There is really very little difference. Here are some tips: Don't enable Dynamic Delivery for the Safe Attachment Policy, since this requires the mailbox to be in the cloud. Instead, use the "Block" policy. And understand the ZAP feature will not work. Lastly, understand that if the Accepted Domain is set to Internal, then the Directory-based edge filtering feature will not work (you need to set it to Authoritative for that feature to work). However, before setting it to Authoritative, you should first make sure that all your mail-enabled objects on-premises are represented as mailuser object types in the cloud; otherwise inbound mail flow won't reach the on-premises object if it is not found in the directory. In the past this used to be a problem for mail-enabled public folders, but there is now a checkbox to enable that in Azure AD Connect.
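
The pre-check described above, as an added example that is not part of the original answer: a PowerShell comparison of on-premises SMTP proxy addresses against those present in the cloud directory, listing every address that would stop receiving mail once the domain is Authoritative. The helper name `Find-MissingCloudAddress`, the `contoso.example` domain and the sample addresses are constructed for illustration.

```powershell
# Added example. Find-MissingCloudAddress is a hypothetical helper, not a Microsoft cmdlet.
function Find-MissingCloudAddress {
    param(
        [string[]]$OnPremProxyAddresses,   # e.g. "SMTP:user@contoso.example"
        [string[]]$CloudProxyAddresses,
        [string]$Domain
    )
    # Case-insensitive set of the SMTP addresses the cloud directory knows about.
    $cloud = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($p in $CloudProxyAddresses) {
        if ($p -match '^smtp:(.+)$') { [void]$cloud.Add($Matches[1].Trim()) }
    }
    # Every on-premises SMTP address in the domain must be in that set.
    # Non-SMTP proxies (X500, SIP) and other domains are ignored.
    $suffix = '@' + $Domain
    foreach ($p in $OnPremProxyAddresses) {
        if ($p -match '^smtp:(.+)$') {
            $addr = $Matches[1].Trim()
            if ($addr.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                -not $cloud.Contains($addr)) {
                $addr   # emitted: not found in the cloud directory
            }
        }
    }
}

# Constructed sample data. In a real check, both lists could be taken from
#   (Get-Recipient -ResultSize Unlimited).EmailAddresses
# run once in the on-premises Exchange shell and once in Exchange Online PowerShell.
$onPrem = 'SMTP:alice@contoso.example', 'smtp:a.smith@contoso.example',
          'SMTP:sales-pf@contoso.example', 'X500:/o=Contoso/cn=alice',
          'SMTP:bob@fabrikam.example'
$cloud  = 'SMTP:Alice@contoso.example', 'smtp:a.smith@contoso.example'

$missing = @(Find-MissingCloudAddress -OnPremProxyAddresses $onPrem `
                -CloudProxyAddresses $cloud -Domain 'contoso.example')
if ($missing.Count -gt 0) {
    'Do not switch to Authoritative yet; not found in the cloud directory:'
    $missing
} else {
    # Only then: Set-AcceptedDomain -Identity contoso.example -DomainType Authoritative
    'All on-premises addresses are present in the cloud directory.'
}
```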