I am also struggling with this. We are in hybrid mode and need to start moving our mailboxes to O365. Do I need to stand up another SEG for O365 traffic or should the existing SEG forward the email to Exchange, and then Exchange sends the email to the online mailbox? My test user gets authenticated but gets an error within Boxer that the folders cannot be displayed. SEG shows 401 unauthorized. No entries in Exchange IIS logs.