Microsoft has pushed Exchange Cloud Managed Mailbox Writeback into public preview as of May 2026, giving hybrid organizations a path to shut down their last on-premises Exchange server. The feature, delivered through Entra Cloud Sync, lets Exchange Online write selected recipient attributes back to on-premises Active Directory, removing the long-standing requirement to keep an on-premises Exchange server purely for recipient management in hybrid deployments.

For over a decade, organizations using Exchange Online in a hybrid configuration with on-premises Active Directory were forced to keep at least one Exchange server running purely for recipient management. That server wasn’t handling mail flow—it was a management anchor. Microsoft’s own documentation previously mandated it: “If you plan to manage recipients using the Exchange admin center, you must have an Exchange server on-premises.” Even after moving all mailboxes to the cloud, admins still needed the Exchange management tools to modify recipient attributes because Exchange Online couldn’t write back to on-prem AD. The new writeback capability flips that paradigm.

The Hybrid Exchange Pain Point

In a typical Exchange hybrid setup, the on-premises Active Directory is the source of authority for user objects. When a mailbox is moved to Exchange Online, the on-prem Exchange server converts the user into a remote mailbox object, essentially a pointer to the cloud mailbox, stamped with attributes such as targetAddress (surfaced in the Exchange tools as RemoteRoutingAddress), the proxyAddresses collection, and the msExchRecipientTypeDetails and msExchRecipientDisplayType markers. Without an on-prem Exchange server these attributes can still be edited with ADSI Edit or Set-ADUser, but Microsoft does not support that, and a mistyped targetAddress or a proxyAddresses entry in an unverified domain breaks mail routing. The only supported method was the Exchange admin center (EAC) or the Exchange Management Shell on-premises, which meant keeping a fully patched Exchange server, with all the associated licensing, hardware, and security overhead.

Organizations have long grumbled about this dependency. Security teams saw the on-prem Exchange server as an unnecessary attack surface. Compliance teams struggled with maintaining a server that served no role beyond management. Budget holders questioned the licensing costs. Microsoft acknowledged the pain but offered no viable escape—until now. The Cloud Managed Mailbox Writeback preview changes the equation by letting the cloud become the authoritative management plane.

What Cloud Managed Mailbox Writeback Actually Does

The feature revolves around a new Entra Cloud Sync agent configuration that pushes specific Exchange attributes from Exchange Online back into on-premises Active Directory. When an admin modifies a recipient in the cloud, using the Exchange admin center, Exchange Online PowerShell, or Microsoft Graph, the relevant attributes are written to the corresponding on-premises user object. The existing forward sync (AD to Entra ID) keeps running, so for this attribute set the pair behaves as a bidirectional sync; a single change typically lands on-prem within tens of seconds.

Key attributes written back include:
- targetAddress (the routing address in the tenant's hybrid routing domain, tenant.mail.onmicrosoft.com by default, that on-prem transport uses to deliver to the cloud mailbox; Exchange tooling exposes it as RemoteRoutingAddress)
- proxyAddresses (all email aliases, including the primary SMTP address, which is the entry with the upper-case SMTP: prefix)
- msExchRecipientTypeDetails (distinguishes remote user, shared, room, and equipment mailboxes)
- msExchRecipientDisplayType (how Outlook and the address book classify the object)
- showInAddressBook (address list membership)
- mail and mailNickname (when managed in the cloud)

By synchronizing these attributes, the on-premises AD remains consistent with the cloud state, and no on-prem Exchange management tools are required. Mail flow, address book lookups, and cross-premises coexistence work seamlessly because the on-prem AD has accurate pointers to cloud-hosted mailboxes. Organizations can finally uninstall their last Exchange server without losing management functionality or breaking recipient policies.
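A remote mailbox object is only a useful pointer if the attributes above are internally consistent and every alias sits in a domain the tenant has verified. The following PowerShell check is an added example, not Microsoft's or the article's code: it validates one on-prem user object offline (a constructed object stands in for Get-ADUser output) and also covers the proxyAddresses-in-unverified-domain bounce scenario the article warns about later. The routing domain and accepted-domain list are assumptions; read the real ones with Get-AcceptedDomain in Exchange Online PowerShell.

```powershell
# Added example (not Microsoft's or the article's code): sanity-check an on-prem user object's
# remote-mailbox pointer before relying on it for cloud-managed writeback. Runs offline against the
# constructed object at the bottom; for real use pass the output of
#   Get-ADUser jdoe -Properties mail,targetAddress,proxyAddresses
# The tenant routing domain and accepted-domain list below are assumptions.

function Test-RemoteMailboxObject {
    param(
        [Parameter(Mandatory)] $AdObject,                       # object carrying mail, targetAddress, proxyAddresses
        [Parameter(Mandatory)] [string[]] $AcceptedDomains,     # domains verified in the tenant
        [Parameter(Mandatory)] [string] $TenantRoutingDomain    # e.g. contoso.mail.onmicrosoft.com
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    $proxies = @($AdObject.proxyAddresses)
    $smtp    = @($proxies | Where-Object { $_ -match '^smtp:' })   # -match is case-insensitive: SMTP: and smtp:
    $primary = @($proxies | Where-Object { $_ -cmatch '^SMTP:' })  # -cmatch: only the upper-case primary marker

    if ($primary.Count -ne 1) {
        $problems.Add("expected exactly one primary 'SMTP:' entry, found $($primary.Count)")
    } elseif ($AdObject.mail -and $AdObject.mail -ne $primary[0].Substring(5)) {
        $problems.Add("mail '$($AdObject.mail)' does not match primary SMTP '$($primary[0].Substring(5))'")
    }

    # Every SMTP alias must sit in a domain the tenant has verified; otherwise the cloud-side
    # write is rejected and mail to that alias bounces.
    foreach ($p in $smtp) {
        $domain = ($p -split '@')[-1]
        if ($AcceptedDomains -notcontains $domain) { $problems.Add("alias '$p' is in unverified domain '$domain'") }
    }

    # targetAddress is the pointer on-prem transport follows; it must be in the routing domain
    # and also be listed as an alias so the cloud mailbox accepts mail sent to it.
    $target = [string]$AdObject.targetAddress
    if (-not $target) {
        $problems.Add('targetAddress is empty; mail will not route to the cloud mailbox')
    } elseif ($target -notmatch "^smtp:[^@]+@$([regex]::Escape($TenantRoutingDomain))$") {
        $problems.Add("targetAddress '$target' is not in routing domain '$TenantRoutingDomain'")
    } elseif (-not ($smtp | Where-Object { $_ -eq $target })) {   # -eq is case-insensitive
        $problems.Add("targetAddress '$target' is not also present in proxyAddresses")
    }

    [pscustomobject]@{
        SamAccountName = $AdObject.sAMAccountName
        Healthy        = ($problems.Count -eq 0)
        Problems       = $problems.ToArray()
    }
}

# Constructed sample shaped like Get-ADUser output for a user already moved to the cloud.
# One alias is in a domain the tenant never verified, so the check flags it.
$sample = [pscustomobject]@{
    sAMAccountName = 'jdoe'
    mail           = 'jdoe@contoso.com'
    targetAddress  = 'SMTP:jdoe@contoso.mail.onmicrosoft.com'
    proxyAddresses = 'SMTP:jdoe@contoso.com', 'smtp:john.doe@contoso.com',
                     'smtp:jdoe@contoso.mail.onmicrosoft.com', 'smtp:jdoe@oldbrand.example'
}
Test-RemoteMailboxObject -AdObject $sample -TenantRoutingDomain 'contoso.mail.onmicrosoft.com' `
    -AcceptedDomains 'contoso.com', 'contoso.mail.onmicrosoft.com' | Format-List
```

Run it over every object with a targetAddress (Get-ADUser -Filter 'targetAddress -like "*"') before enabling writeback; an object that fails here will fail, or silently misroute, once the cloud becomes the authority for these attributes.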

How It Works Under the Hood

Writeback is built on top of Entra Cloud Sync, Microsoft's newer lightweight sync engine that complements (and may eventually replace) Microsoft Entra Connect Sync, formerly Azure AD Connect. Unlike Entra Connect, the Cloud Sync provisioning agent runs on a domain-joined Windows Server without a local SQL database and is configured from the Entra admin center rather than a local wizard. The writeback component uses the same agent but adds an Exchange-specific connector that understands the required AD schema attributes.

When an admin enables writeback for a cloud-managed remote mailbox, the following flow occurs:

  1. Admin modifies the recipient in Exchange Online (e.g., adds a new SMTP alias).
  2. Exchange Online detects the change and calculates the resulting on-prem AD state.
  3. A writeback request is queued and picked up by the Entra Cloud Sync agent installed on-premises.
  4. The agent, using AD permissions held by its service account (a gMSA by default, or a custom service account), writes the new attribute values to the on-prem user object directly over LDAP; no Exchange on-prem component is involved.
  5. A success or failure status is reported back to the Exchange admin center.

The architecture is resilient. If the Cloud Sync agent is temporarily offline, changes are queued for up to 72 hours. Conflict resolution follows a "cloud wins" model: if the same attribute is changed both on-premises and in the cloud within a short window, the cloud change is authoritative once the agent processes the queue. The practical consequence is that once writeback is enabled, direct on-prem edits to these attributes (ADSI Edit, Set-ADUser) are no longer a safe way to make a change; they will be overwritten by the next cloud write, so treat Exchange Online as the only place to edit them.
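The failure mode worth catching here is silent: a stalled agent leaves the queue growing while on-prem AD quietly drifts from what the cloud believes. The following PowerShell reconciliation is an added example, not Microsoft's or the article's code. It compares cloud mailboxes against their on-prem objects and reports every attribute that has not converged; it runs offline on the constructed sample at the bottom, and in production takes Get-EXOMailbox and Get-ADUser output. It assumes cloud and on-prem objects share a UserPrincipalName and assumes the routing domain name shown.

```powershell
# Added example (not Microsoft's or the article's code): report remote-mailbox objects whose
# on-premises attributes have not converged with Exchange Online. Works on two plain collections
# so it runs offline on the constructed sample below; in production feed it
#   Get-EXOMailbox -ResultSize Unlimited -Properties EmailAddresses,RecipientTypeDetails
#   Get-ADUser -Filter 'targetAddress -like "*"' -Properties userPrincipalName,proxyAddresses,targetAddress,msExchRecipientTypeDetails
# Assumption: cloud and on-prem objects share a UserPrincipalName (the usual hybrid case).

# Cloud mailbox type -> msExchRecipientTypeDetails value a hybrid remote mailbox carries on-prem
$CloudToRemoteTypeDetails = @{
    UserMailbox      = 2147483648
    SharedMailbox    = 34359738368
    RoomMailbox      = 8589934592
    EquipmentMailbox = 17179869184
}

function ConvertTo-CanonicalProxy([string]$Proxy) {
    # Keep the prefix case ('SMTP:' marks the primary address) and lowercase the address itself
    $i = $Proxy.IndexOf(':')
    $Proxy.Substring(0, $i + 1) + $Proxy.Substring($i + 1).ToLowerInvariant()
}

function Compare-MailboxWriteback {
    param(
        [Parameter(Mandatory)] [object[]] $CloudMailboxes,
        [Parameter(Mandatory)] [object[]] $AdUsers,
        [string] $TenantRoutingDomain = 'contoso.mail.onmicrosoft.com'   # assumed tenant routing domain
    )
    $adByUpn = @{}
    foreach ($u in $AdUsers) { $adByUpn[$u.userPrincipalName.ToLowerInvariant()] = $u }

    foreach ($m in $CloudMailboxes) {
        $upn   = $m.UserPrincipalName.ToLowerInvariant()
        $ad    = $adByUpn[$upn]
        $drift = [System.Collections.Generic.List[string]]::new()

        if (-not $ad) {
            $drift.Add('no on-prem user with this UPN')
        } else {
            # proxyAddresses as ordinal sets after canonicalisation, so a primary/alias swap shows up as drift
            $cloudSet = [System.Collections.Generic.HashSet[string]]::new(
                [string[]]@($m.EmailAddresses | Where-Object { $_ -match '^smtp:' } | ForEach-Object { ConvertTo-CanonicalProxy $_ }),
                [System.StringComparer]::Ordinal)
            $adSet = [System.Collections.Generic.HashSet[string]]::new(
                [string[]]@($ad.proxyAddresses | Where-Object { $_ -match '^smtp:' } | ForEach-Object { ConvertTo-CanonicalProxy $_ }),
                [System.StringComparer]::Ordinal)
            foreach ($p in $cloudSet) { if (-not $adSet.Contains($p)) { $drift.Add("missing on-prem: $p") } }
            foreach ($p in $adSet)    { if (-not $cloudSet.Contains($p)) { $drift.Add("stale on-prem: $p") } }

            # targetAddress must equal the cloud mailbox's routing-domain alias
            $routing = $m.EmailAddresses |
                Where-Object { $_ -match "^smtp:[^@]+@$([regex]::Escape($TenantRoutingDomain))$" } |
                Select-Object -First 1
            if (-not $routing) { $drift.Add("cloud mailbox has no $TenantRoutingDomain alias") }
            elseif (([string]$ad.targetAddress) -ne $routing) { $drift.Add("targetAddress '$($ad.targetAddress)' != '$routing'") }

            # Recipient type must reflect the cloud type (e.g. a mailbox converted to shared in the cloud)
            $expected = $CloudToRemoteTypeDetails[[string]$m.RecipientTypeDetails]
            if ($null -eq $expected) { $drift.Add("unmapped cloud type $($m.RecipientTypeDetails)") }
            elseif ([int64]$ad.msExchRecipientTypeDetails -ne $expected) {
                $drift.Add("msExchRecipientTypeDetails $($ad.msExchRecipientTypeDetails) != $expected")
            }
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            Converged         = ($drift.Count -eq 0)
            Drift             = $drift.ToArray()
        }
    }
}

# Constructed sample: jdoe gained an alias in the cloud that has not landed on-prem yet;
# helpdesk was converted to a shared mailbox in the cloud but AD still says remote user mailbox.
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com'; RecipientTypeDetails = 'UserMailbox'
                       EmailAddresses = 'SMTP:jdoe@contoso.com', 'smtp:john.doe@contoso.com', 'smtp:jdoe@contoso.mail.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'helpdesk@contoso.com'; RecipientTypeDetails = 'SharedMailbox'
                       EmailAddresses = 'SMTP:helpdesk@contoso.com', 'smtp:helpdesk@contoso.mail.onmicrosoft.com' }
)
$onPrem = @(
    [pscustomobject]@{ userPrincipalName = 'jdoe@contoso.com'; msExchRecipientTypeDetails = 2147483648
                       targetAddress = 'SMTP:jdoe@contoso.mail.onmicrosoft.com'
                       proxyAddresses = 'SMTP:jdoe@contoso.com', 'smtp:jdoe@contoso.mail.onmicrosoft.com' }
    [pscustomobject]@{ userPrincipalName = 'helpdesk@contoso.com'; msExchRecipientTypeDetails = 2147483648
                       targetAddress = 'SMTP:helpdesk@contoso.mail.onmicrosoft.com'
                       proxyAddresses = 'SMTP:helpdesk@contoso.com', 'smtp:helpdesk@contoso.mail.onmicrosoft.com' }
)
Compare-MailboxWriteback -CloudMailboxes $cloud -AdUsers $onPrem | Where-Object { -not $_.Converged } | Format-List
```

Schedule this a few minutes apart from any bulk change: drift that persists across two runs separated by more than the expected writeback latency is the signal that the agent, not the queue, is the problem.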

Microsoft has published a reference topology that shows how a single Cloud Sync agent can serve multiple domain controllers and handle thousands of users. In the preview, the feature supports a single-agent setup, but production-grade guidance is expected before general availability.

Prerequisites and Configuration

Admins eager to test the preview need to satisfy several prerequisites:

  • Entra Cloud Sync agent version 2.1.0 or later installed on a Windows Server 2022 or later member server (domain-joined, with AD DS and AD LDS tools available).
  • Exchange Hybrid deployment configured with the Hybrid Configuration Wizard, and all mailboxes moved to Exchange Online (or the deployment is greenfield with remote mailboxes only).
  • Exchange Online tenant with at least one Exchange Online license (any plan that includes Exchange).
  • Active Directory schema extended with Exchange 2019 CU14 or later attributes (the schema version must be Exchange 2019 or higher).
  • Service account permissions: the Cloud Sync agent writes to AD directly over LDAP, so its service account (the agent's gMSA by default) needs write access to the Exchange attributes on the target user objects. Membership in an on-premises Exchange role group such as Recipient Management does not provide this; RBAC role groups only govern what the Exchange tools allow and grant no LDAP write rights. Delegate an ACE on the OUs that hold remote mailboxes, scoped to the attributes being written back, rather than broad rights such as GenericAll.
  • Firewall ports: HTTPS (TCP 443) outbound to *.msappproxy.net and *.servicebus.windows.net

Configuration is done through the Exchange admin center (EAC) under Hybrid > Cloud Sync. Admins can enable writeback per organizational unit or for specific security groups. The initial sync may take 10–15 minutes per 1,000 users to stamp the baseline attributes. Microsoft recommends running a test with a pilot group before enabling organization-wide writeback.
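The delegation in the prerequisites list is where most of the new risk lives, so it is worth doing narrowly and then proving what was granted. The following PowerShell is an added example, not Microsoft's or the article's code: it grants the agent's gMSA WriteProperty on just the writeback attribute set, inherited only by user objects under one OU, and then lists every ACE that identity holds there so over-delegation is visible. The OU name, the gMSA name and the attribute list are assumptions (the list mirrors the article's; adjust it to what Microsoft documents for your agent version).

```powershell
# Added example (not Microsoft's or the article's code): delegate to the Cloud Sync agent's gMSA
# only WriteProperty on the writeback attribute set, scoped to user objects under one OU, then
# audit what that identity can write there. OU name, gMSA name and attribute list are assumptions.
# Run on a domain-joined box with the ActiveDirectory module, as an account holding WriteDacl on the OU.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$TargetOu   = 'OU=CloudManagedUsers,DC=contoso,DC=com'   # assumed OU holding the remote-mailbox users
$AgentGmsa  = 'CONTOSO\provAgentgMSA$'                   # assumed gMSA running the provisioning agent
$Attributes = 'proxyAddresses', 'targetAddress', 'mail', 'mailNickname',
              'msExchRecipientTypeDetails', 'msExchRecipientDisplayType', 'showInAddressBook'

$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array; the ACE needs it as a Guid
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found; is the Exchange schema extension in place?" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$identity      = [System.Security.Principal.NTAccount]$AgentGmsa
$acl           = Get-Acl -Path "AD:\$TargetOu"

foreach ($attr in $Attributes) {
    # One ACE per attribute: WriteProperty, Allow, applied to user objects below the OU only
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Audit: every ACE the gMSA now holds under this OU. An attribute outside $Attributes, an
# '<all attributes>' entry, or rights beyond WriteProperty means it was over-delegated.
$guidToName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $AgentGmsa } |
    Select-Object ActiveDirectoryRights, AccessControlType, IsInherited,
        @{ n = 'Attribute'; e = { if ($_.ObjectType -eq [guid]::Empty) { '<all attributes>' } else { $guidToName[$_.ObjectType] } } },
        @{ n = 'AppliesTo'; e = { if ($_.InheritedObjectType -eq [guid]::Empty) { '<all classes>' } else { $guidToName[$_.InheritedObjectType] } } } |
    Format-Table -AutoSize
```

The audit half is the part to keep running: rerun it after every agent upgrade or OU restructure, and alert if the gMSA ever shows an ACE that is not one of the intended attribute-scoped WriteProperty grants.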

Real-World Benefits for IT Teams

The business impact of retiring the last Exchange server is substantial. For a mid-sized organization with 5,000 users, maintaining that final server has real costs:

  • Licensing: Exchange Server licenses (Standard or Enterprise) with active Software Assurance, which can run $4,000–$8,000 per year.
  • Hardware/VM resources: 4–8 vCPUs, 32 GB RAM, and significant storage. In Azure or on-prem, that’s money.
  • Patching and security: Exchange 2019 cumulative updates twice a year, plus security updates whenever a new flaw ships, including out-of-band fixes for actively exploited bugs such as ProxyShell and later zero-days.
  • Operational overhead: An FTE or partial FTE to monitor, back up, and manage the server.

Beyond cost, security posture improves. Removing the Exchange server takes away a high-value target and the lateral-movement paths that run through it. Incident response teams no longer need to worry about Exchange-specific exploits on a server that shouldn't exist. Compliance auditors see one fewer critical system to review. The trade is not zero, though: the Cloud Sync agent host and its gMSA now hold write access to proxyAddresses and targetAddress, which is enough to redirect a user's mail, so harden and monitor that server like any other identity-sync host.

Moreover, the feature enables purely cloud-native organizations that still need on-prem AD for legacy apps or identity to finally go all-in on Exchange Online management. Previously, these shops had to maintain a lightweight Exchange server or use third-party tools to manipulate attributes—a hacky, unsupported approach. Now, it’s a first-class, Microsoft-supported path.

Limitations to Watch Out For

At public preview, writeback has several gaps that admins should plan for:

  • No support for on-premises public folders or legacy mailboxes still hosted on-prem. All mail recipients must be cloud-hosted remote mailboxes.
  • Hybrid mail flow must already be correctly configured (connectors, accepted domains, remote domains); writeback moves recipient attributes only, not transport configuration or transport rules.
  • Certain attributes are deliberately excluded from writeback, including msExchArchiveStatus, msExchLitigationHoldDate, and some audit-related properties. These remain set only on the cloud object.
  • Management of distribution groups that are synced from on-prem is still done on-prem; the writeback is for remote mailboxes only, not for groups synced via Azure AD Connect.
  • Latency is not real-time; under heavy load (e.g., bulk updates to 10,000 mailboxes), delays can extend to 2–5 minutes. For single-user changes, typical latency is 15–30 seconds.
  • The Cloud Sync agent becomes a critical dependency. If the agent fails, management grinds to a halt: cloud changes queue, and on-prem AD drifts from the cloud until the agent returns. A second agent for high availability is recommended but not yet fully supported in preview, so at minimum monitor the agent service and alert on writeback failures surfaced in the EAC.
  • Multi-forest scenarios are not yet covered. The writeback targets a single AD forest. Organizations with resource forests or multiple Exchange orgs must wait.

Microsoft has stated that many of these limitations will be addressed before general availability, currently targeted for the second half of 2026.

Moving Forward: The Road to GA

The preview is available now for tenants with an active Exchange Online license and a test on-premises domain. Microsoft has committed to monthly updates to the Cloud Sync agent during the preview, with a feature-complete Release Candidate expected by August 2026. General availability will bring full HA support, broader AD topology coverage, and SLA-backed support.

For organizations still on Exchange 2016 or 2019 on-prem (both past end of support since October 2025), this writeback capability is a key motivator to finalize the cloud migration. If you've been holding onto that last server because you "have to," the conversation has officially changed. The technology now exists to retire it completely.

Early adopters report that the setup is straightforward, but caution against enabling writeback without thorough schema validation. A misconfigured proxyAddresses writeback can cause email bounce-backs, especially if SMTP domains aren’t correctly verified in the cloud. Microsoft’s Health Check tool, available in the EAC, scans for common misconfigurations before activation.

As hybrid environments evolve, Microsoft is betting that Cloud Sync—not Azure AD Connect—will be the synchronization backbone for Windows and Exchange workloads. The writeback feature is part of a broader strategy to decouple on-premises Exchange from management and eventually deprecate the legacy hybrid configuration wizard entirely.

Conclusion

The public preview of Cloud Managed Mailbox Writeback is more than a feature update; it’s a strategic pivot. For the first time, Microsoft is providing a supported, native method to manage hybrid Exchange recipients entirely from the cloud. Admins can at last power off that lingering Exchange server, reduce their attack surface, and simplify their infrastructure. While the preview has its limits, the direction is clear: the on-premises Exchange management anchor is becoming a relic. Organizations should start testing now, provide feedback, and prepare to dismantle the last of their Exchange server farms.