Office 365
Skype Academy: Hybrid and Online Migration

Skype Academy: Hybrid and Online Migration

The Skype Academy has published the ‘how to’ high level video on the Hybrid and Online migration process, this is based off the SOF (Skype Operations Framework) and is pretty concrete when it comes to actually doing it.

Microsoft Published: January 2017

SOF Cloud Migration Workflow:

REMEMBER: This whole lineup experience is rather new when it comes to Skype Online, things change, Microsoft change and not all this information maybe relevant when you come to copy and paste the quick steps into powershall (shame on you, SHAME)

The Goal:

High Level Structure:

  • Topology Requirements
  • Identity Requirements
  • AADC / ADFS / Dirsync Options
  • Network / Firewall Options / Requirements (Very High Level)
  • Get Hybrid Sorted (Your copy and paste section right here)
  • Basic what-if’s and troubleshooting (Coming Soon)

Why Hybrid:

  • Gradual Transition of Users on-prem to online
  • Shared SIP space – Domains on-prem and online
  • Early Features (you can get your hands on them)
  • Cloud PBX (the biggie) with on-prem PSTN calling (Breakouts, Sonus, Gateways etc)

Basic Requirements (more available, popular ones here):

  • Full S4B 2015 Server Deployment or
  • Full Lync Server 2013 Deployment or
  • Full Lync Server 2010 deployment (latest CU’s needed)

  • O365 Tenant (must have S4B Online Licences)
  • Directory Synchronization
  • User Authentication (AADC or ADFS/DirSync)

Advanced Requirements (some of…):

  • Hybrid Cloud PBX with on-prem PSTN connectivity (the most popular at the moment)

  • S4B (as above) deployed matching version requirements WITH edge and federation connectivity
  • UM/Exchange Interoperability: Mailbox must be online in O365 if OWA integration is required / VM can be delivered on-prem (Exchange requirements minimum to be met)
  • Networking – Firewalls to O365, DMZ network configuration via edge tested and working
  • Network Bandwidth Tests – Please, please, please get these done, usually this is done at the top, whats the point if you haven’t got the bandwidth!


High Availability / DR within a Hybrid Scenario (IMPORTANT):

The whole point of the Hybrid is to enable smooth transition with Online, that being said it still heavily relies on your on-prem environment, all your public DNS records will still point to on-prem then the redirect will happen to Online (if the account is moved).

High Level Flow of a Hybrid Deployment (Client Registration):

a. Client registration goes to do a DNS lookup which will resolve the on-prem reverse proxy
b. redirection happens back-end – internal to external (client location dependent)

c. REGISTER occurs for respective location

The saying goes – get your HA sorted if you want to be back online, ok I made that up, but it is important.

 Network / Firewall:


  1. Combination of both requirements – Include on-prem and online for all your firewall requirements, don’t miss any (countless times we blame firewalls, and we’re usually right)
  2. Check Edge servers, reverse proxy’s for ports also, most miss this.

On-Prem Edge Requirements:

O365 Firewall Ranges:

Hybrid Connectivity Ports / Requirements (Server to O365):

Hybrid Connectivity Ports / Requirements (Clients):

Identity Requirements for Hybrid:

  • High level view only
  • Needs some know-how guru’s

Re-Cap: What is Identity Management:

The identity part of a hybrid comes with 2 options, Synchronized Identity or Federated Identity, there is  3rd (Cloud Identity but this doesn’t allow the Hybrid model)

This is where the guru comes with with identity’s, the ADFS option (Federated) is the hardest to setup but is the most resilient, in this model you only have the one directory to maintain, and this can also be used for other applications you possibly would think if moving up to Azure / O365 at a later date – Longest / Hardest but preferred

The alternative option is the Synchronized identity, this is what it sounds like, passwords / ID attributes are just syned up into the Azure AD cloud using AADC, it’s a very quick process to implement, lower foot print with deployment options but it can be maintaining two directory’s (remember the sync part?!) and limits you for options later down the line – Quickest, Easiest but limited in future functionality.

I have no preference, usually a customer will have at least ‘something’ in place, and if it were down to me and timelines and targets are in effect then AADC would be my preferred choice, mainly because you can use this for the User authentication piece in the deployment phase below, don’t take me as the finger point, do some research on this one!

Hybrid Deployment:

The one you really have been waiting for, the gold, the guide, the next, next finish with screenshot’s to get it off the ground.

All off the prerequisites are above but here again is the high level for you:


Configuring AAD Connect (AADC):

AADC contains various tools and features all bundled into one product, for the easiest deployment


The install of this product is actually straight forward, follow the steps (express settings) and then go back at a later date if you need to add more functionality into the pull and sync to Azure. (Not going to bother you will basic screenshots of an installation here…)

Skype for Business Federation / Tenant Split Domains

Online and On-Prem need to be configured the same, this is to keep the Hybrid as close to each other as possible, the follow are high level of requirements for this:

  • Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant.
  • The Blocked domains list in the on-premises deployment must exactly match the blocked domains list for your online tenant.
  • The Allowed domains list in the on-premises deployment must exactly match the allowed domains list for your online tenant.
  • Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel.


For the on-prem side of things you have two options, good old powershell or if you have a S4B Server Deployment you can do this from the GUI and cheat a little and a one liner for the Online side of things (Remote Connection)

Powershell On-Prem:

Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery 1

New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl

Powershell Online ( – Remote Powershell Tools):


$credential = Get-Credential
$session = New-CsOnlineSession -Credential $credential -Verbose
Import-PSSession $session


Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true


In case you missed it, the big red box… Yes your front ends need internet access

That in a nutshell is Hybrid enabled and setup, now wasn’t that just an easy few steps… Get linking your servers up to the cloud (yes, it really is someone else’s computer)

Placeholder for Moving Users (Coming Soon)

Placeholder for What-If’s / Troubleshooting (Coming Soon)

Leave a Reply