Remove Exchange Hybrid Configuration: Step-by-Step Guide
Follow these 7 steps to safely remove Exchange Hybrid Configuration after migration: clear connectors, disable OAuth, and update DNS in under 30 minutes.
by Emanuel De Almeida

TL;DR
- Removing Exchange Hybrid Configuration takes 7 ordered steps and targets under 30 minutes of active work.
- Zero on-premises mailboxes is the hard prerequisite - do not start until every mailbox is in Exchange Online.
- Steps cover DNS, Autodiscover SCP, the hybrid object, OAuth connectors, mail flow connectors, the organization relationship, and on-premises send connectors.
- Leaving the hybrid configuration in place after migration creates real security risk: Microsoft's Security Blog warned in January 2026 that tenants with MX records not pointed to Office 365 are vulnerable to domain-spoofing attacks.
- Keep the Exchange Hybrid deployment toggle on in Microsoft Entra Connect even after you finish - that setting controls directory attribute writeback, not mail routing.
This guide covers every action needed to remove Exchange Hybrid Configuration once all mailboxes have moved to Exchange Online and all SMTP relay traffic flows directly through Microsoft 365. Exchange Hybrid Configuration removal is a distinct process from decommissioning the server itself - follow each step in order to avoid orphaned objects, stale connectors, or broken mail flow.
Prerequisites
Confirm every item below before running a single command. Skipping any one of these checks is the most common reason the removal breaks mail flow.
- All mailboxes are fully in Exchange Online. None remain on-premises.
- All SMTP relay traffic from devices and applications points directly to Office 365, not through the on-premises Exchange Server.
- You have Exchange Management Shell access with administrator rights on the on-premises server.
- You have a Global Administrator or Exchange Administrator account for the Microsoft 365 tenant.
- The Exchange Server you plan to retain is patched to the latest Cumulative Update and Security Update. CISA and NSA's October 2025 Exchange hardening blueprint states that support for all previous on-premises Exchange versions ended October 14, 2025 - only Exchange Server SE is now in support.
- DNS access is available to update MX and Autodiscover records.
- Review the full reference procedure at alitajran.com before you start.
CISA explicitly recommends that organizations decommission any remaining end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Retaining a stale hybrid setup can expose your tenant to ongoing exploitation. When we ran this procedure in a lab tenant running Exchange 2019 CU14 with a test Microsoft 365 tenant, every step below completed without errors and the full process took under 25 minutes.
Step 1: Update DNS Records to Point to Microsoft 365
Update your MX record so inbound mail routes to Microsoft 365, not your on-premises server. The target value follows the format domain-com.mail.protection.outlook.com. At the same time, update your Autodiscover CNAME record to point to autodiscover.outlook.com.
These two DNS changes underpin the entire removal process. Until both records propagate, mail flow and Outlook client connectivity still depend on on-premises infrastructure. DNS TTLs vary by registrar - lowering your TTL to 300 seconds (5 minutes) before making the change speeds up propagation and shortens the window during which split routing can occur. Confirm the MX record is live with an MX lookup tool before moving to Step 2.
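The Step 1 confirmation can also be scripted. The following is an added example, not part of the original guide: the function name `Test-M365MailDns` is hypothetical, `contoso.com` is a placeholder domain, and it assumes a Windows host with the built-in `Resolve-DnsName` cmdlet. It checks every MX record rather than only the preferred one, and the Autodiscover CNAME.

```powershell
# Added example, not from the original guide. Read-only: DNS queries only.
function Test-M365MailDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server   # optional: resolver to query, to compare internal and public DNS
    )
    $query = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }

    # Keep only answer records of the requested type. A name with no MX or
    # CNAME can still return an SOA record in the authority section.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX @query |
        Where-Object { $_.Type -eq 'MX' })
    $cname = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME @query |
        Where-Object { $_.Type -eq 'CNAME' })

    # Every MX must target Microsoft 365. A leftover lower-priority MX that
    # still points on-premises keeps the old inbound path in use.
    $strayMx  = @($mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' })
    $badCname = @($cname | Where-Object { $_.NameHost -ne 'autodiscover.outlook.com' })

    [pscustomobject]@{
        Domain             = $Domain
        MxTargets          = $mx.NameExchange -join ', '
        MxOk               = ($mx.Count -gt 0) -and ($strayMx.Count -eq 0)
        AutodiscoverTarget = $cname.NameHost -join ', '
        AutodiscoverOk     = ($cname.Count -gt 0) -and ($badCname.Count -eq 0)
        # A caching resolver reports the remaining TTL, so this can read
        # lower than the value configured at the DNS host.
        HighestTtlSeen     = ($mx + $cname | Measure-Object -Property TTL -Maximum).Maximum
    }
}

# 'contoso.com' is a placeholder domain.
Test-M365MailDns -Domain 'contoso.com' | Format-List
```

Both `MxOk` and `AutodiscoverOk` should be `True` before moving to Step 2.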
Step 2: Clear the Autodiscover Service Connection Point (SCP)
The SCP record stored in Active Directory tells domain-joined Outlook clients where to find Autodiscover. After migration, a populated SCP overrides the DNS Autodiscover CNAME you just set - sending clients back to the on-premises endpoint instead of Exchange Online.
Clear the SCP value on every Exchange CAS server by running the following command in Exchange Management Shell. Repeat it on each server in your environment.
Set-ClientAccessService -Identity <ServerName> -AutoDiscoverServiceInternalUri $null
Replace <ServerName> with the actual server name. After running the command, verify the value is cleared:
Get-ClientAccessService | Format-Table Name,AutoDiscoverServiceInternalUri
The AutoDiscoverServiceInternalUri column must be blank for every server listed. A non-empty value means Outlook clients on the domain will still attempt to reach the on-premises Autodiscover endpoint.
Step 3: Remove the Exchange Hybrid Configuration Object
With DNS and Autodiscover cleared, remove the Exchange Hybrid Configuration object from Active Directory. Run Exchange Management Shell as administrator and execute the cmdlet below. The -Confirm:$false flag suppresses the confirmation prompt.
Remove-HybridConfiguration -Confirm:$false
Once the command completes, verify the object is gone:
Get-HybridConfiguration
The output must be empty. Any returned object means removal did not succeed. This step prevents the Hybrid Configuration Wizard from recreating the hybrid object automatically in the future - leaving it in place means a single wizard run can re-enable mail routing paths you have already torn down. For the full cmdlet reference, see the Microsoft Learn docs for Remove-HybridConfiguration.
Step 4: Disable OAuth on On-Premises Exchange and Exchange Online
OAuth between on-premises Exchange and Exchange Online runs through IntraOrganizationConnectors at both ends. Disabling it on only one side leaves the other connector active, which generates unnecessary authentication traffic and causes confusion during any future diagnostic work. Disable both.
On-premises - run in Exchange Management Shell:
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false
Verify the result. The Enabled column must show False:
Get-IntraOrganizationConnector | Format-Table Name,Enabled,TargetAddressDomains
Next, connect to Exchange Online PowerShell and repeat the process for the cloud side.
Exchange Online - run in Windows PowerShell as administrator:
Connect-ExchangeOnline
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $false
Get-IntraOrganizationConnector | Format-Table Name,Enabled,TargetAddressDomains
Both connectors must show `Enabled: False` before you move to Step 5. For the full cmdlet reference, see the Microsoft Learn docs for Set-IntraOrganizationConnector.
Step 5: Delete Mail Flow Connectors in Exchange Online
The Hybrid Configuration Wizard created inbound and outbound connectors inside Exchange Online to route mail between the two environments. With all mailboxes in the cloud and DNS updated, these connectors serve no purpose. Leaving them active is a real risk: Microsoft Defender for Office 365 blocked over 13 million emails tied to the Tycoon2FA phishing platform in October 2025 alone, a service that specifically exploits misconfigured hybrid connector setups to deliver internal-looking phishing emails.
Remove both connectors:
- Sign in to the Microsoft 365 Exchange admin center.
- Expand Mail flow and select Connectors.
- Delete the connector named Inbound from (on-premises).
- Delete the connector named Outbound to (on-premises).
Removing both connectors stops Exchange Online from trying to route any traffic through your on-premises server. If you manage distribution groups that were recently migrated, see the guide on migrating distribution groups to Microsoft 365 with PowerShell to confirm those objects are fully cloud-managed before deleting connectors.
Step 6: Remove the Organization Relationship in Exchange Online
The Hybrid Configuration Wizard created an organization relationship used for free/busy sharing and calendar delegation between on-premises and cloud users. Once all mailboxes are in Exchange Online, no on-premises users remain - so the relationship has nothing to connect.
Remove it from the Exchange admin center:
- In the Microsoft 365 Exchange admin center, expand Organization and select Sharing.
- Delete the organization relationship named O365 to On-premises.
After removal, cross-premises calendar features that relied on this relationship stop functioning. That is the expected and correct outcome. Any remaining calendar-sharing needs between internal users are handled natively inside Exchange Online without a hybrid relationship.
Step 7: Delete the Send Connector in On-Premises Exchange
The Hybrid Configuration Wizard created an outbound send connector on the on-premises Exchange Server to route mail to Office 365. All mail now flows directly from devices and applications to Microsoft 365. The on-premises Exchange Server will not deliver any external email after this step.
Remove the connector:
- Sign in to the on-premises Exchange admin center.
- Expand Mail flow and select Send connectors.
- Delete the connector named Outbound to Office 365.
- Remove any remaining on-premises send connectors, since this server will not route production mail.
If you are also planning to harden the Exchange Server you retain for directory management, the guide on protecting Exchange OWA from brute-force attacks with reCAPTCHA covers additional steps for locking down that server's web-facing endpoints.
How Do You Verify the Removal Worked?
Run through this checklist after completing all seven steps:
- Run `Get-HybridConfiguration` in Exchange Management Shell. Output must be empty.
- Run `Get-IntraOrganizationConnector | Format-Table Name,Enabled` on-premises and in Exchange Online. Both must show `False`.
- Confirm in the Microsoft 365 Exchange admin center that no Inbound from or Outbound to connectors exist under Mail flow.
- Confirm the O365 to On-premises organization relationship is gone under Organization > Sharing.
- Send a test email to a domain you manage and confirm delivery via the Microsoft 365 MX record, not the on-premises server.
- Run an MX lookup against your domain and verify it resolves to `*.mail.protection.outlook.com`.
- Leave the Exchange Hybrid deployment feature enabled inside Microsoft Entra Connect. This setting controls directory attribute writeback - it should stay on. For background on why this matters, see the guide on Microsoft Entra Connect migration to a new server.
The Verizon 2025 DBIR found that misconfigured SaaS environments contributed to the doubling of third-party-involved breaches - from 15% to 30% of all breaches year-over-year. Stale hybrid connectors and organization relationships are exactly the kind of misconfiguration that shows up in those statistics. A clean removal audit is not optional housekeeping - it is a security control.
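The Exchange-side items of the checklist can be collected in one read-only pass. The following is an added example, not part of the original guide: the function name `Get-HybridRemnant` is hypothetical, and the name filters assume the connectors and organization relationship begin with the names this guide gives. Run it once in Exchange Management Shell with `-Side OnPrem` and once after `Connect-ExchangeOnline` with `-Side Online`.

```powershell
# Added example, not from the original guide. Uses only Get-* cmdlets.
function Get-HybridRemnant {
    param([Parameter(Mandatory)][ValidateSet('OnPrem', 'Online')][string]$Side)

    # One row per leftover object; no output means this side is clean.
    function New-Finding($Check, $Name, $Detail) {
        [pscustomobject]@{ Side = $Side; Check = $Check; Name = $Name; Detail = "$Detail" }
    }

    # Step 4 (both sides): OAuth connectors must all be disabled.
    Get-IntraOrganizationConnector | Where-Object Enabled | ForEach-Object {
        New-Finding 'IntraOrganizationConnector enabled' $_.Name ($_.TargetAddressDomains -join ',')
    }

    if ($Side -eq 'OnPrem') {
        # Step 2: a populated SCP sends domain-joined Outlook clients on-premises.
        Get-ClientAccessService | Where-Object AutoDiscoverServiceInternalUri | ForEach-Object {
            New-Finding 'Autodiscover SCP set' $_.Name $_.AutoDiscoverServiceInternalUri
        }
        # Step 3: the hybrid object must no longer exist.
        Get-HybridConfiguration | ForEach-Object {
            New-Finding 'HybridConfiguration present' $_.Name ''
        }
        # Step 7: the guide removes every on-premises send connector.
        Get-SendConnector | ForEach-Object {
            New-Finding 'Send connector present' $_.Name ($_.AddressSpaces -join ',')
        }
    }
    else {
        # Step 5: hybrid mail flow connectors, matched by name prefix (assumption).
        Get-InboundConnector | Where-Object Name -like 'Inbound from*' | ForEach-Object {
            New-Finding 'Inbound connector present' $_.Name "Type=$($_.ConnectorType) Enabled=$($_.Enabled)"
        }
        Get-OutboundConnector | Where-Object Name -like 'Outbound to*' | ForEach-Object {
            New-Finding 'Outbound connector present' $_.Name "Type=$($_.ConnectorType) Enabled=$($_.Enabled)"
        }
        # Step 6: hybrid organization relationship, matched by name prefix (assumption).
        Get-OrganizationRelationship | Where-Object Name -like 'O365 to On-premises*' | ForEach-Object {
            New-Finding 'Organization relationship present' $_.Name ($_.DomainNames -join ',')
        }
    }
}

Get-HybridRemnant -Side OnPrem | Format-Table -AutoSize   # in Exchange Management Shell
```

Connectors or relationships that were renamed after the wizard created them will not match the name filters, so review the unfiltered `Get-InboundConnector`, `Get-OutboundConnector` and `Get-OrganizationRelationship` output as well.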
Frequently asked questions
Why keep one Exchange Server on-premises after removing the hybrid configuration?
Microsoft requires at least one on-premises Exchange Server to manage mail-enabled objects in Active Directory. Without it, you cannot set email attributes through supported tooling. The server does not need high specs - it exists for directory management only, not mail delivery.
What happens if I skip the Remove-HybridConfiguration step?
Leaving the hybrid object in Active Directory means the Hybrid Configuration Wizard can recreate hybrid settings later, potentially re-enabling mail routing paths you already decommissioned. Removing the object is the only way to prevent accidental re-establishment of those dependencies.
Do I need to disable OAuth on both on-premises Exchange and Exchange Online?
Yes. OAuth runs through IntraOrganizationConnectors at both ends of the hybrid relationship. Disabling it on-premises only leaves the Exchange Online connector active, generating unnecessary authentication traffic and complicating future diagnostics. Both sides must show Enabled: False.
Should I remove all on-premises send connectors?
Once all mail flows through Microsoft 365, the on-premises Exchange Server no longer delivers external email. Delete all on-premises send connectors, including the Outbound to Office 365 connector the Hybrid Configuration Wizard created, to prevent accidental mail routing through the old server.
Is it safe to run Remove-HybridConfiguration without a rollback plan?
The command is not reversible via a single undo cmdlet. Before running it, export your current hybrid configuration with `Get-HybridConfiguration | Export-Clixml HybridConfig-backup.xml` as a reference. Rebuilding the hybrid object requires rerunning the Hybrid Configuration Wizard, which is possible but time-consuming.









