Organizations using Exchange hybrid deployments should prepare for new changes taking effect over the next few months. Microsoft has announced that beginning in August 2025, it will temporarily block Exchange Web Services (EWS) traffic that uses the Exchange Online shared service principal in certain hybrid environments.
The change primarily impacts organizations using “rich coexistence” features such as free/busy calendar lookups, MailTips, and profile picture sharing between on-premises Exchange Server and Exchange Online mailboxes. These features rely on EWS and have traditionally functioned through the shared service principal in Exchange Online.
However, Microsoft will permanently disable this method starting October 31, 2025. In preparation, temporary disruptions will occur throughout August, September, and October 2025 to prompt customers to make the necessary updates. These blocks are designed to ensure that affected organizations don’t overlook the October deadline.
The company stresses the security benefits of this shift. Moving away from the shared service principal reduces exposure to known risks, including CVE-2025-53786, a post-exploitation vulnerability that highlights the need for stronger authentication controls.
Who Will Be Affected by Exchange Web Services (EWS) Discontinuation?
Not all hybrid Exchange environments will be impacted by these disruptions. Only organizations meeting the following criteria will experience feature breaks during the temporary blocks:
- Mailboxes are hosted both in Exchange on-premises and Exchange Online.
- Rich coexistence features (free/busy, MailTips, profile pictures) are in use between on-prem and cloud users.
- On-premises Exchange servers are not updated to a version that supports the dedicated hybrid app.
- The dedicated Exchange hybrid app has not been created or properly enabled.
Organizations meeting these conditions should act immediately to avoid functionality loss. Microsoft has also issued Message Center notification MC1085578 to affected tenants.
What Will Break and When?
The impact is limited but specific. During blocked periods, on-premises mailboxes will be unable to access rich coexistence features for Exchange Online mailboxes. These include:
- Free/busy calendar lookups
- MailTips
- Profile picture sharing
It’s important to note that these disruptions are one-way only, they affect on-premises users accessing cloud data, not vice versa. All other hybrid features will continue to work.
Support teams will not grant exceptions for these blocks. Organizations needing assistance should consult the documentation or reach out to Microsoft support.
What Organizations Need to Do
For organizations using rich coexistence features, Microsoft recommends two primary actions:
- Update Exchange Server to a version that supports the dedicated hybrid app.
- Create and enable the dedicated Exchange hybrid application using the new Hybrid Configuration Wizard (HCW) or a provided configuration script.
Supported minimum Exchange versions include:
- Exchange Server 2016 CU23 – Version 15.1.2507.55 or newer (April 2025 HU)
- Exchange Server 2019 CU14 – Version 15.2.1544.25 or newer (April 2025 HU)
- Exchange Server 2019 CU15 – Version 15.2.1748.24 or newer
- Exchange Subscription Edition (SE) – Version 15.2.2562.17 or newer
The updated Hybrid Configuration Wizard simplifies the setup of the dedicated app. When selected during the HCW process (Classic Full, Modern Full, or Choose Exchange Hybrid Configuration), the wizard:
- Registers a new application in Entra ID with a unique identifier.
- Adds EWS permissions (to be replaced with Microsoft Graph permissions in the future).
- Uploads current and future authentication certificates.
- Removes expired certificates.
- Requests tenant-wide admin consent.
However, HCW does not automatically enable the dedicated app within the on-premises Exchange environment. A separate Setting Override must be created to fully activate the feature. Instructions are available in the Deploy dedicated Exchange hybrid app documentation.
Conclusion
Even for organizations not using rich coexistence features, it’s important to perform a security cleanup. Running the Exchange Hybrid Configuration Wizard or configuring OAuth may have left custom certificates on the shared service principal, which should be removed using the provided script in Service Principal Clean-Up Mode. This process can be carried out from any Windows machine and does not require a specific Exchange version or server.
As Microsoft moves toward permanently blocking Exchange Web Services (EWS) traffic via the shared service principal after October 31, 2025, transitioning to the dedicated Exchange hybrid app is a critical step in securing hybrid Exchange deployments. Administrators should act now to ensure their environments are fully updated and aligned with the latest guidance, using the updated Hybrid Configuration Wizard and official documentation to avoid any disruption.
Source: Read More
