Microsoft announced support for concurrent Exchange Online license assignments, aka license stacking. This means that the workload can sort out the capabilities made available to a user through multiple licenses and make the maximum functionality available to the user through whatever’s deemed to be the “most superior” license. If that sounds like so much mumbo-jumbo, it might just be, unless you’ve been plagued by people losing access to their mailboxes because of shifting license assignments in the past. If you have, this change will make you very happy.
Much to our distress, we discovered that the contact form for the Office 365 for IT Pros website was broken. We fixed everything up and use a shared mailbox to receive the contacts logged by people on the website. In fact, we use a distribution list as the first point of contact. Its membership includes the shared mailbox and other user mailboxes. Everything works very nicely now.
Azure AD user accounts and Exchange Online mailboxes share many properties, including some for a user’s address. When it comes to countries, Azure AD has the country property while Exchange uses the CountryOrRegion property. Sometimes the two don’t match up. Why does this happen and does it matter in practical terms? What other country or regional settings exist that need to be managed? A simple question sets off a big discussion.
This article explains how to use PowerShell to enable Exchange Online archive mailboxes after primary mailboxes reach a certain size. Some simple PowerShell code checks the mailbox size and if it’s too large, enables the archive and assigns a mailbox retention policy containing a default move to archive tag to move items from the primary to the archive mailbox. Some Azure Automation would make sure that the script runs periodically to keep mailboxes in good health.
Microsoft announced that they will pause sending the daily Viva Briefing messages to make improvements to the personalized content in the messages. No detail has been revealed about the kind of changes Microsoft is contemplating, so all we can do is write some PowerShell to show which mailboxes are currently enabled to receive the daily briefing.
Microsoft has announced that Exchange Online will block Remote PowerShell connections from October 1, 2023. Taken in isolation, this is excellent news and it will contribute to the move to use modern authentication for all client connections to Exchange Online. However, things aren’t quite so good when you realize that the final deprecation of the Azure AD and MSOL PowerShell modules take place at the same time. Lots of work to do to upgrade scripts!
Microsoft is deploying a change to the Exchange Online transport server to allow tenants to set the message expiration timeout interval to between 12 and 24 hours. The default for the service remains at 24 hours. Reducing the interval means that users will learn about message failures sooner. The hope is that they’ll be able to respond to those failures and resend messages once they learn about problems.
On the surface, it seems easy to report when someone releases a quarantined message. As it turns out, things aren’t quite as easy as it first seems. Audit events are available in the unified audit log, but they don’t tell the full story. But by putting that data together with information about messages in quarantine, we can create a composite view that’s closer to what’s needed.
A question was asked about the best way to find out if shared mailboxes received email from certain domains over the past 60 days. Exchange Online historical message traces can extract trace data to allow us to check, but the process of running the message trace and then analyzing the data is just a little disconnected.
Microsoft will deprecate the Azure AD and MSOL PowerShell modules in June 2023. It’s time to convert scripts that use cmdlets from these modules and the Microsoft Graph PowerShell SDK is probably the best answer. This article explains how to generate a report of Exchange Online distribution list memberships, a task often handled in the past with Azure AD cmdlets.
Several methods exist to add new user accounts to groups automatically. Dynamic group membership is an obvious option, but other choices exist, including org-wide teams (if your organization is under 10,000 accounts) and using PowerShell to manage the automatic addition of new members to a standard distribution list or Microsoft 365 group. This article examines the various methods. Once you understand what’s possible, you can make the right choice.
Microsoft is introducing a block to stop customers attempting to move auto-expanding archives to Exchange Server. No very of the on-premises server has ever supported auto-expanding archives, so it’s reasonable to have a block. It’s still possible to move a primary mailbox back to Exchange Server, but its auto-expanding archive must stay in the cloud. It’s a good factor to take into account if an organization plans to use auto-expanding archives in the future.
Outlook Groups now boast support for folders and rules. In other words, group owners and members (if allowed) can create new folders and move and copy items from the inbox to those folders. They can also create rules to process inbound email arriving into the group inbox. It’s all well and good, but there are a few points to understand about how things work.
