Exchange Team Blog

Introducing Cloud-Managed Remote Mailboxes: a Step to Last Exchange Server Retirement

The_Exchange_Team
Aug 20, 2025

Background: the “last Exchange server” challenge

Many organizations that moved all mailboxes to Exchange Online keep an on-premises Exchange server solely for managing recipient attributes. In hybrid environments, mailbox attributes of directory-synchronized user accounts cannot be managed from Exchange Online by design – attempts to edit mailbox attributes in the cloud would usually be blocked because the object source of authority (SOA) is on-premises. Administrators must use an on-prem Exchange server to edit mailbox attributes (like email addresses, aliases, or hide-from-address-book flags) in Active Directory (AD), then sync those changes to the cloud – even if the mailbox is in Exchange Online. This requirement created a frustrating dependency on maintaining a “last Exchange server” even after migrating all mailboxes to the cloud.

Back in April 2022, we took the first step to address this by releasing updated Exchange Server 2019 management tools. This update enabled management of Exchange recipients via the Exchange Management Tools on a domain-joined machine, without a running Exchange server. In other words, organizations could shut down their last Exchange server and use the lightweight management tools to maintain recipient changes.

Using this solution was cumbersome as it required PowerShell expertise and it had no logging or audit capabilities. The inability to modify synced users' remote (located in the cloud) mailbox properties directly in Exchange Online remained a pain point. The ideal solution would let administrators manage Exchange attributes of cloud mailboxes entirely in the cloud, while still synchronizing identity data from on-premises AD.

Microsoft has listened to this feedback. A new Exchange Online feature (in preview) helps eliminate the need for an Exchange server for remote mailbox management, by enabling cloud-side management of directory-synchronized user remote mailbox attributes. This capability is a key step toward finally retiring your last Exchange server in a hybrid environment.

Introducing cloud-management of Exchange remote mailbox attributes for hybrid customers

We are excited to introduce a new feature in Exchange Online that allows administrators to manage the Exchange properties of directory-synchronized users with remote mailboxes directly from the cloud. With this feature, you can designate that Exchange-related attributes for a particular user are mastered in Exchange Online, even though the user’s identity still originates in on-premises Active Directory. In practice, this means you’ll be able to edit Exchange attributes (email addresses, mailbox settings, etc.) using Exchange Online PowerShell, Microsoft 365 Exchange admin center or Microsoft 365 admin center, while the core identity attributes (like the user’s name, address, phone etc.) continue to be managed on premises.

Please note: as of right now, this feature is only available for customers in our multi-tenant (WW) cloud. Information on availability in other cloud environments will be available later.

How does this work?

A new mailbox property called IsExchangeCloudManaged is being introduced in Exchange Online and Entra ID. It indicates whether Exchange attributes for a synced user have Source of Authority (SOA) in the cloud or on-premises. By default, for all directory-synced users today, this is False (meaning Exchange attributes are mastered on-premises and are synced to the cloud). When you set IsExchangeCloudManaged to True for a particular user, you transfer the “source of authority” for that user’s Exchange attributes to the cloud. From that point on:

  • Exchange attributes (properties related to the remote mailbox) become editable in Exchange Online (and no longer get overwritten by on-prem sync).
  • Identity attributes (core user object properties like name, department, etc.) remain mastered in on-prem AD and cannot be changed from the cloud (same as before).
  • The feature only supports Exchange attribute SOA transfer of user, shared, equipment or room mailboxes; for Groups and Contacts, you will need to use object level SOA transfer (more on this below).

More details on enabling this feature, and on which attributes’ SOA will be transferred to the cloud using IsExchangeCloudManaged, are available in the documentation: Cloud-based management of Exchange attributes for Remote Mailboxes in hybrid environments.
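The per-mailbox SOA switch described above, as an added example (not code from this post or from Microsoft): a guarded wrapper that checks the supported mailbox types, supports a dry run, and emits a change record for each mailbox. It assumes an existing Exchange Online PowerShell session and that `Set-Mailbox` takes an `-IsExchangeCloudManaged` parameter matching the property name; `Set-ExchangeSoa` and the pilot addresses are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run and that
# Set-Mailbox accepts -IsExchangeCloudManaged (assumed to mirror the property
# named in this post). Set-ExchangeSoa is a hypothetical helper name.
function Set-ExchangeSoa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [bool]$CloudManaged = $true   # $false rolls the mailbox back to on-premises SOA
    )
    # Mailbox types the post lists as supported for Exchange attribute SOA transfer
    $supported = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'
    foreach ($id in $Identity) {
        $mbx = Get-Mailbox -Identity $id -ErrorAction Stop
        $record = [ordered]@{
            TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
            Mailbox = "$($mbx.PrimarySmtpAddress)"
            Type    = "$($mbx.RecipientTypeDetails)"
            Before  = $mbx.IsExchangeCloudManaged
            After   = $mbx.IsExchangeCloudManaged
            Status  = 'Not applied (WhatIf or declined)'
        }
        if (-not $mbx.IsDirSynced) {
            $record.Status = 'Skipped: not directory-synchronized'
        } elseif ($record.Type -notin $supported) {
            $record.Status = 'Skipped: unsupported recipient type'
        } elseif ($mbx.IsExchangeCloudManaged -eq $CloudManaged) {
            $record.Status = 'Unchanged: already in requested state'
        } elseif ($PSCmdlet.ShouldProcess($record.Mailbox, "Set IsExchangeCloudManaged=$CloudManaged")) {
            Set-Mailbox -Identity $mbx.Identity -IsExchangeCloudManaged $CloudManaged -ErrorAction Stop
            # Re-read the mailbox so the record reflects what Exchange Online reports
            $record.After  = (Get-Mailbox -Identity $mbx.Identity).IsExchangeCloudManaged
            $record.Status = if ($record.After -eq $CloudManaged) { 'Changed' } else { 'Not yet reflected' }
        }
        [pscustomobject]$record
    }
}

# Constructed pilot list: dry run first, then apply and append to a change log
$pilot = 'pilot.user1@contoso.com', 'shared.finance@contoso.com'
Set-ExchangeSoa -Identity $pilot -WhatIf
Set-ExchangeSoa -Identity $pilot |
    Export-Csv -Path .\exchange-soa-changes.csv -NoTypeInformation -Append
```

Passing `-CloudManaged $false` performs the rollback to on-premises management that Phase 1 allows.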

Release plan: phased rollout

Microsoft is delivering this capability in two phases:

  • Phase 1 (Preview – available now) – Introduces per-mailbox control to cloud-manage Exchange attributes. Admins can opt in individual mailboxes to be cloud-managed (by setting IsExchangeCloudManaged=True). In this phase, admins can also roll back a mailbox to on-prem management (IsExchangeCloudManaged=False). Phase 1 focuses on managing existing user remote mailbox attributes one by one and testing the feature. It will also include an organization-level setting to make all newly synced users’ Exchange attributes cloud-managed by default (expected in September).
  • Phase 2 – Will add write-back support for specific attributes and Entra ID Cloud Sync integration. In Phase 2, changes to critical Exchange properties made in the cloud will be automatically synced down to on-premises Active Directory (until that time, they might be out of sync). This ensures your on-prem AD remains up to date if, for example, a proxy address is changed in Exchange Online. To leverage Writeback, customers will need to use Entra Cloud Sync. More details of this feature will be provided later. All the attributes supported for writeback are available in the documentation provided above.

A step closer to removing the last Exchange server

With the new cloud-managed mailbox capability, organizations using on-premises AD for identity can finally manage their Exchange Online mailboxes entirely in the cloud. This significantly reduces the need to keep an Exchange server (or even the stand-alone management tools) running on-premises for day-to-day administration.

It’s important to note that this feature is a step to address the scenario where you still have on-premises AD (because you want to keep using AD as your identity source), but you no longer want an Exchange server. For organizations looking to eliminate on-prem AD dependency entirely, Microsoft is also working on Object-level Source of Authority (SOA) transfer – the ability to move the entire object (user, group, contact) to cloud management in Entra ID. For example, Group SOA (cloud-managed distribution groups) is already in public preview, while User SOA (cloud-managed user objects) and Contact SOA are on the roadmap. Those would apply if you planned to eventually manage identities in the cloud as well. The Exchange attribute cloud management feature (described in this post) is meant for those who will keep AD around, and it helps them retire the last on-prem Exchange server. It’s an important piece in the puzzle of fully decommissioning on-prem Exchange in a hybrid setup without losing management capabilities.

We hope this feature helps you in your journey to a fully cloud-managed Exchange environment. Phase 1 preview is just the beginning – with your feedback, we will refine it, and Phase 2 will bring even more seamless integration (automatic write-back of attributes, support for Entra Cloud Sync, etc.). The era of maintaining an Exchange server “just because we sync our AD” is coming to an end! 

Exchange Online Management and Exchange Hybrid teams

Updated Sep 02, 2025
Version 4.0