Skype for Business Hybrid deployment guide (with Cloud PBX) Overview: Skype for Business hybrid deployment is mixed environment with Skype for Business Online and On-Premises configuration. In Hybrid environment has existing on-premises deployment with users that were created in your on-premises Active Directory - with Skype for Business Online. Hybrid deployment allows you keep yours users on your Skype for Business or Lync Server on-premises and on Skype for Business Online using the Active Directory Synchronization to keep your on-premises and online users synchronized. Below are the topics are discussed in this document: Sr. No. 1 2 3 4 5 6 7 8

Topics Description Pre-requisite for Hybrid deployment Details steps for Hybrid configuration User migration to Skype for Business Online User migration to Skype for Business Online with Cloud PBX. Auto discover Configure for Hybrid deployment Lesson learned Office 365 health, readiness, and connectivity checks

Author: Balu Ilag Microsoft MVP (Office Servers and Services) © 08.13.2016, Balu Ilag, System Administrator, Microsoft MVP Office Servers and Services. Version 1.0 Contact me at: [email protected] Blog: http://communicationsknowledge.blogspot.com/ . This document covers Skype for Business Hybrid deployment process. Target audience for this admin guide are Skype for Business / Lync Administrator, Skype for Business Online (Office365) Administrator and System Administrator who manages Skype for Business and Lync server 2013 environment.

You must have the following configured in your environment in order to implement and deploy a hybrid deployment: 



 





A Microsoft Office 365 tenant with Skype for Business Online enabled. Note that you can use only a single tenant for a hybrid configuration with your on-premises deployment. A single on-premises deployment (infrastructure) of Skype for Business Server 2015, Lync Server 2013, or Lync Server 2010 that is deployed in a supported topology. Skype for Business Server 2015 administrative tools. If you are using Lync Server 2013 or Lync Server 2010, you can use the Lync Server 2013 administrative tools. To support Single Sign-on with Office 365 so that users can use the same login credentials for signing in to Office as they do on-premises, you can use the password sync features of Azure Active Directory (AAD) Connect. You can also use Active Directory Federation Services (AD FS) for single sign-on with Office 365. A single directory synchronization solution to keep your on-premises and online Active Directory objects synchronized. For details about Directory Synchronization, see Directory Integration Tools. For this document purpose I have used ADFS and DirSync.

Assuming that you already have setup ADFS for Office 365 and single sign-on and your On-prem ADDS accounts synced with Office 365. If not then you can refer below Microsoft article Set up ADFS for Office 365 for Single Sign-On. Skype for Business client supportability: There are some differences in the features supported in clients, as well as the features available in on-premises and online environments. Before you decide where you want to home users in your organization, you should review the Client comparison tables for Skype for Business Server 2015 to determine the client support for the various configurations of Skype for Business Server. The following clients are supported with Skype for Business Online in a hybrid deployment:       

Skype for Business 2015 Skype for Business 2016 Lync 2013 Lync 2010 Lync Windows Store app Lync Web App Lync Mobile

  

Lync for Mac 2011 Lync Room System and Skype for Business Room System Lync Basic 2013

Here are the steps: 1. Install Skype for Business online PowerShell module connector to configure hybrid environment. a. My OS is windows 7 and Service Pack1. With 64 bit operating system. b. Install PowerShell 3.0 or higher. If you have PowerShell 2.0 then install “Windows Management Framework 3.0” URL (https://www.microsoft.com/en-us/download/details.aspx?id=34595) c. Time to install Skype for Business Online, Windows PowerShell Module (https://www.microsoft.com/en-us/download/details.aspx?id=39366) d. Then install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click Run to run the installer package. e. Check what version PowerShell do you have. Running Get-Host | SelectObject Version

f. Now time to connect PowerShell to Skype for Business Online. Open Windows PowerShell as administrator on computer where you install above pre-requisites. Import-module skypeonlineconnector $cred = Get-Credential

$session = New-CsOnlineSession -Credential $credOverrideAdminDomain "brcd.onmicrosoft.com" Import-PSSession $lyncSession Below is the Result:

2. You must have Hosting provider setup. . Run this command on Skype for Business connector Online PowerShell. To seehosting Provider details: Get-CsHostingProvider If hosting provider is not setup then you have to setup new new hosting provider. I used hosting provider with the Identity "OCO" and VerificationLevel property is set to UseSourceVerification for my environment.

