Why you may not be able to decommission on-premises Exchange even with cloud solutions

[German]If I understand correctly, many companies are moving towards the cloud. The hope is that once the on-premises Exchange functions are moved to the cloud in Exchange Online, the on-premises solutions will be gone. The other day I came across an interesting article whose message was simply "you will continue to rely on on-premises Exchange".


With the cloud, it's one of those things. While Microsoft never tires of extolling the virtues of the Azure cloud, and also hints that they are scaling back maintenance and development of on-premises offerings. Vulnerabilities such as ProxyShell in Microsoft Exchange encourage many customers to seek their salvation in an escape to Exchange Online. The idea: Then no on-premises Exchange server needs to be administered and patched anymore. However, I had already pointed out the pitfalls of migrating on-premises Windows servers to the cloud in the blog post Why you shouldn't use Azure AD Domain Services as a Windows AD replacement

On-premises Exchange is still needed

I don't have any Exchange-related activities, but the post In Microsoft's world, cloud email still often requires on-premises Exchange. Why? on The Register immediately got my attention. The message of the article: in some cases, Microsoft requires that on-premises Exchange continue to be used, even if all email mailboxes are handled by Exchange Online. The problem arises for customers who need or use AD Connect. This is a service that synchronizes on-premises Active Directory (AD) with the Azure version.

AD Connect is pretty much mandatory for larger enterprises, as on-prem Active Directory is still needed, whether to manage permissions for local resources such as printers, or for legacy applications that require it (Sage is an example). The Register writes that on-premises AD is deeply embedded in Microsoft's platform. For example, Microsoft's Windows 365 cloud desktops requires AD Connect for enterprise plans.

Microsoft's Exchange Server (cloud or on-premises) is another example of an application that integrates with AD. Part of an Exchange installation is an extension to the AD schema to add Exchange-specific data. So once AD Connect is in play, synchronization requires Exchange-specific data to exist both on-premises (On-Premises) and online (Exchange Online). This Microsoft document states:   

Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes.

When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud.

Customers with a hybrid configuration face the problem that the mailboxes are moved to Exchange Online. But if they then turn off the on-premises Exchange servers, they find that they can no longer manage their cloud mailboxes.


If needed, you can read the post In Microsoft's world, cloud email still often requires on-premises Exchange. Why? on The Register for more details. For a discussion, see the Sept. 2018 article Exchange Online and Azure AD Connect on Techcommunity. Microsoft even lets customers use a free on-premises Exchange Server license in such scenarios, according to The Register.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *