Microsoft has released a per‑mailbox cloud management feature that finally gives hybrid Exchange organizations a clear path to unplugging the last on‑premises Exchange server. With the new IsExchangeCloudManaged flag, administrators can transfer the source of authority (SOA) for Exchange attributes from on‑premises Active Directory to Exchange Online, while identity attributes remain firmly rooted in on‑prem AD. The feature, now generally available in Phase 1, eliminates the long‑standing requirement to keep an Exchange server solely for recipient management.

For years, hybrid deployments have been hamstrung by a fundamental limitation: even after migrating every mailbox to Exchange Online, organizations often needed at least one on‑premises Exchange server to edit mailbox attributes. The on‑prem Exchange was the SOA for directory‑synchronized user objects; any change made in the cloud would be overwritten by the next synchronization cycle. Microsoft’s previous attempt to ease this burden came in April 2022 with the Exchange Server 2019 management tools, which allowed recipient cmdlets on a domain‑joined machine without a full Exchange server. While helpful, the tools still required on‑prem PowerShell skills, lacked integrated audit logging, and prevented direct edits from Exchange Online.

The new cloud‑managed remote mailbox capability changes the equation. It introduces a Boolean attribute—IsExchangeCloudManaged—that, when set to true for a directory‑synchronized mailbox, tells Entra Connect Sync to stop pushing Exchange attributes from on‑prem AD. From that moment on, an administrator can modify proxy addresses, custom attributes, hidden‑from‑address‑list flags, and dozens of other Exchange‑specific properties directly in Exchange Online PowerShell, the Exchange Admin Center, or the Microsoft 365 Admin Center. Reversing the decision is as simple as setting the flag back to false, at which point the next sync cycle restores on‑prem mastery.

Phase 1, which became generally available in late 2024, supports per‑mailbox opt‑in for user, shared, equipment, and room mailboxes. Groups and contacts are not covered; they require a separate object‑level SOA transfer that Microsoft has also recently made generally available. During this phase, organizations can selectively move individual mailboxes to cloud management, validating the process before a wider rollout. Microsoft expects Phase 2—currently in Public Preview—to deliver writeback capability through Microsoft Entra Cloud Sync. This will let changes made in Exchange Online automatically sync back to on‑premises AD for a curated set of attributes, closing the loop and preventing configuration drift. Writeback will support tenants with fewer than 200,000 cloud‑managed mailboxes during preview, with general availability targeted for the end of June 2026.

The operational implications are significant. By embracing cloud‑managed mailboxes, admins can decommission the last Exchange server in many scenarios, slashing on‑prem infrastructure costs, patching overhead, and the privileged attack surface. Service desk staff no longer need on‑premises administrative access just to update an alias or hide a mailbox from the GAL. Automation becomes simpler, too: Azure Automation, Logic Apps, and cloud‑native PowerShell scripts can now directly manage Exchange attributes without reaching back to a legacy management jumpbox.

But the feature isn’t a magic wand. Its biggest risk is attribute divergence. Without writeback, any change made in Exchange Online for a cloud‑managed mailbox won’t appear in on‑prem AD, and vice versa. If different teams use different tools to manage the same user, confusion and misconfigurations can arise. Microsoft explicitly warns admins to back up attribute values before toggling the flag or rolling back. Offboarding a mailbox back to on‑premises becomes more delicate: the flag must be set to false before migration, or synchronization breaks entirely. Governance is equally critical; because IsExchangeCloudManaged is a powerful switch, organizations should create narrow RBAC roles and log every change.
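To back the "log every change" recommendation, the following added example (not from Microsoft or the original article) reviews who toggled the flag by parsing `Set-Mailbox` records from the unified audit log. It assumes an Exchange Online PowerShell session with audit-read permission; the sample record, its names, and the function name are constructed for illustration.

```powershell
# Added example: report every change to IsExchangeCloudManaged.
# Assumes Connect-ExchangeOnline has already been run by an account
# that is allowed to search the unified audit log.

function ConvertFrom-SoaAuditRecord {
    # Hypothetical helper: keeps only records whose Set-Mailbox call
    # carried the IsExchangeCloudManaged parameter.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $flag = $data.Parameters | Where-Object Name -eq 'IsExchangeCloudManaged'
        if ($flag) {
            [pscustomobject]@{
                Time     = $data.CreationTime
                Admin    = $data.UserId
                Mailbox  = $data.ObjectId
                NewValue = $flag.Value
            }
        }
    }
}

# Constructed sample record so the parser can be exercised offline.
$sample = [pscustomobject]@{ AuditData = @'
{"CreationTime":"2025-01-15T09:12:44","Operation":"Set-Mailbox",
 "UserId":"helpdesk1@contoso.example","ObjectId":"pilot.user",
 "Parameters":[{"Name":"Identity","Value":"pilot.user"},
               {"Name":"IsExchangeCloudManaged","Value":"True"}]}
'@ }
$sample | ConvertFrom-SoaAuditRecord

# Live query over the last 30 days (the window is an arbitrary choice).
if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations 'Set-Mailbox' -ResultSize 5000 |
        ConvertFrom-SoaAuditRecord |
        Sort-Object Time |
        Format-Table -AutoSize
}
```

An entry whose Admin falls outside the narrow RBAC role group, or a flip back to False with no matching rollback ticket, is the case worth alerting on.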

To get started, the prerequisites are clear. Entra Connect Sync must be upgraded to version 2.5.190.0 or later (earlier documentation mentioned 2.5.76.0, but the official requirement has since been raised). For Phase 2 writeback, the Microsoft Entra Cloud Sync provisioning agent must be installed at version 1.1.1107.0 or higher. Admins can verify the Connect Sync version via Control Panel or PowerShell. The necessary roles include Exchange Administrator or a custom role with permission to modify the IsExchangeCloudManaged parameter.

The core PowerShell commands are straightforward:
- Enable: Set-Mailbox -Identity <User> -IsExchangeCloudManaged $true
- Verify: Get-Mailbox -Identity <User> | Format-List Identity, IsExchangeCloudManaged
- Revert: Set-Mailbox -Identity <User> -IsExchangeCloudManaged $false

Microsoft also offers a tenant‑wide setting for new mailboxes: running Set-OrganizationConfig -ExchangeAttributesCloudManagedByDefault $true makes every newly provisioned mailbox cloud‑managed by default, eliminating the per‑mailbox toggle for future accounts. Existing mailboxes still require individual migration.

A cautious pilot plan is essential. Start by confirming the Entra Connect Sync version and selecting a small cohort of test mailboxes. Wait at least one full sync cycle plus 24 hours after any on‑prem Set-RemoteMailbox changes to avoid race conditions. Export a snapshot of current attributes for reconciliation, then enable cloud management for a single mailbox. Test typical edits (aliases, CustomAttributeX, HiddenFromAddressListsEnabled) and confirm they persist across sync cycles. Finally, practice the rollback procedure. Only after a successful pilot should an organization consider broader rollout—by business unit, region, or OU.
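The snapshot, enable, and persistence-check steps of the pilot can be scripted as below. This is an added example, not Microsoft's or the article's own code; it assumes an existing Exchange Online PowerShell session, and `$PilotUser`, `$SnapshotDir`, and both function names are hypothetical.

```powershell
# Added example: snapshot a pilot mailbox, enable cloud management,
# then diff against the snapshot after later sync cycles.
$PilotUser   = 'pilot.user@contoso.example'   # placeholder identity
$SnapshotDir = 'C:\Temp\SoaPilot'             # placeholder path

# Attributes the pilot edits, plus the flags needed for reconciliation.
$Props = @('Alias', 'PrimarySmtpAddress', 'EmailAddresses',
           'HiddenFromAddressListsEnabled', 'IsDirSynced',
           'IsExchangeCloudManaged') +
         (1..15 | ForEach-Object { "CustomAttribute$_" })

function Get-SoaSnapshot {
    param([string]$Identity)
    $mbx  = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $snap = [ordered]@{}
    foreach ($p in $Props) {
        # Flatten multi-valued properties so they compare as one string.
        $snap[$p] = (@($mbx.$p) | ForEach-Object { "$_" } | Sort-Object) -join ';'
    }
    [pscustomobject]$snap
}

function Compare-SoaSnapshot {
    param($Before, $After)
    foreach ($p in $Props) {
        # Case-sensitive: a primary-address swap changes SMTP:/smtp: only.
        if ($Before.$p -cne $After.$p) {
            [pscustomobject]@{ Property = $p; Before = $Before.$p; After = $After.$p }
        }
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$snapshotFile = Join-Path $SnapshotDir 'before.xml'
$before = Get-SoaSnapshot -Identity $PilotUser
$before | Export-Clixml -Path $snapshotFile

# The flag only makes sense for directory-synchronized mailboxes.
if ($before.IsDirSynced -ne 'True') { throw "$PilotUser is not directory-synchronized." }

Set-Mailbox -Identity $PilotUser -IsExchangeCloudManaged $true

# Re-run these two lines after each sync cycle.
Compare-SoaSnapshot -Before (Import-Clixml $snapshotFile) `
                    -After (Get-SoaSnapshot -Identity $PilotUser) | Format-Table -AutoSize
```

Only IsExchangeCloudManaged and the attributes deliberately edited during the pilot should appear in the diff; any other row indicates that a sync cycle overwrote a cloud-side value, and the saved snapshot supplies the values to restore when practicing rollback.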

The feature’s arrival marks a turning point for hybrid Exchange. For the first time, the “last Exchange server” is genuinely optional for many organizations that have clung to it solely for management. Phase 2’s writeback will further solidify that position, enabling full two‑way parity without manual intervention. Microsoft’s parallel work on object‑level SOA for users, groups, and contacts—already GA for groups and available for users and contacts—complements this shift, offering a broader path toward eliminating on‑prem Exchange entirely.

Administrators should still exercise patience. The current Public Preview of writeback has a tenant‑size limit, and the exact timeline for GA may shift. Organizations that rely on on‑premises AD as the faithful source of truth for all properties, including Exchange attributes consumed by legacy applications, may want to wait until writeback is proven and stable. But for everyone else, the IsExchangeCloudManaged flag is ready for production today. With careful planning, robust RBAC, and audit logging in place, hybrid shops can finally turn off those lingering Exchange servers and let the cloud take full ownership of their mailbox management.