New-CsHostingProvider -Identity OCO -ProxyFqdn "sipfed.online.lync.com" Enabled $True -HostsOCSUsers $True -EnabledSharedAddressSpace $True – VerificationLevel “UseSourceVerification”

You can AutodiscoverUrl later. 3. Enable your Office365 tenant for Skype Meeting Broadcast. [This is optional. Require if you are going to use Skype Meeting Broadcast] make sure EnableBroadcastMeeting should be True. Run this command on Skype for Business connector Online PowerShell. Set-CsBroadcastMeetingConfiguration –EnableBroadcastMeeting $True

4. Now run Get-CsTenantFederationConfiguration - Run this command on Skype for Business connector Online PowerShell.

SharedSipAddressSpace must be True. Run command Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true Run again Get-CsTenantFederationConfiguration to see shared Sip addressSpace is true

5. Currently Presence policy and Meeting configuration not set. All is default.

6. Configure Skype for Business / Lync Server on-premises for Hybrid mode: a. On front End Server, open the PowerShell console of Skype for business/ Lync Server and run: Get-CsAccessEdgeConfiguration Check if the following parameters are enabled:

AllowFederatedUsers : True EnablePartnerDiscovery : True AllowOutsideUsers : True RoutingMethod : UseDnsSrvRouting EnableSharedAddressSpace : True HostsOcsUsers : True

If not, then run the following command: Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true EnablePartnerDiscovery $true -UseDnsSrvRouting -AllowOutsideUsers $True Note: To check if these value was changed to correct values, you can run GetCsAccessEdgeConfiguration again. b. Check if you already have a Hosting providing on premises Skype for Business/ Lync Server. Open Skype for business / Lync management Shell and run Get-Cshostingprovider –Localstore

If the Hosting providing do not exist, then create one typing the following command: New-CsHostingProvider -Identity "LyncOnline" -Enabled $True EnabledSharedAddressSpace $True -HostsOCSUsers $True -ProxyFqdn "sipfed.online.lync.com" -IsLocal $False -VerificationLevel UseSourceVerification If your environment has Exchange Hybrid, then run this command as well: New-CsHostingProvider -Identity "Exchange Online" -Enabled $True EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification If you setup hosting provider then you need initiate the replication, run the below command to invoke replication. Invoke-Csmanagementstorereplication Note: To check the creation of your host providing you can type Get-Cshostingprovider -localstore again to see hosting provider information. 7. As far as Federation policy. Your On-Premises and Skype for Business Online federation policy must be identical. a. Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant. If partner discovery is enabled on the

on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant. b. The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant. c. The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant. d. Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel. 8. What is DNS requirement for Hybrid? When creating DNS records for hybrid deployments, all Skype for Business external DNS records should point to the on-premises infrastructure. DNS record

Resolvable by

DNS requirement

DNS SRV record for _sipfederationtls._tcp. for Edge all supported SIP domains resolving to Access server(s) Edge external IP(s)

Enable federated communication in a hybrid configuration. The Edge Server needs to know where to route federated traffic for the SIP domain that is split between on premises and online.

Internal DNS A record(s) for Edge Web Conferencing corporate Service FQDN, e.g. webcon.contoso.com network resolving to Web Conferencing Edge external connected IP(s) users’ computers

Enable online users to present or view content in on-premises hosted meetings. Content includes PowerPoint files, whiteboards, polls, and shared notes.

Above both are available in my environment. 9. Firewall requirement for Hybrid deployment: Refer complete firewall port requirement for Skype for Business online: complete firewall requirement

In addition to the port requirements for internal communication, you must also configure the following ports. Protocol / Port

Applications Open inbound 

Active Directory Federation Services (federation server role) For more information, see Directory Integration Tools.

TCP 443

    

Active Directory Federation Services (proxy server role) either on-premises or in Azure. Microsoft Online Services Portal My Company Portal Outlook Web App Client (communication between Skype for Business Online and your on-premises deployment.

