Offboarding Microsoft 365 Hybrid – Move to Cloud Only
Modified on: Thu, 20 Jul, 2023 at 1:28 PM
Introduction
But first what is a Microsoft 365 Hybrid environment?
In a Microsoft 365 Hybrid environment, your on-premises Active Directory is connected with your Azure AD in Microsoft Azure.
In addition, mailboxes exist both on the on-premises Exchange Server and in Exchange Online, with a shared namespace, a shared address book and free/busy coexistence. Mailboxes can also be moved from on-premises to the cloud and vice versa.
An Exchange Server hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
And finally, your on-premises Skype for Business environment is configured for Skype for Business hybrid by using the hybrid setup wizard, as shown in my post below.
Even though Skype for Business Online has been retired since July 31, 2021, you can still use it to move users between Skype for Business on-premises and Microsoft Teams if needed.
The hybrid configuration can be used over the long term to migrate step by step: first fully to Exchange Online and Teams, and finally to cloud only, with just Azure AD in place as the identity service.
If you have moved all your on-premises mailboxes to Exchange Online, the first question is how and when we can get rid of the on-premises Exchange Server.
To say it right away: if you plan to keep Azure AD Connect in place to sync on-premises objects to Azure AD, Microsoft recommends that you do not remove the last Exchange server.
If the last Exchange server is removed, you cannot make changes to the mailbox object in Exchange Online because the source of authority is defined as on-premises. The source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a hybrid deployment. If you needed to edit most mailbox settings, you would have to be sure the Active Directory schema was extended on-premises and use unsupported tools such as Active Directory Service Interfaces Editor (ADSI Edit) for common administrative tasks. For example, adding a proxy address or putting a mailbox on litigation hold when there isn’t an Exchange Management Console (EMC) or Exchange Management Shell (Shell) on-premises becomes difficult and these simple (and other more complex) tasks cannot be done in a supported way.
In most cases, we recommend that you leave at least one Exchange Server on-premises for mailbox management unless you are getting rid of the on-premises messaging and identity management dependencies all together.
Since Exchange 2019 Cumulative Update 12, the Exchange Management Tools have been updated so that you can manage recipients with Windows PowerShell, and you can therefore optionally shut down the last Exchange Server in your on-premises environment as well.
!!! DO NOT uninstall the last server. You can choose to shut down the server, and use the script to clean up, but DO NOT uninstall. Uninstalling the server removes critical information from Active Directory that breaks the ability of the management tool package to manage Exchange attributes. Learn more here: Important: Be Aware
You will find more about these management tools and their PowerShell cmdlets in the following article.
So once we have moved all our on-premises mailboxes to Exchange Online, no longer need to manage our users from on-premises, and no longer need directory synchronization or password synchronization, we can start removing our hybrid configuration.
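As an added example (not code from the original article or from Microsoft), this is what the "adding a proxy address" task from the paragraph above looks like when the last Exchange 2019 CU12+ server has been shut down and only the Exchange Management Tools remain. It assumes the tools machine was prepared with the Add-PermissionForEMT.ps1 and CleanupActiveDirectoryEMT.ps1 scripts from the Exchange scripts folder as Microsoft's documentation describes, and that Azure AD Connect is still syncing; the user name and addresses are constructed sample values.

```powershell
# Added example: manage a synced user's Exchange attributes in a supported way
# (Set-RemoteMailbox instead of ADSI Edit) after the last Exchange server was
# shut down but NOT uninstalled. Run in the Exchange Management Shell on the
# management-tools machine; with no Exchange server left, the shell loads the
# recipient-management cmdlets directly against Active Directory.

$user     = 'alex.meier'               # constructed sample user (sAMAccountName)
$newAlias = 'alex.meier@example.com'   # constructed sample secondary address

# Show the on-premises remote-mailbox object that represents the cloud mailbox.
Get-RemoteMailbox -Identity $user |
    Format-List Name, RemoteRoutingAddress, EmailAddresses, EmailAddressPolicyEnabled

# Add a secondary SMTP address. Lower-case "smtp:" keeps the existing primary
# address untouched; "SMTP:" would replace the primary.
Set-RemoteMailbox -Identity $user -EmailAddresses @{ Add = "smtp:$newAlias" }

# Verify the change landed in AD before waiting for the next sync cycle.
(Get-RemoteMailbox -Identity $user).EmailAddresses

# Optional, on the Azure AD Connect server (ADSync module): push a delta sync
# so the new address appears in Exchange Online without waiting ~30 minutes.
# Start-ADSyncSyncCycle -PolicyType Delta
```

The same pattern applies to the other attributes that remain mastered on-premises while directory synchronization is in place (aliases, display names, distribution group membership via the Get-/Set-DistributionGroup cmdlets); what it does not change is that the source of authority stays on-premises until directory synchronization is turned off.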
Why you may not want to decommission Exchange servers from on-premises
Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes.
When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, you can’t manage most attributes from Exchange Online. Instead, you must manage those attributes from on-premises. This requirement isn’t due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud. For more information, see this blog article.
2. Assuming that you have already moved all of the mailboxes to Exchange Online, you can point the MX and Autodiscover DNS records to Exchange Online, instead of to on-premises. For more information, see External Domain Name System records for Office 365.
Make sure to update both the internal and external DNS, or you may have inconsistent client connectivity behavior.
Incidentally, even for the hybrid configuration itself, Microsoft recommends pointing the MX record to Exchange Online rather than to the on-premises Exchange servers.
The preferred method is to configure your MX record to point to Exchange Online Protection (EOP) in Microsoft 365 as this configuration provides the most accurate spam filtering.
3. Next, you should remove the Service Connection Point (SCP) values on your Exchange servers. This step ensures that no SCPs are returned, and the client will instead use the DNS method for Autodiscover.
4. There are inbound and outbound connectors created by the Hybrid Configuration Wizard that you’ll want to delete. Use the following steps to do this:
You can now disable or delete the inbound and outbound connectors. The HCW creates connectors with a unique namespace, named Inbound from <unique identifier> and Outbound from <unique identifier>, as shown in the graphic below.
5. Remove the organization relationship created by the Hybrid Configuration Wizard. Use the following steps to do this:
Under Organization Sharing, remove the organization named O365 to On-Premises – <unique identifier> as shown in the graphic below.
6. If OAuth is configured for an Exchange hybrid deployment, you’ll want to disable the configuration from both on-premises and Microsoft 365 or Office 365.
To disable the on-premises configuration:
From an Exchange server, open the Exchange Management Shell.
You will find more about the IntraOrganizationConnector in the following article.
Get-IntraOrganizationConnector
Intra-Organizational connectors enable features and services between divisions in your Exchange organization. It allows for the expansion of organizational boundaries for features and services across different hosts and network boundaries, such as between Active Directory forests, between on-premises and cloud-based organizations, or between tenants hosted in the same or different datacenters.
7. Disable directory synchronization for your tenants. When this step is completed, all user management tasks will be done from the Microsoft 365 or Office 365 management tools. In other words, you’ll no longer use the Exchange Management Console or Exchange admin center (EAC). For more information on how to disable directory synchronization, see Turn off directory synchronization for Microsoft 365 or Office 365.
You can use PowerShell to turn off directory synchronization and convert your synchronized users to cloud-only.
8. You can now safely uninstall Exchange from the on-premises servers.
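The Exchange-related steps 3 to 7 above, collected into one PowerShell walkthrough as an added example (not the article's own code and not a Microsoft script). It assumes the Exchange Management Shell on-premises, the ExchangeOnlineManagement module (Connect-ExchangeOnline) and the Microsoft.Graph module (Connect-MgGraph) for the cloud side; the HCW object names follow the "<unique identifier>" pattern the article mentions, and the identifier itself is tenant-specific, so the filters match on the fixed part of the name only. The script starts in dry-run mode so every removal is listed before anything is changed.

```powershell
# Added example: Exchange hybrid offboarding steps 3-7 as PowerShell.
# Each section names the shell it must run in; do not run it all from one host.
# Assumed modules: Exchange Management Shell (on-premises), ExchangeOnlineManagement
# and Microsoft.Graph (cloud). Object-name patterns below are assumptions based on
# the HCW naming described in the article.

$WhatIfPreference = $true   # dry run: cmdlets that support -WhatIf only report.
                            # Set to $false once the reported actions look right.

### Pre-check (Exchange Online): no mailbox move may still be running.
Connect-ExchangeOnline
$pending = Get-MoveRequest -ResultSize Unlimited |
           Where-Object Status -notlike 'Completed*'
if ($pending) {
    $pending | Select-Object DisplayName, Status
    throw "Abort: $($pending.Count) move request(s) not finished."
}

### Step 3 (on-premises Exchange Management Shell): clear the Autodiscover SCP
### so Outlook stops finding the on-premises server and falls back to DNS.
### Exchange 2010/2013 use Set-ClientAccessServer instead of Set-ClientAccessService.
Get-ClientAccessService |
    Set-ClientAccessService -AutoDiscoverServiceInternalUri $null

### Step 4 (Exchange Online): remove the HCW inbound/outbound connectors.
### Pattern assumption: names start with "Inbound from" / "Outbound to|from".
$hcwPattern = '^(Inbound from|Outbound (to|from)) '
Get-InboundConnector  | Where-Object Name -match $hcwPattern | Remove-InboundConnector
Get-OutboundConnector | Where-Object Name -match $hcwPattern | Remove-OutboundConnector

### Step 5 (Exchange Online): remove the HCW organization relationship.
Get-OrganizationRelationship |
    Where-Object Name -like 'O365 to On-Premises*' |
    Remove-OrganizationRelationship

### Step 6: disable OAuth (intra-organization connector) on BOTH sides.
# 6a, on-premises Exchange Management Shell:
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false
# 6b, Exchange Online shell (same cmdlets, different connector object):
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false

### Step 7 (Microsoft Graph PowerShell): turn off directory synchronization.
### After this, synced users are converted to cloud-only objects; Microsoft
### documents that the conversion can take up to 72 hours to complete.
Connect-MgGraph -Scopes 'Organization.ReadWrite.All'
$org = Get-MgOrganization
Update-MgOrganization -OrganizationId $org.Id -OnPremisesSyncEnabled:$false

# Verify; the value may lag while the tenant finishes the conversion.
(Get-MgOrganization).OnPremisesSyncEnabled   # expect False once complete
```

Keep the order: step 7 is the irreversible one. Once directory synchronization is off and the users are cloud-only, the on-premises objects are no longer the source of authority, which is exactly why the article says the Exchange servers can only be uninstalled in step 8, after everything else, and must merely be shut down, not uninstalled, if synchronization stays in place.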
Decommission on-premises Skype for Business
If your organization uses Teams with an on-premises deployment of Skype for Business Server, you can migrate these environments fully to the cloud, and then retire your on-premises deployment of Skype for Business Server.
This process is described in detail in the following article.
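As an added example (not from the original article or the Microsoft article it links to), the two checks a practitioner wants before retiring the Skype for Business Server: confirm that no user is still homed on-premises, and only then remove the shared SIP address space the hybrid setup required. It assumes the Skype for Business Server Management Shell on-premises and the MicrosoftTeams module (Connect-MicrosoftTeams) for the tenant side.

```powershell
# Added example: pre-decommission checks for Skype for Business hybrid.
# Assumed modules: Skype for Business Server Management Shell (on-premises)
# and MicrosoftTeams (cloud).

### On-premises (Skype for Business Server Management Shell)
# HostingProvider "SRV:" marks users still homed on the on-premises pools;
# users already moved to Teams show the online hosting provider instead.
$onPrem = Get-CsUser -Filter { HostingProvider -eq 'SRV:' }
if ($onPrem) {
    $onPrem | Select-Object DisplayName, SipAddress, RegistrarPool
    throw "Abort: $($onPrem.Count) user(s) still homed on-premises. Move them with Move-CsUser -MoveToTeams first."
}

### Cloud (MicrosoftTeams module), only after the check above passes
Connect-MicrosoftTeams

# Cross-check from the tenant side that no Teams user still points at on-premises.
$stillOnPrem = Get-CsOnlineUser | Where-Object HostingProvider -eq 'SRV:'
if ($stillOnPrem) {
    $stillOnPrem | Select-Object DisplayName, UserPrincipalName
    throw "Abort: tenant still sees $($stillOnPrem.Count) on-premises-homed user(s)."
}

# Turn off the shared SIP address space; after this the tenant is authoritative
# for every SIP domain and the on-premises deployment can be retired.
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $false
(Get-CsTenantFederationConfiguration).SharedSipAddressSpace   # expect False
```

Disabling the shared SIP address space while users are still homed on-premises cuts those users off from federation and Teams interop, so both checks run before the change and stop the script on the first remaining user.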