In Microsoft's world, cloud email still often requires on-premises Exchange. Why?
Use third-party tools 'at your own risk' – but what of the risk of Exchange itself?
Comment Microsoft customers who use Exchange Online for all their email still often have to run on-premises Exchange to be supported – and that is a burden they could do without as new vulnerabilities appear.
"This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities," warned Microsoft's Exchange team yesterday. "It is critical to keep your Exchange servers updated with latest available Cumulative Update (CU) and Security Update (SU)."
It's good advice, but many affected organisations would rather not run Exchange on-premises at all. They do so because Microsoft insists on it – even when all their mail is handled by Exchange Online.
Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online
The problem arises for any customer that deploys AD Connect, a service which synchronises on-premises Active Directory (AD) with the Azure version.
AD Connect is almost a necessity for larger organisations, since a local directory is still needed, whether to manage permissions for local resources like printers, or for legacy applications that require it (Sage is an example).
Microsoft's latest big launch, Windows 365 cloud desktops, requires AD Connect for the Enterprise plans.
On-premises AD is deeply embedded in Microsoft's platform.
Microsoft's Exchange Server, whether online or on-premises, is another example of an application that integrates with AD. Part of an Exchange installation is an extension of the AD Schema to add Exchange-specific data. Customers without AD Connect do not need to worry about this since it is managed internally on Microsoft's cloud, but once AD Connect is in the picture, the synchronisation requires that Exchange-specific data exists on-premises as well as online. Provisioning a new mailbox, for example, means editing that data in AD – and Microsoft has said for years that the only way to do this is with Exchange on-premises.
"Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes," say the docs.
- Microsoft, flush with cash, raises cloud office suite prices for businesses
- Here's a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies
- Microsoft abandons semi-annual releases for Windows Server
- Brit reseller given 2022 court date for £270m Microsoft SaaS licence sueball's first hearing
Is it possible to do with low-level tools like Active Directory Users and Computers (ADUC) or ADSIEDIT? Yes – but it is not supported. "The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange admin center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk," says the company.
Those interested in the details will find a discussion here where the implications are debated.
Microsoft will let customers have an on-premises Exchange licence for free if this scenario applies. However, that is small comfort if it is the security rather than the cost of the arrangement that is the focus. "Time to get rid of the hybrid exchange servers without being unsupported in hybrid AD situations Microsoft!" said a frustrated administrator in response to the latest security post.
They're right. What is needed is either cloud-based tools for mailbox management that work when AD Connect is installed, or failing that, a supported utility that enables this to be managed on-premises without the burden of running Exchange.
The company has made an amazing transition from on-premises computing to public cloud provision, but there are times when the legacy of that technology prevents users from taking full advantage. This is one of them. ®