Helient Blog

Exchange Server Security Changes: What's New for Hybrid Deployments?

Written by Justin Gorgacz | May 2, 2025 2:33:08 PM

Microsoft is introducing updates to improve the security of Exchange Server hybrid deployments, aligning with the Secure Future Initiative (SFI). These changes focus on enhanced protection and modernized functionality for hybrid configurations that utilize features like Free/Busy lookups, MailTips, and profile picture sharing—collectively known as "rich coexistence."

Key Security Changes

1. Transitioning to a Dedicated Exchange Hybrid Application
Exchange Server hybrid deployments have historically relied on a shared service principal for authentication. Starting with the April 2025 Update (HU), Microsoft will transition to a dedicated Exchange hybrid application in Entra ID. By October 2025, all hybrid deployments must switch to this dedicated application, as Exchange Online will no longer support shared service principals.

Administrators need to implement the dedicated Exchange hybrid app by either running the provided PowerShell script or using an updated version of the Hybrid Configuration Wizard (HCW) when it becomes available.

2. Transitioning from EWS Calls to Microsoft Graph API
Exchange Web Services (EWS) in Exchange Online is being retired. To maintain hybrid functionality, Exchange Server will support REST-based Microsoft Graph API calls as a replacement. Updates for Exchange Server SE (Subscription Edition), 2019, and 2016, releasing in Q3 2025, will incorporate this feature. Organizations must switch to Microsoft Graph API by October 2026 to ensure continued functionality.

The dedicated Exchange hybrid application will also adopt more granular Microsoft Graph API permissions, further enhancing security.

Actions to Take
Organizations using Exchange hybrid deployments need to act:

  1. Switch to the dedicated Exchange hybrid application before October 2025. Configure the app using the April 2025 Update and PowerShell script or await the updated HCW in Q2 2025.
  2. Adopt Graph API calls before October 2026. Install the required Exchange updates and update the app's permissions to align with the new Graph API model.

Failure to implement these changes on time could disrupt rich coexistence features, such as Free/Busy lookups and profile picture sharing.

Timeline & Milestones

Milestone Timeline Impact

Release of Exchange Server April 2025 HU and dedicated app configuration script

April 2025 (Available now)

Allows creation of the dedicated Exchange hybrid app

Updated Hybrid Configuration Wizard (HCW) for App Configuration

Q2 2025

Facilitates app setup (alternative to the script)

Exchange Server Update Supporting Graph API

Q3 2025

Enables Microsoft Graph API for hybrid configurations

Retirement of Shared Service Principal

October 2025

Ends support for shared service principal in Exchange Online

EWS Retirement in Exchange Online

October 2026

Requires use of Graph API for rich coexistence

 

Conclusion
Helient strongly recommends customers to review their Exchange Hybrid Configurations and plan for milestone times to avoid potential disruptions to Exchange Hybrid Environments as you continue to migrate to the cloud. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.

 

 

 
View full post