Microsoft is moving the creation and management of mail flow rules to the new EAC from November. The UX in the legacy EAC should disappear in December 2022. The new UX is prettier and works better (apart from the rule wizard), but it’s a little disappointing that we have essentially the same way of managing mail flow rules in 2022 as we had in 2006. You can only hope that things might improve in the future.
A November 3 announcement says that Microsoft will deprecate the bulk distribution list migration feature in the legacy EAC on February 1, 2023. Although no one will probably be surprised by the news, it’s disappointing that all Microsoft can suggest is a manual conversion process for those who want to move (simple) distribution lists to Microsoft 365 groups. Is it too much to ask to have a PowerShell script to do the job?
Exchange Online historical searches are the way to retrieve message trace information that’s older than 10 days (but less than 90 days). You might not have to run historical searches very often, but when you need to, you’ll be glad that the facility exists.
Users will soon have the option to use Outlook reactions to respond to emails received from people inside the same tenant (well, it also works with some other tenants). It’s the same kind of feature that already exists in Yammer and Teams, but whether this kind of response works with email remains to be seen. It’s a cultural thing!
A reader asked how to update user email addresses and UPNs. As it turns out, this is not a very difficult technical challenge. The problem lies in the aftermath. It’s easy to update the primary SMTP address for a mail-enabled object or assign a new user principal name to an Azure AD account. Then problems might come into view, like needing to adjust the Microsoft Authenticator app to make MFA challenges work for the new UPN.
An October 14 report says that Office 365 Message Encryption shouldn’t be used because its encryption scheme might reveal email content. Well, that might be the case if an attacker can hijack connectivity from Office 365 to another email service. But the relatively low levels of OME usage and the difficulty of acquiring enough email to understand message structure makes this a less than practical attack in the wild.
This article describes how to use the Exchange.ManageAsApp permission to allow Azure AD apps to run Exchange Online PowerShell cmdlets. You can do this in the Azure AD admin center for registered apps, but when the time comes to allow Azure Automation runbooks to sign into Exchange Online with a managed identity, you must assign the permission to the automation account with PowerShell. Easy when you know how, hard when you don’t!
The Outlook Sweep feature is available in OWA and the Outlook Monarch client. The idea is that you clean up your mailbox by ‘sweeping’ unwanted items into somewhere like the Deleted Items folder. As it turns out, the Sweep feature uses both Inbox and Sweep rules to get its work done. Overall, Sweep is a pretty useful piece of functionality.
External tagging has been available for OWA, Outlook mobile, and Outlook for Mac since 2021. Now it’s coming to Outlook for Windows. Some might wonder about why it’s taken Microsoft so long to add external tagging to the Windows client. It might be that they’re waiting for the Monarch client, but it’s more likely the difficulty of retrofitting new features into the Outlook GUI.
Microsoft is moving the listing of archived mailboxes from the Purview Compliance portal to its natural home in the Exchange Admin Center. In this post, we look at how you can report the current status of archive mailboxes (both user and shared mailboxes) in a Microsoft 365 tenant.
Hidden membership is supported for Microsoft 365 Groups and distribution lists. Hidden membership means that no one except members and admins can see who’s in a group. It’s a useful feature if you don’t want people poking around to find out who’s in a group or distribution list. One thing to be aware of is that once a Microsoft 365 group has hidden membership, it has it forever. Distribution lists on the other hand can flip between hidden and visible membership.
Now that October 1 has arrived, Microsoft has started the process to permanently remove basic authentication from 7 email connection protocols. So what happens next? Well, for many organizations, not much. They’re the ones that have already transitioned to modern authentication. For others, some unpleasant surprises might lie ahead as people discover that stuff just doesn’t work anymore.
Microsoft revealed some interesting Exchange Online statistics at the MEC 2022 event. 300 K physical mailbox servers is a staggering amount, but 7.3 billion mailboxes might be even more surprising. Also at MEC we discovered more about the campaign to remove basic authentication from Exchange Online and how well Microsoft’s Greg Taylor can communicate in Irish when he presents about the deprecation of basic authentication.
