Cloud‑Only Mailboxes: The Exchange Update That Changes Everything!

🚨 My planned follow-up post on AU and RAU will have to wait a little, because this is breaking news!🚨

Exchange admins: On August 20, Microsoft quietly rolled out a long‑awaited capability: The power to convert hybrid mailboxes (migrated or hybrid‑created) into true cloud‑only mailboxes. For the first time, you can manage them entirely in Exchange Online without touching your on‑premises Exchange server.

This feature marks an important milestone in Microsoft’s journey to eliminate the need for on-premises Exchange management once your mailboxes are in Exchange Online. It simplifies administration, reduces infrastructure dependencies, and moves you closer to a truly cloud-native setup.

👉 Beware: This feature is currently in PUBLIC PREVIEW 👈

A quick recap of Exchange mailbox migration

For most organizations which moves from Exchange on-premises to Exchange online, the job goes as follows.

• Establish a hybrid connection between Exchange on-premises and Exchange Online
• Migrate mailboxes to Exchange Online over the hybrid connection
• Remove hybrid connection after the mailboxes are migrated and no SMTP relay or similar features are needed.
• Mailboxes for user accounts synced from AD to Entra must be managed on-premises. Their attributes are read-only in the cloud

This is one of the primary reasons you need to keep an Exchange server remaining on-premises. To make changes to Exchange-related attributes for so-called “Remote mailboxes”. As mentioned, their Exchange-related attributes are read-only in the cloud.

We can now convert a hybrid mailbox to cloud-only!🥳

Prerequisites:

• Microsoft Entra Connect Sync version 2.5.76.0 or higher.
  • Same version as you need when changing the SOA for security groups… 🤔

• No official requirement for a specific version of ExchangeOnlineManagement PowerShell module, and the relevant option “-IsExchangeCloudManaged” does not appear in the release notes and is not listed on Microsoft Learn. But it is tested with version 3.9.0.

I will now walk you through this new feature, using the following environment:

• Exchange hybrid environment
• 2 Mailboxes are migrated to the cloud, 5 remain on-premises
• One of the migrated mailboxes will be made cloud-only and we will look at the difference

In Exchange on-premises we see that 2 mailboxes, Ned Stark and Catelyn Stark, are migrated to the cloud.

We can further prove this with PowerShell and see that they are the type “RemoteUserMailbox” with status “Migrated” and the “Distinguishedname” shows the object are placed in the on-premises AD.

Mailbox conversion is actually a Source of Authority (SOA) change.

This may seem very familiar, because it is very similar to the changing of the security group SOA which I wrote a blog post about two weeks ago. But the whole magic here is a new attribute on the mailbox named “IsExchangeCloudManaged“. By default, this attribute is set to false. Changing it to true updates the mailbox’s Source of Authority (SOA), making it managed by Exchange Online, even though the user account remains synchronized from Active Directory.

While connected with PowerShell to Exchange Online, I check my 2 mailboxes and their status with this PowerShell 1-liner.

Get-Mailbox | where {$_.DisplayName -like "*Stark"}| Select primarysmtpaddress, IsExchangeCloudManaged

Before conversion

So to confirm that these mailboxes are still managed on-premises, I attempt to hide Ned stark from the Global Address list using PowerShell connected to Exchange Online. This is expected to fail.

Set-Mailbox -Identity "Ned.Stark" -HiddenFromAddressListsEnabled $true

This fails as expected because the mailbox’s SOA in Exchange on-premises and it is supposed to be managed from there. (Hence why you need that last Exchange management server on-premises).

Changing the SOA of a mailbox

So let us change SOA for Ned Starks mailbox and try again to hide him from the Global Addresslist.

Set-Mailbox -Identity "Ned.Stark" -IsExchangeCloudManaged $true # This changes the SOA of the specified mailbox
Get-Mailbox | where {$_.DisplayName -like "*Stark"}| Select primarysmtpaddress, IsExchangeCloudManaged # Check status of SOA for the mailboxes

After changing the SOA we can see the “IsExchangeCloudManaged” attribute is now true and we can again try to hide him from the Global Addresslist

Set-Mailbox -Identity "Ned.Stark" -HiddenFromAddressListsEnabled $true

The command succeeds without any error, and we can confirm the setting “HiddenFromAddressListsEnabled” has been changed to True.

Get-Mailbox | where {$_.DisplayName -like "*Stark"}| Select primarysmtpaddress, HiddenFromAddressListsEnabled

We have now verified that Ned is now hidden and the attribute was changed directly in Exchange Online, which previously failed before we changed the SOA of his mailbox.

Which attributes can be changed on Exchange Online?

In general, most Exchange related attributes can be edited in Exchange Online after the SOA of the mailbox has been changed to Exchange Online. Most noticeable is the attribute “mailnickname” which is actually an identity-attribute and not an Exchange-attribute. The complete list from Microsoft is located in this technical article from Microsoft.

Summarized:

• Exchange attributes related to remote mailbox can be edited in Exchange Online. Sync will not overwrite with values on-premises. On-premises Exchange attributes will, for now, NOT be updated with values from Exchange Online.
• User attributes will remain read-only in the cloud and must be managed in Active Directory on-prem.

Notes about the rollout!

According to the announcement from Microsoft this feature is released in two phases:

Phase 1 has started and allows admin to change SOA on a per-mailbox basis, which I demonstrated above. It will also, probably in September, introduce an organization-level settings which can enable cloud-managed Exchange attributes by default for newly synced users. There is no attribute writeback to on-premises, so changes on Exchange attributes in Exchange Online will NOT be reflected in Exchange on-premises! This is a very important detail if you have a mix of on-premises and Online mailboxes.

Phase 2 will add writeback for “critical Exchange properties” back to on-premises. The technical article I linked above also shows which attributes will and will not have this writeback capability. The announcement (linked above) also states that customers will have to use Entra Cloud Sync which suggest Entra Connect Sync will not support this. 😱 Microsoft will release more information on a later time. There are no ETA for phase 2 as of today.

What about contacts, shared mailboxes, meeting rooms, groups etc?

How about mailbox deletion?

To delete a mailbox, you need to remove the user from Active Directory on-prem, regardless if the user has switched Mailbox SOA to Exchange Online or not. The mailbox is then deleted from the cloud at the next synchronization to Entra.

Next steps…

This new capability to convert hybrid mailboxes into cloud-only ones is a major step forward in simplifying Exchange management. By shifting the Source of Authority (SOA) to Exchange Online, admins can finally manage mailboxes directly in the cloud for users synced from Active Directory

That said, the lack of writeback (for now) and the absence of support for contacts or distribution groups are significant gaps Microsoft must address.

Without disciplined routines, it’s all too easy for admins to slip back into old habits of making changes on‑prem when those mailboxes should now be managed in the cloud. Remember: Once the SOA changes, any updates made on‑prem won’t sync to the cloud.

Success with this feature depends on clear processes, updated documentation, and consistent training for your team.