Learn about mail routing between Exchange and Exchange Online

When you configure a hybrid Exchange environment, mail routing can be a challenging topic. How does Exchange know when to send email to Exchange Online? What happens when I change my MX record to point at Exchange Online Protection: will email still reach my on-premises recipients? Let’s take a deep dive and learn about mail routing between Exchange and Exchange Online.

Do I need to change the MX record after I run the Hybrid Configuration Wizard?

No, you don’t have to, but you can if you want to.

Mail flow can stay the same throughout your migration. Exchange forwards messages to Exchange Online once a mailbox has been migrated, and Exchange and Exchange Online use the secure mail flow feature to send messages to each other.

The image below shows a schematic view of the mail flow between the internet and the Exchange environment, and between the Exchange environment and Exchange Online.


However, once most mailboxes in your organization are migrated, most messages end up in Exchange Online, and your Exchange servers become simple pass-through servers. Therefore it is logical to change your mail flow during, or right after, the migration of (most) mailboxes. From that point onward, Exchange Online forwards messages back to Exchange if the recipient’s mailbox is still hosted on-premises.

The image below shows a schematic view of the mail flow between the Internet and Exchange Online, and between Exchange Online and the on-premises Exchange environment.


You can change your MX record to point to Exchange Online Protection right after you complete the HCW if you want to leverage Exchange Online Protection features. Before changing the MX record, make sure all mail-enabled objects are synchronized to Entra ID via Azure AD Connect.

How do Exchange and Exchange Online know where a recipient’s mailbox is hosted?

Active Directory, Entra ID and Azure AD Connect play a key role in this. A couple of attributes stored in Active Directory and Entra ID define the type of a mail-enabled object, and Azure AD Connect makes sure that the attribute values from Active Directory are synchronized to Entra ID.

Attributes stored in Active Directory and used by Exchange:

  • msExchRecipientDisplayType – Specifies the recipient type.
  • msExchRecipientTypeDetails – Specifies the recipient subtype.
  • msExchRemoteRecipientType – Specifies the remote type.

Attributes stored in Entra ID and used by Exchange Online:

  • CloudMSExchRecipientDisplayType – Entra ID’s equivalent of msExchRecipientDisplayType
  • RecipientTypeDetails – Entra ID’s equivalent of msExchRecipientTypeDetails

The numeric values of these attributes determine whether the mail-enabled object is, for example, a user mailbox, a shared mailbox, a resource mailbox or something else, and whether it is synchronized or not. You can find all the values of each attribute here: Messaging and Collaboration – OnPrem and Cloud: O365: Exchange and AD: How msExchRecipientDisplayType and msExchangeRecipientTypeDetails Relate to Your On-Premises (vermagautam85.blogspot.com).

All mail-enabled objects in your Exchange environment have their msExchRecipientDisplayType, msExchRecipientTypeDetails and msExchRemoteRecipientType attributes set to the values corresponding to an on-premises hosted mail object. After the migration, the values are changed to the corresponding values for migrated mail-enabled objects, Azure AD Connect synchronizes the changed attribute values to Entra ID, and Exchange Online picks up the modified values from there.

How does Exchange know where to send messages once the mailbox is migrated?

Once a mailbox is migrated, Exchange uses the Remote Routing Address attribute value, which is a proxy address, to forward email to Exchange Online. The secure mail routing feature configures a send connector during the HCW that ensures messages sent to an @[organisation-domain-name].mail.onmicrosoft.com address are delivered to Exchange Online.

Therefore it is important to check that the Remote Routing Address is set correctly after migration; for some reason this isn’t always the case. You can check this by running the following PowerShell cmdlet in your Exchange Management Shell to find all migrated mail-enabled objects without a properly set remote routing address:

# Migrated mailboxes whose remote routing address does not end in the hybrid routing domain
Get-RemoteMailbox -ResultSize Unlimited | Where-Object { $_.RemoteRoutingAddress -notlike '*mail.onmicrosoft.com' }
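The one-liner above only finds missing addresses. As an added example (not part of the original post), the script below goes a step further: it discovers the hybrid routing domain from the accepted domains instead of hard-coding it, checks that each migrated mailbox's remote routing address is both in that domain and present as a proxy address, and previews the fix with -WhatIf. It assumes an on-premises Exchange Management Shell and that the HCW added the tenant's *.mail.onmicrosoft.com domain as an accepted domain.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange Management Shell.
# Assumption: the Hybrid Configuration Wizard added <tenant>.mail.onmicrosoft.com as an
# accepted domain, which is how the routing domain is discovered below.

# 1. Discover the hybrid routing domain rather than hard-coding it.
$acceptedRouting = Get-AcceptedDomain |
    Where-Object { $_.DomainName -like '*.mail.onmicrosoft.com' } |
    Select-Object -First 1
if (-not $acceptedRouting) {
    throw 'No *.mail.onmicrosoft.com accepted domain found; was the Hybrid Configuration Wizard run?'
}
$routingDomain = $acceptedRouting.DomainName.ToString()

# 2. Check each RemoteMailbox on two points:
#    a) RemoteRoutingAddress lies in the routing domain, so the hybrid send connector
#       hands the message to Exchange Online instead of looping it back on-premises;
#    b) that same address also exists as a proxy address on the object.
$findings = foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
    $rra     = [string]$rm.RemoteRoutingAddress        # e.g. smtp:alias@contoso.mail.onmicrosoft.com
    $proxies = $rm.EmailAddresses | ForEach-Object { $_.ToString() }
    $routeOk = $rra -like "*@$routingDomain"
    $proxyOk = $proxies -contains $rra
    if (-not ($routeOk -and $proxyOk)) {
        [pscustomobject]@{
            Identity             = $rm.Identity
            RemoteRoutingAddress = $rra
            RoutingDomainOk      = $routeOk
            PresentAsProxy       = $proxyOk
            # Conventional value Enable-RemoteMailbox assigns: alias@<routing domain>.
            SuggestedFix         = 'smtp:{0}@{1}' -f $rm.Alias, $routingDomain
        }
    }
}

# 3. Report, then show what the remediation would do without changing anything.
if (-not $findings) { Write-Host "All remote mailboxes route via $routingDomain."; return }
$findings | Format-Table -AutoSize
foreach ($f in $findings) {
    Set-RemoteMailbox -Identity $f.Identity -RemoteRoutingAddress $f.SuggestedFix -WhatIf
}
```

Remove -WhatIf only after reviewing the report; a mailbox whose alias differs from the local part of its intended routing address needs the address set by hand.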

How does Exchange Online know when to send messages to the Exchange environment?

Exchange Online knows from the values of CloudMSExchRecipientDisplayType and RecipientTypeDetails whether the mailbox is hosted online or on-premises. If the recipient’s mailbox isn’t hosted online, Exchange Online simply uses the send connector that points to your on-premises Exchange environment to forward the message to Exchange.

Will messages arrive if I change the MX record immediately after applying the Hybrid Configuration Wizard?

To ensure that messages are delivered to your Exchange environment via Exchange Online, you need to make sure that all mail-enabled objects are synchronized to Entra ID by Azure AD Connect.

Exchange Online won’t be aware of any on-premises mail enabled objects that aren’t synchronized to Entra ID.

If you configure Azure AD Connect to synchronize only objects in a particular Organizational Unit, mail-enabled objects outside that OU aren’t synchronized and therefore won’t receive their messages once mail is routed through Exchange Online.
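Before pointing the MX record at Exchange Online Protection, the sync-scope problem described here (and the recipient-type question from the previous sections) can be checked from the shell. The following added example, not part of the original post, compares every on-premises mail-enabled object with Exchange Online by primary SMTP address and reports objects that are missing in the cloud or whose cloud recipient type would make Exchange Online deliver locally rather than relay back on-premises. It assumes an on-premises Exchange Management Shell with the ExchangeOnlineManagement module loaded and Connect-ExchangeOnline already run.

```powershell
# Added example, not from the original post. Assumes an on-premises Exchange Management
# Shell, the ExchangeOnlineManagement module, and an existing Connect-ExchangeOnline session.
# Per object, matched on primary SMTP address, two things are verified:
#   1. it exists in Exchange Online at all (i.e. it is inside the Azure AD Connect sync scope);
#   2. its cloud recipient type says "not hosted here" while the mailbox is still on-premises,
#      so Exchange Online relays over the hybrid send connector instead of delivering locally.

# Expected on-premises -> cloud recipient type pairs once the attributes have synchronized.
$expectedCloudType = @{
    'UserMailbox'            = 'MailUser'         # still on-premises: cloud must relay back
    'SharedMailbox'          = 'MailUser'
    'RoomMailbox'            = 'MailUser'
    'EquipmentMailbox'       = 'MailUser'
    'RemoteUserMailbox'      = 'UserMailbox'      # migrated: cloud delivers locally
    'RemoteSharedMailbox'    = 'SharedMailbox'
    'RemoteRoomMailbox'      = 'RoomMailbox'
    'RemoteEquipmentMailbox' = 'EquipmentMailbox'
    'MailUser'               = 'MailUser'
    'MailContact'            = 'MailContact'
}

# Index cloud recipients by primary SMTP address. Get-EXORecipient avoids the cmdlet-name
# clash with the on-premises Get-Recipient when both modules are loaded.
$cloud = @{}
Get-EXORecipient -ResultSize Unlimited -Properties PrimarySmtpAddress, RecipientTypeDetails |
    ForEach-Object { $cloud[([string]$_.PrimarySmtpAddress).ToLowerInvariant()] = [string]$_.RecipientTypeDetails }

$findings = foreach ($r in Get-Recipient -ResultSize Unlimited) {
    $smtp = ([string]$r.PrimarySmtpAddress).ToLowerInvariant()
    if (-not $smtp) { continue }
    $onPremType = [string]$r.RecipientTypeDetails
    $cloudType  = $cloud[$smtp]
    $problem = if (-not $cloudType) { 'Not synchronized to Entra ID / Exchange Online' }
               elseif ($expectedCloudType.ContainsKey($onPremType) -and $cloudType -ne $expectedCloudType[$onPremType]) {
                   "Cloud type $cloudType, expected $($expectedCloudType[$onPremType])" }
    if ($problem) {
        # The OU column points at the usual cause: an OU excluded from the Azure AD Connect sync scope.
        [pscustomobject]@{ Name = $r.Name; Smtp = $smtp; OnPremType = $onPremType; OU = $r.OrganizationalUnit; Problem = $problem }
    }
}

if ($findings) { $findings | Sort-Object OU, Name | Format-Table -AutoSize }
else { Write-Host 'Every on-premises recipient is present in Exchange Online with the expected type.' }
```

System mailboxes that are never synchronized (discovery and arbitration mailboxes, for instance) show up as "Not synchronized" and can be ignored; every other hit is a recipient that would stop receiving mail after the MX change.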

There you have it. Hybrid mail routing between Exchange Online and Exchange. What was your mail routing transition plan during migration and what challenges did you encounter? Leave a comment below and let’s discuss!
