How IsExchangeCloudManaged can finally liberate you from the Last Exchange Server

For years, IT administrators have been stuck in a frustrating paradox: all their mailboxes live happily in Exchange Online, yet they are forced to maintain that one stubborn Exchange server on-premises. Why? Just to manage email addresses and mailbox attributes. It’s like keeping a whole car in your garage just to use the radio.

That is changing now.

Microsoft has introduced a revolutionary feature that’s about to make your “last Exchange server” obsolete; IsExchangeCloudManaged – a boolean property that packs the power to transform how you manage Exchange attributes in hybrid environments.

The problem we have been struckling with

In traditional hybrid Exchange deployments, directory-synchronized users have their Source of Authority (SOA) firmly planted on-premises. This means that even though your mailboxes are enjoying the cloud life in Exchange Online, you can’t edit their attributes directly from the cloud.

Every single change to email addresses, aliases, or even something as simple as hiding a user from the address book requires you to:

1. Fire up your on-premises Exchange server admin portal (or management tools).
   
   
2. Make the change in the on-premises Active Directory.
   
   
3. Wait for synchronization to push those changes to the cloud.
   
   
4. Hope nothing breaks in between …

Until now, that is.

Enter the solution: IsExchangeCloudManaged

The IsExchangeCloudManaged attribute is simple but powerful.

The attribute is by default set to False, but when changed to True for a directory-synchronized user, it transfers the Source of Authority for the Exchange attributes of the user from on-premises to the cloud, despite that the user object is still managed by the on-premises Active Directory.

IsExchangeCloudManaged covers all the key mailbox types – user, shared, equipment, and room.
Need to also cloud-manage Groups or Contacts? These require the object-level SOA transfer approach (Group SOA transfer is already in preview, and Contact SOA transfer is on the roadmap).

What this really means

When you enable this feature:

• Exchange attributes (email addresses, custom attributes, mailbox settings) become fully manageable in Microsoft 365 admin center, Exchange admin center or Exchange Online PowerShell.
  
  
• Identity attributes (name, department, phone number, address) remain under on-premises AD control.
  
  
• You get the best of both worlds without the complexity.
  
  

Two-phase rollout

Microsoft is rolling this out intelligently in two phases:

Phase 1: Available now (Preview)

• Per-mailbox control:
  Enable cloud management for individual mailboxes by setting IsExchangeCloudManaged = $true
  
  
• Reversibility: Roll back to on-premises management if needed.
  
  
• Organization-level settings:
  Coming in September, you’ll be able to make all newly synced users cloud-managed by default.
  
  

Phase 2: The complete solution

• Write-back support:
  Key Exchange properties modified in the cloud automatically get synchronized back to on-premises AD. Write-back functionality requires Entra Cloud Sync.
  
  
• Complete attribute parity:
  Ensuring your on-premises AD stays updated even when changes are made in the cloud.
  
  
• Object-Level SOA management:
  Enables the Source of Authority change of User, Group, and Contact objects – and opens for migration to the cloud at the object level. This will ease the path for organizations seeking to decommission both their on-premises Exchange Servers and Active Directory forest.
  

---

How can I configure Group SOA ?

Microsoft have a introduced the option for changing the Source of Authority of your synchronized groups. It makes it possible for you to change the management of selected groups from on-premises AD to the cloud.

With this change, you can either delete the groups that is no longer required on-premises, or reverse the synchronization, allowing you to manage your groups entirely in the cloud while changes are automatically synchronized, using Entra Connect Sync or Entra Cloud Sync, back to the on-premises Active Directory.

More information:

• Configure Group Source of Authority (SOA)
  https://learn.microsoft.com/en-us/entra/identity/hybrid/how-to-group-source-of-authority-configure
  
  
• Guidance for using Group Source of Authority (SOA)
  https://learn.microsoft.com/en-us/entra/identity/hybrid/concept-group-source-of-authority-guidance
  

---

How to get started with IsExchangeCloudManaged

Prerequisites

Before you embark on this journey, ensure you have:

1. Microsoft Entra Connect version 2.5.76.0 or higher
   – This is important! Older versions will attempt to write your cloud-managed attributes but will fail.
   
   
2. Proper RBAC roles
   – Organization Management, Recipient Management, or Exchange Administrator roles provide the required access by default.
   
   
3. Patience for initial sync
   – After updating the mailbox attributes on-premises, wait for your regular sync cycle plus 24 hours before switching to cloud management.
   
   

The magic commands

Enabling cloud management is refreshingly simple:

# Transfer Exchange attributes SOA to the cloud
Set-Mailbox -Identity userA@companyX.dk -IsExchangeCloudManaged $true

# Verify the change
Get-Mailbox -Identity userA@companyX.dk| Format-List Identity, IsExchangeCloudManaged

# Find all cloud-managed mailboxes
Get-Mailbox | Where-Object { $_.IsDirSynced -eq $true -and $_.IsExchangeCloudManaged -eq $true }

Rolling Back

Need to revert the change of SOA ?
No problem:

Set-Mailbox -Identity userA@companyX.dk -IsExchangeCloudManaged $false

Just remember to document/backup any cloud-side changes you want to preserve before rolling back!

