The Office 365 for IT Pros eBook team covers a wide range of Exchange Online topics in the book and on our web site. Anything from setting email auto-replies to protecting email with transport rules.
Exchange Online organizations configured with multiple geos (satellite regions) still find it problematic to search for mailbox audit events. Microsoft might have fixed the problem for admin audit events, but mailbox audit events are often more important.
Microsoft has decided to push the final deprecation of client access rules to September 2024. However, only rules that can’t be migrated can be used until then. All other client access rules will stop working in September 2023. Microsoft isn’t clear about what technical limitations might allow rules to work for the extra year, nor do they say how tenants can check except by “opening a support ticket.” Although it’s good to move to conditional access policies, Microsoft really could communicate better.
Microsoft’s plan to stop Exchange Online accepting email from unsupported Exchange Servers caused a lot of fuss and bother. Looking through the commentary and questions about the announcement, I’m not sure if people understand fully what’s happening. It seems clear to me, but as Richard Campbell of RunAs Radio fame wants me to rant about the topic, here’s my measured opinion (not a rant).
Microsoft uses machine learning in Outlook and Exchange Online to create the basis for what they call intelligent technology like suggested replies and text prediction. To generate the language models used to figure out how Outlook should respond to users, Microsoft needs to copy data from user mailboxes for processing. The data is removed and the results stored in user mailboxes once processing is complete. Is this an issue for Microsoft 365 tenants? It all depends on your view of how data should be processed.
Mail contacts have long been used by Exchange organizations to provide an identity for external people. Contacts show up in the GAL to make it easy for users to send messages to external people and they can be included in distribution lists. The downside is that mail contacts are only available to Exchange Online. Perhaps the time is right to consider switching focus to Azure AD guest accounts? We explore the option here.
The Test-Message cmdlet is a useful tool to check if Exchange transport rules and DLP policies work correctly. You can input a test message to see what happens as the Exchange transport service applies transport rules, DLP policies, and auto-label policies based on the message contents and properties. Nice as it is to have the Test-Message cmdlet, human knowledge of what transport rules should do is probably an even more important asset.
Exchange Online will create a new inbound connector but won’t activate it until the tenant gives a business justification to Microsoft Support. The restriction applies only to tenants created after January 1, 2023. Microsoft isn’t saying why they implemented the restriction, but it’s likely because of a security concern. In any case, the deafening silence from Microsoft has left ISVs that depend on inbound connectors in a very bad place.
Microsoft announced that the new Message Recall feature is rolling out to tenants worldwide. They hope to increase the success rate for recalls imitated by users from 40% to 90%. Significant limitations exist. Message recall only works from Outlook for Windows and recall can only handle messages that remain within the same Exchange organization. Even so, the prospect of a huge improvement in the success rate will make the new feature very attractive to the people who really need to recall a message.
Room mailboxes are still heavily used for in-person meetings. It’s good to know how often and when rooms are used, which is why we have the room mailbox report script. In the second version of the script, we include code to figure out the daily usage pattern of individual rooms and for all rooms across the organization. The graphics in our bar chart are crude, but the chart is generated with a few lines of PowerShell, so feel free to improve the script.
Microsoft announced support for concurrent Exchange Online license assignments, aka license stacking. This means that the workload can sort out the capabilities made available to a user through multiple licenses and make the maximum functionality available to the user through whatever’s deemed to be the “most superior” license. If that sounds like so much mumbo-jumbo, it might just be, unless you’ve been plagued by people losing access to their mailboxes because of shifting license assignments in the past. If you have, this change will make you very happy.
Much to our distress, we discovered that the contact form for the Office 365 for IT Pros website was broken. We fixed everything up and use a shared mailbox to receive the contacts logged by people on the website. In fact, we use a distribution list as the first point of contact. Its membership includes the shared mailbox and other user mailboxes. Everything works very nicely now.
Azure AD user accounts and Exchange Online mailboxes share many properties, including some for a user’s address. When it comes to countries, Azure AD has the country property while Exchange uses the CountryOrRegion property. Sometimes the two don’t match up. Why does this happen and does it matter in practical terms? What other country or regional settings exist that need to be managed? A simple question sets off a big discussion.
