Blog Post

Microsoft Exchange Hybrid Deployment Vulnerability – Shared Service Principal


Back on April 18, 2025, Microsoft announced a change to the security model for Microsoft Exchange hybrid deployments and released a non-security-related hotfix. If you aren’t aware of this guidance, have a hybrid deployment, and use “rich coexistence” features, you will want to read the article, because there are changes that have to be made by October 2025 and October 2026.

On August 6, 2025, Microsoft announced a vulnerability in hybrid deployments caused by a shared service principal between the Exchange on-premises deployment and Exchange Online. The vulnerability lies on the on-premises side. Basically, if a threat actor gains administrative rights on an on-premises Exchange server, they can escalate privileges into the cloud environment through that shared service principal. This ties into the change in the security model: implementing the hotfix and switching to the dedicated Exchange hybrid app breaks the ability to escalate from on-premises to Exchange Online, because there will no longer be a shared service principal.

On a related note, if you are synchronizing accounts from on-premises Active Directory (AD) to Entra ID, do not synchronize highly privileged accounts from on-premises, per best-practice guidance on identity and access management (IAM). Taking it a step further, it’s better to ensure highly privileged accounts for Azure access are native to Entra ID rather than synchronized Active Directory accounts. After all, if a threat actor compromises the Active Directory domain where those accounts originate, the threat actor can take over those accounts just as they could any other AD user account. Multifactor authentication (MFA) can help protect those accounts, but if we think in terms of defense in depth, it is better to ensure they aren’t in AD to begin with.
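As an added example (not code from the original post), the following PowerShell check lists every user holding an activated Entra ID directory role and flags those that are synchronized from on-premises AD, which is exactly the condition the paragraph above warns against. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has read access to directory roles and users.

```powershell
# Added example: find directory-role holders that are synced from on-premises AD.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller can consent to
# RoleManagement.Read.Directory and User.Read.All.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is sufficient here: a role nobody has ever held has no members to review.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; only users sync from AD.
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id `
            -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesDistinguishedName

        [pscustomobject]@{
            Role         = $role.DisplayName
            User         = $user.UserPrincipalName
            SyncedFromAD = [bool]$user.OnPremisesSyncEnabled
            OnPremDN     = $user.OnPremisesDistinguishedName
        }
    }
}

# Synced accounts holding a directory role are the ones to convert to native
# Entra ID accounts (or remove from the role) per the guidance above.
$findings | Where-Object SyncedFromAD | Sort-Object Role, User | Format-Table -AutoSize
```

The OnPremDN column shows where in AD the account lives, which helps confirm it really is a domain-sourced identity rather than a cloud-only one that merely shares a naming convention.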
