300K Physical Mailbox Servers
Among the fun and games at the online MEC 2022 conference this week was the revealing of new statistics about Exchange Online, the largest workload within Office 365. The data (Figure 1) is quite staggering in terms of the size of the infrastructure supporting Exchange Online.
Mailboxes – Lots of Mailboxes
Every Exchange Online server is a physical Windows server, and there are 300,000 of them to support 7.3 billion mailboxes. That’s not a typo. As of April 2022, the latest number for Office 365 monthly active users is 345 million users (maybe 375 million now). The number of mailboxes might seem surprising, but there are many other types of mailboxes in use within Exchange Online than a simple user count. The mailboxes include:
- Group mailboxes.
- System mailboxes like arbitration mailboxes.
- Shared mailboxes.
- Archive mailboxes.
- Scheduling mailboxes (used by the Microsoft Booking app).
- Cloud-only mailboxes used to hold compliance data for apps like Teams generated by hybrid accounts and guest users.
- Audit mailboxes used to hold Office 365 unified audit log records.
Many of the mailboxes hold substrate data necessary to support Microsoft 365 services like search, eDiscovery, and compliance processing.
Each mailbox is in a mailbox database within a Database Availability Group (DAG). The DAG keeps three active copies and one lagged copy of each mailbox database. Deploying Native Data Protection protects that 1.4 exabytes of data spanning 42 trillion mail items (messages, calendar items, and so on).
The Joy of MEC
It was nice to be back presenting at a MEC event, even if it was a virtual event. Everything seemed to run smoothly and I only noticed one network hiccup during the sessions I attended. Microsoft has published session recordings on YouTube. Links to the decks and recordings for my sessions are at the end of this post.
I had planned to use PowerPoint Live when presenting my sessions but discovered that this facility isn’t available when presenting using a guest account in another tenant. I had to use the tried-and-trusted method of sharing a screen in the Teams meetings. However, I did see luminaries like Greg Taylor present using PowerPoint Live and enjoyed changing Greg’s slides about the details of removing basic authentication for Exchange Online connection protocols into different languages, including Irish (Figure 2). It’s amazing what cloud translation services can do these days.
Speaking about the campaign to remove basic authentication, it seems like everything is going OK with the possible exception of IMAP4 and POP3 clients and apps. Figure 3 shows some interesting information shared by Greg, this time in English. To put this information in a sharper context, consider the number of Exchange connections and mailboxes listed above.
There still seems to be a lot of connections using basic authentication from these sources that could be surprised when the hammer drops. It’s time to upgrade to clients that use modern authentication like the latest Thunderbird client.
Implement an Authentication Policy
A good suggestion that I heard is that tenants can take control of the switch-off by deploying an authentication policy to block basic authentication to see what apps and clients are affected. If some apps and clients need a little extra time to prepare, you can deploy another authentication policy that allows selective access to specific protocols to those accounts.
The great advantage of an authentication policy is that it blocks incoming connections before any authentication processing happens. In other words, if an attacker attempts a password spray to guess the credentials of an account using a protocol like POP3, the attempt fails immediately if the policy blocks POP3 connections. The attacker doesn’t get the chance to know that credentials work, even if they possess valid account credentials obtained in some manner.
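The two-policy approach described above, sketched with the Exchange Online PowerShell cmdlets for authentication policies. This is an added example, not code from the original post; the policy names and the contoso.example accounts are placeholders to replace with your own.

```powershell
# Added example. Policy names and account addresses are placeholders.
Connect-ExchangeOnline

# 1. A new authentication policy blocks basic authentication for every
#    protocol unless an -AllowBasicAuth* switch is specified.
New-AuthenticationPolicy -Name 'Block Basic Auth'

# 2. Exception policy: basic authentication stays available for POP3 and
#    IMAP4 only, for accounts that need extra time to move to modern auth.
New-AuthenticationPolicy -Name 'Allow Basic POP IMAP' -AllowBasicAuthPop -AllowBasicAuthImap

# 3. Pilot the block on a few accounts first to see which apps and clients break.
$PilotAccounts = 'pilot.user1@contoso.example', 'pilot.user2@contoso.example'
foreach ($Upn in $PilotAccounts) {
    Set-User -Identity $Upn -AuthenticationPolicy 'Block Basic Auth'
}

# 4. When the pilot is clean, make the block policy the tenant default so that
#    every account without an explicit assignment inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 5. Assign the exception policy only to the accounts that still need it.
#    A per-user assignment takes precedence over the tenant default.
$ExceptionAccounts = 'legacy.scanner@contoso.example', 'pop.app@contoso.example'
foreach ($Upn in $ExceptionAccounts) {
    Set-User -Identity $Upn -AuthenticationPolicy 'Allow Basic POP IMAP'
}

# 6. Review: what each policy allows, and which accounts carry an explicit
#    assignment (the list of exceptions to retire over time).
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Format-Table UserPrincipalName, AuthenticationPolicy
```

Assignments and policy changes are not instant and can take up to 24 hours to apply. To apply a change to one account sooner, run `Set-User -Identity <account> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)`.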
On to TEC for Even More Exchange Online Statistics!
I had a great time talking about how to turbo-charge Exchange Online PowerShell using the Microsoft Graph APIs. What was nice about the session was the number of well-known individuals from the Exchange community in the audience. My sole regret was that I couldn’t mingle with people after the presentation as you can during an in-person conference. I’ll get that at The Experts Conference (TEC) in Atlanta next week. I am really looking forward to the event, even if Greg Taylor will be there (only kidding…)
Exchange PowerShell Examples
During my session about Exchange Online PowerShell and the Microsoft Graph (PPTX below), I published a list of articles for people to check out to learn more. Some people might have missed the information that I posted in the meeting chat, so here it is for everyone (alternatively, read the 110-page PowerShell chapter in the Office 365 for IT Pros eBook).
- Mailbox Cleanup using the Microsoft Graph https://practical365.com/mailbox-clean-up-script/
- Figuring out Graph permissions https://practical365.com/microsoft-graph-api-permission/
- Azure Automation and Exchange Online https://practical365.com/use-azure-automation-exchange-online/
- Azure Automation Managed Identities and Exchange Online https://practical365.com/azure-automation-managed-identity-exo/
- Azure Automation and Microsoft Graph PowerShell SDK https://practical365.com/microsoft-graph-sdk-powershell-azure-automation/
- License management https://practical365.com/microsoft-365-license-graph-sdk/
- Generate licensing report https://practical365.com/create-licensing-report-microsoft365-tenant/
- Creating a new Azure AD group (and team-enable new group) https://practical365.com/create-new-microsoft-365-group-sdk/
- Basic User management with Microsoft Graph PowerShell SDK https://office365itpros.com/2022/03/24/azure-ad-user-account-powershell/
- Basic group management with Microsoft Graph PowerShell SDK https://office365itpros.com/2022/03/29/azure-ad-group-management/
- Assign Azure AD roles with the Microsoft Graph PowerShell SDK https://office365itpros.com/2022/03/30/azure-ad-role-assignments/
- Ups and downs of connecting to the Microsoft Graph PowerShell SDK https://practical365.com/connect-microsoft-graph-powershell-sdk/
Worked out examples
- Reporting the activity of Microsoft 365 Groups and Teams.
- Reporting user activity across multiple workloads.
- Decrypting SharePoint Online documents protected with sensitivity labels.
- Calculate counts of distribution list members.
- Sending email with the Graph.
- Creating organization contacts in user mailboxes.