Microsoft’s August 2025 hotfixes for Skype for Business Server introduce a security-first change that will force organizations with hybrid deployments to act quickly: a new, customer-managed Dedicated Hybrid Application model replaces the long-standing Microsoft-managed shared service principal for Exchange Online integration, and failure to adopt it will degrade or disable hybrid features — with a hard functional cutoff looming in mid-October 2025 that also affects the Skype Meetings Application.

Background

For years, on-premises Skype for Business Server environments that integrated with Exchange Online relied on a Microsoft-managed, shared service principal and Exchange Web Services (EWS) access to provide hybrid features such as archiving to Exchange Online, calendar-based presence (free/busy), and profile picture synchronization. In light of security concerns in hybrid architectures, Microsoft has moved to a model where each customer creates and manages a dedicated application in their Microsoft Entra ID tenant — the Dedicated Hybrid Application — for secure, auditable, and private authentication between on-premises Skype for Business components and Exchange Online.
The change is being driven by a larger security hardening effort across Microsoft’s hybrid products that includes temporary enforcement actions and the rollout of updated Hybrid Configuration Wizards. Microsoft has published Hotfix Updates (HUs) for supported Skype for Business Server versions in August 2025 to enable support for this dedicated app model, and administrators are being urged to implement the new configuration immediately to avoid interruption of hybrid functionality.

What changed: Dedicated Hybrid Application explained

Why the change matters

The previous shared service principal model centralized access under Microsoft-managed credentials. While simple for customers, that model created a trust surface that could be abused in complex hybrid topologies. The Dedicated Hybrid Application model reduces risk by:
  • Removing reliance on a multi-tenant, shared identity controlled by Microsoft.
  • Giving each organization control over the app identity and credentials inside their own Entra ID tenant.
  • Improving auditability, credential lifecycle management, and the ability to apply Conditional Access and other tenant-level security controls.
  • Enabling Microsoft to phase out legacy shared-principal access and impose temporary blocks until customers migrate.
This is not a cosmetic change: hybrid features that depend on EWS and the shared identity will stop working unless the new model is implemented and the August 2025 HUs are installed on the respective Skype for Business Server installations.

Supported server builds and minimum versions

Microsoft’s August 2025 hotfix release introduces minimum builds that enable Dedicated Hybrid Application support. The minimum supported builds are:
  • Skype for Business Server 2015 — minimum build 6.0.9319.881
  • Skype for Business Server 2019 — minimum build 7.0.2046.553
  • Skype for Business Server Subscription Edition (SE) — minimum build 7.0.2046.820
Administrators must ensure their servers meet or exceed these builds before proceeding with Dedicated Hybrid Application configuration.
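As an added example (not Microsoft's or the article's own code), the following PowerShell, run from the Skype for Business Server Management Shell, compares the component versions reported by Get-CsServerPatchVersion against the minimum builds listed above. It assumes that cmdlet's output exposes ComponentName and Version properties, and the hostnames are placeholders for your own Front End and Edge servers.

```powershell
# Added example: compare installed Skype for Business Server components against the
# August 2025 minimum builds. Not Microsoft's or the article's own code.
# Assumes Get-CsServerPatchVersion (Skype for Business Server Management Shell)
# returns objects with ComponentName and Version properties.

# Minimum builds from the hotfix release, keyed by product line.
$MinimumBuild = @{
    '2015' = [version]'6.0.9319.881'   # Skype for Business Server 2015
    '2019' = [version]'7.0.2046.553'   # Skype for Business Server 2019
    'SE'   = [version]'7.0.2046.820'   # Subscription Edition
}

function Test-SfbMinimumBuild {
    <#
    .SYNOPSIS
    Reports, per installed component, whether a server meets the minimum build
    required for Dedicated Hybrid Application support.
    #>
    param(
        [Parameter(Mandatory)][ValidateSet('2015', '2019', 'SE')][string]$Product,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $required = $MinimumBuild[$Product]

    # Query locally or over WinRM; the SfB module is present on every SfB server.
    $components = if ($ComputerName -eq $env:COMPUTERNAME) {
        Get-CsServerPatchVersion
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-CsServerPatchVersion }
    }

    foreach ($component in $components) {
        # Cast to [version]: '7.0.2046.553' compares correctly as a version, not as a string.
        $installed = [version]$component.Version
        [pscustomobject]@{
            Computer  = $ComputerName
            Component = $component.ComponentName
            Installed = $installed
            Required  = $required
            Meets     = ($installed -ge $required)
        }
    }
}

# Placeholder hostnames: replace with your Front End and Edge servers.
$servers = 'sfb-fe01', 'sfb-fe02', 'sfb-edge01'
$report  = $servers | ForEach-Object { Test-SfbMinimumBuild -Product '2019' -ComputerName $_ }

# Anything below the minimum is what blocks Dedicated Hybrid Application configuration.
$report | Where-Object { -not $_.Meets } | Format-Table -AutoSize
```

Not every component is revised in every hotfix, so an older version on a peripheral component does not by itself prove the August package is missing; the Core Components entry is normally revised with each update and is the best single indicator of the installed build.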

Immediate operational impact and timelines

Functional cutoff windows and temporary enforcements

Microsoft has signaled a phased enforcement strategy: starting in August 2025, temporary EWS traffic blocks may be applied to the Exchange Online shared service principal to accelerate customer adoption of the dedicated hybrid app. These temporary blocks are intended to create short disruptions that prompt action before a permanent cutoff. A critical date for admins is October 15, 2025 — after this date the Skype Meetings Application and other hybrid capabilities may not function correctly unless the hotfixes and configuration changes are in place.
Because Microsoft also published end-of-support (EOS) milestones for Skype for Business Server 2015 and 2019 — and introduced an Extended Security Update (ESU) program to offer limited additional security coverage for customers who need more time — organizations that are still on older builds face a compressed window to upgrade, apply hotfixes, and implement the dedicated app.

Extended Security Update option

For organizations that cannot complete migration or configuration changes prior to EOS, a one-time ESU program is available for qualifying customers. The ESU provides critical and important security updates for a limited period beyond EOS and must be procured through Microsoft account teams. ESU coverage is not a substitute for implementing the dedicated hybrid app; it is a stop-gap intended strictly for security updates.

What IT administrators must do now — prioritized checklist

Below is a practical, prioritized checklist for IT teams responsible for Skype for Business Server hybrid deployments. Treat this as an operational playbook that can be adapted to your change control processes.
  • Inventory and assess
      • Identify all Skype for Business Server instances and record versions and build numbers.
      • Identify the hybrid features in use that depend on Exchange Online integration (archiving, calendar presence, profile photos, MailTips).
      • Document any integrations that use EWS or the shared service principal.
  • Backup and change windows
      • Schedule maintenance windows and back up configuration and database state.
      • Notify stakeholders that hybrid features may be briefly disrupted during configuration and HU installation.
  • Install required hotfix updates
      • Bring Skype for Business servers to at least the minimum builds listed above.
      • Apply the August 2025 hotfix updates appropriate to each server role (Core, Front End, Edge, Web Components, Enterprise Web App).
      • For Skype for Business Server 2015, obtain the CU13 update packages before proceeding.
  • Configure a Dedicated Hybrid Application in Entra ID
      • Create a new application registration in your Microsoft Entra ID tenant for the Skype for Business hybrid integration.
      • Grant only the delegated and application permissions the configuration guidance requires, and grant tenant-wide admin consent under your change-control rules.
      • Update your hybrid configuration (Hybrid Configuration Wizard or manual steps) to reference the new app and its credentials.
  • Run post-update scripts and validate
      • On Skype for Business Server 2015, run add_sfbassets.ps1 (or the specific script recommended after HU installation) so the Skype Meetings Application assets are updated correctly.
      • Validate hybrid features end to end: calendar lookups, archiving to Exchange Online, profile photo sync, and Skype Meetings client behavior.
  • Harden and monitor
      • Rotate and securely store the application secrets or certificates used by the Dedicated Hybrid Application.
      • Apply Conditional Access, logging, and least-privilege principles to the new app registration.
      • Monitor server logs, EWS traffic, and Microsoft 365 audit trails for unexpected behavior.
  • Contingency planning
      • If the dedicated app cannot be implemented before the October enforcement window, engage your Microsoft account team about ESU options and track the schedule for temporary EWS blocks.
      • Prepare rollback steps for any configuration change that causes service degradation.

How the change affects Skype Meetings Application

The August hotfix release also includes updates specifically for the Skype Meetings Application. Microsoft warns that the application may not function correctly after October 15, 2025 unless the required hotfixes and post-update actions are completed.
For administrators of Skype for Business Server 2015, an additional manual step is required: run the vendor-supplied add_sfbassets.ps1 script after the hotfix install to refresh web assets used by the Skype Meetings Application. Failure to run this script can leave meeting join flows broken for attendees using the Skype Meetings App.
Administrators should test meeting joins from multiple endpoints (Windows, macOS, mobile, web) after applying updates and running scripts. If the Skype Meetings Application is in active use by external participants, update communication to stakeholders and provide fallback join options (browser-based join or Teams redirection if applicable).

Security perspective: strengths and remaining risks

Clear security wins

  • Tenant-controlled identity: The Dedicated Hybrid Application model returns control to the customer’s Entra ID tenant, enabling better credential governance and tenant-level security policies.
  • Auditability: Customer-managed app registrations improve logging and allow security teams to monitor and alert on unusual authentication or token usage.
  • Least privilege: Administrators can grant the minimum required permissions to the dedicated app and remove broad, shared trust relationships.
  • Mitigation of a known risk class: The change removes the hybrid authentication exposure that comes from an identity shared across every tenant and from broad EWS trust assumptions, a class of weakness that has produced real vulnerabilities in hybrid products.

Remaining or introduced risks

  • Implementation complexity: Creating and configuring a dedicated app, granting the right permissions, and updating hybrid components introduces operational complexity and room for misconfiguration.
  • Credential management: Customer-managed app secrets or certificates become additional secrets to protect. Poor secret rotation or storage practice could undermine security gains.
  • Temporary service disruption: The phased enforcement and temporary EWS blocks may cause intermittent disruptions during the August–October enforcement window if organizations delay action.
  • Compatibility and legacy scripts: Older management scripts or third-party integrations that implicitly relied on the shared principal may require updates.
  • Human error: If the new app is mis-permissioned (over-permissioned or under-permissioned), either security guarantees are reduced or hybrid features will fail.

Real-world operational pitfalls and mitigation

Pitfall: Missing the October 15 functional cutoff

Mitigation: Prioritize hotfix installation and dedicated app configuration now; do not assume a grace period. Use test tenants or pilot groups to validate before tenant-wide rollout.

Pitfall: Misconfigured Entra app permissions

Mitigation: Follow Microsoft’s documented permission sets exactly; grant only required privileges and use tenant-level admin consent per change-control rules.

Pitfall: Secrets leaked or not rotated

Mitigation: Use certificate-based authentication where supported, rotate secrets on schedule, and store secrets in a secure vault (e.g., Azure Key Vault or equivalent).

Pitfall: Third-party integrations fail silently

Mitigation: Audit all integrations that call EWS or rely on Exchange hybrid features and update their authentication flows to use the new dedicated app where applicable.

Pitfall: Administrators overwhelmed by simultaneous EOS and dedicated-app migration

Mitigation: If migration time is insufficient, engage Microsoft account teams to discuss ESU options and create a staged upgrade plan; treat ESU as a last-resort safety net, not a migration plan.

Technical how-to (high-level): creating the Dedicated Hybrid Application

The precise commands and UI screens vary between tenants and Microsoft updates, but the high-level steps are:
  • In the Microsoft Entra ID admin center, register a new application (App registrations → New registration).
  • Note the Application (client) ID and Directory (tenant) ID.
  • Create a client secret or upload a certificate and securely record the secret’s expiration.
  • Under API permissions, add the minimal Exchange/Graph permissions required by the Skype for Business hybrid integration (as described in the official configuration guidance).
  • Grant tenant admin consent for the permissions.
  • Run the updated Hybrid Configuration Wizard or follow the product-specific instructions to point Skype for Business Server at the dedicated app credentials.
  • Confirm that tokens issued to the dedicated app are accepted by Exchange Online by performing test hybrid operations (presence lookups, archiving, etc.).
  • Remove or rotate the shared service principal credentials per guidance if still present and no longer required.
Note: Many organizations prefer certificate-based authentication for machine-to-service scenarios to avoid dealing with expiring client secrets. Where supported, certificates provide stronger assurance and simpler rotation procedures.
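The steps above, as an added example in Microsoft Graph PowerShell (not Microsoft's or the article's own code): it registers a single-tenant application with a certificate credential rather than a client secret, creates its service principal, records the identifiers the hybrid configuration needs, and adds a credential-hygiene check suitable for a scheduled job. It assumes the Microsoft.Graph module and an administrator who can create app registrations; the display name, certificate subject and one-year validity are placeholders. The API permissions and the admin-consent step are deliberately left to Microsoft's configuration guidance rather than guessed here.

```powershell
# Added example: certificate-based app registration for the Skype for Business hybrid
# integration plus a credential audit. Not Microsoft's or the article's own code.
# Assumes the Microsoft.Graph PowerShell SDK. Names and validity period are placeholders.
# The API permissions are NOT hard-coded: add the set from Microsoft's configuration
# guidance with Update-MgApplication -RequiredResourceAccess, then grant admin consent.

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# 1. Certificate for machine-to-service authentication (preferred over client secrets).
#    The private key stays non-exportable in the machine store of the server that will
#    authenticate; only the public certificate is uploaded to Entra ID.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=SfB-Dedicated-Hybrid-App' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Single-tenant registration (AzureADMyOrg) carrying only the public key.
$keyCredential = @{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = $cert.GetRawCertData()   # DER-encoded public certificate, no private key
    DisplayName = $cert.Subject
}
$app = New-MgApplication `
    -DisplayName 'Skype for Business Dedicated Hybrid Application' `
    -SignInAudience 'AzureADMyOrg' `
    -KeyCredentials @($keyCredential)

# The service principal is the tenant-local identity that Conditional Access policies
# and sign-in logs reference; the app registration alone is not enough.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Values the Hybrid Configuration Wizard / on-premises steps and the runbook need.
[pscustomobject]@{
    ApplicationId = $app.AppId
    ObjectId      = $app.Id
    TenantId      = (Get-MgContext).TenantId
    Thumbprint    = $cert.Thumbprint
    CertExpires   = $cert.NotAfter
}

# 3. Credential hygiene check: flags client secrets (which should not exist on this app)
#    and certificates that are expired or within the warning window.
function Test-HybridAppCredentials {
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId,
        [int]$WarnDays = 30
    )
    $a = Get-MgApplication -ApplicationId $ApplicationObjectId `
        -Property 'displayName', 'appId', 'keyCredentials', 'passwordCredentials'

    $findings = @()
    foreach ($pw in $a.PasswordCredentials) {
        $findings += "Client secret present ($($pw.DisplayName)); move to certificate auth and remove it."
    }
    foreach ($k in $a.KeyCredentials) {
        $daysLeft = [int]($k.EndDateTime - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) {
            $findings += "Certificate $($k.DisplayName) expired $(-$daysLeft) days ago."
        } elseif ($daysLeft -le $WarnDays) {
            $findings += "Certificate $($k.DisplayName) expires in $daysLeft days; rotate now."
        }
    }

    [pscustomobject]@{
        Application = $a.DisplayName
        AppId       = $a.AppId
        Secrets     = @($a.PasswordCredentials).Count
        Certs       = @($a.KeyCredentials).Count
        Findings    = $findings
    }
}

Test-HybridAppCredentials -ApplicationObjectId $app.Id
```

Rotation with this layout is additive: upload the new certificate as a second KeyCredential with Update-MgApplication, switch the on-premises configuration to the new thumbprint, confirm sign-ins succeed, and only then remove the old credential, so the integration never has zero valid credentials.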

Testing and validation checklist

  • Verify server build versions and confirm hotfix installation.
  • Confirm successful app registration and tenant consent.
  • Test calendar/free-busy lookups across mailboxes (on-prem ↔ cloud).
  • Test archiving workflows to Exchange Online (if used).
  • Validate Skype Meetings Application joins from external and internal endpoints.
  • Monitor authentication logs for failures and unusual token requests.
  • Confirm that EWS traffic is authenticated with the dedicated app and that, once Microsoft's block on the shared principal is in effect, requests from the shared principal fail as expected; those failures are the confirmation that nothing still depends on the old identity.
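For the archiving and storage-connectivity items above, an added example (not Microsoft's or the article's own code) that runs Test-CsExStorageConnectivity from the Skype for Business Server Management Shell against a pilot set of users after the hotfix and dedicated-app cutover, and summarises the outcome. It assumes the cmdlet's output exposes Result and Error properties; the SIP URIs are placeholders for your pilot users, who need Exchange Online mailboxes.

```powershell
# Added example: pilot validation of the Skype for Business -> Exchange Online storage path
# after the Dedicated Hybrid Application cutover. Not Microsoft's or the article's own code.
# Uses Test-CsExStorageConnectivity (Skype for Business Server Management Shell); assumes
# its output has Result and Error properties. SIP URIs below are placeholders.

$pilotUsers = @(
    'sip:alice@contoso.com',   # placeholder: on-prem SfB user with an Exchange Online mailbox
    'sip:bob@contoso.com'
)

function Test-SfbHybridPilot {
    <#
    .SYNOPSIS
    Runs the Exchange storage connectivity test for each pilot user and returns one
    row per user, so a failing cutover shows up as data rather than scrolling output.
    #>
    param([Parameter(Mandatory)][string[]]$SipUri)

    foreach ($uri in $SipUri) {
        try {
            # Exercises the OAuth + EWS path that archiving and contact storage rely on,
            # i.e. the path that now authenticates as the dedicated app.
            $r = Test-CsExStorageConnectivity -SipUri $uri -ErrorAction Stop
            [pscustomobject]@{
                User   = $uri
                Result = $r.Result
                Detail = (@($r.Error) -join '; ')
            }
        } catch {
            [pscustomobject]@{
                User   = $uri
                Result = 'Exception'
                Detail = $_.Exception.Message
            }
        }
    }
}

$results  = Test-SfbHybridPilot -SipUri $pilotUsers
$results | Format-Table -AutoSize

# Gate the wider rollout on a clean pilot.
$failures = @($results | Where-Object { $_.Result -ne 'Success' })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) pilot user(s) failed; check the app's permissions, consent and certificate before widening the rollout."
} else {
    Write-Output 'Pilot storage connectivity succeeded for all users.'
}
```

Run this once before the cutover to capture a baseline and again afterwards; a user that passed before and fails after points at the new app's permissions, consent or certificate rather than at the mailbox.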

Vendor guidance and documentation gaps

Microsoft has published product-specific guidance, hotfix packages, and Tech Community posts describing the dedicated hybrid app and the August 2025 hotfixes. However, companies with heavily customized environments may encounter edge cases not exhaustively covered in public documentation. When documentation does not directly address a unique integration scenario, engage Microsoft Support or a trusted partner to avoid risky guesswork.
If any claim or configuration step in third-party news coverage cannot be directly mapped to official guidance or reproducible in a test tenant, treat it as unverified until confirmation is obtained from the product documentation or Microsoft support channels.

Governance, compliance, and audit considerations

  • Update change logs and configuration baselines to reflect the new dedicated app identity and permissions.
  • Include the dedicated app in security reviews, penetration tests, and compliance assessments.
  • Ensure audit and logging policies capture application authentication events, and store logs per your retention and SIEM policies.
  • If regulatory controls require strict segregation of duties, implement role-based approvals for app registration and secret handling.

Conclusion

Microsoft’s August 2025 Skype for Business Server hotfixes mark a decisive shift in how hybrid integration will be secured going forward: the Dedicated Hybrid Application model returns control and accountability to individual tenants and removes the fragile reliance on Microsoft-managed shared identities. For organizations still operating Skype for Business Server in hybrid mode, this change requires prompt action — install the August hotfixes, create and configure the dedicated app in Entra ID, run the recommended post-update scripts (notably for Skype for Business Server 2015), and validate hybrid features well before October 15, 2025.
The security benefits are material: better audit trails, tenant-level control, and a reduced attack surface. The trade-offs are operational: a short, non-trivial migration and configuration effort, new secrets and lifecycle responsibilities, and the possibility of temporary disruption during Microsoft’s phased enforcement. For most enterprises, the path is clear — treat the August hotfix and dedicated app configuration as a priority, protect the new app’s credentials, test thoroughly, and document the changes for security and compliance teams. Failure to act is likely to result in degraded hybrid capabilities and avoidable business impact.

Source: Neowin Latest updates for Skype for Business Server include breaking changes