Dude preaching to Tony Redmond about Exchange is like skater preaching to Tony Hawk about skateboarding.

Who knows? Microsoft isn’t saying and we never had very accurate data about the number of Exchange on-premises mailboxes to work with. If pushed into a corner, I’d say maybe 10% of the original base, which could be about 40 million accounts. But this is guessing.

Organizations that only use on-premises servers for mail relay are fine to do that. I am more concerned about mailboxes used by humans. However, it is absolutely critical to keep servers updated and patched, even if they’re only used for mail relay. There are many known vulnerabilities that can affect servers that run outdated software and those servers represent a real risk. So, run Exchange 2016 or Exchange 2019 on your mail relay servers and make sure that you apply cumulative and security updates as Microsoft releases updates and all will be well.

Actually no. Exchange Online is split up across datacenter regions and forests so any compromise won’t penetrate everywhere. Also, compromises tend to rely on access to privileged accounts and there are very few of these, all of which have time-limited access to perform actions. There are other security measures in place that I won’t go into here. In the on-premises world, there are still thousands of unpatched and vulnerable servers in operation (you can’t expect the FBI to patch them all as they did for U.S. servers after Hafnium). That doesn’t happen in the cloud because all servers run the latest software. In comparing the two environments, I see a cloud system operated by the development group and protected by thousands of security professionals where holes like basic authentication are steadily being closed off. Against that, I see on-premises environments that don’t have the same protection and expertise (exceptions do prove the rule, but there are few) where known holes exist. So I conclude that the cloud option is best.

Happy to debate the point at length if you want to attend the TEC Europe Tour event in Frankfurt on April 21. https://www.quest.com/event/tec-talk-five-things-microsoft-365-security-administrators-should-do-in-2023/

“ Although Exchange Online spans over 200,000 physical mailbox servers, the risk of compromise is much lower than for any on-premises environment because of the security resources Microsoft dedicates to protecting its cloud infrastructure.”

When they are compromised then everybody is really fried. Not so much comments about the fact that MS relies also on the security of 3rd parties, just to name Solarwind. It was clear that the hackers who came through that door had access to the sources of Windows and and a few month after we have a zero day like Haffnium. I don’t want to put too much into it but is your recommendation really to put all economical eggs in just one basket?
Your argument is mostly about the complexity’s of maintenance and migration. I agree on that and I know what I’m talking because I work closely with Exchange since 5.5 and developed a lot of bad hacks against every version in order to solve issues or crashes of my clients.
You can’t sell it as a self healing worry free product. But tell everybody go to the cloud?
I’m not convinced…

Some government institutions are definitely among the last hold-outs of on-premises Exchange Server. I just hope that they secure those servers!