Recently, I came across an uncommon issue while disabling legacy authentication in a hybrid Exchange environment. Since I did not find any exact solution, I thought I'd share my story about modern authentication on an on-premises Exchange server and how it affects the mailbox migration account. Spoiler: it breaks the mailbox migration.
TL;DR
– Exchange Online uses NTLM authentication for MRSProxy
– if you set the Exchange organization config to disable legacy authentication as the default authentication policy, the mailbox migration account will not be able to authenticate (unless that account has a dedicated “allow legacy auth” policy assigned)
The story
So the Exchange Team blogged about disabling legacy authentication in Exchange (link), and I thought this would be an easy win: we have HMA enabled, we notified the users about the upcoming change, and all we had to do was create the “Block Legacy Auth” policy, gradually roll it out to users, then set it as the default (Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"). Everything went well, but some weeks later a mailbox migration batch to Exchange Online failed with the following error:
Error: CommunicationErrorTransientException: The call to 'https://<exchangeserver>/EWS/mrsproxy.svc' failed. Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.. --> The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate, NTLM'.
We figured out that it had something to do with the new authentication policy – every other aspect of the hybrid config was working fine. So as a workaround we created an “Allow legacy authentication” policy (to be honest, it’s more like “don’t disable any authentication method”) and assigned it to the mailbox migration account:
Get-User _srv_exombxmigr | Set-User -AuthenticationPolicy "Allow legacy authentication"
Authentication policies take up to 30 minutes to apply; an iisreset reloads the config immediately.
To make it more secure, it is sufficient to allow legacy auth for EWS only (omit -BlockLegacyAuthWebServices):
New-AuthenticationPolicy "Enable EWS legacy auth" -BlockLegacyAuthImap -BlockLegacyAuthActiveSync -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthRpc -BlockLegacyAuthAutodiscover -BlockLegacyAuthMapi -BlockLegacyAuthPop
Get-User _srv_exombxmigr | Set-User -AuthenticationPolicy "Enable EWS legacy auth"
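The same procedure as an added example (not from the original post): create the EWS-only policy with splatting so the omitted switch is visible, assign it, and verify which policy the migration account effectively gets before starting a batch. It assumes an on-premises Exchange Management Shell session, reuses the account and policy names from the post, and assumes the policy object exposes the Block* switches as BlockLegacyAuth* boolean properties.

```powershell
# Added example, not code from the original post. Assumes an on-premises
# Exchange Management Shell; account and policy names are taken from the post.
$MigrationAccount = '_srv_exombxmigr'
$PolicyName       = 'Enable EWS legacy auth'

# Every Block* switch of New-AuthenticationPolicy except WebServices (EWS):
# MRSProxy lives under /EWS and Exchange Online authenticates to it with NTLM.
$BlockAllExceptEws = @{
    BlockLegacyAuthActiveSync         = $true
    BlockLegacyAuthAutodiscover       = $true
    BlockLegacyAuthImap               = $true
    BlockLegacyAuthMapi               = $true
    BlockLegacyAuthOfflineAddressBook = $true
    BlockLegacyAuthPop                = $true
    BlockLegacyAuthRpc                = $true
    # BlockLegacyAuthWebServices is intentionally omitted
}

if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName @BlockAllExceptEws | Out-Null
}

Set-User -Identity $MigrationAccount -AuthenticationPolicy $PolicyName

# A per-user policy wins over the org default; with no per-user policy the
# default ("Block Legacy Auth" in the post) applies and MRSProxy calls fail.
function Test-MigrationAccountEwsAuth {
    param([string]$Account)
    $user      = Get-User -Identity $Account
    $default   = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    $effective = if ($user.AuthenticationPolicy) { $user.AuthenticationPolicy } else { $default }
    if (-not $effective) {
        # No policy anywhere: nothing is blocked
        return [pscustomobject]@{ Account = $Account; Policy = '(none)'; EwsLegacyAuthAllowed = $true }
    }
    $policy = Get-AuthenticationPolicy -Identity $effective
    # Assumption: the object property mirrors the -BlockLegacyAuthWebServices switch
    [pscustomobject]@{
        Account              = $Account
        Policy               = $policy.Name
        EwsLegacyAuthAllowed = -not $policy.BlockLegacyAuthWebServices
    }
}

Test-MigrationAccountEwsAuth -Account $MigrationAccount
```

Remember the propagation delay from the post: run the check again after up to 30 minutes, or after an iisreset, before trusting the result.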
Also worth checking: troubleshooting guide for hybrid migration