAC)
For mail to Office 365 from Exchange On-Premises (performed on the On-Premises Exchange Server):
- Create a tenant.mail.onmicrosoft.com entry in Accepted Domains and set it to Internal Relay
- Create an “O365 Relay” Send Connector
  - FQDN of the connector (mail.domain.com – the public FQDN of the On-Premises Exchange server)
  - Address Scope – tenant.mail.onmicrosoft.com
  - Smart Host – the MX provided by the Microsoft Office 365 Domains DNS configuration (e.g. domain-com.mail.protection.outlook.com)
  - Source Server: The On-Premises Exchange server
Make sure to check any firewall rules that restrict WAN-to-LAN traffic on port 25 to specific addresses. Use the list at https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges to set up your rules so that unauthorized inbound access to port 25 is locked down.
ID | Category | ER | Addresses | Ports
10 | Allow Required | Yes | *.mail.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 25
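To verify the port 25 lockdown described above, the following added example (not part of the original post) checks firewall source networks and allowed inbound SMTP connections against the ranges in the table. The log line format, the function names and the sample addresses are constructed assumptions; adapt the parsing to your firewall's export.

```python
import ipaddress

# Ranges for *.mail.protection.outlook.com exactly as listed in the table above.
# Microsoft revises the published list, so refresh these from the linked page.
EOP_RANGES = [ipaddress.ip_network(c) for c in (
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48",
)]

def is_allowed_source(addr):
    """True if addr falls inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source: treat as not allowed
    return any(ip.version == net.version and ip in net for net in EOP_RANGES)

def rule_is_too_broad(cidr):
    """True if a firewall source network admits addresses outside the listed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == a.version and net.subnet_of(a) for a in EOP_RANGES)

def unexpected_smtp_sources(log_lines):
    """Return sources that were allowed to TCP 25 from outside the listed ranges."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src = fields.get("src")
        if src and fields.get("dport") == "25" and fields.get("action") == "allow":
            if not is_allowed_source(src):
                hits.append(src)
    return hits

# Constructed sample log (hypothetical key=value format, not from a real device).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z src=40.107.22.51 dport=25 action=allow",       # inside 40.107.0.0/16
    "2024-01-01T10:00:05Z src=203.0.113.77 dport=25 action=allow",       # not in any listed range
    "2024-01-01T10:00:09Z src=2a01:111:f400::25 dport=25 action=allow",  # inside the first IPv6 /48
    "2024-01-01T10:00:12Z src=198.51.100.9 dport=443 action=allow",      # not SMTP, ignored
    "2024-01-01T10:00:15Z src=104.47.128.10 dport=25 action=allow",      # just past 104.47.0.0/17
]

if __name__ == "__main__":
    print("Unexpected port 25 sources:", unexpected_smtp_sources(SAMPLE_LOG))
    print("0.0.0.0/0 too broad:", rule_is_too_broad("0.0.0.0/0"))
```

Any address the log check reports means a rule is still admitting SMTP from outside the listed ranges.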