It’s well documented how Exchange hybrid coexistence with Office 365 enables a smooth migration from Exchange on-premises to Exchange Online. What’s not always understood is why maintaining a single hybrid Exchange server indefinitely is needed. Your biggest mistake would be to decommission your on-premises Exchange, and the reasons are centered around four topics: administrative burden, journaling (for compliance especially), mail relay, and remote mailboxes.
Azure Active Directory (AAD) Connect (directory synchronization) is a requirement for a hybrid coexistence and remote move migrations of mailboxes to Exchange Online. When directory synchronization is implemented, the source of authority for user account provisioning changes from your Office 365 tenant to Active Directory on-premises.
What this means is that user account attributes cannot be added or revised in Office 365. They must be modified in Active Directory, which synchronizes to Office 365. Among these attributes (properties) are:
- First name
- Last name
- Display name
- User Principal Name (UPN) – user logon name
- Proxy addresses – email aliases
- Primary email address
- Target address – routing address for on-premises email flow to Exchange Online
- SIP address – Skype for Business address
- Exchange specific attributes such as recipient type and recipient type details
With Exchange on-premises, it’s a streamlined and semi-automated process to create a mailbox and have much of this auto-populated. In the absence of Exchange on-premises, each of these attributes has to be manually edited on each user account every time a user is provisioned or modified. This becomes an additional administrative burden on IT staff.
Additionally, other administrative tasks become unavailable or labor-intensive.
No not this journaling...
Another element of email that many clients need for compliance purposes is journaling. For those not with a strong Exchange background, journaling is essentially a native recording of specific inbound and outbound email communications.
Thankfully, journaling rules can be created in Office 365. The catch is that the journaling mailbox itself cannot exist in Office 365. Therefore, an external mailbox is needed to route mail via the journaling rule.
“In Office 365, you can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service. If you're running an Exchange hybrid deployment with your mailboxes split between on-premises servers and Office 365, you can designate an on-premises mailbox as the journaling mailbox for your Exchange Online and on-premises mailboxes.”
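Below is an added example, not from the original post, of what the quoted guidance looks like in practice: a global journal rule in Exchange Online whose journaling mailbox lives on-premises, plus the NDR mailbox the service requires. The names journal@contoso.com and journal-ndr@contoso.com are assumed placeholders, and the session is assumed to be an Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example (not from the original post): journaling in Exchange Online
# with an on-premises journaling mailbox, as the quoted documentation describes.
# Assumed placeholder names: journal@contoso.com (on-premises mailbox),
# journal-ndr@contoso.com (alternate mailbox for undeliverable journal reports).

# If the journaling mailbox is unreachable, undeliverable journal reports go here.
# This must be a different mailbox from the journaling mailbox itself, otherwise
# reports can be lost when the journaling mailbox is the thing that is failing.
Set-TransportConfig -JournalingReportNdrTo "journal-ndr@contoso.com"

# Global scope records both internal and external messages for every mailbox.
# The journal reports are addressed to the on-premises mailbox, so hybrid mail
# flow carries them back through the on-premises Exchange server.
New-JournalRule -Name "Compliance journal (all mail)" `
    -JournalEmailAddress "journal@contoso.com" `
    -Scope Global `
    -Enabled $true

# Verify the rule exists, is enabled, and points at the on-premises mailbox.
Get-JournalRule | Format-Table Name, Scope, JournalEmailAddress, Enabled
```

The check at the end is the one worth keeping in a runbook: a journal rule that is disabled, or whose JournalEmailAddress points at a mailbox that was later migrated to Exchange Online, silently stops satisfying the compliance requirement.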
Let’s consider mail relay from on-premises applications and devices to recipients internal and external to the organization. Line of business applications such as human resources often need to relay mail to recipients, yet lack an email engine to do so. Thus, they rely on mail relay to an SMTP server. There is an Office 365 internet relay server, but it requires both TLS capability and authentication. Most legacy applications and devices (e.g. scan to email) do not accommodate both of these. This is easy to address by using the already present Exchange on-premises server for relay. Chances are the relays are already set up and require no additional effort to transition to Exchange Online.
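The following is an added example, not from the original post, of the relay connector an on-premises hybrid server would provide for an application that can do neither TLS nor authentication. The server name EXCH01 and the application host 10.10.5.20 are assumed placeholders. The security point is the RemoteIPRanges scope: an anonymous relay connector is only safe when it accepts mail from the specific hosts that need it, and its protocol log is what lets you attribute relayed mail to a source.

```powershell
# Added example (not from the original post): a dedicated receive connector on the
# on-premises hybrid Exchange server for a line-of-business application that cannot
# use TLS or authenticate. Assumed placeholders: EXCH01 (server), 10.10.5.20 (HR app).
# Run in the Exchange Management Shell on-premises.

# Scope the connector to the single application host. A broad range
# (a whole subnet, or 0.0.0.0-255.255.255.255) turns this server into an open relay.
# The more specific RemoteIPRanges wins over the default frontend connector on port 25.
New-ReceiveConnector -Name "HR App Relay" `
    -Server "EXCH01" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "10.10.5.20" `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers

# Only needed if the application must also send to external recipients.
# Without this extended right, anonymous senders can reach internal recipients only,
# which is the safer default for scan-to-email style devices.
Get-ReceiveConnector "EXCH01\HR App Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Keep verbose protocol logging so relayed traffic is attributable to its source IP
# and so unexpected senders on this connector show up during review.
Set-ReceiveConnector "EXCH01\HR App Relay" -ProtocolLoggingLevel Verbose

# Periodic review: every connector that grants anonymous relay, with its IP scope.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Identity, RemoteIPRanges, ProtocolLoggingLevel
```

The final query is the one to run on a schedule: a connector whose RemoteIPRanges has drifted to a whole subnet, or that has lost its protocol logging, is the usual way an internal relay quietly becomes a spam or phishing source.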
One of the most difficult tasks to accomplish without Exchange hybrid is creating remote mailboxes and having Active Directory be aware of those recipient mailboxes and how to route mail to them (e.g. for relay). First, there is no way to create a remote mailbox through Active Directory alone, without Exchange. Secondly, it hinges on the aforementioned attributes, most specifically the target address (routing address). In order for an on-premises relay to correctly route mail, it relies on the target address being in the format of email@example.com. This is automatically generated via email address policies when using Exchange on-premises to provision mailboxes.
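The two passages above (the attribute list that has to be maintained by hand, and the remote mailbox whose target address the on-premises relay depends on) come down to the same set of Active Directory attributes, so here is one added example, not from the original post, that contrasts the two provisioning paths. The user jdoe, the domain contoso.com and the routing domain contoso.mail.onmicrosoft.com are assumed placeholders; the Exchange recipient-type values are Microsoft's documented constants for a remote user mailbox.

```powershell
# Added example (not from the original post): provisioning a cloud mailbox for a
# new AD user with the hybrid Exchange tools versus by hand in Active Directory.
# Assumed placeholders: jdoe, contoso.com (primary SMTP domain),
# contoso.mail.onmicrosoft.com (hybrid routing domain).

$User           = "jdoe"
$PrimarySmtp    = "jdoe@contoso.com"
$RoutingAddress = "jdoe@contoso.mail.onmicrosoft.com"

# --- Path 1: with the on-premises hybrid server (Exchange Management Shell) ---
# One cmdlet stamps mailNickname, proxyAddresses (from the email address policy),
# targetAddress (the remote routing address) and the Exchange recipient-type
# attributes. AAD Connect then syncs the object and Exchange Online creates the
# mailbox; nothing is typed by hand.
Enable-RemoteMailbox -Identity $User -RemoteRoutingAddress $RoutingAddress

# --- Path 2: without Exchange on-premises (RSAT ActiveDirectory module only) ---
# Every attribute the list earlier in the post names is set individually, on every
# user, and the recipient-type constants have to be looked up and typed correctly.
# These are the documented values for a remote user mailbox.
Set-ADUser -Identity $User -Replace @{
    mailNickname                 = $User
    mail                         = $PrimarySmtp
    targetAddress                = "SMTP:$RoutingAddress"
    proxyAddresses               = @("SMTP:$PrimarySmtp", "smtp:$RoutingAddress")
    msExchRecipientTypeDetails   = 2147483648   # RemoteUserMailbox
    msExchRecipientDisplayType   = -2147483642  # RemoteUserMailbox
    msExchRemoteRecipientType    = 1            # ProvisionedMailbox
}

# Check either path produced what an on-premises relay needs to route the mail:
# a targetAddress in the routing domain and a matching smtp: proxy address.
Get-ADUser -Identity $User -Properties mail, targetAddress, proxyAddresses, msExchRecipientTypeDetails |
    Select-Object SamAccountName, mail, targetAddress, proxyAddresses, msExchRecipientTypeDetails
```

The manual path is not just more typing: a mistyped targetAddress or a missing smtp: proxy in the routing domain produces a user whose mail is relayed to the wrong place or bounced, and there is no tooling to catch it before the next directory synchronization cycle.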
One more advantage to maintaining hybrid coexistence is email address policies. In Exchange Online, email address policies only apply to Office 365 groups (unified groups). There is currently no way to apply email address policies to the primary and proxy email addresses of other recipients in Office 365. This makes sense when you recall that Active Directory becomes the source of authority with directory synchronization.
In summary, it’s an administrative nightmare to provision recipients and administer coexistence between Active Directory and Exchange Online without the Exchange on-premises server tools. I hope I’ve impressed upon you the importance of keeping this in your plan for long-term coexistence. For more information, visit https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange.