Migrating to hosted Exchange: Do’s and don’ts

When it’s time to move your company’s on-premises Exchange mail to the cloud, keep in mind these tips and warnings.


Make no mistake: moving from an on-premises Microsoft Exchange deployment to Exchange in the cloud is a gargantuan undertaking. Earlier this year, I explored the major issues you’ll need to consider and decisions you’ll need to make when moving to hosted Exchange.

But for most folks, further guidance is necessary. What are some of the gotchas to watch out for? What are some best practices to factor into your planning? Here, I’ll take a look at several important do’s and don’ts when it comes to getting your organization into Exchange Online.

Note: This story focuses on migrating from Exchange Server on-premises to some version of Microsoft’s hosted Exchange service (under an Exchange Online, Office 365, or Microsoft 365 subscription), or to a hybrid configuration with the “365” apps in the cloud and Exchange remaining in some fashion on-premises in production. It is not intended to apply to migrations to other providers’ services.

Don’t underestimate the time it will take to move all of your data over.

Depending on a number of factors, including how many users you have, how much data each mailbox has stored, bandwidth constraints, and more, migrating email to the cloud can take anywhere from a few days to several weeks. One unexpected slowdown may come from Microsoft itself: a non-obvious protective feature of Exchange Online is that it throttles inbound sustained connections in order to prevent a small number of bad actors from overwhelming the system.

Once you’re up and running and fully in the cloud for production, you will come to appreciate this defense, which works for the benefit of the general subscription base. But when you are trying to ingest data you will see transfer rates sometimes slow to a crawl. There's unfortunately little you can do about this other than simply endure. Be sure to include this in your planning, as moving hundreds or thousands of multi-gigabyte mailboxes into Exchange Online may take a lot longer than you might expect.

Do use a delta-pass migration.

Reduce the time pressure on yourself, if you can, by using a delta-pass migration rather than a strict cutover migration. With delta-pass migration, multiple migration attempts are made while mail is still being delivered on-premises. The first pass might move everything from Sunday, May 1 backward, for example, and then another pass is made later in the week to move the “delta” — or changes — from Sunday, May 1 through Wednesday, May 4, and then another and another until essentially the mailboxes are up to date.

This is a useful technique, as each successive migration batch is smaller than the last. Typically over a weekend, your last delta batch will finish in a few minutes, and then your moves are complete and you can throw your MX records over to Exchange Online. Your users never experience missing historical mailbox data, because until the mailboxes are identical, they use the mailbox that already holds their data.

Don’t forget to configure edge devices and intrusion detection systems to recognize Exchange Online as a trusted partner.

If you forget this all-important step, your migrations may be interrupted because your IDS thinks that a denial-of-service attack is happening. Conveniently, Microsoft publishes a regularly updated list of the IP addresses used by all 365 services, intended specifically for configuring your edge devices to trust that traffic where necessary.
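As an added example (not code from the article or from Microsoft), the Python below filters such a list down to the Exchange Online prefixes you would trust on an edge device and checks whether a given source address falls inside them. It assumes the JSON shape of Microsoft's endpoints web service and embeds a constructed sample in place of the live list.

```python
import ipaddress
import json

# Constructed sample in the shape returned by Microsoft's endpoints web service
# (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>).
# The prefixes are illustrative placeholders, not a copy of the live list.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office365.com"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "2603:1000::/40"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["smtp.office365.com"],
     "ips": ["40.92.0.0/15"], "tcpPorts": "587", "category": "Allow", "required": True},
    # URL-only entry: no address ranges, so it cannot become an address rule
    {"id": 3, "serviceArea": "Exchange", "urls": ["*.protection.outlook.com"],
     "tcpPorts": "443", "category": "Default", "required": False},
    {"id": 4, "serviceArea": "Skype", "ips": ["52.112.0.0/14"],
     "udpPorts": "3478", "category": "Optimize", "required": True},
])


def exchange_allow_rules(endpoints_json, required_only=True):
    """Return (network, tcp_ports) pairs for the published Exchange Online prefixes.

    Only serviceArea 'Exchange' is kept, so other 365 services do not widen the
    trust boundary; entries without 'ips' are skipped (URL-only endpoints).
    """
    rules = []
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != "Exchange":
            continue
        if required_only and not entry.get("required", False):
            continue
        for prefix in entry.get("ips", []):
            # strict=False normalises a prefix written with host bits set
            net = ipaddress.ip_network(prefix, strict=False)
            rules.append((net, entry.get("tcpPorts", "")))
    return rules


def is_published_exchange_ip(address, endpoints_json):
    """True when `address` (v4 or v6) lies inside a published Exchange Online prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net, _ in exchange_allow_rules(endpoints_json, False))


def allowlist_lines(endpoints_json):
    """One generic 'allow' line per prefix, to be translated into your edge device's syntax."""
    return [f"allow {net} tcp {ports}" for net, ports in exchange_allow_rules(endpoints_json)]
```

On live data, fetch the JSON from the web service URL in the comment and keep the version you applied, so the allowlist can be re-generated when Microsoft updates the list.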

Do run the Office network health and connectivity tests ahead of time.

Microsoft has developed a comprehensive tool that can alert you to routing or latency issues between you and the Microsoft 365 data centers. The tool runs a suite of tests of speed, routing, latency, jitter, and more on your network connection to identify and isolate common issues that could lead to a degraded experience — especially with voice applications — for Microsoft 365 users.

Any performance issues the tool finds will almost certainly have a negative impact on the speed of your migration attempts and passes. Solving or mitigating any issues you find will speed up the entire project.

In a hybrid environment, do use the EAC in Exchange Online to initiate mailbox moves.

If you choose a hybrid model for your deployment, then you will by definition have some mailboxes on-premises (at least for a time) and some in the cloud. In this scenario, it can be tempting to trust your old go-to Exchange Management Console to do all of your mailbox move work, shifting mailboxes to and fro. Don’t give in to that temptation; it’s best to pull mailboxes into the cloud from the web-based EAC in the Microsoft 365 administration center, rather than using outdated on-premises tools.

Don’t forget about Outlook client version updates.

Updating an office suite across a large enterprise is no easy task and takes a while, which means there’s often a prevalence of older copies of Outlook among your users. When you control your Exchange deployment, that’s fine, because you control the timing of your moves.

But one of the “side gotchas” that comes with using the cloud is that someone else gets to decide the baseline level of software that will work with its services. Microsoft is really pushing everyone toward the subscription-based Office suite (Microsoft 365 or Office 365) and away from the old per-user perpetual volume licenses with the year attached (Office 2013, 2016, or 2019, for example).

In fact, as of October 2020, the company declared that Outlook 2013 and older versions are no longer supported for connecting to Office 365 and Microsoft 365 services. While it won’t actively block these older clients, they “may encounter performance or reliability issues over time.” And there’s no telling when Microsoft will pull the plug entirely.

So don’t forget about developing a plan to update your clients to Office 2016 or beyond, or move to a subscription license and deploy those apps instead of the volume license editions.

Do plan to implement two-factor authentication.

One of the biggest advantages to moving to Exchange Online and Microsoft 365 is the ability to use all of the new security features available in the cloud, the most important of which by far is the ability to turn on two-factor authentication. 2FA reduces your attack surface significantly as soon as you turn it on, and since Microsoft has done all of the rewiring of the directory and Exchange security model on its servers to make it work, all you have to do is flip the switch and show your users where to plug in their mobile phone numbers.

Better yet, use the Microsoft Authenticator app to reduce the security and social engineering risks of using SMS text messages. But don’t let the perfect be the enemy of the good. Deploying Authenticator across tens of thousands of phones can be difficult, especially with BYOD setups and remote-work environments where employees don’t have access to an in-person help desk. In contrast, setting up SMS requires nothing from the end user and can be done entirely by IT. So if the choice is between two-factor authentication with SMS and no two-factor authentication, then by all means turn on 2FA and use SMS.

In a hybrid environment, don’t remove your last Exchange Server.

One cardinal rule of operating a hybrid Exchange environment is that you must keep at least one Exchange Server running on premises in order to manage users. There exists a way to continue to use the Active Directory attribute editing functionality to manage recipients, but it’s not really supported — and if it breaks, you’ll have to file a ticket with Microsoft, wait three days, and maybe, just maybe, it’ll come back.

It is much easier to use the Exchange admin console of your on-premises server to manage recipients in a hybrid environment, and you can’t do that unless you leave an Exchange Server running in your on-premises deployment. Microsoft has repeatedly said it’s working on a solution to this issue of having to have an existing licensed server on-prem with hybrid deployments, but even after several years there's been little progress toward solving that problem.

The last word

A transition time is always challenging, and that's certainly true when migrating your organization to Exchange Online. By factoring in the advice and warnings above, you’ll make that path smoother and reach the finish line more quickly.