I'm looking to decommission my Exchange server after recently discovering a vulnerability that could allow attackers to access our Cloud environment. Currently, we're in a hybrid setup since I primarily use the Exchange Admin Center for user management, but we don't send any emails through the server anymore. Based on Microsoft's guidance, it seems like we fit "Scenario 1" from their instructions, meaning we have all our mailboxes in Exchange Online and don't need to manage users from on-premises anymore.
I'm okay with managing users both in Active Directory (AD) and Entra/Exchange Online (EXO) since our user turnover is extremely low, so removing AD Sync sounds fine to me. I'm currently on Step 5 where I plan to sever the relationship, uninstall AD Sync, and then remove Exchange 2016.
Before I proceed, I'd love to hear from anyone who has gone through this process. Were there any challenges or unexpected issues I should watch out for? Thanks in advance!
2 Answers
I've successfully gone through a similar decommissioning, and while it’s been smooth overall, I’d recommend taking a close look at your SSO setup. Make sure that Entra is fully configured to handle authentication without reliance on the Exchange server. Communication with your team about password changes will also help ease any transition issues you might face.
Managing users in the cloud and on-premises shouldn't be an issue for you, but make sure to consider the implications for single sign-on (SSO) and password management. As long as you have an on-premises AD, it's still the main authority. You might want to keep some form of directory sync if that's a concern. But honestly, if you are okay with manual user management, you can go ahead and disable it. Just remember that disconnections can lead to some hiccups if passwords need to be aligned.
I understand your concern. For us, password changes haven’t been difficult; we just inform users to reset their passwords in both systems when needed.
I'm in the process of doing this as well! I turned off my Exchange server temporarily while I read up more on the decommission process. So far, everything seems to be working well for my users.