Microsoft is changing how hybrid authentication works between on-premises Exchange servers and Exchange Online. The long-standing Shared Service Principal (“Office 365 Exchange Online”, App ID 00000002-0000-0ff1-ce00-000000000000) will no longer be supported. Each tenant must deploy a dedicated Entra enterprise application by October 31, 2025.
If this is not done, the Rich Coexistence features that on-premises users rely on against cloud mailboxes (Free/Busy lookups, MailTips, and profile photos) will stop working permanently after October 31, 2025. In addition, Microsoft will enforce two temporary blocking periods in September and October to push organizations to act before the deadline.
TL;DR: Microsoft is retiring the Shared Service Principal for Exchange Hybrid. By October 31, 2025, you must deploy a dedicated Entra enterprise app or lose hybrid features like Free/Busy, MailTips, and profile photos.
The Shared Service Principal has long been used to streamline hybrid coexistence. However, it relies on shared authentication identifiers and certificates uploaded by customers to a global object in Microsoft Entra. This method introduces a security risk: if certificates are compromised, they could be misused across multiple tenants.
To address this issue, Microsoft now mandates a dedicated enterprise application for each tenant. Each organization will have its own distinct identity object, uploaded keys, and full control over certificate lifecycle management.
This shift achieves:
Tenant isolation: No more shared credentials across customers.
Reduced attack surface: Only your organization’s keys are valid for your tenant.
Operational clarity: Easier to manage, audit, and rotate certificates.
Starting November 1, 2025, if you have not deployed and activated the dedicated Entra app, the following Rich Coexistence features will cease to function in the on-premises environment when accessing Exchange Online:
Free/Busy lookups (on-premises user querying the calendar availability of a cloud mailbox)
MailTips (informational warnings such as “recipient is out of office” or “message size too large”)
Profile photos
Other hybrid features remain fully functional: mail flow, migrations, recipient management, and directory synchronization are not affected.
Important clarification: The reverse direction, from Exchange Online to your on-premises organization, remains unaffected. Exchange Online will continue to query Free/Busy for on-premises mailboxes. The disruption only impacts the on-premises-to-cloud direction.
To ensure organizations cannot overlook the change before it's too late, Microsoft has arranged two temporary blocking periods:
September 16–17, 2025: a 2-day block
October 7–9, 2025: a 3-day block
During these periods, Free/Busy, MailTips, and profile photos will be unavailable if your environment continues to depend on the Shared Service Principal. These blocks serve as intentional “wake-up calls.”
After October 31, 2025, the block will become permanent, with no exceptions or bypasses.
The new dedicated hybrid application is a Microsoft Entra enterprise app created specifically for your tenant. Its name follows the format ExchangeServerApp-{GUID}. This app has a single purpose: to enable your on-premises Exchange servers to securely authenticate with Exchange Online for hybrid coexistence.
There are two supported ways to create and configure this application:
1. PowerShell script (ConfigureExchangeHybridApplication.ps1)
2. Hybrid Configuration Wizard (HCW) (updated version)
Microsoft recommends the script because it completes the process end-to-end, including activation of the new app and cleanup of the Shared Service Principal.
To support the new authentication model, your on-premises Exchange servers must be updated to specific builds:
You need to deploy the dedicated hybrid app if all three conditions apply:
You run a hybrid Exchange environment with both on-premises and cloud mailboxes.
You use (or want to continue using) Rich Coexistence features like Free/Busy, MailTips, or profile photos between environments.
Your servers are on a supported build, but you have not yet created and activated the dedicated app.
If you no longer need Rich Coexistence features, you could technically skip the app deployment. However, Microsoft strongly recommends cleaning up the old Shared Service Principal, even in this case, to eliminate unused certificates and reduce risk.
Once the app has been created and activated, you should:
Successful tests confirm that your Exchange environment is using the dedicated app rather than the Shared Service Principal.
One of the final and crucial security steps is to remove your old certificates from the Shared Service Principal. This process deletes the KeyCredentials that your organization had uploaded to the global “Office 365 Exchange Online” app.
Keeping them in place does not disrupt functionality, but it does leave behind unnecessary attack vectors. Removing them helps you:
“Mail flow will break.” No: mail flow, migrations, and recipient management are unaffected. Only Free/Busy, MailTips, and profile photos from on-premises to cloud are at risk.
“We only use Free/Busy occasionally, so we can ignore this.” Not true: the temporary enforcement windows will disrupt you regardless of how often the features are used, and the permanent block is unavoidable.
“The Hybrid Configuration Wizard takes care of everything.” Not quite: it creates the app but does not enable it automatically, and it does not clean up the Shared Service Principal.
“We don’t use HCW at all, so we don’t need the app.” If you have never configured hybrid coexistence and do not require these features, you may not need the app. But double-check your setup before assuming you are exempt.
The dedicated app is not the end of the journey. Microsoft has already announced that Exchange hybrid features will eventually transition from Exchange Web Services (EWS) to Microsoft Graph APIs.
This move will introduce:
The first server updates to support Graph are planned for Q3 2025, and Microsoft intends to enforce the full transition by October 2026. Organizations that deploy the dedicated app now will be well-positioned to adopt Graph when it becomes mandatory.
Update servers: Ensure all hybrid servers are on supported builds.
Choose your method: Use the PowerShell script (preferred) or the updated HCW to create the app.
Grant admin consent: Tenant-wide approval is required for the app to function.
Enable the feature: Confirm that your on-premises Exchange organization is actively using the dedicated app.
Clean up the old principal: Remove legacy certificates from the Shared Service Principal.
Test thoroughly: Free/Busy, MailTips, and profile photos must work reliably before the first enforcement window in September.
Document and monitor: Record app IDs, certificate lifetimes, and set reminders for renewals.
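The verification, cleanup and documentation steps above can be checked from a single read-only script. The following is an added example, not code from the original post and not Microsoft's ConfigureExchangeHybridApplication.ps1: it is meant to be run from the Exchange Management Shell on an on-premises hybrid server, after Connect-MgGraph with at least Application.Read.All. It assumes the Microsoft.Graph PowerShell SDK is installed, that the dedicated app's display name starts with ExchangeServerApp- (as described above), and that the Exchange Online EWS endpoint is https://outlook.office365.com/ews/exchange.asmx. The $ProbeMailbox parameter is any on-premises mailbox you pick for the OAuth test. Nothing in the script changes state; it only reports what you need to record and what still needs cleanup.

```powershell
<#
  Added example (not from the original post or from Microsoft).
  Read-only inventory of the hybrid OAuth configuration:
    1. which on-prem auth certificate is in use and when it expires
    2. which AuthServer objects the on-prem organization trusts
    3. whether a dedicated ExchangeServerApp-{GUID} app exists and which keys it holds
    4. whether certificates are still uploaded to the Shared Service Principal
    5. whether an on-prem mailbox can reach Exchange Online EWS with OAuth
  Prerequisites (assumed): Exchange Management Shell, Microsoft.Graph SDK,
  Connect-MgGraph -Scopes Application.Read.All already done.
#>
param(
    [Parameter(Mandatory)] [string] $ProbeMailbox,   # on-prem mailbox used for Test-OAuthConnectivity
    [int] $WarnDays = 60                              # flag any certificate expiring within this window
)

$SharedAppId = '00000002-0000-0ff1-ce00-000000000000'          # "Office 365 Exchange Online"
$EwsTarget   = 'https://outlook.office365.com/ews/exchange.asmx' # assumed EXO EWS endpoint
$WarnBefore  = (Get-Date).AddDays($WarnDays)

function Write-Finding {
    param([string]$Check, [string]$Detail, [string]$Status)
    [pscustomobject]@{ Check = $Check; Detail = $Detail; Status = $Status }
}

# 1. On-prem OAuth certificate: thumbprint and expiry (record these per the checklist above).
$authConfig = Get-AuthConfig
$authCert   = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
Write-Finding 'On-prem auth certificate' "$($authCert.Thumbprint) expires $($authCert.NotAfter)" `
    $(if ($authCert.NotAfter -lt $WarnBefore) { 'EXPIRES SOON' } else { 'OK' })

# 2. AuthServer objects. On builds that support the dedicated app, ApplicationIdentifier
#    is populated when the on-prem organization has been switched to it (assumed property name).
foreach ($as in Get-AuthServer) {
    $appId = if ($as.PSObject.Properties['ApplicationIdentifier']) { $as.ApplicationIdentifier } else { '' }
    Write-Finding "AuthServer $($as.Name)" "Type=$($as.Type) Enabled=$($as.Enabled) AppId=$appId" `
        $(if ($as.Enabled) { 'OK' } else { 'DISABLED' })
}

# 3. Dedicated app in Entra: must exist, and its uploaded keys should not be close to expiry.
$dedicated = @(Get-MgServicePrincipal -Filter "startswith(displayName,'ExchangeServerApp-')")
if ($dedicated.Count -eq 0) {
    Write-Finding 'Dedicated hybrid app' 'No ExchangeServerApp-* service principal found' 'MISSING'
}
foreach ($sp in $dedicated) {
    Write-Finding 'Dedicated hybrid app' "$($sp.DisplayName) AppId=$($sp.AppId)" 'OK'
    foreach ($key in $sp.KeyCredentials) {
        Write-Finding "  key $($key.KeyId)" "$($key.DisplayName) ends $($key.EndDateTime)" `
            $(if ($key.EndDateTime -lt $WarnBefore) { 'EXPIRES SOON' } else { 'OK' })
    }
}

# 4. Shared Service Principal: any KeyCredentials left here are the legacy certificates
#    the post says to remove once the dedicated app is active.
$shared = Get-MgServicePrincipal -Filter "appId eq '$SharedAppId'"
$leftover = @($shared.KeyCredentials)
Write-Finding 'Shared Service Principal keys' "$($leftover.Count) KeyCredential(s) still uploaded" `
    $(if ($leftover.Count -gt 0) { 'CLEANUP NEEDED' } else { 'OK' })
foreach ($key in $leftover) {
    Write-Finding "  legacy key $($key.KeyId)" "$($key.DisplayName) ends $($key.EndDateTime)" 'REMOVE'
}

# 5. End-to-end OAuth check from on-prem to Exchange Online EWS (the path Free/Busy and MailTips use).
$oauth = Test-OAuthConnectivity -Service EWS -TargetUri $EwsTarget -Mailbox $ProbeMailbox
foreach ($r in $oauth) {
    Write-Finding "OAuth EWS: $($r.Task)" "$($r.Detail)" "$($r.ResultType)"
}
```

Run it once before the first enforcement window and again after the cleanup step; the only acceptable end state is a dedicated app with non-expiring keys, zero leftover KeyCredentials on the Shared Service Principal, and a successful Test-OAuthConnectivity result. Because the script never writes anything, it is safe to schedule as a recurring check alongside whatever monitoring you already have.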
Hybrid environments are already complex, and changes like the dedicated Entra app requirement add another moving part that administrators must manage. It is not enough to configure the new application once; you also need visibility into whether Free/Busy lookups, MailTips, and profile photos continue to work reliably after the cutover, if certificates are nearing expiration, and if authentication requests are flowing as expected. This is where ENow’s monitoring solutions for Exchange Server and Exchange Online become invaluable. With real-time insights, proactive alerts, and hybrid-specific health checks, ENow helps you detect issues before users are affected. Instead of waiting for the next enforcement window to find a problem, you can continuously verify that your hybrid coexistence remains healthy and compliant with Microsoft’s evolving requirements.
This change is not optional.
If you still rely on hybrid coexistence features, you must deploy the dedicated Entra app by October 31, 2025.
Failing to do so will not only result in two disruptive enforcement windows in September and October but will also permanently disable key hybrid functionality thereafter. Acting now ensures business continuity, closes a known security gap, and prepares your environment for the next stage of Microsoft’s hybrid evolution.
Additional Resources