This article explains how to use PowerShell to enable Exchange Online archive mailboxes after primary mailboxes reach a certain size. Some simple PowerShell code checks the mailbox size and if it’s too large, enables the archive and assigns a mailbox retention policy containing a default move to archive tag to move items from the primary to the archive mailbox. Some Azure Automation would make sure that the script runs periodically to keep mailboxes in good health.
Microsoft announced that they will pause sending the daily Viva Briefing messages to make improvements to the personalized content in the messages. No detail has been revealed about the kind of changes Microsoft is contemplating, so all we can do is write some PowerShell to show which mailboxes are currently enabled to receive the daily briefing.
Microsoft has announced that Exchange Online will block Remote PowerShell connections from October 1, 2023. Taken in isolation, this is excellent news and it will contribute to the move to use modern authentication for all client connections to Exchange Online. However, things aren’t quite so good when you realize that the final deprecation of the Azure AD and MSOL PowerShell modules take place at the same time. Lots of work to do to upgrade scripts!
Microsoft is deploying a change to the Exchange Online transport server to allow tenants to set the message expiration timeout interval to between 12 and 24 hours. The default for the service remains at 24 hours. Reducing the interval means that users will learn about message failures sooner. The hope is that they’ll be able to respond to those failures and resend messages once they learn about problems.
On the surface, it seems easy to report when someone releases a quarantined message. As it turns out, things aren’t quite as easy as it first seems. Audit events are available in the unified audit log, but they don’t tell the full story. But by putting that data together with information about messages in quarantine, we can create a composite view that’s closer to what’s needed.
A question was asked about the best way to find out if shared mailboxes received email from certain domains over the past 60 days. Exchange Online historical message traces can extract trace data to allow us to check, but the process of running the message trace and then analyzing the data is just a little disconnected.
Microsoft will deprecate the Azure AD and MSOL PowerShell modules in June 2023. It’s time to convert scripts that use cmdlets from these modules and the Microsoft Graph PowerShell SDK is probably the best answer. This article explains how to generate a report of Exchange Online distribution list memberships, a task often handled in the past with Azure AD cmdlets.
Several methods exist to add new user accounts to groups automatically. Dynamic group membership is an obvious option, but other choices exist, including org-wide teams (if your organization is under 10,000 accounts) and using PowerShell to manage the automatic addition of new members to a standard distribution list or Microsoft 365 group. This article examines the various methods. Once you understand what’s possible, you can make the right choice.
Microsoft is introducing a block to stop customers attempting to move auto-expanding archives to Exchange Server. No very of the on-premises server has ever supported auto-expanding archives, so it’s reasonable to have a block. It’s still possible to move a primary mailbox back to Exchange Server, but its auto-expanding archive must stay in the cloud. It’s a good factor to take into account if an organization plans to use auto-expanding archives in the future.
Outlook Groups now boast support for folders and rules. In other words, group owners and members (if allowed) can create new folders and move and copy items from the inbox to those folders. They can also create rules to process inbound email arriving into the group inbox. It’s all well and good, but there are a few points to understand about how things work.
Microsoft is moving the creation and management of mail flow rules to the new EAC from November. The UX in the legacy EAC should disappear in December 2022. The new UX is prettier and works better (apart from the rule wizard), but it’s a little disappointing that we have essentially the same way of managing mail flow rules in 2022 as we had in 2006. You can only hope that things might improve in the future.
A November 3 announcement says that Microsoft will deprecate the bulk distribution list migration feature in the legacy EAC on February 1, 2023. Although no one will probably be surprised by the news, it’s disappointing that all Microsoft can suggest is a manual conversion process for those who want to move (simple) distribution lists to Microsoft 365 groups. Is it too much to ask to have a PowerShell script to do the job?
Exchange Online historical searches are the way to retrieve message trace information that’s older than 10 days (but less than 90 days). You might not have to run historical searches very often, but when you need to, you’ll be glad that the facility exists.
Users will soon have the option to use Outlook reactions to respond to emails received from people inside the same tenant (well, it also works with some other tenants). It’s the same kind of feature that already exists in Yammer and Teams, but whether this kind of response works with email remains to be seen. It’s a cultural thing!