Open inbound TCP 80 and 443



Microsoft Online Services Directory Synchronization Tool

TCP 5061

Open inbound/outbound on the Edge Server

PSOM/TLS 443

Open inbound/outbound for data sharing sessions

STUN/TCP 443

Open inbound/outbound for audio, video, application sharing sessions

STUN/UDP 3478 Open inbound/outbound for audio and video sessions RTP/TCP 50000Open outbound for audio and video sessions 59999 Verified for my deployment. Now your environment is ready for user migration. Assuming that above steps are completed.

How to move Skype for Business / Lync Server On-premises user to Skype for Business Online (Cloud tenant)?

Requirement: You can move users using either Skype for Business Server Control Panel or Skype for Business Server Management Shell in your on-premises deployment, but you must have administrator credentials for your Office 365 deployment and Skype for Business. Before actually moving the user to Skype for Business Online (O365 cloud), you should first confirm that the user accounts are synchronized to the cloud, and account has required license like E3, E5 etc. Steps: To Move user using Skype for Business / Lync server On-Premises to Skype for Business Online /Cloud: Open the Office 365 admin center for your tenant > click Users> Active Users> Click Search for a User, and type the name of the user. Confirm that you see the user, and that their status is synched with Active Directory. Note: If the user is not yet synchronized, then the next automatic synchronization should happen within three hours per by default schedule. Assuming your users already synchronized and assign appropriate license. Below Image shows how to assign cloud E5 license to user:

Now you can move user to Skype for Business Online, there are two option to move user: 1. Using Skype for Business Control Panel: a. Login to Skype for Business control panel user account that is part of CsUserAdministrator role or the CsAdministrator role. b. Users > Search Users > type First name, last name or SAM account, SIP address > Find

c. Click on Users > Action > Move selected users to Skype for Business Online. d. On the Move users to Skype For Business Online page > Next > Sign in to Office 365 > OK >Next e. On Confirm page > Next > Close. Note: I have not moved user using Skype for Business Control Panel to cloud so don’t know if option available or not above steps written based out of TechNet. Using Lync Server 2013 Control Panel there is no option to move user to cloud that I am sure for. 2. Using Skype for Business /Lync Server Management Shell: You can use this PowerShell command to move usere: Move-CsUser -Identity [email protected] -Target sipfed.online.lync.com Credential $cred -HostedMigrationOverrideUrl -ProxyPool Format of the URL specified for the HostedMigrationOverrideUrl parameter must be the URL to the pool where the Hosted Migration service are running, URL Format: Https:///HostedMigration/hostedmigrationService.svc. Note: The URL is case sensitive so type exactly same what you have. To find Skype for Business online admin URL, you can login to https://portal.office.com/AdminPortal/ then expand 'Admin Centers' > Click on “Skype for Business” > Copy the URL. The SfB Admin URL will looks like below URL. e.g. URL looks like: https://admin0a.online.lync.com/lscp/?language=enUS&tenantID=eb833f80-e9e8-440f-a994-d16889564dd5 Copy the first part of URL till lync.com and add HostedMigration/hostedmigrationService.svc to Complete URL: https://admin0a.online.lync.com/HostedMigration/hostedmigrationService.svc Below is correct command to move user with hosted migration override Url: $cred = Get-Credential Move-CsUser -Identity "[email protected]" -Target "sipfed.online.lync.com" -Credential $creds -HostedMigrationOverrideUrl “https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc" ProxyPool "FEPool.mydomain.com.com"

Wait for 5 min and find user in Skype for Business / Lync Server on-premises and see the hosting provider show as “Sipfed.online.lync.com”.

Our mentioned users move to cloud. Now time to login on Skype for Business and test. I was able to sign-in on Skype for Business client using moved account e.g. [email protected]

Check Skype for Business client configuration information (Press Ctrl button + Right click on SfB icon and click on “Configuration Information”. You can see there Skype for Business Server shows as Microsoft Online pool server “sippoolbl20a06.infra.lync.com” mean our users sign-in on Skype for Business Online pool. Refer the below screenshot.

