Exchange Hybrid Keys

Share This Post

When identities (users) have been synchronized from on-premise to Azure AD using Azure AD Connect, an on-premise Exchange Server is required for managing these users. Why? Microsoft only officially supports modifications that are done through the Exchange Admin Center or through the Exchange PowerShell module. Manipulation through attributes in Active Directory (such as the proxyaddresses attribute) does technically work (at least most of the time) but is not officially supported.

Microsoft provides a free Hybrid Key so that a single server can remain on-premise without cost, for management purposes only. In order to qualify for this license there must not be any mailboxes on the Exchange Server. Previously Microsoft had a website that customers could access and claim a Hybrid Key for Management. From 2018 Hybrid Keys are automatically installed by running the Microsoft Office 365 Hybrid Configuration Wizard (HCW).

However the HCW only provides Hybrid Keys for Exchange Server 2010, 2013 and 2016. For Exchange Server 2019 a full license is required. I have not found any documented reasons for this, but my best guess would be that Microsoft targets Exchange Sever 2019 for customers that dont want/cannot migrate to Exchange Online.

The Exchange Server Licensing FAQ does not currently elaborate as to why Hybrid Keys are not provided for Exchange Server 2019. Also have a look that the following blog post for the Exchange Team.

Want To See More?

Azure AD

Access Reviews with On-Premise Groups

In some of my earlier post I have talked about Access Reviews that are part of the Identity Governance tools in Azure AD. One of


Access Reviews: Manage Guest Users

Azure AD’s B2B (Business to Business) functionality allows organizations to invite external users into their organization so that they can collaborate. However, very few of