Microsoft Enforces Dedicated Exchange Hybrid App: Sept 2025 Window

Microsoft is taking the first concrete step in its phased enforcement of the dedicated Exchange hybrid app requirement: on September 16, 2025 at 07:00 UTC Microsoft will temporarily block Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal for hybrid customers — a 48-hour enforcement window that will disrupt free/busy lookups, MailTips and profile picture sharing between on-premises mailboxes and Exchange Online mailboxes unless organizations have moved to the dedicated hybrid app and installed the April 2025 hotfix. (techcommunity.microsoft.com)

Background​

Microsoft introduced a multi-stage migration away from the Exchange Online first‑party/shared service principal model in its April 2025 security updates. The change moves hybrid authentication to a tenant‑specific dedicated Exchange hybrid app in Entra ID and prepares hybrid tooling to switch EWS calls to the REST‑based Microsoft Graph API in subsequent updates. This redesign is intended to reduce the blast radius of a compromise that starts on an on‑premises Exchange server by eliminating a shared, overly broad trust relationship that linked on‑premises servers and Exchange Online. (techcommunity.microsoft.com)
That redesign became urgent after Microsoft and U.S. government cyber authorities highlighted a high‑severity hybrid vulnerability — tracked as CVE‑2025‑53786 — which can allow an attacker with administrative access to an on‑premises Exchange server to escalate into the connected cloud tenant. CISA issued guidance and an emergency directive to federal agencies to remediate hybrid deployments, and Microsoft released instructions and a hotfix in April 2025. The dedicated hybrid app and the associated service principal cleanup steps are central to those mitigations. (cisa.gov)

What’s happening on September 16, 2025​

• Temporary disruption period: 48 hours.
• Start: September 16, 2025 — 07:00 UTC.
• End: September 18, 2025 — 07:00 UTC.
• Impacted cloud environments: Worldwide (WW), GCC, GCC‑H, DoD, and 21Vianet.
• Direct functional impact: on‑premises mailboxes attempting to query Exchange Online mailboxes will experience failures for free/busy availability lookups, MailTips, and profile picture sharing. Other hybrid capabilities such as migrations, general mail flow and administrative management will not be blocked during this window. (techcommunity.microsoft.com)

Microsoft has framed these short enforcement windows as temporary prompts to accelerate adoption — they are intentionally scheduled before a permanent retirement of shared service principal EWS access and ahead of the final EWS deprecation timeline. Subsequent temporary windows include October 7, 2025 (three days) and a permanent block after October 31, 2025; EWS support in Exchange Online is slated for retirement in October 2026, with a migration to Graph permissions required by then. (techcommunity.microsoft.com)

---

Who will be affected​

This enforcement affects organizations that meet all three of these conditions:

• You run a hybrid deployment (both on‑premises Exchange and Exchange Online user mailboxes exist).
• You have not installed the April 2025 hotfix (HU) or a newer cumulative/update that enables the dedicated hybrid app workflow on all on‑premises Exchange Servers.
• You have not created and enabled the dedicated Exchange hybrid app in your tenant (via the ConfigureExchangeHybridApplication.ps1 script or the updated Hybrid Configuration Wizard once available). (techcommunity.microsoft.com)

If you do not use the rich coexistence features (free/busy, MailTips, profile pictures) between on‑premises and cloud mailboxes, your service will continue functioning for core mail flow and administration even if you don’t switch — but Microsoft still recommends cleaning up the shared principal to reduce risk. There will be no exceptions to the temporary blocking windows; support teams will not grant bypasses. (techcommunity.microsoft.com)

---

Why Microsoft is enforcing this now (security and practical drivers)​

Two forces are driving Microsoft’s schedule:

• Security: Shared, first‑party service principals grant broad privileges across tenants. Public advisories and emergency directives tied to CVE‑2025‑53786 showed how an attacker who controls an on‑premises Exchange server could pivot to cloud resources because of that shared trust. Moving to a tenant‑specific dedicated app reduces that risk. CISA explicitly recommended installing Microsoft’s April 2025 hotfix and creating the dedicated app as part of mitigation. (cisa.gov)
• Adoption gap: Microsoft reported strong uptake of server updates but low adoption of the tenant‑scoped dedicated app itself, so scheduled, short-lived blocks are intended to create visible disruption that motivates final configuration. The temporary blocks in August (cancelled then rescheduled), September and October are a staged nudge; the October end-of-month block is permanent. (techcommunity.microsoft.com)

Security researchers and industry reporting estimate tens of thousands of Exchange servers remained unpatched in August 2025, reinforcing the urgency for many organizations. These estimates are external research snapshots and should be treated as approximate; they do, however, underscore the scale of the exposure. (techradar.com)