Which Exchange attributes can be managed ?

Once IsExchangeCloudManaged is enabled, you gain control over 65+ Exchange attributes including:

• ProxyAddresses (email addresses)
• extensionAttribute1-15 (with write-back support!)
• msExchExtensionCustomAttribute1-5 (also with write-back)
• HiddenFromAddressListsEnabled
• Forwarding configurations
• Mailbox audit settings
• Resource mailbox properties
• User and S/MIME certificates
  
  

Some attributes stays managed from on-premise:

Identity attributes like displayName, department, telephoneNumber, and manager remain under control of the on-premises AD.

Real-world scenarios

Scenario 1: Change the primary email address

Before: Log into Exchange server → Modify proxy addresses → Wait for sync → Verify in cloud
Now: Open Exchange Admin Center → Make the change → Done

Scenario 2: Mass update custom attribute

Before: PowerShell on Exchange server → Bulk updates → Sync delays → Troubleshooting sync conflicts Now: Exchange Online PowerShell → Direct updates → Immediate results

Scenario 3: Onboard new mailbox user

Before: Create AD user → Assign attributes on-premises → Create remote mailbox → Sync → Verify
Now: Create AD user → Sync → Assign license → Set IsExchangeCloudManaged → Manage everything from the cloud

The journey to full cloud management

This feature is a crucial stepping stone in Microsoft’s broader strategy to enable complete cloud management while respecting existing infrastructure investments. It works alongside:

• Object-level SOA transfers – Groups already in preview, Users and Contacts coming soon.
  
• Entra Cloud Sync for modern synchronization.
  
• Exchange Management Tools for those rare on-premises tasks.
  
  

Best practices for implementation

Start small, think big

1. Pilot with non-critical mailboxes – Test the new options with room mailboxes or test accounts.
   
2. Document your current processes – Know what changes before you change it.
   
3. Plan your rollback strategy – Hope for the best, prepare for… learning opportunities.
   
4. Monitor the first sync cycles – Watch for any unexpected behavior.
   
   

Communication is Key

• Involve the service desk team – They will need to know where to make changes moving forward.
  
• Update your documentation – Your procedures and automation just got simpler.
  
• Train your colleagues – Show them the new, easier way.
  
  

What this means for your organization

Immediate benefits:

• Reduced infrastructure footprint – Finally decommission that last Exchange server.
  
• Simplified management – One console to rule them all.
  
• Faster changes – No more waiting for sync cycles for Exchange attributes.
  
• Lower maintenance overhead – No more Exchange patches, certificates, or hardware refreshes.
  
  

Long-term advantages:

• Cloud-first operations while maintaining hybrid identity.
  
• Reduced technical debt from legacy infrastructure.
  
• Improved agility for mailbox management.
  
• Better alignment with modern IT practices.
  
  

Common questions and gotchas

“Can I migrate mailboxes back on-premises while IsExchangeCloudManaged is true?”

No! Set it to false first, or you’ll break synchronization.
The mailbox offboarding process requires on-premises SOA.

“What about Groups and Contacts?”

For now, use object-level SOA transfers for these.
User mailboxes are currently the focus of IsExchangeCloudManaged.

“Is this available with Entra Cloud Sync?”

Phase 1 requires Entra Connect Sync.
Phase 2 will bring full Entra Cloud Sync support with write-back capabilities.

It’s time to cut the cord

The IsExchangeCloudManaged attribute represents more than just a technical feature – it’s Microsoft acknowledging and solving a real pain point that’s plagued hybrid deployments for years.
It’s elegant in its simplicity: flip a switch, and suddenly your cloud mailboxes are truly cloud-managed.

For organizations that have been maintaining an Exchange server solely for attribute management, this is your ticket to freedom. The era of the “last Exchange server” is finally coming to an end.

Your Next Steps

1. Verify your Entra Connect version – Upgrade to 2.5.76.0 or higher if needed
   
2. Review the attribute list – Understand what you’ll be able to manage
   
3. Plan your pilot – Start with a small group of test mailboxes
   
4. Set your timeline – Phase 2 features are coming, plan accordingly
   
5. Celebrate – You’re about to make your infrastructure significantly simpler

The future of Exchange hybrid management is here, and it’s cloud-powered. The question isn’t whether you should adopt IsExchangeCloudManaged – it’s how quickly you can start enjoying the freedom it provides.

Your last Exchange server’s retirement party starts now.

References

Introducing Cloud-Managed Remote Mailboxes: a Step to Last Exchange Server Retirement
https://techcommunity.microsoft.com/blog/exchange/introducing-cloud-managed-remote-mailboxes-a-step-to-last-exchange-server-retire/4446042

Cloud-based management of Exchange attributes for Remote Mailboxes in hybrid environments (Preview)
https://learn.microsoft.com/en-us/exchange/hybrid-deployment/enable-exchange-attributes-cloud-management