
Lab–Move Exchange Server To New Tenant

Moving a deployed Exchange hybrid environment to a brand new tenant is not something that is typically done.  In all of the years that I've worked with customers on hybrid, a second hand is not needed to count those instances.  The biggest reason for customers doing it was they did not like the tenant name, and wanted to change it.

In this case it was because the tenant was being forcibly removed due to Microsoft's Secure Future Initiative (SFI).  SFI forced not only stale tenant clean up, but it meant moving all test tenants to a new management solution.  Thus the old tenant had to be removed.  The VMs that represent the on-premises servers were moved to a different Azure subscription, but the issue of having to un-hook from one tenant and re-attach to a brand new one remained.

This is just a quick outline of the process, with some notes in case it has to be done again.

Exchange Work Items

All of the work that was done to deploy hybrid using the Hybrid Configuration Wizard (HCW) needs to be undone.  All references to the old tenant will have to be removed, and ultimately replaced with the new tenant.  The removal is manual (see the note below), but the HCW can lay down the new settings.

  • Move all mailboxes back on-premises
  • No Public folders present
  • Remove distribution groups
  • Remove organisation relationship
  • Remove federation
  • Remove IntraOrganizationConnectors
  • Remove availability address space - if applicable
  • Remove old tenant onmicrosoft.com from Email Address Policies
  • Remove accepted domain for the old tenant onmicrosoft.com
  • Remove old scoped send connector to the old tenant
  • Remove vanity domain (tailsintoys.ca) from old tenant
  • DNS records required to validate new environment
  • Review the send connector to the Internet; it may need to be updated if sending via EOP
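
A read-only check for leftovers from the list above, added here as an example and not taken from the original post. It assumes the on-premises Exchange Management Shell, and `oldtenant` is a placeholder for the old tenant's onmicrosoft.com prefix.

```powershell
# Added example: read-only audit of on-premises objects that still reference the old tenant.
# 'oldtenant' is a placeholder (assumption); replace it with the old tenant's onmicrosoft.com prefix.
$OldTenantPrefix = 'oldtenant'

# Matches both oldtenant.onmicrosoft.com and the hybrid routing domain oldtenant.mail.onmicrosoft.com.
$pattern = '\b' + [regex]::Escape($OldTenantPrefix) + '(\.mail)?\.onmicrosoft\.com\b'

# One entry per work item; each script block returns only the properties that can carry a domain name.
$checks = [ordered]@{
    'Organization relationship'  = { Get-OrganizationRelationship | Select-Object Name, DomainNames, TargetAutodiscoverEpr }
    'IntraOrganizationConnector' = { Get-IntraOrganizationConnector | Select-Object Name, TargetAddressDomains, DiscoveryEndpoint }
    'Availability address space' = { Get-AvailabilityAddressSpace | Select-Object Name, ForestName, AccessMethod }
    'Email address policy'       = { Get-EmailAddressPolicy | Select-Object Name, EnabledEmailAddressTemplates }
    'Accepted domain'            = { Get-AcceptedDomain | Select-Object Name, DomainName }
    'Send connector'             = { Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts }
}

$leftovers = foreach ($check in $checks.GetEnumerator()) {
    foreach ($obj in @(& $check.Value)) {
        # Flatten the selected properties (including multi-valued ones) to one line of text.
        $text = ($obj.PSObject.Properties |
            ForEach-Object { '{0}={1}' -f $_.Name, (@($_.Value) -join ',') }) -join '; '

        if ($text -match $pattern) {
            [pscustomobject]@{ Area = $check.Key; Detail = $text }
        }
    }
}

if ($leftovers) {
    $leftovers | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No objects referencing $OldTenantPrefix were found in the areas checked."
}

# The federation trust and the hybrid configuration object do not carry the tenant name,
# so list them whenever they still exist rather than pattern-matching.
Get-FederationTrust | Select-Object Name, ApplicationUri
Get-HybridConfiguration
```

Nothing in the block changes configuration; each hit still has to be removed or edited by hand with the matching cmdlet.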

 

Remove Hybrid Configuration

Note that running the cmdlet to remove hybrid configuration does NOT remove all of the hybrid things.  It just removes the object that stores the responses to the steps in the HCW.  See this post for details and examples.

Remove-HybridConfiguration Cmdlet - 250 Hello

OAUTH Note

After moving everything to the new tenant, there was an on-going issue with cross-premises free/busy.  This was actually caused by the AUTH certificate.  EXO still had the certificate present that was uploaded as part of the original HCW.

Since there are two AUTH certificates by design, a new AUTH certificate had to be generated twice.  This pushed the original AUTH certificate off the stack, so only the two certificates that were created in the new tenant are present.
After running the HCW to push this new AUTH certificate to the new tenant, everything worked.

Cheers,
Rhoderick

Rhoderick Milne [MSFT]
