How to Create a Migration Endpoint in Office 365
Step-by-Step Guide — Endpoint Types, Prerequisites, PowerShell, Concurrency & Troubleshooting
| Migration Endpoint — At a Glance | Details |
| Purpose | Provides Exchange Online with the connection details needed to reach the source mail system during migration. |
| Required for | Hybrid Migration • IMAP Migration • Google Workspace Migration • Cutover and Staged Migration |
| Not required for | EdbMails Office 365 Migration Tool — EdbMails manages source and target connectivity automatically. |
| Configured in | Exchange Admin Center (admin.exchange.microsoft.com) or Exchange Online PowerShell |
| Endpoint types | Exchange Remote • Outlook Anywhere • IMAP • Google Workspace |
What Is a Migration Endpoint?
A migration endpoint is a configuration object stored in Exchange Online that holds everything Microsoft 365 needs to reach your source mail system: the remote server address, the credentials of an admin account with access to source mailboxes, and two throttling values that govern how many mailboxes can be in motion simultaneously.
When a migration batch starts, Exchange Online reads the endpoint to determine where to connect, how to authenticate, and how many simultaneous connections to open. Without a valid endpoint, the migration service has no path to the source and will fail immediately — before any data moves.
Think of an endpoint as a persistent connection profile. You create it once and reuse it across multiple migration batches. If you are migrating from Exchange servers in different geographic locations, or want to distribute load across several source servers, you can create separate endpoints for each and assign batches accordingly.
Migration Endpoint Types in Office 365
Each migration scenario uses a different protocol to move data from the source, and the endpoint type tells Exchange Online which protocol to use. Selecting the wrong type is one of the most common reasons the connection test fails — for example, choosing Exchange Remote for an IMAP server will cause Office 365 to look for an MRS Proxy endpoint that does not exist.
| Endpoint Type | Migration Scenario | MRS Proxy | EdbMails Alternative |
| Exchange Remote | Hybrid migration | Required | EdbMails Exchange to Office 365 Migration |
| Outlook Anywhere | Cutover / Staged (retired May 2025) | Not required | EdbMails Exchange Migration |
| IMAP | Non-Exchange mail servers | Not required | EdbMails IMAP to Office 365 Migration |
| Google Workspace | Google Workspace to Microsoft 365 | Not required | EdbMails Google Workspace to Office 365 |
Important: Microsoft retired Staged Outlook Anywhere onboarding on May 8, 2025. Organizations that did not complete staged migrations before that date must use the hybrid remote onboarding process instead.
Exchange Remote (ExchangeRemoteMove)
Used for hybrid migrations where the on-premises Exchange server (2010 SP3 or later) has MRS Proxy enabled. Highest-performance endpoint type — data moves directly using the native MRS protocol.
Outlook Anywhere
Used for cutover and staged migrations from Exchange 2003–2016. Uses RPC over HTTP. MRS Proxy is not required.
IMAP
Used for any IMAP-compatible source: Gmail, Zimbra, Zoho Mail, Yahoo, Rackspace, or any provider that exposes an IMAP port. Only email and folder structure migrate — calendars and contacts require a separate process.
Google Workspace
Uses the Gmail API, enabling email, contacts, and calendar items to migrate together. Requires a Google service account with domain-wide delegation and specific API scopes in the Google Admin console.
Why Migration Endpoints Are Required
Microsoft 365 is a cloud service with no direct visibility into your on-premises or third-party mail environment. A migration endpoint bridges that gap — it tells Exchange Online where the source system lives, how to authenticate to it, and how aggressively to pull data.
Without an endpoint, the Exchange Online migration service cannot initiate any connection to the source. There is no fallback or default path. Every migration type that uses the native framework — hybrid, cutover, staged, IMAP, and Google Workspace — requires a configured endpoint before the first migration batch can be created.
Endpoints also serve a throttling function. The concurrency values stored on each endpoint prevent the source server from being overwhelmed during a large migration. A source Exchange server that handles its normal workload reliably can still be destabilized by dozens of simultaneous migration connections if no throttling is applied.
Common Migration Endpoint Problems
Most endpoint failures fall into one of five categories. Understanding these upfront saves significant troubleshooting time.