How to use On-Premises PSTN connectivity for Skype for Business Online users? Simple answer yes, you can use cloud PBX as solution for Skype for Business online user to use your on-premises PSTN connectivity. Details answer is here: Microsoft offers a variety of options for enabling your users to call landlines and mobile phones through the Public Switched Telephone Network (PSTN) whether their accounts exist in Office 365 on Skype for Business Online or in your on-premises Skype for Business Server or Lync Server 2013 deployment. If you want to move users to Skype for Business Online but your organization already invested On-Premises PSTN connectivity then still you can move users to Skype for

Business Online with on-premises PSTN connectivity through Cloud PBX. Your users are actually homed in the cloud and are enabled for Cloud PBX, but their calling is processed through on-premises PSTN connectivity (either through a PBX, Gateway, Session Border Controller, or SIP Trunking connection) to source PSTN for the users who you move to the cloud). There are two option: 1. Skype for Business Cloud Connector Edition (CCE) - Cloud Connector is a hybrid offering that consists of a set of packaged Virtual Machines (VMs) that implement onpremises PSTN connectivity. By deploying a minimal Skype for Business Server topology in a virtualized environment, users in your organization, whether homed in the cloud are on premises, will be able to send and receive calls with landlines and mobile phones through the existing on-premises voice infrastructure. Refer complete article: https://technet.microsoft.com/en-us/library/mt605227.aspx 2. Skype for Business Server existing deployment -This is a hybrid offering that consists of a Skype for Business Server on-premises deployment modified for hybrid PSTN. Users in your organization, whether homed in the cloud or on-premises, will be able to send and receive calls with landlines and mobile phones through the existing on-premises voice infrastructure. This document is focusing on Skype for Business online and Skype for Business / Lync Server On-premises hybrid deployment with On-premises PSTN connectivity through SIP trunk and PSTN Gateways). Pre-requisite: You must have Office 365 Global Administrator role permission and Skype for Business / Lync Server on-premises CsAdministrator and CsServerAdministrator role permission in order to complete the configuration. This is an optional step that is required only if you are moving on-premises users to Skype for Business Online. Before you begin to move users to Skype for Business Online, check that the Skype for Business Online Connector (Windows PowerShell module) is deployed on your Front End Servers. If it isn't, you can download it from the download center. Also, to prepare your AD, you'll need to configure Azure AD Connect. The version of AAD Connect you use must be version 1.0.9125.0 or later. If you are using an earlier version of AAD Connect tools or DirSync, please upgrade to the supported version. You can upgrade your current installation and maintain any custom rules you have defined in your environment. Before moving user to Skype for Business online make sure below:

 Enable user for Enterprise Voice before moving on-premises before moving to cloud.  Setup Line URI for user with E.164 format (e.g. tel:+1234567890;ext=67890) onpremises.  Assign Dial plan and Voice Routing policy in On-Premises.  User must have synced in Cloud and have to have cloud license assigned before moving to the cloud.  Before moving user to Skype for Business Online tenant, assign the E5 license which has cloud PBX feature or you can use Cloud PBX Add-on license if you have existing E3 license. Refer: how to move Skype for Business / Lync server On-Premises user to Skype for Business Online section in this document. Assumption: You already have Skype for Business Hybrid setup (Skype for Business Online and On-Premises setup). How to enable users for Enterprise Voice online and Cloud PBX Voicemail? The final step is to enable users for Cloud PBX and Voicemail, which includes. To enable these capabilities, you must be a user with the Office 365 Global Administrator role, and be able to run remote PowerShell. Assuming that you already have Skype for Business Online, Windows PowerShell Module 1. Open Windows PowerShell and import SkypeOnlineConnector module and get credential which has Office 365 Global Administrator role permission. Import-module skypeonlineconnector $cred = Get-Credential

2. Open new online session with existing credential and import that session. Refer below PowerShell commands. $session = New-CsOnlineSession -Credential $cred -OverrideAdminDomain "brcd.onmicrosoft.com" –Verbose Import-PSSession $session

3. Now enable online user for Enterprise voice and hosted voice mail. You must run this below command on online PowerShell to enable Enterprise voice and hosted voice mail even though you enabled on On-premises.

