Today’s article explores a part of the O365 Hybrid Configuration called Exchange Federation Trust. The Exchange Federation Trust is automatically created when the Exchange Hybrid Configuration Wizard (HCW) is used. It is nevertheless useful to understand what exactly is happening behind the scenes. As I already mentioned, the federation trust is just a part of the whole configuration which is set up by the HCW.
Exchange Hybrid Configuration Wizard
For anybody who would like to know where to find the Exchange Hybrid Configuration Wizard, you can start the HCW download by clicking on the link below:
Exchange Federation Trust
The Exchange Federation Trust creates a connection to the Microsoft Exchange Federation Gateway. The Federation Gateway is provided by Microsoft and is used as a sort of mediator.
If you compare the Exchange Federation Trust with an Active Directory Domain Trust you will come to the following conclusion:
- An AD trust is established directly between two domains, whereas
- the Exchange Federation Trust is created with the Microsoft Federation Gateway.
If a connection to another Exchange organisation is required, organization sharing (an organization relationship) has to be set up in addition to the trust. I will tell you more about this later.
As a result, various exchange organisations from different companies connect with the same Microsoft Federation Gateway. Even the exchange organisation behind O365 is connected to the Federation Gateway and therefore also every O365 Tenant.
Organization sharing
Once the Federation Trust is established, two Exchange organisations can connect with each other via organization sharing. Each organization sets up its own Federation Trust with the Federation Gateway. Users can then exchange free/busy information with users in the other organisation through organization sharing. Additionally, the so-called Outlook MailTips can be activated to show, for example, whether someone is out of the office.
Functions of organization sharing:
- Free / Busy queries
- MailTips
- Out of office status
- Profile pictures
DNS-Creation
To establish the Federation Trust, the Exchange organisation must be published on the internet: services such as Autodiscover, OWA and EWS must be set up correctly, with the required certificates, for remote access. I will not go into more detail about this topic in this article. To set up a Federation Trust, Microsoft requires proof that the Exchange organisation to be connected is my “own” organization. This proof works in a similar way to the domain verification performed when DNS zones are registered in Azure AD. As soon as the Federation Trust is activated (ECP > Organization > Sharing), the so-called DomainProof can be generated via PowerShell. The string returned by the command below must be published as a TXT record in the external DNS zone. Microsoft then considers it confirmed that the organization can be trusted.
Get-FederatedDomainProof -DomainName <DNS-Suffix>
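As an added check for this scenario (example code written for this article, not part of the original post and not an Exchange cmdlet), the following PowerShell function compares the proof string(s) returned by Get-FederatedDomainProof with the TXT records that public DNS actually returns for the domain, so a missing or stale record is caught before the trust is activated. It assumes an Exchange Management Shell session, the Windows Resolve-DnsName cmdlet, and that the proof value is exposed in a property named DnsRecord; the resolver address is a placeholder to adjust.

```powershell
# Added example: verify that the DomainProof TXT record is published in public DNS.
# Assumptions: Exchange Management Shell (Get-FederatedDomainProof) and the Windows
# DnsClient module (Resolve-DnsName) are available; the proof string is assumed to be
# in the 'DnsRecord' property of the Get-FederatedDomainProof output.
function Test-FederatedDomainProofRecord {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # Query an external resolver so an internal split-brain zone cannot mask a missing
        # record; placeholder value, replace with the resolver you want to check against.
        [string] $DnsServer = '8.8.8.8'
    )

    # Exchange may return more than one proof (current and next); any one of them
    # appearing as a TXT record at the zone apex is sufficient.
    $expected = @(Get-FederatedDomainProof -DomainName $DomainName |
                  Select-Object -ExpandProperty DnsRecord)

    # Collect every TXT string published for the domain name itself.
    $published = @(Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { ($_.Strings -join '').Trim() })

    $matched = @($expected | Where-Object { $published -contains $_.Trim() })

    [pscustomobject]@{
        DomainName     = $DomainName
        ProofPublished = ($matched.Count -gt 0)
        MatchedProof   = $matched
        ExpectedProofs = $expected
        PublishedTxt   = $published
    }
}

# Usage (domain name taken from the article's example):
# Test-FederatedDomainProofRecord -DomainName 'univice.net' | Format-List
```

If ProofPublished is false, compare PublishedTxt with ExpectedProofs: a record that was copied with extra whitespace, split into several strings, or published only in the internal zone shows up there directly.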
Configuration check
After setting up both the federation trust and organization sharing (in this example with HCW and O365), the configuration can be tested via PowerShell.
Testing Federation Trust
Get-FederationTrust | select TokenIssuerUri | ft -AutoSize
As we see here, both the on-premises organization and O365 trust the same Federation Gateway:
[Screenshots: Get-FederationTrust output from the on-premise organisation and from O365; both show a TokenIssuerUri pointing at MicrosoftOnline]
Testing organization sharing
Get-OrganizationRelationship | select Domainnames
Below you can see the DNS e-mail domains of the Exchange organisations which trust each other.
On-premise
The on-premise organisation trusts the O365 tenant with the name “jkuenzlergmx.mail.onmicrosoft.com”.
O365
At the same time, the O365 tenant trusts the on-premise organisation “univice.net”.
Testing sharing policies
It is important that both sides have the same sharing policy settings. This can easily be checked like this:
Get-SharingPolicy | select domains
[Screenshots: Get-SharingPolicy output from the on-premise organisation and from O365]
Summary
I hope that my explanations of Exchange Hybrid, Federation Trust and Organization Sharing helped you to understand how they are connected with each other. Should you need advice with your O365 transition project, please contact us.
FirstAttribute AG – Identity Management & IAM Cloud Services