MRS Proxy Not Enabled
MRS Proxy is disabled by default on all on-premises Exchange servers. Attempting to create an Exchange Remote endpoint without enabling it first will fail at the connection test — even if the network path and credentials are correct.
EWS Not Externally Accessible
The Exchange Web Services URL must be reachable from Microsoft's IP ranges over the internet. An Exchange server on an internal network segment with no external publishing cannot be used as a migration endpoint source without additional infrastructure changes.
SSL Certificate Problems
The SSL certificate on the source Exchange server must be issued by a public certificate authority, must not be expired, and must include the server's EWS FQDN in the Subject Alternative Name field. Self-signed and internal CA certificates cause the connection test to fail.
Credential Issues
Migration endpoints store credentials at creation time and do not automatically refresh when a password changes or expires. A mid-migration password change, account lockout, or MFA policy applied after the endpoint was created will all cause active migrations to fail silently.
Concurrency Misconfiguration
Setting concurrency too high overloads the source server, causing timeouts and stall-retry cycles. Setting it too low unnecessarily queues mailboxes and extends the migration window. Correct concurrency requires a pilot batch followed by incremental adjustment.
Native Migration Endpoint vs EdbMails
Every problem described in the previous section is an endpoint problem. EdbMails eliminates them entirely by managing its own connections to both source and target environments. No endpoint to create, no MRS Proxy to enable, no EWS URL to publish, no SSL certificate to reissue, and no service account to configure in Google's Admin console.
The table below shows how each migration scenario compares between Microsoft's native endpoint approach and EdbMails.
| Migration Scenario | Native Endpoint Requirement | With EdbMails |
| Hybrid Exchange | MRS Proxy + external EWS + public SSL certificate | Auto-connects to source Exchange. No MRS Proxy, no EWS publishing, no certificate changes. |
| IMAP Migration | Per-user credentials CSV; email only — calendars and contacts excluded | Admin impersonation where supported; migrates email, calendars, contacts, and tasks together in one job. |
| Google Workspace | Service account + domain-wide delegation + API scope configuration | Uses a Google admin account directly. No service account or API scope setup required. |
| Cutover / Staged | Outlook Anywhere endpoint + external RPC access | Auto-manages connectivity. No endpoint configuration required. |
| DAG Environments | One endpoint per server + per-server SSL certificates | Connects to the DAG automatically. No per-server certificates or endpoints needed. |
| Office 365 → Exchange | Not well supported natively | Full support for Exchange 2007–2019 as migration target with complete data fidelity. |
Note: EdbMails migrations do not require any endpoint configuration in Exchange Online. Sections 6 and 7 apply only to Microsoft's native migration framework.
How to Create a Migration Endpoint in Exchange Online
You can create migration endpoints through the Exchange Admin Center at admin.exchange.microsoft.com or via Exchange Online PowerShell.
Prerequisites Before Creating an Endpoint
For Exchange Remote endpoints:
- Enable MRS Proxy on the on-premises Exchange server — disabled by default.
- Confirm Exchange Web Services external URL is accessible from the internet via testconnectivity.microsoft.com.
- Ensure the SSL certificate is from a public CA, not expired, and includes the server FQDN in the SAN field.
- Assign ApplicationImpersonation rights to the migration admin account.
Enable MRS Proxy:
Command: Copy & Paste it
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)"
-MRSProxyEnabled $true
# Verify
Get-WebServicesVirtualDirectory | Select Identity, MRSProxyEnabled
Assign ApplicationImpersonation:
Command: Copy & Paste it
New-ManagementRoleAssignment -Name:MigrationImpersonation `
-Role:ApplicationImpersonation `
-User:migrationadmin@yourdomain.com
For IMAP Endpoints
- Confirm IMAP port and SSL configuration (port 993 with SSL is standard; some providers use 143 with STARTTLS).
- Prepare a credentials CSV with each user's IMAP username and password.
For Google Workspace Endpoints
- Create a Google service account with domain-wide delegation in the Google Admin console.
- Enable the required API scopes. Missing scopes cause authorization errors during the connection test.
- Have the service account email, private key file, and a Google Workspace admin email ready.
Creating an Endpoint in the Exchange Admin Center
Sign in to admin.exchange.microsoft.com, navigate to Migration > Endpoints, click New endpoint, and select the appropriate endpoint type.
