Configuring federated sharing (free/busy calendar information) between Exchange Hybrid Organizations
In my last post we saw how to configure federated sharing between two on-premise Exchange organizations.
Now in this post I want to do the same for Exchange Hybrid Organizations, where mailboxes are hosted both on-premise and in Exchange Online.
You can read more about Exchange Hybrid Organizations, and specifically Exchange classic full hybrid, in my following post.
In contrast to on-premise organizations, we do not need to create a federation trust for Exchange Online organizations; the trust is already in place there. So we just have to create the organization relationship in both Exchange Online organizations.
You can read about Exchange on-premise and how to create the federation trust in my following post.
In this post I want to show how to configure the relationship in case both hybrid organizations want to share free/busy calendar information only for their Exchange Online mailbox users.
If you want to be able to share free/busy calendar information from your on-premise organization as well as your Exchange Online organization, you need to put in a lot of effort, and the whole configuration is really cumbersome.
The following two articles describe how you can implement this scenario by using a separate namespace for the on-premise and the Exchange Online organization. To say it right away: unless it is really necessary, I would avoid this configuration.
Further, the article above, The Hybrid Mesh, describes the scenario with a separate namespace where only one organization is hybrid and the other is just on-premise.
If you want to configure this when both organizations are hybrid, using a separate namespace just for the organization relationship and the targetAddress of the requested mailbox won't work. Here the primary SMTP address of the user who is requesting free/busy also needs to be configured with the separate namespace (domain), which for sure isn't desirable!
The separate namespace (domain) for the on-premise and Exchange Online organization also needs to be configured as the primary SMTP address, because the organization relationship uses this domain not just to forward free/busy requests, but also to verify the users from the organization who are requesting free/busy.
I will show this in detail in my following post.
- Configure the Organization Relationship in Exchange Online for Hybrid Organizations
- Troubleshooting free/busy time with Fiddler
- Free/Busy Time Permissions in Outlook for Anonymous
Configure the Organization Relationship in Exchange Online for Hybrid Organizations
So in this post we will configure the relationship for hybrid organizations that want to share free/busy calendar information only for their Exchange Online mailbox users.
It's the same as for on-premise: in the Exchange admin center under Organization -> Sharing, click on the plus icon to create a new organization relationship.
First, just add the native Microsoft domain <Tenant Name>.mail.onmicrosoft.com of the external organization to the Domains to share with field as shown below and click on Save.
This is my lab environment, and I will configure the organization relationship with my prod environment.
This will ensure that the Application URI is set to outlook.com and the Autodiscover endpoint is set to Exchange Online https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
As you can see, there is already an organization relationship configured between the online and the on-premise organization.
This will take a moment, because in the background all domains of the external organization that are in state healthy are determined and added automatically to Domains to share with.
In the screenshot above you can see, as mentioned, that a bunch of further domains of the external organization, all in state healthy, were added automatically.
Below you can see the domains and healthy state from the external organization (my prod environment).
Healthy in this context just means that the three DNS records shown below resolve to the suggested Microsoft values.
Here, for example, the CNAME DNS record autodiscover for the primary SMTP domain braincourt.com of the external organization doesn't point to the Exchange Online value autodiscover.outlook.com.
Therefore the domain doesn't show up in state healthy. In public DNS, the autodiscover CNAME record here points to the on-premise Exchange of the external organization.
For hybrid organizations where mailboxes are hosted both on-premise and online, the autodiscover DNS record must point to the on-premise organization.
That's exactly the reason why we need to add by hand the primary SMTP domain braincourt.com of the external organization, which is used for requesting free/busy calendar information, to the Domains to share with field below.
Note: Check that the Application URI and Autodiscover endpoint match the values for the Exchange Online organization as shown below.
Otherwise, if values for the on-premise organization are listed here, all requests would be forwarded to the on-premise organization, for which we haven't configured a relationship. The delegation tokens are therefore not valid, nor will the on-premise organization proxy the requests to Exchange Online, where the requested mailbox is hosted.
Exchange 2013 doesn’t support functionality to proxy these availability requests through the on-premises organization to the Microsoft 365 or Office 365 service.
That's all. The same now of course also needs to be configured at the other organization you want to share free/busy calendar information with.
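The checks from the note above can also be scripted. The following is an added example, not part of the original post: Test-HybridOrgRelationship is a hypothetical helper that inspects an object returned by Get-OrganizationRelationship for the two misconfigurations this post warns about (primary SMTP domain missing from Domains to share with, Application URI or Autodiscover endpoint not pointing to Exchange Online). The sample object and its on-premise host names are constructed placeholders.

```powershell
# Added example (not from the original post). Expected values as quoted in the post.
$ExpectedAppUri = 'outlook.com'
$ExpectedEpr    = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity'

function Test-HybridOrgRelationship {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Relationship,               # object from Get-OrganizationRelationship
        [Parameter(Mandatory)] [string] $PrimarySmtpDomain  # domain the external users send requests from
    )
    $findings = @()
    # DomainNames may contain domain objects or strings; normalize to strings first
    $domains = @($Relationship.DomainNames | ForEach-Object { "$_" })
    if ($domains -notcontains $PrimarySmtpDomain) {
        $findings += "'$PrimarySmtpDomain' is missing from Domains to share with"
    }
    if ("$($Relationship.TargetApplicationUri)" -ne $ExpectedAppUri) {
        $findings += "Application URI is '$($Relationship.TargetApplicationUri)', not '$ExpectedAppUri'"
    }
    if ("$($Relationship.TargetAutodiscoverEpr)" -ne $ExpectedEpr) {
        $findings += "Autodiscover endpoint is '$($Relationship.TargetAutodiscoverEpr)', not Exchange Online"
    }
    if (-not $Relationship.FreeBusyAccessEnabled) {
        $findings += 'Free/busy access is not enabled'
    }
    [pscustomobject]@{
        Name     = $Relationship.Name
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: relationship that points to on-premise and lacks braincourt.com
$sample = [pscustomobject]@{
    Name                  = 'Prod (constructed sample)'
    DomainNames           = @('BraincourtGmbH.mail.onmicrosoft.com')
    TargetApplicationUri  = 'mail.onprem.example'    # placeholder on-premise value
    TargetAutodiscoverEpr = 'https://autodiscover.onprem.example/autodiscover/autodiscover.svc/WSSecurity'
    FreeBusyAccessEnabled = $true
}
Test-HybridOrgRelationship -Relationship $sample -PrimarySmtpDomain 'braincourt.com' | Format-List

# Against a live tenant (requires the ExchangeOnlineManagement module):
# Connect-ExchangeOnline
# Get-OrganizationRelationship |
#     ForEach-Object { Test-HybridOrgRelationship -Relationship $_ -PrimarySmtpDomain 'braincourt.com' }
# Add the missing domain without overwriting the existing list:
# Set-OrganizationRelationship -Identity '<relationship name>' -DomainNames @{Add = 'braincourt.com'}
```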
Troubleshooting free/busy time with Fiddler
To determine why free/busy calendar information is not working as expected, you can use Fiddler to get more information about what's going on behind the scenes.
Below I will capture some requests after I made some changes to the organization relationship configuration.
Capture from a successful free/busy time request
For sharing free/busy calendar information for your online mailboxes to work, you also need to include the primary SMTP domain of the external organization that is requesting free/busy time in the Domains to share with field; in my case this is braincourt.com (prod environment).
Below you can see the settings in Exchange Online for my lab environment.
Below I captured a free/busy calendar information request with Fiddler for the user John.Doe@braintesting.net (my lab environment), made from my Exchange Online account in my prod environment.
When it works, the response code is NoError and you will see the FreeBusyView XML information.
Missing Primary SMTP Domain in the Organization Relationship
When I now remove the primary SMTP domain of my prod environment (braincourt.com) from the organization relationship in my lab environment, the user from the prod environment who is requesting free/busy time won't see it anymore.
Users in the lab environment also won't be able to request free/busy time from the prod environment users from now on, so not just one side is affected.
Changes to the organization relationship will take some minutes to take effect!
Below I want to request free/busy time from John Doe in the lab environment.
No information. No free/busy information could be retrieved.
You do not have permissions to see the recipient’s free busy.
Autodiscover failed for email address email@example.com with error Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverInvalidUserException: The response from the Autodiscover service at https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc …
In contrast, if John Doe in the lab environment now tries to request free/busy time from a user in the prod environment with the braincourt.com domain, the following error will appear.
No information. No free/busy information could be retrieved.
The recipient’s server could not be determined. Contact your administrator.
Unable to resolve e-mail address firstname.lastname@example.org to an Active Directory object.
Wrong Application URI and Autodiscover Endpoint in the Organization Relationship
Now I will change the Application URI and Autodiscover endpoint of the organization relationship for the prod environment, configured in the lab environment, from Exchange Online to the on-premise Exchange organization of the prod environment.
So free/busy time requests for Exchange Online mailboxes from the prod environment will now be forwarded to the on-premise prod Exchange organization and will fail, because Exchange on-premise cannot proxy the requests to Exchange Online.
But let's see what Fiddler captures here.
Because we changed the Application URI and Autodiscover endpoint to the on-premise Exchange organization but the requested mailbox is hosted in Exchange Online, the on-premise Exchange Server used the remote routing address (targetAddress) to redirect the request to the Exchange Online organization.
AutoDiscoverFailedException: Exceed the number of Autodiscover redirections for e-mail jjoskes@BraincourtGmbH.mail.onmicrosoft.com. The maximum allowed redirections are 3.
Remote Routing Address on the on-premise Exchange Server.
Address Space Not Found Exception: Configuration Information for forest/domain not found in Active Directory
The following error appears in case the domain used to request free/busy calendar information isn’t configured in the organization relationship.
In the organization relationship, only the address space (Domains to share with) for the domain onprem.braintesting.net is configured, but not braintesting.net.
Free/Busy Time Permissions in Outlook for Anonymous
Keep in mind that, even when you configure an organization relationship, free/busy information will only work if the requested user's calendar has its permissions for anonymous set to free/busy time. If it is set to None as below, no free/busy information can be retrieved.
Configuring federated sharing between Exchange organizations
Organization relationships in Exchange Online
Shared free/busy in Exchange hybrid deployments
Advanced Sharing Scenarios with Exchange Hybrid Deployments
Demystifying Hybrid Free/Busy: what are the moving parts?