Command: Set-CsUser -Identity "" -EnterpriseVoiceEnabled $true HostedVoiceMail $true E.g.: Set-CsUser -Identity "[email protected]" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

After enabling user for EnterpriseVoice and hosted Voice mail, run the Get-CsOnlineUser command to see users enabled for Get-CsOnlineUser -Identity "[email protected]" | fl *voice*,*line*,*dial*

Above Get-CsOnlineUser command result shows ‘HostedVoiceMail: True and EnterpriseVoiceEnabled: True means user is ready to use EV features. In case you have not assigned Dial-plan and Voice Routing Policy to user before moving user to Cloud then assign appropriate voice routing policy (call authorization) and dialplan (Phone number normalization) for user using on-premises Skype for Business/ Lync Server control Panel or Skype for Business/ Lync Power shell.

Login to any Skype for Business / Lync Server Front End Server and open Skype for Business Control Panel using account assigned member of CsAdministrator or CsUserAdministrator Control Panel > Users > Type first name and last name > once user found, double click on it. Then, enable Enterprise Voice, assign Dial plan and Voice Routing policy. Refer the below image.

Enable EV assign Dial plan and Voice Routing policy using Skype for Business or Lync Server Power Shell: Grant Dial Plan: Grant-CsDialPlan -Identity "[email protected]" -PolicyName "US-COBroomfield " Grant Voice Routing Policy:

Cloud PBX users must have a Voice Routing Policy assigned to them for calls to route successfully. This is differs from on-premises Skype for Business voice users who require a Voice Policy to be assigned to them to allow calls to route successfully. The Voice Routing Policy should contain PSTN usages that define authorized calls and routes for Cloud PBX users. If you don't have Voice Routing Policies created then then you can create new Voice Routing policy using existing PSTN usages coping from existing Voice Policies to new Voice Routing Policies. New-CsVoiceRoutingPolicy -Identity "US-CA-SanJose-Hybrid" -Name "US-CA-SanJoseHybrid" -PstnUsages "Long Distance", "Local", "Internal" Now grant above created Voice Routing policy to User. Grant-CsVoiceRoutingPolicy -Identity "[email protected]" -PolicyName "US-CA-SanJose-Hybrid" How to assign Voice routing policy to multiple users? Get-CsUser -LdapFilter "l=SanJose" | Grant-CsVoiceRoutingPolicy -PolicyName "US-CASanJose-Hybrid" How to unassigned or remove Voice Routing Policy? Grant-CsDialVoiceRoutingPolicy -Identity "[email protected]" -PolicyName $Null After you assigned voice routing policy and dial plan you can run Get-CsUser to see policy assigned correctly or not.

Now you can run Get-CsOnlineUser to see user if online user enabled for Enterprise Voice, Hosted Voice Mail and Voice Policy ‘HybridVoice’.

Note: You will not see Voice Routing policy name on online power shell command. You can only see Voice Routing Policy name on On-premises power shell command. Testing:

Login to Skype for Business client using your, SIP address (User which moved to cloud) and password. Refer below Image.

Able to login to Skype for Business and able to make inbound and outbound calls. Refer the below Image.

Able to receive Voice Mail as well which is Awesome!. Refer the below Image.

How to configure Autodiscover service for Hybrid deployment? Hybrid deployments are configurations that use both the Skype for Business Online cloud service (Office 365) and the Skype for Business/ Lync on-premises deployment. This document will talk about Hybrid deployment of Skype for Business online and Skype for Business / Lync Server on-premises, in this type of configuration, the Autodiscover service must be able to locate where the user is actually located. That is to say, Autodiscover aids in finding the user account and where the server that hosts the user’s account is, regardless if it is in the on premises deployment or in the Skype for Business Online deployment. For example, if a user’s account is hosted on a server in Skype for Business Online, the attempt to locate the user will happen as follows, in a process known as discoverability: E.g. [email protected] a. User initiates a connection attempt to the on premises deployment, using domain mydomain.com. b. The attempt is sent to lyncdiscover.mydomain.com, the DNS name associated with the Autodiscover service. c. Autodiscover refers to the assumed registrar pool at the mydomain.com on premises deployment and is given information on the user’s actual home server hosted in Skype for Bsuiness Online. Autodiscover then sends the user a referral to the lync.com online Autodiscover service.

The user initiates a connection attempt to the lync.com online Autodiscover service and is able to locate the user’s account and the user’s home server. To enable mobile clients to discover the deployment where the user home server is located, you must configure the Autodiscover service with a new uniform resource locator (URL). You use Get-CsHostingProvider to retrieve the value of the attribute ProxyFQDN. From the Skype for Business / Lync Server Management Shell, type below command to setup Autodiscover URL. Set-CsHostingProvider -Identity [identity] -AutodiscoverUrl https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root Where [identity] is replaced with the domain name of the shared SIP address space.

