Exchange Hybrid Free/Busy Explained!

Dive into the simplicity of scheduling in a mixed environment of on-premises and cloud-based Microsoft Exchange. Discover how Exchange hybrid free busy allows users to effortlessly coordinate meetings and plan activities by checking the availability of others. Say goodbye to scheduling headaches and hello to a smoother workflow with Exchange Hybrid Free/Busy.

Watch the video

Watch this video to learn how does free/busy works in Exchange hybrid deployment.

What is Exchange hybrid Free Busy

Free/Busy is a feature that shows whether someone is available or busy during specific time slots. It helps people check when others are free or occupied. This way, users can coordinate and plan activities more effectively by avoiding conflicting schedules.

Exchange Hybrid Free Busy simplifies scheduling in a mixed environment of on-premises Exchange server and Exchange online. It lets users easily see if others are available or busy, making it hassle-free to plan meetings and coordinate activities. This feature ensures smooth collaboration between on-premises and cloud users, promoting efficient scheduling and teamwork.

In Exchange hybrid deployment few mailboxes reside in on-premises Exchange server and some of them are migrated to Microsoft 365. When an on-premises user wants to schedule a meeting with migrated user or vice-versa, that is called Exchange Hybrid Free Busy look ups. Free/Busy is a feature that allows you to check if someone is free, busy or Out of Office at a particular time so that you can schedule a meeting with him/her.

To see if someone is free or busy at a particular time, go to Outlook client or OWA, create new meeting and click scheduling assistant.

You will add the user under Add required attendee as shown in above image and you will be able to see if that user’s availability.

Let’s understand how to identify if someone is free or busy.

When you will add a user under Add required attendee, you will see few icons as shown above for that user’s calendar. If you see blue color blocks, that means user is not available or he has another meeting during that time. If you see blocks with blue color lines, that indicates the attendee has received your meeting invite but he hasn’t accepted the meeting yet. These type of meetings are called tentative meetings. Out of Office means you are trying to reach someone when he is on vacation or he is not in office and he has enabled Out of Office feature in Outlook or OWA. Working elsewhere indicates that the user might be working from a different location. No Information indicates that free/busy is not able to retrieve the availability for that particular user. So in this scenario you might have to troubleshoot why free/busy is not working. Outside of working hours indicates that you are trying to check someone’s availability outside his working hours.

How Free/Busy works in Hybrid deployment

Before we jump into Exchange Hybrid Free Busy, let’s discuss few important concepts.

Microsoft Federation Gateway (MFG) or Azure Authentication System: Microsoft Federation Gateway (MFG) or Azure Authentication System is a cloud based service that acts like a mediator between two different organizations. When we create a Microsoft 365 tenant, a trust is created automatically between Microsoft 365 Tenant and Microsoft Federation Gateway. When this trust is created, Microsoft Federation Gateway assigns certain values to this federation trust.

You can check these values by running Get-FederationTrust | FL in Exchange online PowerShell. For every Microsoft 365 tenant you will see 260563 value in ApplicationIdentifier attribute, and ApplicationURI will have a value Outlook.com. If you see a different value for Application Identifier, it means your Tenant has an old reference pointing to MFG and Free/Busy look ups will fail. In this case you need to open a support request with Microsoft to get it resolved.

But when we install on-premises Exchange server, a trust between Exchange server and Microsoft Federation Gateway is not created automatically. We can create a federation trust between on-premises Exchange server and Azure Authentication System (MFG) by running HCW, or it can be created with the help of PowerShell commands.

If you run Get-FederationTrust | FL in on-premises Exchange Management Shell, you will see ApplicationIdentifier value and ApplicationURI that is assigned by the Microsoft Federation Gateway to your on-premises Exchange organization. The initial part of the ApplicationURI (highlighted in the above image) will remain same for every on-premises Exchange organization. Only the domain name will differ.

Intra-Organization Connector. Intra-Organization Connector (IOC) is a connector which enables features and services availability between two different organizations. IOC can be created manually or through running HCW and is created on Exchange Server 2013 and later.

Organization Relationship. Organization relationship is a relationship between two different organizations to share calendar related information.

Free/Busy look ups. In Exchange Hybrid, there are 2 free/busy look ups. When an on-premise user wants to see if Office 365 user is free or busy, this look up is called on-premise to Office 365 look up, and when Office 365 user wants to see free/busy status of an on-premise user, this look up is called Office 365 to on-premise look up.

How Free/Busy works in background.

Now let us discuss how Free/Busy look ups work in the background.

