Exchange Server End of Life: Migrate, Move to Microsoft 365, or Run SE?

Since October 2025, Exchange Server 2016 and 2019 no longer receive security updates. Any business still running one of these servers in-house – and there are more of them in the Berchtesgaden and Traunstein region than you might think – now faces a decision that cannot be postponed much longer. A mail server without patches is not a theoretical risk. Exchange has been one of the most popular attack targets of recent years, from ProxyLogon to the Hafnium waves. An unpatched Exchange facing the internet is an open door.

We are currently handling a whole series of migrations around exactly this topic, and one thing stands out: the situation has become more confusing than it needed to be. Alongside the end of support, Microsoft introduced a new product – Exchange Server Subscription Edition (SE) – while at the same time pushing harder towards the cloud. This article sorts out the options and says plainly what makes sense for whom.

What exactly has ended

14 October 2025 was the official end-of-support date for Exchange Server 2016 and 2019. From that point on there are no security updates, no bug fixes and no technical support from Microsoft. The servers of course keep running – but every new vulnerability stays open. For a mail server, which by its nature is connected to the outside world, that is a different class of risk than an internal file server.

One point of clarity: this concerns the locally installed Exchange servers. Anyone whose mailboxes already live in Microsoft 365 / Exchange Online is not affected. The ones affected are the classic on-premises installations that have grown over the years in many mid-sized businesses.

The new Subscription Edition – not a new product, but a subscription model

In summer 2025, Microsoft released Exchange Server Subscription Edition (SE). The name sounds like a major version leap, but deliberately is not. At its initial release, Exchange SE is essentially code-identical to the final cumulative update of Exchange Server 2019. So Microsoft did not primarily build new features here – it changed the licensing and servicing model.

Three things matter in practice:

• Subscription licensing: Instead of a one-off licence, you now need either server licences plus client access licences (CALs) with active Software Assurance, or coverage through cloud subscription licences. Anyone without Software Assurance will not avoid a fresh purchase.
• Modern Lifecycle: SE no longer has a fixed end-of-support date in the old style. Instead, only those who stay current stay supported. Updating therefore becomes an ongoing duty, not something you do every few years.
• Upgrade path: From a current Exchange 2019 installation, you can move to SE in a process Microsoft itself describes as "about as involved as a normal cumulative update". That is far gentler than the old version changes that required building parallel new servers.

One thing we are keeping an eye on: with the updates announced for SE in 2026, coexistence with the old, no-longer-supported versions is being restricted further. So if you want to stay on-premises, do not sit on a mixed environment for too long.

Option A: Move to Exchange Online / Microsoft 365

For most of the SMEs we look after, migrating to Exchange Online is the obvious answer – but not automatically for everyone. The benefits are real:

• No more mail server in-house that needs patching, monitoring and protecting against outages. Patch management and availability sit with Microsoft.
• Predictable per-mailbox costs instead of investment spikes every few years for hardware and licences.
• Modern features – Teams integration, mobile access, protection against phishing and malware – are included and continuously updated.

Two things argue against the cloud in practice. First, recurring costs: with many mailboxes the monthly licences add up, and over a ten-year horizon the cloud is not necessarily cheaper than a well-maintained server of your own. Second, data protection and data residency. This deserves an honest look.

Data protection: Microsoft 365 is workable, but not GDPR-compliant by itself

We often hear the concern that email in the Microsoft cloud is "not GDPR-compliant". Put that bluntly, it is not true – but it is equally untrue that it just falls into place. For business customers Microsoft offers EU data regions and a data processing agreement. That is the foundation. Responsibility for the correct configuration, for documented consent, for the deletion concept and for assessing third-country transfers still rests with the business itself.

If you want to do this cleanly, combine the migration with a data-protection stocktake. The points that most often go wrong in practice we have collected in our GDPR checklist for SMEs. Third-country transfers and your technical and organisational measures are best reviewed together with the migration, not afterwards. That interlock is part of our IT security consulting.

Option B: Stay on-premises with Exchange Server SE

There are good reasons to stay on your own mail server – we are not talking those down. If you have strict requirements for full data control, if regulation forces you to keep data on your own premises, or if you run a large, stable mailbox estate with existing Software Assurance, SE can be the more sensible choice both commercially and organisationally.

The flip side belongs in the picture too:

• You stay responsible for patching. Under the Modern Lifecycle model, updating is no longer a rare event but an ongoing task. An Exchange server that is only half-heartedly maintained is exactly the risk the end of support was meant to warn against.
• Licence costs and Software Assurance must be in place or newly acquired – depending on your starting point, a noticeable line item.
• Running it needs know-how. High availability, backup, spam protection, certificates, monitoring – none of that happens on the side.

The middle path: hybrid

Many of the migrations we run do not happen overnight but go through a hybrid phase. The local Exchange and Exchange Online coexist for a while, mailboxes move across step by step, and the shared address book stays consistent. That takes pressure out of the project and allows a controlled move instead of a big-bang weekend.

The one rule: hybrid is a transition, not a permanent state. Leaving the old, no-longer-supported Exchange running indefinitely "just for the hybrid link" is a common mistake. And these mixed setups will increasingly be held back technically by the coming SE updates.

Our practical recommendation

For the typical business with 10 to 80 mailboxes in the Berchtesgaden and Traunstein region, with no hard regulatory requirement to keep data local, migrating to Exchange Online / Microsoft 365 is usually the right call. You take the patch responsibility for an exposed server off your plate and gain features you would otherwise have to laboriously build yourself.

Stay on Exchange Server SE if at least one of these applies: you have hard requirements for local data residency, you already run a stable, well-maintained Exchange estate with active Software Assurance, or the recurring cloud licence costs would be substantially more expensive over the years at your mailbox count than running it yourself – and you have the know-how to operate a mail server securely over the long term.

What we advise against in every case: doing nothing and simply letting the old server run on. That is the one option guaranteed to get expensive – at the latest with the first security incident.

If you are unsure which path fits your business, we will look at your specific situation: mailbox count, licence status, data-protection requirements, existing infrastructure. From that comes a recommendation with numbers, not a gut feeling. That is part of our IT consulting and digitalisation advisory – and we see the implementation through, not just the slide deck.

---