Update 8/18/2025: Based on feedback we received and to give customers more time to prepare, we are cancelling the first planned temporary enforcement (August) and will resume the temporary enforcement schedule in September. Please continue switching your organizations to the dedicated Exchange hybrid app (as applicable to your usage scenarios).
In April 2025, we announced a few changes to Exchange hybrid environments in Exchange Server Security Changes for Hybrid Deployments.
Starting in August 2025, we will begin temporarily blocking Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal (which, by default, is used by some coexistence features in hybrid scenarios). This is part of a phased strategy to speed up customer adoption of the dedicated Exchange hybrid app and to make our customers' environments more secure.
To simplify the customer experience, we have also released an updated Hybrid Configuration Wizard (HCW).
Why this matters
The dedicated Exchange hybrid app enables hybrid features like calendar availability lookup (free/busy), MailTips, and profile picture sharing between mailboxes hosted on Exchange Server and Exchange Online. We call this the rich coexistence experience. These features currently rely on Exchange Web Services (EWS) and on the shared service principal of Exchange Online. As announced, EWS access using the shared service principal will be permanently blocked starting in October 2025.
Even though adoption of server versions that support the dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low. To help drive adoption, we will introduce short-term blocks of EWS traffic to the shared service principal throughout August, September, and October 2025. These blocks are designed to create brief disruptions that prompt customers to complete the required configuration. Without temporary block-out periods, customers could reach the end of October without taking any action and then have no extra time to implement the needed configuration changes.
Additionally, moving away from using the shared service principal enhances the security posture of your hybrid environment (please see CVE-2025-53786 – a post exploitation vulnerability for more details). We strongly recommend transitioning to the dedicated Exchange Hybrid app as soon as possible and following the guidance provided in Exchange Server Security Changes for Hybrid Deployments blog post.
Who will be impacted by temporary blocks
While all Exchange Hybrid customers have a shared service principal in their tenant, only the following hybrid customers will be impacted by temporary upcoming blocks:
- User mailboxes are hosted both in Exchange on-premises and Exchange Online, and
- “Rich coexistence” features (free/busy lookups, MailTips, profile picture sharing) are used between on-premises and Exchange online user mailboxes, and
- On-premises Exchange servers were not updated to a version that supports dedicated Exchange hybrid app, and
- Dedicated Exchange hybrid app was not created in the tenant, or was not enabled for Exchange to use (as a part of the script run or settings override)
We sent out a Message Center post (MC1085578) to tenants that we believe will be impacted by this change.
What exactly will break during blocked periods?
The planned blocking schedule (for all our cloud environments), to help you prepare:
| Block | Block starting | Block length |
| --- | --- | --- |
| 2nd Block | September 16, 2025 | 2 days |
| 3rd Block | October 7, 2025 | 3 days |
| Final block | After October 31, 2025 | (block is permanent) |
During the blocked period, for customers who are impacted (see above), the following will not work for on-premises mailboxes when trying to work with Exchange Online mailboxes:
- Free/busy lookups
- MailTips
- Profile picture sharing
Only those 3 features will be impacted, and only in the direction of on-premises mailboxes looking up information for Exchange Online mailboxes. All other Exchange hybrid functionality will not be impacted. Please see the FAQ in the documentation.
Please note: There will be no exceptions granted for these temporary blocks; our support teams cannot grant you an exception. If you need help configuring the dedicated app, please see the documentation or contact Microsoft support.
What you should do
If you use rich hybrid coexistence features:
To continue using rich coexistence hybrid features (free/busy availability, MailTips and profile picture sharing) between on-premises hosted and Exchange Online hosted mailboxes, you must:
- Update your Exchange servers to a version that supports dedicated Exchange hybrid app, and
- Run the script to configure the dedicated Exchange hybrid app in Entra ID and enable your on-premises servers to use it, or use the updated Hybrid Configuration Wizard (HCW) and then enable the feature through a setting override, and
- Remove any custom certificates from the shared “Office 365 Exchange Online” application once the above is done. See “Service Principal Clean-Up Mode” in the documentation.
Minimum Exchange Server versions that support the use of dedicated Exchange hybrid app:
| Version of Exchange | Name of update | Version number |
| --- | --- | --- |
| Exchange Server 2016 CU23 | April 2025 HU (or newer) | 15.1.2507.55 (or higher) |
| Exchange Server 2019 CU14 | April 2025 HU (or newer) | 15.2.1544.25 (or higher) |
| Exchange Server 2019 CU15 | April 2025 HU (or newer) | 15.2.1748.24 (or higher) |
| Exchange Subscription Edition (SE) RTM | RTM (or newer) | 15.2.2562.17 (or higher) |
To check the version of Exchange Server you currently have, please see Option 1 or Option 2 in this document.
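The following is an added example, not part of the blog post or of Microsoft's script: it encodes the minimum versions from the table above and tells you whether a given build supports the dedicated Exchange hybrid app. It assumes the exact installed build (including the HU level) is read from the file version of ExSetup.exe under the Exchange install path; the sample build numbers at the end are constructed to show the decision.

```powershell
# Added example: check an Exchange Server build against the minimum versions in the table above.
# Minimum builds from the table, one per CU line (the HU revision is the last component).
$MinimumBuilds = @(
    [version]'15.1.2507.55',  # Exchange Server 2016 CU23 + April 2025 HU
    [version]'15.2.1544.25',  # Exchange Server 2019 CU14 + April 2025 HU
    [version]'15.2.1748.24',  # Exchange Server 2019 CU15 + April 2025 HU
    [version]'15.2.2562.17'   # Exchange Subscription Edition RTM
)

function Test-DedicatedHybridAppSupport {
    param([Parameter(Mandatory)][version]$BuildVersion)

    # Rows for the same product line: 15.1 = Exchange 2016, 15.2 = Exchange 2019 / SE.
    $line = $MinimumBuilds | Where-Object { $_.Major -eq $BuildVersion.Major -and $_.Minor -eq $BuildVersion.Minor }
    if (-not $line) { return $false }    # e.g. 15.0 (Exchange 2013) has no supported build

    # Same CU as a listed row: the installed HU revision must be at least the listed one.
    $sameCu = $line | Where-Object { $_.Build -eq $BuildVersion.Build }
    if ($sameCu) { return $BuildVersion -ge $sameCu }

    # A CU newer than anything listed for this line counts as "or newer"; an older CU does not.
    $newest = ($line | Sort-Object -Descending)[0]
    return $BuildVersion.Build -gt $newest.Build
}

# Assumption: on an Exchange server, ExSetup.exe carries the exact build including the HU level.
$setupPath = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
if (Test-Path $setupPath) {
    $installed = [version](Get-Item $setupPath).VersionInfo.ProductVersion
    'Installed build {0}: dedicated hybrid app supported = {1}' -f $installed, (Test-DedicatedHybridAppSupport -BuildVersion $installed)
}

# Constructed sample builds (not from a real server) to show the decision logic.
foreach ($v in '15.2.1544.20', '15.2.1544.25', '15.2.1258.12', '15.1.2507.60', '15.2.2562.17') {
    '{0,-14} supported: {1}' -f $v, (Test-DedicatedHybridAppSupport -BuildVersion ([version]$v))
}
```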
Using HCW to configure the dedicated Exchange hybrid app
You can now use HCW to create your dedicated Exchange Hybrid App.
This option is present as part of Classic Full, Modern Full and Choose Exchange Hybrid Configuration. Selecting this option in HCW creates a dedicated Exchange Hybrid application in Microsoft Entra ID. This replaces the legacy shared service principal previously used to enable hybrid features such as calendar availability (free/busy), MailTips, and profile picture sharing - specifically for scenarios where on-premises Exchange Server mailboxes needed to retrieve information from Exchange Online mailboxes.
By default, HCW performs the following actions using Microsoft Graph API calls to create and configure the dedicated Exchange hybrid app:
- Registers a new application in Entra ID named ExchangeServerApp-{Guid of the organization}
- Adds the full_access_as_app EWS API application permission (to be replaced with Graph API permission in future updates)
- Grants tenant-wide admin consent (requires explicit confirmation during HCW runtime)
- Uploads the current Auth Certificate to the application
- Uploads the next Auth Certificate (if available)
- Removes any expired certificates from the application
This configuration enables OAuth-based trust for hybrid features.
When the configuration by HCW is done, it does not automatically enable the feature for your on-premises Exchange Server organization. HCW only creates the application in Entra ID and prepares the Exchange Server configuration. To activate the feature, you need to create a Setting Override. To do so, you can follow the steps outlined in the Deploy dedicated Exchange hybrid app documentation: Deploy dedicated Exchange hybrid app | Microsoft Learn.
For more information, see the updated Hybrid Configuration Wizard documentation.
If you do not use rich hybrid coexistence features:
If the organization ever ran and completed the Exchange Hybrid Configuration Wizard (HCW), or followed the steps outlined in the Configure OAuth authentication between Exchange and Exchange Online organizations documentation, then the organization certificate was uploaded to the shared service principal.
To help harden your hybrid configuration, we strongly recommend that you use the provided script to remove any custom certificates from the shared “Office 365 Exchange Online” application. See “Service Principal Clean-Up Mode” in the documentation. If you're unsure whether any clean-up action is needed, simply run the script in Service Principal Clean-Up Mode to remove any leftover certificates. If no certificates are found, no action will be taken.
You do not need to create the dedicated hybrid app if you don’t need rich coexistence features. Running the script in clean-up mode does not depend on a specific version of Exchange being installed on-premises (you can run the script in clean-up mode independent of your Exchange Server version, and even on a computer other than an Exchange Server).
An overview of the process
We created the following flowchart that should help you visualize the steps that are needed to switch to the dedicated Exchange hybrid app:
Notes for steps marked on the flowchart:
- Configure OAuth authentication between Exchange and Exchange Online organizations.
- ‘Rich coexistence’ enables Free/Busy lookups, MailTips, and user profile picture sharing between Exchange on-premises and Exchange Online mailboxes.
- Creating the setting override as a separate step is needed only if the dedicated hybrid app was created using HCW, or if you used the script in Split Execution Configuration mode.
Final enforcement
After October 31, 2025, the use of shared service principal will be permanently blocked. The above-mentioned hybrid features will stop working if the dedicated app is not configured.
FAQs: Temporary rich coexistence disruptions and creation of Dedicated Exchange Hybrid App via HCW
(For a FAQ related to dedicated Exchange hybrid app, please see the feature documentation).
Can we get exceptions for the temporary scheduled disruption to rich coexistence features?
Since this is a security enforcement, exceptions will not be available for this temporary disruption. The recommended path is to update your servers and configure the dedicated Exchange Hybrid App to ensure compliance.
Is it necessary to create the dedicated hybrid app if we do not require rich coexistence features?
No, if you do not need rich hybrid coexistence features, you do not need to create the dedicated hybrid app. However, it is still strongly recommended to remove any custom certificates from the shared service principal using the provided script (“clean-up mode”).
Will the enforcement affect organizations that previously ran the Hybrid Configuration Wizard or configured OAuth authentication?
Yes, after late October 2025, the use of the shared service principal will be permanently blocked. Organizations that previously relied on the shared service principal must configure the dedicated hybrid app to ensure continued functionality of hybrid features.
Do we need to update Exchange Server to run the “clean-up script” or run the script to create the hybrid app?
Running the script to configure and enable the dedicated Exchange hybrid app feature depends on specific versions of Exchange being installed on-premises (see the documentation or the table in this blog post). However, you can run the script to clean up the shared service principal's keyCredentials independently of Exchange Server updates, and even from a non-Exchange computer.
How is HCW for dedicated Exchange hybrid app different from the previously released PowerShell script?
While both HCW and the script configure the dedicated Exchange hybrid app, there are key differences:
| Feature | PowerShell Script | HCW |
| --- | --- | --- |
| Creates app in Entra ID with Admin consent | Yes | Yes |
| Uploads auth certificates | Yes | Yes |
| Cleans up the shared service principal's keyCredentials | Yes (Optional) | No |
| Enables feature via settings override | Yes | No |
HCW cannot perform cleanup of the legacy shared service principal or automatically enable the feature on-premises. You must run the New-SettingOverride cmdlet manually.
Please refer to the documentation for more information.
Why do we need to provide tenant-wide admin consent during HCW setup?
Admin consent is required to grant the dedicated hybrid app access to necessary APIs. Without this consent, hybrid features with a dedicated app will not function properly.
What happens if we don’t provide admin consent?
HCW will complete with a warning:
HCW8126 - Admin consent was not granted during the configuration of the dedicated application for Exchange Server.
The application will be created but will not function until consent is provided. Please re-run HCW or grant consent via the Microsoft Entra ID portal before you start using the application.
Hybrid features such as Free/Busy, MailTips, and profile photo sharing will not work using the dedicated hybrid app until all the steps (such as consent grant) are all completed.
What happens if we revoke dedicated Exchange hybrid app admin consent later?
Revoking admin consent disables the hybrid app’s ability to access Exchange Online resources. This will break hybrid features for on-premises mailboxes accessing online mailboxes.
Can we manually provide admin consent through Microsoft Entra ID?
Yes, you can manually grant admin consent via the Entra ID portal. However, HCW is designed to prompt and guide you through this during setup.
Why can’t HCW clean up the shared service principal?
HCW focuses on creating and configuring the new dedicated app. Cleanup of the legacy shared service principal's keyCredentials must be done via the script to ensure removal of outdated credentials and permissions. Please refer to the documentation for steps to clean up the shared service principal.
What if we already have a hybrid app configured?
HCW checks for existing apps and avoids duplication. Please refer to the documentation for more information.
Is rollback from dedicated Exchange hybrid app supported in HCW?
Rollback is not supported in HCW. We strongly recommend not rolling back, as Microsoft will permanently block traffic using the shared service principal starting October 31, 2025. To roll back, you will have to use the script.
We use Microsoft Entra Connect (previously Azure AD Connect) for directory synchronization. All our mailboxes are hosted on-premises. Is it necessary to create the dedicated Exchange hybrid application?
If you've never run the Hybrid Configuration Wizard (HCW) and you've never followed the steps outlined in the "Configure OAuth authentication between Exchange and Exchange Online organizations" documentation, there is no need to configure the dedicated Exchange hybrid application. However, if you ran HCW and intend to use rich coexistence hybrid features such as Free/Busy, MailTips, and profile picture sharing, creating the dedicated Exchange hybrid application is required.
How can we confirm certificate state on the shared service principal or the dedicated Exchange hybrid app?
- For certificates on the shared service principal, run the following while connected to Entra using Microsoft Graph PowerShell:
Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'" | select -ExpandProperty KeyCredentials | Format-List *
- For the certificate on the dedicated Exchange hybrid app, run the following while connected to Entra using Microsoft Graph PowerShell:
Get-MgApplicationByAppId -AppId ((Get-MgApplication -Filter "startswith(DisplayName,'ExchangeServerApp-')").AppId) -Property id,keyCredentials | select -ExpandProperty KeyCredentials | Format-List *
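Building on the two queries above, here is an added example (not from the blog post or Microsoft's script) that reports the certificate state of both objects and flags what still needs doing: leftover certificates on the shared service principal, or a missing or expired certificate on the dedicated app. It assumes the Microsoft Graph PowerShell module is installed and that you have already run Connect-MgGraph with permission to read applications and service principals; the application id is the Exchange Online one used in the FAQ above.

```powershell
# Added example: report keyCredentials on the shared service principal and the dedicated hybrid app.
$SharedExoAppId = '00000002-0000-0ff1-ce00-000000000000'   # Exchange Online shared service principal

function Get-KeyCredentialReport {
    param([Parameter(Mandatory)][string]$Owner, [AllowNull()][object[]]$KeyCredentials)
    $now = [DateTime]::UtcNow
    foreach ($k in ($KeyCredentials | Where-Object { $_ })) {
        $expired = ($null -ne $k.EndDateTime) -and ($k.EndDateTime -lt $now)
        [pscustomobject]@{
            Owner       = $Owner
            DisplayName = $k.DisplayName
            Thumbprint  = if ($k.CustomKeyIdentifier) { [BitConverter]::ToString($k.CustomKeyIdentifier) -replace '-' } else { $null }
            NotAfter    = $k.EndDateTime
            State       = if ($expired) { 'Expired' } else { 'Valid' }
        }
    }
}

# 1. Shared service principal: after Service Principal Clean-Up Mode this list should be empty.
$sharedSp = Get-MgServicePrincipal -Filter "AppId eq '$SharedExoAppId'" -Property id,keyCredentials
$sharedReport = @(Get-KeyCredentialReport -Owner 'Shared service principal' -KeyCredentials $sharedSp.KeyCredentials)

# 2. Dedicated hybrid app (created by the script or HCW): it should carry the current auth certificate.
$dedicatedApp = Get-MgApplication -Filter "startswith(DisplayName,'ExchangeServerApp-')" -Property id,displayName,keyCredentials
$dedicatedReport = @(Get-KeyCredentialReport -Owner 'Dedicated hybrid app' -KeyCredentials $dedicatedApp.KeyCredentials)

$sharedReport + $dedicatedReport | Format-Table -AutoSize

# What the blog post asks for: nothing left on the shared principal, a valid certificate on the dedicated app.
if ($sharedReport.Count -gt 0) {
    Write-Warning "Shared service principal still has $($sharedReport.Count) certificate(s); run the script in Service Principal Clean-Up Mode."
}
if (-not $dedicatedApp) {
    Write-Warning 'No ExchangeServerApp-* application found; create it with the script or HCW.'
} elseif (-not ($dedicatedReport | Where-Object State -eq 'Valid')) {
    Write-Warning 'Dedicated hybrid app has no unexpired certificate; re-run the script or HCW to upload the current auth certificate.'
}
```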
Major updates to this blog post:
- 8/20/2025: Added FAQ on checking certificate status on shared service principal and dedicated hybrid app
- 8/18/2025: The schedule for temporary blocks has been changed
- 8/11/2025: Added a flowchart with the overview of the process to enable the dedicated Exchange hybrid app
- 8/7/2025: Added direct links to the ConfigureExchangeHybridApplication.ps1 script in the blog post
- 8/7/2025: Under "what you should do", added a step to clarify that customers who use rich coexistence should also use the script to remove any custom certificates from the shared “Office 365 Exchange Online” application.
The Exchange Team