New Features in Office 365 Message Encryption
I have long been interested in encryption. I started off my IT career in the United States Marine...
In February, Microsoft released the initial public preview version of the Hybrid Agent, which was covered here. The purpose of the Hybrid Agent, also branded as the “Exchange Modern Hybrid Topology”, is to simplify the process of setting up and deploying Microsoft Exchange Hybrid for Exchange 2010 and later deployments, where full “classic” Exchange Hybrid is not an option.
It can also address scenarios where deploying the Hybrid Agent would satisfy organizational migration requirements, for example moving mailboxes between Exchange Online and Exchange on-premises while providing rich-coexistence features, but without requiring (re)configuration of the publishing of Exchange services. Another functionality the Hybrid Agent doesn’t contain is mail transport. Future builds of the Hybrid Agent might also enable cross-premises functionality such as Send As delegations, as demonstrated at Microsoft Ignite last year.
This week, the Hybrid Agent reached General Availability status. In this article, we will discuss the major changes in the agent since the initial Preview release.
To improve the availability of Exchange Hybrid deployments that use the Hybrid Agent, the updated version now supports installing and running multiple instances of the agent. This is similar to what running multiple Pass-Through Authentication (PTA) agents does for authentication.
To install additional agents, you have two options:
Note that in the Hybrid Configuration Wizard logs, the Hybrid Agent is referred to as Hybrid Connector, as it’s an Azure AD Application Proxy Connector. The installation logs for the Hybrid Agent are written separately, in the same folder where HCW stores its logs (press F12 in the HCW to open the shortcut menu, and select Open Logging Folder), in a file named <timestamp>.hybridconnector.log.
The Hybrid Agent comes with a PowerShell module, which depends on the Azure module. Use Install-Module Azure to install the Azure module from the PowerShell Gallery. After this, you can import the Hybrid Agent module using:
Import-Module Azure
Import-Module 'C:\Program Files\Microsoft Hybrid Service\HybridManagement.psm1'
The status of the currently registered Hybrid Agents can be retrieved by running:
$Credential = Get-Credential
Get-HybridAgent -Credential $Credential
The Hybrid Agent module provides the following interesting, yet undocumented cmdlets:
| Cmdlet | Description |
| --- | --- |
| GetAuthHeader | Get authentication header for specified token, e.g. GetAuthHeader -Token $token -Credentials $cred |
| GetAuthToken | Get token for specified credential, e.g. $token= GetAuthToken -Credentials $cred |
| Get-HybridAgent | Shows status of registered Hybrid Agents |
| Get-HybridApplication | Used to manage the registered Hybrid Agent application in the tenant. |
| Test-HybridConnectivity | Test Hybrid Agent connectivity. |
| TestProxySettings | Test Proxy Settings |
| TestTLSSettings | Test TLS Client configuration |
The Hybrid Agent endpoint can be configured to connect to a load-balanced endpoint instead of the default endpoint, which is specific to one Client Access server. To accomplish this, we first need to determine the AppId of the Hybrid Agent. After connecting to the Exchange Online management shell, run:
(Get-MigrationEndpoint 'Hybrid Migration Endpoint - EWS (Default Web Site)').RemoteServer.Split('.')[0]
Then, on a server containing the Hybrid Agent PowerShell module, take this/these Guid(s), and run the following cmdlet once for each AppId, specifying the desired load-balanced namespace as targetUri (internalUrl):
Update-HybridApplication -AppId <AppId> -targetUri https://mail.contoso.com
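The two steps above can be scripted so that each AppId and the target URI are checked before the endpoint is changed. This is an added example, not code from the original article or from the Hybrid Agent module; the helper names Get-AppIdFromRemoteServer and Test-HttpsTargetUri and the sample RemoteServer values are assumptions made for illustration.

```powershell
# Added example; helper names below are hypothetical, not part of HybridManagement.psm1.

function Get-AppIdFromRemoteServer {
    # Emits the first DNS label of each RemoteServer value when it parses as a GUID.
    param([Parameter(Mandatory)][string[]]$RemoteServer)
    foreach ($name in $RemoteServer) {
        $label = $name.Split('.')[0]
        $guid  = [guid]::Empty
        if ([guid]::TryParse($label, [ref]$guid)) {
            $guid
        } else {
            # Endpoints that do not go through the agent have an ordinary host name.
            Write-Warning "Skipping '$name': first label is not a GUID"
        }
    }
}

function Test-HttpsTargetUri {
    # Accepts only absolute https:// URIs, so the agent is never pointed at plain HTTP.
    param([Parameter(Mandatory)][string]$TargetUri)
    $uri = $null
    [uri]::TryCreate($TargetUri, [System.UriKind]::Absolute, [ref]$uri) -and
        $uri.Scheme -eq 'https'
}

# Constructed sample values. In a live Exchange Online session, use
# (Get-MigrationEndpoint).RemoteServer instead.
$remoteServers = @(
    '11111111-2222-3333-4444-555555555555.hybrid.example',
    'mail.contoso.com'
)
$targetUri = 'https://mail.contoso.com'

if (-not (Test-HttpsTargetUri -TargetUri $targetUri)) {
    throw "Target URI '$targetUri' is not an absolute https URI"
}

$appIds = @(Get-AppIdFromRemoteServer -RemoteServer $remoteServers | Select-Object -Unique)

foreach ($appId in $appIds) {
    if (Get-Command Update-HybridApplication -ErrorAction SilentlyContinue) {
        # Same syntax as shown on this page.
        Update-HybridApplication -AppId $appId -targetUri $targetUri
    } else {
        # Module not loaded: show what would be run instead of failing.
        Write-Output "Would run: Update-HybridApplication -AppId $appId -targetUri $targetUri"
    }
}
```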
The module is still an early version: not all parameters and properties have been aligned yet, and not all cmdlets follow the PowerShell verb-noun naming convention. But this is a minor inconvenience, as the cmdlets allow you to script the deployment and configuration of the Hybrid Agent.
Even with the Hybrid Agent reaching GA status, you might want to get acquainted with the Hybrid Agent in a lab environment first, before implementing it in production.
Meanwhile, the Exchange team is still looking for feedback and continues to work on updates in functionality. Note that when required, you can always reconfigure Exchange hybrid to use Exchange Classic Hybrid Topology mode. Unfortunately, the other way around is not possible.
I'm a Microsoft 365 Apps and Services MVP, with focus on Exchange, Identity, and an affection for PowerShell. I'm a consultant, publisher of EighTwOne, published author, and speaker.