HCW, HMA, OLM – Oh My!

I’ve been working with a few customers lately on integration between Office 365 and on-premises Exchange.  My goal in this post is to give a foundational understanding of the technologies that can be enabled for co-existence between Office 365 and on-premises, and new features that can be enabled for your on-premises mailboxes. In this post I will cover:

  • Exchange Hybrid
  • Hybrid Modern Authentication (HMA)
  • Outlook Mobile (OLM)

Below is a very busy chart that illustrates the dependencies and requirements to enable these features.  I’ll go through each topic individually.

Hybrid explained

Exchange Hybrid

Not to be confused with Hybrid Modern Auth, the Exchange Hybrid configuration is used to support coexistence between on-premises Exchange and Exchange Online (EXO).  At a minimum, this configuration is required to be able to move a mailbox from on-prem to EXO.  The only supported mechanism for doing this hybrid configuration is the Hybrid Configuration Wizard (HCW), found in the Exchange Management Console.  There are actually multiple choices when running the HCW: Full Hybrid, Minimal Hybrid, and Express Migration.  For more information see New Exchange Online migration options.  To keep it simple, I’m assuming Full Hybrid is desired.  This enables the richest set of features and is required if we are going to deploy the other features later.

Also note that there is a new architecture for Exchange hybrid, named the Hybrid Agent.  Currently, this feature is in public preview – see The Microsoft Hybrid Agent Public Preview post.  Again, since the ultimate goal here is to enable other features that build upon the hybrid architecture, we must choose the “legacy” (is it really legacy if the new one has not shipped?) hybrid architecture.  As you can see, this requires publishing the internal Exchange servers to Office 365.  The new Hybrid Agent is exciting because it removes this requirement (for the most part) and makes the hybrid configuration much simpler.

This is probably the biggest challenge with the hybrid architecture – how to securely restrict access to your internal Exchange infrastructure.  That goes beyond the discussion in this post, but it may be a good topic for the future.

Hybrid Modern Authentication (HMA)

Once we have established hybrid connectivity, you may think: wouldn’t it be great if my on-premises mailboxes could leverage the same authentication flow as my cloud mailboxes?  That would mean my on-premises mailboxes could have the same Azure Conditional Access and Azure Multi-Factor Authentication policies applied.  That is where Hybrid Modern Authentication comes in. For a high-level view of the feature, see Announcing Hybrid Modern Authentication for Exchange on-premises.

The key point for this post is that enabling HMA comes with quite a few requirements.  One of the more challenging for some organizations is fully retiring Exchange 2010 (which should already be on your plan, as its end of life is approaching; see Exchange 2010 End of Support Is Coming).

Another thing that confuses many people is that enabling HMA does not block the other (legacy) authentication types.  Currently, it is not possible to block them on-premises.
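As an added example (not code from the original post), here is a read-only PowerShell audit for the on-premises Exchange Management Shell that checks the HMA prerequisites discussed above and lists which legacy authentication methods remain enabled per virtual directory. It assumes the standard Exchange virtual-directory and organization-config cmdlets and properties; the report layout and the choice of checks are my own.

```powershell
# Added example, not part of the original post: a read-only HMA readiness audit
# for the on-premises Exchange Management Shell (standard cmdlets; layout is mine).

# Requirement 1 (from the post): Exchange 2010 must be fully retired.
# Exchange 2010 reports its AdminDisplayVersion as "Version 14.x".
$legacyServers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion -like 'Version 14.*' }
if ($legacyServers) {
    Write-Warning ("Exchange 2010 servers still present: " + ($legacyServers.Name -join ', '))
}

# Requirement 2: OAuth must be accepted on the client-facing virtual directories.
# Legacy methods stay active even once HMA is on (as noted above), so each row
# also lists what is still enabled, to be monitored rather than assumed gone.
$report = @()

# MAPI/HTTP exposes a list of methods.
foreach ($vdir in Get-MapiVirtualDirectory -ADPropertiesOnly) {
    $methods = @($vdir.IISAuthenticationMethods | ForEach-Object { "$_" })
    $report += [pscustomobject]@{
        Server   = "$($vdir.Server)"
        Protocol = 'MAPI'
        OAuth    = $methods -contains 'OAuth'
        Legacy   = ($methods | Where-Object { $_ -ne 'OAuth' }) -join ','
    }
}

# EWS, OAB and Autodiscover expose per-method boolean switches instead.
$switchVdirs = @(
    @{ Protocol = 'EWS';          Items = @(Get-WebServicesVirtualDirectory  -ADPropertiesOnly) }
    @{ Protocol = 'OAB';          Items = @(Get-OabVirtualDirectory          -ADPropertiesOnly) }
    @{ Protocol = 'Autodiscover'; Items = @(Get-AutodiscoverVirtualDirectory -ADPropertiesOnly) }
)
foreach ($set in $switchVdirs) {
    foreach ($vdir in $set.Items) {
        $legacy = @()
        if ($vdir.BasicAuthentication)   { $legacy += 'Basic' }
        if ($vdir.WindowsAuthentication) { $legacy += 'Windows' }
        $report += [pscustomobject]@{
            Server   = "$($vdir.Server)"
            Protocol = $set.Protocol
            OAuth    = [bool]$vdir.OAuthAuthentication
            Legacy   = $legacy -join ','
        }
    }
}

# Requirement 3: the organization-wide HMA switch itself.
$orgConfig = Get-OrganizationConfig
"OAuth2ClientProfileEnabled (HMA on-prem switch): $($orgConfig.OAuth2ClientProfileEnabled)"
$report | Sort-Object Server, Protocol | Format-Table -AutoSize
```

Any row with OAuth reported as False, or any Exchange 2010 warning, is a prerequisite still outstanding; the Legacy column is what you will keep seeing after HMA is enabled, since on-premises cannot turn those methods off.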

Outlook Mobile (OLM)

Now that you have Hybrid and Hybrid Modern Auth configured, you may want to enforce the Outlook Mobile client as your mobile mail client.  This client can work with Microsoft Intune to protect corporate data with app protection policies, which prevent an employee from copying corporate data into non-corporate applications.  This is just one benefit; the Outlook Mobile client has many more. For a more detailed look at enabling OLM, visit Using hybrid Modern Authentication with Outlook for iOS and Android.  Keep in mind how Outlook Mobile works – it synchronizes a portion of the mailbox to Office 365.  Your OLM client does not get its mail from the on-premises server directly. For customers who are leaving mailboxes on-premises this could be an issue, or it may simply be considered transient or ephemeral data.

Conclusion

Most customers are looking at hybrid as part of their journey to Office 365.  One nice benefit of having deployed a hybrid Exchange configuration is that by satisfying a few additional requirements, you can also enable Hybrid Modern Authentication and Outlook Mobile.  If you choose to deploy HMA and Outlook Mobile before moving mailboxes, end users will have a very consistent experience as they onboard to Office 365.  You also get the benefit of a more secure platform, if used with Intune app policies, for those mailboxes that may either take a long time to get to EXO or may stay behind.  One consideration for companies that do envision 100% cloud mailboxes: HMA and Outlook Mobile require the ‘legacy’ hybrid configuration (i.e. you cannot use the Hybrid Agent currently in preview).  This approach means you must have a solution to publish your internal Exchange servers; removing that requirement is the major benefit of the new approach.