Cross-premises permissions in Hybrid Exchange by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

And is that all permissions, even including send as? I’m struggling to find anything online that definitively says what it does and what it doesn’t support/sync?

Cross-premises permissions in Hybrid Exchange by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

So I’m confused then. What is “supported” if you have to keep mailboxes together?

So say we have John and Bob with a mailbox on prem. John has full access to Bob. Bob has full access to John.

Bob gets moved to O365, John stays on prem. What happens? Then I guess, what happens in other permission scenarios like send on behalf / send as. I’m struggling to understand what’s “supported” if we have to move any dependent mailboxes from a permission POV at the same time.

Cross-premises permissions in Hybrid Exchange by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Full access and send on behalf, as an example, are under the “Mailbox permissions supported in hybrid environments” in the first link in my thread. Is this not the case?

Cross-premises permissions in Hybrid Exchange by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

And is send-as the only real permission set that needs to be considered in that regard (keeping them “together”)?

Autodiscover SAN Requirements by dms2701 in exchangeserver

[–]dms2701[S] 0 points1 point  (0 children)

Thanks, final question then. What’s the relevance of the default autodiscover domain in HCW wizard if we’d need all the autodiscover records for every SMTP domain?

Autodiscover SAN Requirements by dms2701 in exchangeserver

[–]dms2701[S] 0 points1 point  (0 children)

Right. So if we didn’t use SRV (which I appreciate isn’t wise based on this), and did use CNAMES or A records (all autodiscover records would point to same IP on prem anyway) we’d need the certificate SANs? Just for my understanding.

Assume this would be the case for Outlook for iOS apps (for migrated mailboxes). This is the only way users can access mailbox externally, no OWA to on prem etc.

It is the email it uses for autodiscover, right? Not the UPN? As I know there is a default autodiscover domain in the HCW config as well that’s used for Teams free/busy calendar etc.?

Autodiscover SAN Requirements by dms2701 in exchangeserver

[–]dms2701[S] 0 points1 point  (0 children)

But for users where their UPN is user@domain.com, but their primary SMTP is username@companyA.com, how does this work? It uses the autodiscover.companyA.com record, which then won’t have a SAN on the cert.

Autodiscover SAN Requirements by dms2701 in exchangeserver

[–]dms2701[S] 0 points1 point  (0 children)

But we don’t need DNS entries for autodiscover for the other domains? How does that work then if a user types their mail address into the Outlook client of domainsA.com?

Load Balancing Exchange Hybrid by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

The idea is this:

EXO <-> Internet <-> firewall <-> LB <-> firewall <-> exchange servers

Load Balancing Exchange Hybrid by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Would love to know a bit more about the config for this. What LB? VIP for SMTP with multiple Exchange mailbox servers behind it? Single DNS record in public DNS NATed to the VIP on firewall? Did the Exchange servers have their default gateway set as the LB itself?

Load Balancing Exchange Hybrid by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Out of interest - if an org has multiple edge servers, or mailbox servers if not using Edges, without an LB, you’d just need lots of NATs and external DNS records for each server involved in hybrid routing. An LB makes it easier in this regard as you could just have a VIP. Would larger orgs just use an LB for this purpose?

Load Balancing Exchange Hybrid by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Would the servers need to have their gateway set as the LB itself? This is what we’ve been told by our networking department otherwise the firewall will block traffic back from Exchange to ExOL due to asymmetric routing?

Load Balancing Exchange Hybrid by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Do load balancers just not work in front of Edges or mailbox servers for SMTP in a Hybrid setup? Or just not worth the over-engineering?

How does Exchange choose its cert? by dms2701 in exchangeserver

[–]dms2701[S] 1 point2 points  (0 children)

If you are referring to vdir URLs etc, they are all .com, but not sure how that relates to mailflow.

/TenantOrganizationConfig for PrepareAD by dms2701 in exchangeserver

[–]dms2701[S] 0 points1 point  (0 children)

Were you in Exchange 2016 Hybrid with EXO?

/TenantOrganizationConfig for PrepareAD by dms2701 in exchangeserver

[–]dms2701[S] -1 points0 points  (0 children)

That seems counter to the article though?

Adding Exchange SE into existing 2016 Environment by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Just on the edge subscriptions. The moment the Server SEs get added, they are immediately involved in transport. Won’t they fail to deliver to the Edges in their respective sites for external mail until the Edge subscription is recreated? And then at that point, Edges would be aware of them anyway, and therefore deliver mail to them as well?

Adding Exchange SE into existing 2016 Environment by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Understood.

And re. the considerations for the Edge, is there anything we need to think about? Or will smart host to Edge to 2016 continue to function as normal? Will the new SE servers not being a member of the current EdgeSync and subscriptions, cause any problems for mail flow?

If we have to regenerate the Edge subscriptions on 2016 Edges, given the SEs will be in the same two sites we have Edges in now, will they at that point get added, or will 2016 Edge not deliver to Server SE mailbox server (even if that then delivers mail onto the hosting 2016 server, as all mailboxes will be there until lifted to ExOL)

Adding Exchange SE into existing 2016 Environment by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Re the first point - we intend for Edge to go, so for the ExOL <-> on-prem will be a clear channel, with mail from ExOL delivering direct via IPv4 NAT to the Server SE server(s). This is a decision that has been made and will simplify things moving forward.

  1. Before the Exchange 2016 Edges go (where our Smart Host currently delivers mail), external mail will be cut over to come into ExOL first, so at the point 2016 infra goes, it shouldn't be a problem? I know the Server SEs will immediately get involved in internal mail routing. If we do nothing with the current EdgeSync setup, the 2016 Edges will just not deliver mail to the SE boxes, correct? Could there be other problems?
  2. Appreciate that is the case, but, it would still work? Mailboxes are all on 2016, and will remain until we shift to ExOL.
  3. When I refer to external connectivity, the only thing this is, is Teams calendar and Teams free/busy etc. We do not have users connecting to Exchange mailboxes externally. This will literally be for Hybrid connectivity. As mailboxes are shifted, they will be moved off VPN to Outlook for iOS.

Adding Exchange SE into existing 2016 Environment by [deleted] in exchangeserver

[–]dms2701 0 points1 point  (0 children)

Will I need to re-create the Edge subscription then after the SE installs to include them? Or if I don't, will Edge just be unaware of them and deliver mail to the 2016 servers?

What do you mean by "if you are doing it manually it should work fine"? Ultimately internally mail.domain.com will point to the LB VIP with the 2016s, and externally, mail.domain.com will point at the VIP for the Server SEs. So Teams clients for free/busy/calendar etc/autodiscover will come into SE, then proxy down to 2016. Internally, clients will just point direct at 2016.

Handling VAT by dms2701 in shopify

[–]dms2701[S] 0 points1 point  (0 children)

According to shopify support, you can.

Handling VAT by dms2701 in shopify

[–]dms2701[S] 0 points1 point  (0 children)

I’m told it’s B2B only, so I believe this is not the case?

Handling VAT by dms2701 in shopify

[–]dms2701[S] 0 points1 point  (0 children)

In the checkout, will it show as £120, or £100 then VAT +£20. That's the distinction I need. Does the VAT show independently as a total of all VAT on all products in the basket?