Blog Post By Exchange Team
The Exchange Team has announced significant changes aimed at enhancing the security of Exchange Server hybrid deployments. The transition replaces the shared "Office 365 Exchange Online" service principal (application ID "00000002-0ff1-ce00-0000-000000000000") with a tenant-specific, dedicated Exchange hybrid application.
For Exchange Server hybrid customers requiring rich coexistence, the transition to using this dedicated Exchange hybrid application along with the Microsoft Graph API by October 2026 involves several critical steps.
Step 1: Install April 2025 Update Rollup (HU) on Exchange Server
Customers must apply the April 2025 HU or newer on their Exchange Server 2019/2016 to maintain rich coexistence hybrid functionality. This update is mandatory for continued compatibility with Exchange Online hybrid features.
Step 2: Create a Tenant-Specific Dedicated Exchange Hybrid Application in Entra ID
Microsoft requires each hybrid tenant to create a dedicated hybrid connectivity app (an Entra ID app) using a Microsoft-provided script. This app holds the necessary permissions allowing Exchange Online to broker mailbox data access for features like free/busy, MailTips, and user photos.
Step 3: Run the ConfigureExchangeHybridApplication.ps1 Script
This PowerShell script must be run with an account that has the Application Administrator role in Entra ID to:
- Fully configure the dedicated hybrid app and assign correct permissions (initially EWS, later Graph API).
- Clean up legacy credentials and reset the shared service principal key credential.
- Replace all legacy hybrid authentication components with the new dedicated hybrid application credentials.
Step 4: Switch to Using Microsoft Graph API
By October 31, 2025, Microsoft permanently blocks the use of shared service principal configurations, meaning hybrid functionality requires the dedicated app. Starting then and continuing through October 2026, the environment will transition from EWS calls to exclusively using Microsoft Graph API requests for hybrid features.
Step 5: Monitor and Validate the Transition
Administrators should monitor audit logs and verify that the dedicated app is actively being used by hybrid services. Use the Hybrid Configuration Wizard (HCW) where applicable to facilitate setup and switchover.
Step 6: Prepare for Full Enforcement by October 2026
Ensure all hybrid coexistence features work fully with the dedicated hybrid app and Microsoft Graph API by October 1, 2026, when EWS is fully deprecated for hybrid API calls. Organizations not compliant by then will suffer feature breakage in hybrid environments.
The Hybrid Configuration Wizard (HCW) has been updated to support the creation of dedicated Exchange hybrid apps. Installing the April HU is not required if the script is used only to clean up the shared service principal.
For organizations that have ever run and completed the Exchange Hybrid Configuration Wizard (HCW), or that followed the steps in the "Configure OAuth authentication between Exchange and Exchange Online organizations" documentation, Microsoft strongly recommends using the provided script to remove the organization certificate from the shared "Office 365 Exchange Online" application.
The transition to Microsoft Graph requires the dedicated Exchange hybrid app and will not affect the EWS API availability in Exchange Server (on-premises). There is a FAQ about multi-forest on-premises configuration in the feature documentation, as well as a FAQ about renaming the dedicated hybrid app.
These changes are part of Microsoft's Secure Future Initiative (SFI) prioritizing security. Customers who require rich coexistence between users with on-premises mailboxes and users who have Exchange Online mailboxes must switch to using the dedicated hybrid app before October 2025 and then switch their hybrid to using Graph API before October 2026.
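The following read-only validation script is an added example for Step 5 ("Monitor and Validate the Transition") and for the shared-application cleanup recommendation above. It is not Microsoft's ConfigureExchangeHybridApplication.ps1 and not code from the blog post. It assumes it is run in the Exchange Management Shell on an on-premises server, that the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read applications (Application.Read.All), that $DedicatedAppId is the app ID of your tenant's dedicated hybrid app, and that $MinimumBuild is a placeholder to be replaced with the April 2025 HU build number for your CU from Microsoft's build table. The setting-override name pattern in check 3 is an assumption as well.

```powershell
<#
  Added validation example (not Microsoft's script, not from the blog post).
  Read-only: it reports findings and changes nothing on-premises or in the tenant.
#>
param(
    # App ID of YOUR tenant's dedicated hybrid app (placeholder; take it from the
    # output of Microsoft's ConfigureExchangeHybridApplication.ps1 run).
    [Parameter(Mandatory)] [string]$DedicatedAppId,

    # PLACEHOLDER: replace with the April 2025 HU build for your CU
    # from Microsoft's Exchange Server build-number table.
    [version]$MinimumBuild = [version]'15.2.0.0',

    # Shared "Office 365 Exchange Online" application ID (from the post).
    [string]$SharedAppId = '00000002-0ff1-ce00-0000-000000000000'
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- Check 1 (Step 1): every on-premises server runs the April 2025 HU or newer ---
foreach ($srv in Get-ExchangeServer) {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1748.24)"; parse it.
    if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        if ($build -lt $MinimumBuild) {
            $findings.Add("Server $($srv.Name) is at $build, below required $MinimumBuild.")
        }
    }
    else {
        $findings.Add("Server $($srv.Name): could not parse version '$($srv.AdminDisplayVersion)'.")
    }
}

# --- Check 2 (Step 3): the Entra ID auth server references the dedicated app ---
# No property name is assumed: any string-valued property equal to the app ID counts.
$azureAuth = Get-AuthServer | Where-Object { $_.Type -eq 'AzureAD' }
if (-not $azureAuth) {
    $findings.Add('No AuthServer of type AzureAD found; OAuth to Exchange Online is not configured.')
}
else {
    $refs = $azureAuth | ForEach-Object {
        $_.PSObject.Properties | Where-Object { "$($_.Value)" -eq $DedicatedAppId }
    }
    if (-not $refs) {
        $findings.Add("No AzureAD AuthServer property references dedicated app $DedicatedAppId.")
    }
}

# --- Check 3 (Step 3): a setting override for the hybrid app exists ---
# ASSUMPTION: the override created by Microsoft's script has 'HybridApplication' in its name.
$override = Get-SettingOverride | Where-Object { $_.Name -like '*HybridApplication*' }
if (-not $override) {
    $findings.Add('No setting override matching *HybridApplication* found; verify the script completed.')
}

# --- Check 4 (Step 2 and shared-app cleanup): tenant side, read-only via Microsoft Graph ---
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome | Out-Null

$dedicated = Get-MgServicePrincipal -Filter "appId eq '$DedicatedAppId'"
if (-not $dedicated) {
    $findings.Add("No service principal with appId $DedicatedAppId exists in the tenant.")
}

# The post recommends removing the organization certificate from the shared app;
# any key credential still attached to the shared service principal needs review.
$shared = Get-MgServicePrincipal -Filter "appId eq '$SharedAppId'"
if ($shared -and $shared.KeyCredentials.Count -gt 0) {
    foreach ($kc in $shared.KeyCredentials) {
        $findings.Add("Shared app still holds key credential '$($kc.DisplayName)' " +
                      "(KeyId $($kc.KeyId), expires $($kc.EndDateTime)); run Microsoft's cleanup script.")
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Host 'All checks passed: dedicated hybrid app is in place and the shared app holds no leftover credentials.'
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once after the migration script completes and again after the October 2025 and October 2026 cutovers; checks 2 and 4 are the ones that change meaning across those dates, since a shared-app credential that is harmless today becomes a non-functional leftover once the shared service principal is blocked.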
- To maintain rich coexistence between on-premises and cloud-based Exchange environments, organizations running Exchange Server need to install the April 2025 Update Rollup (HU) or a newer version on their Exchange Server 2019/2016.
- For seamless integration with Exchange Online hybrid features, Exchange Server hybrid customers must create a tenant-specific, dedicated Exchange Hybrid Application in Entra ID using a Microsoft-provided script, and then run the ConfigureExchangeHybridApplication.ps1 script to configure the app and assign necessary permissions for the Microsoft Graph API.