Zero Downtime · Zero Data Loss · Full Coexistence

Exchange to Office 365 Migration
Planned, Executed, Secured

Move from on-premises Exchange to Microsoft 365 with hybrid coexistence, Azure AD Connect, public folder migration, and post-migration security hardening. Ogma handles every phase from discovery to decommission.

Why Move Exchange to the Cloud

On-premises Exchange requires constant patching, hardware refresh cycles, and dedicated admin overhead. Each missed CU or SU expands your attack surface. Exchange Server has been the target of Hafnium, ProxyLogon, ProxyShell, and ProxyNotShell — all exploiting unpatched on-prem infrastructure.

Microsoft 365 eliminates this burden. Microsoft handles patching, capacity, and compliance certifications. You get 50-100 GB mailboxes, built-in archiving, Defender for Office 365 threat protection, DLP, and eDiscovery — all included in E3/E5 licensing.

But migration is not trivial. Misconfigured Azure AD Connect, botched MX cutover, or forgotten public folders can cause mail flow failures and data loss. That is where Ogma's proven migration methodology comes in.

  • 200+ Mailbox Migrations Completed
  • 0 Data Loss Incidents
  • <15m MX Cutover Downtime
  • E3/E5 License Optimisation

Migration Methods Compared

We recommend the right approach based on your Exchange version, mailbox count, and coexistence requirements.

| Method | Best For | Exchange Version | Coexistence | Downtime | Complexity |
|---|---|---|---|---|---|
| Cutover Migration | <150 mailboxes, simple setup | 2010, 2013, 2016, 2019 | None — all-at-once | Hours (MX + sync) | Low |
| Staged Migration | 150-2000 mailboxes, phased rollout | 2010, 2013 | Partial — batch by batch | Minutes per batch | Medium |
| Hybrid Migration | Enterprise, long coexistence needed | 2013, 2016, 2019 | Full — seamless GAL, free/busy | Near-zero | High |
| Minimal Hybrid | Fast hybrid without full on-prem | 2013, 2016, 2019 | Full — reduced on-prem footprint | Near-zero | Medium |
| Third-Party (BitTitan, Quest) | Cross-platform, tenant-to-tenant | Any + non-Exchange sources | Varies by tool | Minutes | Medium |

Our Migration Methodology

1. Discovery & Assessment

Inventory all mailboxes, distribution groups, public folders, shared mailboxes, and resource rooms. Identify mail flow rules, connectors, third-party integrations, and compliance requirements. Map Exchange version, CU level, and AD topology.

2. Azure AD & Identity Setup

Deploy Azure AD Connect with password hash sync or pass-through authentication. Configure OU filtering, attribute mapping, and group writeback. Set up conditional access, MFA for admins, and emergency access accounts. Validate directory sync health.

3. Hybrid Configuration

Run the Hybrid Configuration Wizard (HCW) to establish the federation trust and configure send/receive connectors for secure mail flow between on-prem and Exchange Online. Set up OAuth for cross-premises free/busy and mailbox moves. Validate autodiscover split.

4. Pilot Migration & Testing

Migrate a pilot batch (IT team, early adopters) to validate the process. Test Outlook profile recreation, mobile device reconfiguration, shared calendar access, delegate permissions, and third-party application connectivity. Document and resolve issues before bulk migration.

5. Bulk Migration & Cutover

Execute batch migrations in waves (departments, locations, or priority groups). Monitor the migration health dashboard, address failed items, and perform incremental syncs. Once all mailboxes are moved, update MX records, disable on-prem mail flow, and complete the final delta sync.

6. Post-Migration Hardening

Enable Defender for Office 365 (Safe Links, Safe Attachments), configure anti-phishing policies, DLP rules, and retention policies. Disable legacy protocols (POP3, IMAP, SMTP AUTH) where not needed. Set up audit logging, mailbox auditing, and compliance holds.
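
To verify the "disable legacy protocols where not needed" step, the following added example (not Ogma's tooling or code from this page) flags mailboxes where POP3, IMAP, or SMTP AUTH is still usable. It assumes rows shaped like `Get-CASMailbox` output; the function name, the `-Exempt` allow-list, and the sample rows are hypothetical and constructed for illustration.

```powershell
# Added example: report mailboxes that still expose POP3, IMAP or SMTP AUTH.
function Get-LegacyProtocolExposure {
    [CmdletBinding()]
    param(
        # One row of Get-CASMailbox output (or an object with the same properties)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,

        # Tenant default: (Get-TransportConfig).SmtpClientAuthenticationDisabled
        [Parameter(Mandatory)]
        [bool]$OrgSmtpAuthDisabled,

        # Hypothetical allow-list of addresses with a documented need
        [string[]]$Exempt = @()
    )
    process {
        if ($Exempt -contains $Mailbox.PrimarySmtpAddress) { return }

        # A per-mailbox value of $null means "inherit the tenant default"
        $smtpDisabled = if ($null -eq $Mailbox.SmtpClientAuthenticationDisabled) {
            $OrgSmtpAuthDisabled
        } else {
            [bool]$Mailbox.SmtpClientAuthenticationDisabled
        }

        $open = @()
        if ($Mailbox.PopEnabled)  { $open += 'POP3' }
        if ($Mailbox.ImapEnabled) { $open += 'IMAP' }
        if (-not $smtpDisabled)   { $open += 'SMTP AUTH' }

        if ($open.Count -gt 0) {
            [pscustomobject]@{
                Mailbox   = $Mailbox.PrimarySmtpAddress
                Protocols = $open -join ', '
            }
        }
    }
}

# Constructed sample rows shaped like Get-CASMailbox output
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com';   PopEnabled = $true;  ImapEnabled = $true;  SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.com';     PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@example.com';   PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.com'; PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $false }
)
$sample | Get-LegacyProtocolExposure -OrgSmtpAuthDisabled $true -Exempt 'scanner@example.com'
```

Against a live tenant, pipe `Get-CASMailbox -ResultSize Unlimited` into the function after `Connect-ExchangeOnline`. Flagged mailboxes are remediated with `Set-CASMailbox` using `-PopEnabled $false`, `-ImapEnabled $false`, and `-SmtpClientAuthenticationDisabled $true`.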

Everything Gets Migrated

User Mailboxes

All emails, contacts, calendar items, tasks, notes, and rules. Mailbox permissions (Full Access, Send As, Send on Behalf) are preserved. Mailbox sizes up to 100 GB supported natively.

Shared & Resource Mailboxes

Shared mailboxes retain all delegate permissions. Room and equipment mailboxes maintain booking policies, resource delegates, and scheduling restrictions. No license required for shared mailboxes under 50 GB.

Public Folders

Full hierarchy and content migration to Exchange Online public folder mailboxes. We also evaluate conversion to Microsoft 365 Groups or SharePoint document libraries where appropriate for better governance.

Archives & PSTs

On-premises archives migrate to Exchange Online archive mailboxes (auto-expanding up to 1.5 TB). Orphaned PST files can be ingested via network upload or Azure Import for centralised compliance.

Distribution & Security Groups

Distribution groups, mail-enabled security groups, and dynamic distribution groups are synced via Azure AD Connect. Membership, moderation settings, and delivery restrictions carry over automatically.

Mail Flow & Transport Rules

Transport rules, connectors, accepted domains, and email address policies are recreated in Exchange Online. Disclaimer rules, journaling, and compliance tagging are mapped to Exchange Online equivalents.

Azure AD Connect — The Identity Bridge

Seamless identity synchronisation between your on-premises AD and Microsoft Entra ID (Azure AD).

What We Configure

  • OU-based filtering (sync only required OUs)
  • Password hash synchronisation (PHS) for SSO
  • Pass-through authentication (PTA) if PHS is not permitted
  • Seamless SSO for domain-joined devices
  • Device writeback for Conditional Access
  • Group writeback for hybrid Microsoft 365 Groups
  • Exchange hybrid writeback for mail attributes
  • Self-service password reset (SSPR) writeback

Security Best Practices

  • Dedicated service account with minimum permissions
  • Staging mode server for disaster recovery
  • Health alerts via Azure AD Connect Health
  • Automatic upgrade enabled for security patches
  • TLS 1.2 enforced for all sync traffic
  • Export deletion threshold (prevents accidental mass delete)
  • Sync cycle monitoring (default 30-minute intervals)
  • Azure AD Connect V2 migration if running V1

Post-Migration Security Hardening

Migration is not complete until your new environment is hardened. We configure these security controls as standard.

Defender for O365

Safe Links, Safe Attachments, anti-phishing policies with impersonation protection for executives and domains.

Conditional Access

Block legacy authentication, enforce MFA, restrict access by location and device compliance. Named locations for office IPs.

DLP & Retention

Data Loss Prevention policies for PII, PCI, and regulatory data. Retention labels and litigation holds for compliance.

Audit & eDiscovery

Unified audit logging, mailbox auditing, content search, and eDiscovery cases for legal and compliance investigations.

Challenges We Solve

Autodiscover Split-Brain

Outlook clients must resolve to the correct autodiscover endpoint (on-prem or cloud) based on mailbox location. We configure SCP objects, DNS records, and the hybrid autodiscover virtual directory to ensure seamless client connectivity.

Large Mailbox Throttling

Microsoft throttles migration bandwidth per mailbox. For 50+ GB mailboxes, we use incremental sync with multiple seed passes, schedule migrations during off-peak hours, and request temporary throttling policy increases from Microsoft support when needed.

Third-Party App Dependencies

CRM systems, helpdesk tools, and line-of-business apps often use EWS or SMTP relay. We map every integration, test against Exchange Online, and migrate from Basic Auth to Modern Auth (OAuth 2.0) where required.

Multi-Domain & Multi-Forest

Organisations with multiple AD forests or email domains need careful UPN suffix routing, domain verification, and potentially multiple Azure AD Connect instances or GALSync. We design the topology to support unified or separated tenants.

We Migrate From Every Version

Whether you are on Exchange 2010 or Exchange 2019, we have a proven path to Office 365.

  • 2010 (End of Support): Cutover / Staged + Hybrid Server
  • 2013 (End of Support): Full Hybrid Supported
  • 2016 (Extended Support): Full Hybrid + Minimal Hybrid
  • 2019 (Mainstream Support): Full Hybrid + Modern Auth

Frequently Asked Questions

Timeline depends on mailbox count, data volume, and complexity. A 100-mailbox migration with simple cutover typically completes in 2-4 weeks including planning and testing. Hybrid migrations for 500+ mailboxes with public folders, shared mailboxes, and compliance requirements usually take 6-12 weeks. We provide a detailed project plan with milestones after the initial assessment.

With hybrid and staged migration methods, users experience near-zero downtime. Mailboxes are synced incrementally while users continue working on the source server. The final switchover (MX record change and last delta sync) typically causes less than 15 minutes of mail flow interruption, usually scheduled outside business hours.

Public folders are migrated using Microsoft's batch migration process. We create migration requests that copy public folder hierarchy and content to Office 365 public folder mailboxes. Users retain access throughout the process. We recommend evaluating whether some public folders should be converted to Microsoft 365 Groups or SharePoint for better long-term manageability.

Azure AD Connect is required for hybrid deployments and recommended for all migrations involving more than 50 mailboxes. It synchronises your on-premises Active Directory with Azure AD, enabling single sign-on, unified address book, and seamless coexistence during migration. We handle the installation, filtering configuration, and password hash sync or pass-through authentication setup.

Yes. Exchange 2013 and 2016 support hybrid mode directly. Exchange 2010 requires a hybrid server (typically Exchange 2016) to broker the migration. We deploy and configure this intermediate server as part of the project. Exchange 2007 and earlier require a staged or cutover approach since hybrid is not supported.

Large mailboxes (50GB+) and archives are migrated using incremental sync — an initial seed followed by regular delta syncs. This avoids bandwidth saturation and reduces final switchover time. For extremely large mailboxes, we may recommend PST export/import for historical data combined with online migration for recent mail. Exchange Online archiving can be enabled post-migration for ongoing archive needs.

We inventory all applications using Exchange Web Services (EWS), SMTP relay, IMAP/POP, and ActiveSync during the discovery phase. Each integration is mapped to its Office 365 equivalent — Microsoft Graph API, SMTP relay via Exchange Online connector, or OAuth-based modern authentication. Legacy apps using Basic Auth require migration to Modern Auth before October 2026.

All data in transit is encrypted using TLS 1.2+. Azure AD Connect uses encrypted channels for directory synchronisation. Migration endpoints use HTTPS exclusively. We follow Microsoft's security best practices including conditional access policies, MFA enforcement for admin accounts, and audit logging throughout the migration. No mailbox data is stored on intermediate systems.

Ready to Migrate Exchange to Office 365?

Get a free migration assessment. We will map your environment, recommend the right method, and provide a detailed project plan with timeline and costs.
