Cloud-based management of Exchange attributes for Remote Mailboxes in hybrid environments

Overview

In an Exchange Hybrid environment, the management of Exchange attributes for directory-synchronized users is restricted in Exchange Online (EXO). Organizations are required to use their on-premises Exchange Server, sometimes referred to as the Last Exchange Server (LES), to modify these attributes within Active Directory (AD), synchronizing any changes to the cloud through Cloud Sync or Connect Sync. As a result, although mailboxes are located in the cloud, organizations remain dependent on their on-premises Exchange Server for managing cloud mailboxes: they execute Exchange Server cmdlets that update on-premises Active Directory, which then synchronizes the updates to the cloud.

A new capability in Exchange Online now allows administrators to manage Exchange attributes for directory-synchronized users with mailboxes hosted in the cloud. With this update, the Source of Authority (SOA) for Exchange-specific attributes can be transferred to the cloud, while the SOA for identity-related attributes remains under the control of the on-premises Active Directory. After moving the SOA for Exchange attributes to the cloud, these attributes can be managed using EXO PowerShell, the Microsoft 365 Admin Center, or the Exchange Admin Center, whereas identity attributes are still modified through on-premises Active Directory only. This document provides detailed instructions for activating this feature for users whose mailboxes are located in the cloud, as well as the process of shifting the SOA for Exchange attributes to the cloud environment.

After a user's Exchange attribute SOA is transferred to the cloud, editing the user's first name and last name requires using on-premises Active Directory. To modify Exchange attributes such as HiddenFromAddressListsEnabled or CustomAttribute(x), administrators need to use Exchange Online PowerShell or Microsoft 365 Exchange Admin Center (EAC).

We will offer functionality to synchronize updates to essential Exchange attributes, such as proxyAddresses, CustomAttributes(1-15), extensionAttribute(1-5), RecipientType, and others, back to the on-premises Active Directory.

Feature Availability

Note

Currently, this feature is only available for customers in the Microsoft 365 worldwide (commercial) cloud. Information about availability in other cloud environments will be provided at a later date.

Microsoft is providing this feature in two phases:

Phase 1 (now GA) introduces per-mailbox control for cloud management of Exchange attributes. Administrators can opt in individual mailboxes for cloud management by setting IsExchangeCloudManaged to true. During this phase, mailboxes may also be rolled back to on-premises management if required (IsExchangeCloudManaged set back to false). Phase 1 is intended for managing existing user mailbox attributes individually and for feature validation.

Phase 2 will introduce write-back support for designated attributes, as well as Entra Cloud Sync integration. During this phase, modifications to key Exchange properties made in the cloud will be automatically synchronized to on-premises Active Directory. This process ensures that your on-premises AD is consistently updated; for instance, any changes to a proxy address in Exchange Online will be reflected accordingly. To utilize writeback functionality, customers are required to implement Entra Cloud Sync. Additional information regarding this capability will be shared as part of the documentation once phase 2 is about to start.

We are in the process of developing Object-Level SOA management for Users, Groups, and Contacts. This functionality is intended to assist organizations seeking to decommission both on-premises Exchange Servers and Active Directory. With this feature, the SOA of individual objects, such as Users, Groups, and Contacts, can be migrated to the cloud at the object level. Comprehensive support for User SOA, Group SOA, and Contact SOA will enable full cloud-based management of entities originally created on-premises, once migration is complete. Although User and Contact SOA are not yet available, Group SOA, which enables you to migrate the SOA of an entire group to the cloud, is now available for you to try.

Identity, Exchange Attributes and Writeback

The following table details which attributes can be edited following the Exchange Attribute SOA transfer and whether those updates are written back to the on-premises Active Directory after the transfer. Identity attributes cannot be edited in EXO at all; their remaining columns are therefore empty.

| No. | Attribute | Type | Can be edited in EXO | Writeback to On-prem | Cmdlet to modify | Parameter |
|---|---|---|---|---|---|---|
| 1 | accountEnabled | Identity | No | | | |
| 2 | C | Identity | No | | | |
| 3 | Cn | Identity | No | | | |
| 4 | Co | Identity | No | | | |
| 5 | company | Identity | No | | | |
| 6 | countryCode | Identity | No | | | |
| 7 | department | Identity | No | | | |
| 8 | displayName | Identity | No | | | |
| 9 | facsimiletelephonenumber | Identity | No | | | |
| 10 | givenName | Identity | No | | | |
| 11 | homePhone | Identity | No | | | |
| 12 | info | Identity | No | | | |
| 13 | Initials | Identity | No | | | |
| 14 | l | Identity | No | | | |
| 15 | mailNickname | Identity | No | | | |
| 16 | manager | Identity | No | | | |
| 17 | mobile | Identity | No | | | |
| 18 | msDS-HABSeniorityIndex | Identity | No | | | |
| 19 | msDS-PhoneticDisplayName | Identity | No | | | |
| 20 | objectSID | Identity | No | | | |
| 21 | otherFacsimileTelephone | Identity | No | | | |
| 22 | otherHomePhone | Identity | No | | | |
| 23 | otherTelephone | Identity | No | | | |
| 24 | pager | Identity | No | | | |
| 25 | physicalDeliveryOfficeName | Identity | No | | | |
| 26 | postalCode | Identity | No | | | |
| 27 | pwdLastSet | Identity | No | | | |
| 28 | sn | Identity | No | | | |
| 29 | sourceAnchor | Identity | No | | | |
| 30 | st | Identity | No | | | |
| 31 | streetAddress | Identity | No | | | |
| 32 | telephoneAssistant | Identity | No | | | |
| 33 | telephoneNumber | Identity | No | | | |
| 34 | title | Identity | No | | | |
| 35 | usageLocation | Identity | No | | | |
| 36 | userPrincipalName | Identity | No | | | |
| 37 | wWWHomePage | Identity | No | | | |
| 38 | altRecipient | Exchange | Yes | No | Set-Mailbox | ForwardingAddress |
| 39 | authoring | Exchange | Yes | No | Set-Mailbox | AcceptMessagesOnlyFrom |
| 40 | dLMemRejectPerms | Exchange | Yes | No | Set-Mailbox | RejectMessagesFromDLMembers |
| 41 | dLMemSubmitPerms | Exchange | Yes | No | Set-Mailbox | AcceptMessagesOnlyFromDLMembers |
| 42 | extensionAttribute1 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute1 |
| 43 | extensionAttribute10 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute10 |
| 44 | extensionAttribute11 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute11 |
| 45 | extensionAttribute12 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute12 |
| 46 | extensionAttribute13 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute13 |
| 47 | extensionAttribute14 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute14 |
| 48 | extensionAttribute15 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute15 |
| 49 | extensionAttribute2 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute2 |
| 50 | extensionAttribute3 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute3 |
| 51 | extensionAttribute4 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute4 |
| 52 | extensionAttribute5 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute5 |
| 53 | extensionAttribute6 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute6 |
| 54 | extensionAttribute7 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute7 |
| 55 | extensionAttribute8 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute8 |
| 56 | extensionAttribute9 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute9 |
| 57 | legacyExchangeDN | Exchange | Yes | No | Not editable in cloud by default. | |
| 58 | mail | Exchange | Yes | No | Set-Mailbox | WindowsEmailAddress |
| 59 | msExchArchiveGUID | Exchange | Yes | No | Enable-Mailbox | Archive |
| 60 | msExchArchiveName | Exchange | Yes | No | Set-Mailbox | ArchiveName |
| 61 | msExchAssistantName | Exchange | Yes | No | Set-User | AssistantName |
| 62 | msExchAuditAdmin | Exchange | Yes | No | Set-Mailbox | AuditAdmin |
| 63 | msExchAuditDelegate | Exchange | Yes | No | Set-Mailbox | AuditDelegate |
| 64 | msExchAuditDelegateAdmin | Exchange | Yes | No | Set-Mailbox | AuditDelegate |
| 65 | msExchAuditOwner | Exchange | Yes | No | Set-Mailbox | AuditOwner |
| 66 | msExchBlockedSendersHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | BlockedSendersAndDomains |
| 67 | msExchBypassAudit | Exchange | Yes | No | Set-MailboxAuditBypassAssociation | AuditBypassEnabled |
| 68 | msExchDelegateListLink | Exchange | Yes | No | Add-MailboxPermission | AccessRights, User, InheritanceType |
| 69 | msExchELCExpirySuspensionEnd | Exchange | Yes | No | Set-Mailbox | EndDateForRetentionHold |
| 70 | msExchELCExpirySuspensionStart | Exchange | Yes | No | Set-Mailbox | StartDateForRetentionHold |
| 71 | msExchELCMailboxFlags | Exchange | Yes | No | Set-Mailbox | SingleItemRecoveryEnabled, LitigationHoldEnabled, RetentionHoldEnabled |
| 72 | msExchEnableModeration | Exchange | Yes | No | Set-Mailbox | ModerationEnabled |
| 73 | msExchExtensionCustomAttribute1 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute1 |
| 74 | msExchExtensionCustomAttribute2 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute2 |
| 75 | msExchExtensionCustomAttribute3 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute3 |
| 76 | msExchExtensionCustomAttribute4 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute4 |
| 77 | msExchExtensionCustomAttribute5 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute5 |
| 78 | msExchHideFromAddressLists | Exchange | Yes | No | Set-Mailbox | HiddenFromAddressListsEnabled |
| 79 | msExchImmutableID | Exchange | Yes | No | Set-Mailbox | ImmutableId |
| 80 | msExchLitigationHoldDate | Exchange | Yes | No | Set-Mailbox | LitigationHoldDate |
| 81 | msExchLitigationHoldOwner | Exchange | Yes | No | Set-Mailbox | LitigationHoldOwner |
| 82 | msExchMailboxAuditEnable | Exchange | Yes | No | Set-Mailbox | AuditEnabled |
| 83 | msExchMailboxAuditLogAgeLimit | Exchange | Yes | No | Set-Mailbox | AuditLogAgeLimit |
| 84 | msExchMailboxGuid | Exchange | Yes | No | Not editable in cloud by default. | |
| 85 | msExchModeratedByLink | Exchange | Yes | No | Set-Mailbox | ModeratedBy |
| 86 | msExchModerationFlags | Exchange | Yes | No | Set-Mailbox | SendModerationNotifications, ByPassModerationFromSendersOrMembers, ModerationEnabled |
| 87 | msExchRecipientDisplayType | Exchange | Yes | Yes | Set-Mailbox | Type |
| 88 | msExchRecipientTypeDetails | Exchange | Yes | Yes | Set-Mailbox | Type |
| 89 | msExchRemoteRecipientType | Exchange | Yes | No | Set-Mailbox | RemoteRecipientType |
| 90 | msExchRequireAuthToSendTo | Exchange | Yes | No | Set-Mailbox | RequireAllSendersAreAuthenticated |
| 91 | msExchResourceCapacity | Exchange | Yes | No | Set-Mailbox | ResourceCapacity |
| 92 | msExchResourceDisplay | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 93 | msExchResourceMetaData | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 94 | msExchResourceSearchProperties | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 95 | msExchRetentionComment | Exchange | Yes | No | Set-Mailbox | RetentionComment |
| 96 | msExchRetentionURL | Exchange | Yes | No | Set-Mailbox | RetentionUrl |
| 97 | msExchSafeRecipientsHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | Reserved for internal use |
| 98 | msExchSafeSendersHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | TrustedSendersAndDomains |
| 99 | msExchSenderHintTranslations | Exchange | Yes | No | Set-Mailbox | MailTipTranslations |
| 100 | msExchUserHoldPolicies | Exchange | Yes | No | Set-Mailbox | LitigationHoldEnabled |
| 101 | proxyAddresses | Exchange | Yes | Yes | Set-Mailbox | EmailAddresses and WindowsEmailAddress |
| 102 | publicDelegates | Exchange | Yes | No | Set-Mailbox | GrantSendOnBehalfTo |
| 103 | unauthOrig | Exchange | Yes | No | Set-Mailbox | RejectMessagesFrom |
| 104 | userCertificate | Exchange | Yes | No | Set-Mailbox | UserCertificate |
| 105 | userSMIMECertificates | Exchange | Yes | No | Set-Mailbox | UserSMimeCertificate |

Prerequisites

Before transferring the SOA from on-premises to Exchange Online, certain prerequisites must be met.

Microsoft Entra Connect version

To enable this feature, install the latest version of Entra Connect Sync. Download and install version 2.5.76.0 or higher of the Entra Connect Sync build before use. For detailed instructions on upgrading from older versions, refer to the Microsoft Entra Connect: Upgrade from a previous version to the latest documentation. If you use a version of Entra Connect Sync older than 2.5.76.0, the sync client will try to push Exchange attributes of mailboxes whose SOA has already been transferred to Entra ID, and those exports will fail. Upgrading to a newer version resolves this issue.

To confirm successful installation of the Entra Connect Sync build, navigate to Programs within the Control Panel and verify that the Microsoft Entra Connect Sync version is 2.5.76.0 or higher. Alternatively, this information may be obtained using PowerShell:

(Get-ADSyncGlobalSettings).Parameters['Microsoft.Synchronize.ServerConfigurationVersion']

Role requirements

By default, the IsExchangeCloudManaged parameter in Set-Mailbox is available to administrators with roles such as Organization Management, Recipient Management, or any custom roles derived from these. The Entra ID role Exchange Administrator also provides access to Exchange RBAC roles that include this parameter. Anyone with Exchange Administrator permissions can run Set-Mailbox -IsExchangeCloudManaged unless the parameter is specifically removed from their RBAC roles.

To manage access to this parameter, organizations should determine which roles provide access, remove the parameter from broad role groups, and create custom roles that grant or deny IsExchangeCloudManaged according to business requirements.
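An added example (not from the article) of the scoping the paragraph above recommends: inventory which roles expose the parameter, derive a helpdesk role that lacks it, and a narrow role that has little else. It assumes an Exchange Online PowerShell session held by an Organization Management member; the role, role group and member names are hypothetical.

```powershell
# 1. Which role entries expose -IsExchangeCloudManaged? Every role group
#    holding one of these roles can move a mailbox's SOA to the cloud.
$exposing = Get-ManagementRoleEntry -Identity "*\Set-Mailbox" -Parameters IsExchangeCloudManaged
$exposing | Select-Object Role | Sort-Object Role -Unique

# Who is actually assigned those roles (directly or through role groups)?
foreach ($role in ($exposing.Role | Sort-Object -Unique)) {
    Get-ManagementRoleAssignment -Role $role |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType
}

# 2. Built-in roles cannot be edited, so derive a child of "Mail Recipients"
#    and strip the parameter from its Set-Mailbox entry. Helpdesk staff
#    keep ordinary recipient management but cannot change a mailbox's SOA.
#    (Hypothetical role name.)
New-ManagementRole -Name "Mail Recipients - No SOA Change" -Parent "Mail Recipients"
Set-ManagementRoleEntry -Identity "Mail Recipients - No SOA Change\Set-Mailbox" `
    -Parameters IsExchangeCloudManaged -RemoveParameter

# 3. A narrow role for the migration team: Get-Mailbox for verification and
#    Set-Mailbox restricted to -Identity and the SOA flag. Without
#    -AddParameter/-RemoveParameter, -Parameters replaces the whole list.
New-ManagementRole -Name "Exchange SOA Operators" -Parent "Mail Recipients"
Get-ManagementRoleEntry -Identity "Exchange SOA Operators\*" |
    Where-Object { $_.Name -notin @('Set-Mailbox', 'Get-Mailbox') } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "Exchange SOA Operators\$($_.Name)" -Confirm:$false
    }
Set-ManagementRoleEntry -Identity "Exchange SOA Operators\Set-Mailbox" `
    -Parameters Identity, IsExchangeCloudManaged

# 4. Assign through a dedicated role group rather than to individuals, so
#    membership changes are visible in the admin audit log.
New-RoleGroup -Name "SOA Operators" -Roles "Exchange SOA Operators" `
    -Members "migration-admin@contoso.example"

# 5. Verify: the helpdesk role no longer exposes the parameter (no output),
#    while the operator role does.
Get-ManagementRoleEntry -Identity "Mail Recipients - No SOA Change\Set-Mailbox" -Parameters IsExchangeCloudManaged
Get-ManagementRoleEntry -Identity "Exchange SOA Operators\Set-Mailbox" -Parameters IsExchangeCloudManaged
```

Re-run step 1 after the change to confirm that only the intended roles still list the parameter.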

How to transfer Exchange attributes SOA to the cloud

A new parameter, IsExchangeCloudManaged, has been added for Exchange Online users. This property indicates whether a directory-synchronized user's Exchange attributes are managed in the cloud or on-premises. By default, the IsExchangeCloudManaged value is set to false. Note that this parameter is applicable only to mailboxes with a user whose IsDirSynced status is true. It should not be used together with any other parameters.

Important

After updating dir-synced users' mailbox attributes on-premises with Set-RemoteMailbox, allow for the usual Connect Sync cycle plus 24 hours before switching Exchange attributes to Cloud Managed. For example, if your sync takes 6 hours, wait 30 hours in total.

To configure Exchange attributes for a directory-synchronized user's mailbox to be managed in the cloud, change the user's parameter value to true. To accomplish this, open an Exchange Online PowerShell session and execute the following command for a mailbox that is located in the cloud.

Set-Mailbox -Identity <User> -IsExchangeCloudManaged $true

The status of this change can be verified by executing the following cmdlet:

Get-Mailbox -Identity <User> | Format-List Identity, IsExchangeCloudManaged

When IsExchangeCloudManaged is set to true for a mailbox synced via Entra Connect Sync, Exchange attributes stop updating from on-premises. You can then edit these attributes directly in the cloud, which was previously restricted.

Set-Mailbox -Identity <User> -CustomAttribute1 "ModifiedInTheCloud"

To find all users whose Exchange attribute SOA has been transferred to the cloud, retrieve the accounts where the IsExchangeCloudManaged property is set to true. You can use the following command:

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.IsDirSynced -eq $true -and $_.IsExchangeCloudManaged -eq $true }

How to transfer Exchange attributes SOA back to on-premises

To change the management of a user's Exchange attributes from cloud-managed to on-premises-managed, set IsExchangeCloudManaged to false. After this setting is updated, the next synchronization cycle will update the user's cloud Exchange attributes with the values from the on-premises environment.

Prior to implementing this change, ensure that any modifications made in the Cloud which must be retained in the on-premises Active Directory are properly backed up. Utilize cmdlets such as Get-Mailbox and Get-User to save relevant values, allowing for manual restoration to the on-premises environment when required.

The following command transfers the SOA for a mailbox back to on-premises-managed:

Set-Mailbox -Identity <User> -IsExchangeCloudManaged $false
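An added example (not from the article) that wraps both the transfer to the cloud and the rollback to on-premises described above: it refuses non-dir-synced mailboxes, snapshots the cloud-editable Exchange attributes with Get-Mailbox and Get-User before either direction (rollback overwrites them with on-premises values), and sets the flag on its own. It assumes an Exchange Online PowerShell session; the function names, backup folder and user address are hypothetical.

```powershell
function Backup-ExchangeSoaAttributes {
    param([Parameter(Mandatory)][string]$Identity, [string]$Folder = "C:\SoaBackup")
    # Attributes the article's table lists as editable once SOA is in the cloud.
    $props = @('Identity', 'ExternalDirectoryObjectId', 'IsDirSynced', 'IsExchangeCloudManaged',
               'EmailAddresses', 'WindowsEmailAddress', 'HiddenFromAddressListsEnabled',
               'ForwardingAddress', 'GrantSendOnBehalfTo', 'ModerationEnabled', 'ModeratedBy',
               'LitigationHoldEnabled', 'RetentionHoldEnabled', 'SingleItemRecoveryEnabled',
               'AuditEnabled', 'MailTipTranslations', 'ArchiveName')
    $props += 1..15 | ForEach-Object { "CustomAttribute$_" }
    $props += 1..5  | ForEach-Object { "ExtensionCustomAttribute$_" }
    $mbx  = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $user = Get-User -Identity $Identity -ErrorAction Stop | Select-Object AssistantName
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $file = Join-Path $Folder ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $mbx.Alias, (Get-Date))
    [pscustomobject]@{ Mailbox = ($mbx | Select-Object $props); User = $user } |
        ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Set-ExchangeSoa {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][bool]$CloudManaged)
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    # The parameter applies only to directory-synchronized mailboxes.
    if (-not $mbx.IsDirSynced) { throw "$Identity is not directory-synchronized; nothing to transfer." }
    if ($mbx.IsExchangeCloudManaged -eq $CloudManaged) {
        Write-Warning "$Identity is already in the requested state."
        return
    }
    # Snapshot first: on rollback the next sync cycle overwrites cloud edits,
    # and on transfer the snapshot records what on-premises last synchronized.
    $backup = Backup-ExchangeSoaAttributes -Identity $Identity
    Write-Host "Backed up $Identity to $backup"
    # Set the flag by itself; the article says not to combine it with other parameters.
    Set-Mailbox -Identity $Identity -IsExchangeCloudManaged $CloudManaged
    Get-Mailbox -Identity $Identity | Format-List Identity, IsDirSynced, IsExchangeCloudManaged
}

# Transfer SOA to the cloud, then make a cloud-side edit.
Set-ExchangeSoa -Identity "user@contoso.example" -CloudManaged $true
Set-Mailbox -Identity "user@contoso.example" -CustomAttribute1 "ModifiedInTheCloud"

# Later, hand SOA back to on-premises; the backup file keeps the cloud values
# for manual re-application in AD where required.
Set-ExchangeSoa -Identity "user@contoso.example" -CloudManaged $false
```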

How to create new mailboxes

New mailboxes may continue to be created using the on-premises New-RemoteMailbox cmdlet, which provisions mailboxes in the cloud, until the final Exchange Server is decommissioned or shut down. However, as the objective of this feature is to accelerate the decommissioning process for the last Exchange Server, the recommended approach for creating new mailboxes is outlined here:

  1. Create an Active Directory user in the on-premises environment and assign the required identity attributes. If a custom source anchor is used, ensure the property is assigned in the on-premises Active Directory.
  2. Entra Connect Sync will then synchronize the identity to the cloud.
  3. Use the Microsoft 365 Admin Center to assign an Exchange Online license to the user. This action provisions a mailbox in Exchange Online.
  4. Finally, use Set-Mailbox to set IsExchangeCloudManaged to true. This transfers the SOA for this user to the cloud.
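An added example (not from the article) that scripts the four steps above with readiness gates between them. Part 1 runs on a domain-joined host with the ActiveDirectory and ADSync modules; part 2 runs in an Exchange Online PowerShell session with the Microsoft.Graph module, using Set-MgUserLicense in place of the Admin Center for step 3 and assuming usageLocation is already synchronized from AD. The OU, UPN, polling interval and SKU part number are assumptions.

```powershell
# ---- Part 1 (on-premises): identity attributes only, then a delta sync ----
$upn = "jdoe@contoso.example"
New-ADUser -Name "Jane Doe" -GivenName "Jane" -Surname "Doe" -SamAccountName "jdoe" `
    -UserPrincipalName $upn -DisplayName "Jane Doe" -Department "Finance" `
    -Path "OU=Users,DC=contoso,DC=example" -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Initial password")
# No Exchange attributes are set in AD; they are managed in the cloud after step 4.
Start-ADSyncSyncCycle -PolicyType Delta

# ---- Part 2 (cloud): gate each step on the previous one having landed ----
function Wait-Until {
    # Polls $Test once a minute until it returns a non-null value or the timeout elapses.
    param([scriptblock]$Test, [string]$What, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $result = & $Test
        if ($result) { return $result }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for $What."
}

# Step 2: the synced identity must exist in Entra ID before it can be licensed.
$null = Wait-Until -What "synced user $upn" -Test {
    Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
}

# Step 3: assign an Exchange Online license (SKU part number is an assumption).
$sku = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'EXCHANGESTANDARD').SkuId
Set-MgUserLicense -UserId $upn -AddLicenses @(@{ SkuId = $sku }) -RemoveLicenses @()

# Step 4: flip SOA only once a dir-synced user mailbox has been provisioned.
$mbx = Wait-Until -What "mailbox for $upn" -Test {
    Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue |
        Where-Object { $_.IsDirSynced -and $_.RecipientTypeDetails -eq 'UserMailbox' }
}
Set-Mailbox -Identity $mbx.Identity -IsExchangeCloudManaged $true
Get-Mailbox -Identity $mbx.Identity | Format-List Identity, IsDirSynced, IsExchangeCloudManaged
```

Because this flow never uses Set-RemoteMailbox, the 24-hour wait from the Important note above does not apply; the gates only wait for sync and provisioning.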

How to delete an existing mailbox

To delete a user and their mailbox, the process requires removing the user from on-premises Active Directory, even if the attributes are managed in the cloud. When the deletion is synchronized to the cloud through Entra Connect Sync, the user's mailbox is also deleted from the cloud.

Frequently Asked Questions

❓ What will happen if I try to offboard (migrate) user's mailbox to on-premises while IsExchangeCloudManaged is true?
To offboard a mailbox from the cloud, set IsExchangeCloudManaged to false before migration. Offboarding when this attribute is true will break synchronization between on-premises Active Directory and Entra, because Exchange attributes will be treated as cloud-managed, blocking updates from on-premises.

❓ Is this feature currently available for environments that use only Entra Cloud Sync in a hybrid setup?
At this stage, the feature is available exclusively through Entra Connect Sync. Future updates will include support for writeback and Entra Cloud Sync.

❓ I use an IDM solution. Is this feature applicable to me?
Yes, this feature is applicable to you. Organizations using third-party IDM solutions are advised to confirm with their vendor regarding current or future support for this feature.