Exchange Online Statistics Revealed at MEC 2022

300K Physical Mailbox Servers

Among the fun and games at the online MEC 2022 conference this week was the revealing of new statistics about Exchange Online, the largest workload within Office 365. The data (Figure 1) is quite staggering in terms of the size of the infrastructure supporting Exchange Online.

Exchange Online statistics (source: Microsoft)
Figure 1: Exchange Online statistics (source: Microsoft)

Mailboxes – Lots of Mailboxes

Every Exchange Online server is a physical Windows server, and there’s 300,000 of them to support 7.3 billion mailboxes. That’s not a typo. As of April; 2022, the latest number for Office 365 monthly active users is 345 million users (maybe 375 million now). The number of mailboxes might seem surprising, but there’s many other types of mailboxes in use within Exchange Online than a simple user count. The mailboxes include:

  • Group mailboxes.
  • System mailboxes like arbitration mailboxes.
  • Shared mailboxes.
  • Archive mailboxes.
  • Scheduling mailboxes (used by the Microsoft Booking app).
  • Cloud-only mailboxes used to hold compliance data for apps like Teams generated by hybrid accounts and guest users.
  • Audit mailboxes used to hold Office 365 unified audit log records.

Many of the mailboxes hold substrate data necessary to support Microsoft 365 services like search, eDiscovery, and compliance processing.

Each mailbox is in a mailbox database within a Database Availability Group (DAG). The DAG keeps three active copies and one lagged copy of each mailbox database. Deploying Native Data Protection absorbs that 1.4 exabytes of data spanning 42 trillion mail items (messages, calendar items, and so on).

The Joy of MEC

It was nice to be back presenting at a MEC event, even if it was a virtual event. Everything seemed to run smoothly and I only noticed one network hiccup during the sessions I attended. Microsoft has published session recordings on YouTube. Links to the decks and recordings for my sessions are at the end of this post.

I had planned to use PowerPoint Live when presenting my sessions but discovered that this facility isn’t available when presenting using a guest account in another tenant. I had to use the tried-and-trusted method of sharing a screen in the Teams meetings. However, I did see luminaries like Greg Taylor present using PowerPoint Live and enjoyed changing Greg’s slides about the details of removing basic authentication for Exchange Online connection protocols into different languages, including Irish (Figure 2). It’s amazing what cloud translation services can do these days.

The deprecation of basic authentication in Exchange Online (in Irish)
Figure 2: The deprecation of basic authentication in Exchange Online (in Irish)

Speaking about the campaign to remove basic authentication, it seems like everything is going OK with the possible exception of IMAP4 and POP3 clients and apps. Figure 3 shows some interesting information shared by Greg, this time in English. To put this information in a sharper context, consider the number of Exchange connections and mailboxes listed above.

The state of the great basic authentication turn-off campaign
Figure 3: The state of the great basic authentication turn-off campaign

There still seems to be a lot of connections using basic authentication from these sources that could be surprised when the hammer drops. It’s time to upgrade to clients that use modern authentication like the latest Thunderbird client.

Implement an Authentication Policy

A good suggestion that I heard is that tenants can take control of the switch-off by deploying an authentication policy to block basic authentication to see what apps and clients are effected. If some apps and clients need a little extra time to prepare, you can deploy another authentication policy that allows selective access to specific protocols to those accounts.

The great advantage of an authentication policy is that it blocks incoming connections before any authentication processing happens. In other words, if an attacker attempts a password spray to guess the credentials of an account using a protocol like POP3, the attempt fails immediately if the policy blocks POP3 connections. The attacker doesn’t get the chance to know that credentials work, even if they possess valid account credentials obtained in some manner.

On to TEC for Even More Exchange Online Statistics!

I had a great time talking about how to turbo-charge Exchange Online PowerShell using the Microsoft Graph APIs. What was nice about the session was the number of well-known individuals from the Exchange community in the audience. My sole regret was that I couldn’t mingle with people after the presentation as you can during an in-person conference. I’ll get that at The Experts Conference (TEC) in Atlanta next week. I am really looking forward to the event, even if Greg Taylor will be there (only kidding…)


Exchange PowerShell Examples

During my session about Exchange Online PowerShell and the Microsoft Graph (PPTX below), I published a list of articles for people to check out to learn more. Some people might have missed the information that I posted in the meeting chat, so here it is for everyone (alternatively, read the 110-page PowerShell chapter in the Office 365 for IT Pros eBook).

Worked out examples

PowerPoint Decks and Session Recordings

Admin’s Guide to the Microsoft 365 substrate

Master the Graph for Exchange PowerShell

One Reply to “Exchange Online Statistics Revealed at MEC 2022”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.