Outlook automapping is usually a good thing. Exchange marks a mailbox after a user receives full access permission for the mailbox. Autodiscover publishes details of the new access, and Outlook adds the mailbox to its resource list. But Some downsides exist, like the size of the OST, which mean that sometimes it’s better to add a mailbox manually to Outlook and forget about automapping.
Over the next two weeks, I’ll attend and present at the Microsoft Exchange Conference and The Experts Conference (MEC and TEC). It should be fun! It’s nice to see conferences gradually returning to normal. I prefer in-person events and am looking forward to TEC in Atlanta on September 20-21. Before then, there’s the small matter of presenting two sessions at MEC 2022.
Outlook boasts a useless Archive folder. At least, I can’t come up with any good reason to use the Archive folder. It only confuses people in discussions about archiving. The one good thing I discovered when I revisited the topic is that a registry key exists to stop Outlook moving items into the Archive folder with the backspace key.
In March 2020, I wrote about mailbox audit events for Office 365 E3 accounts not showing up in the Office 365 audit log. As far as I can tell, Exchange Online deals with new mailboxes properly now. However, there might be some mailboxes in your organization that aren’t generating the audit records you thought they are… so it’s time to check.
Exchange Online shared mailboxes only need licenses if they have an archive, exceed 50 GB in size, or are on litigation hold. The rules are there, but how many tenants check their shared mailboxes to make sure that they’re in compliance. This article explains how to use PowerShell to detect shared mailboxes that need licenses.
Microsoft plans to reduce the recovery period for inactive mailboxes newly released from retention holds and policies from 183 to 30 days. The change will be implemented worldwide by the end of September. The reduction in recovery time sounds seriously but it’s really not. If you haven’t figured out that you need to recover some data from an old inactive mailbox within 30 days, the data probably isn’t needed. And anyway, if you really want to, you can keep inactive mailboxes forever.
Outlook’s new Booking with Me feature is rolling out worldwide. Any user with an Exchange Online license can create a personal bookings page to allow other internal and external people to book meetings with them. It’s a nice idea and a good example of how Microsoft can use its software toolkit to create new solutions.
The Microsoft Bookings app is available to many Office 365 users. The app is designed to host a shared calendar for a group of people. The calendars are in special scheduling mailboxes that are created by the Microsoft 365 substrate. Appointments in the calendar can be scheduled by people through a bookings page, which can be on the internet or confined within an organization. It’s a neat way to run an online business – if only Bookings could take in some money for all that scheduled work.
Microsoft promises they will deliver the long-awaiting Outlook roaming signatures feature in October 2022. There are signs of progress in Outlook beta builds, but the development of the feature has caused some disruption for Microsoft 365 tenants because it broke the cmdlet that updates HTML signatures for OWA. Oh well, it will all be OK in October. At least, that’s the plan.
The imminent deprecation of basic authentication for 7 Exchange Online connectivity protocols mean that client updates need to be considered. If you use IMAP4, the Thunderbird client does a good job, but will other clients be able to cope? It’s a good question to ask.
Loop components are now supported in OWA. The implementation is reasonably close to that of Teams chat, but has some essential differences due to the nature of email. The current state of Loop components mean that they are highly suited for internal communication but not for collaboration outside an organization.
Microsoft has launched application access to Exchange Online via IMAP4 and POP3 using modern authentication. The approach Microsoft takes is reasonable and pragmatic and should be simple enough for app developers to implement. However, with an eye on the future, maybe this isn’t the best strategic choice to make. Moving to the Graph APIs will take more work, but it’s a better long-term solution.
Microsoft is introducing new controls for delegate access to encrypted emails accessed via Outlook clients other than Outlook for Windows. The controls are implemented in three new PowerShell cmdlets which can block, validate, and allow delegate access to encrypted messages. It’s nice to see some coherence being introduced for almost all the Outlook clients, even if Outlook for Windows does its own thing.
Exchange Online tenants have a choice between inactive mailboxes and shared mailboxes when the need arises to keep “leaver” data like that belonging to ex-employees. Inactive mailboxes are essentially a compliance tool and sometimes shared mailboxes are better choices. We explore both in this short article.