The Part of Your Exchange Migration You Put Off Is Now a Security Liability

,

The Exchange Server Nobody Wants to Touch

For many organizations, the move to Microsoft 365 is largely complete. Mailbox migration is done, users are operating in Exchange Online, and day-to-day administration has shifted to the cloud. Yet public folder migration is often the piece that was deferred — and the Exchange server it left behind is now a growing liability.

Yet one component often remains on-premises: public folders.

Public folder migration gets deferred during the initial project due to complexity, competing priorities, or unexpected errors mid-migration. What begins as a short delay often extends into months or years, leaving an Exchange server running solely to support legacy folder data.

That server is no longer a temporary dependency. And as of right now, it has a clock running against it.

Microsoft Is Already Blocking Email From Unpatched Servers

This is not a future risk. Exchange Online’s transport enforcement system is live and actively flagging on-premises servers it considers “persistently vulnerable.” The process works in three stages: reporting, throttling, then a full block on inbound email. Once your server is flagged, you have a 90-day remediation window. After that, mail stops flowing.

Any server running an end-of-life Exchange version qualifies — Exchange 2013 and earlier are already in scope. Exchange 2016 and 2019 servers that are significantly behind on security updates are next.

Which brings us to April 14, 2026.

The Patch Window Just Closed — Permanently

Exchange 2016 and Exchange 2019 Extended Security Updates ended on April 14, 2026 — eight days ago. Microsoft will not issue another security patch for either version. Every vulnerability discovered from this point forward goes unaddressed on your server.

This is the trigger that changes the calculation. A server that was “behind on patches” is manageable. A server that cannot be patched will eventually trip Microsoft’s enforcement system with no remediation path except migration.

The 90-day clock, once it starts, ends with your on-premises Exchange server losing the ability to deliver mail to Exchange Online. For organizations in a hybrid configuration — which describes almost every organization that still has public folders on-premises — that means disrupted mail flow for real users.

More Deadlines Hitting in 2026

The mail flow block is the most immediate risk, but it is not the only one:

  • SMTP AUTH Basic authentication — retired March 2026. Exchange Online permanently removed Basic auth for client submission. Hybrid configurations using it for SMTP relay stopped working last month.
  • Legacy ActiveSync clients — blocked March 1, 2026. Exchange Online now requires EAS version 16.1 or higher. Older mobile clients lose access to Exchange Online mailboxes.
  • Exchange Web Services (EWS) — retirement begins October 1, 2026. EWS access to Exchange Online is being disabled. Hybrid environments where applications access cloud mailboxes via EWS will break. Full shutdown completes April 2027.

Each of these affects hybrid environments differently. But every one of them is a reason the on-premises Exchange server that exists only for public folders is now actively working against you.

Why Public Folder Migrations Stall

Public folder migrations fail or stall for predictable reasons — and they are rarely the same reasons mailbox migrations fail:

  • Mail-enabled public folders require preparation steps that native tooling handles poorly
  • Large or deeply nested hierarchies hit quota and performance limits mid-migration
  • Complex permission models — nested groups, anonymous access, legacy role assignments — do not transfer cleanly
  • Native tooling provides poor diagnostics when errors occur, leaving migrations stopped with no clear path forward

Most organizations that stalled got to 60–70% and stopped. That is a recoverable position — but only if you act before Microsoft’s enforcement system acts for you.

Start with Accurate Visibility

Before resuming or reattempting a migration, you need a complete inventory: total size and item count, active versus inactive folders, permission structures, mail-enabled status, and any non-standard content types. Without that baseline, you will hit the same issues that caused the stall.

Priasoft’s Public Folder Analyzer runs against Exchange 2010 through 2019 and produces a complete inventory — size, item count, permissions, mail-enablement, cleanup candidates — in about an hour. It exports to CSV and it’s free. Run this before scoping anything else.

What Completing the Migration Involves

Public folder migration is distinct from mailbox migration and requires a structured approach:

  1. Discovery and inventory — establish a complete view before anything moves
  2. Cleanup — remove stale folders and resolve broken permissions on the source
  3. Hierarchy and content synchronization — migrate in stages with validation between each phase
  4. Mail-enablement alignment — configure mail-enabled folders in the target before cutover
  5. Delta synchronization and cutover — capture changes and finalize the transition
  6. Decommission — remove the source server and close out the project

Many stalled migrations can be resumed rather than restarted, provided the current state is understood.

When Native Tools Are Not Enough

In environments with cross-forest migrations, tenant-to-tenant moves, multi-server public folder deployments, or complex permission hierarchies, Public Folder Migration Manager provides the control, visibility, and permission fidelity that standard tooling lacks. If your migration stalled at 60–70% and you are not sure why, this is where to look.

For a complete technical walkthrough of every phase, the complete public folder migration guide covers it end to end. Free to access.

The Clock Is Running

If Exchange remains on-premises only because of public folders, the migration is not complete — it is paused. With Extended Security Updates now closed, Microsoft’s enforcement system already active, and three additional deprecation deadlines hitting in 2026, the cost of continuing to defer is no longer theoretical.

Speak with a Priasoft engineer about your specific environment. Bring what you know — Exchange version, folder count, where the migration stalled — and we will tell you what the path forward looks like.

Free trial downloads at priasoft.com/register-for-a-free-trial-download.