---

Technical summary: What you must do now​

The following actions are the minimum to avoid the September 16 disruption, restore secure posture, and prepare for the full migration to Graph API later:

• Inventory: Identify every Exchange server in your environment (use Microsoft’s Exchange Health Checker and other discovery tooling). This must include any internet‑facing servers and older versions. CISA and Microsoft both stress immediate inventory as the first step. (cisa.gov)
• Patch/update: Install the April 2025 hotfix (HU) or a later cumulative update that includes the hybrid application support on each Exchange server that participates in hybrid functionality. Verify each server is on a supported CU and the hotfix applied. (techcommunity.microsoft.com)
• Create the dedicated app: Run Microsoft’s ConfigureExchangeHybridApplication.ps1 script to create and enable the dedicated Exchange hybrid app in Entra ID, or re‑run the updated Hybrid Configuration Wizard (HCW) once it is validated for your environment. This switches hybrid features to target the tenant‑scoped application instead of the shared first‑party principal. (learn.microsoft.com)
• Run Service Principal Clean‑Up Mode: After you create the dedicated app, run the script’s Service Principal Clean‑Up Mode to remove residual keyCredentials and certificates from the shared Exchange Online service principal. This reduces leftover trust paths that could be abused. (learn.microsoft.com)
• Validate: Use the Health Checker and targeted tests (free/busy lookups between on‑prem and cloud mailboxes, MailTips, profile photo lookups) to ensure the dedicated app is being used and the shared principal no longer holds legacy credentials. Maintain logs of tests and remediation steps. (techcommunity.microsoft.com)
• Rotate credentials and monitor: Rotate any credentials that were associated with prior shared-principal workflows and ensure monitoring/alerting is in place for anomalous activity coming from on‑prem Exchange servers. Strengthen endpoint detection, audit collection, and conditional access on critical identities. (bleepingcomputer.com)
• Plan Graph migration: Expect a second stage where EWS is replaced by Microsoft Graph calls and the dedicated app’s permissions will be converted to a more granular Graph API model; that work has deadlines through October 2026. Design a project plan for permission changes and additional CU patches required to enable Graph. (techcommunity.microsoft.com)

---

A practical, prioritized checklist (quick reference)​

---

• Inventory completed using Exchange Health Checker.
• Host‑level and CU versions on all Exchange servers verified.
• April 2025 HU (or later) installed on all hybrid servers.
• Dedicated Exchange hybrid app created in Entra ID (or HCW re-run with updated HCW).
• Service Principal Clean‑Up Mode executed to remove certificates from shared principal.
• Validation of rich coexistence features done in lab before September 16.
• Alerting and credential rotations scheduled.
• Test and rollback plan documented.
• Communication to end users (briefing about potential brief disruptions if last‑minute remediation is required).
• -

---

Deployment and testing guidance​

• Start in a non‑production pilot: Create and enable the dedicated app for a pilot tenant or a subset of test mailboxes to validate the process. Confirm free/busy, MailTips and photos work both directions before touching production.
• Document rollback: If unexpected behavior occurs, document exact steps to revert server changes (e.g., re-apply previous configuration backups) and ensure you can re‑enable previous settings. Note: re‑enabling the shared principal by re‑running older HCW may reintroduce security risk if clean‑up hasn’t been done properly. (techcommunity.microsoft.com)
• Schedule maintenance: If any servers remain behind or require more time, schedule updates well before September 16 or prepare for localized user impact during the enforcement window. The 48‑hour window is limited but could coincide with critical business activities if not planned. (techcommunity.microsoft.com)

---

What changes — and what does not — during the temporary enforcement?​

• Will break (directional): On‑premises mailboxes looking up Exchange Online mailbox information — free/busy lookups, MailTips, and profile picture sharing will fail if the tenant has not moved to the dedicated hybrid app. (techcommunity.microsoft.com)
• Will not break: Mail flow, migration operations, and general management of Exchange hybrid setups; other administrative and mail transport capabilities continue to function. The disruption is limited to the specific EWS/ rich‑coexistence functions described. (techcommunity.microsoft.com)
• Support exceptions: Microsoft has stated there will be no exceptions granted during these temporary enforcement windows. If you are impacted, the only remedy is the remediation steps above. (techcommunity.microsoft.com)