For an Exchange Remote endpoint, the wizard asks for an on-premises email address (for autodiscovery), the migration admin account, and the account password. If auto-detection fails, enter the Remote MRS Proxy server FQDN manually. In multi-server environments, point to an individual server rather than a load balancer.
Creating an Endpoint with PowerShell
Connect to Exchange Online first:
Command: Copy & Paste it
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Exchange Remote (Hybrid)
Command: Copy & Paste it
$credentials = Get-Credential
New-MigrationEndpoint `
-Name "Hybrid-Endpoint-Primary" `
&-ExchangeRemoteMove `
-RemoteServer "mail.yourcompany.com" `
-Credentials $credentials `
-MaxConcurrentMigrations 20 `
-MaxConcurrentIncrementalSyncs 10
IMAP
Command: Copy & Paste it
New-MigrationEndpoint `
-Name "IMAP-Endpoint" `
-IMAP `
-RemoteServer "mail.yourprovider.com" `
-Port 993 `
-Security Ssl `
-MaxConcurrentMigrations 20 `
-MaxConcurrentIncrementalSyncs 10
Verify the endpoint:
Command: Copy & Paste it
Get-MigrationEndpoint | Format-List Identity, EndpointType, RemoteServer, MaxConcurrentMigrations, MaxConcurrentIncrementalSyncs
Test before running a live migration:
Command: Copy & Paste it
Test-MigrationServerAvailability -Endpoint "Hybrid-Endpoint-Primary"
A successful result returns Result: Success. Repeat this test after any network change, certificate renewal, or firewall update.
Editing and Deleting Migration Endpoints
Command: Copy & Paste it
# Update credentials on an existing endpoint
$newCredentials = Get-Credential
Set-MigrationEndpoint -Identity "Hybrid-Endpoint-Primary" -Credentials
$newCredentials
# Confirm no active batches before deleting
Get-MigrationBatch | Where-Object {$_.SourceEndpoint -like
"*Hybrid-Endpoint-Primary*"} | Select Identity, Status
# Remove the endpoint
Remove-MigrationEndpoint -Identity "Hybrid-Endpoint-Primary"
Migration Endpoint Concurrency Settings Explained
Every migration endpoint carries two throttling values that control how data flows through it. Getting them wrong in either direction has real consequences.
| Setting | Default | Practical Range | Notes |
| MaxConcurrentMigrations | 20 | 20–60 per endpoint | Controls the initial sync phase. Increase gradually after a pilot batch. |
| MaxConcurrentIncrementalSyncs | 10 | 25–30% of batch size | Raise before triggering completion on large batches to avoid queue build-up. |
| Tenant MaxConcurrentMigrations | 300 | Up to 1,000 via support | Tenant-wide ceiling. Individual endpoint values cannot exceed this. |
MaxConcurrentMigrations
Controls how many mailboxes can be in their initial bulk data copy phase simultaneously. Start at the default of 20, run a pilot batch, monitor the source server's CPU and IIS connection logs, and increase incrementally. Most environments reach a practical ceiling between 30 and 60.
MaxConcurrentIncrementalSyncs
When you complete a batch, every mailbox needs a final incremental sync simultaneously. Raise this value before triggering completion on any large batch:
Command: Copy & Paste it
# Raise before completing a large batch
Set-MigrationEndpoint -Identity "Hybrid-Endpoint-Primary"
-MaxConcurrentIncrementalSyncs 50
Set this to at least 25–30% of the batch size you are about to complete. Reduce it again afterward for remaining batches.
Why Higher Is Not Always Faster
Increasing concurrency beyond what the source server can sustain causes timeouts and stall-retry cycles. The result is a migration that is slower overall than it would have been at a lower, sustainable value. If you see frequent StalledDueToSource codes, reduce concurrency rather than increasing it.
How to Diagnose and Fix Migration Endpoint Errors
Common Errors During Endpoint Creation
"Failed to connect to the remote server"
The server FQDN is not reachable from Office 365's IP ranges, or MRS Proxy is not enabled. Run the Exchange Web Services Connectivity test at testconnectivity.microsoft.com before retrying.
