Microsoft’s new writeback feature lets Exchange‑online‑managed mailboxes push attribute changes back to on‑premises AD via Entra Cloud Sync, closing a long‑standing hybrid gap and paving the way for a documented, end‑to‑end decommission of the last Exchange Server.
Writeback for Cloud‑Managed Remote Mailboxes Enters Public Preview
Microsoft has moved the Writeback for Cloud‑Managed Remote Mailboxes capability into public preview, and simultaneously published a step‑by‑step guide for retiring the final on‑premises Exchange Server. For organizations that have already flipped the Source of Authority (SOA) for Exchange attributes to Exchange Online, this preview resolves the biggest operational friction: keeping on‑premises Active Directory (AD) in sync with cloud‑edited Exchange attributes.
What changed?
When a mailbox is marked IsExchangeCloudManaged = True in a directory‑synchronized environment, the Exchange‑related attributes (proxy addresses, hideFromAddressLists, custom attributes, etc.) are now owned by Exchange Online. Previously, those attributes could be edited only in the cloud and never flowed back to the on‑prem AD. Applications that read directly from AD – for example line‑of‑business (LOB) systems that rely on proxyAddresses for routing or custom attributes for licensing – would see stale data, forcing many customers to keep a “ghost” Exchange server just to maintain attribute parity.
The new writeback feature uses Microsoft Entra Cloud Sync to push changes made in Exchange Online back to the on‑prem AD. The result is a true single source of truth for Exchange attributes, even after the SOA has moved to the cloud.
Provider comparison: Writeback vs. traditional sync models
| Feature | Traditional Azure AD Connect (AAD Connect) | Entra Cloud Sync (Writeback) |
|---|---|---|
| Direction of attribute flow | AD → Azure AD only (cloud‑only edits do not sync back) | Bidirectional for supported Exchange attributes (cloud → AD) |
| Installation footprint | Requires Azure AD Connect server (Windows Server) | Lightweight provisioning agent, runs alongside existing Connect sync |
| Impact on existing sync | Must pause or re‑configure for attribute changes | Runs in parallel – Connect continues handling password hash sync, group sync, etc. |
| Supported mailbox count (preview) | Unlimited (subject to Connect limits) | < 200,000 cloud‑managed mailboxes (GA target > 200k) |
| Pricing | Included with Azure AD Premium (no extra cost) | No additional licensing; uses existing Entra Cloud Sync capacity |
| Migration complexity | Requires custom scripts to back‑populate AD after cloud edits | Out‑of‑the‑box writeback job; only configuration steps needed |
For most enterprises already running Azure AD Connect, the decision is straightforward: keep Connect for the bulk of directory sync and add the Cloud Sync provisioning agent solely for Exchange attribute writeback. This avoids any disruption to password hash sync, group membership sync, or device writeback that may already be in production.
How writeback works – a technical walk‑through
- Enable cloud‑managed mailbox – Set `IsExchangeCloudManaged = True` on the target mailbox via PowerShell or the Exchange admin center. This flips the Exchange attribute SOA to Exchange Online.
- Deploy Entra Cloud Sync agent – Download the agent from the Microsoft Entra Cloud Sync documentation and install it on a Windows server that can reach both Azure and your on‑prem AD.
- Create a writeback synchronization rule – In the Entra portal, define a rule that maps the Exchange attributes you need (e.g., `proxyAddresses`, `customAttribute1‑15`, `msExchHideFromAddressLists`) from the cloud object to the corresponding AD attributes.
- Run a provisioning cycle – Cloud Sync reads the changed attributes from Exchange Online, transforms them per the rule, and writes them back to the on‑prem AD using LDAP over a secure channel.
- Verify round‑trip – Use `Get-ADUser` on the on‑prem side and `Get-Mailbox` in Exchange Online to confirm the values match. The documentation includes a PowerShell script that automates this validation.
Tip: If you already run Azure AD Connect, you do not need to uninstall it. Cloud Sync operates independently, so you keep your existing password hash sync and group writeback pipelines untouched.
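One way to script the round‑trip verification from the last step, as an added example (not the validation script from Microsoft's documentation). The function name `Compare-ExchangeWriteback` is hypothetical, the pairing of `CustomAttribute1`-`15` with AD `extensionAttribute1`-`15` is an assumption, and the sample objects are constructed so the check runs offline.

```powershell
# Added example: round-trip check between on-prem AD and Exchange Online.
function Compare-ExchangeWriteback {
    param(
        [Parameter(Mandatory)] $AdUser,   # Get-ADUser output, fetched with -Properties *
        [Parameter(Mandatory)] $Mailbox   # Get-Mailbox output from Exchange Online
    )
    if (-not $Mailbox.IsExchangeCloudManaged) {
        Write-Warning "$($Mailbox.Alias): not cloud-managed, writeback does not apply"
        return
    }
    # Prefix case matters (SMTP: primary, smtp: secondary); the address part does not.
    $normalize = {
        param($addresses)
        $addresses | Where-Object { $_ } | ForEach-Object {
            $prefix, $value = ([string]$_) -split ':', 2
            '{0}:{1}' -f $prefix, "$value".ToLowerInvariant()
        } | Sort-Object -CaseSensitive
    }
    $pairs = @(
        @{ Name  = 'proxyAddresses'
           Ad    = (& $normalize $AdUser.proxyAddresses) -join ';'
           Cloud = (& $normalize $Mailbox.EmailAddresses) -join ';' }
        @{ Name  = 'msExchHideFromAddressLists'
           Ad    = [bool]$AdUser.msExchHideFromAddressLists   # unset in AD = not hidden
           Cloud = [bool]$Mailbox.HiddenFromAddressListsEnabled }
    )
    foreach ($n in 1..15) {   # assumed mapping: CustomAttributeN <-> extensionAttributeN
        $pairs += @{ Name  = "extensionAttribute$n"
                     Ad    = [string]$AdUser."extensionAttribute$n"
                     Cloud = [string]$Mailbox."CustomAttribute$n" }
    }
    foreach ($p in $pairs) {
        if ($p.Ad -cne $p.Cloud) {   # case-sensitive: a swapped primary address is drift
            [pscustomobject]@{ Mailbox = $Mailbox.Alias; Attribute = $p.Name
                               OnPremAD = $p.Ad; ExchangeOnline = $p.Cloud }
        }
    }
}

# Constructed sample objects (not real data): address list and hidden flag have drifted.
$ad  = [pscustomobject]@{ proxyAddresses = 'SMTP:Ana@contoso.example', 'smtp:ana.old@contoso.example'
                          msExchHideFromAddressLists = $null; extensionAttribute1 = 'E3' }
$mbx = [pscustomobject]@{ Alias = 'ana'; IsExchangeCloudManaged = $true
                          EmailAddresses = 'SMTP:ana@contoso.example', 'smtp:ana.new@contoso.example'
                          HiddenFromAddressListsEnabled = $true; CustomAttribute1 = 'E3' }
Compare-ExchangeWriteback -AdUser $ad -Mailbox $mbx | Format-Table -AutoSize
# Live use: pass (Get-ADUser ana -Properties *) as -AdUser and (Get-Mailbox ana) as -Mailbox.
# Any row returned is an attribute that has not round-tripped to AD yet.
```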
Business impact: Faster, cleaner Exchange decommissioning
1. Eliminates the “last Exchange server” hold
Many organizations kept a minimal Exchange installation solely because LOB apps required up‑to‑date proxy addresses or custom attributes from AD. With writeback, those attributes stay current without any on‑prem Exchange component, removing the primary technical blocker to full decommission.
2. Reduces operational overhead
- No custom sync scripts – Writeback is a supported, Microsoft‑maintained feature.
- Simplified monitoring – Cloud Sync exposes health metrics in the Entra portal, allowing the same alerting framework you already use for Azure AD Connect.
- Lower risk – Because the writeback path is unidirectional (cloud → AD) and scoped to Exchange attributes only, there is no chance of accidental on‑prem changes overwriting cloud data.
3. Cost considerations
There is no extra licensing fee for the writeback capability; it runs on the same Entra Cloud Sync capacity you already allocate. The main cost is the provisioning server (often the same VM used for Azure AD Connect) and the operational time to configure the rule set – typically a half‑day effort for a medium‑size tenant.
Decommissioning the last Exchange Server – the new end‑to‑end guide
Microsoft has published a comprehensive guide, "Decommission the last Exchange Server after transferring SOA to cloud". The workflow is split into three logical phases:
- Pre‑removal verification – Confirm that every mailbox and public folder resides in Exchange Online, that DNS MX records point to Exchange Online, and that any SMTP relay scenarios have been migrated.
- Hybrid cleanup while Exchange is still running – Remove the Hybrid Configuration object, intra‑organization connectors, organization relationships, federation trust, OAuth service principal, and the Hybrid Agent. This step eliminates lingering hybrid objects that could cause mail flow or free/busy issues later.
- Uninstall the on‑prem Exchange server – Run `Setup /m:Uninstall` after a final checklist, then clean up orphaned hybrid objects in Exchange Online (e.g., stale connectors, transport rules).
The guide includes PowerShell snippets for each verification step, a checklist PDF, and a troubleshooting matrix for common post‑uninstall issues such as lingering MSExchangeTransport services on the former server.
Public preview limits and GA timeline
- Preview limit: 200,000 cloud‑managed mailboxes per tenant. Organizations exceeding this should submit a request via the feedback form linked in the announcement.
- General Availability: Targeted for end of June 2026, with an anticipated increase in the mailbox limit (exact number TBD).
- Supported attributes: See the Identity, Exchange Attributes and Writeback reference for the full list of attributes that flow back and those that remain cloud‑only.
Getting started today
- Review the Writeback setup walkthrough and confirm the attribute list matches your LOB requirements.
- Follow the decommission guide to map out the remaining hybrid components in your environment.
- Deploy the Cloud Sync agent in a test tenant first; validate round‑trip sync before scaling to production.
- If your mailbox count exceeds the preview cap, file a request through the feedback form linked in the announcement.
With writeback in public preview, the era of maintaining an on‑prem Exchange server merely to keep AD attributes current is drawing to a close. Organizations can now move fully to Exchange Online, keep their on‑prem AD accurate for legacy applications, and finally retire the last Exchange instance with confidence.

Prepared by the Exchange Online Management and Hybrid teams, May 15 2026
