Office 365 Hybrid Agent – An Overview

If you have set up a new Hybrid configuration with Office 365 lately, you will notice a new option in the Hybrid Config Wizard, the Hybrid Agent. Before I go into my personal views on this new option and whether you should use it, let me first explain what this agent does. Note: Before I start, I should state that I have not had an opportunity to test the Hybrid agent’s features yet, so there are still a few questions I have about it. I’ll point out areas that I question during my analysis.

How the Hybrid Agent Works

The hybrid agent is an attempt to reduce the complexity and difficulty associated with migrating to Office 365. It is not meant for general use and the use cases for it are few. First, we’ll go over how it works:

  1. The Hybrid Configuration Wizard installs an “agent,” or small application, on an Exchange server. The purpose of this server is to publish an HTTP proxy between the agent and Office 365.
  2. Once the agent is installed, it will connect to the Office 365 servers and allow reverse proxied communication.
  3. The communication mechanism allows Office 365 to meet the more common requirements of Office 365 Hybrid deployments without needing to allow access through firewalls, valid certificates, and federated login configuration.

The agent works similarly to Azure AD Connect’s Pass-through Authentication, but does slightly different work.

What the Hybrid Agent Does

The hybrid agent provides a couple of benefits:

  1. The most beneficial feature is its ability to perform mailbox migrations without needing to fully configure and use the Mailbox Replication Service. This means you can install the Hybrid Agent and start moving mailboxes immediately.
  2. The Hybrid Agent also allows free/busy sharing, mail tips, and other features that normally require federated identify exchange to function.

What the Hybrid Agent Doesn’t Do

At the writing of this article (April of 2019), the Hybrid Agent does not provide the following features:

1. Identity Synchronization is not possible through the Hybrid agent. This means you still need to deploy Azure AD Sync if you want to have your Active Directory identity data copied or synced with Office 365’s Azure AD Back End.

2. SMTP traffic does not flow through the agent. Sadly, this means that you must open SMTP ports up to allow mail flow to and from Office 365, and configure Exchange connectors to do the work.

My analysis

The hybrid agent does allow admins to reduce some of the complexity of Office 365 Hybrid migration, and should help reduce the amount of troubleshooting required to complete these migrations, but the lack of SMTP routing through the agent’s tunnel significantly limits its usefulness. I would be much more willing to recommend this feature if it had SMTP capability, but without that I have a much harder time recommending it. This is not to say that this is an oversight on Microsoft’s part, because it isn’t. Exchange mail flow is fairly complicated when you get into the guts, so there probably isn’t an easy way to do mail transport to and from Office 365 through an agent. I am, however, curious about what use cases there are for a Hybrid Agent that only implements half of the Hybrid capabilities.

I do suspect that Microsoft’s intention with this application is to speed up cloud first migrations that will be moving mailboxes and escaping the on-prem world entirely. If that’s the case, I think the Hybrid Agent is a good solution, but the limitations will result in a bit of downtime and significant desk-side support requirements for users. Without AD sync capabilities, mailboxes that are migrated to the cloud will need to have new passwords set and will likely need to be pre-staged before migration. Without a good test of the tool, I can’t say which of those is true.

If it works as I think, migrations that use the Hybrid agent would need to be done in more of a cutover fashion than a traditional Hybrid Move. Mailflow would need to be pointed over to Office 365 before moving mailboxes, and any mail sent between the time the migration starts and finalizes would require mail spooling or hard downtime where mail is not deliverable. This assumes that hybrid email connectors aren’t set up manually, but that adds some complexity that would negate the gains of this tool. Hybrid mail-flow is a little confusing for some environments, so the ability to proxy SMTP would be useful.

Recommendation

Based only on my initial examination of the Hybrid Agent tool, I can’t yet recommend it for any situation I can think of. I should be able to test it eventually and will update my findings once I do, but the features this tool is currently lacking are extremely important for any hybrid migration to be successful. I honestly can’t see many organizations finding much use for the Hybrid Agent as it is now. Only Microsoft really knows where they are going with this, but despite the rather lackluster capabilities it has now, I can see some of what they may be planning. If I’m right, this should be an extremely useful tool in the future.

Leave a Reply