Replacing Exchange with cloud-managed remote mailboxes in EO

Microsoft unveiled its "Cloud-Managed Remote Mailboxes" on August 20, 2025. This is an attempt to free companies that have moved all their mailboxes to Exchange Online in the cloud from the Microsoft Exchange servers they still operate on-premises. These Exchange servers are still running in order to manage recipient attributes, as this is not possible with Exchange Online, or only with considerable effort.

Exchange server still needed despite Exchange Online?

If I understand correctly—and I'm no Exchange expert—many companies that have migrated all their mailboxes to Exchange Online still operate a local Exchange server. This on-premises Exchange server has only one purpose: it is used exclusively for managing recipient attributes.

This is because in hybrid environments, the attributes of mailboxes belonging to so-called "directory-synchronized user accounts" cannot be managed from Exchange Online. Attempts by Exchange Online administrators to edit mailbox attributes in the cloud are usually blocked because the source of authority (SOA) for the object is on-premises.

Administrators then have to rely on a local Exchange server to edit mailbox attributes (such as email addresses, aliases, or flags for hiding from the address book) in Active Directory (AD) and then synchronize these changes with the cloud. This applies even if the mailbox is located in Exchange Online.

This is the dependency in which companies that have migrated to Exchange Online find themselves: the mailboxes are in the cloud, yet the company continues to run an on-premises Microsoft Exchange Server to manage the aforementioned mailbox attributes.

Early attempts to replace local Exchange servers

With support for Microsoft Exchange Server 2016 and 2019 set to expire in October 2025, the local Microsoft Exchange Server should finally be replaced. But the dependencies outlined above stand in the way of this.

Back in April 2022, Microsoft released updated Exchange Server 2019 management tools via an update (see Manage recipients in Exchange Hybrid environments using Management tools). This enabled the management of Exchange recipients via the Exchange management tools on a domain-joined computer without having to run an Exchange server. This gave administrators a tool to shut down the last Exchange server in the company and instead use the management tools to change recipient attributes.

The downside was that this was a cumbersome solution, as it required PowerShell knowledge and did not offer any logging or monitoring functions. There was no way to change the properties of synchronized user remote mailboxes (located in the cloud) directly in Exchange Online. The goal had to be for administrators to manage the Exchange attributes of cloud mailboxes entirely in the cloud, while synchronizing identity data from the local Active Directory (AD).

Cloud-Managed Remote Mailboxes

The solution now comes in the form of a new feature in Exchange Online that allows customers with hybrid Exchange environments to manage mailbox attributes in AD remotely from the cloud.

Cloud-Managed Exchange remote mailbox attributes

Microsoft announced this on August 20, 2025, in a Techcommunity post titled Introducing Cloud-Managed Remote Mailboxes: a Step to Last Exchange Server Retirement. The new feature in Exchange Online allows administrators to specify that Exchange-related attributes for a specific user are managed in Exchange Online. This also applies if the user's identity continues to originate from the local Active Directory.

In practice, Exchange attributes (email addresses, mailbox settings, etc.) can be edited using Exchange Online PowerShell, the Microsoft 365 Exchange Admin Center, or the Microsoft 365 Admin Center, while central identity attributes (such as the user's name, address, phone number, etc.) continue to be managed locally.

In Exchange Online and Entra ID, a new mailbox property IsExchangeCloudManaged is being introduced. This property indicates whether the Exchange attributes for a synchronized user have their source of authority (SOA) in the cloud or locally. By default, this value is set to "False" for all currently directory-synchronized users (meaning that the Exchange attributes are managed locally and synchronized with the cloud).

If IsExchangeCloudManaged is set to 'True' for a specific user, this transfers the "Source of Authority" for that user's Exchange attributes to the cloud. From this point on, the following applies:

  • Exchange attributes (properties that relate to the remote mailbox) can be edited in Exchange Online (and are no longer overwritten by local synchronization).
  • Identity attributes (core object properties such as name, department, etc.) continue to be managed locally in AD and cannot be changed via the cloud (as before).
  • The feature only supports SOA transfer of Exchange attributes for user, shared, device, or room mailboxes. For groups and contacts, administrators must use object-level SOA transfer.
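
The rules above can be turned into a pilot plan before any mailbox is switched. The following is an added example, not code from Microsoft or from this article; it classifies mailbox inventory objects by whether their Exchange attributes can be moved to cloud management. The function name, the sample data, and the mapping of the mailbox kinds to `RecipientTypeDetails` values are assumptions.

```powershell
# Added example: decide per mailbox whether the Exchange-attribute SOA can be
# moved to the cloud, following the rules listed above.
# Assumption: the supported mailbox kinds map to these RecipientTypeDetails values.
$SupportedTypes = 'UserMailbox', 'SharedMailbox', 'EquipmentMailbox', 'RoomMailbox'

function Get-SoaTransferPlan {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        $action = if (-not $Mailbox.IsDirSynced) {
            'Skip: cloud-only object, already managed in Exchange Online'
        } elseif ($Mailbox.RecipientTypeDetails -notin $SupportedTypes) {
            'Skip: type not covered by this feature'
        } elseif ($Mailbox.IsExchangeCloudManaged) {
            'None: Exchange attributes already cloud-managed'
        } else {
            'Eligible: set IsExchangeCloudManaged to $true'
        }
        [pscustomobject]@{
            Identity = $Mailbox.UserPrincipalName
            Type     = $Mailbox.RecipientTypeDetails
            Action   = $action
        }
    }
}

# Constructed sample inventory (not real tenant data). Against a tenant use:
#   Connect-ExchangeOnline; $inventory = Get-Mailbox -ResultSize Unlimited
$inventory = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; RecipientTypeDetails = 'UserMailbox'
                       IsDirSynced = $true;  IsExchangeCloudManaged = $false }
    [pscustomobject]@{ UserPrincipalName = 'room1@contoso.example'; RecipientTypeDetails = 'RoomMailbox'
                       IsDirSynced = $true;  IsExchangeCloudManaged = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   RecipientTypeDetails = 'UserMailbox'
                       IsDirSynced = $false; IsExchangeCloudManaged = $false }
    [pscustomobject]@{ UserPrincipalName = 'search@contoso.example'; RecipientTypeDetails = 'DiscoveryMailbox'
                       IsDirSynced = $true;  IsExchangeCloudManaged = $false }
)

$plan = $inventory | Get-SoaTransferPlan
$plan | Format-Table -AutoSize

# Pilot one eligible mailbox; -WhatIf previews the change without applying it.
# $pilot = ($plan | Where-Object Action -like 'Eligible*' | Select-Object -First 1).Identity
# Set-Mailbox -Identity $pilot -IsExchangeCloudManaged $true -WhatIf
# Get-Mailbox -Identity $pilot | Format-List Identity, IsExchangeCloudManaged
```

Keeping the plan output alongside the change record gives a per-mailbox trail of where the source of authority was moved.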

More details can be found in the support article Cloud-based management of Exchange attributes for Remote Mailboxes in hybrid environments. Microsoft is rolling out this feature in two phases:

  • Phase 1 (Preview, now available): Introduction of per-mailbox control for cloud management of Exchange attributes. Administrators can enable individual mailboxes for cloud management (by setting IsExchangeCloudManaged=True). During this phase, administrators can also reset a mailbox to local management (IsExchangeCloudManaged=False). Phase 1 focuses on managing existing remote mailbox attributes for individual users and testing the feature. It also includes an organization-level setting that defaults all newly synchronized user Exchange attributes to be managed in the cloud (expected in September).
  • Phase 2: Adds writeback support for certain attributes and integration with Entra ID Cloud Sync. In phase 2, changes to critical Exchange properties made in the cloud are automatically synchronized with the local Active Directory (until then, such changes may not be synchronized). This ensures that your local AD remains up to date when, for example, a proxy address is changed in Exchange Online. To use writeback, customers must use Entra Cloud Sync.

Microsoft plans to provide further details on this writeback feature at a later date. All attributes supported for writeback are listed in the documentation provided above.
