Top 10 Fixes for troubleshooting free/busy between Exchange on-premises and Exchange Online in Office 365

Free/busy often fails to work out-of-the-box after configuring Hybrid Exchange with Office 365. Here are my top ten fixes:

 

  1. Set the sharing policy to match on-premises and cloud.

    First, connect to Exchange Online Remote PowerShell and run Get-SharingPolicy.

    Then connect to the on-premises Exchange Management Shell and run Get-SharingPolicy.

    Then make the two match on both sides.

 

    Set-SharingPolicy -Identity SharingPolicy01 -Domains 'contoso.com: CalendarSharingFreeBusySimple', 'atlanta.contoso.com: CalendarSharingFreeBusyReviewer', 'beijing.contoso.com: CalendarSharingFreeBusyReviewer'

 

  2. Set the organization relationship domains to include all accepted domains on both on-premises and cloud (always requires an IISRESET for it to take effect).

    This script helps identify missing domains in an existing relationship:

     

    # Check whether the user's primary SMTP domain is listed in the relationship
    $domain = (Get-Mailbox user).PrimarySmtpAddress.Domain
    if ((Get-OrganizationRelationship).DomainNames -contains $domain) {
        Write-Host "The domain was found" -ForegroundColor Green
    } else {
        Write-Host $domain "was not found" -ForegroundColor Yellow
    }

    # Add a missing domain to the existing relationship
    $OrgRel = Get-OrganizationRelationship Contoso
    $OrgRel.DomainNames += "contoso.com"
    Set-OrganizationRelationship $OrgRel.Name -DomainNames $OrgRel.DomainNames
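
The same check extended from one user's domain to every accepted domain in the session, as an added example that is not the author's script. It only reads configuration; run it once in the on-premises Exchange Management Shell and once in Exchange Online PowerShell, and review the report before adding anything. The `MissingDomains` column name is an assumption made for this example.

```powershell
# Added example: list accepted domains that are absent from each
# organization relationship's DomainNames. Read-only.

# Convert to plain strings so the comparison behaves the same on live
# objects (on-premises) and deserialized objects (remote sessions).
$accepted = Get-AcceptedDomain |
    ForEach-Object { "$($_.DomainName)" } |
    Sort-Object -Unique

$report = foreach ($rel in Get-OrganizationRelationship) {
    $listed = @($rel.DomainNames | ForEach-Object { "$_" })

    # -notcontains is case-insensitive, which is what SMTP domains need.
    $missing = @($accepted | Where-Object { $listed -notcontains $_ })

    [pscustomobject]@{
        Relationship          = $rel.Name
        Enabled               = $rel.Enabled
        FreeBusyAccessEnabled = $rel.FreeBusyAccessEnabled
        FreeBusyAccessLevel   = $rel.FreeBusyAccessLevel
        TargetSharingEpr      = $rel.TargetSharingEpr
        MissingDomains        = $missing -join ', '   # hypothetical column name
    }
}

$report | Format-List
```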

     

     

    3. If the autodiscover DNS name is not published in external DNS, and the client doesn't want to publish it, manually configure TargetSharingEpr to use the published EWS path:

      Get-OrganizationRelationship -Identity "O365 to On-premises - (GUID)" | Set-OrganizationRelationship -TargetSharingEpr https://mail.contoso.com/ews/exchange.asmx

    4. For '401' errors, try disabling the IOC (IntraOrganizationConnector) in Exchange 2013 so that OAuth falls back to DAuth.


    5. Sometimes it's necessary to set the on-premises EWS virtual directory "WSSecurityAuthentication" value back to defaults (some clients change this if they do load balanced CAS). This is commonly a last resort.

      Change WSSecurityAuthentication to False for the EWS virtual directory:

        a. Set-WebServicesVirtualDirectory "Exch CAS\ews*" -WSSecurityAuthentication $false
        b. Stop MSExchangeServicesAppPool.
        c. Start MSExchangeServicesAppPool.

      Change WSSecurityAuthentication to True again for the EWS virtual directory:

        a. Set-WebServicesVirtualDirectory "Exch CAS\ews*" -WSSecurityAuthentication $true
        b. Stop MSExchangeServicesAppPool.
        c. Start MSExchangeServicesAppPool.

      Change WSSecurityAuthentication to False for the Autodiscover virtual directory:

        a. Set-AutodiscoverVirtualDirectory "Exch CAS\Auto*" -WSSecurityAuthentication $false
        b. Stop MSExchangeAutodiscoverAppPool.
        c. Start MSExchangeAutodiscoverAppPool.

      Change WSSecurityAuthentication to True again for the Autodiscover virtual directory:

        a. Set-AutodiscoverVirtualDirectory "Exch CAS\Auto*" -WSSecurityAuthentication $true
        b. Stop MSExchangeAutodiscoverAppPool.
        c. Start MSExchangeAutodiscoverAppPool.
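
The four toggles in step 5 as one script, an added example rather than the author's own. It assumes an elevated Exchange Management Shell on the CAS itself with the WebAdministration module available; `$Server` and the two helper function names are hypothetical. The `finally` block turns WSSecurityAuthentication back on even if an earlier step fails, and the last command confirms that no virtual directory was left with it disabled.

```powershell
# Added example: toggle WSSecurityAuthentication off and on again for the
# EWS and Autodiscover virtual directories, recycling the matching app pool.
Import-Module WebAdministration
$Server = $env:COMPUTERNAME   # assumption: the script runs on the CAS

function Restart-Pool([string]$Name) {
    # Steps b and c: stop the pool, wait until it reports Stopped, start it.
    if ((Get-WebAppPoolState -Name $Name).Value -ne 'Stopped') {
        Stop-WebAppPool -Name $Name
    }
    while ((Get-WebAppPoolState -Name $Name).Value -ne 'Stopped') {
        Start-Sleep -Seconds 1
    }
    Start-WebAppPool -Name $Name
}

function Reset-WSSecurity([string]$GetCmd, [string]$SetCmd, [string]$Pool) {
    foreach ($vdir in & $GetCmd -Server $Server) {
        Write-Host "$($vdir.Identity): was $($vdir.WSSecurityAuthentication)"
        try {
            & $SetCmd -Identity $vdir.Identity -WSSecurityAuthentication $false
            Restart-Pool $Pool
        }
        finally {
            # Always re-enable, even if the first half failed part-way.
            & $SetCmd -Identity $vdir.Identity -WSSecurityAuthentication $true
            Restart-Pool $Pool
        }
    }
}

Reset-WSSecurity 'Get-WebServicesVirtualDirectory' `
                 'Set-WebServicesVirtualDirectory' 'MSExchangeServicesAppPool'
Reset-WSSecurity 'Get-AutodiscoverVirtualDirectory' `
                 'Set-AutodiscoverVirtualDirectory' 'MSExchangeAutodiscoverAppPool'

# Verify the end state: every row should show WSSecurityAuthentication = True.
@(Get-WebServicesVirtualDirectory -Server $Server) +
@(Get-AutodiscoverVirtualDirectory -Server $Server) |
    Select-Object Identity, WSSecurityAuthentication
```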

     

    6. If the Exchange Server is behind a web proxy then it is usually necessary to configure InternetWebProxy:

        Set-ExchangeServer <Server Name> -InternetWebProxy:http://<Proxy Address>:<Proxy Port>

     

    7. Verify the availability address space and check that it lists the required SMTP domain with its access method.

        Get-AvailabilityAddressSpace (run this on-premises)

     

    8. Try running diagnostic commands:
    You can use Test-FederationTrust (on-premises only) and Test-OrganizationRelationship (run this both on-premises and in the cloud).

    And you can also use this website to run tests: https://www.testexchangeconnectivity.com/

    9. Make sure that the cloud user you are searching for has a valid (tenant).mail.onmicrosoft.com alias on their target mailbox (make sure Azure AD Connect is properly replicating that attribute, and/or that the Exchange Address Policy is not blocking inheritance on that particular user/object).

     

    10. Run these commands to gather diagnostic information:

    On-premises:

    Start-Transcript

    Get-FederationTrust | fl

    Get-FederatedOrganizationIdentifier | fl

    Get-OrganizationRelationship | fl

    Get-WebServicesVirtualDirectory | Export-Clixml C:\temp\WebVdir.xml

    Get-AutoDiscoverVirtualDirectory | Export-Clixml C:\temp\AutoDVdir.xml

    Get-RemoteMailbox bobc_sync | fl

    Get-Mailbox "on-premises John Doe User" | fl

    Test-FederationTrust -UserIdentity [email protected] | fl

    Test-FederationTrustCertificate | fl

    Get-IntraOrganizationConnector | fl

    Stop-Transcript

     

    Online:

    Start-Transcript

    Get-FederationTrust | fl

    Get-FederatedOrganizationIdentifier | fl

    Get-OrganizationRelationship | fl

    Get-MailUser "on-premises John Doe User" | fl

    Get-Mailbox "Cloud user" | fl

    Get-IntraOrganizationConnector | fl

    Get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity "cloud user"

    Stop-Transcript


    And when all else fails I reference these two blog articles:

    https://blogs.technet.microsoft.com/exchange/2018/02/06/demystifying-hybrid-freebusy-what-are-the-moving-parts/

    and 

    https://blogs.technet.microsoft.com/exchange/2018/03/02/demystifying-hybrid-freebusy-finding-errors-and-troubleshooting/