New Hybrid Configuration Wizard supports Dedicated Hybrid App

Hi All,
Just a few days ago, Microsoft announced that the updated Hybrid Configuration Wizard (HCW) now supports configuration of the Dedicated Hybrid App.
- Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions
- CVE-2025-53786 Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
Microsoft has also announced temporary enforcement blocks, as adoption of the Dedicated Hybrid App does not seem to be at the level Microsoft is expecting.
| Block | Block starting | Block length |
|---|---|---|
| 1st Block | August 19, 2025 | 2 days |
| 2nd Block | September 16, 2025 | 3 days |
| 3rd Block | October 7, 2025 | 3 days |
| Final block | After October 31, 2025 | permanent |
During a block period, for impacted customers (hybrid organizations that have not yet moved to the Dedicated Hybrid App), the following will not work for on-premises mailboxes when they interact with Exchange Online mailboxes:
- Free/busy lookups
- MailTips
- Profile picture sharing
When you look at the timeline they stated in April, admin action is required in Q3. In my humble opinion that starts in September, so I was a little bit shocked that they already start blocking periods in August. Anyway, that's how Microsoft has decided. I think the time between the release of the HCW and the blocking period is a little bit too short.
On the other hand, you could argue that you have had time since April to figure it all out, so you had five months to do the task.
Dedicated Hybrid App
Here are some additional links for the Dedicated Hybrid App.
I've already covered the Dedicated Hybrid App in my Exchange Server April 2025 Hotfix Update article.
Permission
The required permissions for the Hybrid Configuration Wizard are documented here. If you want to configure OAuth or the Dedicated Hybrid App, you need to run it with the "Global Administrator" Entra role. Because Global Administrator is the most privileged Entra role, activate it only for the duration of the HCW run (for example via PIM) and run the wizard from a dedicated admin account.
Hybrid Configuration Wizard
Download the updated HCW.
Select "Install".
Now the updated Hybrid Configuration Wizard, version 17.1.3443.0 or higher, should start.
Let's run the HCW with Global Admin.
Select "Choose Exchange Hybrid Configuration".
There is a new option, "Dedicated Exchange Server Application in Entra ID".
As I already configured this in April, the Dedicated Hybrid Application is detected.
The HCW has successfully configured everything.
Message Attribution
There is some strange behaviour when someone on the Internet (a third party) sends a mail with a sender address in one of your accepted domains to an Exchange Online recipient: sometimes the message trace makes it look as if the mail was sent from your tenant, which is not true. Exchange Online attributes an inbound message to the on-premises (hybrid) inbound connector when the sending server's TLS certificate matches the connector's TlsSenderCertificateName, and a wildcard match is broader than it needs to be.
To fix this, it's recommended to change the TlsSenderCertificateName of your hybrid inbound connector from *.domain.tld to fqdn.domain.tld.
That's something I would recommend to everybody, unless you really have a wildcard certificate for Exchange hybrid mail flow (which I would not recommend).
```powershell
# List the inbound connector(s) created by the Hybrid Configuration Wizard
Get-InboundConnector | Where-Object { $_.ConnectorSource -eq "HybridWizard" }
Get-InboundConnector | Where-Object { $_.ConnectorSource -eq "HybridWizard" } | Format-List
```
Set TlsSenderCertificateName to the FQDN:
```powershell
Set-InboundConnector -Identity "Inbound from b96bdae2-5722-45d3-b38c-8dca846c63ba" -TlsSenderCertificateName mail.icewolf.ch
# Verify the change
Get-InboundConnector | Where-Object { $_.ConnectorSource -eq "HybridWizard" } | Format-List
```
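As an added example that is not part of the original post, the following PowerShell script automates the check and the fix described above: it lists the inbound connectors the HCW created, flags a wildcard TlsSenderCertificateName, and pins it to a single FQDN. It is also the alternative to the Tips below: if you re-run the HCW including the inbound connector step, the connector can be reset, and this script puts the FQDN back. It assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline) and that the FQDN you pass is the subject name of the certificate your on-premises Exchange servers present for hybrid mail flow; the script name and parameter names are my own.

```powershell
# Set-HybridTlsSenderName.ps1 (added example, not from the original post)
# Pins TlsSenderCertificateName of the HCW-created inbound connector(s) to one FQDN.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
param(
    # Subject name of the certificate your on-premises Exchange servers present for
    # hybrid mail flow, e.g. mail.icewolf.ch. The pattern rejects wildcards on purpose.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')]
    [string]$HybridFqdn,

    # Without -Apply the script only reports; with -Apply it changes the connector(s).
    [switch]$Apply
)

# The HCW tags the connectors it owns with ConnectorSource = HybridWizard.
$connectors = Get-InboundConnector | Where-Object { $_.ConnectorSource -eq 'HybridWizard' }
if (-not $connectors) {
    Write-Warning 'No inbound connector with ConnectorSource = HybridWizard found.'
    return
}

foreach ($connector in $connectors) {
    # TlsSenderCertificateName is an object; compare its string form (e.g. "*.icewolf.ch").
    $currentName = "$($connector.TlsSenderCertificateName)"
    $isWildcard  = $currentName.StartsWith('*')

    # Report the attribution-relevant settings of every HCW connector.
    [pscustomobject]@{
        Identity                     = "$($connector.Identity)"
        ConnectorType                = $connector.ConnectorType
        RequireTls                   = $connector.RequireTls
        RestrictDomainsToCertificate = $connector.RestrictDomainsToCertificate
        TlsSenderCertificateName     = $currentName
        Wildcard                     = $isWildcard
        NeedsChange                  = ($currentName -ne $HybridFqdn)
    }

    if ($Apply -and $currentName -ne $HybridFqdn) {
        # -Confirm: a wrong FQDN here breaks hybrid mail flow, so prompt before changing.
        Set-InboundConnector -Identity $connector.Identity `
            -TlsSenderCertificateName $HybridFqdn -Confirm

        # Read the connector back to verify the new value was stored.
        Get-InboundConnector -Identity $connector.Identity |
            Select-Object Identity, TlsSenderCertificateName, RequireTls, RestrictDomainsToCertificate
    }
}
```

Run `.\Set-HybridTlsSenderName.ps1 -HybridFqdn mail.icewolf.ch` first to see what would change, then add `-Apply`. If you are unsure which FQDN to pass, check the subject of the certificate bound to SMTP on the on-premises server with `Get-ExchangeCertificate | Where-Object { $_.Services -like '*SMTP*' } | Format-List Subject, CertificateDomains`; the value must be a name the on-premises send connector actually presents, otherwise inbound hybrid mail will no longer be attributed to the connector.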
Tips
If you run the HCW with only the "Exchange Administrator" role and you DON'T deselect OAuth and Dedicated Hybrid App,
you will end up here.
If you run the HCW with only the "Exchange Administrator" role and you DESELECT OAuth and Dedicated Hybrid App,
you end up here 😊
If you run the HCW with only the "Exchange Administrator" role and you DESELECT OAuth, Dedicated Hybrid App and Inbound Connector,
you end up here,
and you don't have to fix TlsSenderCertificateName every time you run the HCW 😎 (otherwise the HCW rewrites the inbound connector it owns).
Regards
Andres Bohren