Is it the (long overdue) end of the road for on-premises Exchange Servers?

A few weeks ago, I posted a Wired.com article on my LinkedIn feed entitled “Your Microsoft Exchange Server Is a Security Liability” by Andy Greenberg.

Image Credit – Priasoft

It was a great article, released on the back of the most recent Exchange security vulnerability: this time the ProxyNotShell Zero-Day, which oddly enough took almost 2 months to patch correctly. The fix has been released as part of the November Patch Tuesday release, and there are a few prerequisites (basically, be on the latest CU version for your Exchange environments and then apply the patch).
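The prerequisite in that sentence (be on the latest CU before the SU will install) is easy to miss in a multi-server environment. The following is an added example, not code from the original post or from Microsoft: it inventories every Exchange server from the Exchange Management Shell and flags the ones whose build is below the CU you decide is required. The `$requiredBuilds` table holds placeholder values; fill it from Microsoft's "Exchange Server build numbers and release dates" page for the CU that the SU prerequisites name.

```powershell
# Added example: inventory Exchange servers and flag any below the CU build
# the security update requires. Run from the Exchange Management Shell.
# PLACEHOLDER values below are constructed, not real build numbers; replace
# them with the minimum CU build for each major version from Microsoft's
# build-number page.
$requiredBuilds = @{
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 minimum CU build
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 minimum CU build
    '15.0' = [version]'15.0.0.0'   # PLACEHOLDER: Exchange 2013 minimum CU build
}

function Get-ExchangeCuStatus {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1118.7)"; rebuild a
    # comparable [version] from it so servers can be ranked against the minimum.
    Get-ExchangeServer | ForEach-Object {
        $server = $_
        $text = "$($server.AdminDisplayVersion)"
        $m = [regex]::Match($text, 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)')
        if (-not $m.Success) {
            [pscustomobject]@{ Name = $server.Name; Roles = $server.ServerRole; Build = $text; Minimum = $null; Status = 'Unparsed' }
            return
        }
        $major   = "$($m.Groups[1].Value).$($m.Groups[2].Value)"
        $build   = [version]"$major.$($m.Groups[3].Value).$($m.Groups[4].Value)"
        $minimum = $requiredBuilds[$major]
        if (-not $minimum)          { $status = 'Unknown major version' }
        elseif ($build -ge $minimum) { $status = 'CU level OK, apply SU' }
        else                        { $status = 'Needs CU first' }
        [pscustomobject]@{
            Name    = $server.Name
            Roles   = $server.ServerRole
            Build   = $build
            Minimum = $minimum
            Status  = $status
        }
    }
}

Get-ExchangeCuStatus | Sort-Object Status | Format-Table -AutoSize
```

One caveat: `AdminDisplayVersion` only reflects the CU level. Installing an SU does not change it, so confirming that the SU itself is present means checking the file version of ExSetup.exe on each server (Microsoft's HealthChecker script from the CSS-Exchange repository does this for you).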

Image Credit – Microsoft

It's the latest in a long line of Exchange Server vulnerabilities. And it's interesting to note this line in the Microsoft Tech Community article, which states:

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.

Well, of course Exchange Online isn’t affected. And in his Wired article, Andy Greenberg makes the point that Microsoft are happy to put all of their security efforts into protecting their Exchange Online services and customers, as that makes up the majority of their customer base.

A brief history of Exchange Online

If we look back on the history of Exchange Online, it all started with BPOS way back in 2008. At the time of release, Microsoft had been privately offering customers a hosted email service since early 2007. That was around the time that Exchange Server 2007 was released, and it was also the time when Exchange started to get really complicated as regards the amount of different server roles involved and the overhead involved in maintaining them.

Now let's just put one thing on record. I would never dream of believing that Microsoft would conspire to over-complicate an on-premises solution with the intention of pushing more customers towards a cloud offering. I mean, they wouldn’t, would they?

There was always an option for having a separate Front-End server, and the solution could sometimes be integrated with the long gone but not forgotten ISA Server.

A look at the diagram below shows us the evolution of how Exchange roles have changed since 2000/2003 versions, and have pretty much rolled back into less complicated instances with the release of 2016/2019 versions:

Image Credit – devco.re

Whether Microsoft intended to make Exchange Server more complicated or not, segregation of those roles was needed due to the evolution of security threats and the rate of attacks that were happening on Exchange Server installations. What it did, though, was make Exchange a monster to manage from an administration perspective. Almost to the point that it made the decision to migrate to Exchange Online easier, as it offset the cost for some organisations of hiring a full-time Exchange Administrator to manage that environment.

So I should Migrate?

The easy answer to that is yes, you should migrate. There are a number of factors to take into consideration in answering that question:

  • As we saw in the recent ProxyNotShell Zero-Day and the length of time it took to remediate, Microsoft really doesn’t care about on-premises Exchange anymore. From Andy’s Wired article, the quote from Microsoft states that: "We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats".
  • The recent announcement that the next CU release will only be for Exchange Server 2019 (CU13). Because 2013 (which goes EOL in April 2023) and 2016 are now in Extended support, there will only be Security Updates released as required (such as the patch for the Zero-Day). But in order to install that and to get support from Microsoft, you must be on the most recent (and last) CU version.
  • There hasn’t been an Exchange Server 2022 release yet. This was touted as being released in late 2021, and early indications were that this would be a subscription-based service. The latest update on this was released in this post in June 2022, where the updated roadmap is to release the next Exchange Server version in 2025. Are we really prepared to wait that long if the vulnerabilities continue at this rate? Again, the interesting quote to take out of this release is: The next version will require Server and CAL licenses and will be accessible only to customers with Software Assurance, similar to the SharePoint Server and Project Server Subscription Editions.
  • If you decide to migrate to Exchange Online, what does your business want to get out of the migration? It's the question that's rarely asked, but it's the most important one for any migration scenario. Because unlike 15 years ago, when it was hosted Email and SharePoint with Live Meeting thrown in, Microsoft 365 is an extensive offering of Apps, Services and Licensing options and can open a gateway to a full cloud migration if planned correctly.
  • You can go for the Basic plans such as Business Basic or Office 365 E1 and “just” have Email, SharePoint and Teams if you want. But go a little further, take Office licensing into the equation, and maybe Defender, and then maybe Azure Virtual Desktop rights. The opportunities are there; it’s not just about lifting and shifting the tech anymore. You can check out my previous post on the different licensing options here.

Why can’t everyone just migrate to Exchange Online?

The majority of companies have already migrated to Exchange Online – nearly 350 million Office 365 users running over 7 billion (yes, billion) mailboxes on 300,000 Exchange Online instances on servers running in Microsoft datacenters across the world.

There are those special cases who still need Exchange Servers On-Premises, and those servers need to be hardened or have specialist teams supporting them.

Then there are those companies that have specific Data Residency requirements. And that's really all they say… "We're not moving our data into the Cloud". It shows a lack of understanding of how Data Residency in Exchange Online works. Depending on where you are in the world, you can find out on this site the different options for where your Microsoft 365 data would be stored post-migration, depending on the options you select at tenant creation and also on which datacenters the services are available in around the world (for example, Forms is not available in all datacenters, only some US ones).

Conclusion

Having your data secured by Microsoft is better than having your data potentially exposed because of a mistrust or misunderstanding of what the cloud can offer as regards data residency. You also have the admin overhead of managing and securing your Exchange environment.

I think it's the end of the road for Exchange Server – while a migration may sound painful to some, a compromised server is much worse.

Hope you enjoyed this post, until next time!

100 Days of Cloud – Day 84: MS-220 Exam Review and Study Guide

It's Day 84 of my 100 Days of Cloud journey, and last week I sat Exam MS-220: Troubleshooting Microsoft Exchange Online (beta).

The reason I chose to take this exam was that I have a number of years of experience in Exchange Online, both migrating from on-premises Exchange environments, working in hybrid environments and managing full Exchange Online deployments from licensing in Microsoft/Office365 (and BPOS back in the old days!!) right up to mailbox management and compliance.

In this post, I’ll attempt to give an NDA-friendly exam review, and also provide a study guide and useful links to enhance your chances of success in this exam.

Exam Overview

According to the official release article on the Microsoft Learn Blog, the MS-220 exam is aimed at:

Support engineers are professionals who have the energy and expertise to resolve difficult technical issues. They also drive the resolution of highly complex support incidents related to solution-specific development and deployment. In addition to collaborating with other technical specialists on case reviews, troubleshooting, and effective customer interaction, support engineers also:

  • Own, troubleshoot, and solve technical issues, using collaboration, best practices, and transparency within and across teams.
  • Identify technical or strategic cases that require escalation.
  • Create and maintain incident management requests for the product group or engineering group.
  • Contribute to case deflection initiatives, automation, and other digital self-help assets to improve customer and engineer experience.

So let's say this straight away and simplify the statement above – this is a technical exam. It is difficult, and having worked with these technologies for a number of years I can tell you that I found it challenging! Also, because I took it in beta, I don’t know if I’ve passed it yet, and like all exams you are never really certain until the screen at the end gives you the result or the confirmation email comes in with the beta results.

An NDA-friendly review

I had already tweeted an NDA-friendly thread here, but let's just cover off the highlights and my thoughts on the exam:

  • Firstly, the exam is challenging and is true to the exam objectives and learning paths covered by Microsoft Learn. This is not an exam for beginners – I have over 10 years of experience in managing Exchange On-Prem, Online and Hybrid environments and I found this challenging.
  • Despite the recent “shift to cloud” that happened last year with the cancellation of Server (MCSE) and Exchange certs, Microsoft clearly feels that there is enough merit to introduce certs that cover hybrid scenarios and follows on from the addition of the AZ800/801 certs.
  • The skills measured are fully covered and nicely weighted across the exam.
  • The PowerShell on the exam was complicated and it tests your ability to understand the correct command structure to use, while also testing your real-world experience of using PowerShell commands to diagnose the issues presented in the question set.

Study Guide

So let's put together a Study Guide. The first port of call when studying for this exam should be the Microsoft Learn modules for Troubleshoot Microsoft Exchange Online.

Now, let's look at the skills measured list to see how the exam objectives are weighted:

  • Troubleshoot mail flow issues (20–25%)
  • Troubleshoot compliance and retention issues (25–30%)
  • Troubleshoot mail client issues (20–25%)
  • Troubleshoot Exchange Online configuration issues (15–20%)
  • Troubleshoot hybrid and migration issues (10–15%)

Let's break down the content in each of these sections and provide links for each of the skills being assessed under each heading:

  • Troubleshoot mail flow issues (20–25%)
  • Troubleshoot compliance and retention issues (25–30%)
  • Troubleshoot mail client issues (20–25%)
  • Troubleshoot Exchange Online configuration issues (15–20%)
  • Troubleshoot hybrid and migration issues (10–15%)

Conclusion

MS-220 is not a beginner's exam; you need to have a lot of experience in Exchange Hybrid, On-Premises and Online and in all areas covered in the Skills Measured.

Hope you enjoyed this post and found it useful, until next time!

100 Days of Cloud – Day 76: Exchange Hybrid

It's Day 76 of my 100 Days of Cloud journey, and as promised today's post is taking a closer look at how Exchange Hybrid configuration works.

In the last 2 posts, we’ve looked at the following:

  • The different authentication methods available.
  • Ways to protect both our administrator and user accounts.
  • Preparing the key attributes in our Active Directory for synchronization.
  • Created our Microsoft 365 Trial tenant.
  • Added our production domain and saw how DNS records could be added.
  • Installed and configured Azure AD Connect and looked at the different options for user synchronization and authentication.

While looking at our DNS records, we decided not to implement them as we wanted to configure an Exchange Hybrid environment. This is one of the options available to you once you start to plan your cloud migration journey.

Lets take a look at what the benefits are, and how it works.

Exchange Hybrid explained

There is a saying I’ve heard in the IT industry for years – “It's easy to get your data into the Cloud, but it's not easy to get it out”.

I’ll take a further look at the different migration options available to you in the next post; however, all of these options are “on-board” only, which means that you can only migrate your on-premises mailboxes to Microsoft 365, but cannot migrate them out.

Exchange Hybrid is the only option where you can both “on-board” and “off-board” users. You maintain at least one of your on-premises Exchange Servers, and install the Hybrid Agent, which allows communication between your on-premises environment and Microsoft 365.

The key features offered in a Hybrid deployment are:

  • Secure mail routing between on-premises and Exchange Online organizations.
  • Both on-premises and Exchange Online organizations use the same shared domain namespace or SMTP domain.
  • A unified global address list (GAL), also called a “shared address book.”
  • Free/busy and calendar sharing between on-premises and Exchange Online organizations.
  • Centralized control of inbound and outbound mail flow. All inbound and outbound Exchange Online messages can be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the on-premises and Exchange Online organizations.
  • The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
  • Centralized mailbox management using the on-premises Exchange admin center (EAC).
  • Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.

An example of how a typical Exchange Hybrid deployment works is shown in the diagram below:

Image Credit: Microsoft

Prerequisites

The following prerequisites need to be in place before creating your Hybrid Deployment:

  • Exchange Server Roles:
    • 2016 and newer: Mailbox Server Role.
    • 2013: At least one instance of Mailbox and Client Access Server roles (preferably on one server).
    • 2010: At least one instance of the Mailbox, Hub Transport and Client Access Server roles (preferably on one server).
  • A Microsoft 365 or Office 365 plan that supports Directory Synchronization.
  • Active Directory synchronization: Deploy the Azure Active Directory Connect tool to enable Active Directory synchronization with your on-premises organization.
  • Autodiscover DNS records.
  • Valid digital Certificates from a trusted public CA.
  • EdgeSync is required if you’ve deployed Edge Transport servers in your on-premises organization and want to configure the Edge Transport servers for hybrid secure mail transport.
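Two of the prerequisites above (Autodiscover DNS records and a certificate from a trusted public CA) are the ones the Hybrid Configuration Wizard most often stumbles on, so they are worth checking before you start. The following is an added example, not code from the original post or from Microsoft. `contoso.com` and `mail.contoso.com` are placeholders for your SMTP domain and the external FQDN of your Exchange servers. The DNS checks run on any Windows machine with the DnsClient module; the certificate check needs the Exchange Management Shell. The MX lookup goes slightly beyond the list above, since hybrid mail routing still depends on the domain's public MX.

```powershell
# Added example: pre-flight checks for the Autodiscover DNS and public
# certificate prerequisites of an Exchange Hybrid deployment.
$smtpDomain   = 'contoso.com'        # PLACEHOLDER: your accepted SMTP domain
$externalFqdn = 'mail.contoso.com'   # PLACEHOLDER: external Exchange host name

function Test-HybridDnsPrerequisites {
    param([string]$Domain)
    $results = @()

    # Autodiscover is satisfied by either a CNAME to the Exchange host or an A record.
    $auto  = Resolve-DnsName -Name "autodiscover.$Domain" -ErrorAction SilentlyContinue
    $cname = $auto | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $aRec  = $auto | Where-Object Type -eq 'A'     | Select-Object -First 1
    if ($cname)     { $autoResult = "CNAME -> $($cname.NameHost)" }
    elseif ($aRec)  { $autoResult = "A -> $($aRec.IPAddress)" }
    else            { $autoResult = 'MISSING' }
    $results += [pscustomobject]@{ Check = "autodiscover.$Domain"; Result = $autoResult }

    # MX: list every host in preference order so you can see where mail lands today.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'MX' | Sort-Object Preference
    if ($mx) { $mxResult = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; ' }
    else     { $mxResult = 'MISSING' }
    $results += [pscustomobject]@{ Check = "MX $Domain"; Result = $mxResult }

    $results
}

function Test-HybridCertificatePrerequisites {
    param([string]$ExpectedHost)
    # A certificate usable for hybrid must come from a public CA (not self-signed),
    # be inside its validity period, cover the external host name, and be enabled
    # for both IIS (Autodiscover/EWS) and SMTP (secure mail transport).
    Get-ExchangeCertificate | ForEach-Object {
        $cert     = $_
        $services = "$($cert.Services)"
        $domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $covers   = $domains -contains $ExpectedHost
        $valid    = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Expires     = $cert.NotAfter
            SelfSigned  = $cert.IsSelfSigned
            CoversHost  = $covers
            IIS         = ($services -match 'IIS')
            SMTP        = ($services -match 'SMTP')
            HybridReady = (-not $cert.IsSelfSigned) -and $valid -and $covers -and
                          ($services -match 'IIS') -and ($services -match 'SMTP')
        }
    }
}

Test-HybridDnsPrerequisites -Domain $smtpDomain | Format-Table -AutoSize
Test-HybridCertificatePrerequisites -ExpectedHost $externalFqdn | Format-Table -AutoSize
```

The host-name match is an exact comparison, so a wildcard certificate (`*.contoso.com`) will show `CoversHost` as false even though the wizard accepts it; treat that column as a prompt to look, not a verdict. Run the certificate check on every server that will take part in hybrid transport, because `Get-ExchangeCertificate` only returns the local server's store by default.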

Installation

To install and configure the Exchange Hybrid deployment, you first go to the Exchange Online admin center, open the “hybrid” menu and select the option to configure an Exchange Hybrid deployment:

This will redirect you to download the Hybrid Configuration Wizard. The wizard will run through each screen and present you with the options required.

While all of the options and screens are important during the setup, the main ones to look for are:

  • Choosing a Minimal or Full Hybrid deployment: this provides the option to use the deployment with minimal configuration for migration purposes only, or else to make use of the full features of the deployment.
  • Bi-directional Transport Configuration for Client Access and Mailbox Servers, and also Edge Servers for secure transport:

Once the wizard completes, you will be able to log onto Exchange Online and complete a migration of an on-premises user by selecting them from the Global Address List. You can also migrate the users back to the on-premises Exchange.

There are some excellent “how-to” articles on how this process works, this article at Azure365Pro is worth a read to see how the process works in full.

Is it worth doing?

And so we come to the main question.

A lot of people either haven’t heard of Hybrid deployments, because the assumption is that any migration to Microsoft 365 will be done by the traditional methods (Cutover/Staged/IMAP), or else don’t want to invest in a Hybrid deployment because of the complexity of the environment and also the costs involved in maintaining infrastructure.

We have to remember that one of the drivers for moving to Microsoft 365 is removing the overhead of maintaining an on-premise email environment.

The other point that needs to be made is that when you have migrated all of your mailboxes to Microsoft 365 and want to decommission the Hybrid deployment, all of your mailboxes then need to become fully cloud-managed identities. There is also a consideration around 3rd-party services that use Exchange for SMTP communications.
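That last consideration is the one that tends to surface after the servers are switched off: scanners, line-of-business applications and monitoring tools that quietly relay through on-premises Exchange. The following is an added example, not code from the original post or from Microsoft, that uses the message tracking log to list which client IPs still submit mail over SMTP, and which receive connectors allow anonymous submission. The 14-day lookback and the use of the local server name are assumptions; widen the window to match your tracking-log retention and run it on each server that accepts relay traffic.

```powershell
# Added example: find devices and applications that still relay mail through
# on-premises Exchange before the hybrid servers are decommissioned.
# Run from the Exchange Management Shell.
$lookback = (Get-Date).AddDays(-14)   # assumption: 14 days of tracking logs are retained

function Get-SmtpRelayClients {
    param([datetime]$Start, [string]$ServerName = $env:COMPUTERNAME)
    # RECEIVE events with Source SMTP are messages accepted over a receive
    # connector (as opposed to mailbox submissions). Group them by client IP
    # and connector to see who still depends on this server.
    Get-MessageTrackingLog -Server $ServerName -Start $Start -EventId RECEIVE -ResultSize Unlimited |
        Where-Object { $_.Source -eq 'SMTP' } |
        Group-Object ClientIp, ConnectorId |
        ForEach-Object {
            $sample = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                ClientIp  = $sample.ClientIp
                Connector = $sample.ConnectorId
                Messages  = $_.Count
                Senders   = (@($_.Group.Sender) | Sort-Object -Unique) -join ', '
                LastSeen  = ($_.Group.Timestamp | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Messages -Descending
}

function Get-AnonymousRelayConnectors {
    # Connectors that grant the AnonymousUsers permission group are the ones
    # unauthenticated devices submit to; each must be re-homed or replaced
    # (for example with SMTP AUTH or direct send to Exchange Online) before
    # the server goes away.
    Get-ReceiveConnector | Where-Object { "$($_.PermissionGroups)" -match 'AnonymousUsers' } |
        Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups
}

Get-SmtpRelayClients -Start $lookback | Format-Table -AutoSize
Get-AnonymousRelayConnectors | Format-List
```

`PermissionGroups` is a coarse filter: whether a connector actually relays to external recipients also depends on the `ms-Exch-SMTP-Accept-Any-Recipient` extended right being granted to anonymous logon (`Get-ADPermission` on the connector shows it). The tracking-log output is the more reliable inventory, because it records what is really using the server rather than what is merely permitted.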

Conclusion

So that's a look at how you can use Hybrid Configuration to enable your on-premises Exchange environment to co-exist with your Microsoft 365 tenant during the migration process.

In the next post, we’ll look at the different mailbox migration options available. Hope you enjoyed this post, until next time!