Microsoft’s plan to stop Exchange Online accepting email from unsupported Exchange Servers caused a lot of fuss and bother. Looking through the commentary and questions about the announcement, I’m not sure if people understand fully what’s happening. It seems clear to me, but as Richard Campbell of RunAs Radio fame wants me to rant about the topic, here’s my measured opinion (not a rant).
Microsoft uses machine learning in Outlook and Exchange Online to create the basis for what they call intelligent technology like suggested replies and text prediction. To generate the language models used to figure out how Outlook should respond to users, Microsoft needs to copy data from user mailboxes for processing. The data is removed and the results stored in user mailboxes once processing is complete. Is this an issue for Microsoft 365 tenants? It all depends on your view of how data should be processed.
Mail contacts have long been used by Exchange organizations to provide an identity for external people. Contacts show up in the GAL to make it easy for users to send messages to external people and they can be included in distribution lists. The downside is that mail contacts are only available to Exchange Online. Perhaps the time is right to consider switching focus to Azure AD guest accounts? We explore the option here.
Exchange Online will create a new inbound connector but won’t activate it until the tenant gives a business justification to Microsoft Support. The restriction applies only to tenants created after January 1, 2023. Microsoft isn’t saying why they implemented the restriction, but it’s likely because of a security concern. In any case, the deafening silence from Microsoft has left ISVs that depend on inbound connectors in a very bad place.
Microsoft announced that the new Message Recall feature is rolling out to tenants worldwide. They hope to increase the success rate for recalls imitated by users from 40% to 90%. Significant limitations exist. Message recall only works from Outlook for Windows and recall can only handle messages that remain within the same Exchange organization. Even so, the prospect of a huge improvement in the success rate will make the new feature very attractive to the people who really need to recall a message.
Room mailboxes are still heavily used for in-person meetings. It’s good to know how often and when rooms are used, which is why we have the room mailbox report script. In the second version of the script, we include code to figure out the daily usage pattern of individual rooms and for all rooms across the organization. The graphics in our bar chart are crude, but the chart is generated with a few lines of PowerShell, so feel free to improve the script.
Microsoft announced support for concurrent Exchange Online license assignments, aka license stacking. This means that the workload can sort out the capabilities made available to a user through multiple licenses and make the maximum functionality available to the user through whatever’s deemed to be the “most superior” license. If that sounds like so much mumbo-jumbo, it might just be, unless you’ve been plagued by people losing access to their mailboxes because of shifting license assignments in the past. If you have, this change will make you very happy.
Azure AD user accounts and Exchange Online mailboxes share many properties, including some for a user’s address. When it comes to countries, Azure AD has the country property while Exchange uses the CountryOrRegion property. Sometimes the two don’t match up. Why does this happen and does it matter in practical terms? What other country or regional settings exist that need to be managed? A simple question sets off a big discussion.
This article explains how to use PowerShell to enable Exchange Online archive mailboxes after primary mailboxes reach a certain size. Some simple PowerShell code checks the mailbox size and if it’s too large, enables the archive and assigns a mailbox retention policy containing a default move to archive tag to move items from the primary to the archive mailbox. Some Azure Automation would make sure that the script runs periodically to keep mailboxes in good health.
Microsoft has announced that Exchange Online will block Remote PowerShell connections from October 1, 2023. Taken in isolation, this is excellent news and it will contribute to the move to use modern authentication for all client connections to Exchange Online. However, things aren’t quite so good when you realize that the final deprecation of the Azure AD and MSOL PowerShell modules take place at the same time. Lots of work to do to upgrade scripts!
Microsoft is deploying a change to the Exchange Online transport server to allow tenants to set the message expiration timeout interval to between 12 and 24 hours. The default for the service remains at 24 hours. Reducing the interval means that users will learn about message failures sooner. The hope is that they’ll be able to respond to those failures and resend messages once they learn about problems.
A question was asked about the best way to find out if shared mailboxes received email from certain domains over the past 60 days. Exchange Online historical message traces can extract trace data to allow us to check, but the process of running the message trace and then analyzing the data is just a little disconnected.
Microsoft is moving the creation and management of mail flow rules to the new EAC from November. The UX in the legacy EAC should disappear in December 2022. The new UX is prettier and works better (apart from the rule wizard), but it’s a little disappointing that we have essentially the same way of managing mail flow rules in 2022 as we had in 2006. You can only hope that things might improve in the future.