---

Risk analysis: strengths, limitations and residual risks​

Strengths of Microsoft’s approach​

• Security hardening: Tenant‑specific apps reduce shared privileges and make lateral escalation from a compromised on‑prem server harder. This is aligned with least‑privilege and isolation principles. (techcommunity.microsoft.com)
• Clear timeline: Publishing explicit enforcement windows and final retirement dates gives organizations windows to plan and prioritize. Temporary blocks act as a forcing function where passive advisories were previously ignored. (techcommunity.microsoft.com)
• Tooling provided: Microsoft publishes scripts (ConfigureExchangeHybridApplication.ps1), health checker tooling, and updated HCW flows to operationalize the migration path. (learn.microsoft.com)

Limitations and operational risks​

• User disruption risk: Short enforcement windows can still cause meaningful business interruptions for organizations that don’t remediate in time, particularly global companies that operate on regional schedules. Even a 48‑hour outage of free/busy lookups and MailTips can burden large support desks. (techcommunity.microsoft.com)
• Unpatched estate scale: Independent scans and reporting in August 2025 suggested a large number of Exchange servers remained unpatched; these external estimates are approximate but indicate many organizations may still be vulnerable and underprepared. Treat these figures as industry estimates rather than exact counts. (techradar.com)
• Complex environments: Large, segmented enterprises with third‑party appliances, legacy integrations, or specialized HCW workflows may need extra coordination across teams (network, identity, Exchange, security) to avoid misconfiguration and service impacts. (techcommunity.microsoft.com)
• Detection gaps: Microsoft and CISA noted that malicious activity originating on‑prem Exchange may not surface in cloud audit logs in the same way as cloud-originated events. That makes proactive prevention and host‑level detection more critical, and highlights the need to rotate and clean up keys/certificates. (cisa.gov)

---

Recommended governance and post‑migration steps​

• Establish an internal cutoff: set a firm, internal deadline ahead of Microsoft’s enforcement windows to ensure the entire hybrid estate is patched and the dedicated app is configured and tested. This avoids last‑minute emergency work.
• Maintain runbooks: keep a step‑by‑step remediation and validation runbook, including the exact HCW/script versions used, the test scripts run, and screenshots or logs demonstrating success.
• Audit the cleanup: after creating the dedicated app, audit the shared service principal in Entra ID for stray certificates or keyCredentials and confirm Service Principal Clean‑Up Mode removed them.
• Monitor telemetry: supplement Microsoft Defender and Purview with host telemetry and SIEM alerts for anomalous administrative activity on Exchange servers. Be skeptical of cloud‑only detection for on‑prem origin attacks. (bleepingcomputer.com)

---

If you cannot update everything before September 16​

If your organization cannot complete the transition for all Exchange servers by the September 16 window, prioritize:

• Critical or internet‑facing Exchange servers.
• Servers that are in hybrid trust relationships with the cloud that hold large user populations.
• Environments where attackers would have the highest reward — domain controllers, admin workstations, or servers with legacy integrations.

For the remainder, prepare internal communications explaining the functional limitations during the enforcement window and pre‑position temporary manual scheduling procedures for calendar planning since free/busy lookups may fail. Also use this time to accelerate patching and remediation after the window. (techcommunity.microsoft.com)

---

Final timeline recap and call to action​

• April 2025: Microsoft released hotfix guidance and recommended the dedicated Exchange hybrid app workflow. (techcommunity.microsoft.com)
• September 16, 2025 07:00 UTC — September 18, 2025 07:00 UTC: First temporary enforcement window (48 hours). If you haven’t created and enabled the dedicated hybrid app and patched to April 2025 HU (or newer), expect free/busy, MailTips and photo sharing disruptions. (techcommunity.microsoft.com)
• October 7, 2025: Second temporary enforcement (three days). (techcommunity.microsoft.com)
• After October 31, 2025: Permanent block of EWS using the shared service principal for hybrid coexistence. (techcommunity.microsoft.com)
• October 2026: EWS retirement and full Graph API migration target for Exchange hybrid features. Plan and schedule accordingly. (techcommunity.microsoft.com)

Act now: inventory servers, install April 2025 hotfixes or later cumulative updates, create the dedicated Exchange hybrid app and run the Service Principal Clean‑Up Mode, validate rich coexistence functionality, and strengthen host‑level detection and credential hygiene. These steps will both avoid the September 16 disruption window and materially reduce the hybrid attack surface highlighted by CVE‑2025‑53786 and government advisories. (cisa.gov)

---

The coming enforcement is both a security imperative and an operational challenge; organizations that take the recommended steps now will avoid short‑term disruptions and position themselves for the longer‑term Graph migration roadmap.

---

Source: Microsoft Exchange Team Blog The first temporary enforcement of dedicated hybrid app use is coming on September 16 | Microsoft Community Hub