Public Sector / EU Institution

Hybrid Identity Architecture & Exchange Hybrid — 40,000-User Platform

Designed and delivered hybrid identity architecture, Exchange hybrid coexistence, and a two-tier PKI rebuild for a 40,000-user European Commission platform.

European Commission · March 2021

Outcomes: hybrid platform stabilised; PKI rebuilt and standardised; Exchange coexistence delivered without disruption.

Topics: Hybrid Identity, Exchange Hybrid, Entra ID, PKI, Active Directory, Skype for Business

Client Context And Challenge

The European Commission operated a unified communications platform serving approximately 40,000 users across multiple directorates-general, spanning on-premises Exchange, Exchange hybrid with Exchange Online, Skype for Business Server, and a multi-forest Active Directory structure inherited from successive organisational consolidations. The platform had grown to institutional scale without a corresponding evolution in its governance model — administrative roles were assigned on a standing basis, service accounts had accumulated permissions well beyond their original scope, and there was no documented ownership model for the directory objects that underpinned the hybrid configuration.

Exchange hybrid coexistence had drifted from its original design. Autodiscover service connection points, the Hybrid Configuration Wizard OAuth trust, and the send/receive connector pair had all been subject to ad hoc modifications over time. The result was a hybrid topology that worked in its primary mail-flow paths but exhibited intermittent failures in Free/Busy lookups, EWS cross-premises requests, and Autodiscover resolution for clients roaming between on-premises and Exchange Online. These failures were not consistently reproducible, which had made them difficult to trace to their root causes under normal operational conditions.

The PKI infrastructure presented a related but distinct problem. The certificate chain supporting Exchange services, Skype for Business TLS federation, internal IIS endpoints, and Active Directory Certificate Services had accumulated certificates from multiple issuing CAs across different validity periods and subject alternative name configurations. Some certificates had been renewed without updating all dependent service bindings. Others had been issued with incorrect SANs that worked only because clients were not enforcing strict name checking. The root CA certificate was approaching expiry on a timeline that would begin affecting service validation before a planned replacement could be completed through normal procurement channels.

The Skype for Business Server deployment covered instant messaging, presence, and voice — including integration with the Commission's telephony infrastructure. Topology changes and pool migrations had been executed piecemeal over the preceding years, leaving the deployment in a state where the Central Management Store, front-end pool assignments, and Edge Server configuration were inconsistent with the documented topology. Several components were running on server versions that had reached or were approaching end of support.

Architecture Design

The identity architecture was designed around three goals: stabilise the hybrid coexistence configuration to a known-good and documented baseline, replace standing admin assignments with a scoped role model that could be audited and maintained, and establish a PKI chain that could be operated and renewed through a repeatable process independent of the original implementers.

Hybrid Identity Architecture
European Commission

A multi-forest hybrid identity model aligned Entra ID sync, Exchange hybrid, and PKI governance so coexistence, certificate lifecycle, and privileged access could be operated as one controlled platform.

Architecture layers (as shown in the diagram):

Cloud Identity: Entra ID (identity plane, authentication, governance)
Hybrid Services: Exchange Hybrid (OAuth, mail flow, Free/Busy); Skype for Business (presence, voice, federation)
Sync & Trust: Entra ID Connect (multi-forest sync, staging server); Enterprise PKI (offline root, issuing CA)
Core Infrastructure: Active Directory forests (directory objects, delegated administration)

For hybrid identity, the multi-forest environment required careful scoping of the Entra ID Connect synchronisation topology. Each forest had its own synchronisation server; the configuration had to be reviewed for attribute-level conflicts, UPN routing decisions, and the handling of resource mailboxes and shared accounts that existed in multiple forests with different anchor attributes. The design consolidated the synchronisation architecture around a primary sync server per forest with a staging server for failover, with explicit filtering rules to exclude service accounts and administrative objects from synchronisation scope — objects that had no legitimate reason to exist as cloud identities.
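The scoping decision above (keeping service accounts and administrative objects out of the synchronisation scope) is easiest to enforce when the candidates are enumerated before the filtering rules are written. The script below is an added example, not part of the engagement's own tooling: it walks a list of placeholder OUs that are intended to be in sync scope and reports the objects that should not become cloud identities. It assumes the ActiveDirectory RSAT module and read access to the forest; the OU distinguished names are placeholders.

```powershell
# Added example (not from the case study): before enabling Entra ID Connect
# synchronisation for a forest, list objects inside the candidate sync-scope OUs
# that should stay on-premises only: privileged accounts (adminCount=1),
# classic service accounts (accounts carrying a servicePrincipalName) and
# managed service accounts.
# Assumptions: ActiveDirectory RSAT module is installed; the OU list is a placeholder.

Import-Module ActiveDirectory

$SyncScopeOUs = @(                                   # placeholder OUs
    'OU=Users,DC=forest-a,DC=example,DC=eu',
    'OU=Resources,DC=forest-a,DC=example,DC=eu'
)

$findings = foreach ($ou in $SyncScopeOUs) {
    # adminCount=1 is stamped by SDProp on members of protected groups; it is
    # sticky, so it also catches accounts that were privileged in the past.
    Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' -Properties adminCount |
        ForEach-Object {
            [pscustomobject]@{
                OU     = $ou
                Object = $_.SamAccountName
                Reason = 'adminCount=1'
                Action = 'exclude from sync (administrative object)'
            }
        }

    # Accounts that host Kerberos services are classic service accounts.
    Get-ADUser -SearchBase $ou -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                OU     = $ou
                Object = $_.SamAccountName
                Reason = 'has SPN: ' + (@($_.servicePrincipalName)[0])
                Action = 'exclude from sync (service account)'
            }
        }

    # Managed service accounts never need a cloud identity.
    Get-ADServiceAccount -SearchBase $ou -Filter * |
        ForEach-Object {
            [pscustomobject]@{
                OU     = $ou
                Object = $_.SamAccountName
                Reason = 'managed service account'
                Action = 'exclude from sync (MSA)'
            }
        }
}

$findings | Sort-Object OU, Reason | Format-Table -AutoSize

# Objects reported here are the candidates for an attribute-based filtering
# rule in Entra ID Connect (for example on adminCount or a dedicated extension
# attribute), or for relocation into an OU that sits outside the sync scope.
```

Run it once per forest from a workstation with the RSAT tools; the output is the review list for the filtering rules, and re-running it after go-live is a cheap check that no privileged or service object has drifted back into scope.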

The Exchange hybrid scoping addressed the coexistence failures by treating the Hybrid Configuration Wizard output as a baseline to be audited rather than trusted. The OAuth configuration was verified end-to-end using the Remote Connectivity Analyser and manual token inspection. Autodiscover SCP records were corrected in Active Directory and validated against the Autodiscover lookup sequence for both domain-joined and non-domain-joined clients. The send and receive connector pair was documented with explicit address space scoping, TLS certificate requirements, and the correct smart host configuration for hybrid mail routing through Exchange Online Protection.
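The Autodiscover correction described above starts with knowing what each Exchange server has published in Active Directory, because domain-joined Outlook clients read the service connection points (SCPs) from the Configuration partition before trying any DNS-based lookup. The script below is an added example, not part of the engagement, that enumerates those SCPs and flags any whose URL deviates from an agreed baseline. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context; the baseline URL is a placeholder.

```powershell
# Added example (not from the case study): audit the Autodiscover service
# connection points (SCPs) that domain-joined Outlook clients read from AD,
# and flag any whose URL differs from the agreed baseline.
# Assumptions: ActiveDirectory RSAT module is available and the account can
# read the Configuration naming context. The baseline URL is a placeholder.

Import-Module ActiveDirectory

$ExpectedAutodiscoverUri = 'https://autodiscover.example.eu/Autodiscover/Autodiscover.xml'  # placeholder

# Exchange marks its Autodiscover SCPs with this well-known keyword GUID.
$AutodiscoverScpGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

$configNc = (Get-ADRootDSE).configurationNamingContext

$scps = Get-ADObject -SearchBase $configNc `
    -LDAPFilter "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpGuid))" `
    -Properties serviceBindingInformation, keywords, whenChanged

$report = foreach ($scp in $scps) {
    # serviceBindingInformation is multi-valued; Exchange writes one URL per SCP.
    $uri = @($scp.serviceBindingInformation)[0]
    # Keywords other than the Autodiscover GUID are site-scope entries of the
    # form "Site=<AD site name>"; a client prefers SCPs scoped to its own site,
    # which is why a stale site scope shows up as roaming-client failures.
    $sites = @($scp.keywords) | Where-Object { $_ -like 'Site=*' }
    [pscustomobject]@{
        Server          = $scp.Name          # the SCP object is named after its server
        Uri             = $uri
        SiteScope       = ($sites -join ';')
        LastChanged     = $scp.whenChanged
        MatchesBaseline = ($uri -eq $ExpectedAutodiscoverUri)
    }
}

$report | Sort-Object MatchesBaseline, Server | Format-Table -AutoSize

# Deviations are the candidates for correction. From an Exchange Management
# Shell the corresponding set/verify pair is:
#   Set-ClientAccessService -Identity <server> -AutoDiscoverServiceInternalUri $ExpectedAutodiscoverUri
#   Get-ClientAccessService | Format-Table Name, AutoDiscoverServiceInternalUri
```

The LastChanged column is worth keeping in the output: an SCP modified outside the documented change windows is exactly the kind of ad hoc edit that the baseline audit is meant to surface.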

The PKI design produced a two-tier hierarchy — offline root CA with a ten-year validity and an online issuing CA with a five-year validity — following Microsoft's recommendations for enterprise CA deployment. The design included certificate templates for each service category: Exchange internal transport, Exchange IIS endpoints, Skype for Business internal services, Skype for Business Edge TLS federation, domain controller Kerberos authentication, and LDAPS. Each template was scoped to the appropriate security group for auto-enrolment or manual issuance, with a documented renewal calendar and service binding checklist for each certificate type. The role model for PKI administration was defined separately from the general Active Directory admin role — an explicit CA administrator group with scoped permissions to the CA object and the issuing CA server, with no other directory rights.

Delivery Approach

The engagement was structured as a multi-project programme running across the platform's annual maintenance cycle. Infrastructure changes at this scale could not be treated as a single delivery sprint — each workstream had its own change control process, approval chain, and rollback requirements. The programme was organised with a shared risk register and a consolidated change calendar to prevent conflicting maintenance windows across the four workstreams.

Exchange hybrid stabilisation was the first priority, as the coexistence failures were affecting a visible subset of users and generating escalations through the Commission's service desk. The OAuth trust was rebuilt from scratch — the existing application registrations for the on-premises Exchange organisation were removed from Entra ID and re-registered through the Hybrid Configuration Wizard running against a known-clean Exchange 2016 environment. The process required coordinated downtime for the hybrid mail-flow connectors, executed during a Saturday maintenance window with a tested rollback that could restore the previous connector configuration within thirty minutes. After the OAuth rebuild, Free/Busy lookups were validated for a representative sample of mailboxes across both on-premises and Exchange Online, including resource mailboxes, room lists, and distribution groups that had previously been the most reliable indicators of coexistence failures.

Skype for Business topology remediation ran in parallel with the Exchange stabilisation work, using separate change windows to avoid compounding risk. The Central Management Store was backed up and the topology document was corrected to reflect the actual deployed state — pool FQDNs, SIP domains, Edge Server external interfaces, and the PSTN gateway configuration. Front-end pool assignments for users who had been incorrectly homed due to previous migrations were corrected in batches, validated by confirming presence and IM functionality for a pilot group before bulk remediation. The Edge Server TLS federation certificates were among the first to be replaced under the new PKI chain, as they represented the highest-visibility external-facing dependency and had the shortest remaining validity.

The PKI rebuild was sequenced to minimise the window during which any service held a certificate from the legacy chain. The new offline root CA was brought online in an air-gapped environment, its root certificate distributed to all Active Directory-joined machines through Group Policy, and its trust confirmed in the certificate stores of all Exchange and Skype servers before any certificates were issued from the new chain. The issuing CA was then brought online and the certificate templates configured. Renewal was executed service by service, with each service's binding updated and validated before moving to the next. The legacy issuing CA was kept in read-only mode — capable of serving certificate status requests but not issuing new certificates — until all bindings had been migrated, then formally decommissioned. Active Directory maintenance sprints covered domain controller OS refresh, SYSVOL replication health, and the removal of stale objects — computer accounts, service accounts, and group memberships — that had accumulated over the preceding institutional refresh cycle.
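Two checks recur throughout the sequence above: confirming that a server trusts the new root before anything is issued to it, and tracking which service certificates still chain to the legacy issuing CA or are close to expiry as the service-by-service renewal proceeds. The script below is an added example, not part of the engagement's own tooling, that collects both from a list of servers over PowerShell remoting. The server names, the new root thumbprint and the legacy issuer name are placeholders.

```powershell
# Added example (not from the case study): verify on each messaging server
# that the new offline root is trusted, and report which service certificates
# still chain to the legacy issuing CA or are close to expiry.
# Assumptions: PowerShell remoting to the listed servers; the server names,
# thumbprint and issuer pattern below are placeholders.

$Servers             = @('EXCH01', 'EXCH02', 'SFBFE01', 'SFBEDGE01')   # placeholder names
$NewRootThumbprint   = 'REPLACE-WITH-NEW-ROOT-THUMBPRINT'              # placeholder
$LegacyIssuerPattern = 'CN=Legacy-Issuing-CA'                          # placeholder issuer match
$WarnDays            = 60

$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($rootThumb, $legacyPattern, $warnDays)

    # Root trust is per machine: Group Policy distribution can lag, so check it
    # on the server itself rather than assuming the GPO applied.
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $rootThumb })

    # Only certificates with a private key can be bound to a service.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        [pscustomobject]@{
            Server         = $env:COMPUTERNAME
            NewRootTrusted = $rootTrusted
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            Thumbprint     = $_.Thumbprint
            NotAfter       = $_.NotAfter
            DaysLeft       = [int]($_.NotAfter - (Get-Date)).TotalDays
            SANs           = ($_.DnsNameList.Unicode -join ';')
            # Verify() builds the chain against this machine's own trust store,
            # so a certificate from the new chain only passes once the root is here.
            ChainValid     = $_.Verify()
            LegacyChain    = ($_.Issuer -like "*$legacyPattern*")
            ExpiringSoon   = ($_.NotAfter -lt (Get-Date).AddDays($warnDays))
        }
    }
} -ArgumentList $NewRootThumbprint, $LegacyIssuerPattern, $WarnDays

# Work queue for the service-by-service renewal: anything still on the legacy
# chain, anything inside the warning window, and any server that does not yet
# trust the new root (nothing should be issued to it until it does).
$audit | Where-Object { $_.LegacyChain -or $_.ExpiringSoon -or -not $_.NewRootTrusted } |
    Sort-Object Server, DaysLeft |
    Format-Table Server, NewRootTrusted, Subject, Issuer, DaysLeft, LegacyChain, SANs -AutoSize

# On an Exchange server, Get-ExchangeCertificate (Exchange Management Shell)
# adds the Services column showing which thumbprint is bound to IIS, SMTP, etc.,
# which is the binding that must be updated after each renewal.
```

Comparing the SANs column against the name each service actually presents is the check that catches the case the text describes, a certificate that works only because clients are not enforcing strict name matching; an empty work queue at the end is the evidence that the legacy CA can be decommissioned.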

Outcomes

The Exchange hybrid platform reached a stable coexistence state for the first time in several years. Free/Busy lookups and EWS cross-premises requests operated reliably across the full user population after the OAuth rebuild and Autodiscover remediation. The hybrid send/receive connector pair was fully documented with its certificate dependencies, address space scoping, and routing logic — enabling the Commission's internal team to perform future Hybrid Configuration Wizard updates without reintroducing the configuration drift that had caused the original failures.

The PKI modernisation resolved the impending root CA expiry risk and established a chain that could be maintained through a repeatable, documented process. All Exchange, Skype for Business, IIS, domain controller, and LDAPS certificates were migrated to the new issuing CA before the legacy chain's expiry became operationally relevant. The renewal calendar and service binding checklist produced during the design phase were handed to the Commission's infrastructure team as standing operational documentation — not engagement-specific artefacts, but procedures written to be followed by engineers who had not been part of the original design.

The standing admin model was replaced with a documented role assignment structure. Global Administrator and Exchange Administrator standing assignments were scoped down to operational roles with documented justification for each assignment. The CA administrator role was defined as a separate group, cleanly separated from Exchange and directory administration. The Active Directory maintenance sprints removed over four hundred stale computer accounts, sixty service accounts with no current owner, and corrected group membership for forty-three objects that had been assigned permissions inconsistent with their documented purpose. The resulting directory state was exported as a baseline configuration record, establishing a reference point against which future audits could be measured.

The Skype for Business platform was stabilised with a consistent topology document, correctly homed users, and Edge Server certificates renewed under the new PKI chain. The PSTN integration was validated against the corrected topology. The platform continued to operate through the Commission's subsequent evaluation of Microsoft Teams migration options — the stabilisation work preserved the existing investment while the longer-term migration roadmap was developed through a separate programme.

Operational / Business Value

The engagement gave the Commission more than a repaired hybrid platform. It established a governable operating baseline across identity, messaging, PKI, and collaboration services, with explicit ownership boundaries and procedures that could survive team changes and future infrastructure refresh cycles.

From a programme perspective, the work also reduced delivery risk for the Commission's next decisions. Exchange coexistence, PKI renewal, and Skype for Business stability were no longer blocking issues consuming leadership attention; they became controlled foundations on top of which broader cloud migration and collaboration roadmap decisions could be made with far better confidence.

European Commission — Hybrid Identity Architecture & Exchange Hybrid — 40,000-User Platform | TakeItToCloud