Let’s assume, User1@domain.com is hosted in on-premise. User2@domain.com was in on-premise but now he is migrated to Office 365. User1@domain.com is synced to Office 365 as a mail-enabled Mail User. User2@domain.com is migrated to Office 365 and has a Target Address assigned as user2@domain.mail.onmicrosoft.com and is added as a secondary address in his mailbox.

On-premise to Office Free/Busy Look-up: User1@domain.com wants to see if user2@domain.com (migrated user) is free or busy on a particular time so that he can schedule a meeting with User2.

1. User1 will login to Outlook or OWA and will add User2 as an attendee in the meeting.
2. The on-premises Exchange server in will find that User2 is not a local mailbox and has a different domain name of domain.mail.onmicrosoft.com set as the Target Address.
3. The Availability Service on the on-premises Exchange will then check to see if there is a path to query User2’s Free/Busy information for Office 365 side.
4. Next query will look for Intra-Organization Connector (for Exchange Server 2013 and 2016) with the domain name domain.mail.onmicrosoft.com.
5. If an Intra-Organization Connector is not found, then query will look for Organization Relationship.
6. If both Intra-Organization Connector and Organization Relationship are not found, then query will go to Availability Address Space.
7. E.g., If we have Exchange Server 2010, we will have Organization Relationships created for on-premise to Office 365 and from Office 365 to on-premise when we ran HCW.
8. In on-premise Organization Relation, Target ApplicationUri is set to Outlook.com, which is an identifier for the Office 365 tenant in the Azure Authentication System or MFG.
9. Then a request will be made to MFG for a delegation token (because in order to speak with Office 365 tenant, on-premise exchange server will have to go through the MFG)
10. MFG will give a delegation token to the on-premise exchange server, and exchange server will make an Autodiscover request to Exchange Online.
11. If Autodiscover request passes, an EWS request will be made to Exchange Online to check User2’s availability.
12. The Exchange Online server will validate the token provided by MFG, once it is validated it will return the availability status of User2’s mailbox.
13. User1 will be able to see if user2 is free or busy in that particular time slot.

Office 365 to On-premise Free/Busy look-up: User2@domain.com wants to see if user1@domain.com is free or busy in a particular time so that he can schedule a meeting with User1. (User2 is migrated from on-premise and User1 is in on-premise but is synced to Office 365 as Mail User)

1. User2@domain.com will login to Outlook client or OWA and will add user1@domain.com as an attendee.
2. Exchange Online server will find that User1 is a Mail User and he does not has a mailbox in Office 365 but has a Target Address user1@domain.mail.onmicrosoft.com
3. Availability service on Exchange Online will try to find a path to check availability for User1.
4. First query will go to Intra-Organization Connector (if exchange server version is 2013 or 2016).
5. If there is no Intra-organization connector, query will go to Organization Relationship.
6. If no IOC or Organization Relations is found for on-premise, then query will go to Availability Address Space.
7. As we have Exchange Server 2010 in on-premise and HCW was ran, we will have Organization Relationship and Federation Trust.
8. The Target ApplicationURI in the Office 365 tenant Organization Relationship is set to FYDIBOHF25SPDLT.domain.com, which is an identifier for the on-premises organization trust in the Azure Authentication System or MFG.
9. A request will be made to MFG for a delegation token.
10. Once MFG will issue a delegation token to Exchange Online server, Exchange Online server will send an Autodiscover request to on-premise exchange server.
11. Once Autodiscover request passes, Exchange Online server will make EWS request to check User1’s availability.
12. On-premise Exchange Server will validate the delegation token issued by MFG and once it is validated, will share User1’s availability.
13. User2 will be able to see if User1 is free or busy in that particular time.

Troubleshoot Free Busy Scenarios

Now let’s understand how you can troubleshoot Free/Busy. What things you need to consider before troubleshooting such scenarios, and what PowerShell commands you can run to collect logs to investigate the issue further.

1. Check which look up is failing, Office 365 to On-premise or from On-premise to Office 365.
2. What is the behavior in Outlook client and OWA.
3. What is the error message while looking for free/busy information (hover mouse on greyed lines and collect screenshot).
4. Check if Office 365 to Office 365 and on-premise to on-premise Free/Busy is working or not
5. Collect output of below commands:

Run below commands in on-premises Exchange Management Shell:

$FormatEnumerationLimit = -1
Start-Transcript
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-OrganizationRelationship | fl
Get-WebServicesVirtualDirectory | fl
Get-AutoDiscoverVirtualDirectory | fl
Get-HybridConfiguration | fl
Get-RemoteMailbox "migrated user" | fl
Get-Mailbox "on-premise user" | fl
Test-FederationTrust -UserIdentity "on-premise mailbox" -Verbose
Test-FederationTrustCertificate | fl
Get-AvailabilityAddressSpace | fl
Get-IntraOrganizationConnector | fl
Get-IntraOrganizationConfiguration | fl
Get-FederationInformation -Domainname domain.mail.onmicrosoft.com
Get-ExchangeServer | Format-List
Test-OrganizationRelationship –Identity "On-premises to O365*" -UserIdentity "on-premise mailbox" -Verbose
Test-OrganizationRelationship –Identity "On-premises to O365*" -UserIdentity "on-premise mailbox"
Stop-Transcript

$FormatEnumerationLimit = -1
Start-Transcript
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-OrganizationRelationship | fl
Get-WebServicesVirtualDirectory | fl
Get-AutoDiscoverVirtualDirectory | fl
Get-HybridConfiguration | fl
Get-RemoteMailbox "migrated user" | fl
Get-Mailbox "on-premise user" | fl
Test-FederationTrust -UserIdentity "on-premise mailbox" -Verbose
Test-FederationTrustCertificate | fl
Get-AvailabilityAddressSpace | fl
Get-IntraOrganizationConnector | fl
Get-IntraOrganizationConfiguration | fl
Get-FederationInformation -Domainname domain.mail.onmicrosoft.com
Get-ExchangeServer | Format-List
Test-OrganizationRelationship –Identity "On-premises to O365*" -UserIdentity "on-premise mailbox" -Verbose
Test-OrganizationRelationship –Identity "On-premises to O365*" -UserIdentity "on-premise mailbox"
Stop-Transcript

Run below commands in Exchange Online:

$FormatEnumerationLimit = -1
Start-Transcript
Get-OrganizationRelationship | FL
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-MailUser "on-premise user" | fl
Get-Mailbox "migrated user / office 365 user" | fl
Get-AvailabilityAddressSpace | fl
Get-IntraOrganizationConnector | fl
Get-FederationInformation -Domainname bonadio.com
Test-OrganizationRelationship –Identity "O365 to On-premises*" -UserIdentity “office 365 mailbox”-Verbose
Test-OrganizationRelationship –Identity "O365 to On-premises*" -UserIdentity “office 365 mailbox”
Stop-Transcript

$FormatEnumerationLimit = -1
Start-Transcript
Get-OrganizationRelationship | FL
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-MailUser "on-premise user" | fl
Get-Mailbox "migrated user / office 365 user" | fl
Get-AvailabilityAddressSpace | fl
Get-IntraOrganizationConnector | fl
Get-FederationInformation -Domainname bonadio.com
Test-OrganizationRelationship –Identity "O365 to On-premises*" -UserIdentity “office 365 mailbox”-Verbose
Test-OrganizationRelationship –Identity "O365 to On-premises*" -UserIdentity “office 365 mailbox”
Stop-Transcript

Once you have collected output of above PowerShell commands from on-premises and Exchange Online side, now its time to ensure all the attributes are set up correctly.

Analyze PowerShell Output for Exchange Online and Exchange On-Premises

Exchange Online PowerShell Output:

Get-IntraOrganizationConnector | fl
TargetAddressDomains : {contoso.com}
DiscoveryEndpoint : https://autodiscover.contoso.com/autodiscover/autodiscover.svc *
Enabled : True

The On-Premises Discovery Endpoint (Autodiscover) is more likely to be found in the format https://mail.contoso.com/autodiscover/autodiscover.svc because of the EWS External URL, so pay attention to this Autodiscover URL and replace it if needed with the autodiscover.yourdomain.tld on the IOC present in the Cloud Side (Reference Set-IntraOrganizationConnector).

Get-IntraOrganizationConfiguration | fl
OnPremiseTargetAddresses : {contoso.com}

• TargetAddressDomains – This should be your federated domains. Example: contoso.com
  • You can find the domains name by cross-checking Exchange Online’s (Get-IntraOrganizationConfiguration).OnPremiseTargetAddresses
• TargetDiscoveryEndpoint – This should be the address of the On-Premises Autodiscover Endpoint. Example: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/.If you paste the URL in IE, you should receive a regular windows authentication security prompt
• Enabled – This must be True.