"The credentials didn't work"
Verify account format — Outlook Anywhere expects domain\username; Exchange Remote accepts UPN format. Check for account lockout from repeated failed attempts. Confirm Basic authentication is not disabled:
Command: Copy & Paste it
Get-WebServicesVirtualDirectory | Select Identity, BasicAuthentication
"The certificate is not valid"
The certificate must be from a trusted public CA, not expired, and include the server FQDN in the SAN field. Self-signed certificates always fail this check in production environments.
"HCW8078" during the Hybrid Configuration Wizard
MRS Proxy not enabled, or EWS external URL not configured. Create the endpoint manually via PowerShell rather than re-running the wizard.
Endpoint shows "NeedsToConnect"
Credentials are no longer valid — password expiry, account lockout, or MFA policy applied after endpoint creation. Update without deleting:
Command: Copy & Paste it
$newCredentials = Get-Credential
Set-MigrationEndpoint -Identity "Hybrid-Endpoint-Primary"
-Credentials $newCredentials
To prevent mid-migration failures: use a dedicated service account with a non-expiring password excluded from MFA policies.
Stall States During Migration
Stall states are not failures. Mailboxes will resume automatically once the underlying condition clears. Identify them with:
Command: Copy & Paste it
Get-MoveRequest | Where-Object {$_.Status -eq 'InProgress'} |
Get-MoveRequestStatistics |
Where-Object {$_.StatusDetail -like 'Stalled*'} |
Select DisplayName, StatusDetail, PercentComplete
| Stall Code | What It Means and What to Do |
| StalledDueToSource_EndpointCapacityExceeded | Queue, not a failure. More mailboxes waiting than concurrency settings allow. Raise MaxConcurrentMigrations or MaxConcurrentIncrementalSyncs. |
| StalledDueToSource_MrsProxyTransientError | Transient connectivity failure to on-premises MRS Proxy. Auto-retries. If persistent, check the EWS virtual directory and the network path. |
| StalledDueToTarget_MdbAvailability | Exchange Online is managing its replication queue. Resolves automatically. Contact Microsoft support if it persists for several hours. |
| StalledDueToTarget_BigFunnel | Exchange Online content indexing pipeline is backed up. Auto-recovers within minutes to a few hours. |
| StalledDueToMailboxLock | Source mailbox locked by another on-premises process. Brief. Moves typically resume within a few minutes. |
Frequently Asked Questions (FAQ)
What is a migration endpoint in Office 365?
Where are migration endpoints created?
Can I edit a migration endpoint?
Can I delete a migration endpoint?
How do I test a migration endpoint?
Why does a migration endpoint fail?
Is MRS Proxy required for all migration endpoints?
Do I need a new migration endpoint for every migration batch?
Can I use the same endpoint for cutover and staged migrations?
Does EdbMails require migration endpoints?
Which migration scenarios does EdbMails support?
EdbMails covers every major migration and backup scenario for Microsoft 365 and Exchange environments:
| Migration Scenario | EdbMails Product |
| Exchange to Office 365 | EdbMails Exchange to Office 365 Migration |
| Office 365 Tenant to Tenant | EdbMails Office 365 Migration Software |
| Office 365 to Exchange | EdbMails Office 365 to Exchange Migration |
| IMAP to Office 365 | EdbMails IMAP to Office 365 Migration |
| Google Workspace to Office 365 | EdbMails Google Workspace to Office 365 |
| Office 365 to PST | EdbMails Office 365 to PST Export |
| Public Folder to Office 365 | EdbMails Public Folder to Office 365 Migration |
| SharePoint / OneDrive / Teams | EdbMails SharePoint Online Migration |
Summary
Migration endpoints are the foundation of Microsoft's native migration framework. The endpoint type must match the source system, concurrency must be calibrated to what the source server can handle, and credentials must remain valid throughout — a password expiry or new MFA policy applied weeks after endpoint creation will stop active migrations silently.
For organizations using Microsoft's native tools: enable MRS Proxy before attempting a hybrid endpoint, verify external EWS connectivity before testing, start at default concurrency and adjust after a pilot batch, and use a dedicated service account excluded from password rotation and MFA policies.
For organizations where the native endpoint framework creates friction — EWS not externally publishable, DAG environments with per-server certificate constraints, IMAP sources needing calendars and contacts, Google Workspace without service account setup, or reverse migrations from Office 365 back to Exchange — EdbMails handles the full migration automatically, with no endpoint configuration required in Exchange Online.
