New Hybrid Configuration Wizard supports Dedicated Hybrid App

Hi All,

Just a few days ago, Microsoft announced that the updated Hybrid Configuration Wizard (HCW) now supports the Configuration of the Dedicated Hybrid App.

Microsoft has also announced some block Tests, as the Adoption of the Dedicated Hybrid App does not seem to be at the Level Microsoft is expecting.

| Block | Block starting | Block length |
|---|---|---|
| 1st Block | August 19, 2025 | 2 days |
| 2nd Block | September 16, 2025 | 3 days |
| 3rd Block | October 7, 2025 | 3 days |
| Final block | After October 31, 2025 | (block is permanent) |

During the blocked period, for customers who are impacted (see above), the following will not work for on-premises mailboxes when trying to work with Exchange Online mailboxes:

  • Free/busy lookups
  • MailTips
  • Profile picture sharing

When you look at the Timeline they stated in April, Admin Action is required in Q3. In my humble opinion that starts in September. So I was a little bit shocked that they already start blocking periods in August. Anyway, that’s how Microsoft has decided. I think the time between the Release of the HCW and the blocking period is a little bit too short.

On the other hand, you could argue that you have had time since April to figure it all out. So you had 5 Months to do the Task.

Dedicated Hybrid App

Here are some additional Links for Dedicated Hybrid App

I’ve covered the Dedicated Hybrid App already in my Exchange Server April 2025 Hotfix Update Article

Permission

The required Permissions for the Hybrid Configuration Wizard are documented here. If you want to configure OAuth or Dedicated Hybrid App, then you need to run it with the “Global Administrator” Entra Role.

Hybrid Configuration Wizard

Download the updated HCW

Select “Install”

Now the Updated Hybrid Configuration Wizard with the Version 17.1.3443.0 or higher should start

Let’s run the HCW with Global Admin

Select “Choose Exchange Hybrid Configuration”

There is a new Option “Dedicated Exchange Server Application in Entra ID”

As I already configured this in April, the Dedicated Hybrid Application is detected

The HCW has successfully configured everything

Message Attribution

There are some strange behaviours when someone sends a Mail from a 3rd Party (Internet) with the Sender address of one of your Accepted Domains to another Exchange Online Recipient. Sometimes in the Message Trace it looks like it was sent from your Tenant (which is in fact not true).

To fix this, it’s recommended to change the TlsSenderCertificateName of your Hybrid Inbound Connector from *.domain.tld to fqdn.domain.tld.

That’s something I would recommend to everybody, unless you really have a wildcard Certificate for Exchange Hybrid Mailflow (I would not recommend that).

Get-InboundConnector | where {$_.ConnectorSource -eq "HybridWizard"}
Get-InboundConnector | where {$_.ConnectorSource -eq "HybridWizard"} | fl

Set TlsSenderCertificateName to FQDN

Set-InboundConnector -Identity "Inbound from b96bdae2-5722-45d3-b38c-8dca846c63ba" -TlsSenderCertificateName mail.icewolf.ch
Get-InboundConnector | where {$_.ConnectorSource -eq "HybridWizard"} | fl
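
The wildcard check described above, written as a reusable audit function. This is an added example, not part of the original post: the function name Test-HybridConnectorTlsName and the sample connector objects are constructed for illustration, and it only relies on the Name, ConnectorSource and TlsSenderCertificateName properties shown by Get-InboundConnector.

```powershell
# Added example: flags HCW-created inbound connectors whose
# TlsSenderCertificateName is empty or still a wildcard.
function Test-HybridConnectorTlsName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Connector
    )
    process {
        # Only connectors created by the Hybrid Configuration Wizard are in scope
        if ($Connector.ConnectorSource -ne 'HybridWizard') { return }

        $name = [string]$Connector.TlsSenderCertificateName
        $finding = if ([string]::IsNullOrWhiteSpace($name)) {
            'NotSet'        # no certificate name configured on the connector
        } elseif ($name.StartsWith('*.')) {
            'Wildcard'      # e.g. *.domain.tld, should be the mail flow FQDN
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name                     = $Connector.Name
            TlsSenderCertificateName = $name
            Finding                  = $finding
        }
    }
}

# Constructed sample objects so the check runs without a tenant connection
$sample = @(
    [pscustomobject]@{ Name = 'Inbound from <org-guid>'; ConnectorSource = 'HybridWizard'; TlsSenderCertificateName = '*.domain.tld' }
    [pscustomobject]@{ Name = 'Inbound from <org-guid> (fixed)'; ConnectorSource = 'HybridWizard'; TlsSenderCertificateName = 'fqdn.domain.tld' }
    [pscustomobject]@{ Name = 'Partner relay'; ConnectorSource = 'Default'; TlsSenderCertificateName = '*.partner.example' }
)
$sample | Test-HybridConnectorTlsName | Format-Table -AutoSize

# Against a tenant (after Connect-ExchangeOnline):
# Get-InboundConnector | Test-HybridConnectorTlsName | Where-Object Finding -ne 'OK'
```

Because the HCW recreates the Inbound Connector setting when it configures it, running this after each HCW run shows whether the value has gone back to a wildcard.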

Tips

If you run HCW with only “Exchange Administrator” Role and you DON’T deselect OAuth and Dedicated Hybrid App

you will end up here

If you run HCW with only “Exchange Administrator” Role and you DESELECT OAuth and Dedicated Hybrid App

You end up here 😊

If you run HCW with only “Exchange Administrator” Role and you DESELECT OAuth, Dedicated Hybrid App and Inbound Connector

You end up here

And don’t have to fix “TLSSenderCertificate” every time you run HCW 😎

Regards
Andres Bohren
