Hybrid Agent and Root Certificate Changes
Published Oct 22 2020 11:34 PM

You may have already seen this message from the Azure team, but given this impacts customers who use the Exchange Hybrid Agent, we just wanted to make sure those following this blog also were aware of this news.

Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. 

This change ONLY impacts Azure AD hybrid agents installed on-premises in hardened environments that pin a fixed list of trusted root certificates; those hosts need to be updated to trust the new certificate issuers.

This change will result in disruption of service if proper action is not taken. 

These agents include Application Proxy connectors (which includes the Exchange Hybrid Agent, which you will have if you are running Modern Hybrid) for remote access to on-premises resources, Pass-through Authentication agents that allow your users to sign in to applications using the same passwords, and Cloud Provisioning Preview agents that perform AD to Azure AD sync.

Required Action

If you have an environment where firewall rules are set to allow outbound calls to only specific Certificate Revocation List (CRL) download and/or Online Certificate Status Protocol (OCSP) verification locations, you will need to allow the following CRL and OCSP URLs:

If your environment allows access to the URLs above, no action is needed.

If you already completed the required actions based on prior instructions, no further action is needed.

If your environment doesn't allow access to the URLs, consider allowing temporary access. This enables the Site Recovery configuration server/process server (VMware/physical machine replication), or Hyper-V host servers/VMM servers, to automatically update certificates once the update is available in your region. After the update you can turn off access to the URLs.

If your environment doesn't allow access and you don't want to enable temporary access, then follow these steps to manually install certificates on the relevant servers. You don't need to do anything on replicated machines.
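As an added example (not part of the Exchange Team post or the Azure notice), the following PowerShell check can be run on an agent host to tell the two failure modes described above apart: a root store that does not yet trust the new issuer, or egress rules that block the CRL/OCSP locations. The endpoint name is an assumption you supply; it should be whichever Azure service endpoint your agent connects to.

```powershell
# Added example, not Microsoft's code. Captures the TLS certificate an Azure endpoint presents,
# lists the CRL/OCSP URLs in it, and builds the chain with online revocation checking.
param(
    [string]$Endpoint = '<azure-endpoint-your-agent-uses>',   # ASSUMPTION: placeholder, supply your own
    [int]$Port = 443
)

# Open a TLS session only to capture the server certificate; validation is done by X509Chain below.
$client = New-Object System.Net.Sockets.TcpClient($Endpoint, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($Endpoint)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# CRL Distribution Points (2.5.29.31) and Authority Information Access (1.3.6.1.5.5.7.1.1, OCSP)
# are the revocation-check locations a restrictive egress policy must allow.
foreach ($ext in $leaf.Extensions) {
    if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
        [regex]::Matches($ext.Format($true), 'https?://\S+') |
            ForEach-Object { '{0}: {1}' -f $ext.Oid.FriendlyName, $_.Value }
    }
}

# Build the chain the way the agent's TLS stack would: online revocation for the entire chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$ok = $chain.Build($leaf)

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
'Root presented: {0}' -f $root.Subject
$statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

if ($ok) {
    'Chain OK: root is trusted on this host and revocation status was obtained.'
} elseif ($statusText -match 'UntrustedRoot|PartialChain') {
    'FAIL: root not trusted on this host. Import the new root CA into LocalMachine\Root (manual install path above).'
} elseif ($statusText -match 'RevocationStatusUnknown|OfflineRevocation') {
    'FAIL: revocation check could not complete. Allow the CRL/OCSP URLs listed above through the firewall.'
} else {
    'FAIL: ' + $statusText
}
```

Run it before and after the change window; a host that reports UntrustedRoot still needs the new root imported, while one that reports RevocationStatusUnknown has the root but cannot reach the revocation endpoints.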

We recommend you make these changes as soon as possible to avoid service disruption.

For full details on the change and the steps to take, see Azure TLS certificate changes.

The Exchange Team


Version history: last updated Nov 05 2020 08:05 AM