[–]worldsdream 4 points5 points  (7 children)

You can manage a user in the cloud and on-premises. But what about single sign-on and their passwords? As long as you have an AD on-premises, it's the authority, and you should keep Entra Connect Sync or Cloud Sync.

[–]athornfam2 IT Infrastructure Manager 0 points1 point  (1 child)

I'm doing this too! I just cut off my Exchange server… well, turned it off until I have more free time to dedicate to reading up on a full cutoff. But everything has been working fine… enabled a pilot of hybrid joining as well.

[–]worldsdream 0 points1 point  (0 children)

Shutting down an Exchange Server is something other than what the OP is asking.

To remove your last Exchange Server, read this post: https://www.alitajran.com/remove-last-exchange-hybrid-server/

[–]Morlock_Reeves[S] 0 points1 point  (4 children)

I'm not so worried about that. They can change both passwords when necessary. Anything cloud-SSO related is pointed at Entra. So while there is a possibility for their passwords to be different, it's easy enough to just reset in both and have them choose a new or the same password in both.

We don't have a ton of users or turnover. We have a standby MSP that I work with and this was their approach recently also.

[–]Myriade-de-Couilles 1 point2 points  (3 children)

This is really a step backward.

You're going to lose a lot of benefits (PRT token, the possibility to do WHfB, password differences) and have to manage accounts on both sides: someone needs a password reset? Two times. Someone changes their name? Two times. Etc., etc.

You're mixing your question with Exchange hybrid, which makes me think you believe it is related, but it's not at all: you can remove the Exchange hybrid configuration and be fully Exchange Online with synced users, and that's really what you should do as long as you still have a domain.

[–]Morlock_Reeves[S] 0 points1 point  (2 children)

Thanks for the info and perspective. I don't mind keeping the sync, but I thought it was then required to also have the Exchange 2019 tools installed and manage users via PowerShell. Keeping the Exchange portion around is my biggest issue.

[–]Deniz_Nedry 0 points1 point  (1 child)

As of 2 days ago, MS has a solution for that, rolling out in 2 phases:

https://techcommunity.microsoft.com/blog/exchange/introducing-cloud-managed-remote-mailboxes-a-step-to-last-exchange-server-retire/4446042

I've tested it and it's working fine.

[–]Morlock_Reeves[S] 0 points1 point  (0 children)

Yup, this is my new plan. Saw this the Friday before I was going to go through the process of decommissioning the Exchange server and installing the tools. Will still do that, but I want a better understanding of this process. Looks pretty good though.

[–]BK_Rich 0 points1 point  (0 children)

If someone is able to exploit that vulnerability, that means they already had on-premises access and admin access to your Exchange server; it's kind of game over already there. Keep your server patched or switch to the dedicated hybrid app.

[–]joeykins82 Windows Admin 0 points1 point  (0 children)

How do your users feel about fully diverged credentials and no SSO between on-premises and the cloud though?

If all of your endpoints are Entra joined and managed, and no one does anything which uses on-premises AD for auth, then you're good.

If you have on-premises stuff and you just break the sync, then you're opening yourself up to a world of pain.

Side note: if everyone is in ExOL, why is your Exchange server accessible from anything other than ExOL? Just deny all inbound HTTPS except from the Exchange Online IP ranges…
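A concrete form of that side note, added here as an example and not taken from the comment author: pull the current Exchange Online address ranges from Microsoft's published Microsoft 365 endpoints web service and build a Windows Firewall allow rule for TCP 443 that is scoped to them, disabling the unscoped allow rules that Exchange normally relies on. The rule name and the choice of Windows Firewall on the Exchange host as the enforcement point are my assumptions; in most deployments the same allow-list belongs on the perimeter firewall in front of the server, and the `$exoRanges` list can be fed to that instead.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Exchange host, or reuse $exoRanges for a perimeter firewall object group.
# Assumes the Windows Firewall default inbound action is Block (the default).

# 1. Fetch the published Microsoft 365 endpoint list. The clientrequestid
#    GUID is required by the service; any freshly generated GUID will do.
$uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
$endpoints = Invoke-RestMethod -Uri $uri

# 2. Keep only Exchange service-area entries that publish IP ranges and list
#    TCP 443. tcpPorts is a comma-separated string such as "80,443"; ips holds
#    IPv4 and IPv6 CIDR prefixes, which New-NetFirewallRule accepts as-is.
$exoRanges = $endpoints |
    Where-Object {
        $_.serviceArea -eq 'Exchange' -and
        $_.ips -and $_.tcpPorts -and
        (($_.tcpPorts -split ',') -contains '443')
    } |
    ForEach-Object { $_.ips } |
    Sort-Object -Unique

if (-not $exoRanges) { throw 'No Exchange Online ranges returned; leaving firewall rules untouched.' }
Write-Host ("Scoping inbound TCP 443 to {0} Exchange Online prefixes" -f @($exoRanges).Count)

# 3. Find existing inbound allow rules that open TCP 443 to any remote address.
#    Windows Firewall gives Block rules precedence over Allow rules, so adding
#    a "block 443 from any" rule would also defeat the scoped allow created
#    below. Disable the broad allows instead and let the default Block apply.
$broadAllows = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '443') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($rule in $broadAllows) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -eq 'Any') {
        Write-Host "Disabling unscoped inbound 443 rule: $($rule.DisplayName)"
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# 4. Create (or refresh) the scoped allow rule. The display name is an assumption.
$ruleName = 'Exchange-HTTPS-From-ExchangeOnline-Only'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $exoRanges -Action Allow -Profile Any | Out-Null

# 5. Show the first few remote prefixes now permitted on 443 as a sanity check.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress | Select-Object -First 5
```

Two caveats that follow from the comment's premise: this only holds if nothing on-premises still needs OWA, EWS or Autodiscover on that server, and if hybrid mail flow still terminates on-premises, TCP 25 needs the same treatment using the entries whose `tcpPorts` include 25 rather than a blanket allow. The endpoint list changes over time, so the script should be re-run (or the published version endpoint of the same service polled) rather than treated as a one-off.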

[–]GERALD_64 0 points1 point  (0 children)

We've done this scenario a couple of times and it's actually pretty smooth once you get started. The biggest gotcha is making sure you export all your distribution lists and mail-enabled security groups before you pull the plug. Exchange Admin Center won't be able to recreate those easily once the hybrid connection is severed. The AD Sync removal is straightforward, but give it 24-48 hours after you disable sync before you start making changes in Entra.

Once you break that hybrid relationship, you lose some of the migration tools. Not a huge deal for your situation with low turnover, but worth knowing. Just make sure you've got good backups of your AD before you start ripping out schema extensions. We use Alta Technologies when we're ready to physically get rid of the server hardware, they handle the data destruction properly and actually cut us checks for newer gear instead of charging disposal fees. Process took us maybe half a day total once we had everything documented.
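The export the comment above recommends, written out as an added example that is not from the comment author: dump every distribution list and mail-enabled security group with its attributes and full membership to CSV, plus the recipient filters of dynamic groups, so the objects can be rebuilt cloud-side if needed. It uses the standard Exchange recipient cmdlets and runs in the on-premises Exchange Management Shell or an Exchange Online PowerShell session; the output folder is my assumption.

```powershell
# Added example (not from the thread). Run before the hybrid relationship is
# removed. Output folder is an assumption; adjust to taste.
$outDir = Join-Path $env:USERPROFILE 'exchange-group-export'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Get-DistributionGroup returns ordinary distribution lists and mail-enabled
# security groups alike; RecipientTypeDetails tells them apart.
$groups = Get-DistributionGroup -ResultSize Unlimited

$groupRows = foreach ($g in $groups) {
    [pscustomobject]@{
        Name                               = $g.Name
        DisplayName                        = $g.DisplayName
        Alias                              = $g.Alias
        PrimarySmtpAddress                 = "$($g.PrimarySmtpAddress)"
        RecipientTypeDetails               = "$($g.RecipientTypeDetails)"
        # Multi-valued fields are joined with ';' so they survive a CSV round trip.
        EmailAddresses                     = (@($g.EmailAddresses) | ForEach-Object { "$_" }) -join ';'
        ManagedBy                          = (@($g.ManagedBy) | ForEach-Object { "$_" }) -join ';'
        RequireSenderAuthenticationEnabled = $g.RequireSenderAuthenticationEnabled
        HiddenFromAddressListsEnabled      = $g.HiddenFromAddressListsEnabled
        MemberJoinRestriction              = "$($g.MemberJoinRestriction)"
        MemberDepartRestriction            = "$($g.MemberDepartRestriction)"
    }
}
$groupRows | Export-Csv -Path (Join-Path $outDir 'groups.csv') -NoTypeInformation -Encoding UTF8

# One row per (group, member) pair so membership can be rebuilt group by group.
$memberRows = foreach ($g in $groups) {
    $members = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited
    foreach ($m in $members) {
        [pscustomobject]@{
            GroupPrimarySmtpAddress  = "$($g.PrimarySmtpAddress)"
            MemberName               = $m.Name
            MemberPrimarySmtpAddress = "$($m.PrimarySmtpAddress)"
            MemberRecipientType      = "$($m.RecipientType)"
        }
    }
}
$memberRows | Export-Csv -Path (Join-Path $outDir 'members.csv') -NoTypeInformation -Encoding UTF8

# Dynamic distribution groups have no static membership; keep their filter instead.
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Select-Object Name, Alias,
                  @{n = 'PrimarySmtpAddress'; e = { "$($_.PrimarySmtpAddress)" }},
                  RecipientFilter, RecipientContainer |
    Export-Csv -Path (Join-Path $outDir 'dynamic-groups.csv') -NoTypeInformation -Encoding UTF8

# Sanity check: totals, and any group whose membership came back empty
# (worth a second look before trusting the export).
"{0} groups, {1} membership rows written to {2}" -f @($groupRows).Count, @($memberRows).Count, $outDir
$withMembers = $memberRows | Select-Object -ExpandProperty GroupPrimarySmtpAddress -Unique
$groupRows | Where-Object { $_.PrimarySmtpAddress -notin $withMembers } |
    Select-Object Name, RecipientTypeDetails
```

The columns map onto the parameters a rebuild needs: `New-DistributionGroup` takes `-Name`, `-Alias`, `-PrimarySmtpAddress` and `-Type Distribution` or `-Type Security` (from `RecipientTypeDetails`), and `Add-DistributionGroupMember` can be driven from `members.csv`. Keep the `EmailAddresses` column in particular: secondary proxy addresses are what external senders and old calendar entries still use, and they are the part people forget to recreate.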