How to secure your Microsoft Exchange Hybrid Environment for 2026

10 February, 2026

In today's digital landscape, organizations are increasingly adopting hybrid environments to leverage the benefits of both on-premises and cloud-based solutions. Microsoft Exchange Hybrid is a popular choice for businesses seeking to integrate their existing on-premises Exchange infrastructure with Exchange Online.

This article focuses on the security aspects of deploying and managing a hybrid Microsoft Exchange environment. It provides a comprehensive overview of the components involved, best practices for securing each component, and strategies for maintaining a robust security posture.

By following the guidelines outlined in this article, organizations can ensure the seamless and secure operation of their Exchange Hybrid deployments.

Exchange Hybrid enables seamless coexistence between on-premises Exchange servers and Exchange Online. It allows organizations to:

  • Maintain a unified global address list (GAL) between both environments.
  • Enable smooth and secure mail flow between on-premises and cloud mailboxes.
  • Utilize centralized mailbox management with hybrid administrative controls.
  • Perform mailbox migrations in stages without disrupting users.
  • Retain certain workloads on-premises to comply with legal, regulatory, or business requirements.

Organizations choose Exchange Hybrid for several reasons:

  • Gradual cloud adoption: Instead of migrating all mailboxes at once, businesses can transition to the cloud at their own pace, reducing risks and operational disruption.
  • Compliance and security: Some industries require specific data residency, security, or compliance measures that may necessitate keeping part of the email infrastructure on premises.
  • Mail flow control: Organizations may prefer to route emails through on-premises security appliances or gateways before delivering them to the cloud for enhanced security and compliance.
  • Legacy application compatibility: Some business applications that rely on on-premises Exchange servers for email delivery may require a hybrid setup before full migration.
  • Hybrid modern authentication: Provides a secure authentication mechanism without requiring Basic Authentication, which is being deprecated by Microsoft.

Core components of a secure Exchange Hybrid deployment

A successful Exchange Hybrid deployment requires several key components to function optimally. These include Entra Connect, the Hybrid Configuration Wizard, Mail Flow configuration, Exchange Online, Exchange On-Premises, and Entra ID.

Securing Entra Connect

Entra Connect is a key component of the hybrid environment. It synchronizes user and computer accounts from your local Active Directory to Entra ID, and Exchange Hybrid requires Entra Connect to be configured so that the Exchange-related attributes are synchronized to the cloud identities.

The Entra Connect application needs to be installed on a domain-joined server. Because Entra Connect handles the synchronization of user identities to the cloud, it should be considered a Tier 0 asset, and the hardening required for servers at this layer should be applied: configure the server with a well-known hardening benchmark such as CIS or the Microsoft Security Baselines, make sure the operating system is patched regularly, use a unique local administrator password, and restrict access to the server to the accounts that manage Tier 0 assets. Although the application can be installed on a domain controller, it is better to install it on a dedicated server so that the Internet exposure of this component does not put the domain controllers at risk.

Entra Connect requires a SQL Server instance to store its user data and configuration. SQL Server can be installed on the same server or on a dedicated server; if a dedicated server is used, that server must be considered a Tier 0 asset as well, so apply to it all the hardening measures that you apply to the Entra Connect application server. Also, if the SQL Server instance is separated from the application server, use a group managed service account (gMSA) to run the services.

Because of the sensitive data that this service manages, a privileged access workstation (PAW) dedicated to Tier 0 assets should be used to manage it; the same applies to managing the database server. An alternative is to manage the server through a Privileged Access Management (PAM) solution.

Provide fault tolerance for the Entra Connect configuration by deploying a second server in staging mode: once Exchange Hybrid is fully functional, the Entra Connect servers become critical for the organization.

Choose Password Hash Synchronization over Pass-through Authentication as the authentication mode. Password Hash Synchronization is simpler to deploy and maintain and does not depend on your on-premises domain controllers, which reduces single points of failure and the attack surface; you also benefit from the leaked credentials detection feature in Entra ID. However, if your organization has strict security policies that disallow storing password hashes outside the on-premises environment, you will need to use Pass-through Authentication.
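The following PowerShell is an added example, not code from the original article or from Microsoft; it shows the gMSA, staging-mode and PHS checks recommended above. It assumes a domain named corp.example, a SQL host named SQL01 and a gMSA named gMSA-ADSyncSQL (all constructed names), the ActiveDirectory RSAT module on the Tier 0 management host, and the ADSync module on the Entra Connect server.

```powershell
# Added example (not from the original article). Constructed names: corp.example, SQL01, gMSA-ADSyncSQL.
# Part 1 runs on a Tier 0 management host with the ActiveDirectory module, as a domain admin.
Import-Module ActiveDirectory

# 1. A KDS root key is required once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # Even with -EffectiveImmediately, allow ~10 hours for replication in a multi-DC forest.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA; only the SQL host may retrieve its managed password.
$gmsaName = 'gMSA-ADSyncSQL'
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$'
}

# 3. On SQL01 itself, install the account and verify the host can use it, then set the
#    SQL Server service to log on as CORP\gMSA-ADSyncSQL$ in SQL Server Configuration Manager.
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName    # should return True

# Part 2 runs on each Entra Connect server: confirm staging mode and the PHS setting.
# Exactly one server should report StagingModeEnabled = False (the active one).
Import-Module ADSync
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    StagingModeEnabled = $sched.StagingModeEnabled
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    # Assumption: the AD connector is named after the domain, as the wizard does by default.
    PHSEnabled         = (Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'corp.example').Enabled
}
```

Run Part 2 on both the active and the staging server and keep the output with your change records; a second server reporting StagingModeEnabled = False means two servers are exporting to the same tenant.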

Security advice

  • Treat the application server and the database server as Tier 0 assets. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
  • Use gMSA if SQL Server is separated from app server. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview
  • Manage server using PAW or PAM. https://aka.ms/securedworkstation
  • Use Password Hash Synchronization. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs

Securing the Hybrid Configuration Wizard (HCW) setup

The Hybrid Configuration Wizard is Microsoft's streamlined solution for configuring hybrid deployments between on-premises Exchange environments and Exchange Online. It automates the complex process of establishing secure connectivity, sharing directory information, and configuring mail flow between these two environments.

Without the wizard, administrators would need to manually configure dozens of individual settings across multiple systems, a process that would be not only time-consuming but also prone to security misconfigurations. The wizard performs crucial tasks including:

  • Configuring Exchange Web Services (EWS) and OAuth authentication
  • Setting up secure mail routing between environments
  • Establishing free/busy calendar sharing
  • Configuring Autodiscover services
  • Implementing proper certificate validation

One of the most significant security decisions in your hybrid configuration is whether to enable centralized mail transport. Centralized mail transport determines how messages from your Exchange Online users to external recipients are routed. When enabled, these messages are routed through your on-premises Exchange servers before reaching the internet.

Organizations with sophisticated on-premises security solutions or strict compliance requirements should consider enabling centralized mail transport. However, this comes at the cost of creating a dependency on your on-premises infrastructure. The decision should align with your overall security architecture and risk management strategy. 

If possible, do not use centralized mail transport, since it makes your online infrastructure dependent on the on-premises services. Choose instead cloud software-as-a-service (SaaS) solutions that can replace the mail gateway functionality you currently run in your on-premises datacenters; most vendors already offer a cloud version of their products.

The HCW offers two primary deployment options: Full Hybrid and Minimal Hybrid. A full hybrid deployment establishes comprehensive integration between environments, including:

  • Bidirectional mail flow
  • Free/busy calendar sharing
  • Online archive access
  • Shared GAL (Global Address List)
  • Cross-premises mailbox moves
  • Full OAuth integration

A minimal hybrid deployment focuses primarily on directory synchronization and mail routing, excluding features like:

  • Free/busy sharing
  • Some cross-premises features
  • Certain administrative interfaces

From a strict security perspective, minimal hybrid presents fewer potential attack vectors. However, the operational benefits of full hybrid often outweigh these concerns when proper security controls are implemented. Organizations should only deploy what they need, starting with minimal and expanding to full hybrid if operational requirements demand it.

Perhaps the most important security decision is choosing between the modern hybrid and classic hybrid approaches. Classic hybrid requires the on-premises Exchange HTTPS ports to be reachable from the Internet so that Exchange Online can connect to them, and it requires a TLS certificate issued by a trusted third-party certification authority; this is the hybrid mode that has been available since hybrid Exchange configurations were introduced. Modern hybrid does not require exposing your on-premises Exchange installation at all. It uses a component called the Hybrid Agent, which relies on Azure application proxy technology to create a connection endpoint in the Microsoft cloud that Exchange Online services communicate with, so only outbound HTTPS traffic flows between your on-premises installation and Microsoft servers. This greatly improves security by reducing the attack surface of the overall solution.

Security advice

  • Avoid centralized mail transport unless strictly necessary. https://learn.microsoft.com/en-us/exchange/transport-options
  • Prefer minimal hybrid over full hybrid unless you require rich coexistence. https://learn.microsoft.com/en-us/exchange/hybrid-configuration-wizard-options
  • Use modern hybrid instead of classic hybrid, unless your organization requirements include the specific use cases where classic mode is still useful. https://learn.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-agent

Securing mail flow in hybrid environments

When implementing Exchange Hybrid, security should be a primary consideration in your mail flow design. As your organization operates with both on-premises and cloud components, the attack surface increases substantially, requiring strategic configuration and security controls. 

For mail flow between Exchange Online and Exchange on-premises, the recommendation is to deploy an Edge Transport server. The Edge Transport server role provides a dedicated mail relay positioned at the network perimeter. From a security perspective, this separation offers significant advantages:

  • It isolates internet-facing mail components from your internal Exchange infrastructure.
  • It provides a focused security boundary with limited attack surface.
  • It enables more granular control over mail flow policies and filtering.

While Microsoft has made the Edge Transport role optional in newer Exchange versions, from a security standpoint, it remains highly recommended for Hybrid deployments handling sensitive information. Edge Transport servers should be deployed in a demilitarized zone (DMZ) network segment. This architecture:

  • Creates a buffer between untrusted internet traffic and your internal network
  • Allows for distinct security policies on the DMZ segment
  • Reduces the impact of a potential compromise

Edge Transport servers should be hardened using recognized security benchmarks such as the Center for Internet Security (CIS) benchmarks or the Microsoft Security Baselines. Activity on the server should be continuously monitored, and a proper antivirus/antimalware product must be used to protect the operating system.

Additionally, make sure the firewall rules allow connections to the Edge Transport servers on TCP port 25 only from Exchange Online endpoints.
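As an added example (not code from the original article), the script below builds that TCP 25 allow list on a Windows Server Edge Transport host from the Microsoft 365 endpoints web service, which publishes the Exchange Online IP ranges in JSON. The rule name is ours; the service URL and the field names used (serviceArea, ips, tcpPorts) are the ones the service documents. The ranges change over time, so the script is meant to be re-run on a schedule.

```powershell
# Added example, not from the original article. Run elevated on the Edge Transport server.
# Assumptions: rule name is ours; endpoints web service URL and JSON fields are Microsoft's published ones.
$clientId  = [guid]::NewGuid().ToString()
$uri       = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$clientId"
$endpoints = Invoke-RestMethod -Uri $uri

# Keep the Exchange Online entries that publish IP ranges and list TCP 25 (SMTP) among their ports.
$smtpRanges = $endpoints |
    Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips -and $_.tcpPorts -and
                   (($_.tcpPorts -split ',') -contains '25') } |
    ForEach-Object { $_.ips } |
    Sort-Object -Unique

if (-not $smtpRanges) {
    throw 'No Exchange Online SMTP ranges were returned; refusing to write an empty allow list.'
}

$ruleName = 'Edge-SMTP-In-From-ExchangeOnline-Only'
# Replace (rather than append to) any earlier version of our rule so stale ranges do not linger.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Profile Any `
    -Protocol TCP -LocalPort 25 -RemoteAddress $smtpRanges | Out-Null

# The allow rule only restricts anything if the default inbound action is Block and no other
# enabled inbound rule opens TCP 25 to any remote address. Enforce the first, report the second.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '25' -or $_.LocalPort -contains 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.DisplayName -ne $ruleName } |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains 'Any' } |
    Get-NetFirewallRule | Select-Object DisplayName, Group
```

Any rule the final listing prints is a candidate to be disabled or scoped, because Windows Firewall evaluates allow rules additively: one broad "any address" rule on TCP 25 undoes the restriction. Apply the same allow list on the perimeter firewall in front of the DMZ, since the host firewall is only the second layer.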

For external email (incoming from and outgoing to the Internet), as discussed previously, prefer cloud-based mail gateway technologies that deliver to and receive from Exchange Online directly. Moving away from on-premises email hygiene technologies is the right way to embrace a cloud-first architecture.

Regarding email authentication, implement restrictive SPF records that explicitly list all authorized sending sources, enable DKIM signing for both on-premises and Exchange Online mail flows, and configure a DMARC record that instructs receiving mail servers to quarantine or reject mail from your domains that fails the email authentication checks.
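The following script is an added example (not from the original article) that audits the SPF and DMARC records of a domain from DNS and then provisions DKIM signing for that domain in Exchange Online. It assumes the constructed domain contoso.example is an accepted domain in the tenant and that an Exchange Online PowerShell session has already been opened with Connect-ExchangeOnline; the on-premises DKIM signing the text also asks for is done by the on-premises gateway and is outside this script.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline was already run.
$domain = 'contoso.example'   # constructed placeholder domain

# TXT records can be split into several strings; join each record before inspecting it.
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
       ForEach-Object { -join $_.Strings }
$spf = @($txt | Where-Object { $_ -like 'v=spf1*' })

$dmarc = @(Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { -join $_.Strings } |
           Where-Object { $_ -like 'v=DMARC1*' })

[pscustomobject]@{
    Domain        = $domain
    SpfRecordCount = $spf.Count                                  # must be exactly 1 (RFC 7208)
    SpfHardFail   = [bool]($spf -match '-all\s*$')               # "-all": unlisted sources fail
    SpfPermissive = [bool]($spf -match '[+?~]all\s*$')           # "+all"/"?all"/"~all" weaken SPF
    DmarcPresent  = $dmarc.Count -gt 0
    DmarcEnforced = [bool]($dmarc -match 'p=(quarantine|reject)') # "p=none" only monitors
    DmarcReports  = [bool]($dmarc -match 'rua=')                  # aggregate reports requested
}

# DKIM in Exchange Online: create the signing configuration if it is missing, publish the two
# selector CNAMEs it reports in public DNS, and only then enable signing.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
}
$dkim | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME

# After both CNAMEs resolve:
# Set-DkimSigningConfig -Identity $domain -Enabled $true
```

A safe rollout order is SPF with "-all" first, DKIM second, and DMARC starting at p=none with rua= reporting so that legitimate senders missing from SPF show up in the reports before the policy is raised to quarantine and then reject.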

Security advice

  • Deploy Edge transport servers to protect SMTP traffic between Exchange Online and Exchange On-Premises. https://learn.microsoft.com/en-us/exchange/edge-transport-servers
  • Configure Firewall rules to allow connections to Edge Servers only from Microsoft servers. https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#exchange-online
  • Use Exchange Online Protection or other cloud technologies for email hygiene. https://learn.microsoft.com/en-us/defender-office-365/eop-about
  • Configure SPF and DMARC records, enable DKIM signatures. https://learn.microsoft.com/en-us/defender-office-365/email-authentication-about

Securing Exchange Online

To enhance security in Exchange Online, it is crucial to implement appropriate protective measures. For instance, if Centralized Mail Transport is being used, the Exchange Online receive connector must be configured to accept traffic exclusively from on-premises Exchange servers. This ensures that unauthorized sources cannot relay messages through your cloud environment, reducing the risk of spoofing and malicious email infiltration.
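As an added example (not from the original article or Microsoft), the script below covers both the centralized mail transport decision discussed in the Hybrid Configuration Wizard section and the receive connector protection described here: it reports whether centralized mail transport is enabled in the tenant and lists on-premises inbound connectors that do not identify the on-premises servers by certificate or source IP. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline; the connector name and certificate subject used in the hardening command are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline was already run.

# Centralized mail transport: the HCW sets RouteAllMessagesViaOnPremises on the outbound connector
# that points to the on-premises organization when CMT is enabled.
$cmt = Get-OutboundConnector | Where-Object { $_.RouteAllMessagesViaOnPremises }
if ($cmt) {
    "Centralized mail transport is ON via outbound connector(s): $($cmt.Name -join ', ')"
} else {
    'Centralized mail transport is OFF (Exchange Online sends to the Internet directly)'
}

# Inbound connectors of type OnPremises must pin the sending servers, otherwise anything that can
# reach Exchange Online on TCP 25 and present the right domain can relay as "internal" mail.
$unrestricted = Get-InboundConnector | Where-Object {
    $_.Enabled -and $_.ConnectorType -eq 'OnPremises' -and
    -not $_.TlsSenderCertificateName -and -not $_.SenderIPAddresses
}
$unrestricted | Select-Object Name, RequireTls, TlsSenderCertificateName, SenderIPAddresses

# Hardening (constructed connector name and certificate subject): require TLS and pin the
# on-premises certificate. Pinning by certificate is preferred over IP, which can be spoofed
# through a misconfigured upstream relay.
# Set-InboundConnector -Identity 'Inbound from on-premises' `
#     -RequireTls $true `
#     -TlsSenderCertificateName 'mail.contoso.example' `
#     -RestrictDomainsToCertificate $true
```

Run the audit part after every Hybrid Configuration Wizard execution: the wizard rewrites the hybrid connectors, so a manual hardening can be undone without anyone noticing.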

Additionally, configuring Microsoft Defender for Office 365 is essential to safeguarding cloud mailboxes against advanced threats. Leverage key security features such as Safe Links, Safe Attachments, Safe Documents, Anti-phishing policies, and Attack Simulation Training to proactively detect and mitigate phishing attempts, malware, and other malicious activities targeting your users.

To empower employees in identifying and reporting suspicious emails, enable the Report Message button across all Outlook clients, including both desktop and mobile versions. This allows end users to efficiently flag potential phishing attempts or fraudulent communications, contributing to a stronger organizational security posture.

Furthermore, protecting sensitive information is critical. Implement Data Loss Prevention (DLP) policies to automatically classify and secure sensitive emails using Azure Information Protection (AIP). This ensures that confidential data is properly labeled and protected, minimizing the risk of accidental or unauthorized disclosure. 

Additionally, provide end users with the ability to classify sensitive content manually and apply encryption and access controls to emails they send, both internally and externally.

Security advice

  • Apply protection to your receive connector if using centralized mail transport. https://learn.microsoft.com/en-gb/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud#best-practices-for-using-a-third-party-cloud-filtering-service-with-microsoft-365-or-office-365
  • Configure Defender for Office 365. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-defender-for-office-365-features
  • Enable Report Message button in Outlook clients. https://learn.microsoft.com/en-us/defender-office-365/submissions-outlook-report-messages
  • Implement DLP policies. https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp

Securing Exchange on premises infrastructure

Exchange on-premises security also needs to be carefully planned; controlling administrative access is a critical aspect of infrastructure security. Dedicated administrative accounts must be created that limit interaction exclusively to authorized Tier 1 asset managers.

Access should be permitted only through controlled channels, including privileged access workstations or Privileged Access Management solutions that provide granular control and comprehensive auditing capabilities.

The operating system of the Exchange server should also be protected with hardening measures, and disk encryption should be implemented with BitLocker on both the application and the operating system disks. A proper antivirus/antimalware solution compatible with Exchange Server must be installed on the server.

Only Transport Layer Security (TLS) version 1.2 should be permitted, ensuring encrypted and secure communications. The Mailbox server HTTPS ports must be isolated from direct Internet exposure, with client connections permitted exclusively through secure virtual private network (VPN) tunnels.
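The script below is an added example (not code from the original article or from Microsoft) of enforcing the "TLS 1.2 only" requirement on a Windows Server Exchange host through the Schannel and .NET Framework registry settings, followed by a small client-side check that can be run from another machine to confirm which protocol versions the server still accepts. It assumes the Exchange and .NET builds installed already support TLS 1.2; the host name mail.contoso.example is a constructed placeholder. A reboot is required for the Schannel changes to take effect.

```powershell
# Added example, not from the original article. Run elevated on each Exchange server, then reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enable)
    # Each protocol has a Client and a Server subkey; Exchange acts as both (e.g. SMTP to EXO).
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}
Set-SchannelProtocol -Name 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true

# .NET Framework: let managed code (the Exchange services) follow the OS default TLS version.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification, run from another host after the reboot: which protocol versions does port 443 accept?
function Test-TlsVersion {
    param([string]$HostName, [int]$Port = 443)
    # Certificate validation is skipped on purpose here: we test protocol negotiation, not trust.
    $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::$proto, $false)
            $accepted = $true
        } catch { $accepted = $false }
        finally { $ssl.Dispose(); $client.Dispose() }
        [pscustomobject]@{ Protocol = $proto; Accepted = $accepted }   # only Tls12 should be True
    }
}
# Test-TlsVersion -HostName 'mail.contoso.example'
```

Before disabling TLS 1.0 and 1.1, inventory the systems that talk to the server (monitoring agents, legacy applications that submit mail over SMTP, older load balancers): the registry change is global to the host, and a client that only speaks TLS 1.0 stops working the moment the server reboots.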

A proper backup strategy must be implemented to protect the operating system, the application data, and the mailbox databases.

Security advice

  • The application server should be treated as a Tier 1 asset. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
  • Manage server using PAW or PAM. https://aka.ms/securedworkstation
  • Apply hardening to the server. https://www.cisecurity.org/cis-benchmarks
  • Install an antivirus/antimalware solution.
  • Email clients should only connect through VPN.

Securing Entra ID

Microsoft Entra ID (formerly known as Azure Active Directory) is a comprehensive identity and access management solution that enables organizations to securely manage and authenticate users, applications, and devices across both on-premises and cloud environments. It provides a centralized platform to manage user identities, reducing administrative overhead and minimizing the risk of inconsistencies between on-premises and cloud directories.

Entra ID also enables single sign-on (SSO) capabilities, allowing users to access both on-premises and cloud resources with a single set of credentials, thereby improving productivity and user satisfaction. 

Protect your tenant by applying the CIS benchmarks. The Center for Internet Security (CIS) provides benchmarks that offer best practices for securing various technologies, including Entra ID, and adhering to them helps organizations establish a robust security posture.

Key recommendations from the CIS Benchmarks for Entra ID include:

  • Blocking legacy authentication: Legacy authentication protocols, such as IMAP, SMTP, and POP3, do not support multifactor authentication (MFA) and are more susceptible to attacks. Implementing policies to block these protocols reduces security risks associated with unauthorized access.
  • Implementing risk-based policies: Utilizing Entra ID's risk detection capabilities allows organizations to identify and respond to potentially compromised accounts. For instance, configuring Conditional Access policies to block or challenge high-risk sign-ins enhances security. 

Apply the recommendations suggested by Identity Secure Score. Identity Secure Score is a feature within Entra ID that provides an objective measure of an organization's identity security posture. Presented as a percentage, it reflects how well the current configuration aligns with Microsoft's recommended security best practices.

Replace Security Defaults with Conditional Access policies. While Security Defaults provide baseline protection, tailored Conditional Access policies offer greater flexibility and control. For example, policies can be configured to require MFA based on specific conditions such as user role, device compliance, or location.

Disable connections to the tenant that use legacy authentication protocols. Blocking legacy authentication is crucial because these protocols cannot enforce MFA and are vulnerable to attacks; transitioning to modern authentication methods enhances security.
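As an added example (not from the original article or Microsoft), the following Microsoft Graph PowerShell creates a Conditional Access policy that blocks legacy authentication clients for all users, deliberately in report-only mode, and then pulls recent sign-ins over IMAP4, POP3 and authenticated SMTP so the affected accounts can be reviewed before the policy is switched to enforced. It assumes the Microsoft.Graph PowerShell module, an account allowed to create Conditional Access policies and read sign-in logs, and a break-glass group whose object ID is a placeholder you must replace.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$breakGlassGroupId = '<object-id-of-break-glass-group>'   # placeholder: replace before running

$policy = @{
    displayName = 'CA001 - Block legacy authentication'
    # Report-only first: sign-in logs show what WOULD be blocked without breaking anyone.
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once the review is clean
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        # exchangeActiveSync + other = clients that cannot do modern auth (IMAP, POP, SMTP AUTH, ...)
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Who would be affected? Recent sign-ins through the legacy mail protocols, grouped by user and client.
$legacy = "clientAppUsed eq 'IMAP4' or clientAppUsed eq 'POP3' or clientAppUsed eq 'Authenticated SMTP'"
Get-MgAuditLogSignIn -Filter $legacy -Top 500 |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Accounts that appear in the listing are typically scanners, line-of-business applications and shared mailboxes collected with IMAP; each needs a modern-auth replacement (OAuth for IMAP/POP, or a dedicated relay) before the policy state is changed to enabled. Keep the break-glass exclusion, and monitor that group's sign-ins separately.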

Security advice

  • Protect tenant by applying CIS benchmarks security recommendations. https://www.cisecurity.org/cis-benchmarks
  • Follow suggestions made by Identity Security Score and improve your score. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  • Implement Conditional access policies based on location, device compliance and user risk and sign in risk. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  • Require MFA for all users. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength
  • Require phishing-resistant MFA for administrators. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa
  • Disable legacy protocols. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication

Securing Exchange Hybrid administration

Managing an Exchange Hybrid environment requires a comprehensive security strategy to safeguard both on-premises and cloud components. Here are key recommendations to enhance the security of your Exchange Hybrid management: 

  • Implement PIM: Limit the number of users with elevated privileges by implementing Entra ID Privileged Identity Management, create dedicated administrative accounts for managing Exchange Online and create Eligible assignments for these users so they can activate their Exchange administrator role only for limited time and after approval from management.
  • Enforce Least Privilege Access (RBAC): Use Role-Based Access Control (RBAC) to assign users only the permissions they need to perform their duties. Regularly review and adjust role assignments to ensure compliance with the principle of least privilege. This minimizes the potential impact of compromised accounts.
  • Utilize Privileged Access Workstations (PAWs): Require administrators to perform privileged tasks from dedicated, hardened workstations known as PAWs. These workstations should be used exclusively for administrative tasks, reducing exposure to malware and phishing attacks. Implement network controls to ensure that administrative access to Exchange Hybrid components is only possible from PAWs and trusted network locations. This can be achieved through Conditional Access policies that enforce access restrictions based on device compliance and network location.
  • Monitor and audit administrative activities: Establish comprehensive logging and monitoring of administrative actions within your Exchange Hybrid environment. Regularly review audit logs to detect and respond to suspicious activities promptly. Implementing a Security Information and Event Management (SIEM) system can aid in correlating and analyzing security events.
  • Conduct regular access reviews: Periodically review all access permissions for users to ensure that only authorized personnel have access to critical systems and data. Regular access reviews help identify and revoke unnecessary or outdated permissions, reducing the risk of unauthorized access. This practice is particularly important in hybrid environments where access can be granted from different sources.
  • Execute regular phishing simulations: Phishing remains one of the most prevalent attack vectors, often exploiting human vulnerabilities to gain unauthorized access. Implementing regular phishing simulation exercises can help identify susceptible employees and provide targeted training to improve their resilience against such attacks. Microsoft Defender for Office 365 offers an "Attack Simulation Training" feature that allows administrators to create and run realistic phishing attack scenarios, helping to educate users and reduce the organization's overall risk.
  • Perform comprehensive penetration testing: Beyond phishing simulations, conducting regular penetration tests is essential to evaluate the security posture of your Exchange Hybrid environment. Penetration testing involves simulating real-world attacks to identify and remediate technical vulnerabilities within your systems and networks. This proactive approach enables you to uncover and address security gaps before they can be exploited by malicious actors.

Security advice

  • Implement PIM. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  • Enforce Least Privilege Access. https://learn.microsoft.com/en-us/exchange/permissions-exo/permissions-exo
  • Use PAW. https://aka.ms/securedworkstation
  • Monitor and audit administrative activities. https://learn.microsoft.com/en-us/defender-office-365/mdo-sec-ops-guide
  • Conduct regular access reviews. https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview
  • Execute regular phishing simulations. https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations
  • Perform penetration testing.

Conclusion

Securing a hybrid Microsoft Exchange environment requires a multifaceted approach that addresses both on-premises and cloud components. This article has outlined key security considerations and best practices for each component of the Exchange Hybrid setup, including Entra Connect, the Hybrid Configuration Wizard, mail flow, Exchange Online, Exchange On-Premises, and Entra ID.

By implementing the recommended security measures, organizations can mitigate potential risks and enhance the overall security of their hybrid deployments. Key strategies include treating critical servers as Tier 0 assets, using modern hybrid configurations, deploying Edge Transport servers, and leveraging advanced security features in Exchange Online and Entra ID. 

Additionally, adopting a proactive stance with regular monitoring, auditing, and penetration testing ensures that the hybrid environment remains resilient against evolving threats.

Ultimately, a well-secured Exchange Hybrid environment not only protects sensitive data and maintains compliance but also supports seamless and efficient business operations. By following the guidelines and best practices detailed in this article, organizations can achieve a robust security posture and confidently navigate the complexities of hybrid Exchange deployments.

Need help securing your hybrid Exchange environment? Contact CPX for expert guidance or explore our Cyber Solutions & Delivery Services.
