The maximum certificate lifetime is going down:
- From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
- As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
- As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
The Microsoft procedure to update the TLS certificate is very manual.
We are Hybrid, with all mailboxes in the cloud. We are planning on removing mail relay from our Exchange servers within 12 months. All that will remain is the ability to update user and DL properties such as email addresses. When is Microsoft going to allow Hybrid customers the ability to remove on-prem Exchange servers entirely?
Following this procedure every month is not sustainable. It is not just the commands (they can be scripted to make it easier), but you need to raise a purchase order through Finance, order the new certificate from your certificate provider, and download it once it has been approved. Then finally you can run the commands to install it.
The process needs to be changed by Microsoft to accommodate the changes to TLS certificate lifetime.