Get-CsHostingProvider

Now you are seeing correct AutodiscoverURL for user. Reference articles: Plan: https://technet.microsoft.com/en-us/library/mt455212.aspx Deploy: https://technet.microsoft.com/en-us/library/mt634319.aspx

https://technet.microsoft.com/en-us/library/mt612869.aspx

Lesson Learned: Below are the lesson learned while moving Skype for Business / Lync Server OnPremises user to Cloud (Skype for Business Online). You may see below error when you have multiple federated Edge servers and you have not specified the proxy pool FQDN.

When you don’t specify the correct proxy pool name as your registrarpool (FE) instead of edgepool (Edge) then you will see below error. To resolve add correct front end pool name.

You will see below error when you don’t have live Id module install on your FE server from where you are running command. (Module called as “Microsoft Online Services Sign-In Assistant for IT Professionals RTW”) Download from URL: https://www.microsoft.com/enus/download/details.aspx?id=28177

You are seeing below warning message because when you move user from On-Prem to Cloud (tenant) your existing meetings and recurring meetings will get affected. Or your old meetings will not available in cloud because your registrarpool will be different where meeting hosted.

If user do not have cloud license assign and you are moving that user to cloud then you endup with below error. So before moving user assign the appropriate cloud license to the user.

Issue: Move-CsUser: Unable to locate Windows Live ID token from the provided credentials, or from Active Directory Federation Services (AD FS) credential cache. If you don’t put credential of Office365 Admin then you may see below error. Before moving user must put credential of Office365 Admin and then run move command. You write credential which has Office365 tenant admin permission then move user to cloud.

All Cloud PBX users are assigned the same Voice Policy named BusinessVoice which defines the calling features allowed; for example, Allow Simultaneous Ring.

Error: Call was not completed or has ended.

When you move user to cloud and assign required policy with cloud PBX license and make outbound call however call not complete and gives above error. Then make sure you have assign the Voice Routing policy to user on on-premises to route call. Cloud PBX users must have a Voice Routing Policy assigned to them for calls to route successfully. You can grant voice routing policy using below power shell command: Grant-CsVoiceRoutingPolicy -Identity "Balu Ilag" -PolicyName "US-CA-SanJose-Hybrid. Now you can make outbound call and checks. You will be able to make outbound call.

How to run Office 365 health, readiness, and connectivity checks? I would recommend that you run Office365 health, readiness, and connectivity checks before you set up Office 365, Skype for Business Online or Office 365 hybrid environment.  This test can find settings in your current environment that might cause problems when you start to set up or use your services.  If you know where the potential roadblocks are before you start, you can fix or work around them to make your deployment path easier to complete. The readiness checks are looking at settings in your current local network environment and anything you’ve already set up in Office 365. The checks use

your credentials to make their inspection. Run the checks while connected to your current local network and logged in as an admin. Check results are sorted into these categories: Passed: the setting that we checked is correct for Office 365. You might want to review passed items to see what we looked at, but these results are informational only. Warning: the setting that we checked won't break anything, but isn't optimized for Office 365. You can review the results to see if this is an important setting for you. If you want to learn more about the warning, or learn how to change the setting, you can get help from the panel to the right. Error: the setting that we checked will negatively affect your setup and should be fixed before you continue. Definitely review these results and make changes as needed. Help on how to fix issues is available from the panel to the right. If you see an error for something you haven't set up yet, such as DNS records, you can ignore the error for now. But, we recommend you run the readiness checks again after you get set up. How to run HRC? Go to URL: Run HRC Login with your tenant admin account. The HRC (check advanced) should be run from a regular user PC. It will check for outbound ports for Office 365 services.

Click on Next

Click Next.

Once you click on “Run checks”, You may see security warning say “Run” on security warning to check your environment health.

Click on “Run” This test basically checks User Principle Name, Proxy Address, mailnickename, mail attribute for each AD users. Additionally it will check Directory Synchronization for AD DS objects. Below is the RESULT:

https://support.microsoft.com/en-us/kb/2409256 Thank you.