Exchange Online historical searches are the way to retrieve message trace information that’s older than 10 days (but less than 90 days). You might not have to run historical searches very often, but when you need to, you’ll be glad that the facility exists.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
Microsoft is moving the listing of archived mailboxes from the Purview Compliance portal to its natural home in the Exchange Admin Center. In this post, we look at how you can report the current status of archive mailboxes (both user and shared mailboxes) in a Microsoft 365 tenant.
Now that October 1 has arrived, Microsoft has started the process to permanently remove basic authentication from 7 email connection protocols. So what happens next? Well, for many organizations, not much. They’re the ones that have already transitioned to modern authentication. For others, some unpleasant surprises might lie ahead as people discover that stuff just doesn’t work anymore.
Microsoft revealed some interesting Exchange Online statistics at the MEC 2022 event. 300 K physical mailbox servers is a staggering amount, but 7.3 billion mailboxes might be even more surprising. Also at MEC we discovered more about the campaign to remove basic authentication from Exchange Online and how well Microsoft’s Greg Taylor can communicate in Irish when he presents about the deprecation of basic authentication.
In March 2020, I wrote about mailbox audit events for Office 365 E3 accounts not showing up in the Office 365 audit log. As far as I can tell, Exchange Online deals with new mailboxes properly now. However, there might be some mailboxes in your organization that aren’t generating the audit records you thought they are… so it’s time to check.
Exchange Online shared mailboxes only need licenses if they have an archive, exceed 50 GB in size, or are on litigation hold. The rules are there, but how many tenants check their shared mailboxes to make sure that they’re in compliance. This article explains how to use PowerShell to detect shared mailboxes that need licenses.
The imminent deprecation of basic authentication for 7 Exchange Online connectivity protocols mean that client updates need to be considered. If you use IMAP4, the Thunderbird client does a good job, but will other clients be able to cope? It’s a good question to ask.
Microsoft has launched application access to Exchange Online via IMAP4 and POP3 using modern authentication. The approach Microsoft takes is reasonable and pragmatic and should be simple enough for app developers to implement. However, with an eye on the future, maybe this isn’t the best strategic choice to make. Moving to the Graph APIs will take more work, but it’s a better long-term solution.
The upcoming removal of support for basic authentication in seven Exchange Online connectivity protocols could mean trouble for some Office 365 tenants if they don’t take care to ensure that modern authentication is used for PowerShell connections. The old-style Remote PowerShell connection must be replaced with the Connect-ExchangeOnline cmdlet from the Exchange Online management module (aka the V2 module). Apart from anything else, this should improve the performance and robustness of scripts, especially after Microsoft finishes the work to remove the WinRM dependency for older cmdlets.
Exchange Online plans to change the format of the Name and Distinguished Name mailbox properties. The idea is to make these properties unique and improve synchronization with Azure AD. It all sounds like a good idea, but these properties have been around in Exchange for a long time, and any change will surface in unexpected places – like the output of many Exchange cmdlets. Which is why Microsoft has paused the plan for further reflection.
A management request came in to report email sent by some users to external recipients. Although you might not agree that this is the right thing for any organization to do, it’s very possible by exploiting the message trace information retained by Exchange Online for 90 days. As a bonus, we email the report generated from message tracing data to the requesting manager. Isn’t PowerShell just wonderful?
Finding and removing unused Exchange Online mailboxes used to be a good way to keep Office 365 licenses costs under control. Given the widespread use of Exchange Online as part of bundles like Office 365 and the effect of Teams on email for internal communication, looking for unused mailboxes might not be so important now. In any case, the techniques of looking for evidence of mailbox under-use are interesting and useful for tenant administrators to understand, which is why we have this article!
Microsoft intends to make the Exchange Online plus addressing feature available by default to all Microsoft 365 tenants after April 17, 2022. If you don’t want this to happen, you need to update the Exchange Online organization configuration to update the DisablePlusAddressInRecipients setting to True. After the opt-out 30-day period finishes, Microsoft will proceed with the deployment, so don’t say you weren’t warned!
