In Microsoft’s world, cloud email still often requires on-premises Exchange. Why? • The Register
Comment Microsoft customers who use Exchange Online for all of their email often still need to run Exchange on-premises to be supported – and that’s a burden they could do without as new vulnerabilities emerge.
“Last week, security researchers discussed several vulnerabilities in ProxyShell, including those that could be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities,” said the Microsoft Exchange team. “Keeping your Exchange servers up to date with the latest cumulative (CU) and security (SU) updates available is critical.”
That’s good advice, but many affected organizations prefer not to run Exchange on-premises at all. They do it because Microsoft insists on it, even when all of their mail is handled by Exchange Online.
The issue arises for any customer who deploys AD Connect, a service that synchronizes on-premises Active Directory (AD) with the Azure version.
AD Connect is almost a necessity for large organizations, because a local directory is always needed, whether it’s to manage permissions for local resources like printers or for legacy apps that require it (Sage is one example).
Microsoft’s latest big launch, Windows 365 Cloud Desktops, requires AD Connect for Enterprise plans.
On-premises AD is deeply embedded in Microsoft’s platform.
Another example of an application that integrates with AD is Microsoft’s Exchange Server, whether online or on-premises. Part of an Exchange installation is an extension of the AD schema to add data specific to Exchange. Customers without AD Connect don’t have to worry about this, as it is managed internally in Microsoft’s cloud, but once AD Connect is in the picture, synchronization requires that Exchange-specific data exist on-premises as well as online. Provisioning a new mailbox, for example, means changing that data in AD – and Microsoft has said for years that the only supported way to do that is to use on-premises Exchange.
“Customers with a hybrid configuration often find after a while that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the on-premises Exchange servers. However, they find they can no longer manage their mailboxes in the cloud,” the docs state.
Is it possible to do this with low-level tools like Active Directory Users and Computers (ADUC) or ADSIEDIT? Yes, but it is not supported. “The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is that you can use them, but they are not supported. Exchange Management Console, Exchange Administration Center (EAC) and the Exchange Management Shell are the only supported tools available to manage recipients and Exchange objects. If you decide to use third-party management tools, it would be at your own risk,” the company explains.
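To make the on-premises dependency concrete, here is an added audit script (example code, not from the article or from Microsoft) that shows what Exchange leaves behind in a synced directory: whether the Exchange schema extension is present, which Exchange servers are still registered in the AD Configuration partition, and which synced users carry Exchange recipient attributes that AD Connect keeps authoritative on-premises. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the domain, Schema and Configuration partitions; the attribute list is a typical subset, not an exhaustive one.

```powershell
# Added example (not from the article): inventory the Exchange-specific data that
# AD Connect keeps mastered on-premises, so an administrator can see what still
# depends on an on-premises Exchange server before deciding what to decommission.
Import-Module ActiveDirectory

# A subset of the attributes the Exchange schema extension adds or relies on and
# that AD Connect synchronizes to Exchange Online (assumption: typical, not complete).
$exchangeAttributes = @(
    'mail', 'mailNickname', 'proxyAddresses', 'targetAddress',
    'msExchMailboxGuid', 'msExchRecipientTypeDetails',
    'msExchRemoteRecipientType', 'msExchHideFromAddressLists'
)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# 1. Is the Exchange schema extension present? The ms-Exch-Schema-Version-Pt
#    attribute definition only exists once Exchange setup has extended the schema.
$schemaObject = Get-ADObject -Filter "name -eq 'ms-Exch-Schema-Version-Pt'" `
    -SearchBase $schemaNC -Properties rangeUpper -ErrorAction SilentlyContinue
$schemaExtended = $null -ne $schemaObject

# 2. Which on-premises Exchange servers are still registered in the Configuration
#    partition? (An empty list means no server object remains, not that the
#    Exchange data on user objects has gone away.)
$servers = Get-ADObject -Filter "objectClass -eq 'msExchExchangeServer'" `
    -SearchBase $configNC | Select-Object -ExpandProperty Name

# 3. Which users are Exchange recipients mastered on-premises? Any object with a
#    mailNickname has been provisioned through Exchange and is what the docs say
#    can only be managed with supported Exchange tools.
$recipients = Get-ADUser -LDAPFilter '(mailNickname=*)' -Properties $exchangeAttributes |
    Select-Object SamAccountName, mail, targetAddress,
                  msExchRecipientTypeDetails, msExchRemoteRecipientType

[pscustomobject]@{
    ExchangeSchemaPresent    = $schemaExtended
    ExchangeSchemaRangeUpper = $schemaObject.rangeUpper   # schema version marker
    OnPremExchangeServers    = @($servers)
    OnPremMasteredRecipients = @($recipients).Count
}

# Detail per recipient: targetAddress / msExchRemoteRecipientType being set is
# the usual sign that the mailbox itself already lives in Exchange Online.
$recipients | Format-Table -AutoSize
```

If the recipient count is non-zero while the server list is empty, the directory is in exactly the state the documentation warns about: cloud mailboxes whose attributes still have to be edited on-premises.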
Those interested in the details will find a discussion here where the implications are debated.
Microsoft will allow customers to have an on-premises Exchange license for free if this scenario applies. However, that is a small convenience when it is the security rather than the cost of the arrangement that is the concern. “It’s time to get rid of unsupported hybrid Exchange servers in Microsoft hybrid AD situations!” said a frustrated administrator in response to the latest security post.
They’re right. What is needed are cloud-based tools for mailbox management that work when AD Connect is installed, or failing that, a supported utility that manages this data on-premises without having to run Exchange.
The company has made an impressive transition from selling on-premises computing to providing public cloud, but sometimes the legacy of that technology prevents users from taking full advantage of it. This is one such case. ®