Martin_Wildi, jdixon — we have found a way, thanks to someone on the MS Exchange Online escalation team. After the hybrid setup we have to: create new auth servers on our on-premises Exchange and scope them to each customer's domains, create one IntraOrganizationConnector on-premises and one in the cloud, register the on-premises host names on the Exchange Online service principal, and upload the on-premises Exchange certificate (public part only) to ExO:
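# --- Exchange on-premises: register this tenant's token issuers and the outbound connector ---
# $tenant (with .tenant and .domains) is defined outside this snippet.
# $tenant.domains is a comma-separated list; the PRIMARY (tenant-identifying) domain must be
# first, because $domains[0] selects the tenant in the metadata URLs below.
# Split, trim stray whitespace and drop empty entries, so "a.com, b.com" does not produce " b.com".
$domains = @($tenant.domains -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($domains.Count -eq 0) { throw "tenant '$($tenant.tenant)' has no domains configured" }
$tenantServiceDomain = "$($tenant.tenant).mail.onmicrosoft.com"

# Exch on premise:
# One ACS and one Azure AD (evoSTS) issuer per tenant; the names carry the tenant so several
# customers' auth servers can coexist on the same on-premises org.
New-AuthServer -Name "WindowsAzureACS-$($tenant.tenant)" -AuthMetadataUrl "https://accounts.accesscontrol.windows.net/$($domains[0])/metadata/json/1"
New-AuthServer -Name "evoSTS-$($tenant.tenant)" -Type AzureAD -AuthMetadataUrl "https://login.windows.net/$($domains[0])/federationmetadata/2007-06/federationmetadata.xml"
# Bind the issuers to this tenant's domains. The split array is passed (one value per domain),
# the same list the online-to-on-premises connector on this page uses.
# NOTE(review): the original passed the comma-joined string in one quoted argument — confirm on
# your Exchange version that both forms bind to the same multi-valued DomainName.
Set-AuthServer -Identity "WindowsAzureACS-$($tenant.tenant)" -DomainName $domains
Set-AuthServer -Identity "evoSTS-$($tenant.tenant)" -DomainName $domains
# On-premises -> online connector; autodiscover for the tenant's service domain is answered by EXO.
New-IntraOrganizationConnector -Name "ExchangeHybridOnPremisesToOnline $($tenant.tenant)" -DiscoveryEndpoint "https://outlook.office365.com/autodiscover/autodiscover.svc" -TargetAddressDomains $tenantServiceDomain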
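# ExO:
# Online -> on-premises connector, created in the customer's Exchange Online tenant.
# The discovery endpoint is the externally reachable on-premises autodiscover URL; EXO calls it
# directly over HTTPS, so the on-premises endpoint must present a certificate EXO trusts.
# $publicAddressExchangeServerOnPrem (bare host name, no scheme) is defined outside this snippet;
# $domains is the tenant's domain list built earlier in this script.
Connect-ExchangeOnline
# Build the URL as a quoted string rather than a bare argument so the subexpression cannot be
# mis-tokenized by the parser.
$onPremDiscoveryEndpoint = "https://$publicAddressExchangeServerOnPrem/autodiscover/autodiscover.svc"
New-IntraOrganizationConnector -Name "ExchangeHybridOnlineToOnPremises" -DiscoveryEndpoint $onPremDiscoveryEndpoint -TargetAddressDomains $domains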
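# MSOL:
# Register the on-premises host names as service principal names on the Exchange Online service
# principal, so tokens requested for those names are accepted by EXO.
# 00000002-0000-0ff1-ce00-000000000000 is the well-known Office 365 Exchange Online application
# id (identical in every tenant); $x is reused below for the certificate upload.
# NOTE(review): the MSOnline module is on Microsoft's retirement path — confirm it is still
# supported in your tenant, or port this step to the Microsoft Graph PowerShell equivalent.
# NOTE(review): the EXO connector above uses $publicAddressExchangeServerOnPrem as a bare host,
# so the SPNs added here have no https:// scheme; confirm that matches the form the on-premises
# org requests tokens for (Microsoft's hybrid OAuth guidance registers them with the scheme).
Connect-MsolService
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName
if (-not $x) { throw "Exchange Online service principal $ServiceName not found in this tenant" }
# Add only SPNs that are missing: re-running the script must not append duplicates, which are
# redundant at best and may be rejected when the list is written back.
foreach ($spn in @($publicAddressExchangeServerOnPrem, $autodiscoverAddressExchangeServerOnPrem)) {
    if (-not $spn) { continue }
    if ($x.ServicePrincipalNames -notcontains $spn) { $x.ServicePrincipalNames.Add($spn) }
}
Set-MsolServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames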
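# Upload the on-premises Exchange OAuth signing certificate (PUBLIC part only) to the EXO
# service principal, so EXO can verify tokens the on-premises org signs. Only the certificate
# leaves this machine: GetRawCertData() returns the DER-encoded certificate, never a private key.
# Anyone holding the matching private key can mint tokens EXO accepts for this tenant's SPNs,
# so protect that key on the Exchange servers and re-run this step when the cert is renewed.
# $pathToExchangeCert and $x (the EXO service principal) are defined earlier / outside this snippet.
#
# The original read `$pathToExchangeCert.cer`, which is a property lookup (evaluates to $null),
# not the string "<path>.cer"; normalize the extension explicitly instead, which also accepts a
# path that already ends in .cer.
$CertFile = [System.IO.Path]::ChangeExtension($pathToExchangeCert, '.cer')
# Resolve-Path fails loudly on a missing file instead of letting an empty path reach the cert loader.
$CertFile = (Resolve-Path -LiteralPath $CertFile -ErrorAction Stop).ProviderPath
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
if ($cer.HasPrivateKey) {
    # Only the public part is uploaded, but a PFX should not be lying on the admin workstation.
    Write-Warning "$CertFile contains a private key; export and use the public .cer only"
}
if ($cer.NotAfter -lt (Get-Date)) { throw "certificate $($cer.Thumbprint) expired on $($cer.NotAfter)" }
# Record what is being trusted; compare this thumbprint with Get-ExchangeCertificate on-premises.
Write-Host "Uploading OAuth cert $($cer.Thumbprint) (valid until $($cer.NotAfter)) to service principal $($x.AppPrincipalId)"
$credValue = [System.Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $x.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue
# NOTE(review): after a certificate rollover, remove the superseded credential with
# Remove-MsolServicePrincipalCredential; otherwise the old certificate stays trusted by EXO.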