It seems like it should be possible to transfer a membership rule from an Exchange dynamic distribution list to a dynamic Microsoft 365 group/team, but it’s not. Different directories, schemas, properties. and syntax conspire to stop easy conversion. It’s a pity, but that’s the way life and technology sometimes go…
A post by the Exchange development group tried to explain why mailboxes have SharePoint Online proxy addresses. It’s all down to the Microsoft 365 substrate, which needs the proxy addresses to ingest digital twins from SharePoint Online into Exchange Online for use by shared services like Microsoft Search. The upshot is that you can’t remove a mailbox permanently without some background processes kicking in to make sure that SharePoint is taken care of.
Planner now creates digital twins (copies) of tasks in user mailboxes in Exchange Online to make data available for eDiscovery and compliance. Storing items in the Microsoft 365 substrate is the same approach to making data available for search and compliance as taken by Teams and Yammer.
Microsoft is changing the way the Exchange Online transport service resolves the membership of dynamic distribution groups. Instead of doing this when someone sends a message to a dynamic group, Exchange resolves the membership once daily and whenever the recipient filter changes. It’s a reasonable approach designed to make messages move faster and more reliably, and it’s similar to the way that Azure AD dynamic groups maintain their memberships, so it shouldn’t make much difference.
Every Exchange Online tenant has four mailbox plans. Exchange uses the plans to populate some important mailbox settings based on the license assigned to the mailbox owner. This article explains the four mailbox plans, how to update the plan settings, and some of the things you can’t do with mailbox plans. We also include some PowerShell to report the mailbox plans assigned to users in your Office 365 tenant.
A change rolling out in mid-October will remove storage pressure on the Recoverable Items structure in Exchange Online mailboxes by offloading some data to archive mailboxes. The idea is a good one because it means that the storage allocated to Recoverable Items won’t fill up and require intervention so often. Users won’t know anything about what’s happening under the covers as it’s all hidden from view.
A 1.5 TB limit applies to Exchange Online archive mailboxes from November 1, 2021. In this article, we use PowerShell to report how close expandable archives are to the new limit. In reality, not many archive mailboxes will approach the new limit, but it’s nice to know things like the daily growth rate for an archive and how many days it will take for an archive to reach 1.5 TB. All whimsical stuff calculated with PowerShell!
Last week’s announcement that Exchange Online will block basic authentication for multiple protocols on October 1, 2022, got some attention. Now the hard choices of what to do with clients and applications need to be made. To smoothen the path to remove basic authentication, Microsoft is making an exception for SMTP AUTH. Your scripts and multi-function devices will keep working after October 2022, but the writing is on the wall and eventually even SMTP AUTH will stop working.
October 1, 2022 will be a big day for Exchange Online tenants because that’s when Microsoft starts to disable basic authentication for connectivity protocols whether or not tenants want this to happen. This is a huge and fundamental change that’s being driven by the need to increase the overall security of Exchange Online and individual tenants, while also blocking common attacks seeking to compromise user accounts. With only a year to go, it’s time to start work on preparing everything that needs to be in place for the great October 1 switchoff.
By default, Exchange Online allows other users in your tenant to see limited details of your availability when scheduling meetings. More information can be displayed by updating the calendar permissions for mailboxes. This is easy to do with PowerShell, but needs to be done on an ongoing basis because Exchange Online doesn’t have an organization or mailbox plan setting to assign the value to new mailboxes.
Microsoft hopes to accelerate the removal of TLS 1.0 and 1.2 connections from Exchange Online by disabling connectivity in 2022 and forcing organizations which need to use the older protocols to connect to a new “legacy smtp” endpoint. It’s not a bad plan because it transfers responsibility for choosing to use obsolete connections to customers. Most organizations will go with the flow (no pun intended) and use TLS 1.2, but those who need some time to update applications and devices know what they have to do.
Exchange Online already imposes limits on the number of messages a mailbox can receive per hour. New limits will restrict the number of messages individual senders can send to a third of the overall limit. The restriction doesn’t apply to senders with an Exchange Online mailbox in the same tenant. And if a mailbox runs into a limit, it features on the splendidly named Hot Recipients report. What’s not to like about that.
New teams created using Teams clients are hidden from Exchange Online, but those created using administrative interfaces are not. The result is potential confusion. in this post, we describe a PowerShell script to find any team-enabled Microsoft 365 Groups which are visible to Exchange and hide them. It’s easy scripting, but you need to run the script periodically to update the settings for new teams.