Get-OrganizationRelationship | fl
DomainNames : {contoso.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel : LimitedDetails
FreeBusyAccessScope :
TargetApplicationUri : FYDIBOHF25SPDLT.contoso.com
TargetSharingEpr :
TargetOwaURL :
TargetAutodiscoverEpr : https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity
Enabled : True

• DomainNames – This should be your federated domains. Example: contoso.com
  • You can find the domains name by cross-checking On-Premises’ (Get-FederatedOrganizationIdentifier).Domains
• TargetAutodiscoverEPR – This should be the address of the On-Premises Autodiscover Endpoint. Example: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity. If you paste the URL in IE, you should receive a regular windows authentication security prompt
• TargetSharingEPR – Ideally this is blank. If it is set, it should be the On-Premises Exchange servers EWS ExternalUrl endpoint. Example: https://server.contoso.com/EWS/Exchange.asmx
  • You can find the URL by cross-checking On-Prem’s Get-WebServicesVirtualDirectory ExternaUrl. If you paste the URL in IE with /WSSecurity at the end (https://server.contoso.com/EWS/Exchange.asmx/WSSecurity), you should receive a regular windows authentication security prompt
• TargetApplicationURI – This must match the ApplicationUrI from On-Prem. Example: FYDIBOHF25SPDLT.contoso.com
  • You can find the value by cross-checking On-Prem’s (Get-FederationTrust).ApplicationUri
• FreeBusyAccessEnabled – This must be True.
• FreeBusyAccessLevel – This should be either AvailabilityOnly or LimitedDetails.
  • AvailabilityOnly: Free/Busy access with time only
  • LimitedDetails: Free/Busy access with time, subject, and location
• FreeBusyAccessScope – This is typically blank. The FreeBusyAccessScope parameter specifies a security distribution group in the internal organization that contains users that can have their Free/Busy information accessed by an external organization.
• Enabled – This must be True.

Exchange On-Premises PowerShell Output:

Get-IntraOrganizationConnector | fl
Name : ExchangeHybridOnPremisesToOnline
TargetAddressDomains : {contoso.mail.onmicrosoft.com}
DiscoveryEndpoint : https://outlook.office365.com/autodiscover/autodiscover.svc
Enabled : True

• TargetAddressDomains – This should be your tenant.mail.onmicroosft.com name. Example: ‘contoso.mail.onmicrosoft.com’
• TargetDiscoveryEndpoint – This should be the address of EXO Autodiscover endpoint. Example: https://outlook.office365.com/autodiscover/autodiscover.svc
• Enabled – This must be True.

Get-OrganizationRelationship | fl
DomainNames : {contoso.mail.onmicrosoft.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel : LimitedDetails
FreeBusyAccessScope :
TargetApplicationUri : Outlook.com
TargetSharingEpr :
TargetOwaURL : https://outlook.com/owa/contoso.onmicrosoft.com
TargetAutodiscoverEpr : https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
Enabled : True

Both Autodiscover and EWS virtual directories must be enabled for WSSecurity authentication and/or OAuth. For example, if using OAuth, you should have OAuth listed as Authentication Methods, whereas if using only DAuth (Exchange 2010 for example), you would see only WSSecurity. Example of virtual directories authentication methods for an Exchange 2013 Hybrid Organization:

Get-AutodiscoverVirtualDirectory | fl
Name : Autodiscover (Default Web Site)
AdminDisplayVersion : Version 15.0 (Build 1044.25)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

Get-AutodiscoverVirtualDirectory | fl
Name : Autodiscover (Default Web Site)
AdminDisplayVersion : Version 15.0 (Build 1044.25)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

Get-WebServicesVirtualDirectory | fl
Name : EWS (Default Web Site)
AdminDisplayVersion : Version 15.0 (Build 1044.25)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

As we discussed above, there are some situations where Free/Busy from on-premises to cloud is going via Availability Address Space. Below would be the expected configuration for Availability Address Space in Exchange on-premises (Exchange Management Shell):

Get-AvailabilityAddressSpace | fl
ForestName : contoso.mail.onmicrosoft.com
UserName :
UseServiceAccount : True
AccessMethod : InternalProxy
ProxyUrl : https://server01.contoso.com/EWS/Exchange.asmx
Name : contoso.mail.onmicrosoft.com

• ForestName – The should be the tenant.mail.onmicrosoft.com domain name. This should also match the domain name of RemoteRoutingAddress of remote mailboxes. Example: contoso.mail.onmicrosoft.com
• UserName – This should be blank.
• UserServiceAccount – This must be True.
• AccessMethod – This should be InternalProxy.
• ProxyUrl – This should be the Exchange 2013/2016 Exchange Web Services Virtual Directory URL. The address could be the internal FQDN or load balancing EWS URL. Example: https://server01.contoso.com/EWS/Exchange.asmx

Join us on YouTube for the latest videos on the Cloud technology and join our Newsletter for the early access of the blogs and updates.

Happy Learning!!