Exchange Server Security Changes: What's New for Hybrid Deployments?

Microsoft is introducing updates to improve the security of Exchange Server hybrid deployments, aligning with the Secure Future Initiative (SFI). These changes focus on enhanced protection and modernized functionality for hybrid configurations that utilize features like Free/Busy lookups, MailTips, and profile picture sharing—collectively known as "rich coexistence."

Key Security Changes

1. Transitioning to a Dedicated Exchange Hybrid Application
Exchange Server hybrid deployments have historically relied on a shared service principal for authentication. Starting with the April 2025 Hotfix Update (HU), Microsoft will transition to a dedicated Exchange hybrid application in Entra ID. By October 2025, all hybrid deployments must switch to this dedicated application, as Exchange Online will no longer support shared service principals.

Administrators need to implement the dedicated Exchange hybrid app by either running the provided PowerShell script or using an updated version of the Hybrid Configuration Wizard (HCW) when it becomes available.

2. Transitioning from EWS Calls to Microsoft Graph API
Exchange Web Services (EWS) in Exchange Online is being retired. To maintain hybrid functionality, Exchange Server will support REST-based Microsoft Graph API calls as a replacement. Updates for Exchange Server SE (Subscription Edition), 2019, and 2016, releasing in Q3 2025, will incorporate this feature. Organizations must switch to Microsoft Graph API by October 2026 to ensure continued functionality.

The dedicated Exchange hybrid application will also adopt more granular Microsoft Graph API permissions, further enhancing security.

Actions to Take
Organizations using Exchange hybrid deployments need to act:

  1. Switch to the dedicated Exchange hybrid application before October 2025. Configure the app using the April 2025 Update and PowerShell script or await the updated HCW in Q2 2025.
  2. Adopt Graph API calls before October 2026. Install the required Exchange updates and update the app's permissions to align with the new Graph API model.

Failure to implement these changes on time could disrupt rich coexistence features, such as Free/Busy lookups and profile picture sharing.

Timeline & Milestones

| Milestone | Timeline | Impact |
|---|---|---|
| Release of Exchange Server April 2025 HU and dedicated app configuration script | April 2025 (Available now) | Allows creation of the dedicated Exchange hybrid app |
| Updated Hybrid Configuration Wizard (HCW) for App Configuration | Q2 2025 | Facilitates app setup (alternative to the script) |
| Exchange Server Update Supporting Graph API | Q3 2025 | Enables Microsoft Graph API for hybrid configurations |
| Retirement of Shared Service Principal | October 2025 | Ends support for shared service principal in Exchange Online |
| EWS Retirement in Exchange Online | October 2026 | Requires use of Graph API for rich coexistence |

Conclusion
Helient strongly recommends that customers review their Exchange hybrid configurations and plan around these milestone dates to avoid potential disruptions to their Exchange hybrid environments as they continue to migrate to the cloud. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.