Important Changes to Exchange Web Services Expected by October 2025


Upcoming Changes for Exchange Hybrid Deployments: What You Need to Know

Organizations running hybrid deployments of Microsoft Exchange should prepare for significant changes in the coming months. Microsoft has announced that, starting in August 2025, it will temporarily block Exchange Web Services (EWS) traffic that relies on the Exchange Online shared service principal in specific hybrid environments.

Impact of the Changes

The forthcoming transition primarily affects businesses that leverage "rich coexistence" features. This includes functionalities such as free/busy calendar lookups, MailTips, and profile picture sharing between on-premises Exchange Server and Exchange Online mailboxes. Traditionally, these services have been facilitated through EWS using the shared service principal.

However, it’s vital to note that this method will be permanently disabled after October 31, 2025. To assist organizations in migrating smoothly, Microsoft will implement temporary disruptions throughout August, September, and October 2025. This approach will help ensure that organizations take the necessary steps before the final deadline.

Enhancing Security

Microsoft emphasizes that these changes aim to bolster security. Transitioning away from the shared service principal helps reduce the organization’s vulnerability to known risks, such as CVE-2025-53786, a post-exploitation vulnerability that underscores the need for improved authentication controls.

Identifying Affected Organizations

It’s important to recognize that not every hybrid Exchange environment will experience disruptions; only those meeting specific criteria will be impacted. Organizations can expect service interruptions if they:

  • Host mailboxes in both on-premises Exchange and Exchange Online.
  • Utilize rich coexistence features like free/busy status, MailTips, and user profile pictures between on-prem and cloud environments.
  • Have not updated their on-premises Exchange servers to versions compatible with the dedicated hybrid application.
  • Have not created or correctly configured the dedicated Exchange hybrid app.

Actions Needed to Prevent Functionality Loss

Organizations meeting the above criteria must act promptly to prevent loss of functionality. Microsoft has also disseminated a Message Center notification, MC1085578, to inform impacted tenants.

What Features Will Be Affected?

The changes will specifically interrupt access to rich coexistence features for users on on-premises mailboxes attempting to connect with Exchange Online users. The following services will be disrupted during the scheduled blocking periods:

  • Free/busy calendar lookups
  • MailTips notifications
  • Profile picture sharing

It’s crucial for organizations to understand that these disruptions will primarily affect on-premises users accessing cloud services, while most other hybrid functionalities will remain operational. Microsoft support teams will not entertain exceptions to these blocks, so organizations needing assistance should consult the appropriate documentation or contact Microsoft support.

Steps for Organizations to Take

For organizations currently using rich coexistence features, Microsoft recommends two essential actions:

  1. Update Exchange Server: Ensure your system is running a version that supports the dedicated hybrid application.
  2. Create and Enable the Dedicated App: Use the new Hybrid Configuration Wizard (HCW) or follow a provided configuration script to set this up.

Minimum Supported Exchange Versions

Organizations should be aware of the minimum supported versions required to facilitate this transition:

  • Exchange Server 2016: CU23 or newer (Version 15.1.2507.55 or newer)
  • Exchange Server 2019: CU14 or newer (Version 15.2.1544.25) and CU15 (Version 15.2.1748.24)
  • Exchange Subscription Edition (SE): Version 15.2.2562.17 or newer
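
A build check against the minimums listed above, as an added example that is not from Microsoft or the original article. The function name `Test-HybridAppBuild` is hypothetical, the sample builds are constructed, and the code assumes that the third field of the build number identifies the cumulative update, so a CU15 build is measured against the CU15 minimum and not the lower CU14 one.

```powershell
# Minimum builds for the dedicated hybrid app, taken from the list above.
$Baselines = @(
    [pscustomobject]@{ Release = 'Exchange 2016 CU23'; Min = [version]'15.1.2507.55' }
    [pscustomobject]@{ Release = 'Exchange 2019 CU14'; Min = [version]'15.2.1544.25' }
    [pscustomobject]@{ Release = 'Exchange 2019 CU15'; Min = [version]'15.2.1748.24' }
    [pscustomobject]@{ Release = 'Exchange SE';        Min = [version]'15.2.2562.17' }
)

# Hypothetical helper: finds the baseline of the CU a build belongs to,
# then compares the build against that baseline only.
function Test-HybridAppBuild {
    param([Parameter(Mandatory)][string]$Build)

    $v = $null
    $ok = [version]::TryParse($Build, [ref]$v)
    if (-not $ok -or $v.Revision -lt 0) {
        # Reject anything that is not a full four-part build number.
        return [pscustomobject]@{ Build = $Build; Release = 'unknown'; Minimum = $null; Supported = $false }
    }

    # Assumption: within one major.minor line the third field identifies the CU,
    # so the applicable baseline is the highest one whose third field is <= the build's.
    $base = $Baselines |
        Where-Object { $_.Min.Major -eq $v.Major -and $_.Min.Minor -eq $v.Minor -and $_.Min.Build -le $v.Build } |
        Sort-Object -Property Min -Descending |
        Select-Object -First 1

    if (-not $base) {
        return [pscustomobject]@{ Build = $Build; Release = 'older than any supported CU'; Minimum = $null; Supported = $false }
    }

    [pscustomobject]@{
        Build     = $Build
        Release   = $base.Release
        Minimum   = $base.Min
        Supported = ($v -ge $base.Min)
    }
}

# Constructed sample inventory (not from the article).
'15.1.2507.39', '15.2.1258.32', '15.2.1544.25', '15.2.1748.10', '15.2.2562.17', '15.2.1544' |
    ForEach-Object { Test-HybridAppBuild -Build $_ } |
    Format-Table -AutoSize
```

In the sample inventory, `15.2.1748.10` is numerically higher than the CU14 minimum but is reported as unsupported because it falls below the CU15 minimum, which a single "greater than or equal" comparison would miss.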

The updated Hybrid Configuration Wizard is designed to simplify the setup of the dedicated app. When selected during the HCW process, it performs several critical tasks, including registering a new application in Entra ID and adding the necessary permissions. Moreover, it handles certificate uploads and requests tenant-wide admin consent.

However, it’s essential to note that the HCW does not automatically enable the dedicated app in the on-premises Exchange environment. A separate Setting Override must be created, and detailed instructions can be found in the documentation for deploying the dedicated app.

Conclusion: Importance of Transitioning

While the immediate changes primarily impact hybrid Exchange environments using rich coexistence features, it’s prudent for all organizations to conduct a thorough security review. Running the Exchange Hybrid Configuration Wizard or configuring OAuth may have resulted in custom certificates remaining on the shared service principal. These should be removed using the appropriate scripts, which can be executed from any Windows machine without requiring a specific Exchange version.

With Microsoft planning to permanently block EWS traffic via the shared service principal after October 31, 2025, transitioning to the dedicated Exchange hybrid app is a crucial step for securing hybrid deployments. Organizations should take action now to ensure that all environments are updated and compliant with the latest guidelines, leveraging the updated Hybrid Configuration Wizard and official resources to mitigate any potential disruptions.
