For years, maintaining a hybrid Exchange environment has meant one frustrating dependency: keeping at least one on-premises Exchange Server running. Why? Because it held the Source of Authority (SOA) for managing critical Exchange attributes—like email addresses, aliases, and address list visibility—for your cloud mailboxes.
That era is ending. Microsoft has rolled out a groundbreaking feature that shifts the SOA for these attributes to Exchange Online, giving admins true cloud-first management capabilities aimed at enabling the decommissioning of the Last Exchange Server (LES). This advancement is especially valuable in IT Services Mergers and Acquisitions projects, where organizations need to streamline hybrid Exchange dependencies and simplify post-migration environments.
The Big Win: Pros of Cloud Management
This is great news for organizations looking to simplify infrastructure and operations.
| Benefit | Why It Matters |
|---|---|
| Retire the Last Exchange Server (LES) | Eliminates the need to maintain an on-premises Exchange server solely for recipient management, significantly reducing local footprint and maintenance overhead. |
| Streamlined Workflow | Administrators can manage attributes directly using Exchange Online PowerShell (EXO PowerShell) or the Exchange Admin Center (EAC), moving most recipient management tasks to a single, modern interface. |
| Faster, Safer Delegation | You can delegate tasks like managing aliases in the cloud, limiting the number of people who require high-level access to on-premises AD or the Exchange Management Shell. |
Secure Deployment: The Power of Per-Mailbox Control
A key design element is the ability to enable this feature on a per-mailbox basis, which allows for a secure and staged deployment.
- Pilot Group Testing: You can select a small, non-critical group of users and set their IsExchangeCloudManaged property to $true.
- Secure Validation: This allows you to thoroughly test the cloud management workflow (changing addresses, updating custom attributes) and ensure these changes are not overwritten by the regular on-premises sync process.
- Minimal Risk: Since only the pilot group is affected, any unexpected behavior is isolated, protecting the vast majority of your production users who remain under the traditional on-premises SOA.
Crucial Operational Procedures
The management shift requires strict adherence to specific operational steps:
1. The Mandatory Waiting Period (Existing Users)
Before transferring the SOA to the cloud for an existing user whose attributes were recently changed on-premises:
Important: After updating dir-synced users’ mailbox attributes on-premises with Set-RemoteMailbox, allow for the usual Microsoft Entra Connect Sync cycle plus an additional 24 hours before switching Exchange attributes to Cloud Managed. This prevents a race condition where the on-premises update might conflict with the SOA transfer.
2. The Cloud-First Approach for New Mailboxes
While you can still use New-RemoteMailbox until the LES is gone, the recommended method to align with the goal of decommissioning the LES is:
- Create an Active Directory user in the on-premises environment (and assign identity attributes).
- Allow Microsoft Entra Connect Sync to synchronize the identity to the cloud.
- Use the Microsoft 365 Admin Center to assign an Exchange Online license, which provisions the mailbox.
- Finally, use Set-Mailbox to set IsExchangeCloudManaged to $true, transferring the SOA for the new user directly to the cloud.
How to Transfer SOA
Transferring SOA to the Cloud (Enable)
The feature is enabled on a per-mailbox basis for users whose IsDirSynced status is $true.
- Connect to EXO PowerShell.
- Set SOA to Cloud: Run the following command:
Set-Mailbox -Identity <User> -IsExchangeCloudManaged $true
- Verification: You can verify the status with:
Get-Mailbox -Identity <User> | Format-List Identity, IsExchangeCloudManaged
Once set to $true, Exchange attributes (like CustomAttribute1) can be edited directly in the cloud:
Set-Mailbox -Identity <User> -CustomAttribute1 "ModifiedInTheCloud"
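The waiting period and the enable/verify steps above can be combined into one guarded pilot run. This is an added example, not code from the original page or from Microsoft; the function name, the pilot addresses and the use of the on-premises `whenChanged` value as a conservative stand-in for "recently changed with Set-RemoteMailbox" are assumptions, as is the 30-minute sync interval.

```powershell
# Assumes an existing Connect-ExchangeOnline session and the ActiveDirectory module.
function Enable-PilotCloudManagement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Identity,  # pilot users (UPNs)
        [int]$SyncCycleMinutes = 30                 # assumed Entra Connect Sync interval
    )
    # Waiting period from the page: one sync cycle plus an additional 24 hours.
    $cutoff = (Get-Date).AddHours(-24).AddMinutes(-$SyncCycleMinutes)

    foreach ($id in $Identity) {
        $mbx    = Get-Mailbox -Identity $id -ErrorAction Stop
        $status = 'Skipped'
        $reason = $null

        if (-not $mbx.IsDirSynced) {
            $reason = 'Not a dir-synced mailbox'
        }
        elseif ($mbx.IsExchangeCloudManaged) {
            $reason = 'Already cloud managed'
        }
        else {
            # Conservative proxy: any change to the on-premises object restarts the wait.
            $upn    = $mbx.UserPrincipalName
            $filter = "UserPrincipalName -eq '{0}'" -f $upn.Replace("'", "''")
            $adUser = Get-ADUser -Filter $filter -Properties whenChanged
            if (-not $adUser) {
                $reason = 'No matching on-premises AD user'
            }
            elseif ($adUser.whenChanged -gt $cutoff) {
                $reason = "On-premises object changed $($adUser.whenChanged); inside waiting period"
            }
            elseif ($PSCmdlet.ShouldProcess($upn, 'Set IsExchangeCloudManaged to $true')) {
                Set-Mailbox -Identity $upn -IsExchangeCloudManaged $true -ErrorAction Stop
                # Re-read the mailbox instead of trusting the call to have succeeded.
                $verified = (Get-Mailbox -Identity $upn).IsExchangeCloudManaged
                $status   = if ($verified) { 'CloudManaged' } else { 'NotVerified' }
            }
        }
        [pscustomobject]@{ Identity = $id; Status = $status; Reason = $reason }
    }
}

# Constructed pilot list; -WhatIf shows what would change without changing it.
Enable-PilotCloudManagement -Identity 'pilot1@contoso.com', 'pilot2@contoso.com' -WhatIf
```

Keep the returned objects with the change record so the pilot group's membership and switch time can be audited later.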
Transferring SOA Back to On-Premises (Disable)
To revert the mailbox to on-premises management:
- Backup Data: Before reverting, ensure any critical modifications made only in the cloud (like new aliases or custom attributes) are backed up for manual restoration to the on-premises AD, as the next sync cycle will overwrite them.
- Set SOA to On-Premises:
Set-Mailbox -Identity <User> -IsExchangeCloudManaged $false
The next synchronization cycle will then update the user’s cloud Exchange attributes with the values found in the on-premises environment.
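One way to make the backup step a precondition of the revert, so SOA is never handed back without a snapshot on disk. This is an added example, not code from the original page or from Microsoft; the function name, the `.\soa-backup` folder and the chosen attribute subset are assumptions.

```powershell
# Assumes an existing Connect-ExchangeOnline session.
function Restore-OnPremManagement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$BackupDir = '.\soa-backup'   # hypothetical backup location
    )
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    if (-not $mbx.IsExchangeCloudManaged) {
        Write-Warning "$Identity is not cloud managed; nothing to revert."
        return
    }

    # Subset of the editable attributes listed in the page's table.
    $props = @('UserPrincipalName', 'EmailAddresses', 'WindowsEmailAddress',
               'HiddenFromAddressListsEnabled', 'ForwardingAddress', 'GrantSendOnBehalfTo') +
             (1..15 | ForEach-Object { "CustomAttribute$_" }) +
             (1..5  | ForEach-Object { "ExtensionCustomAttribute$_" })
    $snapshot = $mbx | Select-Object -Property $props

    # -WhatIf:$false so the snapshot is still written during a dry run.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ('{0}-{1}.json' -f $mbx.Alias, $stamp)
    $snapshot | ConvertTo-Json -Depth 4 |
        Set-Content -Path $file -Encoding UTF8 -WhatIf:$false

    # Refuse to revert unless the backup exists and is non-empty.
    if (-not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "Backup for $Identity was not written; SOA left in the cloud."
    }
    if ($PSCmdlet.ShouldProcess($Identity, 'Set IsExchangeCloudManaged to $false')) {
        Set-Mailbox -Identity $Identity -IsExchangeCloudManaged $false -ErrorAction Stop
    }
    Get-Item $file   # return the backup file for the change record
}

# Constructed identity; remove -WhatIf to perform the revert.
Restore-OnPremManagement -Identity 'pilot1@contoso.com' -WhatIf
```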
Current Limits & The "Gotchas": Cons of Phase 1 (GA)
| Limitation | Impact in Phase 1 (GA) |
|---|---|
| No Write-Back (Yet) | Crucial: Changes made in Exchange Online DO NOT sync back to your on-premises AD. If LOB applications query local AD for attributes (like aliases), they will be using stale data. |
| Split Source of Authority | Exchange attributes are mastered in the cloud, but core Identity attributes (like displayName, department, UPN) remain mastered on-premises. |
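Because nothing is written back in Phase 1, it helps to know exactly which addresses line-of-business applications reading local AD will not see. The report below is an added example, not code from the original page or from Microsoft; the function name and output file are assumptions, and it compares SMTP addresses only.

```powershell
# Assumes a Connect-ExchangeOnline session and the ActiveDirectory module
# on the same admin workstation.
function Get-CloudManagedAddressDrift {
    [CmdletBinding()]
    param()
    # Client-side filter on the property the page uses to mark cloud-managed mailboxes.
    $cloudManaged = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.IsDirSynced -and $_.IsExchangeCloudManaged }

    foreach ($mbx in $cloudManaged) {
        $filter = "UserPrincipalName -eq '{0}'" -f $mbx.UserPrincipalName.Replace("'", "''")
        $adUser = Get-ADUser -Filter $filter -Properties proxyAddresses
        if (-not $adUser) {
            Write-Warning "No on-premises AD user found for $($mbx.UserPrincipalName)"
            continue
        }
        # SMTP entries only; case matters because 'SMTP:' marks the primary address.
        $cloud  = @($mbx.EmailAddresses    | ForEach-Object { [string]$_ } |
                    Where-Object { $_ -like 'smtp:*' })
        $onPrem = @($adUser.proxyAddresses | ForEach-Object { [string]$_ } |
                    Where-Object { $_ -like 'smtp:*' })

        $onlyCloud  = @($cloud  | Where-Object { $_ -cnotin $onPrem })
        $onlyOnPrem = @($onPrem | Where-Object { $_ -cnotin $cloud })

        if ($onlyCloud.Count -or $onlyOnPrem.Count) {
            [pscustomobject]@{
                UserPrincipalName    = $mbx.UserPrincipalName
                OnlyInExchangeOnline = $onlyCloud -join '; '   # stale for apps reading AD
                OnlyInOnPremAD       = $onlyOnPrem -join '; '
            }
        }
    }
}

Get-CloudManagedAddressDrift |
    Export-Csv -Path .\soa-address-drift.csv -NoTypeInformation
```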
The Future: Phase 2 and Object-Level SOA
The future phases of this development are focused on two major areas: ensuring directory consistency and moving beyond the last Exchange Server to address the last Active Directory.
Phase 2: Write-Back and Directory Consistency
Phase 2 will introduce write-back support for designated attributes and Microsoft Entra Cloud Sync integration.
- Write-Back: Modifications to key Exchange properties (e.g., proxyAddresses) made in the cloud will be automatically synchronized down to on-premises Active Directory. This ensures that your on-premises AD remains consistently updated, removing the main limitation of Phase 1.
- Requirement: To utilize writeback functionality, customers are required to implement Microsoft Entra Cloud Sync.
- Availability: Additional information and timelines for this feature will be shared as part of the documentation once Phase 2 is about to start.
Object-Level SOA (The Long-Term Vision)
Microsoft is also developing Object-Level SOA management for Users, Groups, and Contacts. This functionality is intended to assist organizations seeking to decommission both on-premises Exchange Servers AND Active Directory, especially during complex IT Services Mergers and Acquisitions where multiple environments need to be unified under a single Microsoft 365 tenant.
- Goal: To migrate the SOA of entire objects to the cloud at the object level, enabling full cloud-based management of entities originally created on-premises.
- Current Status:
  - Group SOA (for distribution and security groups) is available for you to try.
  - User SOA and Contact SOA are in development.
Identity, Exchange Attributes and Writeback
The table below outlines which attributes can be modified after the Exchange Attribute SOA transfer and indicates whether these changes will sync back to the on-premises Active Directory.
| No. | Attribute | Type | Can be edited in EXO |
|---|---|---|---|
| 1 | accountEnabled | Identity | No |
| 2 | C | Identity | No |
| 3 | Cn | Identity | No |
| 4 | Co | Identity | No |
| 5 | company | Identity | No |
| 6 | countryCode | Identity | No |
| 7 | department | Identity | No |
| 8 | displayName | Identity | No |
| 9 | facsimileTelephoneNumber | Identity | No |
| 10 | givenName | Identity | No |
| 11 | homePhone | Identity | No |
| 12 | info | Identity | No |
| 13 | initials | Identity | No |
| 14 | l | Identity | No |
| 15 | mailNickname | Identity | No |
| 16 | manager | Identity | No |
| 17 | mobile | Identity | No |
| 18 | msDS-HABSeniorityIndex | Identity | No |
| 19 | msDS-PhoneticDisplayName | Identity | No |
| 20 | objectSID | Identity | No |
| 21 | otherFacsimileTelephone | Identity | No |
| 22 | otherHomePhone | Identity | No |
| 23 | otherTelephone | Identity | No |
| 24 | pager | Identity | No |
| 25 | physicalDeliveryOfficeName | Identity | No |
| 26 | postalCode | Identity | No |
| 27 | pwdLastSet | Identity | No |
| 28 | sn | Identity | No |
| 29 | sourceAnchor | Identity | No |
| 30 | st | Identity | No |
| 31 | streetAddress | Identity | No |
| 32 | telephoneAssistant | Identity | No |
| 33 | telephoneNumber | Identity | No |
| 34 | title | Identity | No |
| 35 | usageLocation | Identity | No |
| 36 | userPrincipalName | Identity | No |
| 37 | wWWHomePage | Identity | |

| No. | Attribute | Type | Can be edited in EXO | Writeback to On-prem | Cmdlet to Modify | Parameter |
|---|---|---|---|---|---|---|
| 38 | altRecipient | Exchange | Yes | No | Set-Mailbox | ForwardingAddress |
| 39 | authoring | Exchange | Yes | No | Set-Mailbox | AcceptMessagesOnlyFrom |
| 40 | dLMemRejectPerms | Exchange | Yes | No | Set-Mailbox | RejectMessagesFromDLMembers |
| 41 | dLMemSubmitPerms | Exchange | Yes | No | Set-Mailbox | AcceptMessagesOnlyFromDLMembers |
| 42 | extensionAttribute1 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute1 |
| 43 | extensionAttribute10 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute10 |
| 44 | extensionAttribute11 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute11 |
| 45 | extensionAttribute12 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute12 |
| 46 | extensionAttribute13 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute13 |
| 47 | extensionAttribute14 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute14 |
| 48 | extensionAttribute15 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute15 |
| 49 | extensionAttribute2 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute2 |
| 50 | extensionAttribute3 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute3 |
| 51 | extensionAttribute4 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute4 |
| 52 | extensionAttribute5 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute5 |
| 53 | extensionAttribute6 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute6 |
| 54 | extensionAttribute7 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute7 |
| 55 | extensionAttribute8 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute8 |
| 56 | extensionAttribute9 | Exchange | Yes | Yes | Set-Mailbox | CustomAttribute9 |
| 57 | legacyExchangeDN | Exchange | Yes | No | Not editable in cloud by default. | |
| 58 | | Exchange | Yes | No | Set-Mailbox | WindowsEmailAddress |
| 59 | msExchArchiveGUID | Exchange | Yes | No | Enable-Mailbox | Archive |
| 60 | msExchArchiveName | Exchange | Yes | No | Set-Mailbox | ArchiveName |
| 61 | msExchAssistantName | Exchange | Yes | No | Set-User | AssistantName |
| 62 | msExchAuditAdmin | Exchange | Yes | No | Set-Mailbox | AuditAdmin |
| 63 | msExchAuditDelegate | Exchange | Yes | No | Set-Mailbox | AuditDelegate |
| 64 | msExchAuditDelegateAdmin | Exchange | Yes | No | Set-Mailbox | AuditDelegate |
| 65 | msExchAuditOwner | Exchange | Yes | No | Set-Mailbox | AuditOwner |
| 66 | msExchBlockedSendersHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | BlockedSendersAndDomains |
| 67 | msExchBypassAudit | Exchange | Yes | No | Set-MailboxAuditBypassAssociation | AuditBypassEnabled |
| 68 | msExchDelegateListLink | Exchange | Yes | No | Add-MailboxPermission | AccessRights, User, InheritanceType |
| 69 | msExchELCExpirySuspensionEnd | Exchange | Yes | No | Set-Mailbox | EndDateForRetentionHold |
| 70 | msExchELCExpirySuspensionStart | Exchange | Yes | No | Set-Mailbox | StartDateForRetentionHold |
| 71 | msExchELCMailboxFlags | Exchange | Yes | No | Set-Mailbox | SingleItemRecoveryEnabled, LitigationHoldEnabled, RetentionHoldEnabled |
| 72 | msExchEnableModeration | Exchange | Yes | No | Set-Mailbox | ModerationEnabled |
| 73 | msExchExtensionCustomAttribute1 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute1 |
| 74 | msExchExtensionCustomAttribute2 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute2 |
| 75 | msExchExtensionCustomAttribute3 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute3 |
| 76 | msExchExtensionCustomAttribute4 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute4 |
| 77 | msExchExtensionCustomAttribute5 | Exchange | Yes | Yes | Set-Mailbox | ExtensionCustomAttribute5 |
| 78 | msExchHideFromAddressLists | Exchange | Yes | No | Set-Mailbox | HiddenFromAddressListsEnabled |
| 79 | msExchImmutableID | Exchange | Yes | No | Set-Mailbox | ImmutableId |
| 80 | msExchLitigationHoldDate | Exchange | Yes | No | Set-Mailbox | LitigationHoldDate |
| 81 | msExchLitigationHoldOwner | Exchange | Yes | No | Set-Mailbox | LitigationHoldOwner |
| 82 | msExchMailboxAuditEnable | Exchange | Yes | No | Set-Mailbox | AuditEnabled |
| 83 | msExchMailboxAuditLogAgeLimit | Exchange | Yes | No | Set-Mailbox | AuditLogAgeLimit |
| 84 | msExchMailboxGuid | Exchange | Yes | No | Not editable in cloud by default. | |
| 85 | msExchModeratedByLink | Exchange | Yes | No | Set-Mailbox | ModeratedBy |
| 86 | msExchModerationFlags | Exchange | Yes | No | Set-Mailbox | SendModerationNotifications, ByPassModerationFromSendersOrMembers, ModerationEnabled |
| 87 | msExchRecipientDisplayType | Exchange | Yes | Yes | Set-Mailbox | Type |
| 88 | msExchRecipientTypeDetails | Exchange | Yes | Yes | Set-Mailbox | Type |
| 89 | msExchRemoteRecipientType | Exchange | Yes | No | Set-Mailbox | RemoteRecipientType |
| 90 | msExchRequireAuthToSendTo | Exchange | Yes | No | Set-Mailbox | RequireAllSendersAreAuthenticated |
| 91 | msExchResourceCapacity | Exchange | Yes | No | Set-Mailbox | ResourceCapacity |
| 92 | msExchResourceDisplay | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 93 | msExchResourceMetaData | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 94 | msExchResourceSearchProperties | Exchange | Yes | No | Set-Mailbox | ResourceCustom |
| 95 | msExchRetentionComment | Exchange | Yes | No | Set-Mailbox | RetentionComment |
| 96 | msExchRetentionURL | Exchange | Yes | No | Set-Mailbox | RetentionUrl |
| 97 | msExchSafeRecipientsHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | Reserved for internal use |
| 98 | msExchSafeSendersHash | Exchange | Yes | No | Set-MailboxJunkEmailConfiguration | TrustedSendersAndDomains |
| 99 | msExchSenderHintTranslations | Exchange | Yes | No | Set-Mailbox | MailTipTranslations |
| 100 | msExchUserHoldPolicies | Exchange | Yes | No | Set-Mailbox | LitigationHoldEnabled |
| 101 | proxyAddresses | Exchange | Yes | Yes | Set-Mailbox | EmailAddresses and WindowsEmailAddress |
| 102 | publicDelegates | Exchange | Yes | No | Set-Mailbox | GrantSendOnBehalfTo |
| 103 | unauthOrig | Exchange | Yes | No | Set-Mailbox | RejectMessagesFrom |
| 104 | userCertificate | Exchange | Yes | No | Set-Mailbox | UserCertificate |
| 105 | userSMIMECertificates | Exchange | Yes | No | Set-Mailbox | |






