‘Last Exchange Server’ Scenario Feedback

For me, the documentation has been pretty good. There were a couple of commands I had to adapt for our environment related to oAuth.

Using the EMT has been fine for us, so I am going through the permanent shutdown process - there's an error in the PowerShell commands in the documentation related to finding the KeyId (Step 5b) for oAuth.

The $true I don't think is supposed to be there, and I suspect $.Value no longer exists as Get-member doesn't show that attribute and there's also a syntax error related to brackets.

Question #3 (how many mailboxes in your on-premises environment) does not have 0 as a possible answer, although question 5 seems to acknowledge the case of a server for doing recipient-management only.  It has been unclear to me if we need to remain in hybrid mode, now that all of our mailboxes are moved to the cloud, when we are still using on-prem AD as the identity source.  I would like to eliminate the hybrid connectors, as the certificate used on those is creating issues for us because the same certificate is also used on other email-sending devices, but I have been afraid undoing it would break something.  I would appreciate an article that clarifies whether the hybrid configuration and connectors can be removed as an initial step toward removing the on-prem server altogether, or if that cleanup can only happen more-or-less simultaneously with removal of the on-prem server.

Are the results of this survey going to be made available to the public?  Thank you.

StephanGee SMTP in IIS is deprecated since 2012 and the feature is removed in Windows Server 2022 completely - this is not a solution at all for secure environments.

We solved the SMTP Relay with 1 IIS Server with SMTP Role installed and scoped on IPs

Works great (for printers that send PDF scans)

All other tasks are done by scripting and automation. We will get rid of it this year.

We are currently utilizing the Exchange Admin Center on-premises for our desktop team to create, modify and delete users.  It is nice to have a clean, simple web interface for their whole team to use.  As mentioned in one of the previous comments, we are also utilizing an Email Address Policy to ensure standardized email addresses.  Ideally - there could be an installable version of ONLY the Recipient portion of the Exchange Admin Center to still provide that inferface on-premises.

SMTP relay is a big one for us.

You really need to make the whole process for de-comissioning the last exchange server much easier. You have to go through a thousand steps 

DustinDortch 

"If you're looking to remove the last Exchange Server and you're still maintaining Hybrid Identity, you're not the "average" customer, in that situation."
I don't know if thats true. At least from what i've seen, the majority of the customers want's to either get proper access to Teams/SharePoint, or they want to get rid of their Exchange Server. Most of them are very disappointed when all mailboxes are migrated and i say: "Yes we can remove the Exchange server but...". Most of them use 3rd party Software which needs a local AD. Yes, in a perfect world the software would be able to use the Azure AD but thats not always possible. I've migrated around 40 customers to Exchange Online, 2 of them are Azure only, 2 of them have the Exchange Management Tools, around 6 or 7 had no Exchange before, but most of them still have one even if they don't want it.

"If you want an ECP and still also need SMTP relay, then not eliminating your last Exchange Server is really the way to go."
Exchange is way too huge for these two things. There are 3rd party GUI solutions for the Exchange Management Tools, even the 3rd party integration into the AD directly (Easy265Manager). You could even adjust it with ADSI Edit only, but no we should get a full server for this task? I think Microsoft could write a tool for that in 2 weeks which replaces the local ECP standalone. Same thing for Mail relay, the GraphAPI is so good, creating an SMTP Server which accepts unauthenticated SMTP locally from whitelisted IPs and pushing the mails through the GraphAPI should be possible for one of the biggest companys in the world.

I accept your answer regarding the sync back to the AD since this is definitly not so easy. But there is device, group and password writeback, i see no reason why it's not possible to write back a user aswell. This would eliminate the need of a local ECP aswell. When you need to move the user from some sync OU to the destination OU, that would be a manual task which is way faster for some customers.

To finish this: I have no problem on how it is, but a lot of my customers don't like it, and there is 3rd party software which solves all problems. I think Microsoft could copy/buy these within a few months instead of forcing customers to Azure only while not everything is possible there.

100% SMTP Relay. Relaying to Office 365 is (1) Just too cumbersome because every device and app might have different capabilities for relay, and (2) why would I allow and continue to manage hundreds of outbound IPs on my firewall to lock down port 25 when I can use a known set of Exchange Server IPs?