Remove Exchange Hybrid Configuration

After decommissioning the Resource Forest I still have an Exchange 2016 environment on-premises, but all my mailboxes are in Office 365. Users are provisioned in Active Directory, Remote Mailboxes are provisioned in Exchange 2016 and everything is synchronized to Office 365 using Azure AD Connect.

Do I still need an Exchange Hybrid Configuration? Unless there are plans to move resources back to Exchange on-premises, there is no need for one. To stay in a supported configuration an Exchange server on-premises is still needed for recipient management, but that only requires Azure AD Connect, not a full hybrid configuration.

Note. If you want to use the on-premises Exchange server for SMTP relay purposes you don’t need the Hybrid configuration either. Just make sure you have an SMTP Send Connector that points to Exchange Online Protection and you’re good. Two things to check on that relay path: the Send Connector should require TLS to the EOP smart host, and the Receive Connector your applications submit to should be restricted to their IP addresses, otherwise the server is an open relay reachable from anything on the internal network.

Removing the Hybrid configuration consists of the following steps:

  • Disable Autodiscover SCP in Exchange
  • Remove the Hybrid Configuration from Active Directory
  • Remove Connectors in Exchange Online
  • Remove the Organization Sharing from Exchange Online
  • Disable OAuth

Disable Autodiscover SCP in Exchange

When all Exchange resources are in Exchange Online you no longer need the on-premises Service Connection Points (SCP) for Autodiscover. Domain-joined Outlook clients query the SCP in Active Directory first and only fall back to DNS when it is absent, so before you clear it make sure the autodiscover CNAME record for each SMTP domain points to autodiscover.outlook.com.

To clear the SCP records in Active Directory, execute the following command in the Exchange Management Shell (on Exchange 2016 and later, Set-ClientAccessService is the current name for the same cmdlet; the older name still works):

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

Remove the Hybrid Configuration from Active Directory

Removing the Hybrid Configuration from Active Directory is just one PowerShell command in Exchange Management Shell:

Remove-HybridConfiguration -Confirm:$false

There’s one pitfall here: this will also remove the Outbound to Office 365 Send Connector from Exchange, so compare the output of Get-SendConnector before and after. If you want to keep SMTP relay from on-premises to your mailboxes in Exchange Online you have to recreate this connector manually (use yourdomain-com.mail.protection.outlook.com as a smart host for this). Also note that Microsoft documents Remove-HybridConfiguration as a cmdlet normally run under support guidance when the hybrid state is corrupt; here it is the intended end state, but be aware that if the Hybrid Configuration Wizard is ever run again it will treat the organization as a brand new deployment.

Remove Connectors in Exchange Online

In the Exchange Online Admin Center, remove the outbound SMTP connectors that point from Exchange Online to your on-premises Exchange organization. If you want to keep SMTP routing, keep the inbound SMTP connector, otherwise you can remove this as well. If you keep it, check how it identifies your on-premises server (TLS certificate subject or sender IP addresses): mail matching that connector is treated as internal and bypasses part of the EOP filtering, so a broad IP range or a generic certificate name is a way for anything on that range to inject mail that looks internal.

Remove the Organization Sharing from Exchange Online

To remove the Hybrid Organization Sharing (the organization relationship that the Hybrid Configuration Wizard created) from Exchange Online, navigate to Organization | Sharing in the Exchange Admin Center and remove it.

Disable OAuth

If OAuth authentication was configured by the Hybrid Configuration Wizard, you can disable it as well, in Exchange on-premises and in Exchange Online. The wizard configures OAuth through an IntraOrganizationConnector on each side, which is what the following commands disable.

In the on-premises Exchange Management Shell, execute the following command:

Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $False

And in Exchange Online PowerShell, execute the same command:

Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $False
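The five steps above as one runbook, with a pre-check before the SCP is cleared and a check after each step. This is an added example and not a script from the original post: the accepted domain contoso.com, the server name EX01, the EOP smart host name derived from the domain, the connector name and the $KeepSmtpRelay switch are all assumptions. The first part runs in the on-premises Exchange Management Shell, the second in Exchange Online PowerShell (ExchangeOnlineManagement module).

```powershell
# Added example, not from the original post. All names below are placeholders.
$Domain        = 'contoso.com'
$OnPremServer  = 'EX01'
$EopSmartHost  = 'contoso-com.mail.protection.outlook.com'   # EOP host for the accepted domain
$KeepSmtpRelay = $true                                        # keep on-prem -> Exchange Online relay?

# --- Part 1: on-premises Exchange Management Shell ---------------------------------

# Pre-check: Autodiscover must already resolve to Exchange Online before the SCP goes away,
# otherwise domain-joined Outlook clients lose their only remaining lookup path.
$cname = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction Stop
if ($cname.NameHost -notlike 'autodiscover.outlook.com*') {
    throw "autodiscover.$Domain does not point to autodiscover.outlook.com (found: $($cname.NameHost))"
}

# Step 1: clear the SCP (Get/Set-ClientAccessService is the newer name for the same object).
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri   # expect empty URIs

# Step 2: snapshot the Send Connectors, remove the HybridConfiguration object, report what vanished.
$before = @(Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts)
Remove-HybridConfiguration -Confirm:$false
$after  = @(Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts)
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name |
    Where-Object SideIndicator -eq '<=' |
    ForEach-Object { Write-Warning "Send Connector removed by hybrid cleanup: $($_.Name)" }

# Recreate the relay to EOP if on-prem applications still submit mail through Exchange.
# The address space is limited to our own domain: with the Exchange Online inbound connector gone,
# EOP only accepts mail for the tenant's domains from this host. RequireTLS + DomainValidation
# makes the session fail closed instead of falling back to clear text.
if ($KeepSmtpRelay -and -not ($after | Where-Object { "$($_.SmartHosts)" -match 'mail\.protection\.outlook\.com' })) {
    New-SendConnector -Name 'Relay to Exchange Online' -Usage Custom `
        -AddressSpaces $Domain `
        -SmartHosts $EopSmartHost -DNSRoutingEnabled $false `
        -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain 'mail.protection.outlook.com' `
        -SourceTransportServers $OnPremServer
}

# Step 5, on-premises half: disable the OAuth intra-organization connector.
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false

# --- Part 2: Exchange Online PowerShell ----------------------------------------------

Connect-ExchangeOnline -ShowBanner:$false

# Step 3: remove the connectors that point at the on-premises organization.
# Outbound (Exchange Online -> on-prem) always goes; inbound (on-prem -> Exchange Online) only
# if relay is not kept. ConnectorType 'OnPremises' marks the ones the wizard created.
Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Remove-OutboundConnector -Confirm:$false
if (-not $KeepSmtpRelay) {
    Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
        Remove-InboundConnector -Confirm:$false
}

# Step 4: remove the organization sharing (organization relationship) for our domain.
Get-OrganizationRelationship |
    Where-Object { @($_.DomainNames | ForEach-Object { "$_" }) -contains $Domain } |
    Remove-OrganizationRelationship -Confirm:$false

# Step 5, cloud half: disable the OAuth intra-organization connector.
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false

# Post-check: nothing should still reference the on-premises organization.
Get-OutboundConnector | Where-Object ConnectorType -eq 'OnPremises'
Get-OrganizationRelationship | Format-Table Name, DomainNames
Get-IntraOrganizationConnector | Format-Table Name, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

If the Send Connector snapshot shows the outbound connector was not removed in your environment, the `New-SendConnector` branch simply does nothing; the comparison is there so you know which case you are in instead of finding out from a mail queue later.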

These are the steps needed to remove the Hybrid Configuration from your Exchange environment.

Note. Microsoft recommends leaving the Exchange Hybrid Deployment option enabled in Azure AD Connect. It controls the write-back of a handful of Exchange attributes (for example the cloud archive status and the safe and blocked sender lists) from Exchange Online to the on-premises Active Directory, which you still want when Active Directory remains the source of authority.

Summary

In this blogpost I explained how to remove the Hybrid Configuration from your Exchange environment after you have moved all resources to Exchange Online.

The on-premises Exchange server is still needed for management purposes. After removing the Hybrid Configuration you can still manage your Exchange Online recipients using the on-premises Exchange server; all changes are written to Active Directory and replicated to Azure Active Directory by Azure AD Connect. Since that server no longer serves mail or clients, it does not need to be published to the internet at all; keep it patched and reachable only from your management network.

Is that last Exchange server on-premises still needed? Yes, you need it for managing your recipients in Exchange Online. When Azure AD Connect is running in your environment, the objects are mastered in the on-premises Active Directory: Active Directory is the source of authority, and the synchronized attributes cannot be edited in Exchange Online. As long as Microsoft hasn’t fixed the source of authority problem, an Exchange server on-premises is still needed.

14 thoughts on “Remove Exchange Hybrid Configuration”

  1. Hello, nice blog post. Only one question: how do you create a “New-RemoteMailbox” without hybrid?

    Thanks


    1. Hi Nicolas,
      On your on-premises Exchange server you use the New-RemoteMailbox command and this will populate all properties in Active Directory. Azure AD Connect will synchronise these to Azure AD and the mailbox in Exchange Online will be created (don’t forget the license of course)

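The provisioning flow the reply describes, as an added example that is not part of the post or the comment: a remote mailbox is created on the on-premises server and the attributes Azure AD Connect needs are checked before the object syncs. The domain contoso.com, the tenant routing domain contoso.mail.onmicrosoft.com, the OU, the user and the Azure AD Connect server name AADC01 are assumptions.

```powershell
# Added example, not from the post or the comments. Names are placeholders.
$Domain        = 'contoso.com'
$RoutingDomain = 'contoso.mail.onmicrosoft.com'   # tenant coexistence (routing) domain
$Alias         = 'jdoe'
$OU            = 'contoso.com/Users'

# Ask for the initial password interactively so it never lands in a script or a transcript.
$pw = Read-Host -AsSecureString -Prompt "Initial password for $Alias"

# New-RemoteMailbox creates the AD user and stamps the Exchange attributes; the mailbox
# itself only exists in Exchange Online once the object has synced and a license is assigned.
$rm = New-RemoteMailbox -Name 'John Doe' -FirstName 'John' -LastName 'Doe' -Alias $Alias `
        -UserPrincipalName "$Alias@$Domain" -PrimarySmtpAddress "$Alias@$Domain" `
        -RemoteRoutingAddress "$Alias@$RoutingDomain" `
        -OnPremisesOrganizationalUnit $OU -Password $pw -ResetPasswordOnNextLogon $true

# Check what Azure AD Connect will pick up: the primary address on the vanity domain and the
# remote routing address (targetAddress) on the tenant domain.
$rm | Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, RecipientTypeDetails
if ("$($rm.RemoteRoutingAddress)" -notlike "*$Alias@$RoutingDomain") {
    Write-Warning "RemoteRoutingAddress is not on $RoutingDomain; fix it with Set-RemoteMailbox -RemoteRoutingAddress"
}
if ("$($rm.PrimarySmtpAddress)" -ne "$Alias@$Domain") {
    Write-Warning "PrimarySmtpAddress is $($rm.PrimarySmtpAddress), expected $Alias@$Domain"
}

# Optional: trigger a delta sync on the Azure AD Connect server (ADSync module) instead of
# waiting for the next scheduled cycle; assign the license in the tenant afterwards.
Invoke-Command -ComputerName 'AADC01' -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
```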

  2. Hi, but isn’t this command dependent on the HCW? After I removed it, I found that this command is no longer available, isn’t it?


      1. I just checked, the New-RemoteMailbox and Enable-RemoteMailbox cmdlets are available on a non-hybrid Exchange 2019 server.
        You only need Azure AD Connect for this to work, a hybrid configuration is not needed.


  3. Hi!

    If you removed all on-prem Exchange servers after removing the hybrid deployment, wouldn’t you just be able to create a new user in the on-prem AD, give it the correct mail attribute for your organisation and proxyAddresses via AD, let it sync to the cloud and then give it a license for a mailbox, and that would work?


    1. That’s correct. Pay attention to a few other attributes and that’s it. Remember that changes are always made on-premises, so if you want to change for example an email address, use ADSI Edit and let it replicate to Azure AD. The only thing is that it is not formally supported (but it does work).


  4. Is there a list of Exchange attributes you should worry about, when creating a user on-prem and let it sync with AD connect, when all your on-prem Exchange servers are decommissioned?
    Are there known PS scripts to do this? And how about creating shared mailboxes on-prem and ‘Enable-Mailbox’ them?


    1. Hi Ronald,
      The officially supported way is to keep one Exchange server on-premises for management purposes, this will take care of the Exchange attributes. You can decommission the very last Exchange server (not supported, but working) and edit the on-premises attributes with ADSI Edit and have these replicated.
      Maybe this can help you here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

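The attribute-only provisioning discussed in this thread, as an added example that is not from the post or the comments: the same attributes the replies mention (mail and proxyAddresses, plus mailNickname, which Azure AD Connect maps to the mailbox alias) set with the ActiveDirectory module instead of ADSI Edit, with a uniqueness check before the next sync cycle. As the replies above say, this path is not supported by Microsoft. The user jdoe and the domain contoso.com are assumptions.

```powershell
# Added example, not from the post or the comments. Unsupported path per the thread above;
# the user and domain are placeholders.
Import-Module ActiveDirectory

function Set-CloudMailboxAttributes {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $PrimarySmtpAddress,
        [string[]] $SecondarySmtpAddresses = @()
    )
    $alias = $PrimarySmtpAddress.Split('@')[0]
    # Exactly one upper-case SMTP: entry (the primary); every other address is lower-case smtp:.
    $proxy = @("SMTP:$PrimarySmtpAddress") + @($SecondarySmtpAddresses | ForEach-Object { "smtp:$_" })
    Set-ADUser -Identity $SamAccountName -Replace @{
        mail           = $PrimarySmtpAddress
        mailNickname   = $alias
        proxyAddresses = [string[]]$proxy
    }
    Get-ADUser -Identity $SamAccountName -Properties mail, mailNickname, proxyAddresses |
        Select-Object SamAccountName, mail, mailNickname, proxyAddresses
}

# A proxy address present on two objects is a sync error in Azure AD Connect and, if it slips
# through, a quiet way to divert someone else's mail. Check before the next delta cycle.
function Test-ProxyAddressUnique {
    param([Parameter(Mandatory)] [string] $SmtpAddress)
    # LDAP equality matching on proxyAddresses is case-insensitive, so this also finds SMTP: entries.
    $hits = @(Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$SmtpAddress)" -Properties proxyAddresses)
    if ($hits.Count -gt 1) {
        Write-Warning "$SmtpAddress is present on $($hits.Count) objects: $($hits.DistinguishedName -join '; ')"
    }
    return ($hits.Count -le 1)
}

Set-CloudMailboxAttributes -SamAccountName 'jdoe' -PrimarySmtpAddress 'jdoe@contoso.com' `
    -SecondarySmtpAddresses 'john.doe@contoso.com'
Test-ProxyAddressUnique -SmtpAddress 'jdoe@contoso.com'
Test-ProxyAddressUnique -SmtpAddress 'john.doe@contoso.com'
```

The function replaces the whole proxyAddresses set rather than appending, so an old address you want to keep must be passed again as a secondary address; that is deliberate, because appending with ADSI Edit is how stray duplicates end up on objects.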

  5. Hello
    after no mailboxes are hosted on the on-premises Exchange server and I have resolved the hybrid configuration, can I also delete the Exchange databases?
    The on-premises server runs version 2013.
    I want to keep the resources needed for the on-prem server as low as possible. Which services on the server can I still uninstall?
    May and should the on-prem 2013 server for managing mailboxes be raised to version 2019?

    Thank you


    1. Hello Franz,
      I always keep one mailbox database on-premises, circular logging enabled, where the system mailboxes are hosted.
      Your question regarding the services is more difficult, never thought about that or had the question before. Of course IIS must be running and the Information Store, otherwise logging on to EAC will not work (I think, never tested). If you have removed hybrid configuration, I assume you don’t have any SMTP relay so SMTP services can be stopped. Search, UM, Replication, Compliance can be stopped (again, I think). If you go down this path you must disable health manager, otherwise this will start all other services.
      But to be honest, I would not do this myself. Why would you do this?
      The on-premises 2013 server can be upgraded to Exchange 2019, but I would upgrade to Exchange 2016 since this is a free hybrid license (which is not available for Exchange 2019)


      1. Thanks for your answer!
        I want to keep the attack surface as low as possible. Also, I don’t want to waste unnecessary IT resources (CPU,RAM, storage) for Exchange.
        How do I get the free hybrid license?
        Do I have to install them again on a new machine?


      2. That makes sense. What you can do is not publish the Exchange server to the internet, or at least do not publish EAC to the internet. Another option is to isolate the Exchange server on a separate network segment where only you can access it.
        I can understand your thoughts about the IT resources, but it still is a regular Exchange server and as such needs resources. You can throttle it down to only one virtual disk, one vCPU and 8GB of memory. Or, you can completely remove the Exchange server, and continue working with ADSI Edit, but you must make sure you thoroughly understand what’s going on in Active Directory. I know customers that do this, it is not supported but can work well.
        As for the free license, check https://aka.ms/hybridkey