A reader asked how to update user email addresses and UPNs. As it turns out, this is not a very difficult technical challenge. The problem lies in the aftermath. It’s easy to update the primary SMTP address for a mail-enabled object or assign a new user principal name to an Azure AD account. Then problems might come into view, like needing to adjust the Microsoft Authenticator app to make MFA challenges work for the new UPN.
An October 14 report says that Office 365 Message Encryption shouldn’t be used because its encryption scheme might reveal email content. Well, that might be the case if an attacker can hijack connectivity from Office 365 to another email service. But the relatively low levels of OME usage and the difficulty of acquiring enough email to understand message structure makes this a less than practical attack in the wild.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
The Outlook Sweep feature is available in OWA and the Outlook Monarch client. The idea is that you clean up your mailbox by ‘sweeping’ unwanted items into somewhere like the Deleted Items folder. As it turns out, the Sweep feature uses both Inbox and Sweep rules to get its work done. Overall, Sweep is a pretty useful piece of functionality.
External tagging has been available for OWA, Outlook mobile, and Outlook for Mac since 2021. Now it’s coming to Outlook for Windows. Some might wonder about why it’s taken Microsoft so long to add external tagging to the Windows client. It might be that they’re waiting for the Monarch client, but it’s more likely the difficulty of retrofitting new features into the Outlook GUI.
Microsoft is moving the listing of archived mailboxes from the Purview Compliance portal to its natural home in the Exchange Admin Center. In this post, we look at how you can report the current status of archive mailboxes (both user and shared mailboxes) in a Microsoft 365 tenant.
Hidden membership is supported for Microsoft 365 Groups and distribution lists. Hidden membership means that no one except members and admins can see who’s in a group. It’s a useful feature if you don’t want people poking around to find out who’s in a group or distribution list. One thing to be aware of is that once a Microsoft 365 group has hidden membership, it has it forever. Distribution lists on the other hand can flip between hidden and visible membership.
Now that October 1 has arrived, Microsoft has started the process to permanently remove basic authentication from 7 email connection protocols. So what happens next? Well, for many organizations, not much. They’re the ones that have already transitioned to modern authentication. For others, some unpleasant surprises might lie ahead as people discover that stuff just doesn’t work anymore.
Microsoft revealed some interesting Exchange Online statistics at the MEC 2022 event. 300 K physical mailbox servers is a staggering amount, but 7.3 billion mailboxes might be even more surprising. Also at MEC we discovered more about the campaign to remove basic authentication from Exchange Online and how well Microsoft’s Greg Taylor can communicate in Irish when he presents about the deprecation of basic authentication.
Outlook automapping is usually a good thing. Exchange marks a mailbox after a user receives full access permission for the mailbox. Autodiscover publishes details of the new access, and Outlook adds the mailbox to its resource list. But Some downsides exist, like the size of the OST, which mean that sometimes it’s better to add a mailbox manually to Outlook and forget about automapping.
Over the next two weeks, I’ll attend and present at the Microsoft Exchange Conference and The Experts Conference (MEC and TEC). It should be fun! It’s nice to see conferences gradually returning to normal. I prefer in-person events and am looking forward to TEC in Atlanta on September 20-21. Before then, there’s the small matter of presenting two sessions at MEC 2022.
Outlook boasts a useless Archive folder. At least, I can’t come up with any good reason to use the Archive folder. It only confuses people in discussions about archiving. The one good thing I discovered when I revisited the topic is that a registry key exists to stop Outlook moving items into the Archive folder with the backspace key.
In March 2020, I wrote about mailbox audit events for Office 365 E3 accounts not showing up in the Office 365 audit log. As far as I can tell, Exchange Online deals with new mailboxes properly now. However, there might be some mailboxes in your organization that aren’t generating the audit records you thought they are… so it’s time to check.
Exchange Online shared mailboxes only need licenses if they have an archive, exceed 50 GB in size, or are on litigation hold. The rules are there, but how many tenants check their shared mailboxes to make sure that they’re in compliance. This article explains how to use PowerShell to detect shared mailboxes that need licenses.