Blog Post Shared by the Exchange Group
Headline: Microsoft Enforces Temporary Blocks on Exchange Web Services for Hybrid Customers Starting August 2025
In a move aimed at enhancing security and promoting the adoption of a dedicated Exchange hybrid app, Microsoft has announced a phased temporary block on Exchange Web Services (EWS) traffic using the legacy shared service principal. This enforcement begins on August 19, 2025, and continues through October of the same year, with some blocks becoming permanent after October 31.
Details
Starting from August 19, Microsoft will implement temporary blocks on EWS traffic that uses the shared service principal on specific dates:
- August 19–20, 2025 (2-day block)
- September 16–18, 2025 (3-day block)
- October 7–9, 2025 (3-day block)
After October 31, these blocks will become permanent for all EWS traffic using the shared service principal.
Impact
During these blocks, critical hybrid features relying on EWS communication between on-premises Exchange servers and Exchange Online will stop working, causing service interruptions for affected tenants. This affects organizations that have not migrated from the shared service principal to the new dedicated hybrid connectivity applications. Tenants that have already created and deployed the dedicated hybrid connectivity app will not experience service disruptions during these enforced blocks.
Required Customer Actions
- Install Security Updates: Deploy the April 2025 Exchange Server hotfix or any later version to all on-premises Exchange servers to patch the security vulnerability (CVE-2025-53786) underlying these blocks.
- Deploy Dedicated Hybrid App: Migrate from the shared service principal to tenant-specific dedicated hybrid connectivity applications using Microsoft-provided scripts. This application enables secure and modern authentication via Azure AD with Graph API for hybrid coexistence.
Failure to comply not only results in recurring temporary outages but also leads to a permanent service block after October 31, 2025. This enforcement is driven by a high-severity security vulnerability that allows potential lateral movement from compromised on-premises servers into cloud environments, making this update critical for maintaining hybrid security and service continuity.
Additional Information
- It is strongly recommended to use the provided script to remove any custom certificates from the shared "Office 365 Exchange Online" application.
- The updated Hybrid Configuration Wizard (HCW) creates a dedicated Exchange Hybrid Application in Microsoft Entra ID and enables OAuth-based trust for hybrid features.
- The dedicated Exchange hybrid app enables features like calendar availability lookup (free/busy), MailTips, and profile picture sharing between mailboxes hosted on Exchange Server and Exchange Online.
- After October 31, 2025, the use of the shared service principal will be permanently blocked, and the above-mentioned hybrid features will stop working if the dedicated app is not configured.
- Organizations that have previously completed the Exchange Hybrid Configuration Wizard or followed the steps outlined in the "Configure OAuth authentication between Exchange and Exchange Online organizations" documentation have their organization certificate uploaded to the shared service principal.
- Exceptions will not be available for the temporary disruption to rich coexistence features starting in August 2025.
- The script to configure and enable the dedicated Exchange hybrid app feature does not depend on a specific version of Exchange being installed on-premises.
- EWS access to the shared service principal will be permanently blocked starting in October 2025.
- During blocked periods, free/busy lookups, MailTips, and profile picture sharing will not work for on-premises mailboxes when trying to work with Exchange Online mailboxes.
- HCW and the script both configure the dedicated Exchange hybrid app, but HCW cannot perform cleanup of the legacy shared service principal or automatically enable the feature on-premises.
- If you do not need rich hybrid coexistence features, you do not need to create the dedicated hybrid app. However, it is still strongly recommended to remove any custom certificates from the shared service principal using the provided script.
- Major updates to this blog post were made on August 7, 2025, including the addition of direct links to the ConfigureExchangeHybridApplication.ps1 script in the blog post and a clarification that customers who use rich coexistence should also use the script to remove any custom certificates from the shared "Office 365 Exchange Online" application.
- In April 2025, changes were announced for Exchange hybrid environments (Exchange Server Security Changes for Hybrid Deployments).
- If you've never run the Hybrid Configuration Wizard (HCW) and you've never followed the steps as outlined in the "Configure OAuth authentication between Exchange and Exchange Online organizations" documentation, there is no need to configure the dedicated Exchange hybrid application.
- The minimum Exchange Server versions that support the dedicated Exchange hybrid app are Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Subscription Edition (SE) RTM.
- Customers who have not updated their Exchange servers to a version that supports the dedicated Exchange hybrid app or created the dedicated app may experience temporary blocks in August, September, and October 2025.
- To continue using rich coexistence hybrid features, customers must update their Exchange servers to a version that supports the dedicated Exchange hybrid app, then either configure the dedicated Exchange hybrid app in Entra ID and enable their on-premises servers to use it, or run the updated Hybrid Configuration Wizard (HCW).
- To ensure seamless operations and avoid potential disruptions, organizations using an Exchange hybrid setup with Microsoft must migrate from the shared service principal to the new dedicated Exchange hybrid connectivity applications before October 2025, using the provided script, which enables secure and modern authentication via Azure AD with Graph API.
- Microsoft's new dedicated Exchange hybrid app enables essential features like calendar availability lookup (free/busy), MailTips, and profile picture sharing, thereby promoting security and service continuity in combined on-premises and cloud environments.
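The two customer actions above (update every on-premises server to a build that supports the dedicated hybrid app, and clear custom certificates off the shared "Office 365 Exchange Online" service principal) are easy to verify before the August block. The following PowerShell is an added example written for this page; it is not the ConfigureExchangeHybridApplication.ps1 script or any other Microsoft code. It assumes part one runs in the Exchange Management Shell and part two has the Microsoft.Graph.Applications module with Application.Read.All consent. The minimum build numbers (15.1.2507.6 for 2016 CU23, 15.2.1544.4 for 2019 CU14) are recalled from Microsoft's Exchange build-number table and should be checked against the current table, since the post requires the April 2025 hotfix or later on top of those CUs; the application ID 00000002-0000-0ff1-ce00-000000000000 is the well-known ID of the shared Office 365 Exchange Online application.

```powershell
# Added readiness checks for the dedicated Exchange hybrid app (example code, not
# Microsoft's). ASSUMPTION: the minimum builds below come from memory of Microsoft's
# build-number table; confirm them before relying on this output.
$MinimumBuilds = @{
    '15.1' = [version]'15.1.2507.6'   # Exchange 2016 CU23
    '15.2' = [version]'15.2.1544.4'   # Exchange 2019 CU14 (CU15 and SE RTM are higher builds)
}
# 15.0 (Exchange 2013) has no entry on purpose: it is not supported by the dedicated app.

function ConvertTo-ExchangeVersion {
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    # Get-ExchangeServer renders AdminDisplayVersion as "Version 15.2 (Build 1748.10)"
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])
    }
    throw "Unrecognised AdminDisplayVersion format: $AdminDisplayVersion"
}

function Test-HybridAppReadiness {
    # One object per server. Servers with Ready = $false lose free/busy, MailTips and
    # photo sharing as soon as EWS traffic on the shared principal is blocked.
    foreach ($server in Get-ExchangeServer) {
        $v   = ConvertTo-ExchangeVersion $server.AdminDisplayVersion.ToString()
        $min = $MinimumBuilds["$($v.Major).$($v.Minor)"]
        [pscustomobject]@{
            Server  = $server.Name
            Version = $v
            Minimum = $min
            Ready   = ($null -ne $min) -and ($v -ge $min)
        }
    }
}

function Get-SharedPrincipalCustomCertificate {
    # Lists certificates (key credentials) still attached to the shared
    # "Office 365 Exchange Online" service principal in the tenant. Any row returned
    # is an organisation certificate the post says to remove with the provided script.
    Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
    $sp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
    foreach ($kc in $sp.KeyCredentials) {
        [pscustomobject]@{
            DisplayName = $kc.DisplayName
            Type        = $kc.Type
            Usage       = $kc.Usage
            NotAfter    = $kc.EndDateTime
            KeyId       = $kc.KeyId
        }
    }
}

# Part 1: on-premises build check (Exchange Management Shell)
Test-HybridAppReadiness | Format-Table -AutoSize
# Part 2: leftover certificates on the shared service principal (Microsoft Graph)
Get-SharedPrincipalCustomCertificate | Format-Table -AutoSize
```

An empty result from the second function, together with every server reporting Ready = $true, is the state the post describes for tenants that will not be affected by the block windows; a non-empty result means the shared principal still carries a credential that the enforcement is designed to retire.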