Exchange Team Blog

Introducing Cloud-Managed Remote Mailboxes: a Step to Last Exchange Server Retirement

The_Exchange_Team
Platinum Contributor
Aug 20, 2025

Update 10/15/2025: Please see our newer post announcing General Availability of Cloud-Managed Remote Mailboxes.

Background: the “last Exchange server” challenge

Many organizations that moved all mailboxes to Exchange Online keep an on-premises Exchange server solely for managing recipient attributes. In hybrid environments, mailbox attributes of directory-synchronized user accounts cannot be managed from Exchange Online by design – attempts to edit mailbox attributes in the cloud would usually be blocked because the object source of authority (SOA) is on-premises. Administrators must use an on-prem Exchange server to edit mailbox attributes (like email addresses, aliases, or hide-from-address-book flags) in Active Directory (AD), then sync those changes to the cloud – even if the mailbox is in Exchange Online. This requirement created a frustrating dependency on maintaining a “last Exchange server” even after migrating all mailboxes to the cloud.

Back in April 2022, we took the first step to address this by releasing updated Exchange Server 2019 management tools. This update enabled management of Exchange recipients via the Exchange Management Tools on a domain-joined machine, without a running Exchange server. In other words, organizations could shut down their last Exchange server and use the lightweight management tools to maintain recipient changes.

Using this solution was cumbersome as it required PowerShell expertise and it had no logging or audit capabilities. The inability to modify synced users' remote (located in the cloud) mailbox properties directly in Exchange Online remained a pain point. The ideal solution would let administrators manage Exchange attributes of cloud mailboxes entirely in the cloud, while still synchronizing identity data from on-premises AD.

Microsoft has listened to this feedback. A new Exchange Online feature (in preview) helps eliminate the need for an Exchange server for remote mailbox management, by enabling cloud-side management of directory-synchronized user remote mailbox attributes. This capability is a key step toward finally retiring your last Exchange server in a hybrid environment.

Introducing cloud-management of Exchange remote mailbox attributes for hybrid customers

We are excited to introduce a new feature in Exchange Online that allows administrators to manage the Exchange properties of directory-synchronized users with remote mailboxes directly from the cloud. With this feature, you can designate that Exchange-related attributes for a particular user are mastered in Exchange Online, even though the user’s identity still originates in on-premises Active Directory. In practice, this means you’ll be able to edit Exchange attributes (email addresses, mailbox settings, etc.) using Exchange Online PowerShell, Microsoft 365 Exchange admin center or Microsoft 365 admin center, while the core identity attributes (like the user’s name, address, phone etc.) continue to be managed on premises.

Please note: as of right now, this feature is only available for customers in our multi-tenant (WW) cloud. Information on availability in other cloud environments will be available later.

How does this work?

A new mailbox property called IsExchangeCloudManaged is being introduced in Exchange Online and Entra ID. It indicates whether Exchange attributes for a synced user have Source of Authority (SOA) in the cloud or on-premises. By default, for all directory-synced users today, this is False (meaning Exchange attributes are mastered on-premises and are synced to the cloud). When you set IsExchangeCloudManaged to True for a particular user, you transfer the “source of authority” for that user's Exchange attributes to the cloud. From that point on:

  • Exchange attributes (properties related to the remote mailbox) become editable in Exchange Online (and no longer get overwritten by on-prem sync).
  • Identity attributes (core user object properties like name, department, etc.) remain mastered in on-prem AD and cannot be changed from the cloud (same as before).
  • The feature only supports Exchange attribute SOA transfer of user, shared, equipment or room mailboxes; for Groups and Contacts, you will need to use object level SOA transfer (more on this below).

More details on enabling this feature, and on which attributes’ SOA is transferred to the cloud using IsExchangeCloudManaged, are available in the documentation: Cloud-based management of Exchange attributes for Remote Mailboxes in hybrid environments.
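The per-mailbox SOA switch described above, as an added example (not Microsoft's own script) that records the before and after state of every change so a transfer can be audited and rolled back. It assumes an existing Connect-ExchangeOnline session and that IsExchangeCloudManaged is exposed as a Get-Mailbox property and a Set-Mailbox parameter of the same name in your tenant; the pilot addresses and log path are constructed placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session. Addresses and log path are constructed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Pilot = @('user1@contoso.com', 'shared1@contoso.com'),
    [bool]$CloudManaged = $true,        # $false rolls back to on-premises SOA
    [string]$LogPath = '.\soa-transfer-log.csv'
)

# Mailbox types the post lists as supported for Exchange attribute SOA transfer.
$supported = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'

$results = foreach ($id in $Pilot) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
    $row = [ordered]@{
        Identity = $id
        Type     = $mbx.RecipientTypeDetails
        Before   = $mbx.IsExchangeCloudManaged
        After    = $null
        Status   = ''
        WhenUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
    if (-not $mbx) { $row.Status = 'NotFound' }
    elseif (-not $mbx.IsDirSynced) { $row.Status = 'Skipped: not directory-synchronized' }
    elseif ($mbx.RecipientTypeDetails -notin $supported) { $row.Status = 'Skipped: unsupported type' }
    elseif ($mbx.IsExchangeCloudManaged -eq $CloudManaged) {
        $row.Status = 'NoChange'; $row.After = $row.Before
    }
    elseif ($PSCmdlet.ShouldProcess($id, "Set IsExchangeCloudManaged=$CloudManaged")) {
        try {
            Set-Mailbox -Identity $id -IsExchangeCloudManaged $CloudManaged -ErrorAction Stop
            # Read the value back; it can lag briefly behind the write.
            $row.After  = (Get-Mailbox -Identity $id).IsExchangeCloudManaged
            $row.Status = 'Changed'
        } catch { $row.Status = "Failed: $($_.Exception.Message)" }
    }
    else { $row.Status = 'WhatIf' }
    [pscustomobject]$row
}

# Append to a change log so every SOA transfer has a before/after record.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table Identity, Type, Before, After, Status
```

Run it with `-WhatIf` first to see which mailboxes would change, and with `-CloudManaged $false` to return the same pilot set to on-premises management.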

Release plan: phased rollout

Microsoft is delivering this capability in two phases:

  • Phase 1 (Preview – available now) – Introduces per-mailbox control to cloud-manage Exchange attributes. Admins can opt in individual mailboxes to be cloud-managed (by setting IsExchangeCloudManaged=True). In this phase, admins can also roll back a mailbox to on-prem management (IsExchangeCloudManaged=False). Phase 1 focuses on managing existing user remote mailbox attributes one by one and testing the feature. It will also include an organization-level setting to make all newly synced users' Exchange attributes cloud-managed by default (expected in September).
  • Phase 2 – Will add write-back support for specific attributes and Entra ID Cloud Sync integration. In Phase 2, changes to critical Exchange properties made in the cloud will be automatically synced down to on-premises Active Directory (until that time, they might be out of sync). This ensures your on-prem AD remains up to date if, for example, a proxy address is changed in Exchange Online. To leverage Writeback, customers will need to use Entra Cloud Sync. More details of this feature will be provided later. All the attributes supported for writeback are available in the documentation provided above.

A step closer to removing the last Exchange server

With the new cloud-managed mailbox capability, organizations using on-premises AD for identity can finally manage their Exchange Online mailboxes entirely in the cloud. This significantly reduces the need to keep an Exchange server (or even the stand-alone management tools) running on-premises for day-to-day administration.

It’s important to note that this feature is a step to address the scenario where you still have on-premises AD (because you want to keep using AD as your identity source), but you no longer want an Exchange server. For organizations looking to eliminate on-prem AD dependency entirely, Microsoft is also working on Object-level Source of Authority (SOA) transfer – the ability to move the entire object (user, group, contact) to cloud management in Entra ID. For example, Group SOA (cloud-managed distribution groups) is already in public preview, while User SOA (cloud-managed user objects) and Contact SOA are on the roadmap. Those would apply if you planned to eventually manage identities in the cloud as well. The Exchange attribute cloud management feature (described in this post) is meant for those who will keep AD around, and it helps them retire the last on-prem Exchange server. It’s an important piece in the puzzle of fully decommissioning on-prem Exchange in a hybrid setup without losing management capabilities.

We hope this feature helps you in your journey to a fully cloud-managed Exchange environment. Phase 1 preview is just the beginning – with your feedback, we will refine it, and Phase 2 will bring even more seamless integration (automatic write-back of attributes, support for Entra Cloud Sync, etc.). The era of maintaining an Exchange server “just because we sync our AD” is coming to an end! 

Exchange Online Management and Exchange Hybrid teams

Updated Oct 15, 2025
Version 5.0

61 Comments

  • praveenkba
    Brass Contributor

    This is a great feature and a great update! 

    Got a stupid question: If IsExchangeCloudManaged is set to True for a mailbox in Exchange Online, does this allow tools such as ADSIEdit or Active Directory Admin Center to modify the Exchange attributes on the user object from the on-premises Active Directory, or is this functionality completely blocked?

    • Nino_Bilic
      Microsoft

      This will not make your AD attributes non-editable. Rather, the sync of any changes made in AD will not happen to the cloud. In other words - objects would diverge possibly causing confusion. In a later stage, when writeback of Exchange attributes from cloud materializes, my expectation is that changes made in AD would be lost.

      • AlbertoP
        Microsoft

        Not to mention making changes outside EMS or EAC (this is ADSI Edit, Set-ADUser, ADUC attribute editor, 3rd party, etc...) is unsupported.

  • swida
    Copper Contributor

    What about cases where the last Exchange on-premises server was removed? Can this still be used?

    • Nino_Bilic
      Microsoft

      Do you mean if you switched to currently released "server-less" management with PowerShell only but the organization kept Entra ID sync in place and identity is handled on-premises? I do not see an issue with this; you would still change the settings on remote mailboxes. But make sure to follow the prerequisites, which include updated sync from on-premises, as otherwise you'll have issues with sync...

  • Laurie_Aldam
    Brass Contributor

    This is good stuff! The object level SOA changes are great features that will really accelerate our journey towards a cloud first approach.

  • This is truly a huge leap forward for recipient management! But if you still need to do internal relay (correctly), you still need Exchange Server.

    • evepanics
      Copper Contributor

      Not really. Can do that with "other Tools". There's just no Microsoft alternative anymore after killing IISsmtp.

  • I am delighted hearing that, a long awaited feature for sure!

    Will that mean On-Prem will be blocked changing any attributes from various Exchange Mgmt Shell?

  • Walbert
    Copper Contributor

    Is this also working with shared mailboxes? They are already synced to the cloud but leave the user attribute on-premises.

  • Jpanski
    Brass Contributor

    Congratulations! Thank you for the hard work. Looking forward to this next evolution.

    Now we just need a solution for SMTP relay 🙂

    • kobid84
      Copper Contributor

      yep! this is the final stage.

      currently using linux-based postfix

      but also - looking for solution from MS

  • This is great news! Thank you for bringing such a needed feature to Exchange Online and hybrid identity.