Add a new domain to an existing Hybrid Exchange configuration

Let's assume you are running a Hybrid Exchange configuration with one domain configured. You use this domain as the logon domain (part of the User Principal Name) and in your email reply address. For some reason a new domain needs to be added to your existing Hybrid Exchange configuration so you can use this domain in new email addresses.
The steps involved in adding this new domain are described in this article, but before you begin you need to decide how this new domain will be used. If the new domain only needs to be added to the user mailboxes as a mail alias, then the configuration is pretty straightforward. But if this domain needs to be used as the reply address, you also need to decide whether to keep your existing domain as part of the logon name or to change that domain as well.

Add the new domain to Office 365

The first thing we need to do is add the new domain to Office 365. Log on to the Office 365 Admin center, go to Setup and click on Domains. Choose Add domain, enter your new domain (in this example and click Next.

Add a domain

You need to prove you are the owner of the domain by adding a TXT record to your external DNS. The required value for the TXT record is found on the Verify Domain page.
After you have added the DNS record to your external DNS, click Verify.

Verify domain

After your domain is verified, the domain is added to Office 365. Now you should also add the other DNS records, like the MX record, SPF and a CNAME for Autodiscover. Depending on your mail flow configuration, your MX record should point to your on-premises Exchange Server or to Exchange Online.
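A quick way to confirm that the records described above are visible from outside your network, as an added example that is not part of the original article. The function name, the resolver address and the parameter values are assumptions; pass in your own domain and the TXT value shown on the Verify Domain page.

```powershell
# Added example: checks the verification TXT, SPF, MX and Autodiscover records
# for a new domain against an external resolver.
function Test-NewDomainDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,           # the new domain
        [Parameter(Mandatory)] [string] $VerificationTxt,  # value from the Verify Domain page
        [string] $Resolver = '1.1.1.1'                     # assumption: any public resolver will do
    )

    # Resolve-DnsName can return SOA records when there is no answer, so filter on Type.
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' })

    # SPF is published as a TXT record that starts with "v=spf1".
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })

    $mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' } |
            Sort-Object Preference)

    $auto = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1

    [pscustomobject]@{
        Domain            = $Domain
        VerificationFound = ($txt -contains $VerificationTxt)
        SpfRecordCount    = $spf.Count          # expect exactly 1; multiple SPF records fail evaluation
        Spf               = ($spf -join ' | ')
        MxHosts           = ($mx.NameExchange -join ', ')
        AutodiscoverCname = $auto.NameHost
    }
}

# Placeholder values, replace with your own before running:
# Test-NewDomainDns -Domain '<new-domain>' -VerificationTxt '<value from the Verify Domain page>'
```

Check that MxHosts points where your mail flow design expects (on-premises Exchange or Exchange Online) before you start handing out addresses in the new domain.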

On-premises Exchange configuration

We also have to add the new domain to the on-premises Exchange, because from there we control the email addresses for local and online mailboxes in a Hybrid configuration.
Switch to your on-premises Exchange server and open the Exchange Admin Center (in case of Exchange 2013 or 2016). Go to Mail flow and choose the Accepted domains tab. Click the plus sign.

Exchange admin center

Add your new domain as Authoritative.

Add new domain

After the domain is added, it's time to run the Office 365 Hybrid Configuration wizard. After verifying your credentials for the local domain and Exchange Online, click Next until you see the Hybrid Domains screen. Make sure you check the newly added domain.

Hybrid domains

Again you need to verify you own the domain by adding a TXT record to your external DNS.

Domain ownership

Don't make any changes to the rest of the configuration and choose Next on all the screens until you see the screen below. Check Yes, upgrade the current configuration.

Upgrade configuration

The wizard will upgrade your existing configuration; for example, it adds the domain to the mail flow connector between your Exchange Server and Exchange Online. When the wizard is finished you can add an email address with your new domain to your users' mailboxes.

Adding the new domain to your mailboxes

The new domain is added to Exchange Online and your on-premises Exchange; now it needs to be added to the mailboxes. Depending on your needs you can add a new email address with the domain manually to the mailboxes using the on-premises Exchange Admin Center (or PowerShell), or by changing the Email Address Policy (or adding a new policy).

Add new domain

After you have added the new email addresses via the on-premises Exchange and performed an Azure AD Connect sync, the new email address is added to the Exchange Online mailbox.
Keep in mind that when you set the new email address as the reply address and don't change the User Principal Name, the two are no longer equal, as in the example below.
In the example below my UPN contains my old (existing) domain and my new reply address contains the new domain.

User properties

Add the new domain to the User Principal Name

When you also want to add the newly added domain to the User Principal Name, you first need to add a new UPN suffix. On your local Domain Controller open Active Directory Domains and Trusts, right-click on Active Directory Domains and Trusts and choose Properties. Here you can add an alternative UPN suffix (your new domain).

Add UPN suffix

After you have added the UPN suffix, you are able to change the UPN of your users to contain the new domain. You can do this manually by changing the domain in the User account properties.

Change UPN

You can also do this in bulk. To change all existing UPNs (in this example contoso.local) to contain the new domain (

$NewSuffix = '<new-domain>'   # placeholder: the new domain name is missing from this page, set your own
$LocalUsers = Get-ADUser -Filter {UserPrincipalName -like '*contoso.local'} -Properties userPrincipalName -ResultSetSize $null
$LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("contoso.local",$NewSuffix); $_ | Set-ADUser -UserPrincipalName $newUpn}

Or you can change the suffix for all users in an OU (the OU is Users under the OU DeKlapwijken in the domain

$NewSuffix = '<new-domain>'   # placeholder: the new domain name is missing from this page, set your own
$LocalUsers = Get-ADUser -LDAPFilter '(userPrincipalName=*)' -SearchBase "OU=Users,OU=DeKlapwijken,DC=deklapwijken,DC=nl" -Properties userPrincipalName
$LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("contoso.local",$NewSuffix); $_ | Set-ADUser -UserPrincipalName $newUpn}

After performing another sync both your User Principal Name and reply address are changed to contain the new domain and are now equal again.

UPN and email addresses
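To confirm the result described above, the following added example (not the author's code) lists users whose UPN still differs from their reply address, or whose UPN suffix is not registered in the forest. The function name is an assumption, and it relies on the primary address being the proxyAddresses entry with an upper-case "SMTP:" prefix.

```powershell
# Added example: audit UPN versus primary SMTP (reply) address after the change.
Import-Module ActiveDirectory

function Get-UpnMailMismatch {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # distinguished name of the OU you changed
    )

    # Suffixes a UPN may use: the forest's domain names plus the alternative UPN suffixes
    # added in Active Directory Domains and Trusts.
    $forest  = Get-ADForest
    $allowed = @($forest.Domains) + @($forest.UPNSuffixes)

    Get-ADUser -SearchBase $SearchBase `
               -LDAPFilter '(&(userPrincipalName=*)(proxyAddresses=*))' `
               -Properties proxyAddresses |
    ForEach-Object {
        # -clike is case-sensitive: "SMTP:" is the primary address, "smtp:" entries are aliases.
        $primary = $_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        $reply   = if ($primary) { $primary.Substring(5) } else { $null }
        $suffix  = ($_.UserPrincipalName -split '@')[-1]

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $_.UserPrincipalName
            ReplyAddress      = $reply
            Match             = [bool]($reply -and ($reply -ieq $_.UserPrincipalName))
            SuffixRegistered  = ($allowed -contains $suffix)
        }
    } |
    Where-Object { -not $_.Match -or -not $_.SuffixRegistered }
}

# Read-only report; the OU below is the one used in the article's example:
# Get-UpnMailMismatch -SearchBase 'OU=Users,OU=DeKlapwijken,DC=deklapwijken,DC=nl' | Format-Table -AutoSize
```

An empty result means every account in the OU has a UPN that equals its reply address and uses a registered suffix.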


  1. I have a weird issue. I followed what you did here exactly, and when I run the HCW, the domain doesn’t show up in the list of domains to select and proceed. I rebooted the mail servers, ran the wizard all the way through, changing nothing. Nothing seems to work. Logs don’t show anything except that under potential hybrid domain, it is missing from there. The domain shows as authoritative in both on-prem and o365. It worked 6 months ago when I had to add a new domain at that time.

    • Hi Adam,
      Sorry for the late reply. I have no idea. I have added an extra domain in a few Exchange setups lately, that's why I wrote this article, and all through these steps. Maybe it's a bug in the current HCW (the one you're running)? Think you should contact Microsoft support, if it's still not visible for you.

      • Found issue, just firstly needed to add to o365 admin portal and on local exchange /ecp, then run hybrid wizard and picks up new domain.
        hope that helps if you haven't found the solution yet.

    • I am having exactly same issue now, hybrid wizard doesn't see new domain in the list, and Hybrid Wizard was just updated when launched, guessing it's same version 16.0.2417.0
      Have you found a solution to this?

      I have opened up a case with MS, but afraid it's not going to be fast find.

        • Found issue, just firstly needed to add to o365 admin portal and on local exchange /ecp, then run hybrid wizard and picks up new domain.
          hope that helps if you haven't found the solution yet.

  2. Peter
    Thanks so much for this article! I’ve been googling for this some days ago!
    Nice and easy steps!

    This one will go to my favorites!

  3. When I run the Hybrid Configuration Wizard I am able to check the new domain I am adding, but if I keep all my other domains checked, it says I need a TXT record for those domains too. So, should I de-select the other domains? In your screen shot you have both domains checked. If I run Get-FederatedDomainProof for my other domains it shows they are good and finds the DNS TXT records for them. Is there any harm verifying those domains again by adding another TXT record? Thanks for this write-up.

    • Hi Chris,
      It's been a while since I have added a new domain to an existing deployment, but as far as I remember the existing domain was already checked and I needed to check the new domain. But I just needed to verify the new domain. Maybe this is changed since that time, the Wizard received a lot of updates since that date.
      I cannot imagine it harms your deployment when you verify the existing domains again.

  4. Hi,

    I have 200 plus accepted domains but only my primary domain is selecting when run the HCW?

    Do I have to select all.



  5. We are running exchange 2016 hybrid with central mail routing which means all emails are using in-Prem before going to exchange online, do you need to add the new domain to the SAN certificate?

  6. Do I need to change the certificate to a multidomain one before I run the hybrid? I have already imported the cert on the on prem exchange server, but I have not applied it to any services. Do I need to do that beforehand? Or will that happen during the hybrid wizard that I can change the cert?
