Microsoft Tells Hybrid Exchange Customers to Get Going with New App
Dedicated Hybrid Connectivity App Fails to Gain Traction

In April 2025, Microsoft announced a dedicated Entra ID app for hybrid connectivity as part of its campaign to dump Exchange Web Services (EWS) from Exchange Online tenants in October 2026. Microsoft has a separate goal to remove EWS from its own apps by October 2025, a move that affects popular apps like Outlook (classic) and Teams.
The dedicated hybrid connectivity app is not an enterprise app created and controlled by Microsoft. Instead, each tenant that runs a hybrid Exchange environment must create a separate tenant-specific version of the app using a Microsoft-provided script.
Once created, the app’s service principal holds the necessary permissions for Exchange Online to use Graph APIs to enable “rich coexistence,” which is code for allowing Exchange Online to act as a broker to fetch data stored in user mailboxes for use by apps, such as the Teams calendar app. (In passing, MC1129730 (5 August 2025) says that Microsoft will remove the toggle that allows users to switch between the old and new versions of the Teams calendar app in September 2025.)
Power Outages Coming
Unhappily, great plans have a nasty habit of running into problems, which is what has happened here. Tenants are not complying with Microsoft’s wish to create the dedicated hybrid connectivity app, which led to an August 6 EHLO post saying: “the number of customers who have created the dedicated app remains very low.”
To encourage customers to make the switch, Microsoft says that they will “introduce short-term EWS traffic blocks” during the following dates:
| | Block starting | Block length |
| --- | --- | --- |
| 1st Block | August 19, 2025 | 2 days |
| 2nd Block | September 16, 2025 | 3 days |
| 3rd Block | October 7, 2025 | 3 days |
| Final block | After October 31, 2025 | (block is permanent) |
Crucially, these interruptions in service do not affect tenants that have created the dedicated hybrid connectivity app. Like a flickering alarm light, the time-outs are intended to prompt customers to act. Of course, this depends on tenant administrators or users noticing the effect of an EWS outage and figuring out what happened. You’ve got to assume that even the least attentive administrator will notice a three-day loss of service…
Microsoft says that tenants won’t get exemptions from the time-outs and that the dedicated hybrid connectivity app needs to be in place before October 31, 2025, after which EWS connectivity via the old app is permanently removed.
The New HCW
The good news is that a revamped version of the Hybrid Configuration Wizard (HCW) can configure the dedicated hybrid connectivity app for a tenant. A setting override is still needed to complete the switchover, but all the steps to configure the app with the permissions (EWS for now, Graph API after a future update) and certificates are done.
Security Advisory for EWS Weakness
Microsoft also points out that changing to the new configuration will improve tenant security. EWS is not very secure, and evidence exists that attackers have exploited the protocol in the past in tenant compromises. Indeed, Microsoft cites MSRC advisory CVE-2025-53786, which describes an elevation of privilege where “an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace. This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.”
Moving to the dedicated hybrid connectivity app addresses the weakness reported in CVE-2025-53786.
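An added example, not from the original article or from Microsoft: a readiness check over an exported list of Entra ID service principals that reports whether a dedicated hybrid app exists and whether the shared Exchange Online principal still holds unexpired certificates. Assumptions: the export has the shape of a Graph `servicePrincipals` response, the legacy hybrid configuration stored on-premises certificates as `keyCredentials` on the first-party Office 365 Exchange Online principal, the dedicated app uses the `ExchangeServerApp-` display-name prefix, and the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Well-known appId of the first-party "Office 365 Exchange Online" service principal.
SHARED_EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# Assumption: the tenant-specific app is named "ExchangeServerApp-<guid>"; adjust if renamed.
DEDICATED_PREFIX = "ExchangeServerApp-"

# Constructed sample shaped like GET /servicePrincipals?$select=appId,displayName,keyCredentials
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"appId": "00000002-0000-0ff1-ce00-000000000000",
   "displayName": "Office 365 Exchange Online",
   "keyCredentials": [
     {"keyId": "11111111-1111-1111-1111-111111111111", "usage": "Verify",
      "endDateTime": "2027-03-01T00:00:00Z"},
     {"keyId": "22222222-2222-2222-2222-222222222222", "usage": "Verify",
      "endDateTime": "2024-01-15T00:00:00Z"}]},
  {"appId": "33333333-3333-3333-3333-333333333333",
   "displayName": "Contoso Line of Business App", "keyCredentials": []}
]}
""")

def _parse(ts):
    # Graph timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess(export, now):
    """Report dedicated-app presence and leftover keys on the shared principal."""
    sps = export.get("value", [])
    dedicated = [sp["displayName"] for sp in sps
                 if (sp.get("displayName") or "").startswith(DEDICATED_PREFIX)]
    shared = next((sp for sp in sps if sp.get("appId") == SHARED_EXO_APP_ID), None)
    keys = (shared or {}).get("keyCredentials") or []
    live = [k["keyId"] for k in keys if _parse(k["endDateTime"]) > now]
    return {
        "dedicated_app_present": bool(dedicated),
        "shared_sp_keys_total": len(keys),
        "shared_sp_keys_unexpired": live,
        # Exposed while unexpired keys remain on the principal shared with Exchange Online.
        "shared_principal_exposed": bool(live),
    }

if __name__ == "__main__":
    now = datetime(2025, 8, 10, tzinfo=timezone.utc)
    print(json.dumps(assess(SAMPLE_EXPORT, now), indent=2))
```

A tenant that has switched and cleaned up should show `dedicated_app_present` as true and an empty `shared_sp_keys_unexpired` list.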
Path Forward is Clear
The call to action is clear. Any Microsoft 365 tenant with a hybrid Exchange configuration needs to get with the program and create the dedicated hybrid connectivity app. Failure to do so will only lead to disruption and pain. Don’t put this off: make your tenant more secure and take a positive step to jettison EWS. You know it’s the sensible thing to do.