Exchange Team Blog

Exchange Server Security Changes for Hybrid Deployments

The_Exchange_Team
Apr 18, 2025

As a part of Microsoft's Secure Future Initiative (SFI), security remains our top priority. In alignment with SFI, Exchange Server is implementing several changes to enhance the security of Exchange Server hybrid deployments. This blog post outlines the current and upcoming changes that apply specifically to Exchange Server hybrid deployments. If your organization does not have any form of Exchange hybrid configured, this post does not apply to you.

Change 1: Transitioning to a dedicated Exchange hybrid application

To enable Exchange hybrid deployment features such as calendar Free/Busy, MailTips, and user profile picture sharing (we call this “rich coexistence”), Exchange Server currently uses a shared service principal belonging to the same application as Exchange Online. The name of this application is Office 365 Exchange Online, and it has the application ID 00000002-0000-0ff1-ce00-000000000000. This configuration is put in place by the initial run of the Hybrid Configuration Wizard (HCW) and is used to authenticate and secure the communication between Exchange Server and Exchange Online.

Beginning with the April 2025 HU release, Exchange Server is starting the transition to using a dedicated Exchange hybrid application in your tenant’s Entra ID. By October 2025, all current and new Exchange Server hybrid deployments that require rich coexistence features must move to using the dedicated Exchange hybrid app, as Exchange Online service will no longer allow the use of shared service principals beyond that date.

There are changes that administrators will need to make to enable and use the dedicated Exchange hybrid app. Please refer to the documentation for more information.

Change 2: Deprecation of EWS calls and switch to REST-based Microsoft Graph API calls for Exchange hybrid

The retirement of Exchange Web Services (EWS) in Exchange Online is coming. To maintain Exchange hybrid features, Exchange Server will (later this year) start supporting Microsoft Graph API as a replacement for EWS calls from Exchange Server to Exchange Online. This feature will release through an update for Exchange Server 2019 and Exchange Server 2016 in Q3 2025. In line with the transition to Microsoft Graph, the API permissions of the dedicated Exchange hybrid application will be revised to utilize more granular Graph API permissions. A blog post and documentation containing additional information will be published once that release is available.

Important: Microsoft Graph for Exchange Server hybrid requires the dedicated Exchange hybrid app (see Change 1 above) and will not use the current shared service principal approach. This change doesn’t affect the EWS API availability in Exchange Server (on-premises) and will only replace EWS calls from Exchange Server to Exchange Online with REST-based Microsoft Graph API calls.

Who needs to take action, and when?

| If your organization uses the following Exchange hybrid functionality… | The action you should take is… |
|---|---|
| Customers who require rich coexistence between users with on-premises mailboxes and users who have Exchange Online mailboxes (specific features: Free/Busy lookups, MailTips and profile picture sharing). | You MUST take the steps outlined in the documentation and switch to using the dedicated hybrid app (before October 2025) and then switch your hybrid to using Graph API (when available but before October 2026), or else rich coexistence features will break. After all servers are updated and are using the dedicated app, run “Service Principal Clean-Up Mode”. |
| Customers using any other hybrid features only (migrations, SMTP relay, recipient management etc.) – but no rich coexistence required | To help harden your hybrid configuration, we recommend that you use the provided script to remove the organization certificate from the shared “Office 365 Exchange Online” application. See “Service Principal Clean-Up Mode” in the documentation. You do not need to create the dedicated hybrid app if you don’t need rich coexistence features. |

Exchange Hybrid customers who require rich coexistence must act

Step 1 – Switching your Exchange hybrid from using the shared service principal to using the dedicated Exchange hybrid app, before October 2025. This change can be done in two different ways:

  • Option 1 (recommended): configure the dedicated Exchange hybrid app by installing the April 2025 HU (or later) and running the ConfigureExchangeHybridApplication.ps1 script to switch Exchange hybrid from the current “shared principal” configuration to using the dedicated Exchange hybrid app. Please see the documentation.
  • Option 2: we released an updated version of the Hybrid Configuration Wizard (HCW). Re-run HCW to configure the dedicated Exchange hybrid app. Please note that the script (Option 1) remains a more robust solution for working with the new hybrid app.

Step 2 – Changing Exchange hybrid to use Graph API calls and updating dedicated app permissions to a more granular Graph permission model, before October 2026:

  • In Q3 2025, when the Graph API update for Exchange Server is made available, all customers who require rich coexistence (even those who already performed Step 1 above) will need to install an Exchange 2016/2019 update and switch the dedicated Exchange hybrid app permissions to a more granular Graph API permission model. This must be done before October 2026. Documentation will be provided at release.

The following illustration shows what will be needed for organizations that use rich hybrid coexistence and when, related to Changes 1 and 2 mentioned above:

Exchange hybrid customers who require rich coexistence with Exchange Online must act between April 2025 HU release and October 2025. Unless you follow the steps to update to dedicated Exchange hybrid app (before October 2025) and then update it to Graph permission model (before October 2026), some Exchange hybrid functionality will break (Free/Busy sharing between on-premises and Exchange Online users, MailTips, profile picture sharing).

We strongly recommend that other Exchange hybrid customers do the following

Even if rich coexistence features are not in use, if the organization ever ran and completed the Exchange Hybrid Configuration Wizard (HCW), or followed the steps outlined in the Configure OAuth authentication between Exchange and Exchange Online organizations documentation, the organization certificate was uploaded to the shared service principal as a part of that configuration.

To help harden your hybrid configuration, we strongly recommend that you use the provided script to remove the organization certificate from the shared “Office 365 Exchange Online” application. See “Service Principal Clean-Up Mode” in the documentation.

You do not need to create the dedicated hybrid app if you don’t need rich coexistence features. Running the script does not depend on a specific version of Exchange being installed on-premises (you can run the script independently of installing Exchange Server updates on-premises).
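As an added example that is not part of this post or of the Exchange Team's script, the following PowerShell uses the Microsoft Graph PowerShell SDK to list whatever key credentials remain on the shared Office 365 Exchange Online service principal in your tenant, so you can confirm the organization certificate is gone after running Service Principal Clean-Up Mode. The application ID is the one quoted above; the function name and the Application.Read.All scope are assumptions of this example.

```powershell
# Added example (not from the Exchange Team post or script): audit the shared
# "Office 365 Exchange Online" service principal for leftover key credentials.
# HCW uploads the on-premises organization certificate as a key credential on
# this service principal; after "Service Principal Clean-Up Mode" it should be gone.
# Assumes the Microsoft.Graph.Applications module and Application.Read.All consent.

function Get-SharedExchangeSpKeyCredentials {
    [CmdletBinding()]
    param(
        # Application ID of the shared Office 365 Exchange Online app (from the post).
        [string]$SharedAppId = '00000002-0000-0ff1-ce00-000000000000'
    )

    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

    $sp = Get-MgServicePrincipal -Filter "appId eq '$SharedAppId'" `
        -Property 'Id,DisplayName,AppId,KeyCredentials'
    if (-not $sp) { throw "Service principal for appId $SharedAppId not found in this tenant." }

    $now = Get-Date
    foreach ($cred in $sp.KeyCredentials) {
        # One row per certificate still registered on the shared service principal.
        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            KeyId            = $cred.KeyId
            DisplayName      = $cred.DisplayName
            Type             = $cred.Type    # e.g. AsymmetricX509Cert
            Usage            = $cred.Usage   # e.g. Verify
            NotBefore        = $cred.StartDateTime
            NotAfter         = $cred.EndDateTime
            Expired          = ($cred.EndDateTime -lt $now)
        }
    }
}

$creds = @(Get-SharedExchangeSpKeyCredentials)
if ($creds.Count -eq 0) {
    Write-Host 'No key credentials remain on the shared service principal.'
} else {
    Write-Warning "$($creds.Count) key credential(s) still present on the shared service principal."
    $creds | Format-Table -AutoSize
}
```

Any credential listed after the clean-up script has been run is worth investigating, since it means the shared service principal can still be used to authenticate to the tenant on your organization's behalf.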

An overview of the process

We created the following flowchart that should help you visualize the steps that are needed to switch to the dedicated Exchange hybrid app:

Notes for steps marked on the flowchart:

  1. Configure OAuth authentication between Exchange and Exchange Online organizations.
  2. ‘Rich coexistence’ enables Free/Busy lookups, MailTips, and user profile picture sharing between Exchange on-premises and Exchange Online mailboxes.
  3. Creating the setting override as a separate step is required only if the dedicated hybrid app was created using HCW, or if you ran the script in the Split Execution Configuration mode.

Frequently Asked Questions

The Frequently Asked Questions (FAQ) on this subject have now been moved to feature documentation.

Major changes to this blog post:

  • 8/11/2025: Added a flowchart with the overview of the process
  • 8/7/2025: Added direct links to the ConfigureExchangeHybridApplication.ps1 script in the blog post
  • 8/6/2025: Hybrid Configuration Wizard (HCW) is now updated to support creation of dedicated Exchange hybrid app; relevant updates done
  • 8/4/2025: We moved the FAQ on the subject to feature documentation
  • 7/31/2025: Clarified the recommendation for customers who do not use "rich coexistence" features
  • 5/16/2025: Added a FAQ about multi-forest on-premises configuration
  • 4/24/2025: Added a FAQ about renaming of the dedicated hybrid app
  • 4/22/2025: Added a FAQ about no requirement to install April HU to clean up security principal only using the script

The Exchange Team

Updated Aug 11, 2025
Version 11.0
