Office 365 hybrid deployment with on-premises Exchange 2013 - overview questions

I'm tentatively proposing that one of my clients implement an Office 365 hybrid deployment.

The client is about ~25 employees. They currently have a pretty nice Microsoft server set up. Two on premises DCs (which replicate to each other), Fileservers (which replicate via DFSR), and two Exchange 2013 Servers (which replicate via a DAG). Each DC/FS/Exchange Server is a VM. They have two physical servers that run Hyper-V.

The problem they're having is that 1) remote users trying to access their mailboxes (via Outlook Anywhere or ActiveSync) are sucking up all the Internet bandwidth, and 2) They're also having trouble with spam issues for inbound/outbound email. Tons of spam arriving for inbound mail and outbound mail gets flagged as spam by other people. This is mostly because the on-premises Exchange Server is delivering outbound mail directly via MX records, and the inbound mail is scanned by an aging commercial anti-spam program (Symantec Mail Security) that does a pretty poor job.

This particular client is a non-profit and it turns out they're eligible to have as many free Office 365 E1 licenses as they want.

So what I'd like to do is deploy a hybrid Office 365 deployment where they can use their on-premises Exchange Server together with Office 365 and AD FS.

I'm hoping the end result will look like this:

1) Active Directory Federation Services provides single-sign-on and directory sync. This means the integration that users enjoy with the on-premises Exchange Server continues to work the same way:  New user accounts that are created in Active Directory / Exchange Management Console have the same credentials as the users in Office 365, Outlook "automagically" configures itself when you open it just like it does with the on-premises Exchange Server. The Global Address Book is populated with the data in the on-premises directory, users don't have to remember two sets of passwords for their workstation + their email.

2) Mailbox data is replicated between the on-premises Exchange Servers and the Office 365 hosted servers

3) Users who are in the office access their mailbox directly via the on-premises Exchange Server like normal

4) Users who are out of the office or using smartphones access the mailbox via Office 365 cloud services

5) Outbound emails are routed through Office 365 and get delivered reliably and don't get flagged as spam by the recipient just like they would in a non-hybrid Office 365 subscription

6) Inbound emails pass through Office 365's anti-spam filters, and spam goes into the user's Junk Email just like they would in a non-hybrid Office 365 subscription

7) This is all doable with Office 365 E1 licenses

Technical implementation details aside.... is this an accurate picture of what the end result is going to look like assuming everything is done correctly?

Secondly... how long would it take to implement this assuming that you know what you're doing?

Adam Brown, Sr Solutions Architect, commented:
With the exception of Number 3, yes. In order for users to access their mailbox through the on-prem server, their mailbox must be located on-prem. That means that if you migrate all mailboxes to O365, all users will connect to O365's servers to retrieve mail, regardless of whether they are at the office or not. If you have some users that only work remote and some that are on-prem, your number 3 would be correct as long as only the users who remain in the office have their mailbox on-prem.
Cliff Galiher commented:
Prepare for disappointment. First, one of the things you mentioned in your question is not on your numbered list but requires explanation:

" This is mostly because the on-premises Exchange Server is delivering outbound mail directly via MX records"

*ALL* modern email is delivered by using MX records. This is not a red flag for any antispam product in itself and is how email fundamentally works. If you are getting outbound mail flagged as spam, you have some other problem.

Now for your questions:

1) ....sort of. You will have user account syncing and true single sign-on. However, you asked if they'd have "the same credentials." That is technically a no. An account set up to use ADFS will actually contact your ADFS server and check the credentials against your domain controller. Credentials are *not* stored in Azure AD and therefore, if your ADFS or domain infrastructure is unreachable, so are the Office 365 accounts that rely on it, for the duration. And since it is still hitting your internal infrastructure, your bandwidth will still matter.

Alternatively, DirSync *without* ADFS can sync credentials, but then you lose true single sign-on. That's the trade-off.

2) No. In a hybrid deployment, the mailbox lives on-prem *or* in Office 365, and can be freely moved between the two. But it is *not* replicated. It lives in one or the other, not both simultaneously.

3) Only if the mailbox is housed on-premises. Mailboxes homed in O365 will require on-prem users to access O365 servers.

4) This is the inverse of #3. Only users homed on O365 will access mailboxes via O365. Remote users with mailboxes homed on-premises will still come in over your internet connection.

Both 3 and 4 are the result of the misunderstanding of #2. Since mailboxes are *not* replicated, how users access the mailbox is one or the other, depending on where you homed it.

5) You can route all outbound mail through O365. Whether it gets flagged as spam depends on why it is getting flagged now. A bad SPF record can still cause spam flagging and routing through O365 wouldn't fix that. Thus my clarification at the start of this response.

6) Correct.

7) Correct.

Timeframe? Hybrid is fairly easy. A couple of days of configuration and testing. I'd usually quote 30 hours for initial setup, and then subsequent mailbox moves can be done at leisure, since that is the point of hybrid.
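The point in item 5 above, that an SPF record which does not list the servers actually sending your mail will keep getting you flagged no matter where you route outbound, is easy to check before a migration. The following is an added example, not code from this thread or from any of the commenters: a small SPF evaluator in the spirit of RFC 7208 that walks a record's `ip4`/`ip6`/`include`/`all` terms for a given sending IP and counts DNS-querying terms against the 10-lookup limit. All DNS data is a constructed in-memory table (the `example.org` zone and the contents of the `spf.protection.outlook.com` include are stand-ins, not the real published records), so it runs offline; swapping `lookup_spf` for a real TXT resolver would make it usable against a live domain.

```python
"""Evaluate an SPF record for a candidate sending IP (constructed example)."""
import ipaddress

# Constructed TXT data standing in for DNS. The Exchange Online include name is
# real, but its contents below are a made-up stand-in for this example.
FAKE_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all",
    "old.example.org": "v=spf1 ip4:203.0.113.10 ~all",          # O365 senders missing
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most 10 DNS-querying terms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = ("include", "a", "mx", "exists", "ptr")


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the SPF TXT record for domain, or None if there is none."""
    rec = txt.get(domain)
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(domain, sender_ip, txt=FAKE_TXT, lookups=None):
    """Return (result, reason) for sender_ip sending as domain.

    result is one of pass / fail / softfail / neutral / none / permerror.
    """
    if lookups is None:
        lookups = [0]  # shared mutable counter across include recursion
    record = lookup_spf(domain, txt)
    if record is None:
        return "none", f"no SPF record for {domain}"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:
            continue                          # modifiers (redirect=, exp=) not handled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qual], f"{domain}: matched 'all'"

        if name in ("ip4", "ip6"):
            # A bare address without a prefix length is treated as a /32 or /128.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], f"{domain}: matched {name}:{arg}"
            continue

        if name in DNS_TERMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", f"{domain}: more than {MAX_LOOKUPS} DNS lookups"
            if name == "include":
                sub, _ = check_spf(arg, sender_ip, txt, lookups)
                if sub == "pass":
                    return QUALIFIERS[qual], f"{domain}: matched include:{arg}"
                if sub in ("none", "permerror"):
                    return "permerror", f"{domain}: include:{arg} unresolvable"
                continue                      # fail/softfail/neutral inside include: keep going
            continue                          # a/mx/exists/ptr need A/MX data not in this table

        return "permerror", f"{domain}: unknown term {term}"

    return "neutral", f"{domain}: no mechanism matched and no 'all' term"


def dns_lookup_count(domain, txt=FAKE_TXT):
    """Count DNS-querying terms reachable from domain's record (include-recursive)."""
    lookups = [0]
    check_spf(domain, "192.0.2.1", txt, lookups)   # TEST-NET address matches nothing
    return lookups[0]


if __name__ == "__main__":
    for dom, ip in [("example.org", "198.51.100.25"),
                    ("old.example.org", "198.51.100.25"),
                    ("example.org", "192.0.2.5")]:
        print(dom, ip, check_spf(dom, ip))
```

Running it shows the difference the commenter is describing: a message leaving through the constructed Office 365 range passes for `example.org`, whose record includes the Exchange Online sender list, but only softfails for `old.example.org`, whose record still names only the on-premises server. Receivers treating softfail as a spam signal would keep flagging that domain's mail after the routing change; the fix is the record, not the route.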

Vasil Michev (MVP) commented:
And to clarify on number 2, mailbox data is NOT replicated between on-prem and O365, only the object attributes are. With the relevant implications to 3 and 4.

Doing a Hybrid and AD FS for just 25 users is overkill imo. Do a simple cutover migration or remote moves, and use dirsync with password sync.
Adam Farage, Sr. Enterprise Architect, commented:
"Active Directory Federation Services provides single-sign-on and directory sync."

ADFS is not DirSync, which is now technically called Azure AD Sync. ADFS is Active Directory Federation Services, which allows a web proxy into AD so that when an authentication request is handled internally it can be proxied to O365 (and vice versa) for SSO.

Azure AD Sync will do a sync between O365 Azure AD and on-prem Active Directory of the recipient objects and attributes, along with passwords if you choose (which you need to do for SSO).

As for Outlook automatically configuring itself, that is AutoDiscover not ADFS. AutoDiscover and your namespace might be shifted a bit due to the hybrid mode.

The cost model around 20-30 users using Exchange 2013 / O365 in hybrid mode doesn't make any sense. I would recommend simply taking these users and doing a cutover migration. That's what I would recommend, at least.