Mark Brezicky / / Categories: Exchange Online, Microsoft Exchange Hybrid

Microsoft Exchange Hybrid Agent

Microsoft Exchange Hybrid Agent – New method available for email migrations

Exchange Hybrid environments have been around for years and continue to be the primary method to migrate mailboxes to Office 365 Exchange Online.  However, with each new deployment comes a similar set of challenges that can significantly delay migrations due to impact to the production environment  including, 

  • Adding additional servers to environment
  • Additional firewall rules exposing more areas to the Internet
  • External DNS entries
  • Public Certificates
  • Load Balancer configurations (SSL Offloading)
    • MRSProxy does not support SSL Offloading 

To solve these recurring challenges, Microsoft has created the Microsoft Exchange Hybrid Agent.  This agent is built on the same technology as the Azure Application Proxy, which utilizes Azure as a reverse proxy to process external traffic through a secure inbound TLS connection using the agent.  All firewall requirements are for outbound connections only.  Therefore, using this agent, you bypass existing network configurations, including firewall and/or load balancers.  The hybrid agent is only used for mailbox migrations and Free/Busy requests.  All other hybrid capabilities, including mail flow, are not included in the agent and function separately as they do in a traditional hybrid deployment. 

The hybrid agent is installed using the same Hybrid Configuration Wizard for a traditional hybrid deployment.  You can install the agent on a standalone server, or it can also be installed on an existing Exchange 2010 or later server with the CAS role installed. 



  • The computer it's installed on needs to be:
    • Running Windows Server 2012 R2 or 2016 with .NET Framework 4.6.2 (or later, as supported by the Exchange version you are installing on)
    • Active Directory domain-joined
    • TLS 1.2 enabled
  • Firewall Requirements
    • Capable of establishing outbound HTTPS connections to the Internet
      • Outbound TCP Ports 80 and 443
    • Capable of establishing HTTPS and remote PowerShell connections to the Client Access Server (CAS) chosen for hybrid configuration.
      • TCP ports 80, 443, 5985, and 5986
    • All CAS servers must be able to reach outbound HTTPS (TCP 443) Office 365 Endpoints for Free/Busy requests
      • These requests do not use the Hybrid agent
    • Use a browser, like Microsoft Edge, that supports ClickOnce technology.
    • Administrative Permissions
      • On-Premises:
        • Be a member of the Organization Management role group in your on-premises Exchange organization
        • Be a member of the local Administrators group on the computer where you're installing the Hybrid agent.
      • Office 365
        • The account you use to connect to your Office 365 tenant must be a Global Administrator.
      • Enable MRSProxy
        • Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true




The deployment of the Hybrid agent is almost the same as a traditional Exchange Hybrid configuration.  You still use the Hybrid Configuration Wizard to perform the agent installation.  Once you run the HCW, you still connect to Exchange On-premises and Online environments, choose Full or Minimal Hybrid configuration, setup Federation, but there will be a new screen shown below.  Select Use Exchange Modern Hybrid Topology to deploy the agent. 

Mark B pic 1

This process can take a few minutes, but follows this process:

  • Downloads and Installs the agent on the local computer
  • Registers the agent in Azure. Creates a URL in the format of
  • Tests connectivity from Office 365 to your on-premises Exchange environment via the agent 

Assuming the installation succeeds, the rest of the HCW is exactly the same as a traditional hybrid deployment.  The HCW will create a Migration Endpoint using the custom URL and will set the TargetSharingEpr as well, both on the Office 365 side.  Once complete, you can verify the service is running in the Services console. 

Mark B pic 2

You can now begin migrating your mailboxes to the cloud using the same commands or processes as a traditional hybrid, just select the correct Migration Endpoint.  You can test the availability at any time with the following command where the credentials are for your on-premises environment: 

Test-MigrationServerAvailability -ExchangeRemoteMove: $true -RemoteServer '<GUID>' -Credentials (Get-Credential) 


With new technology also comes additional issues to consider.  They are as follows: 

  • In preview as of this writing
  • Hybrid Modern Authentication not supported
  • MailTips, Message Tracking, and Multi-mailbox search not supported
  • Single Agent only, redundancy not available yet.
    • If offline, Free/Busy lookups (cloud to on-prem) and mailbox migrations won’t work
    • Registers with a single CAS server.
    • Can be reinstalled or registered to a different CAS in the event of failure using HCW


This deployment option is available for new hybrid configurations.  If you have already established a hybrid configuration (Full or Minimal), this option will not be available.  Ideally, this deployment method seems well suited for customers with short-term migration goals (under 6 months).  Hybrid deployments meant for long-term or indefinite hybrid environments should configure the traditional hybrid deployment.  This may change depending on any feature updates for General Availability.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.


Search by Category or Author: