
Contents

Exchange Online
Exchange admin center
Permissions
Feature permissions
Role groups
Role assignment policies
Security and compliance
Modify archive policies
In-Place and Litigation Holds
Create or remove In-Place Holds
In-Place eDiscovery
Assign eDiscovery permissions
Create In-Place eDiscovery search
Export search results
Message properties and search operators
Search limits
Create a discovery mailbox
Create custom management scope
Reduce discovery mailbox size
Delete and re-create default discovery mailbox
Data loss prevention
DLP rule application
Integrate sensitive information rules
DLP policy templates
Create DLP policy from template
Create custom DLP policy
Policy Tips
Manage policy tips
Exchange auditing reports
Export mailbox audit logs
Non-owner mailbox access report
Per-mailbox litigation hold report
Search role group changes
View administrator audit log
View external admin audit log
Messaging records management
Retention tags and policies
Default Retention Policy
Default folders
Retention age
Create a Retention Policy
Add or remove retention tags
Apply retention policy
Mailbox retention hold
Journaling
Manage journaling
Configure Journaling
Mail flow rules
Conditions and exceptions
Mail flow rule actions
Configuration best practices
Inspect message attachments
Enable encryption and decryption
Common attachment blocking scenarios
Disclaimers, signatures, footers, or headers
Mail flow rule procedures
Manage mail flow rules
Test mail flow rules
Use rules to bypass Clutter
Use rules to route email
Use rules to add meetings
Manage message approval
Common message approval scenarios
Recoverable Items folder in Exchange Online
Clean up or delete items from the Recoverable Items folder in Exchange Online
Mail flow best practices
Test mail flow
Troubleshoot mail flow
Use connectors to configure mail flow
Do I need to create a connector?
Set up connectors to route mail
Set up connectors for secure mail flow with a partner
Validate connectors
Conditional mail routing
Integrate Office 365 with an email add-on service
Use Directory Based Edge Blocking
Manage accepted domains
Enable mail flow for subdomains
Remote domains
Manage remote domains
Supported character sets
Message format and transmission
Configure external postmaster address
Manage mailboxes with Office 365
Manage mail flow using third-party cloud
Manage mail flow for multiple locations
Manage mail flow on Office 365 and on-prem
How to set up a multifunction device or application to send email using Office 365
How to configure IIS for relay with Office 365
Fix issues with printers, scanners, and LOB applications that send email using Office 365
Recipients in Exchange Online
Message and recipient limits
Create user mailboxes
Delete or restore mailboxes
Manage user mailboxes
Add or remove email addresses
Change deleted item retention
Configure email forwarding
Configure message delivery restrictions
Convert a mailbox
Enable or disable Exchange ActiveSync
Enable or disable MAPI
Enable or disable Outlook on the web
Mailbox plans
Automatically save sent items in delegator's mailbox
Clutter notifications in Outlook
Change Clutter notification branding
Enable or disable single item recovery
Recover deleted messages
Use PowerShell to display mailbox information
Manage distribution groups
Create group naming policy
Override group naming policy
Manage dynamic distribution groups
View group members
Manage mail-enabled security groups
Manage group access to Office 365 groups
Manage mail contacts
Manage mail users
Manage room mailboxes
Manage equipment mailboxes
Manage permissions for recipients
Manage Facebook contact sync
Manage LinkedIn contact sync
Configure a moderated recipient
Migrate multiple email accounts
Decide on a migration path
Use Minimal Hybrid to quickly migrate
What to know about a cutover migration
Cutover migration to Office 365
What to know about a staged migration
Perform a staged migration
Convert Exchange 2007 mailboxes
Convert Exchange 2003 mailboxes
Migrating IMAP mailboxes
Migrate G Suite mailboxes
Migrate other types of IMAP mailboxes
IMAP migration in the admin center
Setting up your IMAP server connection
Optimizing IMAP migrations
CSV files for IMAP migrations
Prepare Gmail or G Suite accounts
Migrating your Outlook.com account
Enable 2-step verification for Google apps
Migrate mailboxes across tenants
Migrate from Lotus Notes
Add an SSL certificate to Exchange 2013
Add an SSL certificate to Exchange 2010
Add an SSL certificate to Exchange 2007
Enable Gmail accounts for IMAP
Office 365 migration best practices
Assign permissions for migration
Manage migration batches
Migration users status report
CSV files for migration
Collaboration
Public folders
Public folder procedures
Batch migration of legacy public folders
Batch migration of Exchange 2013 public folders
Roll back Exchange 2013 public folder migration
Migrate your public folders to Office 365 Groups
Batch migration of Exchange Online public folders
Set up legacy hybrid public folders
Set up modern hybrid public folders
Set up EXO hybrid public folders
Set up public folders
Access public folders with Outlook 2016 for Mac
Create public folder mailbox
Create public folder
Recover deleted public folder mailbox
Use favorite public folders
Enable or disable mail for public folder
Update public folder hierarchy
Remove public folder
View public folder statistics
Shared mailboxes
Address books
Address book policies
Address book policy procedures
Turn on address book policy routing
Create an address book policy
Assign an address book policy to users
Change the settings of an address book policy
Remove an address book policy
Address lists
Address list procedures
Manage address lists
Use recipient filters to create an address list
Remove a global address list
Configure global address list properties
Create global address list
Hierarchical address books
Enable or disable hierarchical address books
Offline address books
Offline address book procedures
Create offline address book
Add or remove an address list
Change default offline address book
Provision recipients
Remove offline address book
Sharing
Organization relationships
Create an organization relationship
Modify an organization relationship
Remove an organization relationship
Sharing policies
Create a sharing policy
Apply a sharing policy
Modify a sharing policy
Voice mail: Unified Messaging
Greetings, announcements, menus, and prompts
Set dial plan default language
Select auto attendant language
Enable custom prompt recording
Telephone system integration with UM
Telephony advisor for Exchange 2013
Configuration notes for VoIP gateways
Configuration notes for session border controllers
Connect voice mail system
UM dial plans
UM dial plan procedures
Create UM dial plan
Manage UM dial plan
Change audio codec
Configure maximum call duration
Configure maximum recording duration
Configure recording idle time-out
Configure VoIP security setting
Configure dial plan for users with similar names
Delete UM dial plan
UM IP gateways
UM IP gateway procedures
Create UM IP gateway
Manage UM IP gateway
Enable UM IP gateway
Disable UM IP gateway
Configure fully qualified domain name
Configure IP address
Configure listening port
Delete UM IP gateway
UM hunt groups
UM hunt group procedures
Create UM hunt group
View UM hunt group
Delete UM hunt group
Automatically answer and route calls
DTMF interface
UM auto attendant procedures
Set up UM auto attendant
Create a UM auto attendant
Add an auto attendant extension number
Configure business hours
Create a holiday schedule
Enter a business name
Set a business location
Configure the time zone
Enable a customized business hours greeting
Enable a customized business hours menu prompt
Enable a customized non-business hours greeting
Enable a customized non-business hours menu prompt
Enable an informational announcement
Create menu navigation
Create business hours navigation menus
Create non-business hours navigation menus
Manage UM auto attendant
Configure DTMF fallback auto attendant
Enable UM auto attendant
Disable UM auto attendant
Delete UM auto attendant
Enable or disable speech recognition
Enable or prevent transferring calls
Enable or disable sending voice messages
Enable or disable directory lookups
Configure users that can be contacted
Configure auto attendant for users with similar names
Set up voice mail
UM mailbox policies
UM mailbox policy procedures
Create UM mailbox policy
Manage UM mailbox policy
Delete UM mailbox policy
Voice mail for users
Voice mail-enabled user procedures
Enable a user for voice mail
Include text with email sent when voicemail is enabled
Manage voice mail settings
Assign UM mailbox policy
Change UM dial plan
Enable calls from users who aren't UM-enabled
Disable calls from users who aren't UM-enabled
Allow callers without caller ID to leave voice message
Include text with email sent when voice message is received
Prevent callers without caller ID from leaving voice message
Disable voice mail
Change SIP address
Change extension number
Add SIP address
Remove SIP address
Add extension number
Remove extension number
Change E.164 number
Add E.164 number
Remove E.164 number
Set up client voice mail features
Set up Outlook Voice Access
Outlook Voice Access commands
Navigating menus with Outlook Voice Access
Play on Phone
Outlook Voice Access procedures
Enable or disable Outlook Voice Access
Configure Outlook Voice Access number
Disable selected features
Set mailbox features for users
Set mailbox features for a user
Enable or disable automatic speech recognition
Enable an informational announcement
Enable a customized greeting
Enable or disable Play on Phone
Enable or disable sending voice messages
Enable or prevent transferring calls
Configure the group of users that Outlook Voice Access users can contact
Configure primary search method
Configure secondary search method
Configure number of sign-in failures
Configure number of input failures
Configure personal greetings limit
Protect voice mail
Protected Voice Mail procedures
Configure Protected Voice Mail from authenticated callers
Configure Protected Voice Mail from unauthenticated callers
Enable or disable multimedia playback
Specify text to display for clients that don't support Windows Rights Management
Allow voice mail users to forward calls
Forwarding calls procedures
Call answering rules
Call answering rules in the same mailbox policy
Create a call answering rule
View and manage a call answering rule
Enable or disable a call answering rule for a user
Remove a call answering rule for a user
Allow users to see a voice mail transcript
Voice Mail Preview advisor
Voice Mail Preview procedures
Configure Voice Mail Preview partner services
Enable Voice Mail Preview
Disable Voice Mail Preview
MWI in Exchange Online
Allow MWI procedures
Allow MWI on UM IP gateway
Prevent MWI on UM IP gateway
Enable MWI for users
Disable MWI for users
Enable missed call notifications
Disable missed call notifications
Allow users to make calls
Dial codes, number prefixes, number formats
Allow users to make calls procedures
Enable outgoing calls on UM IP gateways
Disable outgoing calls on UM IP gateways
Configure dial codes
Create dialing rules
Authorize calls using dialing rules
Set up incoming faxing
Fax advisor for Exchange UM
Faxing procedures
Set the partner fax server URI to allow faxing
Include text with the email sent when a fax message is received
Allow users in the same dial plan to receive faxes
Prevent users in the same dial plan from receiving faxes
Enable faxing for a group of users
Disable faxing for a group of users
Enable a user to receive faxes
Prevent a user from receiving faxes
Set Outlook Voice Access PIN security
PIN security procedures
Set PIN policies
Reset a voice mail PIN
Retrieve voice mail PIN information
Include text in email sent when PIN is reset
Set minimum PIN length
Set PIN lifetime
Set number of previous PINs to recycle
Disable common PIN patterns
Enable common PIN patterns
Set number of sign-in failures before PIN reset
Set number of sign-in failures before lock out
Run voice mail call reports
UM reports procedures
Review voice mail calls for organization
Review voice mail calls for user
Audio quality of voice calls in organization
Audio quality of voice calls for user
Interpret voice mail call records
UM and voice mail terminology
Clients and mobile in Exchange Online
Exchange ActiveSync
Mobile device mailbox policies
POP3 and IMAP4
Enable or disable POP3 or IMAP4 access
POP3 or IMAP4 settings
Outlook for iOS and Android
Outlook for iOS and Android FAQ
Setup with modern authentication
Manage Outlook for iOS and Android
Secure Outlook for iOS and Android
Deploy app config settings
Outlook for iOS and Android in the Government Cloud
Mobile access
Configure email on mobile phone
Remote wipe on mobile phone
Outlook on the web
Outlook Web App mailbox policies
Outlook Web App mailbox policy procedures
Create Outlook Web App mailbox policy
Apply or remove Outlook Web App mailbox policy
Remove Outlook Web App mailbox policy
Configure Outlook Web App mailbox policy properties
OWA for Devices contact sync
Public attachment handling
Increase the space used by Inbox rules
MailTips
Configure large audience size
Configure custom MailTips
MailTips over organization relationships
Manage MailTips for organization relationships
Add-ins for Outlook
Remote Connectivity Analyzer tests
Client Access Rules
Procedures for Client Access Rules
Disable Basic authentication in Exchange Online
Enable or disable modern authentication in Exchange Online
Monitoring
Use mail protection reports
Customize and schedule mail protection reports
What happened to delivery reports in Office 365?
Trace an email message
Run a Message Trace and View Results
Message Trace FAQ
Back up email
Fix Outlook connection problems in Office 365 and Exchange Online
Fix Outlook and Office 365 issues
Diagnostic log collection in Support and Recovery Assistant
Find and fix email delivery issues as an Office 365 for business admin
About Exchange documentation
Accessibility
Accessibility in Exchange admin center
Get started using screen reader
Keyboard shortcuts in admin center
Use screen reader to add equipment mailbox in Exchange admin center
Use screen reader to add mail contact in Exchange admin center
Use screen reader to add room mailbox in Exchange admin center
Use screen reader to add shared mailbox in Exchange admin center 2016
Use screen reader to add members to a distribution group in Exchange admin center
Use screen reader to archive mailbox items in Exchange admin center
Use screen reader to configure collaboration in Exchange admin center
Use screen reader to create distribution group in Exchange admin center
Use screen reader to configure mail flow rules in Exchange admin center
Use screen reader to define rules that encrypt or decrypt email in Exchange admin center 2016
Use screen reader to edit mailbox display name in Exchange admin center
Use screen reader to export and review audit logs in Exchange admin center
Use screen reader to identify admin role in Exchange admin center
Use screen reader to manage anti-malware protection in Exchange admin center
Use a screen reader to manage anti-spam protection
Use screen reader to open Exchange admin center
Use screen reader to run audit report in Exchange admin center
Use screen reader to trace an email message in Exchange admin center
Use screen reader to work with mobile clients in Exchange admin center
Exchange Online Multi-Geo
Exchange Online is part of the Office 365 suite of products.

End users - see Office help and training

Assign admin permissions

Learn about the Exchange admin center

To manage Exchange Online


As an administrator for your Office 365 tenant, you manage your organization's Exchange Online service in the Exchange admin
center. Here's how you get there:
1. Sign in to Office 365 using your work or school account, and then choose the Admin tile.
2. In the Office 365 admin center, choose Admin centers > Exchange.
For an introduction, see Exchange admin center in Exchange Online.

Help for Office 365 Admins


We're consolidating our content on the Office help and training site. See the following:
Office 365 for business - Admin Help: how to get started with the Office 365 admin center, reset passwords, and more.
Email in Office 365 for business - Admin Help: how to set up email, fix problems, and import email.
Exchange admin center in Exchange Online
3/29/2019

You use the Exchange admin center to manage email settings for your organization.

Get to the Exchange admin center


You must have Office 365 admin permissions to access the Exchange admin center.
1. Sign in to Office 365 using your work or school account, and then choose the Admin tile.
2. In the Office 365 admin center, choose Admin centers > Exchange.

You can also get to the Exchange admin center directly by using a URL. To do this, go to
https://outlook.office365.com/ecp and sign in using your credentials.

NOTE
Be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct
URL. This will prevent the credential that you are currently logged on with from being used. To open an InPrivate
Browsing session in Microsoft Edge or Internet Explorer or a Private Browsing session in Mozilla Firefox, press
CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press
CTRL+SHIFT+N.

Exchange admin center features


Here's what the Exchange admin center looks like.
Feature pane
Here are the features you'll find in the left-hand navigation.

AREA | WHAT YOU DO HERE
Dashboard | An overview of the admin center.
Recipients | View and manage your mailboxes, groups, resource mailboxes, contacts, shared mailboxes, and mailbox migrations.
Permissions | Manage administrator roles, user roles, and Outlook Web App policies.
Compliance management | Manage In-Place eDiscovery & Hold, auditing, data loss prevention (DLP), retention policies, retention tags, and journal rules.
Organization | Manage organization sharing and apps for Outlook.
Protection | Manage malware filters, connection filters, content filters, outbound spam, and quarantine for your organization.
Mail flow | Manage rules, message tracing, accepted domains, remote domains, and connectors.
Mobile | Manage the mobile devices that you allow to connect to your organization. You can manage mobile device access and mobile device mailbox policies.
Public folders | Manage public folders and public folder mailboxes.
Unified messaging | Manage Unified Messaging (UM) dial plans and UM IP gateways.

Tabs
The tabs are your second level of navigation. Each of the feature areas contains various tabs, each representing
a complete feature.
Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform a specific action. The
following table describes the most common icons and their actions. To display the action associated with an
icon, simply hover over the icon.

ICON NAME | ACTION
Add, New | Create a new object. Some of these icons have an associated down arrow you can click to show additional objects you can create. For example, in Recipients > Groups, clicking the down arrow displays Distribution group, Security group, and Dynamic distribution group as additional options.
Edit | Edit an object.
Delete | Delete an object. Some delete icons have a down arrow you can click to show additional options.
Search | Open a search box in which you can type the search phrase for an object you want to find.
n/a | Upgrade a distribution group to an Office 365 group. This icon can be used only for a distribution group.
Refresh | Refresh the list view.
More options | View more actions you can perform for that tab's objects. For example, in Recipients > Mailboxes clicking this icon shows the following options: Add/Remove columns, Deleted mailboxes, Export data to a CSV file, and Advanced search.
Up arrow and down arrow | Move an object's priority up or down. For example, in Mail flow > Rules click the up arrow to raise the priority of a rule. You can also use these arrows to navigate the public folder hierarchy.
Copy | Copy an object so you can make changes to it without changing the original object. For example, in Permissions > Admin roles, select a role from the list view, and then click this icon to create a new role group based on an existing one.
Remove | Remove an item from a list. For example, in the Public Folder Permissions dialog box, you can remove users from the list of users allowed to access the public folder by selecting the user and clicking this icon.

List view
When you select a tab, in most cases you'll see a list view. The list view in Exchange admin center is designed to
remove limitations that existed in Exchange Control Panel.
In Exchange Online, the viewable limit from within the Exchange admin center list view is approximately 10,000
objects. In addition, paging is included so you can page through the results. In the Recipients list view, you can also
configure page size and export the data to a CSV file.
Details pane
When you select an item from the list view, information about that object is displayed in the details pane.
To bulk edit several items: press the CTRL key, select the objects you want to bulk edit, and use the options in
the details pane.
Centers, Me tile, and Help
The Centers tile allows you to change from one admin center to another. The Me tile allows you to sign out of
the EAC and sign in as a different user. From the Help drop-down menu, you can perform the following
actions:
Help: Click to view the online help content.
Disable Help bubble: The Help bubble displays contextual help for fields when you create or edit an
object. You can turn off the Help bubble or turn it on if it has been disabled.

Supported browsers
See the following articles:
Office 365 System Requirements: lists supported browsers for Office 365 and the Exchange admin
center.
Supported Browsers for Outlook on the web.
Related articles
Are you using Exchange Server? See Exchange admin center in Exchange Server.
Are you using Exchange Online Protection? See Exchange admin center in Exchange Online Protection.
Permissions in Exchange Online
3/4/2019

Exchange Online in Office 365 includes a large set of predefined permissions, based on the Role Based Access
Control (RBAC) permissions model, which you can use right away to easily grant permissions to your
administrators and users. You can use the permissions features in Exchange Online so that you can get your new
organization up and running quickly.
RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of the links in this topic refer
to topics that reference Exchange Server. The concepts in those topics also apply to Exchange Online.
For information about permissions across Office 365, see Permissions in Office 365.

NOTE
Several RBAC features and concepts aren't discussed in this topic because they're advanced features. If the functionality
discussed in this topic doesn't meet your needs, and you want to further customize your permissions model, see
Understanding Role Based Access Control.

Role-based permissions
In Exchange Online, the permissions that you grant to administrators and users are based on management roles.
A management role defines the set of tasks that an administrator or user can perform. For example, a
management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes,
contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is
granted the permissions provided by the management role.
Administrative roles and end-user roles are the two types of management roles. Following is a brief description of
each type:
Administrative roles: These roles contain permissions that can be assigned to administrators or specialist
users using role groups that manage a part of the Exchange Online organization, such as recipients,
compliance management, or Unified Messaging.
End-user roles: These roles, which are assigned using role assignment policies, enable users to manage
aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix
My.

Management roles give permissions to perform tasks to administrators and users by making cmdlets available to
those who are assigned the roles. Because the Exchange admin center (EAC) and Exchange Online PowerShell use
cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to
perform the task in each of the Exchange Online management interfaces.
Exchange Online includes approximately 45 roles that you can use to grant permissions. For a list of roles, see
Built-in Management Roles.

NOTE
Some management roles may be available only to on-premises Exchange Server installations and won't be available in
Exchange Online.
Role groups and role assignment policies
Management roles grant permissions to perform tasks in Exchange Online, but you need an easy way to assign
them to administrators and users. Exchange Online provides you with the following to help you make
assignments:
Role groups: Role groups enable you to grant permissions to administrators and specialist users.
Role assignment policies: Role assignment policies enable you to grant permissions to end users to
change settings on their own mailbox or distribution groups that they own.
The following sections provide more information about role groups and role assignment policies.
Role groups
Every administrator who manages Exchange Online must be assigned at least one role. Administrators
might have more than one role because they may perform job functions that span multiple areas in Exchange
Online. For example, one administrator might manage both recipients and Unified Messaging features in the
Exchange Online organization. In this case, that administrator might be assigned both the Mail Recipients and
Unified Messaging roles.

To make it easier to assign multiple roles to an administrator, Exchange Online includes role groups. When a role
is assigned to a role group, the permissions granted by the role are granted to all the members of the role group.
This enables you to assign many roles to many role group members at once. Role groups typically encompass
broader management areas, such as recipient management. They're used only with administrative roles, and not
end-user roles. Role group members can be Exchange Online users and other role groups.

NOTE
It's possible to assign a role directly to a user without using a role group. However, that method of role assignment is an
advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.
Roles, role groups, and role group members

Exchange Online includes several built-in role groups, each one providing permissions to manage specific areas in
Exchange Online. Some role groups may overlap with other role groups. The following table lists each role group
with a description of its use.
Built-in role groups
ROLE GROUP | DESCRIPTION
Discovery Management | Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange Online organization for data that meets specific criteria and can also configure legal holds on mailboxes.
Help Desk | The Help Desk role group, by default, enables members to view and modify the Microsoft Outlook Web App options of any user in the organization. These options might include modifying the user's display name, address, and phone number. They don't include options that aren't available in Outlook Web App options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is located.
Help Desk Administrators (HelpdeskAdmins_<unique value>) | The Help Desk Administrators role group doesn't have any roles assigned to it. However, it's a member of the View-Only Organization Management role group and inherits the permissions provided by that role group. This role group can't be managed in Exchange Online. You can add members to this role group by adding users to the Password administrator Office 365 role.
Organization Management | Administrators who are members of the Organization Management role group have administrative access to the entire Exchange Online organization and can perform almost any task against any Exchange Online object, with some exceptions, such as the Discovery Management role. Important: Because the Organization Management role group is a powerful role, only users that perform organizational-level administrative tasks that can potentially impact the entire Exchange Online organization should be members of this role group.
Recipient Management | Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange Online recipients within the Exchange Online organization.
Records Management | Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, and mail flow rules (also known as transport rules).
UM Management | Administrators who are members of the UM Management role group can manage features in the Exchange Online organization such as UM properties on mailboxes, UM prompts, and UM auto attendant configuration.
View-Only Organization Management | Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange Online organization.
Compliance Management | Users who are members of the Compliance Management role group are responsible for compliance, to properly configure and manage compliance settings within Exchange in accordance with their policy.

If you work in a small organization that has only a few administrators, you might need to add those administrators
to the Organization Management role group only, and you may never need to use the other role groups. If you
work in a larger organization, you might have administrators who perform specific tasks administering Exchange
Online, such as recipient or organization-wide Unified Messaging configuration. In those cases, you might add
one administrator to the Recipient Management role group, and another administrator to the UM Management
role group. Those administrators can then manage their specific areas of Exchange Online, but they won't have
permissions to manage areas they're not responsible for.
If the built-in role groups in Exchange Online don't match the job function of your administrators, you can create
role groups and add roles to them. For more information, see the Work with role groups section later in this topic.
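The relationship described in this section (roles assigned to role groups, members inheriting every role in the group) can be reviewed with a read-only audit. The following PowerShell is an added example, not code from the original documentation; it assumes an Exchange Online PowerShell session is already connected, and the `$highPrivilege` list, the report column names, and the CSV file name are choices made for this example.

```powershell
# Added example: read-only audit of role groups, their roles, and their members.
# Assumption: an Exchange Online PowerShell session is already connected
# (for example with Connect-ExchangeOnline from the ExchangeOnlineManagement module).

# Role groups treated as high privilege in this example (names taken from the
# built-in role groups table); adjust the list to your own policy.
$highPrivilege = @('Organization Management', 'Discovery Management')

$report = foreach ($group in Get-RoleGroup -ResultSize Unlimited) {

    # Roles whose permissions flow to every member of this role group.
    # -Delegating $false leaves out delegating assignments, which let the
    # assignee assign the role to others rather than use it.
    $roles = @(
        Get-ManagementRoleAssignment -RoleAssignee $group.Name -Delegating $false |
            ForEach-Object { [string]$_.Role } |
            Sort-Object -Unique
    )

    # Members can be users or other role groups (nested membership).
    $members = @(Get-RoleGroupMember -Identity $group.Name -ResultSize Unlimited)

    # Keep empty role groups visible in the report with a placeholder row.
    if ($members.Count -eq 0) { $members = @($null) }

    foreach ($member in $members) {
        [pscustomobject]@{
            RoleGroup     = $group.Name
            HighPrivilege = $highPrivilege -contains $group.Name
            Member        = if ($member) { $member.Name } else { '(no members)' }
            MemberType    = if ($member) { [string]$member.RecipientType } else { '' }
            RoleCount     = $roles.Count
            Roles         = $roles -join '; '
        }
    }
}

# 1. Members of the broadest role groups: every row here deserves a manual check
#    against the people who actually perform organization-level tasks.
$report |
    Where-Object { $_.HighPrivilege } |
    Sort-Object RoleGroup, Member |
    Format-Table RoleGroup, Member, MemberType -AutoSize

# 2. Administrators who sit in more than one role group, which is where
#    overlapping role groups quietly add up to more access than intended.
$report |
    Where-Object { $_.Member -ne '(no members)' } |
    Group-Object Member |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Member     = $_.Name
            RoleGroups = ($_.Group.RoleGroup | Sort-Object -Unique) -join '; '
        }
    } |
    Format-Table -AutoSize -Wrap

# 3. Keep the full result for comparison with the next review
#    (file name is an example).
$report | Export-Csv -Path .\role-group-audit.csv -NoTypeInformation
```

Every cmdlet used here is a Get- cmdlet, so the script only reads the configuration; it changes nothing beyond writing the local CSV file.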
Role assignment policies
Exchange Online provides role assignment policies so that you can control what settings your users can configure
on their own mailboxes and on distribution groups they own. These settings include their display name, contact
information, voice mail settings, and distribution group membership.
Your Exchange Online organization can have multiple role assignment policies that provide different levels of
permissions for the different types of users in your organizations. Some users can be allowed to change their
address or create distribution groups, while others can't, depending on the role assignment policy associated with
their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be associated
with one role assignment policy at a time.
Of the role assignment policies in your organization, one is marked as default. The default role assignment policy
is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're
created. The default role assignment policy should contain the permissions that should be applied to the majority
of your mailboxes.
Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant
permissions for users to manage only their mailbox or distribution groups they own. They can't be used to
manage any other mailbox. Only end-user roles can be assigned to role assignment policies.
When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role
assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to
sets of users without having to configure individual mailboxes. The following figure shows:
- End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles. For details about the end-user roles that are available in Exchange Online, see Role assignment policies in Exchange Online.
- Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role assignment policy.
- After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.
Roles, role assignment policies, and mailboxes
The Default Role Assignment Policy role assignment policy is included with Exchange Online. As the name
implies, it's the default role assignment policy. If you want to change the permissions provided by this role
assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in
this topic.

Office 365 permissions in Exchange Online


When you create a user in Office 365, you can choose whether to assign various administrative roles, such as
Global administrator, Service administrator, Password administrator, and so on, to the user. Some, but not all,
Office 365 roles grant the user administrative permissions in Exchange Online.

NOTE
The user that was used to create your Office 365 tenant is automatically assigned to the Global administrator Office 365
role.

The following table lists the Office 365 roles and the Exchange Online role group they correspond to.

| OFFICE 365 ROLE | EXCHANGE ONLINE ROLE GROUP |
|---|---|
| Global administrator | Organization Management. Note: The Global administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally by Exchange Online and can't be modified directly. |
| Billing administrator | No corresponding Exchange Online role group. |
| Password administrator | Help Desk administrator. |
| Service administrator | No corresponding Exchange Online role group. |
| User management administrator | No corresponding Exchange Online role group. |

For a description of the Exchange Online role groups, see the table "Built-in role groups" in Role groups.
When you add a user to either the Global administrator or Password administrator Office 365 roles, the user is
granted the rights provided by the respective Exchange Online role group. Other Office 365 roles don't have a
corresponding Exchange Online role group and won't grant administrative permissions in Exchange Online. For
more information about assigning an Office 365 role to a user, see Assigning admin roles.
Users can be granted administrative rights in Exchange Online without adding them to Office 365 roles. This is
done by adding the user as a member of an Exchange Online role group. When a user is added directly to an
Exchange Online role group, they'll receive the permissions granted by that role group in Exchange Online.
However, they won't be granted any permissions to other Office 365 components. They'll have administrative
permissions only in Exchange Online. Users can be added to any of the role groups listed in the "Built-in role
groups table" in Role groups with the exception of the Company Administrator and Help Desk Administrators role
groups. For more information about adding a user directly to an Exchange Online role group, see Work with role
groups.

Work with role groups


To manage your permissions using role groups in Exchange Online, we recommend that you use the EAC. When
you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and
copy role groups with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the new role
group dialog box, shown in the following figure, to perform these tasks.
New role group dialog box in the EAC

Exchange Online includes several role groups that separate permissions into specific administrative areas. If these
existing role groups provide the permissions your administrators need to manage your Exchange Online
organization, you need only add your administrators as members of the appropriate role groups. After you add
administrators to a role group, they can administer the features that relate to that role group. To add or remove
members to or from a role group, open the role group in the EAC, and then add or remove members from the
membership list. For a list of built-in role groups, see the table "Built-in role groups" in Role groups.

IMPORTANT
If an administrator is a member of more than one role group, Exchange Online grants the administrator all of the
permissions provided by the role groups he or she is a member of.
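
The accumulation described in this note can be audited from Exchange Online PowerShell. The following is an added example, not part of the original documentation; it assumes a connected Exchange Online PowerShell session and an account that holds the Role Management role, and it lists every member that belongs to more than one role group together with the combined roles of those groups.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Build one row per (member, role group) pair.
# Nested groups appear as members here; their own members are not expanded.
$rows = foreach ($group in Get-RoleGroup) {
    foreach ($member in Get-RoleGroupMember -Identity $group.Name) {
        [pscustomobject]@{
            Member    = $member.Name
            Type      = $member.RecipientType
            RoleGroup = $group.Name
            Roles     = @($group.Roles | ForEach-Object { "$_" })
        }
    }
}

# A member of several role groups holds the union of the roles of all of them.
$rows |
    Group-Object Member |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Member        = $_.Name
            RoleGroups    = ($_.Group.RoleGroup | Sort-Object) -join '; '
            CombinedRoles = ($_.Group | ForEach-Object { $_.Roles } | Sort-Object -Unique) -join '; '
        }
    } |
    Sort-Object Member |
    Format-List
```

An empty result means no member currently sits in more than one role group.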

If none of the role groups included with Exchange Online have the permissions you need, you can use the EAC to
create a role group and add the roles that have the permissions you need. For your new role group, you will:
1. Choose a name for your role group.
2. Select the roles you want to add to the role group.
3. Add members to the role group.
4. Save the role group.
After you create the role group, you manage it like any other role group.
If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then
make changes to create a role group. You can copy an existing role group and make changes to it, without
affecting the original role group. As part of copying the role group, you can add a new name and description, add
and remove roles to and from the new role group, and add new members. When you create or copy a role group,
you use the same dialog box that's shown in the preceding figure.
Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and
remove members from it at the same time, using an EAC dialog box similar to the one in the preceding figure. By
adding and removing roles to and from role groups, you turn on and off administrative features for members of
that role group.

NOTE
Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role
groups, modify the role group copy, and then add members to the role group copy. The Company Administrator and Help
Desk administrator role groups can't be copied or changed.

Work with role assignment policies


To manage the permissions that you grant end users to manage their own mailbox in Exchange Online, we
recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles,
remove roles, and create role assignment policies with a few clicks of your mouse. The EAC provides simple dialog
boxes, such as the role assignment policy dialog box, shown in the following figure, to perform these tasks.
Role assignment policy dialog box in the EAC
Exchange Online includes a role assignment policy named Default Role Assignment Policy. This role assignment
policy enables users whose mailboxes are associated with it to do the following:
- Join or leave distribution groups that allow members to manage their own membership.
- View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.
- Modify their contact information, such as work address and phone number, mobile phone number, and pager number.
- Create, modify, or view text message settings.
- View or modify voice mail settings.
- View and modify their marketplace apps.
- Create team mailboxes and connect them to Microsoft SharePoint lists.
- Create, modify, or view email subscription settings, such as message format and protocol defaults.
If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment
policy, you can use the EAC. The dialog box you use is similar to the one in the preceding figure. When you open
the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the
check box next to the roles you want to remove. The change you make to the role assignment policy is applied to
every mailbox associated with it.
If you want to assign different end-user permissions to the various types of users in your organization, you can
create role assignment policies. When you create a role assignment policy, you see a dialog box similar to the one
in the preceding figure. You can specify a new name for the role assignment policy, and then select the roles you
want to assign to the role assignment policy. After you create a role assignment policy, you can associate it with
mailboxes using the EAC.
If you want to change which role assignment policy is the default, you must use Exchange Online PowerShell.
When you change the default role assignment policy, any mailboxes that are created will be associated with the
new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with
existing mailboxes doesn't change when you select a new default role assignment policy.
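
The default-policy behavior described above can be checked directly. The following is an added example, not part of the original documentation; the policy name, the role selection, and the mailbox placeholder are assumptions. It creates a restricted policy from end-user roles, makes it the default, and confirms that existing mailboxes keep the policy they already had.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
$policyName = 'Restricted End Users'   # assumed name for this example
$roles      = 'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroupMembership'

# Only end-user roles (names that begin with "My") can be assigned to a role assignment policy.
$notEndUser = $roles | Where-Object { $_ -notlike 'My*' }
if ($notEndUser) { throw "Not end-user roles: $($notEndUser -join ', ')" }

# Current policies and which one is the default.
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault, AssignedRoles -AutoSize

# Snapshot: number of mailboxes per policy before the change.
$before = Get-Mailbox -ResultSize Unlimited | Group-Object RoleAssignmentPolicy -NoElement

New-RoleAssignmentPolicy -Name $policyName -Roles $roles
Set-RoleAssignmentPolicy -Identity $policyName -IsDefault

# Existing mailboxes keep their policy, so this comparison returns nothing.
$after = Get-Mailbox -ResultSize Unlimited | Group-Object RoleAssignmentPolicy -NoElement
Compare-Object $before $after -Property Name, Count

# Existing mailboxes must be moved explicitly. '<Mailbox Identity>' is a placeholder.
Set-Mailbox -Identity '<Mailbox Identity>' -RoleAssignmentPolicy $policyName
Get-Mailbox -Identity '<Mailbox Identity>' | Format-List Name, RoleAssignmentPolicy
```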

NOTE
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the
check box for a role with child roles, the check boxes for the child roles are also cleared.

For detailed role assignment policy procedures, see Role assignment policies in Exchange Online.

Permissions documentation
The following table contains links to topics that will help you learn about and manage permissions in Exchange
Online.

| TOPIC | DESCRIPTION |
|---|---|
| Understanding Role Based Access Control | Learn about each of the components that make up RBAC and how you can create advanced permissions models if role groups and management roles aren't enough. |
| Manage role groups in Exchange Online | Configure permissions for Exchange Online administrators and specialist users using role groups, including adding and removing members to and from role groups. |
| Role assignment policies in Exchange Online | Configure which features end-users have access to on their mailboxes using role assignment policies, view, create, modify, and remove role assignment policies, specify the default role assignment policy, and apply role assignment policies to mailboxes. |
| View Effective Permissions | View who has permissions to administer Exchange Online features. |
| Feature permissions in Exchange Online | Learn more about the permissions required to manage Exchange Online features and services. |

Feature permissions in Exchange Online
3/4/2019 • 2 minutes to read

The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the
procedure being performed or the cmdlet you want to run.
For information about Exchange Online Protection (EOP) permissions, see Feature Permissions in EOP.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to
see its management roles. If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.

NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.

If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.

Exchange Online permissions


You can use the features in the following table to manage your Exchange Online organization and recipients.
Users who are assigned the View-Only Management role group can view the configuration of the features in the
following table. For more information, see View-only Organization Management.

| FEATURE | PERMISSIONS REQUIRED |
|---|---|
| Anti-malware | Organization Management, Hygiene Management |
| Anti-spam | Organization Management, Hygiene Management |
| Data loss prevention | Organization Management, Compliance Management |
| Office 365 connectors | Organization Management |
| Journal archiving | Organization Management, Recipient Management |
| Linked user | Organization Management, Recipient Management |
| Mail flow | Organization Management |
| Mailbox settings | Organization Management, Recipient Management |
| Microsoft Office 365 Message Encryption (OME) | Organization Management, Compliance Management, Records Management |
| Message trace | Organization Management, Compliance Management, Help Desk |
| Organization configuration | Organization Management |
| Outlook on the web mailbox policies | Organization Management, Recipient Management (http://technet.microsoft.com/library/669d602e-68e3-41f9-a455-b942d212d130.aspx) |
| POP3 and IMAP4 permissions | Organization Management |
| Quarantine | Organization Management, Hygiene Management |
| Subscriptions | Organization Management, Recipient Management. Note: A user can create subscriptions in their own mailbox. An administrator can't create subscriptions in another user's mailbox, but they can modify or delete subscriptions in another user's mailbox. |
| Supervision | Organization Management |
| View reports | Organization Management - users have access to mailbox reports and mail protection reports. View-Only Organization Management - users have access to mailbox reports. View-Only Recipients - users have access to mail protection reports. Compliance Management - users have access to mail protection reports and Data Loss Prevention (DLP) reports (if their subscription has DLP capabilities). |

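
Steps 1 to 3 of the procedure in this topic can be combined into one check. The following is an added example, not part of the original documentation: the function name Test-FeaturePermission is hypothetical, and the lookup table is a constructed subset of the feature table in this topic. It only matches the listed role group names, so an equivalent custom role group or an equivalent management role still has to be reviewed by hand.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session and the Role Management role.
# Constructed subset of the feature table in this topic.
$FeatureRoleGroups = @{
    'Anti-malware'         = @('Organization Management', 'Hygiene Management')
    'Data loss prevention' = @('Organization Management', 'Compliance Management')
    'Message trace'        = @('Organization Management', 'Compliance Management', 'Help Desk')
    'Mail flow'            = @('Organization Management')
}

function Test-FeaturePermission {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Feature
    )
    if (-not $FeatureRoleGroups.ContainsKey($Feature)) {
        throw "Feature '$Feature' is not in the local table."
    }

    # Role groups through which the user receives regular (non-delegating) role assignments.
    $held = Get-ManagementRoleAssignment -RoleAssignee $User -Delegating $false |
        Where-Object RoleAssigneeType -eq 'RoleGroup' |
        Select-Object -ExpandProperty RoleAssigneeName -Unique

    # One matching role group is enough to use the feature.
    $match = @($FeatureRoleGroups[$Feature] | Where-Object { $held -contains $_ })

    [pscustomobject]@{
        User           = $User
        Feature        = $Feature
        Allowed        = ($match.Count -gt 0)
        Via            = $match -join ', '
        HeldRoleGroups = $held -join ', '
    }
}

# '<User Identity>' is a placeholder for the account being checked.
Test-FeaturePermission -User '<User Identity>' -Feature 'Message trace'
```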
Manage role groups in Exchange Online
3/4/2019 • 15 minutes to read

A role group is a special kind of universal security group (USG) that's used in the Role Based Access Control
(RBAC) permissions model in Exchange Online. Management role groups simplify the assignment and
maintenance of permissions to users in Exchange Online. The members of the role group are assigned the same
set of roles, and you add and remove permissions from users by adding them to or removing them from the role
group. For more information about role groups in Exchange Online, see Permissions in Exchange Online.

What do you need to know before you begin?


- Estimated time to complete each procedure: 5 to 10 minutes
- To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To open Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
- The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you get this permission via membership in the Organization Management role group (the Office 365 Global administrator role).
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

View role groups


Use the EAC to view role groups
1. In the EAC, go to Permissions > Admin Roles. All of the role groups in your organization are listed here.
2. Select a role group. The Details pane shows the Name, Description, Assigned roles, Members,
Managed by, and Write scope of the role group. You can also see this information by clicking Edit.
Use Exchange Online PowerShell to view role groups
To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName
(DN) value for Julia, which you can find by running the command:
Get-User -Identity Julia | Format-List DistinguishedName

Get-RoleGroup -Filter {Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'}

For detailed syntax and parameter information, see Get-RoleGroup.

Create role groups


When you create a new role group, you need to configure all of the settings yourself (during the creation of the
group or after). To start with the configuration of an existing role group and modify it, see Copy existing role
groups.
Use the EAC to create role groups
1. In the EAC, go to Permissions > Admin Roles and then click Add.
2. In the New role group window that appears, configure the following settings:
   - Name: Enter a unique name for the role group.
   - Description: Enter an optional description for the role group.
   - Write scope: The default value is Default, but you can also select a custom recipient write scope that you've already created.
   - Roles: Click Add to select the roles that you want to be assigned to the role group in the new window that appears.
   - Members: Click Add to select the members that you want to add to the role group in the new window that appears. You can select users, universal security groups (USGs), or other role groups (security principals).
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to create a role group
To create a new role group, use the following syntax:

New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...> -ManagedBy <Managers> -Members <Members> -CustomRecipientWriteScope "<Existing Write Scope Name>"

- The Roles parameter specifies the management roles to assign to the role group by using the following syntax: "Role1","Role2",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.
- The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).
- The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
- The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.
This example creates a new role group named "Limited Recipient Management" with the following settings:
- The Mail Recipients and Mail Enabled Public Folders roles are assigned to the role group.
- The users Kim and Martin are added as members. Because no custom recipient write scope was specified, Kim and Martin can manage any recipient in the organization.

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin"

This is the same example with a custom recipient write scope, which means Kim and Martin can only manage
recipients that are included in the Seattle Recipients scope (recipients who have their City property set to the value
Seattle).

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients","Mail Enabled Public Folders" -Members "Kim","Martin" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-RoleGroup.


How do you know this worked?
To verify that you've successfully created a role group, do either of the following steps:
- In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.
- In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List

Copy existing role groups


If an existing role group is close in terms of the permissions and settings that you want to assign to users, you can
copy the existing role group and modify the copy to suit your needs.
Use the EAC to copy a role group
Note: You can't use the EAC to copy a role group if you've used Exchange Online PowerShell to configure multiple
scopes or exclusive scopes on the role group. To copy role groups that have these settings, you need to use
Exchange Online PowerShell.
1. In the EAC, go to Permissions > Admin Roles.
2. Select the role group that you want to copy and then click Copy.
3. In the New role group window that appears, configure the following settings:
   - Name: The default value is "Copy of <Role Group Name>", but you can enter a unique name for the role group.
   - Description: The existing description is present, but you can change it.
   - Write scope: The existing write scope is selected, but you can select Default or another custom recipient write scope that you've already created.
   - Roles: Click Add or Remove to modify the roles that are assigned to the role group.
   - Members: Click Add or Remove to modify the role group membership.
When you're finished, click Save to create the role group.
Use Exchange Online PowerShell to copy a role group
1. Store the role group that you want to copy in a variable using the following syntax:

$RoleGroup = Get-RoleGroup "<Existing Role Group Name>"

2. Create the new role group using the following syntax:

New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>] [-ManagedBy <Managers>] [-CustomRecipientWriteScope "<Existing Custom Recipient Write Scope Name>"]

- The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, universal security groups (USGs), or other role groups (security principals).
- The ManagedBy parameter specifies the delegates who can modify and remove the role group by using the following syntax: "Delegate1","Delegate2",..."DelegateN". Note that this setting isn't available in the EAC.
- The CustomRecipientWriteScope parameter specifies the existing custom recipient write scope to apply to the role group. You can see the available custom recipient write scopes by using the Get-ManagementScope cmdlet.
This example copies the Organization Management role group to the new role group named "Limited
Organization Management". The role group members are Isabelle, Carter, and Lukas and the role group delegates
are Jenny and Katie.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas" -ManagedBy "Jenny","Katie"

This example copies the Organization Management role group to the new role group called Vancouver
Organization Management with the Vancouver Users recipient custom recipient write scope.

$RoleGroup = Get-RoleGroup "Organization Management"
New-RoleGroup "Vancouver Organization Management" -Roles $RoleGroup.Roles -CustomRecipientWriteScope "Vancouver Users"

For detailed syntax and parameter information, see New-RoleGroup.


How do you know this worked?
To verify that you've successfully copied a role group, do either of the following steps:
- In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the settings in the Details pane or click Edit to verify the settings.
- In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List


Modify role groups
Use the EAC to modify role groups
1. In the EAC, go to Permissions > Admin Roles, select the role group you want to modify, and then click Edit.
The same options are available when you modify role groups as when you create role groups (see Use the EAC to
create role groups). You can:
- Change the name and description.
- Change the write scope (if you've created custom recipient write scopes).
- Add and remove management roles (create or remove role assignments).
- Add and remove members.
Notes:
- You can't use the EAC to modify the write scope, roles and members of a role group if you've used Exchange Online PowerShell to configure multiple scopes or exclusive scopes on the role group. To modify the settings of these role groups, you need to use Exchange Online PowerShell.
- Some role groups (for example, the Organization Management role group) restrict the roles that you can remove from the group.
- You can't add or remove delegates to a role group in the EAC. You can only use Exchange Online PowerShell.
Use Exchange Online PowerShell to add roles to role groups (create role assignments)
To add roles to role groups in Exchange Online PowerShell, you create management role assignments by using the
following syntax:

New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

- The role assignment name is created automatically if you don't specify one.
- If you don't use the RecipientRelativeWriteScope parameter, the implicit read scope and implicit write scope of the role is applied to the role assignment.
- If a predefined scope meets your business requirements, you can use the RecipientRelativeWriteScope parameter to apply the scope to the role assignment.
- To apply a custom recipient write scope, use the CustomRecipientWriteScope parameter.
This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization
predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle
Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.


Use Exchange Online PowerShell to remove roles from role groups (remove role assignments)
To remove roles from role groups in Exchange Online PowerShell, you remove management role assignments by
using the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" -Role "<Role Name>" -Delegating <$true | $false> | Remove-ManagementRoleAssignment

- To remove regular role assignments that grant permissions to users, use the value $false for the Delegating parameter.
- To remove delegating role assignments that allow the role to be assigned to others, use the value $true for the Delegating parameter.
This example removes the Distribution Groups role from the Seattle Recipient Administrators role group.

Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Administrators" -Role "Distribution Groups" -Delegating $false | Remove-ManagementRoleAssignment

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.


Use Exchange Online PowerShell to modify the scope of role assignments in role groups
The write scope of a role assignment in a role group defines the objects that the members of the role group can
operate on (for example, all users, or only the users whose City property has the value Vancouver). You can modify
the write scope of the roles assigned to a role group to:
- The implicit scope from the roles themselves. This means you didn't specify any custom scopes when you created the role group, or you set the value of all role assignments in an existing role group to the value $null.
- The same custom scope for all role assignments.
- Different custom scopes for each individual role assignment.
To set the scope on all of the role assignments on a role group at the same time, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Set-ManagementRoleAssignment [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for all role assignments on the Sales Recipient Management role group
to Direct Sales Employees.

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Direct Sales Employees"

To change the scope on an individual role assignment between a role group and a management role, do the
following steps:
1. Replace <Role Group Name> with the name of the role group and run the following command to find the
names of all the role assignments on the role group:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-List Name

2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next
step.
3. To set the scope on the individual role assignment, use the following syntax:

Set-ManagementRoleAssignment -Identity "<Role Assignment Name>" [-CustomRecipientWriteScope "<Recipient Write Scope Name>"] [-RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>] [-ExclusiveRecipientWriteScope "<Exclusive Recipient Write Scope name>"]

This example changes the recipient scope for the role assignment named Mail Recipients_Sales Recipient
Management to All Sales Employees.

Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All Sales Employees"

For detailed syntax and parameter information, see Set-ManagementRoleAssignment.
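
After changing scopes, it helps to confirm that no role assignment on the role group still falls back to its implicit, organization-wide scope. The following is an added example, not part of the original documentation; the function name Get-RoleGroupScopeReport is hypothetical, and the role group and scope names are the ones used in the example above.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
function Get-RoleGroupScopeReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $RoleGroup,
        [Parameter(Mandatory)] [string] $ExpectedScope
    )
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Delegating $false |
        # Keep only assignments made directly to this role group.
        Where-Object { $_.RoleAssigneeName -eq $RoleGroup } |
        ForEach-Object {
            [pscustomobject]@{
                Assignment  = $_.Name
                Role        = "$($_.Role)"
                WriteScope  = "$($_.RecipientWriteScope)"
                CustomScope = "$($_.CustomRecipientWriteScope)"
                Compliant   = ("$($_.CustomRecipientWriteScope)" -eq $ExpectedScope)
            }
        }
}

$expected = 'Direct Sales Employees'
$report   = @(Get-RoleGroupScopeReport -RoleGroup 'Sales Recipient Management' -ExpectedScope $expected)
$report | Format-Table -AutoSize

# Preview the fix for every assignment that does not carry the expected scope.
# Remove -WhatIf to apply the change.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Set-ManagementRoleAssignment -Identity $_.Assignment -CustomRecipientWriteScope $expected -WhatIf
}
```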


Use Exchange Online PowerShell to modify the list of delegates in role groups
Role group delegates define who is allowed to modify and delete the role group. You can't manage role group
delegates in the EAC.
To modify the list of delegates in a role group, use the following syntax:

Set-RoleGroup -Identity "<Role Group Name>" -ManagedBy <Delegates>

- To replace the existing list of delegates with the values you specify, use the following syntax: "Delegate1","Delegate2",..."DelegateN".
- To selectively modify the existing list of delegates, use the following syntax: @{Add="Delegate1","Delegate2"...; Remove="Delegate3","Delegate4"...}.

This example replaces all current delegates of the Help Desk role group with the specified users.

Set-RoleGroup -Identity "Help Desk" -ManagedBy "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of delegates on the Help Desk role
group.

Set-RoleGroup -Identity "Help Desk" -ManagedBy @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Set-RoleGroup.

Use Exchange Online PowerShell to modify the list of members in role groups
The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual
members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of
members.
The members of a role group can be users, universal security groups (USGs), or other role groups (security
principals).
To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members> [-BypassSecurityGroupManagerCheck]

To replace the existing list of members with the values you specify, use the following syntax:
"Member1","Member2",..."MemberN"

To selectively modify the existing list of members, use the following syntax:
@{Add="Member1","Member2"...; Remove="Member3","Member4"...}

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrios from the list of members on the Help Desk role
group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.


How do you know this worked?
To verify that you've successfully modified a role group, do any of the following steps:
In the EAC, go to Permissions > Admin Roles, select the new role group you created, and verify the
settings in the Details pane or click Edit to verify the settings.
In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-RoleGroup -Identity "<Role Group Name>" | Format-List

In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the
following command to verify the settings:

Get-ManagementRoleAssignment -RoleAssignee "<Role Group Name>" | Format-Table *WriteScope
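
The write-scope check above can be turned into a per-assignment review that flags any assignment still lacking the intended custom scope. This is an added example, not part of the Microsoft documentation; the function name Test-RoleAssignmentScope and the sample objects are assumptions made for illustration, and the sample data is constructed so the script runs without a tenant connection.

```powershell
# Added example (hypothetical helper, not a built-in cmdlet).
function Test-RoleAssignmentScope {
    [CmdletBinding()]
    param(
        # Objects with the Name, Role, RecipientWriteScope and CustomRecipientWriteScope
        # properties that Get-ManagementRoleAssignment returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Assignment,

        # The custom recipient write scope every assignment is expected to use.
        [Parameter(Mandatory)]
        [string]$ExpectedScope
    )
    process {
        $scopeType   = [string]$Assignment.RecipientWriteScope
        $customScope = [string]$Assignment.CustomRecipientWriteScope

        if ($customScope -eq $ExpectedScope) {
            $finding = 'OK'
        } elseif ($customScope) {
            $finding = "Different custom scope: '$customScope'"
        } elseif ($scopeType -eq 'Organization') {
            $finding = 'Not restricted: writes apply to the whole organization'
        } else {
            $finding = "No custom scope (implicit scope: $scopeType)"
        }

        [pscustomobject]@{
            Assignment  = $Assignment.Name
            Role        = [string]$Assignment.Role
            ScopeType   = $scopeType
            CustomScope = $customScope
            Finding     = $finding
        }
    }
}

# Constructed sample data standing in for live cmdlet output.
$sample = @(
    [pscustomobject]@{
        Name = 'Mail Recipients_Sales Recipient Management'; Role = 'Mail Recipients'
        RecipientWriteScope = 'CustomRecipientScope'; CustomRecipientWriteScope = 'Direct Sales Employees'
    }
    [pscustomobject]@{
        Name = 'Distribution Groups_Sales Recipient Management'; Role = 'Distribution Groups'
        RecipientWriteScope = 'Organization'; CustomRecipientWriteScope = $null
    }
    [pscustomobject]@{
        Name = 'Message Tracking_Sales Recipient Management'; Role = 'Message Tracking'
        RecipientWriteScope = 'CustomRecipientScope'; CustomRecipientWriteScope = 'All Sales Employees'
    }
)

$report = $sample | Test-RoleAssignmentScope -ExpectedScope 'Direct Sales Employees'
$report | Format-Table -AutoSize

# Every row that is not OK needs a decision: rescope it or record why it is broader.
$report | Where-Object { $_.Finding -ne 'OK' } | Format-List Assignment, Finding

# Against a live Exchange Online PowerShell session:
# Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Management" |
#     Test-RoleAssignmentScope -ExpectedScope "Direct Sales Employees"
```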

Remove role groups


You can't remove built-in role groups, but you can remove custom role groups that you've created.
Notes:
When you remove a role group, the management role assignments between the role group and the
management roles are deleted. Any management roles that are assigned to the role group aren't deleted.
If a user depends on the role group for access to a feature, the user will no longer have access to the feature
after you delete the role group.
Use the EAC to remove a role group
1. In the EAC, go to Permissions > Admin Roles.
2. Select the role group you want to remove and then click Delete .
3. Click Yes in the confirmation window that appears.
Use Exchange Online PowerShell to remove a role group
To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

This example removes the Vancouver Recipient Administrators role group. Because the user running the
command isn't defined in the ManagedBy property of the role group, the BypassSecurityGroupManagerCheck
switch is required in the command. The user that's running the command is assigned the Role Management role,
which enables the user to bypass the security group manager check.

Remove-RoleGroup -Identity "Vancouver Recipient Administrators" -BypassSecurityGroupManagerCheck

For detailed syntax and parameter information, see Remove-RoleGroup.


How do you know this worked?
To verify that you've removed a role group, do either of the following steps:
In the EAC, go to Permissions > Admin Roles and verify that the role group is no longer listed.
In Exchange Online PowerShell, run the following command to verify the role group is no longer listed:

Get-RoleGroup
Role assignment policies in Exchange Online
3/29/2019 • 13 minutes to read

A role assignment policy is a collection of one or more end-user roles that enable users to manage their mailbox
settings and distribution groups in Exchange Online. End-user roles are part of the role-based access control
(RBAC) permissions model in Exchange Online. You can assign different role assignment policies to different users
to allow or prevent specific self-management features in Exchange Online. For more information, see Role
assignment policies.
In Exchange Online, a default role assignment policy named Default Role Assignment Policy is specified by the
mailbox plan that's assigned to users when their account is licensed. For more information about mailbox plans,
see Mailbox plans in Exchange Online.
Role assignment policies are how end-user roles (as opposed to management roles) are assigned to users in
Exchange Online. There are several ways you can use role assignment policies to assign permissions to users:
• New users:
  • Change the end-user roles that are assigned to the default role assignment policy.
  • Create a custom role assignment policy and set it as the default. Note that this method only affects
    mailboxes that you create without specifying a role assignment policy or assigning a license (the
    license specifies the mailbox plan, which specifies the role assignment policy).
  • Specify a custom role assignment policy in the mailbox plan. For more information, see Use
    Exchange Online PowerShell to modify mailbox plans.
• Existing users:
  • Assign a different license to the user. This will apply the settings of the different mailbox plan, which
    specifies the role assignment policy to apply.
  • Manually assign a custom role assignment policy to mailboxes.
The available end-user roles that you can assign to mailbox plans are described in the following table:

| ROLE | ASSIGNED TO DEFAULT ROLE ASSIGNMENT POLICY BY DEFAULT? | DESCRIPTION |
| --- | --- | --- |
| My Custom Apps | Yes | Install custom apps. |
| My Marketplace Apps | Yes | Install marketplace apps. |
| My ReadWriteMailbox Apps | Yes | Install apps with ReadWriteMailbox permissions. |
| MyBaseOptions | Yes | Required for users to access options in Outlook on the web from their own mailbox. |
| MyContactInformation | Yes | Edit their address and telephone number in the global address list (GAL). This role contains the following child roles: • MyAddressInformation: Change all elements of their mailing address, work telephone number, and fax number. • MyMobileInformation: Change their mobile phone and pager numbers. • MyPersonalInformation: Change their home telephone number and web page. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one or more of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic. |
| MyDistributionGroupMembership | Yes | Join or leave existing distribution groups (if the group is configured to let members join or leave the group). |
| MyDistributionGroups | Yes | Create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own. |
| MyMailboxDelegation | No | Allows users to grant send on behalf of permissions to other users on their mailbox. Messages clearly show the sender in the From field (<Sender> on behalf of <Mailbox>), but replies are delivered to the mailbox, not the sender. |
| MyMailSubscriptions | Yes | Connected accounts were removed from Outlook on the web in November, 2018. For more information, see Connected accounts is no longer supported in Outlook on the web. |
| MyProfileInformation | Yes | Edit their first name, middle initial, last name, and display name in the GAL. This role contains the following child roles: • MyDisplayName: Change their display name. • MyName: Change their first name, middle initial, last name and Notes property. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one of the child roles. For instructions, see the Add or remove roles from a role assignment policy section in this topic. |
| MyRetentionPolicies | Yes | Allows users to add personal tags that aren't part of their assigned retention policy.* |
| MyTeamMailboxes | Yes | Site mailboxes were discontinued in favor of Office 365 groups in September, 2017. For more information, see Use Office 365 Groups instead of Site Mailboxes. |
| MyTextMessaging | Yes | Enable text message notifications for meetings and new email messages.* |
| MyVoiceMail | Yes | Update their voice mail settings.* |

* This feature isn't available in all regions or organizations.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes.
The procedures in this topic require the Role Management RBAC role in Exchange Online. Typically, you
get this permission via membership in the Organization Management role group (the Office 365 Global
administrator role). For more information, see Manage role groups in Exchange Online.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Changes to permissions take effect after the user logs out and logs in again.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

View roles assigned to a role assignment policy


Use the EAC to view roles assigned to a role assignment policy
1. In the EAC, go to Permissions > User roles, and select the role assignment policy.
2. The roles that are assigned to the policy are displayed in the details pane. You can also click Edit to see
the roles, including the available roles that aren't assigned to the policy.
Use Exchange Online PowerShell to view roles assigned to a role assignment policy
To view the roles assigned to a role assignment policy, use the following syntax:

Get-ManagementRoleAssignment -RoleAssignee "<RoleAssignmentPolicyName>" | Format-Table Name,Role -Auto

This example returns the roles that are assigned to the policy named Default Role Assignment Policy.

Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Format-Table Name,Role -Auto

For detailed syntax and parameter information, see Get-ManagementRoleAssignment.


Note: To return a list of all available end-user roles, run the following command:

Get-ManagementRole | Where {$_.IsEndUserRole -eq $true} | Format-Table Name,Parent

Add or remove roles from a role assignment policy


Use the EAC to add or remove roles from a role assignment policy
1. In the EAC, go to Permissions > User roles, select the role assignment policy, and then click Edit .
2. In the policy properties window that opens, do one of the following steps:
To add a role, select the check box next to the role.
To remove a role that's already assigned, clear the check box.
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If
you clear the check box of the parent role, the check boxes for the child roles are also cleared. You can select
a child role by clearing the check box of the parent role and then selecting the individual child role.
3. When you're finished, click Save.
Use Exchange Online PowerShell to add roles to a role assignment policy
Adding a role to a role assignment policy creates a new role assignment with a unique name that's a combination
of the names of the role and the role assignment policy.
To add roles to a role assignment policy, use the following syntax:

New-ManagementRoleAssignment -Role <RoleName> -Policy "<RoleAssignmentPolicyName>"

This example adds the role MyMailboxDelegation to the role assignment policy named Default Role Assignment
Policy.

New-ManagementRoleAssignment -Role MyMailboxDelegation -Policy "Default Role Assignment Policy"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.


Use Exchange Online PowerShell to remove roles from a role assignment policy
1. Use the procedure from the Use Exchange Online PowerShell to view roles assigned to a role assignment
policy section earlier in this topic to find the name of the role assignment for the role that you want to
remove (it's a combination of the names of the role and the role assignment policy).
2. To remove the role from the role assignment policy, use this syntax:

Remove-ManagementRoleAssignment -Identity "<RoleAssignmentName>"

This example removes the MyDistributionGroups role from the role assignment policy named Default Role
Assignment Policy.

Remove-ManagementRoleAssignment -Identity "MyDistributionGroups-Default Role Assignment Policy"

For detailed syntax and parameter information, see Remove-ManagementRoleAssignment.


How do you know this worked?
To verify that you've successfully added or removed roles from a role assignment policy, use either of the
following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the roles in the
details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command:

Get-ManagementRoleAssignment -RoleAssignee "<RoleAssignmentPolicyName>" | Format-Table Name,Role -Auto
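
To go beyond eyeballing the table that command prints, the assigned end-user roles can be compared against an approved baseline, including the parent and child role relationships described in the role table earlier in this topic. This is an added example, not part of the Microsoft documentation; the function name Compare-PolicyRoleBaseline, the baseline, and the sample assignments are assumptions, and the sample data is constructed so the script runs without a tenant connection.

```powershell
# Added example (hypothetical helper, not a built-in cmdlet).
function Compare-PolicyRoleBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$PolicyName,
        # Objects with the Name and Role properties that Get-ManagementRoleAssignment returns.
        [Parameter(Mandatory)] [object[]]$Assignment,
        # End-user roles this policy is allowed to contain.
        [Parameter(Mandatory)] [string[]]$ApprovedRole
    )

    # Parent end-user roles and their child roles, as listed in the role table in this topic.
    $childRoles = @{
        MyContactInformation = 'MyAddressInformation', 'MyMobileInformation', 'MyPersonalInformation'
        MyProfileInformation = 'MyDisplayName', 'MyName'
    }
    $assigned = @($Assignment | ForEach-Object { [string]$_.Role })

    # Pass 1: classify every role that is currently assigned to the policy.
    foreach ($a in $Assignment) {
        $role = [string]$a.Role
        $approvedChildren = @($childRoles[$role] | Where-Object { $_ -in $ApprovedRole })

        if ($role -in $ApprovedRole) {
            $status = 'Approved'
            $action = ''
        } elseif ($approvedChildren.Count -gt 0) {
            # The parent role grants more than the approved child role(s).
            $status = 'BroaderThanApproved'
            $action = "Remove the parent role and assign only: $($approvedChildren -join ', ')"
        } else {
            $status = 'NotApproved'
            $action = "Remove-ManagementRoleAssignment -Identity `"$($a.Name)`""
        }
        [pscustomobject]@{ Role = $role; Status = $status; Action = $action }
    }

    # Pass 2: approved roles that are neither assigned nor covered by an assigned parent.
    foreach ($role in $ApprovedRole) {
        if ($role -in $assigned) { continue }
        $coveringParent = $childRoles.Keys |
            Where-Object { $childRoles[$_] -contains $role -and $_ -in $assigned }
        if ($coveringParent) { continue }
        [pscustomobject]@{
            Role   = $role
            Status = 'Missing'
            Action = "New-ManagementRoleAssignment -Role $role -Policy `"$PolicyName`""
        }
    }
}

# Constructed sample data standing in for live cmdlet output.
$policy = 'Contoso Contractors'
$sample = 'MyBaseOptions', 'MyContactInformation', 'MyProfileInformation', 'MyMailboxDelegation' |
    ForEach-Object { [pscustomobject]@{ Name = "$_-$policy"; Role = $_ } }

# Constructed baseline: contractors may change only their address and display name.
$baseline = 'MyBaseOptions', 'MyAddressInformation', 'MyDisplayName', 'MyDistributionGroupMembership'

Compare-PolicyRoleBaseline -PolicyName $policy -Assignment $sample -ApprovedRole $baseline |
    Format-Table -AutoSize -Wrap

# Against a live Exchange Online PowerShell session:
# $live = Get-ManagementRoleAssignment -RoleAssignee "Contoso Contractors"
# Compare-PolicyRoleBaseline -PolicyName "Contoso Contractors" -Assignment $live -ApprovedRole $baseline
```

The Action column only prints the commands from this topic as suggestions; nothing is changed until an administrator runs them.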

Create role assignment policies


Use the EAC to create role assignment policies
1. In the EAC, go to Permissions > User roles and click New .
2. In the new role assignment policy window that opens, configure the following settings:
Name: Enter a descriptive name.
Description: Enter an optional description.
Select the roles that you want to assign to the policy.
3. When you're finished, click Save.
Use Exchange Online PowerShell to create role assignment policies
To create a role assignment policy, use the following syntax:

New-RoleAssignmentPolicy -Name <UniqueName> [-Description "<Descriptive Text>"] [-Roles "<EndUserRole1>","<EndUserRole2>"...] [-IsDefault]

This example creates a new role assignment policy named Contoso Contractors that includes the specified end-
user roles.

New-RoleAssignmentPolicy -Name "Contoso Contractors" -Description "Limited self-management capabilities for contingent staff." -Roles "MyBaseOptions","MyContactInformation","MyProfileInformation"

For detailed syntax and parameter information, see New-RoleAssignmentPolicy.
How do you know this worked?
To verify that you've successfully created a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the property
values in the details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command to verify the property values:

Get-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" | Format-List Description,AssignedRoles,IsDefault

Modify role assignment policies


You can use the EAC or Exchange PowerShell to Add or remove roles from a role assignment policy.
You can only use Exchange Online PowerShell to specify the default role assignment policy that's applied to new
mailboxes that aren't assigned a license or a role assignment policy when they're created.
Otherwise, all you can do in the EAC or Exchange Online PowerShell is modify the name and description of the
role assignment policy.
Use Exchange Online PowerShell to specify the default role assignment policy
To specify the default role assignment policy, use the following syntax:

Set-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" -IsDefault

This example configures Contoso Users as the default role assignment policy.

Set-RoleAssignmentPolicy -Identity "Contoso Users" -IsDefault

Note: The IsDefault switch is also available on the New-RoleAssignmentPolicy cmdlet.


For detailed syntax and parameter information, see Set-RoleAssignmentPolicy.
How do you know this worked?
To verify that you've successfully modified a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles, select the role assignment policy, and verify the property
values in the details pane or by clicking Edit .
In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following command to verify the property values:

Get-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>" | Format-List Description,AssignedRoles,IsDefault

Remove role assignment policies


You can't remove the role assignment policy that's currently specified as the default. You first need to specify
another role assignment policy as the default before you can delete the policy.
You can't remove a role assignment policy that's assigned to mailboxes. Use the procedures described in the Use
Exchange Online PowerShell to modify role assignment policy assignments on mailboxes section to replace the
role assignment policy that's assigned to mailboxes.
Use the EAC to remove role assignment policies
1. In the EAC, go to Permissions > User roles, select the policy that you want to delete, and then click Delete.
2. In the warning dialog box that appears, click Yes.
Use Exchange Online PowerShell to remove role assignment policies
To remove a role assignment policy, use the following syntax:

Remove-RoleAssignmentPolicy -Identity "<RoleAssignmentPolicyName>"

This example removes the role assignment policy named Contoso Managers.

Remove-RoleAssignmentPolicy -Identity "Contoso Managers"

For detailed syntax and parameter information, see Remove-RoleAssignmentPolicy.


How do you know this worked?
To verify that you've successfully removed a role assignment policy, use either of the following steps:
In the EAC, go to Permissions > User roles and verify the role assignment policy isn't listed.
In Exchange Online PowerShell, run the following command to verify the role assignment policy isn't listed:

Get-RoleAssignmentPolicy | Format-Table Name

View role assignment policy assignments on mailboxes


Use the EAC to view role assignment policy assignments on mailboxes
1. In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit .
2. In the mailbox properties window that opens, click Mailbox features. The role assignment policy is shown
in the Role assignment policy field.
3. When you're finished, click Save.
Use Exchange Online PowerShell to view role assignment policy assignments on mailboxes
To see the role assignment policy assignment on a specific mailbox, use the following syntax:

Get-Mailbox -Identity <MailboxIdentity> | Format-List RoleAssignmentPolicy

This example returns the role assignment policy for the mailbox named Pedro Pizarro.

Get-Mailbox -Identity "Pedro Pizarro" | Format-List RoleAssignmentPolicy

To return all mailboxes that have a specific role assignment policy assigned, use the following syntax:
$<VariableName> = Get-Mailbox -ResultSize unlimited

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<RoleAssignmentPolicyName>'}

This example returns all mailboxes that have the role assignment policy named Contoso Managers assigned.

$Mgrs = Get-Mailbox -ResultSize unlimited

$Mgrs | where {$_.RoleAssignmentPolicy -eq 'Contoso Managers'}

Modify role assignment policy assignments on mailboxes


A mailbox can have only one role assignment policy assigned. The role assignment policy that you assign to the
mailbox will replace the existing role assignment policy that's assigned.
Use the EAC to modify role assignment policy assignments on mailboxes
In the EAC, go to Recipients > Mailboxes, and do one of the following steps:
Individual mailboxes: Select the mailbox > click Edit > click Mailbox features in the window that
opens > click the dropdown next to Role assignment policy > select a new role assignment policy > click
Save.
Multiple mailboxes: Select multiple mailboxes of the same type (for example, User) by selecting a
mailbox, holding down the Shift key, and select another mailbox farther down in the list or by holding down
the CTRL key as you select each mailbox. In the details pane (that's now titled Bulk Edit): click More
options > click Update under Role Assignment Policy > select the role assignment policy in the window
that appears > click Save.
Use Exchange Online PowerShell to modify role assignment policy assignments on mailboxes
To change the role assignment policy assignment on a specific mailbox, use this syntax:

Set-Mailbox -Identity <MailboxIdentity> -RoleAssignmentPolicy "<RoleAssignmentPolicyName>"

This example applies the role assignment policy named Contoso Managers to the mailbox named Pedro Pizarro.

Set-Mailbox -Identity "Pedro Pizarro" -RoleAssignmentPolicy "Contoso Managers"

To change the assignment for all mailboxes that have a specific role assignment policy assigned, use the following
syntax:

$<VariableName> = Get-Mailbox -ResultSize unlimited

$<VariableName> | where {$_.RoleAssignmentPolicy -eq '<CurrentRoleAssignmentPolicyName>'} | Set-Mailbox -RoleAssignmentPolicy '<NewRoleAssignmentPolicyName>'

This example changes the role assignment policy from Default Role Assignment Policy to Contoso Staff for all
mailboxes that currently have Default Role Assignment Policy assigned.
$Users = Get-Mailbox -ResultSize unlimited

$Users | where {$_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy'} | Set-Mailbox -RoleAssignmentPolicy 'Contoso Staff'

How do you know this worked?


To verify that you've successfully modified the role assignment policy assignment on a mailbox, use any of the
following steps:
In the EAC, go to Recipients > Mailboxes > select the mailbox > click Edit > click Mailbox features
in the window that opens and verify the value in the Role assignment policy field.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the RoleAssignmentPolicy property value:

Get-Mailbox -Identity <MailboxIdentity> | Format-List RoleAssignmentPolicy

In Exchange Online PowerShell, replace <RoleAssignmentPolicyName> with the name of the role
assignment policy, and run the following commands to verify the mailboxes that have the policy assigned:

$X = Get-Mailbox -ResultSize unlimited

$X | where {$_.RoleAssignmentPolicy -eq '<RoleAssignmentPolicyName>'}


Security and compliance for Exchange Online
3/4/2019 • 3 minutes to read

Email has become a reliable and ubiquitous communication medium for information workers in organizations of
all sizes. Messaging stores and mailboxes have become repositories of valuable data. It's important for
organizations to formulate messaging policies that dictate the fair use of their messaging systems, provide user
guidelines for how to act on the policies, and where required, provide details about the types of communication
that may not be allowed.
Organizations must also create policies to manage email lifecycle, retain messages for the length of time based on
business, legal, and regulatory requirements, preserve email records for litigation and investigation purposes, and
be prepared to search and provide the required email records to fulfill eDiscovery requests.
Your organization must also protect against leakage of sensitive information that it collects or handles, such as
intellectual property, trade secrets, business plans, and personally identifiable information (PII).

Security and compliance in Exchange Online


The following table provides an overview of the security and compliance features in Exchange Online and includes
links to topics that will help you learn about and manage these features.

| FEATURE | DESCRIPTION |
| --- | --- |
| Archive mailboxes in Exchange Online | Archive mailboxes (called In-Place Archiving) let people in your Office 365 organization take control of messaging data by providing additional email storage. People can use Outlook or Outlook Web App to view messages in their archive mailbox and move or copy messages between their primary and archive mailboxes. |
| In-Place Hold and Litigation Hold | In-Place Hold and Litigation Hold allow you to preserve or archive mailbox content for compliance and eDiscovery. |
| In-Place eDiscovery | In-Place eDiscovery allows authorized compliance officers in your organization to search mailbox data across your Exchange organization, preview search results, copy them to a Discovery mailbox or export them to a .pst file. |
| Inactive mailboxes in Exchange Online | You can preserve the contents of deleted mailboxes indefinitely by using inactive mailboxes. You can make an inactive mailbox by placing an In-Place Hold or a Litigation Hold on the mailbox, and then deleting the corresponding Office 365 user account. In addition to preserving mailbox contents, administrators or compliance officers can use In-Place eDiscovery in Exchange Online or Content Search in the Office 365 Security & Compliance Center to search the contents of an inactive mailbox. |
| Data loss prevention (DLP) | Data loss prevention (DLP) helps you identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in your organization. You can set up DLP policies to notify users that they are sending sensitive information or block the transmission of sensitive information. |
| Exchange auditing reports | You can use the auditing functionality in Exchange Online to track changes made to your Exchange Online configuration by Microsoft and by your organization's administrators, and to audit mailbox access by persons other than the mailbox owner. In Exchange Online, audited actions are recorded and available to view in an online report or export to a file. |
| Messaging records management (MRM) | Messaging records management (MRM) helps your organization manage email lifecycle to meet business and regulatory requirements and reduce the legal risks associated with email. In Exchange Online, you can use In-Place Hold or Litigation Hold to preserve email and Retention tags and retention policies to archive and delete email. |
| Information Rights Management in Exchange Online | Information Rights Management (IRM) helps you and your users control who can access, forward, print, or copy sensitive data within an email. IRM can use your on-premises Active Directory Rights Management Services (AD RMS) server. |
| Office 365 Message Encryption | Office 365 Message Encryption allows you to send encrypted messages to people inside or outside your organization, regardless of the destination email service, whether it's Outlook.com, Yahoo, Gmail, or another service. Designated recipients can send encrypted replies. Office 365 Message Encryption combines email encryption and rights management capabilities. Rights management capabilities are powered by Azure Information Protection. |
| S/MIME for Message Signing and Encryption | Secure/Multipurpose Internet Mail Extensions (S/MIME) allows email users to help protect sensitive information by sending signed and encrypted email within their organization. As an administrator, you can enable S/MIME-based security for your organization if you have mailboxes in either Exchange Server or Exchange Online. |
| Journaling in Exchange Online | Journaling can help you meet legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. In Exchange Online, you can create journal rules to deliver journal reports to your on-premises mailbox or archiving system, or to an external archiving service. |
| Mail flow rules (transport rules) in Exchange Online | You can use mail flow rules (also known as transport rules) to inspect messages sent or received by your users and take actions such as blocking or bouncing a message, holding it for review by a manager or an administrator or delivering a copy to another recipient if the message matches specified conditions. |

Modify archive policies
3/4/2019 • 4 minutes to read

In Exchange Online, you can use archive policies to automatically move mailbox items to personal (on-premises) or
cloud-based archives. Archive policies are retention tags that use the Move to Archive retention action.
Exchange Setup creates a retention policy called Default MRM Policy. This policy has a default policy tag (DPT)
assigned that moves items to the archive mailbox after two years. The policy also includes a number of personal
tags that users can apply to folders or mailbox items to automatically move or delete messages. If a mailbox
doesn't have a retention policy assigned when it's archive-enabled, the Default MRM Policy is automatically
applied to it by Exchange. You can also create your own archive and retention policies and apply them to mailbox
users. To learn more, see Retention tags and retention policies.
You can modify retention tags included in the default policy to meet your business requirements. For example, you
can modify the archive DPT to move items to the archive after three years instead of two. You can also create
additional personal tags and either add them to a retention policy, including the Default MRM Policy, or allow
users to add personal tags to their mailboxes from Outlook Web App Options.
For additional management tasks related to archives, see Enable or disable an archive mailbox in Exchange Online.

NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an archive
policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by the
hold.

What do you need to know before you begin?


Estimated time to completion: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and
compliance permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to modify the default archive policy


1. Navigate to Compliance management > Retention tags and then.
2. In the list view, select the tag Default 2 year move to archive and then click Edit .
TIP
You can click the TYPE column to sort retention tags by type. The default archive policy is displayed as type Default
and has the Archive retention action. Alternatively, click NAME to sort retention tags by name.

3. In Retention Tag, view or modify the following settings, and then click Save:
Name: Use this box at the top of the page to view or change the tag name.
Retention tag type: This read-only field displays the tag type.
Retention action: Don't modify this field for archive policies.
Retention period: Select one of the following options:
Never: Click this button to disable the tag. If the DPT is disabled, the tag is no longer applied to the mailbox.

IMPORTANT
Items that have a disabled retention tag applied aren't processed by the Mailbox Assistant. If you want to prevent a
tag from being applied to items, we recommend disabling the tag rather than deleting it. When you delete a tag, the
tag configuration is deleted from Active Directory, and the Mailbox Assistant processes all messages to remove the
deleted tag.

NOTE
If a user applies a tag to an item believing the item will never be moved, enabling the tag later may move items the
user wanted to retain in the primary mailbox.

When the item reaches the following age (in days): Click this button to specify that items be moved to
archive after a certain period. By default, this setting is configured to move items to the archive after two
years (730 days). To modify this setting, in the corresponding text box, type the number of days in the
retention period. The range of values is from 1 through 24,855 days.
Comment: Use this box to type a comment that will be displayed to Outlook and Outlook Web App users.

Use Exchange Online PowerShell to modify archive policies


This example modifies the Default 2 year move to archive tag to move items after 1,095 days (3 years).

Set-RetentionPolicyTag "Default 2 year move to archive" -Name "Default 3 year move to archive" -AgeLimitForRetention 1095

This example disables the Default 2 year move to archive tag.

Set-RetentionPolicyTag "Default 2 year move to archive" -RetentionEnabled $false

This example retrieves all archive DPTs and personal tags and disables them.

Get-RetentionPolicyTag | ? {$_.RetentionAction -eq "MoveToArchive"} | Set-RetentionPolicyTag -RetentionEnabled $false

For detailed syntax and parameter information, see Set-RetentionPolicyTag and Get-RetentionPolicyTag.

How do you know this worked?
Use the Get-RetentionPolicyTag cmdlet to retrieve settings of the retention tag.
This command retrieves properties of the Default 2 year move to archive retention tag and pipes the output to the
Format-List cmdlet to display all properties in a list format.

Get-RetentionPolicyTag "Default 2 year move to archive" | Format-List


In-Place Hold and Litigation Hold
3/4/2019

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or Office 365 retention policies in the Office
365 Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-
Place Holds, and creating new In-Place Holds in an Exchange hybrid deployment will still be supported. And, you'll still be
able to place mailboxes on Litigation Hold.

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored
information (ESI), including email that's relevant to the case. This expectation often exists before the specifics of
the case are known, and preservation is often broad. Organizations may need to preserve all email related to a
specific topic or all email for certain individuals. Depending on the organization's electronic discovery
(eDiscovery) practices, the following measures can be adopted to preserve email:
End users may be asked to preserve email by not deleting any messages. However, users can still delete
email knowingly or inadvertently.
Automated deletion mechanisms such as messaging records management (MRM) may be suspended.
This could result in large volumes of email cluttering the user mailbox, and thus impacting user
productivity. Suspending automated deletion also doesn't prevent users from manually deleting email.
Some organizations copy or move email to an archive to make sure it isn't deleted, altered, or tampered
with. This increases costs due to the manual efforts required to copy or move messages to an archive, or
third-party products used to collect and store email outside Exchange.
Failure to preserve email can expose an organization to legal and financial risks such as scrutiny of the
organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.
You can use In-Place Hold or Litigation Hold to accomplish the following goals:
Place user mailboxes on hold and preserve mailbox items immutably.
Preserve mailbox items deleted by users or automatic deletion processes such as MRM.
Use query-based In-Place Hold to search for and retain items matching specified criteria.
Preserve items indefinitely or for a specific duration.
Place a user on multiple holds for different cases or investigations.
Keep holds transparent from the user by not having to suspend MRM.
Enable In-Place eDiscovery searches of items placed on hold.

In-Place Hold scenarios


In previous versions of Exchange, the notion of legal hold is to hold all mailbox data for a user indefinitely or until
the hold is removed. In Exchange Online, In-Place Hold includes a new model that allows you to specify the
following parameters:
What to hold: You can specify which items to hold by using query parameters such as keywords, senders
and recipients, start and end dates, and also specify the message types such as email messages or
calendar items that you want to place on hold.
How long to hold: You can specify a duration for items on hold.
Using this new model, In-Place Hold allows you to create granular hold policies to preserve mailbox items in the
following scenarios:
Indefinite hold: The indefinite hold scenario is similar to Litigation Hold. It's intended to preserve
mailbox items so you can meet eDiscovery requirements. During the period of litigation or investigation,
items are never deleted. The duration isn't known in advance, so no end date is configured. To hold all mail
items indefinitely, you don't specify any query parameters or time duration when creating an In-Place
Hold.
Query-based hold: If your organization preserves items based on specified query parameters, you can
use a query-based In-Place Hold. You can specify query parameters such as keywords, start and end dates,
sender and recipient addresses, and message types. After you create a query-based In-Place Hold, all
existing and future mailbox items (including messages received at a later date) that match the query
parameters are preserved.

IMPORTANT
Items that are marked as unsearchable, generally because of failure to index an attachment, are also preserved
because it can't be determined whether they match query parameters. For more details about partially indexed
items, see Partially indexed items in Content Search in Office 365.

Time-based hold: Both In-Place Hold and Litigation Hold allow you to specify a duration of time for
which to hold items. The duration is calculated from the date a mailbox item is received or created.
If your organization requires that all mailbox items be preserved for a specific period, for example 7 years,
you can create a time-based hold so that items on hold are retained for a specific period of time. For
example, consider a mailbox that's placed on a time-based In-Place Hold and has a retention period set to
365 days. If an item in that mailbox is deleted after 300 days from the date it was received, it's held for an
additional 65 days before being permanently deleted. You can use a time-based In-Place Hold in
conjunction with a retention policy to make sure items are preserved for the specified duration and
permanently removed after that period.
You can use In-Place Hold to place a user on multiple holds. When a user is placed on multiple holds, the search
queries from any query-based hold are combined (with OR operators). In this case, the maximum number of
keywords in all query-based holds placed on a mailbox is 500. If there are more than 500 keywords, then all
content in the mailbox is placed on hold (not just that content that matches the search criteria). All content is held
until the total number of keywords is reduced to 500 or less.

In-Place Hold and Litigation Hold


Litigation Hold uses the LitigationHoldEnabled property of a mailbox to place mailbox content on hold.
Whereas In-Place Hold provides granular hold capability based on query parameters and the ability to place
multiple holds, Litigation Hold only allows you to place all items on hold. You can also specify a duration period
to hold items when a mailbox is placed on Litigation Hold. The duration is calculated from the date a mailbox
item is received or created. If a duration isn't set, items are held indefinitely or until the hold is removed.
When a mailbox is placed on one or more In-Place Holds and on Litigation Hold (without a duration period) at
the same time, all items are held indefinitely or until the holds are removed. If you remove Litigation Hold and
the user is still placed on one or more In-Place Holds, items matching the In-Place Hold criteria are held for the
period specified in the hold settings.

NOTE
When you place a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive
mailbox. If you place an on-premises primary mailbox on hold in an Exchange hybrid deployment, the cloud-based archive
mailbox (if enabled) is also placed on hold.

For more information, see:


Place a mailbox on Litigation Hold
Place all mailboxes on hold

Placing a mailbox on In-Place Hold


Authorized users that have been added to the Discovery Management role-based access control (RBAC) role
group or assigned the Legal Hold and Mailbox Search management roles can place mailbox users on In-Place
Hold. You can delegate the task to records managers, compliance officers, or attorneys in your organization's
legal department, while assigning the least privileges. To learn more about assigning the Discovery Management
role group, see Assign eDiscovery permissions in Exchange.
You can use the In-Place eDiscovery & Hold wizard in the Exchange admin center (EAC) or the
New-MailboxSearch and related cmdlets in Exchange Online PowerShell to place a mailbox on In-Place Hold. To
learn more about placing a mailbox on In-Place Hold, see Create or remove an In-Place Hold.
Many organizations require that users be informed when they're placed on hold. Additionally, when a mailbox is
on hold, any retention policies applicable to the mailbox user don't need to be suspended. Because messages
continue to be deleted as expected, users may not notice they're on hold. If your organization requires that users
on hold be informed, you can add a notification message to the mailbox user's RetentionComment property
and use the RetentionUrl property to link to a web page for more information. Outlook 2010 and later displays
the notification and URL in the backstage area. You must use Exchange Online PowerShell to add and manage
these properties for a mailbox.

Placing public folders on hold


In Exchange Online, you can place public folders on hold by using an In-Place Hold. Using Litigation Hold for
public folders isn't supported. When you create an In-Place Hold, the only option is to place a hold on all public
folders in your organization. The result is that an In-Place Hold is placed on all public folder mailboxes.
Additionally, when you place public folders on In-Place Hold, email messages related to the public folder
hierarchy synchronization process are also preserved. This might result in thousands of hierarchy
synchronization related email items being preserved. These messages can fill up the storage quota for the
Recoverable Items folder on public folder mailboxes. To prevent this, you can create a query-based In-Place Hold
and add the following property:value pair to the search query:

NOT(subject:HierarchySync*)

The result is that any message (related to the synchronization of the public folder hierarchy) that contains the
phrase "HierarchySync" in the subject line is not placed on hold.

Holds and the Recoverable Items folder


In-Place Hold and Litigation Hold use the Recoverable Items folder to preserve items. The Recoverable Items
folder replaces the feature informally known as the dumpster in previous versions of Exchange. The Recoverable
Items folder is hidden from the default view of Outlook, Outlook Web App, and other email clients. To learn more
about the Recoverable Items folder, see Recoverable Items folder.
By default, when a user deletes a message from a folder other than the Deleted Items folder, the message is
moved to the Deleted Items folder. This is known as a move. When a user soft deletes an item (accomplished by
pressing the SHIFT and DELETE keys) or deletes an item from the Deleted Items folder, the message is moved to
the Recoverable Items folder, thereby disappearing from the user's view.
Items in the Recoverable Items folder are retained for the deleted item retention period configured for the user's
mailbox. By default, the deleted item retention period is 14 days for Exchange Online mailboxes. You can also
configure a storage quota for the Recoverable Items folder. This protects the organization from a potential denial
of service (DoS) attack due to rapid growth of the Recoverable Items folder. If a mailbox isn't placed on In-Place
Hold or Litigation Hold, items are purged permanently from the Recoverable Items folder on a first in, first out
basis when the Recoverable Items warning quota is exceeded, or the item has resided in the folder for a longer
duration than the deleted item retention period.
The Recoverable Items folder contains the following subfolders used to store deleted items in various sites and
facilitate In-Place Hold and Litigation Hold:
Deletions - Items removed from the Deleted Items folder or soft-deleted from other folders are moved to
the Deletions subfolder and are visible to the user when using the Recover Deleted Items feature in
Outlook and Outlook Web App. By default, items reside in this folder until the deleted item retention
period configured for the mailbox expires.
Purges - When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted
Items tool in Outlook and Outlook Web App), the item is moved to the Purges folder. Items that exceed the
deleted item retention period configured for the mailbox are also moved to the Purges folder. Items in this
folder aren't visible to users if they use the Recover Deleted Items tool. When the Managed Folder
Assistant processes the mailbox, items in the Purges folder are purged from the mailbox. When you place
the mailbox user on Litigation Hold, the Managed Folder Assistant doesn't purge items in this folder.
DiscoveryHold - If a user is placed on an In-Place Hold, deleted items are moved to this folder. When the
Managed Folder Assistant processes the mailbox, it evaluates messages in this folder. Items matching the
In-Place Hold query are retained until the hold period specified in the query. If no hold period is specified,
items are held indefinitely or until the user is removed from the hold.
Versions - When a user is placed on In-Place Hold or Litigation Hold, mailbox items must be protected from
tampering or modification by the user or a process. This is accomplished using a copy-on-write process.
When a user or a process changes specific properties of a mailbox item, a copy of the original item is
saved in the Versions folder before the change is committed. The process is repeated for subsequent
changes. Items captured in the Versions folder are also indexed and returned in eDiscovery searches. After
the hold is removed, copies in the Versions folder are removed by the Managed Folder Assistant.
Properties that trigger copy-on-write

ITEM TYPE                              PROPERTIES THAT TRIGGER COPY-ON-WRITE

Messages (IPM.Note*)                   Subject, Body, Attachments, Senders/Recipients,
Posts (IPM.Post*)                      Sent/Received Dates

Items other than messages and posts    Any change to a visible property, except the following:
                                       Item location (when an item is moved between folders)
                                       Item status change (read or unread)
                                       Changes to retention tag applied to an item

Items in the default folder Drafts     None (items in the Drafts folder are exempt from copy on write)

IMPORTANT
Copy-on-write is disabled for calendar items in the organizer's mailbox when meeting responses are received from
attendees and the tracking information for the meeting is updated. For calendar items and items that have a reminder set,
copy-on-write is disabled for the ReminderTime and ReminderSignalTime properties. Changes to these properties are not
captured by copy-on-write. Changes to RSS feeds aren't captured by copy-on-write.

Although the DiscoveryHold, Purges, and Versions folders aren't visible to the user, all items in the Recoverable
Items folder are indexed by Exchange Search and are discoverable using In-Place eDiscovery. After a mailbox
user is removed from In-Place Hold or Litigation Hold, items in the DiscoveryHold, Purges, and Versions folders
are purged by the Managed Folder Assistant.

Holds and mailbox quotas


Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota. In Exchange Online, the
Recoverable Items folder has its own quota. For Exchange, the default values for the
RecoverableItemsWarningQuota and RecoverableItemsQuota mailbox properties are set to 20 GB and 30 GB
respectively. In Exchange Online, the quota for the Recoverable Items folder (in the user's primary mailbox) is
automatically increased to 100 GB when you place a mailbox on Litigation Hold or In-Place Hold. When the
storage quota for the Recoverable Items folder in the primary mailbox of a mailbox on hold is close to reaching
its limit, you can do the following things:
Enable the archive mailbox and turn on auto-expanding archiving - You can enable an unlimited
storage capacity for the Recoverable Items folder simply by enabling the archive mailbox and then turning
on the auto-expanding archiving feature in Exchange Online. This results in 110 GB for the Recoverable
Items folder in the primary mailbox and an unlimited amount of storage capacity for the Recoverable
Items folder in the user's archive. See how: Enable archive mailboxes in the Office 365 Security &
Compliance Center and Enable unlimited archiving in Office 365.
Notes:
After you enable the archive for a mailbox that's close to exceeding the storage quota for the
Recoverable Items folder, you might want to run the Managed Folder Assistant to manually trigger
the assistant to process the mailbox so that expired items are moved to the Recoverable Items folder
in the archive mailbox. For instructions, see Step 4 in Increase the Recoverable Items quota for
mailboxes on hold.
Note that other items in the user's mailbox might be moved to the new archive mailbox. Consider
telling the user that this might happen after you enable the archive mailbox.
Create a custom retention policy for mailboxes on hold - In addition to enabling the archive mailbox
and auto-expanding archiving for mailboxes on Litigation Hold or In-Place Hold, you might also want to
create a custom MRM retention policy in Exchange Online for mailboxes on hold. This lets you apply a
retention policy to mailboxes on hold that's different from the Default MRM Policy that's applied to
mailboxes that aren't on hold. This lets you apply retention tags that are specifically designed for
mailboxes on hold. This includes creating a new retention tag for the Recoverable Items folder.
For more information, see Increase the Recoverable Items quota for mailboxes on hold.
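
The following script is an added example, not part of the original documentation. It reports how close the Recoverable Items folder of each mailbox on hold is to its quota and lists the size of each subfolder described above. It assumes an active Exchange Online PowerShell session; `$WarnPercent` and the `ConvertTo-ByteCount` helper are hypothetical names introduced for this example.

```powershell
# Added example (not from the original page).
# Assumes you are already connected to Exchange Online PowerShell.
$WarnPercent = 80   # hypothetical alert threshold chosen for this example

# Sizes are returned as text such as "18.2 GB (19,542,101,196 bytes)".
# Extract the exact byte count so the values can be compared numerically.
function ConvertTo-ByteCount {
    param([string]$Size)
    if ($Size -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    return $null   # "Unlimited" or an unexpected format
}

# Mailboxes on Litigation Hold or with at least one In-Place Hold stamped on them.
$held = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 }

$report = foreach ($mbx in $held) {
    $folders = Get-MailboxFolderStatistics -Identity ([string]$mbx.PrimarySmtpAddress) `
        -FolderScope RecoverableItems

    # The root folder's FolderAndSubfolderSize covers every subfolder,
    # so the largest value returned is the total for Recoverable Items.
    $used = ($folders |
        ForEach-Object { ConvertTo-ByteCount ([string]$_.FolderAndSubfolderSize) } |
        Measure-Object -Maximum).Maximum

    $quota   = ConvertTo-ByteCount ([string]$mbx.RecoverableItemsQuota)
    $percent = if ($quota) { [math]::Round(100 * $used / $quota, 1) } else { $null }

    # Per-subfolder sizes (Deletions, Purges, Versions and so on).
    $breakdown = ($folders | ForEach-Object {
        '{0}={1:N2} GB' -f $_.Name, ((ConvertTo-ByteCount ([string]$_.FolderSize)) / 1GB)
    }) -join '; '

    [pscustomobject]@{
        Mailbox        = [string]$mbx.PrimarySmtpAddress
        LitigationHold = $mbx.LitigationHoldEnabled
        InPlaceHolds   = $mbx.InPlaceHolds.Count
        ArchiveStatus  = $mbx.ArchiveStatus
        UsedGB         = [math]::Round($used / 1GB, 2)
        QuotaGB        = if ($quota) { [math]::Round($quota / 1GB, 2) } else { $null }
        PercentUsed    = $percent
        Subfolders     = $breakdown
    }
}

# Full report, fullest mailboxes first.
$report | Sort-Object PercentUsed -Descending |
    Format-Table Mailbox, UsedGB, QuotaGB, PercentUsed, ArchiveStatus -AutoSize

# Mailboxes that need attention before the quota is reached.
$report | Where-Object { $_.PercentUsed -ge $WarnPercent } |
    Format-List Mailbox, PercentUsed, ArchiveStatus, Subfolders
```

Mailboxes listed by the last command are candidates for the archive and retention policy steps described above.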

Holds and email forwarding


Users can use Outlook and Outlook Web App to set up email forwarding for their mailbox. Email forwarding lets
users configure their mailbox to forward email messages sent to their mailbox to another mailbox located in or
outside of their organization. Email forwarding can be configured so that any message sent to the original
mailbox isn't copied to that mailbox and is only sent to the forwarding address.
If email forwarding is set up for a mailbox and messages aren't copied to the original mailbox, what happens if
the mailbox is on hold? The hold settings for the mailbox are checked during the delivery process. If the message
meets the hold criteria for the mailbox, a copy of the message is saved to the Recoverable Items folder. That
means you can use eDiscovery tools to search the original mailbox to find messages that were forwarded to
another mailbox.

Deleting a mailbox on hold


When you delete the corresponding Office 365 account for a mailbox that's been placed on Litigation Hold or In-
Place Hold, the mailbox is converted to an inactive mailbox, which is a type of soft-deleted mailbox. Inactive
mailboxes are used to preserve the contents of a user's mailbox after they leave your organization. Items in an
inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made
inactive. This allows administrators, compliance officers, or records managers to use the Content Search tool in
the Office 365 Security & Compliance Center to access and search the contents of an inactive mailbox. Inactive
mailboxes can't receive email and aren't displayed in your organization's shared address book or other lists. For
more information, see Overview of inactive mailboxes in Office 365.
Create or remove an In-Place Hold
3/29/2019

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place Holds in Exchange Online (in Office 365 and Exchange
Online standalone plans). But later this year or early next year, you won't be able to create new In-Place Holds in Exchange
Online. As an alternative to using In-Place Holds, you can use eDiscovery cases or retention policies in the Office 365
Security & Compliance Center. After we decommission new In-Place Holds, you'll still be able to modify existing In-Place
Holds, and creating new In-Place Holds in Exchange Server and Exchange hybrid deployments will still be supported. And,
you'll still be able to place mailboxes on Litigation Hold.

An In-Place Hold preserves all mailbox content, including deleted items and original versions of modified items.
All such mailbox items are returned in an In-Place eDiscovery search. When you place an In-Place Hold on a user's
mailbox, the contents in the corresponding archive mailbox (if it's enabled) are also placed on hold, and
returned in an eDiscovery search.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place Hold" entry in the Messaging Policy and Compliance Permissions
topic.
To place an Exchange Online mailbox on In-Place Hold, it must be assigned an Exchange Online (Plan 2)
license. If a mailbox is assigned an Exchange Online (Plan 1) license, you would have to assign it a separate
Exchange Online Archiving license to place it on hold.
Depending on your Active Directory topology and replication latency, it may take up to an hour for an In-
Place Hold to take effect.
As previously explained, when you place an In-Place Hold on a user's mailbox, content in the user's archive
mailbox is also placed on hold. If you place an In-Place Hold on an on-premises primary mailbox in an
Exchange hybrid deployment, the cloud-based archive mailbox (if enabled) is also placed on hold.
If a user is placed on multiple In-Place Holds, the search queries from any query-based hold are combined
(with OR operators). In this case, the maximum number of keywords in all query-based holds placed on a
mailbox is 500. If there are more than 500 keywords, then all content in the mailbox is placed on hold (not
just that content that matches the search criteria). All content is held until the total number of keywords is
reduced to 500 or less.
In Exchange Online, the quota for the Recoverable Items folder is automatically increased to 100 GB when
you place an In-Place Hold on a mailbox. The default size of the Recoverable Items folder is 30 GB.
In Exchange Online, you can place an In-Place hold on Office 365 groups. When you place an Office 365
group on hold, the group mailbox is placed on hold; the mailboxes of the group members aren't placed on
hold. For information about Office 365 groups, see Learn about Office 365 groups.

Create an In-Place Hold


Use the EAC to create an In-Place Hold
1. Navigate to Compliance management > In-place eDiscovery & hold.
2. Click New.
3. In In-Place eDiscovery & Hold, on the Name and description page, type a name for the search and an
optional description, and then click Next.
4. On the Mailboxes and Public folders page, choose the content locations that you want to place on hold
and then click Next.

Search all mailboxes: You can't select this option to create an In-Place Hold. You can select this option for
In-Place eDiscovery searches, but to create an In-Place Hold, you must select the specific mailboxes that
you want to place on hold.
Don't search any mailboxes: Select this option when you're creating an In-Place Hold exclusively for
public folders.
Specify mailboxes to search: Select this option and then click Add to select the mailboxes or
distribution groups that you want to place on hold. In Exchange Online, you can also select Office 365
groups to place on hold.
Search all public folders: In Exchange Online, you can select this checkbox to place all public folders in
your organization on hold. As previously explained, to create an In-Place Hold only for public folders, be
sure to select the Don't search any mailboxes option.
5. On the Search query page, complete the following fields, and then click Next:
Include all user mailbox content: Click this button to place all content in selected mailboxes on hold.
Filter based on criteria: Click this button to specify search criteria, including keywords, start and end
dates, sender and recipient addresses, and message types. When you create a query-based hold, only items
that match the search criteria are preserved.
TIP
When you place public folders on In-Place Hold, email messages related to the public folder hierarchy
synchronization process are also preserved. This might result in thousands of hierarchy synchronization related email
items being preserved. These messages can fill up the storage quota for the Recoverable Items folder on public folder
mailboxes. To prevent this, you can create a query-based In-Place Hold and add the following property:value pair
to the search query:

NOT(subject:HierarchySync*)

The result is that any message (related to the synchronization of the public folder hierarchy) that contains the
phrase "HierarchySync" in the subject line is not placed on hold.

6. On the In-Place Hold settings page, select the Place content matching the search query in selected
mailboxes on hold check box and then select one of the following options:
Hold indefinitely: Click this button to place items returned by the search on an indefinite hold. Items on
hold will be preserved until you remove the mailbox from the search or remove the search.
Specify number of days to hold items relative to their received date: Click this button to hold items
for a specific period. For example, you can use this option if your organization requires that all messages be
retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to
make sure items are deleted in seven years. To learn more about retention polices, see Retention tags and
retention policies.
Use Exchange Online PowerShell to create an In-Place Hold
This example creates an In-Place Hold named Hold-CaseId012 and adds the mailbox joe@contoso.com to the
hold.

IMPORTANT
If you don't specify additional search parameters for an In-Place Hold, all items in the specified source mailboxes are placed
on hold. If you don't specify the ItemHoldPeriod parameter, items are placed on hold indefinitely or until the mailbox is
either removed from hold or the hold is deleted.

New-MailboxSearch "Hold-CaseId012" -SourceMailboxes "joe@contoso.com" -InPlaceHoldEnabled $true

For detailed syntax and parameter information, see New-MailboxSearch.


How do you know this worked?
To verify that you have successfully created the In-Place Hold, do one of the following:
Use the EAC to verify that the In-Place Hold is listed in the list view of the In-place eDiscovery & hold
tab.
Use the Get-MailboxSearch cmdlet to retrieve the mailbox search and check the search parameters. For
an example of how to retrieve a mailbox search, see the examples in Get-MailboxSearch.
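
The following script is an added example, not part of the original documentation. It goes beyond the single-mailbox hold shown above by creating a query-based, time-based In-Place Hold and then checking both the search object and each source mailbox. The hold name, keywords, dates, second mailbox and the 2,555-day period (about seven years) are constructed values.

```powershell
# Added example (not from the original page).
# Assumes an Exchange Online PowerShell session opened by a user who holds
# the Legal Hold and Mailbox Search management roles.
# Constructed values: hold name, custodians, keywords, dates, hold period.
$holdName   = 'Hold-CaseId013'
$custodians = 'joe@contoso.com', 'ann@contoso.com'

$holdParams = @{
    Name               = $holdName
    SourceMailboxes    = $custodians
    SearchQuery        = '"Project Falcon" OR "PRJ-0042"'   # omit to hold all items
    StartDate          = [datetime]'2018-01-01'
    EndDate            = [datetime]'2018-12-31'
    MessageTypes       = 'Email'
    ItemHoldPeriod     = 2555                               # omit to hold indefinitely
    InPlaceHoldEnabled = $true
}
New-MailboxSearch @holdParams | Out-Null

# 1. Confirm the search object carries the settings that were intended.
$search = Get-MailboxSearch -Identity $holdName
$search | Format-List Name, InPlaceHoldEnabled, InPlaceHoldIdentity,
    ItemHoldPeriod, SearchQuery, StartDate, EndDate, SourceMailboxes

if (-not $search.InPlaceHoldEnabled) {
    Write-Warning "$holdName exists but the hold is not enabled; nothing is being preserved."
}
if ([string]::IsNullOrWhiteSpace($search.SearchQuery)) {
    Write-Warning "$holdName has no query; all items in the source mailboxes are on hold."
}

# 2. Confirm the hold identity is stamped on each source mailbox.
#    This can take up to an hour to appear, so a False result right after
#    creation is not necessarily a failure.
foreach ($custodian in $custodians) {
    $mbx = Get-Mailbox -Identity $custodian
    [pscustomobject]@{
        Mailbox        = [string]$mbx.PrimarySmtpAddress
        HoldStamped    = $mbx.InPlaceHolds -contains $search.InPlaceHoldIdentity
        TotalHolds     = $mbx.InPlaceHolds.Count
        LitigationHold = $mbx.LitigationHoldEnabled
    }
}
```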

Remove an In-Place Hold


IMPORTANT
In Exchange Server, mailbox searches can be used for an In-Place Hold and In-Place eDiscovery. You can't remove a mailbox
search that's used for In-Place Hold. You must first disable the In-Place Hold by clearing the Place content matching the
search query in selected mailboxes on hold check box on the In-Place Hold settings page or by setting the
InPlaceHoldEnabled parameter to $false in Exchange Online PowerShell. You can also remove a mailbox by using the
SourceMailboxes parameter specified in the search.

Use the EAC to remove an In-Place Hold


1. Navigate to Compliance management > In-Place eDiscovery & hold.
2. In the list view, select the In-Place Hold you want to remove and then click Edit.
3. In In-Place eDiscovery & Hold properties, on the In-Place Hold page, clear the Place content
matching the search query in selected mailboxes on hold, and then click Save.
4. Select the In-Place Hold again from the list view, and then click Delete.
5. In warning, click Yes to remove the search.
Use Exchange Online PowerShell to remove an In-Place Hold
This example first disables the In-Place Hold named Hold-CaseId012 and then removes the mailbox search.

Set-MailboxSearch "Hold-CaseId012" -InPlaceHoldEnabled $false


Remove-MailboxSearch "Hold-CaseId012"

For detailed syntax and parameter information, see Set-MailboxSearch.


How do you know this worked?
To verify that you have successfully removed an In-Place Hold, do one of the following:
Use the EAC to verify that the In-Place Hold doesn't appear in the list view of the In-place eDiscovery &
hold tab.
Use the Get-MailboxSearch cmdlet to retrieve all mailbox searches and check that the search you
removed is no longer listed. For an example of how to retrieve a mailbox search, see the examples in Get-
MailboxSearch.
In-Place eDiscovery
3/4/2019

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.

If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or
lawsuits), In-Place eDiscovery in Microsoft Exchange Server and Exchange Online can help you perform
discovery searches for relevant content within mailboxes. Exchange Server and Exchange Online also offer
federated search capability and integration with Microsoft SharePoint 2013 and Microsoft SharePoint Online.
Using the eDiscovery Center in SharePoint, you can search for and hold all content related to a case, including
SharePoint 2013 and SharePoint Online websites, documents, file shares indexed by SharePoint (SharePoint
2013 only), mailbox content in Exchange, and archived Lync 2013 content. You can also use In-Place eDiscovery
in an Exchange hybrid environment to search on-premises and cloud-based mailboxes in the same search.

IMPORTANT
In-Place eDiscovery is a powerful feature that allows a user with the correct permissions to potentially gain access to all
messaging records stored throughout the Exchange Server or Exchange Online organization. It's important to control and
monitor discovery activities, including addition of members to the Discovery Management role group, assignment of the
Mailbox Search management role, and assignment of mailbox access permission to discovery mailboxes.

How In-Place eDiscovery works


In-Place eDiscovery uses the content indexes created by Exchange Search. Role Based Access Control (RBAC)
provides the Discovery Management role group to delegate discovery tasks to non-technical personnel, without
the need to provide elevated privileges that may allow a user to make any operational changes to Exchange
configuration. The Exchange admin center (EAC) provides an easy-to-use search interface for non-technical
personnel such as legal and compliance officers, records managers, and human resources (HR) professionals.
Authorized users can perform an In-Place eDiscovery search by selecting the mailboxes, and then specifying
search criteria such as keywords, start and end dates, sender and recipient addresses, and message types. After
the search is complete, authorized users can then select one of the following actions:
Estimate search results: This option returns an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified.
Preview search results: This option provides a preview of the results. Messages returned from each
mailbox searched are displayed.
Copy search results: This option lets you copy messages to a discovery mailbox.
Export search results: After search results are copied to a discovery mailbox, you can export them to a
PST file.
Exchange Search
In-Place eDiscovery uses the content indexes created by Exchange Search. Exchange Search has been retooled to
use Microsoft Search Foundation, a rich search platform that comes with significantly improved indexing and
querying performance and improved search functionality. Because the Microsoft Search Foundation is also used
by other Office products, including SharePoint 2013, it offers greater interoperability and similar query syntax
across these products.
With a single content indexing engine, no additional resources are used to crawl and index mailbox databases for
In-Place eDiscovery when eDiscovery requests are received by IT departments.
In-Place eDiscovery uses Keyword Query Language (KQL), a querying syntax similar to the Advanced Query
Syntax (AQS) used by Instant Search in Microsoft Outlook and Outlook Web App. Users familiar with KQL can
easily construct powerful search queries to search content indexes.
For more information about the file formats indexed by Exchange search, see File Formats Indexed By Exchange
Search.

Discovery Management role group and management roles


For authorized users to perform In-Place eDiscovery searches, you must add them to the Discovery Management
role group. This role group consists of two management roles: the Mailbox Search Role, which allows a user to
perform an In-Place eDiscovery search, and the Legal Hold Role, which allows a user to place a mailbox on
In-Place Hold or litigation hold.
By default, permissions to perform In-Place eDiscovery-related tasks aren't assigned to any user or Exchange
administrators. Exchange administrators who are members of the Organization Management role group can add
users to the Discovery Management role group and create custom role groups to narrow the scope of a discovery
manager to a subset of users. To learn more about adding users to the Discovery Management role group, see
Assign eDiscovery permissions in Exchange.
IMPORTANT
If a user hasn't been added to the Discovery Management role group or isn't assigned the Mailbox Search role, the
In-Place eDiscovery & Hold user interface isn't displayed in the EAC, and the In-Place eDiscovery cmdlets aren't available in
Exchange Online PowerShell.

Auditing of RBAC role changes, which is enabled by default, makes sure that adequate records are kept to track
assignment of the Discovery Management role group. You can use the administrator role group report to search
for changes made to administrator role groups. For more information, see Search the role group changes or
administrator audit logs.

Custom management scopes for In-Place eDiscovery


You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a
subset of mailboxes in your Exchange Server or Exchange Online organization. For example, you might want to
let a discovery manager search only the mailboxes of users in a specific location or department. You do this by
creating a custom management scope that uses a custom recipient filter to control which mailboxes can be
searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties.
For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a
custom scope is distribution group membership. If you use other properties, such as CustomAttributeN,
Department, or PostalCode, the search fails when it's run by a member of the role group that's assigned the
custom scope. For more information, see Create a custom management scope for In-Place eDiscovery searches.
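
The scope described above, as an added example that is not taken from this documentation set: it builds the recipient filter from distribution group membership and binds the scope to a custom role group that holds only the two discovery roles. The group, scope, role group and member names are constructed placeholders.

```powershell
# Added example. Assumes an Exchange PowerShell session with Organization Management rights.
# All names below are constructed placeholders.
$groupName     = 'Ottawa Users'                    # distribution group whose members may be searched
$scopeName     = 'Ottawa eDiscovery Scope'
$roleGroupName = 'Ottawa Discovery Managers'
$managers      = 'discovery.manager@contoso.com'

# The recipient filter has to be built on group membership. The filter takes the
# group's distinguished name, so resolve it first and stop if the group is missing.
$group = Get-DistributionGroup -Identity $groupName -ErrorAction Stop

New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"

# Grant only the two discovery roles, limited to the custom scope.
New-RoleGroup -Name $roleGroupName `
    -Roles 'Mailbox Search', 'Legal Hold' `
    -CustomRecipientWriteScope $scopeName `
    -Members $managers

# Check the result: the stored filter, and the role assignments bound to the scope.
Get-ManagementScope -Identity $scopeName | Format-List Name, RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $roleGroupName |
    Format-Table Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```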

Integration with SharePoint Server and SharePoint Online


Exchange Server and Exchange Online offer integration with SharePoint Server and SharePoint Online, allowing
a discovery manager to use eDiscovery Center in SharePoint to perform the following tasks:
Search and preserve content from a single location: An authorized discovery manager can search and
preserve content across SharePoint and Exchange, including Lync content such as instant messaging
conversations and shared meeting documents archived in Exchange mailboxes.
Case management: eDiscovery Center uses a case management approach to eDiscovery, allowing you to
create cases and search and preserve content across different content repositories for each case.
Export search results: A discovery manager can use eDiscovery Center to export search results. Mailbox
content included in search results is exported to a PST file.
SharePoint also uses Microsoft Search Foundation for content indexing and querying. Regardless of whether a
discovery manager uses the EAC or the eDiscovery Center to search Exchange content, the same mailbox content
is returned.
In on-premises deployments, before you can use eDiscovery Center in SharePoint to search Exchange mailboxes,
you must establish trust between the two applications. In Exchange Server and SharePoint 2013, this is done
using OAuth authentication. For details, see Configure Exchange for SharePoint eDiscovery Center. eDiscovery
searches performed from SharePoint are authorized by Exchange using RBAC. For a SharePoint user to be able
to perform an eDiscovery search of Exchange mailboxes, they must be assigned delegated Discovery
Management permission in Exchange. To be able to preview mailbox content returned in an eDiscovery search
performed using SharePoint eDiscovery Center, the discovery manager must have a mailbox in the same
Exchange organization.
For step-by-step instructions for setting up an eDiscovery Center in an Office 365 organization, see Set up an
eDiscovery Center in SharePoint Online.
eDiscovery in an Exchange hybrid deployment
To successfully perform cross-premises eDiscovery searches in an Exchange Server hybrid organization, you will
have to configure OAuth (Open Authorization) authentication between your Exchange on-premises and Exchange
Online organizations so that you can use In-Place eDiscovery to search on-premises and cloud-based mailboxes.
OAuth authentication is a server-to-server authentication protocol that allows applications to authenticate to each
other.
OAuth authentication supports the following eDiscovery scenarios in an Exchange hybrid deployment:
Search on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes.
Search on-premises and cloud-based mailboxes in the same eDiscovery search.
Search on-premises mailboxes by using the eDiscovery Center in SharePoint Online.
For more information about the eDiscovery scenarios that require OAuth authentication to be configured in an
Exchange hybrid deployment, see Using Oauth Authentication to Support eDiscovery in an Exchange Hybrid
Deployment. For step-by-step instructions for configuring OAuth authentication to support eDiscovery, see
Configure OAuth Authentication Between Exchange and Exchange Online Organizations.

Discovery mailboxes
After you create an In-Place eDiscovery search, you can copy the search results to a target mailbox. The EAC
allows you to select a discovery mailbox as the target mailbox. A discovery mailbox is a special type of mailbox
that provides the following functionality:
Easier and secure target mailbox selection: When you use the EAC to copy In-Place eDiscovery search
results, only discovery mailboxes are made available as a repository in which to store search results. You
don't need to sort through a potentially long list of mailboxes available in the organization. This also
eliminates the possibility of a discovery manager accidentally selecting another user's mailbox or an
unsecured mailbox in which to store potentially sensitive messages.
Large mailbox storage quota: The target mailbox should be able to store a large amount of message
data that may be returned by an In-Place eDiscovery search. By default, discovery mailboxes have a
mailbox storage quota of 50 gigabytes (GB). This storage quota can't be increased.
More secure by default: Like all mailbox types, a discovery mailbox has an associated Active Directory
user account. However, this account is disabled by default. Only users explicitly authorized to access a
discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full
Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't
have mailbox access permissions assigned to any user.
Email delivery disabled: Although visible in Exchange address lists, users can't send email to a discovery
mailbox. Email delivery to discovery mailboxes is prohibited by using delivery restrictions. This preserves
the integrity of search results copied to a discovery mailbox.
Exchange Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You can use
Exchange Online PowerShell to create additional discovery mailboxes. By default, the discovery mailboxes you
create won't have any mailbox access permissions assigned. You can assign Full Access permissions for a
discovery manager to access messages copied to a discovery mailbox. For details, see Create a discovery mailbox.
In-Place eDiscovery also uses a system mailbox with the display name
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} to hold In-Place eDiscovery metadata. System mailboxes aren't visible in the EAC or in
Exchange address lists. In on-premises organizations, before removing a mailbox database where the In-Place
eDiscovery system mailbox is located, you must move the mailbox to another mailbox database. If the mailbox is
removed or corrupted, your discovery managers are unable to perform eDiscovery searches until you re-create
the mailbox. For details, see Re-Create the Discovery System Mailbox.
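
The IMPORTANT note at the start of this topic asks you to monitor three things: membership of the Discovery Management role group, assignment of the Mailbox Search role, and access permissions on discovery mailboxes. The following added example (not part of the original documentation) collects all three, plus recent admin audit log entries for the related cmdlets; the allowlist names and the 30-day window are constructed assumptions.

```powershell
# Added example. Assumes an Exchange PowerShell session whose account can read role groups,
# role assignments, mailbox permissions and the administrator audit log.
# $approved is a constructed allowlist; replace it with the people your organization authorized.
$approved = @('Legal Counsel 1', 'Records Manager 1')
$since    = (Get-Date).AddDays(-30)

# 1. Direct members of the Discovery Management role group that are not on the allowlist.
$unexpectedMembers = Get-RoleGroupMember -Identity 'Discovery Management' |
    Where-Object { $approved -notcontains $_.Name }

# 2. Everyone who effectively holds the Mailbox Search or Legal Hold role through any
#    role group (custom role groups included), with the scope that limits them.
$effectiveHolders = foreach ($role in 'Mailbox Search', 'Legal Hold') {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope
}

# 3. Explicit Full Access grants on every discovery mailbox.
$discoveryAccess = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited |
    ForEach-Object {
        $mailbox = $_
        Get-MailboxPermission -Identity $mailbox.Identity |
            Where-Object {
                ($_.AccessRights -match 'FullAccess') -and
                -not $_.Deny -and -not $_.IsInherited -and
                $_.User -notlike 'NT AUTHORITY\*'
            } |
            Select-Object @{ n = 'Mailbox'; e = { $mailbox.DisplayName } }, User, AccessRights
    }

# 4. Recent admin audit log entries for cmdlets that grant discovery rights or
#    create, modify, start or remove searches.
$watched = 'Add-RoleGroupMember', 'Update-RoleGroupMember', 'New-RoleGroup',
           'New-ManagementRoleAssignment', 'Add-MailboxPermission',
           'New-MailboxSearch', 'Set-MailboxSearch', 'Start-MailboxSearch', 'Remove-MailboxSearch'
$recentChanges = Search-AdminAuditLog -Cmdlets $watched -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded

'--- Discovery Management members not on the allowlist'
$unexpectedMembers | Format-Table Name, RecipientType -AutoSize
'--- Effective holders of Mailbox Search / Legal Hold'
$effectiveHolders | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize
'--- Full Access on discovery mailboxes'
$discoveryAccess | Format-Table -AutoSize
'--- Related admin audit log entries since ' + $since.ToString('u')
$recentChanges | Sort-Object RunDate | Format-Table -AutoSize
```

An empty first table means every direct member is on the allowlist; the second table is the one that also shows people who reach the roles through a custom role group.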

Using In-Place eDiscovery


Users who have been added to the Discovery Management role group can perform In-Place eDiscovery searches.
You can perform a search using the web-based interface in the EAC. This makes it easier for non-technical users
such as records managers, compliance officers, or legal and HR professionals to use In-Place eDiscovery. You can
also use Exchange Online PowerShell to perform a search. For more information, see Create an In-Place
eDiscovery search.

NOTE
In on-premises organizations, you can use In-Place eDiscovery to search mailboxes located on Exchange Server Mailbox
servers. To search mailboxes located on Exchange 2010 Mailbox servers, use Multi-Mailbox Search on an Exchange 2010
server.

In a hybrid deployment, which is an environment where some mailboxes exist on your on-premises Mailbox
servers and some mailboxes exist in a cloud-based organization, you can perform In-Place eDiscovery searches of your
cloud-based mailboxes using the EAC in your on-premises organization. If you intend to copy messages to a discovery
mailbox, you must select an on-premises discovery mailbox. Messages from cloud-based mailboxes that are returned in
search results are copied to the specified on-premises discovery mailbox. To learn more about hybrid deployments, see
Exchange Server Hybrid Deployments.

The In-Place eDiscovery & Hold wizard in the EAC allows you to create an In-Place eDiscovery search and
also use In-Place Hold to place search results on hold. When you create an In-Place eDiscovery search, a search
object is created in the In-Place eDiscovery system mailbox. This object can be manipulated to start, stop, modify,
and remove the search. After you create the search, you can choose to get an estimate of search results, which
includes keyword statistics that help you determine query effectiveness. You can also do a live preview of items
returned in the search, allowing you to view message content, the number of messages returned from each
source mailbox and the total number of messages. You can use this information to further fine-tune your query if
required.
When satisfied with the search results, you can copy them to a discovery mailbox. You can also use the EAC or
Outlook to export a discovery mailbox or some of its content to a PST file.
When creating an In-Place eDiscovery search, you must specify the following parameters:
Name: The search name is used to identify the search. When you copy search results to a discovery
mailbox, a folder is created in the discovery mailbox using the search name and the timestamp to uniquely
identify search results in a discovery mailbox.
Mailboxes: You can choose to search all mailboxes in your Exchange Server or Exchange Online
organization or specify the mailboxes to search. A user's primary and archive mailboxes are included in the
search. If you also want to use the same search to place items on hold, you must specify the mailboxes. You
can specify a distribution group to include mailbox users who are members of that group. Membership of
the group is calculated once when creating the search and subsequent changes to group membership are
not automatically reflected in the search.
In Exchange Online, you can also specify Office 365 groups as a content source so that the group mailbox
is searched (or placed on hold). When you add an Office 365 group to an In-Place eDiscovery search, only
the group mailbox is searched; the mailboxes of the group members aren't searched.
Search query: You can either include all mailbox content from the specified mailboxes or use a search
query to return items that are more relevant to the case or investigation. You can specify the following
parameters in a search query:
Keywords: You can specify keywords and phrases to search message content. You can also use the
logical operators AND, OR, and NOT. Additionally, Exchange Server also supports the NEAR
operator, allowing you to search for a word or phrase that's in proximity to another word or phrase.
To search for an exact match of a multiple word phrase, you must enclose the phrase in quotation
marks. For example, searching for the phrase "plan and competition" returns messages that contain
an exact match of the phrase, whereas specifying plan AND competition returns messages that
contain the words plan and competition anywhere in the message.
Exchange Server also supports the Keyword Query Language (KQL) syntax for In-Place eDiscovery
searches.

NOTE
In-Place eDiscovery does not support regular expressions.

You must capitalize logical operators such as AND and OR for them to be treated as operators
instead of keywords. We recommend that you use explicit parentheses for any query that mixes
multiple logical operators to avoid mistakes or misinterpretations. For example, if you want to
search for messages that contain either WordA or WordB AND either WordC or WordD, you must
use (WordA OR WordB) AND (WordC OR WordD).
Start and End dates: By default, In-Place eDiscovery doesn't limit searches by a date range. To
search messages sent during a specific date range, you can narrow the search by specifying the start
and end dates. If you don't specify an end date, the search will return the latest results every time
you restart it.
Senders and recipients: To narrow down the search, you can specify the senders or recipients of
messages. You can use email addresses, display names, or the name of a domain to search for items
sent to or from everyone in the domain. For example, to find email sent by or sent to anyone at
Contoso, Ltd, specify @contoso.com in the From or the To/cc field in the EAC. You can also
specify @contoso.com in the Senders or Recipients parameters in Exchange Online PowerShell.
Message types: By default, all message types are searched. You can restrict the search by selecting
specific message types such as email, contacts, documents, journal, meetings, notes and Lync
content.
The following screenshot shows an example of a search query in the EAC.
When using In-Place eDiscovery, also consider the following:
Attachments: In-Place eDiscovery searches attachments supported by Exchange Search. For details, see
Default Filters for Exchange Search. In on-premises deployments, you can add support for additional file
types by installing search filters (also known as an iFilter) for the file type on Mailbox servers.
Unsearchable items: Unsearchable items are mailbox items that can't be indexed by Exchange Search.
Reasons they can't be indexed include the lack of an installed search filter for an attached file, a filter error,
and encrypted messages. For a successful eDiscovery search, your organization may be required to include
such items for review. When copying search results to a discovery mailbox or exporting them to a PST file,
you can include unsearchable items. For more information, see Unsearchable Items in Exchange
eDiscovery.
Encrypted items: Because messages encrypted using S/MIME aren't indexed by Exchange Search,
In-Place eDiscovery doesn't search these messages. If you select the option to include unsearchable items in
search results, these S/MIME encrypted messages are copied to the discovery mailbox.
IRM-protected items: Messages protected using Information Rights Management (IRM) are indexed by
Exchange Search and therefore included in the search results if they match query parameters. Messages
must be protected by using an Active Directory Rights Management Services (AD RMS) cluster in the
same Active Directory forest as the Mailbox server. For more information, see Information Rights
Management.
IMPORTANT
When Exchange Search fails to index an IRM-protected message, either due to a decryption failure or because IRM
is disabled, the protected message isn't added to the list of failed items. If you select the option to include
unsearchable items in search results, the results may not include IRM-protected messages that could not be
decrypted.

To include IRM-protected messages in a search, you can create another search to include messages
with .rpmsg attachments. You can use the query string attachment:rpmsg to search all IRM-protected messages
in the specified mailboxes, whether successfully indexed or not. This may result in some duplication of search results
in scenarios where one search returns messages that match the search criteria, including IRM-protected messages
that have been indexed successfully. The search doesn't return IRM-protected messages that couldn't be indexed.

Performing a second search for all IRM-protected messages also includes the IRM-protected messages that were
successfully indexed and returned in the first search. Additionally, the IRM-protected messages returned by the
second search may not match the search criteria such as keywords used for the first search.

De-duplication: When copying search results to a discovery mailbox, you can enable de-duplication of
search results to copy only one instance of a unique message to the discovery mailbox. De-duplication has
the following benefits:
Lower storage requirement and smaller discovery mailbox size due to reduced number of messages
copied.
Reduced workload for discovery managers, legal counsel, or others involved in reviewing search
results.
Reduced cost of eDiscovery, depending on the number of duplicate items excluded from search
results.
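
The query rules above (capitalized operators, explicit parentheses when operators are mixed, quoted phrases, no regular expressions) can be checked before a search is created. The following is an added example, not Microsoft code: Test-DiscoveryQuery is a hypothetical helper, its regular-expression check is a heuristic, and its keyword count only approximates how Exchange counts keywords against the 500-keyword default.

```powershell
# Added example: static checks for an In-Place eDiscovery keyword query.
# Pure string processing; it does not contact Exchange.
function Test-DiscoveryQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$MaxKeywords = 500       # DiscoveryMaxKeywords default from this page
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Quoted phrases are matched literally: check the quotes, then mask the phrases
    # so that words such as "and" inside a phrase are not mistaken for operators.
    if ([regex]::Matches($Query, '"').Count % 2 -ne 0) {
        $findings.Add('Unbalanced quotation marks: a phrase is left open.')
    }
    $bare = [regex]::Replace($Query, '"[^"]*"', ' PHRASE ')

    # Regular expressions are not supported; flag common regex constructs (heuristic).
    if ($bare -match '\\[dwsb]|\[[^\]]+\]|\.\*|\.\+') {
        $findings.Add('Looks like a regular expression, which In-Place eDiscovery does not support.')
    }

    # One set of AND/OR operators per parenthesis level; two different operators
    # in the same set means they are mixed without explicit grouping.
    $levels = New-Object System.Collections.Stack
    $levels.Push((New-Object 'System.Collections.Generic.HashSet[string]'))
    $keywords = 0; $balanced = $true; $mixed = $false

    foreach ($m in [regex]::Matches($bare, '\(|\)|[^\s()]+')) {
        $t = $m.Value
        if ($t -eq '(') {
            $levels.Push((New-Object 'System.Collections.Generic.HashSet[string]'))
        }
        elseif ($t -eq ')') {
            if ($levels.Count -le 1) { $balanced = $false; break }
            if ($levels.Pop().Count -gt 1) { $mixed = $true }
        }
        elseif ($t -cin 'AND', 'OR') { [void]$levels.Peek().Add($t) }
        elseif ($t -cin 'NOT', 'NEAR') { }    # capitalized operator, not a keyword
        elseif ($t -in 'and', 'or', 'not', 'near') {
            # -in ignores case, so reaching this branch means the word is not all capitals.
            $findings.Add("'$t' is not capitalized, so it is searched as a keyword instead of acting as an operator.")
            $keywords++
        }
        else { $keywords++ }
    }
    if ($levels.Count -ne 1) { $balanced = $false }          # an opening parenthesis was never closed
    foreach ($set in $levels) { if ($set.Count -gt 1) { $mixed = $true } }

    if (-not $balanced) { $findings.Add('Unbalanced parentheses.') }
    if ($mixed) { $findings.Add('AND and OR are mixed at the same level; group them with explicit parentheses.') }
    if ($keywords -gt $MaxKeywords) { $findings.Add("About $keywords keywords, above the limit of $MaxKeywords.") }
    $findings
}

# Constructed sample queries.
$samples = @(
    '(WordA OR WordB) AND (WordC OR WordD)',             # clean
    'WordA OR WordB AND WordC',                          # mixed operators, no grouping
    'plan and competition',                              # lowercase operator
    '"plan and competition" AND (budget OR forecast',    # parenthesis left open
    'invoice\d+ OR acct[0-9]+'                           # regular expression syntax
)
foreach ($q in $samples) {
    $result = @(Test-DiscoveryQuery -Query $q)
    if ($result.Count -eq 0) { "OK    $q" } else { "CHECK $q"; $result | ForEach-Object { "      - $_" } }
}
```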

Estimate, preview, and copy search results


After an In-Place eDiscovery search is completed, you can view search result estimates in the Details pane in the
EAC. The estimate includes the number of items returned and the total size of those items. You can also view keyword
statistics, which return details about the number of items returned for each keyword used in the search query. This
information is helpful in determining query effectiveness. If the query is too broad, it may return a much bigger
data set, which could require more resources to review and raise eDiscovery costs. If the query is too narrow, it
may significantly reduce the number of records returned or return no records at all. You can use the estimates
and keyword statistics to fine-tune the query to meet your requirements.

NOTE
In Exchange Server and Exchange Online, keyword statistics also include statistics for non-keyword properties such as dates,
message types, and senders/recipients specified in a search query.

You can also preview the search results to further ensure that messages returned contain the content you're
searching for and further fine-tune the query if required. eDiscovery Search Preview displays the number of
messages returned from each mailbox searched and the total number of messages returned by the search. The
preview is generated quickly without requiring you to copy messages to a discovery mailbox.
After you're satisfied with the quantity and quality of search results, you can copy them to a discovery mailbox.
When copying messages, you have the following options:
Include unsearchable items: For details about the types of items that are considered unsearchable, see
the eDiscovery search considerations in the previous section.
Enable de-duplication: De-duplication reduces the dataset by only including a single instance of a
unique record if multiple instances are found in one or more mailboxes searched.
Enable full logging: By default, only basic logging is enabled when copying items. You can select full
logging to include information about all records returned by the search.
Send me mail when the copy is completed: An In-Place eDiscovery search can potentially return a
large number of records. Copying the messages returned to a discovery mailbox can take a long time. Use
this option to get an email notification when the copying process is completed. For easier access using
Outlook Web App, the notification includes a link to the location in a discovery mailbox where the
messages are copied.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
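
The estimate-then-copy sequence described in this section, as an added example in Exchange PowerShell rather than the EAC (it is not part of the original documentation). The search name, source group, query, dates, recipient address and review ceiling are constructed, and the status values are matched loosely by substring as an assumption about their naming.

```powershell
# Added example. Assumes an Exchange PowerShell session run by a member of Discovery Management.
$name    = 'Case-0001-Finance'                                          # constructed
$query   = '("plan and competition" OR merger) AND (budget OR forecast)'
$ceiling = 50000    # constructed: largest item count you are prepared to copy and review

# 1. Create the search as estimate-only, with keyword statistics. Keyword statistics
#    fail when more than 100 source mailboxes are included (DiscoveryMaxStatsSearchMailboxes).
New-MailboxSearch -Name $name `
    -SourceMailboxes 'DG-Finance' `
    -SearchQuery $query `
    -StartDate ([datetime]'2018-01-01') -EndDate ([datetime]'2018-12-31') `
    -Senders '@contoso.com' `
    -MessageTypes Email `
    -EstimateOnly -IncludeKeywordStatistics

Start-MailboxSearch -Identity $name

# 2. Wait for the estimate, for at most 10 minutes (the default DiscoverySearchTimeoutPeriod).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 20
    $search = Get-MailboxSearch -Identity $name
} while ("$($search.Status)" -match 'InProgress|NotStarted|Queued' -and (Get-Date) -lt $deadline)

$search | Format-List Name, Status, ResultNumberEstimate, ResultSizeEstimate

# 3. Copy only if the estimate finished and the result set is small enough to review.
if ("$($search.Status)" -notmatch 'Succeeded') {
    throw "Estimate did not complete: $($search.Status)"
}
if ($search.ResultNumberEstimate -gt $ceiling) {
    throw "Estimate of $($search.ResultNumberEstimate) items exceeds $ceiling; narrow the query first."
}

# 4. Switch the same search to copy mode: de-duplicated, unsearchable items included,
#    full logging, and a notification when the copy is completed.
Set-MailboxSearch -Identity $name `
    -EstimateOnly $false `
    -IncludeKeywordStatistics $false `
    -TargetMailbox 'Discovery Search Mailbox' `
    -ExcludeDuplicateMessages $true `
    -IncludeUnsearchableItems $true `
    -LogLevel Full `
    -StatusMailRecipients 'discovery.manager@contoso.com'

Start-MailboxSearch -Identity $name
```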

Export search results to a PST file


After search results are copied to a discovery mailbox, you can export the search results to a PST file.

After search results are exported to a PST file, you or other users can open them in Outlook to review or print
messages returned in the search results. For more information, see Export eDiscovery search results to a PST file.

Different search results


Because In-Place eDiscovery performs searches on live data, it's possible that two searches of the same content
sources and using the same search query can return different results. Estimated search results can also be
different from the actual search results that are copied to a discovery mailbox. This can happen even when
rerunning the same search within a short amount of time. There are several factors that can affect the consistency
of search results:
The continual indexing of incoming email because Exchange Search continuously crawls and indexes your
organization's mailbox databases and transport pipeline.
Deletion of email by users or automated processes.
Bulk importing large amounts of email, which takes time to index.
If you do experience dissimilar results for the same search, consider placing mailboxes on hold to preserve
content, running searches during off-peak hours, and allowing time for indexing after importing large amounts of
email.

Logging for In-Place eDiscovery searches


There are two types of logging available for In-Place eDiscovery searches:
Basic logging: Basic logging is enabled by default for all In-Place eDiscovery searches. It includes
information about the search and who performed it. Information captured about basic logging appears in
the body of the email message sent to the mailbox where the search results are stored. The message is
located in the folder created to store search results.
Full logging: Full logging includes information about all messages returned by the search. This
information is provided in a comma-separated value (.csv) file attached to the email message that contains
the basic logging information. The name of the search is used for the .csv file name. This information may
be required for compliance or record-keeping purposes. To enable full logging, you must select the Enable
full logging option when copying search results to a discovery mailbox in the EAC. If you're using
Exchange Online PowerShell, specify the full logging option using the LogLevel parameter.

NOTE
When using Exchange Online PowerShell to create or modify an In-Place eDiscovery search, you can also disable logging.

Besides the search log included when copying search results to a discovery mailbox, Exchange also logs cmdlets
used by the EAC or Exchange Online PowerShell to create, modify or remove In-Place eDiscovery searches. This
information is logged in the admin audit log entries. For details, see Administrator Audit Logging.

In-Place eDiscovery and In-Place Hold


As part of eDiscovery requests, you may be required to preserve mailbox content until a lawsuit or investigation
is disposed. Messages deleted or altered by the mailbox user or any processes must also be preserved. In
Exchange Server, this is accomplished by using In-Place Hold. For details, see In-Place Hold and Litigation Hold.
In Exchange Server, you can use the new In-Place eDiscovery & Hold wizard to search items and preserve
them for as long as they're required for eDiscovery or to meet other business requirements. When using the
same search for both In-Place eDiscovery and In-Place Hold, be aware of the following:
You can't use the option to search all mailboxes. You must select the mailboxes or distribution groups.
You can't remove an In-Place eDiscovery search if the search is also used for In-Place Hold. You must first
disable the In-Place Hold option in a search and then remove the search.

Preserving mailboxes for In-Place eDiscovery


When an employee leaves an organization, it's a common practice to disable or remove the mailbox. After you
disable a mailbox, it is disconnected from the user account but remains in the mailbox database for a certain period, 30
days by default. The Managed Folder Assistant does not process disconnected mailboxes and any retention
policies are not applied during this period. You can't search content of a disconnected mailbox. Upon reaching the
deleted mailbox retention period configured for the mailbox database, the mailbox is purged from the mailbox
database.

IMPORTANT
In Exchange Online, In-Place eDiscovery can search content in inactive mailboxes. Inactive mailboxes are mailboxes that are
placed on In-Place Hold or litigation hold and then removed. Inactive mailboxes are preserved as long as they're placed on
hold. When an inactive mailbox is removed from In-Place Hold or when litigation hold is disabled, it is permanently deleted.
For details, see Manage Inactive Mailboxes in Exchange Online.

In on-premises deployments, if your organization requires that retention settings be applied to messages of
employees who are no longer in the organization or if you may need to retain an ex-employee's mailbox for an
ongoing or future eDiscovery search, do not disable or remove the mailbox. You can take the following steps to
ensure the mailbox can't be accessed and no new messages are delivered to it.
1. Disable the Active Directory user account using Active Directory Users & Computers or other Active
Directory or account provisioning tools or scripts. This prevents mailbox logon using the associated user
account.

IMPORTANT
Users with Full Access mailbox permission will still be able to access the mailbox. To prevent access by others, you
must remove their Full Access permission from the mailbox. For information about how to remove Full Access
mailbox permissions on a mailbox, see Manage permissions for recipients.

2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very
low value, 1 KB for example. This prevents delivery of new mail to and from the mailbox. For details, see
Configure Message Size Limits for a Mailbox.
3. Configure delivery restrictions for the mailbox so nobody can send messages to it. For details, see
Configure message delivery restrictions for a mailbox.

IMPORTANT
You must take the above steps along with any other account management processes required by your organization, but
without disabling or removing the mailbox or removing the associated user account.
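
Steps 1 to 3 above as one on-premises script, an added example that is not part of the original documentation. The alias is constructed, the ActiveDirectory module is assumed to be available alongside the Exchange Management Shell, and restricting accepted senders to the mailbox itself is one assumed way to implement step 3.

```powershell
# Added example. Run in the Exchange Management Shell on-premises.
Import-Module ActiveDirectory

$alias = 'jdoe'                                   # constructed alias of the departed employee
$mbx   = Get-Mailbox -Identity $alias -ErrorAction Stop

# Step 1: block logon with the associated account, but keep the account and the mailbox.
Disable-ADAccount -Identity $mbx.SamAccountName

# Step 1, IMPORTANT note: remove Full Access that other users hold on the mailbox.
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object {
        ($_.AccessRights -match 'FullAccess') -and
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $mbx.Identity -User $_.User `
            -AccessRights FullAccess -Confirm:$false
    }

# Step 2: a very low size limit for messages sent from or received by the mailbox.
Set-Mailbox -Identity $mbx.Identity -MaxSendSize '1KB' -MaxReceiveSize '1KB'

# Step 3: delivery restriction. The only accepted sender is the mailbox itself,
# whose account is now disabled, and senders must be authenticated.
Set-Mailbox -Identity $mbx.Identity `
    -AcceptMessagesOnlyFrom $mbx.DistinguishedName `
    -RequireSenderAuthenticationEnabled $true

# Verify each step.
Get-ADUser -Identity $mbx.SamAccountName | Format-List SamAccountName, Enabled
Get-Mailbox -Identity $mbx.Identity |
    Format-List DisplayName, MaxSendSize, MaxReceiveSize, AcceptMessagesOnlyFrom, RequireSenderAuthenticationEnabled
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { ($_.AccessRights -match 'FullAccess') -and -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny -AutoSize
```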

When planning to implement mailbox retention for messaging retention management (MRM) or In-Place
eDiscovery, you must take employee turnover into consideration. Long-term retention of ex-employee mailboxes
will require additional storage on Mailbox servers and also result in an increase in the size of the Active Directory
database because it requires that the associated user account be retained for the same duration. Additionally, it may also
require changes to your organization's account provisioning and management processes.

In-Place eDiscovery limits and throttling policies


In Exchange Server and Exchange Online, the resources In-Place eDiscovery can consume are controlled using
throttling policies.
The default throttling policy contains the following throttling parameters.

| PARAMETER | DESCRIPTION | DEFAULT VALUE |
|---|---|---|
| DiscoveryMaxConcurrency | The maximum number of In-Place eDiscovery searches that can run at the same time in your organization. | 2. Note: If an eDiscovery search is started while two previous searches are still running, the third search won't be queued and will instead fail. You have to wait until one of the previous searches finishes before you can successfully start a new search. |
| DiscoveryMaxMailboxes | The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search. | Exchange Online: 10,000¹; Exchange Server: 5,000 |
| DiscoveryMaxStatsSearchMailboxes | The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to view keyword statistics. | 100. Note: After you run an eDiscovery search estimate, you can view keyword statistics. These statistics show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics. |
| DiscoveryMaxKeywords | The maximum number of keywords that can be specified in a single In-Place eDiscovery search. | 500 |
| DiscoveryMaxSearchResultsPageSize | The maximum number of items displayed on a single page when previewing In-Place eDiscovery search results. | 200 |
| DiscoverySearchTimeoutPeriod | The number of minutes that an In-Place eDiscovery search will run before it times out. | 10 minutes |

NOTE
¹ If you initiate an eDiscovery search from the eDiscovery Center in SharePoint Online in an Office 365 organization, you
can search a maximum of 1,500 mailboxes in a single search.

In Exchange Server, you can change the default values for these parameters to suit your requirements or create
additional throttling policies and assign them to users with delegated Discovery Management permission. In
Exchange Online, the default values for these throttling parameters can't be changed.
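
The following added example (not part of the original documentation) turns the default limits in the table above into a search plan: it splits a list of source mailboxes into searches that stay within the limits and groups them into waves of at most DiscoveryMaxConcurrency searches. The function name, its parameters and the sample addresses are hypothetical, and it assumes the caller passes individual mailboxes rather than distribution groups.

```powershell
# Added example; Get-DiscoverySearchPlan and its parameters are hypothetical names.
# The values are the defaults listed in the throttling table above.
$DefaultLimits = @{
    DiscoveryMaxConcurrency          = 2
    DiscoveryMaxMailboxes            = 10000  # Exchange Online; the Exchange Server default is 5,000
    DiscoveryMaxStatsSearchMailboxes = 100
    DiscoveryMaxKeywords             = 500
}

function Get-DiscoverySearchPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]   $BaseName,
        [Parameter(Mandatory = $true)] [string[]] $Mailboxes,
        [string[]]  $Keywords = @(),
        [switch]    $NeedKeywordStatistics,
        [hashtable] $Limits = $DefaultLimits   # override for Exchange Server policies
    )

    # Too many keywords cannot be fixed by splitting the mailbox list.
    if ($Keywords.Count -gt $Limits.DiscoveryMaxKeywords) {
        throw "Query uses $($Keywords.Count) keywords; the limit is $($Limits.DiscoveryMaxKeywords)."
    }

    # Keyword statistics are only viewable when a search has at most
    # DiscoveryMaxStatsSearchMailboxes sources; otherwise the per-search cap applies.
    $batchSize = if ($NeedKeywordStatistics) {
        $Limits.DiscoveryMaxStatsSearchMailboxes
    } else {
        $Limits.DiscoveryMaxMailboxes
    }

    $unique = @($Mailboxes | Sort-Object -Unique)
    $plan = @()
    for ($i = 0; $i -lt $unique.Count; $i += $batchSize) {
        $last  = [Math]::Min($i + $batchSize, $unique.Count) - 1
        $index = [int]($i / $batchSize)
        $plan += [pscustomobject]@{
            Name         = '{0}-{1:d2}' -f $BaseName, ($index + 1)
            # Searches in the same wave may run together. A search started while
            # DiscoveryMaxConcurrency searches are running fails instead of queuing,
            # so start the next wave only after the previous one has finished.
            Wave         = [int][Math]::Floor([double]$index / $Limits.DiscoveryMaxConcurrency) + 1
            MailboxCount = $last - $i + 1
            Mailboxes    = @($unique[$i..$last])
        }
    }
    $plan
}

# Constructed sample input: 230 made-up mailbox addresses and two keywords.
$sample = 1..230 | ForEach-Object { 'user{0:d3}@contoso.com' -f $_ }
Get-DiscoverySearchPlan -BaseName 'Discovery-CaseId012' -Mailboxes $sample `
    -Keywords 'Contoso', 'Project A' -NeedKeywordStatistics |
    Select-Object Name, Wave, MailboxCount
```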

In-Place eDiscovery documentation


The following table contains links to topics that will help you learn about and manage In-Place eDiscovery.

| TOPIC | DESCRIPTION |
|---|---|
| Assign eDiscovery permissions in Exchange | Learn how to give a user access to use In-Place eDiscovery in the EAC to search Exchange mailboxes. Adding a user to the Discovery Management role group also allows the person to use the eDiscovery Center in SharePoint 2013 and SharePoint Online to search Exchange mailboxes. |
| Create a discovery mailbox | Learn how to use Exchange Online PowerShell to create a discovery mailbox and assign access permissions. |
| Create an In-Place eDiscovery search | Learn how to create an In-Place eDiscovery search, and how to estimate and preview eDiscovery search results. |
| Message properties and search operators for In-Place eDiscovery | Learn which email message properties can be searched using In-Place eDiscovery. The topic provides syntax examples for each property, information about search operators such as AND and OR, and information about other search query techniques such as using double quotation marks (" ") and prefix wildcards. |
| Search limits for In-Place eDiscovery in Exchange Online | Learn In-Place eDiscovery limits in Exchange Online that help maintain the health and quality of eDiscovery services for Office 365 organizations. |
| Start or Stop an In-Place eDiscovery Search | Learn how to start, stop, and restart eDiscovery searches. |
| Modify an In-Place eDiscovery Search | Learn how to modify an existing eDiscovery search. |
| Copy eDiscovery Search Results to a Discovery Mailbox | Learn how to copy the results of an eDiscovery search to a discovery mailbox. |
| Export eDiscovery search results to a PST file | Learn how to export the results of an eDiscovery search to a PST file. |
| Create a custom management scope for In-Place eDiscovery searches | Learn how to use custom management scopes to limit the mailboxes that a discovery manager can search. |
| Remove an In-Place eDiscovery Search | Learn how to delete an eDiscovery search. |
| Search and Delete Messages | Learn how to use the Search-Mailbox cmdlet to search for and then delete email messages. |
| Reduce the size of a discovery mailbox in Exchange | Use this process to reduce the size of a discovery mailbox that's larger than 50 GB. |
| Delete and re-create the default discovery mailbox in Exchange | Learn how to delete the default discovery mailbox, re-create it, and then reassign permissions to it. Use this procedure if this mailbox has exceeded the 50 GB limit and you don't need the search results. |
| Re-Create the Discovery System Mailbox | Learn how to recreate the discovery system mailbox. This task is applicable only to Exchange Server organizations. |
| Using Oauth Authentication to Support eDiscovery in an Exchange Hybrid Deployment | Learn about the eDiscovery scenarios in an Exchange hybrid deployment that require you to configure OAuth authentication. |
| Configure Exchange for SharePoint eDiscovery Center | Learn how to configure Exchange Server so that you can use the eDiscovery Center in SharePoint 2013 to search Exchange mailboxes. |
| Unsearchable Items in Exchange eDiscovery | Learn about mailbox items that can't be indexed by Exchange Search and are returned in eDiscovery search results as unsearchable items. |

For more information about eDiscovery in Office 365, Exchange Server, SharePoint 2013, and Lync 2013, see the
eDiscovery FAQ.
Assign eDiscovery permissions in Exchange
3/4/2019

If you want users to be able to use Microsoft Exchange Server In-Place eDiscovery, you must first authorize them
by adding them to the Discovery Management role group. Members of the Discovery Management role group
have Full Access mailbox permissions for the Discovery mailbox that's created by Exchange Setup.
CAUTION
Members of the Discovery Management role group can access sensitive message content. Specifically, these
members can use In-Place eDiscovery to search all mailboxes in your Exchange organization, preview messages
(and other mailbox items), copy them to a Discovery mailbox and export the copied messages to a .pst file. In most
organizations, this permission is granted to legal, compliance, or Human Resources personnel.

To learn more about the Discovery Management role group, see Discovery Management. To learn more about
Role Based Access Control (RBAC), see Understanding Role Based Access Control.
Interested in scenarios where this procedure is used? See the following topics:
Create an In-Place eDiscovery search
Create or remove an In-Place Hold

What do you need to know before you begin?


- Estimated time to complete: 1 minute.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
- By default, the Discovery Management role group doesn't contain any members. Administrators with the
  Organization Management role are also unable to create or manage discovery searches without being
  added to the Discovery Management role group.
- In Exchange Server, members of the Organization Management role group can create an In-Place Hold and
  Litigation Hold to place all mailbox content on hold. However, to create a query-based In-Place Hold, the
  user must be a member of the Discovery Management role group or have the Mailbox Search role
  assigned.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.

Use the EAC to add a user to the Discovery Management role group
1. Go to Permissions > Admin roles.
2. In the list view, select Discovery Management and then click Edit.
3. In Role Group, under Members, click Add.
4. In Select Members, select one or more users, click Add, and then click OK.
5. In Role Group, click Save.

Use Exchange Online PowerShell to add a user to the Discovery Management role group
This example adds the user Bsuneja to the Discovery Management role group.

Add-RoleGroupMember -Identity "Discovery Management" -Member Bsuneja

For detailed syntax and parameter information, see Add-RoleGroupMember.

How do you know this worked?


To verify that you've added the user to the Discovery Management role group, do the following:
1. In the EAC, go to Permissions > Admin roles.
2. In the list view, select Discovery Management.
3. In the details pane, verify that the user is listed under Members.
You can also run this command to list the members of the Discovery Management role group.

Get-RoleGroupMember -Identity "Discovery Management"
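
Because the role group is empty by default and its members can read any mailbox, the membership list is worth checking against an approved list on a schedule. The following is an added example, not part of the original documentation: Compare-DiscoveryAccess, the approved names and the sample members are hypothetical, and it assumes that a RecipientType containing "Group" marks a nested group.

```powershell
# Added example; Compare-DiscoveryAccess and all sample data are hypothetical.
function Compare-DiscoveryAccess {
    [CmdletBinding()]
    param(
        # Names approved (for example by legal or compliance) to hold eDiscovery access.
        [string[]] $Approved = @(),
        # Objects with Name and RecipientType, such as the output of Get-RoleGroupMember.
        [object[]] $Members = @()
    )

    $findings = @()
    $memberNames = @($Members | ForEach-Object { $_.Name })

    foreach ($m in $Members) {
        if ($m.RecipientType -like '*Group*') {
            # Assumption: a nested group hides who really has access, so it is
            # reported for manual expansion even if the group name is approved.
            $findings += [pscustomobject]@{ Name = $m.Name; Finding = 'NestedGroup' }
        }
        elseif ($Approved -notcontains $m.Name) {
            $findings += [pscustomobject]@{ Name = $m.Name; Finding = 'NotApproved' }
        }
    }

    foreach ($a in $Approved) {
        if ($memberNames -notcontains $a) {
            # Approved on paper but not in the group: stale list or removed access.
            $findings += [pscustomobject]@{ Name = $a; Finding = 'ApprovedButNotMember' }
        }
    }
    $findings
}

# In a connected Exchange session the input would come from:
#   $members = Get-RoleGroupMember -Identity "Discovery Management"
# The Mailbox Search role can also be assigned outside this role group; review
#   Get-ManagementRoleAssignment -Role "Mailbox Search" -GetEffectiveUsers
# separately for those assignments.

# Constructed sample data so the example runs offline.
$members = @(
    [pscustomobject]@{ Name = 'Bsuneja';        RecipientType = 'UserMailbox' },
    [pscustomobject]@{ Name = 'TempContractor'; RecipientType = 'UserMailbox' },
    [pscustomobject]@{ Name = 'HelpdeskAdmins'; RecipientType = 'MailUniversalSecurityGroup' }
)
$approved = 'Bsuneja', 'LegalCounsel01'

Compare-DiscoveryAccess -Approved $approved -Members $members | Format-Table -AutoSize
```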

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Create an In-Place eDiscovery search
3/29/2019

NOTE
We've postponed the July 1, 2017 deadline for creating new In-Place eDiscovery searches in Exchange Online (in Office 365
and Exchange Online standalone plans). But later this year or early next year, you won't be able to create new searches in
Exchange Online. To create eDiscovery searches, please start using Content Search in the Office 365 Security & Compliance
Center. After we decommission new In-Place eDiscovery searches, you'll still be able to modify existing In-Place eDiscovery
searches, and creating new In-Place eDiscovery searches in Exchange Server and Exchange hybrid deployments will still be
supported.

Use In-Place eDiscovery to search across all mailbox content, including deleted items and original versions of
modified items for users placed on In-Place Hold and Litigation Hold.

What do you need to know before you begin?


- Estimated time to complete: 5 minutes
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "In-Place eDiscovery" entry in the Messaging Policy and Compliance
  Permissions topic.
- To create eDiscovery searches, you have to have an SMTP address in the organization that you're creating
  the searches in. So in Exchange Online, you must have a licensed Exchange Online (Plan 2) mailbox to
  create eDiscovery searches. In an Exchange hybrid organization, your on-premises Exchange mailbox must
  have a corresponding mail user account in your Office 365 organization so that you can search Exchange
  Online mailboxes. Or, if you sign in with an account that only exists in Office 365, such as the tenant
  administrator account, that account must be assigned an Exchange Online (Plan 2) license.
- Exchange Server Setup creates a Discovery mailbox called Discovery Search Mailbox to copy search
  results. The Discovery Search Mailbox is also created by default in Exchange Online. You can create
  additional Discovery mailboxes. For details, see Create a discovery mailbox.
- When you create an In-Place eDiscovery search, messages returned in search results aren't copied
  automatically to a discovery mailbox. After you create the search, you can use the Exchange admin center
  (EAC) to estimate and preview search results or copy them to a discovery mailbox. For details, see:
  - Use the EAC to estimate or preview search results (later in this topic)
  - Copy eDiscovery Search Results to a Discovery Mailbox
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.


Use the EAC to create an In-Place eDiscovery search


As previously explained, to create eDiscovery searches, you have to sign in to a user account that has an SMTP
address in your organization.
1. Go to Compliance management > In-place eDiscovery & hold.
2. Click New.
3. In In-Place eDiscovery & Hold, on the Name and description page, type a name for the search, add an
optional description, and then click Next.
4. On the Mailboxes page, select the mailboxes to search. You can search across all mailboxes or select
specific ones to search. In Exchange Online, you can also select Office 365 groups as a content source for
the search.

IMPORTANT
You can't use the Search all mailboxes option to place all mailboxes on hold. To create an In-Place Hold, you must
select Specify mailboxes to search. For more details, see Create or remove an In-Place Hold.

5. On the Search query page, complete the following fields:
   - Include all user mailbox content: Select this option to place all content in the selected mailboxes on
     hold. If you select this option, you can't specify additional search criteria.
   - Filter based on criteria: Select this option to specify search criteria, including keywords, start and end
     dates, sender and recipient addresses, and message types.

NOTE
The From: and To/Cc/Bcc: fields are connected by an OR operator in the search query that's created when you run
the search. That means any message sent or received by any of the specified users (and that matches the other search
criteria) is included in the search results. The dates are connected by an AND operator.

6. On the In-place hold settings page, you can select the Place content matching the search query in
   selected mailboxes on hold check box, and then select one of the following options to place items on
   In-Place Hold:
   - Hold indefinitely: Select this option to place the returned items on an indefinite hold. Items on hold will
     be preserved until you remove the mailbox from the search or remove the search.
   - Specify number of days to hold items relative to their received date: Use this option to hold items
     for a specific period. For example, you can use this option if your organization requires that all messages be
     retained for at least seven years. You can use a time-based In-Place Hold along with a retention policy to
     make sure items are deleted in seven years.

IMPORTANT
When placing mailboxes or items on In-Place Hold for legal purposes, it is generally recommended to hold items
indefinitely and remove the hold when the case or investigation is completed.

7. Click Finish to save the search and return an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click
Refresh to update the information displayed in the details pane.

Use Exchange Online PowerShell to create an In-Place eDiscovery search

This example creates the In-Place eDiscovery search named Discovery-CaseId012 that searches for items
containing the keywords Contoso and ProjectA and that also meet the following criteria:
- Start date: 1/1/2009
- End date: 12/31/2011
- Source mailbox: DG-Finance
- Target mailbox: Discovery Search Mailbox
- Message types: Email
- Includes unsearchable items in the search statistics
- Log level: Full

IMPORTANT
If you don't specify additional search parameters when running an In-Place eDiscovery search, all items in the specified
source mailboxes are returned in the results. If you don't specify mailboxes to search, all mailboxes in your Exchange or
Exchange Online organization are searched.

New-MailboxSearch "Discovery-CaseId012" -StartDate "01/01/2009" -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

NOTE
When using the StartDate and EndDate parameters, you have to use the date format of mm/dd/yyyy, even if your local
machine settings are configured to use a different date format, such as dd/mm/yyyy. For example, to search for messages
sent between April 1, 2013 and July 1, 2013, you would use 04/01/2013 and 07/01/2013 for the start and end dates.

This example creates an In-Place eDiscovery search named HRCase090116 that searches for email messages sent
by Alex Darrow to Sara Davis in 2015.

New-MailboxSearch "HRCase090116" -StartDate "01/01/2015" -EndDate "12/31/2015" -SourceMailboxes alexd,sarad -SearchQuery 'From:alexd@contoso.com AND To:sarad@contoso.com' -MessageTypes Email -TargetMailbox "Discovery Search Mailbox" -IncludeUnsearchableItems -LogLevel Full

After using Exchange Online PowerShell to create an In-Place eDiscovery search, you have to start the search by
using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the TargetMailbox
parameter. For details, see Copy eDiscovery Search Results to a Discovery Mailbox.
For detailed syntax and parameter information, see New-MailboxSearch.

Use the EAC to estimate or preview search results


After you create an In-Place eDiscovery search, you can use the EAC to get an estimate and preview of the search
results. If you created a new search using the New-MailboxSearch cmdlet, you can use Exchange Online
PowerShell to start the search to get an estimate of the search results. You can't use Exchange Online PowerShell
to preview messages returned in search results.
1. Navigate to Compliance management > In-place eDiscovery & hold.
2. In the list view, select the In-Place eDiscovery search, and then do one of the following:
   - Click Search > Estimate search results to return an estimate of the total size and number of items that
     will be returned by the search based on the criteria you specified. Selecting this option restarts the search
     and performs an estimate.
     Search estimates are displayed in the details pane. Click Refresh to update the information displayed in
     the details pane.
   - Click Preview search results in the details pane to preview the results after the search estimate is
     completed. Selecting this option opens the eDiscovery search preview window. All messages returned
     from the mailboxes that were searched are displayed.

NOTE
The mailboxes that were searched are listed in the right pane in the eDiscovery search preview window. For each
mailbox, the number of items returned and the total size of these items is also displayed. All items returned by the
search are listed in the right pane, and can be sorted by newest or oldest date. Items from each mailbox can't be
displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox,
you can copy the search results and view the items in the discovery mailbox.
Use Exchange Online PowerShell to estimate search results
You can use the EstimateOnly switch to get only an estimate of the search results and not copy the results
to a discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then
you can retrieve the estimated search results by using the Get-MailboxSearch cmdlet.
For example, you would run the following commands to create a new eDiscovery search and then display an
estimate of the search results:

New-MailboxSearch "FY13 Q2 Financial Results" -StartDate "04/01/2013" -EndDate "06/30/2013" -SourceMailboxes "DG-Finance" -SearchQuery '"Financial" AND "Fabrikam"' -EstimateOnly -IncludeKeywordStatistics

Start-MailboxSearch "FY13 Q2 Financial Results"

Get-MailboxSearch "FY13 Q2 Financial Results"

To display specific information about the estimated search results from the previous example, you could run the
following command:

Get-MailboxSearch "FY13 Q2 Financial Results" | Format-List Name,Status,LastRunBy,LastStartTime,LastEndTime,Sources,SearchQuery,ResultSizeEstimate,ResultNumberEstimate,Errors,KeywordHits

More information about eDiscovery searches


- After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export
  those search results to a PST file. For more information, see:
  - Copy eDiscovery Search Results to a Discovery Mailbox
  - Export eDiscovery search results to a PST file
- After you run an eDiscovery search estimate (that includes keywords in the search criteria), you can view
  keyword statistics by clicking View keyword statistics in the details pane for the selected search. These
  statistics show details about the number of items returned for each keyword used in the search query.
  However, if more than 100 source mailboxes are included in the search, an error will be returned if you try
  to view keyword statistics. To view keyword statistics, no more than 100 source mailboxes can be included
  in the search.
- If you use Get-MailboxSearch in Exchange Online to retrieve information about an eDiscovery search,
  you have to specify the name of a search to return a complete list of the search properties; for example,
  Get-MailboxSearch "Contoso Legal Case". If you run the Get-MailboxSearch cmdlet without using any
  parameters, the following properties aren't returned:
  - SourceMailboxes
  - Sources
  - SearchQuery
  - ResultsLink
  - PreviewResultsLink
  - Errors

  The reason is that it requires a lot of resources to return these properties for all eDiscovery searches
  in your organization.
Export eDiscovery search results to a PST file
3/29/2019

You can use the eDiscovery Export tool in the Exchange admin center (EAC) to export the results of an In-Place
eDiscovery search to an Outlook Data File, which is also called a PST file. Administrators can distribute the results
of the search to other people within your organization, such as a human resources manager or records manager,
or to opposing counsel in a legal case. After search results are exported to a PST file, you or other users can open
them in Outlook to review or print messages returned in the search results. PST files can also be opened in third-
party eDiscovery and reporting applications. This topic shows you how to do this, as well as troubleshoot any
issues you might have.

What do you need to know before you begin?


- Estimated time to complete: Time will vary based on the amount and size of the search results that will be
  exported.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "In-Place eDiscovery" entry in the Messaging policy and compliance
  permissions topic.
- The computer you use to export search results to a PST file must meet the following system requirements:
  - 32- or 64-bit versions of Windows 7 and later versions
  - Microsoft .NET Framework 4.7
  - A supported browser:
    - Internet Explorer 10 and later versions
      OR
    - Mozilla Firefox or Google Chrome. If you use either of these browsers, be sure you install the
      ClickOnce extension. To install the ClickOnce add-in, see Mozilla ClickOnce add-ons or ClickOnce
      for Google Chrome.
- You need an active mailbox attached to the account you wish to export.
- Ensure that the local intranet settings are set up correctly in Internet Explorer. Make sure that
  https://*.outlook.com is added to the Local intranet zone.
- Make sure the following URLs are not listed in the Trusted sites zone:
  - https://*.outlook.com
  - https://r4.res.outlook.com
  - https://*.res.outlook.com
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.

Use the Exchange admin center to export In-Place eDiscovery search results to a PST
1. Go to Compliance management > In-place eDiscovery & hold.
2. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click
Export to a PST file.

3. In the eDiscovery PST Export Tool window, do the following:
   - Click Browse to specify the location where you want to download the PST file.
   - Click the Enable deduplication checkbox to exclude duplicate messages. Only a single instance of a
     message will be included in the PST file.
   - Click the Include unsearchable items checkbox to include mailbox items that couldn't be searched (for
     example, messages with attachments of file types that couldn't be indexed by Exchange Search).
     Unsearchable items are exported to a separate PST file.

IMPORTANT
Including unsearchable items when you export eDiscovery search results takes longer when mailboxes contain a lot
of unsearchable items. To reduce the time it takes to export search results and prevent large PST export files,
consider the following recommendations:
- Create multiple eDiscovery searches that each search a smaller number of source mailboxes.
- If you're exporting all mailbox content within a specific date range (by not specifying any
  keywords in the search criteria), then all unsearchable items within that date range will be automatically
  included in the search results. Therefore, don't select the Include unsearchable items checkbox.

4. Click Start to export the search results to a PST file.


A window is displayed that contains status information about the export process.

More information
- You can reduce the size of the PST export file by exporting only the unsearchable items. To do this, create or
  edit a search, specify a start date in the future, and then remove any keywords from the Keywords box.
  This will result in no search results being returned. When you copy or export the search results and select
  the Include unsearchable items checkbox, only the unsearchable items will be copied to the discovery
  mailbox or exported to a PST file.
- If you enable de-duplication, all search results are exported in a single PST file. If you don't enable
  de-duplication, a separate PST file is exported for each mailbox included in the search. And as previously
  stated, unsearchable items are exported to a separate PST file.
- In addition to the PST files that contain the search results, two other files are also exported:
  - A configuration file (.txt file format) that contains information about the PST export request, such as
    the name of the eDiscovery search that was exported, the date and time of the export, whether
    de-duplication and unsearchable items were enabled, the search query, and the source mailboxes that
    were searched.
  - A search results log (.csv file format) that contains an entry for each message returned in the search
    results. Each entry identifies the source mailbox where the message is located. If you've enabled
    de-duplication, this helps you identify all mailboxes that contain a duplicate message.
- The name of the search is the first part of the filename for each file that is exported. Also, the date and time
  of the export request is appended to the filename of each PST file and the results log.
- For more information about de-duplication and unsearchable items, see:
  - Estimate, preview, and copy search results
  - Unsearchable Items in Exchange eDiscovery
- To export eDiscovery search results from the eDiscovery Center in SharePoint or SharePoint Online, see
  Export eDiscovery content and create reports.

Troubleshooting
| SYMPTOM | POSSIBLE CAUSE |
|---|---|
| Cannot export to a PST file. | There is no active mailbox attached to the account. To export the PST, you must have an active account. Your version of Internet Explorer is out of date. Try updating IE to version 10 or later. Or try a different browser. Search criteria entered in the Filter based on criteria query is incorrect. For example, a username is entered instead of an email address. For more information about how to filter based on criteria, see Modify an In-Place eDiscovery search. |
| Unable to export search results on a specific machine. Export works as expected on a different machine. | The wrong Windows credentials were saved in the Credential Manager. Clear your credentials and log in again. |
| eDiscovery PST Export Tool won't start. | Local intranet zone settings aren't set up correctly in Internet Explorer. Make sure that *.outlook.com, *.office365.com, *.sharepoint.com and *.onmicrosoft.com are added to the Local intranet zone trusted sites. To add these sites to the Trusted zone in IE, see Security zones: adding or removing websites. |
Message properties and search operators for In-Place eDiscovery
3/29/2019

This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery
& Hold in Exchange Server and Exchange Online. The topic also describes Boolean search operators and other
search query techniques that you can use to refine eDiscovery search results.
In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword Query Language syntax
reference.

Searchable properties in Exchange


The following table lists email message properties that can be searched using an In-Place eDiscovery search or by
using the New-MailboxSearch or the Set-MailboxSearch cmdlet. The table includes an example of the
property:value syntax for each property and a description of the search results returned by the examples.

| PROPERTY | PROPERTY DESCRIPTION | EXAMPLES | SEARCH RESULTS RETURNED BY THE EXAMPLES |
|---|---|---|---|
| Attachment | The names of files attached to an email message. | attachment:annualreport.ppt; attachment:annual* | Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment. |
| Bcc | The BCC field of an email message.¹ | bcc:pilarp@contoso.com; bcc:pilarp; bcc:"Pilar Pinilla" | All examples return messages with Pilar Pinilla included in the Bcc field. |
| Category | The categories to search. Categories can be defined by users by using Outlook or Outlook Web App. The possible values are: blue, green, orange, purple, red, yellow. | category:"Red Category" | Messages that have been assigned the red category in the source mailboxes. |
| Cc | The CC field of an email message.¹ | cc:pilarp@contoso.com; cc:"Pilar Pinilla" | In both examples, messages with Pilar Pinilla specified in the CC field. |
| From | The sender of an email message.¹ | from:pilarp@contoso.com; from:contoso.com | Messages sent by the specified user or sent from a specified domain. |
| Importance | The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. | importance:high; importance:medium; importance:low | Messages that are marked as high importance, medium importance, or low importance. |
| Kind | The message type to search. Possible values: contacts, docs, email, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail. | kind:email; kind:email OR kind:im OR kind:voicemail | Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria. |
| Participants | All the people fields in an email message; these fields are From, To, CC, and BCC.¹ | participants:garthf@contoso.com; participants:contoso.com | Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain. |
| Received | The date that an email message was received by a recipient. | received:04/15/2014; received>=01/01/2014 AND received<=03/31/2014 | Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014. |
| Recipients | All recipient fields in an email message; these fields are To, CC, and BCC.¹ | recipients:garthf@contoso.com; recipients:contoso.com | Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain. |
| Sent | The date that an email message was sent by the sender. | sent:07/01/2014; sent>=06/01/2014 AND sent<=07/01/2014 | Messages that were sent on the specified date or sent within the specified date range. |
| Size | The size of an item, in bytes. | size>26214400; size:1..1048576 | Messages larger than 25 MB. The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size. |
| Subject | The text in the subject line of an email message. | subject:"Quarterly Financials"; subject:northwind | Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word northwind in the subject line. |
| To | The To field of an email message.¹ | to:annb@contoso.com; to:annb; to:"Ann Beebe" | All examples return messages where Ann Beebe is specified in the To: line. |

NOTE
¹ For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example,
you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.

Supported search operators


Boolean search operators, such as AND and OR, help you define more-precise mailbox searches by including or
excluding specific words in the search query. Other techniques, such as using property operators (such as >= or ..),
quotation marks, parentheses, and wildcards, help you refine eDiscovery search queries. The following table lists
the operators that you can use to narrow or broaden search results.

IMPORTANT
You must use uppercase Boolean operators in a search query. For example, use AND; don't use and. Using lowercase
operators in search queries will return an error.
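
Two input rules on this page are easy to get wrong in scripts: the mm/dd/yyyy format required for StartDate and EndDate regardless of local settings, and the uppercase Boolean operators required in the search query. The following added example (not part of the original documentation) checks both before building a parameter set for New-MailboxSearch. All three function names are hypothetical; the sample values reuse names from the examples on this page.

```powershell
# Added example; ConvertTo-DiscoveryDate, Find-LowercaseOperator and
# New-DiscoverySearchSplat are hypothetical helper names.

function ConvertTo-DiscoveryDate {
    param([Parameter(Mandatory = $true)] [datetime] $Date)
    # Fixed mm/dd/yyyy pattern with the invariant culture, so the local
    # machine's date settings (for example dd/mm/yyyy) never change the output.
    $Date.ToString('MM/dd/yyyy', [System.Globalization.CultureInfo]::InvariantCulture)
}

function Find-LowercaseOperator {
    param([Parameter(Mandatory = $true)] [string] $Query)
    # Blank out quoted phrases so words inside "..." are not treated as operators.
    $bare = [regex]::Replace($Query, '"[^"]*"', '""')
    # Operator words standing alone, or followed by "(" as in NEAR(5).
    # A value such as from:or@contoso.com is not matched because "or" follows ":".
    $pattern = '(?<=^|[\s(])(and|or|not|near)(?=$|[\s()])'
    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    foreach ($m in [regex]::Matches($bare, $pattern, $options)) {
        # -cne is a case-sensitive comparison: report anything not fully uppercase.
        if ($m.Value -cne $m.Value.ToUpperInvariant()) { $m.Value }
    }
}

function New-DiscoverySearchSplat {
    param(
        [Parameter(Mandatory = $true)] [string]   $Name,
        [Parameter(Mandatory = $true)] [string]   $SearchQuery,
        [Parameter(Mandatory = $true)] [datetime] $StartDate,
        [Parameter(Mandatory = $true)] [datetime] $EndDate,
        [Parameter(Mandatory = $true)] [string[]] $SourceMailboxes
    )
    $lower = @(Find-LowercaseOperator -Query $SearchQuery)
    if ($lower.Count -gt 0) {
        throw "Lowercase Boolean operator(s) in query: $($lower -join ', '). Use uppercase."
    }
    if ($EndDate -lt $StartDate) {
        throw 'EndDate is earlier than StartDate.'
    }
    # Hashtable for splatting; EstimateOnly keeps the first run from copying results.
    @{
        Name            = $Name
        SearchQuery     = $SearchQuery
        StartDate       = ConvertTo-DiscoveryDate -Date $StartDate
        EndDate         = ConvertTo-DiscoveryDate -Date $EndDate
        SourceMailboxes = $SourceMailboxes
        EstimateOnly    = $true
    }
}

# Constructed sample input, based on the examples earlier on this page.
$start = [datetime]'2013-04-01'
$end   = [datetime]'2013-06-30'

$splat = New-DiscoverySearchSplat -Name 'FY13 Q2 Financial Results' `
    -SearchQuery '"Financial" AND "Fabrikam"' `
    -StartDate $start -EndDate $end -SourceMailboxes 'DG-Finance'
$splat
# In a connected Exchange session: New-MailboxSearch @splat

# The same request with a lowercase operator is rejected before it reaches Exchange.
try {
    New-DiscoverySearchSplat -Name 'HRCase090116' `
        -SearchQuery 'from:alexd@contoso.com and to:sarad@contoso.com' `
        -StartDate $start -EndDate $end -SourceMailboxes 'alexd', 'sarad'
}
catch {
    "Rejected: $($_.Exception.Message)"
}
```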

| OPERATOR | USAGE | DESCRIPTION |
|---|---|---|
| AND | keyword1 AND keyword2 | Returns messages that include all of the specified keywords or property:value expressions. |
| + | keyword1 +keyword2 +keyword3 | Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1. Note that the query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phrase "keyword1 + keyword2". |
| OR | keyword1 OR keyword2 | Returns messages that include one or more of the specified keywords or property:value expressions. |
| NOT | keyword1 NOT keyword2; NOT from:"Ann Beebe" | Excludes messages specified by a keyword or a property:value expression. For example, NOT from:"Ann Beebe" excludes messages sent by Ann Beebe. |
| - | keyword1 -keyword2 | The same as the NOT operator. This query returns items that contain keyword1 and excludes items that contain keyword2. |
| NEAR | keyword1 NEAR(n) keyword2 | Returns messages with words that are near each other, where n equals the number of words apart. For example, best NEAR(5) worst returns messages where the word "worst" is within five words of "best". If no number is specified, the default distance is eight words. |
| : | property:value | The colon (:) in the property:value syntax specifies that the property value being searched for equals the specified value. For example, recipients:garthf@contoso.com returns any message sent to garthf@contoso.com. |
| < | property<value | Denotes that the property being searched is less than the specified value.¹ |
| > | property>value | Denotes that the property being searched is greater than the specified value.¹ |
| <= | property<=value | Denotes that the property being searched is less than or equal to a specific value.¹ |
| >= | property>=value | Denotes that the property being searched is greater than or equal to a specific value.¹ |

.. property:value1..value2 Denotes that the property being


searched is greater than or equal to
value1 and less than or equal to
value2.1
OPERATOR USAGE DESCRIPTION

"" "fair value" Use double quotation marks (" ") to


subject:"Quarterly Financials" search for an exact phrase or term in
keyword and property:value search
queries.

* cat* Prefix wildcard searches (where the


subject:set* asterisk is placed at the end of a word)
match for zero or more characters in
keywords or property:value queries.
For example, subject:set* returns
messages that contain the word set,
setup, and setting (and other words
that start with "set") in the subject line.

() (fair OR free) AND from:contoso.com Parentheses group together Boolean


(IPO OR initial) AND (stock OR shares) phrases, property:value items, and
(quarterly financials) keywords. For example,
(quarterly financials) returns
items that contain the words quarterly
and financials.

NOTE
1 Use this operator for properties that have date or numeric values.

Unsupported characters in search queries


Unsupported characters in a search query typically cause a search error or return unintended results. Unsupported
characters are often hidden and they're typically added to a query when you copy the query or parts of the query
from other applications (such as Microsoft Word or Microsoft Excel) and copy them to the keyword box on the
query page of In-Place eDiscovery search.
Here's a list of the unsupported characters for an In-Place eDiscovery search query.
Smart quotation marks: Smart single and double quotation marks (also called curly quotes) aren't
supported. Only straight quotation marks can be used in a search query.
Non-printable and control characters: Non-printable and control characters don't represent a written
symbol, such as an alphanumeric character. Examples of non-printable and control characters include
characters that format text or separate lines of text.
Left-to-right and right-to-left marks: These are control characters used to indicate text direction for
left-to-right languages (such as English and Spanish) and right-to-left languages (such as Arabic and Hebrew).
Lowercase Boolean operators: As previously explained, you have to use uppercase Boolean operators, such
as AND and OR, in a search query. Note that the query syntax will often indicate that a Boolean operator is
being used even though lowercase operators might be used; for example,
(WordA or WordB) and (WordC or WordD).

**How to prevent unsupported characters in your search queries?** The best way to prevent unsupported
characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel and
then paste it to a file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in the
Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy and
paste the query from the text file to the keyword query box.
Search tips and tricks
Keyword searches are not case sensitive. For example, cat and CAT return the same results.
A space between two keywords or two property:value expressions is the same as using AND. For example,
from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word
reorganization in the subject line.
Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a
space after the operator. If there is a space, your intended value will just be full-text searched. For example
to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.
When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address,
alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar
Pinilla".
You can use only prefix wildcard searches—for example, cat* or set*. Suffix wildcard searches (*cat) or
substring wildcard searches (*cat*) aren't supported.
When searching a property, use double quotation marks (" ") if the search value consists of multiple words.
For example, subject:budget Q1 returns messages that contain budget in the subject line and that
contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1"
returns all messages that contain budget Q1 anywhere in the subject line.
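
The rules in "Unsupported characters in search queries" and "Search tips and tricks" can be checked on a query before it is pasted into the keyword box. The following is an added example, not Microsoft's code: Test-EDiscoveryQuery and New-QueryFinding are hypothetical names, and the sample query is constructed.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
function New-QueryFinding {
    param([string]$Rule, [int]$Position, [string]$Detail)
    [pscustomobject]@{ Rule = $Rule; Position = $Position; Detail = $Detail }
}

function Test-EDiscoveryQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Query
    )
    process {
        # 1. Character checks: smart quotes, direction marks, control characters.
        for ($i = 0; $i -lt $Query.Length; $i++) {
            $ch   = $Query[$i]
            $code = [int]$ch
            $hex  = 'U+{0:X4}' -f $code
            if ($code -in 0x2018, 0x2019, 0x201C, 0x201D) {
                New-QueryFinding 'SmartQuote' $i "$hex; replace with a straight quotation mark"
            }
            elseif ($code -in 0x200E, 0x200F) {
                New-QueryFinding 'DirectionMark' $i "$hex left-to-right or right-to-left mark"
            }
            elseif ([char]::IsControl($ch) -or
                    [char]::GetUnicodeCategory($ch) -eq [System.Globalization.UnicodeCategory]::Format) {
                New-QueryFinding 'ControlCharacter' $i "$hex non-printable or control character"
            }
        }

        # Blank out straight-quoted phrases (same length, so positions stay valid):
        # words inside an exact phrase are literal text, not operators.
        $blank  = [System.Text.RegularExpressions.MatchEvaluator]{ param($m) ' ' * $m.Length }
        $masked = [regex]::Replace($Query, '"[^"]*"', $blank)

        # 2. Boolean operators must be uppercase.
        $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
        foreach ($m in [regex]::Matches($masked, '\b(and|or|not|near)\b', $ignoreCase)) {
            $upper = $m.Value.ToUpperInvariant()
            if ($m.Value -cne $upper) {
                New-QueryFinding 'LowercaseOperator' $m.Index "'$($m.Value)' should be '$upper'"
            }
        }

        # 3. A space after "property:" turns the value into a plain keyword.
        foreach ($m in [regex]::Matches($masked, '\b([A-Za-z]+):\s+')) {
            New-QueryFinding 'SpaceAfterColon' $m.Index "'$($m.Groups[1].Value):' is followed by a space"
        }

        # 4. Only prefix wildcards (cat*) are supported, not *cat or *cat*.
        foreach ($m in [regex]::Matches($masked, '(?<!\w)\*(?=\w)')) {
            New-QueryFinding 'LeadingWildcard' $m.Index 'suffix or substring wildcard is not supported'
        }
    }
}

# Constructed sample: a query as it might arrive after a paste from a word processor.
$sample = 'subject:' + [char]0x201C + 'budget Q1' + [char]0x201D +
          ' and to: pilarp' + [char]0x200E + ' OR *cat'
$sample | Test-EDiscoveryQuery | Sort-Object Position | Format-Table -AutoSize
```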
Search limits for In-Place eDiscovery in Exchange Online
3/29/2019 • 8 minutes to read

Various types of limits are applied to In-Place eDiscovery searches in Exchange Online and Office 365. These limits help to maintain the
health and quality of services provided to Office 365 organizations. In most cases, you can't modify these limits, but you should be aware of
them so that you can take these limits into consideration when planning, running, and troubleshooting eDiscovery searches.

Source mailbox limits


In-Place eDiscovery has limits on the number of source mailboxes that can be searched in a single search. The following table describes
these limits and suggests alternative ways to work around them. These limits apply to eDiscovery searches created by using the Exchange
admin center (EAC) or Remote Windows PowerShell.

| DESCRIPTION OF LIMIT | LIMIT | MORE INFORMATION AND SUGGESTED WORKAROUNDS |
|---|---|---|
| The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search. | 10,000 | If you have more than 10,000 mailboxes in your organization, you won't be able to use the Search all mailboxes option on the Mailboxes page in the EAC. To search large numbers of mailboxes (up to 10,000 mailboxes total), you can organize users into distribution groups or dynamic distribution groups and then specify a group on the Mailboxes page in the EAC.¹ One workaround for this limit is to use the Compliance Search feature in the Office 365 Compliance Center, which doesn't have a limit for the number of mailboxes that can be searched in a single search. You run a search in the Compliance Center to search all mailboxes in your organization to identify those that contain search results. Then you can use that list of mailboxes as the source mailboxes for an In-Place eDiscovery search in the EAC. For details, see Use Compliance Search in your eDiscovery workflow. |
| The maximum number of mailboxes that can be searched in a single In-Place eDiscovery search that still allows you to view keyword statistics. | 100 | After you run an eDiscovery search estimate, you can view keyword statistics. These statistics show details about the number of items returned for each keyword used in the search query. If more than 100 source mailboxes are included in the search, an error will be returned if you try to view keyword statistics. To view keyword statistics, reduce the number of source mailboxes to 100 or fewer, and then rerun the search estimate. When you're satisfied with the search query, you can add additional source mailboxes to the search and then copy or export the search results. |
| The maximum number of mailboxes that can be placed on In-Place Hold in a single In-Place eDiscovery search. | 10,000 | You can place up to 10,000 mailboxes on In-Place Hold by using a single eDiscovery search. However, if you select the Search all mailboxes option on the Sources page, you won't be able to enable an In-Place Hold for that search. To place a large number of mailboxes on hold using a single In-Place Hold, use distribution groups or dynamic distribution groups to group mailboxes together, and then specify one of those groups on the Mailboxes page in the EAC.¹ A better option for placing a hold on a large number of mailboxes is to use a Litigation Hold. Using lots of single In-Place eDiscovery searches to place mailboxes on hold isn't recommended. For more information, see Place all mailboxes on hold. |

NOTE
¹ Group membership is calculated only when the search or a hold is created. If a user gets added to the group after the search is created, the user's
mailbox won't be added automatically as a source mailbox. You'll have to edit the search and add the mailbox. The same thing applies when a user is
removed from a group that is used to create a search or hold. You'll have to edit the search to remove the mailbox.

Exchange admin center limits


There are also limits when you use the EAC to create and run In-Place eDiscovery searches. These limits are primarily related to the number
of source mailboxes that are displayed in the EAC when you select source mailboxes to search. The following table describes these limits and
suggests alternative ways to work around them.

| DESCRIPTION OF LIMIT | LIMIT | MORE INFORMATION AND SUGGESTED WORKAROUNDS |
|---|---|---|
| The maximum number of mailboxes that are displayed in the mailbox picker for selecting source mailboxes when creating a new In-Place eDiscovery or In-Place Hold search. | 500 | Only 500 mailboxes, distribution groups, and dynamic distribution groups are listed in the mailbox picker to select source mailboxes from when you create a new search. A message is displayed saying that there are more recipients than the ones displayed. Here are some workarounds for this limit: Use the search box to find a mailbox that isn't listed in the mailbox picker. Use distribution groups or dynamic distribution groups to group large numbers of mailboxes together. Then pick the group from the mailbox list or search for it using the search box. Groups are expanded into source mailboxes when you create an eDiscovery search. Select Search all mailboxes on the Mailbox page if your organization has less than 10,000 mailboxes and you're not going to place mailboxes on hold. Use distribution groups or dynamic distribution groups to group users if you want to place more than 500 mailboxes on In-Place Hold. |
| The maximum number of mailboxes that are displayed when editing an In-Place eDiscovery or In-Place Hold search. | 3,000 | Up to 3,000 mailboxes are displayed on the Sources page in the EAC when you edit an In-Place eDiscovery search or hold. To add a mailbox to the list of sources, you can use the search box to find a mailbox that isn't listed in the mailbox picker (a maximum of 500 recipients are listed in the mailbox picker). To remove a mailbox that's listed, you can select it and then click Remove. To remove a mailbox that isn't listed, you have to use Exchange Online PowerShell to remove it. For example, the following commands are run to remove the user Ann Beebe from an In-Place Hold named ContosoHold. `$SourceMailboxes = Get-MailboxSearch "ContosoHold"` `$SourceMailboxes.Sources.Remove("/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=28e3edb87e29422998ec8f3a9annb")` `Set-MailboxSearch "ContosoHold" -SourceMailboxes $SourceMailboxes.Sources` The first command creates a variable that contains the properties of ContosoHold. The second command removes the user Ann Beebe (by specifying the value of the LegacyExchangeDN property) from the list of source mailboxes. The third command edits ContosoHold with the updated list of source mailboxes. To add a user to an In-Place Hold, use the following syntax in the second command in the previous example. `$SourceMailboxes.Sources.Add("<LegacyExchangeDN of the user>")` Note: The Sources property of an In-Place eDiscovery search or an In-Place Hold identifies the source mailboxes by their LegacyExchangeDN property. Because this property uniquely identifies a user mailbox, using the Sources property helps prevent adding or removing the wrong mailbox. This also helps to avoid issues if two mailboxes have the same alias or primary SMTP address. |
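
Because group membership is expanded only when a search or hold is created, and the Sources property then lists mailboxes by LegacyExchangeDN, the two can drift apart. The following added example (not Microsoft's code) compares them; Compare-SearchSourcesToGroup is a hypothetical name, and the sample values are constructed.

```powershell
# Added example (not Microsoft's code). The function name is hypothetical.
function Compare-SearchSourcesToGroup {
    [CmdletBinding()]
    param(
        # LegacyExchangeDN values, as stored in (Get-MailboxSearch <name>).Sources
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]]$Sources,
        # Current group members: objects with Name and LegacyExchangeDN properties
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$GroupMailbox
    )
    # Distinguished names are compared without regard to case.
    $cmp      = [System.StringComparer]::OrdinalIgnoreCase
    $inSearch = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $inGroup  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $Sources) { [void]$inSearch.Add($dn) }

    # Members added to the group after the search or hold was created.
    foreach ($mbx in $GroupMailbox) {
        [void]$inGroup.Add($mbx.LegacyExchangeDN)
        if (-not $inSearch.Contains($mbx.LegacyExchangeDN)) {
            [pscustomobject]@{
                Drift            = 'InGroupNotInSearch'
                Name             = $mbx.Name
                LegacyExchangeDN = $mbx.LegacyExchangeDN
            }
        }
    }

    # Mailboxes still searched or held although the user left the group.
    foreach ($dn in $Sources) {
        if (-not $inGroup.Contains($dn)) {
            [pscustomobject]@{
                Drift            = 'InSearchNotInGroup'
                Name             = $null
                LegacyExchangeDN = $dn
            }
        }
    }
}

# Constructed sample data. In a live session the inputs would come from
#   (Get-MailboxSearch "ContosoHold").Sources
# and, assuming every member of the group is a mailbox, from
#   Get-DistributionGroupMember -Identity "Ottawa Users" -ResultSize Unlimited | Get-Mailbox
$prefix  = '/o=contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn='
$sources = @("${prefix}sample-annb", "${prefix}sample-garthf")
$members = @(
    [pscustomobject]@{ Name = 'Ann Beebe';     LegacyExchangeDN = "${prefix}SAMPLE-ANNB" }
    [pscustomobject]@{ Name = 'Pilar Pinilla'; LegacyExchangeDN = "${prefix}sample-pilarp" }
)
Compare-SearchSourcesToGroup -Sources $sources -GroupMailbox $members | Format-Table -AutoSize
```

Entries reported as InGroupNotInSearch are the ones to add with the Sources.Add syntax shown in the table above.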

Other limits
The following table describes other limits that affect In-Place eDiscovery searches.

| DESCRIPTION OF LIMIT | LIMIT | MORE INFORMATION |
|---|---|---|
| The maximum number of In-Place eDiscovery searches that can run at the same time in your organization. | 2 | If an eDiscovery search is started while two previous searches are still running, the third search won't be queued and will instead fail. You have to wait until one of the running searches is completed before you can successfully start a new search. Also, estimate-only and copy searches are both considered In-Place eDiscovery searches. So, if you are running an estimate-only search and a copy search at the same time, you can't start another search until one of the running searches is completed. However, you can preview or export the search results from another search while two searches are running. |
| The maximum number of keywords that can be specified in a single In-Place eDiscovery search query. | 500 | Boolean operators, such as AND and OR, aren't counted against the total number of keywords. For example, the keyword query `cat AND dog AND bird AND fish` consists of four keywords. |
| The maximum number of items displayed on the search preview page when previewing In-Place eDiscovery search results. | 200 | When you preview search results, the mailboxes that were searched are listed in the right pane on the eDiscovery search preview page. For each mailbox, the number of items returned and the total size of these items are also displayed. Items returned by the search are listed in the right pane. Up to 200 items are displayed on the preview page. Note: Items from each mailbox can't be displayed in the right pane by clicking a mailbox in the left pane. To view the items returned from a specific mailbox, you can copy the search results and view the items in the discovery mailbox. |
| The maximum number of keywords that can be specified in all In-Place Holds placed on a single mailbox. | 500 | If multiple In-Place Holds are placed on a user's mailbox, the maximum number of keywords in all search queries is 500. That's because Exchange Online combines all the keyword search parameters from all In-Place Holds by using the OR operator. If there are more than 500 keywords in the hold queries, then all content in the mailbox is placed on hold (and not just that content that matches the search criteria of any query-based hold). All content is held until the total number of keywords in all In-Place Holds is reduced to 500 or less. Holding all mailbox content is similar in functionality to a Litigation Hold. |
| Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a keyword search query or when using a prefix wildcard and the NEAR operator. | 10,000 | For non-phrase queries we use a special prefix index. This only tells us that a word occurs in a document, not where in the document it occurs. To do a phrase query we need to compare the position within the document for the words in the phrase. This means that we cannot use the prefix index for phrase queries. In this case we are internally expanding the query with all possible words that the prefix expands to (i.e. "time*" can expand to "time OR timer OR times OR timex OR timeboxed OR ..."). 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. For non-phrase terms there is no upper limit. |
Create a discovery mailbox
3/4/2019 • 3 minutes to read

Microsoft Exchange Server Setup creates a discovery mailbox by default. In Exchange Online, a discovery mailbox
is also created by default. Discovery mailboxes are used as target mailboxes for In-Place eDiscovery searches in
the Exchange admin center (EAC). You can create additional discovery mailboxes as required. After you create a
new discovery mailbox, you will have to assign Full Access permissions to the appropriate users so they can
access eDiscovery search results that are copied to the discovery mailbox.
Caution

After a discovery manager copies the results of an eDiscovery search to a discovery mailbox, the mailbox can
potentially contain sensitive information. You should control access to discovery mailboxes and make sure only
authorized users can access them.
For more information, see Discovery mailboxes.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Creating discovery mailboxes" entry in Messaging policy and compliance
permissions topic.
Discovery mailboxes have a mailbox storage quota of 50 gigabytes (GB). This storage quota can't be
increased.
You can't use the EAC to create a discovery mailbox or assign permissions to access it. You have to use
Exchange Online PowerShell. In Office 365, use Remote PowerShell connected to your Exchange Online
organization.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

(Optional) Step 1: Connect to Exchange Online using remote PowerShell
You only need to perform this step if you have an Exchange Online or Office 365 organization. If you have an
Exchange Server organization, go to the next step and run the command in Exchange Online PowerShell.
1. On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the **Windows PowerShell Credential Request** dialog box, type the username and password for an Office 365
global admin account, and then click **OK**.
2. Run the following command.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3. Run the following command.

Import-PSSession $Session

4. To verify that you're connected to your Exchange Online organization, run the following command to get a list
of all the mailboxes in your organization.

Get-Mailbox

For more information or if you have problems connecting to your Exchange Online organization, see Connect to
Exchange Online using remote PowerShell.

Step 2: Create a discovery mailbox


This example creates a discovery mailbox named SearchResults.

New-Mailbox -Name SearchResults -Discovery

For detailed syntax and parameter information, see New-Mailbox.


To display a list of all discovery mailboxes in an Exchange organization, run the following command:

Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

For detailed syntax and parameter information, see Get-Mailbox.

Step 3: Assign permissions to a discovery mailbox


You have to explicitly assign users or groups the necessary permissions to open a discovery mailbox that you've
created. Use the following syntax to assign a user or group permissions to open a discovery mailbox and view
search results:

Add-MailboxPermission <Name of the discovery mailbox> -User <Name of user or group> -AccessRights FullAccess -InheritanceType all

For example, the following command assigns the Full Access permission to the Litigation Managers group, so
members of the group can open the Fabrikam Litigation discovery mailbox.

Add-MailboxPermission "Fabrikam Litigation" -User "Litigation Managers" -AccessRights FullAccess -InheritanceType all

For detailed syntax and parameter information, see Add-MailboxPermission.

More information
By default, members of the Discovery Management role group only have Full Access permission to the
default Discovery Search Mailbox. You will have to explicitly assign the Full Access permission to the
Discovery Management role group if you want members to open a discovery mailbox that you've created.
Although visible in Exchange address lists, users can't send email to a discovery mailbox. Email delivery to
discovery mailboxes is prohibited with delivery restrictions. This preserves the integrity of search results
copied to a discovery mailbox.
A discovery mailbox can't be repurposed or converted to another type of mailbox.
You can remove a discovery mailbox as you would any other type of mailbox.
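
Because a discovery mailbox can hold sensitive search results, it is worth reviewing who holds Full Access against an approved list. The following added example (not Microsoft's code) filters permission entries shaped like Get-MailboxPermission output; Get-UnapprovedDiscoveryAccess is a hypothetical name, and the allow-list and sample entries are constructed.

```powershell
# Added example (not Microsoft's code). The function name is hypothetical.
function Get-UnapprovedDiscoveryAccess {
    [CmdletBinding()]
    param(
        # Entries shaped like Get-MailboxPermission output:
        # Identity, User, AccessRights, IsInherited, Deny
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        # Allow-list: discovery mailbox name -> users or groups approved for Full Access
        [Parameter(Mandatory)] [hashtable]$Approved
    )
    process {
        $user = [string]$Permission.User
        # AccessRights may arrive as an array or as one comma-separated string.
        $hasFullAccess = "$($Permission.AccessRights)" -match '\bFullAccess\b'
        # Skip entries that grant nothing, deny entries, and the mailbox's own SELF entry.
        if (-not $hasFullAccess -or $Permission.Deny -or $user -eq 'NT AUTHORITY\SELF') { return }

        $mailbox = [string]$Permission.Identity
        $allowed = @($Approved[$mailbox])
        if ($allowed -notcontains $user) {
            $reason = 'Not on the approved list'
            if (-not $Approved.ContainsKey($mailbox)) { $reason = 'Mailbox has no approved list' }
            [pscustomobject]@{
                Mailbox     = $mailbox
                User        = $user
                IsInherited = [bool]$Permission.IsInherited
                Reason      = $reason
            }
        }
    }
}

# Constructed allow-list; mailbox and group names follow this article's examples.
$approved = @{
    'Discovery Search Mailbox' = @('Discovery Management')
    'Fabrikam Litigation'      = @('Litigation Managers')
}

# Constructed sample entries. In a live session (assuming Identity resolves to the
# mailbox name used as the allow-list key) the input would come from:
#   Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"} |
#       Get-MailboxPermission
$entries = @(
    [pscustomobject]@{ Identity = 'Discovery Search Mailbox'; User = 'Discovery Management'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Fabrikam Litigation'; User = 'Litigation Managers'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Fabrikam Litigation'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Fabrikam Litigation'; User = 'contoso\sample-helpdesk'
                       AccessRights = 'FullAccess'; IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'SearchResults'; User = 'contoso\sample-admin'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
)
$entries | Get-UnapprovedDiscoveryAccess -Approved $approved | Format-Table -AutoSize
```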
Create a custom management scope for In-Place eDiscovery searches
3/29/2019 • 10 minutes to read

You can use a custom management scope to let specific people or groups use In-Place eDiscovery to search a
subset of mailboxes in your Exchange Online organization. For example, you might want to let a discovery
manager search only the mailboxes of users in a specific location or department. You can do this by creating a
custom management scope. This custom management scope uses a recipient filter to control which mailboxes can
be searched. Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties.
For In-Place eDiscovery, the only property on a user mailbox that you can use to create a recipient filter for a
custom scope is distribution group membership (the actual property name is MemberOfGroup). If you use other
properties, such as CustomAttributeN, Department, or PostalCode, the search fails when it's run by a member of
the role group that's assigned the custom scope.
To learn more about management scopes, see:
Understanding management role scopes
Understanding management role scope filters

What do you need to know before you begin?


Estimated time to complete: 15 minutes
As previously stated, you can only use group membership as the recipient filter to create a custom recipient
filter scope that is intended to be used for eDiscovery. Any other recipient properties can't be used to create
a custom scope for eDiscovery searches. Note that membership in a dynamic distribution group can't be
used either.
Perform steps 1 through 3 to let a discovery manager export the search results for an eDiscovery search
that uses a custom management scope.
If your discovery manager doesn't need to preview the search results, you can skip step 4.
If your discovery manager doesn't need to copy the search results, you can skip step 5.

Step 1: Organize users into distribution groups for eDiscovery


To search a subset of mailboxes in your organization or to narrow the scope of source mailboxes that a discovery
manager can search, you'll need to group the subset of mailboxes into one or more distribution groups. When you
create a custom management scope in step 2, you'll use these distribution groups as the recipient filter to create a
custom management scope. This allows a discovery manager to search only the mailboxes of the users who are
members of a specified group.
You might be able to use existing distribution groups for eDiscovery purposes, or you can create new ones. See
More information at the end of this topic for tips on how to create distribution groups that can be used to scope
eDiscovery searches.

Step 2: Create a custom management scope


Now you'll create a custom management scope that's defined by the membership of a distribution group (using
the MemberOfGroup recipient filter). When this scope is applied to a role group used for eDiscovery, members of
the role group can search the mailboxes of users who are members of the distribution group that was used to
create the custom management scope.
This procedure uses Exchange Online PowerShell commands to create a custom scope named Ottawa Users
eDiscovery Scope. It specifies the distribution group named Ottawa Users for the recipient filter of the custom
scope.
1. Run this command to get and save the properties of the Ottawa Users group to a variable, which is used in the
next command.

$DG = Get-DistributionGroup -Identity "Ottawa Users"

2. Run this command to create a custom management scope based on the membership of the Ottawa Users
distribution group.

New-ManagementScope "Ottawa Users eDiscovery Scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

The distinguished name of the distribution group, which is contained in the variable **$DG**, is used to
create the recipient filter for the new management scope.

Step 3: Create a management role group


In this step, you create a new management role group and assign the custom scope that you created in step 2. Add
the Legal Hold and Mailbox Search roles so that role group members can perform In-Place eDiscovery searches
and place mailboxes on In-Place Hold or Litigation Hold. You can also add members to this role group so they can
search the mailboxes of the members of the distribution group used to create the custom scope in step 2.
In the following examples, the Ottawa Users eDiscovery Managers security group will be added as members of this
role group. You can use either Exchange Online PowerShell or the EAC for this step.
Use Exchange Online PowerShell to create a management role group
Run this command to create a new role group that uses the custom scope created in step 2. The command also
adds the Legal Hold and Mailbox Search roles, and adds the Ottawa Users eDiscovery Managers security group as
members of the new role group.

New-RoleGroup "Ottawa Discovery Management" -Roles "Mailbox Search","Legal Hold" -CustomRecipientWriteScope "Ottawa Users eDiscovery Scope" -Members "Ottawa Users eDiscovery Managers"

Use the EAC to create a management role group


1. In the EAC, go to Permissions > Admin roles, and then click New.
2. In New role group, provide the following information:
Name: Provide a descriptive name for the new role group. For this example, you'd use Ottawa Discovery
Management.
Write scope: Select the custom management scope that you created in step 2. This scope will be applied to
the new role group.
Roles: Click Add, and add the Legal Hold and Mailbox Search roles to the new role group.
Members: Click Add, and select the users, security group, or role groups that you want to add as members
of the new role group. For this example, the members of the Ottawa Users eDiscovery Managers
security group will be able to search only the mailboxes of users who are members of the Ottawa Users
distribution group.
3. Click Save to create the role group.
Here's an example of what the New role group window will look like when you're done.

(Optional) Step 4: Add discovery managers as members of the distribution group used to create the custom management scope
You only need to perform this step if you want to let a discovery manager preview eDiscovery search results.
Run this command to add the Ottawa Users eDiscovery Managers security group as a member of the Ottawa
Users distribution group.

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Users eDiscovery Managers"

You can also use the EAC to add members to a distribution group. For more information, see Create and manage
distribution groups.
(Optional) Step 5: Add a discovery mailbox as a member of the distribution group used to create the custom management scope
You only need to perform this step if you want to let a discovery manager copy eDiscovery search results.
Run this command to add a discovery mailbox named Ottawa Discovery Mailbox as a member of the Ottawa
Users distribution group.

Add-DistributionGroupMember -Identity "Ottawa Users" -Member "Ottawa Discovery Mailbox"

NOTE
To open a discovery mailbox and view the search results, discovery managers must be assigned Full Access permissions for
the discovery mailbox. For more information, see Create a discovery mailbox.

How do you know this worked?


Here are some ways to verify if you've successfully implemented custom management scopes for eDiscovery.
When you verify, be sure that the user running the eDiscovery searches is a member of the role group that uses
the custom management scope.
Create an eDiscovery search, and select the distribution group that was used to create the custom
management scope as the source of mailboxes to be searched. All mailboxes should be successfully
searched.
Create an eDiscovery search, and search the mailboxes of any users who aren't members of the distribution
group that was used to create the custom management scope. The search should fail because the discovery
manager can only search mailboxes for users who are members of the distribution group that was used to
create the custom management scope. In this case, an error such as "Unable to search mailbox <name of
mailbox> because the current user does not have permissions to access the mailbox" will be returned.
Create an eDiscovery search, and search the mailboxes of users who are members of the distribution group
that was used to create the custom management scope. In the same search, include the mailboxes of users
who aren't members. The search should partially succeed. The mailboxes of members of the distribution
group used to create the custom management scope should be successfully searched. The search of
mailboxes for users who aren't members of the group should fail.
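
Before running the test searches above, the scope's recipient filter can be checked for properties other than MemberOfGroup, which this topic says make the search fail. The following added example (not Microsoft's code) works on objects with Name and RecipientFilter properties; Test-EDiscoveryScopeFilter is a hypothetical name, the sample scopes are constructed, and the check doesn't verify whether the referenced group is a dynamic distribution group.

```powershell
# Added example (not Microsoft's code). The function name is hypothetical.
function Test-EDiscoveryScopeFilter {
    [CmdletBinding()]
    param(
        # Objects with Name and RecipientFilter, shaped like Get-ManagementScope output
        [Parameter(Mandatory, ValueFromPipeline)] $Scope
    )
    process {
        $filter = [string]$Scope.RecipientFilter

        # Drop quoted values so text inside a distinguished name is never read as a property.
        $quoted = "'[^']*'" + '|"[^"]*"'
        $bare   = [regex]::Replace($filter, $quoted, "''")

        # Property names are the identifiers on the left of a comparison operator.
        $pattern    = '([A-Za-z_]\w*)\s+-(?:eq|ne|like|notlike|lt|le|gt|ge)\b'
        $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
        $props = @([regex]::Matches($bare, $pattern, $ignoreCase) |
                   ForEach-Object { $_.Groups[1].Value } |
                   Sort-Object -Unique)
        $other = @($props | Where-Object { $_ -ne 'MemberOfGroup' })

        [pscustomobject]@{
            Scope              = $Scope.Name
            UsableForDiscovery = ($props.Count -gt 0 -and $other.Count -eq 0)
            OtherProperties    = $other -join ', '
        }
    }
}

# Constructed sample scopes (the distinguished names are placeholders).
# In a live session the input could come from, for example:
#   Get-ManagementScope "Ottawa Users eDiscovery Scope"
$dn = 'CN=Ottawa Users,OU=sample,DC=contoso,DC=com'
$scopes = @(
    [pscustomobject]@{ Name = 'Ottawa Users eDiscovery Scope'
                       RecipientFilter = "MemberOfGroup -eq '$dn'" }
    [pscustomobject]@{ Name = 'HR eDiscovery Scope (sample)'
                       RecipientFilter = 'Department -eq "HR"' }
    [pscustomobject]@{ Name = 'Mixed eDiscovery Scope (sample)'
                       RecipientFilter = "(MemberOfGroup -eq '$dn') -and (PostalCode -eq '98052')" }
)
$scopes | Test-EDiscoveryScopeFilter | Format-Table -AutoSize
```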

More information
Because distribution groups are used in this scenario to scope eDiscovery searches and not for message
delivery, consider the following when you create and configure distribution groups for eDiscovery:
Create distribution groups with a closed membership so that members can be added to or removed
from the group only by the group owners. If you're creating the group in Exchange Online
PowerShell, use the syntax MemberJoinRestriction closed and MemberDepartRestriction closed .
Enable group moderation so that any message sent to the group is first sent to the group
moderators who can approve or reject the message accordingly. If you're creating the group in
Exchange Online PowerShell, use the syntax ModerationEnabled $true . If you're using the EAC, you
can enable moderation after the group is created.
Hide the distribution group from the organization's shared address book. Use the EAC or the Set-
DistributionGroup cmdlet after the group is created. If you're using Exchange Online PowerShell,
use the syntax HiddenFromAddressListsEnabled $true .
In the following example, the first command creates a distribution group with closed membership
and moderation enabled. The second command hides the group from the shared address book.

New-DistributionGroup -Name "Vancouver Users eDiscovery Scope" -Alias VancouverUserseDiscovery -MemberJoinRestriction closed -MemberDepartRestriction closed -ModerationEnabled $true

Set-DistributionGroup "Vancouver Users eDiscovery Scope" -HiddenFromAddressListsEnabled $true

For more information about creating and managing distribution groups, see Create and manage
distribution groups.
Though you can use only distribution group membership as the recipient filter for a custom management
scope used for eDiscovery, you can use other recipient properties to add users to that distribution group.
Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a specific group
of users based on common user or mailbox attributes.

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "HR"'

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'CustomAttribute15 -eq "VancouverSubsidiary"'

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'PostalCode -eq "98052"'

Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'StateOrProvince -eq "WA"'

Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited -OrganizationalUnit "namsr01a002.sdf.exchangelabs.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com"

You can then use the examples from the previous bullet to create a variable that can be used with the
Add-DistributionGroupMember cmdlet to add a group of users to a distribution group. In the following
example, the first command creates a variable that contains all user mailboxes that have the value
Vancouver for the Department property in their user account. The second command adds these users to
the Vancouver Users distribution group.

$members = Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize unlimited -Filter 'Department -eq "Vancouver"'

$members | ForEach {Add-DistributionGroupMember "Ottawa Users" -Member $_.Name}

You can use the Add-RoleGroupMember cmdlet to add a member to an existing role group that's used to
scope eDiscovery searches. For example, the following command adds the user
admin@ottawa.contoso.com to the Ottawa Discovery Management role group.

Add-RoleGroupMember "Vancouver Discovery Management" -Member paralegal@vancouver.contoso.com


You can also use the EAC to add members to a role group. For more information, see the "Add members to
a role group" section in Manage Role Group Members.
In Exchange Online, a custom management scope used for eDiscovery can't be used to search inactive
mailboxes. This is because an inactive mailbox can't be a member of a distribution group. For example, let's
say that a user is a member of a distribution group that was used to create a custom management scope for
eDiscovery. Then that user leaves the organization and their mailbox is made inactive (by placing a
Litigation Hold or In-Place hold on the mailbox and then deleting the corresponding Office 365 user
account). The result is that the user is removed as a member from any distribution group, including the
group that was used to create the custom management scope used for eDiscovery. If a discovery manager
(who is a member of the role group that's assigned the custom management scope) tries to search the
inactive mailbox, the search will fail. To search inactive mailboxes, a discovery manager must be a member of
the Discovery Management role group or any role group that has permissions to search the entire
organization.
For more information about inactive mailboxes, see Inactive mailboxes in Exchange Online.
Reduce the size of a discovery mailbox in Exchange
3/4/2019 • 7 minutes to read

Have a discovery mailbox that's exceeded the 50 GB limit? You can fix this issue by creating new discovery
mailboxes and copying the search results from the large discovery mailbox to the new ones.

Why would I want to do this?


In Exchange Server and Exchange Online, the maximum size of discovery mailboxes, which are used to store In-
Place eDiscovery search results, is 50 GB. Prior to the current size limit, you were able to increase the storage
quota to more than 50 GB, which resulted in having discovery mailboxes much larger than 50 GB. There are three
issues with discovery mailboxes that are larger than 50 GB:
They're not supported.
They can't be migrated to Office 365.
If they're discovery mailboxes in Exchange Server 2010, they can't be upgraded to later versions.

The process at a glance


Here's a quick look at what you'll need to do to reduce the size of a discovery mailbox that's exceeded the 50 GB
limit:
1. Step 1: Create additional discovery mailboxes to distribute the search results to.
2. Step 2: Copy the search results from the existing discovery mailbox to one or more of the new
discovery mailboxes.
3. Step 3: Delete eDiscovery searches from the original discovery mailbox to reduce its size.
The strategy presented here groups the search results from the original discovery mailbox into separate
eDiscovery searches that are based on date ranges. This is a quick way to copy many search results to a new
discovery mailbox. The following graphic illustrates this approach.
What do you need to know before you begin?
Estimated time to complete this task: Time will vary based on the amount and size of the search results that
will be copied to different discovery mailboxes.
Run the following command to determine the size of the discovery mailboxes in your organization.

Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Get-MailboxStatistics | Format-List DisplayName,TotalItemSize

Determine if you need to keep some or all of the search results from the discovery mailbox that's exceeded
the 50 GB limit. Follow the steps in this topic to retain search results by copying them to a different
discovery mailbox. If you don't need to keep the results of a specific eDiscovery search, you can delete the
search, as explained in step 3. Deleting a search will delete the search results from the discovery mailbox.
If you don't need any of the search results from a discovery mailbox that's exceeded the 50 GB limit, you
can delete it. If this is the default discovery mailbox that was created when your Exchange organization was
provisioned, you can re-create it. For more information, see Delete and re-create the default discovery
mailbox in Exchange.
For current legal cases, you might want to export the results of selected eDiscovery searches to .pst files.
Doing this keeps the results from a specific search intact. In addition to the .pst files that contain the search
results, a search results log (.csv file format) that contains an entry for each message returned in the search
results is also exported. Each entry in this file identifies the source mailbox where the message is located.
For more information, see Export eDiscovery search results to a PST file.
After you export search results to .pst files, you'll need to use Outlook if you want to import them to a new
discovery mailbox.

Step 1: Create discovery mailboxes


The first step is to create additional discovery mailboxes so that you can copy the search results from the discovery
mailbox that's exceeded the size limit. Based on the 50 GB size limit for discovery mailboxes, determine how many
additional discovery mailboxes you'll need and create them. You'll then need to assign users or groups the
necessary permissions to open these new discovery mailboxes.
1. Run the following command to create a new discovery mailbox.

New-Mailbox -Name <discovery mailbox name> -Discovery

2. Run the following command to assign a user or group permissions to open the discovery mailbox and view
search results.

Add-MailboxPermission <discovery mailbox name> -User <name of user or group> -AccessRights FullAccess -InheritanceType all

Step 2: Copy search results to a discovery mailbox


The next step is to use the New-MailboxSearch cmdlet to copy the search results from the existing discovery
mailbox to a new discovery mailbox that you created in the previous step. This procedure uses the StartDate and
EndDate parameters to scope the search results into batches that are no larger than 50 GB. This may require some
testing (by estimating the search results) to size the search results appropriately.
1. Run the following command to create a new eDiscovery search.

New-MailboxSearch -Name "Search results from 2010" -SourceMailboxes "Discovery Search Mailbox" -StartDate "01/01/2010" -EndDate "12/31/2010" -TargetMailbox "Discovery Mailbox Backup 01" -EstimateOnly -StatusMailRecipients admin@contoso.com

This example uses the following parameters:

Name: This parameter specifies the name of the new eDiscovery search. Because the search is scoped by
sent and received dates, it's useful that the name of the search includes the date range.
SourceMailboxes: This parameter specifies the default discovery mailbox. You can also specify the name of
another discovery mailbox that's exceeded the size limit.
StartDate and EndDate: These parameters specify the date range of the search results in the default
discovery mailbox to include in the search results.

NOTE
For dates, use the short date format, mm/dd/yyyy, even if the Regional Options settings on the local computer are
configured with a different format, such as dd/mm/yyyy. For example, use 03/01/2014 to specify March 1, 2014.

TargetMailbox: This parameter specifies that search results should be copied to the discovery mailbox
named "Discovery Mailbox Backup 01".
EstimateOnly: This switch specifies that only an estimate of the number of items that will be returned is
provided when the search is started. If you don't include this switch, messages are copied to the target
mailbox when the search is started. Using this switch lets you adjust the date ranges if necessary to increase
or decrease the number of search results.
StatusMailRecipients: This parameter specifies that the status message should be sent to the specified
recipient.
2. After the search is created, start it by using Exchange Online PowerShell or the Exchange admin center (EAC).
Using Exchange Online PowerShell: Run the following command to start the search created in the previous
step. Because the EstimateOnly switch was included when the search was created, the search results won't be
copied to the target discovery mailbox.

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search created
in the previous step, click Search, and then click Estimate search results.
3. If necessary, adjust the date range to increase or decrease the amount of search results that are returned. If
you change the date range, run the search again to get a new estimate of the results. Consider changing the
name of the search to reflect the new date range.
4. When you're finished testing the search, use Exchange Online PowerShell or the EAC to copy the search
results to the target discovery mailbox.
Using Exchange Online PowerShell: Run the following commands to copy the search results. You have to
remove the EstimateOnly switch before you can copy the search results.

Set-MailboxSearch "Search results from 2010" -EstimateOnly $false

Start-MailboxSearch "Search results from 2010"

Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search,
click Search, and then click Copy search results.
For more information, see Copy eDiscovery Search Results to a Discovery Mailbox.
5. Repeat steps 1 through 4 to create new searches for additional date ranges. Include the date range in the name
of the new search to indicate the range of the results. To make sure none of the discovery mailboxes exceeds
the 50 GB limit, use different discovery mailboxes as the target mailbox.

Step 3: Delete eDiscovery searches


After you've copied search results from the original discovery mailbox to another discovery mailbox, you can
delete the original eDiscovery searches. Deleting an eDiscovery search will delete the search results from the
discovery mailbox where those search results are stored.
Before deleting a search, you can run the following command to identify the size of the search results that have
been copied to a discovery mailbox for all searches in your organization.

Get-MailboxSearch | Format-List Name,TargetMailbox,ResultSizeCopied

You can use Exchange Online PowerShell or the EAC to delete an eDiscovery search.
Using Exchange Online PowerShell: Run the following command.

Remove-MailboxSearch -Identity <name of search>


Using the EAC: Go to Compliance management > In-Place eDiscovery & hold. Select the search that
you want to delete, and then click Delete.

How do you know this worked?


After you've deleted the eDiscovery searches to remove the results from the discovery mailbox where they were
stored, run the following command to display the size of a selected discovery mailbox.

Get-Mailbox <name of discovery mailbox> | Get-MailboxStatistics | Format-List TotalItemSize


Delete and re-create the default discovery mailbox in Exchange
3/4/2019 • 2 minutes to read

You can use Exchange Online PowerShell to delete the default discovery mailbox, re-create it, and then assign
permissions to it.

Why would I want to do this?


In Exchange Server and Exchange Online, the maximum size of the default discovery mailbox is 50 GB. It's used to
store In-Place eDiscovery search results. Before the size limit was changed, organizations could increase the
storage quota to more than 50 GB. As a result, discovery mailboxes could grow to more than 50 GB. There are
three issues with a default discovery mailbox that is larger than 50 GB:
It's not supported.
It can't be migrated to Office 365.
If it's the default discovery mailbox in Exchange Server 2010, it can't be upgraded to Exchange Server 2013
or later.
How you resolve this depends on whether you want to save the search results from a default discovery mailbox
that's exceeded 50 GB.

DO YOU WANT TO SAVE THE SEARCH RESULTS? | DO THIS
No | Follow the steps in this topic to delete, and then re-create the default discovery mailbox.
Yes | Follow the steps in Reduce the size of a discovery mailbox in Exchange.

Use Exchange Online PowerShell to delete and re-create the default discovery mailbox
NOTE
You can't use the Exchange admin center (EAC) because discovery mailboxes aren't displayed in the EAC.

1. Run the following command to delete the default discovery mailbox.

Remove-Mailbox "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"

2. In the message asking you to confirm that you want to delete the mailbox and the corresponding Active
Directory user object, type Y, and then press Enter.
A new user object is created in Active Directory when you create the discovery mailbox in the next step.
3. Run the following command to re-create the default discovery mailbox.
New-Mailbox -Name "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -Alias "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -DisplayName "Discovery Search Mailbox" -Discovery

4. Run the following command to assign the Discovery Management role group permissions to open the default
discovery mailbox and view search results.

Add-MailboxPermission "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User "Discovery Management" -AccessRights FullAccess -InheritanceType all
Data loss prevention
3/29/2019 • 8 minutes to read

Learn about DLP policies in Exchange Server and Exchange Online, including what they contain and how to test
them. You'll also learn about a new feature in Exchange DLP.
Data loss prevention (DLP) is an important issue for enterprise message systems because of the extensive use of
email for business critical communication that includes sensitive data. In order to enforce compliance
requirements for such data, and manage its use in email, without hindering the productivity of workers, DLP
features make managing sensitive data easier than ever before. For a conceptual overview of DLP, watch the
following video.

DLP policies are simple packages that contain sets of conditions, which are made up of mail flow rule (also
known as transport rule) conditions, exceptions, and actions that you create in the Exchange admin center (EAC)
and then activate to filter email messages and attachments. You can create a DLP policy, but choose to not
activate it. This allows you to test your policies without affecting mail flow. DLP policies can use the full power of
existing mail flow rules. In fact, a number of new types of mail flow rules have been created in Microsoft
Exchange Server and Exchange Online in order to accomplish new DLP capability. One important new feature of
mail flow rules is a new approach to classifying sensitive information that can be incorporated into mail flow
processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches,
regular expression evaluation, and other content examination to detect content that violates organizational DLP
policies. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online, and
Integrating sensitive information rules with mail flow rules in Exchange Online. You can also manage your DLP
policies by using Exchange Online PowerShell cmdlets. For more information about policy and compliance
cmdlets, see Messaging Policy and Compliance Cmdlets.
In addition to the customizable DLP policies themselves, you can also inform email senders that they may be
about to violate one of your policies—even before they send an offending message. You can accomplish this by
configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the
Microsoft Outlook 2013 client that provides information about possible policy violations to a person creating a
message. In Exchange Online and in Exchange Server, Policy Tips are also displayed in Outlook Web App and
OWA for Devices. For more information, see Policy Tips.

NOTE
DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information, see Exchange Online
Licensing.
Messages sent between on-premises users in a hybrid deployment do not have Exchange Online DLP policies
applied, because the message doesn't leave the on-premises infrastructure.

Looking for management tasks related to Data Loss Prevention? See DLP Procedures (Exchange Server) or DLP
Procedures (Exchange Online).

Establish policies to protect sensitive data


The data loss prevention features can help you identify and monitor many categories of sensitive information
that you have defined within the conditions of your policies, such as private identification numbers or credit card
numbers. You have the option of defining your own custom policies and mail flow rules or using the pre-defined
DLP policy templates provided by Microsoft in order to get started quickly. For more information about the
policy templates that are included, see DLP policy templates supplied in Exchange. A policy template includes a
range of conditions, rules, and actions that you can choose from in order to create and save an actual DLP policy
that will help you inspect messages. The policy templates are models from which you can select or build your
own specific rules to create a policy that meets your needs for data loss prevention.
Three different methods exist for you to begin using DLP:
1. Apply an out-of-the-box template supplied by Microsoft: The quickest way to start using DLP
policies is to create and implement a new policy using a template. This saves you the effort of building a
new set of rules from nothing. You will need to know what type of data you want to check for or which
compliance regulation you are attempting to address. You will also need to know your organization's
expectations for processing such data. More information at DLP policy templates supplied in Exchange
and Create a DLP policy from a template.
2. Import a pre-built policy file from outside your organization: You can import policies that have
already been created outside of your messaging environment by independent software vendors. In this
way you can extend the DLP solutions to suit your business requirements. More information at Policies
from Microsoft Partners, Define Your Own DLP Templates and Information Types, and Import a DLP
Policy From a File.
3. Create a custom policy without any pre-existing conditions: Your enterprise may have its own
requirements for monitoring certain types of data known to exist within a messaging system. You can
create a custom policy entirely on your own in order to start checking and acting upon your own unique
message data. You will need to know the requirements and constraints of the environment in which the
DLP policy will be enforced in order to create such a custom policy. More information at Create a custom
DLP policy.
After you have added a policy, you can review and change its rules, make the policy inactive, or remove it
completely. The procedures for these actions are provided in the Manage DLP Policies topic.

Sensitive information types in DLP policies


When you create or change DLP policies, you can include rules that include checks for sensitive information. The
sensitive information types listed in the Sensitive Information Types Inventory topic are available to be used in
your policies. The conditions that you establish within a policy, such as how many times something has to be
found before an action is taken or exactly what that action is, can be customized within your new custom policies
in order to meet your specific policy requirements. For more information about creating DLP policies, see Create
a custom DLP policy. For more information about the full suite of mail flow rules, see Mail flow rules (transport
rules) in Exchange Online.
To make it easy for you to make use of the sensitive information-related rules, Microsoft has supplied policy
templates that already include some of the sensitive information types. You cannot add conditions for all of the
sensitive information types listed here to policy templates, however, because the templates are designed to help
you focus on the most-common types of compliance-related data within your organization. For more information
about the pre-built templates, see DLP policy templates supplied in Exchange. You can create numerous DLP
policies for your organization and have them all enabled so that many disparate types of information are
examined. You can also create a DLP policy that is not based on an existing template. To begin creating such a
policy, see Create a custom DLP policy. For more information about sensitive information types, see Sensitive
Information Types Inventory.

Policy Tips notify users about sensitive content expectations


You can use Policy Tip notification messages to inform email senders about possible compliance issues while
they are composing an email message. When you configure a Policy Tip in a DLP policy, the notification message
will only show up if something in the sender's email message meets the conditions described in your policy.
Policy Tips are similar to MailTips that were introduced in Microsoft Exchange 2010. For more information, see
Policy Tips.

Detecting sensitive information along with traditional message classification
Exchange Server and Exchange Online present a new method of helping you manage message and attachment
data when compared with traditional message classification. A key factor in the strength of a DLP solution is the
ability to correctly identify confidential or sensitive content that may be unique to the organization, regulatory
needs, geography, or other business needs. Exchange Server can achieve this by using a new architecture for
deep content analysis coupled with detection criteria that you establish through rules in your DLP policies.
Helping prevent data loss in Exchange Server relies on configuring the correct set of sensitive information rules
so that they provide a high degree of protection while minimizing inappropriate mail flow disruption with false
positives and negatives. These types of rules, referred to throughout the DLP information as sensitive
information detection, function within the framework offered by mail flow rules in order to enable DLP
capabilities.
To learn more about these new features, see Integrating sensitive information rules with mail flow rules in
Exchange Online. The traditional message classification fields can still be applied to messages in Exchange and
these can be combined with the new sensitive information detection either together within a single DLP policy or
running concurrently so they are evaluated independently within Exchange. To learn more about the legacy
Exchange 2010 message classifications, see Understanding Message Classifications.

Information about DLP-processed messages


For Exchange Server, to obtain information about messages and DLP policy detections in your environment, see
DLP policy detection reports and Create incident reports for DLP policy detections. Data related to DLP
detections is highly integrated into the delivery reports message tracking tool of Exchange Server.
For Exchange Online, see DLP policy detection reports and Create incident reports for DLP policy detection.

Installation prerequisites
In order to make use of DLP features, you must have Exchange Server or Exchange Online configured with at
least one sender mailbox. Data Loss Prevention is a premium feature that requires an Enterprise Client Access
License (CAL). For more information about getting started with Exchange Server, see Planning and Deployment.
For more information about getting started with Exchange Online, see Exchange Online.

For more information


Exchange Server
Messaging Policy and Compliance
DLP Procedures
DLP policy detection reports
Messaging Policy and Compliance Cmdlets
Exchange Online
Security and compliance for Exchange Online
DLP Procedures
DLP policy detection reports
How DLP rules are applied to evaluate messages
3/29/2019 • 4 minutes to read

You can set up sensitive information rules within your Microsoft Exchange data loss prevention (DLP) policies to
detect very specific data in email messages. This topic will help you understand how these rules are applied and
how messages are evaluated. You can avoid workflow disruptions for your email users and achieve a high degree
of accuracy with your DLP detections if you know how your rules are enforced. Let's use the Microsoft-supplied
credit card information rule as an example. When you activate a mail flow rule (also known as a transport rule) or
DLP policy, all messages that your users send are compared with the rule sets that you create.

Get precise about your needs


Suppose you need to act on credit card information in messages. The actions you take once it is found are not the
subject of this topic, but you can learn more about that in Mail flow rule actions in Exchange Online. With as much
certainty as possible, you need to ensure that what is detected in a message is truly credit card data and not
something else that could be a legitimate use of groups of numbers that merely resemble credit card data; for
example, a reservation code or a vehicle identification number.
To meet this need, let's make it clear that the following information should be classified as a credit card:

Margie's Travel,

I have received updated credit card information for Spencer.

Spencer Badillo

Visa: 4111 1111 1111 1111

Expires: 2/2012

Please update his travel profile.

Let's also make it clear that the following information should not be classified as a credit card.

Hi Alex,

I expect to be in Hawaii too. My booking code is 1234 1234 1234 1234 and I'll be there on 3/2018.

Regards, Lisa

The following XML snippet shows how the needs expressed earlier are currently defined in a sensitive information
rule that is provided with Exchange and it is embedded within one of the supplied DLP policy templates.
<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
    <Pattern confidenceLevel="85">
        <IdMatch idRef="Func_credit_card" />
        <Any minMatches="1">
            <Match idRef="Keyword_cc_verification" />
            <Match idRef="Keyword_cc_name" />
            <Match idRef="Func_expiration_date" />
        </Any>
    </Pattern>
</Entity>

Pattern-matching in your solution


The XML rule definition shown earlier includes pattern-matching, which improves the likelihood that the rule will
detect only the important information and not detect vague, related information. For more information about the
XML schema for DLP rules and templates, see Define Your Own DLP Templates and Information Types.
In the credit card rule, there is a section of XML code for patterns, which includes a primary identifier match and
some additional corroborative evidence. All three of these requirements are explained here:
1. <IdMatch idRef="Func_credit_card" />: This requires a match of a function, titled credit card, that is
internally defined. This function includes a couple of validations as follows:
   a. It matches a regular expression (in this instance for 16 digits) that could also include variations like a space
   delimiter so that it also matches 4111 1111 1111 1111 or a hyphen delimiter so that it also matches
   4111-1111-1111-1111.
   b. It evaluates the Luhn checksum algorithm against the 16-digit number in order to ensure the likelihood of
   this being a credit card number is high.
   c. It requires a mandatory match, after which corroborative evidence is evaluated.
2. <Any minMatches="1">: This section indicates that the presence of at least one of the following items of
evidence is required.
3. The corroborative evidence can be a match of one of these three:
<Match idRef="Keyword_cc_verification" />
<Match idRef="Keyword_cc_name" />
<Match idRef="Func_expiration_date" />
These three simply mean a list of keywords for credit cards, the names of the credit cards, or an expiration
date is required. The expiration date is defined and evaluated internally as another function.

The process of evaluating content against rules


The five steps here represent actions that Exchange takes to compare your rule with email messages. For our credit
card rule example, the following steps are taken.

STEP | ACTION
1. Get Content | Spencer Badillo; Visa: 4111 1111 1111 1111; Expires: 2/2012
2. Regular Expression Analysis | 4111 1111 1111 1111 -> a 16-digit number is detected
3. Function Analysis | 4111 1111 1111 1111 -> matches checksum; 1234 1234 1234 1234 -> doesn't match
4. Additional Evidence | Keyword Visa is near the number. A regular expression for a date (2/2012) is near the number.
5. Verdict | There is a regular expression that matches a checksum. Additional evidence increases confidence.

The way this rule is set up by Microsoft makes it mandatory that corroborating evidence, such as keywords, is
part of the email message content in order to match the rule. So the following email content would not be detected
as containing a credit card:

Margie's Travel,

I have received updated information for Spencer.

Spencer Badillo

4111 1111 1111 1111

Please update his travel profile.

You can use a custom rule that defines a pattern without extra evidence, as shown in the next example. This would
detect messages with only a credit card number and no corroborating evidence.

<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
    <Pattern confidenceLevel="85">
        <IdMatch idRef="Func_credit_card" />
    </Pattern>
</Entity>
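The evaluation steps and the two rule definitions above, as an added example (not Exchange's implementation and not code from the original page): a small Python interpreter that reads the rule XML and runs it over the page's three sample messages plus one constructed message. The regular expressions, the keyword lists and the reading of patternsProximity as a character window on either side of the number are assumptions, because the page does not show how Exchange defines them internally.

```python
import re
import xml.etree.ElementTree as ET

# Rule XML from the page: the Microsoft-supplied credit card entity.
STOCK_RULE = """<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1">
      <Match idRef="Keyword_cc_verification" />
      <Match idRef="Keyword_cc_name" />
      <Match idRef="Func_expiration_date" />
    </Any>
  </Pattern>
</Entity>"""

# The page's evidence-free pattern, placed in the same Entity wrapper.
CUSTOM_RULE = """<Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
  </Pattern>
</Entity>"""

# Assumed stand-ins for Exchange's internal functions (not the real definitions).
CARD_RE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")
EXPIRY_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Steps 2 and 3 of the table: 16-digit regex match, then checksum."""
    return [(m.start(), m.end(), m.group()) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def regex_finder(rx):
    return lambda text: [(m.start(), m.end(), m.group()) for m in rx.finditer(text)]


def keyword_finder(words):
    alternation = "|".join(re.escape(w) for w in words)
    return regex_finder(re.compile(r"\b(?:%s)\b" % alternation, re.IGNORECASE))


# idRef -> matcher. The keyword lists are constructed samples (assumptions).
MATCHERS = {
    "Func_credit_card": find_cards,
    "Func_expiration_date": regex_finder(EXPIRY_RE),
    "Keyword_cc_name": keyword_finder(["visa", "mastercard", "american express", "amex"]),
    "Keyword_cc_verification": keyword_finder(["cvv", "cvc", "security code", "card verification"]),
}


def evaluate(rule_xml, text):
    """Return one hit per validated number whose required evidence is in range."""
    entity = ET.fromstring(rule_xml)
    window = int(entity.get("patternsProximity", "300"))
    hits = []
    for pattern in entity.findall("Pattern"):
        primary = MATCHERS[pattern.find("IdMatch").get("idRef")]
        for start, end, value in primary(text):
            # Step 4: look for evidence only in the window around the number.
            nearby = text[max(0, start - window):start] + "\n" + text[end:end + window]
            evidence, satisfied = [], True
            for group in pattern.findall("Any"):
                found = [m.get("idRef") for m in group.findall("Match")
                         if MATCHERS[m.get("idRef")](nearby)]
                evidence += found
                satisfied = satisfied and len(found) >= int(group.get("minMatches", "1"))
            if satisfied:  # Step 5: verdict
                hits.append({"value": value, "evidence": evidence,
                             "confidence": int(pattern.get("confidenceLevel"))})
    return hits


# Sample messages from the page.
MSG_CARD = ("Margie's Travel,\n\nI have received updated credit card information for Spencer.\n\n"
            "Spencer Badillo\n\nVisa: 4111 1111 1111 1111\n\nExpires: 2/2012\n\n"
            "Please update his travel profile.")
MSG_BOOKING = ("Hi Alex,\n\nI expect to be in Hawaii too. My booking code is "
               "1234 1234 1234 1234 and I'll be there on 3/2018.\n\nRegards, Lisa")
MSG_NO_EVIDENCE = ("Margie's Travel,\n\nI have received updated information for Spencer.\n\n"
                   "Spencer Badillo\n\n4111 1111 1111 1111\n\nPlease update his travel profile.")
# Constructed message: the keyword sits more than 300 characters from the number.
MSG_FAR = "Visa card on file. " + "filler " * 60 + "4111 1111 1111 1111"

if __name__ == "__main__":
    for name in ("MSG_CARD", "MSG_BOOKING", "MSG_NO_EVIDENCE", "MSG_FAR"):
        msg = globals()[name]
        print(name, "stock:", evaluate(STOCK_RULE, msg), "custom:", evaluate(CUSTOM_RULE, msg))
```

The booking-code message has a date near its number, so only the checksum keeps it from matching; the constructed MSG_FAR case shows a valid number going undetected by the supplied rule when its keyword falls outside the window.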

The illustration of credit cards in this article can be extended to other sensitive information rules as well. To see the
complete list of the Microsoft-supplied rules in Exchange, use the Get-ClassificationRuleCollection cmdlet in
Exchange Online PowerShell in the following manner:

$rule_collection = Get-ClassificationRuleCollection

$rule_collection[0].SerializedClassificationRuleCollection | Set-Content oob_classifications.xml -Encoding byte

For more information


Data loss prevention
Mail flow rules (transport rules) in Exchange Online
Exchange Online PowerShell
Integrating sensitive information rules with mail flow rules in Exchange Online
3/29/2019 • 2 minutes to read

In Exchange Online, you can create DLP policies that contain rules for not only traditional message classifications
and existing mail flow rules (also known as transport rules) but also combine these with rules for sensitive
information found within messages. The existing mail flow rules framework offers rich capabilities to define
messaging policies, covering the entire spectrum of soft to hard controls. Examples include:
Limiting the interaction between recipients and senders, including interactions between departmental groups inside an organization.
Applying separate policies for communications within and outside of an organization.
Preventing inappropriate content from entering or leaving an organization.
Filtering confidential information.
Tracking or archiving messages that are sent to or received from specific individuals.
Redirecting inbound and outbound messages for inspection before delivery.
Applying disclaimers to messages as they pass through the organization.

Mail flow rules allow you to apply messaging policies to email messages that flow through the mail flow pipeline
in the Transport service on Mailbox servers and on Edge Transport servers. These rules allow system
administrators to enforce messaging policies, help keep messages more secure, help to protect messaging
systems, and help prevent accidental information loss. For more information about mail flow rules, see Mail flow
rules (transport rules) in Exchange Online.

Sensitive information rules within the mail flow rule framework


Sensitive information rules are integrated with the mail flow rules framework by introduction of a condition that
you can customize: If the message contains...Sensitive Information. This condition can be configured with one
or more sensitive information types that are contained within the messages. When multiple DLP policies or rules
within a policy are configured with this condition, the policy or rule is satisfied when any of the conditions match.

Exchange policy rules examine the subject, body and any attachments of a message. If the rule matches any of
these message components, the rule actions will be applied.

The sensitive information condition may be combined with any of the already existing mail flow rules to define
messaging policies. If combined, the condition works in conjunction with other rules and provides the AND
semantics. For example, two different conditions are added together with an AND statement such that both need
to match for the action to be applied. Any of the mail flow rule actions can be configured as result of rules
containing the sensitive information type matching. Many different file types can be scanned by the mail flow rules
agent, which scans messages to enforce mail flow rules. To learn more about the supported file types, see File
Types that are supported in mail flow rules (Exchange Server) or Use mail flow rules to inspect message
attachments in Office 365 (Exchange Online).

The rules can also be used in the exception part of a rule definition. Their use in the exception definition is
independent of their use as a condition within the rule. This provides the flexibility to define rules that have the
condition specifying multiple information types to be applied as part of the condition and also differing
information types in the condition. This would allow policies such as matching specific traditional
message-classification rules, but not matching other sensitive information types before performing actions that you define
within a policy.

For more information


Data loss prevention
Sensitive Information Types Inventory
Mail flow rules in Exchange Server
Mail flow rules (transport rules) in Exchange Online
Create a custom DLP policy
DLP policy templates supplied in Exchange
3/29/2019 • 6 minutes to read

In Microsoft Exchange Server and Exchange Online, you can use data loss prevention (DLP) policy templates as a
starting point for building DLP policies that help you meet your specific regulatory and business policy needs. You
can modify the templates to meet the specific needs of your organization.

Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results. Use of these policies does not ensure compliance with any
regulation. After your testing is complete, make the necessary configuration changes in Exchange so the
transmission of information complies with your organization's policies. For example, you might need to configure
TLS with known business partners or add more restrictive mail flow rule (also known as transport rule) actions,
such as adding rights protection to messages that contain a certain type of data.

Templates available for DLP


The following table lists the DLP policy templates in Exchange. To learn more about customizing these templates
to create DLP policies, see Manage DLP Policies.

TEMPLATE | DESCRIPTION

Australia Financial Data | Helps detect the presence of information commonly considered to be financial data in Australia, including credit cards, and SWIFT codes.

Australia Health Records Act (HRIP Act) | Helps detect the presence of information commonly considered to be subject to the Health Records and Information Privacy (HRIP) act in Australia, like medical account number and tax file number.

Australia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Australia, like tax file number and driver's license.

Australia Privacy Act | Helps detect the presence of information commonly considered to be subject to the privacy act in Australia, like driver's license and passport number.

Canada Financial Data | Helps detect the presence of information commonly considered to be financial data in Canada, including bank account numbers and credit cards.

Canada Health Information Act (HIA) | Helps detect the presence of information subject to Canada Health Information Act (HIA) for Alberta, including data like passport numbers and health information.

Canada Personal Health Act (PHIPA) - Ontario | Helps detect the presence of information subject to Canada Personal Health Information Protection Act (PHIPA) for Ontario, including data like passport numbers and health information.

Canada Personal Health Information Act (PHIA) - Manitoba | Helps detect the presence of information subject to Canada Personal Health Information Act (PHIA) for Manitoba, including data like health information.

Canada Personal Information Protection Act (PIPA) | Helps detect the presence of information subject to Canada Personal Information Protection Act (PIPA) for British Columbia, including data like passport numbers and health information.

Canada Personal Information Protection Act (PIPEDA) | Helps detect the presence of information subject to Canada Personal Information Protection and Electronic Documents Act (PIPEDA), including data like passport numbers and health information.

Canada Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Canada, like health ID number and social insurance number.

France Data Protection Act | Helps detect the presence of information commonly considered to be subject to the Data Protection Act in France, like the health insurance card number.

France Financial Data | Helps detect the presence of information commonly considered to be financial information in France, including information like credit card, account information, and debit card numbers.

France Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in France, including information like passport numbers.

Germany Financial Data | Helps detect the presence of information commonly considered to be financial data in Germany like EU debit card numbers.

Germany Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Germany, including information like driver's license and passport numbers.

Israel Financial Data | Helps detect the presence of information commonly considered to be financial data in Israel, including bank account numbers and SWIFT codes.

Israel Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Israel, like national ID number.

Israel Protection of Privacy | Helps detect the presence of information commonly considered to be subject to the Protection of Privacy in Israel, including information like bank account numbers or national ID.

Japan Financial Data | Helps detect the presence of information commonly considered to be financial information in Japan, including information like credit card, account information, and debit card numbers.

Japan Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Japan, including information like driver's license and passport numbers.

Japan Protection of Personal Information | Helps detect the presence of information subject to Japan Protection of Personal Information, including data like resident registration numbers.

PCI Data Security Standard (PCI DSS) | Helps detect the presence of information subject to PCI Data Security Standard (PCI DSS), including information like credit card or debit card numbers.

Saudi Arabia - Anti-Cyber Crime Law | Helps detect the presence of information commonly considered to be subject to the Anti-Cyber Crime Law in Saudi Arabia, including international bank account numbers and SWIFT codes.

Saudi Arabia Financial Data | Helps detect the presence of information commonly considered to be financial data in Saudi Arabia, including international bank account numbers and SWIFT codes.

Saudi Arabia Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in Saudi Arabia, like national ID number.

U.K. Access to Medical Reports Act | Helps detect the presence of information subject to United Kingdom Access to Medical Reports Act, including data like National Health Service numbers.

U.K. Data Protection Act | Helps detect the presence of information subject to United Kingdom Data Protection Act, including data like national insurance numbers.

U.K. Financial Data | Helps detect the presence of information commonly considered to be financial information in United Kingdom, including information like credit card, account information, and debit card numbers.

U.K. Personal Information Online Code of Practice (PIOCP) | Helps detect the presence of information subject to United Kingdom Personal Information Online Code of Practice, including data like health information.

U.K. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in United Kingdom, including information like driver's license and passport numbers.

U.K. Privacy and Electronic Communications Regulations | Helps detect the presence of information subject to United Kingdom Privacy and Electronic Communications Regulations, including data like financial information.

U.S. Federal Trade Commission (FTC) Consumer Rules | Helps detect the presence of information subject to U.S. Federal Trade Commission (FTC) Consumer Rules, including data like credit card numbers.

U.S. Financial Data | Helps detect the presence of information commonly considered to be financial information in United States, including information like credit card, account information, and debit card numbers.

U.S. Gramm-Leach-Bliley Act (GLBA) | Helps detect the presence of information subject to Gramm-Leach-Bliley Act (GLBA), including information like social security numbers or credit card numbers.

U.S. Health Insurance Act (HIPAA) | Helps detect the presence of information subject to United States Health Insurance Portability and Accountability Act (HIPAA), including data like social security numbers and health information.

U.S. Patriot Act | Helps detect the presence of information commonly subject to U.S. Patriot Act, including information like credit card numbers or tax identification numbers.

U.S. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in the United States, including information like social security numbers or driver's license numbers.

U.S. State Breach Notification Laws | Helps detect the presence of information subject to U.S. State Breach Notification Laws, including data like social security and credit card numbers.

U.S. State Social Security Number Confidentiality Laws | Helps detect the presence of information subject to U.S. State Social Security Number Confidentiality Laws, including data like social security numbers.

For more information


Data loss prevention
Create a DLP policy from a template
Sensitive Information Types Inventory
Create a DLP policy from a template
3/29/2019 • 3 minutes to read

In Microsoft Exchange, you can use data loss prevention (DLP) policy templates to help meet the messaging policy
and compliance needs of your organization. These templates contain pre-built sets of rules that can help you
manage message data that is associated with several common legal and regulatory requirements. To see a list of
all the templates supplied by Microsoft, see DLP policy templates supplied in Exchange. Example DLP templates
that are supplied can help you manage:
Gramm-Leach-Bliley Act (GLBA) data
Payment Card Industry Data Security Standard (PCI-DSS)
United States Personally Identifiable Information (U.S. PII)

You can customize any of these DLP templates or use them as-is. DLP policy templates are built on top of mail
flow rules (also known as transport rules) that include new conditions or predicates and actions. DLP policies
support the full range of traditional mail flow rules, and you can add the additional rules after a DLP policy has
been established. For more information about policy templates, see What the DLP policy templates include. To
learn more about mail flow rule capabilities, see Mail flow rules (transport rules) in Exchange Online. Once you
have started enforcing a policy, you can learn about how to observe the results by reviewing the Exchange Online:
DLP policy detection reports.

Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results.

What do you need to know before you begin?


Estimated time to complete: 30 minutes
Ensure that Exchange Server is set up as described in Planning and Deployment.
Configure both administrator and user accounts within your organization and validate basic mail flow.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP)" entry in the Messaging policy and compliance
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a DLP policy from a template


1. In the EAC, navigate to Compliance management > Data loss prevention, and then click Add.

NOTE
You can also select this action if you click the arrow next to the Add icon and select New DLP policy from
template from the drop down menu.

2. On the Create a new DLP policy from a template page, complete the following fields:
   Name: Add a name that will distinguish this policy from others.
   Description: Add an optional description that summarizes this policy.
   Choose a template: Select the appropriate template to begin creating a new policy.
   More options: Select the mode or state. The new policy is not fully enabled until you specify that it should
   be. The default mode for a policy is test without notifications.
3. Click Save to finish creating the policy.

NOTE
In addition to the rules within a specific template, your organization may have additional expectations or company policies
that apply to regulated data within your messaging environment. Exchange Server makes it easy for you to change the basic
template in order to add actions so that your Exchange messaging environment complies with your own requirements.

You can modify policies by editing the rules within them once the policy has been saved in your Exchange Server
environment. An example rule change might include making specific people exempt from a policy or sending a
notice and blocking message delivery if a message is found to have sensitive content. For more information about
editing policies and rules, see Manage DLP Policies.

You have to navigate to the specific policy's rule set on the Edit DLP policy page and use the tools available on
that page in order to change a DLP policy you have already created in Exchange Server.

Some policies allow the addition of rules that invoke RMS for messages. You must have RMS configured on the
Exchange server before adding the actions to make use of these types of rules.

For any of the DLP policies, you can change the rules, actions, exceptions, enforcement time period or whether
other rules within the policy are enforced and you can add your own custom conditions for each.

For more information


Data loss prevention
DLP policy templates
3/29/2019 • 4 minutes to read

A custom data loss prevention (DLP) policy allows you to establish conditions, rules, and actions that can help
meet the specific needs of your organization, and which may not be covered in one of the pre-existing DLP
templates.

The rule conditions that are available to you in a single policy include all the traditional mail flow rules (also
known as transport rules) in addition to the sensitive information types presented in Sensitive Information Types
Inventory. For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

Caution

You should enable your DLP policies in test mode before running them in your production environment. During
such tests, it is recommended that you configure sample user mailboxes and send test messages that invoke your
test policies in order to confirm the results. For more information about testing, see Test a mail flow rule.

For additional management tasks related to creating a custom DLP policy, see DLP Procedures (Exchange Server)
or DLP Procedures (Exchange Online).

What do you need to know before you begin?


Estimated time to complete: 60 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP)" entry in the Messaging policy and compliance
permissions topic.
In order to create a new custom DLP policy, you must follow the installation instructions for Exchange
Server. For more information about deployment, see Planning and Deployment.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

NOTE
Due to the variances in customer environments and content match requirements, Microsoft Support cannot assist in
providing custom content matching definitions; e.g., defining Custom Classifications and/or Regular Expression patterns
("RegEx"). For custom content matching development, testing, and debugging, Office 365 customers will need to rely upon
internal IT resources, or use an external consulting resource such as Microsoft Consulting Services (MCS). Support engineers
can provide limited support for the feature, but cannot provide assurances that any custom content matching development
will fulfill the customer's requirements or obligations. As an example of the type of support which can be provided, sample
regular expression patterns may be provided for testing purposes. Or support can assist with troubleshooting an existing
RegEx pattern which is not triggering as expected with a single specific content example.

For additional information on the .NET regex engine which is used for processing the text, see
https://docs.microsoft.com/dotnet/standard/base-types/regular-expressions.

Create a custom DLP policy


TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create a custom DLP policy without any existing rules
1. In the EAC, navigate to Compliance management > Data loss prevention. Any existing policies that
you have configured are shown in a list.
2. Click the arrow that is beside the Add icon, and select New custom policy.

IMPORTANT
If you click the Add icon instead of the arrow, you will create a new policy based on a template. For more information
about using templates, see Create a DLP policy from a template.

3. On the New custom policy page, complete the following fields:
   Name: Add a name that will distinguish this policy from others.
   Description: Add an optional description that summarizes this policy.
   Choose a state: Select the mode or state for this policy. The new policy is not fully enabled until you
   specify that it should be. The default mode for a policy is test without notifications.
4. Click Save to finish creating the new policy reference information. The policy is added to the list of all
policies that you have configured, although there are not yet any rules or actions associated with this new
custom policy.
5. Double-click the policy that you just created or select it and click Edit.
6. On the Edit DLP policy page, click Rules.
7. Click Add to add a new blank rule. You can establish conditions using all the traditional mail flow rules in
addition to the sensitive information types.
   In order to avoid confusion, supply a unique name for each part of your policy or rule when you have the
   option to provide your own character string. There are several additional options available to you:
   Click the arrow that is beside the Add icon to add a rule about sender notification or allowing overrides.
   To remove a rule, highlight the rule and click Delete.
   Click More options to add additional conditions and actions for this rule including time-bound limits of
   enforcement or effects on other rules in this policy.
8. Click Save to finish modifying the policy and save your changes.

DLP policy templates are one type of feature in Microsoft Exchange that can help you design and apply a robust
policy and compliance system for your messaging environment. For more information about compliance features,
see Messaging Policy and Compliance (Exchange 2016) or Security and compliance for Exchange Online.

For more information


Data loss prevention
Mail flow rules in Exchange Server Exchange 2016
Mail flow rules (transport rules) in Exchange Online Exchange Online
Integrating sensitive information rules with mail flow rules
Policy Tips
3/29/2019 • 6 minutes to read

You can help to prevent your organization's Outlook, Outlook on the web (formerly known as Outlook Web App),
and OWA for Devices email users from inappropriately sending sensitive information by creating data loss
prevention (DLP) policies that include Policy Tip notification messages. Similar to MailTips that were introduced
in Exchange Server 2010, Policy Tip notification messages are displayed to users in Outlook while they are
composing an email message. Policy Tip notification messages only show up if something about the sender's
email message seems to violate a DLP policy that you have in place and that policy includes a rule to notify the
sender when the conditions that you establish are met.

In order to show Policy Tips to your email senders, your rules must include the Notify the sender with a Policy
Tip action. You can add this in the rules editor from the Exchange admin center. For more information, see
Manage policy tips.

DLP policies do not differentiate between email message attachments, body text, or subject lines while evaluating
messages and the conditions within your policies. For example, if a user creates an email message that includes a
credit card number in the body of the message and then attempts to address the message to a recipient outside
your organization, then a Policy Tip notification message can be shown to that user in Outlook or Outlook Web
App reminding them of your enterprise's expectations for such information. However, this type of notification will
only show up if you have configured a DLP policy that restricts the example actions described; in this case adding
an external email alias to the header of a message with credit card data. There is a great variety of conditions,
actions, and exceptions you can choose from while creating DLP policies. This variety allows you to tailor your
data loss prevention efforts in a way that meets your specific organization's needs.

Any time you use either the notify sender action or an override action within a rule, we recommend that you also
include the condition that the message was sent from within your organization. You can do this by using the
policy rules editor to add the following condition: The sender is located... > inside the organization. Learn
more about changing existing DLP policies at Manage DLP Policies. This is a best practice recommendation
because the notify sender action is applied as part of your company's message creation experience. The senders
referred to by the action are the authors of messages within your company. The user interaction presented by
Policy Tips cannot be acted upon by your users for incoming messages and will be ignored when the sender is
located outside your organization. You can apply DLP policies to scan incoming messages and take a variety of
actions, but when you do this, don't add the notify sender action.

If email senders in your organization who are in the act of composing a message are made aware of your
organizational expectations and standards in real time through Policy Tip notifications, then they are less likely to
violate standards that your organization wants to enforce.

NOTE
Exchange Online: DLP is a premium feature that requires an Exchange Online Plan 2 subscription. For more information,
see Exchange Online Licensing.
Exchange Server: DLP is a premium feature that requires an Exchange Enterprise Client Access License (CAL). For more
information about CALs and server licensing, see Exchange Server Licensing.
If your organization is using Exchange Server 2013 SP1 (or above) or Exchange Online, Policy Tips are available to people
sending mail from Outlook 2013, Outlook Web App, or OWA for Devices. However, if your organization is currently
using Exchange Server 2013 before SP1, Policy Tips are only available to people sending email from Outlook 2013.

Default text for Policy Tips and rule options
You have a range of possible options when you add sender notification rules to DLP policies. When you add a
rule to notify the sender by using the Notify the sender with a Policy Tip action within a DLP policy, you can
choose how restrictive to be. The notification options in the following table are available. For general information
about editing policies, see Manage DLP Policies. For specific information about creating Policy Tips, see Manage
policy tips.

NOTIFICATION RULE | MEANING | DEFAULT POLICY TIP NOTIFICATION MESSAGE THAT OUTLOOK USERS WILL SEE

Notify only | Similar to MailTips, this causes an informative Policy Tip notification message about a policy violation. A sender can prevent this type of tip from showing up by using a Policy Tip options dialog box that can be accessed in Outlook. | This message may contain sensitive content. All recipients must be authorized to receive this content.

Reject message | The message will not be delivered until the condition is no longer present. The sender is provided with an option to indicate that their email message does not contain sensitive content. This is also known as a false-positive override. If the sender indicates this, then Outlook will allow the message to leave the outbox so that the user's report may be audited, but Exchange will block the message from being sent. | This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed.

Reject unless false positive override | The result with this notification rule is similar to the Reject message notification rule. However, if you select this then Exchange will allow the message to be sent to the intended recipient, instead of blocking the message. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option to override: Your feedback will be submitted to your administrator when the message is sent.

Reject unless silent override | The message will not be delivered until the condition is no longer present or the sender indicates an override. The sender is provided with an option to indicate that they wish to override the policy. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option to override: You have overridden your organization's policy for sensitive content in this message. Your action will be audited by your organization.

Reject unless explicit override | The result with this notification rule is similar to the Reject unless silent override notification rule, except that in this case when the sender attempts to override the policy, they are required to provide a justification for overriding the policy. | Before the sender selects an option to override: This message may contain sensitive content. Your organization won't allow this message to be sent until that content is removed. After the sender selects an option to override: You have overridden your organization's policy for sensitive content in this message. Your action will be audited by your organization.

Customize your Policy Tip notification messages


To customize the text of a Policy Tip notification that email senders see in their email program, select Manage
Policy Tips on the Data Loss Prevention page. In order for any of your custom text to appear, a DLP policy rule
must include the Notify the sender with a Policy Tip action. Add the action to a rule by using the DLP rules
editor.
For procedures that explain how to create your own Policy Tips, see Manage policy tips. The custom text that you
create can replace the default text shown in the previous table.

POLICY TIP NOTIFICATION ACTIONS AND SETTINGS: MEANING

Notify the sender: Your text only appears when a Notify the sender, but allow them to send action is initiated.

Allow the sender to override: Your text only appears when the following actions are initiated: Block the message
unless it's a false positive; Block the message, but allow the sender to override and send.

Block the message: Your text only appears when a Block the message action is initiated.

Link to compliance URL: The compliance URL is a link to a web page where you can explain your compliance and
override policies. This link is displayed in the Policy Tip when a user clicks the More details link.

For more information


Data loss prevention
Manage DLP Policies
Manage policy tips
Manage policy tips
3/4/2019

Policy Tips are informative notices that are displayed to email senders while they're composing a message. The
purpose of the Policy Tip is to educate users that they might be violating the business practices or policies that you
are enforcing with the data loss prevention (DLP) policies that you have established. The following procedures will
help you begin using Policy Tips.

What do you need to know before you begin?


Estimated time to complete each procedure: 30 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Data loss prevention (DLP)" entry in the Messaging policy and compliance
permissions topic.
Policy Tips will only show up for email senders when the following conditions are met:
1. Sender's message client program is Microsoft Outlook 2013. If your organization has deployed Exchange
2013 SP1 or is using Exchange Online, Policy Tips also show up in Outlook Web App and OWA for
Devices.
2. A mail flow rule (also known as a transport rule) exists that invokes Policy Tip notifications. You can create
such a mail flow rule by configuring a DLP policy that includes the action Notify the sender with a
Policy Tip.
3. The content of a message header, message body, or message attachment meets the conditions established
within the DLP policies or rules that also include Policy Tip notification rules. Put another way, the Policy
Tip only shows up for end-users if they do something that causes the associated rule to take action.
The default Policy Tip notification text that is built into the system will be shown if you don't use the Policy
Tip settings feature to customize your Policy Tip text. To learn more about the default text, see Policy Tips.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create or modify a notify-only Policy Tip


This procedure results in an informational Policy Tip being shown to an email sender when the conditions of a
specific rule are met. In Microsoft Outlook, the sender can prevent this tip from showing up by using a Policy Tip
options dialog box. To configure custom Policy Tip text, see the Create custom Policy Tip notification text section
later in this topic.
Use the EAC to configure notify-only Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-click one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
To add a new blank rule that you can fully customize, select Add and then select Create a new rule.
5. In Apply this rule if, select The message contains sensitive information. This condition is required.
6. Select Add, select the sensitive information types, select Add, select OK, and then select OK.
7. In the Do the following box, select Notify the sender with a Policy Tip, and select an option in the
Choose whether the message is blocked or can be sent drop-down list, and then select OK.
8. If you want to add additional conditions or actions, at the bottom of the window, select More options.

NOTE
Only the following conditions can be used:
SentTo (The recipient is)
SentToScope (The recipient is located)
From (The sender is)
FromMemberOf (The sender is a member of)
FromScope (The sender is located)
The following actions can't be used:
RejectMessageReasonText (Reject the message and include an explanation)
RejectMessageEnhancedStatusCode (Reject the message with the enhanced status code of)
DeletedMessage (Delete the message without notifying anyone)

9. In the Choose a mode for this rule list, select whether you want the rule to be enforced. We recommend
testing the rule first.
10. Select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a Policy Tip that will only notify a sender, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select the specific rule that you expect to contain a notification message.
5. Confirm that your Notify the sender action appears in the lower portion of the rule summary.

Create or modify a block-message Policy Tip


This procedure results in a Policy Tip being shown to an email sender that indicates a message is rejected and it
will not be delivered until the problematic condition is no longer present. The sender is provided with an option to
indicate that their email message does not contain the problematic condition. This is also known as a false-positive
override. If the sender indicates this, then the message can leave the outbox and the user's report may be audited.
However, Exchange will block the message from being sent.
Use the EAC to configure block-message Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-click one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
5. To add a new blank rule that you can fully customize, select Add.
6. To add an action that will reveal a Policy Tip, select More options... and then select the Add action button.
7. From the drop down list, select Notify the sender with a Policy Tip and then select Block the message.
8. Select OK, then select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a reject message Policy Tip, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select one time to highlight the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select one time to highlight the specific rule that you expect to contain a notification message.
5. Confirm that your Notify the sender that the message can't be sent action appears in the lower
portion of the rule summary.

Create or modify a block-unless-override Policy Tip


There are four options for Policy Tips that can reject messages or prevent messages from leaving the sender's
outbox. To learn more about these options, see Policy Tips.
Use the EAC to configure block-unless override Policy Tips
1. In the EAC, go to Compliance management > Data loss prevention.
2. Double-select one of the policies that appear in your list of policies or highlight one item and select Edit.
3. On the Edit DLP policy page, select Rules.
4. To add Policy Tips to an existing rule, highlight the rule and select Edit.
To add a new blank rule that you can fully customize, select Add and then select More options....
5. To add the action that will reveal a Policy Tip, select the Add action button.
6. From the drop down list, select Notify the sender with a Policy Tip and then select Block the message,
but allow the sender to override and send.
7. Select OK, then select Save to finish modifying the rule and save your changes.
How do you know this worked?
To verify that you have successfully created a reject unless override Policy Tip, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select one time to highlight the policy that you expect to contain a notification message.
3. Select Edit and then select Rules.
4. Select one time to highlight the specific rule that you expect to contain a notification message.
5. Confirm that your Block the message, but allow the sender to override and send action appears in
the lower portion of the rule summary.

Create custom Policy Tip notification text


This optional procedure will help you to customize the Policy Tip notification text that email senders see in their
email program. If you do this, your custom Policy Tip notification text will not appear unless you also configure a
DLP policy rule with an action that will cause the notification to appear. Keep in mind that there are default system
Policy Tip notifications that can be shown if you do not customize your Policy Tip notification text. To learn more
about the default text, see Policy Tips.
Use the EAC to create and manage custom Policy Tip notification text
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select Policy Tip settings.
3. To add a new Policy Tip with your own customized message, select Add. For more information about the
action choices available, see Policy Tips.
To modify an existing Policy Tip, highlight the tip and select Edit.
To delete an existing Policy Tip, highlight it and select Delete, and then confirm your action.
4. Select Save to finish modifying the Policy Tip and save your changes.
5. Select Close to finish managing your Policy Tips and save your changes.
Use Exchange Online PowerShell to create custom Policy Tip notification text
The following example creates a new English-language Policy Tip that will block a message from being sent. The
text of this custom Policy Tip is changed to the following value: "This message appears to contain restricted
content and will not be delivered."

New-PolicyTipConfig -Name en\Reject -Value "This message appears to contain restricted content and will not be delivered."

For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
Use Exchange Online PowerShell to modify custom Policy Tip notification text
The following example modifies an existing English-language, notify-only Policy Tip. The text of this custom Policy
Tip is changed to "Sending bank account numbers in email is not recommended."

Set-PolicyTipConfig en\NotifyOnly -Value "Sending bank account numbers in email is not recommended."

For more information about DLP cmdlets, see Messaging Policy and Compliance Cmdlets.
How do you know this worked?
To verify that you have successfully created custom Policy Tip text, do the following:
1. In the EAC, go to Compliance management > Data loss prevention.
2. Select Policy Tip settings.
3. Select Refresh.
4. Confirm that your action, locale and text for that locale appear in the list.

For more information


Data loss prevention
Policy Tips
Mail flow rules in Exchange Server
Mail flow rules (transport rules) in Exchange Online
Exchange 2010 MailTips
Exchange auditing reports
3/4/2019

Use audit logging to troubleshoot configuration issues by tracking specific changes made by administrators and to
help you meet regulatory, compliance, and litigation requirements. Exchange Online provides two types of audit
logging:
Administrator audit logging records any action, based on an Exchange Online PowerShell cmdlet,
performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of
security-related or compliance-related problems. In Exchange Online, actions performed by Microsoft
administrators and delegated administrators are also recorded.
Mailbox audit logging records when a mailbox is accessed by an administrator, a delegated user, or the
person who owns the mailbox. This can help you determine who has accessed a mailbox and what they've
done.

Export audit logs


On the Compliance Management > Auditing page in the Exchange admin center (EAC), you can search for and
export entries from the administrator audit log and the mailbox audit log.
Export the administrator audit log: Any action performed by an administrator that's based on an
Exchange Online PowerShell cmdlet that doesn't begin with the verbs Get, Search, or Test is logged in the
administrator audit log. Audit log entries include the cmdlet that was run, the parameter and values used
with the cmdlet, and when the operation was successful. You can search for and export entries from the
administrator audit log. When you export your search results, Microsoft Exchange saves them in an XML
file and attaches it to an email message. For more information, see:
Search the role group changes or administrator audit logs
View and export the external admin audit log

NOTE
By default, admin audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted. This
setting can't be changed in a cloud-based organization. However, it can be changed in an on-premises
Exchange organization by using the Set-AdminAuditLog cmdlet.

Export mailbox audit logs: When mailbox audit logging is enabled for a mailbox, Microsoft Exchange
stores a record of actions performed on mailbox data by non-owners in the mailbox audit log, which is
stored in a hidden folder in the mailbox being audited. Mailbox audit logging can also be configured to log
owner actions. Entries in this log indicate who accessed the mailbox and when, the actions performed, and
whether the action was successful. When you search for entries in the mailbox audit log and export them,
Microsoft Exchange saves the search results in an XML file and attaches it to an email message. For more
information, see Export mailbox audit logs.

Run auditing reports


When you run any of the following reports on the Auditing page in the EAC, the results are displayed in the
details pane of the report.
Run a non-owner mailbox access report: Use this report to find mailboxes that have been accessed by
someone other than the person who owns the mailbox. For more information, see Run a non-owner
mailbox access report.
Run an administrator role group report: Use this report to search for changes made to administrator
role groups. For more information, see Search the role group changes or administrator audit logs.
Run an in-place discovery and hold report: Use this report to find mailboxes that have been put on, or
removed from, In-Place Hold. For more information, see:
In-Place Hold and Litigation Hold
In-Place eDiscovery
Run a per-mailbox litigation hold report: Use this report to find mailboxes that were put on, or removed
from, litigation hold. For more information, see:
Run a per-mailbox litigation hold report
Place a mailbox on Litigation Hold
Run the admin audit log report: Use this report to view entries from the administrator audit log. Instead
of exporting the administrator audit log, which can take up to 24 hours to receive in an email message, you
can run this report in the EAC. This report records configuration changes made by administrators in your
organization. Up to 5000 entries will be displayed on multiple pages. To narrow the search, you can specify
a date range. For more information, see:
View the administrator audit log
Administrator audit logging
Run the external admin audit log report: This report is only available in Exchange Online and Exchange
Online Protection. Actions performed by Microsoft administrators or delegated administrators are logged
in the administrator audit log. Use the external admin audit log report to search for and view the actions
that administrators outside your organization performed on the configuration of your Exchange Online
organization. For more information, see View and export the external admin audit log.

Configure audit logging


Before you can run auditing reports and export audit logs, you have to configure audit logging for your
organization.
Enable mailbox audit logging
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results when you run a report for
it or export the mailbox audit log.
To enable mailbox audit logging for a single mailbox, run the following command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

For more information about configuring which actions are logged, see:
Exchange Server: Enable or disable mailbox audit logging for a mailbox
Exchange Online: Enable mailbox auditing in Office 365
Give users access to Auditing reports
By default, administrators can access and run any of the reports on the Auditing page in the EAC. However, other
users, such as a records manager or legal staff, have to be assigned the necessary permissions.
The easiest way to give users access is to add them to the Records Management role group. You can also use
Exchange Online PowerShell to give a user access to the Auditing page in the EAC by assigning the Audit Logs
role to the user.
Add a user to the Records Management role group
1. Go to Permissions > Admin Roles.
2. In the list of role groups, click Records Management, and then click Edit .
3. Under Members, click Add .
4. In the Select Members dialog box, select the user. You can search for a user by typing all or part of a
display name, and then clicking Search . You can also sort the list by clicking the Name or Display
Name column headings.
5. Click Add and then click OK to return to the role group page.
6. Click Save to save the change to the role group.
In the details pane, the user is listed under Members and can access the Auditing page in the EAC, run auditing
reports, and export audit logs.
Assign the Audit Logs role to a user
Run the following command to assign the Audit Logs role to a user.

New-ManagementRoleAssignment -Role "Audit Logs" -User <Identity>

This enables the user to select Compliance Management > Auditing in the EAC to run any of the reports. The
user can also export the mailbox audit log, and export and view the administrator audit log.

NOTE
To allow a user to run auditing reports but not to export audit logs, use the preceding command to assign the View-Only
Audit Logs role.

Configure Outlook Web App to allow XML attachments


When you export the mailbox audit log or administrator audit log, Microsoft Exchange attaches the audit log,
which is an XML file, to an email message. However, Outlook Web App blocks XML attachments by default. If you
want to use Outlook Web App to access these audit logs, you have to configure Outlook Web App to allow XML
attachments.
Run the following command to allow XML attachments in Outlook Web App.

Set-OwaMailboxPolicy -Identity Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Export mailbox audit logs
3/4/2019

When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log
whenever a user other than the owner accesses the mailbox. Each log entry includes information about who
accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful.
Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine
if a user other than the owner has accessed a mailbox.
When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and
attaches it to an email message sent to the specified recipients.

Before you begin


Estimated time to complete each procedure: Times are variable. In Exchange Online, the mailbox audit log is
sent within a few days after you export it.
In Exchange Online, you have to use Remote Windows PowerShell to perform many of the procedures in
this topic. For details, see Connect to Exchange Online Using Remote PowerShell.
Procedures in this topic require specific permissions. See each procedure for its permissions information.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Configure mailbox audit logging


You have to enable mailbox audit logging on each mailbox that you want to audit before you can export and view
mailbox audit logs. You also have to configure Microsoft Outlook Web App to allow XML attachments to use
Outlook Web App to access the audit log.
Step 1: Enable mailbox audit logging
You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results for that mailbox when you
export the mailbox audit log.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance permissions
topic.
To enable mailbox audit logging for a single mailbox, run the following command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox audit logging for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Step 2: Configure Outlook Web App to allow XML attachments


When you export the mailbox audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an
email message. However, Outlook Web App blocks XML attachments by default. To access the exported audit log,
you have to use Microsoft Outlook or configure Outlook Web App to allow XML attachments.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook Web App mailbox policies" entry in the Client Access Permissions topic.
Perform the following procedures to allow XML attachments in Outlook Web App. In Exchange Server, use the
value Default for the Identity parameter.
1. Run the following command to add XML to the list of allowed file types in Outlook Web App.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}

2. Run the following command to remove XML from the list of blocked file types in Outlook Web App.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}

How do you know this worked?


To verify that you've successfully configured mailbox audit logging, do the following:
1. Run the following command to verify that audit logging is configured for mailboxes.

Get-Mailbox | Format-List Name,AuditEnabled

A value of `True` for the _AuditEnabled_ property verifies that audit logging is enabled.

2. Run the following command to verify that XML attachments are allowed in Outlook Web App.

Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes

Verify that `.xml` is included in the list of allowed file types.

3. Run the following command to verify that XML attachments are removed from the blocked file list in Outlook
Web App.

Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes

Verify that `.xml` isn't included in the list of blocked file types.
Export the mailbox audit log
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.
2. Click Export mailbox audit logs.
3. Configure the following search criteria for exporting the entries from the mailbox audit log:
Start and end dates: Select the date range for the entries to include in the exported file.
Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.
Type of non-owner access: Select one of the following options to define the type of non-owner access to
retrieve entries for:
All non-owners: Search for access by administrators and delegated users inside your organization, and by
Microsoft datacenter administrators in Exchange Online.
External users: Search for access by Microsoft datacenter administrators.
Administrators and delegated users: Search for access by administrators and delegated users inside
your organization.
Administrators: Search for access by administrators in your organization.
Recipients: Select the users to send the mailbox audit log to.
4. Click Export.
Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a
file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that
you specified.
How do you know this worked?
Sign in to the mailbox where the mailbox audit log was sent. If you've successfully exported the audit log, you'll
receive a message sent from Exchange. In Exchange Online, it may take a few days to receive this message. The
mailbox audit log (named SearchResult.xml) will be attached to this message. If you've correctly configured
Outlook Web App to allow XML attachments, you can download the attached XML file.

View the mailbox audit log


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
To save and view the SearchResult.xml file:
1. Sign in to the mailbox where the mailbox audit log was sent.
2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the
body of the email message contains the search criteria.
3. Click the attachment and select to download the XML file.
4. Open the SearchResult.xml in Microsoft Excel.
More information
Entries in the mailbox audit log: The following example shows an entry from the mailbox audit log
contained in the SearchResult.xml file. Each entry is preceded by the <Event> XML tag and ends with the
</Event> XML tag. This entry shows that the administrator purged the message with the subject,
"Notification of litigation hold" from the Recoverable Items folder in David's mailbox on April 30, 2010.

<Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939"
Owner="PPLNSL-dom\david50001-1363917750"
LastAccessed="2010-04-30T11:01:55.140625-07:00"
Operation="HardDelete"
OperationResult="Succeeded"
LogonType="Admin"
FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
FolderPathName="\Recoverable Items\Deletions"
ClientInfoString="Client=OWA;Action=ViaProxy"
ClientIPAddress="10.196.241.168"
InternalLogonType="Owner"
MailboxOwnerUPN="david@contoso.com"
MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151"
CrossMailboxOperation="false"
LogonUserDN="Administrator"
LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
<SourceItems>

<ItemId="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
Subject="Notification of litigation hold"
FolderPathName="\Recoverable Items\Deletions" />
</SourceItems>
</Event>

Useful fields in the mailbox audit log: Here's a description of useful fields in the mailbox audit log. They
can help you identify specific information about each instance of non-owner access of a mailbox.

FIELD: DESCRIPTION

Owner: The owner of the mailbox that was accessed by a non-owner.

LastAccessed: The date and time when the mailbox was accessed.

Operation: The action that was performed by the non-owner. For more information, see the "What gets logged in the
mailbox audit log?" section in Run a Non-Owner Mailbox Access Report.

OperationResult: Whether the action performed by the non-owner succeeded or failed.

LogonType: The type of non-owner access. These include administrator, delegate, and external.

FolderPathName: The name of the folder that contained the message that was affected by the non-owner.

ClientInfoString: Information about the mail client used by the non-owner to access the mailbox.

ClientIPAddress: The IP address of the computer used by the non-owner to access the mailbox.

InternalLogonType: The logon type of the account used by the non-owner to access this mailbox.

MailboxOwnerUPN: The email address of the mailbox owner.

LogonUserDN: The display name of the non-owner.

Subject: The subject line of the email message that was affected by the non-owner.
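
As an alternative to reading the export in Excel, the following added example (not part of the original documentation) triages Event entries by the fields described above: it lists hard deletes under the Recoverable Items folder, as in the sample entry, and counts access per non-owner and mailbox. The sample data is constructed; the attribute names are the ones this topic documents, while the SearchResults root element, the Item element name, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

# Constructed sample, not a real export. Attribute names are the ones this page
# documents; the <SearchResults> root and <Item> element names are assumptions.
SAMPLE = r"""<SearchResults>
  <Event Owner="CONTOSO\david" LastAccessed="2010-04-30T11:01:55.140625-07:00"
         Operation="HardDelete" OperationResult="Succeeded" LogonType="Admin"
         FolderPathName="\Recoverable Items\Deletions" ClientIPAddress="10.196.241.168"
         MailboxOwnerUPN="david@contoso.com" LogonUserDN="Administrator">
    <SourceItems>
      <Item Subject="Notification of litigation hold"
            FolderPathName="\Recoverable Items\Deletions" />
    </SourceItems>
  </Event>
  <Event Owner="CONTOSO\david" LastAccessed="2010-05-01T08:30:00-07:00"
         Operation="SendAs" OperationResult="Succeeded" LogonType="Delegate"
         ClientIPAddress="192.0.2.10"
         MailboxOwnerUPN="david@contoso.com" LogonUserDN="Ayla Kol" />
  <Event Owner="CONTOSO\florence" LastAccessed="2010-05-02T09:15:00.1234567-07:00"
         Operation="HardDelete" OperationResult="Failed" LogonType="Admin"
         FolderPathName="\Recoverable Items\Purges" ClientIPAddress="192.0.2.11"
         MailboxOwnerUPN="florence@contoso.com" LogonUserDN="Administrator" />
  <Event Owner="CONTOSO\florence" LastAccessed="2010-05-02T09:20:00-07:00"
         Operation="HardDelete" OperationResult="Succeeded" LogonType="Admin"
         FolderPathName="\Inbox" ClientIPAddress="192.0.2.11"
         MailboxOwnerUPN="florence@contoso.com" LogonUserDN="Administrator" />
</SearchResults>"""

TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def parse_ts(value):
    """Parse a LastAccessed value; returns None if it is not a timestamp.

    Fractional seconds are cut to 6 digits because datetime accepts no more.
    """
    m = TS_RE.match(value)
    if not m:
        return None
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else (tz or "")
    return datetime.fromisoformat(f"{base}.{frac}{tz}")


def load_events(xml_text):
    """Return one dict per <Event>, with a parsed time and affected subjects."""
    # The file arrives as an email attachment, so treat it as untrusted input:
    # an audit export has no reason to carry DTD or entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in an audit export")
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("Event"):
        rec = dict(ev.attrib)
        rec["When"] = parse_ts(rec.get("LastAccessed", ""))
        # Take Subject from any child element, whatever the element is called.
        rec["Subjects"] = [d.attrib["Subject"] for d in ev.iter()
                           if d is not ev and "Subject" in d.attrib]
        events.append(rec)
    return events


def recoverable_items_purges(events):
    """Hard deletes (succeeded or failed) aimed at the Recoverable Items folder."""
    return [e for e in events
            if e.get("Operation") == "HardDelete"
            and e.get("FolderPathName", "").lower().startswith("\\recoverable items")]


def access_summary(events):
    """Count entries per (LogonType, LogonUserDN, MailboxOwnerUPN)."""
    return Counter((e.get("LogonType", "?"), e.get("LogonUserDN", "?"),
                    e.get("MailboxOwnerUPN", "?")) for e in events)


if __name__ == "__main__":
    loaded = load_events(SAMPLE)
    for e in recoverable_items_purges(loaded):
        print(e["When"], e["LogonUserDN"], "->", e["MailboxOwnerUPN"],
              e["OperationResult"], e["FolderPathName"], e["Subjects"])
    for key, count in access_summary(loaded).most_common():
        print(count, *key)
```
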

Run a non-owner mailbox access report
3/4/2019

The Non-Owner Mailbox Access Report in the Exchange admin center (EAC) lists the mailboxes that have been
accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner,
Microsoft Exchange logs information about this action in a mailbox audit log that's stored as an email message in a
hidden folder in the mailbox being audited. Entries from this log are displayed as search results and include a list of
mailboxes accessed by a non-owner, who accessed the mailbox and when, the actions performed by the non-owner,
and whether the action was successful. By default, entries in the mailbox audit log are retained for 90 days.
When you enable mailbox audit logging for a mailbox, Microsoft Exchange logs specific actions by non-owners,
including both administrators and users, called delegated users, who have been assigned permissions to a mailbox.
You can also narrow the search to users inside or outside your organization.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Enable mailbox audit logging


You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access
report for. If mailbox audit logging isn't enabled, you won't get any results when you run a report.
To enable mailbox audit logging for a single mailbox, run the following command in Exchange Online PowerShell.

Set-Mailbox <Identity> -AuditEnabled $true

For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.

Set-Mailbox "Florence Flipo" -AuditEnabled $true

To enable mailbox auditing for all user mailboxes in your organization, run the following commands.

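# -ResultSize Unlimited: without it, Get-Mailbox returns only the first 1,000 mailboxes.
$UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}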


How do you know this worked?
Run the following command to verify that you've successfully configured mailbox audit logging.

Get-Mailbox | Format-List Name,AuditEnabled

A value of True for the AuditEnabled property verifies that audit logging is enabled.

Run a non-owner mailbox access report


1. In the EAC, navigate to Compliance Management > Auditing.
2. Click Run a non-owner mailbox access report.
By default, Microsoft Exchange runs the report for non-owner access to any mailboxes in the organization
over the past two weeks. The mailboxes listed in the search results have been enabled for mailbox audit
logging.
3. To view non-owner access for a specific mailbox, select the mailbox from the list of mailboxes. View the
search results in the details pane.

TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.

Search for specific types of non-owner access


You can also specify the type of non-owner access, also called the logon type, to search for. Here are your options:
All non-owners: Search for access by administrators and delegated users inside your organization. Also
includes access by users outside of your organization.
External users: Search for access by users outside of your organization.
Administrators and delegated users: Search for access by administrators and delegated users inside your
organization.
Administrators: Search for access by administrators in your organization.
How do you know this worked?
To verify that you've successfully run a non-owner mailbox access report, check the search results pane. Mailboxes
that you ran the report for are displayed in this pane. If there are no results for a specific mailbox, it's possible there
hasn't been access by a non-owner or that non-owner access hasn't taken place within the specified date range. As
previously described, be sure to verify that audit logging has been enabled for the mailboxes you want to search
for access by non-owners.

What gets logged in the mailbox audit log?


When you run a non-owner mailbox access report, entries from the mailbox audit log are displayed in the search
results in the EAC. Each report entry contains this information:
Who accessed the mailbox and when
The actions performed by the non-owner
The affected message and its folder location
Whether the action was successful
The following table lists the actions performed by non-owners that can be logged by mailbox audit logging. In the
table, a Yes indicates that the action can be logged for that logon type, and a No indicates that an action can't be
logged. An asterisk ( * ) indicates that the action is logged by default when mailbox audit logging is enabled for the
mailbox. If you want to track actions that aren't logged by default, you have to use PowerShell to enable logging of
those actions.

NOTE
An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegated user.

ACTION | DESCRIPTION | ADMINISTRATOR | DELEGATED USER
Copy | A message was copied to another folder. | Yes | No
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes* | Yes*
FolderBind | A mailbox folder was accessed. | Yes* | Yes
Hard-delete | A message was purged from the Recoverable Items folder. | Yes* | Yes*
MessageBind | A message was viewed in the preview pane or opened. | Yes | No
Move | A message was moved to another folder. | Yes* | Yes
Move To Deleted Items | A message was moved to the Deleted Items folder. | Yes* | Yes
Send as | A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes*
Send on behalf of | A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes
Soft-delete | A message was deleted from the Deleted Items folder. | Yes* | Yes*
Update | A message was changed. | Yes* | Yes*
NOTE
* Audited by default if auditing is enabled for a mailbox.
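
The following check is an added example, not part of the original documentation: it reports mailboxes where auditing is off, or where actions the table marks Yes are not yet being logged. The helper name Get-MailboxAuditGap and the sample mailbox objects are constructed for illustration; the action names are the Set-Mailbox -AuditAdmin and -AuditDelegate values that correspond to the table's rows, and the example assumes you want every Yes action logged.

```powershell
# Added example: find gaps in non-owner mailbox audit coverage.
# Assumption: every action the table marks "Yes" should be logged.
# Action names are the -AuditAdmin / -AuditDelegate values for the table rows.
$DesiredAudit = @{
    AuditAdmin    = @('Copy','Create','FolderBind','HardDelete','MessageBind','Move',
                      'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update')
    AuditDelegate = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                      'SendAs','SendOnBehalf','SoftDelete','Update')
}

function Get-MailboxAuditGap {          # hypothetical helper name
    [CmdletBinding()]
    param(
        # A mailbox object as returned by Get-Mailbox, or a stand-in with the same properties.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox
    )
    process {
        foreach ($setting in 'AuditAdmin', 'AuditDelegate') {
            # Normalize the configured actions to strings before comparing.
            $configured = @($Mailbox.$setting | ForEach-Object { "$_" })
            $missing    = @($DesiredAudit[$setting] | Where-Object { $configured -notcontains $_ })

            # Report the mailbox if auditing is off or any desired action is not logged.
            if (-not $Mailbox.AuditEnabled -or $missing.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox        = $Mailbox.Name
                    AuditEnabled   = [bool]$Mailbox.AuditEnabled
                    Setting        = $setting
                    MissingActions = $missing -join ', '
                }
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output, so the check runs offline.
$SampleMailboxes = @(
    [pscustomobject]@{
        Name          = 'Florence Flipo'
        AuditEnabled  = $true
        # Only the default actions (the rows marked with an asterisk in the table).
        AuditAdmin    = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                          'SendAs','SendOnBehalf','SoftDelete','Update')
        AuditDelegate = @('Create','HardDelete','SendAs','SoftDelete','Update')
    },
    [pscustomobject]@{
        Name          = 'Sample Shared Mailbox'
        AuditEnabled  = $false
        AuditAdmin    = $DesiredAudit.AuditAdmin
        AuditDelegate = $DesiredAudit.AuditDelegate
    }
)

$SampleMailboxes | Get-MailboxAuditGap | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, check real mailboxes:
#   Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Get-MailboxAuditGap
# and close the gaps reported for one mailbox:
#   Set-Mailbox "Florence Flipo" -AuditAdmin @{Add='Copy','MessageBind'}
#   Set-Mailbox "Florence Flipo" -AuditDelegate @{Add='FolderBind','Move','MoveToDeletedItems','SendOnBehalf'}
```
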
Run a per-mailbox litigation hold report
3/4/2019 • 2 minutes to read

If your organization is involved in a legal action, you may have to take steps to preserve relevant data, such as
email messages, that may be used as evidence. In situations like this, you can use litigation hold to retain all email
sent and received by specific people or retain all email sent and received in your organization for a specific time
period. For more information about what happens when a mailbox is on litigation hold and how to enable and
disable it, see the "Mailbox Features" section in Manage user mailboxes.
Use the litigation hold report to keep track of the following types of changes made to a mailbox in a given time
period:
Litigation hold was enabled.
Litigation hold was disabled.
For each of these change types, the report includes the user who made the change and the time and date the
change was made.

What do you need to know before you begin?


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to run a litigation hold report


1. In the EAC, navigate to Compliance Management > Auditing.
2. Click Run a per-mailbox litigation hold report.
Microsoft Exchange runs the report for litigation hold changes made to any mailbox in the past two weeks.
3. To view the changes for a specific mailbox, in the search results pane, select the mailbox. View the search
results in the details pane.

TIP
Want to narrow the search results? Select the start date, end date, or both, and select specific mailboxes to search. Click
Search to re-run the report.

How do you know this worked?


To verify that you've successfully run a litigation hold report, mailboxes that had litigation hold changes within the
date range are displayed in the search results pane. If there are no results, then no changes to litigation hold have
taken place within the date range or recent changes haven't taken effect yet.

NOTE
When a mailbox is put on litigation hold, it can take up to 60 minutes for the hold to take effect.
Search the role group changes or administrator audit logs in Exchange Online
3/4/2019 • 7 minutes to read

You can search the administrator audit logs to discover who made changes to the organization and recipient
configuration. This can be helpful when you're trying to track the cause of unexpected behavior, to identify a
malicious administrator, or to verify that compliance requirements are being met. For more information about
administrator audit logging, see Administrator audit logging.
If you want to search the mailbox audit log, see Mailbox Audit Logging.

TIP
In Exchange Online, you can use the EAC to view entries in the administrator audit log. For more information, see View the
administrator audit log.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell
Infrastructure Permissions topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to run the management role group changes report
If you want to know what changes to management role group membership have been made to role groups in
your organization, you can use the Administrator Role Group report in the Exchange admin center (EAC). Using
the Administrator Role Group report, you can view a list of role groups that have changed during a specified date
range. You can also select the specific role groups you want to view changes for.
1. In the EAC, select Compliance management > Auditing, and then click Run an administrator role
group report.
2. Select a date range using the Start date and End date fields.
3. Click Select role groups, and then select the role groups you want to show changes for or leave this field
blank to search for changes in all role groups.
4. Click Search.
If any changes are found using the criteria you specified, a list of changes will be displayed in the results pane.
Clicking a role group displays the changes to the role group in the details pane.

Use the EAC to export the administrator audit log


If you want to create an XML file that contains changes made to your organization, you can use the Export
Administrator Audit Log report in the EAC. Using the Export Administrator Audit Log report, you can specify a
date range to search for audit log entries that contain changes made by users you specify. The XML file is then
sent to a recipient as an email attachment. The maximum size of the XML file is 10 megabytes (MB).

NOTE
By default, Outlook on the web (formerly known as Outlook Web App) doesn't allow you to open XML attachments. You can
either configure Outlook on the web to allow XML attachments to be viewed, or you can use another email client to view
the attachment (for example, Microsoft Outlook). For information about how to configure Outlook on the web to allow you
to view XML attachments, see View or configure Outlook on the web mailbox policy properties in Exchange Online.

1. In the EAC, select Compliance management > Auditing, and then click Export the administrator
audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the recipient you want to send
the report to.
4. Click Export.
If any log entries are found using the criteria you specified, an XML file will be created and sent as an email
attachment to the recipient you specified.

Use Exchange Online PowerShell to search for audit log entries


You can use Exchange Online PowerShell to search for audit log entries that meet the criteria you specify. For a list
of search criteria, see Administrator audit logging. This procedure uses the Search-AdminAuditLog cmdlet and
displays search results in Exchange Online PowerShell. You can use this cmdlet when you need to return a set of
results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the EAC Audit Reporting
reports.
If you want to send audit log search results in an email attachment to a recipient, see the Use Exchange Online
PowerShell to search for audit log entries and send results to a recipient section later in this topic.
To search the audit log for criteria you specify, use the following syntax.

Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>

NOTE
The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to
specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2018 -EndDate 10/03/2018 -UserIds davids,chrisd,kima

This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need
to provide information for an investigation. The following criteria are used:
Start date: 05/01/2018
End date: 10/03/2018
Object ID: contoso.com/Users/DavidS

Search-AdminAuditLog -StartDate 05/01/2018 -EndDate 10/03/2018 -ObjectIds contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure provided in Use Exchange
Online PowerShell to search for audit log entries and send results to a recipient later in this topic. The
procedure in that section sends an XML file as an email attachment to the recipients you specify, enabling you to
more easily extract the data you're interested in.
For detailed syntax and parameter information, see Search-AdminAuditLog.
View details of audit log entries
The Search-AdminAuditLog cmdlet returns the fields described in the "Audit log contents" section of
Administrator audit logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and
ModifiedProperties, contain additional information that isn't viewable by default.
To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you
can use the procedure in Use Exchange Online PowerShell to search for audit log entries and send results
to a recipient later in this topic to create an XML file.
This procedure uses the following concepts:
Arrays
User-Defined Variables
1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in
a variable using the following command.

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results . You can select an array element
by specifying its array element index. Array element indexes start at zero (0) for the first array element. For
example, to retrieve the 5th array element, which has an index of 4, use the following command.
$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the contents of the
CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

$Results[4].CmdletParameters
$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry,
change the array element index.
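
Instead of inspecting one array element at a time, the added example below (not part of the original documentation) expands CmdletParameters and ModifiedProperties for every entry into flat rows, then flags entries where mailbox audit logging was switched off. The helper name Expand-AdminAuditEntry and the sample entries are constructed for illustration; the property names used (RunDate, Caller, CmdletName, ObjectModified, Succeeded, Name, Value, OldValue, NewValue) are the fields that Search-AdminAuditLog returns.

```powershell
# Added example: flatten admin audit log entries and flag mailbox auditing being turned off.
function Expand-AdminAuditEntry {       # hypothetical helper name
    [CmdletBinding()]
    param(
        # An entry as returned by Search-AdminAuditLog, or a stand-in with the same properties.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Entry
    )
    process {
        # Index ModifiedProperties by name so old and new values line up with each parameter.
        $modified = @{}
        foreach ($property in @($Entry.ModifiedProperties)) {
            if ($property -and $property.Name) { $modified[$property.Name] = $property }
        }

        # Emit one row per cmdlet parameter.
        foreach ($parameter in @($Entry.CmdletParameters)) {
            if (-not $parameter -or -not $parameter.Name) { continue }

            $oldValue = $null
            $newValue = $null
            $change   = $modified[$parameter.Name]
            if ($change) {
                $oldValue = "$($change.OldValue)"
                $newValue = "$($change.NewValue)"
            }

            [pscustomobject]@{
                RunDate   = $Entry.RunDate
                Caller    = $Entry.Caller
                Cmdlet    = $Entry.CmdletName
                Object    = $Entry.ObjectModified
                Succeeded = $Entry.Succeeded
                Parameter = $parameter.Name
                Value     = "$($parameter.Value)"
                OldValue  = $oldValue
                NewValue  = $newValue
            }
        }
    }
}

# Constructed sample entries standing in for Search-AdminAuditLog output, so this runs offline.
# In a connected session, replace this block with, for example:
#   $Results = Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate 08/04/2018 -EndDate 10/03/2018
$Results = @(
    [pscustomobject]@{
        RunDate            = [datetime]'2018-09-12 14:03'
        Caller             = 'chrisd'
        CmdletName         = 'Set-Mailbox'
        ObjectModified     = 'contoso.com/Users/DavidS'
        Succeeded          = $true
        CmdletParameters   = @(
            [pscustomobject]@{ Name = 'Identity';     Value = 'DavidS' },
            [pscustomobject]@{ Name = 'AuditEnabled'; Value = 'False' }
        )
        ModifiedProperties = @(
            [pscustomobject]@{ Name = 'AuditEnabled'; OldValue = 'True'; NewValue = 'False' }
        )
    },
    [pscustomobject]@{
        RunDate            = [datetime]'2018-09-20 09:41'
        Caller             = 'kima'
        CmdletName         = 'Set-Mailbox'
        ObjectModified     = 'contoso.com/Users/DavidS'
        Succeeded          = $true
        CmdletParameters   = @(
            [pscustomobject]@{ Name = 'Identity';          Value = 'DavidS' },
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; Value = '45 GB' }
        )
        ModifiedProperties = $null      # empty in this constructed entry
    }
)

$Rows = $Results | Expand-AdminAuditEntry
$Rows | Format-Table RunDate, Caller, Cmdlet, Object, Parameter, Value -AutoSize

# Entries where someone turned mailbox audit logging off.
$AuditDisabled = $Rows | Where-Object {
    $_.Cmdlet -eq 'Set-Mailbox' -and $_.Parameter -eq 'AuditEnabled' -and $_.Value -eq 'False'
}
$AuditDisabled | Format-List RunDate, Caller, Object, OldValue, NewValue
```
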

Use Exchange Online PowerShell to search for audit log entries and send results to a recipient
You can use Exchange Online PowerShell to search for audit log entries that meet the criteria you specify, and then
send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within
15 minutes. For a list of search criteria, see Administrator audit logging.

NOTE
By default, Outlook on the web (formerly known as Outlook Web App) doesn't allow you to open XML attachments. You can
either configure Outlook on the web to allow XML attachments to be viewed, or you can use another email client to view
the attachment (for example, Microsoft Outlook). For information about how to configure Outlook on the web to allow you
to view XML attachments, see View or configure Outlook on the web mailbox policy properties in Exchange Online.

To search the audit log for criteria you specify, use the following syntax.

New-AdminAuditLogSearch -Cmdlets <cmdlet1, cmdlet2, ...> -Parameters <parameter1, parameter2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$true | $false> -StatusMailRecipients <recipient1, recipient2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:
Start date: 08/04/2018
End date: 10/03/2018
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize,
MaxReceiveSize
The command sends the results to the davids@contoso.com SMTP address with "Mailbox limit changes" included
in the subject line of the message.

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2018 -EndDate 10/03/2018 -UserIds davids,chrisd,kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

NOTE
The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If the search you
perform returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the size of the
date range and run multiple reports, each with a portion of the original date range.

For more information about the format of the XML file, see Administrator Audit Log Structure.
For detailed syntax and parameter information, see New-AdminAuditLogSearch.
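
The note above recommends splitting a large search into several reports, each covering part of the date range. The added example below (not part of the original documentation) does that for the "Mailbox limit changes" search; the helper name Get-AuditSearchWindow and the 14-day window size are assumptions chosen for illustration.

```powershell
# Added example: split one large audit log export into several smaller date windows.
function Get-AuditSearchWindow {        # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [datetime] $StartDate,
        [Parameter(Mandatory = $true)] [datetime] $EndDate,
        [ValidateRange(1, 365)] [int] $DaysPerWindow = 14   # assumed window size
    )
    if ($EndDate -le $StartDate) {
        throw "EndDate must be later than StartDate."
    }

    $cursor = $StartDate
    $part   = 1
    while ($cursor -lt $EndDate) {
        # The last window is shortened so it never runs past the requested end date.
        $next = $cursor.AddDays($DaysPerWindow)
        if ($next -gt $EndDate) { $next = $EndDate }

        [pscustomobject]@{ Part = $part; StartDate = $cursor; EndDate = $next }

        # Adjacent windows share a boundary date; entries logged exactly at the
        # boundary may appear in both reports, so de-duplicate when merging.
        $cursor = $next
        $part++
    }
}

# Same criteria as the example above: 08/04/2018 through 10/03/2018.
$Windows = Get-AuditSearchWindow -StartDate '2018-08-04' -EndDate '2018-10-03' -DaysPerWindow 14
$Windows | Format-Table Part, StartDate, EndDate -AutoSize

foreach ($window in $Windows) {
    $name = 'Mailbox limit changes part {0} ({1:yyyy-MM-dd} to {2:yyyy-MM-dd})' -f `
        $window.Part, $window.StartDate, $window.EndDate

    if (Get-Command New-AdminAuditLogSearch -ErrorAction SilentlyContinue) {
        # Connected Exchange Online PowerShell session: submit one search per window.
        New-AdminAuditLogSearch -Cmdlets Set-Mailbox `
            -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize `
            -StartDate $window.StartDate -EndDate $window.EndDate `
            -UserIds davids,chrisd,kima `
            -StatusMailRecipients davids@contoso.com -Name $name
    }
    else {
        # No session available: show what would be submitted.
        Write-Output "Would submit: $name"
    }
}
```

If one window still produces a report larger than 10 MB, lower -DaysPerWindow and resubmit that window only.
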
View the administrator audit log
3/4/2019 • 2 minutes to read

In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the
administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell
cmdlets, performed by administrators and users who have been assigned administrative privileges. Entries in the
administrator audit log provide you with information about what cmdlet was run, which parameters were used,
who ran the cmdlet, and what objects were affected.

NOTE
Administrator audit logging is enabled by default.
The administrator audit log doesn't record any action that's based on an Exchange Online PowerShell cmdlet that begins with the verbs Get, Search, or Test.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View reports" entry in the Feature Permissions in EOP topic.
As previously stated, administrator audit logging is enabled by default. To verify that it's enabled, you can
run the following command.

Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled

In Exchange Server, you can enable administrator audit logging if it's disabled by running the following
command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

In Exchange Online Protection and Exchange Online, administrator audit logging is always enabled. It can't
be disabled.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view the administrator audit log


1. In the EAC, go to Compliance management > Auditing, and choose Run the admin audit log report.
2. Choose a Start date and End date, and then choose Search. All configuration changes made during the
specified time period are displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date and time are stored in
Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration change.
User: The name of the user account of the user who made the configuration change.
Up to 5000 entries will be displayed on multiple pages. Specify a smaller date range if you need to narrow
your results. If you select an individual search result, the following additional information is displayed in the
details pane:
Object modified: The object that was modified by the cmdlet.
Parameters (Parameter:Value): The cmdlet parameters that were used, and any value specified with the
parameter.
3. If you want to print a specific audit log entry, choose the Print button in the details pane.

How do you know this worked?


If you've successfully run an administrator audit log report, configuration changes made within the date range you
specify are displayed in the search results pane. If there are no results, change the date range and then run the
report again.

NOTE
When a change is made in your organization, it may take up to 15 minutes to appear in audit log search results. If a change
doesn't appear in the administrator audit log, wait a few minutes and run the search again.
View and export the external admin audit log
3/4/2019 • 5 minutes to read

In Exchange Online, actions performed by Microsoft and delegated administrators are logged in the administrator
audit log. You can use the EAC or Exchange Online PowerShell to search for and view audit log entries to
determine if external administrators performed any actions on or changed the configuration of your Exchange
Online organization. You can also use Exchange Online PowerShell to export these audit log entries.

What do you need to know before you begin?


Estimated time to complete: This will vary based on whether you view or export entries from the admin
audit log. See each procedure for its estimated time to complete.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell
Infrastructure Permissions topic.
When you export the admin audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an
email message that is sent to the specified recipients. However, Outlook Web App blocks XML attachments
by default. If you want to use Outlook Web App to access these audit logs, you have to configure Outlook
Web App to allow XML attachments. Run the following command to allow XML attachments in Outlook
Web App.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view the external admin audit log report
Estimated time to complete: 3 minutes
1. Go to Compliance management > Auditing and click View the external admin audit log report. All
configuration changes made by Microsoft datacenter administrators and delegated administrators during the
specified time period are displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date and time are stored in
Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration change.
If you select an individual search result, the following information is displayed in the details pane:
The date and time that the cmdlet was run.
The user who ran the cmdlet. For all entries in the external admin audit log report, the user is identified as
Administrator, which indicates a Microsoft datacenter administrator or an external administrator.
The cmdlet parameters that were used, and any value specified with the parameter, in the format
Parameter:Value.
2. If you want to print a specific audit log entry, select it in the search results pane and then click Print in the
details pane.
3. To narrow the search, choose dates in the Start date and End date drop-down menus, and then click
Search.

Use Exchange Online PowerShell to view entries in the external admin audit log report
Estimated time to complete: 3 minutes
You can use the Search-AdminAuditLog cmdlet with the ExternalAccess parameter to view entries from the
administrator audit log for actions performed by Microsoft datacenter administrators and delegated
administrators.
This command returns all entries in the administrator audit log for cmdlets run by external administrators.

Search-AdminAuditLog -ExternalAccess $true

This command returns entries in the administrator audit log for cmdlets run by external administrators between
September 17, 2013 and October 2, 2013.

Search-AdminAuditLog -ExternalAccess $true -StartDate 09/17/2013 -EndDate 10/02/2013

For more information, see Search-AdminAuditLog.

Use Exchange Online PowerShell to export the admin audit log


Estimated time to complete: Approximately 24 hours
You can use the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter to export entries from
the administrator audit log for actions performed by Microsoft datacenter administrators or delegated
administrators. Microsoft Exchange retrieves entries in the administrator audit log that were performed by external
administrators and saves them to a file named SearchResult.xml. This XML file is attached to an email message
that is sent to the specified recipients within 24 hours.
The following command returns entries in the administrator audit log for cmdlets run by external administrators
between September 25, 2013 and October 24, 2013. The search results are sent to the admin@contoso.com and
pilarp@contoso.com SMTP addresses and the text "External admin audit log" is added to the subject line of the
message.

New-AdminAuditLogSearch -ExternalAccess $true -EndDate 10/24/2013 -StartDate 09/25/2013 -StatusMailRecipients admin@contoso.com,pilarp@contoso.com -Name "External admin audit log"

NOTE
When you include the ExternalAccess parameter, only entries for actions performed by Microsoft datacenter administrators or
delegated administrators are included in the audit log that is exported. If you don't include the ExternalAccess parameter, the
audit log will contain entries for actions performed by the administrators in your organization and by external administrators.

To verify that the command to export the admin audit log entries performed by external administrators was
successful, and to display information about current administrator audit log searches, run the following command:

Get-AuditLogSearch | Format-List

More information
In Office 365, you can delegate the ability to perform certain administrative tasks to an authorized partner
of Microsoft. These admin tasks include creating or editing users, resetting user passwords, managing user
licenses, managing domains, and assigning admin permissions to other users in your organization. When
you authorize a partner to take on this role, the partner is referred to as a delegated admin. The tasks
performed by a delegated admin are logged in the admin audit log. As previously described, actions
performed by delegated admins can be viewed by running the external admin audit log report or exported
by using the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter.
The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets,
performed by administrators and users who have been assigned administrative privileges. Actions
performed by external administrators are also logged. Entries in the admin audit log provide you with
information about the cmdlet that was run, which parameters were used, and what objects were affected.
The administrator audit log doesn't record any action that is based on an Exchange Online PowerShell
cmdlet that begins with the verbs Get, Search, or Test.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.
Messaging records management
3/4/2019 • 7 minutes to read

Users send and receive email every day. If left unmanaged, the volume of email generated and received each day
can inundate users, impact user productivity, and expose your organization to risks. As a result, email lifecycle
management is a critical component for most organizations.
Messaging records management (MRM) is the records management technology in Exchange Server and Exchange
Online that helps organizations manage email lifecycle and reduce the legal risks associated with email. Deploying
MRM can help your organization in several ways:
Meet business requirements: Depending on your organization's messaging policies, you may need to
retain important email messages for a certain period. For example, a user's mailbox may contain critical
messages related to business strategy, transactions, product development, or customer interactions.
Meet legal and regulatory requirements: Many organizations have a legal or regulatory requirement to
store messages for a designated period and remove messages older than that period. Storing messages
longer than necessary may increase your organization's legal or financial risks.
Increase user productivity: If left unmanaged, the ever-increasing volume of email in your users'
mailboxes can also impact their productivity. For example, although newsletter subscriptions and automated
notifications may have informational value when they're received, users may not remove them after reading
(often they're never read). Many of these types of messages don't have a retention value beyond a few days.
Using MRM to remove such messages can help reduce information clutter in users' mailboxes, thereby
increasing productivity.
Improve storage management: Due to expectations driven by free consumer email services, many users
keep old messages for a long period or never remove them. Maintaining large mailboxes is increasingly
becoming a standard practice, and users shouldn't be forced to change their work habits based on restrictive
mailbox quotas. However, retaining messages beyond the period that's necessary for business, legal, or
regulatory reasons also increases storage costs.
MRM provides the flexibility to implement the records management policy that best meets your organization's
requirements. With a good understanding of MRM, In-Place Archiving, and In-Place Hold, you can help meet your
goals of managing mailbox storage and meeting regulatory retention requirements.
Looking for management tasks related to MRM? See Messaging Records Management Procedures.

MRM in Exchange Server and Exchange Online


In Exchange Server and Exchange Online, MRM is accomplished through the use of retention tags and retention
policies. Retention tags are used to apply retention settings to an entire mailbox and default mailbox folders such
as Inbox and Deleted Items. You can also create and deploy retention tags that Outlook 2010 and later and
Outlook Web App users can use to apply to folders or individual messages. After they're created, you add retention
tags to a retention policy and then apply the policy to users. The Managed Folder Assistant processes mailboxes
and applies retention settings in the user's retention policy. To learn more about retention policies, see Retention
tags and retention policies.
When a message reaches its retention age specified in the applicable retention tag, the Managed Folder Assistant
takes the retention action specified by the tag. Messages can then be deleted permanently or deleted with the
ability to recover them. If an archive has been provisioned for the user, you can also use retention tags to move
items to the user's In-Place Archive.
MRM strategies
You can use retention policies to enforce basic message retention for an entire mailbox or for specific default
folders. Although there are several strategies for deploying MRM, here are some of the most common:
Remove all messages after a specified period: In this strategy, you implement a single MRM policy that
removes all messages after a certain period, with no classification of messages. You can
implement this policy by creating a single default policy tag (DPT) for the mailbox. However, this doesn't ensure
that messages are retained for the specified period. Users can still delete messages before the retention period is
reached.
Move messages to archive mailboxes: In this strategy, you implement MRM policies that move items to the
user's archive mailbox. An archive mailbox provides additional storage for users to maintain old and infrequently
accessed content. Retention tags that move items are also known as archive policies. Within the same retention
policy, you can combine a DPT and personal tags to move items, and a DPT, RPTs, and personal tags to delete
items. To learn more about archiving policies, see:
Exchange Server 2016: In-Place Archiving
Exchange Online: Archive Mailboxes in Exchange Online

NOTE
In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If you
assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved to the
archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold, an
archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration specified by
the hold.

Remove messages based on folder location: In this strategy, you implement MRM policies based on email
location. For example, you can specify that messages in the Inbox are retained for one year and messages in the
Junk Email folder are retained for 60 days. You can implement this policy by using a combination of retention
policy tags (RPTs) for each default folder you want to configure and a DPT for the entire mailbox. The DPT applies
to all custom folders and all default folders that don't have an RPT applied.

NOTE
In Exchange Server, you can create RPTs for the Calendar and Tasks folders. If you don't want items in these folders or other
default folders to expire, you can create a disabled retention tag for that default folder.

Allow users to classify messages: In this strategy, you implement MRM policies that include a baseline retention
setting for all messages but allow users to classify messages based on business or regulatory requirements. In this
case, users become an important part of your records management strategy - often they have the best
understanding of a message's retention value.
Users can apply different retention settings to messages that need to be retained for a longer or shorter period.
You can implement this policy using a combination of the following:
A DPT for the mailbox
Personal tags that users can apply to custom folders or individual messages
(Optional) Additional RPTs to expire items in specific default folders

For example, you can use a retention policy with personal tags that have a shorter retention period (such as two
days, one week, or one month), as well as personal tags that have a longer retention period (such as one, two, or
five years). Users can apply personal tags with the shorter retention periods for items such as newsletter
subscriptions that may lose their value within days of receiving them, and apply the tags with longer periods to
preserve items that have a high business value. They can also automate the process by using Inbox rules in
Outlook to apply a personal tag to messages that match rule conditions.
Retain messages for eDiscovery purposes: In this strategy, you implement MRM policies that remove
messages from mailboxes after a specified period but also retain them in the Recoverable Items folder for In-Place
eDiscovery purposes, even if the messages were deleted by the user or another process.
You can meet this requirement by using a combination of retention policies and In-Place Hold or Litigation
Hold. Retention policies remove messages from the mailbox after the specified period. A time-based
In-Place Hold or Litigation Hold preserves messages that were deleted or modified before that period. For
example, to retain messages for seven years, you can create a retention policy with a DPT that deletes messages in
seven years and use Litigation Hold to hold messages for seven years. Messages that aren't removed by users will be
deleted after seven years; messages deleted by users before the seven-year period will be retained in the
Recoverable Items folder for seven years. To learn more about this folder, see Recoverable Items Folder.
Optionally, you can use RPTs and personal tags to allow users to clean up their mailboxes. However, In-Place Hold
or Litigation Hold continues to retain the deleted messages until the hold period expires.

NOTE
A time-based In-Place Hold or Litigation Hold is similar to what was informally referred to as a rolling legal hold in Exchange
2010. Rolling legal hold was implemented by configuring the deleted item retention period for a mailbox database or
individual mailbox. However, deleted item retention retains deleted and modified items based on the date deleted. In-Place
Hold and Litigation Hold preserve items based on the date they're received or created. This ensures that messages are
preserved for at least the specified period.
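
The seven-year strategy described above, written out in Exchange Online PowerShell. This is an added example, not part of the original documentation; the tag name, policy name and mailbox address are placeholders, and it assumes a session is already connected with rights to manage retention and holds.

```powershell
# Added example. 'Delete - 7 years', 'Seven Year Retention' and user@contoso.com
# are placeholder names chosen for illustration.

$days    = 2555                      # 7 x 365 days, used for both the tag and the hold
$mailbox = 'user@contoso.com'

# 1. Default policy tag (Type All = whole mailbox) that removes untagged items
#    after seven years but leaves them recoverable.
$tag = @{
    Name                 = 'Delete - 7 years'
    Type                 = 'All'
    AgeLimitForRetention = $days
    RetentionAction      = 'DeleteAndAllowRecovery'
    RetentionEnabled     = $true
}
New-RetentionPolicyTag @tag

# 2. Retention policy that carries the tag.
New-RetentionPolicy -Name 'Seven Year Retention' -RetentionPolicyTagLinks 'Delete - 7 years'

# 3. Apply the policy to the mailbox. A mailbox has exactly one retention policy,
#    so this replaces whatever policy was assigned before.
Set-Mailbox -Identity $mailbox -RetentionPolicy 'Seven Year Retention'

# 4. Time-based Litigation Hold for the same period. The hold duration is counted
#    from the date each item was received or created, so an item a user deletes
#    early stays in Recoverable Items until it is seven years old.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $days

# 5. Confirm both settings landed on the mailbox.
Get-Mailbox -Identity $mailbox |
    Format-List Name, RetentionPolicy, LitigationHoldEnabled, LitigationHoldDuration

# 6. Optional: ask the Managed Folder Assistant to process the mailbox now
#    instead of waiting for its next pass.
Start-ManagedFolderAssistant -Identity $mailbox
```

Keeping the tag age and the hold duration in one variable avoids the mismatch where the hold expires before the retention age and early-deleted items are purged sooner than intended.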

For more information


Messaging Records Management Terminology in Exchange 2013
Retention tags and retention policies
Retention tags and retention policies
3/29/2019 • 15 minutes to read

In Microsoft Exchange Server and Exchange Online, Messaging records management (MRM) helps
organizations to manage email lifecycle and reduce legal risks associated with e-mail and other communications.
MRM makes it easier to keep messages needed to comply with company policy, government regulations, or legal
needs, and to remove content that has no legal or business value.

Messaging Records Management strategy


MRM in Exchange Server and Exchange Online is accomplished by using retention tags and retention policies.
Before discussing the details about each of these retention features, it's important to learn how the features are
used in the overall MRM strategy. This strategy is based on:
Assigning retention policy tags (RPTs) to default folders, such as the Inbox and Deleted Items.
Applying default policy tags (DPTs) to mailboxes to manage the retention of all untagged items.
Allowing the user to assign personal tags to custom folders and individual items.
Separating MRM functionality from users' Inbox management and filing habits. Users aren't required to
file messages in managed folders based on retention requirements. Individual messages can have a
different retention tag than the one applied to the folder in which they're located.
The following figure illustrates the tasks involved in implementing this strategy.
Retention tags
As illustrated in the preceding figure, retention tags are used to apply retention settings to folders and individual
items such as e-mail messages and voice mail. These settings specify how long a message remains in a mailbox
and the action to be taken when the message reaches the specified retention age. When a message reaches its
retention age, it's moved to the user's In-Place Archive or deleted.
Retention tags allow users to tag their own mailbox folders and individual items for retention. Users no longer
have to file items in managed folders provisioned by an administrator based on message retention requirements.
Types of retention tags
Retention tags are classified into the following three types based on who can apply them and where in a mailbox
they can be applied.

| TYPE OF RETENTION TAG | APPLIED... | APPLIED BY... | AVAILABLE ACTIONS... | DETAILS |
| --- | --- | --- | --- | --- |
| Default policy tag (DPT) | Automatically to entire mailbox. A DPT applies to untagged items, which are mailbox items that don't have a retention tag applied directly or by inheritance from the folder. | Administrator | Move to archive; Delete and allow recovery; Permanently delete | Users can't change DPTs applied to a mailbox. |
| Retention policy tag (RPT) | Automatically to a default folder. Default folders are folders created automatically in all mailboxes, for example: Inbox, Deleted Items, and Sent Items. See the list of supported default folders in Default folders that support Retention Policy Tags. | Administrator | Delete and allow recovery; Permanently delete | Users can't change the RPT applied to a default folder. |
| Personal tag | Manually to items and folders. Users can automate tagging by using Inbox rules to either move a message to a folder that has a particular tag or to apply a personal tag to the message. | Users | Move to archive; Delete and allow recovery; Permanently delete | Personal tags allow your users to determine how long an item should be retained. For example, the mailbox can have a DPT to delete items in seven years, but a user can create an exception for items such as newsletters and automated notifications by applying a personal tag to delete them in three days. |

More about personal tags


Personal tags are available to Outlook 2010 and Outlook Web App users as part of their retention policy. In
Outlook 2010 and Outlook Web App, personal tags with the Move to Archive action appear as Archive Policy,
and personal tags with the Delete and Allow Recovery or Permanently Delete actions appear as Retention
Policy, as shown in the following figure.
Users can apply personal tags to folders they create or to individual items. Messages that have a personal tag
applied are always processed based on the personal tag's settings. Users can apply a personal tag to a message
so that it's moved or deleted sooner or later than the settings specified in the DPT or RPTs applied to that user's
mailbox. You can also create personal tags with retention disabled. This allows users to tag items so they're never
moved to an archive or never expire.

NOTE
Users can apply archive policies to default folders, user-created folders or subfolders, and individual items. Users can apply
a retention policy to user-created folders or subfolders and individual items (including subfolders and items in a default
folder), but not to default folders.

Users can also use the Exchange admin center (EAC) to select additional personal tags that aren't linked to their
retention policy. The selected tags then become available in Outlook 2010 and Outlook Web App. To enable
users to select additional tags from the EAC, you must add the MyRetentionPolicies Role to the user's role
assignment policy. To learn more about role assignment policies for users, see Understanding Management Role
Assignment Policies. If you allow users to select additional personal tags, all personal tags in your Exchange
organization become available to them.

NOTE
Personal tags are a premium feature. Mailboxes with policies that contain these tags (or as a result of users adding the tags
to their mailbox) require an Exchange Enterprise client access license (CAL).

Retention age
When you enable a retention tag, you must specify a retention age for the tag. This age indicates the number of
days to retain a message after it arrives in the user's mailbox.
The retention age for non-recurring items (such as email messages) is calculated differently than items that have
an end date or recurring items (such as meetings and tasks). To learn how retention age is calculated for different
types of items, see How retention age is calculated.
You can also create retention tags with retention disabled or disable tags after they're created. Because messages
that have a disabled tag applied aren't processed, no retention action is taken. As a result, users can use a
disabled personal tag as a Never Move tag or a Never Delete tag to override a DPT or RPT that would
otherwise apply to the message.
Retention actions
When creating or configuring a retention tag, you can select one of the following retention actions to be taken
when an item reaches its retention age:

| RETENTION ACTION | ACTION TAKEN... | EXCEPT... |
| --- | --- | --- |
| Move to Archive (1) | Moves the message to the user's archive mailbox. Only available for DPTs and personal tags. For details about archiving, see: In-Place Archiving; Archive Mailboxes in Exchange Online. | If the user doesn't have an archive mailbox, no action is taken. |
| Delete and Allow Recovery | Emulates the behavior when the user empties the Deleted Items folder. Items are moved to the Recoverable Items Folder in the mailbox and preserved until the deleted item retention period. Provides the user a second chance to recover the item using the Recover Deleted Items dialog box in Outlook or Outlook Web App. | If you've set the deleted item retention period to zero days, items are permanently deleted. For details, see Change how long permanently deleted items are kept for an Exchange Online mailbox. |
| Permanently Delete | Permanently deletes messages. You can't recover messages after they're permanently deleted. | If the mailbox is placed on In-Place Hold or Litigation Hold, items are preserved in the Recoverable Items folder based on hold parameters. In-Place eDiscovery will still return these items in search results. |
| Mark as Past Retention Limit | Marks a message as expired. In Outlook 2010 or later, and Outlook Web App, expired items are displayed with the notification stating 'This item has expired' and 'This item will expire in 0 days'. In Outlook 2007, items marked as expired are displayed by using strikethrough text. | N. A. |

NOTE
1 In an Exchange hybrid deployment, you can enable a cloud-based archive mailbox for an on-premises primary mailbox. If
you assign an archive policy to an on-premises mailbox, items are moved to the cloud-based archive. If an item is moved
to the archive mailbox, a copy of it isn't retained in the on-premises mailbox. If the on-premises mailbox is placed on hold,
an archive policy will still move items to the cloud-based archive mailbox where they are preserved for the duration
specified by the hold.
For details about how to create retention tags, see Create a Retention Policy.

Retention policies
To apply one or more retention tags to a mailbox, you must add them to a retention policy and then apply the
policy to mailboxes. A mailbox can't have more than one retention policy. Retention tags can be linked to or
unlinked from a retention policy at any time, and the changes automatically take effect for all mailboxes that have
the policy applied.
A retention policy can have the following retention tags:

| RETENTION TAG TYPE | TAGS IN A POLICY |
| --- | --- |
| Default policy tag (DPT) | One DPT with the Move to Archive action; one DPT with the Delete and Allow Recovery or Permanently Delete actions; one DPT for voice mail messages with the Delete and Allow Recovery or Permanently Delete action |
| Retention policy tags (RPTs) | One RPT for each supported default folder. NOTE: You can't link more than one RPT for a particular default folder (such as Deleted Items) to the same retention policy. |
| Personal tags | Any number of personal tags. TIP: Many personal tags in a policy can confuse users. We recommend adding no more than 10 personal tags to a retention policy. |

NOTE
Although a retention policy doesn't need to have any retention tags linked to it, we don't recommend using this scenario. If
mailboxes with retention policies don't have retention tags linked to them, this may cause mailbox items to never expire.

A retention policy can contain both archive tags (tags that move items to the personal archive mailbox) and
deletion tags (tags that delete items). A mailbox item can also have both types of tags applied. Archive mailboxes
don't have a separate retention policy. The same retention policy is applied to the primary and archive mailbox.
When planning to create retention policies, you must consider whether they'll include both archive and deletion
tags. As mentioned earlier, a retention policy can have one DPT that uses the Move to Archive action and one
DPT that uses either the Delete and Allow Recovery or Permanently Delete action. The DPT with the Move
to Archive action must have a lower retention age than the DPT with a deletion action. For example, you can use
a DPT with the Move to Archive action to move items to the archive mailbox in two years, and a DPT with a
deletion action to remove items from the mailbox in seven years. Items in both primary and archive mailboxes
will be deleted after seven years.
For a list of management tasks related to retention policies, see Messaging Records Management Procedures.
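
The composition rules in this section can be checked mechanically before a policy is assigned to mailboxes. The function below is an added example, not code from the Exchange documentation: it works on constructed tag objects whose `AgeLimitDays` property is a simplification (an assumption) of what `Get-RetentionPolicyTag` returns, and it leaves the voice mail DPT out of the model.

```powershell
# Added example: checks a retention policy's tag set against the rules stated above.
# Tag objects are constructed; Test-RetentionPolicyComposition is a hypothetical name.
function Test-RetentionPolicyComposition {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Tags
    )
    $deleteActions = 'DeleteAndAllowRecovery', 'PermanentlyDelete'
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Tags.Count -eq 0) {
        $findings.Add('WARN: no retention tags linked; mailbox items may never expire')
        return $findings
    }

    $dpts     = @($Tags | Where-Object { $_.Type -eq 'All' })
    $personal = @($Tags | Where-Object { $_.Type -eq 'Personal' })
    $rpts     = @($Tags | Where-Object { $_.Type -notin 'All', 'Personal' })

    # One DPT per action family.
    $archiveDpts = @($dpts | Where-Object { $_.RetentionAction -eq 'MoveToArchive' })
    $deleteDpts  = @($dpts | Where-Object { $_.RetentionAction -in $deleteActions })
    if ($archiveDpts.Count -gt 1) {
        $findings.Add("ERROR: $($archiveDpts.Count) DPTs use Move to Archive; only one is allowed")
    }
    if ($deleteDpts.Count -gt 1) {
        $findings.Add("ERROR: $($deleteDpts.Count) DPTs use a delete action; only one is allowed")
    }

    # The archive DPT must fire before the delete DPT.
    if ($archiveDpts.Count -eq 1 -and $deleteDpts.Count -eq 1 -and
        $archiveDpts[0].AgeLimitDays -ge $deleteDpts[0].AgeLimitDays) {
        $findings.Add("ERROR: archive DPT '$($archiveDpts[0].Name)' must have a lower retention age than delete DPT '$($deleteDpts[0].Name)'")
    }

    # One RPT per default folder.
    foreach ($group in ($rpts | Group-Object Type)) {
        if ($group.Count -gt 1) {
            $findings.Add("ERROR: $($group.Count) RPTs target default folder '$($group.Name)'; only one is allowed")
        }
    }

    # RPTs take delete actions only; Recoverable Items takes Move to Archive only.
    foreach ($rpt in $rpts) {
        if ($rpt.Type -eq 'RecoverableItems') {
            if ($rpt.RetentionAction -ne 'MoveToArchive') {
                $findings.Add("ERROR: '$($rpt.Name)' targets Recoverable Items, which supports only Move to Archive")
            }
        } elseif ($rpt.RetentionAction -notin $deleteActions) {
            $findings.Add("ERROR: RPT '$($rpt.Name)' uses $($rpt.RetentionAction); RPTs support delete actions only")
        }
    }

    if ($personal.Count -gt 10) {
        $findings.Add("WARN: $($personal.Count) personal tags; more than 10 can confuse users")
    }
    return $findings
}

# Constructed sample policy with three deliberate mistakes.
$sample = @(
    [pscustomobject]@{ Name = 'Archive after 7 years'; Type = 'All';      RetentionAction = 'MoveToArchive';          AgeLimitDays = 2555 }
    [pscustomobject]@{ Name = 'Delete after 2 years';  Type = 'All';      RetentionAction = 'DeleteAndAllowRecovery'; AgeLimitDays = 730  }
    [pscustomobject]@{ Name = 'Inbox 1 year';          Type = 'Inbox';    RetentionAction = 'DeleteAndAllowRecovery'; AgeLimitDays = 365  }
    [pscustomobject]@{ Name = 'Inbox archive 90 days'; Type = 'Inbox';    RetentionAction = 'MoveToArchive';          AgeLimitDays = 90   }
    [pscustomobject]@{ Name = '1 Week Delete';         Type = 'Personal'; RetentionAction = 'DeleteAndAllowRecovery'; AgeLimitDays = 7    }
)

# Reports: archive age not lower than delete age, two RPTs for Inbox,
# and an RPT that uses Move to Archive.
@(Test-RetentionPolicyComposition -Tags $sample) | ForEach-Object { Write-Output $_ }
```

To audit a live policy, build the same objects from the tags linked to it, mapping each tag's name, type, action and retention age in days.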
Default retention policy
Exchange Setup creates the retention policy Default MRM Policy. The Default MRM Policy is applied
automatically to new mailboxes in Exchange Online. In Exchange Server, the policy is applied automatically if you
create an archive for the new user and don't specify a retention policy.
You can modify tags included in the Default MRM Policy (for example, by changing the retention age or retention
action), disable a tag, or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.
For more details, including a list of retention tags linked to the policy, see Default Retention Policy in Exchange
Online and Exchange Server.

Managed Folder Assistant


The Managed Folder Assistant, a mailbox assistant that runs on Mailbox servers, processes mailboxes that have a
retention policy applied.
The Managed Folder Assistant applies the retention policy by inspecting items in the mailbox and determining
whether they're subject to retention. It then stamps items subject to retention with the appropriate retention tags
and takes the specified retention action on items past their retention age.
The Managed Folder Assistant is a throttle-based assistant. Throttle-based assistants are always running and
don't need to be scheduled. The system resources they can consume are throttled. You can configure the
Managed Folder Assistant to process all mailboxes on a Mailbox server within a certain period (known as a work
cycle). Additionally, at a specified interval (known as the work cycle checkpoint), the assistant refreshes the list of
mailboxes to be processed. During the refresh, the assistant adds newly created or moved mailboxes to the
queue. It also reprioritizes existing mailboxes that haven't been processed successfully due to failures and moves
them higher in the queue so they can be processed during the same work cycle.
You can also use the Start-ManagedFolderAssistant cmdlet to manually trigger the assistant to process a
specified mailbox. To learn more, see Configure the Managed Folder Assistant.

NOTE
The Managed Folder Assistant doesn't take any action on messages that aren't subject to retention, specified by disabling
the retention tag. You can also disable a retention tag to temporarily suspend items with that tag from being processed.

Moving items between folders


A mailbox item moved from one folder to another inherits any tags applied to the folder to which it's moved. If
an item is moved to a folder that doesn't have a tag assigned, the DPT is applied to it. If the item has a tag
explicitly assigned to it, the tag always takes precedence over any folder-level tags or the default tag.
Applying a retention tag to a folder in the archive
When the user applies a personal tag to a folder in the archive, if a folder with the same name exists in the
primary mailbox and has a different tag, the tag on that folder in the archive changes to match the one in the
primary mailbox. This is by design to avoid any confusion about items in a folder in the archive having a different
expiry behavior than the same folder in the user's primary mailbox. For example, the user has a folder named
Project Contoso in the primary mailbox with a Delete - 3 years tag and a Project Contoso folder also exists in the
archive mailbox. If the user applies a Delete - 1 year personal tag to the folder in the archive to delete its items
after 1 year, the folder reverts to the Delete - 3 Years tag when the mailbox is processed again.
Removing or deleting a retention tag from a retention policy
When a retention tag is removed from the retention policy applied to a mailbox, the tag is no longer available to
the user and can't be applied to items in the mailbox.
Existing items that have been stamped with that tag continue to be processed by the Managed Folder Assistant
based on those settings and any retention action specified in the tag is applied to those messages.
However, if you delete the tag, the tag definition stored in Active Directory is removed. This causes the Managed
Folder Assistant to process all items in a mailbox and restamp the ones that have the removed tag applied.
Depending on the number of mailboxes and messages, this process may significantly consume resources on all
Mailbox servers that contain mailboxes with retention policies that include the removed tag.
IMPORTANT
If a retention tag is removed from a retention policy, any existing mailbox items with the tag applied will continue to expire
based on the tag's settings. To prevent the tag's settings from being applied to any items, you should delete the tag.
Deleting a tag removes it from any retention policies in which it's included.

Disabling a retention tag


If you disable a retention tag, the Managed Folder Assistant ignores items that have that tag applied. Items that
have a retention tag for which retention is disabled are either never moved or never deleted, depending on the
specified retention action. Because these items are still considered tagged items, the DPT doesn't apply to them.
For example, if you want to troubleshoot retention tag settings, you can temporarily disable a retention tag to
stop the Managed Folder Assistant from processing messages with that tag.

NOTE
The retention period for a disabled retention tag is displayed to the user as Never. If a user tags an item believing it will
never be deleted, enabling the tag later may result in unintentional deletion of items the user didn't want to delete. The
same is true for tags with the Move to Archive action.
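
The precedence rules from "Moving items between folders" and "Disabling a retention tag" can be written as one decision procedure. This is an added, simplified model for reasoning about which tag governs an item; it is not how the Managed Folder Assistant is implemented, and all tag names, items and property names are constructed for illustration.

```powershell
# Added example: a simplified model of tag precedence, not Exchange's implementation.
# AgeLimitDays counts from the received date, which applies to non-recurring items
# such as email messages.

function New-Tag ($Name, $Action, $AgeLimitDays, [bool]$Enabled = $true) {
    [pscustomobject]@{ Name = $Name; Action = $Action; AgeLimitDays = $AgeLimitDays; Enabled = $Enabled }
}

function Resolve-EffectiveRetention {
    param(
        [Parameter(Mandatory)] $Item,   # properties: Subject, Received, ExplicitTag, FolderTag
        $DefaultPolicyTag               # $null when the policy has no DPT
    )
    # Precedence: tag set on the item, then the tag of the folder it sits in, then the DPT.
    if     ($Item.ExplicitTag)  { $tag = $Item.ExplicitTag;  $source = 'Explicit tag on item' }
    elseif ($Item.FolderTag)    { $tag = $Item.FolderTag;    $source = 'Inherited from folder' }
    elseif ($DefaultPolicyTag)  { $tag = $DefaultPolicyTag;  $source = 'Default policy tag' }
    else                        { $tag = $null;              $source = 'Untagged, no DPT' }

    $action  = 'None'
    $expires = $null
    if ($tag -and $tag.Enabled) {
        $action  = $tag.Action
        $expires = $Item.Received.AddDays($tag.AgeLimitDays)
    } elseif ($tag) {
        # A disabled tag still counts as a tag: the item is skipped and the DPT
        # does not step in as a fallback.
        $action = 'None (tag disabled)'
    }

    [pscustomobject]@{
        Subject   = $Item.Subject
        Source    = $source
        Tag       = $tag.Name
        Action    = $action
        ExpiresOn = $expires
    }
}

# Constructed tags.
$dpt         = New-Tag 'Delete - 7 years' 'DeleteAndAllowRecovery' 2555
$inboxRpt    = New-Tag 'Inbox 1 year'     'DeleteAndAllowRecovery' 365
$oneWeek     = New-Tag '1 Week Delete'    'DeleteAndAllowRecovery' 7
$neverDelete = New-Tag 'Never Delete'     'DeleteAndAllowRecovery' 0 $false

# Constructed items, all received on the same day.
$received = [datetime]'2019-01-01'
$items = @(
    [pscustomobject]@{ Subject = 'Newsletter in Inbox, tagged 1 Week Delete'; Received = $received; ExplicitTag = $oneWeek;     FolderTag = $inboxRpt }
    [pscustomobject]@{ Subject = 'Untagged message in Inbox';                 Received = $received; ExplicitTag = $null;        FolderTag = $inboxRpt }
    [pscustomobject]@{ Subject = 'Same message moved to an untagged folder';  Received = $received; ExplicitTag = $null;        FolderTag = $null }
    [pscustomobject]@{ Subject = 'Contract tagged Never Delete';              Received = $received; ExplicitTag = $neverDelete; FolderTag = $inboxRpt }
)

$items | ForEach-Object { Resolve-EffectiveRetention -Item $_ -DefaultPolicyTag $dpt } |
    Format-Table Subject, Source, Tag, Action, ExpiresOn -AutoSize
```

The last row is the case the NOTE above warns about: if the Never Delete tag is later enabled, that item immediately becomes subject to the tag's action.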

Retention hold
When users are temporarily away from work and don't have access to their e-mail, retention settings can be
applied to new messages before they return to work or access their e-mail. Depending on the retention policy,
messages may be deleted or moved to the user's personal archive. You can temporarily suspend retention
policies from processing a mailbox for a specified period by placing the mailbox on retention hold. When you
place a mailbox on retention hold, you can also specify a retention comment that informs the mailbox user (or
another user authorized to access the mailbox) about the retention hold, including when the hold is scheduled to
begin and end. Retention comments are displayed in supported Outlook clients. You can also localize the
retention hold comment in the user's preferred language.

NOTE
Placing a mailbox on retention hold doesn't affect how mailbox storage quotas are processed. Depending on the mailbox
usage and applicable mailbox quotas, consider temporarily increasing the mailbox storage quota for users when they're on
vacation or don't have access to e-mail for an extended period. For more information about mailbox storage quotas, see
Configure Storage Quotas for a Mailbox.

During long absences from work, users may accrue a large amount of e-mail. Depending on the volume of
e-mail and the length of absence, it may take these users several weeks to sort through their messages. In these
cases, consider the additional time it may take the users to catch up on their mail before removing them from
retention hold.
If your organization has never implemented MRM, and your users aren't familiar with its features, you can also
use retention holds during the initial warm-up and training phase of your MRM deployment. You can create and
deploy retention policies and educate users about the policies without the risk of having items moved or deleted
before users can tag them. A few days before the warm-up and training period ends, you should remind users of
the warm-up deadline. After the deadline, you can remove the retention hold from user mailboxes, allowing the
Managed Folder Assistant to process mailbox items and take the specified retention action.
For details about how to place a mailbox on retention hold, see Place a mailbox on retention hold.
Default Retention Policy in Exchange Online and Exchange Server
3/29/2019 • 2 minutes to read

Exchange creates the retention policy Default MRM Policy in your Exchange Online and on-premises Exchange
organization. The policy is automatically applied to new users in Exchange Online. In on-premises organizations,
the policy is applied when you create an archive for the mailbox. You can change the retention policy applied to a
user at any time.
You can modify tags included in the Default MRM Policy (for example, by changing the retention age or retention
actions), disable a tag, or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.

Retention tags linked to the Default MRM Policy


The following table lists the default retention tags linked to the Default MRM Policy.

| NAME | TYPE | RETENTION AGE (DAYS) | RETENTION ACTION |
| --- | --- | --- | --- |
| Default 2 years move to archive | Default Policy Tag (DPT) | 730 | Move to Archive |
| Recoverable Items 14 days move to archive | Recoverable Items folder | 14 | Move to Archive |
| Personal 1 year move to archive | Personal tag | 365 | Move to Archive |
| Personal 5 year move to archive | Personal tag | 1,825 | Move to Archive |
| Personal never move to archive | Personal tag | Not applicable | Move to Archive |
| 1 Week Delete | Personal tag | 7 | Delete and Allow Recovery |
| 1 Month Delete | Personal tag | 30 | Delete and Allow Recovery |
| 6 Month Delete | Personal tag | 180 | Delete and Allow Recovery |
| 1 Year Delete | Personal tag | 365 | Delete and Allow Recovery |
| 5 Year Delete | Personal tag | 1,825 | Delete and Allow Recovery |
| Never Delete | Personal tag | Not applicable | Delete and Allow Recovery |

What you can do with the Default MRM Policy


| YOU CAN... | IN EXCHANGE ONLINE... | IN EXCHANGE SERVER... |
| --- | --- | --- |
| Apply the Default MRM Policy automatically to new users | Yes, applied by default. No action is required. | Yes, applied by default if you also create an archive for the new user. If you create an archive for the user later, the policy is applied automatically only if the user doesn't have an existing Retention Policy. |
| Modify the retention age or retention action of a retention tag linked to the policy | Yes | Yes |
| Disable a retention tag linked to the policy | Yes | Yes |
| Add a retention tag to the policy | Yes | Yes |
| Remove a retention tag from the policy | Yes | Yes |
| Set another policy as the default retention policy to be applied automatically to new users | No | No |

More information
A Retention Tag can be linked to more than one Retention Policy. For details about managing Retention tags
and retention policies, see Messaging Records Management Procedures.
The Default MRM Policy doesn't include a DPT to automatically delete items (but it does contain personal
tags with the delete retention action that users can apply to mailbox items). If you want to automatically
delete items after a specified period, you can create a DPT with the required delete action and add it to the
policy. For details, see Create a Retention Policy and Add retention tags to or remove retention tags from a
retention policy.
Retention policies are applied to mailbox users. The same policy applies to the user's mailbox and archive.
Default folders that support Retention Policy Tags
3/29/2019 • 4 minutes to read

You can use Retention tags and retention policies to manage email lifecycle. Retention Policies contain Retention
Tags, which are settings you can use to specify when a message should be automatically moved to the archive or
when it should be deleted.
A Retention Policy Tag (RPT) is a type of retention tag that you can apply to default folders in a mailbox, such as
Inbox and Deleted Items.

Supported default folders


You can create RPTs for the default folders shown in the following table.

| FOLDER NAME | DETAILS |
| --- | --- |
| Archive | This folder is the default destination for messages archived with the Archive button in Outlook. The Archive feature provides a fast way for users to remove messages from their Inbox without deleting them. This RPT is available only in Exchange Online. |
| Calendar | This default folder is used to store meetings and appointments. |
| Clutter | This folder contains email messages that are low priority. Clutter looks at what you've done in the past to determine the messages you're most likely to ignore. It then moves those messages to the Clutter folder. |
| Conversation History | This folder is created by Microsoft Lync (previously Microsoft Office Communicator). Although not treated as a default folder by Outlook, it's treated as a special folder by Exchange and can have RPTs applied. |
| Deleted Items | This default folder is used to store items deleted from other folders in the mailbox. Outlook and Outlook Web App users can manually empty this folder. Users can also configure Outlook to empty the folder upon closing Outlook. |
| Drafts | This default folder is used to store draft messages that haven't been sent by the user. Outlook Web App also uses this folder to save messages that were sent by the user but not submitted to the Hub Transport server. |
| Inbox | This default folder is used to store messages delivered to a mailbox. |
| Journal | This default folder contains actions selected by the user. These actions are automatically recorded by Outlook and placed in a timeline view. |
| Junk E-mail | This default folder is used to save messages marked as junk e-mail by the content filter on an Exchange server or by the anti-spam filter in Outlook. |
| Notes | This folder contains notes created by users in Outlook. These notes are also visible in Outlook Web App. |
| Outbox | This default folder is used to temporarily store messages sent by the user until they're submitted to a Hub Transport server. A copy of sent messages is saved in the Sent Items default folder. Because messages usually remain in this folder for a brief period, it isn't necessary to create an RPT for this folder. |
| RSS Feeds | This default folder contains RSS feeds. |
| Recoverable Items | This is a hidden folder in the Non-IPM sub-tree. It contains the Deletions, Versions, Purges, DiscoveryHolds, and Audits sub-folders. Retention tags for this folder move items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You can assign only the Move To Archive retention action to tags for this folder. To learn more, see Recoverable Items Folder. |
| Sent Items | This default folder is used to store messages that have been submitted to a Hub Transport server. |
| Sync Issues | This folder contains synchronization logs. To learn more, see Synchronization error folders. |
| Tasks | This default folder is used to store tasks. To create an RPT for the Tasks folder, you have to use Exchange Online PowerShell. For more information, see New-RetentionPolicyTag. After the RPT for the Tasks folder is created, you can manage it by using the Exchange admin center. |

More Info
- RPTs are retention tags for default folders. You can only select a delete action for RPTs: either delete and
  allow recovery or permanently delete.
- You can't create an RPT to move messages to the archive. To move old items to archive, you can create a
  Default Policy Tag (DPT), which applies to the entire mailbox, or Personal Tags, which are displayed in
  Outlook and Outlook Web App (OWA) as Archive Policies. Your users can apply them to folders or
  individual messages.
- You can't apply RPTs to the Contacts folder.
- You can only add one RPT for a particular default folder to a Retention Policy. For example, if a retention
  policy has an Inbox tag, you can't add another RPT of type Inbox to that retention policy.
- To learn how to create RPTs or other types of retention tags and add them to a retention policy, see Create a
  Retention Policy.
- In Exchange Server and Exchange Online, a DPT also applies to the Calendar and Tasks default folders.
  This may result in items being deleted or moved to the archive based on the DPT settings. To prevent the
  DPT settings from deleting items in these folders, create RPTs with retention disabled. To prevent the DPT
  settings from moving items in a default folder, you can create a disabled Personal Tag with the move to
  archive action, add it to the retention policy, and then have users apply it to the default folder. For details, see
  Prevent archiving of items in a default folder in Exchange 2010.
How retention age is calculated
3/29/2019 • 4 minutes to read

The Managed Folder Assistant (MFA) is one of many mailbox assistant processes that runs on mailbox servers. Its
job is to process mailboxes that have a Retention Policy applied, add the Retention Tags included in the policy to
the mailbox, and process items in the mailbox. If the items have a retention tag, the assistant tests the age of those
items. If an item has exceeded its retention age, it takes the specified retention action. Retention actions include
moving an item to the user's archive, deleting the item and allowing recovery, or deleting the item permanently.
See Retention tags and retention policies for more information.

Determining the age of different types of items


The retention age of mailbox items is calculated from the date of delivery or, in the case of items like drafts that
aren't delivered but are created by the user, from the date the item was created. When the Managed Folder Assistant
processes items in a mailbox, it stamps a start date and an expiration date for all items that have retention tags
with the Delete and Allow Recovery or Permanently Delete retention action. Items that have an archive tag
are also stamped with a move date.
Items in the Deleted Items folder and items which may have a start and end date, such as calendar items (meetings
and appointments) and tasks, are handled differently as shown in this table.

| IF THE ITEM TYPE IS... | AND THE ITEM IS... | THE RETENTION AGE IS CALCULATED BASED ON... |
|---|---|---|
| Email message; Document; Fax; Journal item; Meeting request, response, or cancellation; Missed call | Not in the Deleted Items folder | Delivery date or date of creation |
| Email message; Document; Fax; Journal item; Meeting request, response, or cancellation; Missed call | In the Deleted Items folder | Date of delivery or creation unless the item was deleted from a folder that does not have an inherited or implicit retention tag. If an item is in a folder that doesn't have an inherited or implicit retention tag applied, the item isn't processed by the MFA and therefore doesn't have a start date stamped by it. When the user deletes such an item, and the MFA processes it for the first time in the Deleted Items folder, it stamps the current date as the start date. |
| Calendar | Not in the Deleted Items folder | Non-recurring calendar items expire according to their end date. Recurring calendar items expire according to the end date of their last occurrence. Recurring calendar items with no end date don't expire. |
| Calendar | In the Deleted Items folder | A calendar item expires according to its message-received date, if one exists. If a calendar item doesn't have a message-received date, it expires according to its message-creation date. If a calendar item has neither a message-received date nor a message-creation date, it doesn't expire. |
| Task | Not in the Deleted Items folder | Non-recurring tasks: A non-recurring task expires according to its message-received date, if one exists. If a non-recurring task doesn't have a message-received date, it expires according to its message-creation date. If a non-recurring task has neither a message-received date nor a message-creation date, it doesn't expire. A recurring task expires according to the end date of its last occurrence. If a recurring task doesn't have an end date, it doesn't expire. A regenerating task (which is a recurring task that regenerates a specified time after the preceding instance of the task is completed) doesn't expire. |
| Task | In the Deleted Items folder | A task expires according to its message-received date, if one exists. If a task doesn't have a message-received date, it expires according to its message-creation date. If a task has neither a message-received date nor a message-creation date, it doesn't expire. |
| Contact | In any folder | Contacts aren't stamped with a start date or an expiration date, so they're skipped by the Managed Folder Assistant and don't expire. |
| Corrupted | In any folder | Corrupted items are skipped by the Managed Folder Assistant and don't expire. |

Examples
| IF THE USER... | THE RETENTION TAGS ON FOLDER... | THE MANAGED FOLDER ASSISTANT... |
|---|---|---|
| Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013. | Inbox: Delete in 365 days. Deleted Items: Delete in 30 days. | Processes the message in the Inbox on 1/26/2013, stamps it with a start date of 01/26/2013 and an expiration date of 01/26/2014. Processes the message again in the Deleted Items folder on 2/27/2013. It recalculates the expiration date based on the same start date (01/26/2013). Because the item is older than 30 days, it is expired immediately. |
| Receives a message in the Inbox on 01/26/2013. Deletes the message on 2/27/2013. | Inbox: None (inherited or implicit). Deleted Items: Delete in 30 days. | Processes the message in the Deleted Items folder on 02/27/2013 and determines the item doesn't have a start date. It stamps the current date as the start date, and 03/27/2013 as the expiration date. The item is expired on 3/27/2013, which is 30 days after the user deleted or moved it to the Deleted Items folder. |

More Info
- In Exchange Online, the Managed Folder Assistant processes a mailbox once in seven days. This might
  result in items being expired up to seven days after the expiration date stamped on the item.
- Items in mailboxes placed on Retention Hold aren't processed by the Managed Folder Assistant until the
  Retention Hold is removed.
- If a mailbox is placed on In-Place Hold or Litigation Hold, expiring items are removed from the Inbox but
  preserved in the Recoverable Items folder until the mailbox is removed from In-Place Hold and Litigation
  Hold.
- In hybrid deployments, the same retention tags and retention policies must exist in your on-premises and
  Exchange Online organizations in order to consistently move and expire items across both organizations.
  See Export and Import Retention Tags for more information.
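
The start-date rules in the table above can be modelled as a small function, which helps when predicting what a new tag will remove and when. This is an added illustration, not Exchange code or part of the original documentation; the function names, property names and sample items are hypothetical, and the sample dates are constructed.

```powershell
# Added illustration: models the retention-age table above. It is not Exchange code,
# and every function name, property name and sample item here is hypothetical.

$MessageLikeTypes = 'Email', 'Document', 'Fax', 'Journal', 'MeetingMessage', 'MissedCall'

function Get-RetentionStartDate {
    param([Parameter(Mandatory)] [hashtable] $Item)

    # Contacts and corrupted items are skipped by the assistant: no start date.
    if ($Item.Type -in 'Contact', 'Corrupted') { return $null }

    # Message-received date if one exists, otherwise message-creation date.
    $receivedOrCreated = if ($null -ne $Item.Received) { $Item.Received } else { $Item.Created }

    if ($Item.Type -in $MessageLikeTypes) {
        # Deleted from a folder with no inherited or implicit tag: the clock starts
        # when the assistant first processes the item in Deleted Items.
        if ($Item.InDeletedItems -and -not $Item.SourceFolderTagged) {
            return $Item.FirstProcessedInDeletedItems
        }
        return $receivedOrCreated
    }

    if ($Item.Type -notin 'Calendar', 'Task') { throw "Unknown item type '$($Item.Type)'" }

    # Calendar items and tasks in Deleted Items fall back to received/created dates.
    if ($Item.InDeletedItems) { return $receivedOrCreated }

    if ($Item.Type -eq 'Task') {
        if ($Item.Regenerating)   { return $null }              # regenerating tasks never expire
        if (-not $Item.Recurring) { return $receivedOrCreated }
    }

    # Calendar items and recurring tasks: end date (of the last occurrence);
    # $null when a recurring series has no end date, so it never expires.
    return $Item.End
}

function Get-RetentionForecast {
    param(
        [Parameter(Mandatory)] [hashtable] $Item,
        [Parameter(Mandatory)] [int] $AgeLimitDays,   # age limit of the tag in effect
        [int] $AssistantCycleDays = 7                 # one pass per mailbox in seven days
    )
    $start   = Get-RetentionStartDate -Item $Item
    $expires = if ($null -ne $start) { $start.AddDays($AgeLimitDays) } else { $null }

    [pscustomobject]@{
        Item         = $Item.Name
        Start        = $start
        Expires      = $expires
        # The action can lag the stamped expiration date by up to one assistant cycle.
        LatestAction = if ($null -ne $expires) { $expires.AddDays($AssistantCycleDays) } else { $null }
    }
}

# Constructed sample items (dates are invented for the illustration).
$samples = @(
    @{ Age = 365; Item = @{ Name = 'Mail in tagged Inbox'; Type = 'Email'
                            Received = [datetime]'2019-01-10' } }
    @{ Age = 30;  Item = @{ Name = 'Mail deleted from tagged Inbox'; Type = 'Email'
                            InDeletedItems = $true; SourceFolderTagged = $true
                            Received = [datetime]'2019-01-10' } }
    @{ Age = 30;  Item = @{ Name = 'Mail deleted from untagged folder'; Type = 'Email'
                            InDeletedItems = $true; SourceFolderTagged = $false
                            Received = [datetime]'2019-01-10'
                            FirstProcessedInDeletedItems = [datetime]'2019-03-01' } }
    @{ Age = 30;  Item = @{ Name = 'Recurring meeting, no end date'; Type = 'Calendar'
                            Recurring = $true } }
    @{ Age = 30;  Item = @{ Name = 'Regenerating task'; Type = 'Task'; Regenerating = $true
                            Created = [datetime]'2019-01-10' } }
    @{ Age = 30;  Item = @{ Name = 'Contact'; Type = 'Contact'
                            Created = [datetime]'2019-01-10' } }
)

$samples | ForEach-Object { Get-RetentionForecast -Item $_.Item -AgeLimitDays $_.Age } |
    Format-Table -AutoSize
```

Rows with an empty Expires column are items that never expire under the table's rules. The model leaves out Retention Hold, In-Place Hold and Litigation Hold.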
Create a Retention Policy
3/4/2019 • 6 minutes to read

In Exchange Online, you can use retention policies to manage email lifecycle. Retention policies are applied by
creating retention tags, adding them to a retention policy, and applying the policy to mailbox users.
For additional management tasks related to retention policies, see Messaging Records Management Procedures.

What do you need to know before you begin?


- Estimated time to complete this task: 30 minutes.
- Procedures in this topic require specific permissions. See each procedure for its permissions information.
- Mailboxes to which you apply retention policies must reside on Exchange Server 2010 or later servers.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.

Step 1: Create a retention tag


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and compliance
permissions topic.
Use the EAC to create a retention tag
1. Navigate to Compliance management > Retention tags, and then click Add.
2. Select one of the following options:
   - Applied automatically to entire mailbox (default): Select this option to create a default policy tag
     (DPT). You can use DPTs to create a default deletion policy and a default archive policy, which applies to all
     items in the mailbox.

     NOTE
     You can't use the EAC to create a DPT to delete voice mail items. For details about how to create a DPT to delete
     voice mail items, see the Exchange Online PowerShell example below.

   - Applied automatically to a specific folder: Select this option to create a retention policy tag (RPT) for a
     default folder such as Inbox or Deleted Items.

     NOTE
     You can only create RPTs with the Delete and allow recovery or Permanently delete actions.

   - Applied by users to items and folders (Personal): Select this option to create personal tags. These tags
     allow Outlook and Outlook Web App users to apply archive or deletion settings to a message or folders
     that are different from the settings applied to the parent folder or the entire mailbox.
3. The New retention tag page title and options will vary depending on the type of tag you selected. Complete
   the following fields:
   - Name: Enter a name for the retention tag. The tag name is for display purposes and doesn't have any
     impact on the folder or item a tag is applied to. Consider that the personal tags you provision for users are
     available in Outlook and Outlook Web App.
   - Apply this tag to the following default folder: This option is available only if you selected Applied
     automatically to a specific folder.
   - Retention action: Select one of the following actions to be taken after the item reaches its retention
     period:
     - Delete and Allow Recovery: Select this action to delete items but allow users to recover them using the
       Recover Deleted Items option in Outlook or Outlook Web App. Items are retained until the deleted item
       retention period configured for the mailbox database or the mailbox user is reached.
     - Permanently Delete: Select this option to permanently delete the item from the mailbox database.

       IMPORTANT
       Mailboxes or items subject to In-Place Hold or litigation hold will be retained and returned in In-Place eDiscovery
       searches. To learn more, see In-Place Hold and Litigation Hold.

     - Move to Archive: This action is available only if you're creating a DPT or a personal tag. Select this action
       to move items to the user's In-Place Archive.
   - Retention period: Select one of the following options:
     - Never: Select this option to specify that items should never be deleted or moved to the archive.
     - When the item reaches the following age (in days): Select this option and specify the number of days
       to retain items before they're moved or deleted. The retention age for all supported items except Calendar
       and Tasks is calculated from the date an item is received or created. Retention age for Calendar and Tasks
       items is calculated from the end date.
   - Comment: Use this optional field to enter any administrative notes or comments. The field isn't displayed
     to users.
Use Exchange Online PowerShell to create a retention tag
Use the New-RetentionPolicyTag cmdlet to create a retention tag. Different options available in the cmdlet
allow you to create different types of retention tags. Use the Type parameter to create a DPT ( All ), RPT (specify a
default folder type, such as Inbox ) or a personal tag ( Personal ).
This example creates a DPT to delete all messages in the mailbox after 7 years (2,556 days).

New-RetentionPolicyTag -Name "DPT-Corp-Delete" -Type All -AgeLimitForRetention 2556 -RetentionAction DeleteAndAllowRecovery

This example creates a DPT to move all messages to the In-Place Archive in 2 years (730 days).

New-RetentionPolicyTag -Name "DPT-Corp-Move" -Type All -AgeLimitForRetention 730 -RetentionAction MoveToArchive

This example creates a DPT to delete voice mail messages after 20 days.

New-RetentionPolicyTag -Name "DPT-Corp-Voicemail" -Type All -MessageClass Voicemail -AgeLimitForRetention 20 -RetentionAction DeleteAndAllowRecovery

This example creates an RPT to permanently delete messages in the Junk Email folder after 30 days.

New-RetentionPolicyTag -Name "RPT-Corp-JunkMail" -Type JunkEmail -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

This example creates a personal tag to never delete a message.

New-RetentionPolicyTag -Name "Never Delete" -Type Personal -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $false

Step 2: Create a retention policy


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Messaging records management" entry in the Messaging policy and compliance
permissions topic.
Use the EAC to create a retention policy
1. Navigate to Compliance management > Retention policies, and then click Add.
2. In New Retention Policy, complete the following fields:
   - Name: Enter a name for the retention policy.
   - Retention tags: Click Add to select the tags you want to add to this retention policy.

A retention policy can contain the following tags:
- One DPT with the Move to Archive action.
- One DPT with the Delete and Allow Recovery or Permanently Delete actions.
- One DPT for voice mail messages with the Delete and Allow Recovery or Permanently Delete
  actions.
- One RPT per default folder such as Inbox to delete items.
- Any number of personal tags.

NOTE
Although you can add any number of personal tags to a retention policy, having many personal tags with different
retention settings can confuse users. We recommend linking no more than ten personal tags to a retention policy.

You can create a retention policy without adding any retention tags to it, but items in the mailbox to which the
policy is applied won't be moved or deleted. You can also add and remove retention tags from a retention policy
after it's created.
Use Exchange Online PowerShell to create a retention policy
This example creates the retention policy RetentionPolicy-Corp and uses the RetentionPolicyTagLinks parameter
to associate five tags to the policy.

New-RetentionPolicy "RetentionPolicy-Corp" -RetentionPolicyTagLinks "DPT-Corp-Delete","DPT-Corp-Move","DPT-Corp-Voicemail","RPT-Corp-JunkMail","Never Delete"

For detailed syntax and parameter information, see New-RetentionPolicy.

Step 3: Apply a retention policy to mailbox users


After you create a retention policy, you must apply it to mailbox users. You can apply different retention policies to
different sets of users. For detailed instructions, see Apply a retention policy to mailboxes.

How do you know this worked?


After you create retention tags, add them to a retention policy, and apply the policy to a mailbox user, the next time
the MRM mailbox assistant processes the mailbox, messages are moved or deleted based on settings you
configured in the retention tags.
To verify that you have applied the retention policy, do the following:
1. Replace <Mailbox Identity> with the name, email address, or alias of the mailbox, and run the following
command in Exchange Online PowerShell to run the MRM assistant manually against a single
mailbox:

Start-ManagedFolderAssistant -Identity "<Mailbox Identity>"

2. Log on to the mailbox using Outlook or Outlook on the web (formerly known as Outlook Web App) and verify
that messages are deleted or moved to an archive in accordance with the policy configuration.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Add retention tags to or remove retention tags from a retention policy
3/4/2019 • 2 minutes to read

You can add retention tags to a retention policy when the policy is created or any time thereafter. For details about
how to create a retention policy, including how to simultaneously add retention tags, see Create a Retention Policy.
A retention policy can contain the following retention tags:
- One or more retention policy tags (RPTs) for supported default folders
- One default policy tag (DPT) with the Move to Archive action
- One DPT with the Delete and Allow Recovery or the Permanently Delete action
- One DPT for voice mail
- Any number of personal tags
For more information about retention tags, see Retention tags and retention policies.

What do you need to know before you begin?


- Estimated time to completion: 10 minutes.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "Messaging records management" entry in the Mailbox Permissions topic.
- Retention tags aren't applied to a mailbox until they're linked to a retention policy and the Managed Folder
  Assistant processes the mailbox. To start the Managed Folder Assistant so that it processes a mailbox, see
  Configure and run the Managed Folder Assistant in Exchange 2016.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.


Use the EAC to add or remove retention tags


1. Go to Compliance management > Retention policies.
2. In the list view, select the retention policy to which you want to add retention tags and then click Edit.
3. In Retention Policy, use the following settings:
   - Add: Click this button to add a retention tag to the policy.
   - Remove: Select a tag from the list, and then click this button to remove the tag from the policy.

Use Exchange Online PowerShell to add or remove retention tags


This example adds the retention tags VPs-Default, VPs-Inbox, and VPs-DeletedItems to the retention policy
RetPolicy-VPs, which doesn't already have retention tags linked to it.
Caution

If the policy has retention tags linked to it, this command replaces the existing tags.

Set-RetentionPolicy -Identity "RetPolicy-VPs" -RetentionPolicyTagLinks "VPs-Default","VPs-Inbox","VPs-DeletedItems"

This example adds the retention tag VPs-DeletedItems to the retention policy RetPolicy-VPs, which already has
other retention tags linked to it.

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Add((Get-RetentionPolicyTag 'VPs-DeletedItems').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

This example removes the retention tag VPs-Inbox from the retention policy RetPolicy-VPs.

$TagList = (Get-RetentionPolicy "RetPolicy-VPs").RetentionPolicyTagLinks
$TagList.Remove((Get-RetentionPolicyTag 'VPs-Inbox').DistinguishedName)
Set-RetentionPolicy "RetPolicy-VPs" -RetentionPolicyTagLinks $TagList

For detailed syntax and parameter information, see Set-RetentionPolicy and Get-RetentionPolicy.

How do you know this worked?


To verify that you have successfully added or removed a retention tag from a retention policy, use the
Get-RetentionPolicy cmdlet to verify the RetentionPolicyTagLinks property.
This example uses the Get-RetentionPolicy cmdlet to retrieve retention tags added to the Default MRM Policy and
pipes them to the Format-Table cmdlet to output only the name property of each tag.

(Get-RetentionPolicy "Default MRM Policy").RetentionPolicyTagLinks | Format-Table name


Apply a retention policy to mailboxes
3/4/2019 • 2 minutes to read

You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce
message retention settings. A mailbox can't have more than one retention policy.
Caution

Messages are expired based on settings defined in the retention tags linked to the policy. These settings include
actions such as moving messages to the archive or permanently deleting them. Before applying a retention policy to
one or more mailboxes, we recommend that you test the policy and inspect each retention tag associated with it.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.
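
One way to do the tag inspection that the caution above recommends, before a policy is assigned to any mailbox. This is an added example, not part of the original documentation; it assumes a connected Exchange Online PowerShell session, and the function name Get-RetentionPolicyReview, the 30-day review threshold and the wording of the notes are hypothetical choices. RetentionPolicy-Corp is the policy created earlier on this page.

```powershell
# Added example, not from the original documentation. Assumes a connected
# Exchange Online PowerShell session. The function name, the review threshold
# and the note texts are hypothetical.
function Get-RetentionPolicyReview {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [int] $ShortAgeDays = 30
    )

    $policy = Get-RetentionPolicy -Identity $PolicyName -ErrorAction Stop

    foreach ($link in $policy.RetentionPolicyTagLinks) {
        # Assumption: each link converts to a string that Get-RetentionPolicyTag
        # accepts as an identity (tag name or distinguished name).
        $tag = Get-RetentionPolicyTag -Identity "$link" -ErrorAction Stop

        # AgeLimitForRetention may arrive as a TimeSpan or as text such as
        # "30.00:00:00"; an empty or unlimited value fails to parse and is
        # reported as having no age limit.
        $age  = [timespan]::Zero
        $days = $null
        if ([timespan]::TryParse("$($tag.AgeLimitForRetention)", [ref]$age)) {
            $days = [int]$age.TotalDays
        }

        $action = "$($tag.RetentionAction)"
        $notes  = @()
        if (-not $tag.RetentionEnabled) {
            $notes += 'disabled: tag takes no action'
        }
        else {
            if ($action -eq 'PermanentlyDelete') {
                $notes += 'users cannot recover expired items'
            }
            if ("$($tag.Type)" -eq 'All' -and $action -ne 'MoveToArchive') {
                # A DPT also applies to the Calendar and Tasks default folders.
                $notes += 'DPT delete: whole mailbox, including Calendar and Tasks'
            }
            if ($null -ne $days -and $days -lt $ShortAgeDays) {
                $notes += "age limit under $ShortAgeDays days"
            }
        }

        [pscustomobject]@{
            Tag     = $tag.Name
            Type    = "$($tag.Type)"
            Action  = $action
            AgeDays = $days
            Enabled = [bool]$tag.RetentionEnabled
            Review  = $notes -join '; '
        }
    }
}

# Review every tag linked to the policy before assigning it with Set-Mailbox.
Get-RetentionPolicyReview -PolicyName 'RetentionPolicy-Corp' |
    Sort-Object Type, Tag |
    Format-Table -AutoSize -Wrap
```

The function only reads configuration, so it can be run against a production policy without changing it.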

What do you need to know before you begin?


- Estimated time to complete: 5 minutes.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "Applying retention policies" entry in the Messaging Policy and Compliance
  Permissions topic.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.


Use the EAC to apply a retention policy to a single mailbox


1. Navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox to which you want to apply the retention policy, and then click Edit.
3. In User Mailbox, click Mailbox features.
4. In the Retention policy list, select the policy you want to apply to the mailbox, and then click Save.

Use the EAC to apply a retention policy to multiple mailboxes


1. Navigate to Recipients > Mailboxes.
2. In the list view, use the Shift or Ctrl keys to select multiple mailboxes.
3. In the details pane, click More options.
4. Under Retention Policy, click Update.
5. In Bulk Assign Retention Policy, select the retention policy you want to apply to the mailboxes, and then
click Save.

Use Exchange Online PowerShell to apply a retention policy to a single mailbox

This example applies the retention policy RP-Finance to Morris's mailbox.

Set-Mailbox "Morris" -RetentionPolicy "RP-Finance"

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to apply a retention policy to multiple mailboxes

This example applies the new retention policy New-Retention-Policy to all mailboxes that have the old policy
Old-Retention-Policy.

# Parentheses run the cmdlet so that its DistinguishedName property can be read.
$OldPolicy=(Get-RetentionPolicy "Old-Retention-Policy").distinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -Resultsize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"

This example applies the retention policy RetentionPolicy-Corp to all mailboxes in the Exchange organization.

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Corp"

This example applies the retention policy RetentionPolicy-Finance to all mailboxes in the Finance organizational
unit.

Get-Mailbox -OrganizationalUnit "Finance" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicy-Finance"

For detailed syntax and parameter information, see Get-Mailbox and Set-Mailbox.

How do you know this worked?


To verify that you have applied the retention policy, run the Get-Mailbox cmdlet to retrieve the retention policy for
the mailbox or mailboxes.
This example retrieves the retention policy for Morris's mailbox.

Get-Mailbox Morris | Select RetentionPolicy

This command retrieves all mailboxes that have the retention policy RP-Finance applied.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionPolicy -eq "RP-Finance"} | Format-Table Name,RetentionPolicy -Auto

Place a mailbox on retention hold
3/4/2019 • 2 minutes to read

Placing a mailbox on retention hold suspends the processing of a retention policy or managed folder mailbox
policy for that mailbox. Retention hold is designed for situations such as a user being on vacation or away
temporarily.
During retention hold, users can log on to their mailbox and change or delete items. When you perform a mailbox
search, deleted items that are past the deleted item retention period aren't returned in search results. To make sure
items changed or deleted by users are preserved in legal hold scenarios, you must place a mailbox on legal hold.
For more information, see Create or remove an In-Place Hold.
You can also include retention comments for mailboxes you place on retention hold. The comments are displayed
in supported versions of Microsoft Outlook.
For additional management tasks related to messaging records management (MRM), see Messaging Records
Management Procedures.

What do you need to know before you begin?


- Estimated time to complete: 1 minute.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what
  permissions you need, see the "Messaging records management" entry in the Messaging Policy and
  Compliance Permissions topic.
- You can't use the Exchange admin center (EAC) to place a mailbox on retention hold. You must use Exchange
  Online PowerShell.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
  shortcuts for the Exchange admin center.


Use Exchange Online PowerShell to place a mailbox on retention hold


This example places Michael Allen's mailbox on retention hold.

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $true

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to remove retention hold for a mailbox

This example removes the retention hold from Michael Allen's mailbox.

Set-Mailbox "Michael Allen" -RetentionHoldEnabled $false

For detailed syntax and parameter information, see Set-Mailbox.

How do you know this worked?


To verify that you have successfully placed a mailbox on retention hold, use the Get-Mailbox cmdlet to retrieve the
RetentionHoldEnabled property of the mailbox.
This command retrieves the RetentionHoldEnabled property for Michael Allen's mailbox.

Get-Mailbox "Michael Allen" | Select RetentionHoldEnabled

This command retrieves all mailboxes in the Exchange organization, filters the mailboxes that are placed on
retention hold, and lists them along with the retention policy applied to each.

IMPORTANT
Because RetentionHoldEnabled isn't a filterable property in Exchange Server, you can't use the Filter parameter with the
Get-Mailbox cmdlet to filter mailboxes that are placed on retention hold on the server-side. This command retrieves a list of all
mailboxes and filters on the client running Exchange Online PowerShell session. In large environments with thousands of
mailboxes, this command may take a long time to complete.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto

Journaling in Exchange Online
3/4/2019 • 8 minutes to read

Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements
by recording inbound and outbound email communications. When planning for messaging retention and
compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how
Exchange Online helps you secure journaled messages.

Why journaling is important


First, it's important to understand the difference between journaling and a data archiving strategy:
- Journaling is the ability to record all communications, including email communications, in an organization
  for use in the organization's email retention or archival strategy. To meet an increasing number of
  regulatory and compliance requirements, many organizations must maintain records of communications
  that occur when employees perform daily business tasks.
- Data archiving refers to backing up the data, removing it from its native environment, and storing it
  elsewhere, therefore reducing the strain of data storage. You can use Exchange journaling as a tool in your
  email retention or archival strategy.
Although journaling may not be required by a specific regulation, compliance may be achieved through journaling
under certain regulations. For example, corporate officers in some financial sectors may be held liable for the
claims made by their employees to their customers. To verify that the claims are accurate, a corporate officer may
set up a system where managers review some part of employee-to-client communications regularly. Every quarter,
the managers verify compliance and approve their employees' conduct. After all managers report approval to the
corporate officer, the corporate officer reports compliance, on behalf of the company, to the regulating body. In this
example, email messages might be one type of the employee-to-client communications that managers must
review; therefore, journaling can be used to collect all email messages sent by client-facing employees. Other client
communication mechanisms may include faxes and telephone conversations, which may also be subject to
regulation. The ability to journal all classes of data in an enterprise is a valuable functionality of the IT architecture.
The following list shows some of the more well-known U.S. and international regulations where journaling may
help form part of your compliance strategies:
- Sarbanes-Oxley Act of 2002 (SOX)
- Security Exchange Commission Rule 17a-4 (SEC Rule 17 A-4)
- National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)
- Gramm-Leach-Bliley Act (Financial Modernization Act)
- Financial Institution Privacy Protection Act of 2001
- Financial Institution Privacy Protection Act of 2003
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
  Terrorism Act of 2001 (Patriot Act)
- European Union Data Protection Directive (EUDPD)
- Japan's Personal Information Protection Act
Journal rules
The following are key aspects of journal rules:
- Journal rule scope: Defines which messages are journaled by the Journaling agent.
- Journal recipient: Specifies the SMTP address of the recipient you want to journal.
- Journaling mailbox: Specifies one or more mailboxes used for collecting journal reports.
In Exchange Online, the maximum number of journal rules you can create is 10.
Journal rule scope
You can use a journal rule to journal only internal messages, only external messages, or both. The following list
describes these scopes:
- Internal messages only: Journal rules with the scope set to journal internal messages sent between the
  recipients inside your Exchange organization.
- External messages only: Journal rules with the scope set to journal external messages sent to recipients
  or received from senders outside your Exchange organization.
- All messages: Journal rules with the scope set to journal all messages that pass through your organization
  regardless of origin or destination. These include messages that may have already been processed by
  journal rules in the Internal and External scopes.
Journal recipient
You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal.
The recipient can be a mailbox, distribution group, mail user, or contact. These recipients may be subject to
regulatory requirements, or they may be involved in legal proceedings where email messages or other
communications are collected as evidence. By targeting specific recipients or groups of recipients, you can easily
configure a journaling environment that matches your organization's processes and meets regulatory and legal
requirements. Targeting only the specific recipients that need to be journaled also minimizes storage and other
costs associated with retention of large amounts of data.
All messages sent to or from the journaling recipients you specify in a journaling rule are journaled. If you specify
a distribution group as the journaling recipient, all messages sent to or from members of the distribution group
are journaled. If you don't specify a journaling recipient, all messages sent to or from recipients that match the
journal rule scope are journaled.
Journaling mailbox
The journaling mailbox is used to collect journal reports. How you configure the journaling mailbox depends on
your organization's policies, regulatory requirements, and legal requirements. You can specify one journaling
mailbox to collect messages for all the journal rules configured in the organization, or you can use different
journaling mailboxes for different journal rules or sets of journal rules.
You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-
premises archiving system or a third-party archiving service. If you're running an Exchange hybrid deployment
with your mailboxes split between on-premises servers and Exchange Online, you can designate an on-premises
mailbox as the journaling mailbox for your Exchange Online and on-premises mailboxes.
Journaling mailboxes contain very sensitive information. You must secure journaling mailboxes because they
collect messages that are sent to and from recipients in your organization. These messages may be part of legal
proceedings or may be subject to regulatory requirements. Various laws require that messages remain tamper-
free before they're submitted to an investigatory authority. We recommend that you create policies that govern
who can access the journaling mailboxes in your organization, limiting access to only those individuals who have a
direct need to access them. Speak with your legal representatives to make sure that your journaling solution
complies with all the laws and regulations that apply to your organization.

IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers. If this happens, Microsoft
datacenter personnel will attempt to contact your organization and ask you to fix the problem so that the journal reports
can be successfully delivered to a journaling mailbox. If you haven't resolved the issue after two days of being contacted,
Microsoft will disable the problematic journaling rule.

Alternate journaling mailbox


When the journaling mailbox is unavailable, you may not want the undeliverable journal reports to collect in mail
queues on Mailbox servers. Instead, you can configure an alternate journaling mailbox to store those journal
reports. The alternate journaling mailbox receives the journal reports as attachments in the non-delivery reports
(also known as NDRs or bounce messages) generated when the journaling mailbox or the server on which it's
located refuses delivery of the journal report or becomes unavailable.
When the journaling mailbox becomes available again, you can use the Send Again feature of Office Outlook to
submit journal reports for delivery to the journaling mailbox.
When you configure an alternate journaling mailbox, all the journal reports that are rejected or can't be delivered
across your entire Exchange organization are delivered to the alternate journaling mailbox. Therefore, it's
important to make sure that the alternate journaling mailbox and the Mailbox server where it's located can
support many journal reports.
CAUTION

If you configure an alternate journaling mailbox, you must monitor the mailbox to make sure that it doesn't
become unavailable at the same time as the journal mailboxes. If the alternate journaling mailbox also becomes
unavailable or rejects journal reports at the same time, the rejected journal reports are lost and can't be retrieved.
Because the alternate journaling mailbox collects all the rejected journal reports for the entire Exchange Online
organization, you must make sure that this doesn't violate any laws or regulations that apply to your organization.
If laws or regulations prohibit your organization from allowing journal reports sent to different journaling
mailboxes from being stored in the same alternate journaling mailbox, you may be unable to configure an
alternate journaling mailbox. Discuss this with your legal representatives to determine whether you can use an
alternate journaling mailbox.
When you configure an alternate journaling mailbox, you should use the same criteria that you used when you
configured the journaling mailbox.

IMPORTANT
The alternate journaling mailbox should be treated as a special dedicated mailbox. Any messages addressed directly to the
alternate journaling mailbox aren't journaled.

Journal reports
A journal report is the message that the Journaling agent generates when a message matches a journal rule and is
to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered
as an attachment to the journal report. The body of a journal report contains information from the original
message such as the sender email address, message subject, message-ID, and recipient email addresses. This is
also referred to as envelope journaling, and is the only journaling method supported by Office 365.
Journal reports and IRM-protected messages
When implementing journaling, you must consider journaling reports and IRM-protected messages. IRM-protected
messages will affect the search and discovery capabilities of third-party archiving systems that don't
have RMS support built-in. In Office 365, you can configure Journal Report Decryption to save a clear-text copy of
the message in a journal report.

Troubleshooting
When a message matches the scope of multiple journal rules, all matching rules will be triggered.
If the matching rules are configured with different journal mailboxes, a journal report will be sent to each
journal mailbox.
If the matching rules are all configured with the same journal mailbox, only one journal report is sent to the
journal mailbox.
Journaling always identifies messages as internal if the email address in the SMTP MAIL FROM command is in a
domain that's configured as an accepted domain in Exchange Online. This includes spoofed messages from
external sources (messages where the X-MS -Exchange-Organization-AuthAs header value is also
Anonymous). Therefore, journal rules that are scoped to external messages won't be triggered by spoofed
messages with SMTP MAIL FROM email addresses in accepted domains.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange
Online don't work as expected.
Manage journaling
3/4/2019

Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by
recording inbound and outbound email communications. For more information about journaling, see Journaling in
Exchange Online.
This topic shows you how to perform basic tasks related to managing journaling in Exchange Server and Exchange
Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Journaling" entry in the Messaging policy and compliance permissions topic.
You need to have a journaling mailbox and (optionally) an alternate journaling mailbox configured. For more
information, see Configure Journaling in Exchange Online.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If
you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange Online don't
work as expected.

Create a journal rule


Use the EAC to create a journal rule
1. In the EAC, go to Compliance management > Journal rules, and then click Add.
2. In Journal rule, provide a name for the journal rule and then complete the following fields:
If the message is sent to or received from: Specify the recipient that the rule will target. You can
either select a specific recipient or apply the rule to all messages.
Journal the following messages: Specify the scope of the journal rule. You can journal only the
internal messages, only the external messages, or all messages regardless of origin or destination.
Send journal reports to: Type the address of the journaling mailbox that will receive all the journal
reports.

NOTE
You can also type the display name or alias of a mail user or a mail contact as the journal mailbox. In this case, journal
reports will be sent to the external email address of the mail user or mail contact. But as previously explained, the
external email address of a mail user or mail contact can't be the address of an Exchange Online mailbox.

3. Click Save to create the journal rule.


Use Exchange Online PowerShell to create a journal rule
This example creates the journal rule Discovery Journal Recipients to journal all messages sent from and received
by the recipient user1@contoso.com.

New-JournalRule -Name "Discovery Journal Recipients" -Recipient user1@contoso.com -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True

How do you know this worked?


To verify that you have successfully created the journal rule, do one of the following:
From the EAC, verify that the new journal rule you created is listed on the Journal rules tab.
From Exchange Online PowerShell, verify that the new journal rule exists by running the following
command (the example below verifies the rule created in the Exchange Online PowerShell example above):

Get-JournalRule -Identity "Discovery Journal Recipients"

View or modify a journal rule


Use the EAC to view or modify a journal rule
1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, you'll see all the journal rules in your organization.
3. Double-click the rule you want to view or modify.
4. In Journal Rule, modify the settings you want. For more information about the settings in this dialog box,
see the procedure Use the EAC to create a journal rule earlier in this topic.
Use Exchange Online PowerShell to view or modify a journal rule
This example displays a summary list of all journal rules in the Exchange organization:

Get-JournalRule

This example retrieves the journal rule Brokerage Journal Rule, and pipes the output to the Format-List command
to display rule properties in a list format:

Get-JournalRule -Identity "Brokerage Journal Rule" | Format-List

If you want to modify the properties of a specific rule, you need to use the Set-JournalRule cmdlet. This example
changes the name of the journal rule JR-Sales to TraderVault. The following rule settings are also changed:
Recipient
JournalEmailAddress
Scope

Set-JournalRule -Identity "JR-Sales" -Name TraderVault -Recipient traders@woodgrovebank.com -JournalEmailAddress tradervault@woodgrovebank.com -Scope Internal

How do you know this worked?


To verify that you have successfully modified a journal rule, do one of the following:
From the EAC, go to Compliance management > Journal rules. Double-click the rule you modified and
verify your changes were saved.
From Exchange Online PowerShell, verify that you modified the journal rule successfully by running the
following command. This command will list the properties you modified along with the name of the rule
(the example below verifies the rule modified in the Exchange Online PowerShell example above):

Get-JournalRule -Identity "TraderVault" | Format-List Name,Recipient,JournalEmailAddress,Scope

Enable or disable a journal rule


IMPORTANT
When you disable a journal rule, the journaling agent will stop journaling messages targeted by that rule. While a journal rule
is disabled, any messages that would have normally been journaled by the rule aren't journaled. Make sure that you don't
compromise the regulatory or compliance requirements of your organization by disabling a journaling rule.

Use the EAC to enable or disable a journal rule


1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, in the On column next to the rule's name, select the check box to enable the rule or clear it to
disable the rule.
Use Exchange Online PowerShell to enable or disable a journal rule
This example enables the rule Contoso Journal Rule.

Enable-JournalRule -Identity "Contoso Journal Rule"

This example disables the rule Contoso Journal Rule.

Disable-JournalRule -Identity "Contoso Journal Rule"

How do you know this worked?


To verify that you have successfully enabled or disabled a journal rule, do one of the following:
From the EAC, view the list of journal rules and check the status of the check box in the On column.
From Exchange Online PowerShell, run the following command to return a list of all journal rules in your
organization, including their status:

Get-JournalRule | Format-Table Name,Enabled

Remove a journal rule


Use the EAC to remove a journal rule
1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, select the rule you want to remove, and then click Delete.
Use Exchange Online PowerShell to remove a journal rule
This example removes the rule Brokerage Journal Rule.
Remove-JournalRule -Identity "Brokerage Journal Rule"

How do you know this worked?


To verify that you have successfully removed the journal rule, do one of the following:
From the EAC, verify that the rule you removed is no longer listed on the Journal rules tab.
From Exchange Online PowerShell, run the following command to verify that the rule you removed is no
longer listed:

Get-JournalRule
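The journaling topics above name several conditions worth checking on a schedule: the limit of 10 rules, disabled rules, External-scoped rules that spoofed accepted-domain senders never trigger, shared journaling mailboxes, and the alternate journaling mailbox. The following is an added example, not Microsoft's code, that applies those checks to objects shaped like Get-JournalRule output. The sample rules and archive.example addresses are constructed, and the live-use comment assumes the alternate journaling mailbox is read from the JournalingReportNdrTo property of Get-TransportConfig.

```powershell
# Added example: audits journal rule objects shaped like Get-JournalRule output
# (Name, Recipient, JournalEmailAddress, Scope, Enabled). Runs offline on constructed data.

function New-Finding {
    param([string]$Rule, [string]$Severity, [string]$Detail)
    [pscustomobject]@{ Rule = $Rule; Severity = $Severity; Detail = $Detail }
}

function Test-JournalRuleSet {
    param(
        [object[]]$Rules,
        [string]$AlternateMailbox   # empty when no alternate journaling mailbox is configured
    )

    $enabled = @($Rules | Where-Object { $_.Enabled })
    $alt = "$AlternateMailbox".Trim()
    if ($alt -eq '<>') { $alt = '' }   # assumption: an unset address may be displayed as <>

    if (@($Rules).Count -ge 10) {
        New-Finding '(all rules)' 'Info' 'The Exchange Online maximum of 10 journal rules is reached.'
    }
    if (-not $alt) {
        New-Finding '(all rules)' 'Medium' ('No alternate journaling mailbox: undeliverable journal ' +
            'reports stay queued, and the rule can be disabled if the destination is not fixed.')
    }

    foreach ($r in $Rules) {
        $scope  = "$($r.Scope)"
        $target = "$($r.Recipient)"
        $dest   = "$($r.JournalEmailAddress)"

        if (-not $r.Enabled) {
            New-Finding $r.Name 'High' 'Rule is disabled: messages it targets are not journaled.'
            continue
        }
        if ($alt -and $dest -eq $alt) {
            New-Finding $r.Name 'High' ('Journaling mailbox and alternate journaling mailbox are the ' +
                'same address: if it is unavailable, rejected journal reports are lost.')
        }
        if ($scope -eq 'External') {
            # Spoofed mail whose SMTP MAIL FROM uses an accepted domain is treated as internal,
            # so it is journaled only if an enabled Global or Internal rule covers the same target.
            # Distribution group membership is not resolved here; recipients are compared as text.
            $covering = @($enabled | Where-Object {
                "$($_.Scope)" -in 'Global', 'Internal' -and
                ("$($_.Recipient)" -eq '' -or "$($_.Recipient)" -eq $target)
            })
            if ($covering.Count -eq 0) {
                New-Finding $r.Name 'Medium' ('External scope only: spoofed messages with an ' +
                    'accepted-domain MAIL FROM address do not trigger this rule.')
            }
        }
    }

    # Several rules with one destination yield a single journal report per matching message.
    $enabled | Group-Object { "$($_.JournalEmailAddress)".ToLower() } |
        Where-Object Count -gt 1 | ForEach-Object {
            New-Finding ($_.Group.Name -join ', ') 'Info' (
                "$($_.Count) enabled rules deliver to $($_.Name); a message matching several " +
                'of them produces one journal report there.')
        }
}

# Constructed sample rules (rule names reuse the examples in this topic; addresses are made up).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Discovery Journal Recipients'; Recipient = 'user1@contoso.com'
                       JournalEmailAddress = 'journal@archive.example'; Scope = 'Global'; Enabled = $true }
    [pscustomobject]@{ Name = 'TraderVault'; Recipient = 'traders@woodgrovebank.com'
                       JournalEmailAddress = 'journal@archive.example'; Scope = 'External'; Enabled = $true }
    [pscustomobject]@{ Name = 'Brokerage Journal Rule'; Recipient = ''
                       JournalEmailAddress = 'ndr@archive.example'; Scope = 'Internal'; Enabled = $true }
    [pscustomobject]@{ Name = 'Contoso Journal Rule'; Recipient = 'legal@contoso.com'
                       JournalEmailAddress = 'legal-journal@archive.example'; Scope = 'Global'; Enabled = $false }
)

Test-JournalRuleSet -Rules $sampleRules -AlternateMailbox 'ndr@archive.example' |
    Format-Table -AutoSize -Wrap

# Live use, assuming a connected Exchange Online PowerShell session:
#   Test-JournalRuleSet -Rules (Get-JournalRule) `
#       -AlternateMailbox (Get-TransportConfig).JournalingReportNdrTo
```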

For more information


Disable or Enable Journaling of Voice Mail and Missed Call Notifications
New-JournalRule
Get-JournalRule
Set-JournalRule
Enable-JournalRule
Disable-JournalRule
Remove-JournalRule
Configure Journaling in Exchange Online
3/4/2019

Journaling allows you to meet your organization's archiving requirements. You can create journal rules and have
messages matching the rule's conditions delivered to the journaling address specified in the rule. For more
information about journaling, see Journaling in Exchange Online.
Here are two things you need to know before you start creating journal rules.

Specify a journaling mailbox


A journaling mailbox is the mailbox or recipient that receives journal reports for messages that match a journal
rule's conditions. You can specify different journaling mailboxes for different journal rules. For example, you can
create a journal rule to journal messages sent or received by users in Europe and another one to journal messages
sent or received by users in North America, and configure each rule to deliver journal reports to an address in
their own geography. Or configure different journal rules for users in the Finance and Legal departments and
similarly, have the journal reports delivered to different addresses.
Exchange Online doesn't support delivering journal reports to an Exchange Online mailbox. You must specify the
email address of an on-premises archiving system or a third-party archiving service as the journaling mailbox.

IMPORTANT
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid
destination, the journal report remains in the transport queue on Microsoft datacenter servers; delivery of queued items is
periodically retried. If this happens, Microsoft datacenter personnel will attempt to contact your organization and ask you to
fix the problem so that the journal reports can be successfully delivered to a journaling mailbox. If you haven't resolved the
issue after two days of being contacted, Microsoft will disable the problematic journaling rule.

Specify an alternate journaling mailbox for undeliverable journal reports
As previously explained, undeliverable journal reports are queued on Microsoft datacenter servers. Undeliverable
journal reports can't be returned to the sender in a non-delivery report (also known as an NDR or bounce
message) because the sender is the Exchange Online service. To handle the NDRs for undelivered journal reports,
you have to specify an alternate journaling mailbox that accepts the NDRs for all undeliverable journal reports.
Like the journaling mailbox, the alternate journaling mailbox can't be an Exchange Online mailbox.

The original journal report is an attachment in the NDR. When the journaling mailbox for an undelivered journal
report becomes available again, you can use the Resend this message feature in Outlook on the NDRs in the
alternate journaling mailbox to send the unaltered delivery report to the journaling mailbox.
Mail flow rules (transport rules) in Exchange Online
3/29/2019

You can use mail flow rules (also known as transport rules) to identify and take action on messages that flow
through your Exchange Online organization. Mail flow rules are similar to the Inbox rules that are available in
Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they're
in transit, and not after the message is delivered to the mailbox. Mail flow rules contain a richer set of
conditions, exceptions, and actions, which provides you with the flexibility to implement many types of
messaging policies.
This article explains the components of mail flow rules, and how they work.
For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For each rule, you have the
option of enforcing it, testing it, or testing it and notifying the sender. To learn more about the testing options,
see Test a mail flow rule and Policy Tips.
For summary and detail reports about messages that matched mail flow rules, see Use mail protection reports
in Office 365 to view data about malware, spam, and rule detections.
To implement specific messaging policies by using mail flow rules, see these topics:
Use mail flow rules to inspect message attachments in Office 365
Enable message encryption and decryption in Office 365
Common attachment blocking scenarios for mail flow rules
Organization-wide message disclaimers, signatures, footers, or headers in Office 365
Use mail flow rules so messages can bypass Clutter
Use mail flow rules to route email based on a list of words, phrases, or patterns
Use mail flow rules to set the spam confidence level (SCL) in messages
Create organization-wide safe sender or blocked sender lists in Office 365
Common message approval scenarios
Define rules to encrypt or decrypt email messages

Mail flow rule components


A mail flow rule is made of conditions, exceptions, actions, and properties:
Conditions: Identify the messages that you want to apply the actions to. Some conditions examine
message header fields (for example, the To, From, or Cc fields). Other conditions examine message
properties (for example, the message subject, body, attachments, message size, or message classification).
Most conditions require you to specify a comparison operator (for example, equals, doesn't equal, or
contains) and a value to match. If there are no conditions or exceptions, the rule is applied to all messages.
For more information about mail flow rule conditions in Exchange Online, see Mail flow rule conditions and
exceptions (predicates) in Exchange Online.
Exceptions: Optionally identify the messages that the actions shouldn't apply to. The same message
identifiers that are available in conditions are also available in exceptions. Exceptions override
conditions and prevent the rule actions from being applied to a message, even if the message matches
all of the configured conditions.
Actions: Specify what to do to messages that match the conditions in the rule, and don't match any of
the exceptions. There are many actions available, such as rejecting, deleting, or redirecting messages,
adding additional recipients, adding prefixes in the message subject, or inserting disclaimers in the
message body.
For more information about mail flow rule actions that are available in Exchange Online, see Mail flow
rule actions in Exchange Online.
Properties: Specify other rules settings that aren't conditions, exceptions or actions. For example, when
the rule should be applied, whether to enforce or test the rule, and the time period when the rule is
active.
For more information, see the Mail flow rule properties section in this topic.
Multiple conditions, exceptions, and actions
The following table shows how multiple conditions, condition values, exceptions, and actions are handled in a
rule.

| COMPONENT | LOGIC | COMMENTS |
|---|---|---|
| Multiple conditions | AND | A message must match all the conditions in the rule. If you need to match one condition or another, use separate rules for each condition. For example, if you want to add the same disclaimer to messages with attachments and messages that contain specific text, create one rule for each condition. In the EAC, you can easily copy a rule. |
| One condition with multiple values | OR | Some conditions allow you to specify more than one value. The message must match any one (not all) of the specified values. For example, if an email message has the subject Stock price information, and the The subject includes any of these words condition is configured to match the words Contoso or stock, the condition is satisfied because the subject contains at least one of the specified values. |
| Multiple exceptions | OR | If a message matches any one of the exceptions, the actions are not applied to the message. The message doesn't have to match all the exceptions. |
| Multiple actions | AND | Messages that match a rule's conditions get all the actions that are specified in the rule. For example, if the actions Prepend the subject of the message with and Add recipients to the Bcc box are selected, both actions are applied to the message. Keep in mind that some actions (for example, the Delete the message without notifying anyone action) prevent subsequent rules from being applied to a message. Other actions (for example, the Forward the message) don't allow additional actions. You can also set an action on a rule so that when that rule is applied, subsequent rules are not applied to the message. |

Mail flow rule properties


The following table describes the rule properties that are available in mail flow rules.

| PROPERTY NAME IN THE EAC | PARAMETER NAME IN POWERSHELL | DESCRIPTION |
|---|---|---|
| Priority | Priority | Indicates the order that the rules are applied to messages. The default priority is based on when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are processed before lower priority rules). You change the rule priority in the EAC by moving the rule up or down in the list of rules. In the PowerShell, you set the priority number (0 is the highest priority). For example, if you have one rule to reject messages that include a credit card number, and another one requiring approval, you'll want the reject rule to happen first, and stop applying other rules. For more information, see Set the priority of a mail flow rule. |
| Mode | Mode | You can specify whether you want the rule to start processing messages immediately, or whether you want to test rules without affecting the delivery of the message (with or without Data Loss Prevention or DLP Policy Tips). Policy Tips present a brief note in Outlook or Outlook on the web that provides information about possible policy violations to the person that's creating the message. For more information, see Policy Tips. For more information about the modes, see Test a mail flow rule. |
| Activate this rule on the following date; Deactivate this rule on the following date | ActivationDate; ExpiryDate | Specifies the date range when the rule is active. |
| On check box selected or not selected | New rules: Enabled parameter on the New-TransportRule cmdlet. Existing rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets. The value is displayed in the State property of the rule. | You can create a disabled rule, and enable it when you're ready to test it. Or, you can disable a rule without deleting it to preserve the settings. |
| Defer the message if rule processing doesn't complete | RuleErrorAction | You can specify how the message should be handled if the rule processing can't be completed. By default, the rule will be ignored, but you can choose to resubmit the message for processing. |
| Match sender address in message | SenderAddressLocation | If the rule uses conditions or exceptions that examine the sender's email address, you can look for the value in the message header, the message envelope, or both. |
| Stop processing more rules | SenderAddressLocation | This is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message. |
| Comments | Comments | You can enter descriptive comments about the rule. |

How mail flow rules are applied to messages


All messages that flow through your organization are evaluated against the enabled mail flow rules in your
organization. Rules are processed in the order listed on the Mail flow > Rules page in EAC, or based on the
corresponding Priority parameter value in PowerShell.
Each rule also offers the option of stopping processing more rules when the rule is matched. This setting is
important for messages that match the conditions in multiple mail flow rules (which rule do you want applied
to the message? All? Just one?).
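The logic described in this article (conditions combined with AND, values within one condition with OR, any single exception blocking the rule, all actions applied, priority order, and the option to stop processing more rules) can be traced with a small model. This is an added example and a simplified model, not Exchange's implementation; the rule objects, field names, action labels and sample messages are all constructed for illustration.

```powershell
# Simplified model of mail flow rule evaluation as this article describes it.
# Not Exchange's implementation: rule objects, field names and messages are constructed.

function Test-Predicate {
    param([hashtable]$Message, [hashtable]$Predicate)
    # One predicate with several values: a match on ANY value satisfies it (OR).
    $text = [string]$Message[$Predicate.Field]
    foreach ($value in $Predicate.AnyOf) {
        if ($text.IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Invoke-MailFlowRuleModel {
    param([hashtable]$Message, [object[]]$Rules)

    # Only enabled rules are evaluated, lowest Priority number first (0 is the highest priority).
    foreach ($rule in ($Rules | Where-Object { $_.Enabled } | Sort-Object Priority)) {

        # Multiple conditions: ALL must match (AND). No conditions means every message matches.
        $allConditionsMet = $true
        foreach ($c in $rule.Conditions) {
            if (-not (Test-Predicate $Message $c)) { $allConditionsMet = $false; break }
        }
        if (-not $allConditionsMet) { continue }

        # Multiple exceptions: ANY match (OR) prevents the actions, even if all conditions matched.
        $excepted = $false
        foreach ($e in $rule.Exceptions) {
            if (Test-Predicate $Message $e) { $excepted = $true; break }
        }
        if ($excepted) { continue }

        # Multiple actions: every action on the rule is applied (AND).
        [pscustomobject]@{ Rule = $rule.Name; Priority = $rule.Priority; Actions = $rule.Actions }

        # "Stop processing more rules": lower-priority rules never see this message.
        if ($rule.StopProcessing) { break }
    }
}

# Constructed rules, following the article's credit card and disclaimer examples.
$rules = @(
    [pscustomobject]@{ Name = 'Require approval'; Priority = 1; Enabled = $true; StopProcessing = $false
        Conditions = @(@{ Field = 'Body'; AnyOf = @('card number') })
        Exceptions = @()
        Actions    = @('Forward the message for approval') }
    [pscustomobject]@{ Name = 'Reject card data'; Priority = 0; Enabled = $true; StopProcessing = $true
        Conditions = @(@{ Field = 'Body'; AnyOf = @('card number') })
        Exceptions = @()
        Actions    = @('Reject the message') }
    [pscustomobject]@{ Name = 'Stock disclaimer'; Priority = 2; Enabled = $true; StopProcessing = $false
        Conditions = @(@{ Field = 'Subject'; AnyOf = @('Contoso', 'stock') },
                       @{ Field = 'From';    AnyOf = @('@contoso.com') })
        Exceptions = @(@{ Field = 'From';    AnyOf = @('legal@contoso.com') },
                       @{ Field = 'Subject'; AnyOf = @('[no-disclaimer]') })
        Actions    = @('Prepend the subject of the message with', 'Add recipients to the Bcc box') }
    [pscustomobject]@{ Name = 'Old test rule'; Priority = 3; Enabled = $false; StopProcessing = $false
        Conditions = @()
        Exceptions = @()
        Actions    = @('Delete the message without notifying anyone') }
)

# Constructed messages.
$messages = @(
    @{ Id = 'A'; From = 'alice@contoso.com'; Subject = 'Stock price information'; Body = 'Q3 figures' }
    @{ Id = 'B'; From = 'legal@contoso.com'; Subject = 'Stock price information'; Body = 'Q3 figures' }
    @{ Id = 'C'; From = 'alice@contoso.com'; Subject = 'Contoso stock order'; Body = 'My card number is on file' }
)

$report = foreach ($m in $messages) {
    $hits = @(Invoke-MailFlowRuleModel -Message $m -Rules $rules)
    [pscustomobject]@{
        Message = $m.Id
        Applied = ($hits | ForEach-Object {
            "[$($_.Priority)] $($_.Rule): $($_.Actions -join ' + ')" }) -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Message C shows why the reject rule needs both the higher priority and the stop-processing setting: swap the two Priority values and the approval rule acts on the message before the reject rule does.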
Differences in processing based on message type
There are several types of messages that pass through an organization. The following table shows which
messages types can be processed by mail flow rules.

| TYPE OF MESSAGE | CAN A RULE BE APPLIED? |
|---|---|
| Regular messages: Messages that contain a single rich text format (RTF), HTML, or plain text message body or a multipart or alternative set of message bodies. | Yes |
| Office 365 Message Encryption: Messages encrypted by Office 365 Message Encryption in Office 365. For more information, see Office 365 Message Encryption. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an encrypted message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. You can also create a rule that automatically decrypts encrypted messages. For more information, see Define rules to encrypt or decrypt email messages. |
| S/MIME encrypted messages | Rules can only access envelope headers and process messages based on conditions that inspect those headers. Rules with conditions that require inspection of the message's content, or actions that modify the message's content can't be processed. |
| RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure Rights Management (RMS) policy applied. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an RMS protected message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. |
| Clear-signed messages: Messages that have been signed but not encrypted. | Yes |
| UM messages: Messages that are created or processed by the Unified Messaging service, such as voice mail, fax, missed call notifications, and messages created or forwarded by using Microsoft Outlook Voice Access. | Yes |
| Anonymous messages: Messages sent by anonymous senders. | Yes |
| Read reports: Reports that are generated in response to read receipt requests by senders. Read reports have a message class of IPM.Note*.MdnRead or IPM.Note*.MdnNotRead. | Yes |

What else should I know?


The Version or RuleVersion property value for a rule isn't important in Exchange Online.
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to
be applied to messages.

For more information


Manage mail flow rules
Use mail flow rules to inspect message attachments in Office 365
Organization-wide Disclaimers, Signatures, Footers, or Headers
Manage message approval
Mail flow rule procedures in Exchange Online
Transport and Inbox rule limits
Mail flow rule conditions and exceptions (predicates) in Exchange Online
3/4/2019

Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the rule is applied to or not
applied to. For example, if the rule adds a disclaimer to messages, you can configure the rule to only apply to messages that contain
specific words, messages sent by specific users, or to all messages except those sent by the members of a specific distribution group.
Collectively, the conditions and exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions specify messages to include,
while exceptions specify messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The sender is condition requires
the sender of the message. Some conditions have two properties. For example, the A message header includes any of these words
condition requires one property to specify the message header field, and a second property to specify the text to look for in the header
field. Some conditions or exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange Online.
For more information about conditions and exceptions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online Protection or Mail flow rule conditions and exceptions (predicates) in
Exchange Server.

Conditions and exceptions for mail flow rules in Exchange Online


The tables in the following sections describe the conditions and exceptions that are available in mail flow rules in Exchange Online. The
property types are described in the Property types section.
Senders
Recipients
Message subject or body
Attachments
Any recipients
Message sensitive information types, To and Cc values, size, and character sets
Sender and recipient
Message properties
Message headers
Notes:
• After you select a condition or exception in the Exchange admin center (EAC), the value that's ultimately shown in the Apply this rule if or Except if field is often different (shorter) than the click path value you selected. Also, when you create new rules based on a template (a filtered list of scenarios), you can often select a short condition name instead of following the complete click path. The short names and full click path values are shown in the EAC column in the tables.
• If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent in Exchange Online PowerShell is to create a rule without specifying any condition parameters.
• The settings and properties are the same in conditions and exceptions, so the output of the Get-TransportRulePredicate cmdlet doesn't list exceptions separately. Also, the names of some of the predicates that are returned by this cmdlet are different than the corresponding parameter names, and a predicate might require multiple parameters.
Senders
For conditions and exceptions that examine the sender's address, you can specify where the rule looks for the sender's address.
In the EAC, in the Properties of this rule section, click Match sender address in message. Note that you might need to click More options to see this setting. In Exchange Online PowerShell, the parameter is SenderAddressLocation. The available values are:
• Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields). This is the default value.
• Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field). Note that message envelope searching is only available for the following conditions (and the corresponding exceptions):
  • The sender is (From)
  • The sender is a member of (FromMemberOf)
  • The sender address includes (FromAddressContainsWords)
  • The sender address matches (FromAddressMatchesPatterns)
  • The sender's domain is (SenderDomainIs)
• Header or envelope (HeaderOrEnvelope): Examine senders in the message header and the message envelope.

EAC: The sender is
EAC click path: The sender > is this person
PowerShell: From, ExceptIfFrom
Property type: Addresses
Description: Messages that are sent by the specified mailboxes, mail users, mail contacts, or Office 365 groups in the organization. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

EAC: The sender is located
EAC click path: The sender > is external/internal
PowerShell: FromScope, ExceptIfFromScope
Property type: UserScopeFrom
Description: Messages that are sent by either internal senders or external senders.

EAC: The sender is a member of
EAC click path: The sender > is a member of this group
PowerShell: FromMemberOf, ExceptIfFromMemberOf
Property type: Addresses
Description: Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Office 365 group. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

EAC: The sender address includes
EAC click path: The sender > address includes any of these words
PowerShell: FromAddressContainsWords, ExceptIfFromAddressContainsWords
Property type: Words
Description: Messages that contain the specified words in the sender's email address.

EAC: The sender address matches
EAC click path: The sender > address matches any of these text patterns
PowerShell: FromAddressMatchesPatterns, ExceptIfFromAddressMatchesPatterns
Property type: Patterns
Description: Messages where the sender's email address contains text patterns that match the specified regular expressions.

EAC: The sender is on a recipient's list
EAC click path: The sender > is on a recipient's supervision list
PowerShell: SenderInRecipientList, ExceptIfSenderInRecipientList
Property type: SupervisionList
Description: Messages where the sender is on the recipient's Allow list or Block list.

EAC: The sender's specified properties include any of these words
EAC click path: The sender > has specific properties including any of these words
PowerShell: SenderADAttributeContainsWords, ExceptIfSenderADAttributeContainsWords
Property type: First property: ADAttribute. Second property: Words
Description: Messages where the specified Active Directory attribute of the sender contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany).

EAC: The sender's specified properties match these text patterns
EAC click path: The sender > has specific properties matching these text patterns
PowerShell: SenderADAttributeMatchesPatterns, ExceptIfSenderADAttributeMatchesPatterns
Property type: First property: ADAttribute. Second property: Patterns
Description: Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions.

EAC: The sender has overridden the Policy Tip
EAC click path: The sender > has overridden the Policy Tip
PowerShell: HasSenderOverride, ExceptIfHasSenderOverride
Property type: n/a
Description: Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies, see Data loss prevention.

EAC: Sender's IP address is in the range
EAC click path: The sender > IP address is in any of these ranges or exactly matches
PowerShell: SenderIPRanges, ExceptIfSenderIPRanges
Property type: IPAddressRanges
Description: Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.

EAC: The sender's domain is
EAC click path: The sender > domain is
PowerShell: SenderDomainIs, ExceptIfSenderDomainIs
Property type: DomainName
Description: Messages where the domain of the sender's email address matches the specified value. If you need to find sender domains that contain the specified domain (for example, any subdomain of a domain), use The sender address matches (FromAddressMatchesPatterns) condition and specify the domain by using the syntax: '@domain\.com$'.
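The following is an added example, not part of the original article, showing the same sender-domain condition stored once with the default Header location and once with HeaderOrEnvelope, so that the SMTP MAIL FROM value is examined as well as the From, Sender, and Reply-To headers. It assumes an Exchange Online PowerShell session is already connected; contoso.com, the rule names, the X- header name, and the 192.0.2.0/24 range are placeholders.

```powershell
# Added example, not from the original article.
# Assumes a connected Exchange Online PowerShell session.
# contoso.com, the rule names, the X- header and the 192.0.2.0/24
# documentation range are placeholders for your own values.

$common = @{
    FromScope              = 'NotInOrganization'   # UserScopeFrom: external senders only
    SenderDomainIs         = 'contoso.com'         # DomainName: matches this domain, not its subdomains
    ExceptIfSenderIPRanges = '192.0.2.0/24'        # IPAddressRanges: exception for a known relay
    SetHeaderName          = 'X-Contoso-SenderCheck'
    SetHeaderValue         = 'external-sender-own-domain'
    SetAuditSeverity       = 'Medium'
    Mode                   = 'Audit'               # matches are logged, the actions are not applied
}

# Default location: only senders in the message headers are examined.
New-TransportRule -Name 'Own domain from outside (header)' `
    -SenderAddressLocation Header @common

# Header and envelope: the MAIL FROM value of the SMTP transmission is examined too.
# SenderDomainIs is one of the five conditions that support envelope searching.
New-TransportRule -Name 'Own domain from outside (header or envelope)' `
    -SenderAddressLocation HeaderOrEnvelope @common

# Confirm what was stored. The exception appears as its own ExceptIf property
# on the rule, with the same value syntax as the SenderIPRanges condition.
Get-TransportRule |
    Where-Object Name -like 'Own domain from outside*' |
    Format-List Name, State, Mode, SenderAddressLocation, FromScope,
                SenderDomainIs, ExceptIfSenderIPRanges
```

Running both rules in Audit mode for a while shows how many messages only the envelope check catches before either rule is switched to Enforce.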

Recipients
EAC: The recipient is
EAC click path: The recipient > is this person
PowerShell: SentTo, ExceptIfSentTo
Property type: Addresses
Description: Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the To, Cc, or Bcc fields of the message. Note: You can't specify distribution groups, mail-enabled security groups, or Office 365 groups. If you need to take action on messages that are sent to a group, use the To box contains (AnyOfToHeader) condition instead.

EAC: The recipient is located
EAC click path: The recipient > is external/internal
PowerShell: SentToScope, ExceptIfSentToScope
Property type: UserScopeTo
Description: Messages that are sent to internal or external recipients.

EAC: The recipient is a member of
EAC click path: The recipient > is a member of this group
PowerShell: SentToMemberOf, ExceptIfSentToMemberOf
Property type: Addresses
Description: Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Office 365 group. The group can be in the To, Cc, or Bcc fields of the message. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

EAC: The recipient address includes
EAC click path: The recipient > address includes any of these words
PowerShell: RecipientAddressContainsWords, ExceptIfRecipientAddressContainsWords
Property type: Words
Description: Messages that contain the specified words in the recipient's email address. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

EAC: The recipient address matches
EAC click path: The recipient > address matches any of these text patterns
PowerShell: RecipientAddressMatchesPatterns, ExceptIfRecipientAddressMatchesPatterns
Property type: Patterns
Description: Messages where a recipient's email address contains text patterns that match the specified regular expressions. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.

EAC: The recipient is on the sender's list
EAC click path: The recipient > is on the sender's supervision list
PowerShell: RecipientInSenderList, ExceptIfRecipientInSenderList
Property type: SupervisionList
Description: Messages where the recipient is on the sender's Allow list or Block list.

EAC: The recipient's specified properties include any of these words
EAC click path: The recipient > has specific properties including any of these words
PowerShell: RecipientADAttributeContainsWords, ExceptIfRecipientADAttributeContainsWords
Property type: First property: ADAttribute. Second property: Words
Description: Messages where the specified Active Directory attribute of a recipient contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany).

EAC: The recipient's specified properties match these text patterns
EAC click path: The recipient > has specific properties matching these text patterns
PowerShell: RecipientADAttributeMatchesPatterns, ExceptIfRecipientADAttributeMatchesPatterns
Property type: First property: ADAttribute. Second property: Patterns
Description: Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.

EAC: A recipient's domain is
EAC click path: The recipient > domain is
PowerShell: RecipientDomainIs, ExceptIfRecipientDomainIs
Property type: DomainName
Description: Messages where the domain of a recipient's email address matches the specified value. If you need to find recipient domains that contain the specified domain (for example, any subdomain of a domain), use The recipient address matches (RecipientAddressMatchesPatterns) condition, and specify the domain by using the syntax '@domain\.com$'.

Message subject or body

NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.

EAC: The subject or body includes
EAC click path: The subject or body > subject or body includes any of these words
PowerShell: SubjectOrBodyContainsWords, ExceptIfSubjectOrBodyContainsWords
Property type: Words
Description: Messages that have the specified words in the Subject field or message body.

EAC: The subject or body matches
EAC click path: The subject or body > subject or body matches these text patterns
PowerShell: SubjectOrBodyMatchesPatterns, ExceptIfSubjectOrBodyMatchesPatterns
Property type: Patterns
Description: Messages where the Subject field or message body contain text patterns that match the specified regular expressions.

EAC: The subject includes
EAC click path: The subject or body > subject includes any of these words
PowerShell: SubjectContainsWords, ExceptIfSubjectContainsWords
Property type: Words
Description: Messages that have the specified words in the Subject field.

EAC: The subject matches
EAC click path: The subject or body > subject matches these text patterns
PowerShell: SubjectMatchesPatterns, ExceptIfSubjectMatchesPatterns
Property type: Patterns
Description: Messages where the Subject field contains text patterns that match the specified regular expressions.

Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to inspect message attachments
in Office 365.

EAC: Any attachment's content includes
EAC click path: Any attachment > content includes any of these words
PowerShell: AttachmentContainsWords, ExceptIfAttachmentContainsWords
Property type: Words
Description: Messages where an attachment contains the specified words.

EAC: Any attachments content matches
EAC click path: Any attachment > content matches these text patterns
PowerShell: AttachmentMatchesPatterns, ExceptIfAttachmentMatchesPatterns
Property type: Patterns
Description: Messages where an attachment contains text patterns that match the specified regular expressions. Note: Only the first 150 kilobytes (KB) of the attachments are scanned.

EAC: Any attachment's content can't be inspected
EAC click path: Any attachment > content can't be inspected
PowerShell: AttachmentIsUnsupported, ExceptIfAttachmentIsUnsupported
Property type: n/a
Description: Messages where an attachment isn't natively recognized by Exchange Online.

EAC: Any attachment's file name matches
EAC click path: Any attachment > file name matches these text patterns
PowerShell: AttachmentNameMatchesPatterns, ExceptIfAttachmentNameMatchesPatterns
Property type: Patterns
Description: Messages where an attachment's file name contains text patterns that match the specified regular expressions.

EAC: Any attachment's file extension matches
EAC click path: Any attachment > file extension includes these words
PowerShell: AttachmentExtensionMatchesWords, ExceptIfAttachmentExtensionMatchesWords
Property type: Words
Description: Messages where an attachment's file extension matches any of the specified words.

EAC: Any attachment is greater than or equal to
EAC click path: Any attachment > size is greater than or equal to
PowerShell: AttachmentSizeOver, ExceptIfAttachmentSizeOver
Property type: Size
Description: Messages where any attachment is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB).

EAC: The message didn't complete scanning
EAC click path: Any attachment > didn't complete scanning
PowerShell: AttachmentProcessingLimitExceeded, ExceptIfAttachmentProcessingLimitExceeded
Property type: n/a
Description: Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.

EAC: Any attachment has executable content
EAC click path: Any attachment > has executable content
PowerShell: AttachmentHasExecutableContent, ExceptIfAttachmentHasExecutableContent
Property type: n/a
Description: Messages where an attachment is an executable file. The system inspects the file's properties rather than relying on the file's extension.

EAC: Any attachment is password protected
EAC click path: Any attachment > is password protected
PowerShell: AttachmentIsPasswordProtected, ExceptIfAttachmentIsPasswordProtected
Property type: n/a
Description: Messages where an attachment is password protected (and therefore can't be scanned). Password detection only works for Office documents and .zip files.

EAC: has these properties, including any of these words
EAC click path: Any attachment > has these properties, including any of these words
PowerShell: AttachmentPropertyContainsWords, ExceptIfAttachmentPropertyContainsWords
Property type: First property: DocumentProperties. Second property: Words
Description: Messages where the specified property of an attached Office document contains the specified words. This condition helps you integrate mail flow rules with SharePoint, File Classification Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system. You can select from a list of built-in properties, or specify a custom property.
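The following is an added example, not part of the original article, of rules that work together to surface messages whose attachments are executable or could not be fully inspected. It assumes a connected Exchange Online PowerShell session; the group address, rule names, and X- header name are hypothetical placeholders.

```powershell
# Added example, not from the original article.
# Assumes a connected Exchange Online PowerShell session. The group address,
# rule names and X- header name are hypothetical placeholders.

$exemptSenders = 'malware-analysts@contoso.com'   # hypothetical mail-enabled security group

# One rule per predicate: all conditions inside a single rule must be true,
# so these four independent checks cannot share one rule.
$checks = [ordered]@{
    AttachmentHasExecutableContent    = 'executable'
    AttachmentIsPasswordProtected     = 'password-protected'
    AttachmentIsUnsupported           = 'uninspectable'
    AttachmentProcessingLimitExceeded = 'scan-incomplete'
}

foreach ($parameter in $checks.Keys) {
    $rule = @{
        Name                 = "Attachment check: $($checks[$parameter])"
        $parameter           = $true            # property type n/a: the condition takes no value
        ExceptIfFromMemberOf = $exemptSenders   # same Addresses syntax as the FromMemberOf condition
        SetHeaderName        = 'X-Contoso-AttachmentCheck'
        SetHeaderValue       = $checks[$parameter]
        SetAuditSeverity     = 'Medium'
        Mode                 = 'Audit'          # log matches first, enforce after review
    }
    New-TransportRule @rule
}

# Two conditions in one rule narrow the match: an external sender AND an
# archive or disk-image extension AND an attachment of at least 20 MB.
New-TransportRule -Name 'Attachment check: large archive from outside' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'zip', '7z', 'iso' `
    -AttachmentSizeOver '20 MB' `
    -ExceptIfFromMemberOf $exemptSenders `
    -SetAuditSeverity Low `
    -Mode Audit

# Exceptions are not listed separately in the predicate catalogue.
Get-TransportRulePredicate |
    Where-Object Name -like 'Attachment*' |
    Select-Object Name
```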
Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the message contains at least one of the specified recipients. For example, let's say you have a rule that rejects messages. If you use a recipient condition from the Recipients section, the message is only rejected for those specified recipients. For example, if the rule finds the specified recipient in a message, but the message contains five other recipients, the message is rejected for that one recipient, and is delivered to the five other recipients.
If you add a recipient condition from this section, that same message is rejected for the detected recipient and the five other recipients.
Conversely, a recipient exception from this section prevents the rule action from being applied to all recipients of the message, not just
for the detected recipients.
Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the
recipient's primary email address.

EAC: Any recipient address includes
EAC click path: Any recipient > address includes any of these words
PowerShell: AnyOfRecipientAddressContainsWords, ExceptIfAnyOfRecipientAddressContainsWords
Property type: Words
Description: Messages that contain the specified words in the To, Cc, or Bcc fields of the message.

EAC: Any recipient address matches
EAC click path: Any recipient > address matches any of these text patterns
PowerShell: AnyOfRecipientAddressMatchesPatterns, ExceptIfAnyOfRecipientAddressMatchesPatterns
Property type: Patterns
Description: Messages where the To, Cc, or Bcc fields contain text patterns that match the specified regular expressions.

Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the Any recipients section (all
recipients of the message are affected by the rule, not just the detected recipients).
Notes:
• The recipient conditions in this section do not consider messages that are sent to recipient proxy addresses. They only match messages that are sent to the recipient's primary email address.
• For more information about using Office 365 groups with the recipient conditions in this section, see the Addresses entry in the Property types section.

EAC: The message contains sensitive information
EAC click path: The message > contains any of these types of sensitive information
PowerShell: MessageContainsDataClassifications, ExceptIfMessageContainsDataClassifications
Property type: SensitiveInformationTypes
Description: Messages that contain sensitive information as defined by data loss prevention (DLP) policies. This condition is required for rules that use the Notify the sender with a Policy Tip (NotifySender) action.

EAC: The To box contains
EAC click path: The message > To box contains this person
PowerShell: AnyOfToHeader, ExceptIfAnyOfToHeader
Property type: Addresses
Description: Messages where the To field includes any of the specified recipients.

EAC: The To box contains a member of
EAC click path: The message > To box contains a member of this group
PowerShell: AnyOfToHeaderMemberOf, ExceptIfAnyOfToHeaderMemberOf
Property type: Addresses
Description: Messages where the To field contains a recipient who is a member of the specified distribution group, mail-enabled security group, or Office 365 group.

EAC: The Cc box contains
EAC click path: The message > Cc box contains this person
PowerShell: AnyOfCcHeader, ExceptIfAnyOfCcHeader
Property type: Addresses
Description: Messages where the Cc field includes any of the specified recipients.

EAC: The Cc box contains a member of
EAC click path: The message > contains a member of this group
PowerShell: AnyOfCcHeaderMemberOf, ExceptIfAnyOfCcHeaderMemberOf
Property type: Addresses
Description: Messages where the Cc field contains a recipient who is a member of the specified distribution group or mail-enabled security group.

EAC: The To or Cc box contains
EAC click path: The message > To or Cc box contains this person
PowerShell: AnyOfToCcHeader, ExceptIfAnyOfToCcHeader
Property type: Addresses
Description: Messages where the To or Cc fields contain any of the specified recipients.

EAC: The To or Cc box contains a member of
EAC click path: The message > To or Cc box contains a member of this group
PowerShell: AnyOfToCcHeaderMemberOf, ExceptIfAnyOfToCcHeaderMemberOf
Property type: Addresses
Description: Messages where the To or Cc fields contain a recipient who is a member of the specified distribution group or mail-enabled security group.

EAC: The message size is greater than or equal to
EAC click path: The message > size is greater than or equal to
PowerShell: MessageSizeOver, ExceptIfMessageSizeOver
Property type: Size
Description: Messages where the total size (message plus attachments) is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB). Note: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.

EAC: The message character set name includes any of these words
EAC click path: The message > character set name includes any of these words
PowerShell: ContentCharacterSetContainsWords, ExceptIfContentCharacterSetContainsWords
Property type: CharacterSets
Description: Messages that have any of the specified character set names.

Sender and recipient


EAC: The sender is one of the recipient's
EAC click path: The sender and the recipient > the sender's relationship to a recipient is
PowerShell: SenderManagementRelationship, ExceptIfSenderManagementRelationship
Property type: ManagementRelationship
Description: Messages where either the sender is the manager of a recipient, or the sender is managed by a recipient.

EAC: The message is between members of these groups
EAC click path: The sender and the recipient > the message is between members of these groups
PowerShell: BetweenMemberOf1 and BetweenMemberOf2, ExceptIfBetweenMemberOf1 and ExceptIfBetweenMemberOf2
Property type: Addresses
Description: Messages that are sent between members of the specified distribution groups or mail-enabled security groups. For more information about using Office 365 groups with this condition, see the Addresses entry in the Property types section.

EAC: The manager of the sender or recipient is
EAC click path: The sender and the recipient > the manager of the sender or recipient is this person
PowerShell: ManagerForEvaluatedUser and ManagerAddress, ExceptIfManagerForEvaluatedUser and ExceptIfManagerAddress
Property type: First property: EvaluatedUser. Second property: Addresses
Description: Messages where either a specified user is the manager of the sender, or a specified user is the manager of a recipient.

EAC: The sender's and any recipient's property compares as
EAC click path: The sender and the recipient > the sender and recipient property compares as
PowerShell: ADAttributeComparisonAttribute and ADComparisonOperator, ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator
Property type: First property: ADAttribute. Second property: Evaluation
Description: Messages where the specified Active Directory attribute for the sender and recipient either match or don't match.

Message properties
EAC: The message type is
EAC click path: The message properties > include the message type
PowerShell: MessageTypeMatches, ExceptIfMessageTypeMatches
Property type: MessageType
Description: Messages of the specified type. Note: When Outlook or Outlook Web App is configured to forward a message, the ForwardingSmtpAddress property is added to the message. The message type isn't changed to AutoForward.

EAC: The message is classified as
EAC click path: The message properties > include this classification
PowerShell: HasClassification, ExceptIfHasClassification
Property type: MessageClassification
Description: Messages that have the specified message classification. This is a custom message classification that you can create in your organization by using the New-MessageClassification cmdlet.

EAC: The message isn't marked with any classifications
EAC click path: The message properties > don't include any classification
PowerShell: HasNoClassification, ExceptIfHasNoClassification
Property type: n/a
Description: Messages that don't have a message classification.

EAC: The message has an SCL greater than or equal to
EAC click path: The message properties > include an SCL greater than or equal to
PowerShell: SCLOver, ExceptIfSCLOver
Property type: SCLValue
Description: Messages that are assigned a spam confidence level (SCL) that's greater than or equal to the specified value.

EAC: The message importance is set to
EAC click path: The message properties > include the importance level
PowerShell: WithImportance, ExceptIfWithImportance
Property type: Importance
Description: Messages that are marked with the specified Importance level.

Message headers

NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
EAC: A message header includes
EAC click path: A message header > includes any of these words
PowerShell: HeaderContainsMessageHeader and HeaderContainsWords, ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords
Property type: First property: MessageHeaderField. Second property: Words
Description: Messages that contain the specified header field, and the value of that header field contains the specified words. The name of the header field and the value of the header field are always used together.

EAC: A message header matches
EAC click path: A message header > matches these text patterns
PowerShell: HeaderMatchesMessageHeader and HeaderMatchesPatterns, ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns
Property type: First property: MessageHeaderField. Second property: Patterns
Description: Messages that contain the specified header field, and the value of that header field contains the specified regular expressions. The name of the header field and the value of the header field are always used together.
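The following is an added example, not part of the original article, that illustrates the NOTE in the Message subject or body and Message headers sections: words and patterns are compared with the decoded header text, never with the encoded form seen on the wire. It runs offline, uses .NET regular expressions as a stand-in for the rule engine's pattern matching, and its function name and header values are constructed for the illustration.

```powershell
# Added example, not from the original article. It models the decoding step
# offline with .NET and does not call Exchange. ConvertFrom-EncodedWord is a
# hypothetical helper and the Subject values are constructed.

function ConvertFrom-EncodedWord {
    param([Parameter(Mandatory)][string]$Value)

    # RFC 2047: whitespace between two adjacent encoded-words is dropped.
    $joined = $Value -replace '(\?=)\s+(=\?)', '$1$2'

    $decodeOne = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m)
        $charset = [System.Text.Encoding]::GetEncoding($m.Groups['cs'].Value)
        $text    = $m.Groups['txt'].Value
        if ($m.Groups['enc'].Value -ieq 'B') {
            $bytes = [Convert]::FromBase64String($text)
        }
        else {
            # Q encoding: "_" is a space, "=XX" is one hex byte, the rest is literal.
            $buffer = [System.Collections.Generic.List[byte]]::new()
            for ($i = 0; $i -lt $text.Length; $i++) {
                if ($text[$i] -eq '_') {
                    $buffer.Add(0x20)
                }
                elseif ($text[$i] -eq '=' -and ($i + 2) -lt $text.Length) {
                    $buffer.Add([Convert]::ToByte($text.Substring($i + 1, 2), 16))
                    $i += 2
                }
                else {
                    $buffer.Add([byte][char]$text[$i])
                }
            }
            $bytes = $buffer.ToArray()
        }
        $charset.GetString($bytes)
    }

    [regex]::Replace($joined, '=\?(?<cs>[^?]+)\?(?<enc>[BbQq])\?(?<txt>[^?]*)\?=', $decodeOne)
}

# Constructed Subject values as they travel between SMTP servers.
$rawSubjects = @(
    '=?UTF-8?B?V2lyZSB0cmFuc2ZlciBhcHByb3ZhbA==?='   # Base64 of "Wire transfer approval"
    '=?ISO-8859-1?Q?Rechnung_f=FCr_M=E4rz?='         # Q encoding of "Rechnung für März"
)

# Write the Words or Patterns value against the text the user reads.
$pattern = 'wire\stransfer'

$results = foreach ($raw in $rawSubjects) {
    $decoded = ConvertFrom-EncodedWord -Value $raw
    [pscustomobject]@{
        Raw            = $raw
        Decoded        = $decoded
        RawMatches     = $raw -match $pattern
        DecodedMatches = $decoded -match $pattern
    }
}
$results | Format-List
```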

Property types
The property types that are used in conditions and exceptions are described in the following table.

NOTE
If the property is a string, trailing spaces are not allowed.

Property type: ADAttribute
Valid values: Select from a predefined list of Active Directory attributes
Description: You can check against any of the following Active Directory attributes:
• City
• Company
• Country
• CustomAttribute1 - CustomAttribute15
• Department
• DisplayName
• Email
• FaxNumber
• FirstName
• HomePhoneNumber
• Initials
• LastName
• Manager
• MobileNumber
• Notes
• Office
• OtherFaxNumber
• OtherHomePhoneNumber
• OtherPhoneNumber
• PagerNumber
• PhoneNumber
• POBox
• State
• Street
• Title
• UserLogonName
• ZipCode
In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals San Francisco" or "City equals Palo Alto".
In Exchange Online PowerShell, use the syntax "AttributeName1:Value1,Value 2 with spaces,Value3...","AttributeName2:Word4,Value 5 with spaces,Value6...", where Value is the word or text pattern that you want to match. For example, "City:San Francisco,Palo Alto" or "City:San Francisco,Palo Alto","Department:Sales,Finance".
When you specify multiple attributes, or multiple values for the same attribute, the or operator is used. Don't use values with leading or trailing spaces.
Note that the Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE for Germany). To search for values, see https://go.microsoft.com/fwlink/p/?LinkId=331680.

Property type: Addresses
Valid values: Exchange Online recipients
Description: Depending on the nature of the condition or exception, you might be able to specify any mail-enabled object in the organization (for example, recipient-related conditions), or you might be limited to a specific object type (for example, groups for group membership conditions). And, the condition or exception might require one value, or allow multiple values.
In Exchange Online PowerShell, separate multiple values by commas.
This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.
The recipient picker in the EAC doesn't allow you to select Office 365 groups from the list of recipients. But, you can enter the email address of an Office 365 group in the box next to Check names, and then validate the email address by clicking Check names, which will add the Office 365 group to the add box.

Property type: CharacterSets
Valid values: Array of character set names
Description: One or more content character sets that exist in a message. For example:
• Arabic/iso-8859-6
• Chinese/big5
• Chinese/euc-cn
• Chinese/euc-tw
• Chinese/gb2312
• Chinese/iso-2022-cn
• Cyrillic/iso-8859-5
• Cyrillic/koi8-r
• Cyrillic/windows-1251
• Greek/iso-8859-7
• Hebrew/iso-8859-8
• Japanese/euc-jp
• Japanese/iso-022-jp
• Japanese/shift-jis
• Korean/euc-kr
• Korean/johab
• Korean/ks_c_5601-1987
• Turkish/windows-1254
• Turkish/iso-8859-9
• Vietnamese/tcvn

Property type: DomainName
Valid values: Array of SMTP domains
Description: For example, contoso.com or eu.contoso.com.
In Exchange Online PowerShell, you can specify multiple domains separated by commas.

Property type: EvaluatedUser
Valid values: Single value of Sender or Recipient
Description: Specifies whether the rule is looking for the manager of the sender or the manager of the recipient.

Property type: Evaluation
Valid values: Single value of Equal or Not equal (NotEqual)
Description: When comparing the Active Directory attribute of the sender and recipients, this specifies whether the values should match, or not match.

Property type: Importance
Valid values: Single value of Low, Normal, or High
Description: The Importance level that was assigned to the message by the sender in Outlook or Outlook on the web.

Property type: IPAddressRanges
Valid values: Array of IP addresses or address ranges
Description: You enter the IPv4 addresses using the following syntax:
• Single IP address: For example, 192.168.1.1.
• IP address range: For example, 192.168.0.1-192.168.0.254.
• Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.
In Exchange Online PowerShell, you can specify multiple IP addresses or ranges separated by commas.

Property type: ManagementRelationship
Valid values: Single value of Manager or Direct report (DirectReport)
Description: Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender is managed by a recipient.

Property type: MessageClassification
Valid values: Single message classification
Description: In the EAC, you select from the list of message classifications that you've created.
In Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message classification. For example, use the following command to search for messages with the Company Internal classification and prepend the message subject with the value CompanyInternal:
    New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"

Property type: MessageHeaderField
Valid values: Single string
Description: Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

Property type: MessageType
Valid values: Single message type value
Description: Specifies one of the following message types:
• Automatic reply (OOF)
• Auto-forward (AutoForward)
• Encrypted
• Calendaring
• Permission controlled (PermissionControlled)
• Voicemail
• Signed
• Approval request (ApprovalRequest)
• Read receipt (ReadReceipt)
Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress property is added to the message. The message type isn't changed to AutoForward.

Property type: Patterns
Valid values: Array of regular expressions
Description: Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax.
In Exchange Online PowerShell, you specify multiple regular expressions separated by commas, and you enclose each regular expression in quotation marks (").

Property type: SCLValue
Valid values: One of the following values:
• Bypass spam filtering (-1)
• Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam.

Property type: SensitiveInformationTypes
Valid values: Array of sensitive information types
Description: Specifies one or more sensitive information types that are defined in your organization. For a list of built-in sensitive information types, see What the sensitive information types in Exchange look for.
In Exchange Online PowerShell, use the syntax @{<SensitiveInformationType1>},@{<SensitiveInformationType . For example, to look for content that contains at least two credit card numbers, and at least one ABA routing number, use the value @{Name="Credit Card Number"; minCount="2"},@{Name="ABA Routing Number"; minCount="1"}.

Property type: Size
Valid values: Single size value
Description: Specifies the size of an attachment or the whole message.
In the EAC, you can only specify the size in kilobytes (KB).
In Exchange Online PowerShell, when you enter a value, qualify the value with one of the following units:
• B (bytes)
• KB (kilobytes)
• MB (megabytes)
• GB (gigabytes)
For example, 20 MB. Unqualified values are typically treated as bytes, but small values may be rounded up to the nearest kilobyte.

Property type: SupervisionList
Valid values: Single value of Allow or Block
Description: Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Office 365, you can't configure supervision list entries on mailboxes.

UserScopeFrom
  Valid values: Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization)
  Description: A sender is considered to be inside the organization if either of the following conditions is true:
  • The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
  • The sender's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Accepted Domains.
  A sender is considered to be outside the organization if either of the following conditions is true:
  • The sender's email address isn't in an accepted domain.
  • The sender's email address is in an accepted domain that's configured as an external relay domain.
  Note: To determine whether mail contacts are considered to be inside or outside the organization, the sender's address is compared with the organization's accepted domains.

UserScopeTo
  Valid values: One of the following values:
  • Inside the organization (InOrganization)
  • Outside the organization (NotInOrganization)
  Description: A recipient is considered to be inside the organization if either of the following conditions is true:
  • The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
  • The recipient's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.
  A recipient is considered to be outside the organization if either of the following conditions is true:
  • The recipient's email address isn't in an accepted domain.
  • The recipient's email address is in an accepted domain that's configured as an external relay domain.

Words
  Valid values: Array of strings
  Description: Specifies one or more words to look for. The words aren't case-sensitive, and can be surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example, "contoso" matches " Contoso".
  However, if the text is surrounded by other characters, it isn't considered a match. For example, "contoso" doesn't match the following values:
  • Acontoso
  • Contosoa
  • Acontosob
  The asterisk (*) is treated as a literal character, and isn't used as a wildcard character.

For more information


Mail flow rules (transport rules) in Exchange Online
Mail flow rule actions in Exchange Online
Mail flow rule procedures in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Server
New-TransportRule
Mail flow rule actions in Exchange Online
3/4/2019

Actions in mail flow rules (also known as transport rules) specify what you want to do to messages that match
the conditions of the rule. For example, you can create a rule that forwards messages from specific senders to a
moderator, or adds a disclaimer or personalized signature to all outbound messages.
Actions typically require additional properties. For example, when the rule redirects a message, you need to
specify where to redirect the message. Some actions have multiple properties that are available or required. For
example, when the rule adds a header field to the message header, you need to specify both the name and value of
the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also
specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can
configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect
the same message.
For more information about mail flow rules in Exchange Online, see Mail flow rules (transport rules) in Exchange
Online.
For more information about conditions and exceptions in mail flow rules, see Mail flow rule conditions and
exceptions (predicates) in Exchange Online.
For more information about actions in mail flow rules in Exchange Online Protection or Exchange Server, see Mail
flow rule actions in Exchange Online Protection or Mail flow rules (transport rules).

Actions for mail flow rules in Exchange Online


The actions that are available in mail flow rules in Exchange Online are described in the following table. Valid
values for each property are described in the Property values section.
Notes:
• After you select an action in the Exchange admin center (EAC), the value that's ultimately shown in the Do
  the following field is often different from the click path you selected. Also, when you create new rules, you
  can sometimes (depending on the selections you make) select a short action name from a template (a
  filtered list of actions) instead of following the complete click path. The short names and full click path
  values are shown in the EAC column in the table.
• The names of some of the actions that are returned by the Get-TransportRuleAction cmdlet are different
  than the corresponding parameter names, and multiple parameters might be required for an action.

ACTION IN THE EAC | ACTION PARAMETER IN POWERSHELL | PROPERTY | DESCRIPTION

Forward the message for approval to these people
  EAC click path: Forward the message for approval > to these people
  PowerShell parameter: ModerateMessageByUser
  Property: Addresses
  Description: Forwards the message to the specified moderators as an attachment wrapped in an approval request. For more information, see Common message approval scenarios. You can't use a distribution group as a moderator.

Forward the message for approval to the sender's manager
  EAC click path: Forward the message for approval > to the sender's manager
  PowerShell parameter: ModerateMessageByManager
  Property: n/a
  Description: Forwards the message to the sender's manager for approval. This action only works if the sender's Manager attribute is defined. Otherwise, the message is delivered to the recipients without moderation.

Redirect the message to these recipients
  EAC click path: Redirect the message to > these recipients
  PowerShell parameter: RedirectMessageTo
  Property: Addresses
  Description: Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients.

Deliver the message to the hosted quarantine
  EAC click path: Redirect the message to > hosted quarantine
  PowerShell parameter: Quarantine
  Property: n/a
  Description: Delivers the message to the hosted quarantine. For more information about the hosted quarantine in Office 365, see Quarantine.

Use the following connector
  EAC click path: Redirect the message to > the following connector
  PowerShell parameter: RouteMessageOutboundConnector
  Property: OutboundConnector
  Description: Uses the specified outbound connector to deliver the message. For more information about connectors, see Configure mail flow using connectors in Office 365.

Reject the message with the explanation
  EAC click path: Block the message > reject the message and include an explanation
  PowerShell parameter: RejectMessageReasonText
  Property: String
  Description: Returns the message to the sender in a non-delivery report (also known as an NDR or bounce message) with the specified text as the rejection reason. The recipient doesn't receive the original message or notification. The default enhanced status code that's used is 5.7.1. When you create or modify the rule in PowerShell, you can specify the DSN code by using the RejectMessageEnhancedStatusCode parameter.

Reject the message with the enhanced status code
  EAC click path: Block the message > reject the message with the enhanced status code of
  PowerShell parameter: RejectMessageEnhancedStatusCode
  Property: DSNEnhancedStatusCode
  Description: Returns the message to the sender in an NDR with the specified enhanced delivery status notification (DSN) code. The recipient doesn't receive the original message or notification. Valid DSN codes are 5.7.1 or 5.7.900 through 5.7.999. The default reason text that's used is Delivery not authorized, message refused. When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Delete the message without notifying anyone
  EAC click path: Block the message > delete the message without notifying anyone
  PowerShell parameter: DeleteMessage
  Property: n/a
  Description: Silently drops the message without sending a notification to the recipient or the sender.

Add recipients to the Bcc box
  EAC click path: Add recipients > to the Bcc box
  PowerShell parameter: BlindCopyTo
  Property: Addresses
  Description: Adds one or more recipients to the Bcc field of the message. The original recipients aren't notified, and they can't see the additional addresses.

Add recipients to the To box
  EAC click path: Add recipients > to the To box
  PowerShell parameter: AddToRecipients
  Property: Addresses
  Description: Adds one or more recipients to the To field of the message. The original recipients can see the additional addresses.

Add recipients to the Cc box
  EAC click path: Add recipients > to the Cc box
  PowerShell parameter: CopyTo
  Property: Addresses
  Description: Adds one or more recipients to the Cc field of the message. The original recipients can see the additional address.

Add the sender's manager as a recipient
  EAC click path: Add recipients > add the sender's manager as a recipient
  PowerShell parameter: AddManagerAsRecipientType
  Property: AddedManagerAction
  Description: Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory.

Append the disclaimer
  EAC click path: Apply a disclaimer to the message > append a disclaimer
  PowerShell parameters: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
  Properties: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
  Description: Applies the specified HTML disclaimer to the end of the message. When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Append.

Prepend the disclaimer
  EAC click path: Apply a disclaimer to the message > prepend a disclaimer
  PowerShell parameters: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
  Properties: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property (PowerShell only): DisclaimerTextLocation
  Description: Applies the specified HTML disclaimer to the beginning of the message. When you create or modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Prepend.

Remove this header
  EAC click path: Modify the message properties > remove a message header
  PowerShell parameter: RemoveHeader
  Property: MessageHeaderField
  Description: Removes the specified header field from the message header.

Set the message header to this value
  EAC click path: Modify the message properties > set a message header
  PowerShell parameters: SetHeaderName, SetHeaderValue
  Properties: First property: MessageHeaderField. Second property: String
  Description: Adds or modifies the specified header field in the message header, and sets the header field to the specified value.

Apply a message classification
  EAC click path: Modify the message properties > apply a message classification
  PowerShell parameter: ApplyClassification
  Property: MessageClassification
  Description: Applies the specified message classification to the message.

Set the spam confidence level (SCL) to
  EAC click path: Modify the message properties > set the spam confidence level (SCL)
  PowerShell parameter: SetSCL
  Property: SCLValue
  Description: Sets the spam confidence level (SCL) of the message to the specified value.

Apply Office 365 Message Encryption and rights protection
Apply Office 365 Message Encryption and rights protection to the message with
  EAC click path: Modify the message security > Apply Office 365 Message Encryption and rights protection
  PowerShell parameter: ApplyRightsProtectionTemplate
  Property: RMSTemplate
  Description: Applies the specified Azure Rights Management (Azure RMS) template to the message. Azure RMS is part of Azure Information Protection. For more information, see Set up new Office 365 Message Encryption capabilities.

Require TLS encryption
  EAC click path: Modify the message security > require TLS encryption
  PowerShell parameter: RouteMessageOutboundRequireTls
  Property: n/a
  Description: Forces the outbound messages to be routed over a TLS encrypted connection.

Encrypt the messages with the previous version of OME
  EAC click path: Modify the message security > Apply Office the previous version of OME
  PowerShell parameter: ApplyOME
  Property: n/a
  Description: If you haven't moved your Office 365 organization to Office 365 Message Encryption (OME) that's built on Azure Information Protection, this action encrypts the message and attachments with the previous version of OME.
  Notes:
  • We recommend that you make a plan to move to OME on Azure Information Protection as soon as it's reasonable for your organization. For instructions, see Set up new Office 365 Message Encryption capabilities.
  • If you receive an error stating that IRM licensing isn't enabled, you can't set up the previous version of OME. If you set up OME now, you'll set up the OME capabilities that are built on Azure Information Protection.

Remove the previous version of OME from the message
  EAC click path: Modify the message security > Remove the previous version of OME
  PowerShell parameter: RemoveOME
  Property: n/a
  Description: Decrypt the message and attachments from the previous version of OME so users don't need to sign in to the encryption portal in order to view them. This action is only available for messages that are sent within your organization.

Remove Office 365 Message Encryption and rights protection
  EAC click path: Modify the message security > Remove Office 365 Message Encryption and rights protection
  PowerShell parameter: RemoveOMEv2
  Property: n/a
  Description: Remove the Azure RMS template from the message.

Prepend the subject of the message with
  PowerShell parameter: PrependSubject
  Property: String
  Description: Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text. To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the The subject includes (ExceptIfSubjectContainsWords) exception to the rule.

Notify the sender with a Policy Tip
  PowerShell parameters: NotifySender, RejectMessageReasonText, RejectMessageEnhancedStatusCode (PowerShell only)
  Properties: First property: NotifySenderType. Second property: String. Third property (PowerShell only): DSNEnhancedStatusCode
  Description: Notifies the sender or blocks the message when the message matches a DLP policy. When you use this action, you need to use the The message contains sensitive information (MessageContainsDataClassification) condition.
  When you create or modify the rule in PowerShell, the RejectMessageReasonText parameter is optional. If you don't use this parameter, the default text Delivery not authorized, message refused is used.
  In PowerShell, you can also use the RejectMessageEnhancedStatusCode parameter to specify the enhanced status code. If you don't use this parameter, the default enhanced status code 5.7.1 is used.
  This action limits the other conditions, exceptions, and actions that you can configure in the rule.

Generate incident report and send it to
  PowerShell parameters: GenerateIncidentReport, IncidentReportContent
  Properties: First property: Addresses. Second property: IncidentReportContent
  Description: Sends an incident report that contains the specified content to the specified recipients. An incident report is generated for messages that match data loss prevention (DLP) policies in your organization.

Notify the recipient with a message
  PowerShell parameter: GenerateNotification
  Property: NotificationMessageText
  Description: Specifies the text, HTML tags, and message keywords to include in the notification message that's sent to the message's recipients. For example, you can notify recipients that the message was rejected by the rule, or marked as spam and delivered to their Junk Email folder.

Properties of this rule section > Audit this rule with severity level
  PowerShell parameter: SetAuditSeverity
  Property: AuditSeverityLevel
  Description: Specifies whether to:
  • Prevent the generation of an incident report and the corresponding entry in the message tracking log.
  • Generate an incident report and the corresponding entry in the message tracking log with the specified severity level (low, medium, or high).

Properties of this rule section > Stop processing more rules
  EAC click path: More options > Properties of this rule section > Stop processing more rules
  PowerShell parameter: StopRuleProcessing
  Property: n/a
  Description: Specifies that after the message is affected by the rule, the message is exempt from processing by other rules.

Property values
The property values that are used for actions in mail flow rules are described in the following table.

PROPERTY | VALID VALUES | DESCRIPTION

AddedManagerAction
  Valid values: One of the following values:
  • To
  • Cc
  • Bcc
  • Redirect
  Description: Specifies how to include the sender's manager in messages. If you select To, Cc, or Bcc, the sender's manager is added as a recipient in the specified field. If you select Redirect, the message is only delivered to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager is defined.

Addresses
  Valid values: Exchange recipients
  Description: Depending on the action, you might be able to specify any mail-enabled object in the organization, or you might be limited to a specific object type. Typically, you can select multiple recipients, but you can only send an incident report to one recipient.

AuditSeverityLevel
  Valid values: One of the following values:
  • Uncheck Audit this rule with severity level, or select Audit this rule with severity level with the value Not specified (DoNotAudit)
  • Low
  • Medium
  • High
  Description: The values Low, Medium, or High specify the severity level that's assigned to the incident report and to the corresponding entry in the message tracking log. The other value prevents an incident report from being generated, and prevents the corresponding entry from being written to the message tracking log.

DisclaimerFallbackAction
  Valid values: One of the following values:
  • Wrap
  • Ignore
  • Reject
  Description: Specifies what to do if the disclaimer can't be applied to a message. There are situations where the contents of a message can't be altered (for example, the message is encrypted). The available fallback actions are:
  • Wrap: The original message is wrapped in a new message envelope, and the disclaimer text is inserted into the new message. This is the default value.
  • Ignore: The rule is ignored and the message is delivered without the disclaimer.
  • Reject: The message is returned to the sender in an NDR.
  Notes:
  • Subsequent mail flow rules are applied to the new message envelope, not to the original message. Therefore, configure these rules with a lower priority than other rules.
  • If the original message can't be wrapped in a new message envelope, the original message isn't delivered. The message is returned to the sender in an NDR.

DisclaimerText
  Valid values: HTML string
  Description: Specifies the disclaimer text, which can include HTML tags, inline cascading style sheet (CSS) tags, and images by using the IMG tag. The maximum length is 5000 characters, including tags.

DisclaimerTextLocation
  Valid values: Single value: Append or Prepend
  Description: In PowerShell, you use the ApplyHtmlDisclaimerLocation to specify the location of the disclaimer text in the message:
  • Append: Add the disclaimer to the end of the message body. This is the default value.
  • Prepend: Add the disclaimer to the beginning of the message body.

DSNEnhancedStatusCode
  Valid values: Single DSN code value:
  • 5.7.1
  • 5.7.900 through 5.7.999
  Description: Specifies the DSN code that's used. You can create custom DSNs by using the New-SystemMessage cmdlet. If you don't specify the rejection reason text along with the DSN code, the default reason text that's used is Delivery not authorized, message refused. When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

IncidentReportContent
  Valid values: One or more of the following values:
  • Sender
  • Recipients
  • Subject
  • Cc'd recipients (Cc)
  • Bcc'd recipients (Bcc)
  • Severity
  • Sender override information (Override)
  • Matching rules (RuleDetections)
  • False positive reports (FalsePositive)
  • Detected data classifications (DataClassifications)
  • Matching content (IdMatch)
  • Original mail (AttachOriginalMail)
  Description: Specifies the original message properties to include in the incident report. You can choose to include any combination of these properties. In addition to the properties you specify, the message ID is always included. The available properties are:
  • Sender: The sender of the original message.
  • Recipients, Cc'd recipients, and Bcc'd recipients: All recipients of the message, or only the recipients in the Cc or Bcc fields. For each property, only the first 10 recipients are included in the incident report.
  • Subject: The Subject field of the original message.
  • Severity: The audit severity of the rule that was triggered. Message tracking logs include all the audit severity levels, and can be filtered by audit severity. In the EAC, if you clear the Audit this rule with severity level check box (in PowerShell, the SetAuditSeverity parameter value DoNotAudit), rule matches won't appear in the rule reports. If a message is processed by more than one rule, the highest severity is included in any incident reports.
  • Sender override information: The override if the sender chose to override a Policy Tip. If the sender provided a justification, the first 100 characters of the justification are also included.
  • Matching rules: The list of rules that the message triggered.
  • False positive reports: The false positive if the sender marked the message as a false positive for a Policy Tip.
  • Detected data classifications: The list of sensitive information types detected in the message.
  • Matching content: The sensitive information type detected, the exact matched content from the message, and the 150 characters before and after the matched sensitive information.
  • Original mail: The entire message that triggered the rule is attached to the incident report.
  In PowerShell, you specify multiple values separated by commas.

MessageClassification
  Valid values: Single message classification object
  Description: In the EAC, you select from the list of available message classifications. In PowerShell, use the Get-MessageClassification cmdlet to see the message classification objects that are available.

MessageHeaderField
  Valid values: Single string
  Description: Specifies the SMTP message header field to add, remove, or modify. The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

NotificationMessageText
  Valid values: Any combination of plain text, HTML tags, and keywords
  Description: Specifies the text to use in a recipient notification message. In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message:
  • %%From%%
  • %%To%%
  • %%Cc%%
  • %%Subject%%
  • %%Headers%%
  • %%MessageDate%%

NotifySenderType
  Valid values: One of the following values:
  • Notify the sender, but allow them to send (NotifyOnly)
  • Block the message (RejectMessage)
  • Block the message unless it's a false positive (RejectUnlessFalsePositiveOverride)
  • Block the message, but allow the sender to override and send (RejectUnlessSilentOverride)
  • Block the message, but allow the sender to override with a business justification and send (RejectUnlessExplicitOverride)
  Description: Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list:
  • Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally.
  • Block the message: The message is rejected, and the sender is notified.
  • Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender.
  • Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction.
  • Block the message, but allow the sender to override with a business justification and send: This is similar to Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction.
  When you use this action, you need to use the The message contains sensitive information (MessageContainsDataClassification) condition.

OutboundConnector
  Valid values: Single outbound connector
  Description: Specifies the identity of outbound connector that's used to deliver messages. For more information about connectors, see Configure mail flow using connectors in Office 365.
  In the EAC, you select the connector from a list.
  In PowerShell, use the Get-OutboundConnector cmdlet to see the connectors that are available.

RMSTemplate
  Valid values: Single Azure RMS template object
  Description: Specifies the Azure Rights Management (Azure RMS) template that's applied to the message.
  In the EAC, you select the RMS template from a list.
  In PowerShell, use the Get-RMSTemplate cmdlet to see the RMS templates that are available.
  For more information about RMS in Office 365, see What is Azure Information Protection?.

SCLValue
  Valid values: One of the following values:
  • Bypass spam filtering (-1)
  • Integers 0 through 9
  Description: Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam.

String
  Valid values: Single string
  Description: Specifies the text that's applied to the specified message header field, NDR, or event log entry.
  In PowerShell, if the value contains spaces, enclose the value in quotation marks (").
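
The incident report action and the IncidentReportContent values described above, combined into one rule that reports metadata only. This is an added example, not part of the original documentation; the rule name and report mailbox are placeholders, and it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example, not from the original documentation.
# Assumes a connected Exchange Online PowerShell session.
$ruleName      = 'DLP - card and routing numbers to external recipients'  # placeholder name
$reportMailbox = 'dlp-reports@contoso.com'                                # placeholder mailbox

# Condition: the @{Name=...; minCount=...} syntax of the SensitiveInformationTypes
# property. This matches at least two credit card numbers and one ABA routing number.
$dataClasses = @(
    @{ Name = 'Credit Card Number'; minCount = '2' },
    @{ Name = 'ABA Routing Number'; minCount = '1' }
)

# Report content: metadata only. IdMatch (the exact matched content plus the
# 150 characters before and after it) and AttachOriginalMail (the entire message)
# would copy the sensitive data into the report mailbox, so they are left out.
$reportFields = 'Sender', 'Recipients', 'Subject', 'Severity',
                'RuleDetections', 'DataClassifications'

$rule = @{
    Name                               = $ruleName
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = $dataClasses
    GenerateIncidentReport             = $reportMailbox   # an incident report goes to one recipient
    IncidentReportContent              = $reportFields
    SetAuditSeverity                   = 'High'
}
New-TransportRule @rule

# Read the rule back and confirm that no content-bearing field is configured.
$created = Get-TransportRule -Identity $ruleName
$created | Format-List Name, State, SetAuditSeverity, GenerateIncidentReport, IncidentReportContent

$risky = @($created.IncidentReportContent |
    Where-Object { "$_" -in 'IdMatch', 'AttachOriginalMail' })
if ($risky.Count -gt 0) {
    Write-Warning "Incident reports for '$ruleName' will contain message content: $($risky -join ', ')"
}
```

The read-back check is also useful against existing rules: run the same Where-Object filter over the output of Get-TransportRule to find rules whose reports carry matched content or the original mail.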

For more information


Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Manage mail flow rules
Mail flow rule actions in Exchange Server
Organization-wide message disclaimers, signatures, footers, or headers in Office 365
Office 365 Message Encryption
Best practices for configuring mail flow rules in Exchange Online
3/4/2019

Follow these best practice recommendations for mail flow rules (also known as transport rules) in order to avoid
common configuration errors. Each recommendation links to a topic with an example and step-by-step
instructions.

Test your rules


To make sure unexpected things don't happen to people's email, and to make sure you're really meeting the
business, legal, or compliance intentions of your rule, be sure to test it thoroughly. There are many options, and
rules can interact with each other, so it's important to test both messages that you expect to match the rule and
messages that you expect not to match it, in case you inadvertently made a rule too general. To learn all the
options for testing rules, see Test a mail flow rule.

Scope your rule


Make sure your rule applies only to the messages you intend it to. For example:
• Restrict a rule to messages either coming into or going out of the organization
  By default, a new rule applies to messages that are either sent or received by people in your organization.
  So if you want the rule to apply only one way, be sure to specify that in the conditions for the rule. For an
  example, see Common attachment blocking scenarios for mail flow rules.
• Restrict a rule based on the sender's or receiver's domain
  By default, a new rule applies to messages sent from or received at any domain. Sometimes you want a rule
  to apply to all domains except for one, or to just one domain. For examples, see Create organization-wide
  safe sender or blocked sender lists in Office 365.
For a complete list of all the conditions and exceptions that are available for mail flow rules, see Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

Know when you need two rules


Sometimes it takes two rules to do what you want. Mail flow rules are processed in order, so multiple rules can
apply to the same message. For example, if one of the actions is to block the message, and you also have another
action you'd like to apply, such as copying the message to the sender's manager or changing the subject for the
notification message, you would need two rules. The first rule could copy the message to the sender's manager and
change the subject, and the second rule could block the message.
If you use two rules like this, be sure that the conditions are identical. To see examples, look at example 3 in
Common message approval scenarios in Exchange Online, example 3 in Common attachment blocking scenarios
for mail flow rules in Exchange Online, and Organization-wide message disclaimers, signatures, footers, or headers
in Exchange Online.

Don't repeat an action on every email in a conversation


The chain of email in a conversation can include many individual messages, and repeating the action on each
message in the thread might get annoying. For example, if you have an action such as adding a disclaimer, you
might want it to apply only to the first message in the thread. If so, add an exception for messages that already
include the disclaimer text. For an example, see Organization-wide message disclaimers, signatures, footers, or
headers in Exchange Online.

Know when to stop rule processing


Sometimes it makes sense to stop rule processing once a rule is matched. For example, if you have one rule to
block messages with attachments and one to insert a disclaimer in messages that match a pattern, you probably
should stop rule processing once the message is blocked. There's no need for further action.
To stop rule processing after a rule is triggered, in the rule, select the Stop processing more rules check box.
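
The two-rule pattern from "Know when you need two rules" together with the stop-processing advice above, as an added example that is not part of the original documentation. It assumes a connected Exchange Online PowerShell session; the rule names, the 10 MB limit and the rejection text are placeholders.

```powershell
# Added example, not from the original documentation.
# Assumes a connected Exchange Online PowerShell session.

# The shared conditions live in one hashtable, so both rules always match
# exactly the same messages (external recipients, attachment over 10 MB).
$conditions = @{
    SentToScope        = 'NotInOrganization'
    AttachmentSizeOver = '10MB'
}

# Rule 1 (must run first): copy the sender's manager and tag the subject.
# It does not stop rule processing, otherwise rule 2 would never see the message.
$notify = @{
    Name                      = 'Large outbound attachment - copy manager'   # placeholder
    AddManagerAsRecipientType = 'Bcc'
    PrependSubject            = 'Blocked attachment: '
    SetAuditSeverity          = 'Medium'
}

# Rule 2 (must run second): reject with an explanation and a DSN code from the
# 5.7.900 through 5.7.999 range, then stop processing further rules.
$block = @{
    Name                            = 'Large outbound attachment - block'    # placeholder
    RejectMessageReasonText         = 'Attachments over 10 MB cannot be sent to external recipients.'
    RejectMessageEnhancedStatusCode = '5.7.900'
    SetAuditSeverity                = 'Medium'
    StopRuleProcessing              = $true
}

# Created in this order, each new rule is added after the existing ones,
# so the notify rule gets the lower priority number and is processed first.
New-TransportRule @conditions @notify
New-TransportRule @conditions @block

# Verify the relative order instead of assuming it.
$pair = Get-TransportRule |
    Where-Object { $_.Name -in @($notify.Name, $block.Name) } |
    Sort-Object Priority
$pair | Format-Table Name, Priority, State, Mode, StopRuleProcessing

if (@($pair).Count -ne 2 -or $pair[0].Name -ne $notify.Name) {
    Write-Warning 'The block rule is not ordered after the notify rule; correct the priorities before relying on this pair.'
}
```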

If you have lots of keywords or patterns to match, load them from a file
For example, you might want to prevent emails from being sent if they contain a list of unacceptable or bad words.
You can create a text file containing these words and phrases, and then use PowerShell to set up a mail flow rule
that blocks messages that use them.
The text file can contain regular expressions for patterns. These expressions are not case-sensitive. Common
regular expressions include:

EXPRESSION MATCHES

. Any single character

* Any additional characters

\d Any decimal digit

[character_group] Any single character in character_group.

For an example that shows a text file with regular expressions and the Exchange module Windows PowerShell
commands to use, see Use mail flow rules to route email based on a list of words, phrases, or patterns in Exchange
Online.
To learn how to specify patterns using regular expressions, see Regular Expression Reference.
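
One way to load a pattern list from a file and stage the rule in test mode first, as an added example that is not part of the original documentation. It assumes a connected Exchange Online PowerShell session; the file name, sample patterns, rule name and rejection text are constructed for illustration.

```powershell
# Added example, not from the original documentation.
# Assumes a connected Exchange Online PowerShell session.
$listPath = Join-Path ([System.IO.Path]::GetTempPath()) 'blocked-patterns.txt'
$ruleName = 'Block listed words and patterns (staged)'   # placeholder name

# Constructed sample list: one phrase or regular expression per line, using only
# the constructs from the table above (., *, \d, [character_group]).
@'
project bluebird
acct-\d\d\d\d\d\d
invoice-[ab]\d\d\d

project bluebird
'@ | Set-Content -Path $listPath -Encoding UTF8

# Normalize the list: trim, drop blank lines, remove duplicates.
$patterns = @(Get-Content -Path $listPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

if ($patterns.Count -eq 0) {
    throw "No patterns found in $listPath; refusing to create a rule with an empty list."
}

# Rough syntax check only. .NET's regex engine is not the one Exchange uses, so
# this catches gross errors such as an unclosed [ group, not every difference.
$invalid = @(foreach ($p in $patterns) {
    try { [void][regex]::new($p) } catch { $p }
})
if ($invalid.Count -gt 0) {
    throw "These patterns do not parse: $($invalid -join '; ')"
}

# Stage the rule in Audit mode so matches are logged before anything is enforced.
$rule = @{
    Name                         = $ruleName
    SentToScope                  = 'NotInOrganization'
    SubjectOrBodyMatchesPatterns = $patterns
    RejectMessageReasonText      = 'This message contains content that cannot be sent externally.'
    SetAuditSeverity             = 'Medium'
    Mode                         = 'Audit'
}
New-TransportRule @rule

Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, SubjectOrBodyMatchesPatterns

# After testing with messages that should and should not match:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```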
Use mail flow rules to inspect message attachments in Exchange Online
3/4/2019 • 8 minutes to read • Edit Online

You can inspect email attachments in your Exchange Online organization by setting up mail flow rules (also
known as transport rules). Exchange Online offers mail flow rules that provide the ability to examine email
attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can
then take action on the messages that were inspected based on the content or characteristics of those
attachments. Here are some attachment-related tasks you can do by using mail flow rules:
- Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.
- Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.
- Check for messages with attachments that can't be inspected and then block the entire message from being sent.
- Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.
- Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint or the Windows Server File Classification Infrastructure (FCI).
- Create notifications that alert users if they send a message that has matched a mail flow rule.
- Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules in Exchange Online.

NOTE
All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules.
You need to be assigned permissions before you can perform this procedure. After you start to create a new rule,
you can see the full list of attachment-related conditions by clicking More options > Any attachment under
Apply this rule if. The attachment-related options are shown in the following diagram.
For more information about mail flow rules, including the full range of conditions and actions that you can
choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid
customers can benefit from the mail flow rules best practices provided in Best Practices for Configuring EOP. If
you're ready to start creating rules, see Manage mail flow rules in Exchange Online.

Inspect the content within attachments


You can use the mail flow rule conditions in the following table to examine the content of attachments to
messages. For these conditions, only the first one megabyte (MB) of text extracted from an attachment is
inspected. Note that the 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2
MB file may contain less than 1 MB of text, so all of the text would be inspected.
In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule.
Learn about creating or changing rules at Manage mail flow rules in Exchange Online.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
| --- | --- | --- |
| Any attachment's content includes / Any attachment > content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
| Any attachment's content matches / Any attachment > content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |
| Any attachment's content can't be inspected / Any attachment > content can't be inspected | AttachmentIsUnsupported | Mail flow rules only can inspect the content of supported file types. If the mail flow rule encounters an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section. |

Notes:
- The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
- Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
- To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

Supported file types for mail flow rule content inspection
The following table lists the file types supported by mail flow rules. The system automatically detects file types by
inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers
from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable
code that can be checked within the context of mail flow rules is listed later in this topic.

| Category | File extension | Notes |
| --- | --- | --- |
| Office 2007 and later | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. |
| Office 2003 | .doc, .ppt, .xls | None |
| Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None |
| Adobe PDF | .pdf | None |
| HTML | .html | None |
| XML | .xml, .odp, .ods, .odt | None |
| Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx | None |
| OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected. |
| AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported. |
| Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There is no optical character recognition. |
| Compressed archive files | .bz2, .cab, .gz, .rar, .tar, .zip, .7z | The content of these files, which were originally in a supported file type format, are inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn't inspected. |

Inspect the file properties of attachments


The following conditions can be used in mail flow rules to inspect different properties of files that are attached to
messages. In order to start using these conditions when inspecting messages, you need to add them to a mail
flow rule. For more information about creating or changing rules, see Manage mail flow rules.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
| --- | --- | --- |
| Any attachment's file name matches / Any attachment > file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify. |
| Any attachment's file extension matches / Any attachment > file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify. |
| Any attachment is greater than or equal to / Any attachment > size is greater than or equal to | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. |
| The message didn't complete scanning / Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the mail flow rules agent. |
| Any attachment has executable content / Any attachment > has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here. |
| Any attachment is password protected / Any attachment > is password protected | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents and .zip files. |
| Any attachment has these properties, including any of these words / Any attachment > has these properties, including any of these words | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma. |

Notes:
- The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.
- Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.
- To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Supported executable file types for mail flow rule inspection
The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This
helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The
following table lists the executable file types supported by these conditions. If a file is found that is not listed here,
the AttachmentIsUnsupported condition is triggered.

| Type of file | Native extension |
| --- | --- |
| 32-bit Windows executable file with a dynamic link library extension. | .dll |
| Self-extracting executable program file. | .exe |
| Uninstallation executable file. | .exe |
| Program shortcut file. | .exe |
| 32-bit Windows executable file. | .exe |
| Microsoft Visio XML drawing file. | .vxd |
| OS/2 operating system file. | .os2 |
| 16-bit Windows executable file. | .w16 |
| Disk-operating system file. | .dos |
| European Institute for Computer Antivirus Research standard antivirus test file. | .com |
| Windows program information file. | .pif |
| Windows executable program file. | .exe |

IMPORTANT
.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code,
3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy
that blocks these file types (the common attachment types filter). For more information, see Configure Anti-Malware
Policies.
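
Each condition above covers a different way an attachment can escape content inspection, and because all conditions in one rule must match, each gap needs its own rule. The following added example (not part of the original article) creates those rules in test mode; the rule names, rejection text, and comments are placeholders.

```powershell
# Added example. Run in an Exchange Online PowerShell session.
# One rule per inspection gap. Keys are used in the rule name and reject text;
# values are the New-TransportRule condition parameters from the tables above.
$gaps = [ordered]@{
    'content cannot be inspected'   = @{ AttachmentIsUnsupported           = $true }
    'scanning did not complete'     = @{ AttachmentProcessingLimitExceeded = $true }
    'password-protected attachment' = @{ AttachmentIsPasswordProtected     = $true }
    'executable content'            = @{ AttachmentHasExecutableContent    = $true }
    # .rar, .jar and .obj are not treated as executable types (see the
    # IMPORTANT note above), so they are matched by file extension instead.
    'rar, jar or obj attachment'    = @{ AttachmentExtensionMatchesWords   = 'rar', 'jar', 'obj' }
}

foreach ($gap in $gaps.Keys) {
    $condition = $gaps[$gap]

    # Mode Audit is "Test without Policy Tips": matches are logged but the
    # reject action is not applied, so the impact can be measured first.
    New-TransportRule -Name "Attachment gap - $gap" @condition `
        -RejectMessageReasonText "Message blocked by attachment policy: $gap." `
        -SetAuditSeverity High `
        -Mode Audit `
        -Comments 'Created in test mode; review matches before enforcing.'
}

# Review what was created and the order in which the rules are processed.
Get-TransportRule |
    Where-Object Name -like 'Attachment gap - *' |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode

# After reviewing the logged matches, enforce one rule at a time, for example:
# Set-TransportRule -Identity 'Attachment gap - executable content' -Mode Enforce
```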

Data loss prevention policies and attachment mail flow rules


To help you manage important business information in email, you can include any of the attachment-related
conditions along with the rules of a data loss prevention (DLP) policy.
DLP policies and attachment-related conditions can help you enforce your business needs by defining those
needs as mail flow rule conditions, exceptions, and actions. When you include the sensitive information inspection
in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related
conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not
available with all versions of Exchange; learn more at Data loss prevention.

For more information


For information on broadly blocking email with attachments, regardless of malware status, see Reducing Malware
Threats Through File Attachment Blocking in Exchange Online Protection.
Enable message encryption and decryption in Office 365
3/4/2019 • 2 minutes to read

Office 365 Message Encryption lets email users send encrypted messages to people inside or outside their
organization. For information about Office 365 Message Encryption, see Set up new Office 365 Message
Encryption capabilities. To learn how to create mail flow rules (also known as transport rules) for encryption, see
Define rules to encrypt or decrypt email messages.

See also
Encryption in Office 365
Common attachment blocking scenarios for mail flow rules in Exchange Online
3/4/2019 • 4 minutes to read

Your organization might require that certain types of messages be blocked or rejected in order to meet legal or
compliance requirements, or to implement specific business needs. This article discusses examples of common
scenarios for blocking all attachments, which you can set up using mail flow rules (also known as transport rules) in
Exchange Online.
For additional examples showing how to block specific attachments, see:
- Using mail flow rules to inspect message attachments (Exchange Server)
- Use mail flow rules to inspect message attachments in Office 365 (Exchange Online, Exchange Online Protection)

The malware filter includes a Common Attachment Types Filter. In the Exchange admin center (EAC), go to
Protection, then click New to add filters. In the Exchange Online portal, browse to Protection, and then
select Malware Filter.
To get started implementing any of these scenarios to block certain message types:
1. Open the Exchange admin center (EAC). For more information, see Exchange admin center in Exchange
Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.
Note: In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which should detect most
attachments. However, if you want to detect every possible attachment of any size, you need to use PowerShell to
adjust the attachment size to 1 byte after you create the rule in the EAC. To learn how to connect to Exchange
Online PowerShell, see Connect to Exchange Online PowerShell. To learn how to connect to Exchange Online
Protection PowerShell, see Connect to Exchange Online Protection PowerShell.
Replace <Rule Name> with the name of the existing rule, and run the following command to set the attachment
size to 1 byte:

Set-TransportRule -Identity "<Rule Name>" -AttachmentSizeOver 1B

After you adjust the attachment size to 1 byte, the value that's displayed for the rule in the EAC is 0.00 KB.

Example 1: Block messages with attachments, and notify the sender


If you don't want people in your organization to send or receive attachments, you can set up a mail flow rule to
block all messages with attachments.
In this example, all messages sent to or from the organization with attachments are blocked.
If all you want to do is block the message, you might want to stop rule processing once this rule is matched. Scroll
down the rule dialog box, and select the Stop processing more rules check box.

Example 2: Notify intended recipients when an inbound message is blocked

If you want to reject a message but let the intended recipient know what happened, you can use the Notify the
recipient with a message action.
You can include placeholders in the notification message so that it includes information about the original
message. The placeholders must be enclosed in two percent signs (%%), and when the notification message is
sent, the placeholders are replaced with information from the original message. You can also use basic HTML
such as <br>, <b>, <i>, and <img> in the message.

| Type of information | Placeholder |
| --- | --- |
| Sender of the message. | %%From%% |
| Recipients listed on the "To" line. | %%To%% |
| Recipients listed on the "Cc" line. | %%Cc%% |
| Subject of the original message. | %%Subject%% |
| Headers from the original message. This is similar to the list of headers in a delivery status notification (DSN) generated for the original message. | %%Headers%% |
| Date the original message was sent. | %%MessageDate%% |

In this example, all messages that contain attachments and are sent to people inside your organization are
blocked, and the recipient is notified.
Example 3: Modify the subject line for notifications
When a notification is sent to the recipient, the subject line is the subject of the original message. If you want to
modify the subject so that it is clearer to the recipient, you must use two mail flow rules:
- The first rule adds the word "undeliverable" to the beginning of the subject of any messages with attachments.
- The second rule blocks the message and sends a notification message to the sender using the new subject of the original message.

IMPORTANT
The two rules must have identical conditions. Rules are processed in order, so the first rule adds the word "undeliverable",
and the second rule blocks the message and notifies the recipient.

Here's what the first rule would look like if you want to add "undeliverable" to the subject:

And the second rule does the blocking and notification (the same rule from Example 2):
Example 4: Apply a rule with a time limit
If you have a malware outbreak, you might want to apply a rule with a time limit so that you temporarily block
attachments. For example, the following rule has both a start and stop day and time:
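
The rule pair from Example 3 combined with the time limit from Example 4, written as an added Exchange Online PowerShell example (it is not part of the original article). The rule names, dates, and notification text are constructed, and the block action is assumed here to be a silent delete with a recipient notification.

```powershell
# Added example. Run in an Exchange Online PowerShell session.

# Example 3 requires both rules to have identical conditions, so they are
# defined once and splatted into both commands.
$conditions = @{
    SentToScope        = 'InOrganization'  # recipients inside the organization (inbound mail)
    AttachmentSizeOver = '1B'              # any attachment of any size, per the 1-byte note above
}

# Example 4: both rules are only processed inside this window (constructed dates).
$window = @{
    ActivationDate = [datetime]'2019-03-04 08:00'
    ExpiryDate     = [datetime]'2019-03-11 08:00'
}

# Rule 1 changes the subject. It is created first so that it is processed
# before rule 2; the listing at the end confirms the order.
New-TransportRule -Name 'Outbreak 1 - mark subject' @conditions @window `
    -PrependSubject 'undeliverable: '

# Rule 2 blocks the message and notifies the intended recipient. The
# placeholders are filled in from the original message when the notice is sent.
$notice = 'A message from %%From%% with the subject "%%Subject%%", ' +
          'sent on %%MessageDate%%, was blocked because it contained an attachment.<br>' +
          'Attachments are temporarily not accepted.'

New-TransportRule -Name 'Outbreak 2 - block and notify' @conditions @window `
    -DeleteMessage $true `
    -GenerateNotification $notice `
    -StopRuleProcessing $true

# Rule 1 must show a lower Priority number than rule 2.
Get-TransportRule |
    Where-Object Name -like 'Outbreak *' |
    Sort-Object Priority |
    Format-Table Priority, Name, State, ActivationDate, ExpiryDate
```
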

See also
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (Exchange Server)
Mail flow rules (Exchange Online Protection)
Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online
3/4/2019 • 4 minutes to read

You can add an HTML or plain text legal disclaimer, disclosure statement, signature, or other information to the
top or bottom of email messages that enter or leave your organization. To do this, you create a mail flow rule (also
known as a transport rule) that adds the required information to messages.
Notes:
- Users can apply signatures to their own outgoing messages in Outlook or Outlook on the web (formerly known as Outlook Web App). For more information, see Create and add an email signature in Outlook Web App.
- If you want the information to be added only to outgoing messages, you need to add a corresponding condition (for example, recipients located outside the organization). By default, mail flow rules are applied to incoming and outgoing messages.
- To avoid multiple disclaimers being added in an email conversation, add an exception that looks for unique text in your disclaimer. This ensures that the disclaimer is only added to the original message.
- Test the disclaimer. When you create the mail flow rule, you have the option to start using it immediately (Enforce), or to test it first and view the results in the messaging log. We recommend testing all mail flow rules prior to setting them to Enforce.
For examples and information about how to scope and format disclaimers, signatures, and other additions to
email messages, see Organization-wide disclaimers, signatures, footers, or headers in Exchange 2016.

What do you need to know before you begin?


Estimated time to complete each procedure: 7 minutes.
For information about how to access the Exchange admin center (EAC), see Exchange admin center in
Exchange Online. To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to add a disclaimer or other email header or footer


1. Open the EAC and go to Mail flow > Rules.
2. Click Add, and then click Apply disclaimers.
3. In the New rule window that appears, enter a unique name for the rule.
4. In the Apply this rule if box, select the conditions for displaying the disclaimer. For example, select The
recipient is located condition, and then select Outside the organization. If you want this rule to apply
to every message that enters or leaves your organization, select [Apply to all messages].
5. Next to the Do the following box, select Enter text to enter the text of your disclaimer. For information
about what can be added, see Formatting your disclaimer.
6. Click Select one, and select one of the Fallback options if the disclaimer can't be added.
7. Specify the audit severity level to assign the severity level that appears in the message log.
8. Select the mode for the rule. Select Enforce to turn on the disclaimer immediately, or select Test without
Policy Tips to put a message in the message tracking log instead of adding the disclaimer.
9. If you have additional conditions or exceptions that you want to add, select More options at the bottom of
the page, which will show additional settings. For example, to add the exception that prevents multiple
disclaimers being added in an email conversation, select Add exception and then select The subject or
body > Subject or body matches these text patterns, and then specify the words or phrases in your
disclaimer. Or, to put your disclaimer at the top of the email message instead of the bottom, in Do the
following, select Apply a disclaimer to the message > prepend a disclaimer.
10. When you're finished, click Save.
For more examples of how to scope your disclaimer, see Scoping your disclaimer.

Use Exchange Online PowerShell to add a disclaimer or other email header or footer

Use the New-TransportRule cmdlet to create the disclaimer rule. For detailed parameter information, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online or Mail flow rule conditions and exceptions
(predicates) in Exchange Online Protection.
This example creates a new mail flow rule that adds a disclaimer with an image to the end of all email messages
that are sent outside the organization.

New-TransportRule -Name "External Disclaimer" -SentToScope NotInOrganization -ApplyHtmlDisclaimerText "<h3>Disclaimer Title</h3><p>This is the disclaimer text.</p><img alt='Contoso logo' src='http://www.contoso.com/images/logo.gif'>"

This example creates a new mail flow rule that adds an advertisement for one month to the beginning of all
outgoing messages.

New-TransportRule -Name "March Special" -Enabled $true -SentToScope NotInOrganization -ApplyHtmlDisclaimerLocation Prepend -ActivationDate '03/1/2017' -ExpiryDate '03/31/2017' -ApplyHtmlDisclaimerText "<table align=center width=200 border=1 bordercolor=blue bgcolor=green cellpadding=10 cellspacing=0><tr><td nowrap><a href=http://www.contoso.com/marchspecials.htm>Click to see March specials</a></td></tr></table>"

For more examples of how to scope your disclaimer, see Scoping your disclaimer.
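
The EAC procedure above also sets a fallback option, an audit severity, a test mode, and an exception that keeps the disclaimer from being repeated in a conversation. The following added example (not from the original article) sets the same options from PowerShell; the rule name and the marker phrase are placeholders.

```powershell
# Added example. Run in an Exchange Online PowerShell session.

# A phrase that appears only in the disclaimer. The exception looks for it so
# replies and forwards that already carry the disclaimer are left alone.
# It contains no regular expression metacharacters, so it matches literally.
$marker = 'This is the Contoso external disclaimer'

$rule = @{
    Name                                 = 'External Disclaimer (once per conversation)'
    SentToScope                          = 'NotInOrganization'   # outgoing mail only
    ApplyHtmlDisclaimerLocation          = 'Append'              # use Prepend to put it at the top
    ApplyHtmlDisclaimerText              = "<h3>Disclaimer Title</h3><p>$marker.</p>"
    ApplyHtmlDisclaimerFallbackAction    = 'Wrap'                # step 6: Wrap, Ignore or Reject
    ExceptIfSubjectOrBodyMatchesPatterns = $marker               # step 9: skip if already present
    SetAuditSeverity                     = 'Low'                 # step 7
    Mode                                 = 'Audit'               # step 8: Test without Policy Tips
}
New-TransportRule @rule

# Confirm the stored settings before sending test messages.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, Mode, ApplyHtmlDisclaimerLocation,
                ApplyHtmlDisclaimerFallbackAction, ExceptIfSubjectOrBodyMatchesPatterns

# When the test results look right, turn the disclaimer on:
# Set-TransportRule -Identity $rule.Name -Mode Enforce
```
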

How do you know this worked?


To verify that you've successfully created a disclaimer, and that the disclaimer works as expected, do the following
steps:
- Send yourself both a plain text email and an HTML email that match the conditions and exceptions you defined, and verify that the text appears as you intended.
- If you added an exception to avoid adding the disclaimer to successive messages in a conversation, forward your test messages to yourself to make sure that they don't get an extra copy of the disclaimer.
- Send yourself some messages that should not get the disclaimer and verify that the disclaimer is not included.

For more information


After you configure a disclaimer or email header or footer, see Manage mail flow rules for information about how
to view, modify, enable, disable, or remove a rule.
Mail flow rule procedures in Exchange Online
3/4/2019 • 2 minutes to read

You can begin using mail flow rules (also known as transport rules) in Exchange Online by using the following
procedures. To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport rules) in
Exchange Online.
- Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online: Information to help you set up a legal disclaimer, email disclaimer, consistent signature, email header, or email footer by using mail flow rules.
- Create organization-wide safe sender or blocked sender lists in Office 365: Information to help you create domain or user-based safe sender and blocked sender lists by using mail flow rules.
- Manage message approval: Information to help you create moderated distribution groups, and forward messages matching a wide variety of criteria to specific approvers.
- Use mail flow rules to route email based on a list of words, phrases, or patterns: Information to help you comply with your organization's email policies.
- Use mail flow rules so messages can bypass Clutter: Information to help you make sure messages are sent to an inbox instead of the Clutter folder.

Topics related to preventing spam:
- Use mail flow rules to set the spam confidence level (SCL) in messages
- Use mail flow rules to inspect message attachments in Office 365
- Common attachment blocking scenarios for mail flow rules
- https://docs.microsoft.com/office365/SecurityCompliance/use-transport-rules-to-configure-bulk-email-filtering
- Additional considerations when configuring IP Allow lists
- Manage mail flow rules: Information to help you create, view, modify, enable, disable, or remove a mail flow rule, and information about importing and exporting mail flow rule collections.
- Test a mail flow rule: Information on various ways to test a mail flow rule.
- Best practices for configuring mail flow rules: Information to help you avoid common configuration errors.
- Use mail protection reports in Office 365 to view data about malware, spam, and rule detections: Information on how to view summary and detail reports about mail flow rule matches.
Manage mail flow rules in Exchange Online
3/4/2019 • 14 minutes to read

You can use mail flow rules (also known as transport rules) in Exchange Online to look for specific conditions on
messages that pass through your organization and take action on them. This topic shows you how to create,
copy, adjust the order, enable or disable, delete, or import or export rules, and how to monitor rule usage.

TIP
To make sure your rules work the way you expect, be sure to thoroughly test each rule and interactions between rules.

Interested in scenarios where these procedures are used? See the following topics:
Common attachment blocking scenarios for mail flow rules
Use mail flow rules to route email based on a list of words, phrases, or patterns
Common message approval scenarios
Use mail flow rules so messages can bypass Clutter
Best practices for configuring mail flow rules
Use mail flow rules to inspect message attachments in Office 365
Define rules to encrypt or decrypt messages

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform these procedures. To see what permissions
you need, see the "Mail flow" entry in Feature permissions in Exchange Online.
When a rule is listed as version 14, this means that the rule is based on an Exchange Server 2010 mail
flow rule format. All options are available for these rules.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Create a mail flow rule


You can create a mail flow rule by setting up a Data Loss Prevention (DLP) policy, creating a new rule, or by
copying a rule. You can use the Exchange admin center (EAC) or Exchange Online PowerShell.
NOTE
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be applied to email.

Use a DLP policy to create mail flow rules


Each DLP policy is a collection of mail flow rules. After you create the DLP policy, you can fine-tune the rules
using the procedures below.
1. Create a DLP policy. For instructions, see:
Exchange Server DLP Procedures
Exchange Online DLP procedures
2. Modify the mail flow rules created by the DLP policy. See View or modify a mail flow rule.
Use the EAC to create a mail flow rule
The EAC allows you to create mail flow rules by using a template, copying an existing rule, or from scratch.
1. Go to Mail flow > Rules.
2. Create the rule by using one of the following options:
To create a rule from a template, click Add and select a template.
To copy a rule, select the rule, and then select Copy.
To create a new rule from scratch, click Add and then select Create a new rule.
3. In the New rule dialog box, name the rule, and then select the conditions and actions for this rule:
a. In Apply this rule if..., select the condition you want from the list of available conditions.
Some conditions require you to specify values. For example, if you select The sender is...
condition, you must specify a sender address. If you're adding a word or phrase, note that
trailing spaces are not allowed.
If the condition you want isn't listed, or if you need to add exceptions, select More options.
Additional conditions and exceptions will be listed.
If you don't want to specify a condition, and want this rule to apply to every message in your
organization, select [Apply to all messages] condition.
b. In Do the following..., select the action you want the rule to take on messages matching the
criteria from the list of available actions.
Some of the actions will require you to specify values. For example, if you select the
Forward the message for approval to... action, you will need to select a recipient in
your organization.
If the action you want isn't listed, select More options. Additional actions will be
listed.
c. Specify how rule match data for this rule is displayed in the Data Loss Prevention (DLP) reports
and the Mail protection reports.
Under Audit this rule with severity level, select a level to specify the severity level for this rule. The
Office 365 activity reports for mail flow rules group rule matches by severity level. Severity level is just
a filter to make the reports easier to use. The severity level has no impact on the priority in which the
rule is processed.

NOTE
If you clear the Audit this rule with severity level checkbox, rule matches will not show up in the rule reports.

d. Set the mode for the rule. You can use one of the two test modes to test the rule without impacting
mail flow. In both test modes, when the conditions are met, an entry is added to the message trace.
Enforce: This turns on the rule and it starts processing messages immediately. All actions on the
rule will be performed.
Test with Policy Tips: This turns on the rule, and any Policy Tip actions (Notify the sender with
a Policy Tip) will be sent, but no actions related to message delivery will be performed. Data Loss
Prevention (DLP) is required in order to use this mode. To learn more, see Policy Tips.
Test without Policy Tips: Only the Generate incident report action will be enforced. No actions
related to message delivery are performed.
4. If you are satisfied with the rule, go to step 5. If you want to add more conditions or actions, or if you want
to specify exceptions or set additional properties, click More options. After you click More options,
complete the following fields to create your rule:
a. To add more conditions, click Add condition. If you have more than one condition, you can
remove any one of them by clicking Remove X next to it. Note that there are a larger variety of
conditions available once you click More options.
b. To add more actions, click Add action. If you have more than one action, you can remove any one
of them by clicking Remove X next to it. Note that there are a larger variety of actions available
once you click More options.
c. To specify exceptions, click Add exception, then select exceptions using the Except if... dropdown.
You can remove any exceptions from the rule by clicking the Remove X next to it.
d. If you want this rule to take effect after a certain date, click Activate this rule on the following
date: and specify a date. Note that the rule will still be enabled prior to that date, but it won't be
processed.
Similarly, you can have the rule stop processing at a certain date. To do so, click Deactivate this
rule on the following date: and specify a date. Note that the rule will remain enabled, but it won't
be processed.
e. You can choose to avoid applying additional rules once this rule processes a message. To do so,
click Stop processing more rules. If you select this, and a message is processed by this rule, no
subsequent rules are processed for that message.
f. You can specify how the message should be handled if the rule processing can't be completed. By
default, the rule will be ignored and the message will be processed regularly, but you can choose to
resubmit the message for processing. To do so, check the Defer the message if rule processing
doesn't complete check box.
g. If your rule analyzes the sender address, it only examines the message headers by default.
However, you can configure your rule to also examine the SMTP message envelope. To specify
what's examined, click one of the following values for Match sender address in message:
Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message envelope will be
examined.
h. You can add comments to this rule in the Comments box.
5. Click Save to complete creating the rule.
Use Exchange Online PowerShell to create a mail flow rule
This example uses the New-TransportRule cmdlet to create a new mail flow rule that prepends
"External message to Sales DG:" to messages sent from outside the organization to the Sales Department
distribution group.

# SentToMemberOf is used because the SentTo condition can't specify a distribution group.
New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentToMemberOf "Sales Department" -PrependSubject "External message to Sales DG:"

The rule parameters and action used in the above procedure are for illustration only. Review all the available mail
flow rule conditions and actions to determine which ones meet your requirements.
How do you know this worked?
To verify that you have successfully created a new mail flow rule, do the following:
In the EAC, verify that the new mail flow rule you created is listed in the Rules list.
From Exchange Online PowerShell, verify that you created the new mail flow rule successfully by running
the following command (the example below verifies the rule created in Exchange Online PowerShell
example above):

Get-TransportRule "Mark messages from the Internet to Sales DG"

View or modify a mail flow rule


NOTE
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be applied to email.

Use the EAC to view or modify a mail flow rule


1. In the EAC, go to Mail flow > Rules.
2. When you select a rule in the list, the conditions, actions, exceptions and select properties of that rule are
displayed in the details pane. To view all the properties of a specific rule, double-click it. This opens the
rule editor window, where you can make changes to the rule. For more information about rule properties,
see the Use the EAC to create a mail flow rule section, earlier in this topic.
Use Exchange Online PowerShell to view or modify a mail flow rule
The following example gives you a list of all rules configured in your organization:

Get-TransportRule

To view the properties of a specific mail flow rule, you provide the name of that rule or its GUID. It is usually
helpful to send the output to the Format-List cmdlet to format the properties. The following example returns all
the properties of the mail flow rule named Sender is a member of Marketing:
Get-TransportRule "Sender is a member of marketing" | Format-List

To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This cmdlet allows you to change
any property, condition, action or exception associated with a rule. The following example adds an exception to
the rule "Sender is a member of marketing" so that it won't apply to messages sent by the user Kelly Rollin:

Set-TransportRule "Sender is a member of marketing" -ExceptIfFrom "Kelly Rollin"

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:
From the rules list in the EAC, click the rule you modified in the Rules list and view the details pane.
From Exchange Online PowerShell, verify that you modified the mail flow rule successfully by running the
following command to list the properties you modified along with the name of the rule (the example
below verifies the rule modified in Exchange Online PowerShell example above):

Get-TransportRule "Sender is a member of marketing" | Format-List Name,ExceptIfFrom

Mail flow rule properties


You can also use the Set-TransportRule cmdlet to modify existing mail flow rules in your organization. Below is a
list of properties not available in the EAC that you can change. For more information on using the
Set-TransportRule cmdlet to make these changes, see Set-TransportRule.

CONDITION NAME IN THE EAC | CONDITION NAME IN EXCHANGE ONLINE POWERSHELL | DESCRIPTION

Stop Processing Rules | StopRuleProcessing | Enables you to stop processing additional rules

Header/Envelope matching | SenderAddressLocation | Enables you to examine the SMTP message envelope to ensure the header and envelope match

Audit severity | SetAuditSeverity | Enables you to select a severity level for the audit

Rule modes | Mode | Enables you to set the mode for the rule

Set the priority of a mail flow rule


The rule at the top of the list is processed first. This rule has a Priority of 0.
Use the EAC to set the priority of a rule
1. In the EAC, go to Mail flow > Rules. This displays the rules in the order in which they are processed.
2. Select a rule, and use the arrows to move the rule up or down the list.
Use Exchange Online PowerShell to set the priority of a rule
The following example sets the priority of "Sender is a member of marketing" to 2:
Set-TransportRule "Sender is a member of marketing" -Priority 2

How do you know this worked?


To verify that you have successfully modified a mail flow rule, do the following:
From the rules list in the EAC, look at the order of the rules.
From Exchange Online PowerShell, verify the priority of the rules (the example below verifies the rule
modified in Exchange Online PowerShell example above):

Get-TransportRule * | Format-List Name,Priority

Enable or disable a mail flow rule


Rules are enabled when you create them. You can disable a mail flow rule.
Use the EAC to enable or disable a mail flow rule
1. In the EAC, go to Mail flow > Rules.
2. To disable a rule, clear the check box next to its name.
3. To enable a disabled rule, select the check box next to its name.
Use Exchange Online PowerShell to enable or disable a mail flow rule
The following example disables the mail flow rule "Sender is a member of marketing":

Disable-TransportRule "Sender is a member of marketing"

The following example enables the mail flow rule "Sender is a member of marketing":

Enable-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully enabled or disabled a mail flow rule, do the following:
In the EAC, view the list of rules in the Rules list and check the status of the check box in the ON column.
From Exchange Online PowerShell, run the following command which will return a list of all rules in your
organization along with their status:

Get-TransportRule | Format-Table Name,State

Remove a mail flow rule


Use the EAC to remove a mail flow rule
1. In the EAC, go to Mail flow > Rules.
2. Select the rule you want to remove and then click Delete.
Use Exchange Online PowerShell to remove a mail flow rule
The following example removes the mail flow rule "Sender is a member of marketing":
Remove-TransportRule "Sender is a member of marketing"

How do you know this worked?


To verify that you have successfully removed the mail flow rule, do the following:
In the EAC, view the rules in the Rules list and verify that the rule you removed is no longer shown.
From Exchange Online PowerShell, run the following command and verify that the rule you removed is no
longer listed:

Get-TransportRule

Monitor rule usage


If you're using Exchange Online or Exchange Online Protection, you can check the number of times each rule is
matched by using a rules report. In order to be included in the reports, a rule must have the Audit this rule
with severity level check box selected. You can look at a report online, or download an Excel version of all the
mail protection reports.

NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.

Use the Office 365 admin center to generate a rules report


1. In the Office 365 admin center, select Reports.
2. In the Rules section, select Top rule matches for mail or Rule matches for mail.
To learn more, see View mail protection reports.
Download an Excel version of the reports
1. On the Reports page in the Office 365 admin center, select Mail protection reports (Excel).
2. If it is your first time using the Excel mail protection reports, a tab opens to the download page.
a. Select Download to download the Microsoft Office 365 Excel Plugin for Exchange Online
Reporting.
b. Open the download.
c. In the Mail Protection reports for Office 365 Setup dialog box, select Next, accept the terms of
the license agreement, and then select Next.
d. Select the service you are using, and then select Next.
e. Verify the prerequisites, and then select Next.
f. Select Install. A shortcut to the reports is placed on your desktop.
3. On your desktop, select Office 365 Mail Protection Reports.
4. In the report, select the Rules tab.

Import or export a mail flow rule collection


You must use Exchange Online PowerShell to import or export a mail flow rule collection. For information about
how to import a mail flow rule collection from an XML file, see Import-TransportRuleCollection.
For information about how to export a mail flow rule collection to an XML file, see
Export-TransportRuleCollection.

Need more help?


Resources for Exchange Online:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online
Journal, Transport, and Inbox rule limits
Resources for Exchange Online Protection:
Mail flow rules (transport rules) in Exchange Online Protection
Journal, Transport, and Inbox rule limits
Resources for Exchange Server:
Mail flow rules in Exchange Server
Mail flow rule conditions and exceptions (predicates) in Exchange Server
Mail flow rule actions in Exchange Server
Test a mail flow rule in Exchange Online
3/4/2019 • 5 minutes to read

Each time you create a mail flow rule (also known as a transport rule) you should test it before turning it on. This
way, if you accidentally create a condition that doesn't do exactly what you want or interacts with other rules in
unexpected ways, you won't have any unintended consequences.

IMPORTANT
Wait 30 minutes after creating a rule before you test it. If you test immediately after you create the rule, you may get
inconsistent behavior. If you're using Exchange Server and have multiple Exchange servers, it may take even longer for all
the servers to receive the rule.

Step 1: Create a rule in test mode


You can evaluate the conditions for a rule without taking any actions that impact mail flow by choosing a test
mode. You can set up a rule so that you get an email notification any time the rule is matched, or you can look at
the message trace for messages that might match the rule. There are two test modes:
Test without Policy Tips: Use this mode together with an incident report action, and you can receive an
email message each time an email matches the rule.
Test with Policy Tips: This mode is only available if you're using Data loss prevention (DLP), which is
available with some Exchange Online and Exchange Online Protection (EOP) subscription plans. With this
mode, a message is sent to the sender when a message they are sending matches a policy, but no mail flow
actions are taken.
Here's what you'll see when a rule is matched if you include the incident report action:

Use a test mode with an incident report action


1. In the Exchange admin center (EAC), go to Mail flow > Rules.
2. Create a new rule, or select an existing rule, and then select Edit.
3. Scroll down to the Choose a mode for this rule section, and then select Test without Policy Tips or
Test with Policy Tips.
4. Add an incident report action:
a. Select Add action, or, if this isn't visible, select More options, and then select Add action.
b. Select Generate incident report and send it to.
c. Click Select one... and select yourself or someone else.
d. Select Include message properties, and then select any message properties that you want
included in the email you receive. If you don't select any, you will still get an email when the rule is
matched.
5. Select Save.

Step 2: Evaluate whether your rule does what you intend


To test a rule, you can either send enough test messages to confirm that what you expect happens, or look at the
message trace for messages that people in your organization send. Be sure to evaluate the following types of
messages:
Messages that you expect to match the rule
Messages that you don't expect to match the rule
Messages sent to and from people in your organization
Messages sent to and from people outside your organization
Replies to messages that match the rule
Messages that might cause interactions between multiple rules
Tips for sending test messages
One way to test is to sign in as both the sender and recipient of a test message.
If you don't have access to multiple accounts in your organization, you can test in an Office 365 trial
account or create a few temporary fake users in your organization.
Because a web browser typically doesn't let you have simultaneous open sessions on the same computer
signed in to multiple accounts, you can use Internet Explorer InPrivate Browsing, or a different computer,
device, or web browser for each user.
Look at the message trace
The message trace includes an entry for each rule that is matched for the message, and an entry for each action
the rule takes. This is useful for tracking what happens to test messages, and also for tracking what happens to
real messages going through your organization.

1. In the EAC, go to Mail flow > Message trace.


2. Find the messages that you want to trace by using criteria such as the sender and the date sent. For help
specifying criteria, see Run a Message Trace and View Results.
3. After locating the message you want to trace, double-click it to view details about the message.
4. Look in the Event column for Transport rule. The Action column shows the specific action taken.

Step 3: When you're done testing, set the rule to enforce


1. In the EAC, go to Mail flow > Rules.
2. Select a rule, and then select Edit.
3. Select Enforce.
4. If you used an action to generate an incident report, select the action and then select Remove.
5. Select Save.

TIP
To avoid surprises, inform your users about new rules.
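
The three steps above can also be carried out from Exchange Online PowerShell. The following is an added example, not part of the original topic. It assumes a connected Exchange Online PowerShell session in which Get-MessageTrace is available; the rule name, keyword, and mailbox addresses are hypothetical placeholders.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Rule name, keyword and addresses below are hypothetical placeholders.
$ruleName = 'Test - external mail mentioning Project Falcon'
$reportTo = 'mailflow-testing@contoso.com'
$tester   = 'tester@contoso.com'

# Step 1: create the rule in "Test without Policy Tips" mode (-Mode Audit).
# In this mode only the incident report is generated; the reject action is
# evaluated and recorded in the message trace but not performed.
# (-Mode AuditAndNotify is "Test with Policy Tips" and requires DLP.)
$newRule = @{
    Name                       = $ruleName
    SentToScope                = 'NotInOrganization'
    SubjectOrBodyContainsWords = 'Project Falcon'
    RejectMessageReasonText    = 'Do not discuss Project Falcon externally.'
    GenerateIncidentReport     = $reportTo
    IncidentReportContent      = 'Sender', 'Recipients', 'Subject', 'RuleDetections'
    SetAuditSeverity           = 'Medium'   # keeps rule matches visible in the rule reports
    Mode                       = 'Audit'
}
New-TransportRule @newRule

# Confirm what was stored before sending any test mail.
Get-TransportRule $ruleName | Format-List Name, State, Mode, Priority, SetAuditSeverity

# Step 2: after waiting 30 minutes and sending test messages, list the
# "Transport rule" events recorded for the tester's messages.
$since = (Get-Date).AddHours(-4)
Get-MessageTrace -SenderAddress $tester -StartDate $since -EndDate (Get-Date) |
    ForEach-Object {
        Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
    } |
    Where-Object { $_.Event -eq 'Transport rule' } |
    Format-Table Date, Event, Action, Detail -AutoSize -Wrap

# Step 3: when the matches are what you expect, enforce the rule and
# remove the incident report action that was only needed for testing.
Set-TransportRule $ruleName -Mode Enforce -GenerateIncidentReport $null -IncidentReportContent $null

# Verify the final state.
Get-TransportRule $ruleName | Format-List Name, State, Mode, GenerateIncidentReport
```
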

Troubleshooting suggestions
Here are some common problems and resolutions:
Everything looks right, but the rule isn't working.
Occasionally it takes longer than 15 minutes for a new mail flow rule to be available. Wait a few hours, and then
test again. Also check to see if another rule might be interfering. Try changing this rule to priority 0 by
moving it to the top of the list.
Disclaimer is added to original message and all replies, instead of just the original message.
To avoid this, you can add an exception to your disclaimer rule to look for a unique phrase in the disclaimer.
My rule has two conditions, and I want the action to happen when either of the conditions is
met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule by selecting Copy and
then remove one condition from the original and the other condition from the copy.
I'm working with distribution groups, and The sender is (SentTo) doesn't seem to be working.
SentTo matches messages where one of the recipients is a mailbox, mail-enabled user, or contact, but you
can't specify a distribution group with this condition. Instead, use To box contains a member of this
group (SentToMemberOf).

Other testing options


If you're using Exchange Online or Exchange Online Protection, you can check the number of times each rule is
matched by using a rules report. In order to be included in the reports, a rule must have the Audit this rule with
severity level check box selected. These reports help you spot trends in rule usage and identify rules that are not
matched.
To view a rules report, in the Office 365 admin center, select Reports.

NOTE
While most data is in the report within 24 hours, some data may take as long as 5 days to appear.
To learn more, see View mail protection reports.

Need more help?


Manage mail flow rules
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (transport rules) in Exchange Online Protection
Mail flow rules (transport rules) in Exchange Server
Use mail flow rules so messages can bypass Clutter in
Exchange Online
3/6/2019 • 2 minutes to read

If you want to be sure that you receive particular messages, you can create a mail flow rule (also known as a
transport rule) that makes sure that these messages bypass your Clutter folder. Check out Use Clutter to sort
low-priority messages in Outlook for more info on Clutter.
For additional management tasks related to mail flow rules, check out Mail flow rules (transport rules) in Exchange
Online and the New-TransportRule PowerShell topic. If you're new to Exchange Online PowerShell, check out
Connect to Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
For more information about opening and using the Exchange admin center (EAC), see Exchange admin
center in Exchange Online.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the Exchange admin center to create a mail flow rule to bypass the
clutter folder
This example allows all messages with title "Meeting" to bypass clutter.
1. In the Exchange admin center (EAC), go to Mail flow > Rules. Click New and then choose Create a
new rule....
2. After you're done creating the new rule, click Save to start the rule.

Use Exchange Online PowerShell to create a mail flow rule to bypass
the clutter folder
This example allows all messages with title "Meeting" to bypass clutter.

New-TransportRule -Name "<Unique rule name>" -SubjectContainsWords "Meeting" -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true"

IMPORTANT
In this example, both X-MS-Exchange-Organization-BypassClutter and true are case sensitive.

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


You can check email message headers to see if the email messages are landing in the Inbox due to the Clutter mail
flow rule bypass. Pick an email message from a mailbox in your organization that has the Clutter bypass mail flow
rule applied. Look at the headers stamped on the message, and you should see the
X-MS-Exchange-Organization-BypassClutter: true header. This means the bypass is working. Check out the View the internet
header information for an email message topic for info on how to find the header information.

NOTE
Calendar items (accepted, sent, or declined meetings notifications) won't contain this header.
Use mail flow rules to route email based on a list of
words, phrases, or patterns
3/4/2019 • 2 minutes to read

To help your users comply with your organization's email policies, you can use Exchange mail flow rules (also
known as transport rules) to determine how email containing specific words or patterns is routed. For a short list
of words or phrases, you can use the Exchange admin center (EAC). For a longer list, you might want to use
Exchange Online PowerShell to read the list from a text file.
If your organization uses Data Loss Prevention (DLP), see Data loss prevention for additional options for
identifying and routing email that contains sensitive information.

Example 1: Use a short list of unacceptable words


If your list of words or phrases is short, you can create a rule using the Exchange admin center. For example, if you
want to make sure no one sends email with bad words or with misspellings of your company name, internal
acronyms or product names, you could create a rule to block the message and tell the sender. Note that words,
phrases, and patterns are not case sensitive.
This example blocks messages with common typos.

Example 2: Use a long list of unacceptable words


If your list of words, phrases, or patterns is long, you can put them in a text file with each word, phrase, or pattern
on its own line. Use Exchange Online PowerShell to read in the list of keywords into a variable, create a mail flow
rule, and assign the variable with the keywords to the mail flow rule condition. For example, the following script
takes a list of misspellings from a file called C:\My Documents\misspelled_companyname.txt.

# Read the list into an array, one word or phrase per line.
$Keywords = Get-Content "C:\My Documents\misspelled_companyname.txt"

# Reject outbound messages whose subject or body contains any of the listed words.
New-TransportRule -Name "Block messages with unacceptable words" -SubjectOrBodyContainsWords $Keywords -SentToScope "NotInOrganization" -RejectMessageReasonText "Do not use internal acronyms, product names, or misspellings in external communications."

Using phrases and patterns in the text file
The text file can contain regular expressions for patterns. These expressions are not case-sensitive. Common
regular expressions include:

. | Any single character
* | Any additional characters
\d | Any decimal digit
[character_group] | Any single character in character_group.

For example, this text file contains common misspellings of Microsoft.

[mn]sft
[mn]icrosft
[mn]icro soft
[mn].crosoft

To learn how to specify patterns using regular expressions, see Regular Expression Reference.
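
Before a pattern list is loaded into a rule, it is worth checking that every line compiles and that none of the patterns matches text that must be allowed through. The following added example (not part of the original topic) runs that check offline on the page's sample patterns, then creates the rule in test mode with -SubjectOrBodyMatchesPatterns, the predicate that takes regular expressions, swapped in for -SubjectOrBodyContainsWords. The helper name Test-RulePattern, the sample strings, and the use of the .NET regex engine as an approximation of the rule engine are assumptions.

```powershell
# Added example. Constructed sample input: the page's misspelling patterns,
# plus one deliberately broken line and one blank line.
$patternLines = @(
    '[mn]sft'
    '[mn]icrosft'
    '[mn]icro soft'
    '[mn].crosoft'
    '[mn]icrosoft('      # constructed: unbalanced parenthesis
    ''
)
# In practice:
# $patternLines = Get-Content 'C:\My Documents\misspelled_companyname.txt'

# Text that must never trigger the rule (constructed).
$mustNotMatch = @('Microsoft', 'Quarterly report for Microsoft partners')

function Test-RulePattern {
    # Hypothetical helper: reports, per pattern, whether it compiles and
    # which allowed strings it would match (case-insensitively, as the rule does).
    param(
        [string[]] $Pattern,
        [string[]] $AllowedText
    )
    $clean = $Pattern | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique
    foreach ($p in $clean) {
        $result = [pscustomobject]@{ Pattern = $p; Valid = $true; FalsePositives = @() }
        try {
            $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
            $rx = [regex]::new($p, $options)
            $result.FalsePositives = @($AllowedText | Where-Object { $rx.IsMatch($_) })
        }
        catch {
            $result.Valid = $false    # the line is not a well-formed expression
        }
        $result
    }
}

$report = Test-RulePattern -Pattern $patternLines -AllowedText $mustNotMatch
$report | Format-Table Pattern, Valid,
    @{ Name = 'FalsePositives'; Expression = { $_.FalsePositives -join '; ' } } -AutoSize

# '[mn].crosoft' is reported with false positives: the '.' also stands for the
# 'i' in the correct spelling, so the pattern matches "Microsoft" itself.
$usable = @($report |
    Where-Object { $_.Valid -and $_.FalsePositives.Count -eq 0 } |
    Select-Object -ExpandProperty Pattern)

# Only runs when an Exchange Online PowerShell session is connected.
if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    $rule = @{
        Name                         = 'Block messages with unacceptable patterns'
        SubjectOrBodyMatchesPatterns = $usable
        SentToScope                  = 'NotInOrganization'
        RejectMessageReasonText      = 'Do not use internal acronyms, product names, or misspellings in external communications.'
        Mode                         = 'Audit'   # test mode first; switch to Enforce after review
    }
    New-TransportRule @rule
}
```
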
Use mail flow rules to automatically add meetings to
calendars in Exchange Online
3/4/2019 • 5 minutes to read

With the Direct to Calendar feature in Exchange Online, administrators can configure mail flow rules (also known
as transport rules) that allow designated users to add meetings to calendars. The benefits of Direct to Calendar are:
The event is automatically added to the recipient's calendar without any action from them. If the user
received the meeting invitation, it's on their calendar.
The sender doesn't need to deal with Out of Office or other unwanted response messages that result from
sending meeting invitations to a large number of recipients.
No meeting-related messages are seen by attendees unless the meeting is cancelled.
Direct to Calendar requires two mail flow rules with specific conditions and actions. These rules are described in
the following table:

RULE DESCRIPTION | CONDITION | ACTION | COMMENTS

This mail flow rule turns regular meeting invitations into Direct to Calendar meeting invitations. | The sender is or The sender > is this person (the From parameter). This condition identifies the users who are authorized to send Direct to Calendar meeting invitations. Although you can use other conditions, restricting the invitations by sender helps prevent unauthorized use of Direct to Calendar meeting invitations. | Set the message header to this value or Modify the message properties > set a message header (the SetHeaderName and SetHeaderValue parameters). This action sets the X-MS-Exchange-Organization-CalendarBooking-Response header to the value Accept. Other valid values are Tentative and Decline. | We recommend that you use dedicated mailboxes (shared mailboxes are OK) for sending Direct to Calendar meeting invitations, because any meeting invitations from these senders will be automatically added to recipient calendars. The dedicated mailboxes require no special permissions to send Direct to Calendar meeting invitations.

This mail flow rule prevents Direct to Calendar meeting invitations from appearing in the Inbox of recipients. | The sender is or The sender > is this person (the From parameter). | Set the message header to this value or Modify the message properties > set a message header (the SetHeaderName and SetHeaderValue parameters). This action sets the X-MS-Exchange-Organization-CalendarBooking-TriageAction header to the value MoveToDeletedItems. The other valid value is None. | Technically, this rule is optional (without it, meetings are still automatically added to recipient calendars). Note that this rule doesn't prevent meeting cancellation messages for Direct to Calendar meetings from appearing in the Inbox of recipients.

For more information about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 10 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
The designated accounts for sending Direct to Calendar meeting invitations need to exist.
For more information about opening and using the Exchange admin center (EAC), see Exchange admin
center in Exchange Online.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the Exchange admin center to create Direct to Calendar mail flow
rules
1. In the EAC, go to Mail flow > Rules.
2. Click New, and then select Create a new rule.
3. In the New rule page that opens, click More options.

4. Configure these additional settings on the New rule page:


Name: Direct to Calendar response (or anything descriptive).
Apply this rule if > The sender > is this person: Select one or more users to send Direct to
Calendar meeting invitations.
Do the following > Modify the message properties > set a message header: Enter the
following values:
Set the message header X-MS-Exchange-Organization-CalendarBooking-Response
to the value Accept

When you're finished, click Save.

5. Back at Mail flow > Rules, click New again, and then select Create a new rule.
6. In the New rule page that opens, click More options.

7. Configure these additional settings on the New rule page:


Name: Direct to Calendar triage action (or anything descriptive).
Apply this rule if > The sender > is this person: Select the same users as in step 3.
Do the following > Modify the message properties > set a message header: Enter the following
values:
Set the message header X-MS-Exchange-Organization-CalendarBooking-TriageAction
to the value MoveToDeletedItems

When you're finished, click Save.

Use Exchange Online PowerShell to create Direct to Calendar mail flow
rules
1. To create the mail flow rule that turns regular meeting invitations into Direct to Calendar meeting
invitations, use the following syntax:

New-TransportRule -Name "Direct to Calendar response" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

This example configures the rule using the dedicated mailbox named Direct to Calendar invites.

New-TransportRule -Name "Direct to Calendar response" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-Response" -SetHeaderValue Accept

2. To create the mail flow rule that prevents Direct to Calendar meeting invitations from appearing in the Inbox
of recipients, use the following syntax:

New-TransportRule -Name "Direct to Calendar triage action" -From "<designated sender 1>","<designated sender 2>"... -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

This example configures the rule using the dedicated mailbox named Direct to Calendar invites.

New-TransportRule -Name "Direct to Calendar triage action" -From "Direct to Calendar invites" -SetHeaderName "X-MS-Exchange-Organization-CalendarBooking-TriageAction" -SetHeaderValue MoveToDeletedItems

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


To verify that you have successfully configured Direct to Calendar meeting invitations, use the designated sender
mailbox to send a test meeting invitation to a small number of recipients. Verify that the meeting automatically
appears in the calendars of the recipients, and verify there are no meeting-related messages in the Inbox (the
second rule should automatically move these messages to the Deleted Items folder).
More information
The designated sender mailbox will receive meeting acceptance responses to Direct to Calendar meetings.
Use the following strategies to help minimize the impact of these messages on the designated sender:
In Outlook, enable the Update tracking information, and then delete responses that don't
contain comments and After updating tracking information, move receipt to <Deleted
Items> settings in Mail > Tracking for the designated sender mailbox. For more information, see
Change how meeting requests, polls, and read or delivery receipts are processed.
Clearing the Request Responses setting in Direct to Calendar meeting invitations doesn't prevent
responses from being sent back to the designated sender mailbox.
If the designated mailbox sends a meeting cancellation for a Direct to Calendar meeting, the cancelled
meeting title is always changed to CANCELED: <previous meeting title>, and the cancelled meeting
remains in the calendars of attendees until they manually remove it.
Meeting cancellation messages for Direct to Calendar meetings will always appear in the Inbox of recipients.
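
Because any sender matched by a Direct to Calendar rule can place meetings on recipient calendars, and because the Clutter bypass header is case sensitive, it helps to review periodically which rules set these headers and with what values. The following added example (not part of the original topic) checks rule objects against the header names and values this page documents. The function name Get-HeaderRuleFinding and the sample rule objects are constructed for illustration; with a connected session, the same function runs over the output of Get-TransportRule.

```powershell
# Added example. Header names and the values this page documents for them.
$headerPolicy = @{
    'X-MS-Exchange-Organization-BypassClutter'                = @('true')
    'X-MS-Exchange-Organization-CalendarBooking-Response'     = @('Accept', 'Tentative', 'Decline')
    'X-MS-Exchange-Organization-CalendarBooking-TriageAction' = @('MoveToDeletedItems', 'None')
}

function Get-HeaderRuleFinding {
    # Hypothetical helper: returns one row per rule that sets a watched header.
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        [hashtable] $Policy = $headerPolicy
    )
    foreach ($r in $Rule) {
        # Case-insensitive lookup, so wrongly cased header names are still found.
        $canonical = $Policy.Keys | Where-Object { $_ -eq $r.SetHeaderName } | Select-Object -First 1
        if (-not $canonical) { continue }

        $notes = @()
        if ($Policy[$canonical] -notcontains $r.SetHeaderValue) {
            $notes += "value '$($r.SetHeaderValue)' is not one the page lists"
        }
        # The page states that the Clutter bypass header name and value are case sensitive.
        if ($canonical -like '*BypassClutter' -and
            ($r.SetHeaderName -cne $canonical -or $r.SetHeaderValue -cne 'true')) {
            $notes += 'header name and value must match case exactly'
        }
        # The page recommends restricting Direct to Calendar rules by sender.
        if ($canonical -like '*CalendarBooking*' -and -not $r.From) {
            $notes += 'no sender restriction (From is empty)'
        }

        [pscustomobject]@{
            Rule     = $r.Name
            State    = $r.State
            Mode     = $r.Mode
            Header   = $r.SetHeaderName
            Value    = $r.SetHeaderValue
            From     = ($r.From -join ', ')
            Findings = ($notes -join '; ')
        }
    }
}

# Constructed sample rule objects, shaped like Get-TransportRule output.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Direct to Calendar response'; State = 'Enabled'; Mode = 'Enforce'
        From = @('Direct to Calendar invites')
        SetHeaderName = 'X-MS-Exchange-Organization-CalendarBooking-Response'; SetHeaderValue = 'Accept' }
    [pscustomobject]@{ Name = 'Calendar booking, subject match only'; State = 'Enabled'; Mode = 'Enforce'
        From = $null
        SetHeaderName = 'X-MS-Exchange-Organization-CalendarBooking-Response'; SetHeaderValue = 'Accept' }
    [pscustomobject]@{ Name = 'Meeting bypass clutter'; State = 'Enabled'; Mode = 'Enforce'
        From = $null
        SetHeaderName = 'X-MS-Exchange-Organization-BypassClutter'; SetHeaderValue = 'True' }
    [pscustomobject]@{ Name = 'Unrelated disclaimer rule'; State = 'Enabled'; Mode = 'Enforce'
        From = $null; SetHeaderName = $null; SetHeaderValue = $null }
)

# Use live rules when a session is connected, otherwise the constructed samples.
if (Get-Command Get-TransportRule -ErrorAction SilentlyContinue) {
    $rules = Get-TransportRule
}
else {
    $rules = $sampleRules
}

Get-HeaderRuleFinding -Rule $rules | Format-Table Rule, State, Mode, Header, Value, From, Findings -AutoSize -Wrap
```

On the constructed samples, the second rule is flagged for having no sender restriction and the third for the value True, which does not match the case-sensitive true.
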
Manage message approval in Exchange Online
3/4/2019 • 3 minutes to read

Sometimes it makes sense to have a second set of eyes on a message before the message is delivered. As an
Exchange administrator, you can set this up. This process is called moderation, and the approver is called the
moderator. Depending on which messages need approval, you can use one of two approaches:
Change the distribution group properties
Create a mail flow rule
This article explains:
How to decide which approval approach to use
How the approval process works
To learn how to implement common scenarios, see Common message approval scenarios.

How to decide which approval approach to use


Here's a comparison of the two approaches to message approval.

| WHAT DO YOU WANT TO DO? | APPROACH | FIRST STEP |
|---|---|---|
| Create a moderated distribution group where all messages to the group must be approved. | Set up message approval for the distribution group. | Go to the Exchange admin center (EAC) > Recipients > Groups, edit the distribution group, and then select Message approval. |
| Require approval for messages that match specific criteria or that are sent to a specific person. | Create a mail flow rule (also known as a transport rule) using the Forward the message for approval action. You can specify message criteria, including text patterns, senders, and recipients. Your criteria can also contain exceptions. | Go to the EAC > Mail flow > Rules. |

How the approval process works


When someone sends a message to a person or group that requires approval, if they're using Outlook on the web
(formerly known as Outlook Web App), they're notified that their message might be delayed.
The moderator receives an email with a request to approve or reject the message. The text of the message includes
buttons to approve or reject the message, and the attachment includes the original message to review.

The moderator can take one of three actions:

1. If approved, the message goes to the original intended recipients. The original sender isn't notified.
2. If rejected, a rejection message is sent to the sender. The moderator can add an explanation.
3. If the approver either deletes or ignores the approval message, an expiration message is sent to the sender.
This happens after two days in Exchange Online, and after five days in Exchange Server. (In Exchange
Server, you can change this time period).
The message that's waiting for approval gets temporarily stored in a system mailbox called the arbitration mailbox.
Until the moderator decides to approve or reject the message, deletes the approval message, or lets the approval
message expire, the original message is kept in the arbitration mailbox.

Questions and answers


What's the difference between the approver and owner of a distribution group?
The owner of a distribution group is responsible for managing the distribution group membership. For example, a
person in IT might be the owner of a distribution group called All Employees, but only the Human Resources
manager might be set up as the moderator. Also, messages that the owner sends to the distribution group do not
need to be approved by a moderator.
What happens when the moderator or approver sends a message to the distribution group?
The message goes directly to the group, bypassing the approval process.
What happens when only a subset of recipients needs approval?
You can send a message to a group of recipients where only a subset of the recipients requires approval. Consider
a message that's sent to 12 recipients, one of which is a moderated distribution group. The message is
automatically split into two copies. One message is delivered immediately to the 11 recipients that don't require
approval, and the second message is submitted to the approval process for the moderated distribution group. If a
message is intended for more than one moderated recipient, a separate copy of the message is automatically
created for each moderated recipient and each copy goes through the appropriate approval process.
What if my distribution group contains moderated recipients that require approval?
A distribution group can include moderated recipients that also require approval. In this case, after the message to
the distribution group is approved, a separate approval process occurs for each moderated recipient that's a
member of the distribution group. However, you can also enable the automatic approval of the distribution group
members after the message to the moderated distribution group is approved. To do this, you use the
BypassNestedModerationEnabled parameter on the Set-DistributionGroup cmdlet.
Is this process different if we have our own Exchange servers?
By default, one arbitration mailbox is used for each Exchange organization. If you have your own Exchange servers
and need more arbitration mailboxes for load balancing, follow the instructions for adding arbitration mailboxes in
Manage and troubleshoot message approval. Arbitration mailboxes are system mailboxes and don't require an
Exchange license.
Need more info?
Manage mail flow rules
Exchange Online PowerShell
Common message approval scenarios in Exchange Online
3/4/2019 • 4 minutes to read

Your organization may require certain types of messages be approved in order to meet legal or compliance
requirements, or to implement a specific business workflow. This article discusses examples of common scenarios
that you can set up by using Exchange.

Example 1: Avoid mail storms to a large distribution group


To control messages to a large distribution group, you can require that a moderator approve messages that are
sent to that group. If there are no criteria for which messages require approval, the simplest way to set this up is
to configure the group to require message approval.
In this example, all messages to the All Employees group must be approved, except if the senders are members of
the distribution group named Legal Team.

To require that messages to a specific distribution group be approved, in the Exchange admin center (EAC), go to
Recipients > Groups, edit the distribution group, and then select Message approval. To open the EAC, see
Exchange admin center in Exchange Online.

Example 2: Forward messages to a sender's manager for approval


Here are some common types of messages for which you might want to require manager approval:
Messages sent from a user to certain distribution groups or recipients
Messages sent to external users or partners
Messages sent between two groups
Messages sent with specific content, such as the name of a specific customer
Messages sent by a trainee
To require that a message be sent for approval, first, create a mail flow rule (also known as a transport rule) using
the Send messages to a moderator template, and select that the messages should go to the sender's manager,
as shown in the following screenshots.

Then, define which messages need approval.


Here's an example where all messages sent out by a trainee, Garth Fort, to recipients outside the organization
require a manager's approval.

To get started, go to EAC > Mail flow > Rules, and create a new rule using the Send messages to a moderator
template. To open the EAC, see Exchange admin center in Exchange Online.

IMPORTANT
Some conditions and actions, including forwarding to the sender's manager, are hidden by default in the New rule page. To
see all the conditions and actions, select More options.
Example 3: Set up a message approval chain
You can require multiple levels of approval for messages. For example, you can require that messages to a specific
customer be approved first by a customer relationship manager and then by a compliance officer, or you can
require that expense reports be approved by two levels of managers.
To create this type of multiple-level approval, create one mail flow rule for each level of approval. Each rule
detects the same patterns in the messages, as follows:
The first rule forwards the message to the first approver. When the first approver accepts the message, the
message automatically goes to the approver in the second rule.
If all approvers in the chain select Approve when they receive the approval request, when the last
approval in the chain is complete, the original message is sent to the intended recipients.
If anyone in the approval chain selects Reject when they receive the approval request, the sender receives
a rejection message.
If any of the approval requests aren't approved within the expiration time (2 days for Exchange Online, 5
days for Exchange Server), the sender receives an expiration message.
The following example assumes that you have a customer called Blue Yonder Airlines, and you want both the
customer relationship manager and the compliance officer to approve all messages that go to this customer. You
create two rules, one for each approver. The first rule goes to the first-level approver. The second rule goes to the
second-level approver.

The first rule identifies all messages with the company name Blue Yonder Airlines in the subject or message, and
it sends these messages to the internal customer relationship manager for Blue Yonder Airlines, Garret Vargas.

The second rule sends these messages to the compliance officer, Tony Krijnen.
Example 4: Forward messages that match one of several criteria
Within a mail flow rule, all conditions configured within the rule must be true for the rule to match. If you want
the same actions applied when any one of several conditions is met, create a separate rule for each condition.
To do this, on the Rules page in EAC, create a rule for the first condition. Then select the rule, select Copy, and
change the conditions in the new rule to match the second condition.
Be careful when you create multiple rules with "OR" conditions so you don't end up with a message being sent
multiple times to the approver. To avoid this, add an exception to the second rule so it ignores messages that
matched the first rule.
For example, a single rule can't check whether a message has "sales quote" in either the subject or in the
attachment title. To avoid the message being sent multiple times to the approver, if the first rule checks for "sales
quote" in the subject or body of the message, the second rule that checks for "sales quote" in attachment content
needs an exception that contains the first rule's criteria.

NOTE
Exceptions are hidden by default in the New rule page. To see all the conditions and actions, select More options.
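The two-rule "OR" setup from Example 4 can also be created in Exchange Online PowerShell. The following is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and the approver address and rule names are placeholders.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session. The approver address and rule names are placeholders.
$approver = 'approver@contoso.com'   # hypothetical moderator mailbox
$phrase   = 'sales quote'            # phrase used in the article's example

# Rule 1: the phrase appears in the subject or body of the message.
$rule1 = @{
    Name                       = 'Approval - sales quote in subject or body'
    SubjectOrBodyContainsWords = $phrase
    ModerateMessageByUser      = $approver
    Mode                       = 'Audit'   # test mode: matches are recorded, nothing is held
}
New-TransportRule @rule1

# Rule 2: the phrase appears in attachment content. The exception repeats rule 1's
# criteria, so a message that already matched rule 1 is not sent to the approver twice.
$rule2 = @{
    Name                               = 'Approval - sales quote in attachment'
    AttachmentContainsWords            = $phrase
    ExceptIfSubjectOrBodyContainsWords = $phrase
    ModerateMessageByUser              = $approver
    Mode                               = 'Audit'
}
New-TransportRule @rule2

# Review every rule that forwards to a moderator, in evaluation order, and confirm
# that the second rule carries the exception.
Get-TransportRule |
    Where-Object { $_.ModerateMessageByUser -or $_.ModerateMessageByManager } |
    Sort-Object Priority |
    Format-List Name, State, Mode, Priority, SubjectOrBodyContainsWords,
        AttachmentContainsWords, ExceptIfSubjectOrBodyContainsWords, ModerateMessageByUser

# After test messages show that each message matches only one of the two rules,
# switch both rules to enforcement.
foreach ($name in $rule1.Name, $rule2.Name) {
    Set-TransportRule -Identity $name -Mode Enforce
}
```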
Example 5: Forward a message that contains sensitive information
If you have the Data loss prevention (DLP) feature, many types of sensitive information are predefined. With DLP,
you see that the message contains a sensitive information condition. Whether or not you have DLP, you can
create conditions that identify specific sensitive information patterns that are unique to your organization.
Here's an example where messages with sensitive information require approval. In this example, messages that
contain a credit card number require approval.

See also
Manage message approval
Recoverable Items folder in Exchange Online
3/29/2019 • 9 minutes to read

To protect from accidental or malicious deletion and to facilitate discovery efforts commonly undertaken before or
during litigation or investigations, Exchange Online uses the Recoverable Items folder. The Recoverable Items folder
replaces the feature that was known as the dumpster in earlier versions of Exchange. The following Exchange
features use the Recoverable Items folder:
Deleted item retention
Single item recovery
In-Place Hold
Litigation Hold
eDiscovery hold
Office 365 retention policies
Mailbox audit logging
Calendar logging

Terminology
Knowledge of the following terms will help you understand the content in this topic.
Delete
Describes when an item is deleted from any folder and placed in the Deleted Items default folder.
Soft delete
Describes when an item is deleted from the Deleted Items default folder and placed in the Recoverable Items
folder. Also describes when an Outlook user deletes an item by pressing Shift+Delete, which bypasses the Deleted
Items folder and places the item directly in the Recoverable Items folder.
Hard delete
Describes when an item is marked to be purged from the mailbox database. This is also known as a store hard
delete.

Recoverable Items folder


Each user mailbox is divided into two subtrees: the IPM (interpersonal messaging) subtree, which contains the
normal, visible folders such as Inbox, Calendar, and Sent Items and the non-IPM subtree, which contains internal
data, preferences, and other operational data about the mailbox. The Recoverable Items folder resides in the non-
IPM subtree of each mailbox. This subtree isn't visible to users using Outlook, Outlook on the web (formerly
known as Outlook Web App), or other email clients.
This architectural change provides the following key benefits:
When a mailbox is moved to another mailbox database, the Recoverable Items folder moves with it.
The Recoverable Items folder is indexed by Exchange Search and can be discovered by using In-Place
eDiscovery or Content Search in the Office 365 Security & Compliance Center.
The Recoverable Items folder has its own storage quota.
Exchange can prevent data from being purged from the Recoverable Items folder.
Exchange can track edits of certain content.
The Recoverable Items folder contains the following subfolders:
Deletions: This subfolder contains all items deleted from the Deleted Items folder. (In Outlook, a user can
soft delete an item by pressing Shift+Delete.) This subfolder is available to users through the Recover
Deleted Items feature in Outlook and Outlook on the web.
Versions: If In-Place Hold, Litigation Hold, or an Office 365 retention policy is enabled, this subfolder
contains the original copy of the item and, if the item is modified multiple times, a copy of the item as it
was before each modification. To understand which actions count as a modification, refer to the
Copy-on-Write section later in this article. This folder isn't visible to end users.
Purges: If either Litigation Hold or single item recovery is enabled, this subfolder contains all items that are
hard deleted. This folder isn't visible to end users.
Audits: If mailbox audit logging is enabled for a mailbox, this subfolder contains the audit log entries. To
learn more about mailbox audit logging, see Export mailbox audit logs in Exchange Online.
DiscoveryHolds: If In-Place Hold is enabled or if an Office 365 retention policy is assigned to the mailbox,
this subfolder contains all items that meet the hold query parameters and are hard deleted.
Calendar Logging: This subfolder contains calendar changes that occur within a mailbox. This folder isn't
available to users.
The following illustration shows the subfolders in the Recoverable Items folders. It also shows the deleted item
retention, single item recovery, and hold workflow processes that are described in the following sections.

Deleted item retention


An item is considered to be soft deleted in the following cases:
A user deletes an item or empties all items from the Deleted Items folder.
A user presses Shift+Delete to delete an item from any other mailbox folder.
Soft-deleted items are moved to the Deletions subfolder of the Recoverable Items folder. This provides an
additional layer of protection so users can recover deleted items without requiring Help desk intervention. Users
can use the Recover Deleted Items feature in Outlook or Outlook on the web to recover a deleted item. Users can
also use this feature to permanently delete an item. For more information, see:
Recover deleted items in Outlook 2013 or Outlook 2016
Recover deleted items or email messages in Outlook on the web
Items remain in the Deletions subfolder until the deleted item retention period is reached. The default deleted item
retention period for Exchange Online is 14 days. You can modify this period for mailboxes up to a maximum of 30
days. In addition to a deleted item retention period, the Recoverable Items folder is also subject to quotas. To learn
more, see Recoverable Items mailbox quotas later in this topic.
After the deleted item retention period expires, the item is moved to the Purges folder and is no longer visible to
the user. When the Managed Folder Assistant (MFA) processes the mailbox, items in the Purges subfolder are
purged from Exchange Online.
Single item recovery
If an item is removed from the Deletions subfolder, either by a user purging the item by using the Recover Deleted
Items feature or by an automated process such as the Managed Folder Assistant, the item can't be recovered by
the user. When the Managed Folder Assistant processes the Recoverable Items folder for a mailbox that has single
item recovery enabled, any item in the Purges subfolder isn't purged if the deleted item retention period hasn't
expired for that item. This means that an admin can still recover the item by using an eDiscovery tool such as In-
Place eDiscovery or Content Search.
The following table lists the contents of and actions that can be performed in the Recoverable Items folder if single
item recovery is enabled.
Recoverable Items folder and single item recovery

| STATE OF SINGLE ITEM RECOVERY | RECOVERABLE ITEMS FOLDER CONTAINS SOFT-DELETED ITEMS | RECOVERABLE ITEMS FOLDER CONTAINS HARD-DELETED ITEMS | USERS CAN PURGE ITEMS FROM THE RECOVERABLE ITEMS FOLDER | MANAGED FOLDER ASSISTANT AUTOMATICALLY PURGES ITEMS FROM THE RECOVERABLE ITEMS FOLDER |
|---|---|---|---|---|
| Enabled | Yes | Yes | No | Yes. By default, all items are purged after 14 days, with the exception of calendar items, which are purged after 120 days. |
| Disabled | Yes | No | Yes | Yes. By default, all items are purged after 14 days, with the exception of calendar items, which are purged after 120 days. If the Recoverable Items warning quota is reached before the deleted item retention period elapses, messages are deleted in first in, first out (FIFO) order. |

In-Place Hold and Litigation Hold


In Exchange Online, discovery managers can use In-Place eDiscovery with delegated Discovery Management role
group permissions to perform eDiscovery searches of mailbox content. In Exchange Online, you can use In-Place
Hold to preserve mailbox items that match query parameters and protect the items from deletion by users or
automated processes. You can also use Litigation Hold to preserve all items in user mailboxes and protect the
items from deletion by users or automated processes.
Putting a mailbox on In-Place Hold or Litigation Hold stops the Managed Folder Assistant from automatically
purging messages from the DiscoveryHolds and Purges subfolders. Additionally, copy-on-write page protection is
enabled for the mailbox. Copy-on-write page protection creates a copy of the original item before any
modifications are written to the Exchange store. After the mailbox is removed from hold, the Managed Folder
Assistant resumes automated purging.

NOTE
If you put a mailbox on both In-Place Hold and Litigation Hold, Litigation Hold takes preference because this puts the entire
mailbox on hold.

The following table lists the contents of and actions that can be performed in the Recoverable Items folder if
Litigation Hold is enabled.
Recoverable Items folder and holds

| STATE OF HOLD | RECOVERABLE ITEMS FOLDER CONTAINS SOFT-DELETED ITEMS | RECOVERABLE ITEMS FOLDER CONTAINS MODIFIED AND HARD-DELETED ITEMS | USERS CAN PURGE ITEMS FROM THE RECOVERABLE ITEMS FOLDER | MANAGED FOLDER ASSISTANT AUTOMATICALLY PURGES ITEMS FROM THE RECOVERABLE ITEMS FOLDER |
|---|---|---|---|---|
| Enabled | Yes | Yes | No | No |
| Disabled | Yes | No | Yes | Yes |

To learn more about In-Place eDiscovery, In-Place Hold, and Litigation Hold, see the following topics:
In-Place eDiscovery in Exchange Online
In-Place Hold and Litigation Hold in Exchange Online
Copy-on-write page protection and modified items
If a user who is placed on In-Place Hold or Litigation Hold modifies specific properties of a mailbox item, a copy of
the original mailbox item is created before the changed item is written. The original copy is saved in the Versions
subfolder. This process is known as copy-on-write page protection. Copy-on-write page protection applies to items
residing in any mailbox folder. The Versions subfolder isn't visible to users.
The following table lists the message properties that trigger copy-on-write page protection.
Properties that trigger copy-on-write page protection

| ITEM TYPE | PROPERTIES THAT TRIGGER COPY-ON-WRITE PAGE PROTECTION |
|---|---|
| Messages (IPM.Note*) and posts (IPM.Post*) | • Subject • Body • Attachments • Senders and recipients • Sent and received dates |
| Items other than messages and posts | Any change to a visible property, except the following: • Item location (when an item is moved between folders) • Item status change (read or unread) • Changes to a retention tag applied to an item |
| Items in the Drafts default folder | None. Items in the Drafts folder are exempt from copy-on-write page protection. |

IMPORTANT
Copy-on-write page protection doesn't save a version of the meeting when a meeting organizer receives responses from
attendees and the meeting's tracking information is updated. Also, changes to RSS feeds aren't captured by copy-on-write
page protection.

When a mailbox is no longer on In-Place Hold or Litigation Hold, copies of modified items stored in the Versions
folder are removed.

Recoverable Items mailbox quotas


When an item is moved to the Recoverable Items folder, its size is deducted from the mailbox quota and added to
the size of the Recoverable Items folder. In Exchange Online, the default limits for the Recoverable Items quota are:
a soft limit of 20 GB and a hard limit of 30 GB. However, the quotas for the Recoverable Items folder are
automatically increased to 90 GB and 100 GB, respectively, when you place a mailbox on Litigation Hold or In-
Place Hold or if an Office 365 retention policy is applied to the mailbox. For more information, see Increase the
Recoverable Items quota for mailboxes on hold.
If the Recoverable Items folder for a mailbox reaches the Recoverable Items quota, no more items can be stored in
the folder. This impacts mailbox functionality in the following ways:
Mailbox users can't delete items.
The Managed Folder Assistant can't delete items based on retention tag or managed folder settings.
For mailboxes that have single item recovery, In-Place Hold or Litigation Hold enabled, the copy-on-write
page protection process can't maintain versions of items edited by the user.
For mailboxes that have mailbox audit logging enabled, no mailbox audit log entries can be saved in the
Audits subfolder.
For mailboxes that aren't placed on In-Place Hold or Litigation Hold, the Managed Folder Assistant automatically
purges items from the Recoverable Items folder when the deleted item retention period expires. If the folder
reaches the Recoverable Items warning quota, the assistant automatically purges items in first-in-first-out order.
If the mailbox is placed on In-Place Hold or Litigation Hold or assigned to an Office 365 retention policy, copy-on-
write page protection can't maintain versions of modified items. To maintain versions of modified items, you need
to reduce the size of the Recoverable Items folder. You can use the Search-Mailbox cmdlet to copy messages from
the Recoverable Items folder of a mailbox to a discovery mailbox, and then delete the items from the mailbox. For
details, see Clean up or delete items from the Recoverable Items folder.
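Because a full Recoverable Items folder stops mailbox audit log entries and item versions from being saved, it helps to compare each mailbox's usage with its quotas before the limit is reached. The following is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and the function names ConvertTo-ByteCount and Get-RecoverableItemsUsage are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session. Function names are hypothetical.

function ConvertTo-ByteCount {
    param($Size)
    # Sizes and quotas are rendered as text such as "20 GB (21,474,836,480 bytes)".
    if ("$Size" -match '\(([\d,.\s]+)bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    return $null   # "Unlimited", empty, or an unexpected format
}

function Get-RecoverableItemsUsage {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx  = Get-Mailbox -Identity $Identity
    # The root folder's FolderAndSubfolderSize covers Deletions, Versions, Purges,
    # Audits and the other subfolders described in this article.
    $root = Get-MailboxFolderStatistics -Identity $Identity -FolderScope RecoverableItems |
        Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' } |
        Select-Object -First 1

    $used  = ConvertTo-ByteCount $root.FolderAndSubfolderSize
    $warn  = ConvertTo-ByteCount $mbx.RecoverableItemsWarningQuota   # soft limit
    $quota = ConvertTo-ByteCount $mbx.RecoverableItemsQuota          # hard limit

    $status = if ($null -eq $used -or $null -eq $quota) { 'Unknown' }
    elseif ($used -ge $quota) { 'QuotaReached' }
    elseif ($null -ne $warn -and $used -ge $warn) { 'Warning' }
    else { 'OK' }

    $toGB  = { param($b) if ($null -ne $b) { [math]::Round($b / 1GB, 2) } }
    $holds = @($mbx.InPlaceHolds | Where-Object { $_ })

    [pscustomobject]@{
        Identity       = $mbx.UserPrincipalName
        UsedGB         = & $toGB $used
        WarningQuotaGB = & $toGB $warn
        QuotaGB        = & $toGB $quota
        Status         = $status
        AuditEnabled   = $mbx.AuditEnabled
        OnHold         = [bool]($mbx.LitigationHoldEnabled -or ($holds.Count -gt 0))
    }
}

# Collect the mailboxes first, then query each one, and report only those at or past
# the warning quota. Mailboxes on hold are the ones where the Managed Folder
# Assistant does not purge automatically.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$report = foreach ($m in $mailboxes) {
    Get-RecoverableItemsUsage -Identity $m.UserPrincipalName
}
$report |
    Where-Object { $_.Status -in 'Warning', 'QuotaReached' } |
    Sort-Object UsedGB -Descending |
    Format-Table -AutoSize
```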

More information
Copy-on-write is only enabled when a mailbox is on In-Place Hold or Litigation Hold.
If users need to recover deleted items from the Recoverable Items folder, point them to the following topics:
Recover deleted items in Outlook for Windows
Recover deleted items or email in Outlook on the web
Clean up or delete items from the Recoverable Items folder in Exchange Online
3/4/2019 • 2 minutes to read

The Recoverable Items folder (known in earlier versions of Exchange as the dumpster) exists to protect from
accidental or malicious deletions and to facilitate discovery efforts commonly undertaken before or during
litigation or investigations.
How you clean up or delete items from a user's Recoverable Items folder depends on whether the mailbox is
placed on In-Place Hold or Litigation Hold, or has single item recovery enabled:
If a mailbox isn't placed on In-Place Hold or Litigation Hold or other types of holds in Office 365, or if a
mailbox doesn't have single item recovery enabled, you can simply delete items from the Recoverable Items
folder. After items are deleted, you can't use single item recovery to recover them.
If the mailbox is placed on In-Place Hold or Litigation Hold or other types of holds in Office 365, or if single
item recovery is enabled, you'll want to preserve the mailbox data until the hold is removed or single item
recovery is disabled. In this case, you need to perform more detailed steps to clean up the Recoverable
Items folder.
To learn more about In-Place Hold and Litigation Hold, see In-Place Hold and Litigation Hold in Exchange Online.
To learn more about single item recovery, see Single item recovery.

What do you need to know before you begin?


By default, the Mailbox Import Export role isn't assigned to any role groups in Exchange Online. To use any
cmdlets that require the Mailbox Import Export role, you need to add the role to a role group. For more
information, see Manage role groups in Exchange Online.
Because incorrectly cleaning up the Recoverable Items folder can result in data loss, it's important that
you're familiar with the Recoverable Items folder and the impact of removing its contents. Before
performing this procedure, we recommend that you review the information in Recoverable Items folder in
Exchange Online.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to delete items from the Recoverable Items folder for mailboxes that aren't placed on hold or don't have single item recovery enabled
This example permanently deletes items from the user Gurinder Singh's Recoverable Items folder and also copies
the items to the GurinderSingh-RecoverableItems folder in the Discovery Search Mailbox (a built-in mailbox in
Exchange Online).
Search-Mailbox -Identity "Gurinder Singh" -SearchDumpsterOnly -TargetMailbox "Discovery Search Mailbox" -TargetFolder "GurinderSingh-RecoverableItems" -DeleteContent

NOTE
To delete items from the mailbox without copying them to another mailbox, use the preceding command without the
TargetMailbox and TargetFolder parameters.

For detailed syntax and parameter information, see Search-Mailbox.
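The deletion command above is only appropriate when the mailbox is not on hold and does not have single item recovery enabled, so that state can be checked first. The following is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and the function name Get-RecoverableItemsCleanupCheck is hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected Exchange Online
# PowerShell session. The function name is hypothetical.

function Get-RecoverableItemsCleanupCheck {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity

    # Holds and retention policies scoped to this mailbox.
    $mailboxHolds = @($mbx.InPlaceHolds | Where-Object { $_ })
    # Organization-wide entries are stored on the organization configuration, not on
    # the mailbox. Any entry is treated as a blocker here (a conservative assumption).
    $orgHolds = @((Get-OrganizationConfig).InPlaceHolds | Where-Object { $_ })

    $blockers = @()
    if ($mbx.LitigationHoldEnabled) {
        $blockers += 'Litigation Hold is enabled'
    }
    if ($mailboxHolds.Count -gt 0) {
        $blockers += "Mailbox has $($mailboxHolds.Count) In-Place Hold or retention policy entries"
    }
    if ($orgHolds.Count -gt 0) {
        $blockers += "Organization has $($orgHolds.Count) organization-wide hold or retention policy entries"
    }
    if ($mbx.SingleItemRecoveryEnabled) {
        $blockers += 'Single item recovery is enabled'
    }

    [pscustomobject]@{
        Identity              = $mbx.UserPrincipalName
        RetainDeletedItemsFor = $mbx.RetainDeletedItemsFor
        SimpleDeleteAllowed   = ($blockers.Count -eq 0)
        Blockers              = $blockers
    }
}

$check = Get-RecoverableItemsCleanupCheck -Identity 'Gurinder Singh'

if ($check.SimpleDeleteAllowed) {
    # The article's command, unchanged: copy to the discovery mailbox, then delete.
    Search-Mailbox -Identity 'Gurinder Singh' -SearchDumpsterOnly `
        -TargetMailbox 'Discovery Search Mailbox' `
        -TargetFolder 'GurinderSingh-RecoverableItems' -DeleteContent
}
else {
    # Held data must be preserved; use the detailed procedure for mailboxes on hold.
    Write-Warning ("Simple delete is not appropriate for {0}: {1}" -f
        $check.Identity, ($check.Blockers -join '; '))
}
```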

Use Exchange Online PowerShell to clean up the Recoverable Items folder for mailboxes that are placed on hold or have single item recovery enabled
This scenario is fully covered in the topic Delete items in the Recoverable Items folder of cloud-based mailboxes on
hold.

How do you know this worked?


To verify that you've successfully cleaned up or deleted items from the Recoverable Items folder of a mailbox, use
the Get-MailboxFolderStatistics cmdlet to check the size of the Recoverable Items folder.
This example retrieves the size of the Recoverable Items folder and its subfolders and an item count in the folder
and each subfolder.

Get-MailboxFolderStatistics -Identity "Gurinder Singh" -FolderScope RecoverableItems | Format-Table Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders -Auto
Mail flow best practices for Exchange Online and Office 365 (overview)
3/29/2019 • 9 minutes to read

Use Microsoft Exchange Online and Office 365 to manage mail flow. Find out how, and get tips and best practices
for setting up and managing your email.
This article is intended for IT Pros. Want something else?
Try Set up Office 365 for business or Deploy Office 365 Enterprise for your organization.
Office 365 gives you flexibility in determining the best arrangement for how email is delivered to your
organization's mailboxes. The path email takes from the internet to a mailbox and vice versa is called mail flow.
Most organizations want Office 365 to manage all their mailboxes and filtering, and some organizations need
more complex mail flow setups to make sure that they comply with specific regulatory or business needs. If you're
part of a small business or simply an organization that wants Office 365 to manage all your mailboxes and mail
flow, we recommend following the steps in Set up Office 365 for business. That article provides a complete
checklist for setting up Office 365 services and programs, including how to set up your mail flow and email
clients.
For information about how your email is protected with EOP, see Exchange Online Protection Overview.

TIP
Are you new to Office 365 mail flow? Check out the External Domain Name System records for Office 365 topic. We
especially recommend reading the part about SPF records because customers often list the wrong values in their SPF record,
which can cause mail flow problems.

Office 365 mail flow covers the following scenarios:

MAIL FLOW SETUP: Manage all mailboxes and mail flow using Office 365
COMPLEXITY: Simple
YOUR ORGANIZATION'S SCENARIO:
Scenario 1: I'm a new Office 365 customer, and all my users' mailboxes are in Office 365. I want to use all filtering solutions offered by Office 365.
Scenario 2: I'm a new Office 365 customer. I have an existing email service but plan to move all the existing users' mailboxes to the cloud at once. I want to use all filtering solutions offered by Office 365.

MAIL FLOW SETUP: Manage mail flow using a third-party cloud service with Office 365
COMPLEXITY: Complex
YOUR ORGANIZATION'S SCENARIO:
Scenario 1: I plan to have Office 365 host all of my organization's mailboxes. My organization uses (or plans to use) a third-party (mail services) cloud solution for filtering spam and malware. All email sent from the internet must be filtered by this third-party cloud service.
Scenario 2: I plan to have Office 365 host all my organization's mailboxes. My organization needs to send all email to a third-party service, such as archiving or auditing. However, the third-party service doesn't provide a spam filtering solution.

MAIL FLOW SETUP: Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Important: In the near future, Office 365 will reject email from unknown senders that are relayed from on-premises servers. This means that if the sender or recipient domain of a message doesn't belong to your organization, Office 365 will reject the message unless you have created a connector to allow this behavior. This change will help prevent unauthorized parties from using your organization to send spam or malware through Office 365.
This change potentially affects your mail flow if you use any scenario in this section. Each scenario has best practices to ensure that your mail flow continues uninterrupted.
COMPLEXITY: Very complex
YOUR ORGANIZATION'S SCENARIO:
Scenario 1: I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use Office 365 as my spam filtering solution and would like to send my messages from my on-premises server to the internet via Office 365. Office 365 sends and receives all messages.
Scenario 2: I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises environment. And all messages coming from the internet to my cloud mailboxes or messages sent to the internet from my cloud mailboxes need to route through my on-premises servers.
Scenario 3: I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises email environment. All messages coming from the internet to my cloud mailboxes or messages sent to the internet from cloud mailboxes must route through my on-premises servers. And I need to point my domain's MX record to my on-premises server.
Scenario 4: I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use the filtering and compliance solutions that are already in my on-premises email environment. All messages sent from my on-premises servers must relay through Office 365 to the internet. And I need to point my domain's MX record to my on-premises server.

MAIL FLOW SETUP: Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem
COMPLEXITY: Most complex
YOUR ORGANIZATION'S SCENARIO:
Scenario: I'm migrating my mailboxes to Office 365, and I want to keep some mailboxes on my organization's mail server (on-premises server). I want to use a third-party cloud service to filter spam from the internet. My messages to the internet need to route through Office 365 to protect my on-premises servers' IP addresses from being added to external block lists.

MAIL FLOW SETUP: Send emails from a multifunction printer/scanner/fax/application through Office 365
For details about this scenario, see How to set up a multifunction device or application to send email using Office 365.
COMPLEXITY: Complex
YOUR ORGANIZATION'S SCENARIO:
Scenario: All my organization's mailboxes are hosted in Office 365, but I have a multifunction printer, scanner, fax machine, or an application that needs to send email.

MAIL FLOW SETUP: Using Exchange Online Protection (EOP) standalone
For details about this scenario, see Mail Flow in EOP and How connectors work with my on-premises email servers
COMPLEXITY: Simple
YOUR ORGANIZATION'S SCENARIO:
Scenario: I have my own email servers (on-premises servers), and I subscribe to EOP for email protection services only.

For information about migrating your email to Microsoft Exchange Online, see Ways to migrate multiple email
accounts to Office 365.

Introduction to the basics of Office 365 mail flow


Office 365 uses domains, like contoso.com, to route email messages. When you set up email in Office 365, you
typically switch from the default domain that you got when you first signed up for Office 365 (the domain ending
with .onmicrosoft.com) to your organization's domain. Domain names, like contoso.com, are managed by using a
worldwide system of domain registrars (for example, GoDaddy, HostGator, or Moniker) and databases called the
Domain Name System (DNS). DNS provides a mapping between human-readable computer hostnames and the
IP addresses used by networking equipment. If you're new to DNS, we recommend that you read DNS basics.
The following video provides you with a quick overview of some of the most important concepts about what DNS
is and how it works.

Understanding how DNS records control mail flow


In Office 365 mail flow, there are several components of DNS that are particularly important for email
authentication and delivery: MX records, SPF, DKIM, and DMARC.
MX (mail exchanger) records provide an easy way for mail servers to know where to send email. You can think
of the MX record as a type of postal address. If you want Office 365 to receive all email addressed to
anyone@contoso.com, the MX record for contoso.com should point to Office 365, and it will look like the
following example:

Hostname: contoso-com.mail.protection.outlook.com
Priority: 0
TTL: 1 hour
SPF (sender policy framework) is a specially formatted TXT record in DNS. SPF validates that only the
organization that owns a domain is actually sending email from that domain. SPF is a security measure that helps
make sure someone doesn't impersonate another organization. This impersonation is often called spoofing. As a
domain owner, you can use SPF to publish a list of IP addresses or subnets that are authorized to send email on
your organization's behalf. This can be helpful if you want to send email from multiple servers or services with
different IP addresses.

IMPORTANT
You can only have one SPF record per domain. Having multiple SPF records will invalidate all SPF records and cause mail flow
problems.

Because most modern email servers look up a domain's SPF record before they accept any email from it, it's
important to set up a valid SPF record in DNS when you first set up mail flow. For a quick introduction to SPF
and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth
understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid
deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DomainKeys Identified Mail (DKIM) lets you attach a digital signature to email messages in the message
header of emails you send. Email systems that receive email from your domain use this digital signature to
determine if incoming email that they receive is legitimate. For information about DKIM and Office 365, see Use
DKIM to validate outbound email sent from your domain in Office 365.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps receiving mail
systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for
your email partners. For information on setting up DMARC, see Use DMARC to validate email in Office 365.
Use SPF, DKIM, and DMARC together for the best experience.
How MX records affect spam filtering
For the best mail flow experience, especially for spam filtering, we recommend pointing the MX record for your
organization's domain to Office 365. Spam scanning is the initial connection point to the Office 365 service. Who
is sending the message, the IP address of the server that originally sent the message, and the behavior of the
connecting mail server, all help determine whether a message is legitimate or spam. If your domain's MX record
doesn't point to Office 365, the spam filters won't be as effective. If your MX record doesn't point to Office 365,
there will be some valid messages that the service misclassifies as spam and some spam messages that the
service misclassifies as legitimate email.
With that said, there are legitimate business scenarios that require your domain's MX record to point to
somewhere other than Office 365. For example, email destined for your organization might need to initially arrive
at another destination (such as a third-party archiving solution), then route through Office 365, and then be
delivered to mailboxes on your organization's mail server. This setup might provide the best solution to meet your
business requirements.
Whatever your needs, this guide will help you understand how your MX records, SPF, and, potentially, connectors
need to be set up.
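The DNS conditions described in this section (exactly one SPF record, an MX record that points to Office 365, and a DMARC record) can be checked against a domain's DNS answers before mail flow is switched. The following Python code is an added example, not part of the original documentation or of any Microsoft tool; the function names are hypothetical and every record in BEFORE and AFTER is constructed sample data.

```python
"""Offline audit of a domain's mail-related DNS records (added example).

All records below are constructed sample data. In practice, pass in the
MX and TXT answers returned by your own resolver.
"""

# Suffix taken from the MX example above (contoso-com.mail.protection.outlook.com).
O365_MX_SUFFIX = ".mail.protection.outlook.com"


def norm_host(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def spf_records(txt_records):
    """Return every TXT string that is an SPF record (first term is v=spf1)."""
    found = []
    for txt in txt_records:
        value = txt.strip().strip('"')
        terms = value.split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(value)
    return found


def dmarc_policy(dmarc_txt):
    """Return the p= tag of the first DMARC record, '' if the tag is absent,
    or None when _dmarc.<domain> has no DMARC record at all."""
    for txt in dmarc_txt:
        tags = [t.strip() for t in txt.strip().strip('"').split(";") if t.strip()]
        if not tags or tags[0].replace(" ", "").lower() != "v=dmarc1":
            continue
        for tag in tags[1:]:
            key, _, val = tag.partition("=")
            if key.strip().lower() == "p":
                return val.strip().lower()
        return ""
    return None


def audit_mail_dns(mx, txt, dmarc_txt):
    """mx: list of (preference, hostname); txt: TXT strings at the domain;
    dmarc_txt: TXT strings at _dmarc.<domain>. Returns (code, detail) findings."""
    findings = []

    spf = spf_records(txt)
    if not spf:
        findings.append(("SPF_MISSING", "no v=spf1 TXT record published"))
    elif len(spf) > 1:
        # More than one SPF record invalidates all of them.
        findings.append(("SPF_MULTIPLE", "%d SPF records; merge into one" % len(spf)))

    if not mx:
        findings.append(("MX_MISSING", "domain has no MX record"))
    else:
        lowest = min(pref for pref, _ in mx)  # lowest preference is tried first
        primary = [norm_host(host) for pref, host in mx if pref == lowest]
        elsewhere = [h for h in primary if not h.endswith(O365_MX_SUFFIX)]
        if elsewhere:
            # Legitimate in some routing scenarios, but spam filtering is less effective.
            findings.append(("MX_NOT_OFFICE365", "primary MX is " + ", ".join(elsewhere)))

    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        findings.append(("DMARC_MISSING", "no v=DMARC1 record at _dmarc"))
    elif policy in ("", "none"):
        findings.append(("DMARC_NOT_ENFORCED", "policy tag is absent or p=none"))
    return findings


# Constructed "before" state: a second SPF record was added for the on-premises
# server instead of being merged, MX still points on-premises, no DMARC record.
BEFORE = {
    "mx": [(10, "mail.contoso.com.")],
    "txt": ['"v=spf1 include:spf.protection.outlook.com -all"',
            '"v=spf1 ip4:192.0.2.10 -all"',
            '"MS=ms00000000"'],
    "dmarc_txt": [],
}
# Constructed "after" state: one merged SPF record, MX at Office 365, DMARC enforced.
AFTER = {
    "mx": [(0, "contoso-com.mail.protection.outlook.com.")],
    "txt": ['"v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all"'],
    "dmarc_txt": ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"'],
}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_mail_dns(**zone))
```

MX_NOT_OFFICE365 is informational: the scenarios later in this guide that keep the MX record on-premises will report it by design.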

For more information


The following are additional topics related to mail flow in Exchange Online:
Test mail flow by validating your Office 365 connectors
Troubleshoot Office 365 mail flow
Use Directory Based Edge Blocking to reject messages sent to invalid recipients
Manage accepted domains in Exchange Online
Remote domains in Exchange Online
Message format and transmission in Exchange Online
Configure the external postmaster address in Exchange Online
How to set up a multifunction device or application to send email using Office 365
Test mail flow by validating your Office 365 connectors
3/4/2019 • 2 minutes to read

To validate and troubleshoot mail flow from Office 365 to your organization's email server (also called on-
premises server), validate your connectors. You can set up and validate connectors on the connectors page in the
Exchange admin center (EAC). The built-in validation tests that your mail flow from Office 365 reaches:
Your organization's email server
A partner organization.
For more information, see Validate connectors in Office 365.
Mail flow issues can also happen when your MX record is not set up correctly. To verify your MX record, see Find
and fix issues after adding your domain or DNS records in Office 365.

NOTE
These tests replace Office 365 mail flow troubleshooting that was previously available in the Remote Connectivity Analyzer.

See also
Configure mail flow using connectors in Office 365
Set up connectors to route mail between Office 365 and your own email servers
Fixing connector validation errors
When do I need a connector?
Troubleshoot Office 365 mail flow
3/4/2019 • 2 minutes to read

Can't send or receive email? Office 365 for business offers several ways for you, as an admin, to troubleshoot the issue.
We recommend using the automated solutions because they are typically easier and faster than manual
troubleshooting.
For instructions about troubleshooting options, see Find and fix email delivery issues as an Office 365 for
business admin.

Troubleshoot mail flow caused by connectors


To validate and troubleshoot mail flow from Office 365 to the email servers in your on-premises organization
(also called the on-premises server), validate your connectors. You can set up and validate connectors on the
Connectors page in the Exchange admin center (EAC). The built-in validation tests that your mail flow from Office
365 reaches:
Your organization's email server
A partner organization.
For more information, see Validate connectors in Office 365.

Troubleshoot mail flow issues caused by incorrect SPF records or MX records
Troubleshooting: Best practices for SPF in Office 365 gives tips on how to fix several SPF record errors. The
beginning of that article also provides an explanation of what SPF records are and how Office 365 uses them to
prevent spoofing.
Mail flow issues can also happen when your MX record is not set up correctly. To verify your MX record, see Find
and fix issues after adding your domain or DNS records in Office 365.

For more information


Mail flow best practices for Exchange Online and Office 365 (overview)
Mail Flow in EOP
Configure mail flow using connectors in Office 365
3/29/2019 • 9 minutes to read

Connectors are a collection of instructions that customize the way your email flows to and from your Office 365
organization. Actually, most Office 365 organizations don't need connectors for regular mail flow. This topic
describes the mail flow scenarios that require connectors.

What do connectors do?


Connectors are used to:
Enable mail flow between Office 365 and any email server that you have in your on-premises organization
(also known as on-premises email servers).
Apply security restrictions or controls to email exchanges between your Office 365 organization and a
business partner or service provider.
Enable email notifications from printers, devices, or other non-mailbox entities.
Avoid graylisting that would otherwise occur because of the large volume of mail that's regularly
exchanged between your Office 365 organization and your on-premises email server or partners.

NOTE
Graylisting is a delay tactic that's used to protect email systems from spam. In Office 365, graylisting is done by throttling
IPs to limit senders from sending suspiciously large amounts of email. Office 365 responds to these abnormal influxes of
mail by returning a temporary non-delivery report error (also known as an NDR or bounce message) in the range 451
4.7.500-699 (ASxxx). For more details on these types of delivery issues, see Fix email delivery issues for error code 451
4.7.500-699 (ASxxx) in Office 365.
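To see whether graylisting is actually affecting a sending server, the 451 4.7.500-699 replies can be separated from other temporary failures in that server's outbound SMTP log and counted per sending IP address. The following Python code is an added example, not part of the original documentation; the log line format, the reply texts, the AS numbers and the function names are all constructed for illustration.

```python
"""Spot Office 365 throttling (graylisting) deferrals in an outbound SMTP log.

Added example. The log format and every line in SAMPLE_LOG are constructed;
adapt LINE_RE to whatever your own mail server writes.
"""
import re
from collections import defaultdict

# One constructed log line: timestamp, sending IP, recipient, remote reply text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) rcpt=(?P<rcpt>\S+) reply=(?P<reply>.*)$")
# Basic code 451, enhanced status 4.7.nnn, and optionally an (ASnnn) tag.
REPLY_RE = re.compile(
    r"^451[ -]4\.7\.(?P<sub>\d{3})(?!\d)(?:.*\((?P<as_code>AS\d+)\))?")


def throttle_match(reply):
    """Return the regex match if the reply is in 451 4.7.500-699, else None."""
    m = REPLY_RE.match(reply.strip())
    if m and 500 <= int(m.group("sub")) <= 699:
        return m
    return None


def classify_reply(reply):
    """Return 'throttled', 'delivered', 'deferred' or 'failed' for one SMTP reply."""
    if throttle_match(reply):
        return "throttled"
    first = reply.strip()[:1]
    # Any other 4xx is a temporary failure that is not graylisting.
    return {"2": "delivered", "4": "deferred"}.get(first, "failed")


def throttle_report(lines, min_hits=2):
    """Count throttling deferrals per sending IP; flag IPs with min_hits or more."""
    events = defaultdict(list)
    attempts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format
        attempts[m.group("src")] += 1
        hit = throttle_match(m.group("reply"))
        if hit:
            events[m.group("src")].append((m.group("ts"), hit.group("as_code")))
    report = {}
    for src, hits in events.items():
        report[src] = {
            "throttled": len(hits),
            "attempts": attempts[src],
            "as_codes": sorted({code for _, code in hits if code}),
            "first_seen": min(ts for ts, _ in hits),
            "flag": len(hits) >= min_hits,
        }
    return report


# Constructed sample log (documentation IP ranges, made-up reply texts and AS numbers).
SAMPLE_LOG = [
    "2019-03-04T10:15:02Z src=203.0.113.25 rcpt=bob@contoso.com reply=250 2.6.0 Queued",
    "2019-03-04T10:15:03Z src=203.0.113.25 rcpt=bob@contoso.com reply=451 4.7.500 Server busy (AS100)",
    "2019-03-04T10:15:09Z src=203.0.113.25 rcpt=ann@contoso.com reply=451 4.7.500 Server busy (AS100)",
    "2019-03-04T10:16:40Z src=203.0.113.25 rcpt=ann@contoso.com reply=451 4.7.650 Rate limited (AS200)",
    "2019-03-04T10:17:00Z src=198.51.100.7 rcpt=bob@contoso.com reply=451 4.4.0 DNS query failed",
    "2019-03-04T10:17:05Z src=198.51.100.7 rcpt=bob@contoso.com reply=451 4.7.500 Server busy (AS100)",
    "2019-03-04T10:18:11Z src=198.51.100.7 rcpt=bob@contoso.com reply=550 5.7.1 Rejected",
]

if __name__ == "__main__":
    for src, row in sorted(throttle_report(SAMPLE_LOG).items()):
        print(src, row)
```

A flagged address that belongs to your own on-premises server or to a regular partner is a candidate for a connector, which is how this topic says graylisting of that traffic is avoided.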

What happened to inbound and outbound connectors?


Nothing. We just don't call them "inbound" and "outbound" anymore (although the PowerShell cmdlet names
still contain these terms). If you previously set up inbound and outbound connectors, they will still function in
exactly the same way.
The process for setting up connectors has changed; instead of using the terms "inbound" and "outbound", we ask
you to specify the start and end points that you want to use. The way connectors work in the background is the
same as before (inbound means into Office 365; outbound means sent from Office 365).

When do I need a connector?


Exchange Online is ready to send and receive email from the internet right away. You don't need to set up
connectors unless you have Exchange Online Protection (EOP) or other specific circumstances that are described
in the following table:

SCENARIO: You have a standalone EOP subscription.
DESCRIPTION: You have your own on-premises email servers, and you subscribe to EOP only for email protection
services for your on-premises mailboxes (you have no mailboxes in Exchange Online).
For more information, see the topic Exchange Online Protection overview and the How connectors work with my
on-premises email servers section later in this topic.
CONNECTOR REQUIRED? Yes
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises mail server

SCENARIO: Some of your mailboxes are on your on-premises email servers, and some are in Exchange Online.
DESCRIPTION: Before you manually configure connectors, check whether an Exchange hybrid deployment better
meets your business needs.
For details, see the I have my own email servers section later in this topic and the Exchange Server Hybrid
Deployments topic.
CONNECTOR REQUIRED? Yes
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises email server

SCENARIO: All of your mailboxes are in Exchange Online, but you need to send email from sources in your
on-premises organization.
DESCRIPTION: You don't have your own email servers, but you need to send email from non-mailboxes: printers,
fax machines, apps, or other devices.
For details, see Option 3: Configure a connector to send mail using Office 365 SMTP relay
CONNECTOR REQUIRED? Optional
CONNECTOR SETTINGS:
Only one connector for incoming email:
• From: Your organization's email server
• To: Office 365

SCENARIO: You frequently exchange sensitive information with business partners, and you want to apply security
restrictions.
DESCRIPTION: You want to use Transport Layer Security (TLS) to encrypt sensitive information or you want to
limit the source (IP addresses) for email from the partner domain.
For details, see Set up connectors for secure mail flow with a partner organization.
CONNECTOR REQUIRED? Optional
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Partner organization
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Partner organization

TIP
If you don't have Exchange Online or EOP and are looking for information about Send connectors and Receive connectors
in Exchange 2016 or Exchange 2019, see Connectors.
I have my own email servers
If you have Exchange Online or EOP and your own on-premises email servers, you definitely need connectors.
This is more complicated and has more options as described in the following table:

YOUR ON-PREMISES EMAIL ORGANIZATION IS: Exchange 2010 or later
YOUR SERVICE SUBSCRIPTION IS: Exchange Online Protection
HAVE YOU COMPLETED AN EXCHANGE HYBRID DEPLOYMENT? Not available
DO I NEED TO SET UP CONNECTORS MANUALLY? Yes. Follow the instructions in Set up connectors to route mail
between Office 365 and your own email servers.

YOUR ON-PREMISES EMAIL ORGANIZATION IS: Exchange 2010 or later
YOUR SERVICE SUBSCRIPTION IS: Exchange Online
HAVE YOU COMPLETED AN EXCHANGE HYBRID DEPLOYMENT? No
DO I NEED TO SET UP CONNECTORS MANUALLY? Consider whether an Exchange hybrid deployment will better meet
your organization's needs by reviewing the topic that matches your current situation in Exchange Server Hybrid
Deployments.
If a hybrid deployment is the right option for your organization, use the Hybrid Configuration wizard to
integrate Exchange Online with your on-premises Exchange organization.
If you don't want a hybrid deployment and you only want connectors that enable mail routing, follow the
instructions in Set up connectors to route mail between Office 365 and your own email servers.

YOUR ON-PREMISES EMAIL ORGANIZATION IS: Exchange 2010 or later
YOUR SERVICE SUBSCRIPTION IS: Exchange Online
HAVE YOU COMPLETED AN EXCHANGE HYBRID DEPLOYMENT? Yes
DO I NEED TO SET UP CONNECTORS MANUALLY? No. The Hybrid Configuration wizard creates connectors for you. To
view or edit those connectors, go to the Connectors page in the Exchange admin center (EAC), or rerun the
Hybrid Configuration wizard.

YOUR ON-PREMISES EMAIL ORGANIZATION IS: Exchange 2007 or earlier
YOUR SERVICE SUBSCRIPTION IS: Exchange Online Protection or Exchange Online
HAVE YOU COMPLETED AN EXCHANGE HYBRID DEPLOYMENT? Not available
DO I NEED TO SET UP CONNECTORS MANUALLY? Yes. Follow the instructions in Set up connectors to route mail
between Office 365 and your own email servers.
In limited circumstances, you might have a hybrid configuration with Exchange Server 2007 and Office 365.
Check whether connectors are already set up for your organization by going to the Connectors page in the EAC.

YOUR ON-PREMISES EMAIL ORGANIZATION IS: Non-Microsoft SMTP server
YOUR SERVICE SUBSCRIPTION IS: Exchange Online Protection or Exchange Online
HAVE YOU COMPLETED AN EXCHANGE HYBRID DEPLOYMENT? Not available
DO I NEED TO SET UP CONNECTORS MANUALLY? Yes. Follow the instructions in Set up connectors to route mail
between Office 365 and your own email servers.

How connectors work with my on-premises email servers


Connectors enable mail flow in both directions (to Office 365 and from Office 365). You can enable mail flow
with any SMTP server (for example, Microsoft Exchange or a third-party email server).
The diagram below shows how connectors in Exchange Online or EOP work with your own email servers.

In this example, John and Bob are both employees at your company. John has a mailbox on an email server that
you manage, and Bob has a mailbox in Exchange Online. John and Bob both exchange mail with Sun, a customer
with an internet email account:
When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet email is delivered via
Office 365).
When email is sent between Bob and Sun, no connector is needed.

IMPORTANT
Always confirm that your internet-facing email servers aren't accidentally configured to allow open relay. An open relay
allows mail from any source (spammers) to be transparently re-routed through the open relay server. This behavior masks
the original source of the messages, and makes it look like the mail originated from the open relay server.

What if I've already run the Hybrid Configuration Wizard?


If you've already run the Hybrid Configuration wizard, the required connectors are already configured for you.
You can view your hybrid connectors on the Connectors page in the EAC. You can view, troubleshoot, and
update these connectors using the procedures described in Set up connectors to route mail between Office 365
and your own email servers, or you can re-run the Hybrid Configuration wizard to make changes.

Connectors for mail flow with a partner organization


You can create connectors to add additional security restrictions for email sent between Office 365 and a partner
organization. A partner can be an organization you do business with, such as a bank. It can also be a cloud email
service provider that provides services such as archiving, antispam, and so on. You can create a partner connector
that defines boundaries and restrictions for email sent to or received from your partners, including scoping the
connector to receive email from specific IP addresses, or requiring TLS encryption.
Example use of connectors with a partner organization
The diagram below shows an example where ContosoBank.com is a business partner that you share financial
details with via email. Because you are sharing financial information, you want to protect the integrity of the mail
flow between your businesses. Connectors with TLS encryption enable a secure and trusted channel for
communicating with ContosoBank.com. In this example, two connectors are created in Office 365. TLS is
required for mail flow in both directions, so ContosoBank.com must have a valid encryption certificate. A
certificate from a commercial certification authority (CA) that's automatically trusted by both parties is
recommended.

Additional partner organization connector options: specify a domain or IP address ranges


When you create a connector, you can also specify the domain or IP address ranges that your partner sends mail
from. If email messages don't meet the security conditions that you set on the connector, the message will be
rejected. For more information about creating connectors to exchange secure email with a partner organization,
see Set up connectors for secure mail flow with a partner organization.

Connectors for mail notifications from printers and devices


This scenario applies only to organizations that have all their mailboxes in Exchange Online (no on-premises
email servers) and allows a program or a device, such as a printer, to send email. For example, if you want a
printer to send notifications when a print job is ready, or you want your scanner to email documents, you can use
this option to send mail through Office 365 (but there are other options that don't require connectors). For
details, see How to Allow a Multi-function Device or Application to Send E-mail through Office 365 Using SMTP.

How do I set up connectors?


Before you set up a connector, you need to configure the accepted domains for Office 365. For more information,
see Manage accepted domains in Exchange Online.
Connector setup topics:
Set up connectors to route mail between Office 365 and your own email servers
Set up connectors for secure mail flow with a partner organization

See also
Set up connectors to route mail between Office 365 and your own email servers
Mail flow best practices for Exchange Online and Office 365 (overview)
Set up connectors for secure mail flow with a partner organization
What happens when I have multiple connectors for the same scenario?
Do I need to create a connector in Exchange Online?
3/29/2019 • 2 minutes to read

Find your mail flow scenario to see if you need to create a connector for your Exchange Online organization.

SCENARIO: You have a standalone EOP subscription.
DESCRIPTION: You have your own on-premises email servers, and you subscribe to EOP only for email protection
services for your on-premises mailboxes (you have no mailboxes in Exchange Online).
For more information, see the topic Exchange Online Protection overview and How connectors work with my
on-premises email servers.
CONNECTOR REQUIRED? Yes
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises mail server

SCENARIO: Some of your mailboxes are on your on-premises email servers, and some are in Exchange Online.
DESCRIPTION: Before you manually configure connectors, check whether an Exchange hybrid deployment better
meets your business needs.
For details, see I have my own email servers and Exchange Server Hybrid Deployments.
CONNECTOR REQUIRED? Yes
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Your on-premises email server
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Your on-premises email server

SCENARIO: All of your mailboxes are in Exchange Online, but you need to send email from sources in your
on-premises organization.
DESCRIPTION: You don't have your own email servers, but you need to send email from non-mailboxes: printers,
fax machines, apps, or other devices.
For details, see Option 3: Configure a connector to send mail using Office 365 SMTP relay
CONNECTOR REQUIRED? Optional
CONNECTOR SETTINGS:
Only one connector for incoming email:
• From: Your organization's email server
• To: Office 365

SCENARIO: You frequently exchange sensitive information with business partners, and you want to apply security
restrictions.
DESCRIPTION: You want to use Transport Layer Security (TLS) to encrypt sensitive information or you want to
limit the source (IP addresses) for email from the partner domain.
For details, see Set up connectors for secure mail flow with a partner organization.
CONNECTOR REQUIRED? Optional
CONNECTOR SETTINGS:
Connector for incoming email:
• From: Partner organization
• To: Office 365
Connector for outgoing email:
• From: Office 365
• To: Partner organization

NOTE
For more information about these scenarios, see Configure mail flow using connectors in Office 365.
Set up connectors to route mail between Office 365 and your own email servers
3/29/2019 • 12 minutes to read

This topic helps you set up the connectors you need for the following two scenarios:
You have your own email servers (also called on-premises servers), and you subscribe to Exchange Online
Protection (EOP) for email protection services.
You have (or intend to have) mailboxes in two places; some mailboxes in Office 365, and some of your
mailboxes are on your organization email servers (also called on-premises servers).

NOTE
Before you get started, make sure you check on your specific scenario in I have my own email servers.

How do Office 365 connectors work with my on-premises email servers?
If you have EOP and your own email servers, or if some of your mailboxes are in Office 365 and some are on
your email servers, set up connectors to enable mail flow in both directions. You can enable mail flow between
Office 365 and any SMTP-based email server, such as Exchange or a third-party email server.
The diagram below shows how connectors in Office 365 (including Exchange Online or EOP) work with your
own email servers.

In this example, John and Bob are both employees at your company. John has a mailbox on an email server that
you manage, and Bob has a mailbox in Office 365. John and Bob both exchange mail with Sun, a customer with
an internet email account:
When email is sent between John and Bob, connectors are needed.
When email is sent between John and Sun, connectors are needed. (All internet email is delivered via
Office 365.)
When email is sent between Bob and Sun, no connector is needed.
If you have your own email servers and Office 365, you must set up connectors in Office 365. Without
connectors, email will not flow between Office 365 and your organization's email servers.

How do connectors route mail between Office 365 and my own email server?
You need two connectors to route email between Office 365 and your email servers, as follows:
A connector from Office 365 to your own email server
When you set up Office 365 to accept all email on behalf of your organization, you will point your domain's MX
(mail exchange) record to Office 365. To prepare for this mail delivery scenario, you must set up an alternative
server (called a "smart host") so that Office 365 can send email to your organization's email server (also called
"on-premises server"). To complete the scenario, you might need to configure your email server to accept
messages delivered by Office 365.
A connector from your own email server to Office 365
When this connector is set up, Office 365 will accept messages from your organization's email server and send
the messages to recipients on your behalf. This recipient could be a mailbox for your organization in Office 365,
or it could be a recipient on the internet. To complete this scenario, you'll also need to configure your email
server to send email messages directly to Office 365.
This connector enables Office 365 to scan your email for spam and malware, and to enforce compliance
requirements such as running data loss prevention policies. When your email server sends all email messages
directly to Office 365, your own IP addresses are shielded from being added to a spam block list. To complete
the scenario, you might need to configure your email server to send messages to Office 365.

NOTE
This scenario requires two connectors: one from Office 365 to your mail servers, and one to manage mail flow in the
opposite direction. Before you start, make sure you have all the information you need, and continue with the instructions
until you have set up and validated both connectors.

Overview of the steps


Here is an overview of the steps:
Complete the prerequisites for your email server environment.
Part 1: Configure mail to flow from Office 365 to your email server.
Part 2: Configure mail to flow from your email server to Office 365.

Prerequisites for your on-premises email environment


Prepare your on-premises email server so that it's ready to connect with Office 365. Follow these steps:
1. Make sure that your on-premises email server is set up and capable of sending and receiving internet
(external) email.
2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid
certification authority-signed (CA-signed) certificate. We recommend that the certificate subject name
includes the domain name that matches the primary email server in your organization. Buy a CA-signed
digital certificate that matches this description, if necessary.
3. If you want to use certificates for secure communication between Office 365 and your email server,
update the connector your email server uses to receive mail. This connector must recognize the right
certificate when Office 365 attempts a connection with your server. If you're using Exchange, see Receive
Connectors for more information. On the Edge Transport Server or Client Access Server (CAS), configure
the default certificate for the Receive connector. Update the TlsCertificateName parameter on the
Set-ReceiveConnector cmdlet in the Exchange Management Shell. To learn how to open the Exchange
Management Shell in your on-premises Exchange organization, see Open the Exchange Management
Shell.
4. Make a note of the name or IP address of your external-facing email server. If you're using Exchange, this
will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive
email from Office 365.
5. Open port 25 on your firewall so that Office 365 can connect to your email servers.
6. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online
Protection IP addresses for the published IP address range.
7. Make a note of an email address for each domain in your organization. You'll need this later to test that
your connector is working properly.

Part 1: Configure mail to flow from Office 365 to your on-premises email server
There are three steps for this:
1. Configure your Office 365 environment.
2. Set up a connector from Office 365 to your email server.
3. Change your MX record to redirect your mail flow from the internet to Office 365.
1. Configure your Office 365 environment
Make sure you have completed the following in Office 365:
1. To set up connectors, you need permissions assigned before you can begin. To check what permissions
you need, see the "Office 365 connectors" entry in the Feature permissions in EOP topic.
2. If you want EOP or Exchange Online to relay email from your email servers to the internet, either:
Use a certificate configured with a subject name that matches an accepted domain in Office 365. We
recommend that your certificate's common name or subject alternative name matches the primary
SMTP domain for your organization. For details, see Prerequisites for your on-premises email
environment.
-OR-
Make sure that all your organization sender domains and subdomains are configured as accepted
domains in Office 365.
For more information about defining accepted domains, see Manage accepted domains in Exchange
Online and Enable mail flow for subdomains in Exchange Online.
3. Decide whether you want to use mail flow rules (also known as transport rules) or domain names to
deliver mail from Office 365 to your email servers. Most businesses will choose to deliver mail for all
accepted domains. For more information, see Scenario: Conditional mail routing in Exchange Online.

NOTE
You can set up mail flow rules as described in Mail flow rule actions in Exchange Online. For example, you might want to
use mail flow rules with connectors if your mail is currently directed via distribution lists to multiple sites.
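Step 2 of the list above gives two ways to let Office 365 relay mail from your email servers: a certificate whose subject name matches an accepted domain, or every sender domain and subdomain configured as an accepted domain. The following Python code is an added example, not part of the original documentation or of Office 365 itself, that checks both options before relay is switched on; the function names, the domains, certificate names and addresses are constructed, and the strict name comparison and the per-domain subdomain flag are assumptions made for the example.

```python
"""Pre-flight check for relaying on-premises mail through Office 365 (added example).

Models the two options in step 2 above. All domains, certificate names and
addresses are constructed sample data.
"""


def norm_domain(name):
    """Lower-case a domain and drop surrounding whitespace and the root dot."""
    return name.strip().rstrip(".").lower()


def domain_of(address):
    """Return the domain part of an SMTP address."""
    return norm_domain(address.rsplit("@", 1)[-1])


def cert_matches(cert_names, accepted):
    """Certificate names (CN or SAN) that equal an accepted domain.

    Assumption: a wildcard name '*.example.com' is compared by its base
    domain; a host name such as mail.example.com counts only if that exact
    name is itself an accepted domain."""
    hits = []
    for name in cert_names:
        n = norm_domain(name)
        base = n[2:] if n.startswith("*.") else n
        if base in accepted:
            hits.append(n)
    return hits


def sender_covered(domain, accepted):
    """True if the domain is an accepted domain, or a subdomain of one that has
    subdomain matching switched on (the boolean value in `accepted`)."""
    d = norm_domain(domain)
    if d in accepted:
        return True
    labels = d.split(".")
    # Walk up the parents, stopping before the bare top-level label.
    for i in range(1, len(labels) - 1):
        if accepted.get(".".join(labels[i:])):
            return True
    return False


def audit_relay_readiness(accepted, cert_names, sender_addresses):
    """accepted: dict of accepted domain -> subdomain-matching flag (assumed input)."""
    accepted = {norm_domain(d): bool(sub) for d, sub in accepted.items()}
    hits = cert_matches(cert_names, accepted)
    uncovered = sorted({domain_of(a) for a in sender_addresses
                        if not sender_covered(domain_of(a), accepted)})
    return {
        "certificate_option": bool(hits),
        "certificate_matches": hits,
        "domain_option": not uncovered,
        "uncovered_sender_domains": uncovered,
        "ready": bool(hits) or not uncovered,  # either option is enough
    }


# Constructed sample data.
ACCEPTED = {"contoso.com": False, "fabrikam.com": True}
SENDERS = ["alice@contoso.com", "scanner@branch.contoso.com",
           "app@eu.fabrikam.com", "news@contoso-marketing.example"]
CERT_BEFORE = ["mail01.corp.local", "mail.contoso.com"]   # no accepted domain named
CERT_AFTER = ["mail.contoso.com", "contoso.com"]          # SAN adds the primary SMTP domain

if __name__ == "__main__":
    print(audit_relay_readiness(ACCEPTED, CERT_BEFORE, SENDERS))
    print(audit_relay_readiness(ACCEPTED, CERT_AFTER, SENDERS))
```

Feed it the sender addresses seen in your on-premises logs; any entry in uncovered_sender_domains needs either an accepted domain or the certificate option before mail from it is relayed.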

2. Set up a connector from Office 365 to your email server


To create a connector in Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
Next, click mail flow, and click connectors.
If any connectors already exist for your organization, you can see them listed here.

Before you set up a new connector, check any connectors that are already listed here for your organization. For
example, if you ran the Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365
and Exchange Server will be set up already and listed here. You don't need to set them up again, but you can edit
them here if you need to. If you don't plan to use the hybrid configuration wizard, or if you're running Exchange
Server 2007 or earlier, or if you're running a non-Microsoft SMTP mail server, set up connectors using the
wizard.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, make sure your connector validates. If the
connector does not validate, double-click the message displayed to get more information, and see About fixing
connector validation errors for help resolving issues.
3. Change your MX record to redirect your mail flow from the internet to Office 365
To redirect email flow to Office 365, change the MX (mail exchange) record for your domain. For instructions on
how to do this, see Add MX record to route email.

Part 2: Configure mail to flow from your email server to Office 365
There are two steps for this:
1. Set up a connector from your email server to Office 365.
2. Set up your email server to relay mail to the internet via Office 365.
Once you have completed Part 2, see the instructions at the end to check that your configuration works.
1. Set up a connector from your email server to Office 365
To create a connector in Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can see
them listed here.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. In particular, see Identifying email from your email server for help configuring certificate or IP
address settings for this connector. The wizard will guide you through setup. At the end, save your connector.
2. Set up your email server to relay mail to the internet via Office 365
Next, you must prepare your email server to send mail to Office 365. This enables mail flow from your email
servers to the internet via Office 365.
If your on-premises email environment is Microsoft Exchange, you create a Send connector that uses smart host
routing to send messages to Office 365. For more information, see Create a Send connector to route outbound
email through a smart host. For instructions on how to do this with Exchange Server 2010, see Create an SMTP
Send Connector.
To create the Send connector in Exchange Server, use the following syntax in the Exchange Management Shell.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open
the Exchange Management Shell.

NOTE
In the following procedures, the CloudServicesMailEnabled parameter is available in Exchange 2013 or later.

New-SendConnector -Name <DescriptiveName> -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts <YourDomain>-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This example creates a new Send Connector with the following properties:
Name: My company to Office 365
FQDN: mail.contoso.com
SmartHosts: contoso-com.mail.protection.outlook.com

New-SendConnector -Name "My company to Office 365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.contoso.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts contoso-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

How do I know connectors will route my organization mail correctly?


If you have completed all of these steps correctly, all your mail will now be delivered via Office 365.
To check that this is working:
1. Send email from a mailbox on your email server to an external (internet) recipient.
2. Send email from an internet mailbox to a mailbox on your email server.
Make sure both emails are received.

Change a connector that Office 365 is using for mail flow


To change settings for a connector, select the connector you want to edit and then select the edit icon as shown in
the following screen shot.

The connector wizard opens, and you can make changes to the existing connector settings. While you change the
connector settings, Office 365 continues to use the existing connector settings for mail flow. When you save
changes to the connector, Office 365 starts using the new settings.

What happens when I have multiple connectors for the same scenario?

Most customers don't need to set up connectors. For those that do, one connector per single mail flow direction
is usually enough. But you can also create multiple connectors for a single mail flow direction, such as from
Office 365 to your email server (also called on-premises server).
When there are multiple connectors, the first step to resolving mail flow issues is to know which connector
Office 365 is using. Office 365 uses the following order to choose a connector to apply to an email:
1. Use a connector that exactly matches the recipient domain.
2. Use a connector that applies to all accepted domains.
3. Use wildcard pattern matching. For example, *.contoso.com would match mail.contoso.com as well as
sales.contoso.com.
Example of how Office 365 applies multiple connectors
In this example, your organization has four accepted domains, contoso.com, sales.contoso.com, fabrikam.com,
and contoso.onmicrosoft.com. You have three connectors configured from Office 365 to your organization's
email server. For this example, these connectors are known as Connector 1, Connector 2, and Connector 3.
Connector 1 is configured for all accepted domains in your organization. The following screen shot shows the
connectors wizard screen where you define which domains the connector applies to. In this case, the setting
chosen is For email messages sent to all accepted domains in your organization.

Connector 2 is set up specifically for your company domain Contoso.com. The following screen shot shows the
connectors wizard screen where you define which domains the connector applies to. In this case, the setting
chosen is Only when email messages are sent to these domains. For Connector 2, your company domain
Contoso.com is specified.

Connector 3 is also set up by using the option Only when email messages are sent to these domains. But,
instead of the specific domain Contoso.com, the connector uses a wildcard: *.Contoso.com as shown in the
following screen shot.
For each email sent from Office 365 to mailboxes on your email server, Office 365 selects the most specific
connector possible. For email sent to:
john@fabrikam.com, Office 365 selects Connector 1.
john@contoso.com, Office 365 selects Connector 2.
john@sales.contoso.com, Office 365 selects Connector 3.

See also
Configure mail flow using connectors in Office 365
Mail flow best practices for Exchange Online and Office 365 (overview)
Validate connectors in Office 365
Set up connectors for secure mail flow with a partner organization
Set up connectors for secure mail flow with a partner
organization
3/6/2019

You can create connectors to apply security restrictions to mail exchanges with a partner organization or service
provider. A partner can be an organization you do business with, such as a bank. It can also be a third-party cloud
service that provides services such as archiving, anti-spam, and filtering.
You can create a connector to enforce encryption via transport layer security (TLS). You can also apply other
security restrictions such as specifying domain names or IP address ranges that your partner organization sends
mail from.

NOTE
Setting up a connector to exchange mail with a partner organization is optional; mail flows to and from your partner
organization without connectors.

If you use a third-party cloud service for email filtering and need instructions for making this work with Office
365, see Mail flow best practices for Exchange Online and Office 365 (overview).

Using connectors to exchange email with a partner organization


By default, Office 365 sends mail using TLS encryption, provided that the destination server also supports TLS. If
your partner organization supports TLS, you only need to create a connector if you want to enforce certain
security restrictions - for example, you always want TLS applied, or you require certificate verification whenever
mail is sent from your partner to your organization.

NOTE
For information about TLS, see How Exchange Online uses TLS to secure email connections in Office 365 and for detailed
technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for
Exchange Online.

When you set up a connector, email messages are checked to make sure they meet the security restrictions that
you specify. If email messages don't meet the security restrictions that you specify, the connector will reject them,
and those messages will not be delivered. This makes it possible to set up a secure communication channel with a
partner organization.
You can set up one or both of the following depending on your requirements:
Set up a connector to apply security restrictions to mail sent from Office 365 to your partner organization
Set up a connector to apply security restrictions to mail sent from your partner organization to Office 365
Also in this article:
Change a connector that Office 365 is using for mail flow
Example security restrictions you can apply to email sent from a partner organization
Review this section to help you determine the specific settings you need for your business.
Set up a connector to apply security restrictions to mail sent from
Office 365 to your partner organization
To create a connector in Office 365, click Admin, then click Exchange to go to the Exchange admin center.
Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can see
them listed here.

Before you set up a new connector, check any connectors that are already listed here for your organization. For
example, if you already have a connector set up for a partner organization, you'll see it listed. Make sure you don't
create duplicate connectors for a single organizational partner; when this happens, it can cause errors, and your
mail might not be delivered.
To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, make sure your connector validates. If the
connector does not validate, see About fixing connector validation errors for help resolving issues.
If you want to create a secure channel with your partner organization in both directions, set up a connector that
restricts mail flow from your partner organization to Office 365.
Set up a connector to apply security restrictions to mail sent from your
partner organization to Office 365
You can set up a connector to apply security restrictions to email that your partner organization sends to you. To
start the wizard, click the plus symbol +. On the first screen, choose the following options:

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more
information. The wizard will guide you through setup. At the end, save your connector.
Ask your partner organization to send a test email. Make sure the email your partner organization sends will
cause the connector to be applied. For example, if you specified security restrictions for mail sent from a specific
partner domain, make sure they send test mail from that domain. Check that the test email is delivered to
confirm that the connector works correctly.

Change a connector that Office 365 is using for mail flow


To change settings for a connector, select the connector you want to edit and then select the edit icon as shown in
the following screen shot.

The connector wizard opens, and you can make changes to the existing connector settings. While you change the
connector settings, Office 365 continues to use the existing connector settings for mail flow. When you save
changes to the connector, Office 365 starts using the new settings.

Example security restrictions you can apply to email sent from a partner organization

Review these connector examples to help you decide whether you want to apply security restrictions to email
sent by a partner organization, and understand what settings will meet your business needs:
Create a partner organization connector
To create a connector in Office 365, click Admin, and then click Exchange to go to the Exchange admin
center. Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can
see them listed here.
To start the wizard, click the plus symbol +. To create a connector for email you receive from a partner
organization, use the options depicted in the following screenshot:

Once you choose this mail flow scenario, you can set up a connector that will apply security restrictions to email
that your partner organization sends to you. For some security restrictions, you might need to talk to your
partner organization to obtain information to complete some settings. Look for the examples that best meet your
needs to help you set up your partner connector.

NOTE
Any email sent from your partner organization that does not meet security restrictions that you specify will not be
delivered.

Example 1: Require that email sent from your partner organization domain contosobank.com is encrypted
using transport layer security (TLS)
To do this, specify your partner organization domain name to identify mail from that partner, and then choose
transport layer security (TLS) encryption when you create your Partner to Office 365 connector. Use these
options during setup:

Use this screen to enter your partner organization's domain name(s) so the connector can identify mail sent by
your partner:
Choose this setting to require encryption for all email from ContosoBank.com using TLS:

When you choose these settings, all email from your partner organization's domain, ContosoBank.com, must be
encrypted using TLS. Any mail that is not encrypted will be rejected.
Example 2: Require that email sent from your partner organization domain ContosoBank.com is encrypted and
uses their domain certificate
To do this, use all the settings shown in Example 1. Also, add the certificate domain name that your partner
organization uses to connect with Office 365. Use this option during setup:

When you set these restrictions, all mail from your partner organization domain must be encrypted using TLS,
and sent from a server with the certificate name you specify. Any email that does not meet these conditions will
be rejected.
Example 3: Require that all email is sent from a specific IP address range
This email could be from a partner organization, such as ContosoBank.com, or from your on-premises
environment. For instance, the MX record for your domain, contoso.com, points to on-premises, and you want all
email sent to contoso.com to come from your on-premises IP addresses only. This helps prevent spoofing and
makes sure your compliance policies can be enforced for all messages.
To do this, specify your partner organization domain name to identify mail from that partner, and then restrict the
IP addresses that you accept mail from. Using an IP address makes the connector more specific because it
identifies a single address or an address range that your partner organization sends mail from. Enter your
partner domain as described in Example 1, then use this option during setup:

When you set these restrictions, all email sent from your partner organization domain, ContosoBank.com, or
from your on-premises environment must be sent from the IP address or an address range you specify. Any mail
that does not meet these conditions will be rejected.
Example 4: Require that all email sent to your organization from the internet is sent from a specific IP address
(third-party email service scenario)
Mail flow from a third-party email service to Office 365 works without a connector. However, in this scenario you
can optionally use a connector to restrict all mail delivery to your organization. If you use the settings described
in this example, they will apply to all email sent to your organization. When all email sent to your organization
comes from a single third-party email service, you can optionally use a connector to restrict all mail delivery; only
mail sent from a single IP address or address range will be delivered.

NOTE
Make sure you identify the full range of IP addresses that your third-party email service sends mail from. If you miss an IP
address, or if one gets added without your knowledge, some mail will not be delivered to your organization.

To restrict all mail sent to your organization from a specific IP address or address range, use these options during
setup:
When you set these restrictions, all mail sent to your organization must be sent from a specific IP address range.
Any internet email that does not originate from this IP address range will be rejected.
Example 5: Require that all mail sent from your partner organization IP address or address range is encrypted
using TLS
To identify your partner organization by IP address, use these options during setup:

Add the requirement for TLS encryption by using this setting:

When you set these restrictions, all mail from your partner organization sent from the IP address or address
range you specify must be sent using TLS. Any mail that does not meet this restriction will be rejected.
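
The five examples above correspond to combinations of a few inbound connector properties. The following added example (not Microsoft's code) classifies partner connectors by which of those restrictions they actually enforce. The property names are those returned by Get-InboundConnector; the mapping from wizard options to properties is this example's reading of the settings, and the connector objects, names, certificate name and IP ranges are constructed sample data.

```powershell
# Added example, not Microsoft's code. Property names follow Get-InboundConnector;
# the connector objects below are constructed sample data.
function Get-PartnerConnectorPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Connector
    )
    process {
        # Domains may be rendered as "smtp:contosobank.com;1" (assumed display
        # format); reduce each entry to the bare domain.
        $domains = @($Connector.SenderDomains | Where-Object { $_ } | ForEach-Object {
            ("$_" -replace '^smtp:', '') -replace ';\d+$', ''
        })
        $ips = @($Connector.SenderIPAddresses | Where-Object { $_ })

        $anyDomain  = ($domains.Count -eq 0) -or ($domains -contains '*')
        $byIp       = $anyDomain -and ($ips.Count -gt 0)
        $requireTls = [bool]$Connector.RequireTls
        $hasCert    = -not [string]::IsNullOrWhiteSpace([string]$Connector.TlsSenderCertificateName)
        $certPinned = [bool]$Connector.RestrictDomainsToCertificate -and $hasCert
        $ipPinned   = [bool]$Connector.RestrictDomainsToIPAddresses -and ($ips.Count -gt 0)

        # Nearest match among the page's examples (assumed mapping).
        if     (-not $anyDomain -and $ipPinned)   { $example = 'Example 3' }
        elseif ($anyDomain -and $ipPinned)        { $example = 'Example 4' }
        elseif (-not $anyDomain -and $requireTls -and $certPinned) { $example = 'Example 2' }
        elseif (-not $anyDomain -and $requireTls) { $example = 'Example 1' }
        elseif ($byIp -and $requireTls)           { $example = 'Example 5' }
        else                                      { $example = 'none' }

        $findings = @()
        if (-not $Connector.Enabled) {
            $findings += 'connector is turned off, so its restrictions are not applied'
        }
        if ($example -eq 'none') {
            $findings += 'identifies the partner but enforces none of the restrictions in Examples 1-5'
        }
        if ($requireTls -and -not $certPinned -and -not $ipPinned -and -not $byIp) {
            $findings += 'TLS is required, but the sending server is not checked against a certificate name or IP range'
        }

        [pscustomobject]@{
            Name        = $Connector.Name
            PageExample = $example
            RequireTls  = $requireTls
            CertPinned  = $certPinned
            IpPinned    = $ipPinned
            Findings    = $findings -join '; '
        }
    }
}

# Helper that builds a constructed connector object for the offline demonstration.
function New-SampleConnector($Name, $Domains, $IPs, $Tls, $CertName, $CertPin, $IpPin, $Enabled = $true) {
    [pscustomobject]@{
        Name = $Name; Enabled = $Enabled; ConnectorType = 'Partner'
        SenderDomains = $Domains; SenderIPAddresses = $IPs
        RequireTls = $Tls; TlsSenderCertificateName = $CertName
        RestrictDomainsToCertificate = $CertPin; RestrictDomainsToIPAddresses = $IpPin
    }
}

# Constructed samples; IP ranges are documentation ranges, not real partner addresses.
$sample = @(
    New-SampleConnector 'ContosoBank TLS'        @('smtp:contosobank.com;1') @() $true $null $false $false
    New-SampleConnector 'ContosoBank TLS + cert' @('smtp:contosobank.com;1') @() $true 'mail.contosobank.com' $true $false
    New-SampleConnector 'ContosoBank IP range'   @('smtp:contosobank.com;1') @('192.0.2.0/24') $false $null $false $true
    New-SampleConnector 'Filtering service only' @('smtp:*;1') @('198.51.100.10') $false $null $false $true
    New-SampleConnector 'Partner by IP + TLS'    @('smtp:*;1') @('203.0.113.0/24') $true $null $false $false
    New-SampleConnector 'Legacy partner'         @('smtp:fabrikam.com;1') @() $false $null $false $false $false
)

$report = $sample | Get-PartnerConnectorPosture
$report | Format-Table Name, PageExample, RequireTls, CertPinned, IpPinned, Findings -AutoSize -Wrap

# Against a live organization (requires an Exchange Online PowerShell session):
# Get-InboundConnector | Where-Object ConnectorType -eq 'Partner' | Get-PartnerConnectorPosture
```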

See also
Configure mail flow using connectors in Office 365
Mail flow best practices for Exchange Online and Office 365 (overview)
About fixing connector validation errors
What happens when I have multiple connectors for the same scenario?
Validate connectors in Office 365
2/28/2019

If your organization has its own email server (also called on-premises server), you must set up connectors to
enable mail flow between Office 365 and your email server. For mail flow to work correctly, your connectors must
be validated and turned on. Connector validation runs as part of the connector setup process. This article helps if
you want to validate your connectors at a different time, or if you want to understand more about the process. Use
built-in connector validation to test whether a connector is set up correctly and fix any mail flow issues before you
turn the connector on.

NOTE
If you want to change connector settings, Office 365 uses the existing connector settings for mail flow until you save your
changes. For more information, see Change a connector that Office 365 is using for mail flow.

Validate and turn on connectors


1. Sign in to Office 365, choose Admin, and then click Exchange to go to the Exchange admin center. Click
Mail flow, and click Connectors.
Any Office 365 connectors that exist for your organization are listed on the Connectors page. This includes
connectors that were created by using the Hybrid Configuration Wizard or PowerShell. You can validate
any connector configured for mail flow from Office 365 to your organization's email server, or to a partner
organization.
2. Choose the connector you want to validate or turn on. You can see information about the connector in the
details pane as shown in the following screen shot.

3. When you select a connector for mail flow that originates in Office 365, you can choose the Validate this
connector link. You can also see whether the connector was validated previously as shown in the following
screen shot.
4. With the connector selected, choose Validate this connector. The Validate this connector dialog box
opens. Enter one or more email addresses to start the validation. Office 365 uses these addresses to make
sure your mail flow is set up correctly. For example, if you want to validate a connector for mail flow from
Office 365 to your organization's email server, enter an email address for a mailbox located on that email
server.
5. Choose Validate to continue. To find out what issues validation examines, and for details about fixing any
validation errors, see Fixing connector validation errors.
6. For each connector, check whether the connector is turned on. If a connector that you need for mail flow
isn't turned on, under Status choose Turn it on.

NOTE
If you continue to have mail flow issues after validating a connector, check whether you have set up multiple connectors that
might apply in a single scenario. For example, problems can occur if you have more than one connector set up for mail flow
from Office 365 to your email server. If you need multiple connectors for mail flow from Office 365 to your email server (or
to a partner), make sure you validate and turn on each connector.
If you want to change a connector, Office 365 uses the existing connector settings for mail flow until you save your changes.
For more information, see Change a connector that Office 365 is using for mail flow.

See also
Set up connectors to route mail between Office 365 and your own email servers
Configure mail flow using connectors in Office 365
Fixing connector validation errors
When do I need a connector?
Scenario: Conditional mail routing in Exchange
Online
2/28/2019

There might be times you need to route mail differently depending on who the mail is sent to or from, where it's
being sent, the contents of the message, and so on. For example, if you have multiple sites around the world, you
might want to route mail to a specific site. You can do this using connectors and mail flow rules (also known as
transport rules).
When the steps below are completed, a mail flow rule will redirect messages addressed to users whose City
property is set to New Orleans to the IP address specified by the Outbound connector.

Step 1: Use the Exchange admin center to create the connector


The first thing we need to do is create an Outbound connector. This connector will be used by the mail flow rule
that we'll set up in Step 2. In this connector, you'll select where messages it receives originate (such as a mailbox in
your Office 365 organization), the type of organization where the messages will be sent (such as your on-premises
servers), the security that should be applied to the connection, and name or IP address of the target server. If you
want to learn more about how to create connectors, check out Configure mail flow using connectors in Office 365.
1. In the EAC, go to Mail flow > Connectors. Click New to create a new connector.
2. In the From: drop-down box, choose Office 365.
3. In the To: drop-down box, choose either Your organization's email server or Partner organization if you
want to connect to a server other than your organization's.
4. Name the connector and add a description. If you want to turn the connector on immediately, check Turn it
on. Click Next.

5. Choose Only when I have a transport rule... and click Next.

6. Specify one or more smart hosts to which Office 365 will deliver email messages.
7. Define your Transport Layer Security (TLS) settings depending on your security needs.

8. Review your new connector configurations and click Next to validate the connector.

Step 2: Use the EAC to create a mail flow rule


Now that we've created a connector, we need to create a mail flow rule that'll send mail to it based on the criteria
you define. There are many conditions you can select from to control when messages should be sent to the
connector.
1. In the EAC, navigate to Mail flow > Rules. Click New and choose Create a new rule....
2. In the New rule window, name the rule. To see all the options available for the rule, click More options... at
the bottom of the page.
3. For *Apply this rule if..., select The recipient... and has specific properties including any of these
words. The select user properties box appears. Click , and under User properties:, choose City. City is
an Active Directory attribute made available for use by the rule. Specify the name of the city, such as New
Orleans. Click OK, and then click OK again to close the select user properties box.

IMPORTANT
Check the accuracy of user attributes in Active Directory to ensure that the mail flow rule works as intended.
Note that outbound connector changes may take time to replicate.
4. For *Do the following..., choose Redirect the message to... and then specify the following connector.
The select connector box appears. Choose the Outbound connector you created previously.
You can choose additional properties for the rule, such as the test mode and when to activate the rule.
5. To save the connector, click Save.
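
The same two steps can be scripted in Exchange Online PowerShell. This is an added example, not part of the original article; it assumes an Exchange Online PowerShell session is already open, and the connector name, smart host and test recipient are hypothetical placeholders. The rule is created in audit (test) mode first, and the helper refuses to create a rule for a connector that was not set up with the "Only when I have a transport rule" option.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already open.
# The connector name, smart host and test recipient are hypothetical placeholders.
$connectorName = 'Office 365 to New Orleans site'
$smartHost     = 'mail-nola.contoso.com'
$testRecipient = 'user@contoso.com'

function New-CityRoutingRule {
    param(
        [Parameter(Mandatory)][string]$City,
        [Parameter(Mandatory)][string]$ConnectorName,
        [ValidateSet('Audit', 'Enforce')][string]$Mode = 'Audit'
    )
    # Fail early if the connector is missing or was not scoped to transport rules.
    $connector = Get-OutboundConnector -Identity $ConnectorName -ErrorAction Stop
    if (-not $connector.IsTransportRuleScoped) {
        throw "Connector '$ConnectorName' has IsTransportRuleScoped set to false; recreate it with 'Only when I have a transport rule'."
    }
    if (-not $connector.Enabled) {
        Write-Warning "Connector '$ConnectorName' is turned off; redirected mail will not use it until it is turned on."
    }
    # Condition: the recipient's City attribute contains the given value.
    # Action: redirect the message to the outbound connector.
    New-TransportRule -Name "Route $City recipients via $ConnectorName" `
        -RecipientADAttributeContainsWords "City:$City" `
        -RouteMessageOutboundConnector $ConnectorName `
        -Mode $Mode
}

# Step 1: outbound connector that is used only when a mail flow rule redirects to it.
New-OutboundConnector -Name $connectorName -ConnectorType OnPremises `
    -IsTransportRuleScoped $true -UseMxRecord $false -SmartHosts $smartHost `
    -TlsSettings CertificateValidation -Enabled $true

# Validate the connector with a recipient that lives behind the smart host.
Validate-OutboundConnector -Identity $connectorName -Recipients $testRecipient

# Step 2: mail flow rule, created in audit mode so its matches can be reviewed first.
# Connector changes may take time to replicate, so this call can fail right after Step 1.
New-CityRoutingRule -City 'New Orleans' -ConnectorName $connectorName -Mode Audit

# Review both objects before enforcing the rule.
Get-OutboundConnector -Identity $connectorName |
    Format-List Name, Enabled, IsTransportRuleScoped, UseMxRecord, SmartHosts, TlsSettings
Get-TransportRule -Identity "Route New Orleans recipients via $connectorName" |
    Format-List Name, State, Mode, RecipientADAttributeContainsWords, RouteMessageOutboundConnector

# When the audit results look right:
# Set-TransportRule -Identity "Route New Orleans recipients via $connectorName" -Mode Enforce
```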
Scenario: Integrate Office 365 with an email add-on
service
2/28/2019

Many third-party cloud service solutions provide add-on services for Office 365. For security reasons, we don't
allow third-party email add-on services to be installed in Office 365. But, you can work with the service provider to
configure the settings in your Office 365 organization so you can use the service.
This topic describes the best practices for how your organization can use a third-party email add-on service by
examining a fictional service named Contoso Signature Service. This fictional service runs in Azure and provides
custom email signatures (note that the service could be deployed in a cloud environment other than Azure). The
mail flow and a high-level summary of the service are shown in the following diagram.

1. When a user in your Office 365 organization composes and sends a message, the message is diverted to
Contoso Signature Service by using a connector and a mail flow rule (also known as a transport rule) that
you create.
Connections from Office 365 to Contoso Signature Service are encrypted by TLS, because you configure
the certificate domain name for the service in the connector settings (for example,
smtp.contososignatureservice.com).
2. Contoso Signature Service accepts the message and adds an email signature to the message. The service
also stamps the message with a custom header to indicate the message has been processed.
3. Contoso Signature Service routes the message back to Office 365. A connector that you create accepts the
incoming messages from Contoso Signature Service.
Contoso Signature Service uses smart host routing to route messages back to the region where your
Office 365 organization is located. For example, if your Office 365 domain is
fabrikam.onmicrosoft.com, the destination smart host is fabrikam.mail.protection.outlook.com.
Contoso Signature Service provides a unique certificate domain name for each customer. You
configure this domain name as an accepted domain in your Office 365 organization, and in the
connector settings (for example,
S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com).
4. Office 365 sends the message with the customized signature to the original recipients.
The rest of this topic explains how to configure mail flow in Office 365 to work with the email add-on service.

NOTE
These elements are required for any email add-on service that you want to integrate with your Office 365 organization. You
need to work with the email add-on service provider to configure their required settings in Office 365.

What do you need to know before you begin?


Estimated time to complete: 15 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To learn how to
use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Create an outbound connector to route messages to the email add-on service

The important settings for the connector are:
From Office 365 to the email add-on service.
Uses smart host routing to the email add-on service.
Uses TLS to encrypt the connection based on the domain name of the email add-on service (smart host).
Use the EAC to create the outbound connector to the email add-on service
1. In the EAC, go to Mail flow > Connectors, and then click New.

2. The new connector wizard opens. On the Select your mail flow scenario page, configure these settings:
From: Office 365
To: Your organization's email server
When you're finished, click Next.
3. On the next page, configure these settings:
Name: Enter a descriptive name (for example, Office 365 to Contoso Signature Service).
Retain internal Exchange email headers (recommended): Configure one of these values:
Checked: Preserves internal headers in messages that are sent to the email add-on service, which
means the messages are treated as trusted internal messages. If you select this value, you'll also need
to use the same value on this setting for the inbound connector that you create in Step 4 (otherwise,
the inbound connector will remove the internal Exchange headers from the returning messages).
Unchecked: Removes internal headers from messages before they're sent to the email add-on
service. If you select this value, the value of this setting on the inbound connector that you create in
Step 4 is meaningless (by definition, there will be no internal Exchange headers to keep or remove in
returning messages).

When you're finished, click Next.


4. On the When do you want to use this connector? page, select Only when I have a transport rule set
up that redirects messages to this connector, and then click Next.
5. On the How do you want to route email messages? page, click Add. In the Add smart host dialog
that appears, enter the smart host value for the email add-on service (for example,
smtp.contososignatureservice.com), click Save, and then click Next.

6. On the How should Office 365 connect to your email server? page, configure these settings:
Verify Always use Transport Layer Security (TLS) to secure the connection (recommended) is
selected.
Verify Issued by a trusted certificate authority (CA) is selected.
Select And the subject name or subject alternative name (SAN) matches this domain name,
and enter the smart host that you used in the previous step (for example,
smtp.contososignatureservice.com).

When you're finished, click Next.


7. On the Confirm your settings page, verify the settings, and then click Next.

8. On the Validate this connector page, click Add. In the Add email dialog that appears, enter an email
address that isn't in Office 365 to test the connector (for example, admin@fabrikam.com), click OK, and then
click Validate.

A progress indicator appears. When the connector validation is complete, click Close.

9. On the Validation result page, click Save.


Use Exchange Online PowerShell to create the outbound connector to the email add-on service
To create the outbound connector to the email add-on service in Exchange Online PowerShell, use this syntax:
New-OutboundConnector -Name "<Descriptive Name>" -ConnectorType OnPremises -IsTransportRuleScoped $true -UseMxRecord $false -SmartHosts <SmartHost> -TlsSettings DomainValidation -TlsDomain <SmartHost> [-CloudServicesMailEnabled $true]

This example creates an outbound connector with these settings:


Name: Office 365 to Contoso Signature Service
Smart host destination of the email add-on service: smtp.contososignatureservice.com
TLS domain for domain validation: smtp.contososignatureservice.com
Internal Exchange message headers that identify messages as internal are preserved in the outbound
messages.

New-OutboundConnector -Name "Office 365 to Contoso Signature Service" -ConnectorType OnPremises -IsTransportRuleScoped $true -UseMxRecord $false -SmartHosts smtp.contososignatureservice.com -TlsSettings DomainValidation -TlsDomain smtp.contososignatureservice.com -CloudServicesMailEnabled $true

For detailed syntax and parameter information, see New-OutboundConnector.


How do you know this step worked?
To verify that you've successfully created an outbound connector to route messages to the email add-on service,
use either of these procedures:
In the EAC, go to Mail flow > Connectors, select the connector, click Edit, and verify the settings.
In Exchange Online PowerShell, replace <Connector Name> with the name of the connector, and run this
command to verify the property values:

Get-OutboundConnector -Identity "<Connector Name>" | Format-List Name,ConnectorType,IsTransportRuleScoped,UseMxRecord,SmartHosts,TlsSettings,TlsDomain,CloudServicesMailEnabled

Step 2: Create a mail flow rule to route unprocessed messages to the email add-on service
The rule routes messages from internal senders to the outbound connector that you created in Step 1 if the
messages haven't already been processed by the email add-on service (the custom header isn't stamped on the
message).
Use the EAC to create a mail flow rule to route unprocessed messages to the email add-on service
1. In the EAC, go to Mail flow > Rules, click New, and then select Create a new rule.
2. In the New rule page that opens, click More options near the bottom of the page.

3. On the New rule page, configure these settings:


Name: Enter a descriptive name (for example, Route email to Contoso Signature Service).
Apply this rule if: Select The sender > Is external/internal > Select Inside the organization,
and then click OK.
Do the following: Select Redirect the message to > The following connector > Select the
outbound connector you created in Step 1, and then click OK.
Except if: Click Add exception > Select A message header > Includes any of these words.
Click Enter text, enter the name of the custom header field that's applied by the email add-on service
(for example, SignatureContoso), and then click OK.
Click Enter words, enter the header field value that indicates a message has been processed by the
email add-on service (for example, true), click Add, and then click OK.
Near the bottom of the page, select Stop processing more rules.
When you're finished, click Save.
Use Exchange Online PowerShell to create a mail flow rule to route unprocessed messages to the email add-on
service
To create the mail flow rule in Exchange Online PowerShell, use this syntax:

New-TransportRule -Name "<Descriptive Name>" -FromScope InOrganization -RouteMessageOutboundConnector "<Connector Name>" -ExceptIfHeaderContainsMessageHeader <HeaderName> -ExceptIfHeaderContainsWords <HeaderValue> -StopRuleProcessing $true

This example creates the mail flow rule with these settings:
Name: Route email to Contoso Signature Service
Outbound connector name: Office 365 to Contoso Signature Service
Header field and value that indicates processing by the email add-on service: SignatureContoso with
the value true.

New-TransportRule -Name "Route email to Contoso Signature Service" -FromScope InOrganization -RouteMessageOutboundConnector "Office 365 to Contoso Signature Service" -ExceptIfHeaderContainsMessageHeader SignatureContoso -ExceptIfHeaderContainsWords true -StopRuleProcessing $true

For detailed syntax and parameter information, see New-TransportRule.


How do you know this step worked?
To verify that you've successfully created a mail flow rule to route unprocessed messages to the email add-on
service, use either of these procedures:
In the EAC, go to Mail flow > Rules, select the rule, click Edit, and verify the settings of the rule.
In Exchange Online PowerShell, replace <Rule Name> with the name of the rule, and run this command to
verify the property values:

Get-TransportRule -Identity "<Rule Name>" | Format-List Name,FromScope,RouteMessageOutboundConnector,ExceptIfHeaderContainsMessageHeader,ExceptIfHeaderContainsWords,StopRuleProcessing

Step 3: Add the custom certificate domain provided by the email add-on service as an accepted domain in Office 365
1. Go to the Office 365 admin center at https://portal.office.com/adminportal/home, and then click Setup >
Domains, and then click Add domain.

2. In the Add a domain page that appears, enter the custom certificate domain that the email add-on service
provided when you enrolled in the service (for example,
S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com), and then click Next.

3. On the Verify domain page, use the details on the TXT record or MX record tabs to create a TXT or MX
proof of domain ownership record for the custom certificate domain. After you've created the proof of
domain ownership record, click Verify. After the domain has been verified, click Save and close.
For more information, see Add your domain to Office 365.

Step 4: Create an inbound connector to receive messages from the email add-on service
The important settings for the connector are:
From the email add-on service to Office 365.
TLS encryption and certificate verification is based on the custom certificate domain name that you
configured as an accepted domain in the previous step.
Use the EAC to create an inbound connector to receive messages from the email add-on service
1. In the EAC, go to Mail flow > Connectors, and then click New.

2. The new connector wizard opens. On the Select your mail flow scenario page, configure these settings:
From Your organization's email server
To Office 365
When you're finished, click Next.
3. On the next page, configure these settings:
Name: Enter a descriptive name (for example, Contoso Signature Service to Office 365).
Retain internal Exchange email headers (recommended): Configure one of these values:
Checked: Preserves internal headers in messages that are returning from the email add-on service. If
you selected this value on this setting for the outbound connector that you created in Step 1, you'll
need to configure the same value here. The internal Exchange headers in the returning messages are
preserved, which means the messages returning from the email add-on service are treated as trusted
internal messages.
Unchecked: Removes the internal Exchange headers (if any) from messages that are returning from
the email add-on service.

When you're finished, click Next.


4. On the How should Office 365 identify email from your email server? page, verify that the first option
is selected (verify by certificate), and enter the certificate domain that the email add-on service gave to you
when you enrolled in the service (for example,
S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com).
When you're finished, click Next.
5. On the Confirm your settings page, verify the settings, and then click Save.

Use Exchange Online PowerShell to create an inbound connector to receive messages from the email add-on
service
To create the inbound connector from the email add-on service in Exchange Online PowerShell, use this syntax:

New-InboundConnector -Name "<Descriptive Name>" -SenderDomains * -ConnectorType OnPremises -RequireTls $true -RestrictDomainsToCertificate $true -TlsSenderCertificateName <CertificateDomainName> [-CloudServicesMailEnabled $true]

This example creates an inbound connector with these settings:


Name: Contoso Signature Service to Office 365
Domain name used by the email add-on service's certificate to authenticate with your Office 365
organization: S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com
Internal Exchange message headers that identify messages returning from the email add-on service as
internal messages are preserved.

New-InboundConnector -Name "Contoso Signature Service to Office 365" -SenderDomains * -ConnectorType OnPremises -RequireTls $true -RestrictDomainsToCertificate $true -TlsSenderCertificateName S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com -CloudServicesMailEnabled $true

For detailed syntax and parameter information, see New-InboundConnector.


How do you know this step worked?
To verify that you've successfully created an inbound connector to receive messages from the email add-on service,
use any of these procedures:
In the EAC, go to Mail flow > Connectors, select the connector, click Edit, and verify the settings.
In Exchange Online PowerShell, replace <Connector Name> with the name of the connector, and run this
command to verify the property values:

Get-InboundConnector -Identity "<Connector Name>" | Format-List Name,SenderDomains,ConnectorType,RequireTls,RestrictDomainsToCertificate,TlsSenderCertificateName,CloudServicesMailEnabled

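
The three verification steps above can be combined into one consistency check across the outbound connector, the mail flow rule and the inbound connector. The following is an added example, not part of the original documentation; the function name is hypothetical and the sample objects are constructed to mirror the page's example values, with one setting deliberately weakened to show a finding.

```powershell
# Added example (not from the original documentation).
# Test-AddOnServiceRouting is a hypothetical helper; it only reads properties
# that the Format-List commands in Steps 1, 2 and 4 display.
function Test-AddOnServiceRouting {
    param(
        [Parameter(Mandatory)] $Outbound,            # from Get-OutboundConnector
        [Parameter(Mandatory)] $Inbound,             # from Get-InboundConnector
        [Parameter(Mandatory)] $Rule,                # from Get-TransportRule
        [Parameter(Mandatory)] [string] $HeaderName,
        [Parameter(Mandatory)] [string] $CertificateDomain
    )

    # Step 1: outbound connector to the email add-on service
    if (-not $Outbound.IsTransportRuleScoped) {
        'Outbound: IsTransportRuleScoped is not $true, so use of the connector is not limited to the mail flow rule.'
    }
    if ($Outbound.UseMxRecord) {
        'Outbound: UseMxRecord is $true; Step 1 expects $false with a smart host.'
    }
    $smartHosts = @($Outbound.SmartHosts | ForEach-Object { "$_" })
    if ("$($Outbound.TlsSettings)" -ne 'DomainValidation') {
        "Outbound: TlsSettings is '$($Outbound.TlsSettings)', not DomainValidation."
    }
    elseif ($smartHosts -notcontains "$($Outbound.TlsDomain)") {
        "Outbound: TlsDomain '$($Outbound.TlsDomain)' is not one of the smart hosts ($($smartHosts -join ', '))."
    }

    # Step 2: mail flow rule that redirects unprocessed internal mail
    if ("$($Rule.FromScope)" -ne 'InOrganization') {
        "Rule: FromScope is '$($Rule.FromScope)', not InOrganization."
    }
    if ("$($Rule.RouteMessageOutboundConnector)" -ne "$($Outbound.Name)") {
        "Rule: routes to '$($Rule.RouteMessageOutboundConnector)', not to '$($Outbound.Name)'."
    }
    if ("$($Rule.ExceptIfHeaderContainsMessageHeader)" -ne $HeaderName -or
        -not $Rule.ExceptIfHeaderContainsWords) {
        "Rule: no exception on header '$HeaderName'; already processed messages would be routed to the service again."
    }
    if (-not $Rule.StopRuleProcessing) {
        'Rule: StopRuleProcessing is not $true.'
    }

    # Step 4: inbound connector for messages returning from the service
    if (-not $Inbound.RequireTls) {
        'Inbound: RequireTls is not $true.'
    }
    if (-not $Inbound.RestrictDomainsToCertificate) {
        'Inbound: RestrictDomainsToCertificate is not $true; the sender is not tied to the certificate domain.'
    }
    if ("$($Inbound.TlsSenderCertificateName)" -ne $CertificateDomain) {
        "Inbound: TlsSenderCertificateName is '$($Inbound.TlsSenderCertificateName)', expected '$CertificateDomain'."
    }
    # The page asks for the same "retain internal headers" choice on both connectors.
    if ([bool]$Inbound.CloudServicesMailEnabled -ne [bool]$Outbound.CloudServicesMailEnabled) {
        'Connectors: CloudServicesMailEnabled differs between the outbound and inbound connector.'
    }
}

# Constructed sample objects. In a live Exchange Online PowerShell session use instead:
#   $out  = Get-OutboundConnector -Identity "Office 365 to Contoso Signature Service"
#   $in   = Get-InboundConnector  -Identity "Contoso Signature Service to Office 365"
#   $rule = Get-TransportRule     -Identity "Route email to Contoso Signature Service"
$out = [pscustomobject]@{
    Name                     = 'Office 365 to Contoso Signature Service'
    IsTransportRuleScoped    = $true
    UseMxRecord              = $false
    SmartHosts               = @('smtp.contososignatureservice.com')
    TlsSettings              = 'DomainValidation'
    TlsDomain                = 'smtp.contososignatureservice.com'
    CloudServicesMailEnabled = $true
}
$in = [pscustomobject]@{
    Name                         = 'Contoso Signature Service to Office 365'
    RequireTls                   = $true
    RestrictDomainsToCertificate = $false   # deliberately weakened in this sample
    TlsSenderCertificateName     = 'S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com'
    CloudServicesMailEnabled     = $true
}
$rule = [pscustomobject]@{
    Name                                = 'Route email to Contoso Signature Service'
    FromScope                           = 'InOrganization'
    RouteMessageOutboundConnector       = 'Office 365 to Contoso Signature Service'
    ExceptIfHeaderContainsMessageHeader = 'SignatureContoso'
    ExceptIfHeaderContainsWords         = @('true')
    StopRuleProcessing                  = $true
}

$findings = @(Test-AddOnServiceRouting -Outbound $out -Inbound $in -Rule $rule `
    -HeaderName 'SignatureContoso' `
    -CertificateDomain 'S5HG3DCG14H8S1R2303RZHM4RX.smtp.contososignatureservice.com')
if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```

The certificate restriction matters most when internal headers are retained, because the page states that returning messages are then treated as trusted internal messages.
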
Use Directory Based Edge Blocking to reject messages sent to invalid recipients
3/4/2019 • 2 minutes to read

Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP) lets you reject
messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to
Office 365 and block all messages sent to email addresses that aren't present in Office 365.
If a message is sent to a valid email address in Office 365, the message continues through the rest of the service
filtering layers: antimalware, antispam, and mail flow rules (also known as transport rules). If the address isn't valid, the
service blocks the message before filtering even occurs, and a non-delivery report (also known as an NDR or
bounce message) is returned to the sender. The NDR looks like this:
550 5.4.1 [<InvalidAlias>@<Domain>]: Recipient address rejected: Access denied.

If all recipients for your domain are in Exchange Online, DBEB is already in effect, and you don't need
to do anything. If you're migrating from another email system to Exchange Online, you can use the procedure in
this topic to enable DBEB for the domain before the migration.

NOTE
In hybrid environments, in order for DBEB to work, email for the domain must be routed to Office 365 first (the MX record
for the domain must point to Office 365).

What do you need to know before you begin?


Estimated time to complete: 5 to 10 minutes
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Configure DBEB
1. Verify that your accepted domain in Exchange Online is set to Internal relay:
a. In the EAC, go to Mail flow > Accepted domains.
b. Select the domain and click Edit.
c. Ensure that the domain type is set to Internal relay. If it's set to Authoritative, change it to Internal relay
and click Save.
2. Add users to Office 365. For example:
Directory synchronization: Add valid users to Office 365 by synchronizing from your on-premises Active
Directory environment to Azure Active Directory in the cloud. For more information about how to set up
directory synchronization, see "Use directory synchronization to manage recipients" in Manage Mail Users in
EOP.
Add users via PowerShell or the EAC: For more information about how to do this, see Manage Mail Users
in EOP or Manage mail users in Exchange Online.
3. Set your accepted domain in Exchange Online to Authoritative:
a. In the EAC, go to Mail flow > Accepted domains.
b. Select the domain and click Edit.
c. Set the domain type to Authoritative.
4. Choose Save to save your changes, and confirm that you want to enable DBEB.
Notes:
Until all of your valid recipients have been added to Exchange Online and replicated through the system,
you should leave the accepted domain configured as Internal relay. Once the domain type has been
changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the
service (except for mail-enabled public folders). There might be infrequent instances where recipient
addresses that do not exist in your Office 365 organization are allowed to relay through the service.
For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge
Blocking support for on-premises Mail Enabled Public Folders.
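
A pre-flight check for step 3 of the procedure above, added here as an example (not part of the original documentation): it compares a list of on-premises SMTP addresses with the proxy addresses already present in Exchange Online and reports what is still missing before the domain is switched to Authoritative. The function names, the sample addresses and the onprem-addresses.txt file are assumptions.

```powershell
# Added example (not from the original documentation).
# Get-SmtpAddress and Get-MissingRecipient are hypothetical helper names.

function Get-SmtpAddress {
    # Normalises proxy-address strings ("SMTP:a@b", "smtp:a@b", "a@b") to
    # lower-case SMTP addresses and drops other address types (X500:, SIP:, ...).
    param([string[]] $Address = @())
    foreach ($a in $Address) {
        if ([string]::IsNullOrWhiteSpace($a)) { continue }
        $a = $a.Trim()
        if ($a -match '^(?<type>[^:@]+):(?<addr>.+)$') {
            if ($Matches.type -ine 'smtp') { continue }
            $a = $Matches.addr
        }
        $a.ToLowerInvariant()
    }
}

function Get-MissingRecipient {
    # Returns the on-premises addresses in $Domain that have no matching
    # proxy address in Exchange Online yet.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $OnPremAddress = @(),
        [string[]] $CloudAddress  = @()
    )
    $suffix = '@' + $Domain.ToLowerInvariant()
    $cloud  = [System.Collections.Generic.HashSet[string]]::new(
                  [string[]]@(Get-SmtpAddress $CloudAddress))
    Get-SmtpAddress $OnPremAddress |
        Where-Object { $_.EndsWith($suffix) -and -not $cloud.Contains($_) } |
        Sort-Object -Unique
}

# Constructed sample data. In a live session (file name is an assumption):
#   $onPrem = Get-Content .\onprem-addresses.txt
#   $cloud  = Get-Recipient -ResultSize Unlimited | ForEach-Object { $_.EmailAddresses }
$onPrem = @(
    'alice@contoso.com'
    'Bob@Contoso.com'          # case differs from the cloud entry
    'carol@contoso.com'        # only non-SMTP proxies exist in the cloud sample
    'dave@fabrikam.com'        # other domain, ignored
)
$cloud = @(
    'SMTP:alice@contoso.com'
    'smtp:bob@contoso.com'
    'X500:/o=Contoso/cn=carol'
    'SIP:carol@contoso.com'
)

$missing = @(Get-MissingRecipient -Domain 'contoso.com' -OnPremAddress $onPrem -CloudAddress $cloud)

if ($missing.Count -eq 0) {
    # All known recipients exist in the service; the change in step 3 is:
    #   Set-AcceptedDomain -Identity contoso.com -DomainType Authoritative
    'All on-premises recipients are present. The domain can be set to Authoritative.'
}
else {
    # Leave the domain as Internal relay; once it is Authoritative, mail to these
    # addresses would be rejected with the 550 5.4.1 NDR.
    "Keep the domain as Internal relay. Missing recipients ($($missing.Count)):"
    $missing
}
```

Mail-enabled public folders are not covered by this comparison; the page's note about them still applies.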
Manage accepted domains in Exchange Online
3/4/2019 • 4 minutes to read

When you add your domain to Office 365, it's called an accepted domain. This means that users in this domain
can send and receive mail. For more information on how to add your domain to Office 365 using the Office 365
admin center, see Add a domain to Office 365.
After you add your domain using the Office 365 admin center, you can use the Exchange admin center (EAC) to
view your accepted domains and configure the domain type.
There are two types of accepted domains in Exchange Online:
Authoritative: Email is delivered to email addresses that are listed for recipients in Office 365 for this
domain. Emails for unknown recipients are rejected.
If you just added your domain to Office 365 and you select this option, it's critical that you add your
recipients to Office 365 before setting up mail to flow through the service.
Typically, you use this option when all the email recipients in your domain are using Office 365. You
can also use it if some recipients exist on your own email servers. However, if recipients exist on
your own email servers, you must add your recipients to this Office 365 domain in order to make
sure that mail is delivered as expected. For more information about how to manage your recipients,
see these topics:
Exchange Online: Manage mail users
Exchange Online Protection: Manage Mail Users in EOP
Setting this option enables Directory Based Edge Blocking (DBEB), which rejects messages for
invalid recipients at the service network perimeter. For more information about configuring DBEB
during a migration, see Use Directory Based Edge Blocking to reject messages sent to invalid
recipients.
Internal relay (also known as non-authoritative): Recipients for this domain can be in Office 365 or
your own email servers. Email is delivered to known recipients in Office 365 or is relayed to your own
email server if the recipients aren't known to Office 365.
You should not select this option if all of the recipients for this domain are in Office 365.
If you select this option, you must create a connector for mail flow from Office 365 to your on-
premises email server; otherwise recipients on the domain who are not hosted in Office 365 won't
be able to receive mail on your own email servers. For more information about setting up
connectors, see Set up connectors to route mail between Office 365 and your own email servers.
This option is required if you enable the subdomain routing option on a domain in order to let email
pass through the service and be delivered to any subdomains of your accepted domains. For more
information, see Enable mail flow for subdomains in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 10 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Domains" entry in the Mail flow permissions topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

View accepted domains


Use the EAC to view accepted domains
1. In the EAC, go to Mail flow > Accepted domains.
2. Click the Name, Accepted Domain, or Domain Type column heading to sort alphabetically in ascending
or descending order. By default, accepted domains are sorted alphabetically by name in ascending order.
Use Exchange Online PowerShell to view accepted domains
To view summary information about all accepted domains, run the following command:

Get-AcceptedDomain

To view details about a specific accepted domain, use the following syntax.

Get-AcceptedDomain -Identity <Name> | Format-List

This example shows details about the accepted domain named contoso.com.

Get-AcceptedDomain -Identity contoso.com | Format-List

Configure the domain type


After you add a domain to your Exchange Online organization in the Office 365 admin center, you can configure
the domain type.
Use the EAC to change the domain type
1. In the EAC, go to Mail flow > Accepted domains.
2. Select the domain and click Edit.
3. In the Accepted Domain window, in the This accepted domain is section, select the domain type. The
possible values are Authoritative and Internal relay.
If you select Authoritative, you must confirm that you want to enable Directory Based Edge Blocking.
If you select Internal Relay, you can enable match subdomains to enable mail flow to all subdomains. For
more information, see Enable mail flow for subdomains in Exchange Online.
4. When you're finished, click Save.
Use Exchange Online PowerShell to change the domain type
To configure the domain type, use the following syntax:
Set-AcceptedDomain -Identity <Name> -DomainType <Authoritative | InternalRelay>

This example configures the accepted domain named contoso.com as an internal relay domain.

Set-AcceptedDomain -Identity contoso.com -DomainType InternalRelay

For detailed syntax and parameter information, see Set-AcceptedDomain.


How do you know this worked?
To verify that you've successfully configured the domain type, do either of the following steps:
In the EAC at Mail flow > Accepted domains, click Refresh. In the list of accepted domains, verify the
domain type value of the accepted domain is configured correctly.
In Exchange Online PowerShell, run the command Get-AcceptedDomain. In the list of accepted domains,
verify the domain type value of the accepted domain is configured correctly.
Enable mail flow for subdomains in Exchange Online
3/4/2019 • 3 minutes to read

If you have a hybrid environment, with mailboxes hosted both in Exchange Online and on-premises Exchange, and
you have subdomains of the accepted domains that only exist in your on-premises environment, you can enable
email flow to and from these on-premises subdomains. For example, if you have an accepted domain called
Contoso.com, and you enable match subdomains, users can send email to, or receive email from all subdomains
of Contoso.com that exist in your on-premises environment, such as marketing.contoso.com and
nwregion.contoso.com. In Microsoft Forefront Online Protection for Exchange (FOPE), this feature was called
catch-all domains.

IMPORTANT
If you have a limited number of subdomains, and know all the subdomain names, we recommend setting up each
subdomain as an accepted domain by using the Office 365 admin center, rather than using the procedures in this topic. By
setting up each subdomain separately, you can have finer control over mail flow, and include unique mail flow rules (also
known as transport rules) for each subdomain. For more information about adding a domain in the Office 365 admin center,
see Add your domain to Office 365.
In order to enable match subdomains, an accepted domain must be set up as an internal relay domain. For information
about setting the domain type to internal relay, see Manage accepted domains in Exchange Online.
After you enable match subdomains, in order for the service to deliver mail for all subdomains to your organization's
email server (outside Office 365), you must also change the outbound connector. For instructions, see Use the
EAC to add the domain to your outbound connector.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Domains" entry in the Feature permissions in Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to set up match subdomains on a domain


1. In the EAC, go to Mail Flow > Accepted domains, and select the domain.
2. In the Details pane, verify that Internal Relay is selected.
3. Select Match subdomains for this domain for sending and receiving emails.

Use the EAC to add the domain to your outbound connector


1. In the EAC, go to Mail Flow > Connectors.
2. Under Outbound Connectors, select the connector for your organization's email server, and then select
Edit.
3. Select Scope, and then select one of the following:
Select Route all accepted domains through this connector.
In the Recipient domains section, select New. In the Add domain box, enter a wildcard domain entry
for the domain for which you enabled match subdomains. For example, if you enabled match subdomains
for contoso.com, enter *.contoso.com as a recipient domain.

NOTE
If you don't yet have an outbound connector, see Configure mail flow using connectors in Office 365.

Use Exchange Online PowerShell to set up match subdomains on a domain
To add match subdomains to a domain that is set up as an internal relay, use this syntax:

Set-AcceptedDomain -Identity <Domain Name> -MatchSubdomains $true

This example sets up match subdomains for the contoso.com domain.

Set-AcceptedDomain -Identity contoso.com -MatchSubdomains $true

For detailed syntax and parameter information, see Set-AcceptedDomain.


How do you know this worked?
To verify that you've successfully added match subdomains to a domain using Exchange Online PowerShell, run
the following command to verify the MatchSubdomains property value:

Get-AcceptedDomain | Format-List Name,MatchSubdomains


Remote domains in Exchange Online
3/4/2019 • 7 minutes to read

There are many reasons why you might want to control the types and the format of messages that your users
send from Exchange Online to recipients in external domains (domains that aren't configured as accepted domains
in Exchange Online). For example:
You don't want to let your users forward messages to recipients in other domains.
You work with an organization that you don't want to receive automatic messages from (for example, non-
delivery reports and out-of-office replies).
You have a business partner that's outside your organization, and you'd like that partner to receive the
same out-of-office replies as those received by people inside your organization.
Your users frequently send email to a company that supports limited email formats, and you'd like to make
sure all emails sent to that organization are sent in a format that they can read.
To accomplish this, you use what's called a remote domain. The remote domain settings override settings that
your users might configure in Outlook or Outlook on the web (formerly known as Outlook Web App), or that you
configure in the Exchange admin center (EAC) or Exchange Online PowerShell. For example, users might have an
out-of-office reply set up for people outside the organization, but if a sender from a remote domain sends mail to
them, and the remote domain is not set to receive out-of-office replies, no out-of-office reply is sent. To change the
settings, you can:
Create a remote domain for a specific domain, and set unique properties for emails sent to that domain.
Modify the settings for the default remote domain. If you have no other remote domains set up, changes to
the default remote domain apply to all external domains. If you have other remote domains set up, changes
to the default remote domain apply to all other external domains.
For instructions on how to create and configure remote domains, see Manage remote domains in Exchange
Online.

Reducing or increasing information flow to another company


When a message comes from outside your organization, there are several types of replies that are automatically
generated. Some types of replies are set up by users in Outlook or Outlook Web App, and others are set up by
admins. Because the remote domain settings override settings configured by users, as well as mail user and mail
contact settings configured by admins, you can choose which types of automatic replies are sent to everyone on a
remote domain.
If a remote domain configuration blocks a specific type of reply, like a non-delivery report, from being sent to
recipients in that domain, the reply is generated, but then it is deleted before it is sent. No error message is sent.
For example, if you turn off automatic forwarding on the default remote domain, when users try to automatically
forward email to another domain, they can change their settings or create the Inbox rule, but their messages won't
be forwarded.
The following table shows the types of replies you can control in a remote domain and the settings that each
remote domain setting overrides.
Each entry below lists the type of reply, its description, and the per-user settings that the remote domain
setting overrides.

Out-of-office messages
Description: Specify whether an out-of-office message should be sent to people on the remote domain, and if so,
which message to use. You can select either the reply that the user on your domain set up for people outside your
organization, or the one for people inside your organization. The default is to send the out-of-office reply for
people outside your organization.
Per-user settings that this remote domain setting overrides: This setting overrides out-of-office reply settings
specified by individual users in Outlook or Outlook on the web.

Automatic replies
Description: Allow or prevent automatic replies to senders on the remote domain. The default is to allow
automatic replies.
Per-user settings that this remote domain setting overrides: This setting overrides automatic replies set up by
admins using the Set-MailboxAutoReplyConfiguration cmdlet.

Automatic forwards
Description: Allow or prevent automatically forwarded messages to be sent to people on the remote domain. The
default is to allow automatic forwarding.
Per-user settings that this remote domain setting overrides: When users configure automatic forwarding to
recipients on a remote domain, the remote domain settings override users' automatic forwarding settings (messages
are blocked if automatic forwards are disabled for the remote domain). Users can configure automatic forwarding by
using these methods:
• Inbox rules in Outlook or Outlook on the web to forward messages. Learn more about Inbox rules in Outlook and
Outlook on the web.
• Forwarding options in Outlook on the web. For more information, see Forward email from Office 365 to another
email account.
Note: When admins use other methods to configure automatic forwarding for users, the forwarded messages aren't
affected by the remote domain settings (messages are forwarded to recipients on the remote domain even if
automatic forwards are disabled for the remote domain). For example:
• Mail forwarding for a user. For more information, see Configure email forwarding for a mailbox.
• Mail flow rules (also known as transport rules) to forward messages. For more information, see Mail flow rules
(transport rules) in Exchange Online.

Delivery reports
Description: Allow or prevent a delivery receipt to be sent to people on the remote domain. The default is to
allow sending delivery reports.
Per-user settings that this remote domain setting overrides: An email sender on the remote domain can request a
delivery receipt on a message. This remote domain setting can override the sender's request for a delivery receipt
and prevent the delivery receipt from being sent. For more information about requesting a delivery receipt, see
Add tracking to email messages.

Non-delivery report
Description: Allow or prevent non-delivery reports (also known as NDRs or bounce messages) to be sent to people
on the remote domain. The default is to allow sending non-delivery reports.
Per-user settings that this remote domain setting overrides: This remote domain setting is the only way to
prevent non-delivery reports from being sent when a message can't be delivered.

Meeting forward notifications
Description: Prevent or allow meeting forward notifications to be sent to people on the remote domain. The
default is to prevent sending meeting forward notifications.
Per-user settings that this remote domain setting overrides: Meeting forward notifications are automatically
created and sent to the meeting organizer when a meeting participant forwards a meeting. Typically, they are sent
to meeting organizers only on domains that are part of your Exchange Online organization. Admins can enable them
to be sent to meeting organizers on the remote domain.
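
The note under Automatic forwards means that disabling automatic forwards on a remote domain does not cover forwarding that admins configure on a mailbox or in a mail flow rule. The following added example (not part of the original documentation) lists such forwards whose destination falls under a remote domain with automatic forwards disabled, so they can be reviewed. The function names and sample data are constructed, and the matching order (exact name, then longest wildcard, then "*") is an assumption.

```powershell
# Added example (not from the original documentation).
# Resolve-RemoteDomain and Get-ForwardNotCoveredByRemoteDomain are hypothetical names.

function Resolve-RemoteDomain {
    # Picks the remote domain entry that applies to a destination domain.
    # Assumption: an exact name wins, then the longest "*.name" wildcard
    # (covering the name and its subdomains), then the default "*".
    param([string] $Destination, [object[]] $RemoteDomain)
    $d = $Destination.ToLowerInvariant()
    $best = $null
    $bestLen = -1
    foreach ($rd in $RemoteDomain) {
        $name = "$($rd.DomainName)".ToLowerInvariant()
        if ($name -eq $d) { return $rd }
        if ($name -eq '*') { $len = 0 }
        elseif ($name.StartsWith('*.') -and
                ($d -eq $name.Substring(2) -or $d.EndsWith($name.Substring(1)))) {
            $len = $name.Length
        }
        else { continue }
        if ($len -gt $bestLen) { $best = $rd; $bestLen = $len }
    }
    $best
}

function Get-ForwardNotCoveredByRemoteDomain {
    # Lists forwards to external domains where the applicable remote domain has
    # automatic forwards disabled. It cannot tell who configured a forward; the
    # output is a review list.
    param(
        [object[]] $Forward,          # objects with Source and Target properties
        [object[]] $RemoteDomain,     # from Get-RemoteDomain
        [string[]] $AcceptedDomain    # accepted domain names
    )
    foreach ($f in $Forward) {
        $target = "$($f.Target)" -replace '^smtp:', ''
        if ($target -notmatch '^[^@]+@(?<domain>[^@]+)$') { continue }
        $domain = $Matches.domain.ToLowerInvariant()
        if ($AcceptedDomain -contains $domain) { continue }   # internal destination
        $rd = Resolve-RemoteDomain -Destination $domain -RemoteDomain $RemoteDomain
        if ($null -ne $rd -and -not $rd.AutoForwardEnabled) {
            [pscustomobject]@{
                Source       = $f.Source
                Target       = $target
                RemoteDomain = "$($rd.DomainName)"
            }
        }
    }
}

# Constructed sample data. In a live Exchange Online PowerShell session:
#   $remoteDomains = Get-RemoteDomain
#   $accepted      = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
#   $forwards      = @(Get-Mailbox -ResultSize Unlimited | Where-Object ForwardingSmtpAddress |
#                      ForEach-Object { [pscustomobject]@{ Source = "Mailbox: $($_.Name)"
#                                                          Target = $_.ForwardingSmtpAddress } })
#   $forwards     += Get-TransportRule | ForEach-Object { $r = $_
#                      @($r.RedirectMessageTo) + @($r.BlindCopyTo) + @($r.CopyTo) | Where-Object { $_ } |
#                      ForEach-Object { [pscustomobject]@{ Source = "Rule: $($r.Name)"; Target = "$_" } } }
$remoteDomains = @(
    [pscustomobject]@{ Name = 'Default';  DomainName = '*';              AutoForwardEnabled = $false }
    [pscustomobject]@{ Name = 'Fabrikam'; DomainName = '*.fabrikam.com'; AutoForwardEnabled = $true }
)
$accepted = @('contoso.com')
$forwards = @(
    [pscustomobject]@{ Source = 'Mailbox: alice';      Target = 'smtp:alice.home@tailspintoys.com' }
    [pscustomobject]@{ Source = 'Mailbox: bob';        Target = 'smtp:bob@mail.fabrikam.com' }
    [pscustomobject]@{ Source = 'Rule: Copy invoices'; Target = 'ap@woodgrovebank.com' }
    [pscustomobject]@{ Source = 'Mailbox: carol';      Target = 'smtp:carol.archive@contoso.com' }
)

# With the sample data, the alice mailbox and the "Copy invoices" rule are listed.
Get-ForwardNotCoveredByRemoteDomain -Forward $forwards -RemoteDomain $remoteDomains `
    -AcceptedDomain $accepted | Format-Table -AutoSize
```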

Specifying message format


To make sure that email sent from your Exchange Online organization is compatible with the receiving messaging
system in the remote domain, you can specify the message format and character set to use for all email messages
sent to that remote domain. For example, if you know that the remote domain is not using Exchange, you can
specify to never use Rich Text Format (RTF). The following table describes the message format settings.

Each entry below lists the setting, its description, and the settings that it overrides.

Rich Text Format (RTF)
Description: Choose how to format messages:
• Always: Use this value if the remote domain uses Exchange.
• Never: If the remote domain does not use Exchange, use this value.
• Follow user settings: Use message format settings defined by the user. Use this value if you don't know what
email system the remote domain uses.
The default is to follow the user's settings.
Settings that this overrides: Message format can be defined in several places: Outlook or Outlook on the web, and
the admin can also use the Set-MailContact or Set-MailUser cmdlets to modify settings per recipient. Remote domain
settings override settings specified by a user or by the admin. For more information about the message formats and
the order of precedence of message format settings, see Message format and transmission in Exchange Online.

MIME character set and Non-MIME character set
Description:
• None: Use the character set specified in the message.
• Select a character set from the list: If the message does not have a character set, the selected character set
is used.
By default, no character sets are specified.
Settings that this overrides: These settings are used only if the message doesn't include a character set. For a
complete list of supported character sets, see Supported character sets for remote domains.

If you specify a particular message format for the remote domain, the format of the headers and message content
sent to the domain are modified.

Other settings
You can configure other message settings for remote domains by using Exchange Online PowerShell. For a
complete list of settings, see Set-RemoteDomain.
What else do I need to know?
You can set up a remote domain only for an external domain. A domain is defined as external if it isn't listed
on the Office 365 admin center > Domains page. For example, if fabrikam.com is one of your domains,
you can't create a remote domain for fabrikam.com.
You can't remove the default remote domain.
You can specify all subdomains when you create a remote domain.

See also
Manage remote domains in Exchange Online
Manage remote domains in Exchange Online
3/13/2019 • 6 minutes to read

Remote domains define settings based on the destination domain of each email message. All organizations have a
default remote domain named "Default" that's applied to the domain "*". The default remote domain applies the
same settings to all email messages regardless of the destination domain. However, you can configure specific
settings for a specific destination domain.
The following table shows the default values for common settings:

| SETTING | DEFAULT |
| --- | --- |
| Out of office replies | Send external out of office replies to people on the remote domain. |
| Automatic replies | Allow automatic replies or automatically forwarded messages to be sent to people on the remote domain. |
| Delivery and non-delivery reports | Allow delivery and non-delivery reports to be sent to people on the remote domain. |
| Meeting forward notifications | Don't allow meeting forward notifications to be sent to people on the remote domain. |
| Rich Text format (RTF) | Follow settings created by each user in Outlook or Outlook Web App when a message is sent to people on the remote domain. |
| Supported character set | Do not specify a MIME or non-MIME character set if the character set isn't specified in the message sent to the remote domain. |

For information about when to configure remote domains, descriptions of the available settings, and information
about how remote domain settings override per-user settings, see Remote domains in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Create and configure remote domains
Notes:
You can't configure a remote domain for any domain that's listed on the Office 365 admin center >
Domains page. For example, if fabrikam.com is one of your accepted domains, you can't create a remote
domain for fabrikam.com.
If you create a remote domain for a specific destination domain, and a setting for the specific remote
domain conflicts with the same setting in the default remote domain, the setting for the specific remote
domain overrides the setting in the default remote domain.
Once you've created a remote domain, you can't change or replace the domain inside the remote domain.
Instead, create and configure a new remote domain with the new domain name.
Use the EAC to create and configure a remote domain
1. In the EAC, go to Mail flow > Remote domains.
2. To create a new domain:
   a. Select New.
   b. In the Name box, enter a descriptive name for the domain.
   c. In the Remote Domain box, enter the full domain name. Use the wildcard character (*) for all subdomains
      of a specified domain, for example, *.contoso.com.
3. To change settings for the default domain, select Default, and then select Edit.
4. Select the options you want:
   • In the Out of Office reply types section, specify which type of out of office replies should be sent to
     people at this domain.
   • In the Automatic replies section, specify whether you want to allow automatic replies, automatic
     forwarding, or both.
   • In the Message reporting section, specify:
     • Whether you want to allow delivery reports and non-delivery reports.
     • If a meeting set up by someone on the remote domain is forwarded to another person in your organization,
       whether the notification message should go to the meeting organizer on the remote domain.
   • In the Use Rich-text format section, specify whether to follow each user's message settings, or whether to
     always or never preserve RTF formatting. Selecting Never means that RTF messages are sent as plain text
     or HTML.
   • In the Supported Character Set area, specify which character set to use if the message doesn't specify the
     character set.
5. Click Save. If you created a new remote domain, it is added to the list.
Use Exchange Online PowerShell to create and configure a remote domain
After you create the remote domain, you can configure the settings (you can't create the remote domain and
configure the settings in one step).
Step 1: Create the remote domain
To create a new remote domain, use the following syntax:
New-RemoteDomain -Name "<Unique Name>" -DomainName <single SMTP domain | domain with subdomains>

This example creates a remote domain for messages sent to the contoso.com domain.

New-RemoteDomain -Name Contoso -DomainName contoso.com

This example creates a remote domain for messages sent to the contoso.com domain and all its subdomains.

New-RemoteDomain -Name "Contoso and subdomains" -DomainName *.contoso.com

For detailed syntax and parameter information, see New-RemoteDomain.


Step 2: Configure the remote domain settings
To configure the settings for a remote domain, use the following syntax:

Set-RemoteDomain -Identity <Name> [-AllowedOOFType <External | InternalLegacy | ExternalLegacy | None>] [-AutoForwardEnabled <$true | $false>] [-AutoReplyEnabled <$true | $false>] [-CharacterSet <SupportedCharacterSet>] [-DeliveryReportEnabled <$true | $false>] [-NonMimeCharacterSet <SupportedCharacterSet>] [-TNEFEnabled <$true | $false>]

This example disables automatic replies, automatic forwarding, and out-of-office replies to recipients at all remote
domains that aren't specified with their own remote domain.

Set-RemoteDomain -Identity Default -AutoReplyEnabled $false -AutoForwardEnabled $false -AllowedOOFType None

This example sends internal out of office replies to users at the remote domain named Contoso.

Set-RemoteDomain -Identity Contoso -AllowedOOFType InternalLegacy

This example prevents delivery reports and non-delivery reports from being sent to users at Contoso.

Set-RemoteDomain -Identity Contoso -DeliveryReportEnabled $false -NDREnabled $false

This example sends all messages to Contoso using Transport Neutral Encapsulation Format (TNEF) encoding,
rather than MIME encoding. This preserves Rich Text format in messages.

Set-RemoteDomain -Identity Contoso -TNEFEnabled $true

This example sends all messages to Contoso using MIME encoding, which means that all RTF messages are
always converted to HTML or plain text.

Set-RemoteDomain -Identity Contoso -TNEFEnabled $false

This example uses the message format settings the user has defined in Outlook or Outlook Web App for encoding
messages.

Set-RemoteDomain -Identity Contoso -TNEFEnabled $null

This example uses the Korean (ISO) character set for MIME messages sent to Contoso.
Set-RemoteDomain -Identity Contoso -CharacterSet iso-2022-kr

This example specifies using the Unicode character set for non-MIME messages sent to Contoso.

Set-RemoteDomain -Identity Contoso -NonMimeCharacterSet utf-8

For detailed syntax and parameter information, see Set-RemoteDomain.


How do you know this worked?
To verify that you've successfully created and configured a remote domain, use either of the following steps:
In the EAC, go to Mail flow > Remote domains, select the remote domain, and then click Edit to verify
the settings.
In Exchange Online PowerShell, replace <Remote Domain Name> with the name of the remote domain
and run the following command to verify the settings:

Get-RemoteDomain -Identity "<Remote Domain Name>" | Format-List
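The following audit is an added example, not code from the original documentation. It works on remote domain objects that carry the property names set by the Set-RemoteDomain parameters above, picks the remote domain that applies to a recipient domain, and lists the settings that differ from a baseline. The function names, the baseline values (taken from the Default example above), and the precedence rule among specific remote domains (exact name, then longest wildcard suffix, then Default) are assumptions; the sample objects are constructed.

```powershell
# Constructed sample objects. In a live session use: $domains = Get-RemoteDomain
$domains = @(
    [pscustomobject]@{ Name = 'Default'; DomainName = '*'
        AutoForwardEnabled = $true; AutoReplyEnabled = $true; AllowedOOFType = 'External'
        DeliveryReportEnabled = $true; NDREnabled = $true }
    [pscustomobject]@{ Name = 'Contoso and subdomains'; DomainName = '*.contoso.com'
        AutoForwardEnabled = $false; AutoReplyEnabled = $false; AllowedOOFType = 'None'
        DeliveryReportEnabled = $false; NDREnabled = $false }
)

# Assumed baseline: the values used in the page's example for the Default remote domain.
$baseline = [ordered]@{
    AutoForwardEnabled = $false
    AutoReplyEnabled   = $false
    AllowedOOFType     = 'None'
}

function Get-EffectiveRemoteDomain {
    # Returns the remote domain whose DomainName best matches the recipient domain.
    # Assumed precedence: exact name, then longest "*.suffix" match, then "*" (Default).
    param(
        [Parameter(Mandatory)][string]$RecipientDomain,
        [Parameter(Mandatory)][object[]]$RemoteDomain
    )
    $target = $RecipientDomain.Trim().ToLowerInvariant()
    $ranked = foreach ($rd in $RemoteDomain) {
        $pattern = ([string]$rd.DomainName).ToLowerInvariant()
        if ($pattern -eq $target) {
            $rank = 1000 + $pattern.Length
        } elseif ($pattern -eq '*') {
            $rank = 0
        } elseif ($pattern.StartsWith('*.')) {
            # Per the page, *.contoso.com covers contoso.com and all its subdomains.
            $suffix = $pattern.Substring(2)
            if ($target -eq $suffix -or $target.EndsWith(".$suffix")) {
                $rank = $suffix.Length
            } else { continue }
        } else { continue }
        [pscustomobject]@{ Rank = $rank; Domain = $rd }
    }
    ($ranked | Sort-Object -Property Rank -Descending | Select-Object -First 1).Domain
}

function Compare-RemoteDomainToBaseline {
    # Lists every baseline setting whose value on the remote domain differs.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$RemoteDomain,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Baseline
    )
    process {
        $deviations = foreach ($key in $Baseline.Keys) {
            $actual = $RemoteDomain.$key
            if ("$actual" -ne "$($Baseline[$key])") {
                '{0}={1} (baseline {2})' -f $key, $actual, $Baseline[$key]
            }
        }
        [pscustomobject]@{
            Name       = $RemoteDomain.Name
            DomainName = $RemoteDomain.DomainName
            Deviations = @($deviations)
        }
    }
}

# Recipient domains to evaluate (constructed): two covered by the Contoso entry,
# one that falls through to Default.
$report = foreach ($recipient in 'contoso.com', 'mail.contoso.com', 'example.net') {
    $effective = Get-EffectiveRemoteDomain -RecipientDomain $recipient -RemoteDomain $domains
    $result = $effective | Compare-RemoteDomainToBaseline -Baseline $baseline
    [pscustomobject]@{
        Recipient           = $recipient
        AppliedRemoteDomain = $result.Name
        Deviations          = $result.Deviations -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```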

Remove remote domains


Notes:
You can't remove the default remote domain.
When you remove a remote domain, the default remote domain settings will then apply to messages sent
to that domain.
Removing a remote domain doesn't disable mail flow to the remote domain.
Use the EAC to remove a remote domain
1. In the EAC, go to Mail flow > Remote domains.
2. Select a remote domain, and then select Delete.
3. In the warning dialog box, select Yes.
Use Exchange Online PowerShell to remove a remote domain
To remove a remote domain, use the following syntax:

Remove-RemoteDomain -Identity <Remote Domain Name>

This example removes the remote domain named Contoso.

Remove-RemoteDomain -Identity Contoso

For detailed syntax and parameter information, see Remove-RemoteDomain.


How do you know this worked?
To verify that you've successfully removed a remote domain, do either of the following steps:
In the EAC, go to Mail flow > Remote domains and verify the remote domain isn't listed.
In Exchange Online PowerShell, run the following command and verify that the remote domain isn't listed:
Get-RemoteDomain
Supported character sets for remote domains in
Exchange Online
3/4/2019 • 2 minutes to read

Remote domains define settings based on the destination domain of each email message. All organizations have a
default remote domain named "Default" that's applied to the domain "*". The default remote domain applies the
same settings to all email messages regardless of the destination domain. However, you can configure specific
settings for a specific destination domain.
For more information about remote domains, see Remote domains in Exchange Online.
For remote domain procedures, see Manage remote domains in Exchange Online.
The following table describes the character sets that you can configure in remote domains.
In the Exchange admin center (EAC), go to Mail flow > Remote domains. Click New to create a new
remote domain or select the existing remote domain and click Edit. In the settings window that opens,
use the MIME character set and Non-MIME character set drop-down lists to select the character set.
In Exchange Online PowerShell, use the value in the Name column in the following table for the
CharacterSet parameter or NonMimeCharacterSet parameter on the Set-RemoteDomain cmdlet.

NAME DESCRIPTION

big5 Chinese Traditional (Big5)

DIN_66003 German (IA5)

euc-jp Japanese (EUC)

euc-kr Korean (EUC)

GB18030 Chinese Simplified (GB18030)

gb2312 Chinese Simplified (GB2312)

hz-gb-2312 Chinese Simplified (HZ)

iso-2022-jp Japanese (JIS)

iso-2022-kr Korean (ISO)

iso-8859-1 Western European (ISO)

iso-8859-2 Central European (ISO)

iso-8859-3 Latin 3 (ISO)

iso-8859-4 Baltic (ISO)



iso-8859-5 Cyrillic (ISO)

iso-8859-6 Arabic (ISO)

iso-8859-7 Greek (ISO)

iso-8859-8 Hebrew (ISO)

iso-8859-9 Turkish (ISO)

iso-8859-13 Estonian (ISO)

iso-8859-15 Latin 9 (ISO)

koi8-r Cyrillic (KOI8-R)

koi8-u Cyrillic (KOI8-U)

ks_c_5601-1987 Korean (Windows)

NS_4551-1 Norwegian (IA5)

SEN_850200_B Swedish (IA5)

shift_jis Japanese (Shift-JIS)

utf-8 Unicode (UTF-8)

windows-1250 Central European (Windows)

windows-1251 Cyrillic (Windows)

windows-1252 Western European (Windows)

windows-1253 Greek (Windows)

windows-1254 Turkish (Windows)

windows-1255 Hebrew (Windows)

windows-1256 Arabic (Windows)

windows-1257 Baltic (Windows)

windows-1258 Vietnamese (Windows)

windows-874 Thai (Windows)


Message format and transmission in Exchange Online
3/29/2019 • 5 minutes to read

There are settings in Outlook, Outlook on the web, and Exchange Online that control the format of email
messages and how they are sent to people on other domains. The default settings work in most cases. If specific
recipients have trouble reading messages sent from your organization, you can adjust the settings for individual
users, or for all users on a specific domain. For example, you can prevent recipients from receiving a winmail.dat
attachment.
There are two types of settings you can use:
Message format: When a user creates a message, they can choose the message format in which to author
the message. In Outlook, they have a choice between plain text, HTML, and rich-text format. In Outlook
Web App they have a choice between plain text and HTML.
Message transmission: This means how the message is actually sent to the other email system. Exchange
can send messages to other domains by using Multipurpose Internet Mail Extensions (MIME) or Transport
Neutral Encapsulation Format (TNEF). All three message formats can be sent using TNEF. Only HTML and
plain text can be sent using MIME. Message transmission format can be set by an admin per domain or per
recipient, and users can also specify message transmission format.

Message formats
The following list describes the three message formats available in Exchange Online, and shows which ones are
available in Outlook and Outlook Web App:

| FORMAT | DESCRIPTION | AVAILABLE IN OUTLOOK | AVAILABLE IN OUTLOOK ON THE WEB |
| --- | --- | --- | --- |
| Plain text | A plain text message uses only US-ASCII text as described in RFC 2822. The message can't contain different fonts or other text formatting. | Yes | Yes |
| HTML | An HTML message supports text formatting, background images, tables, bullet points, and other graphical elements. | Yes | Yes |
| Rich text format (RTF) | RTF supports text formatting and other graphical elements. Only Outlook, Outlook Web App, and a few other MAPI email clients understand RTF messages. | Yes | Can read messages formatted in RTF, but can't format or send this format |

Message transmission formats for mail sent to external recipients


The following table describes the message transmission formats that Exchange Online uses to send email
messages to external recipients.

| TRANSMISSION FORMAT | DESCRIPTION |
| --- | --- |
| Transport Neutral Encapsulation Format (TNEF) | TNEF is a Microsoft-specific format for transmitting formatted email messages. A TNEF message contains a plain text version of the message and an attachment that packages the original formatted version of the message. Typically, this attachment is named Winmail.dat. The Winmail.dat attachment includes formatting, attachments, and Outlook-specific features such as meeting requests. An email client that fully understands TNEF, such as Outlook, processes the Winmail.dat attachment and displays the original message content without ever displaying the Winmail.dat attachment. An email client that doesn't understand TNEF may present a TNEF message in any of the following ways: • The plain text version of the message is displayed, and the message contains an attachment named Winmail.dat, Win.dat, or some other generic name such as Att_nnnnn_.dat or Att_nnnnn_.eml where the nnnnn placeholder represents a random number. • The plain text version of the message is displayed. The TNEF attachment is ignored or removed. The result is a plain text message. There are third-party utilities that can help convert Winmail.dat attachments. |
| Multipurpose Internet Mail Extensions (MIME) | MIME is an internet standard that supports text in character sets other than ASCII, non-text attachments, message bodies with multiple parts, and header information in non-ASCII character sets. |

Message format and transmission settings


Admins and users can control message formatting and transmission. Admin settings override user settings.
Admins can control the following settings:
Remote domain settings: Remote domain settings control the format of messages sent to people on the
remote domain. You can control the format for a specific external domain, or for all external domains. For
more information about remote domains, see Remote domains in Exchange Online. The remote domain
settings override the per-user settings set by admins or users.
Mail user and mail contact settings: You can change settings for individual recipients by changing
settings for specific mail users or mail contacts. Mail users and mail contacts are similar because both have
external email addresses and contain information about people outside the Exchange Online organization.
The main difference is mail users have user IDs that can be used to sign in to the Exchange Online
organization. When an admin changes a per-recipient setting, it overrides settings that a user sets for that
recipient. For more information about the admin settings, see Manage mail users and Manage mail
contacts.
Users can control the following settings:
Outlook settings: In Outlook, you can set the message formatting and encoding options described in the
following list:
Message format: You can set the default message format for all messages. You can override the
default message format as you compose a specific message.
Internet message format: You can control whether TNEF messages are sent to remote recipients
or whether they are first converted to a more compatible format. You can also specify various
message encoding options for messages sent to remote recipients. These settings don't apply to
messages sent to recipients in the Exchange Online organization.
Internet recipient message format: You can control whether TNEF messages are sent to specific
recipients or whether they are first converted to a more compatible format. You can set the options
for specific contacts in your Contacts folder, and you can override these options for a specific
recipient in the To, Cc, or Bcc fields as you compose a message. These options aren't available for
recipients in the Exchange Online organization.
Internet recipient message encoding options: You can control the MIME or plain text encoding
options for specific contacts in your Contacts folder, and you can override these options for a specific
recipient in the To, Cc, or Bcc fields as you compose a message. These options aren't available for
recipients in the Exchange Online organization.
International options: You can control the character sets used in messages.
For more information about Outlook settings, see Change the message format in Outlook.
Outlook Web App/Outlook on the web settings: You can set the message formatting options described
in the following list:
Message format: You can set the default message format for all messages. You can override the
default message format as you compose a specific message.
For more information on Outlook Web App settings, see Create and respond to messages in
Outlook Web App.
Configure the external postmaster address in
Exchange Online
3/4/2019 • 2 minutes to read

The external postmaster address is used as the sender for system-generated messages and notifications sent to
message senders that exist outside your Microsoft Exchange Online organization. An external sender is any sender
that has an email address in a domain that isn't configured as an accepted domain in your organization.
By default, the value of the external postmaster address setting is blank. This default value sets the external
postmaster address to the value postmaster@<Default accepted domain> for your organization.
There's no mailbox associated with the postmaster@<Default accepted domain> email address.

What do you need to know before you begin?


Estimated time to complete: 15 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mail flow" entry in the Feature permissions in Exchange Online topic.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Use Exchange Online PowerShell to configure the external postmaster address
To configure the external postmaster address, use the following syntax:

Set-TransportConfig -ExternalPostmasterAddress <EmailAddress>

This example sets the external postmaster address to the value postmaster@contoso.com.

Set-TransportConfig -ExternalPostmasterAddress postmaster@contoso.com

This example returns the external postmaster address to the default value.

Set-TransportConfig -ExternalPostmasterAddress $null

How do you know this worked?


To verify that you have successfully configured the external postmaster address, do the following:
1. Run the following command to verify the property value:

Get-TransportConfig | Format-List ExternalPostmasterAddress

A blank value indicates the default value postmaster@<Default accepted domain>.


2. From an external email account, send a message to your Exchange organization that will generate a non-
delivery report (also known as an NDR or bounce message). For example, you can configure a mail flow
rule (also known as a transport rule) to send an NDR for a message from that sender that contains specific
keywords. Verify that the sender's email address in the DSN matches the external postmaster address you
specified.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
Manage all mailboxes and mail flow using Office 365
3/4/2019 • 2 minutes to read

Summary: How to use hosted mail flow with Office 365.


For most organizations, we recommend using hosted mail flow because it's the simplest configuration, in which
Office 365 manages all mailboxes and filtering. This simple configuration makes it easy to set up and manage mail
flow.

Manage all mailboxes and mail flow using Office 365 (recommended).
Hosted mail flow scenarios
I'm a new Office 365 customer, and all my users' mailboxes are in Office 365. I want to use all filtering
solutions that Office 365 offers.
I'm a new Office 365 customer. I have an existing email service, but I plan to immediately move all existing
mailboxes to the cloud. I want to use all filtering solutions that Office 365 offers.
For this scenario, your organization's mail flow setup looks like the following diagram:

Best practices for hosted mail flow scenarios


To set up hosted mail flow, we recommend using the Office 365 setup wizard. To get to the Office 365 setup
wizard, go to Setup in the Office 365 admin center.
The Office 365 setup wizard walks you through the following steps.
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.)
The following DNS records control mail flow:
MX record - Point your MX record to Office 365 in the following format:
<domainKey>.mail.protection.outlook.com.
For example, the domain contoso.com should have the MX record contoso-com.mail.protection.outlook.com.
SPF record - This is a special TXT record in DNS that identifies a service as a valid sender for a particular
domain. Because Office 365 is sending all your messages, list only Office 365 as a valid sender for your
domain. To do that, add an SPF record for your domain in the following format:

v=spf1 include:spf.protection.outlook.com -all

For a full list of setup instructions, check out Set up Office 365 for business or Deploy Office 365 Enterprise for
your organization.

See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow using a third-party cloud service
with Exchange Online
3/22/2019 • 2 minutes to read

This topic covers the following complex mail flow scenarios using Exchange Online:
Scenario 1 - MX record points to third-party spam filtering
Scenario 2 - MX record points to third-party solution without spam filtering

NOTE
Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso mail server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.

Using a third-party cloud service with Office 365


Scenario 1 - MX record points to third-party spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. My organization uses a third-party cloud
service for spam, malware, and phish filtering. All email from the internet must first be filtered by this third-party
cloud service before being routed to Office 365.
For this scenario, your organization's mail flow setup looks like the following diagram:

Best practices for using a third-party cloud filtering service with Office 365
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Your domain's MX record must point to your third-party service provider. Follow their
guidelines for how to configure your MX record.
SPF record: All mail sent from your domain to the internet originates in Office 365, so your SPF
record requires the standard value for Office 365:

v=spf1 include:spf.protection.outlook.com -all

You would only need to include the third-party service in your SPF record if your organization sends
outbound internet email through the service (where the third-party service would be a source for
email from your domain).
Scenario 2 (unsupported) - MX record points to third-party solution without spam filtering
I plan to use Exchange Online to host all my organization's mailboxes. All email that's sent to my domain from the
internet must first flow through a third-party archiving or auditing service before arriving in Exchange Online. All
outbound email that's sent from my Exchange Online organization to the internet must also flow through the
service. However, the service doesn't provide a spam filtering solution.
We don't recommend or support this scenario because the inbound mail flow through the service causes Office
365 spam and phish filtering to not work properly (mail from all internet senders appears to originate from the
third-party service, not the true email source on the internet). If you choose this scenario, your organization's mail
flow setup looks like the following diagram:

Best practices for using a third-party cloud service with Office 365
Don't use this scenario because it isn't currently supported. We recommend that you use the archiving and
auditing solutions that are provided by Office 365.

See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Set up connectors for secure mail flow with a partner organization
Manage all mailboxes and mail flow using Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-premises Exchange)
Manage mail flow using a third-party cloud service with Exchange Online and on-premises mailboxes
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow with mailboxes in multiple
locations (Exchange Online and on-premises)
3/4/2019 • 11 minutes to read

Summary: How to manage mail flow in an Exchange hybrid environment, which is when some mailboxes are on-
premises and some are in Office 365.
This topic covers the following complex mail flow scenarios using Office 365:
Scenario 1: MX record points to Office 365 and Office 365 filters all messages
Scenario 2: MX record points to Office 365 and mail is filtered on-premises
Scenario 3: MX record points to my on-premises servers
Scenario 4: MX record points to my on-premises server, which filters and provides compliance solutions for
your messages. Your on-premises server needs to relay messages to the internet through Office 365.

NOTE
Examples in this topic use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso email server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.

Manage mail flow where some mailboxes are in Office 365 and some
mailboxes are on your organization's email servers
Scenario 1: MX record points to Office 365 and Office 365 filters all messages
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use Office 365 as my spam filtering solution and want to send my
messages from my on-premises server to the internet by using Office 365. Office 365 sends and receives all
messages.
Most customers who need a hybrid mail flow setup should allow Office 365 to perform all their filtering and
routing. We recommend that you point your MX record to Office 365 because this provides for the most accurate
spam filtering. For this scenario, your organization's mail flow setup looks like the following diagram.
Best practices
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com
For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.
SPF record: This should list Office 365 as a valid sender, plus any IP addresses from your on-premises
servers that connect to EOP, and any third parties that send email on behalf of your organization. For
example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record
for contoso.com should be:

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

Alternatively, depending on the third party's requirements, you might need to include the domain from the third
party, as shown in the following example:

```
v=spf1 include:spf.protection.outlook.com include:third_party_cloud_service.com -all
```

4. In the Exchange admin center, use the connector wizard to Configure mail flow using connectors in Office 365
for the following scenarios:
Sending messages from Office 365 to your organization's email servers
Sending messages from your on-premises servers to Office 365
If either of the following scenarios applies to your organization, you must create a connector to support
sending mail from your on-premises servers to Office 365.
Your organization is authorized to send messages on behalf of your client, but your organization doesn't
own the domain. For example, contoso.com is authorized to send email through fabrikam.com, which
doesn't belong to contoso.com.
Your organization relays non-delivery reports (also known as NDRs or bounce messages) to the internet
through Office 365.
To create the connector, choose the first option in the connector creation wizard on the How should Office
365 identify email for your email server screen.

This enables Office 365 to identify your email server by using the certificate. In this scenario, the certificate
CN or Subject Alternative Name (SAN) contains the domain that belongs to your organization. For more
details, see Identifying email from your email server. For connector configuration details, see Part 2:
Configure mail to flow from your email server to Office 365.
5. You don't need connectors in the following scenarios unless one of your partners has a special requirement,
such as enforcing TLS with a bank.
Sending mail from Office 365 to a partner organization
Sending mail from a partner organization to Office 365

NOTE
If your organization uses Exchange 2010 or later, we recommend that you use the Hybrid Configuration Wizard to
configure connectors in Office 365 as well as on your on-premises Exchange servers. For this scenario, your domain's MX
record can't point to your organization's email server.

Scenario 2: MX record points to Office 365 and mail is filtered on-premises


I'm migrating my mailboxes to Exchange Online and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use the filtering and compliance solutions that are already in my
on-premises environment. All messages that come from the internet to my cloud mailboxes, or messages sent
to the internet from my cloud mailboxes, must route through my on-premises servers.
If you have business or regulatory reasons for filtering mail in your on-premises environment, we recommend
pointing your domain's MX record to Office 365 and enabling centralized mail transport. This setup provides
optimal spam filtering and protects your organization's IP addresses. For this scenario, your organization's mail
flow setup looks like the following diagram.

Best practices
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or Move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to Office 365 in the following format: <domainKey>-com.mail.protection.outlook.com
For example, if your domain is contoso.com, the MX record should be: contoso-com.mail.protection.outlook.com.
SPF record: This should list Office 365 as a valid sender, plus any IP addresses from your on-premises
servers that connect to EOP, and any third parties that send email on behalf of your organization. For
example, if your organization's email server's internet-facing IP address is 131.107.21.231, the SPF record
for contoso.com should be:

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. Use Centralized Mail Transport (CMT) for on-premises compliance solutions.


Mail that comes from the internet to a mailbox in Exchange Online first gets sent to your on-premises
server and then comes back to Exchange Online to be delivered to the mailbox. Line 1 represents this path
in the scenario 2 diagram.
Mail that comes from Exchange Online and is destined for the internet is first sent to your on-premises
servers, then comes back to Exchange Online, and is then delivered to the internet. Line 4 represents this
path in the scenario 2 diagram.
To achieve this configuration, create connectors via the Hybrid Configuration Wizard or via cmdlets, and
enable CMT. For details about CMT, see Transport Options in Exchange Hybrid Deployments.
You don't need connectors in the following scenarios unless one of your partners has special requirements, such
as enforcing TLS with a bank.
Sending mail from Office 365 to a partner organization
Sending mail from a partner organization to Office 365
Scenario 3: MX record points to my on-premises servers
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use the filtering and compliance solutions that are already in my
on-premises email environment. All messages that come from the internet to my cloud mailboxes, or messages
sent to the internet from cloud mailboxes, must route through my on-premises servers. I need to point my
domain's MX record to my on-premises server.
As an alternative to Scenario 2, you can point your domain's MX record to your organization's email server instead
of to Office 365. Some organizations have a business or regulatory need for this setup, but filtering typically
works better if you use Scenario 2.
For this scenario, your organization's mail flow setup looks like the following diagram.
Best practices
If the MX record for your domain needs to point to your on-premises IP address, use the following best practices:
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
SPF record: This should list Office 365 as a valid sender. It should also include any IP addresses from your
on-premises servers that connect to EOP and any third parties that send email on behalf of your
organization. For example, if your organization's email server's internet-facing IP address is 131.107.21.231,
the SPF record for contoso.com should be:

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. Because you're not relaying messages from your on-premises servers to the internet through Office 365, you
don't technically need to create connectors for the following scenarios. But if at some point you change your
MX record to point to Office 365, you'll need to create connectors; therefore, it's best to do it up front. In the
Exchange admin center, use the connector wizard to Part 2: Configure mail to flow from your email server to
Office 365 for the following scenarios, or use the Hybrid Configuration Wizard to create connectors:
Sending mail from Office 365 to your organization's email servers
Sending mail from your on-premises servers to Office 365
5. To make sure that messages are sent to your organization's on-premises servers through MX, go to Example
security restrictions you can apply to email sent from a partner organization, and follow "Example 3: Require
that all email from your partner organization domain ContosoBank.com is sent from a specific IP address
range."
Scenario 4: MX record points to my on-premises server, which filters and provides compliance solutions for
your messages. Your on-premises server needs to relay messages to the internet through Office 365.
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's
email server (on-premises server). I want to use the filtering and compliance solutions that are already in my
on-premises email environment. All messages sent from my on-premises servers must relay through Office
365 to the internet. I need to point my domain's MX record to my on-premises server.
For this scenario, your organization's mail flow setup looks like the following diagram.

Best practices
If the MX record for your domain needs to point to your on-premises IP address, use the following best practices:
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to your on-premises server in the following format: mail.<domainKey>.com
For example, if your domain is contoso.com, the MX record should be: mail.contoso.com.
SPF record: This should list Office 365 as a valid sender. It should also include any IP addresses from your
on-premises servers that connect to EOP and any third parties that send email on behalf of your
organization. For example, if your organization's email server's internet-facing IP address is
131.107.21.231, the SPF record for contoso.com should be:

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

4. In the Exchange admin center, use the connector wizard to Configure mail flow using connectors in Office 365
for the following scenarios:
Sending mail from Office 365 to your organization's email servers
Sending mail from your on-premises servers to Office 365
You need to create a connector to support the scenario "Sending mail from your on-premises servers to
Office 365" if any of the following scenarios apply to your organization:
Your organization is authorized to send mail on behalf of your client, but your organization doesn't own the
domain. For example, contoso.com is authorized to send email through fabrikam.com, which doesn't belong
to contoso.com.
Your organization relays non-delivery reports (NDRs) to the internet through Office 365.
The MX record for your domain, contoso.com, points to your on-premises server, and users in your
organization automatically forward messages to email addresses outside your organization. For example,
kate@contoso.com has forwarding enabled, and all messages go to kate@tailspintoys.com. If
john@fabrikam.com sends a message to kate@contoso.com, by the time the message arrives at Office 365
the sender domain is fabrikam.com and the recipient domain is tailspintoys.com. Neither the sender domain
nor recipient domain belongs to your organization.
To create the connector, choose the first option in the connector creation wizard on the How should Office
365 identify email for your email server screen.
This allows Office 365 to identify your email server by using the certificate. In this scenario, the certificate
CN or Subject Alternative Name (SAN) contains the domain that belongs to your organization. For more
details, see Identifying email from your email server. For connector configuration details, see Part 2:
Configure mail to flow from your email server to Office 365.
5. Set up connectors for secure mail flow with a partner organization to make sure that messages are sent to your
organization's on-premises servers via MX.

See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage all mailboxes and mail flow using Office 365
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow using a third-party cloud service with mailboxes on Office 365 and on-prem
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
Manage mail flow using a third-party cloud service
with Exchange Online and on-premises mailboxes
3/4/2019 • 2 minutes to read

This topic covers the most complex mail flow scenario using Office 365.

NOTE
Examples in this guide use the fictitious organization, Contoso, which owns the domain contoso.com. The IP address of the
Contoso mail server is 131.107.21.231, and its third-party provider uses 10.10.10.1 for their IP address. These are just
examples. You can adapt these examples to fit your organization's domain name and public-facing IP address where
necessary.

Using a third-party cloud service with mailboxes in Exchange Online and on my organization's email servers
Scenario
I'm migrating my mailboxes to Exchange Online, and I want to keep some mailboxes on my organization's on-
premises email server. I want to use a third-party cloud service to filter spam from the internet. My messages
to the internet must route through Office 365 to prevent my on-premises servers' IP addresses from being
added to external block lists.
In this scenario, your organization's mail flow setup looks like the following diagram.
Best practices
1. Add your custom domains in Office 365. To prove that you own the domains, follow the instructions in Add
users and domains.
2. Create user mailboxes in Exchange Online or move all users' mailboxes to Office 365.
3. Update the DNS records for the domains that you added in step 1. (Not sure how to do this? Follow the
instructions on this page.) The following DNS records control mail flow:
MX record: Point your MX record to your third-party service. Follow their guidelines for configuring your
MX record.
SPF record: Because your domain's MX record must point to a third-party service (in other words, you
require complex routing), include the third-party service in your SPF record. Follow the third-party
provider's guidelines for adding them to your SPF record. Also add Office 365 and the IP addresses of your
on-premises servers as valid senders. For example, if contoso.com is your domain name, the third-party
cloud service IP address is 10.10.10.1, and your on-premises server IP address is 131.107.21.231, the SPF
record for contoso.com should be:

v=spf1 ip4:10.10.10.1 ip4:131.107.21.231 include:spf.protection.outlook.com -all

Alternatively, depending on the third-party's requirements, you might need to include the domain from the third-
party, as shown in the following example:

v=spf1 ip4:131.107.21.231 include:spf.protection.outlook.com include:third_party_cloud_service.com -all


More information
There are additional considerations in hybrid deployments between on-premises Exchange and Office 365. For
more information, see Exchange Server hybrid deployments.

See also
Mail flow best practices for Exchange Online and Office 365 (overview)
Manage all mailboxes and mail flow using Office 365
Manage mail flow using a third-party cloud service with Office 365
Manage mail flow with mailboxes in multiple locations (Office 365 and on-prem)
Troubleshoot Office 365 mail flow
Test mail flow by validating your Office 365 connectors
How to set up a multifunction device or application
to send email using Office 365
3/28/2019 • 16 minutes to read

Prerequisites: Office 365 Subscription, Exchange Online Plan


This article explains how you can send email from devices and business applications when all of your mailboxes
are in Office 365. For example:
You have a scanner, and you want to email scanned documents to yourself or someone else.
You have a line-of-business (LOB) application that manages appointments, and you want to email
reminders to clients of their appointment time.

NOTE
Beginning September 1st, 2018, Office 365 is slowly rolling out changes to SMTP client submission (also known as SMTP
Authenticated Submission), which may affect your devices and your applications that send emails. For more information, see
the KB article Improvements to the SMTP Authenticated Submission client protocol.

Option 1 (recommended): Authenticate your device or application directly with an Office 365 mailbox, and send mail using SMTP client submission
This option supports most usage scenarios and it's the easiest to set up. Choose this option when:
You want to send email from a third-party hosted application, service, or device.
You want to send email to people inside and outside your organization.
To configure your device or application, connect directly to Office 365 using the SMTP client submission endpoint
smtp.office365.com.
Each device/application must be able to authenticate with Office 365. The email address of the account that's used
to authenticate with Office 365 will appear as the sender of messages from the device/application.
How to set up SMTP client submission
Enter the following settings directly on your device or in the application as their guide instructs (it might use
different terminology than this article). As long as your scenario meets the requirements for SMTP client
submission, the following settings will enable you to send email from your device or application.

| DEVICE OR APPLICATION SETTING | VALUE |
|---|---|
| Server/smart host | smtp.office365.com |
| Port | Port 587 (recommended) or port 25 |
| TLS/StartTLS | Enabled |
| Username/email address and password | Enter the sign in credentials of the hosted mailbox being used |

For more information, expand the following sections.
TLS and other encryption options
Determine what version of TLS your device supports by checking the device guide or with the vendor. If your
device or application does not support TLS 1.2 or above:
Use direct send (Option 2) or Office 365 SMTP relay (Option 3) for sending mail instead (depending on
your requirements).
If it is essential to use SMTP client submission and your printer only supports SSL 3.0, you can set up an
alternative configuration called Indirect SMTP client submission. This uses a local SMTP relay server to
connect to Office 365. This is a much more complex setup. Instructions can be found here: How to configure
IIS for relay with Office 365.

NOTE
If your device recommends or defaults to port 465, it does not support SMTP client submission.

How SMTP client submission works


The following diagram gives you a conceptual overview of what your environment will look like.

Features of SMTP client submission


SMTP client submission allows you to send email to people in your organization as well as outside your
company.
This method bypasses most spam checks for email sent to people in your organization. This can help
protect your company IP addresses from being blocked by a spam list.
With this method, you can send email from any location or IP address, including your (on-premises)
organization's network, or a third-party cloud hosting service, like Microsoft Azure.
Requirements for SMTP client submission
Authentication: You must be able to configure a user name and password to send email on the device.
Mailbox: You must have a licensed Office 365 mailbox to send email from.
Transport Layer Security (TLS): Your device must be able to use TLS version 1.2 and above.
Port: Port 587 (recommended) or port 25 is required and must be unblocked on your network. Some
network firewalls or ISPs block ports—especially port 25.

NOTE
For information about TLS, see How Exchange Online uses TLS to secure email connections in Office 365 and for detailed
technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for
Exchange Online.

Limitations of SMTP client submission


You can only send from one email address unless your device can store login credentials for multiple Office 365
mailboxes. Office 365 imposes a limit of 30 messages sent per minute, and a limit of 10,000 recipients per day.
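
An application-side sender for Option 1, added here as an example (it is not code from this article or from Microsoft): it uses the endpoint and port from the settings table, refuses TLS below 1.2, and holds a message back when the 30-messages-per-minute or 10,000-recipients-per-day limit would be exceeded. The function and class names are hypothetical, and treating "per day" as a rolling 24 hours is an assumption.

```python
import smtplib
import ssl
import time
from collections import deque
from email.message import EmailMessage
from email.utils import getaddresses

SMTP_HOST = "smtp.office365.com"  # SMTP client submission endpoint (settings table)
SMTP_PORT = 587                   # recommended port; STARTTLS is negotiated on it
MAX_PER_MINUTE = 30               # messages per minute (limit stated above)
MAX_RECIPIENTS_PER_DAY = 10_000   # recipients per day (limit stated above)
DAY = 86_400                      # assumption: "per day" treated as a rolling 24 hours


def tls12_context():
    """Certificate-verifying TLS context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(mailbox, recipients, subject, body):
    """From is the authenticated mailbox, which is what recipients see as the sender."""
    msg = EmailMessage()
    msg["From"] = mailbox
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def count_recipients(msg):
    """Count every address in the To, Cc and Bcc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len(getaddresses(headers))


class SubmissionBudget:
    """Client-side guard for the per-minute message and per-day recipient limits."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sent = deque()  # (timestamp, recipient_count) for each submitted message

    def seconds_until_allowed(self, recipient_count):
        """0.0 if a message with this many recipients fits now, else the wait in seconds."""
        if recipient_count > MAX_RECIPIENTS_PER_DAY:
            raise ValueError("one message exceeds the daily recipient limit")
        now = self._clock()
        while self._sent and now - self._sent[0][0] >= DAY:
            self._sent.popleft()  # forget sends that left the 24-hour window
        wait = 0.0
        excess = sum(n for _, n in self._sent) + recipient_count - MAX_RECIPIENTS_PER_DAY
        freed = 0
        for ts, n in self._sent:  # oldest first: wait until enough recipients age out
            if freed >= excess:
                break
            freed += n
            wait = ts + DAY - now
        recent = [ts for ts, _ in self._sent if now - ts < 60]
        if len(recent) >= MAX_PER_MINUTE:
            wait = max(wait, recent[len(recent) - MAX_PER_MINUTE] + 60 - now)
        return wait

    def record(self, recipient_count):
        self._sent.append((self._clock(), recipient_count))


def submit(msg, mailbox, password, budget, sleep=time.sleep):
    """Send one message via SMTP client submission; the caller supplies the credentials."""
    n = count_recipients(msg)
    wait = budget.seconds_until_allowed(n)
    if wait > 0:
        sleep(wait)
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.starttls(context=tls12_context())  # raises if STARTTLS is not offered
        smtp.login(mailbox, password)
        smtp.send_message(msg)
    budget.record(n)
```

Load the mailbox password from a secret store or environment variable at call time rather than embedding it in the application.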

Option 2: Send mail directly from your printer or application to Office 365 (direct send)
Choose this option when:
SMTP client submission (Option 1) is not compatible with your business needs or with your device. For
example, your device or application does not meet the requirements of SMTP client submission, such as
TLS support.
You only need to send messages to recipients in your own organization who have mailboxes in Office 365;
you don't need to send email to people outside of your organization.
Other scenarios when direct send may be your best choice:
You want your device or application to send from each user's email address and do not want each user's
mailbox credentials configured to use SMTP client submission. Direct send allows each user in your
organization to send email using their own address.
Avoid using a single mailbox with Send As permissions for all your users. This method is not supported
because of complexity and potential issues.
You want to send bulk email or newsletters. Office 365 does not allow you to do this via SMTP client
submission. Direct send allows you to send a high volume of messages.
Note that there is a risk of your email being marked as spam by Office 365. You might want to enlist the
help of a bulk email provider to assist you. For example, they'll help you adhere to best practices, and can
help ensure that your domains and IP addresses are not blocked by others on the internet.
Settings for direct send
Enter the following settings on the device or in the application directly.

| DEVICE OR APPLICATION SETTING | VALUE |
|---|---|
| Server/smart host | Your MX endpoint, for example, contoso-com.mail.protection.outlook.com |
| Port | Port 25 |
| TLS/StartTLS | Enabled |
| Email address | Any email address for one of your Office 365 accepted domains. This email address does not need to have a mailbox. |

We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static
IP address, add it to your SPF record in your domain registrar's DNS settings as follows:

| DNS ENTRY | VALUE |
|---|---|
| SPF | v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all |

Step-by-step instructions for direct send


1. If your device or application can send from a static public IP address, obtain this IP address and make a
note of it. You can share your static IP address with other devices and users, but don't share the IP address
with anyone outside of your company. Your device or application can send from a dynamic or shared IP
address but messages are more prone to antispam filtering.
2. Sign in to Office 365.
3. Make sure your domain, such as contoso.com, is selected. Click Manage DNS, and find the MX record. The
MX record will have a POINTS TO ADDRESS value that looks similar to cohowineinc-
com.mail.protection.outlook.com, as depicted in the following screenshot. Make a note of the MX record
POINTS TO ADDRESS value, which we refer to as your MX endpoint.

4. Go back to the device, and in the settings, under what would normally be called Server or Smart Host,
enter the MX record POINTS TO ADDRESS value you recorded in step 3.
5. Now that you are done configuring your device settings, go to your domain registrar's website to update
your DNS records. Edit your sender policy framework (SPF) record. In the entry, include the IP address that
you noted in step 1. The finished string looks similar to this:
v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all

where 10.5.3.2 is your public IP address.

NOTE
Skipping this step might cause email to be sent to recipients' junk mail folders.

6. To test the configuration, send a test email from your device or application, and confirm that the recipient
received it.
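
A pre-publication check for the SPF records shown in this article, added here as an example (it is not part of the original article or a Microsoft tool): it parses a record, confirms that Office 365 is included, reports what happens to senders the record does not list (`-all` is fail, `~all` is softfail), and flags sending IPs that no ip4 mechanism covers. It also flags private-range ip4 entries such as the article's placeholder 10.5.3.2, because a receiving server only ever sees the internet-facing address. The function names and the sending IP in the usage lines are constructed for illustration.

```python
import ipaddress

EOP_INCLUDE = "spf.protection.outlook.com"  # include domain used in this article's records
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into ip4 networks, include domains and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    spf = {"ip4": [], "include": [], "all": None, "other": []}
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in RESULTS:               # explicit qualifier such as -all or ~all
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            spf["all"] = qualifier
        elif name == "ip4" and value and qualifier == "+":
            spf["ip4"].append(ipaddress.ip_network(value, strict=False))
        elif name == "include" and value and qualifier == "+":
            spf["include"].append(value.lower())
        else:
            spf["other"].append(term)        # a, mx, ip6, redirect= ... are not evaluated
    return spf


def check_spf(record, sending_ips):
    """Report how a record treats the static IPs that devices or servers send from."""
    spf = parse_spf(record)
    uncovered = [ip for ip in sending_ips
                 if not any(ipaddress.ip_address(ip) in net for net in spf["ip4"])]
    return {
        "office365_included": EOP_INCLUDE in spf["include"],
        # Without an 'all' mechanism (and no redirect), unlisted senders get neutral.
        "unlisted_sender_result": RESULTS.get(spf["all"], "neutral"),
        "uncovered_ips": uncovered,
        "private_ip4": [str(net) for net in spf["ip4"] if net.is_private],
        "not_evaluated": spf["other"],
    }


# Records copied from this article.
SCENARIO_RECORD = ("v=spf1 ip4:10.10.10.1 ip4:131.107.21.231 "
                   "include:spf.protection.outlook.com -all")
DIRECT_SEND_RECORD = "v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    # 198.51.100.7 is a constructed sample standing in for a device's public IP.
    for record, ips in ((SCENARIO_RECORD, ["131.107.21.231"]),
                        (DIRECT_SEND_RECORD, ["198.51.100.7"])):
        print(record)
        for key, value in check_spf(record, ips).items():
            print(f"  {key}: {value}")
```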
How direct send works
In the following diagram, the application or device in your organization's network uses direct send and your Office
365 mail exchange (MX) endpoint to email recipients in your organization. It's easy to find your MX endpoint in
Office 365 if you need to look it up.
You can configure your device to send email direct to Office 365. Use direct send to relay email to recipients with
Office 365 mailboxes in your organization. Direct send also works for external recipients with mailboxes in Office
365. If your device uses direct send to try to relay an email for a recipient who doesn't have an Office 365 mailbox,
the email will be rejected.

NOTE
If your device or application has the ability to act as an email server to deliver messages to Office 365 as well as other email
providers, there are no Office 365 settings needed for this scenario. Consult your device or application instructions for more
information.

Features of direct send


Uses Office 365 to send emails, but does not require a dedicated Office 365 mailbox.
Doesn't require your device or application to have a static IP address. However, this is recommended if
possible.
Doesn't work with a connector; never configure a device to use a connector with direct send, because this
can cause problems.
Doesn't require your device to support TLS.
Direct send has higher sending limits than SMTP client submission. Senders are not bound by the 30 messages
per minute or 10,000 recipients per day limit.
Requirements for direct send
Port: Port 25 is required and must be unblocked on your network.
Static IP address is recommended: A static IP address is recommended so that an SPF record can be
created for your domain. This helps avoid your messages being flagged as spam.
Does not require an Office 365 mailbox with a license.
Limitations of direct send
Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or
Gmail addresses.
Your messages will be subject to antispam checks.
Sent mail might be disrupted if your IP addresses are blocked by a spam list.
Office 365 uses throttling policies to protect the performance of the service.

Option 3: Configure a connector to send mail using Office 365 SMTP relay
This option is more difficult to implement than the others. Only choose this option when:
SMTP client submission (Option 1) is not compatible with your business needs or with your device
You can't use direct send (Option 2) because you must send email to external recipients.
SMTP relay lets Office 365 relay emails on your behalf by using a connector that's configured with your public IP
address or a TLS certificate. Setting up a connector makes this a more complicated option.
Settings for Office 365 SMTP relay

| DEVICE OR APPLICATION SETTING | VALUE |
|---|---|
| Server/smart host | Your MX endpoint, e.g. yourdomain-com.mail.protection.outlook.com |
| Port | Port 25 |
| TLS/StartTLS | Enabled |
| Email address | Any email address in one of your Office 365 verified domains. This email address does not need a mailbox. |

If you already have a connector that's configured to deliver messages from your on-premises organization to
Office 365 (for example, a hybrid environment), you probably don't need to create a dedicated connector for Office
365 SMTP relay. If you need to create a connector, use the following settings to support this scenario:

| CONNECTOR SETTING | VALUE |
|---|---|
| From | Your organization's email server |
| To | Office 365 |
| Domain restrictions: IP address/range | Your on-premises IP address or address range that the device or application will use to connect to Office 365 |

We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static
IP address, add it to your SPF record in your domain registrar's DNS settings as follows:

| DNS ENTRY | VALUE |
|---|---|
| SPF | v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all |

Step-by-step configuration instructions for SMTP relay


1. Obtain the public (static) IP address that the device or application will send from. A dynamic IP address
isn't supported or allowed. You can share your static IP address with other devices and users, but don't
share the IP address with anyone outside of your company. Make a note of this IP address for later.
2. Sign in to Office 365.
3. Select Domains. Make sure your domain, such as contoso.com, is selected. Click Manage DNS and find
the MX record. The MX record will have a POINTS TO ADDRESS value that looks similar to cohowineinc-
com.mail.protection.outlook.com as depicted in the following screenshot. Make a note of the MX record
POINTS TO ADDRESS value. You'll need this later.

4. Check that the domains that the application or device will send to have been verified. If the domain is not
verified, emails could be lost, and you won't be able to track them with the Exchange Online message trace
tool.
5. In Office 365, click Admin, and then click Exchange to go to the Exchange admin center.
6. In the Exchange admin center, go to Mail flow > Connectors.
7. Check the list of connectors set up for your organization. If there is no connector listed from your
organization's email server to Office 365, create one.
8. To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the
following screenshot:

Click Next, and give the connector a name.


9. On the next screen, choose the option By verifying that the IP address of the sending server matches
one of these IP addresses that belong to your organization, and add the IP address from step 1.
10. Leave all the other fields with their default values, and select Save.
11. Now that you are done with configuring your Office 365 settings, go to your domain registrar's website to
update your DNS records. Edit your SPF record. Include the IP address that you noted in step 1. The
finished string should look similar to this: v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all,
where 10.5.3.2 is your public IP address. Skipping this step can cause email to be sent to recipients' junk
mail folders.
12. Now, go back to the device, and in the settings, find the entry for Server or Smart Host, and enter the MX
record POINTS TO ADDRESS value that you recorded in step 3.
13. To test the configuration, send a test email from your device or application, and confirm that it was received
by the recipient.
How Office 365 SMTP relay works
In the following diagram, the application or device in your organization's network uses a connector for SMTP relay
to email recipients in your organization.

The Office 365 connector that you configure authenticates your device or application with Office 365 using
an IP address. Your device or application can send email using any address (including ones that can't receive
mail), as long as the address uses one of your domains. The email address doesn't need to be associated
with an actual mailbox. For example, if your domain is contoso.com, you could send from an address like
do_not_reply@contoso.com.
Office 365 SMTP relay uses a connector to authenticate the mail sent from your device or application. This
allows Office 365 to relay those messages to your own mailboxes as well as external recipients. Office 365
SMTP relay is very similar to direct send except that it can send mail to external recipients.
Due to the added complexity of configuring a connector, direct send is recommended over Office 365
SMTP relay, unless you must send email to external recipients. To send email using Office 365 SMTP relay,
your device or application server must have a static IP address or address range. You can't use SMTP relay
to send email directly to Office 365 from a third-party hosted service, such as Microsoft Azure.
Features of Office 365 SMTP relay
Office 365 SMTP relay does not require the use of a licensed Office 365 mailbox to send emails.
Office 365 SMTP relay has higher sending limits than SMTP client submission; senders are not bound by
the 30 messages per minute or 10,000 recipients per day limits.
Requirements for Office 365 SMTP relay
Static IP address or address range: Most devices or applications are unable to use a certificate for
authentication. To authenticate your device or application, use one or more static IP addresses that are not
shared with another organization.
Connector: You must set up a connector in Exchange Online for email sent from your device or application.
Port: Port 25 is required and must not be blocked on your network or by your ISP.
Licensing: SMTP relay doesn't use a specific Office 365 mailbox to send email. This is why it's important
that only licensed users send email from devices or applications configured for SMTP relay. If you have
senders using devices or LOB applications who don't have an Office 365 mailbox license, obtain and assign
an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that
allows you to send email via Office 365.
Limitations of Office 365 SMTP relay
Sent mail can be disrupted if your IP addresses are blocked by a spam list.
Reasonable limits are imposed for sending. For more information, see Higher Risk Delivery Pool for
Outbound Messages.
Requires static unshared IP addresses (unless a certificate is used).

Compare the options


Here's a comparison of each configuration option and the features they support.

| | SMTP CLIENT SUBMISSION | DIRECT SEND | SMTP RELAY |
|---|---|---|---|
| Features | | | |
| Send to recipients in your domain(s) | Yes | Yes | Yes |
| Relay to internet via Office 365 | Yes | No. Direct delivery only. | Yes |
| Bypasses antispam | Yes, if the mail is destined for one of your Office 365 mailboxes. | No. Suspicious emails might be filtered. We recommend a custom Sender Policy Framework (SPF) record. | No. Suspicious emails might be filtered. We recommend a custom SPF record. |
| Supports mail sent from applications hosted by a third party | Yes | Yes. We recommend updating your SPF record to allow the third party to send as your domain. | No |
| Requirements | | | |
| Open network port | Port 587 or port 25 | Port 25 | Port 25 |
| Device or application server must support TLS | Required | Optional | Optional |
| Requires authentication | Office 365 user name and password required | None | One or more static IP addresses. Your printer or the server running your LOB app must have a static IP address to use for authentication with Office 365. |
| Limitations | | | |
| Throttling limits | 10,000 recipients per day. 30 messages per minute. | Standard throttling is in place to protect Office 365. | Reasonable limits are imposed. The service can't be used to send spam or bulk mail. For more information about reasonable limits, see Higher Risk Delivery Pool for Outbound Messages. |

Use your own email server to send email from multifunction devices and applications
If you happen to have an on-premises email server, you should seriously consider using that server for SMTP
relay instead of Office 365. A local email server that you have physical access to is much easier to configure for
SMTP relay by devices and applications on your local network. The details about how to do this depend on your
on-premises email server. For Exchange Server, see the following topics:
Allow anonymous relay on Exchange servers
Receive messages from a server, service, or device that doesn't use Exchange

Related Topics
Fix issues with printers, scanners, and LOB applications that send email using Office 365
How to configure IIS for relay with Office 365
How to configure IIS for relay with Office 365
3/4/2019 • 6 minutes to read

When you set up a multifunction device or application to send email through Office 365, there are some cases
where the device or application can't connect directly to Office 365. In these cases, you need to set up Internet
Information Services (IIS) to work as an intermediary.
You might want to do this in the following scenarios:
You don't have an on-premises messaging system any longer
You have line-of-business (LOB) programs or devices in an on-premises environment
Your LOB programs and devices have to send email messages to remote domains and to your Exchange
Online mailboxes
Before proceeding, review How to set up a multifunction device or application to send email using Office 365 as
there may be an available option that doesn't require setting up an additional server to relay.

NOTE
These instructions can be modified for other SMTP relays that you might have in your organization.

What you need to know before you begin


Estimated time to complete: 15 minutes
Your on-premises domain must be added as an accepted domain in Office 365. For example, if the account
you're relaying from is bob@tailspintoys.com, you have to add tailspintoys.com as an accepted domain in
Office 365.
Your on-premises account must also be either an Exchange Online-licensed user in Office 365 or an
alternative email address of an Exchange Online-licensed user. For example, if the account that you're
relaying from is printer@tailspintoys.com and you want to relay through bob@contoso.com (an Office 365
user), you have to add printer@tailspintoys.com as an alternate email address to bob@contoso.com.

Set up Exchange Online as an SMTP Relay Using Windows Server 2012


1. Install Internet Information Services (IIS)
   1. In Server Manager, select Add Roles.
   2. On the Before you begin page in the Add Roles Wizard, select Next.
   3. On the Select Installation Type page, select Role-based or Feature-based installation.
   4. On the Select destination server page, choose Select a server from the server pool, and select the server
      that will be running SMTP services. Select Next.
   5. On the Select Server Roles page, select Web Server (IIS), and then select Next. If a page that requests
      additional features is displayed, select Add Features and then select Next.
   6. On the Select Role Services page, make sure that Basic Authentication under Security is selected, and then
      select Next.
   7. On the Confirm Installation Steps page, select Install.
2. Install SMTP
   1. Open Server Manager and select Add Roles and Features.
   2. Select Server Selection and make sure that the server that will be running the SMTP server is selected
      and then select Features.
   3. On the Select Features screen, choose SMTP Server. You may be prompted to install additional
      components. If that's the case, select Add Required Features and select Next.
   4. Select Install. After the installation is finished, you may have to start the SMTP service by using the
      Services snap-in for the Microsoft Management Console (MMC).
3. Set up SMTP
   1. Open Server Manager, select Tools, and then select Internet Information Services (IIS) 6.0.
   2. Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
   3. On the General tab, select Advanced > Add.
   4. In the IP Address box, specify the address of the server that's hosting the SMTP server.
   5. In the Port box, enter 587 and select OK.
   6. On the Access tab, do the following:
      a. Select Authentication and make sure that Anonymous Access is selected.
      b. Select Connection > Only the List Below, and then specify the IP addresses of the devices that will be
         connecting to the SMTP server, such as printers.
      c. Select Relay > Only the List Below, and then specify the IP address of the devices relaying through this
         SMTP server.
   7. On the Delivery tab, select Outbound Security, and then do the following:
      a. Select Basic Authentication.
      b. Enter the credentials of the Office 365 user who you want to use to relay SMTP mail.
      c. Select TLS Encryption.
   8. Select Outbound Connections, and in the TCP Port box, enter 587 and select OK.
   9. Select Advanced and specify SMTP.office365.com as the Smart Host.
   10. Restart the IIS service and the SMTP service.

Set up Exchange Online as an SMTP Relay Using Windows Server 2008


1. Install Internet Information Services (IIS)
   1. In Server Manager, select Add Roles.
   2. On the Before you begin page in the Add Roles Wizard, select Next.
   3. On the Select Server Roles page, select Web Server (IIS) and select Install.
   4. Select Next until you get to the Select Role Services page.
   5. In addition to what is already selected, make sure that ODBC Logging, IIS Metabase Compatibility,
      and IIS 6 Management Console are selected and then select Next.
   6. When you're prompted to install IIS, select Install. You may need to restart the server after the installation is
      finished.
2. Install SMTP
   1. Open Server Manager and select Add Roles and Features.
   2. On the Select Features screen, choose SMTP Server. You may be prompted to install additional
      components. If that's the case, select Add Required Features and select Next.
   3. Select Install. After the installation is finished, you may have to start the SMTP service by using the
      Services snap-in for the Microsoft Management Console (MMC).
3. Set up SMTP
   1. Select Start > Administrative Tools > Internet Information Services (IIS) 6.0.
   2. Expand the current server, right-click the SMTP Virtual Server, and then select Properties.
   3. On the General tab, select Advanced > Add.
   4. In the IP Address box, specify the address of the server that's hosting the SMTP server.
   5. In the Port box, enter 587 and select OK.
   6. On the Access tab, do the following:
      a. Select Authentication and make sure that Anonymous Access is selected.
      b. Select Connection > Only the List Below, and then specify the IP addresses of the devices that will be
         connecting to the SMTP server, such as printers.
      c. Select Relay > Only the List Below, and then specify the IP address of the devices relaying through this
         SMTP server.
   7. On the Delivery tab, select Outbound Security, and then do the following:
      a. Select Basic Authentication.
      b. Enter the credentials of the Office 365 user who you want to use to relay SMTP mail.
      c. Select TLS Encryption.
   8. Select Outbound Connections and in the TCP Port box, enter 587 and select OK.
   9. Select Advanced and specify SMTP.office365.com as the Smart Host.
   10. Restart the IIS service and the SMTP service.

How do you know this worked?


You can test SMTP relay services without using a separate LOB application or device.
To test SMTP relay services, use the following steps.
1. Create a text file using Notepad or another text editor. The file should contain the following code. Replace the
source and destination email addresses with the addresses you will use to relay SMTP.
FROM: <source email address>
TO: <destination email address>
SUBJECT: Test email

This is a test email sent from my SMTP server

2. Save the text file as Email.txt.


3. Copy the Email.txt file into the following folder: C:\InetPub\MailRoot\Pickup.
4. After a short time, the file should automatically be moved to the C:\InetPub\MailRoot\Queue folder. When
the SMTP server delivers the mail, the file is automatically deleted from the local folder.
Caution

If the SMTP server can't deliver the message, a non-delivery report (NDR) is created in the
C:\InetPub\MailRoot\BadMail folder. You can use this NDR to diagnose delivery issues.
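
The pickup test above can be scripted so the result is reported instead of watched by hand. This is an added example, not part of the original article; the function names are illustrative, and it assumes Windows PowerShell 3.0 or later on the relay server and a relay quiet enough that no other messages reach the Queue or BadMail folders during the test.

```powershell
# Added example: drops the test message into Pickup, then watches Queue and BadMail.
function Get-FileNames {
    param([string]$Path)
    Get-ChildItem -Path $Path |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.Name }
}

function Send-PickupTestMessage {
    param(
        [Parameter(Mandatory = $true)][string]$From,
        [Parameter(Mandatory = $true)][string]$To,
        [string]$MailRoot = 'C:\InetPub\MailRoot',
        [int]$TimeoutSeconds = 120
    )
    $pickup  = Join-Path $MailRoot 'Pickup'
    $queue   = Join-Path $MailRoot 'Queue'
    $badMail = Join-Path $MailRoot 'BadMail'
    foreach ($dir in $pickup, $queue, $badMail) {
        if (-not (Test-Path $dir)) { throw "Folder not found: $dir" }
    }

    # Snapshot existing files so only entries created by this test are counted.
    $queueBefore = @(Get-FileNames $queue)
    $badBefore   = @(Get-FileNames $badMail)

    # Headers, one blank line, then the body, as in the Email.txt sample.
    $message = @(
        "FROM: $From", "TO: $To", 'SUBJECT: Test email', '',
        'This is a test email sent from my SMTP server'
    ) -join "`r`n"

    # Write the file elsewhere and move it in, so the SMTP service
    # never picks up a half-written message.
    $staging = Join-Path $env:TEMP ('Email-{0}.txt' -f [guid]::NewGuid())
    [System.IO.File]::WriteAllText($staging, $message, [System.Text.Encoding]::ASCII)
    $target = Join-Path $pickup 'Email.txt'
    Move-Item -Path $staging -Destination $target

    $state    = 'NotPickedUp'
    $newBad   = @()
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
        $newBad = @(Get-FileNames $badMail | Where-Object { $badBefore -notcontains $_ })
        if ($newBad.Count -gt 0) { $state = 'BadMail'; break }
        if (Test-Path $target) { continue }     # still waiting in Pickup
        $newQueued = @(Get-FileNames $queue | Where-Object { $queueBefore -notcontains $_ })
        if ($newQueued.Count -eq 0) { $state = 'LeftQueue'; break }
        $state = 'StillQueued'
    }

    [pscustomobject]@{
        State        = $state      # LeftQueue means the relay handed the message on
        BadMailFiles = $newBad     # NDR files to open when State is BadMail
    }
}

# Usage (addresses taken from the examples earlier in this article):
# Send-PickupTestMessage -From 'printer@tailspintoys.com' -To 'bob@contoso.com'
```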

Related Topics
Troubleshoot email sent from printers and business applications
How to set up a multifunction device or application to send email using Office 365
Fix issues with printers, scanners, and LOB applications that send email using Office 365
3/29/2019 • 9 minutes to read

Email clients provide actionable error messages when something goes wrong. Sending email from devices and
applications is less easy to fix, and you might not get clear information to help you. This article can help you
troubleshoot, and it uses printer configurations as examples.
As a first step to fixing any problems, check your configuration. See How to set up a multifunction device or
application to send email using Office 365 for detailed information about the configuration options.

My printer is already configured for email, but I don't know which configuration option it uses
Below are the three configuration options to help you identify which one is in use:
1. SMTP client submission (recommended)
Your printer is connected to the Office 365 server "smtp.office365.com."
You entered an email address and password for the printer mailbox.
The printer can send email to people inside and outside your organization.

2. Direct send
Your printer is connected to an Office 365 server whose name ends with "mail.protection.outlook.com."
There is no connector set up in Office 365 for emails sent from your organization's network.
The printer can send email only to people in your organization; email can't be sent to recipients outside your
organization.
3. Office 365 SMTP relay
Your printer is connected to an Office 365 server whose name ends with "mail.protection.outlook.com."
There is a connector set up in Office 365 for emails sent from your organization's network to Office 365.
The printer can send email to people inside and outside your organization.

Fix issues with SMTP client submission


I set up my printer for SMTP client submission, but it still can't send emails
1. Check the settings entered directly into the printer:

| Printer setting | Value |
|:-----|:-----|
| Server/smart host | smtp.office365.com |
| Port | Port 587 (recommended) or port 25 |
| TLS/StartTLS | Enabled |
| Username/email address and password | Login credentials of Office 365 mailbox the printer uses |

2. If your printer didn't require a password for the email address you entered, your printer is trying to send
emails without logging on to Office 365. SMTP client submission requires your printer to log on to Office
365. Direct send and Office 365 SMTP relay do not require a logon; consider one of these options instead.
3. Your printer or application must send email from the same address that you entered logon credentials for
during email setup. If the printer or application tries to send email from a different account, this results in an
error similar to:
5.7.60 SMTP; Client does not have permissions to send as this sender.
For example, if you entered login credentials for sales@contoso.com in your application settings, but the
application tries to send emails from salesperson1@contoso.com, this is not supported. For this scenario,
use Office 365 SMTP relay instead.
4. Test the user name and password by logging on to Outlook on the web, and try to send a test email to make
sure the account is not blocked. If the user is blocked, you can find help in the article, Removing a user,
domain, or IP address from a block list after sending spam email.
5. Next, test that you can connect to Office 365 from your network by doing the following:
   a. Follow the instructions to install the Telnet Client tool on a computer on the same network as the device or
      application.
   b. Run the tool from the command line by typing telnet.
   c. Type open smtp.office365.com 587 (or substitute 25 for 587 if you are using that port setting instead).
   d. If you connected successfully to an Office 365 server, expect to receive a response line similar to this:
      220 BY1PR10CA0041.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 1 Jun 2015 12:00:00 +0000
   e. If you can't connect to Office 365, your network firewall or Internet Service Provider (ISP) might have
      blocked port 587 or 25. Correct this so you can send email from your printer.
6. If none of these issues applies to your device, it might not meet requirements for Transport Layer Security
(TLS) encryption. Your device must support TLS version 1.0 or above. Update the firmware on the device to
solve this, or try one of the other configuration options where TLS is optional.
For more information about TLS, see How Exchange Online uses TLS to secure email connections in Office
365 and for detailed technical information about how Exchange Online uses TLS with cipher suite ordering,
see Enhancing mail flow security for Exchange Online.
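
The manual Telnet check in step 5 stops at the 220 banner; the following added example (not part of the original article; function names are illustrative) scripts the same connection and goes one step further by confirming that the endpoint offers STARTTLS and that a TLS handshake completes. It assumes Windows PowerShell 3.0 or later with .NET Framework 4.5 or later, and the TLS version it reports is the one negotiated by the computer running the script, not by the printer.

```powershell
# Added example: scripted form of the telnet test, plus a STARTTLS handshake.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply can span several lines: "250-..." continues, "250 ..." ends it.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by the server.' }
        if ($line.Length -lt 3) { throw "Malformed SMTP reply: $line" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Lines = $lines }
}

function Test-SmtpSubmission {
    param(
        [string]$Server = 'smtp.office365.com',
        [int]$Port = 587,
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A firewall or ISP block on the port surfaces here as a timeout or a refusal.
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${Server}:$Port."
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner.Code -ne 220) { throw "Unexpected banner: $($banner.Lines -join ' ')" }

        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = Read-SmtpReply $reader
        $offersStartTls = [bool]($ehlo.Lines -match '^250[ -]STARTTLS\s*$')

        $tlsProtocol = $null
        if ($offersStartTls) {
            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply $reader
            if ($reply.Code -ne 220) { throw "STARTTLS refused: $($reply.Lines -join ' ')" }
            # Default certificate validation applies; an untrusted or mismatched
            # certificate makes AuthenticateAsClient throw.
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server)
            $tlsProtocol = $ssl.SslProtocol
        }

        [pscustomobject]@{
            Server          = $Server
            Port            = $Port
            Banner          = $banner.Lines[0]
            StartTlsOffered = $offersStartTls
            TlsProtocol     = $tlsProtocol
        }
    }
    finally {
        $client.Close()
    }
}

Test-SmtpSubmission                 # port 587
# Test-SmtpSubmission -Port 25     # if the device is configured for port 25
```
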
I receive an authentication error when my device tries to send email
This can be caused by a number of issues:
1. Make sure that you entered the correct user name and password.
2. Try logging into OWA with the printer's user name and password. Send an email to make sure that the
mailbox is active and has not been blocked for sending spam.
3. Check that your device or application supports TLS version 1.0 or above. The best way to check is by
upgrading the firmware on the device or updating the application you're sending email from to the latest
version. Contact your device manufacturer to confirm that it supports TLS version 1.0 or above.
Error: 5.7.60 SMTP; Client does not have permissions to send as this sender
This error indicates that the device is trying to send an email from an address that doesn't match the logon
credentials. An example would be if you entered login credentials for sales@contoso.com in your application
settings but the application tries to send emails from salesperson1@contoso.com. If your application or printer
behaves this way, use Office 365 SMTP relay because SMTP client submission does not support this scenario.
Error: Client was not authenticated to send anonymous mail during MAIL FROM
This error indicates that your printer connects to the SMTP client submission endpoint (smtp.office365.com).
However, your printer must also log on to a mailbox to send a message. This error occurs when you have not
entered mailbox logon credentials in the printer's settings. If there is no option to enter credentials, this printer
does not support SMTP client submission; use either direct send or Office 365 SMTP relay instead. See How to
set up a multifunction device or application to send email using Office 365.
Error: 550 5.1.8 Bad outbound sender
This error indicates that the device is trying to send an email from an Office 365 mailbox that is on a spam block
list. For help, see Removing a user, domain, or IP address from a block list after sending spam email.

Fix issues with direct send


I set up my printer for direct send and it's not sending email - or - My device was sending email using direct
send, but it stopped working
This can be caused by a number of issues.
1. A common reason for issues with direct send is a blocked IP address. If antispam tools detect outbound
spam from your organization, your IP address can be blocked by a spam block list. Check whether your IP
address is on a block list by using a third-party service, such as MXToolbox or WhatIsMyIPAddress. Follow
up with the organization that added your IP address to their block list. Office 365 uses block lists to protect
our service. For help, see Removing a user, domain, or IP address from a block list after sending spam
email.
2. To rule out a problem with your device, send a test email to check your connection to Office 365. To send a
test email, follow these steps in the article, Use Telnet to Test SMTP Communication. If you can't connect to
Office 365, your network or ISP might have blocked communication using port 25. If you can't reverse this,
use SMTP client submission instead.
Error: Client was not authenticated to send anonymous mail during MAIL FROM
This indicates that you are connecting to the SMTP client submission endpoint (smtp.office365.com), which can't
be used for direct send. For direct send, use the MX endpoint for your Office 365 tenant, which ends with
"mail.protection.outlook.com." You can find your MX endpoint by following the steps in Option 2: Send mail
directly from your printer or application to Office 365 (direct send).
My emails are not sent to recipients who are not in my organization
This is by design. Direct send allows email to be sent only to recipients in your organization that are hosted in
Office 365. If you need to send to external recipients, use SMTP client submission or Office 365 SMTP relay.
The MX endpoint is too long for the printer setting box. Can I use an IP address instead?
It's not possible to use an IP address in place of an MX endpoint. This could result in your not being able to send
messages in the future. If the MX endpoint is too long, consider using SMTP client submission, which has a
shorter endpoint (smtp.office365.com).
Emails from my device are marked as junk by Office 365
For direct send, we recommend using a device that sends from a static IP address. This allows you to set up a
Sender Policy Framework (SPF) record to help prevent emails being marked as spam. Check that your SPF record
is set up with your static IP address. A network or ISP change could change your static IP address. Update your
SPF record to reflect this change. If you aren't sending from your own static IP address, consider SMTP client
submission instead.

Fix issues with Office 365 SMTP relay


I set up my printer for Office 365 SMTP relay but it's not sending email -or- My device was sending email using
SMTP relay, but it stopped working
This can be caused by a number of issues.
1. A common reason for issues with Office 365 SMTP relay is a blocked IP address. If antispam tools detect
outbound spam from your organization, your IP address can be blocked by a spam block list. Check
whether your IP address is on a block list by using a third-party service, such as MXToolbox or
WhatIsMyIPAddress. Follow up with the organization that added your IP address to their block list. Office
365 uses block lists to protect our service. For help, see Removing a user, domain, or IP address from a
block list after sending spam email.
2. To rule out a problem with your device, send a test email to check your connection to Office 365. To send a
test email, follow these steps in the article, Use Telnet to Test SMTP Communication. If you can't connect to
Office 365, your network or ISP might have blocked communication using port 25. If you can't reverse this,
use SMTP client submission instead.
Emails are no longer being sent to external recipients
Network or ISP changes might change your static IP address. This results in your connector not identifying and
relaying your messages to external recipients. Update your connector and your SPF record with the new IP
address. Follow the steps in Option 3: Configure a connector to send mail using Office 365 SMTP relay to edit
your existing connector settings.
Emails from my device are marked as junk by Office 365
Office 365 SMTP relay requires your device to send email from a static IP address. Check that your SPF record is
set up with your static IP address. A network or ISP change could change your static IP address. Update your SPF
record to reflect this change. If you aren't sending from your own static IP address, consider SMTP client
submission instead.
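
Both junk-mail sections above (direct send and Office 365 SMTP relay) come down to the same check: is the device's current static IP address still listed in the SPF record? The following added example is not part of the original article; the function names, the sample record, and the 203.0.113.x documentation addresses are constructed for illustration. It evaluates only the ip4 mechanisms of a record and lists include targets without resolving them.

```powershell
# Added example: check whether an IPv4 address is authorized by an SPF record's ip4 terms.
function ConvertTo-Ip4Number {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    [long]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = ($n * 256) + $b }
    return $n
}

function Test-Ip4InNetwork {
    param([string]$Address, [string]$Network)    # "a.b.c.d" or "a.b.c.d/len"
    $parts  = $Network.Split('/')
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Network" }
    $size = [long][math]::Pow(2, 32 - $prefix)   # number of addresses in the block
    $addr = ConvertTo-Ip4Number $Address
    $net  = ConvertTo-Ip4Number $parts[0]
    # Both addresses are in the same block when they share the same block index.
    return ([math]::Floor($addr / $size) -eq [math]::Floor($net / $size))
}

function Test-SpfCoversIp {
    param([string]$Record, [string]$IpAddress)
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { throw 'Not an SPF record (must start with v=spf1).' }
    $result = [pscustomobject]@{
        IpAddress    = $IpAddress
        Covered      = $false
        MatchedTerm  = $null
        Includes     = @()     # listed for follow-up, not resolved here
        AllQualifier = $null   # '-' hard fail, '~' soft fail, '?' neutral, '+' pass
    }
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'
        $mechanism = $term
        if ($term -match '^[+\-~?]') {
            $qualifier = $term.Substring(0, 1)
            $mechanism = $term.Substring(1)
        }
        if ($mechanism -match '^ip4:(.+)$') {
            $network = $Matches[1]
            if (-not $result.Covered -and $qualifier -eq '+' -and
                (Test-Ip4InNetwork $IpAddress $network)) {
                $result.Covered     = $true
                $result.MatchedTerm = $term
            }
        }
        elseif ($mechanism -match '^include:(.+)$') { $result.Includes += $Matches[1] }
        elseif ($mechanism -eq 'all') { $result.AllQualifier = $qualifier }
    }
    return $result
}

# Optional live lookup (needs the DnsClient module, Windows 8 / Server 2012 or later).
function Get-SpfRecord {
    param([string]$Domain)
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { $_.Strings } |
        ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -like 'v=spf1*' }
}

# Constructed sample record and addresses.
$record = 'v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all'
Test-SpfCoversIp -Record $record -IpAddress '203.0.113.10'   # address still in the record
Test-SpfCoversIp -Record $record -IpAddress '203.0.113.77'   # address after an ISP change
```

When Covered is False and AllQualifier is '-', receivers are told to reject mail from that address, which matches the symptom described in both sections.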

See also
How to configure IIS for relay with Office 365
Recipients in Exchange Online
3/29/2019 • 2 minutes to read

In Exchange Online, the Exchange admin center (EAC) has replaced the Exchange Control Panel (ECP) as the GUI-based
administrative tool used to manage cloud-based recipients. The EAC also replaces the Exchange
Management Console in Exchange Server. For more information, see Exchange admin center.

Managing recipients in Exchange Online


Although the EAC has a different look and feel than the ECP, managing Exchange Online recipients in the EAC is
similar to managing recipients in the current version of Exchange Online. And because you use the EAC in both
Exchange Online and Exchange on-premises organizations, managing cloud-based recipients is similar to
managing on-premises recipients. For more information about managing some of the different types of recipients
in Exchange Online, see the following articles:
Create user mailboxes in Exchange Online
Manage permissions for recipients
Create and manage distribution groups
Manage mail-enabled security groups
Manage dynamic distribution groups
Manage mail contacts
Manage mail users
Create and manage room mailboxes
Manage equipment mailboxes
Manage permissions for recipients
Message and recipient limits in Exchange Online
3/29/2019 • 2 minutes to read

The content in this topic has been moved to another topic. Check out the new topic at Exchange Online Limits.
Create user mailboxes in Exchange Online
3/4/2019 • 2 minutes to read

You have to use the Office 365 admin center or Exchange Online PowerShell to create an Exchange Online user
mailbox. You can't create new user mailboxes using the Exchange admin center (EAC). However, after Exchange
Online mailboxes are created, you can manage them using the EAC.

NOTE
After you create a new mailbox using Exchange Online PowerShell, you have to assign it an Exchange Online license or it
will be disabled when the 30-day grace period ends.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
It's a good idea to use strong passwords that are at least eight characters long, and combine uppercase
and lowercase letters, numbers, and symbols.
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange
Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Use the Office 365 admin center to create a new mailbox


You can use the Office 365 admin center to create a new user account. When you assign the user account a
license for Exchange Online, a mailbox is automatically created for the user. To create new user accounts in the
Office 365 admin center, see the following topics:
Create or edit users
Add multiple users with a CSV file

Use Exchange Online PowerShell to create a new mailbox


This example creates an Exchange Online mailbox and Office 365 user account for Holly Holt. The optional
parameter ResetPasswordOnNextLogon will require the user to reset their password the first time they sign in to
Office 365.
New-Mailbox -Alias hollyh -Name hollyh -FirstName Holly -LastName Holt -DisplayName "Holly Holt" -MicrosoftOnlineServicesID hollyh@corp.contoso.com -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force) -ResetPasswordOnNextLogon $true

After you create a mailbox by running the previous command, an Office 365 user account is also created. You
have to activate this user account by assigning a license. To assign a license in the Office 365 admin center, see
Assign or remove a license.
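
The command above embeds a fixed, well-known password in the command line. The following added example (not part of the original article; function names are illustrative) generates a random initial password that follows the guidance earlier in this topic (at least eight characters, with uppercase and lowercase letters, numbers, and symbols) and shows how it would be passed to the same New-Mailbox parameters. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: random initial password for New-Mailbox instead of a hard-coded one.
function Get-UniformIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Count)
    # Rejection sampling: discard bytes that would bias the modulo result. $Count must be <= 256.
    $limit = 256 - (256 % $Count)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return ($b[0] % $Count)
}

function New-InitialPassword {
    param([ValidateRange(8, 128)][int]$Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out because the password is typed once by the user.
    # '$', quotes and backticks are left out so the value is safe inside any PowerShell string.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!#%*+-=?@_'
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object System.Collections.Generic.List[char]
        # One character from each class guarantees the required mix.
        foreach ($class in $classes) {
            $chars.Add($class[(Get-UniformIndex $rng $class.Length)])
        }
        $all = -join $classes
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-UniformIndex $rng $all.Length)])
        }
        # Fisher-Yates shuffle so the guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UniformIndex $rng ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return (-join $chars)
    }
    finally {
        $rng.Dispose()
    }
}

$initial = New-InitialPassword -Length 16
$secure  = ConvertTo-SecureString -String $initial -AsPlainText -Force

# In a connected Exchange Online PowerShell session, with the values from the example above:
# New-Mailbox -Alias hollyh -Name hollyh -FirstName Holly -LastName Holt -DisplayName "Holly Holt" `
#     -MicrosoftOnlineServicesID hollyh@corp.contoso.com -Password $secure -ResetPasswordOnNextLogon $true

# Hand $initial to the user over a separate channel, then drop it from the session.
Remove-Variable initial
```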

How do you know this worked?


To verify that you've successfully created a new mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes. The new user mailbox is displayed in the mailbox list.
Under Mailbox Type, the type is User.
Click Refresh if the new mailbox isn't displayed at first.
In the Office 365 admin center, verify that the new user account is listed and that it's been assigned an
Exchange Online license.
In Exchange Online PowerShell, run the following command to display information about the new user
mailbox.

Get-Mailbox <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress,SKUAssigned

If a license is assigned to the mailbox, the value for the SKUAssigned property is True. If a license hasn't
been assigned, the value is blank.
Delete or restore user mailboxes in Exchange Online
3/4/2019 • 7 minutes to read

There are several things you should consider before you decide to delete a user mailbox. There are different kinds of
deletions that you can do on a user mailbox, and some of them won't allow you to restore or recover the mailbox.
This article walks you through the deleted mailbox scenarios, as well as how to delete, recover or permanently
remove a mailbox from Exchange Online.

Soft-deleted user mailboxes


A soft-deleted user mailbox is a mailbox that has been deleted using the Office 365 admin center or the
Remove-Mailbox cmdlet in Exchange Online PowerShell, and has been in the Azure Active Directory (Azure AD) recycle
bin for less than 30 days.
A soft-deleted user mailbox is a mailbox that has been deleted in the following cases:
The user mailbox's associated Azure Active Directory user account is soft-deleted (the Azure Active Directory
user object is out of scope or in the recycle bin container).
The user mailbox's associated Azure Active Directory user account has been hard-deleted but the Exchange
Online mailbox is in a litigation hold or eDiscovery hold.
The user mailbox's associated Azure Active Directory user account has been purged within the last 30 days;
30 days is how long Exchange Online keeps the mailbox in a soft-deleted state before it is
permanently purged and unrecoverable.

NOTE
If you run the Azure cmdlet Remove-MsolUser with the -RemoveFromRecycleBin parameter in order to remove a user from
the Azure AD recycle bin, it will always put an existing Exchange Online mailbox associated with the Azure AD user in a soft-
deleted state, as long as the user's license was not removed. However, if you remove the user's license prior to removing the
user from the recycle bin, the user will not go into a soft-deleted user mailbox state.

If in the 30 day time period a new Azure Active Directory user is synchronized from the original on-premises
recipient account with the same ExchangeGuid or ArchiveGuid, this will result in an ExchangeGuid validation
conflict error.
Check out Overview of inactive mailboxes in Office 365 for more info about creating an inactive mailbox by placing
a Litigation Hold on a mailbox before deleting it.

Hard-deleted user mailboxes


A hard-deleted user mailbox is a mailbox that has been deleted in the following cases:
The user mailbox has been soft-deleted for more than 30 days, and the associated Azure Active Directory
user has been hard-deleted. Check out the Remove-MsolUser cmdlet. All mailbox content such as emails,
contacts and files will be permanently deleted.
The user mailbox's associated Azure Active Directory user account has been hard-deleted in Azure Active
Directory. The user mailbox is now soft-deleted in Exchange Online and stays in the soft-deleted state for 30
days. If in the 30-day time period a new Azure Active Directory user is synchronized from the original
on-premises recipient account with the same ExchangeGuid or ArchiveGuid, and that new account is licensed
for Exchange Online, this will result in a hard deletion of the original user mailbox. All mailbox content such
as emails, contacts and files will be permanently deleted.
The soft-deleted mailbox has been deleted using the Remove-Mailbox cmdlet with the PermanentlyDelete
parameter in Exchange Online PowerShell.
The above scenarios assume that the user mailbox isn't in any of the hold states, like Litigation hold or eDiscovery
hold. If there is any type of hold on the user mailbox, the mailbox can't be removed from Exchange Online. For all
mail user recipient types, Litigation hold or eDiscovery hold are ignored and have no impact on the mail user's
hard-delete or soft-delete behavior. The mail user object can't be deleted if there is a journal mailbox associated.
You can disable journaling on the mail user by using the Disable-JournalArchiving cmdlet.

Delete a user mailbox


Use the Office 365 admin center to delete a user account
When you delete an Office 365 user account, the corresponding Exchange Online mailbox is deleted and removed
from the list of mailboxes in the EAC. After the user account is deleted, it's listed on the Deleted Users page in the
Office 365 admin center. It can be recovered within 30 days after being deleted. After 30 days, the user account and
mailbox are permanently deleted and not recoverable.
To delete an Office 365 work or school account, see Delete or restore users.
Use Exchange Online PowerShell to delete a mailbox
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients permissions
topic.
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online
PowerShell.
When you delete an Exchange Online mailbox using Exchange Online PowerShell, the corresponding Office 365
user is deleted and removed from the list of users in the Office 365 admin center. The user will still be recoverable
for 30 days. After the 30 days time limit, the user is permanently deleted.
This example deletes an Exchange Online mailbox and the corresponding Office 365 user account for Walter Harp.

Remove-Mailbox -Identity "Walter Harp"

Use Windows PowerShell to permanently delete a user mailbox


This example deletes the user account for Walter Harp from Azure Active Directory.

Remove-MsolUser -UserPrincipalName <Walter Harp> -RemoveFromRecycleBin

For more details, check out Remove-MsolUser.


How do you know this worked?
To verify that you've successfully deleted an Exchange Online mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes. The deleted mailbox is removed from the mailbox list.
Click Refresh if the deleted mailbox is still displayed.
If you deleted the Office 365 user account, verify that the user account isn't listed on the Active users page
in the Office 365 admin center, and that it's listed on the Deleted Users page.
In Exchange Online PowerShell, use the following syntax to verify that the mailbox has been deleted.
Get-Mailbox <identity>

The command will return an error stating that the mailbox couldn't be found, which verifies that the mailbox
was deleted.
If you permanently deleted the user mailbox, verify that the user mailbox isn't still showing up in the Azure
Active Directory recycle bin.

Restore a user mailbox


When you delete a mailbox, Exchange Online retains the mailbox and all its contents until the deleted mailbox
retention period expires, which is 30 days. After 30 days, the mailbox is permanently deleted and can't be
recovered. The method for restoring a mailbox depends on whether the mailbox was deleted by deleting the Office
365 user account or removing the Exchange Online license.
Use the Office 365 admin center to restore a user account
If the mailbox was deleted by deleting the corresponding Office 365 user account, you can restore the mailbox by
restoring the user account in the Office 365 admin center.
To restore an Office 365 user account, see Delete or restore users.
Use Exchange Online PowerShell to restore a user account
You can recover soft-deleted mailboxes using the PowerShell cmdlet below. The cmdlet example below restores the
mailbox for Allie Bellew.
1. Connect to Exchange Online PowerShell
2. Run the Undo-SoftDeletedMailbox cmdlet.

Undo-SoftDeletedMailbox allieb@contoso.com -WindowsLiveID allieb@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

How do you know this worked?


To verify that you've successfully restored a mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes. The restored mailbox is displayed in the mailbox list.
Click Refresh if the mailbox isn't displayed at first.
In Exchange Online PowerShell, use the following syntax to verify that the mailbox was restored.

Get-Mailbox <Identity>

Restoring a user in a hybrid scenario


For user mailboxes in a hybrid scenario, if the mailbox has been soft-deleted and the Azure Active Directory user
that was associated with the mailbox has been hard-deleted from Azure Active Directory, you can use
New-MailboxRestoreRequest to recover the mailbox. Read Configure Office 365 Groups with on-premises Exchange
hybrid for more info. The procedures in this section explain how to restore the mailbox for a soft-deleted user.
1. Connect to Exchange Online PowerShell
2. Run the following cmdlet to identify the soft-deleted mailbox that you want to restore.
Get-Mailbox -SoftDeletedMailbox | Select-Object Name,ExchangeGuid

For the soft-deleted mailbox that you want to restore, note its GUID value (you'll use the value in Step 4).
3. Create a new target mailbox for the restored mailbox. For more information, see Create user mailboxes in
Exchange Online. After you create the target mailbox, run the following command to get the GUID value of
the target mailbox that you'll need in the next step.

Get-Mailbox -Identity <NameOrAliasOfNewTargetMailbox> | Format-List ExchangeGuid

4. Replace <SoftDeletedMailboxGUID> with the GUID value from Step 2, and <NewTargetMailboxGUID>
with the GUID value from Step 3, and run the following cmdlet to restore the mailbox:

New-MailboxRestoreRequest -SourceMailbox <SoftDeletedMailboxGUID> -TargetMailbox <NewTargetMailboxGUID>
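
Steps 2 through 4 depend on copying the right two GUIDs by hand. The following added example (not part of the original documentation) selects them from the cmdlet output and refuses a missing, empty, or ambiguous match. The helper name Select-RestorePair and all sample names and GUIDs are constructed for illustration.

```powershell
# Added example. Select-RestorePair is a hypothetical helper, not an Exchange cmdlet.
function Select-RestorePair {
    [CmdletBinding()]
    param(
        # Output of: Get-Mailbox -SoftDeletedMailbox   (Step 2)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SoftDeleted,
        # Name of the soft-deleted mailbox to restore
        [Parameter(Mandatory)] [string] $SourceName,
        # Output of: Get-Mailbox -Identity <NameOrAliasOfNewTargetMailbox>   (Step 3)
        [Parameter(Mandatory)] [object] $Target
    )

    $candidates = @($SoftDeleted | Where-Object { $_.Name -eq $SourceName })
    if ($candidates.Count -eq 0) {
        throw "No soft-deleted mailbox is named '$SourceName'."
    }
    if ($candidates.Count -gt 1) {
        # Several deleted mailboxes can share a Name. Restoring the wrong one
        # copies another person's mail into the target mailbox.
        $guids = ($candidates | ForEach-Object { $_.ExchangeGuid }) -join ', '
        throw "Name '$SourceName' matches $($candidates.Count) soft-deleted mailboxes ($guids). Select one by ExchangeGuid."
    }

    # Validate both GUIDs before they reach New-MailboxRestoreRequest (Step 4).
    $pair = @{}
    $inputs = @(
        @{ Role = 'SourceMailbox'; Value = $candidates[0].ExchangeGuid },
        @{ Role = 'TargetMailbox'; Value = $Target.ExchangeGuid }
    )
    foreach ($item in $inputs) {
        $guid = [guid]::Empty
        $parsed = [guid]::TryParse("$($item.Value)", [ref]$guid)
        if ((-not $parsed) -or ($guid -eq [guid]::Empty)) {
            throw "$($item.Role) has no usable ExchangeGuid."
        }
        $pair[$item.Role] = $guid.ToString()
    }
    if ($pair.SourceMailbox -eq $pair.TargetMailbox) {
        throw 'Source and target are the same mailbox.'
    }
    $pair   # keys match the parameter names of New-MailboxRestoreRequest
}

# Constructed sample data shaped like the cmdlet output (Name, ExchangeGuid).
$softDeleted = @(
    [pscustomobject]@{ Name = 'Allie Bellew'; ExchangeGuid = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ Name = 'Walter Harp';  ExchangeGuid = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ Name = 'Walter Harp';  ExchangeGuid = '33333333-3333-3333-3333-333333333333' }
)
$target = [pscustomobject]@{ Name = 'Allie Bellew (restore)'; ExchangeGuid = '44444444-4444-4444-4444-444444444444' }

# Unique match: prints the Step 4 command with both GUIDs filled in.
$restore = Select-RestorePair -SoftDeleted $softDeleted -SourceName 'Allie Bellew' -Target $target
"New-MailboxRestoreRequest -SourceMailbox $($restore.SourceMailbox) -TargetMailbox $($restore.TargetMailbox)"

# Ambiguous match: two soft-deleted mailboxes share the name, so nothing is selected.
try   { Select-RestorePair -SoftDeleted $softDeleted -SourceName 'Walter Harp' -Target $target }
catch { "Refused: $($_.Exception.Message)" }

# In a connected Exchange Online PowerShell session, replace the sample data with
#   $softDeleted = Get-Mailbox -SoftDeletedMailbox
#   $target      = Get-Mailbox -Identity <NameOrAliasOfNewTargetMailbox>
# and run:
#   New-MailboxRestoreRequest @restore
```
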

License removal
For info on removing a license from a user in Office 365 and Exchange Online, check out Change in behavior for
delicensed Exchange Online users.

Additional information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Manage user mailboxes
3/29/2019 • 23 minutes to read

After you create a user mailbox, you can make changes and set additional properties by using the EAC or
Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete each user mailbox task: 2 to 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Change user mailbox properties


Use the EAC to change user mailbox properties
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to change the properties for, and then click Edit.
3. On the mailbox properties page, you can change any of the following properties.
General
Mailbox Usage
Contact Information
Organization
Email Address
Mailbox Features
Member Of
MailTip
Mailbox Delegation
General

Use the General section to view or change basic information about the user.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To: and From: lines in
email, and in the Mailbox list. This name can't contain empty spaces before or after the display name.
* Alias: This specifies the email alias for the user. The user's alias is the portion of the email address on the
left side of the at (@) symbol. It must be unique in the forest.
* User logon name: This is the name that the user uses to sign in to their mailbox and to log on to the
domain. Typically the user logon name consists of the user's alias on the left side of the @ symbol, and the
domain name in which the user account resides on the right side of the @ symbol.

NOTE
This box is labeled User ID in Exchange Online.

Require password change on next logon: Select this check box if you want the user to reset their
password the next time they sign in to their mailbox.

NOTE
This check box isn't available in Exchange Online.

Hide from address lists: Select this check box to prevent the recipient from appearing in the address book
and other address lists that are defined in your Exchange organization. After you select this check box, users
can still send messages to the recipient by using the email address.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the user
account. You have to use Active Directory Users and Computers to move the user account to a different
OU.

NOTE
This box isn't available in Exchange Online.

Mailbox database: This read-only box displays the name of the mailbox database that hosts the mailbox.
To move the mailbox to a different database, select it in the mailbox list, and then click Move mailbox to
another database in the Details pane.

NOTE
This option isn't available in Exchange Online.

Custom attributes: This section displays the custom attributes defined for the user mailbox. To specify
custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Mailbox Usage

Use the Mailbox Usage section to view or change the mailbox storage quota and deleted item retention settings
for the mailbox. These settings are configured by default when the mailbox is created. They use the values that are
configured for the mailbox database and apply to all mailboxes in that database. You can customize these settings
for each mailbox instead of using the mailbox database defaults.
Last logon: This read-only box displays the last time that the user signed in to their mailbox.
Mailbox usage: This area shows the total size of the mailbox and the percentage of the total mailbox quota
that has been used.

NOTE
To obtain the information that's displayed in the previous two boxes, the EAC queries the mailbox database that hosts the
mailbox. If the EAC is unable to communicate with the Exchange store that contains the mailbox database, these boxes will
be blank. A warning message is displayed if the user hasn't signed in to the mailbox for the first time.

Click More options to view or change the mailbox storage quota and the deleted item retention settings for the
mailbox.

NOTE
These settings aren't available in the EAC in Exchange Online.

Storage quota settings: To customize these settings for the mailbox and not use the mailbox database
defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
The value range for any of the storage quota settings is from 0 through 2047 gigabytes (GB).
Issue a warning at (GB): This box displays the maximum storage limit before a warning is issued to
the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning
message to the user.
Prohibit send at (GB): This box displays the prohibit send limit for the mailbox. If the mailbox size
reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and
displays a descriptive error message.
Prohibit send and receive at (GB): This box displays the prohibit send and receive limit for the
mailbox. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox
user from sending new messages and won't deliver any new messages to the mailbox. Any
messages sent to the mailbox are returned to the sender with a descriptive error message.
Deleted item retention settings: To customize these settings for the mailbox and not use the mailbox
database defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
Keep deleted items for (days): This box displays the length of time that deleted items are retained
before they are permanently deleted and can't be recovered by the user. When the mailbox is
created, this value is based on the deleted item retention settings configured for the mailbox
database. By default, a mailbox database is configured to retain deleted items for 14 days. The value
range for this property is from 0 through 24855 days.
Don't permanently delete items until the database is backed up: Select this check box to
prevent mailboxes and email messages from being deleted until after the mailbox database on which
the mailbox is located has been backed up.
Contact Information

Use the Contact Information section to view or change the user's contact information. The information on this
page is displayed in the address book. Click More options to display additional boxes.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.

Mailbox users can use Outlook or Outlook Web App to view and change their own contact information. But they
can't change the information in the Notes and Web page boxes.
Organization

Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that is accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari's mailbox is specified in the Manager box of
Chris's mailbox and Kate's mailbox, and Chris and Kate appear in the Direct reports box in the properties
of Kari's mailbox.
Email Address

Use the Email Address section to view or change the email addresses associated with the user mailbox. This
includes the user's primary SMTP address and any associated proxy addresses. The primary SMTP address (also
known as the default reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the * Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled users within an Exchange organization. EUM addresses
consist of the extension number and the UM dial plan for the UM-enabled user. Click this button and
type the extension number in the Address/Extension box. Then click Browse and select a dial plan
for the user.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

Make this the reply address: In Exchange Online, you can select this check box to make the new
email address the primary SMTP address for the mailbox. This check box isn't available in the EAC in
Exchange Server.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.

NOTE
This check box isn't available in Exchange Online.



Mailbox Features

Use the Mailbox Features section to view or change the following mailbox features and settings:
Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing policy controls how
users in your organization can share calendar and contact information with users outside your Exchange
organization. The Default Sharing Policy is assigned to mailboxes when they are created. To change the
sharing policy that's assigned to the user, select a different one from the drop-down list.
Role assignment policy: This box shows the role assignment policy assigned to the mailbox. The role
assignment policy specifies the role-based access control (RBAC) roles that are assigned to the user and
control what specific mailbox and distribution group configuration settings users can modify. To change the
role assignment policy that's assigned to the user, select a different one from the drop-down list.
Retention policy: This box shows the retention policy assigned to the mailbox. A retention policy is a
group of retention tags that are applied to the user's mailbox. They allow you to control how long to keep
items in users' mailboxes and define what action to take on items that have reached a certain age. A
retention policy isn't assigned to mailboxes when they are created. To assign a retention policy to the user,
select one from the drop-down list.
Address book policy: This box shows the address book policy applied to the mailbox. An address book
policy allows you to segment users into specific groups to provide customized views of the address book.
To apply or change the address book policy applied to the mailbox, select one from the drop-down list.
Unified Messaging: This feature is disabled by default. When you enable Unified Messaging (UM), the
user will be able to use your organization's UM features and a default set of UM properties are applied to
the user. Click Enable to enable UM for the mailbox. For information about how to enable UM, see Enable
a user for voice mail.

NOTE
A UM dial plan and a UM mailbox policy must exist before you can enable UM.

Mobile Devices: Use this section to view and change the settings for Exchange ActiveSync, which is
enabled by default. Exchange ActiveSync enables access to an Exchange mailbox from a mobile device.
Click Disable Exchange ActiveSync to disable this feature for the mailbox.
Outlook Web App: This feature is enabled by default. Outlook Web App enables access to an Exchange
mailbox from a web browser. Click Disable to disable Outlook Web App for the mailbox. Click Edit details
to add or change an Outlook Web App mailbox policy for the mailbox.
IMAP: This feature is enabled by default. Click Disable to disable IMAP for the mailbox.
POP3: This feature is enabled by default. Click Disable to disable POP3 for the mailbox.
MAPI: This feature is enabled by default. MAPI enables access to an Exchange mailbox from a MAPI client
such as Outlook. Click Disable to disable MAPI for the mailbox.
Litigation hold: This feature is disabled by default. Litigation hold preserves deleted mailbox items and
records changes made to mailbox items. Deleted items and all instances of changed items are returned in a
discovery search. Click Enable to put the mailbox on litigation hold. If the mailbox is on litigation hold, click
Disable to remove the litigation hold. Mailboxes on litigation hold are inactive mailboxes and can't be
deleted. To delete the mailbox, remove the litigation hold. If the mailbox is on litigation hold, click Edit
details to view and change the following litigation hold settings:
Hold date: This read-only box indicates the date and time when the mailbox was put on litigation
hold.
Put on hold by: This read-only box indicates the user who put the mailbox on litigation hold.
Note: Use this box to notify the user about the litigation hold, explain why the mailbox is on
litigation hold, or provide additional guidance to the user, such as informing them that the litigation
hold won't affect their day-to-day use of email.
URL: Use this box to provide a URL to a website that provides information or guidance about the
litigation hold on the mailbox.

NOTE
The text from these boxes appears in the user's mailbox only if they are using Outlook 2010 or later versions.
It doesn't appear in Outlook Web App or other email clients. To view the text from the Note and URL boxes
in Outlook, click the File tab, and on the Info page, under Account Settings, you'll see the litigation hold
comment.

Archiving: If an archive mailbox doesn't exist for the user, this feature is disabled. To enable an archive
mailbox, click Enable. If the user has an archive mailbox, the size of the archive mailbox and usage statistics
are displayed. Click Edit details to view and change the following archive mailbox settings:
Status: This read-only box indicates whether an archive mailbox exists.
Database: This read-only box shows the name of the mailbox database that hosts the archive
mailbox. This box isn't available in Exchange Online.
Name: Type the name of the archive mailbox in this box. This name is displayed under the folder list
in Outlook or Outlook Web App.
Archive quota (GB): This box shows the total size of the archive mailbox. To change the size, type a
new value in the box or select a value from the drop-down list.
Issue warning at (GB): This box shows the maximum storage limit for the archive mailbox before a
warning is issued to the user. If the archive mailbox size reaches or exceeds the value specified,
Exchange sends a warning message to the user. To change this limit, type a new value in the box or
select a value from the drop-down list.

NOTE
The archive quota and the issue warning quota for the archive mailbox can't be changed in Exchange Online.

Delivery Options: Use to forward email messages sent to the user to another recipient and to set the
maximum number of recipients that the user can send a message to. Click View details to view and
change these settings.
Forwarding address: Select the Enable forwarding check box and then click Browse to display
the Select Mail User and Mailbox page. Use this page to select a recipient to whom you want to
forward all email messages that are sent to this mailbox.
Deliver message to both forwarding address and mailbox: Select this check box so that
messages will be delivered to both the forwarding address and the user's mailbox.
Recipient limit: This setting controls the maximum number of recipients the user can send a
message to. Select the Maximum recipients check box to limit the number of recipients allowed in
the To:, Cc:, and Bcc: boxes of an email message and then specify the maximum number of recipients.

NOTE
For on-premises Exchange organizations, the recipient limit is unlimited. For Exchange Online organizations,
the limit is 500 recipients.

Message Size Restrictions: These settings control the size of messages that the user can send and receive.
Click View details to view and change maximum size for sent and received messages.

NOTE
These settings can't be changed in Exchange Online.

Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this user. Click
View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders in
the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Member Of

Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or more
dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they are used.
MailTip

Use the MailTip section to add a MailTip to alert users of potential issues if they send a message to this recipient.
A MailTip is text that is displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc boxes of a new
email message.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Mailbox Delegation

Use the Mailbox Delegation section to assign permissions to other users (also called delegates) to allow them to
sign in to the user's mailbox or send messages on behalf of the user. You can assign the following permissions:
Send As: This permission allows users other than the mailbox owner to use the mailbox to send messages.
After this permission is assigned to a delegate, any message that a delegate sends from this mailbox will
appear as if it was sent by the mailbox owner. However, this permission doesn't allow a delegate to sign in
to the user's mailbox.
Send on Behalf Of: This permission also allows a delegate to use this mailbox to send messages.
However, after this permission is assigned to a delegate, the From: address in any message sent by the
delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
Full Access: This permission allows a delegate to sign in to the user's mailbox and view the contents of the
mailbox. However, after this permission is assigned to a delegate, the delegate can't send messages from
the mailbox. To allow a delegate to send email from the user's mailbox, you still have to assign the delegate
the Send As or the Send on Behalf Of permission.
To assign permissions to delegates, click Add under the appropriate permission to display a page that displays a
list of all recipients in your Exchange organization that can be assigned the permission. Select the recipients you
want, add them to the list, and then click OK. You can also search for a specific recipient by typing the recipient's
name in the search box and then clicking Search.
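
Because Full Access alone doesn't let a delegate send mail, a delegate's effective capability depends on how the three permissions combine. The following added example (not part of the original documentation) merges the three permission sources into one row per mailbox and delegate and flags delegates who can both open a mailbox and send as its owner. Get-DelegateSummary is a hypothetical helper, the sample records are constructed, and the example assumes each mailbox and delegate is identified by the same string in all three inputs.

```powershell
# Added example. Get-DelegateSummary is a hypothetical helper, not an Exchange cmdlet.
function Get-DelegateSummary {
    [CmdletBinding()]
    param(
        [object[]] $MailboxPermission   = @(),  # shaped like Get-MailboxPermission output
        [object[]] $RecipientPermission = @(),  # shaped like Get-RecipientPermission output
        [object[]] $Mailbox             = @()   # shaped like Get-Mailbox output
    )

    # Flatten every explicit allow entry into (Mailbox, Delegate, Right).
    # AccessRights may arrive as a collection or as one comma-separated string,
    # and booleans may arrive as strings, so both are compared as text.
    $grants = @(
        foreach ($p in $MailboxPermission) {
            if (("$($p.Deny)" -eq 'True') -or ("$($p.IsInherited)" -eq 'True')) { continue }
            if (("$($p.AccessRights)" -split '[,\s]+') -contains 'FullAccess') {
                [pscustomobject]@{ Mailbox = "$($p.Identity)"; Delegate = "$($p.User)"; Right = 'FullAccess' }
            }
        }
        foreach ($p in $RecipientPermission) {
            if (("$($p.AccessControlType)" -eq 'Deny') -or ("$($p.IsInherited)" -eq 'True')) { continue }
            if (("$($p.AccessRights)" -split '[,\s]+') -contains 'SendAs') {
                [pscustomobject]@{ Mailbox = "$($p.Identity)"; Delegate = "$($p.Trustee)"; Right = 'SendAs' }
            }
        }
        foreach ($m in $Mailbox) {
            foreach ($d in @($m.GrantSendOnBehalfTo)) {
                if ($d) {
                    [pscustomobject]@{ Mailbox = "$($m.Identity)"; Delegate = "$d"; Right = 'SendOnBehalf' }
                }
            }
        }
    )

    # The owner's own entry is not a delegation.
    $grants | Where-Object { $_.Delegate -ne 'NT AUTHORITY\SELF' } |
        Group-Object -Property Mailbox, Delegate | ForEach-Object {
            $rights  = @($_.Group | ForEach-Object { $_.Right } | Sort-Object -Unique)
            $canOpen = $rights -contains 'FullAccess'
            $sendAs  = $rights -contains 'SendAs'
            $behalf  = $rights -contains 'SendOnBehalf'

            if ($sendAs)     { $sending = 'as the owner' }
            elseif ($behalf) { $sending = 'on behalf of the owner' }
            else             { $sending = 'cannot send' }

            [pscustomobject]@{
                Mailbox            = $_.Group[0].Mailbox
                Delegate           = $_.Group[0].Delegate
                Rights             = $rights -join '+'
                CanOpenMailbox     = $canOpen
                Sending            = $sending
                ReadAndImpersonate = ($canOpen -and $sendAs)
            }
        }
}

# Constructed sample records (names borrowed from the Kari/Chris/Kate example above).
$mbxPerm = @(
    [pscustomobject]@{ Identity = 'Kari'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Kari'; User = 'chris@contoso.com'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Kari'; User = 'kate@contoso.com';  AccessRights = 'FullAccess';    IsInherited = $false; Deny = $false }
)
$rcpPerm = @(
    [pscustomobject]@{ Identity = 'Kari'; Trustee = 'kate@contoso.com'; AccessRights = @('SendAs'); IsInherited = $false; AccessControlType = 'Allow' }
)
$mbx = @(
    [pscustomobject]@{ Identity = 'Kari'; GrantSendOnBehalfTo = @('chris@contoso.com') }
)

# Chris can open the mailbox and send on behalf of Kari.
# Kate can open the mailbox and send as Kari (ReadAndImpersonate = True).
Get-DelegateSummary -MailboxPermission $mbxPerm -RecipientPermission $rcpPerm -Mailbox $mbx |
    Format-Table -AutoSize

# In a connected session the inputs come from Get-Mailbox, Get-MailboxPermission and
# Get-RecipientPermission. Live output may name the same delegate differently in each
# cmdlet, so normalize the identifiers before merging.
```
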
Use Exchange Online PowerShell to change user mailbox properties
Use the Get-Mailbox and Set-Mailbox cmdlets to view and change properties for user mailboxes. One
advantage of using Exchange Online PowerShell is the ability to change the properties for multiple mailboxes. For
information about what parameters correspond to mailbox properties, see the following topics:
Get-Mailbox
Set-Mailbox
Here are some examples of using Exchange Online PowerShell to change user mailbox properties.
This example shows how to forward Pat Coleman's email messages to Sunil Koduri's (sunilk@contoso.com)
mailbox.

Set-Mailbox -Identity patc -DeliverToMailboxAndForward $true -ForwardingAddress sunilk@contoso.com
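
Forwarding set this way stays in effect until someone removes it, so it's worth reviewing periodically which mailboxes forward and where the mail goes. The following added example (not part of the original documentation) classifies each forwarding target as internal, external, or unresolved. Get-ForwardingFinding is a hypothetical helper, and the sample mailboxes, the example.net address, and the recipient-to-address map are constructed. ForwardingSmtpAddress is a second forwarding property of a mailbox that this topic doesn't otherwise cover.

```powershell
# Added example. Get-ForwardingFinding is a hypothetical helper, not an Exchange cmdlet.
function Get-ForwardingFinding {
    [CmdletBinding()]
    param(
        # Mailbox objects as returned by Get-Mailbox
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Mailbox,
        # Domains the organization owns, for example (Get-AcceptedDomain).DomainName
        [Parameter(Mandatory)] [string[]] $AcceptedDomain,
        # Assumption: map of ForwardingAddress value -> SMTP address of that recipient,
        # prepared beforehand (for example from Get-Recipient output).
        [hashtable] $RecipientSmtp = @{}
    )
    process {
        $targets = @()
        if ($Mailbox.ForwardingAddress) {
            # ForwardingAddress names a recipient object, so its address must be looked up.
            $name = [string]$Mailbox.ForwardingAddress
            $targets += [pscustomobject]@{ Via = 'ForwardingAddress'; Shown = $name; Smtp = [string]$RecipientSmtp[$name] }
        }
        if ($Mailbox.ForwardingSmtpAddress) {
            # ForwardingSmtpAddress holds the address itself, prefixed with "smtp:".
            $raw = [string]$Mailbox.ForwardingSmtpAddress
            $targets += [pscustomobject]@{ Via = 'ForwardingSmtpAddress'; Shown = $raw; Smtp = ($raw -replace '^smtp:', '') }
        }

        foreach ($t in $targets) {
            $domain = $null
            if ($t.Smtp -match '@([^@\s]+)$') { $domain = $Matches[1] }

            if (-not $domain) {
                $scope = 'Unresolved'        # target could not be mapped to an address
            } elseif ($AcceptedDomain -contains $domain) {
                $scope = 'Internal'
            } else {
                $scope = 'External'          # mail leaves the organization
            }

            [pscustomobject]@{
                Mailbox   = [string]$Mailbox.PrimarySmtpAddress
                Via       = $t.Via
                Target    = $t.Shown
                Scope     = $scope
                KeepsCopy = [bool]$Mailbox.DeliverToMailboxAndForward
                Review    = ($scope -ne 'Internal')
            }
        }
    }
}

# Constructed sample mailboxes. The first mirrors the Pat Coleman example above.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'patc@contoso.com';    ForwardingAddress = 'Sunil Koduri';    ForwardingSmtpAddress = $null;                    DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'walterh@contoso.com'; ForwardingAddress = $null;             ForwardingSmtpAddress = 'smtp:inbox@example.net'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'allieb@contoso.com';  ForwardingAddress = 'Partner Contact'; ForwardingSmtpAddress = $null;                    DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'john@contoso.com';    ForwardingAddress = $null;             ForwardingSmtpAddress = $null;                    DeliverToMailboxAndForward = $false }
)
$map = @{ 'Sunil Koduri' = 'sunilk@contoso.com' }

# patc -> Internal, walterh -> External (no copy kept), allieb -> Unresolved, john -> no row.
$sample | Get-ForwardingFinding -AcceptedDomain 'contoso.com' -RecipientSmtp $map |
    Format-Table -AutoSize

# In a connected session, pipe real mailboxes in instead of $sample:
#   Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} |
#       Get-ForwardingFinding -AcceptedDomain (Get-AcceptedDomain).DomainName -RecipientSmtp $map
```
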

This example uses the Get-Mailbox command to find all user mailboxes in the organization, and then uses the
Set-Mailbox command to set the recipient limit to 500 recipients allowed in the To:, Cc:, and Bcc: boxes of an
email message.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RecipientLimits 500

This example uses the Get-Mailbox command to find all the mailboxes in the Marketing organizational unit, and
then uses the Set-Mailbox command to configure these mailboxes. The custom warning, prohibit send, and
prohibit send and receive limits are set to 200 megabytes (MB), 250 MB, and 280 MB respectively, and the
mailbox database's default limits are ignored. This command can be used to configure a specific set of mailboxes
to have larger or smaller limits than other mailboxes in the organization.

Get-Mailbox -OrganizationalUnit "Marketing" | Set-Mailbox -IssueWarningQuota 209715200 -ProhibitSendQuota 262144000 -ProhibitSendReceiveQuota 293601280 -UseDatabaseQuotaDefaults $false

This example uses the Get-Mailbox cmdlet to find all users in the Customer Service department, and then uses
the Set-Mailbox cmdlet to change the maximum message size for sending messages to 2 MB.

Get-Mailbox -Filter "Department -eq 'Customer Service'" | Set-Mailbox -MaxSendSize 2097152

This example sets the MailTip translation in French and Chinese.

Set-Mailbox john@contoso.com -MailTipTranslations ("FR: C'est la langue française", "CHT: 這是漢語語言")

How do you know this worked?


To verify that you've successfully changed properties for a user mailbox, do the following:
In the EAC, select the mailbox and then click Edit to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the Details pane for the selected
mailbox.
In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using Exchange Online PowerShell is that you can view multiple properties for multiple mailboxes. In the
example above where the recipient limit was changed, run the following command to verify the new value.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Format-List Name,RecipientLimits

For the example above where the message limits were changed, run this command.

Get-Mailbox -OrganizationalUnit "Marketing" | Format-List Name,IssueWarningQuota,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults

Bulk edit user mailboxes


You can use the EAC to change the properties for multiple user mailboxes. When you select two or more user
mailboxes from the mailbox list in the EAC, the properties that can be bulk edited are displayed in the Details
pane. When you change one of these properties, the change is applied to all selected mailboxes.
Here's a list of the user mailbox properties and features that can be bulk edited. Note that not all properties in
each area are available to be changed.
Contact Information: Change shared properties such as street, postal code, and city name.
Organization: Change shared properties such as department name, company name, and the manager that
the selected users report to.
Custom attributes: Change or add values for custom attributes 1 - 15.
Mailbox quota: Change the mailbox quota values and the retention period for deleted items. This isn't
available in Exchange Online.
Email connectivity: Enable or disable Outlook Web App, POP3, IMAP, MAPI, and Exchange ActiveSync.
Archive: Enable or disable the archive mailbox.
Retention policy, role assignment policy, and sharing policy: Update the settings for each of these
mailbox features.
Move mailboxes to another database: Move the selected mailboxes to a different database.
Delegate permissions: Assign permissions to users or groups that allow them to open or send messages
from other mailboxes. You can assign Full, Send As and Send on Behalf permissions to users or groups.
Check out Manage permissions for recipients for more details.

NOTE
The estimated time to complete this task is 2 minutes, but may take longer if you change multiple properties or features.

Use the EAC to bulk edit user mailboxes


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of mailboxes, select two or more mailboxes.

TIP
You can select multiple adjacent mailboxes by holding down the Shift key and clicking the first mailbox, and then
clicking the last mailbox you want to edit. You can also select multiple non-adjacent mailboxes by holding down the
Ctrl key and clicking each mailbox that you want to edit.

3. In the Details pane, under Bulk Edit, select the mailbox properties or feature that you want to edit.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited user mailboxes, do one of the following:
In the EAC, select each of the mailboxes that you bulk edited and then click Edit to view the property or
feature that you changed.
In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using Exchange Online PowerShell is that you can view multiple properties for multiple mailboxes. For
example, say you used the bulk edit feature in the EAC to enable the archive mailbox and assign a retention
policy to all users in your organization. To verify these changes, you could run the following command:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Format-List Name,ArchiveDatabase,RetentionPolicy

For more information about the available parameters for the Get-Mailbox cmdlet, see Get-Mailbox.
Add or remove email addresses for a mailbox
3/4/2019 • 6 minutes to read

You can configure more than one email address for the same mailbox. The additional addresses are called proxy
addresses. A proxy address lets a user receive email that's sent to a different email address. Any email message
sent to the user's proxy address is delivered to their primary email address, which is also known as the primary
SMTP address or the default reply address.

IMPORTANT
If you're using Office 365 for business, you should add or remove email addresses for user mailboxes in the Add another
email alias for a user

For additional management tasks related to managing recipients, see the "Recipients documentation" table in
Recipients.

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
The procedures in this topic show how to add or remove email addresses for a user mailbox. You can use similar
procedures to add or remove email addresses for other recipient types.

Add an email address to a user mailbox


Use the EAC to add an email address
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to add an email address to, and then click Edit.
3. On the mailbox properties page, click Email Address.

NOTE
On the Email Address page, the primary SMTP address is displayed in bold text in the address list, with the
uppercase SMTP value in the Type column.

4. Click Add, and then click SMTP to add an SMTP email address to this mailbox.
NOTE
SMTP is the default email address type. You can also add Exchange Unified Messaging (EUM) addresses or custom
addresses to a mailbox. For more information, see "Change user mailbox properties" in the Manage user mailboxes
topic.

5. Type the new SMTP address in the Email address box, and then click OK.
The new address is displayed in the list of email addresses for the selected mailbox.
6. Click Save to save the change.
Use Exchange Online PowerShell to add an email address
The email addresses associated with a mailbox are contained in the EmailAddresses property for the mailbox.
Because it can contain more than one email address, the EmailAddresses property is known as a multivalued
property. The following examples show different ways to modify a multivalued property.
This example shows how to add an SMTP address to the mailbox of Dan Jump.

Set-Mailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com"}

This example shows how to add multiple SMTP addresses to a mailbox.

Set-Mailbox "Dan Jump" -EmailAddresses @{add="dan.jump@northamerica.contoso.com","danj@tailspintoys.com"}

For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
This example shows another way to add email addresses to a mailbox by specifying all addresses associated with
the mailbox. In this example, danj@tailspintoys.com is the new email address that you want to add. The other two
email addresses are existing addresses. The address with the case-sensitive qualifier SMTP is the primary SMTP
address. You have to include all email addresses for the mailbox when you use this command syntax. If you don't,
the addresses specified in the command will overwrite the existing addresses.

Set-Mailbox "Dan Jump" -EmailAddresses SMTP:dan.jump@contoso.com,dan.jump@northamerica.contoso.com,danj@tailspintoys.com

For detailed syntax and parameter information, see Set-Mailbox.


How do you know this worked?
To verify that you've successfully added an email address to a mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Email Address.
In the list of email addresses for the mailbox, verify that the new email address is included.
Or
Run the following command in Exchange Online PowerShell.

Get-Mailbox <identity> | Format-List EmailAddresses


Verify that the new email address is included in the results.

Remove an email address from a user mailbox


Use the EAC to remove an email address
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to remove an email address from, and then click
Edit.
3. On the mailbox properties page, click Email Address.
4. In the list of email addresses, select the address you want to remove, and then click Remove.
5. Click Save to save the change.
Use Exchange Online PowerShell to remove an email address
This example shows how to remove an email address from the mailbox of Janet Schorr.

Set-Mailbox "Janet Schorr" -EmailAddresses @{remove="janets@corp.contoso.com"}

This example shows how to remove multiple addresses from a mailbox.

Set-Mailbox "Janet Schorr" -EmailAddresses @{remove="janet.schorr@corp.contoso.com","janets@tailspintoys.com"}

For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
You can also remove an email address by omitting it from the command to set email addresses for a mailbox. For
example, let's say Janet Schorr's mailbox has three email addresses: janets@contoso.com (the primary SMTP
address), janets@corp.contoso.com, and janets@tailspintoys.com. To remove the address
janets@corp.contoso.com, you would run the following command.

Set-Mailbox "Janet Schorr" -EmailAddresses SMTP:janets@contoso.com,janets@tailspintoys.com

Because janets@corp.contoso.com was omitted in the previous command, it's removed from the mailbox.
For detailed syntax and parameter information, see Set-Mailbox.
How do you know this worked?
To verify that you've successfully removed an email address from a mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Email Address.
In the list of email addresses for the mailbox, verify that the email address isn't included.
Or
Run the following command in Exchange Online PowerShell.

Get-Mailbox <identity> | Format-List EmailAddresses

Verify that the email address isn't included in the results.


Use Exchange Online PowerShell to add email addresses to multiple
mailboxes
You can add a new email address to multiple mailboxes at one time by using Exchange Online PowerShell and a
comma separated values (CSV) file.
This example imports data from C:\Users\Administrator\Desktop\AddEmailAddress.csv, which has the following
format.

Mailbox,NewEmailAddress
Dan Jump,danj@northamerica.contoso.com
David Pelton,davidp@northamerica.contoso.com
Kim Akers,kima@northamerica.contoso.com
Janet Schorr,janets@northamerica.contoso.com
Jeffrey Zeng,jeffreyz@northamerica.contoso.com
Spencer Low,spencerl@northamerica.contoso.com
Toni Poe,tonip@northamerica.contoso.com
...

Run the following command to use the data in the CSV file to add the email address to each mailbox specified in
the CSV file.

Import-CSV "C:\Users\Administrator\Desktop\AddEmailAddress.csv" | ForEach {Set-Mailbox $_.Mailbox -EmailAddresses @{add=$_.NewEmailAddress}}

NOTE
The column names in the first row of this CSV file ( Mailbox,NewEmailAddress ) are arbitrary. Whatever you use for column
names, make sure you use the same column names in the Exchange Online PowerShell command.

How do you know this worked?


To verify that you've successfully added an email address to multiple mailboxes, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click a mailbox that you added the address to, and then
click Edit.
On the mailbox properties page, click Email Address.
In the list of email addresses for the mailbox, verify that the new email address is included.
Or
Run the following command in Exchange Online PowerShell, using the same CSV file that you used to add
the new email address.

Import-CSV "C:\Users\Administrator\Desktop\AddEmailAddress.csv" | ForEach {Get-Mailbox $_.Mailbox | Format-List Name,EmailAddresses}

Verify that the new email address is included in the results for each mailbox.
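
A pre-flight check for the bulk procedure above, as an added example rather than code from the original documentation: it validates every CSV row before any mailbox is changed, because each address you add becomes a proxy address that receives mail for that mailbox. The function name Test-NewAddressRow, its -AllowedDomain parameter and the sample rows are assumptions made for illustration.

```powershell
# Added example (not from the original documentation).
# Test-NewAddressRow and -AllowedDomain are hypothetical names.
function Test-NewAddressRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Row,

        # Domains that new proxy addresses are expected to use.
        [Parameter(Mandatory)]
        [string[]]$AllowedDomain
    )
    begin { $seen = @{} }   # address -> mailbox that claimed it first in this file
    process {
        $mailbox = ([string]$Row.Mailbox).Trim()
        $address = ([string]$Row.NewEmailAddress).Trim()
        $key     = $address.ToLowerInvariant()
        $problem = $null

        if (-not $mailbox) {
            $problem = 'Mailbox column is empty'
        }
        elseif ($address -notmatch '^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$') {
            $problem = 'Not a single well-formed SMTP address'
        }
        elseif ($AllowedDomain -notcontains $address.Split('@')[1]) {
            $problem = 'Domain is not in the allowed list'
        }
        elseif ($seen.ContainsKey($key)) {
            $problem = "Address already assigned to '$($seen[$key])' in this file"
        }
        else {
            $seen[$key] = $mailbox
        }

        [pscustomobject]@{
            Mailbox         = $mailbox
            NewEmailAddress = $address
            Valid           = -not $problem
            Problem         = $problem
        }
    }
}

# Constructed sample rows in the page's CSV format; the last three are deliberately bad.
$rows = @'
Mailbox,NewEmailAddress
Dan Jump,danj@northamerica.contoso.com
Kim Akers,kima@northamerica.contoso.com
Toni Poe,tonip@northamerica.contoso.com;tonip@example.net
Spencer Low,spencerl@example.net
David Pelton,DanJ@northamerica.contoso.com
'@ | ConvertFrom-Csv

$checked = $rows | Test-NewAddressRow -AllowedDomain 'northamerica.contoso.com'
$checked | Format-Table -AutoSize

# Apply only when every row passed and an Exchange Online session is loaded.
$bad = @($checked | Where-Object { -not $_.Valid })
if ($bad.Count -eq 0 -and (Get-Command Set-Mailbox -ErrorAction SilentlyContinue)) {
    foreach ($row in $checked) {
        # Skip addresses that some recipient already owns.
        if (Get-Recipient -Identity $row.NewEmailAddress -ErrorAction SilentlyContinue) {
            Write-Warning "$($row.NewEmailAddress) is already in use; skipped"
            continue
        }
        Set-Mailbox $row.Mailbox -EmailAddresses @{add = $row.NewEmailAddress}
    }
}
```

With the sample rows the script stops after the report, because three rows fail validation; replace the here-string with Import-CSV on your own file to use it.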

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Change how long permanently deleted items are
kept for an Exchange Online mailbox
3/4/2019 • 3 minutes to read

If you've permanently deleted an item in Microsoft Outlook or Outlook on the web (formerly known as Outlook
Web App), the item is moved to a folder ( Recoverable Items > Deletions) and kept there for 14 days, by
default. You can change how long items are kept, up to a maximum of 30 days.

NOTE
You must use Exchange Online PowerShell to make the change. Unfortunately, you can't currently do this directly in
Outlook or Outlook on the web.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.
If you want to place a mailbox on In-Place Hold and Litigation Hold so the retention limit is ignored, make
sure the mailbox has an Exchange Online (Plan 2) user license.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to use Windows
PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Change how long permanently deleted items are kept


In these examples, we increase the retention period to 30 days, the maximum for Exchange Online mailboxes. But
you can set the number to whatever you like, up to that limit.
Example 1: Set Emily Maier's mailbox to keep deleted items for 30 days. In Exchange Online PowerShell, run the
following command.

Set-Mailbox -Identity "Emily Maier" -RetainDeletedItemsFor 30

Example 2: Set all user mailboxes in the organization to keep deleted items for 30 days. In Exchange Online
PowerShell, run the following command.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -RetainDeletedItemsFor 30

Need more details about using these commands? See Exchange Online PowerShell Help topic Set-Mailbox.

TIP
Need to keep deleted items for longer than 30 days? To do this, place the mailbox on In-Place Hold or Litigation Hold. This
works because when a mailbox is placed on hold, deleted items are kept and retention settings for deleted items are ignored.
See In-Place Hold and Litigation Hold.

Check to be sure the value is changed


To check for one mailbox, run the following command:

Get-Mailbox <Name> | Format-List RetainDeletedItemsFor

Or to check for all mailboxes, run the following command:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Format-List Name,RetainDeletedItemsFor

More about deleted items and retention time


When a user permanently deletes a mailbox item (such as an email message, a contact, a calendar appointment, or
a task) in Microsoft Outlook and Outlook Web App, the item is moved to the Recoverable Items folder, and into
a subfolder named Deletions.
A mailbox item is deleted and moved to the Recoverable Items folder when a user does one of the following:
Deletes an item from the Deleted Items folder
Empties the Deleted Items folder
Permanently deletes an item by selecting it and pressing Shift+Delete
How long deleted items are kept in the Deletions folder depends on the deleted item retention period that is set
for the mailbox. An Exchange Online mailbox keeps deleted items for 14 days, by default. Use Exchange Online
PowerShell, as shown above, to change this setting, to increase the period up to a maximum of 30 days.
Users can recover, or purge, deleted items before the retention time for a deleted item expires. To do so, they use
the Recover Deleted Items feature in Outlook or Outlook on the web. See the following topics for Outlook or
for Outlook Web App.
Additional help:
If a user purges a deleted item, you can recover it before the deleted item retention period expires. For
details, see Recover deleted messages in a user's mailbox.
To learn more about deleted item retention, the Recoverable Items folder, In-Place Hold, and Litigation
Hold, see Understanding Recoverable Items.
Configure email forwarding for a mailbox
3/4/2019 • 2 minutes to read

Email forwarding lets you set up a mailbox to forward email messages sent to that mailbox to another user's
mailbox in or outside of your organization.

IMPORTANT
If you're using Office 365 for business, you should configure email forwarding in the Office 365 admin center: Configure
email forwarding in Office 365

If your organization uses an on-premises Exchange or hybrid Exchange environment, you should use the
on-premises Exchange admin center (EAC) to create and manage shared mailboxes.

Use the Exchange admin center to configure email forwarding


You can use the Exchange admin center (EAC) to set up email forwarding to a single internal recipient, a single
external recipient (using a mail contact), or multiple recipients (using a distribution group).
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" entry in the Recipients Permissions topic.
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click or tap the mailbox that you want to configure mail forwarding for, and
then click or tap Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Mail Flow, select View details to view or change the setting for forwarding email messages.
On this page, you can set the maximum number of recipients that the user can send a message to. For on-
premises Exchange organizations, the recipient limit is unlimited. For Exchange Online organizations, the
limit is 500 recipients.
5. Check the Enable forwarding check box, and then click or tap Browse.
6. On the Select Recipient page, select a user you want to forward all email to. Select the Deliver message
to both forwarding address and mailbox check box if you want both the recipient and the forwarding
email address to get copies of the emails sent. Click or tap OK, and then click or tap Save.
What if you want to forward mail to an address outside your organization? Or forward mail to multiple recipients?
You can do that, too!
External addresses: Create a mail contact and then, in the steps above, select the mail contact on the
Select Recipient page. Need to know how to create a mail contact? Check out Manage mail contacts.
Multiple recipients: Create a distribution group, add recipients to it, and then in the steps above, select the
mail contact on the Select Recipient page. Need to know how to create a mail contact? Check out Create
and manage distribution groups.

How do you know this worked?


To make sure that you've successfully configured email forwarding, do one of the following:
1. In the EAC, go to Recipients > Mailboxes.
2. In the list of user mailboxes, click or tap the mailbox that you configured email forwarding for, and then click
Edit.
3. On the mailbox properties page, click or tap Mailbox Features.
4. Under Mail Flow, click or tap View details to view the mail forwarding settings.
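
To review forwarding across many mailboxes rather than one at a time in the EAC, the following added example (not part of the original documentation) reports every mailbox that forwards mail and whether the target lies outside your domains. Get-ForwardingFinding, its -AcceptedDomain parameter and the sample objects are assumptions; ForwardingAddress, ForwardingSmtpAddress and DeliverToMailboxAndForward are properties returned by Get-Mailbox.

```powershell
# Added example (not from the original documentation).
# Get-ForwardingFinding and -AcceptedDomain are hypothetical names.
function Get-ForwardingFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,

        # Domains that count as "inside" the organization.
        [Parameter(Mandatory)]
        [string[]]$AcceptedDomain
    )
    process {
        # ForwardingAddress holds a recipient (user, mail contact or group);
        # ForwardingSmtpAddress holds a raw SMTP address.
        $recipient = [string]$Mailbox.ForwardingAddress
        $smtp      = [string]$Mailbox.ForwardingSmtpAddress -replace '^smtp:', ''
        if (-not $recipient -and -not $smtp) { return }   # no forwarding set

        if ($smtp) {
            $kind     = 'SmtpAddress'
            $target   = $smtp
            $external = $AcceptedDomain -notcontains $smtp.Split('@')[-1]
        }
        else {
            $kind     = 'Recipient'
            $target   = $recipient
            $external = $null   # unknown until the recipient type is resolved
        }

        [pscustomobject]@{
            Name           = $Mailbox.Name
            TargetKind     = $kind
            Target         = $target
            External       = $external
            KeepsLocalCopy = [bool]$Mailbox.DeliverToMailboxAndForward
        }
    }
}

# Constructed sample objects shaped like Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ Name = 'Robin Wood';   ForwardingAddress = $null
                       ForwardingSmtpAddress = $null
                       DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ Name = 'Dan Jump';     ForwardingAddress = 'Kim Akers'
                       ForwardingSmtpAddress = $null
                       DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ Name = 'Janet Schorr'; ForwardingAddress = $null
                       ForwardingSmtpAddress = 'smtp:janets@example.net'
                       DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ Name = 'Toni Poe';     ForwardingAddress = $null
                       ForwardingSmtpAddress = 'smtp:tonip@northamerica.contoso.com'
                       DeliverToMailboxAndForward = $true }
)
$sample |
    Get-ForwardingFinding -AcceptedDomain 'contoso.com', 'northamerica.contoso.com' |
    Format-Table -AutoSize

# With an Exchange Online session loaded, run the same check on live data.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $domains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
    Get-Mailbox -ResultSize unlimited |
        Get-ForwardingFinding -AcceptedDomain $domains |
        ForEach-Object {
            if ($_.TargetKind -eq 'Recipient') {
                # A mail contact is how the page forwards to an outside address.
                $r = Get-Recipient -Identity $_.Target -ErrorAction SilentlyContinue
                if ($r) { $_.External = ($r.RecipientType -eq 'MailContact') }
            }
            $_
        } | Format-Table -AutoSize
}
```

Rows where External is True and KeepsLocalCopy is False deserve the closest review, since mail leaves the organization without a copy staying in the mailbox. A distribution group target can itself contain mail contacts, so check its members separately.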

Additional information
This topic is for admins. If you want to forward your own email to another recipient, check out the following topics:
Forward email to another email account
Manage email messages by using rules
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
Configure message delivery restrictions for a mailbox
3/4/2019 • 5 minutes to read

You can use the EAC or Exchange Online PowerShell to place restrictions on whether messages are delivered to
individual recipients. Message delivery restrictions are useful to control who can send messages to users in your
organization. For example, you can configure a mailbox to accept or reject messages sent by specific users or to
accept messages only from users in your Exchange organization.

IMPORTANT
Message delivery restrictions do not impact mailbox permissions. A user with Full Access permissions on a mailbox will still be
able to update the contents in that mailbox, such as by copying messages into the mailbox, even if that user has been
restricted.

The message delivery restrictions covered in this topic apply to all recipient types. To learn more about the
different recipient types, see Recipients.
For additional management tasks related to recipients, see the following topics:
Manage user mailboxes
Create and manage distribution groups
Manage dynamic distribution groups
Manage mail users
Manage mail contacts

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure message delivery restrictions


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to configure message delivery restrictions for,
and then click Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Message Delivery Restrictions, click View details to view and change the following delivery
restrictions:
Accept messages from: Use this section to specify who can send messages to this user.
All senders: This option specifies that the user can accept messages from all senders. This includes both
senders in your Exchange organization and external senders. This is the default option. It includes external
users only if you clear the Require that all senders are authenticated check box. If you select this check
box, messages from external users will be rejected.
Only senders in the following list: This option specifies that the user can accept messages only from a
specified set of senders in your Exchange organization. Click Add to display a list of all recipients in your
Exchange organization. Select the recipients you want, add them to the list, and then click OK. You can also
search for a specific recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: This option prevents anonymous users from sending
messages to the user. This includes external users that are outside of your Exchange organization.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: This option specifies that the mailbox won't reject messages from any senders in the Exchange
organization. This is the default option.
Senders in the following list: This option specifies that the mailbox will reject messages from a specified
set of senders in your Exchange organization. Click Add to display a list of all recipients in your Exchange
organization. Select the recipients you want, add them to the list, and then click OK. You can also search for
a specific recipient by typing the recipient's name in the search box and then clicking Search.
5. Click OK to close the Message Delivery Restrictions page, and then click Save to save your changes.

Use Exchange Online PowerShell to configure message delivery restrictions
The following examples show how to use Exchange Online PowerShell to configure message delivery restrictions
for a mailbox. For other recipient types, use the corresponding Set- cmdlet with the same parameters.
This example configures the mailbox of Robin Wood to accept messages only from the users Lori Penor, Jeff
Phillips, and members of the distribution group Legal Team 1.

Set-Mailbox -Identity "Robin Wood" -AcceptMessagesOnlyFrom "Lori Penor","Jeff Phillips" -AcceptMessagesOnlyFromDLMembers "Legal Team 1"

NOTE
If you're configuring a mailbox to accept messages only from individual senders, you have to use the
AcceptMessagesOnlyFrom parameter. If you're configuring a mailbox to accept messages only from senders that are
members of a specific distribution group, use the AcceptMessagesOnlyFromDLMembers parameter.

This example adds the user named David Pelton to the list of users whose messages will be accepted by the
mailbox of Robin Wood.

Set-Mailbox -Identity "Robin Wood" -AcceptMessagesOnlyFrom @{add="David Pelton"}

This example configures the mailbox of Robin Wood to require all senders to be authenticated. This means the
mailbox will only accept messages sent by other users in your Exchange organization.
Set-Mailbox -Identity "Robin Wood" -RequireSenderAuthenticationEnabled $true

This example configures the mailbox of Robin Wood to reject messages from the users Joe Healy, Terry Adams,
and members of the distribution group Legal Team 2.

Set-Mailbox -Identity "Robin Wood" -RejectMessagesFrom "Joe Healy","Terry Adams" -RejectMessagesFromDLMembers "Legal Team 2"

This example configures the mailbox of Robin Wood to also reject messages sent by members of the group Legal
Team 3.

Set-Mailbox -Identity "Robin Wood" -RejectMessagesFromDLMembers @{add="Legal Team 3"}

NOTE
If you're configuring a mailbox to reject messages from individual senders, you have to use the RejectMessagesFrom
parameter. If you're configuring a mailbox to reject messages from senders that are members of a specific distribution group,
use the RejectMessagesFromDLMembers parameter.

For detailed syntax and parameter information related to configuring delivery restrictions for different types of
recipients, see the following topics:
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Mailbox
Set-MailContact
Set-MailUser

How do you know this worked?


To verify that you've successfully configured message delivery restrictions for a user mailbox, do one of the following:
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to verify the message delivery restrictions for,
and then click Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Message Delivery Restrictions, click View details to verify the delivery restrictions for the
mailbox.
Or
Run the following command in Exchange Online PowerShell.

Get-Mailbox <identity> | Format-List AcceptMessagesOnlyFrom,AcceptMessagesOnlyFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,RequireSenderAuthenticationEnabled
Convert a mailbox
3/28/2019 • 2 minutes to read

Converting a mailbox to a different type of mailbox is very similar to the experience in earlier versions of Exchange.
You must still use the Set-Mailbox cmdlet in Exchange Online PowerShell to do the conversion.
You can convert the following mailboxes from one type to another:
User mailbox to resource (room or equipment) mailbox
Shared mailbox to user mailbox
Shared mailbox to resource mailbox
Resource mailbox to user mailbox
Resource mailbox to shared mailbox
Note that if your organization uses a hybrid Exchange environment, you need to manage your mailboxes by using
the on-premises Exchange management tools. To convert a mailbox in a hybrid environment, you might need to
move the mailbox back to on-premises Exchange, convert the mailbox type, and then move it back to Office 365.

IMPORTANT
If you are converting a user mailbox to a shared mailbox, you should either remove any mobile devices from the mailbox
before the conversion, or you should block mobile access to the mailbox after the conversion. This is because once the
mailbox is converted to a shared mailbox, mobile functionality will not work properly. Additionally, if you are trying to prevent
access to the converted mailbox, you might have to reset the password. For more information on blocking access, see
Remove a former employee from Office 365.

Use Exchange Online PowerShell to convert a mailbox


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions topic.
This example converts the shared mailbox MarketingDept1 to a user mailbox.

Set-Mailbox MarketingDept1 -Type Regular

You can use the following values for the Type parameter:
Regular
Room
Equipment
Shared
For detailed syntax and parameter information, see Set-Mailbox.

How do you know this worked?


To verify that you have successfully converted the mailbox, run the following command in Exchange Online
PowerShell:

Get-Mailbox -Identity MarketingDept1 | Format-List RecipientTypeDetails

The value for RecipientTypeDetails should be UserMailbox .


For detailed syntax and parameter information, see Get-Mailbox.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Enable or disable Exchange ActiveSync for a mailbox
3/29/2019 • 2 minutes to read

You can use the EAC or Exchange Online PowerShell to enable or disable Microsoft Exchange ActiveSync for a user
mailbox. Exchange ActiveSync is a client protocol that lets users synchronize a mobile device with their Exchange
mailbox. Exchange ActiveSync is enabled by default when a user mailbox is created. To learn more, see Exchange
ActiveSync.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Exchange ActiveSync settings" entry in the Clients and Mobile Devices
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable Exchange ActiveSync


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to enable or disable Exchange ActiveSync for,
and then click Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Mobile Devices, do one of the following:
To disable Exchange ActiveSync click Disable Exchange ActiveSync.
A warning appears asking if you're sure you want to disable Exchange ActiveSync. Click Yes.
To enable Exchange ActiveSync, click Enable Exchange ActiveSync.
5. Click Save to save your change.

NOTE
You can enable and disable Exchange ActiveSync for multiple user mailboxes by using the EAC bulk edit feature. For more
information about how to do this, see the "Bulk edit user mailboxes" section in Manage user mailboxes.

Use Exchange Online PowerShell to enable or disable Exchange ActiveSync
This example disables Exchange ActiveSync for the mailbox of Yan Li.
Set-CASMailbox -Identity "Yan Li" -ActiveSyncEnabled $false

This example enables Exchange ActiveSync for the mailbox of Elly Nkya.

Set-CASMailbox -Identity Ellyn@contoso.com -ActiveSyncEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?


To verify that you've successfully enabled or disabled Exchange ActiveSync for a user mailbox, do one of the
following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Mailbox Features.
Under Mobile Devices, verify whether Exchange ActiveSync is enabled or disabled.
Or
Run the following command in Exchange Online PowerShell.

Get-CASMailbox <identity>

If Exchange ActiveSync is enabled, the value for the ActiveSyncEnabled property is True . If Exchange
ActiveSync is disabled, the value is False .
Enable or disable MAPI for a mailbox
3/29/2019 • 2 minutes to read

You can use the Exchange admin center or Exchange Online PowerShell to enable or disable MAPI for a user
mailbox. When MAPI is enabled, a user's mailbox can be accessed by Outlook or other MAPI email clients. When
MAPI is disabled, it can't be accessed by Outlook or other MAPI clients. However, the mailbox will continue to
receive email messages, and, assuming that the mailbox is enabled to support access by those clients, a user can
access the mailbox to send and receive email by using Outlook Web App, a POP email client, or an IMAP client.

NOTE
Support for Outlook Web App and MAPI, POP3, and IMAP4 email clients is enabled by default when a user mailbox is
created.

For additional management tasks related to managing email client access to a mailbox, see the following topics:
Enable or disable Outlook Web App for a mailbox
Enable or Disable IMAP4 Access for a User
Enable or Disable POP3 Access for a User

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access user settings" entry in the Clients and Mobile Devices
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable MAPI


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to enable or disable MAPI for, and then click Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Email Connectivity, do one of the following.
To disable MAPI, under MAPI: Enabled, click Disable.
A warning appears asking if you're sure you want to disable MAPI. Click Yes.
To enable MAPI, under MAPI: Disabled, click Enable.
5. Click Save to save your change.

Use Exchange Online PowerShell to enable or disable MAPI


This example disables MAPI for the mailbox of Ken Sanchez.

Set-CASMailbox -Identity "Ken Sanchez" -MAPIEnabled $false

This example enables MAPI for the mailbox of Esther Valle.

Set-CASMailbox -Identity "Esther Valle" -MAPIEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?


To verify that you've successfully enabled or disabled MAPI for a user mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Mailbox Features.
Under Email Connectivity, verify whether MAPI is enabled or disabled.
Or
Run the following command in Exchange Online PowerShell.

Get-CASMailbox <identity>

If MAPI is enabled, the value for the MapiEnabled property is True . If MAPI is disabled, the value is False .
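
To check the ActiveSync and MAPI settings (and the related Outlook Web App setting) across all mailboxes instead of one identity at a time, the following added example, which is not from the original documentation, compares Get-CASMailbox output with a baseline and lists only the deviations. Get-ProtocolDeviation, the baseline values and the sample objects are assumptions for illustration; ActiveSyncEnabled, MAPIEnabled and OWAEnabled are Get-CASMailbox properties.

```powershell
# Added example (not from the original documentation).
# Get-ProtocolDeviation and the baseline values are hypothetical.
function Get-ProtocolDeviation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$CasMailbox,

        # Property name -> value you expect, for example ActiveSyncEnabled = $false.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Baseline
    )
    process {
        foreach ($setting in $Baseline.Keys) {
            $actual   = [bool]$CasMailbox.$setting
            $expected = [bool]$Baseline[$setting]
            if ($actual -ne $expected) {
                [pscustomobject]@{
                    Name     = $CasMailbox.Name
                    Setting  = $setting
                    Expected = $expected
                    Actual   = $actual
                }
            }
        }
    }
}

# Assumed policy for this illustration: no ActiveSync, MAPI and Outlook Web App allowed.
$baseline = [ordered]@{
    ActiveSyncEnabled = $false
    MAPIEnabled       = $true
    OWAEnabled        = $true
}

# Constructed sample objects shaped like Get-CASMailbox output.
$sample = @(
    [pscustomobject]@{ Name = 'Yan Li';       ActiveSyncEnabled = $false
                       MAPIEnabled = $true;   OWAEnabled = $true }
    [pscustomobject]@{ Name = 'Elly Nkya';    ActiveSyncEnabled = $true
                       MAPIEnabled = $true;   OWAEnabled = $true }
    [pscustomobject]@{ Name = 'Ken Sanchez';  ActiveSyncEnabled = $true
                       MAPIEnabled = $false;  OWAEnabled = $true }
)

$deviations = @($sample | Get-ProtocolDeviation -Baseline $baseline)
$deviations | Format-Table -AutoSize

# Summary: how many mailboxes deviate per setting.
$deviations | Group-Object Setting | Select-Object Name, Count | Format-Table -AutoSize

# With an Exchange Online session loaded, run the same comparison on live data.
if (Get-Command Get-CASMailbox -ErrorAction SilentlyContinue) {
    Get-CASMailbox -ResultSize unlimited |
        Get-ProtocolDeviation -Baseline $baseline |
        Sort-Object Setting, Name |
        Format-Table -AutoSize
}
```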
Enable or disable Outlook Web App for a mailbox
3/29/2019 • 2 minutes to read

You can use the EAC or Exchange Online PowerShell to enable or disable Outlook Web App for a user mailbox.
When Outlook Web App is enabled, a user can use Outlook Web App to send and receive email. When Outlook
Web App is disabled, the mailbox will continue to receive email messages, and a user can access it to send and
receive email by using a MAPI client, such as Microsoft Outlook, or with a POP or IMAP email client, assuming
that the mailbox is enabled to support access by those clients.

NOTE
Support for Outlook Web App and MAPI, POP3, and IMAP4 email clients is enabled by default when a user mailbox is
created.

For additional management tasks related to managing email client access to a mailbox, see the following topics:
Enable or disable MAPI for a mailbox
Enable or Disable IMAP4 Access for a User
Enable or Disable POP3 Access for a User

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access user settings" entry in the Clients and Mobile Devices
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable Outlook Web App


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click the mailbox that you want to enable or disable Outlook Web App for, and
then click Edit.
3. On the mailbox properties page, click Mailbox Features.
4. Under Email Connectivity, do one of the following:
To disable Outlook Web App, under Outlook Web App: Enabled, click Disable.
A warning appears asking if you're sure you want to disable Outlook Web App. Click Yes.
To enable Outlook Web App, under Outlook Web App: Disabled, click Enable.
5. Click Save to save your change.

NOTE
You can enable and disable Outlook Web App for multiple user mailboxes by using the EAC bulk edit feature. For more
information about how to do this, see the "Bulk edit user mailboxes" section in Manage user mailboxes.

Use Exchange Online PowerShell to enable or disable Outlook Web App

This example disables Outlook Web App for the mailbox of Yan Li.

Set-CASMailbox -Identity "Yan Li" -OWAEnabled $false

This example enables Outlook Web App for the mailbox of Elly Nkya.

Set-CASMailbox -Identity Ellyn@contoso.com -OWAEnabled $true

For detailed syntax and parameter information, see Set-CASMailbox.

How do you know this worked?


To verify that you've successfully enabled or disabled Outlook Web App for a user mailbox, do one of the
following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit.
On the mailbox properties page, click Mailbox Features.
Under Email Connectivity, verify whether Outlook Web App is enabled or disabled.
Or
Run the following command in Exchange Online PowerShell.

Get-CASMailbox <identity>

If Outlook Web App is enabled, the value for the OWAEnabled property is True. If Outlook Web App is
disabled, the value is False.
Mailbox plans in Exchange Online
3/29/2019 • 6 minutes to read

A mailbox plan is a template that automatically configures mailbox properties in Exchange Online. Mailbox plans
correspond to Office 365 license types. When you assign a license to a new user, the corresponding mailbox plan is
used to configure the settings on the new mailbox that's created. If you change the license that's assigned to an
existing user, the settings in the mailbox plan that's associated with the new license are applied to the user's existing
mailbox.
The following table describes the mailbox plans that you're likely to see in Exchange Online.

| Subscription or license | Mailbox plan display name |
| --- | --- |
| Exchange Online Kiosk | ExchangeOnlineDeskless |
| Office 365 Enterprise E1, Exchange Online Plan 1 | ExchangeOnline |
| Office 365 Enterprise E3, Office 365 Enterprise E5, Exchange Online Plan 2 | ExchangeOnlineEnterprise |
| Office 365 Business Essentials | ExchangeOnlineEssentials |

Notes:
The availability of a mailbox plan in your organization is determined by your selection when you enroll in
Office 365. A subscription might contain multiple mailbox plans. A mailbox plan might not be available to
you based on your subscription or the age of your organization.
The name value of the mailbox plan is appended with -<GUID> (for example,
ExchangeOnlineEnterprise-44107b46-a8c4-4573-a7ba-bb004fde4d58).

For every mailbox plan (returned by the Get-MailboxPlan cmdlet), there's a corresponding Client Access services
(CAS) mailbox plan (returned by the Get-CasMailboxPlan cmdlet). The names and display names of the mailbox
plans and CAS mailbox plans are identical, and the relationship between them is unbreakable (both the mailbox
plan and the corresponding CAS mailbox plan are assigned to the mailbox when you license the user; you can't
assign just the mailbox plan or just the CAS mailbox plan separately).
The modifiable settings that are available in mailbox plans by using the Set-MailboxPlan cmdlet are described in
the following table:

| Setting | Default value | Description |
| --- | --- | --- |
| IssueWarningQuota | Varies by license. | The user receives a warning message when their mailbox reaches the specified size. For more information, see Capacity alerts. |
| MaxReceiveSize | Varies by license. | The maximum total message size that can be received by the mailbox. This value is roughly 33% larger than the actual message size to account for Base64 encoding. For more information, see Message limits across Office 365 options. |
| MaxSendSize | Varies by license. | The maximum total message size that can be sent from the mailbox. This value is roughly 33% larger than the actual message size to account for Base64 encoding. For more information, see Message limits across Office 365 options. |
| ProhibitSendQuota | Varies by license. | The user receives a warning message and they can't send messages when their mailbox reaches the specified size (which must be greater than the IssueWarningQuota value). For more information, see Capacity alerts. |
| ProhibitSendReceiveQuota | Varies by license. | The user receives a warning message and they can't send or receive messages when their mailbox reaches the specified size (which must be greater than the ProhibitSendQuota value). For more information, see Capacity alerts. |
| RetainDeletedItemsFor | 14.00:00:00 (14 days) | Depending on your subscription, you can change this value up to 30 days. For more information, see Change how long permanently deleted items are kept for an Exchange Online mailbox. |
| RetentionPolicy | Default MRM Policy | For more information, see Retention tags and retention policies in Exchange Online. |
| RoleAssignmentPolicy | Default Role Assignment Policy | Grants users permissions to their own mailbox and distribution groups. For more information, see Role assignment policies. |

The modifiable settings that are available in CAS mailbox plans by using the Set-CasMailboxPlan cmdlet are
described in the following table:

| Setting | Default value | Description |
| --- | --- | --- |
| ActiveSyncEnabled | True | Enables or disables Exchange ActiveSync (EAS) access to the mailbox. |
| ImapEnabled | Varies by license. | Enables or disables IMAP4 access to the mailbox. |
| OwaMailboxPolicy | OwaMailboxPolicy-Default | Configures the user's settings in Outlook on the web (formerly known as Outlook Web App). For more information about Outlook on the web mailbox policies, see Outlook on the web mailbox policies in Exchange Online. |
| PopEnabled | True | Enables or disables POP3 access to the mailbox. |

Modifying the settings of a mailbox plan won't update the settings of an existing mailbox that already has the
mailbox plan applied. To modify these settings on an existing mailbox, you can:
Modify the corresponding mailbox settings directly in the Exchange admin center (EAC) or in Exchange
Online PowerShell (the Set-Mailbox and Set-CasMailbox cmdlets).
Assign a different license to the user. The mailbox plan that corresponds to the new license will be applied to
the existing mailbox (the settings in the mailbox plan will be applied to the existing mailbox).

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox settings" entry in the Feature permissions in Exchange Online topic.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to view mailbox plans


These examples return a summary list of all mailbox plans:

Get-MailboxPlan

Get-CasMailboxPlan

These examples return the modifiable property values in all mailbox plans:

Get-MailboxPlan | Format-List DisplayName,IsDefault,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy

Get-CasMailboxPlan | Format-List DisplayName,ActiveSyncEnabled,ImapEnabled,PopEnabled,OwaMailboxPolicy

These examples return detailed information for the mailbox plan named ExchangeOnlineEnterprise.

Get-MailboxPlan -Identity ExchangeOnlineEnterprise | Format-List

Get-CasMailboxPlan -Identity ExchangeOnlineEnterprise | Format-List

This example returns the mailbox plan that's assigned to the user named Suk-Jae Yoo.

Get-Mailbox -Identity "Suk-Jae Yoo" | Format-List MailboxPlan

To return all mailboxes that had a specific mailbox plan applied:


1. Run the following command to find the distinguished name of the mailbox plan:

Get-MailboxPlan | Format-List DisplayName,DistinguishedName

2. Use the following syntax to return the mailboxes that have the mailbox plan assigned:

Get-Mailbox -ResultSize unlimited -Filter {MailboxPlan -eq '<MailboxPlanDistinguishedName>'}

This example returns the mailboxes that have the ExchangeOnline mailbox plan applied.

Get-Mailbox -ResultSize unlimited -Filter {MailboxPlan -eq 'CN=ExchangeOnline-93f46670-2ae7-4591-baa4-ee153e090945,OU=constoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR22B009,DC=PROD,DC=OUTLOOK,DC=COM'}

For detailed syntax and parameter information, see Get-MailboxPlan and Get-CasMailboxPlan.

Use Exchange Online PowerShell to specify the default mailbox plan


The default mailbox plan is used as the default template for new mailboxes that you create without a license
(because the license specifies the mailbox plan).
To specify the default mailbox plan, use the following syntax:

Set-MailboxPlan -Identity <MailboxPlanIdentity> -IsDefault

This example specifies the ExchangeOnline mailbox plan as the default.

Set-MailboxPlan -Identity ExchangeOnline -IsDefault

For detailed syntax and parameter information, see Set-MailboxPlan.


How do you know this worked?
To verify that you've successfully specified the default mailbox plan, use any of the following steps:
In Exchange Online PowerShell, run the following command to verify the property values:

Get-MailboxPlan | Format-Table DisplayName,IsDefault -Auto

Create a new mailbox without assigning a license as described in Create user mailboxes in Exchange Online.
Replace <MailboxIdentity> with the name, alias, account name, or email address of the mailbox, and run the
following command in Exchange Online PowerShell to verify the MailboxPlan property value:

Get-Mailbox -Identity <MailboxIdentity> | Format-List MailboxPlan

Use Exchange Online PowerShell to modify mailbox plans


To modify a mailbox plan, use the following syntax:

Set-MailboxPlan -Identity <MailboxPlanIdentity> [-MaxReceiveSize <Size>] [-MaxSendSize <Size>] [-IssueWarningQuota <Size>] [-ProhibitSendQuota <Size>] [-ProhibitSendReceiveQuota <Size>] [-RetainDeletedItemsFor <TimeSpan>] [-RetentionPolicy <RetentionPolicyIdentity>] [-RoleAssignmentPolicy <RoleAssignmentPolicyIdentity>]

Set-CASMailboxPlan -Identity <MailboxPlanIdentity> [-ActiveSyncEnabled <$true | $false>] [-ImapEnabled <$true | $false>] [-PopEnabled <$true | $false>] [-OwaMailboxPolicy <PolicyIdentity>]

This example modifies the mailbox plan named ExchangeOnlineEnterprise to use the retention policy named
Contoso Retention Policy.

Set-MailboxPlan -Identity ExchangeOnlineEnterprise -RetentionPolicy "Contoso Retention Policy"

This example disables Exchange ActiveSync, POP3, and IMAP4 access to mailboxes in all CAS mailbox plans.

Get-CASMailboxPlan | Set-CASMailboxPlan -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false

For detailed syntax and parameter information, see Set-MailboxPlan and Set-CasMailboxPlan.
How do you know this worked?
To verify that you've successfully modified a mailbox plan, use any of the following steps:
In Exchange Online PowerShell, run the following commands to verify the property values:

Get-MailboxPlan | Format-List DisplayName,IsDefault,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy

Get-CasMailboxPlan | Format-List DisplayName,ActiveSyncEnabled,ImapEnabled,PopEnabled,OwaMailboxPolicy

Using the license that corresponds to the modified mailbox plan, do one of the following steps:
Create a new mailbox and assign the license as described in Create user mailboxes in Exchange
Online.
Assign the license to an existing mailbox user who currently has a different license (therefore,
mailbox plan) assigned.
Replace <MailboxIdentity> with the name, alias, account name, or email address of the mailbox, and run the
following commands in Exchange Online PowerShell to verify the property values:

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List MailboxPlan,Max*Size,IssueWarningQuota,Prohibit*Quota,RetainDeletedItemsFor,RetentionPolicy,RoleAssignmentPolicy

Get-CasMailbox -Identity "<MailboxIdentity>" | Format-List ActiveSyncEnabled,ImapEnabled,PopEnabled,OwaMailboxPolicy
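
Because changing a CAS mailbox plan doesn't touch mailboxes that already have the plan applied, disabling POP3, IMAP4, or Exchange ActiveSync in the plan can leave those protocols enabled on existing mailboxes. The following added example (not part of the original documentation) reports that drift; the function name and sample records are constructed, and it assumes that Get-Mailbox and Get-CasMailbox records can be joined on Identity and that a mailbox's MailboxPlan value matches the Name of its CAS mailbox plan.

```powershell
# Added example, not part of the original documentation.
# Finds mailboxes whose client access settings differ from their CAS mailbox plan.
# Assumptions: mailbox and CAS mailbox records share the same Identity value, and
# the MailboxPlan value on a mailbox equals the Name of its CAS mailbox plan.

function Get-CasPlanDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $CasMailboxPlan,  # shaped like Get-CasMailboxPlan output
        [Parameter(Mandatory)] [object[]] $Mailbox,         # shaped like Get-Mailbox output
        [Parameter(Mandatory)] [object[]] $CasMailbox       # shaped like Get-CasMailbox output
    )

    $protocols = 'ActiveSyncEnabled', 'ImapEnabled', 'PopEnabled'
    $settings  = $protocols + 'OwaMailboxPolicy'

    # Index both lookups once so the comparison is a single pass over the mailboxes.
    $planByName = @{}
    foreach ($plan in $CasMailboxPlan) { $planByName[[string]$plan.Name] = $plan }
    $casById = @{}
    foreach ($cas in $CasMailbox) { $casById[[string]$cas.Identity] = $cas }

    foreach ($mbx in $Mailbox) {
        $id   = [string]$mbx.Identity
        $plan = $planByName[[string]$mbx.MailboxPlan]
        $cas  = $casById[$id]

        if ($null -eq $plan -or $null -eq $cas) {
            # Unmatched mailboxes are reported rather than silently skipped.
            [pscustomobject]@{
                Mailbox = $id; Setting = '(unmatched)'; PlanValue = $null
                MailboxValue = $null; MoreOpenThanPlan = $null
            }
            continue
        }

        foreach ($name in $settings) {
            $planValue = $plan.$name
            $mbxValue  = $cas.$name
            if ([string]$planValue -ne [string]$mbxValue) {
                [pscustomobject]@{
                    Mailbox          = $id
                    Setting          = $name
                    PlanValue        = $planValue
                    MailboxValue     = $mbxValue
                    # True when a protocol is enabled on the mailbox but disabled in the plan.
                    MoreOpenThanPlan = ($name -in $protocols) -and
                                       ($mbxValue -eq $true) -and ($planValue -eq $false)
                }
            }
        }
    }
}

# Constructed sample data (placeholder GUID and users). In a live session use instead:
#   $plans = Get-CasMailboxPlan
#   $mbxs  = Get-Mailbox -ResultSize unlimited
#   $cas   = Get-CasMailbox -ResultSize unlimited
$planName = 'ExchangeOnlineEnterprise-00000000-0000-0000-0000-000000000000'
$plans = @(
    [pscustomobject]@{ Name = $planName; ActiveSyncEnabled = $false; ImapEnabled = $false
                       PopEnabled = $false; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
)
$mbxs = @(
    [pscustomobject]@{ Identity = 'user1@contoso.com'; MailboxPlan = $planName },
    [pscustomobject]@{ Identity = 'user2@contoso.com'; MailboxPlan = $planName }
)
$cas = @(
    # Created before the plan was tightened: POP3 and IMAP4 are still enabled.
    [pscustomobject]@{ Identity = 'user1@contoso.com'; ActiveSyncEnabled = $false; ImapEnabled = $true
                       PopEnabled = $true; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' },
    # Matches the plan, so it produces no output.
    [pscustomobject]@{ Identity = 'user2@contoso.com'; ActiveSyncEnabled = $false; ImapEnabled = $false
                       PopEnabled = $false; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
)

Get-CasPlanDrift -CasMailboxPlan $plans -Mailbox $mbxs -CasMailbox $cas | Format-Table -AutoSize
```

Rows where MoreOpenThanPlan is True are the mailboxes to correct directly with Set-CasMailbox.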
Automatically save sent items in delegator's mailbox
3/4/2019 • 5 minutes to read

Mailboxes in Office 365 can be set up so that someone (such as an executive assistant) can access the mailbox of
another person (such as a manager) and send mail as them. These people are often called the delegate and the
delegator, respectively. We'll call them "assistant" and "manager" for simplicity's sake. When an assistant is granted
access to a manager's mailbox, it's called delegated access.
People often set up delegated access and send permissions to allow an assistant to manage a manager's calendar
where they need to send and respond to meeting requests. By default, when an assistant sends mail as, or on
behalf of, a manager, the sent message is stored in the assistant's Sent Items folder. You can use this article to
change this behavior so that the sent message is stored in both the assistant and manager's Sent Items folders.
Let's take a look at a quick example of how this would work in real life:
Mary is the Vice President of Global Sales. She has an extremely busy schedule and has Rob, her executive
assistant, to help manage her calendar.
To help Mary, Rob's been granted delegated access to Mary's mailbox and to send messages on her behalf.
This allows him to see what's on her calendar; schedule, accept, and decline meeting requests; and respond
to messages.
Messages that Rob sends on behalf of Mary are stored in his Sent Items folder. Mary wants a copy so Rob
manually copies messages he's sent on her behalf from his Sent Items folder to her Sent Items folder.
Rob wonders if there's a better way to handle Sent Items so he asks his IT Help Desk. He learns Mary's
mailbox can be set up to store messages he sends on her behalf in both his Sent Items and her Sent Items
automatically. This is exactly what he wants so he asks the Help Desk to set it up.

Send As...Send on behalf of...what do they mean and which should I choose?

When you set up someone as a delegate on a manager's mailbox, you can choose whether they "Send as" the
manager, or "Send on behalf of" them. The difference is subtle, but can be important in some organizations:
Send As When someone has "Send as" permissions on a mailbox, messages they send from that mailbox
will show only the mailbox owner's name in the From: field of the message. In the example above, if Rob has
"Send as" permissions on Mary's mailbox, messages he sends from her mailbox will show From: Mary to
recipients.
Send on behalf of When someone has "Send on behalf of" permissions on a mailbox, messages they send
from the owner's mailbox will show that the message was sent by someone on behalf of the mailbox owner.
In the example above, if Rob has "Send on behalf of" permissions on Mary's mailbox, messages he sends
from her mailbox will show From: Rob on behalf of Mary to recipients.
The send permissions that someone has on another user's mailbox are important when thinking about how sent
items should be handled. This is because you can decide, for each level of permissions, whether messages should
be stored in just the assistant's Sent Items folder or in both the assistant and manager's Sent Items folders. Office
365 defaults to storing sent items for messages sent with "Send as" and "Send on behalf of" permissions in the
assistant's Sent Items only. You can change that default behavior using the steps below.
TIP
Managers might have multiple assistants with different levels of permissions. In the example above, while Rob may be able to
send messages on behalf of Mary, she could have another assistant that can Send as Mary. If this was the case, Mary's IT
department could do the steps for both "Send as" and "Send on behalf of" permissions.

How do I set up a mailbox to save messages "Sent as" a manager when they're sent by an assistant?

When you do these steps, any messages sent as the manager whose mailbox you're configuring, will be saved to
the manager's Sent Items folder. To set this up, just follow the steps below. You'll need to use Windows PowerShell
to complete the steps; if you haven't used it before, go to Using PowerShell with Exchange Online for instructions
on how to get connected. There's a great video too!
1. Open Windows PowerShell and, using the instructions at Using PowerShell with Exchange Online, connect
to Exchange Online PowerShell.
2. Get the email address of the manager.
3. Run the following command in the PowerShell window.

Set-Mailbox <manager's email address> -MessageCopyForSentAsEnabled $true

For example, if Mary's email address is mary@contoso.com, her IT department would run the command
`Set-Mailbox mary@contoso.com -MessageCopyForSentAsEnabled $true`.

That's it! The manager will now automatically get a copy of any messages sent by an assistant, in their Sent Items
folder.

TIP
You can turn this off by going through the steps above and replacing $true with $false in the Set-Mailbox command. For
example, to turn it off for Mary, they'd run the command
`Set-Mailbox mary@contoso.com -MessageCopyForSentAsEnabled $false`.

How do I set up a mailbox to save messages "Sent on behalf of" a manager when they're sent by an assistant?

When you do these steps, any messages sent on behalf of the manager whose mailbox you're configuring, will be
saved to the manager's Sent Items folder. To set this up, just follow the steps below. You'll need to use Windows
PowerShell to complete the steps; if you haven't used it before, go to Using PowerShell with Exchange Online for
instructions on how to get connected. There's a great video too!
1. Open Windows PowerShell and, using the instructions at Using PowerShell with Exchange Online, connect
to Exchange Online PowerShell.
2. Get the email address of the manager.
3. Run the following command in the PowerShell window.

Set-Mailbox <manager's email address> -MessageCopyForSendOnBehalfEnabled $true


For example, if Mary's email address is mary@contoso.com, her IT department would run the command
`Set-Mailbox mary@contoso.com -MessageCopyForSendOnBehalfEnabled $true`.

That's it! The manager will now automatically get a copy of any messages sent by an assistant, in their Sent Items
folder.

TIP
You can turn this off by going through the steps above and replacing $true with $false in the Set-Mailbox command. For
example, to turn it off for Mary, they'd run the command
`Set-Mailbox mary@contoso.com -MessageCopyForSendOnBehalfEnabled $false`.
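
Since each permission type has its own copy setting, a mailbox can have delegates whose sent mail never reaches the manager's Sent Items folder. The following added example (not part of the original article) lists those mailboxes; the function name and sample records are constructed, it reads the GrantSendOnBehalfTo property of Get-Mailbox and the output of Get-RecipientPermission (neither is shown in the article), and it assumes both cmdlets report the same Identity value for a mailbox.

```powershell
# Added example, not part of the original article.
# Lists mailboxes that have delegates with "Send as" or "Send on behalf of" rights
# but where the matching MessageCopyFor...Enabled setting is not turned on.
# Assumption: Get-Mailbox and Get-RecipientPermission use the same Identity value.

function Get-DelegateSentItemsGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,       # shaped like Get-Mailbox output
        [object[]] $RecipientPermission = @()             # shaped like Get-RecipientPermission output
    )

    # Collect "Send as" trustees per mailbox, ignoring the owner's own SELF entry.
    $sendAs = @{}
    foreach ($perm in $RecipientPermission) {
        $rights = @($perm.AccessRights | ForEach-Object { [string]$_ })
        if ($rights -notcontains 'SendAs') { continue }
        if ([string]$perm.Trustee -eq 'NT AUTHORITY\SELF') { continue }
        $key = [string]$perm.Identity
        if (-not $sendAs.ContainsKey($key)) { $sendAs[$key] = @() }
        $sendAs[$key] += [string]$perm.Trustee
    }

    foreach ($mbx in $Mailbox) {
        $id = [string]$mbx.Identity
        $asDelegates     = @(if ($sendAs.ContainsKey($id)) { $sendAs[$id] })
        $behalfDelegates = @($mbx.GrantSendOnBehalfTo | Where-Object { $_ })

        # String comparison handles both Boolean and text property values.
        if ($asDelegates.Count -gt 0 -and "$($mbx.MessageCopyForSentAsEnabled)" -ne 'True') {
            [pscustomobject]@{
                Mailbox     = $id
                Permission  = 'Send as'
                Delegates   = $asDelegates -join '; '
                Remediation = "Set-Mailbox '$id' -MessageCopyForSentAsEnabled `$true"
            }
        }
        if ($behalfDelegates.Count -gt 0 -and "$($mbx.MessageCopyForSendOnBehalfEnabled)" -ne 'True') {
            [pscustomobject]@{
                Mailbox     = $id
                Permission  = 'Send on behalf of'
                Delegates   = $behalfDelegates -join '; '
                Remediation = "Set-Mailbox '$id' -MessageCopyForSendOnBehalfEnabled `$true"
            }
        }
    }
}

# Constructed sample data modelled on the Mary and Rob scenario. In a live session use:
#   $mbxs  = Get-Mailbox -ResultSize unlimited
#   $perms = Get-RecipientPermission -ResultSize unlimited
$mbxs = @(
    # Rob can send on behalf of Mary, but the copy setting is still off.
    [pscustomobject]@{ Identity = 'mary@contoso.com'; GrantSendOnBehalfTo = @('rob@contoso.com')
                       MessageCopyForSentAsEnabled = $true; MessageCopyForSendOnBehalfEnabled = $false },
    # No delegates at all, so nothing is reported.
    [pscustomobject]@{ Identity = 'rob@contoso.com'; GrantSendOnBehalfTo = @()
                       MessageCopyForSentAsEnabled = $false; MessageCopyForSendOnBehalfEnabled = $false }
)
$perms = @(
    [pscustomobject]@{ Identity = 'mary@contoso.com'; Trustee = 'NT AUTHORITY\SELF'; AccessRights = @('SendAs') },
    # A second, constructed assistant who can "Send as" Mary; that copy setting is on.
    [pscustomobject]@{ Identity = 'mary@contoso.com'; Trustee = 'assistant2@contoso.com'; AccessRights = @('SendAs') }
)

Get-DelegateSentItemsGap -Mailbox $mbxs -RecipientPermission $perms | Format-List
```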
Clutter notifications in Outlook
3/4/2019 • 2 minutes to read

Clutter is a feature in Office 365 designed to help users focus on the most important messages in their Inbox by
moving lower priority messages into a new Clutter folder.

Clutter Notifications
Clutter is enabled by users in their O365 Settings options. This article contains information for O365
administrators about notifications from Clutter to end-users.
These notifications are an integral part of the Clutter feature and therefore can't be suspended by administrators.
Clutter is a user election, similar to someone opting to use Conversation view, and the notifications help the user
understand the state of Clutter across all clients. There is no central reporting available at this time. For information
on how to change the branding of the notifications see Change the branding of Clutter notifications.

NOTE
For information on how end users can enable and begin using Clutter, see Use Clutter to sort low priority messages in
Outlook Web App.

Invitation to use Clutter


Before users enable Clutter, they may receive a Clutter invitation in their Inbox. The invitation lets the user know
that the feature is available and covers the benefits of using Clutter.
Clutter is always running in the background, as Exchange looks at a user's mailbox and tries to train itself to
identify low-priority messages. The invitation that a user receives provides a link to turn Clutter "on" (or enable
Clutter), meaning the user now allows Clutter to automatically move low-priority messages from their Inbox to a
dedicated folder.
To determine whether or not a user receives an invitation to enable Clutter, there are several criteria, including:
Has Exchange looked at enough information in a user's mailbox to determine the parameters for Clutter?
Sufficient email: Does the user receive at least 3 clutter messages and at least 3 non-clutter messages?
Watermark current: Is the state of training reflective of the user's current state?
Supported classification version: Is the version for which training is complete still supported?
True positive rate: Are at least 85% of true clutter messages classified as clutter?
False positive rate: Are less than 20% of messages classified as clutter actually non-clutter?
An example of the invitation notification is as follows:
Around the time that an invitation is sent, a new folder called Clutter is created and added to their Favorites. The
same invitation message will appear as the first message inside the Clutter folder.
Cleaning up
To make sure the user understands that the new feature is on, Clutter will send another notification to their Inbox,
describing how Clutter works and how to correct Clutter when it incorrectly moves a message to the Clutter folder.
Clutter is a "learning" feature, which means that after the user provides information to Clutter by manually moving
low-priority messages to the Clutter folder, Clutter will be able to identify similar messages and move them
automatically.
If the user finds that Clutter isn't what they need, this notification also provides a link for turning Clutter off. In
newer clients, there are specific controls to control Clutter, but these are unavailable in older clients.

Hard at work
During the first three weeks of Clutter usage, the following notification is sent periodically for two reasons. First, it
reminds the user to inspect the Clutter folder and make sure that Clutter is filtering messages correctly. Second,
this notification provides a way for the user to provide feedback on Clutter. Additionally, there are links that
provide more information about the feature and that turn Clutter off.
Change the branding of Clutter notifications
3/4/2019 • 2 minutes to read

The Clutter feature uses Inbox notifications to invite users and to send status messages. The default branding used
for these notifications is Outlook, but you can modify the branding for your organization.

Change the branding of Clutter notifications


This article describes how to change the branding of Clutter notifications to match that of your school, business, or
organization.

NOTE
For more information about the types of Clutter notifications that end users in your organization receive, see Clutter
notifications in Outlook.

To begin, you will need to sign in to Office 365 with your work or school account.
1. Once signed in to Office 365, go to the Office 365 admin center.
2. Click to expand Users, then select Active Users.
3. Select the plus [+] sign to add a user. The Create a new user account dialog will open.
4. In the Create a new user account dialog, enter a Display name and a username. The display name will
appear in the Sender field for all Clutter notifications sent to your users. Office 365 generates a new
temporary password for the new user account. Click Create to create the account.
5. Go to the Exchange admin center.
6. Click recipients, and then click mailboxes.
7. Select the user you just created, and then click the pencil icon to edit the account, as shown in the following
example.
8. In the user account dialog, click Email address, and then click the plus sign [+] to add an email address to
the new user account.

9. In the new email address dialog, select SMTP as the email address type, and then, in the Email address
box, type the following: 7a694ec2-b7c9-41eb-b562-08fd2b277ae0@[your default domain], where
[your default domain] is the domain that your organization uses. For most organizations, this would be
[your domain name].onmicrosoft.com.
When finished, click OK.
10. Back in the user account dialog, click save to associate the new email address with the user account. All
Clutter notifications sent to end users in your organization will now originate from this account.

Change the branding of Clutter notifications using PowerShell


You can also create a new shared mailbox as the branding mailbox using PowerShell. Follow these steps.
1. Connect to Exchange Online Using Remote PowerShell.
2. Type the following commands:

New-Mailbox -Shared -Name branding@contoso.com -DisplayName "Branding Clutter Mailbox" -Alias branding
Set-Mailbox "IT Admin" -EmailAddresses SMTP: branding@contoso
Enable or disable single item recovery for a mailbox
3/4/2019 • 3 minutes to read

You can use Exchange Online PowerShell to enable or disable single item recovery on a mailbox. In Exchange
Online, single item recovery is enabled by default when a new mailbox is created. In Exchange Server, single item
recovery is disabled when a mailbox is created. If single item recovery is enabled, messages that are permanently
deleted (purged) by the user are retained in the Recoverable Items folder of the mailbox until the deleted item
retention period expires. This lets an administrator recover messages purged by the user before the deleted item
retention period expires. Also, if a message is changed by a user or a process, copies of the original item are also
retained when single item recovery is enabled.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Retention and legal holds" entry in the Mailbox Permissions topic.
You can't use the Exchange admin center (EAC) to enable or disable single item recovery.
In Exchange Online, the deleted item retention period is set to 14 days, by default. You can change this
setting to a maximum of 30 days. For details, see Change how long permanently deleted items are kept for
an Exchange Online mailbox.
In Exchange Server, the mailbox uses the deleted item retention settings of the mailbox database, by default.
The deleted item retention period for a mailbox database is set to 14 days, but you can override the default
by configuring this setting on a per-mailbox basis. For details, see Configure deleted item retention and
recoverable items quotas.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Use Exchange Online PowerShell to enable single item recovery


This example enables single item recovery for the mailbox of April Summers.

Set-Mailbox -Identity "April Summers" -SingleItemRecoveryEnabled $true

This example enables single item recovery for the mailbox of Pilar Pinilla and sets the number of days that deleted
items are retained to 30 days.

Set-Mailbox -Identity "Pilar Pinilla" -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

This example enables single item recovery for all user mailboxes in the organization.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -SingleItemRecoveryEnabled $true

This example enables single item recovery for all user mailboxes in the organization and sets the number of days
that deleted items are retained to 30 days.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

For detailed syntax and parameter information, see Set-Mailbox.

Use Exchange Online PowerShell to disable single item recovery


You might need to disable single item recovery for a user's mailbox. For example, before you can use
Search-Mailbox -DeleteContent to permanently delete content from a mailbox, you have to disable single item
recovery. For more information, see Search and Delete Messages.
This example disables single item recovery for the mailbox of Ayla Kol.

Set-Mailbox -Identity "Ayla Kol" -SingleItemRecoveryEnabled $false

How do you know this worked?


To verify that you've enabled single item recovery for a mailbox and display the value for how long deleted items
will be retained (in days), run the following command.

Get-Mailbox <Name> | Format-List SingleItemRecoveryEnabled,RetainDeletedItemsFor

You can use this same command to verify that single item recovery is disabled for a mailbox.

More information
To learn more about single item recovery, see Recoverable Items folder. To recover messages purged by the
user before the deleted item retention period expires, see Recover deleted messages in a user's mailbox.
If a mailbox is placed on In-Place Hold or Litigation Hold, messages in the Recoverable Items folder are
retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the
hold is removed or the hold duration is changed.
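
Because single item recovery has to be disabled before content can be permanently deleted, mailboxes where it stays off afterward lose the ability to recover purged messages. The following added example (not part of the original topic) flags such mailboxes and those with a short deleted item retention period; the function names, the MinimumDays threshold, and the sample records are constructed, and LitigationHoldEnabled is a Get-Mailbox property that this topic doesn't show.

```powershell
# Added example, not part of the original topic.
# Flags mailboxes where purged messages can't be recovered by an administrator,
# or where the deleted item retention period is shorter than a chosen minimum.
# In-Place Holds are not evaluated here; only Litigation Hold is considered.

function ConvertTo-RetentionDays {
    param($Value)
    # The value may arrive as a TimeSpan or as text such as '14.00:00:00'.
    if ($Value -is [timespan]) { return $Value.TotalDays }
    $parsed = [timespan]::Zero
    if ([timespan]::TryParse([string]$Value, [ref]$parsed)) { return $parsed.TotalDays }
    return $null
}

function Get-PurgeRecoveryGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Mailbox,  # shaped like Get-Mailbox output
        # Hypothetical policy threshold; Exchange Online allows up to 30 days.
        [ValidateRange(1, 30)] [int] $MinimumDays = 14
    )
    process {
        # String comparison handles both Boolean and text property values.
        $sirOn  = "$($Mailbox.SingleItemRecoveryEnabled)" -eq 'True'
        $holdOn = "$($Mailbox.LitigationHoldEnabled)" -eq 'True'
        $days   = ConvertTo-RetentionDays $Mailbox.RetainDeletedItemsFor

        $findings = @()
        if (-not $sirOn -and -not $holdOn) {
            $findings += 'Purged items are not retained (single item recovery off, no Litigation Hold)'
        }
        elseif (-not $sirOn) {
            $findings += 'Single item recovery off; retention depends on Litigation Hold only'
        }
        if ($null -eq $days) {
            $findings += 'RetainDeletedItemsFor could not be read'
        }
        elseif ($days -lt $MinimumDays) {
            $findings += "Deleted items kept for $days days, below the $MinimumDays day minimum"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Mailbox                   = [string]$Mailbox.Identity
                SingleItemRecoveryEnabled = $sirOn
                LitigationHoldEnabled     = $holdOn
                RetentionDays             = $days
                Findings                  = $findings -join '; '
            }
        }
    }
}

# Constructed sample data. In a live session, pipe real mailboxes instead:
#   Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} |
#       Get-PurgeRecoveryGap -MinimumDays 30
$sample = @(
    # Default Exchange Online state: reported only when the minimum is above 14 days.
    [pscustomobject]@{ Identity = 'user1@contoso.com'; SingleItemRecoveryEnabled = $true
                       LitigationHoldEnabled = $false; RetainDeletedItemsFor = '14.00:00:00' },
    # Single item recovery left off and no hold: purged mail is gone.
    [pscustomobject]@{ Identity = 'user2@contoso.com'; SingleItemRecoveryEnabled = $false
                       LitigationHoldEnabled = $false; RetainDeletedItemsFor = [timespan]::FromDays(30) },
    # Single item recovery off, but a Litigation Hold still preserves items.
    [pscustomobject]@{ Identity = 'user3@contoso.com'; SingleItemRecoveryEnabled = $false
                       LitigationHoldEnabled = $true; RetainDeletedItemsFor = '30.00:00:00' }
)

$sample | Get-PurgeRecoveryGap -MinimumDays 30 | Format-List
```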
Recover deleted messages in a user's mailbox
3/29/2019 • 8 minutes to read

(This topic is intended for Exchange administrators.)


Administrators can search for and recover deleted email messages in a user's mailbox. This includes items that are
permanently deleted (purged) by a person (by using the Recover Deleted Items feature in Outlook or Outlook
Web App), or items deleted by an automated process, such as the retention policy assigned to user mailboxes. In
these situations, the purged items can't be recovered by a user. But administrators can recover purged messages if
the deleted item retention period for the item hasn't expired.

NOTE
In addition to using this procedure to search for and recover deleted items (which are moved to the Recoverable
Items\Purges folder if either single item recovery or litigation hold is enabled), you can also use this procedure to search for
items residing in other folders in the mailbox and to delete items from the source mailbox (also known as search and
destroy).

What do you need to know before you begin?


Estimated time to complete: 15-30 minutes.
Procedures in this topic require specific permissions. See each procedure for its permissions information.
Single item recovery must be enabled for a mailbox before the item you want to recover is deleted. In
Exchange Online, single item recovery is enabled by default when a new mailbox is created. In Exchange
Server, single item recovery is disabled when a mailbox is created. For more information, see Enable or
disable single item recovery for a mailbox.
To search for and recover items, you must have the following information:
Source mailbox: This is the mailbox being searched.
Target mailbox: This is the discovery mailbox in which messages will be recovered. Exchange Setup
creates a default discovery mailbox. In Exchange Online, a discovery mailbox is also created by
default. If required, you can create additional discovery mailboxes. For details, see Create a discovery
mailbox.

NOTE
When using the Search-Mailbox cmdlet, you can also specify a target mailbox that isn't a discovery mailbox.
However, you can't specify the same mailbox as the source and target mailbox.

Search criteria: Criteria include sender or recipient, or keywords (words or phrases) in the message.
This topic focuses on using PowerShell to recover deleted items in a user's mailbox. You can also use the
GUI-based In-Place eDiscovery tool to find and export deleted items to a PST file. The user will use this
PST file to restore the deleted messages to their mailbox. For detailed instructions, see Recover deleted
items in a user's mailbox - Admin Help.

(Optional) Step 1: Connect to Exchange Online using remote PowerShell

You only need to perform this step if you have an Exchange Online or Office 365 organization. If you have an
Exchange Server organization, go to the next step and run the command in Exchange Online PowerShell.
1. On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type the username and password for an Office 365
global admin account, and then click OK.

2. Run the following command.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3. Run the following command.

Import-PSSession $Session

4. To verify that you're connected to your Exchange Online organization, run the following command to get a list
of all the mailboxes in your organization.

Get-Mailbox

For more information or if you have problems connecting to your Exchange Online organization, see Connect to
Exchange Online using remote PowerShell.

Step 2: Search for and recover missing items


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place eDiscovery" entry in the Messaging Policy and Compliance Permissions
topic.

NOTE
You can use In-Place eDiscovery in the Exchange admin center (EAC) to search for missing items. However, when using the
EAC, you can't restrict the search to the Recoverable Items folder. Messages matching your search parameters will be
returned even if they're not deleted. After they're recovered to the specified discovery mailbox, you may need to review the
search results and remove unnecessary messages before recovering the remaining messages to the user's mailbox or
exporting them to a .pst file. For details about how to use the EAC to perform an In-Place eDiscovery search, see Create
an In-Place eDiscovery search.

The first step in the recovery process is to search for messages in the source mailbox. Use one of the following
methods to search a user mailbox and copy messages to a discovery mailbox.
This example searches for messages in April Stewart's mailbox that meet the following criteria:
Sender: Ken Kwok
Keyword: Seattle

Search-Mailbox "April Stewart" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "April Stewart Recovery" -LogLevel Full

NOTE
When using the Search-Mailbox cmdlet, you can scope the search by using the SearchQuery parameter to specify a query
formatted using Keyword Query Language (KQL). You can also use the SearchDumpsterOnly switch to search only items in
the Recoverable Items folder.

For detailed syntax and parameter information, see Search-Mailbox.


How do you know this worked?
To verify that you have successfully searched the messages you want to recover, log on to the discovery mailbox
you selected as the target mailbox and review the search results.
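
The following added example (not part of the original documentation) wraps Step 2 so that the search is limited to the Recoverable Items folder and the match count is checked before anything is copied. The function name and the MaxItems limit are assumptions; the mailbox names, query, and folder are the ones used in this topic.

```powershell
# Added example, not part of the original documentation.
# Assumes an Exchange Online PowerShell session is already imported.
# Copy-PurgedItemsToDiscovery and its MaxItems limit are hypothetical.
function Copy-PurgedItemsToDiscovery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SourceMailbox,
        [Parameter(Mandatory)] [string]$SearchQuery,
        [Parameter(Mandatory)] [string]$TargetFolder,
        [string]$TargetMailbox = 'Discovery Search Mailbox',
        # Refuse to copy if the query matches more than this many items.
        [int]$MaxItems = 500
    )

    # Search-Mailbox can't use the same mailbox as source and target.
    if ($SourceMailbox -eq $TargetMailbox) {
        throw 'The source and target mailbox must be different.'
    }

    # Pass 1: count matches in the Recoverable Items folder only. Nothing is copied.
    $estimate = Search-Mailbox -Identity $SourceMailbox -SearchQuery $SearchQuery -SearchDumpsterOnly -EstimateResultOnly

    if ($estimate.ResultItemsCount -eq 0) {
        Write-Warning "No deleted items in '$SourceMailbox' match the query."
        return
    }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        throw "Query matches $($estimate.ResultItemsCount) items (limit $MaxItems). Narrow the query first."
    }

    # Pass 2: copy the matches to the discovery mailbox and keep a full log.
    $copy = Search-Mailbox -Identity $SourceMailbox -SearchQuery $SearchQuery -SearchDumpsterOnly -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full

    # Summary to keep with the recovery ticket.
    [pscustomobject]@{
        SourceMailbox  = $SourceMailbox
        TargetMailbox  = $TargetMailbox
        TargetFolder   = $TargetFolder
        EstimatedItems = $estimate.ResultItemsCount
        CopiedItems    = $copy.ResultItemsCount
        Success        = $copy.Success
    }
}

Copy-PurgedItemsToDiscovery -SourceMailbox 'April Stewart' -SearchQuery "from:'Ken Kwok' AND seattle" -TargetFolder 'April Stewart Recovery'
```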

Step 3: Restore recovered items


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "In-Place eDiscovery" entry in the Messaging Policy and Compliance Permissions
topic.

NOTE
You can't use the EAC to restore recovered items.

After messages have been recovered to a discovery mailbox, you can restore them to the user's mailbox by using
the Search-Mailbox cmdlet. In Exchange Server, you can also use the New-MailboxExportRequest and
New-MailboxImportRequest cmdlets to export the messages to or import the messages from a .pst file.
Use Exchange Online PowerShell to restore messages
This example restores messages to April Stewart's mailbox and deletes them from the Discovery Search Mailbox.

Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "April Stewart" -TargetFolder "Recovered Messages" -LogLevel Full -DeleteContent

For detailed syntax and parameter information, see Search-Mailbox.


How do you know this worked?
To verify that you have successfully recovered messages to the user's mailbox, have the user review messages in
the target folder you specified in the above command.
(Exchange Server) Use Exchange Online PowerShell to export and import messages from a .pst file
In Exchange Server, you can export contents from a mailbox to a .pst file and import the contents of a .pst file to a
mailbox. To learn more about mailbox import and export, see Understanding Mailbox Import and Export Requests.
You can't perform this task in Exchange Online.
This example uses the following settings to export messages from the folder April Stewart Recovery in the
Discovery Search Mailbox to a .pst file:
Mailbox: Discovery Search Mailbox
Source folder: April Stewart Recovery
ContentFilter: April travel plans
PST file path: \\MYSERVER\HelpDeskPst\AprilStewartRecovery.pst

New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -SourceRootFolder "April Stewart Recovery" -ContentFilter {Subject -eq "April travel plans"} -FilePath \\MYSERVER\HelpDeskPst\AprilStewartRecovery.pst

For detailed syntax and parameter information, see New-MailboxExportRequest.


This example uses the following settings to import messages from a .pst file to the folder Recovered By Helpdesk
in April Stewart's mailbox:
Mailbox: April Stewart
Target folder: Recovered By Helpdesk
PST file path: \\MYSERVER\HelpDeskPst\AprilStewartRecovery.pst

New-MailboxImportRequest -Mailbox "April Stewart" -TargetRootFolder "Recovered By Helpdesk" -FilePath \\MYSERVER\HelpDeskPst\AprilStewartRecovery.pst

For detailed syntax and parameter information, see New-MailboxImportRequest.


How do you know this worked?
To verify that you have successfully exported messages to a .pst file, use Outlook to open the .pst file and inspect
its contents. To verify that you have successfully imported messages from the .pst file, have the user inspect the
contents of the target folder you specified in the above command.

More information
The ability to recover deleted items is enabled by single item recovery, which lets an administrator recover a
message that's been purged by a user or by retention policy as long as the deleted item retention period
hasn't expired for that item. To learn more about single item recovery, see Recoverable Items Folder.
An Exchange Online mailbox is configured to retain deleted items for 14 days, by default. You can change
this setting to a maximum of 30 days. In Exchange Server, a mailbox database is configured to retain
deleted items for 14 days, by default. You can configure deleted item retention settings for a mailbox or
mailbox database. For more information, see:
Change how long permanently deleted items are kept for an Exchange Online mailbox
Configure Deleted Item Retention and Recoverable Items Quotas
As previously explained, you can also use the In-Place eDiscovery tool to find and export deleted items to a
PST file. The user will use this PST file to restore the deleted messages to their mailbox. For detailed
instructions, see Recover deleted items in a user's mailbox - Admin Help.
Users can recover a deleted item if it hasn't been purged and if the deleted item retention period for that
item hasn't expired. If users need to recover deleted items from the Recoverable Items folder, point them to
the following topics:
Recover deleted items in Outlook 2010
Recover deleted items in Outlook 2013
Recover deleted items or email in Outlook Web App
This topic shows you how to use the Search-Mailbox cmdlet to search for and recover missing items. If
you use this cmdlet, you can search only one mailbox at a time. If you want to search multiple mailboxes at
the same time, you can use In-Place eDiscovery in the Exchange admin center (EAC) or the
New-MailboxSearch cmdlet in Windows PowerShell.
In addition to using this procedure to search for and recover deleted items, you can also use a similar
procedure to search for items in user mailboxes and then delete those items from the source mailbox. For
more information, see Search and delete messages.
Use Exchange Online PowerShell to display Office 365 mailbox information
2/28/2019 • 3 minutes to read

Admins can learn how to use Exchange Online PowerShell to display information about mailboxes in their Office
365 organization.
To give you an idea of some of the things you can do with PowerShell in Office 365, let's take a look at user
mailboxes in Exchange Online PowerShell.

Before you begin


To learn how to use remote PowerShell to connect to Exchange Online, see Connect to Exchange Online
PowerShell.

Display mailbox information with Exchange Online PowerShell


You can easily get information about a single user mailbox. For example, here's a command that returns some
information about Ken Myer's mailbox:

Get-Mailbox -Identity "Ken Myer"

This command will return something similar to this:

Name     Alias    ServerName    ProhibitSendQuota
----     -----    ----------    -----------------
kenmyer  kenmyer  bn1pr02mb038  49.5 GB (53,150,220,288 bytes)

You can see things like Ken's alias and his mailbox size quota. But there's a lot more information that's associated
with an Exchange Online mailbox than just the four properties returned by the Get-Mailbox cmdlet.
Here's an example command that displays all the information for a specific mailbox:

Get-Mailbox -Identity "Ken Myer" | Format-List

The command instructs Exchange Online PowerShell to return all of the available properties for the mailbox in a
list. There are about 200 different properties and property values. You can also use the Format-List and
Format-Table cmdlets to return only specific property values. For example, you can also view litigation hold-related
properties for Ken Myer with this command:

Get-Mailbox -Identity "Ken Myer" | Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

You can also use wildcard characters when working with the Format-List cmdlet. For example, all the litigation
hold properties start with the letters lit. You can retrieve this same information by using this command:

Get-Mailbox -Identity "Ken Myer" | Format-List DisplayName, Lit*


This command tells Get-Mailbox to retrieve the value of Ken's DisplayName property along with the values of
any properties that have names that begin with the letters lit. Here's an example of what we get back:

DisplayName            : Ken Myer
LitigationHoldEnabled  : False
LitigationHoldDate     :
LitigationHoldOwner    :
LitigationHoldDuration : Unlimited

You can return information about multiple mailboxes by leaving out the Identity parameter. This example returns
the DisplayName and LitigationHoldEnabled properties for all mailboxes:

Get-Mailbox -ResultSize unlimited | Format-Table DisplayName, LitigationHoldEnabled -Auto

In many cases, you only want to look at a subset of your mailboxes. For example, suppose you are asked to come
up with a list of all the mailboxes that have been assigned a litigation hold. You can use the Where-Object cmdlet
in conjunction with the Get-Mailbox cmdlet. The Where-Object cmdlet needs a filter phrase to tell Exchange
Online PowerShell what set of mailboxes you are interested in.
In their simplest form, filter phrases use the syntax {<PropertyName> -<ComparisonOperator> <PropertyValue>}.
Some commonly used comparison operators are:
eq (equals; not case-sensitive)
ne (does not equal; not case-sensitive)
gt (greater than)
lt (less than)

For a complete list of comparison operators, see Where-Object.


Values for <PropertyValue> depend on the property, and can be values like strings, numbers, Boolean values
($True or $False), or no value ($Null). Text values with spaces require quotation marks around the value.
Numerical values, Boolean values and $Null don't require quotation marks around the value.
Returning to our example of all the mailboxes that have been assigned a litigation hold, the filter phrase is
{LitigationHoldEnabled -eq $True}:

The property name is LitigationHoldEnabled.
The comparison operator is eq.
The property value we're looking for is $True.
Once you have the filter phrase, you can construct the Where-Object portion of the command using this syntax:

Get-Mailbox -ResultSize unlimited | Where-Object {$_.<Filter Phrase>}

Here's the command for our example:

Get-Mailbox -ResultSize unlimited | Where-Object {$_.LitigationHoldEnabled -eq $True}

For another example, suppose you'd like to make sure that all of your users have the junk email rule enabled.
Here's a quick command to find any users who don't have that rule enabled:

Get-Mailbox -ResultSize unlimited | Get-MailboxJunkEmailConfiguration | Where-Object {$_.Enabled -eq $False}

This is just one example. If you want to display a set of mailboxes based on a setting and can't filter on that setting
in the Office 365 admin center, do these steps:
1. Find the mailbox property that corresponds to the setting you're interested in by running the command
Get-Mailbox -Identity "<MailboxIdentity>" | Select-Object * to list all the properties of a mailbox.
<MailboxIdentity> is any unique identifier for the mailbox (name, email address, alias, etc.).

2. Construct your Office 365 PowerShell command like this:

Get-Mailbox -ResultSize unlimited | Where-Object {$_.<PropertyName> -<ComparisonOperator> <PropertyValue>}
Create and manage distribution groups
3/4/2019 • 16 minutes to read

Use the Exchange admin center (EAC) or Exchange Online PowerShell to create a new distribution group in your
Exchange Online organization or to mail-enable an existing group.
There are two types of groups that can be used to distribute messages:
Mail-enabled universal distribution groups (also called distribution groups) can be used only to distribute
messages.
Mail-enabled universal security groups (also called security groups) can be used to distribute messages as
well as to grant access permissions to resources. For more information, see Manage mail-enabled security
groups.
It's important to note the terminology differences between Active Directory and Exchange Online. In Active
Directory, a distribution group refers to any group that doesn't have a security context, whether it's mail-enabled
or not. In contrast, in Exchange, all mail-enabled groups are referred to as distribution groups, whether they have
a security context or not.

What do you need to know before you begin?


Estimated time to complete: 2 to 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Distribution groups" entry in the Recipients Permissions topic.
If your organization has configured a group naming policy, it's applied only to groups created by users.
When you or other administrators use the EAC to create distribution groups, the group naming policy is
ignored and isn't applied to the group name. However, if you use Exchange Online PowerShell to create or
rename a distribution group, the policy is applied unless you use the IgnoreNamingPolicy parameter to
override the group naming policy. For more information, see:
Create a distribution group naming policy
Override the distribution group naming policy

Create a distribution group


Use the EAC to create a distribution group
1. In the EAC, navigate to Recipients > Groups.
2. Click New > Distribution group.

3. You can now create an Office 365 group instead of a distribution group, if you have an Office 365 for
business plan or an Exchange Online plan. Office 365 groups have the features of a distribution group and
much more. With Office 365 groups, you can send email to a group, share a common calendar, have a
library for storing and working on group files and folders. Click New > Office 365 group to get started
and check out Office 365 Groups - Admin help.
If you have existing distribution groups that you want to migrate to Office 365 groups, check out Migrate
distribution lists to Office 365 Groups - Admin help.
If you still want to create a distribution group, click or tap the New distribution group wizard.
4. On the New distribution group page, complete the following boxes:
* Display name: Use this box to type the display name. This name appears in your organization's address
book, on the To: line when email is sent to this group, and in the Groups list in the EAC. The display name
is required and should be user-friendly so people recognize what it is. It also must be unique in the forest.
* Alias: Use this box to type the name of the alias for the group. The alias can't exceed 64 characters and
must be unique in the forest. When a user types the alias in the To: line of an email message, it resolves to
the group's display name.
Organizational unit: (You'll only see this option in Exchange Server on-premises) You can select an
organizational unit (OU) other than the default (which is the recipient scope). If the recipient scope is set to
the forest, the default value is set to the Users container in the Active Directory domain that contains the
computer on which the EAC is running. If the recipient scope is set to a specific domain, the Users
container in that domain is selected by default. If the recipient scope is set to a specific OU, that OU is
selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the OU you want, and then click OK.
* Owners: By default, the person who creates a group is the owner. All groups must have at least one
owner. You can add owners by clicking Add.
Members: Use this section to add members and to specify whether approval is required for people to join
or leave the group.
Group owners don't have to be members of the group. Use Add group owners as members to add or
remove the owners as members.
To add members to the group, click Add. When you've finished adding members, click OK to return to
the New distribution group page.
Under Choose whether owner approval is required to join the group, specify whether approval is
required for people to join the group. Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners: This is the default
setting.
Closed: Members can be added only by the group owners. All requests to join will be rejected
automatically
Owner Approval: All requests are manually approved or rejected by the group owners: If you
select this option, the group owner or owners will receive an email message requesting approval to join
the group.
Under Choose whether the group is open to leave, specify whether approval is required for people to
leave the group. Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners: This is
the default setting.
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically
5. When you've finished, click Save to create the distribution group.
NOTE
By default, new distribution groups require that all senders be authenticated. This prevents external senders from sending
messages to distribution groups. To configure a distribution group to accept messages from all senders, you must modify
the message delivery restriction settings for that distribution group.

Use Exchange Online PowerShell to create a distribution group


This example creates a distribution group with an alias itadmin and the name IT Administrators. The
distribution group is created in the default OU, and anyone can join this group without approval by the group
owners.

New-DistributionGroup -Name "IT Administrators" -Alias itadmin -MemberJoinRestriction open

For more information about using Exchange Online PowerShell to create distribution groups, see
New-DistributionGroup.
How do you know this worked?
To verify that you've successfully created a distribution group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new distribution group is displayed in the group list.
Under Group Type, the type is Distribution group.
In Exchange Online PowerShell, run the following command to display information about the new
distribution group.

Get-DistributionGroup <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

NOTE
You can create or mail-enable only universal distribution groups. To convert a domain-local or a global group to a universal
group, you can use the Set-Group cmdlet using Exchange Online PowerShell. You may have mail-enabled groups that were
migrated from previous versions of Exchange that are not universal groups. You can use the EAC or Exchange Online
PowerShell to manage these groups.
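
The following added example (not part of the original documentation) reviews existing groups against the settings described above: whether senders must be authenticated, whether anyone can join without owner approval, and whether mail-enabled security groups are visible in address lists. The function name and the finding labels are assumptions.

```powershell
# Added example, not part of the original documentation.
# Assumes an Exchange Online PowerShell session is already imported.
# Get-DistributionGroupExposure is a hypothetical helper name.
function Get-DistributionGroupExposure {
    [CmdletBinding()]
    param()

    Get-DistributionGroup -ResultSize unlimited | ForEach-Object {
        $group = $_
        $findings = @()

        # New groups require authenticated senders. $false means the group
        # accepts messages from senders outside the organization.
        if (-not $group.RequireSenderAuthenticationEnabled) {
            $findings += 'Accepts external senders'
            if (-not $group.ModerationEnabled) {
                $findings += 'External mail is not moderated'
            }
        }

        # Open join lets anyone add themselves without owner approval.
        if ($group.MemberJoinRestriction -eq 'Open') {
            $findings += 'Open join'
        }

        # Security groups grant access to resources and are rarely mail targets,
        # so a visible one is worth a second look.
        if ($group.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' -and
            -not $group.HiddenFromAddressListsEnabled) {
            $findings += 'Security group visible in address lists'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name                 = $group.Name
                PrimarySmtpAddress   = $group.PrimarySmtpAddress
                RecipientTypeDetails = $group.RecipientTypeDetails
                JoinRestriction      = $group.MemberJoinRestriction
                DepartRestriction    = $group.MemberDepartRestriction
                Owners               = @($group.ManagedBy) -join '; '
                Findings             = $findings -join '; '
            }
        }
    }
}

Get-DistributionGroupExposure |
    Sort-Object RecipientTypeDetails, Name |
    Format-Table -AutoSize -Wrap
```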

Change distribution group properties


Use the EAC to change distribution group properties
1. In the EAC, navigate to Recipients > Groups.
2. In the list of groups, click the distribution group that you want to view or change, and then click Edit.
3. On the group properties page, click one of the following sections to view or change properties.
General

Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what
it is. It also has to be unique in your domain.
If you've implemented a group naming policy, the display name has to conform to the naming format
defined by the policy.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also,
the email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. To send email to this group, a sender has to type the group's alias or email address on the
To: or Cc: lines.

TIP
Consider hiding security groups because they're typically used to assign permissions to group members and not to
send email.

Organizational unit: This read-only box displays the organizational unit (OU) that contains the
distribution group. You have to use Active Directory Users and Computers to move the group to a
different OU.
Ownership

Use this section to assign group owners. The group owner can add members to the group, approve or reject
requests to join or leave the group, and approve or reject messages sent to the group. By default, the person who
creates a group is the owner. All groups must have at least one owner.
You can add owners by clicking Add. You can remove an owner by selecting the owner and then clicking
Remove.
Membership

Use this section to add or remove members. Group owners don't have to be members of the group. Under
Members, you can add members by clicking Add. You can remove a member by selecting a user in the
member list and then clicking Remove.
Membership approval

Use this section to specify whether approval is required for users to join or leave the group.
Choose whether owner approval is required to join the group: Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners
Closed: Members can be added only by the group owners. All requests to join will be
rejected automatically
Owner Approval: All requests are approved or rejected by the group owners: If you select
this option, the group owner or owners receive an email requesting approval to join the group.
Choose whether the group is open to leave: Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically
Delivery management

Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside of your organization sends an email
message to this group, it will be rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages
to the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.

IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact will be rejected, even if they are added to this list.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization when their messages aren't approved: When you select
this option, only people or groups in your organization are notified when a message that they sent
to the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options

Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in
the * Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box.

Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

Edit: To change an email address associated with the group, select it in the list, and then click Edit.

NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address
check box.

Remove: To delete an email address associated with the group, select it in the list, and then click Remove.
Automatically update email addresses based on the email address policy applied to this
recipient: Select this check box to have the recipient's email addresses automatically updated based on
changes made to email address policies in your organization. This box is selected by default.
MailTip

Use this section to add a MailTip to alert users of potential issues if they send a message to this group. A MailTip
is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email message.
For example, you could add a MailTip to large groups to warn potential senders that their message will be sent to
lots of people.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Group delegation

Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group
or send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group.
After this permission is assigned, the delegate has the option to add the group in the From line. The
message will appear to be sent by the group and will say that it was sent by the delegate on behalf of the
group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use Exchange Online PowerShell to change distribution group properties
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change properties for
distribution groups. Advantages of using Exchange Online PowerShell are the ability to change the properties
that aren't available in the EAC and to change properties for multiple groups. For information about which
parameters correspond to distribution group properties, see the following topics:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of using Exchange Online PowerShell to change distribution group properties.
This example changes the primary SMTP address (also called the reply address) for the Seattle Employees
distribution group from employees@contoso.com to sea.employees@contoso.com. Also, the previous reply
address will be kept as a proxy address.

Set-DistributionGroup "Seattle Employees" -EmailAddresses SMTP:sea.employees@contoso.com,smtp:employees@contoso.com

This example limits the maximum message size that can be sent to all distribution groups in the organization to
10 megabytes (MB).

Get-DistributionGroup -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalDistributionGroup')} | Set-DistributionGroup -MaxReceiveSize 10MB

This example enables moderation for the distribution group Customer Support and sets the moderator to Amy.
In addition, this moderated distribution group will notify senders who send mail from within the organization if
their messages aren't approved.

Set-DistributionGroup -Identity "Customer Support" -ModeratedBy "Amy" -ModerationEnabled $true -SendModerationNotifications 'Internal'

This example changes the user-created distribution group Dog Lovers to require the group manager to approve
users' requests to join the group. In addition, by using the BypassSecurityGroupManagerCheck parameter, the
group manager will not be notified that a change was made to the distribution group's settings.

Set-DistributionGroup -Identity "Dog Lovers" -MemberJoinRestriction 'ApprovalRequired' -BypassSecurityGroupManagerCheck

How do you know this worked?


To verify that you've successfully changed properties for a distribution group, do the following:
In the EAC, select the group and then click Edit to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the Details pane for the selected
group.
In Exchange Online PowerShell, use the Get-DistributionGroup cmdlet to verify the changes. One
advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple
groups. In the example above where the recipient limit was changed, run the following command to verify
the new value.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Format-List Name,RecipientLimits

For the example above where the message limits were changed, run this command.

Get-Mailbox -OrganizationalUnit "Marketing" | Format-List Name,IssueWarningQuota,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults

Create a distribution group naming policy
3/4/2019 • 4 minutes to read

A group naming policy lets you standardize and manage the names of distribution groups created by users in your
organization. You can require a specific prefix and suffix be added to the name for a distribution group when it's
created, and you can block specific words from being used. This helps you minimize the use of inappropriate
words in group names.
A group naming policy:
Enforces a consistent naming strategy for groups created by users.
Identifies distribution groups in the shared address book.
Suggests the function or membership of the group.
Identifies the type of users who are likely members of the group.
Identifies the geographic region the group is used in.
Blocks inappropriate words in group names.
How does a group naming policy work? When a user creates a group, they specify a name in the Display Name
field. After the group is created, Microsoft Exchange applies the group naming policy by adding any prefix or suffix
that you've defined in the group naming policy. The full name is displayed in the distribution groups list in the
Exchange admin center (EAC), the shared address book, and the To:, Cc:, and From: fields in email messages. If a
user tries to use a word that you've blocked, they get an error message when they try to save the new group and
are asked to remove the blocked word and save the group again.
Here are some examples of a group naming policy. In each, <Group Name> is a descriptive name provided by
the person who creates the group. Exchange adds the prefixes and suffixes defined by the policy to the display
name when the group is created.
Text strings, with underscore characters, used for a single prefix (DG) and suffix (Users):
DG_<Group Name>_Users
Multiple prefixes (DG and Contoso) and one suffix (Users), using text strings:
DG_Contoso_<Group Name>_Users
An attribute (Department) used for the prefix:
Department_<Group Name>
For example, say that your school populates the Department attribute for faculty members. Here's an
example of a group name created by a faculty member in the Psychology department:
Psychology_Cognitive201
In this example, the underscore character (_) is provided as the only text string in a second prefix to separate
the department name from the group name.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Distribution Groups" entry in the Recipients permissions topic.
The maximum length for a group name is 64 characters. This includes the combined number of characters
in the prefix, the group name provided by the user, and the suffix.
The group naming policy is applied only to groups created by users. When you or other administrators use
the EAC to create distribution groups, the group naming policy is ignored and not applied to the group
name.
Group names are created without spacing. We recommend that you use an underscore character (_) or
some other placeholder between text strings, attributes, and the group name.
You can use Windows PowerShell to override the group naming policy when you create and edit a
distribution group. For more information, see Override the distribution group naming policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create a group naming policy


1. In the EAC, select Groups > More > Configure group naming policy.
2. Under Group Naming Policy, configure the prefix by selecting either Attribute or Text in the pull-down
menu.
Attribute: Select the attribute and then click OK.
Text: Type the text string and click OK.
Notice that the text string that you typed or the attribute you selected is displayed as a hyperlink. Click the
hyperlink to change the text string or attribute.
3. Click Add to add additional prefixes.
4. For the suffix, in the pull-down menu, select either Attribute or Text, and configure the suffix.
5. Click Add to add additional suffixes.
After you add a prefix or suffix, notice that a preview of the group naming policy is displayed.
6. To delete a prefix or suffix from the policy, click Remove.
7. Click Blocked Words to add or remove blocked words.
To add a word to the list, type the word to block and click Add.
To remove a word from the list, select it and click Remove.
To edit an existing blocked word, select it and click Edit.
8. When you are finished, click Save.

How do you know this worked?


To verify that you've successfully created a group naming policy, do the following:
In the EAC, select Groups > More > Configure group naming policy.
On the Group naming policy page, the group naming policy that you defined is displayed under Preview
of policy.
In Windows PowerShell, run the following command to display the group naming policy.

Get-OrganizationConfig | Format-List DistributionGroupNamingPolicy


Override the distribution group naming policy
3/4/2019 • 2 minutes to read

The group naming policy for distribution groups is applied only to groups created by users. When you or other
administrators use the Exchange admin center (EAC) to create distribution groups, the group naming policy is
ignored and not applied to the group name.
However, if you use Exchange Online PowerShell to create or rename a distribution group, the group naming
policy is applied to groups created by administrators unless you use the IgnoreNamingPolicy parameter to
override the group naming policy.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Distribution Groups" entry in the Recipients permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to override the group naming policy when you create a new group

To override the group naming policy, run the following command.

New-DistributionGroup -Name <Group Name> -IgnoreNamingPolicy

For example, if the group naming policy for your organization is DG_<Group Name>_Users, run the following
command to create a group named All Administrators.

New-DistributionGroup -Name "All Administrators" -IgnoreNamingPolicy

When Microsoft Exchange creates this group, it uses All Administrators for both the Name and DisplayName
parameters.

Use Exchange Online PowerShell to override the group naming policy when you rename a group

To override the group naming policy when you rename an existing group with Exchange Online PowerShell, run
the following command.

Set-DistributionGroup -Identity <Old Group Name> -Name <New Group Name> -DisplayName <New Group Name> -IgnoreNamingPolicy

For example, say you created a group naming policy late one night, and the next morning you realize that you
misspelled the text string in the prefix and that a new group has already been created with the misspelled
prefix. You can fix the group naming policy in the EAC, but you have to use Exchange Online PowerShell to
rename the group with the misspelled name. Run the following command.

Set-DistributionGroup -Identity "Government_Contracts_NWRegion" -Name "Government_ContractEstimates_NWRegion" -DisplayName "Government_ContractEstimates_NWRegion" -IgnoreNamingPolicy

IMPORTANT
Be sure to include the DisplayName parameter when you rename a group. If you don't, the old name is still displayed in the
shared address book on the To:, Cc:, and From: lines in email messages.

How do you know this worked?


To verify that you've successfully created or renamed a distribution group that ignores the group naming policy,
run the following commands.

Get-DistributionGroup <Name> | Format-List DisplayName

Get-OrganizationConfig | Format-List DistributionGroupNamingPolicy

If the format of the display name for the group is different than the one enforced by your organization's group
naming policy, it worked.
Manage dynamic distribution groups
3/29/2019 • 15 minutes to read

Dynamic distribution groups are mail-enabled Active Directory group objects that are created to expedite the mass
sending of email messages and other information within a Microsoft Exchange organization.
Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic
distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that
you define. When an email message is sent to a dynamic distribution group, it's delivered to all recipients in the
organization that match the criteria defined for that group.

IMPORTANT
A dynamic distribution group includes any recipient in Active Directory with attribute values that match its filter. If a
recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start
receiving messages that are sent to the group. Well-defined, consistent account provisioning processes will reduce the
chances of this issue occurring.

What do you need to know before you begin?


Estimated time to complete: 2 to 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Dynamic distribution groups" entry in the Recipients Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a dynamic distribution group


Use the EAC to create a dynamic distribution group
1. In the EAC, navigate to Recipients > Groups > New > Dynamic distribution group.
2. On the New dynamic distribution group page, complete the following boxes:
* Display name: Use this box to type the display name. This name appears in the shared address book, on
the To: line when email is sent to this group, and in the Groups list in the EAC. The display name is required
and should be user-friendly so people recognize what it is. It also must be unique in the forest.

NOTE
Group naming policy isn't applied to dynamic distribution groups.

* Alias: Use this box to type the name of the alias for the group. The alias cannot exceed 64 characters and
must be unique in the forest. When a user types the alias in the To: line of an email message, it resolves to
the group's display name.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the shared address book.
Organizational unit: You can select an organizational unit (OU) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users container in
the Active Directory domain that contains the computer on which the EAC is running. If the recipient scope
is set to a specific domain, the Users container in that domain is selected by default. If the recipient scope is
set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the OU you want, and then click OK.
Owner: An owner for a dynamic distribution group is optional. You can add owners by clicking Browse and
then selecting users from the list.
3. Use the Members section to specify the types of recipients for the group and set up rules that will determine
membership. Select one of the following boxes:
All recipient types: Choose this option to send messages that meet the criteria defined for this group to all
recipient types.
Only the following recipient types: Messages that meet the criteria defined for this group will be sent to
one or more of the following recipient types:
Users with Exchange mailboxes: Select this check box if you want to include users that have Exchange
mailboxes. Users that have Exchange mailboxes are those that have a user domain account and a mailbox in
the Exchange organization.
Users with external email addresses: Select this check box if you want to include users that have external
email addresses. Users that have external email accounts have user domain accounts in Active Directory,
but use email accounts that are external to the organization. This enables them to be included in the global
address list (GAL) and added to distribution lists.
Resource mailboxes: Select this check box if you want to include Exchange resource mailboxes. Resource
mailboxes allow you to administer company resources through a mailbox, such as a conference room or a
company vehicle.
Contacts with external email addresses: Select this check box if you want to include contacts that have
external email addresses. Contacts that have external email addresses don't have user domain accounts in
Active Directory, but the external email address is available in the GAL.
Mail-enabled groups: Select this check box if you want to include security groups or distribution groups
that have been mail-enabled. Mail-enabled groups are similar to distribution groups. Email messages that
are sent to a mail-enabled group account will be delivered to several recipients.
4. Click Add a rule to define the criteria for membership in this group.
5. Select one of the following recipient attributes from the drop-down list and provide a value. If the value for
the selected attribute matches that value you define, the recipient receives a message sent to this group.

| Attribute | Send message to a recipient if... |
|---|---|
| Recipient container | The recipient object resides in the specified domain or OU. |
| State or province | The specified value matches the recipient's State or province property. |
| Company | The specified value matches the recipient's Company property. |
| Department | The specified value matches the recipient's Department property. |
| Custom attributeN (where N is a number from 1 to 15) | The specified value matches the recipient's CustomAttributeN property. |

IMPORTANT
The values that you enter for the selected attribute must exactly match those that appear in the recipient's
properties. For example, if you enter Washington for State or province, but the value for the recipient's
property is WA, the condition will not be met. Also, text-based values that you specify aren't case-sensitive.
For example, if you specify Contoso for the Company attribute, messages will be sent to a recipient if this
value is contoso.

6. In the Specify words or phrases window, type the value in the text box. Click Add and then click OK.
7. To add another rule to define the criteria for membership, click Add a rule under the previous rule that you
created.

IMPORTANT
If you add multiple rules to define membership, a recipient must meet the criteria of each rule to receive a message
sent to the group. In other words, each rule is connected with the Boolean operator AND.

8. When you've finished, click Save to create the dynamic distribution group.

NOTE
If you want to specify rules for attributes other than the ones available in the EAC, you must use Exchange Online PowerShell
to create a dynamic distribution group. Keep in mind that the filter and condition settings for dynamic distribution groups
that have custom recipient filters can be managed only by using Exchange Online PowerShell. For an example of how to
create a dynamic distribution group with a custom query, see the next section on using Exchange Online PowerShell to
create a dynamic distribution group.

Use Exchange Online PowerShell to create a dynamic distribution group


This example creates the dynamic distribution group "Mailbox Users DDG" that contains only mailbox users.

New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Mailbox Users DDG" -OrganizationalUnit Users

This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users on a server called Server1.

New-DynamicDistributionGroup -Name "Mailbox Users on Server1" -OrganizationalUnit Users -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox' -and ServerName -eq 'Server1'))}

This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users that have a value of "FullTimeEmployee" in the CustomAttribute10 property.

New-DynamicDistributionGroup -Name "Full Time Employees" -RecipientFilter {(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute10 -eq 'FullTimeEmployee')}

For detailed syntax and parameter information, see New-DynamicDistributionGroup.


How do you know this worked?
To verify that you've successfully created a dynamic distribution group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new dynamic distribution group is displayed in the
group list. Under Group Type, the type is Dynamic distribution group.
In Exchange Online PowerShell, run the following command to display information about the new dynamic
distribution group.

Get-DynamicDistributionGroup | Format-List Name,RecipientTypeDetails,RecipientFilter,PrimarySmtpAddress
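
Because membership is recalculated from recipient attributes, one way to catch the unintended membership described in the IMPORTANT note at the start of this topic is to record the evaluated membership and compare it on a schedule. The following is an added example, not part of the original documentation; the function names, sample addresses and baseline file are hypothetical, and the two live functions assume a connected Exchange Online PowerShell session.

```powershell
# Added example: detect drift in the evaluated membership of a dynamic distribution group.
# Function names, sample addresses and the baseline path are hypothetical.

function Compare-MemberSnapshot {
    # Pure set difference on SMTP addresses (case-insensitive); needs no Exchange session.
    param(
        [string[]]$Baseline = @(),
        [string[]]$Current  = @()
    )
    foreach ($address in $Current) {
        if ($address -notin $Baseline) {
            [pscustomobject]@{ Address = $address; Change = 'Added' }
        }
    }
    foreach ($address in $Baseline) {
        if ($address -notin $Current) {
            [pscustomobject]@{ Address = $address; Change = 'Removed' }
        }
    }
}

function Get-DdgMemberAddress {
    # Evaluates the group's stored filter against the directory, as Exchange does at send time.
    param([Parameter(Mandatory)][string]$GroupName)

    $ddg = Get-DynamicDistributionGroup -Identity $GroupName
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                  -OrganizationalUnit $ddg.RecipientContainer `
                  -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress }
}

function Test-DdgMembershipDrift {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$BaselinePath   # text file, one address per line
    )
    $current = @(Get-DdgMemberAddress -GroupName $GroupName | Sort-Object)

    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: record the reviewed membership instead of reporting everything as new.
        Set-Content -LiteralPath $BaselinePath -Value $current -Encoding UTF8
        Write-Warning "No baseline existed; recorded $($current.Count) members in $BaselinePath."
        return
    }

    $baseline = @(Get-Content -LiteralPath $BaselinePath)
    Compare-MemberSnapshot -Baseline $baseline -Current $current
}

# Constructed sample data (not real recipients): one account gained a matching attribute value.
$before = 'amy@contoso.com', 'raj@contoso.com'
$after  = 'amy@contoso.com', 'RAJ@contoso.com', 'temp.contractor@contoso.com'
Compare-MemberSnapshot -Baseline $before -Current $after | Format-Table -AutoSize

# Live use against the group created above:
# Test-DdgMembershipDrift -GroupName 'Full Time Employees' -BaselinePath .\fte-baseline.txt
```

Review each Added row against the provisioning records before refreshing the baseline file.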

Change dynamic distribution group properties


Use the EAC to change dynamic distribution group properties
1. In the EAC, navigate to Recipients > Groups.
2. In the list of groups, click the dynamic distribution group that you want to view or change, and then click
Edit.
3. On the group's properties page, click one of the following sections to view or change properties.
General

Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what it
is. It also has to be unique in your domain.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also, the
email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. To send email to this group, a sender has to type the group's alias or email address on the To:
or Cc: lines.
Organizational unit: This read-only box displays the organizational unit (OU) that contains the dynamic
distribution group. You have to use Active Directory Users and Computers to move the group to a different
OU.
Ownership

Use this section to assign a group owner. A dynamic distribution group can have only one owner. The group owner
appears on the Managed by tab of the object in Active Directory Users and Computers.
You can add owners by clicking Browse and selecting the owner from the list. To remove the owner, click Clear
and then click Save.
Membership
Use this section to change the criteria used to determine membership of the group. You can delete or change
existing membership rules and add new rules. For procedures that tell you how to do this, see Use the EAC to
create a dynamic distribution group in the procedures for configuring membership when you use the EAC to
create a new dynamic distribution group.
Delivery management

Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside your organization sends an email
message to this group, it is rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages to
the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.

IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact is rejected, even if they're added to this list.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization only when their messages aren't approved: When you
select this option, only people or groups in your organization are notified when a message that they
sent to the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options

Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.

NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box.

Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

Edit: To change an email address associated with the group, select it from the list, and then click Edit.

NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address check
box.

Remove: To delete an email address associated with the group, select it from the list, and then click
Remove.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
MailTip

Use this section to add a MailTip to alert users of potential issues before they send a message to this group. A
MailTip is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email
message. For example, you could add a MailTip to large groups to warn potential senders that their message will
be sent to lots of people.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Group delegation

Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or
send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group on the From line. The message
will appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
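
Send As and Send on Behalf Of grants let a delegate put the group on the From line, so they are worth inventorying for both distribution groups and dynamic distribution groups. The following is an added example, not part of the original documentation: the function names, the approved-list format and the sample rows are hypothetical, and the inventory function assumes a connected Exchange Online PowerShell session.

```powershell
# Added example: inventory Send As / Send on Behalf Of grants on groups and flag unapproved ones.
# Function names, the approved-list format and the sample rows are hypothetical.

function Get-GroupSendDelegation {
    # Requires a connected Exchange Online PowerShell session.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited) +
              @(Get-DynamicDistributionGroup -ResultSize Unlimited)

    foreach ($g in $groups) {
        $address = [string]$g.PrimarySmtpAddress

        # Send As is held as a recipient permission on the group object.
        Get-RecipientPermission -Identity $g.DistinguishedName -AccessRights SendAs |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $address; Permission = 'SendAs'; Delegate = [string]$_.Trustee }
            }

        # Send on Behalf Of is held in the group's GrantSendOnBehalfTo property.
        foreach ($delegate in $g.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Group = $address; Permission = 'SendOnBehalf'; Delegate = [string]$delegate }
        }
    }
}

function Find-UnapprovedDelegation {
    # Returns every grant that is missing from the approved list.
    # Approved entries use the form "group|permission|delegate" and match case-insensitively.
    param(
        [object[]]$Grant    = @(),
        [string[]]$Approved = @()
    )
    foreach ($g in $Grant) {
        $key = '{0}|{1}|{2}' -f $g.Group, $g.Permission, $g.Delegate
        if ($key -notin $Approved) { $g }
    }
}

# Constructed sample rows (not real grants) in the shape Get-GroupSendDelegation emits.
$grants = @(
    [pscustomobject]@{ Group = 'sea.employees@contoso.com'; Permission = 'SendAs';       Delegate = 'amy@contoso.com' }
    [pscustomobject]@{ Group = 'sea.employees@contoso.com'; Permission = 'SendOnBehalf'; Delegate = 'raj' }
    [pscustomobject]@{ Group = 'all.employees@contoso.com'; Permission = 'SendAs';       Delegate = 'temp.contractor@contoso.com' }
)
$approved = @(
    'sea.employees@contoso.com|SendAs|amy@contoso.com'
    'sea.employees@contoso.com|SendOnBehalf|raj'
)
Find-UnapprovedDelegation -Grant $grants -Approved $approved | Format-Table -AutoSize

# Live use:
# Find-UnapprovedDelegation -Grant @(Get-GroupSendDelegation) -Approved (Get-Content .\approved-delegations.txt)
```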
Use Exchange Online PowerShell to change dynamic distribution group properties
Use the Get-DynamicDistributionGroup and Set-DynamicDistributionGroup cmdlets to view and change
properties for dynamic distribution groups. Advantages of using Exchange Online PowerShell are the ability to
change the properties that aren't available in the EAC and change properties for multiple groups. For information
about what parameters correspond to distribution group properties, see the following topics:
Get-DynamicDistributionGroup
Set-DynamicDistributionGroup
Here are some examples of using Exchange Online PowerShell to change dynamic distribution group properties.
This example changes the following parameters for all dynamic distribution groups in the organization:
Hide all dynamic distribution groups from the address book
Set the maximum message size that can be sent to the group to 5MB
Enable moderation
Assign the administrator as the group moderator

Get-DynamicDistributionGroup -ResultSize unlimited | Set-DynamicDistributionGroup -HiddenFromAddressListsEnabled $true -MaxReceiveSize 5MB -ModerationEnabled $true -ModeratedBy administrator

This example adds the proxy SMTP email address, Seattle.Employees@contoso.com, to the All Employees group.

Set-DynamicDistributionGroup -Identity "All Employees" -EmailAddresses SMTP:All.Employees@contoso.com,smtp:Seattle.Employees@contoso.com

How do you know this worked?


To verify that you've successfully changed properties for a dynamic distribution group, do the following:
In the EAC, select the group and then click Edit to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the Details pane for the selected
group.
In Exchange Online PowerShell, use the Get-DynamicDistributionGroup cmdlet to verify the changes.
One advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple
groups. In the first example, you would run the following command to verify the new values.

Get-DynamicDistributionGroup -ResultSize unlimited | Format-List Name,HiddenFromAddressListsEnabled,MaxReceiveSize,ModerationEnabled,ModeratedBy

For the example above where the message limits were changed, run this command.

Get-Mailbox -OrganizationalUnit "Marketing" | Format-List Name,IssueWarningQuota,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults

View members of a dynamic distribution group
3/4/2019 • 2 minutes to read

Dynamic distribution groups are distribution groups whose membership is based on specific recipient filters rather
than a defined set of recipients. Microsoft Exchange provides precanned filters to make it easier to create recipient
filters for dynamic distribution groups. A precanned filter is a commonly used filter that you can use to meet a
variety of recipient-filtering criteria. You can specify the recipient types you want to include in a dynamic
distribution group. Additionally, you can also specify a list of conditions that the recipients must meet. You can use
Exchange Online PowerShell to preview the list of recipients for a dynamic distribution group that uses precanned
filters.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Dynamic distribution groups" entry in the Recipients Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to preview the list of members of a dynamic distribution group

This example returns the list of members for the dynamic distribution group named Full Time Employees. The first
command stores the dynamic distribution group object in the variable $FTE. The second command uses the
Get-Recipient cmdlet to list the recipients that match the criteria defined for the dynamic distribution group.

$FTE = Get-DynamicDistributionGroup "Full Time Employees"

Get-Recipient -RecipientPreviewFilter $FTE.RecipientFilter -OrganizationalUnit $FTE.RecipientContainer

For detailed syntax and parameter information, see Get-DynamicDistributionGroup and Get-Recipient.

NOTE
You cannot view members of a dynamic distribution group by using the EAC.

How do you know this worked?


To verify that you've successfully viewed the members of a dynamic distribution group, do the following:
In Exchange Online PowerShell, a list of members is returned after you run the previous command to preview a
list of dynamic distribution group members. For example, if you created a new user mailbox with properties that
match the recipient filter for the dynamic distribution group, this new user should be displayed in the list of
group members.
Manage mail-enabled security groups
3/4/2019 • 13 minutes to read

A mail-enabled security group can be used to distribute messages as well as to grant access permissions to
resources in Active Directory. For more information, see Recipients.

What do you need to know before you begin?


Estimated time to complete: 2 to 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Distribution groups" entry in the Recipients permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a mail-enabled security group


Use the EAC to create a security group
1. In the EAC, navigate to Recipients > Groups.
2. Click New > Security group.
3. On the New security group page, complete the following fields:
* Display name: Use this box to type the display name. This name appears in the shared address book, on
the To: line when email is sent to this group, and in the Groups list in the EAC. The display name is required
and should be user-friendly so people recognize what it is. It also must be unique in the forest.

NOTE
If a group naming policy is applied, you must follow the naming constraints enforced for your organization. For more
information, see Create a distribution group naming policy. If you want to override your organization's group naming
policy, see Override the distribution group naming policy.

* Alias: Use this box to type the alias for the security group. The alias can't exceed 64 characters and must
be unique in the forest. When a user types the alias on the To: line of an email message, it resolves to the
group's display name.
Description: Use this box to describe the security group so people know what the purpose of the group is.
Organizational unit: You can select an organizational unit (OU) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users container in
the Active Directory domain that contains the computer on which the EAC is running. If the recipient scope
is set to a specific domain, the Users container in that domain is selected by default. If the recipient scope is
set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the desired OU, and then click OK.
* Owners: By default, the person who creates a group is the owner. All groups must have at least one
owner. You can add owners by clicking Add.
Members: Use this section to add members and to specify whether approval is required for people to join
or leave the group.
Group owners don't have to be members of the group. Use Add group owners as members to add or
remove the owners as members.
To add members to the group, click Add. When you've finished adding members, click OK to return to
the New security group page.
Select the Owner approval is required check box if you want the group owners to receive user requests
to join the group. If you select this option, members can only be removed by the group owners.
4. When you've finished, click Save to create the security group.

NOTE
By default, all new mail-enabled security groups require that all senders be authenticated. This prevents external senders
from sending messages to mail-enabled security groups. To configure a mail-enabled security group to accept messages
from all senders, you must modify the message delivery restriction settings for that group.

Use Exchange Online PowerShell to create a security group


This example creates a security group with an alias fsadmin and the name File Server Managers. The security
group is created in the default OU, and anyone can join this group with approval by the group owners.

New-DistributionGroup -Name "File Server Managers" -Alias fsadmin -Type security

For more information about using Exchange Online PowerShell to create mail-enabled security groups, see
New-DistributionGroup.
How do you know this worked?
To verify that you've successfully created a mail-enabled security group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new mail-enabled security group is displayed in the
group list. Under Group Type, the type is Security group.
In Exchange Online PowerShell, run the following command to display information about the new
mail-enabled security group.

Get-DistributionGroup <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Change mail-enabled security group properties


Use the EAC to change mail-enabled security group properties
1. In the EAC, navigate to Recipients > Groups.
2. In the list of groups, click the security group that you want to view or change, and then click Edit.
3. On the group properties page, click one of the following sections to view or change properties.
General

Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when email is sent to this group,
and in the Groups list. The display name is required and should be user-friendly so people recognize what it
is. It also has to be unique in your domain.
* Alias: This is the portion of the email address that appears to the left of the at (@) symbol. If you change
the alias, the primary SMTP address for the group will also be changed, and contain the new alias. Also, the
email address with the previous alias will be kept as a proxy address for the group.
Description: Use this box to describe the group so people know what the purpose of the group is. This
description appears in the address book and in the Details pane in the EAC.
Hide this group from address lists: Select this check box if you don't want users to see this group in the
address book. If this check box is selected, a sender has to type the group's alias or email address on the To:
or Cc: lines to send mail to the group.

TIP
Consider hiding security groups because they're typically used to assign permissions to group members and not to
send email.

Organizational unit: This read-only box displays the organizational unit (OU) that contains the security
group. You have to use Active Directory Users and Computers to move the group to a different OU.
Ownership

Use this section to assign group owners. The group owner can add members to the group, and approve or reject
requests to join the group. By default, the person who creates a group is the owner. All groups must have at least
one owner.
You can add owners by clicking Add. You can remove an owner by selecting the owner and then clicking
Remove.
Membership

Use this section to add or remove members. Group owners don't have to be members of the group. Under
Members, you can add members by clicking Add. You can remove a member by selecting a user in the
member list and then clicking Remove.
Membership approval

Use this section to specify whether owner approval is required for users to join the group. If you select the Owner
approval is required check box, the group owner or owners receive an email requesting approval to join the
group. As previously mentioned, only owners can remove members from the group.

NOTE
This option will not work with mail-enabled security groups because of security-related limitations.

Delivery management

Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside of your organization sends an email
message to this group, it will be rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages to
the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove.

IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact will be rejected, even if they're added to this list.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages will be reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator,
and then click Remove. If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group will be sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add. To remove a person or a group, select the item, and then click Remove.
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Senders
inside and outside your organization will be notified when their messages aren't approved.
Notify senders in your organization when their messages aren't approved: When you select
this option, only people or groups in your organization are notified when a message that they sent to
the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options

Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box. This check box is displayed only when the Automatically update email addresses based on
the email address policy applied to this recipient check box isn't selected.

Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

Edit: To change an email address associated with the group, select it in the list, and then click Edit.

NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address check
box. As previously mentioned, this check box is displayed only when the Automatically update email addresses
based on the email address policy applied to this recipient check box isn't selected.

Remove: To delete an email address associated with the group, select it in the list, and then click Remove.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. By default, this box is selected.
MailTip

Use this section to add a MailTip to alert users of potential issues before they send a message to this group. A
MailTip is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email
message. For example, you could add a MailTip to large groups to warn potential senders that their message will
be sent to lots of people.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Group delegation

Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or
send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group in the From line. The message will
appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use Exchange Online PowerShell to change security group properties
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change properties for security
groups. Advantages of using Exchange Online PowerShell are the ability to change the properties that aren't
available in the EAC and to change properties for multiple security groups. For information about which
parameters correspond to which distribution group properties, see the following topics:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of using Exchange Online PowerShell to change security group properties.
This example displays a list of all security groups in the organization.

Get-DistributionGroup -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalSecurityGroup')}

This example changes the primary SMTP address (also called the reply address) for the Seattle Administrators
security group from admins@contoso.com to seattle.admins@contoso.com. The previous reply address will be
kept as a proxy address.

Set-DistributionGroup "Seattle Administrators" -EmailAddresses SMTP:seattle.admins@contoso.com,smtp:admins@contoso.com

This example hides all security groups in the organization from the address book.

Get-DistributionGroup -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalSecurityGroup')} | Set-DistributionGroup -HiddenFromAddressListsEnabled $true

How do you know this worked?


To verify that you've successfully changed properties for a security group, do the following:
In the EAC, select the group and then click Edit to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the Details pane for the selected
group.
In Exchange Online PowerShell, use the Get-DistributionGroup cmdlet to verify the changes. One
advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple
groups. In the example above where all security groups were hidden from the address book, run the
following command to verify the new value.

Get-DistributionGroup -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'MailUniversalSecurityGroup')} | Format-List Name,HiddenFromAddressListsEnabled
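
The following added example (not part of the original documentation) reviews several of the properties described in this topic at once: sender authentication, address book visibility, moderation without a named moderator, and Send on Behalf Of delegates. The function name Test-SecurityGroupExposure is hypothetical and the sample groups are constructed; in a live session, pipe the output of Get-DistributionGroup -ResultSize unlimited into the function instead.

```powershell
# Added example, not part of the original documentation.
# Test-SecurityGroupExposure is a hypothetical helper name.
function Test-SecurityGroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # Only mail-enabled security groups are in scope.
        if ("$($Group.RecipientTypeDetails)" -ne 'MailUniversalSecurityGroup') { return }

        # Empty multivalued properties can arrive as $null or as an empty
        # collection, so normalize both to a zero-length array.
        $moderators = @($Group.ModeratedBy | Where-Object { $_ })
        $delegates  = @($Group.GrantSendOnBehalfTo | Where-Object { $_ })

        $findings = [System.Collections.Generic.List[string]]::new()

        # New groups require authenticated senders by default.
        if (-not $Group.RequireSenderAuthenticationEnabled) {
            $findings.Add('Accepts messages from unauthenticated (external) senders')
        }
        # The topic suggests hiding security groups from address lists.
        if (-not $Group.HiddenFromAddressListsEnabled) {
            $findings.Add('Visible in the address book')
        }
        # With no moderator set, approval requests go to the group owners.
        if ($Group.ModerationEnabled -and $moderators.Count -eq 0) {
            $findings.Add('Moderation enabled with no moderator; owners receive approval requests')
        }
        # Delegates can send messages on behalf of the group.
        if ($delegates.Count -gt 0) {
            $findings.Add('Send on Behalf Of delegates: ' + ($delegates -join ', '))
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Group.Name
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects that mimic Get-DistributionGroup output.
$sampleGroups = @(
    [pscustomobject]@{
        Name = 'File Server Managers'
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        RequireSenderAuthenticationEnabled = $true
        HiddenFromAddressListsEnabled = $true
        ModerationEnabled = $false
        ModeratedBy = @()
        GrantSendOnBehalfTo = @()
    }
    [pscustomobject]@{
        Name = 'Seattle Administrators'
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        RequireSenderAuthenticationEnabled = $false
        HiddenFromAddressListsEnabled = $false
        ModerationEnabled = $true
        ModeratedBy = @()
        GrantSendOnBehalfTo = @('Karen Toh')
    }
    [pscustomobject]@{
        Name = 'All Employees'
        RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $false
        HiddenFromAddressListsEnabled = $false
        ModerationEnabled = $false
        ModeratedBy = @()
        GrantSendOnBehalfTo = @()
    }
)

# Only 'Seattle Administrators' is reported: the first group matches the
# defaults, and the last one is not a security group.
$sampleGroups | Test-SecurityGroupExposure | Format-List
```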
Allow/Block guest access to Office 365 groups
3/28/2019 • 3 minutes to read

You can allow or block guest users who are using a specific domain. For example, let's say your business (Contoso)
has a partnership with another business (Fabrikam). You can add Fabrikam to your Allow list so your users can add
those guests to their groups.
Or, let's say you want to block personal email address domains. You can set up a Block list that contains domains
like Gmail.com and Outlook.com.

Important information about how block lists work


You can create either an Allow list or Block list. But you can't set up both types of lists. By default,
whatever domains are not in an Allow list are on a Block list, and vice versa.
You can create only one policy per organization. You can update that policy with more domains, or you can
delete that policy to create a new one.
This list works independently from the SharePoint Online (SPO) allow/block list. You need to set up an
allow/block list for SPO if you want to restrict individual file sharing on a group-connected site.
This list doesn't apply to guest members who have already been added; it is enforced for all guests added
after the list is set up. However, you can remove them through the script.
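
The following added example (not part of the original article or of Set-GuestAllowBlockDomainPolicy.ps1) models the rules above to show which existing guests would fall outside a proposed list, since the policy itself is only enforced for guests added later. The function names are hypothetical, the guest objects are constructed, and exact case-insensitive domain matching is an assumption.

```powershell
# Added example, not part of the original article or the downloadable script.
# Function names are hypothetical. Assumption: a domain matches only when it
# equals a list entry exactly (case-insensitive); subdomains are not matched.
function Test-GuestDomainAllowed {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @()
    )
    # Either an Allow list or a Block list can exist, never both.
    if ($AllowList.Count -gt 0 -and $BlockList.Count -gt 0) {
        throw 'Set up either an Allow list or a Block list, not both.'
    }

    $at = $EmailAddress.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq ($EmailAddress.Length - 1)) {
        throw "Not an email address: $EmailAddress"
    }
    $domain = $EmailAddress.Substring($at + 1).Trim().ToLowerInvariant()

    # Allow list: every domain that is not listed is treated as blocked.
    if ($AllowList.Count -gt 0) { return ($AllowList -contains $domain) }
    # Block list: every domain that is not listed is treated as allowed.
    if ($BlockList.Count -gt 0) { return ($BlockList -notcontains $domain) }
    # No list configured: nothing is restricted.
    return $true
}

function Get-GuestOutsidePolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Guest,
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @()
    )
    process {
        $allowed = Test-GuestDomainAllowed -EmailAddress $Guest.Mail `
            -AllowList $AllowList -BlockList $BlockList
        if (-not $allowed) { $Guest }
    }
}

# Constructed sample of guests that were added before any list existed.
$sampleGuests = @(
    [pscustomobject]@{ DisplayName = 'Guest A'; Mail = 'a.guest@fabrikam.com' }
    [pscustomobject]@{ DisplayName = 'Guest B'; Mail = 'b.guest@Gmail.com' }
    [pscustomobject]@{ DisplayName = 'Guest C'; Mail = 'c.guest@outlook.com' }
    [pscustomobject]@{ DisplayName = 'Guest D'; Mail = 'd.guest@partner.example' }
)

# Block list of personal email domains: reports Guest B and Guest C.
$sampleGuests | Get-GuestOutsidePolicy -BlockList 'gmail.com', 'outlook.com'

# Allow list with only Fabrikam: reports Guest B, Guest C and Guest D.
$sampleGuests | Get-GuestOutsidePolicy -AllowList 'fabrikam.com'
```

The two calls return different sets for the same guests: Guest D passes the Block list but not the Allow list, which is the practical difference between the two list types.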

Install the preview version of the Azure Active Directory Module for Windows PowerShell
IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active Directory Module for
Windows PowerShell, specifically, the AzureADPreview module version 2.0.0.98 or later.
1. Open Windows PowerShell as an administrator:
a. In your search bar, type Windows PowerShell.
b. Right-click on Windows PowerShell and select Run as Administrator.

The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an
administrator.

2. Run this command to see if you have any versions of the Azure Active Directory Module for Windows
PowerShell installed on your computer:

Get-Module -ListAvailable AzureAD*

If no results are returned, run this command to install the latest version of the AzureADPreview module:

Install-Module AzureADPreview

If only the AzureAD module is shown in the results, run these commands to install the AzureADPreview
module:
Uninstall-Module AzureAD

Install-Module AzureADPreview

If only the AzureADPreview module is shown in the results, but the version is less than 2.0.0.98, run these
commands to update it:

Uninstall-Module AzureADPreview

Install-Module AzureADPreview

If both the AzureAD and AzureADPreview modules are shown in the results, but the version of the
AzureADPreview module is less than 2.0.0.98, run these commands to update it:

Uninstall-Module AzureAD

Uninstall-Module AzureADPreview

Install-Module AzureADPreview

Create a new Allow or Block list policy


1. Did you install the AzureADPreview module as instructed above? Not having the preview version is
the #1 reason these steps don't work for people.
2. Go to Script for Allow/Block policy at Microsoft Download Center to download the script
(Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.
3. Run the script with this command:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")

Where you replace contoso.com and fabrikam.com with the domains you want to allow.

OR

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

Remember, you can create only one policy. You'll get an error if you try to create another one.

Replace the existing policy with a new list of domains


To replace the existing policy with a new list of domains, run this command:

Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")


Where you replace contoso.com and fabrikam.com with the domains you want to allow.
OR

Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")

Add more domains to an existing policy


To append a new domain to your policy, run this command:

Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")

Where you replace contoso.com with the domain you want to allow.
OR

Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("contoso.com")

Migrate the existing allow/block policy from SharePoint Online


This list works independently from the SharePoint Online allow/block list. You need to set up an allow/block list
for SharePoint Online if you want to restrict individual file sharing on a group-connected site.
However, if your organization already has an allow/block list for SharePoint Online, you can migrate that list using
this command.
1. Install the SharePoint Online Management tool.
2. Run this command:

Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint

Clear the domain list


To remove all the domains from your policy, run this command:

Set-GuestAllowBlockDomainPolicy.ps1 -Remove

Script for Allow/Block policy


Go to Script for Allow/Block policy at Microsoft Download Center to download the script
(Set-GuestAllowBlockDomainPolicy.ps1) for Allow/Block policy.
Manage mail contacts
3/4/2019 • 9 minutes to read

Mail contacts are mail-enabled directory service objects that contain information about people or organizations
that exist outside your Exchange or Exchange Online organization. Each mail contact has an external email
address. For more information about mail contacts, see Recipients.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a mail contact


Use the EAC to create a mail contact
1. In the EAC, navigate to Recipients > Contacts.
2. Click New > Mail contact.
3. Complete the following boxes on the New mail contact page:
First name: Use this box to type the contact's first name.
Initials: Use this box to type the contact's initials.
Last name: Use this box to type the contact's last name.
* Display name: Use this box to type a display name for the contact. This is the name that's listed in the
contacts list in the EAC and in your organization's address book. By default, this box is populated with the
names you enter in the First name, Initials, and Last name boxes. If you didn't use those boxes, you must
still type a name in this box because it's required. The name can't exceed 64 characters.
* Name: Use this box to type a name for the contact. This is the name that's listed in the directory service.
Like the display name, this box is populated by default with the names you enter in the First name,
Initials, and Last name boxes. If you didn't use those boxes, you must still type a name in this box because
it's required. The name can't exceed 64 characters.
* Alias: Use this box to type an alias (64 characters or less) for the contact. This box is required.
* External email address: Use this box to type the outside email account of the contact. This box is
required. Email sent to this contact is forwarded to this email address.
Organizational unit: You can select an organizational unit (OU) other than the default, which is the
recipient scope. If the recipient scope is set to the forest, the default value is set to the Users container in the
domain that contains the computer on which the EAC is running. If the recipient scope is set to a specific
domain, the Users container in that domain is selected by default. If the recipient scope is set to a specific
OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within the
specified scope. Select the OU you want, and then click OK.

NOTE
The Organizational unit box is only available in Exchange Server. It isn't available in Exchange Online.

4. When you've finished, click Save.


Use Exchange Online PowerShell to create a mail contact
This example creates a mail contact for Debra Garcia in Exchange Server.

New-MailContact -Name "Debra Garcia" -ExternalEmailAddress dgarcia@tailspintoys.com -OrganizationalUnit Users

This example creates a mail contact for Alan Shen in Exchange Online.

New-MailContact -Name "Alan Shen" -ExternalEmailAddress alans@fourthcoffee.com

This example mail-enables an existing contact named Karen Toh in Exchange Server.

Enable-MailContact -Identity "Karen Toh" -ExternalEmailAddress ktoh@tailspintoys.com

How do you know this worked?


To verify that you've successfully created a mail contact, do one of the following:
In the EAC, navigate to Recipients > Contacts. The new mail contact is displayed in the contact list. Under
Contact Type, the type is Mail contact.
In Exchange Online PowerShell, run the following command to display information about the new mail
contact.

Get-MailContact <Name> | Format-List Name,RecipientTypeDetails,ExternalEmailAddress

Change mail contact properties


Use the EAC to change mail contact properties
1. In the EAC, navigate to Recipients > Contacts.
2. In the list of mail contacts and mail users, click the mail contact that you want to change the properties for,
and then click Edit.
3. On the mail contact properties page, click one of the following sections to view or change properties.
General

Use the General section to view or change basic information about the mail contact.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To and From lines in
email, and in the Mailbox list. This name can't contain empty spaces before or after the display name.
* Alias: This is the mail contact's alias. If you change it, it must be unique in the organization and must be
64 characters or less.
* External email address: This is the mail contact's primary SMTP address and their outside email account.
Email sent to this contact is forwarded to this email address.
Click More options to display the OU that contains the mail contact account. You have to use Active
Directory Users and Computers to move the contact to a different OU.
Contact Information

Use the Contact Information section to view or change the recipient's contact information, such as mailing
address and telephone numbers. This information is displayed in the address book.
Organization

Use the Organization section to record detailed information about the mail contact's role in the organization.
This information is displayed in the address book. Also, you can create a virtual organization chart that's
accessible from email clients such as Outlook.
Title: Use this box to view or change the contact's title.
Department: Use this box to view or change the department in which the contact works. You can use this
box to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to view or change the company for which the contact works. You can also use this
box to create recipient conditions for dynamic distribution groups.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a recipient who reports to a specific manager. If
you've specified a manager for the recipient, that recipient appears as a direct report in the details of the
manager's mailbox. For example, Toby manages Ann and Spencer, who are mail contacts, so Toby is
specified in the Manager box in the organization properties for Ann and Spencer, and Ann and Spencer
appear in the Direct reports box in the properties of Toby's mailbox.
Email Options

Use the Email Options section to add or remove proxy addresses for the mail contact or edit existing proxy
addresses. The mail contact's primary SMTP address is also displayed in this section, but you can't change it. To
change it, you have to change the contact's external email address in the General section.

NOTE
The Email Options section is only available in Exchange Server. It's not available in Exchange Online.

MailTip

Use the MailTip section to add a MailTip to alert users of potential issues before they send a message to this
recipient. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of
a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Use Exchange Online PowerShell to change mail contact properties


Properties for a mail contact are stored in both Active Directory and Exchange. In general, use the Get-Contact
and Set-Contact cmdlets to view and change organization and contact information properties. Use the Get-
MailContact and Set-MailContact cmdlets to view or change mail-related properties, such as email addresses,
the MailTip, custom attributes, and whether the contact is hidden from address lists.
For more information, see the following topics:
Get-Contact
Set-Contact
Get-MailContact
Set-MailContact
Here are some examples of using Exchange Online PowerShell to change mail contact properties.
This example configures the Title, Department, Company, and Manager properties for the mail contact Kai Axford.

Set-Contact "Kai Axford" -Title Consultant -Department "Public Relations" -Company Fabrikam -Manager "Karen Toh"

This example sets the CustomAttribute1 property to a value of PartTime for all mail contacts and hides them from
the organization's address book.

Get-MailContact | Set-MailContact -CustomAttribute1 PartTime -HiddenFromAddressListsEnabled $true

This example sets the CustomAttribute15 property to a value of TemporaryEmployee for all mail contacts in the
Public Relations department.

Get-Contact -Filter "Department -eq 'Public Relations'" | Set-MailContact -CustomAttribute15 TemporaryEmployee

How do you know this worked?


To verify that you've successfully changed properties for a mail contact, do the following:
In the EAC, select the mail contact, and then click Edit to view the property that you changed.
In Exchange Online PowerShell, use the Get-Contact and Get-MailContact cmdlets to verify the changes.
One advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple
mail contacts. In the example above where all mail contacts had the CustomAttribute1 property set to
PartTime and were hidden from the address book, run the following command to verify the changes.

Get-MailContact | Format-List Name,CustomAttribute1,HiddenFromAddressListsEnabled

In the example above where the CustomAttribute15 was set for all mail contacts in the Public Relations
department, run the following command to verify the changes.

Get-Contact -Filter "Department -eq 'Public Relations'" | Get-MailContact | Format-List Name,CustomAttribute15
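
The bulk commands above change every mail contact the pipeline returns, so it helps to snapshot the current values and preview the change before committing it. The following is an added example, not part of the original documentation; it assumes a connected Exchange Online PowerShell session, and the function names and snapshot file name are hypothetical.

```powershell
# Added example, not part of the original documentation.
# Assumes a connected Exchange Online PowerShell session.
# Function names and the snapshot file name are hypothetical.

function Set-ContactAttribute15Safely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $Department,
        [Parameter(Mandatory = $true)] [string] $Value,
        [string] $SnapshotPath = ".\mailcontacts-before-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    )

    # Double any single quote so the value cannot break out of the filter string.
    $safeDepartment = $Department.Replace("'", "''")

    # Resolve the full target set once. Without -ResultSize Unlimited the
    # recipient cmdlets stop at their default limit of 1000 results.
    $targets = @(Get-Contact -ResultSize Unlimited -Filter "Department -eq '$safeDepartment'" |
        Get-MailContact)
    if ($targets.Count -eq 0) {
        Write-Warning "No mail contacts found in department '$Department'."
        return
    }

    # Record the current values before touching anything. -WhatIf:$false makes
    # sure the snapshot is written even when the function runs as a preview.
    $targets |
        Select-Object DistinguishedName, Name, CustomAttribute15 |
        Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8 -WhatIf:$false -Confirm:$false
    Write-Verbose "Saved $($targets.Count) current values to $SnapshotPath"

    foreach ($contact in $targets) {
        # ShouldProcess honours -WhatIf and -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($contact.Name, "Set CustomAttribute15 to '$Value'")) {
            Set-MailContact -Identity $contact.DistinguishedName -CustomAttribute15 $Value -Confirm:$false
        }
    }

    # Read the objects back so the caller sees what is stored now.
    $targets |
        ForEach-Object { Get-MailContact -Identity $_.DistinguishedName } |
        Select-Object Name, CustomAttribute15
}

function Restore-ContactAttribute15 {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)] [string] $SnapshotPath)

    foreach ($row in Import-Csv -Path $SnapshotPath) {
        # An empty CSV cell means the attribute was not set; $null clears it.
        $previous = if ($row.CustomAttribute15) { $row.CustomAttribute15 } else { $null }
        if ($PSCmdlet.ShouldProcess($row.Name, 'Restore CustomAttribute15 from snapshot')) {
            Set-MailContact -Identity $row.DistinguishedName -CustomAttribute15 $previous -Confirm:$false
        }
    }
}

# Preview first, then apply:
# Set-ContactAttribute15Safely -Department 'Public Relations' -Value TemporaryEmployee -WhatIf
# Set-ContactAttribute15Safely -Department 'Public Relations' -Value TemporaryEmployee
```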

Bulk edit mail contacts


You can use the EAC to change selected properties for multiple mail contacts. When you select two or more mail
contacts from the contacts list in the EAC, the properties that can be bulk edited are displayed in the Details pane.
When you change one of these properties, the change is applied to all selected recipients.
When you bulk edit mail contacts, you can change the following property areas:
Contact Information: Change shared properties such as street, postal code, and city name.
Organization: Change shared properties such as department name, company name, and the manager that
the selected mail contacts or mail users report to.
Use the EAC to bulk edit mail contacts
1. In the EAC, navigate to Recipients > Contacts.
2. In the list of contacts, select two or more mail contacts. You can't bulk edit a combination of mail contacts
and mail users.

TIP
You can select multiple adjacent mail contacts by holding down the Shift key and clicking the first mail contact, and
then clicking the last mail contact you want to edit. You can also select multiple mail contacts by holding down the
Ctrl key and clicking each one that you want to edit.

3. In the Details pane, under Bulk Edit, click Update under Contact Information or Organization.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited mail contacts, do one of the following:
In the EAC, select each of the mail contacts that you bulk edited, and then click Edit to view the
properties that you changed.
In Exchange Online PowerShell, use the Get-Contact cmdlet to verify the changes. For example, say you
used the bulk edit feature in the EAC to change the manager and the office for all mail contacts from a
vendor company named A. Datum Corporation. To verify these changes, you could run the following
command in Exchange Online PowerShell.

Get-Contact -ResultSize unlimited -Filter {(Company -eq 'Adatum')} | Format-List Name,Office,Manager


Manage mail users
3/29/2019 • 17 minutes to read

Mail users are similar to mail contacts. Both have external email addresses and both contain information about
people outside your Exchange or Exchange Online organization that can be displayed in the shared address book
and other address lists. However, unlike a mail contact, a mail user has logon credentials in your Exchange or
Office 365 organization and can access resources. For more information, see Recipients.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a mail user


Use the EAC to create a mail user
1. In the EAC, navigate to Recipients > Contacts > New > Mail user.
2. On the New mail user page, in the * Alias box, type the alias for the mail user. The alias can't exceed 64
characters and must be unique in the forest. This box is required.
3. Do one of the following to specify the email address type for the mail user:
To specify an SMTP email address for the mail user's external email address, click SMTP.

NOTE
SMTP addresses are validated for correct formatting. If your entry is inconsistent with the SMTP format, an error
message will be displayed when you click Save to create the mail user.

To specify a custom address type, click the option button and then type the custom address type. For
example, you can specify an X.500, GroupWise, or Lotus Notes address.
4. In the * External email address box, type the mail user's external email address. Email sent to this mail
user is forwarded to this email address. This box is required.
5. Select one of the following options:
Existing user: Select to mail-enable an existing user.
Click Browse to open the Select User - Entire Forest dialog box. This dialog box displays a list of user
accounts in the organization that aren't mail-enabled or don't have mailboxes. Select the user account you
want to mail-enable, and then click OK. If you select this option, you don't have to provide user account
information because this information already exists in Active Directory.
New user: Select to create a new user account in Active Directory and mail-enable the user. If you select
this option, you'll have to provide the required user account information.
6. If you selected New User in Step 5, complete the following boxes on the New mail user page. Otherwise
skip to Step 7.
First name: Use this box to type the first name of the mail user.
Initials: Use this box to type the initials of the mail user.
Last name: Use this box to type the last name of the mail user.
* Display name: Use this box to type a display name for the user. This is the name that's listed in
the contacts list in the EAC and in your organization's address book. By default, this box is populated
with the names you enter in the First name, Initials, and Last name boxes. If you didn't use those
boxes, you must still type a name in this box because it's required. The name can't exceed 64
characters.
* User ID: Use this box to type the name that the mail user will use to log on to the domain. The
user logon name consists of a username on the left side of the at (@) symbol and a suffix on the
right side. Typically, the suffix is the domain name the user account resides in.
* New Password: Use this box to type the password that the mail user must use to log on to the
domain.

NOTE
Make sure that the password you supply complies with the password length, complexity, and history requirements
of the domain you're creating the user account in.

* Confirm password: Use this box to confirm the password that you typed in the Password box.
Require password change on next logon: Select this check box if you want mail users to reset the
password when they first log on to the domain.
If you select this check box, at first logon, the new mail user will be prompted with a dialog box in which to
change the password. The mail user won't be allowed to perform any tasks until the password is changed
successfully.
7. When you've finished, click Save to create the mail user.
Use Exchange Online PowerShell to create a mail user
This example creates a mail-enabled user account for Jeffrey Zeng with the following details:
The name and display name is Jeffrey Zeng (if you don't use the DisplayName parameter, the value of the
Name parameter is used for the display name).
The alias is jeffreyz.
The external email address is jzeng@tailspintoys.com.
The first name is Jeffrey and the last name is Zeng.
The logon name is jeffreyz@contoso.com.
The password is Pa$$word1.

New-MailUser -Name "Jeffrey Zeng" -Alias jeffreyz -ExternalEmailAddress jzeng@tailspintoys.com -FirstName Jeffrey -LastName Zeng -UserPrincipalName jeffreyz@contoso.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

This example creates a mail-enabled user account for Rene Valdes in Exchange Online.

New-MailUser -Name "Rene Valdes" -Alias renev -ExternalEmailAddress renevaldes@fineartschool.edu -FirstName Rene -LastName Valdes -MicrosoftOnlineServicesID renev@contoso.com -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force)
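
Both examples above embed the password as a literal in the command, which leaves it in script files and command history. The following added example (not part of the original documentation) prompts for the password instead and sets the PowerShell equivalent of the Require password change on next logon check box; it assumes a connected Exchange Online PowerShell session, and the function name is hypothetical.

```powershell
# Added example, not part of the original documentation.
# Assumes a connected Exchange Online PowerShell session.
# New-MailUserWithPrompt is a hypothetical helper name.

function New-MailUserWithPrompt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Alias,
        [Parameter(Mandatory = $true)] [string] $ExternalEmailAddress,
        [Parameter(Mandatory = $true)] [string] $MicrosoftOnlineServicesID,
        [string] $FirstName,
        [string] $LastName
    )

    # Read-Host -AsSecureString does not echo the input and returns a
    # SecureString, so the password never appears as a literal in the command.
    $first  = Read-Host -Prompt "Temporary password for $Name" -AsSecureString
    $second = Read-Host -Prompt 'Confirm password' -AsSecureString

    # Compare the two entries. The plaintext copies live only in these two
    # local variables and are removed immediately after the comparison.
    $a = [System.Net.NetworkCredential]::new('', $first).Password
    $b = [System.Net.NetworkCredential]::new('', $second).Password
    $match = ($a.Length -gt 0) -and ($a -ceq $b)
    Remove-Variable -Name a, b
    if (-not $match) {
        throw 'The passwords are empty or do not match. No mail user was created.'
    }

    $params = @{
        Name                      = $Name
        Alias                     = $Alias
        ExternalEmailAddress      = $ExternalEmailAddress
        MicrosoftOnlineServicesID = $MicrosoftOnlineServicesID
        Password                  = $first
        # Force the mail user to replace the temporary password at first sign-in.
        ResetPasswordOnNextLogon  = $true
    }
    if ($FirstName) { $params.FirstName = $FirstName }
    if ($LastName)  { $params.LastName  = $LastName }

    $null = New-MailUser @params

    # Same verification the page uses, returned as objects instead of a list view.
    Get-MailUser -Identity $Alias |
        Select-Object Name, RecipientTypeDetails, ExternalEmailAddress
}

# Usage, with the values from the Rene Valdes example above:
# New-MailUserWithPrompt -Name 'Rene Valdes' -Alias renev `
#     -ExternalEmailAddress renevaldes@fineartschool.edu `
#     -MicrosoftOnlineServicesID renev@contoso.com -FirstName Rene -LastName Valdes
```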

How do you know this worked?


To verify that you've successfully created a mail user, do one of the following:
In the EAC, navigate to Recipients > Contacts. The new mail user is displayed in the list of contacts.
Under Contact Type, the type is Mail user.
In Exchange Online PowerShell, run the following command to display information about the new mail
user.

Get-MailUser <Name> | Format-List Name,RecipientTypeDetails,ExternalEmailAddress

Change mail user properties


After you create a mail user, you can make changes and set additional properties by using the EAC or Exchange
Online PowerShell.
You can also change properties for multiple mail users at the same time. For more information, see Use the
EAC to bulk edit mail users.
The estimated time to complete this task will vary based on the number of properties you want to view or change.
Use the EAC to change mail user properties
1. In the EAC, navigate to Recipients > Contacts.
2. In the list of contacts, click the mail user that you want to change the properties for, and then click Edit.
3. On the mail user properties page, click one of the following sections to view or change properties.
General

Use the General section to view or change basic information about the mail user.
First name, Initials, Last name
* Name: This is the name that's listed in Active Directory. If you change this name, it can't exceed 64
characters.
* Display name: This name appears in your organization's address book, on the To: and From: lines in
email, and in the list of contacts in the EAC. This name can't contain empty spaces before or after the
display name.
* User logon name: This is the name that the user uses to log on to the domain. In Exchange Online, this
is the User ID that the user uses to sign in to Office 365.
Hide from address lists: Select this check box to prevent the mail user from appearing in the address
book and other address lists that are defined in your Exchange organization. After you select this check box,
users can still send messages to the recipient by using the email address.
Click More options to view or change these additional properties:
Custom attributes: This section displays the custom attributes defined for the mail user. To specify custom
attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Contact Information

Use the Contact Information section to view or change the user's contact information. The information on this
page is displayed in the address book. Click More options to display additional boxes.

TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.

Organization

Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that's accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari is specified in the Manager box for Chris and
Kate, and Chris and Kate appear in the Direct reports box in the properties of Kari's account.
Email Addresses

Use the Email Addresses section to view or change the email addresses associated with the mail user. This
includes the mail user's primary SMTP address, their external email address, and any associated proxy addresses.
The primary SMTP address (also known as the default reply address) is displayed in bold text in the address list,
with the uppercase SMTP value in the Type column. By default, after the mail user is created, the primary SMTP
address and the external email address are the same.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in
the * Email address box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting. You must
make sure that the custom address you specify complies with the format requirements for that address type.

Set the external email address: Use this box to change the mail user's external address. Email sent to this
mail user is forwarded to this email address.
Mail Flow Settings

Use the Mail Flow Settings section to view or change the following settings:
Message Size Restrictions: These settings control the size of messages that the mail user can send and
receive. Click View details to view and change maximum size for sent and received messages.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this mail user.
Click View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders
in the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Member Of

Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or
more dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed
on this page because their membership is calculated each time they're used.
MailTip

Use the MailTip section to add a MailTip to alert users of potential issues before they send a message to this
recipient. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of
a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Use Exchange Online PowerShell to change mail user properties


Properties for a mail user are stored in both Active Directory and Exchange. In general, use the Get-User and
Set-User cmdlets to view and change organization and contact information properties. Use the Get-MailUser and
Set-MailUser cmdlets to view or change mail-related properties, such as email addresses, the MailTip, custom
attributes, and whether the mail user is hidden from address lists.
For more information, see the following topics:
Get-User
Set-User
Get-MailUser
Set-MailUser
Here are some examples of using Exchange Online PowerShell to change mail user properties.
This example sets the external email address for Pilar Pinilla.

Set-MailUser "Pilar Pinilla" -ExternalEmailAddress pilarp@tailspintoys.com

This example hides all mail users from the organization's address book.

Get-MailUser | Set-MailUser -HiddenFromAddressListsEnabled $true

This example sets the Company property for all mail users to Contoso.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser')} | Set-User -Company Contoso

This example sets the CustomAttribute1 property to a value of ContosoEmployee for all mail users that have a
value of Contoso in the Company property.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Contoso')} | Set-MailUser -CustomAttribute1 ContosoEmployee

How do you know this worked?


To verify that you've successfully changed properties for mail users, do the following:
In the EAC, select the mail user and then click Edit to view the property that you changed.
In Exchange Online PowerShell, use the Get-User and Get-MailUser cmdlets to verify the changes. One
advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple mail
users.

Get-MailUser | Format-List Name,CustomAttribute1


In the example above where the Company property was set to Contoso for all mail users, run the
following command to verify the changes:

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser')} | Format-List Name,Company

In the example above where all mail users had the CustomAttribute1 property set to ContosoEmployee,
run the following command to verify the changes.

Get-MailUser | Format-List Name,CustomAttribute1
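
An added example (not part of the original documentation) that reports, for every mail user, the Message Delivery Restrictions and Hide from address lists settings described above, so that mail users who accept mail from unauthenticated senders stand out. It assumes a connected Exchange Online PowerShell session; the function name and the output column names are hypothetical.

```powershell
# Added example, not part of the original documentation.
# Assumes a connected Exchange Online PowerShell session.
# Get-MailUserDeliveryReport and its column names are hypothetical.

function Get-MailUserDeliveryReport {
    [CmdletBinding()]
    param()

    Get-MailUser -ResultSize Unlimited | ForEach-Object {
        $mailUser = $_

        # ExternalEmailAddress is shown with its address type prefix
        # (for example SMTP:user@domain); strip the prefix to get the domain.
        $external = "$($mailUser.ExternalEmailAddress)" -replace '^[^:]+:', ''
        $domain   = ($external -split '@')[-1].ToLowerInvariant()

        # Count the entries in the accept and reject lists; filter out nulls
        # so that an empty property is counted as 0 rather than 1.
        $acceptOnly = @($mailUser.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ }).Count
        $rejectFrom = @($mailUser.RejectMessagesFromSendersOrMembers | Where-Object { $_ }).Count

        $requireAuth = [bool]$mailUser.RequireSenderAuthenticationEnabled

        [pscustomobject]@{
            Name                        = $mailUser.Name
            ExternalDomain              = $domain
            RequireSenderAuthentication = $requireAuth
            AcceptOnlyFromCount         = $acceptOnly
            RejectFromCount             = $rejectFrom
            HiddenFromAddressLists      = [bool]$mailUser.HiddenFromAddressListsEnabled
            # "All senders" with the authentication check box cleared means
            # external, unauthenticated senders can reach this mail user.
            OpenToExternalSenders       = (-not $requireAuth) -and ($acceptOnly -eq 0)
        }
    }
}

# Mail users reachable by unauthenticated senders, grouped by external domain:
# Get-MailUserDeliveryReport |
#     Where-Object OpenToExternalSenders |
#     Group-Object ExternalDomain |
#     Sort-Object Count -Descending |
#     Select-Object Count, Name
#
# Keep a dated copy for comparison with the next review:
# Get-MailUserDeliveryReport |
#     Export-Csv ".\mailuser-delivery-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```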

Bulk edit mail users


You can also use the EAC to change selected properties for multiple mail users. When you select two or more mail
users from the contacts list in the EAC, the properties that can be bulk edited are displayed in the Details pane.
When you change one of these properties, the change is applied to all selected recipients.
When you bulk edit mail users, you can change the following property areas:
Contact Information: Change shared properties such as street, postal code, and city name.
Organization: Change shared properties such as department name, company name, and the manager
that the selected mail contacts or mail users report to.
Use the EAC to bulk edit mail users
1. In the EAC, navigate to Recipients > Contacts.
2. In the list of contacts, select two or more mail users. You can't bulk edit a combination of mail contacts and
mail users.

TIP
You can select multiple adjacent mail users by holding down the Shift key and clicking the first mail user, and then
clicking the last mail user you want to edit. You can also select multiple mail users by holding down the Ctrl key and
clicking each one that you want to edit.

3. In the Details pane, under Bulk Edit, click Update under Contact Information or Organization.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited mail users, do one of the following:
In the EAC, select each of the mail users that you bulk edited and then click Edit to view the properties
that you changed.
In Exchange Online PowerShell, use the Get-User cmdlet to verify the changes. For example, say you used
the bulk edit feature in the EAC to change the manager and the office for all mail users from a vendor
company named A. Datum Corporation. To verify these changes, you could run the following command in
Exchange Online PowerShell:

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Adatum')} | Format-List Name,Office,Manager

Use directory synchronization to manage mail users in Exchange Online
This section provides information about managing email users by using directory synchronization in Exchange
Online. Directory synchronization is available for hybrid customers with on-premises and cloud-hosted
mailboxes, and for fully hosted Exchange Online customers whose Active Directory is on-premises.
Notes:
If you use directory synchronization to manage your recipients, you can still add and manage users in the
Office 365 admin center, but they will not be synchronized with your on-premises Active Directory. This is
because directory synchronization only syncs recipients from your on-premises Active Directory to the
cloud.
Using directory synchronization is recommended for use with the following features:
Outlook safe sender and blocked sender lists: When synchronized to the service, these lists will
take precedence over spam filtering in the service. This lets users manage their own safe sender and
blocked sender lists on a per-user or per-domain basis.
Directory Based Edge Blocking (DBEB): For more information about DBEB, see Use Directory
Based Edge Blocking to reject messages sent to invalid recipients.
End user spam quarantine: In order to access the end user spam quarantine, end users must have
a valid Office 365 user ID and password. Customers with on-premises mailboxes must be valid
email users.
Mail flow rules (also known as transport rules): When you use directory synchronization, your
existing Active Directory users and groups are automatically uploaded to the cloud, and you can
then create mail flow rules that target specific users and/or groups without having to manually add
them via the EAC or Exchange Online PowerShell. Note that dynamic distribution groups can't be
synchronized via directory synchronization.
Before you begin
Get the necessary permissions and prepare for directory synchronization, as described in Prepare for directory
synchronization.
To synchronize user directories
1. Activate directory synchronization, as described in Activate directory synchronization.
2. Set up your directory synchronization computer, as described in Set up your directory sync computer.
3. Synchronize your directories, as described in Use the Configuration Wizard to sync your directories.

IMPORTANT
When you finish the Azure Active Directory Sync Tool Configuration Wizard, the MSOL_AD_SYNC account is created
in your Active Directory forest. This account is used to read and synchronize your on-premises Active Directory
information. In order for directory synchronization to work correctly, make sure that TCP 443 on your local directory
synchronization server is open.

4. Activate synced users, as described in Activate synced users.


5. Manage directory synchronization, as described in Manage directory synchronization.
6. Verify that Exchange Online is synchronizing correctly. In the EAC, go to Recipients > Contacts and view
that the list of users was correctly synchronized from your on-premises environment.
Create and manage room mailboxes
3/29/2019 • 13 minutes to read

A room mailbox is a resource mailbox that's assigned to a physical location, such as a conference room, an
auditorium, or a training room. After an administrator creates room mailboxes, users can easily reserve rooms by
including room mailboxes in meeting requests. For more details, check out Recipients.
For info about another type of resource mailbox, check out Manage equipment mailboxes.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.

IMPORTANT
If you're running Exchange Server in a hybrid scenario, make sure you create the room mailboxes in the appropriate place.
Create the room mailboxes for your on-premises organization on-premises, and create the room mailboxes for Exchange
Online in the cloud.

Create a room mailbox


Use the Exchange admin center to create a room mailbox
1. In the Exchange admin center, navigate to Recipients > Resources.
2. To create a room mailbox, click New > Room mailbox.
3. Use the options on the page to specify the settings for the new resource mailbox.
* Room name: Use this box to type a name for the room mailbox. This is the name that's listed in the
resource mailbox list in the Exchange admin center and in your organization's address book. This name is
required and it can't exceed 64 characters.

TIP
Although there are other fields that describe the details of the room, for example, Location and Capacity, consider
summarizing the most important details in the room name using a consistent naming convention. Why? So users
can easily see the details when they select the room from the address book in the meeting request.

* Email address: A room mailbox has an email address so it can receive booking requests. The email
address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your
domain name on the right. The email address is required.
Location, Phone, Capacity: You can use these fields to enter details about the room. However, as
explained earlier, you can include some or all of this information in the room name so users can see it.
4. When you're finished, click Save to create the room mailbox.
Once you've created your room mailbox, you can edit it to update info about booking options,
MailTips, and mailbox delegation. See the section Use the Exchange admin center to change room
mailbox properties below.
Use Exchange Online PowerShell to create a room mailbox
This example creates a room mailbox with the following configuration:
The mailbox's name is ConfRoom1. This name will also be used to create the room's email address.
The display name in the Exchange admin center and the address book will be Conference Room 1.
The Room switch specifies that this mailbox will be created as a room mailbox.

New-Mailbox -Name ConfRoom1 -DisplayName "Conference Room 1" -Room

For detailed syntax and parameter information, see New-Mailbox.


How do you know this worked?
You can make sure you've created the room mailbox correctly a couple of different ways:
In the Exchange admin center, navigate to Recipients > Resources. The new room mailbox is displayed in
the mailbox list. Under Mailbox Type, the type is Room.
In Exchange Online PowerShell, run the following command to display information about the new room
mailbox.

Get-Mailbox <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Create a room list


If you're planning to have more than a hundred rooms, or already have more than a hundred rooms created, use a
room list to help you organize your rooms. If your company has several buildings with rooms that can be booked
for meetings, it might help to create room lists for each building. Room lists are specially marked distribution
groups that you can use the same way you use distribution groups. However, you can only create room lists using
Exchange Online PowerShell.
Use Exchange Online PowerShell to create a room list
This example creates a room list for building 32.

New-DistributionGroup -Name "Building 32 Conference Rooms" -OrganizationalUnit "contoso.com/rooms" -RoomList

Use Exchange Online PowerShell to add a room to a room list


This example adds confroom3223 to the building 32 room list.

Add-DistributionGroupMember -Identity "Building 32 Conference Rooms" -Member confroom3223@contoso.com

Use Exchange Online PowerShell to convert a distribution group to a room list


You may already have created distribution groups in the past that contain your conference rooms. You don't need
to recreate them; we can convert them quickly into a room list.
This example converts the distribution group, building 34 conference rooms, to a room list.

Set-DistributionGroup -Identity "Building 34 Conference Rooms" -RoomList

Change room mailbox properties


After you create a room mailbox, you can make changes and set additional properties by using the Exchange
admin center or Exchange Online PowerShell.
Use the Exchange admin center to change room mailbox properties
1. In the Exchange admin center, navigate to Recipients > Resources.
2. In the list of resource mailboxes, click the room mailbox that you want to change the properties for, and
then click Edit.
3. On the room mailbox properties page, click one of the following sections to view or change properties.
General

Use the General section to view or change basic information about the resource.
* Room name: This name appears in the resource mailbox list in the Exchange admin center and in your
organization's address book. It can't exceed 64 characters if you change it.
* Email address: This read-only box displays the email address for the room mailbox. You can change it in
the Email Address section.
Capacity: Use this box to enter the maximum number of people who can safely occupy the room.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the account for
the room mailbox. You have to use Active Directory Users and Computers to move the account to a
different OU.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the room
mailbox. Use the Migration page in the Exchange admin center to move the mailbox to a different
database.
* Alias: Use this box to change the alias for the room mailbox.
Hide from address lists: Select this check box to prevent the room mailbox from appearing in the address
book and other address lists that are defined in your Exchange organization. After you select this check box,
users can still send booking messages to the room mailbox by using the email address.
Department: Use this box to specify a department name that the room is associated with. You can use this
property to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to specify a company that the room is associated with, if applicable. Like the
Department property, you can use this property to create recipient conditions for dynamic distribution
groups and address lists.
Address book policy: Use this option to specify an address book policy (ABP) for the room mailbox. ABPs
contain a global address list (GAL), an offline address book (OAB), a room list, and a set of address lists. To
learn more, see Address book policies.
In the drop-down list, select the policy that you want associated with this mailbox.
Custom attributes: This section displays the custom attributes defined for the room mailbox. To specify
custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Delegates

Use this section to view or change how the room mailbox handles reservation requests and to define who can
accept or decline booking requests if it isn't done automatically.
Booking requests: Select one of the following options to handle booking requests.
Accept or decline booking requests automatically: A valid meeting request automatically
reserves the room. If there's a scheduling conflict with an existing reservation, or if the booking
request violates the scheduling limits of the resource, for example, the reservation duration is too
long, the meeting request is automatically declined.
Select delegates who can accept or decline booking requests: Resource delegates are
responsible for accepting or declining meeting requests that are sent to the room mailbox. If you
assign more than one resource delegate, only one of them has to act on a specific meeting request.
Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified
delegates are listed. Click Add or Remove to add or remove delegates from this list.
Booking Options

Use the Booking Options section to view or change the settings for the booking policy that defines when the
room can be scheduled, how long it can be reserved, and how far in advance it can be reserved.
Allow repeating meetings: This setting allows or prevents repeating meetings for the room. By default,
this setting is enabled, so repeating meetings are allowed.
Allow scheduling only during working hours: This setting accepts or declines meeting requests that
aren't during the working hours defined for the room. By default, this setting is disabled, so meeting
requests are allowed outside the working hours. By default, working hours are 8:00 A.M. to 5:00 P.M.
Monday through Friday. You can configure the working hours of the room mailbox in the Appearance
section on the Calendar page.
Always decline if the end date is beyond this limit: This setting controls the behavior of repeating
meetings that extend beyond the date specified by the maximum booking lead time setting.
If you enable this setting, a repeating booking request is automatically declined if the bookings start
on or before the date specified by the value in the Maximum booking lead time box, and they
extend beyond the specified date. This is the default setting.
If you disable this setting, a repeating booking request is automatically accepted if booking requests
start on or before the date specified by the value in the Maximum booking lead time box, and
they extend beyond the specified date. However, the number of bookings is reduced so bookings
won't occur after the specified date.
Maximum booking lead time (days): This setting specifies the maximum number of days in advance that
the room can be booked. Valid input is an integer between 0 and 1080. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that the room can be reserved
in a booking request. The default value is 24 hours.
For repeating booking requests, the maximum booking duration applies to the length of each instance of
the repeating booking request.
There's also a box on this page that you can use to write a message that will be sent to users who send booking
requests to reserve the room.
Contact Information

Use the Contact Information section to view or change the contact information for the room. The information on
this page is displayed in the address book.

TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies, or
address lists.

Email Address

Use the Email Address section to view or change the email addresses associated with the room mailbox. This
includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP address
(also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled recipients within an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM-enabled user. Click this
button and type the extension number in the Address/Extension box. Then click Browse and select
a dial plan for the mailbox.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.

NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

NOTE
When you add a new email address, you have the option to make it the primary SMTP address.

Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip

Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the room mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc
lines of a new email message.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Use Exchange Online PowerShell to change room mailbox properties


Use the following sets of cmdlets to view and change room mailbox properties. Use the Get-Mailbox and
Set-Mailbox cmdlets to view and change general properties and email addresses for room mailboxes. Use the
Get-CalendarProcessing and Set-CalendarProcessing cmdlets to view and change delegates and booking options.
Get-User and Set-User: Use these cmdlets to view and set general properties such as location, department,
and company names.
Get-Mailbox and Set-Mailbox: Use these cmdlets to view and set mailbox properties, such as email
addresses and the mailbox database.
Get-CalendarProcessing and Set-CalendarProcessing: Use these cmdlets to view and set booking
options and delegates.
For information about these cmdlets, see the following topics:
Get-User
Set-User
Get-Mailbox
Set-Mailbox
Get-CalendarProcessing
Set-CalendarProcessing
Here are some examples of using Exchange Online PowerShell to change room mailbox properties.
This example changes the display name, the primary SMTP address (called the default reply address), and the
room capacity. Also, the previous reply address is kept as a proxy address.

Set-Mailbox "Conf Room 123" -DisplayName "Conf Room 31/123 (12)" -EmailAddresses SMTP:Rm33.123@contoso.com,smtp:rm123@contoso.com -ResourceCapacity 12

This example configures room mailboxes to allow booking requests to be scheduled only during working hours
and sets a maximum duration of 9 hours.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox')} | Set-CalendarProcessing -ScheduleOnlyDuringWorkHours $true -MaximumDurationInMinutes 540

This example uses the Get-User cmdlet to find all room mailboxes that correspond to private conference rooms,
and then uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Robin Wood to
accept or decline.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox') -and (DisplayName -like 'Private*')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Robin Wood"

How do you know this worked?


To verify that you've successfully changed properties for a room mailbox, do the following:
In the Exchange admin center, select the mailbox and then click Edit to view the property or feature that
you changed. Depending on the property that you changed, it might be displayed in the Details pane for the
selected mailbox.
In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using Exchange Online PowerShell is that you can view multiple properties for multiple mailboxes. In the
example above where booking requests could be scheduled only during working hours and have a
maximum duration of 9 hours, run the following command to verify the new values.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox')} | Get-CalendarProcessing | Format-List Identity,ScheduleOnlyDuringWorkHours,MaximumDurationInMinutes

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Manage equipment mailboxes
3/29/2019 • 11 minutes to read

An equipment mailbox is a resource mailbox assigned to a resource that's not location specific, such as a portable
computer, projector, microphone, or a company car. After an administrator creates an equipment mailbox, users
can easily reserve the piece of equipment by including the corresponding equipment mailbox in a meeting request.
You can use the EAC and Exchange Online PowerShell to create an equipment mailbox or change equipment
mailbox properties. For more information, see Recipients.
For information about another type of resource mailbox, a room mailbox, see Create and manage room mailboxes.

What do you need to know before you begin?


Estimated time to complete: 2 to 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create an equipment mailbox


Use the EAC to create an equipment mailbox
1. In the EAC, navigate to Recipients > Resources.
2. To create an equipment mailbox, click New > Equipment mailbox. To create a room mailbox, click New >
Room mailbox.
3. Use the options on the page to specify the settings for the new resource mailbox.
* Equipment name: Use this box to type a name for the equipment mailbox. This is the name that's listed
in the resource mailbox list in the EAC and in your organization's address book. This name is required and it
can't exceed 64 characters.

TIP
Although there are other fields that describe the details of the room, for example, Capacity, consider summarizing the
most important details in the equipment name using a consistent naming convention. Why? So users can easily see
the details when they select the equipment from the address book in a meeting request.

* Email address: An equipment mailbox has an email address so it can receive booking requests. The email
address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your
domain name on the right. The email address is required.
4. When you're finished, click Save to create the equipment mailbox.
Once you've created your equipment mailbox, you can edit your equipment mailbox to update info about booking
options, MailTips and delegates. Check out the Change equipment mailbox properties section below to change
room mailbox properties.
Use Exchange Online PowerShell to create an equipment mailbox
This example creates an equipment mailbox with the following configuration:
The equipment mailbox resides on Mailbox Database 1.
The equipment's name is MotorVehicle2 and the name will display in the GAL as Motor Vehicle 2.
The email address is MotorVehicle2@contoso.com.
The mailbox is in the Equipment organizational unit.
The Equipment parameter specifies that this mailbox will be created as an equipment mailbox.

New-Mailbox -Database "Mailbox Database 1" -Name MotorVehicle2 -OrganizationalUnit Equipment -DisplayName "Motor Vehicle 2" -Equipment

For detailed syntax and parameter information, see New-Mailbox.


How do you know this worked?
To verify that you've successfully created a user mailbox, do one of the following:
In the EAC, navigate to Recipients > Resources. The new user mailbox is displayed in the mailbox list.
Under Mailbox Type, the type is Equipment.
In Exchange Online PowerShell, run the following command to display information about the new
equipment mailbox.

Get-Mailbox <Name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress

Change equipment mailbox properties


After you create an equipment mailbox, you can make changes and set additional properties by using the EAC or
Exchange Online PowerShell.
Use the EAC to change equipment mailbox properties
1. In the EAC, navigate to Recipients > Resources.
2. In the list of resource mailboxes, click the equipment mailbox that you want to change the properties for,
and then click Edit.
3. On the equipment mailbox properties page, click one of the following sections to view or change properties.
General

Use the General section to view or change basic information about the resource.
* Equipment name: This name appears in the resource mailbox list in the EAC and in your organization's
address book. It can't exceed 64 characters if you change it.
* Email address: This read-only box displays the email address for the equipment mailbox. You can change
it in the Email Address section.
Capacity: Use this box to enter the maximum number of people who can use this resource, if applicable.
For example, if the equipment mailbox corresponds to a compact car, you could enter 4.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU) that contains the account for
the equipment mailbox. You have to use Active Directory Users and Computers to move the account to a
different OU.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the
equipment mailbox. Use the Migration page in the EAC to move the mailbox to a different database.
* Alias: Use this box to change the alias for the equipment mailbox.
Hide from address lists: Select this check box to prevent the equipment mailbox from appearing in the
address book and other address lists that are defined in your Exchange organization. After you select this
check box, users can still send booking messages to the equipment mailbox by using the email address.
Department: Use this box to specify a department name that the resource is associated with. You can use
this property to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to specify a company that the resource is associated with. Like the Department
property, you can use this property to create recipient conditions for dynamic distribution groups and
address lists.
Address book policy: Use this option to specify an address book policy (ABP) for the resource. ABPs
contain a global address list (GAL), an offline address book (OAB), a room list, and a set of address lists. To
learn more, see Address book policies.
In the drop-down list, select the policy that you want associated with this mailbox.
Custom attributes: This section displays the custom attributes defined for the equipment mailbox. To
specify custom attribute values, click Edit. You can specify up to 15 custom attributes for the recipient.
Delegates

Use this section to view or change how the equipment mailbox handles reservation requests and to define who
can accept or decline booking requests if it isn't done automatically.
Booking requests: Select one of the following options to handle booking requests.
Accept or decline booking requests automatically: A valid meeting request automatically
reserves the resource. If there's a scheduling conflict with an existing reservation, or if the booking
request violates the scheduling limits of the resource, for example, the reservation duration is too
long, the meeting request is automatically declined.
Select delegates who can accept or decline booking requests: Resource delegates are
responsible for accepting or declining meeting requests that are sent to the equipment mailbox. If
you assign more than one resource delegate, only one of them has to act on a specific meeting
request.
Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified
delegates are listed. Click Add or Remove to add or remove delegates from this list.
Booking Options

Use the Booking Options section to view or change the settings for the booking policy that defines when the
resource can be scheduled, how long it can be reserved, and how far in advance it can be reserved.
Allow repeating meetings: This setting allows or prevents repeating meetings for the resource. By
default, this setting is enabled, so repeating meetings are allowed.
Allow scheduling only during working hours: This setting accepts or declines meeting requests that
aren't during the working hours defined for the resource. By default, this setting is disabled, so meeting
requests are allowed outside the working hours. By default, working hours are 8:00 A.M. to 5:00 P.M.
Monday through Friday. You can configure the working hours of the equipment mailbox in the Appearance
section on the Calendar page.
Always decline if the end date is beyond this limit: This setting controls the behavior of repeating
meetings that extend beyond the date specified by the maximum booking lead time setting.
If you enable this setting, a repeating booking request is automatically declined if the bookings start
on or before the date specified by the value in the Maximum booking lead time box, and they
extend beyond the specified date. This is the default setting.
If you disable this setting, a repeating booking request is automatically accepted if the booking
requests start on or before the date specified by the value in the Maximum booking lead time
box, and they extend beyond the specified date. However, the number of bookings is reduced so
bookings won't occur after the specified date.
Maximum booking lead time (days): This setting specifies the maximum number of days in advance that
the resource can be booked. Valid input is an integer between 0 and 1080. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that the resource can be
reserved in a booking request. The default value is 24 hours.
For repeating booking requests, the maximum booking duration applies to the length of each instance of
the repeating booking request.
There is also a box on this page that you can use to write a message that will be sent to users who send meeting
requests to reserve the resource.
Contact Information

Use the Contact Information section to view or change the contact information for the resource. The information
on this page is displayed in the address book.

TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies, or
address lists.

Email Address

Use the Email Address section to view or change the email addresses associated with the equipment mailbox.
This includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP
address (also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP
value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service to locate UM-enabled recipients within an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM-enabled user. Click this
button and type the extension number in the Address/Extension box. Then click Browse and select
a dial plan for the mailbox.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.

NOTE
When you add a new email address, you have the option to make it the primary SMTP address.

Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip

Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the equipment mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc,
or Bcc lines of a new email message.

NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.

Use Exchange Online PowerShell to change equipment mailbox properties


Use the following sets of cmdlets to view and change equipment mailbox properties. Use the Get-Mailbox and
Set-Mailbox cmdlets to view and change general properties and email addresses for equipment mailboxes. Use the
Get-CalendarProcessing and Set-CalendarProcessing cmdlets to view and change delegates and booking
options.
Get-User and Set-User: Use these cmdlets to view and set general properties such as department and
company names.
Get-Mailbox and Set-Mailbox: Use these cmdlets to view and set mailbox properties, such as email
addresses and the mailbox database.
Get-CalendarProcessing and Set-CalendarProcessing: Use these cmdlets to view and set booking
options and delegates.
For information about these cmdlets, see the following topics:
Get-User
Set-User
Get-Mailbox
Set-Mailbox
Get-CalendarProcessing
Set-CalendarProcessing
Here are some examples of using Exchange Online PowerShell to change equipment mailbox properties.
This example changes the display name and primary SMTP address (called the default reply address) for the
MotorPool 1 equipment mailbox. The previous reply address is kept as a proxy address.

Set-Mailbox "MotorPool 1" -DisplayName "Motor Pool 1 - Compact" -EmailAddresses SMTP:MP1.compact@contoso.com,smtp:MP.1@contoso.com

This example configures equipment mailboxes to allow booking requests to be scheduled only during working
hours.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'EquipmentMailbox')} | Set-CalendarProcessing -ScheduleOnlyDuringWorkHours $true

This example uses the Get-User cmdlet to find all equipment mailboxes in the Audio Visual department, and then
uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Ann Beebe to accept or
decline.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'EquipmentMailbox') -and (Department -eq 'Audio Visual')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Ann Beebe"

How do you know this worked?


To verify that you've successfully changed properties for an equipment mailbox, do the following:
In the EAC, select the mailbox and then click Edit to view the property or feature that you changed.
Depending on the property that you changed, it might be displayed in the Details pane for the selected
mailbox.
In Exchange Online PowerShell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using Exchange Online PowerShell is that you can view multiple properties for multiple mailboxes. In the
example above where booking requests could be scheduled only during working hours, run the following
command to verify the new value.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'EquipmentMailbox')} | Get-CalendarProcessing | Format-List Identity,ScheduleOnlyDuringWorkHours
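
One way to check the Booking Options and delegate settings described in the room and equipment mailbox topics above across many resource mailboxes, as an added example that is not part of the original documentation. The function name Compare-BookingPolicy and the sample records are hypothetical; the property names are those returned by Get-CalendarProcessing, and the baseline uses the values from this topic's own examples.

```powershell
# Added example, not from the original documentation.
# Function name and sample data are hypothetical.

# Booking Options labels in the EAC and the calendar-processing property behind each,
# with the default values this topic states.
$BookingDefaults = [ordered]@{
    AllowRecurringMeetings      = $true    # Allow repeating meetings
    ScheduleOnlyDuringWorkHours = $false   # Allow scheduling only during working hours
    EnforceSchedulingHorizon    = $true    # Always decline if the end date is beyond this limit
    BookingWindowInDays         = 180      # Maximum booking lead time (days)
    MaximumDurationInMinutes    = 1440     # Maximum duration (hours): 24 hours
}

function Compare-BookingPolicy {
    # Emits one row per setting that differs from the baseline, plus a row when
    # booking requests are routed to delegates but no delegate is assigned.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $CalendarProcessing,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    process {
        $id = "$($CalendarProcessing.Identity)"
        foreach ($name in $Baseline.Keys) {
            $actual = $CalendarProcessing.$name
            if ($actual -ne $Baseline[$name]) {
                [pscustomobject]@{
                    Identity = $id; Setting = $name
                    Expected = $Baseline[$name]; Actual = $actual
                }
            }
        }
        # Drop null entries so that an unset property counts as "no delegates".
        $delegates = @($CalendarProcessing.ResourceDelegates | Where-Object { $_ })
        $needsDelegate = (-not $CalendarProcessing.AllBookInPolicy) -and
                         $CalendarProcessing.AllRequestInPolicy
        if ($needsDelegate -and $delegates.Count -eq 0) {
            [pscustomobject]@{
                Identity = $id; Setting = 'ResourceDelegates'
                Expected = 'at least one delegate'; Actual = 'none'
            }
        }
    }
}

# Baseline taken from the examples in this topic: working hours only, 9-hour maximum.
$baseline = [ordered]@{}
foreach ($k in $BookingDefaults.Keys) { $baseline[$k] = $BookingDefaults[$k] }
$baseline['ScheduleOnlyDuringWorkHours'] = $true
$baseline['MaximumDurationInMinutes']    = 540

# Constructed sample records shaped like Get-CalendarProcessing output (runs offline).
$sample = @(
    [pscustomobject]@{
        Identity = 'confroom3223'; AllowRecurringMeetings = $true
        ScheduleOnlyDuringWorkHours = $true; EnforceSchedulingHorizon = $true
        BookingWindowInDays = 180; MaximumDurationInMinutes = 540
        AllBookInPolicy = $true; AllRequestInPolicy = $false; ResourceDelegates = @()
    }
    [pscustomobject]@{
        Identity = 'Private Room 7'; AllowRecurringMeetings = $true
        ScheduleOnlyDuringWorkHours = $false; EnforceSchedulingHorizon = $true
        BookingWindowInDays = 180; MaximumDurationInMinutes = 1440
        AllBookInPolicy = $false; AllRequestInPolicy = $true; ResourceDelegates = @()
    }
)

# Reports three rows for 'Private Room 7' and none for 'confroom3223'.
$sample | Compare-BookingPolicy -Baseline $baseline | Format-Table -AutoSize

# With a connected Exchange Online PowerShell session, feed it live data instead:
#   Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox')} |
#       Get-CalendarProcessing | Compare-BookingPolicy -Baseline $baseline
```

For equipment mailboxes, use 'EquipmentMailbox' in the filter and a baseline that matches the equipment policy.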
Manage permissions for recipients in Exchange Online
3/29/2019 • 11 minutes to read

In Exchange Online, you can use the Exchange admin center (EAC) or Exchange Online PowerShell to assign
permissions to a mailbox or group so that other users can access the mailbox (the Full Access permission), or send
email messages that appear to come from the mailbox or group (the Send As or Send on Behalf permissions). The
users that are assigned these permissions on other mailboxes or groups are called delegates.
The permissions that you can assign to delegates for mailboxes and groups in Exchange Online are described in
the following table:
Note: Although you might be able to use Exchange Online PowerShell to assign some or all of these permissions to
other delegate types on other kinds of recipient objects, this topic focuses on the delegate and recipient object
types that produce useful results.

PERMISSION: Full Access

DESCRIPTION: Allows the delegate to open the mailbox, and view, add and remove the contents of the mailbox.
Doesn't allow the delegate to send messages from the mailbox.
If you assign the Full Access permission to a mailbox that's hidden from address lists, the delegate won't be
able to open the mailbox. By default, discovery mailboxes are hidden from address lists.
By default, the mailbox auto-mapping feature uses Autodiscover to automatically open the mailbox in the
delegate's Outlook profile (in addition to their own mailbox). If you don't want this to happen, you need to
take one of the following actions:
• Use the Add-MailboxPermission cmdlet in Exchange Online PowerShell to assign the Full Access permission
with the -AutoMapping $false setting. For more information, see the Use Exchange Online PowerShell to assign
the Full Access permission to mailboxes section in this topic.
• Assign the Full Access permission to a mail-enabled security group. The mailbox won't open in the Outlook
profile of each member.
RECIPIENT TYPES IN THE EAC: User mailboxes, Resource mailboxes, Shared mailboxes
ADDITIONAL RECIPIENT TYPES IN POWERSHELL: Discovery mailboxes
AVAILABLE DELEGATE TYPES: Mailboxes with user accounts, Mail users with accounts, Mail-enabled security groups

PERMISSION: Send As

DESCRIPTION: Allows the delegate to send messages as if they came directly from the mailbox or group. There's
no indication that the message was sent by the delegate.
Doesn't allow the delegate to read the contents of the mailbox.
If you assign the Send As permission to a mailbox that's hidden from address lists, the delegate won't be able
to send messages from the mailbox.
RECIPIENT TYPES IN THE EAC: User mailboxes, Resource mailboxes, Shared mailboxes, Distribution groups,
Dynamic distribution groups, Mail-enabled security groups, Office 365 groups
ADDITIONAL RECIPIENT TYPES IN POWERSHELL: n/a
AVAILABLE DELEGATE TYPES: Mailboxes with user accounts, Mail users with accounts, Mail-enabled security groups

PERMISSION: Send on Behalf

DESCRIPTION: Allows the delegate to send messages from the mailbox or group. The From address of these
messages clearly shows that the message was sent by the delegate ("<Delegate> on behalf of
<MailboxOrGroup>"). However, replies to these messages are sent to the mailbox or group, not to the delegate.
Doesn't allow the delegate to read the contents of the mailbox.
If you assign the Send on Behalf permission to a mailbox that's hidden from address lists, the delegate won't
be able to send messages from the mailbox.
If a user has both Send As and Send on Behalf permissions to a mailbox or group, the Send on Behalf
permission is always used.
RECIPIENT TYPES IN THE EAC: User mailboxes, Resource mailboxes, Distribution groups, Dynamic distribution
groups, Mail-enabled security groups, Office 365 groups
ADDITIONAL RECIPIENT TYPES IN POWERSHELL: Shared mailboxes
AVAILABLE DELEGATE TYPES: Mailboxes with user accounts, Mail users with accounts, Mail-enabled security groups,
Distribution groups
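
An audit of the three permissions described above, as an added example that is not part of the original documentation: it lists who holds Full Access, Send As, and Send on Behalf on each mailbox and flags the interactions this topic calls out. The function names (Resolve-Delegate, Get-MailboxDelegation, Test-MailboxDelegation) and the sample records are hypothetical; the collector assumes a connected Exchange Online PowerShell session, while the analysis runs offline on the constructed sample.

```powershell
# Added example, not Microsoft's code. Function names and sample data are hypothetical.

function Resolve-Delegate {
    # Normalizes a delegate reference to a lower-case primary SMTP address so that
    # entries from the three permission sources can be compared. Falls back to the
    # raw value when the recipient can't be resolved (an assumption of this example).
    param([string] $Id)
    $r = Get-Recipient -Identity $Id -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($r) { "$($r.PrimarySmtpAddress)".ToLower() } else { $Id.ToLower() }
}

function Get-MailboxDelegation {
    # Collector: needs a connected Exchange Online PowerShell session.
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        $id = "$($Mailbox.PrimarySmtpAddress)"
        # Full Access: explicit allow entries, excluding the mailbox's own SELF entry.
        $full = Get-MailboxPermission -Identity $id | Where-Object {
            ($_.AccessRights -join ',') -match 'FullAccess' -and
            -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*'
        } | ForEach-Object { Resolve-Delegate "$($_.User)" }
        # Send As: allow entries, excluding SELF.
        $sendAs = Get-RecipientPermission -Identity $id | Where-Object {
            ($_.AccessRights -join ',') -match 'SendAs' -and
            "$($_.AccessControlType)" -eq 'Allow' -and $_.Trustee -notlike 'NT AUTHORITY\*'
        } | ForEach-Object { Resolve-Delegate "$($_.Trustee)" }
        # Send on Behalf is stored on the mailbox object itself.
        $behalf = @($Mailbox.GrantSendOnBehalfTo) | Where-Object { $_ } |
            ForEach-Object { Resolve-Delegate "$_" }
        [pscustomobject]@{
            Mailbox = $id; Hidden = [bool]$Mailbox.HiddenFromAddressListsEnabled
            FullAccess = @($full); SendAs = @($sendAs); SendOnBehalf = @($behalf)
        }
    }
}

function Test-MailboxDelegation {
    # Pure analysis: one row per (mailbox, delegate) with notes taken from this topic.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $all = @(@($Record.FullAccess) + @($Record.SendAs) + @($Record.SendOnBehalf) |
            Where-Object { $_ } | Sort-Object -Unique)
        foreach ($d in $all) {
            $fa  = @($Record.FullAccess)   -contains $d
            $sa  = @($Record.SendAs)       -contains $d
            $sob = @($Record.SendOnBehalf) -contains $d
            $notes = @()
            if ($sa -and $sob) {
                $notes += 'Send As and Send on Behalf both set: Send on Behalf is always used'
            }
            if ($fa -and $sa -and -not $sob) {
                $notes += 'Full Access plus Send As: can read the mailbox and send with no indication of the delegate'
            }
            if ($Record.Hidden) {
                $notes += 'Mailbox is hidden from address lists: delegate cannot open or send from it'
            }
            [pscustomobject]@{
                Mailbox = $Record.Mailbox; Delegate = $d
                FullAccess = $fa; SendAs = $sa; SendOnBehalf = $sob
                Notes = $notes -join '; '
            }
        }
    }
}

# Constructed sample records shaped like Get-MailboxDelegation output (runs offline).
# The delegate addresses are invented for the example.
$sample = @(
    [pscustomobject]@{ Mailbox = 'confroom3223@contoso.com'; Hidden = $false
        FullAccess = @('robin.wood@contoso.com'); SendAs = @('robin.wood@contoso.com')
        SendOnBehalf = @() }
    [pscustomobject]@{ Mailbox = 'motorvehicle2@contoso.com'; Hidden = $false
        FullAccess = @(); SendAs = @('ann.beebe@contoso.com')
        SendOnBehalf = @('ann.beebe@contoso.com') }
    [pscustomobject]@{ Mailbox = 'discovery1@contoso.com'; Hidden = $true
        FullAccess = @('ann.beebe@contoso.com'); SendAs = @(); SendOnBehalf = @() }
    [pscustomobject]@{ Mailbox = 'rm123@contoso.com'; Hidden = $false
        FullAccess = @('robin.wood@contoso.com'); SendAs = @(); SendOnBehalf = @() }
)

# Three of the four sample mailboxes produce a note; rm123 is clean.
$sample | Test-MailboxDelegation | Where-Object { $_.Notes } | Format-List

# Live use:
#   Get-Mailbox -ResultSize unlimited | Get-MailboxDelegation | Test-MailboxDelegation
```

The live collector makes several calls per mailbox, so scope the Get-Mailbox query with a filter in large tenants.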

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox settings" entry in the Feature permissions in Exchange Online
topic.
To open and use the EAC, see Exchange admin center in Exchange Online. To connect to Exchange Online
PowerShell, see Connect to Exchange Online PowerShell.
When a mailbox is added to Outlook using Advanced Settings, only the primary mailbox will be added; the
archive mailbox won't be added. If a user needs to also access the archive mailbox, the mailbox should be
added to Outlook as a second account in the same Outlook profile.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to assign permissions to individual mailboxes


1. In the EAC, click Recipients in the feature pane. Depending on the type of mailbox that you want to assign
permissions for, click on one of the following tabs:
Mailboxes: User or linked mailboxes.
Resources: Room or equipment mailboxes.
Shared: Shared mailboxes.
2. In the list of mailboxes, select the mailbox that you want to assign permissions for, and then click Edit.
3. On the mailbox properties page that opens, click Mailbox delegation and configure one or more of the
following permissions:
Send As: Messages sent by a delegate appear to come from the mailbox.
Send on Behalf: Messages sent by a delegate have "<Delegate> on behalf of <Mailbox>" in the
From address. Note that this permission isn't available in the EAC for shared mailboxes.
Full Access: The delegate can open the mailbox and do anything except send messages.
To assign permissions to delegates, click Add under the appropriate permission. A dialog box appears
that lists the users or groups that can have the permission assigned to them. Select the user or group from
the list, and then click Add. Repeat this process as many times as necessary. You can also search for users
or groups in the search box by typing all or part of the name, and then clicking Search. When you're
finished selecting delegates, click OK.
To remove a permission from a delegate, select the delegate in the list under the appropriate permission,
and then click Remove.
4. When you're finished, click Save.

Use the EAC to assign permissions to multiple mailboxes at the same time

1. In the EAC, go to Recipients > Mailboxes.
2. Select the mailboxes that you want to assign permissions for. Use click + Shift key + click to select a range
of mailboxes, or Ctrl key + click to select multiple individual mailboxes. The title of the details pane changes
to Bulk Edit as shown in the following diagram.
3. At the bottom of the details pane, click More options. Under the Mailbox Delegation option that
appears, choose Add or Remove. Depending on your selection, do one of the following steps:
Add: In the Bulk Add Delegation dialog box that appears, click Add under the appropriate
permission (Send As, Send on Behalf, or Full Access). When you're finished selecting users or
groups to add as delegates, click Save.
Remove: In the Bulk Remove Delegation dialog box that appears, click Add under the
appropriate permission (Send As, Send on Behalf, or Full Access). When you're finished selecting
users or groups to remove from the existing delegates, click Save.

Use the EAC to assign permissions to groups


1. In the EAC, go to Recipients > Groups.
2. In the list of groups, select the group that you want to assign permissions for, and then click Edit.
3. On the group properties page that opens, click Group delegation and configure one of the following
permissions:
Send As: Messages sent by a delegate appear to come from the group.
Send on Behalf: Messages sent by a delegate have "<Delegate> on behalf of <Group>" in the
From address.
4. To assign permissions to delegates, click Add under the appropriate permission. A dialog box appears
that lists the users or groups that can have the permission assigned to them. Select the user or group from
the list, and then click Add. Repeat this process as many times as necessary. You can also search for users
or groups in the search box by typing all or part of the name, and then clicking Search. When you're
finished selecting delegates, click OK.
To remove a permission from a delegate, select the delegate in the list under the appropriate permission,
and then click Remove.
5. When you're finished, click Save.
Use Exchange Online PowerShell to assign the Full Access permission to mailboxes
You use the Add-MailboxPermission and Remove-MailboxPermission cmdlets to manage the Full Access
permission for mailboxes. These cmdlets use the same basic syntax:

Add-MailboxPermission -Identity <MailboxIdentity> -User <DelegateIdentity> -AccessRights FullAccess -InheritanceType All [-AutoMapping $false]

Remove-MailboxPermission -Identity <MailboxIdentity> -User <DelegateIdentity> -AccessRights FullAccess -InheritanceType All

This example assigns the delegate Raymond Sam the Full Access permission to the mailbox of Terry Adams.

Add-MailboxPermission -Identity "Terry Adams" -User raymonds -AccessRights FullAccess -InheritanceType All

This example assigns Esther Valle the Full Access permission to the organization's default discovery search
mailbox, and prevents the mailbox from automatically opening in Esther Valle's Outlook.

Add-MailboxPermission -Identity "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" -User estherv -AccessRights FullAccess -InheritanceType All -AutoMapping $false

This example assigns members of the Helpdesk mail-enabled security group the Full Access permission to the
shared mailbox named Helpdesk Tickets.

Add-MailboxPermission -Identity "Helpdesk Tickets" -User Helpdesk -AccessRights FullAccess -InheritanceType All

This example removes Full Access permission for Jim Hance from Ayla Kol's mailbox.

Remove-MailboxPermission -Identity ayla -User "Jim Hance" -AccessRights FullAccess -InheritanceType All

For detailed syntax and parameter information, see:


Add-MailboxPermission.
Remove-MailboxPermission.
How do you know this worked?
To verify that you've successfully assigned or removed the Full Access permission for a delegate on a mailbox, use
either of the following procedures:
In the properties of the mailbox in the EAC, verify the delegate is or isn't listed in Mailbox delegation >
Full Access.
Replace <MailboxIdentity> with the identity of the mailbox and run the following command in Exchange
Online PowerShell to verify that the delegate is or isn't listed.

Get-MailboxPermission <MailboxIdentity> | where {$_.AccessRights -like 'Full*'} | Format-Table User,Deny,IsInherited,AccessRights -Auto

For more information, see Get-MailboxPermission.


Use Exchange Online PowerShell to assign the Send As permission to mailboxes and groups
You use the Add-RecipientPermission and Remove-RecipientPermission cmdlets to manage the Send As
permission for mailboxes and groups. These cmdlets use the same basic syntax:

<Add-RecipientPermission | Remove-RecipientPermission> -Identity <MailboxOrGroupIdentity> -Trustee <DelegateIdentity> -AccessRights SendAs

This example assigns the Send As permission to the Printer Support group on the shared mailbox named
Contoso Printer Support.

Add-RecipientPermission -Identity "Contoso Printer Support" -Trustee "Printer Support" -AccessRights SendAs

This example removes the Send As permission for the user Karen Toh on the mailbox for Yan Li.

Remove-RecipientPermission -Identity "Yan Li" -Trustee "Karen Toh" -AccessRights SendAs

For detailed syntax and parameter information, see:


Add-RecipientPermission
Remove-RecipientPermission
How do you know this worked?
To verify that you've successfully assigned or removed the Send As permission for a delegate on a mailbox or
group, use either of the following procedures:
In the properties of the mailbox or group in the EAC, verify the delegate is or isn't listed in Mailbox
delegation > Send As or Group delegation > Send As.
Replace <MailboxIdentity> and <DelegateIdentity> with the name, alias, or email address of the mailbox
or group and run the following command in Exchange Online PowerShell to verify that the delegate is or
isn't listed.

Get-RecipientPermission -Identity <MailboxIdentity> -Trustee <DelegateIdentity>

Use Exchange Online PowerShell to assign the Send on Behalf permission to mailboxes and groups
You use the GrantSendOnBehalfTo parameter on the various mailbox and group Set- cmdlets to manage the
Send on Behalf permission for mailboxes and groups:
Set-Mailbox
Set-DistributionGroup: Distribution groups and mail-enabled security groups.
Set-DynamicDistributionGroup
Set-UnifiedGroup: Office 365 groups.
The basic syntax for these cmdlets is:
<Cmdlet> -Identity <MailboxOrGroupIdentity> -GrantSendOnBehalfTo <Delegates>

The GrantSendOnBehalfTo parameter has the following options for delegate values:
Replace existing delegates: <DelegateIdentity> or "<DelegateIdentity1>","<DelegateIdentity2>",...

Add or remove delegates without affecting other delegates:


@{Add="<value1>","<value2>"...; Remove="<value1>","<value2>"...}

Remove all delegates: Use the value $null.

This example assigns the delegate Holly Holt the Send on Behalf permission to the mailbox of Sean Chai.

Set-Mailbox -Identity seanc@contoso.com -GrantSendOnBehalfTo hollyh

This example adds the group tempassistants@contoso.com to the list of delegates that have Send on Behalf
permission to the Contoso Executives shared mailbox.

Set-Mailbox "Contoso Executives" -GrantSendOnBehalfTo @{Add="tempassistants@contoso.com"}

This example assigns the delegate Sara Davis the Send on Behalf permission to the Printer Support distribution
group.

Set-DistributionGroup -Identity printersupport@contoso.com -GrantSendOnBehalfTo sarad

This example removes the Send on Behalf permission that was assigned to the administrator on the All
Employees dynamic distribution group.

Set-DynamicDistributionGroup "All Employees" -GrantSendOnBehalfTo @{Remove="Administrator"}

How do you know this worked?


To verify that you've successfully assigned or removed the Send on Behalf permission for a delegate on a mailbox
or group, use either of the following procedures:
In the properties of the mailbox or group in the EAC, verify the delegate is or isn't listed in Mailbox
delegation > Send As or Group delegation > Send As.
Replace <MailboxIdentity> or <GroupIdentity> with the identity of the mailbox or group and run one
of the following commands in Exchange Online PowerShell to verify that the delegate is or isn't listed.
Mailbox:

Get-Mailbox -Identity <MailboxIdentity> | Format-List GrantSendOnBehalfTo

Distribution group or mail-enabled security group:

Get-DistributionGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo

Dynamic distribution group:


Get-DynamicDistributionGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo

Office 365 group:

Get-UnifiedGroup -Identity <GroupIdentity> | Format-List GrantSendOnBehalfTo
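
The verification commands above each cover one permission type. The following PowerShell is an added example, not part of the original documentation, that merges their output into one review table per mailbox and delegate. The function name Get-DelegationReview, the review flags, and the sample rows are assumptions constructed for illustration.

```powershell
# Added example (not from the original documentation).
# Get-DelegationReview is a hypothetical helper; sample rows below are constructed.

function Get-DelegationReview {
    param(
        [object[]]$FullAccess = @(),   # rows shaped like Get-MailboxPermission output
        [object[]]$SendAs     = @(),   # rows shaped like Get-RecipientPermission output
        [object[]]$Recipients = @()    # rows shaped like Get-Mailbox or Get-*Group output
    )

    $rows = @()

    # Full Access: keep explicit Allow entries; skip inherited and built-in ones.
    foreach ($p in $FullAccess) {
        if ($p.Deny -or $p.IsInherited) { continue }
        if ($p.User -like 'NT AUTHORITY\*') { continue }
        if (-not ($p.AccessRights -like 'Full*')) { continue }
        $rows += [pscustomobject]@{ Target = [string]$p.Identity; Delegate = [string]$p.User; Permission = 'FullAccess' }
    }

    # Send As: skip the mailbox's own entry and any Deny entries.
    foreach ($p in $SendAs) {
        if ($p.Trustee -like 'NT AUTHORITY\*') { continue }
        if ($p.AccessControlType -eq 'Deny') { continue }
        $rows += [pscustomobject]@{ Target = [string]$p.Identity; Delegate = [string]$p.Trustee; Permission = 'SendAs' }
    }

    # Send on Behalf: one row per entry in GrantSendOnBehalfTo.
    foreach ($r in $Recipients) {
        foreach ($d in @($r.GrantSendOnBehalfTo)) {
            if ($d) {
                $rows += [pscustomobject]@{ Target = [string]$r.Identity; Delegate = [string]$d; Permission = 'SendOnBehalf' }
            }
        }
    }

    # One output row per (target, delegate) pair, with combinations worth a second look.
    $rows | Group-Object Target, Delegate | ForEach-Object {
        $perms = @($_.Group.Permission | Sort-Object -Unique)
        $flags = @()
        if ($perms -contains 'FullAccess' -and $perms -contains 'SendAs') {
            $flags += 'can read the mailbox and send as it'
        }
        if ($perms -contains 'SendAs' -and $perms -contains 'SendOnBehalf') {
            $flags += 'Send As and Send on Behalf both assigned'
        }
        [pscustomobject]@{
            Target      = $_.Group[0].Target
            Delegate    = $_.Group[0].Delegate
            Permissions = $perms -join ','
            Review      = $flags -join '; '
        }
    }
}

# Constructed sample rows, using names from the examples in this topic.
# Assumption: every row names a delegate in the same form. In a live tenant the
# cmdlets may return different identity forms; normalise them before grouping.
$sampleFullAccess = @(
    [pscustomobject]@{ Identity = 'Terry Adams';      User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Terry Adams';      User = 'raymonds';          AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Helpdesk Tickets'; User = 'Helpdesk';          AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
)
$sampleSendAs = @(
    [pscustomobject]@{ Identity = 'Contoso Printer Support'; Trustee = 'Printer Support'; AccessControlType = 'Allow'; AccessRights = @('SendAs') }
    [pscustomobject]@{ Identity = 'Helpdesk Tickets';        Trustee = 'Helpdesk';        AccessControlType = 'Allow'; AccessRights = @('SendAs') }
)
$sampleRecipients = @(
    [pscustomobject]@{ Identity = 'seanc@contoso.com'; GrantSendOnBehalfTo = @('hollyh') }
    [pscustomobject]@{ Identity = 'Helpdesk Tickets';  GrantSendOnBehalfTo = @('Helpdesk') }
)

Get-DelegationReview -FullAccess $sampleFullAccess -SendAs $sampleSendAs -Recipients $sampleRecipients |
    Sort-Object Target, Delegate | Format-Table -AutoSize

# Against a live tenant (after connecting to Exchange Online PowerShell):
#   $mbx = Get-Mailbox -ResultSize Unlimited
#   $fa  = $mbx | ForEach-Object { Get-MailboxPermission  -Identity $_.Identity }
#   $sa  = $mbx | ForEach-Object { Get-RecipientPermission -Identity $_.Identity }
#   Get-DelegationReview -FullAccess $fa -SendAs $sa -Recipients $mbx
```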

Next steps
For more information about how delegates can use the permissions that are assigned to them on mailboxes and
groups, see the following topics:
Access another person's mailbox
Open and use a shared mailbox in Outlook
Open and use a shared mailbox in Outlook on the Web
Send email from another person or group in Outlook on the Web
Manage Facebook contact sync in your organization
3/4/2019

Facebook contact synchronization lets people set up a connection between their Facebook account and their Office
365 account by using Outlook Web App. After they set up a Facebook connection, all their Facebook friends are
listed as contacts in People in Office 365. They can then interact with their Facebook friends as they do with their
other contacts. Facebook contact sync is turned on by default if the feature is available in your region.

TIP
As an administrator, you probably want to keep Facebook contact sync turned on if your organization uses Facebook for
business purposes, such as networking and marketing. Turn it off if you don't want your users to download their Facebook
friends as contacts in Outlook Web App. For information about how people set up Facebook contact sync, see Add Facebook
friends as contacts.

NOTE
The features that are available to your Office 365 organization are determined by the service plan for your account. Some
features aren't available to mailboxes or organizations in specific regions.

Turn Facebook contact sync on or off


You turn Facebook contact sync on or off for users in your organization by using Outlook Web App mailbox policy
settings. Similar to other Outlook Web App mailbox policy settings, you can change the settings for Facebook
contact sync by using the Exchange admin center (EAC) or Exchange Online PowerShell. For detailed information
about managing Outlook Web App mailbox policy settings, see View or configure Outlook Web App mailbox
policy properties.

For more information


The information for each Facebook friend is stored as a read-only contact record in the Facebook folder in People.
The information that's synchronized between Facebook and Outlook Web App includes first name, last name, all
phone numbers, all email addresses, and all street addresses. Facebook contacts are stored in the user's mailbox
and are retained in accordance with the Office 365 service agreement.
During the Outlook Web App and Facebook connection setup, the contacts in the user's default contacts folder are
uploaded to Facebook as part of a one-time synchronization with Facebook. Facebook uses this contact information
as part of the "People you may know" friend suggestions on Facebook. The one-time upload of information also
allows Facebook to include the information for your users' Outlook Web App contacts in Facebook applications
that your users may choose to use, for example, mobile phone applications.
For information about how your users can set up a connection to Facebook using a desktop version of Outlook, see
Social Connector for Microsoft Outlook.
Manage LinkedIn contact sync in your organization
3/4/2019

LinkedIn contact synchronization lets people set up a connection between their LinkedIn account and their Office
365 account by using Outlook Web App. After they set up LinkedIn contact sync, all their LinkedIn connections are
listed as contacts in People in Office 365. They can then interact with their LinkedIn connections as they do with
other contacts. LinkedIn contact sync is turned on by default if the feature is available for your region.

TIP
As an administrator, you probably want to keep LinkedIn contact sync turned on if your organization uses LinkedIn for
business purposes, such as networking and marketing. Turn it off if you don't want your users to download their LinkedIn
connections as contacts in Outlook Web App. For more information about how people can set up LinkedIn contact sync, see
Managed LinkedIn contact sync in your organization.

NOTE
The features that are available to your Office 365 organization are determined by the service plan for your account. Some
features aren't available to mailboxes or organizations in specific regions.

Turn LinkedIn contact sync on or off


You turn LinkedIn contact sync on or off for users in your organization by using Outlook Web App mailbox policy
settings. Similar to other Outlook Web App mailbox policy settings, you can change the settings for LinkedIn
contact sync by using the Exchange admin center (EAC) or Exchange Online PowerShell. For detailed information
about managing Outlook Web App mailbox policy settings, see View or configure Outlook Web App mailbox
policy properties.

For more information


The information for each LinkedIn contact is stored as a read-only contact record in the LinkedIn folder in People.
The information that's synchronized between LinkedIn and Outlook Web App includes first name, last name, all
phone numbers, all email addresses, and all street addresses. LinkedIn contacts are stored in the user's mailbox and
are retained in accordance with the Office 365 service plan. For information about how your users can set up a
connection to LinkedIn using a desktop version of Outlook, have them check out Social Connector for Microsoft
Outlook.
Configure a moderated recipient in Exchange Online
3/4/2019

In your Exchange Online organization, you may need to restrict access to specific recipients. The most common
scenario is the need to control messages sent to large distribution groups. Depending on your organization's
requirements, you may also need to control the messages sent to executive mailboxes or partner contacts. You can
use moderated recipients to accomplish these tasks. When you configure a recipient for moderation, all messages
sent to that recipient are subject to approval by the designated moderators.

What do you need to know before you begin?


Estimated time to complete: 15 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Moderated Transport" entry in the Transport Permissions topic.
You can use the Exchange admin center (EAC) to configure a distribution group for moderation. All other
recipient types can only be configured for moderation using PowerShell. To learn how to use Windows
PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a moderated distribution group


This example configures the following moderation settings for the distribution group named All Employees:
Enable moderation for the distribution group.
Designate David Hamilton and Yossi Ran as moderators.
Allow the members of the distribution group named HR to bypass moderation.
Notify internal senders if their message to the distribution group is rejected, but do not send any
notifications to external senders.
To accomplish the tasks in this example scenario, perform the following procedure:
1. In the EAC, navigate to Recipients > Groups.
2. In the result pane, select the All employees distribution group and click Edit.
3. On the properties page, click Message approval, and complete the following:
4. Select the Messages sent to this group have to be approved by a moderator check box.
5. In the Group moderators list, click Add.
6. In the Select group moderators dialog, find and select David Hamilton, click Add, find and select Yossi
Ran, and click Add. When you are finished, click OK.
7. In the Senders who don't require message approval list, click Add.
8. In the Select senders dialog, find and select HR from the list and click Add. When you are finished, click
OK.
9. In Select moderation notifications, select Notify all senders when their messages aren't approved.
10. Click Save.

Use Exchange Online PowerShell to configure a moderated recipient


Run the following command:

Set-<RecipientType> <Identity> -ModerationEnabled $true -ModeratedBy <recipient1,recipient2...> -ByPassModerationFromSendersOrMembers <recipient1,recipient2...> -SendModerationNotifications <Never | Always | Internal>

This example configures the following moderation settings for the distribution group named All Employees:
Enable moderation for the distribution group.
Designate David Hamilton and Yossi Ran as moderators.
Allow the members of the distribution group named HR to bypass moderation.
Notify internal senders if their message to the distribution group is rejected, but do not send any
notifications to external senders.
To accomplish the tasks in this example scenario, run the following command:

Set-DistributionGroup "All Employees" -ModerationEnabled $true -ModeratedBy "David Hamilton","Yossi Ran" -ByPassModerationFromSendersOrMembers HR -SendModerationNotifications Internal

To add or remove users from the list of moderators or recipients who bypass moderation without affecting other
entries, use the following syntax:

Set-<RecipientType> <Identity> -ModeratedBy @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...} -ByPassModerationFromSendersOrMembers @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...}

This example configures the following moderation settings for the distribution group named All Employees:
Add the user chris@contoso.com to the list of existing moderators.
Remove the user michelle@contoso.com from the list of existing senders who bypass moderation.

Set-DistributionGroup "All Employees" -ModeratedBy @{Add="chris@contoso.com"} -ByPassModerationFromSendersOrMembers @{Remove="michelle@contoso.com"}

How do you know this worked?


To verify that you have successfully configured a recipient for moderation, do the following:
1. Send a test message to the moderated recipient.
2. Verify the designated moderators receive notification.
3. Verify the recipients who bypass moderation receive the message directly.
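
Besides the test message, the stored moderation settings can be compared with the intended ones. The following PowerShell is an added example, not part of the original documentation; Test-ModerationSetting is a hypothetical helper and the "actual" object is constructed to show how differences are reported.

```powershell
# Added example (not from the original documentation).
# Test-ModerationSetting is a hypothetical helper; the sample object is constructed.

function Test-ModerationSetting {
    param(
        [Parameter(Mandatory = $true)] $Recipient,            # shaped like Get-DistributionGroup output
        [Parameter(Mandatory = $true)] [hashtable]$Expected   # intended moderation settings
    )

    $findings = @()

    # Single-valued settings: compare as strings.
    foreach ($name in 'ModerationEnabled', 'SendModerationNotifications') {
        if ([string]$Recipient.$name -ne [string]$Expected[$name]) {
            $findings += "{0}: expected '{1}', found '{2}'" -f $name, $Expected[$name], $Recipient.$name
        }
    }

    # Multi-valued settings: compare as sets, ignoring order and case.
    foreach ($name in 'ModeratedBy', 'BypassModerationFromSendersOrMembers') {
        $want = @($Expected[$name] | Where-Object { $_ })
        $have = @($Recipient.$name | Where-Object { $_ })
        foreach ($v in $want) { if ($have -notcontains $v) { $findings += "${name}: missing '$v'" } }
        foreach ($v in $have) { if ($want -notcontains $v) { $findings += "${name}: unexpected '$v'" } }
    }

    [pscustomobject]@{
        Recipient = [string]$Recipient.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Intended settings, taken from the All Employees example in this topic.
$expected = @{
    ModerationEnabled                    = $true
    ModeratedBy                          = 'David Hamilton', 'Yossi Ran'
    BypassModerationFromSendersOrMembers = 'HR'
    SendModerationNotifications          = 'Internal'
}

# Constructed "actual" state: one moderator missing, an extra bypass entry,
# and notifications set to Always instead of Internal.
# Assumption: names appear in the same form as in $expected; a live tenant may
# return a different identity form that needs normalising first.
$actual = [pscustomobject]@{
    Name                                 = 'All Employees'
    ModerationEnabled                    = $true
    ModeratedBy                          = @('David Hamilton')
    BypassModerationFromSendersOrMembers = @('HR', 'michelle@contoso.com')
    SendModerationNotifications          = 'Always'
}

$result = Test-ModerationSetting -Recipient $actual -Expected $expected
$result.Findings

# Against a live tenant (after connecting to Exchange Online PowerShell):
#   Test-ModerationSetting -Recipient (Get-DistributionGroup "All Employees") -Expected $expected
```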
Ways to migrate multiple email accounts to Office 365
3/4/2019

Your organization can migrate email to Office 365 from other systems. Your administrators can migrate
mailboxes from Exchange Server or migrate email from another IMAP-enabled email system. And your users can
import their own email, contacts, and other mailbox information to an Office 365
mailbox created for them. Your organization also can work with a partner to migrate email.
Before you start an email migration, review limits and best practices for Exchange Online to make sure you get
the performance and behavior you expect after migration.
See Decide on a migration path or Exchange migration advisors for help with choosing the best option for your
organization.

TIP
Another option available to assist you with your email migration is FastTrack Center Benefit for Office 365. FastTrack
specialists can help you plan and perform your migration. For more information, see Data Migration.


Migrate mailboxes from Exchange Server


For migrations from an existing on-premises Exchange Server environment, an administrator can migrate all
email, calendar, and contacts from user mailboxes to Office 365.

There are three types of email migrations that can be made from an Exchange Server:
Migrate all mailboxes at once (cutover migration) or Express migration
Use this type of migration if you're running Exchange 2003, Exchange 2007, Exchange 2010, or Exchange
2013, and if there are fewer than 2000 mailboxes. You can perform a cutover migration by starting from
the Exchange admin center (EAC); see Perform a cutover migration to Office 365. See Use express
migration to migrate Exchange mailboxes to Office 365 to use the Express migration.

IMPORTANT
With cutover migration, you can move up to 2000 mailboxes, but due to length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or less.
Migrate mailboxes in batches (staged migration)
Use this type of migration if you're running Exchange 2003 or Exchange 2007, and there are more than
2,000 mailboxes. For an overview of staged migration, see What you need to know about a staged email
migration to Office 365. To perform the migration tasks, see Perform a staged migration of Exchange
Server 2003 and Exchange 2007 to Office 365.
Migrate using an integrated Exchange Server and Office 365 environment (hybrid)
Use this type of migration to maintain both on-premises and online mailboxes for your organization and
to gradually migrate users and email to Office 365. Use this type of migration if:
You have Exchange 2010 and more than 150-2,000 mailboxes.
You have Exchange 2010 and want to migrate mailboxes in small batches over time.
You have Exchange 2013.
For more information, see Plan an Exchange Online hybrid deployment in Office 365.

Use Office 365 Import Service to migrate PST-files


If your organization has many large PST files, you can use the Office 365 Import Service to migrate email data to
Office 365.

You can use the Office 365 Import Service to either upload the PST files through a network, or to mail the PST
files in a drive that you prepare.
For instructions, see Office 365 Import Service.

Migrate email from another IMAP-enabled email system


You can use the Internet Message Access Protocol (IMAP) to migrate user email from Gmail, Exchange,
Outlook.com, and other email systems that support IMAP migration. When you migrate the user's email by using
IMAP migration, only the items in the users' inbox or other mail folders are migrated. Contacts, calendar items,
and tasks can't be migrated with IMAP, but they can be migrated by a user.
IMAP migration also doesn't create mailboxes in Office 365. You'll have to create a mailbox for each user before
you migrate their email.

To migrate email from another mail system, see Migrate your IMAP mailboxes to Office 365. After the email
migration is done, any new mail sent to the source email isn't migrated.
Have users import their own email
Users can import their own email, contacts, and other mailbox information to Office 365. See Migrate email and
contacts to Office 365 to learn how.

Work with a partner to migrate email


If none of the types of migrations described will work for your organization, consider working with a partner to
migrate email to Office 365.

METHOD | DESCRIPTION
Use a third-party email migration tool | Migration tools can help speed up and simplify email migration. You'll find a list of tools in the Office 365 Marketplace.
Hire a partner to help migrate your email | You'll find a list of partners in the Office 365 Marketplace.

Related Topics
Use PowerShell for email migration to Office 365
Decide on a migration path
3/6/2019

Deciding on the best migration path of your users' email to Office 365 can be difficult. This article gives guidance
based on your current email system and other factors, such as how quickly you want to migrate to Office 365. Your
migration performance will vary based on your network, mailbox size, migration speed, and so on.

IMPORTANT
This topic is intended for Office 365 global administrators. If you want to migrate email for a single account, see Migrate
email and contacts to Office 365 instead.

How do I decide which method to use?


Before you start an email migration, review the limits and Office 365 migration performance and best practices for
Exchange Online to make sure you get the performance and behavior you expect after migration.
You, as Office 365 global administrator, can migrate mailboxes from an Exchange Server or from another email
system. The content in the following sections is organized by email system, and the linked topics help you decide
on the best method based on number of mailboxes and your time and mailbox size constraints.

Your existing system is an Exchange Server


For migrations from an existing on-premises Exchange Server environment, you can migrate all email, calendar
items, tasks and contacts from user mailboxes to Office 365. The available methods are cutover, staged, and
Exchange Hybrid migrations. These migration methods copy over all mail data, including contacts, calendar items,
and tasks. You can also use the Internet Message Access Protocol (IMAP) migration from Exchange servers, and if
your Exchange server is older than Exchange 2003, IMAP migration is your only option. Note that IMAP migration
will copy over only email data.

IMPORTANT
Staged and Exchange Hybrid migrations require that you also set up directory synchronization. For more information, see
Office 365 integration with on-premises environments.

For migration recommendations, see one of the following sections, based on your source system:

Exchange 2003 or Exchange 2007


If your source system is Exchange 2003 or Exchange 2007, consider the following options.

NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and migrate
2000 users, it is more reasonable to migrate 150 users or less.
NUMBER OF MAILBOXES | HOW QUICKLY DO YOU WANT TO MIGRATE? | USE
Fewer than 150 | Over a weekend or a few days. | Cutover. For an overview, see What you need to know about a cutover email migration to Office 365.
Fewer than 150 | Slowly, by migrating a few users at a time. | Staged. For an overview, see What you need to know about a staged email migration to Office 365.
Over 150 | Over a weekend or a few days. | Staged. If you have more than 150 mailboxes, the best method is to use staged migration where you can migrate a limited number of users at a time. This is because cutover migration performance suffers when you try to migrate more than 150 mailboxes.
Over 150 | Slowly, by migrating a few users at a time. | Staged
If the mailboxes you're migrating contain a large amount of data, you can also use Office 365 Import Service to
import PST files to Office 365. You can use the Office 365 Import Service to either ship the files or to import them
across the network.
If you have an extremely large number of mailboxes (5,000+), you might want to hire a partner to help you
migrate your email data.
You'll find a list of partners in the Microsoft Partner Center.

Exchange 2010, 2013 or 2016


If your source system is Exchange 2010, Exchange 2013, or Exchange Server 2016, consider the following options.

NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and migrate
2000 users, it is more reasonable to migrate 150 users or less.

NUMBER OF MAILBOXES | HOW QUICKLY DO YOU WANT TO MIGRATE? | USE
Fewer than 150 | Over a weekend or a few days. | Cutover or Express migration.
Fewer than 150 | Slowly, by migrating a few users at a time. | Exchange Hybrid
Over 150 | Over a weekend or a few days. | Exchange Hybrid. If you have more than 150 mailboxes, the best method is to use an Exchange hybrid migration where you can migrate a limited number of users at a time. This is because cutover migration performance suffers when you try to migrate more than 150 mailboxes.
Over 150 | Slowly, by migrating a few users at a time. | Exchange Hybrid

If the mailboxes you're migrating contain a large amount of data, you can also use Office 365 Import Service to
import PST files to Office 365. You can use the Office 365 Import Service to either ship the files or to import them
across the network.
If you have an extremely large number of mailboxes (5,000+), you might want to hire a partner to help you
migrate your email data.
You'll find a list of partners in the Microsoft Partner Center.

Exchange Server 2000 or earlier versions


For earlier versions of Exchange server, you will have to use IMAP migration.

Other email systems


For other email systems that support IMAP, you can use IMAP migrations.
Depending on your source system, see one of the following:
Migrate G Suite mailboxes to Office 365
Migrate other types of IMAP mailboxes to Office 365
This topic includes the instructions for the migration CSV files for Exchange, Mirapoint, Dovecot, and
Courier IMAP.
IMAP migration in the Office 365 admin center
If the mailboxes you're migrating contain a large amount of data, you can also use Office 365 Import Service to
import PST files to Office 365. You can use the Office 365 Import Service to either ship the files or to import them
across the network.
You can also hire a partner to help you migrate your email data. You'll find a list of partners in the Microsoft
Partner Center.

Use Minimal Hybrid to quickly migrate Exchange mailboxes to Office 365
3/4/2019

You can use the minimal hybrid, also known as express migration, option in the Exchange Hybrid Configuration
Wizard to migrate the contents of user mailboxes to Office 365 over the course of a couple of weeks or less.

Prerequisites
Use minimal hybrid to migrate emails if you:
Are running at least one Exchange 2010, Exchange 2013, and/or Exchange 2016 server on-premises.
Plan to move to Exchange Online over the course of a few weeks or less.
Do not plan to continue to run directory synchronization to manage your users.

Step 1: Verify you own the domain


During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-premises mailbox is used to
create the email address for a new Office 365 mailbox. To run an express migration, the on-premises domain must
be a verified domain in your Office 365 organization.
1. Sign in to Office 365 with your work or school account.
2. Choose Setup > Domains.
3. On the Domains page, click Add domain to start the domain wizard.

4. On the Add a domain page, type in the domain name (for example, Contoso.com) you use for your on-
premises Exchange organization, and then choose Next.
5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records are managed by
GoDaddy) or Add a TXT record instead for any other registrars > Next.
6. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify
ownership.
You can also find the instructions in Create DNS records at any DNS hosting provider for Office 365.
After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.
7. In the Office 365 domain wizard, choose done, verify now, and you'll see a verification page. Choose
Finish.
If the verification fails at first, wait awhile, and try again.
Do not continue to the next step in the domains wizard. You now have verified that you own the on-
premises Exchange organization domain and are ready to continue with an email migration.
You will finish setting up your domain after the migrations are complete.
Step 2: Start express migration
On a computer that is domain joined to your on-premises organization, sign in to your Office 365 account by
using your global admin credentials, and start the Exchange Hybrid Configuration Wizard on the Data migration
page of the Office 365 admin page.
1. In the Office 365 Admin center, go to Setup > Data migration.

2. On the Migration page, under Select your data service, choose Exchange.

3. On the first Hybrid Configuration Wizard page, choose next and on the On-premises Exchange
Server Organization page, accept the default values and choose next.
By default the wizard connects to the Exchange server running the latest version.
4. On the Credentials page, choose Use current Windows credentials for on-premises Exchange server, and
enter admin credentials for it and your Office 365 tenant. Choose next, and then choose next again once
the connections and credentials have been validated.
5. On the Hybrid Features page, select Minimal Hybrid Configuration > next.
6. On the Ready for Update page, choose update to prepare the on-premises mailboxes for migration.

Step 3: Run directory synchronization to create users in Office 365


1. On the User Provisioning page, select Synchronize my users and passwords one time.
At this point you are prompted to download and install the Azure AD Connect wizard to synchronize
your users from on-premises to Office 365.
2. Once Azure AD Connect has downloaded, run it and choose the default options for Express settings.
After synchronization is completed, you will be taken to the Office 365 Data migration page where you
can see all of your users that were synchronized to Office 365.
After the one-time synchronization is done, directory synchronization is turned off for your Office 365
tenant.
Step 4: Give Office 365 licenses to your users
After Azure AD Connect synchronizes your users and their passwords to Office 365, you have to assign Office 365
licenses to them so that they have a cloud mailbox to which to migrate their on-premises mailbox data.
The status on the Data migration page indicates that a license is needed as shown in the figure.
In the Admin center, go to Users > Active users and follow these instructions to Assign licenses to users in Office
365 for business.

Step 5: Start migrating user mailbox data


After you assign licenses to your users, you can go to the Data migration page to start migrating their mailboxes.
1. Go to Setup > Data migration, and on the Migration page choose Exchange for your data service.
2. On the Data migration page, select the users whose mailboxes you want to migrate and then choose Start
migration.
It is recommended that you migrate mailboxes for two or three users as a test before migrating all of your
users to make sure everything works as expected.
The Data migration page will display the migration status as it progresses. For a full list, see Migration
users status report, which you can also view in the Exchange admin center.
Step 6: Update DNS records
Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email
migration process, your MX record was pointing to your on-premises Exchange email system. Now that the email
migration to Office 365 is complete, it's time to point your MX record at Office 365. You will also need to finish
setting up your DNS records. In the Office 365 Admin center go to Settings > Domains and then choose the
domain name you want to update, for example contoso.com. The domains wizard will guide you through the
update steps. See this article for instructions specific to your registrar or host: Create DNS records at any DNS
hosting provider for Office 365.

See also
Office 365 migration performance and best practices
How to decommission Exchange servers in a Hybrid environment
Modify or remove Exchange 2010
How to remove an Exchange 2007 organization
What you need to know about a cutover email migration to Office 365
3/6/2019

As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this all at one time, it's called a cutover migration. Choosing a cutover migration is
suggested when:
Your current on-premises Exchange organization is Microsoft Exchange Server 2003, Microsoft Exchange
Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, or Exchange Server 2016.
Your on-premises Exchange organization has fewer than 2,000 mailboxes.

NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to the length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or fewer.

If a cutover migration won't work for you, see Ways to migrate email to Office 365 for other options.

Things to consider
Setting up an email cutover migration to Office 365 requires careful planning. Before you begin, here are a few
things to consider:
You can move your entire email organization to Office 365 over a few days and manage user accounts in
Office 365.
A maximum of 2,000 mailboxes can be migrated to Office 365 by using a cutover Exchange migration.
However, it is recommended that you only migrate 150 mailboxes.
The primary domain name used for your on-premises Exchange organization must be accepted as a
domain owned by you in your Office 365 organization.
After the migration is complete, each user who has an on-premises Exchange mailbox also will be a new
user in Office 365. But you'll still have to assign licenses to users whose mailboxes are migrated.

Impact to users
After your on-premises and Office 365 organizations are set up for a cutover migration, post-setup tasks could
impact your users.
Administrators or users must configure desktop computers: Make sure that desktop computers are
updated and set up for use with Office 365. These actions allow users to use local user credentials to sign in
to Office 365 from desktop applications. Users with permission to install applications can update and set up
their own desktops. Or updates can be installed for them. After updates are made, users can send email
from Outlook 2013, Outlook 2010, or Outlook 2007.
Potential delay in email routing: Email sent to on-premises users whose mailboxes were migrated to
Office 365 is routed to their on-premises Exchange mailboxes until the MX record is changed.
How does cutover migration work?
The main steps you perform for a cutover migration are shown in the following illustration.

1. The administrator communicates upcoming changes to users and verifies domain ownership with the
domain registrar.
2. The administrator prepares the servers for a cutover migration and creates empty mail-enabled security
groups in Office 365.
3. The administrator connects Office 365 to the on-premises email system (this is called creating a migration
endpoint).
4. The administrator migrates the mailboxes and then verifies the migration.
5. Grant Office 365 licenses to your users.
6. The administrator configures the domain to begin routing email directly to Office 365.
7. The administrator verifies that routing has changed, and then deletes the cutover migration batch.
8. The administrator completes post-migration tasks in Office 365 (assigns licenses to users and creates an
Autodiscover Domain Name System (DNS) record), and optionally decommissions the on-premises
Exchange servers.
See how-to steps in Complete post migration tasks.
9. The administrator sends a welcome letter to users to tell them about Office 365 and to describe how to sign
in to their new mailboxes.

Ready to start?
If you're comfortable setting up a migration to Office 365, here are the tasks that need to be done:
Set up Exchange Server by using the Exchange admin center.
Change your organization's MX record to point to Office 365 when the migration is complete. Your MX
record is how other mail systems find the location of your email system. Changing your MX record allows
other mail systems to begin to send email directly to the new mailboxes in Office 365. We provide
instructions on how to do this for many DNS providers. To set up your public DNS servers, you need to
change your organization's MX record to point to Office 365 if you choose to route all incoming internet
mail for your on-premises Exchange organization through Office 365.
If you're ready to begin a cutover migration, go to Perform a cutover migration of email to Office 365.

See also
Ways to migrate email to Office 365
Use PowerShell to perform a cutover migration to Office 365
Migrate email using the Exchange cutover method
3/4/2019

As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this all at one time, it's called a cutover migration. Choosing a cutover migration is
suggested when:
Your current on-premises Exchange organization is Microsoft Exchange Server 2003 or later.
Your on-premises Exchange organization has fewer than 2,000 mailboxes.

NOTE
Even though cutover migration supports moving up to 2000 mailboxes, due to the length of time it takes to create and
migrate 2000 users, it is more reasonable to migrate 150 users or fewer.

Plan for migration


Setting up an email cutover migration to Office 365 requires careful planning. Before you begin, here are a few
things to consider:
You can move your entire email organization to Office 365 over a few days and manage user accounts in
Office 365.
A maximum of 2,000 mailboxes can be migrated to Office 365 by using a cutover Exchange migration.
However, it is recommended that you only migrate 150 mailboxes.
The primary domain name used for your on-premises Exchange organization must be accepted as a
domain owned by you in your Office 365 organization.
After the migration is complete, each user who has an on-premises Exchange mailbox also will be a new
user in Office 365. But you'll still have to assign licenses to users whose mailboxes are migrated.
Impact to users
After your on-premises and Office 365 organizations are set up for a cutover migration, post-setup tasks could
impact your users.
Administrators or users must configure desktop computers: Make sure that desktop computers are
updated and set up for use with Office 365. These actions allow users to use local user credentials to sign
in to Office 365 from desktop applications. Users with permission to install applications can update and set
up their own desktops. Or updates can be installed for them. After updates are made, users can send email
from Outlook 2013, Outlook 2010, or Outlook 2007.
Potential delay in email routing: Email sent to on-premises users whose mailboxes were migrated to
Office 365 is routed to their on-premises Exchange mailboxes until the MX record is changed.
How does cutover migration work?
The main steps you perform for a cutover migration are shown in the following illustration.
1. The administrator communicates upcoming changes to users and verifies domain ownership with the
domain registrar.
2. The administrator prepares the servers for a cutover migration and creates empty mail-enabled security
groups in Office 365.
3. The administrator connects Office 365 to the on-premises email system (this is called creating a migration
endpoint).
4. The administrator migrates the mailboxes and then verifies the migration.
5. Grant Office 365 licenses to your users.
6. The administrator configures the domain to begin routing email directly to Office 365.
7. The administrator verifies that routing has changed, and then deletes the cutover migration batch.
8. The administrator completes post-migration tasks in Office 365 (assigns licenses to users and creates an
Autodiscover Domain Name System (DNS) record), and optionally decommissions the on-premises
Exchange servers.
9. The administrator sends a welcome letter to users to tell them about Office 365 and to describe how to
sign in to their new mailboxes.

Ready to run a cutover migration?


Follow the steps in the sections below.

Prepare for a cutover migration


Before you migrate mailboxes to Office 365 by using a cutover migration, there are a few changes to your
Exchange Server environment you must complete first.

NOTE
If you have turned on directory synchronization, you need to turn it off before you can perform a cutover migration. You
can do this by using PowerShell. For instructions, see Turn off directory synchronization for Office 365.

1. Configure Outlook Anywhere on your on-premises Exchange Server: The email migration service uses
Outlook Anywhere (also known as RPC over HTTP) to connect to your on-premises Exchange Server.
Outlook Anywhere is automatically configured for Exchange 2013. For information about how to set up
Outlook Anywhere for Exchange 2010, Exchange 2007, and Exchange 2003, see the following:
Exchange 2010: Enable Outlook Anywhere
Exchange 2007: How to Enable Outlook Anywhere
How to configure Outlook Anywhere with Exchange 2003
2. You must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere
configuration in order for Office 365 to run a cutover migration. For cutover migration you will need to add the
Outlook Anywhere and Autodiscover services to your certificate. For instructions on how to set up certificates,
see:
Add an SSL certificate to Exchange 2013
Add an SSL certificate to Exchange 2010
Add an SSL certificate to Exchange 2007
3. Optional: Verify that you can connect to your Exchange organization using Outlook Anywhere: Try
one of the following methods to test your connection settings.
Use Outlook from outside your corporate network to connect to your on-premises Exchange mailbox.
Use the Microsoft Exchange Remote Connectivity Analyzer to test your connection settings. Use the
Outlook Anywhere (RPC over HTTP) or Outlook Autodiscover tests.
Wait for the connection to automatically be tested when you connect Office 365 to your email system later
in this procedure.
4. Set permissions: The on-premises user account that you use to connect to your on-premises Exchange
organization (also called the migration administrator) must have the necessary permissions to access the
on-premises mailboxes that you want to migrate to Office 365. This user account is used when you
connect Office 365 to your email system later in this procedure.
5. To migrate the mailboxes, the admin must have one of the following permissions:
The migration administrator must be assigned the FullAccess permission for each on-premises mailbox.
or
The migration administrator must be assigned the Receive As permission on the on-premises mailbox
database that stores user mailboxes.
For instructions about how to set these permissions, see Assign Exchange permissions to migrate
mailboxes to Office 365.
6. Disable Unified Messaging (UM): If UM is turned on for the on-premises mailboxes you're migrating,
turn off UM before migration. Turn on UM for the mailboxes after migration is complete.
7. Create security groups and clean up delegates: Because the email migration service can't detect
whether on-premises Active Directory groups are security groups, it can't provision any migrated groups
as security groups in Office 365. If you want to have security groups in Office 365, you must first provision
an empty mail-enabled security group in Office 365 before starting the cutover migration.
Additionally, this migration method only moves mailboxes, mail users, mail contacts, and mail-enabled
groups. If any other Active Directory object, such as a user mailbox that is not migrated to Office 365, is
assigned as a manager or delegate to an object being migrated, you must remove it from the object
before migration.
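
The two permission options from the Set permissions step, written as commands for a dedicated migration account, with a check of what the account actually holds and the revocation to run once the migration batch has been deleted. This is an added example, not part of the original article: the account name CONTOSO\svc-migration and the three function names are hypothetical, and it assumes the on-premises Exchange Management Shell with PowerShell 2.0 or later.

```powershell
# Added example. Run in the on-premises Exchange Management Shell.
# Hypothetical value: a dedicated account used only for the migration.
$MigrationAdmin = 'CONTOSO\svc-migration'

function Grant-MigrationAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $User,
        # Database: Receive As on every mailbox database.
        # Mailbox:  FullAccess on every mailbox, one ACL entry per mailbox.
        [ValidateSet('Database', 'Mailbox')] [string] $Scope = 'Database'
    )
    if ($Scope -eq 'Database') {
        foreach ($db in Get-MailboxDatabase) {
            Add-ADPermission -Identity $db.DistinguishedName -User $User -ExtendedRights Receive-As
        }
    } else {
        foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
            Add-MailboxPermission -Identity $mbx.DistinguishedName -User $User `
                -AccessRights FullAccess -InheritanceType All
        }
    }
}

function Get-MigrationAccess {
    # Lists every allow entry the account holds, explicit or inherited.
    param([Parameter(Mandatory = $true)] [string] $User)
    foreach ($db in Get-MailboxDatabase) {
        Get-ADPermission -Identity $db.DistinguishedName -User $User |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'Receive-As') } |
            Select-Object @{n='Target';e={$db.DistinguishedName}},
                          @{n='Right';e={'Receive-As'}}, User, IsInherited
    }
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-MailboxPermission -Identity $mbx.DistinguishedName -User $User |
            Where-Object { -not $_.Deny -and ($_.AccessRights -like 'FullAccess') } |
            Select-Object @{n='Target';e={$mbx.DistinguishedName}},
                          @{n='Right';e={'FullAccess'}}, User, IsInherited
    }
}

function Revoke-MigrationAccess {
    # Removes only the explicit entries; inherited ones must be removed at their source.
    param([Parameter(Mandatory = $true)] [string] $User)
    Get-MigrationAccess -User $User | Where-Object { -not $_.IsInherited } | ForEach-Object {
        if ($_.Right -eq 'Receive-As') {
            Remove-ADPermission -Identity $_.Target -User $User `
                -ExtendedRights Receive-As -Confirm:$false
        } else {
            Remove-MailboxPermission -Identity $_.Target -User $User `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }
    }
}

Grant-MigrationAccess -User $MigrationAdmin -Scope Database
Get-MigrationAccess   -User $MigrationAdmin | Format-Table -AutoSize
# After the cutover migration batch has been deleted:
# Revoke-MigrationAccess -User $MigrationAdmin
```

Either grant lets the account read every mailbox in scope, so the output of Get-MigrationAccess is worth keeping with the migration records until the revocation has been run.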

Step 1: Verify you own the domain


During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-premises mailbox is used to
create the email address for a new Office 365 mailbox. To run a cutover migration, the on-premises domain must
be a verified domain in your Office 365 organization.
1. Sign in to Office 365 with your work or school account.
2. Choose Setup > Domains.
3. On the Domains page, click Add domain to start the domain wizard.

4. On the Add a domain page, type in the domain name (for example, Contoso.com) you use for your on-
premises Exchange organization, and then choose Next.
5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records are managed by
GoDaddy) or Add a TXT record instead for any other registrars > Next.
6. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify
ownership.
You can also find the instructions in Create DNS records for Office 365 when you manage your DNS
records.
After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.
7. In the Office 365 domain wizard, choose done, verify now, and you'll see a verification page. Choose
Finish.
If the verification fails at first, wait awhile, and try again.
Do not continue to the next step in the domain wizard. You now have verified that you own the on-
premises Exchange organization domain and are ready to continue with an email migration.

Step 2: Connect Office 365 to your email system


A migration endpoint contains the settings and credentials needed to connect the on-premises server that hosts
the mailboxes you're migrating with Office 365. The migration endpoint also defines the number of mailboxes to
migrate simultaneously. For a cutover migration, you'll create an Outlook Anywhere migration endpoint.
1. Go to the Exchange admin center.
2. In the Exchange admin center, go to Recipients > Migration.
3. Choose More > Migration endpoints.
4. On the Migration endpoints page, choose New.
5. On the Select the migration endpoint type page, choose Outlook Anywhere > Next.
6. On the Enter on-premises account credentials page, enter information in the following boxes:
Email address: Type the email address of any user in the on-premises Exchange organization that will be
migrated. Office 365 will test the connectivity to this user's mailbox.
Account with privileges: Type the username (domain\username format or an email address) for an
account that has the necessary administrative permissions in the on-premises organization. Office 365 will
use this account to detect the migration endpoint and to test the permissions assigned to this account by
attempting to access the mailbox with the specified email address.
Password of account with privileges: Type the password for the account with privileges that is the
administrator account.
7. Choose Next and do one of the following:
If Office 365 successfully connects to the source server, the connection settings are displayed. Choose
Next.

If the test connection to the source server isn't successful, provide the following information:
Exchange server: Type the fully qualified domain name (FQDN) for the on-premises Exchange Server.
This is the host name for your Mailbox server. For example, EXCH-SRV-01.corp.contoso.com.
RPC proxy server: Type the FQDN for the RPC proxy server for Outlook Anywhere. Typically, the proxy
server is the same as your Outlook Web App URL. For example, mail.contoso.com, which is also the URL
for the proxy server that Outlook uses to connect to an Exchange Server.
8. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint.
Leave the other two boxes blank to use the default values.
9. Choose New to create the migration endpoint.
To validate that Exchange Online is connected to the on-premises server, you can run the command in
Example 4 of Test-MigrationServerAvailability.

Step 3: Create the cutover migration batch


In a cutover migration, on-premises mailboxes are migrated to Office 365 in a single migration batch.
1. In the Exchange admin center, go to Recipients > Migration.
2. Choose New > Migrate to Exchange Online.

3. On the Select a migration type page, choose Cutover migration > next.
4. On the Confirm the migration endpoint page, the migration endpoint information is listed. Verify the
information and then choose next.

5. On the Move configuration page, type the name (cannot contain spaces or special characters) of the
migration batch, and then choose next. The batch name is displayed in the list of migration batches on the
Migration page after you create the migration batch.
6. On the Start the batch page, choose one of the following:
Automatically start the batch: The migration batch is started as soon as you save the new migration
batch with a status of Syncing.
Manually start the batch later: The migration batch is created but is not started. The status of the batch
is set to Created. To start a migration batch, select it on the migration dashboard, and then choose Start.
7. Choose new to create the migration batch.
The new migration batch is displayed on the migration dashboard.

Step 4: Start the cutover migration batch


If you created a migration batch and configured it to be started manually, you can start it by using the Exchange
admin center.
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch and then choose Start.
3. If a migration batch starts successfully, its status on the migration dashboard changes to Syncing.

Verify the synchronization worked


You'll be able to follow the sync status on the migration dashboard. If there are errors, you can view a log
file that gives you more information about them.
You can also verify that the users get created in the Office 365 admin center as the migration proceeds.
After the migration is done, the sync status is Synced.
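
Steps 2 through 4 and the sync check above can also be run from Exchange Online PowerShell. The following is an added example, not the article's own script: it assumes a session that is already connected to Exchange Online, and the mailbox address, endpoint name, batch name, and concurrency value are placeholders.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session.
# Placeholder values, constructed for illustration:
$TestMailbox  = 'user1@contoso.com'   # any on-premises mailbox that will be migrated
$EndpointName = 'CutoverEndpoint'
$BatchName    = 'CutoverBatch1'       # no spaces or special characters

# Prompt for the migration administrator so no password is stored in the script.
$Credentials = Get-Credential

# Step 2: test Outlook Anywhere connectivity and mailbox access through Autodiscover.
$testParams = @{
    ExchangeOutlookAnywhere = $true
    Autodiscover            = $true
    EmailAddress            = $TestMailbox
    Credentials             = $Credentials
}
$test = Test-MigrationServerAvailability @testParams
if ("$($test.Result)" -ne 'Success') {
    throw "Connection test failed: $($test.Message)"
}

# Create the endpoint from the detected settings. The concurrency value is a
# placeholder; omit the parameter to keep the default.
$endpointParams = @{
    ExchangeOutlookAnywhere = $true
    Name                    = $EndpointName
    ConnectionSettings      = $test.ConnectionSettings
    MaxConcurrentMigrations = 10
}
$endpoint = New-MigrationEndpoint @endpointParams

# Step 3: create the batch without starting it (status Created).
New-MigrationBatch -Name $BatchName -SourceEndpoint $endpoint.Identity | Out-Null

# Step 4: start it explicitly (status changes to Syncing).
Start-MigrationBatch -Identity $BatchName

# Verify: overall batch state, then any mailboxes that failed to sync.
Get-MigrationBatch -Identity $BatchName |
    Format-List Identity, Status, TotalCount, SyncedCount, FailedCount, LastSyncedDateTime
Get-MigrationUser -BatchId $BatchName -Status Failed |
    Format-Table Identity, Status, ErrorSummary -AutoSize
```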

Optional: Reduce email delays


Although this task is optional, doing it can help avoid delays in receiving email in the new Office 365
mailboxes.
When people outside of your organization send you email, their email systems don't double-check where to send
that email every time. Instead, their systems save the location of your email system based on a setting in your
DNS server known as a time-to-live (TTL). If you change the location of your email system before the TTL
expires, the sender's email system tries to send email to the old location before figuring out that the location
changed. This location change can result in a mail delivery delay. One way to avoid this is to lower the TTL that
your DNS server gives to servers outside of your organization. This will make the other organizations refresh the
location of your email system more often.
Most email systems ask for an update each hour if a short interval such as 3,600 seconds (one hour) is set. We
recommend that you set the interval at least this low before you start the email migration. This setting allows all
the systems that send you email enough time to process the change. Then, when you make the final switch over
to Office 365, you can change the TTL back to a longer interval.
The place to change the TTL setting is on your email system's MX record. This lives on your public-facing DNS
system. If you have more than one MX record, you need to change the value on each record to 3,600 seconds or
less.
If you need some help configuring your DNS settings, see Create DNS records for Office 365 when you manage
your DNS records.

Step 5: Route your email directly to Office 365


Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email
migration process, your MX record was pointing to your source email system. Now that the email migration to
Office 365 is complete, it's time to point your MX record at Office 365. This helps make sure that email is
delivered to your Office 365 mailboxes. Moving the MX record will also let you turn off your old email system
when you're ready.
For many DNS providers, there are specific instructions to change your MX record. If your DNS provider isn't
included, or if you want to get a sense of the general directions, general MX record instructions are provided as
well.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX
record. Wait at least 72 hours before you proceed to the next task: Delete the cutover migration batch.

Step 6: Delete the cutover migration batch


After you change the MX record and verify that all email is being routed to Office 365 mailboxes, notify the users
that their mail is going to Office 365. After this you can delete the cutover migration batch. Verify the following
before you delete the migration batch.
All users are using Office 365 mailboxes. After the batch is deleted, mail sent to mailboxes on the on-
premises Exchange Server isn't copied to the corresponding Office 365 mailboxes.
Office 365 mailboxes were synchronized at least once after mail began being sent directly to them. To do
this, make sure that the value in the Last Synced Time box for the migration batch is more recent than
when mail started being routed directly to Office 365 mailboxes.
When you delete a cutover migration batch, the migration service cleans up any records related to the migration
batch and then deletes the migration batch. The batch is removed from the list of migration batches on the
migration dashboard.
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then choose Delete.

NOTE
It can take a few minutes for the batch to be removed.

3. In the Exchange admin center, go to Recipients > Migration.


4. Verify that the migration batch is no longer listed on the migration dashboard.
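
The conditions listed in this step (batch synced, last sync newer than the MX change, and the 72-hour wait from Step 5) can be checked before the batch is deleted. This is an added example, not part of the original article: the function name, batch name, and cutover timestamp are hypothetical, and it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session.
function Test-CutoverBatchReadyToDelete {
    param(
        [Parameter(Mandatory = $true)] [string]   $BatchName,
        # When the MX record was changed to point at Office 365 (supplied by the operator).
        [Parameter(Mandatory = $true)] [datetime] $MxCutoverTime,
        [int] $MinHoursSinceCutover = 72
    )
    $batch    = Get-MigrationBatch -Identity $BatchName -ErrorAction Stop
    $problems = @()

    if ("$($batch.Status)" -ne 'Synced') {
        $problems += "Batch status is '$($batch.Status)', expected 'Synced'."
    }
    if ($batch.FailedCount -gt 0) {
        $problems += "$($batch.FailedCount) mailbox(es) failed to sync."
    }
    # Assumption: LastSyncedDateTime and $MxCutoverTime are expressed in the same time zone.
    if (-not $batch.LastSyncedDateTime) {
        $problems += 'The batch has no recorded sync time.'
    } elseif ($batch.LastSyncedDateTime -le $MxCutoverTime) {
        $problems += "Last sync ($($batch.LastSyncedDateTime)) is not later than the MX change ($MxCutoverTime)."
    }
    $hours = ((Get-Date) - $MxCutoverTime).TotalHours
    if ($hours -lt $MinHoursSinceCutover) {
        $problems += ('Only {0:N0} hours since the MX change; wait at least {1}.' -f $hours, $MinHoursSinceCutover)
    }

    New-Object PSObject -Property @{
        BatchName = $BatchName
        Ready     = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample values.
$check = Test-CutoverBatchReadyToDelete -BatchName 'CutoverBatch1' -MxCutoverTime '2019-03-04 18:00'
if ($check.Ready) {
    Remove-MigrationBatch -Identity $check.BatchName   # prompts for confirmation
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```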

Step 7: Assign licenses to Office 365 users


Activate Office 365 user accounts for the migrated accounts by assigning licenses: If you don't assign a
license, the mailbox is disabled when the grace period ends (30 days). To assign a license in the Office 365 admin
center, see Assign licenses to users in Office 365 for business.

Complete post migration tasks


After migrating mailboxes to Office 365, there are post-migration tasks that must be completed.
1. Create an Autodiscover DNS record so users can easily get to their mailboxes: After all on-
premises mailboxes are migrated to Office 365, you can configure an Autodiscover DNS record for your
Office 365 organization to enable users to easily connect to their new Office 365 mailboxes with Outlook
and mobile clients. This new Autodiscover DNS record has to use the same namespace that you're using
for your Office 365 organization. For example, if your cloud-based namespace is cloud.contoso.com, the
Autodiscover DNS record you need to create is autodiscover.cloud.contoso.com.
If you keep your Exchange Server, you should also make sure that the Autodiscover DNS CNAME record
points to Office 365 in both internal and external DNS after the migration so that the Outlook client will
connect to the correct mailbox. Replace <ServerName> with the name of the Client Access server and
run the following command in the Exchange Management Shell to prevent client connections to the server.
You'll need to run the command on every Client Access server.

Set-ClientAccessServer -Identity <ServerName> -AutoDiscoverServiceInternalUri $null

Office 365 uses a CNAME record to implement the Autodiscover service for Outlook and mobile clients.
The Autodiscover CNAME record must contain the following information:
Alias: autodiscover
Target: autodiscover.outlook.com
For more information, see Create DNS records for Office 365 when you manage your DNS records.
2. Decommission on-premises Exchange Servers: After you've verified that all email is being routed
directly to the Office 365 mailboxes, and you no longer need to maintain your on-premises email organization
or don't plan on implementing a single sign-on solution, you can uninstall Exchange from your servers and
remove your on-premises Exchange organization.
For more information, see the following:
Modify or Remove Exchange 2010
How to Remove an Exchange 2007 Organization
How to Uninstall Exchange Server 2003

NOTE
Decommissioning Exchange can have unintended consequences. Before decommissioning your on-premises
Exchange organization, we recommend that you contact Microsoft Support.
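
The two DNS conditions this article relies on, an MX TTL of 3,600 seconds or less before the switch and an Autodiscover CNAME that targets autodiscover.outlook.com afterward, can be checked from a Windows client. This is an added example, not part of the original article: the function name, domain, and name server are hypothetical, and it assumes the DnsClient module (Resolve-DnsName).

```powershell
# Added example. Requires the DnsClient module (Resolve-DnsName).
function Test-MigrationDns {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        # Query a name server that is authoritative for the zone: a caching
        # resolver reports the remaining TTL, not the configured one.
        [Parameter(Mandatory = $true)] [string] $NameServer,
        [int]    $MaxTtlSeconds      = 3600,
        [string] $AutodiscoverTarget = 'autodiscover.outlook.com'
    )

    # MX records: every record must carry a TTL at or below the limit.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $NameServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'MX' })
    if ($mx.Count -eq 0) {
        [pscustomobject]@{ Check = 'MX TTL'; Record = $Domain; Value = 'no MX record'; Pass = $false }
    }
    foreach ($r in $mx) {
        [pscustomobject]@{
            Check  = 'MX TTL'
            Record = "$($r.NameExchange) (preference $($r.Preference))"
            Value  = $r.TTL
            Pass   = ($r.TTL -le $MaxTtlSeconds)
        }
    }

    # Autodiscover: must be a CNAME whose target is the Office 365 Autodiscover host.
    $name  = "autodiscover.$Domain"
    $cname = @(Resolve-DnsName -Name $name -Type CNAME -Server $NameServer -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' })
    if ($cname.Count -eq 0) {
        [pscustomobject]@{ Check = 'Autodiscover CNAME'; Record = $name; Value = 'no CNAME record'; Pass = $false }
    } else {
        $target = $cname[0].NameHost.TrimEnd('.')
        [pscustomobject]@{
            Check  = 'Autodiscover CNAME'
            Record = $name
            Value  = $target
            Pass   = ($target -eq $AutodiscoverTarget)
        }
    }
}

# Constructed sample values: run once against the external name server and once
# against the internal one, since the CNAME must be correct in both.
Test-MigrationDns -Domain 'contoso.com' -NameServer 'ns1.contoso.com' | Format-Table -AutoSize
```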

See also
Ways to migrate email to Office 365
Decide on a migration path
What you need to know about a staged email migration to Office 365
3/5/2019

As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system
to Office 365. When you do this over time, it's called a staged migration. A staged migration is recommended
when:
Your source email system is Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007.

NOTE
Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 are out of support. Support for Exchange
2003 ended on April 8, 2014. Support for Exchange 2007 ended on April 11, 2017.

NOTE
You can't use a staged migration to migrate Exchange 2013 or Exchange 2010 mailboxes to Office 365. Consider
using a cutover migration or a hybrid email migration instead.

You have more than 2,000 mailboxes.


If a staged email migration won't work for you, see Ways to migrate email to Office 365 for other options.

Things to consider
Here are a few items to be aware of:
You must synchronize accounts between your on-premises Active Directory domain and Office 365 by
using Azure Active Directory sync for a staged migration to work.
The primary domain name used for your on-premises Exchange organization must be a domain verified to
your Office 365 organization.
You can migrate only user mailboxes and resource mailboxes. Other recipient types, such as distribution
groups, contacts, and mail-enabled users are migrated to Office 365 through the process of directory
synchronization.
Out of Office messages aren't migrated with user mailboxes. If a user turns on the Out of Office feature
before the migration, the feature will remain enabled on the migrated mailbox, but the Out of Office
message is blank. People who send messages to the mailbox won't receive an Out of Office notification. To
allow Out of Office notifications to be sent, the user needs to recreate the Out of Office message after the
mailbox is migrated.
If you limited the connections to your source email system, it's a good idea to increase them to improve
migration performance. Common connection limits include client/server total connections, per-user
connections, and IP address connections on either the server or the firewall. If you didn't limit these
connections, you can skip this task.

Impact of migration to users


Administrators can access email: To migrate email, you need access to the user mailboxes in your source
email system.
Users must create new Outlook profiles: After the mailboxes are migrated and the on-premises
accounts are converted to mail-enabled accounts, the users must create a new Office 365 profile in
Outlook, and then Outlook automatically connects to Office 365.

How does staged migration work?


The main steps you perform for a staged migration, and the results for your users, are shown in the following
illustration.

Here's a description of the staged migration shown in the illustration.


1. The administrator synchronizes the list of users between their on-premises environment and Office 365.
See how-to steps in Prepare for a staged migration.
2. The administrator creates a comma-separated value (CSV) file that contains a row for each user whose
on-premises mailbox will be migrated in the migration batch.
See how-to steps in Create a list of mailboxes to migrate.
3. The administrator creates and runs a staged migration batch by using the migration dashboard in the
Exchange admin center.
See how-to steps in Connect Office 365 to your email system, Migrate your mailboxes, and Start the staged
migration batch.
After the administrator starts the migration batch, Exchange Online does the following:
Verifies that directory synchronization is enabled.
Checks that a mail-enabled user exists in the Office 365 organization for each user listed in the CSV file.
Mail-enabled users are created in Office 365 as a result of the directory synchronization process.
Converts the Office 365 mail-enabled user to an Exchange Online mailbox for each user in the migration
batch.
Begins initial synchronization. Exchange Online processes up to N migration requests at one time. N
represents the maximum number of concurrent migrations that the administrator specified when creating
the migration endpoint used for the migration batch. By default, initial synchronization is performed on 20
mailboxes at a time until all mailboxes in the migration batch are migrated.
Configures mail forwarding. The TargetAddress property on the on-premises mailbox is configured with
the email address of the Exchange Online mailbox. This process means that mail sent to the on-premises
mailbox is forwarded to the corresponding Exchange Online mailbox.
4. After it creates the Exchange Online mailbox and configures mail forwarding for each user in the CSV file,
Exchange Online sends a status email message to the administrator. This status message lists the number
of mailboxes that were successfully migrated and how many couldn't be migrated. The message also
includes links to migration statistics and error reports that contain more detailed information. At this point,
users can start using their Exchange Online mailboxes.
5. As part of initial synchronization, Exchange Online then migrates all email messages, contacts, and calendar
items from the on-premises mailboxes to Exchange Online mailboxes. Exchange Online sends a final
migration report when the data migration is complete.
6. After a migration batch is complete and the administrator verifies that all mailboxes in the batch are
successfully migrated, the administrator can convert the on-premises mailboxes to mail-enabled users.
See how-to steps in Convert on-premises mailboxes to mail-enabled users so that migrated users can get
to their email.
7. If a user opens their mailbox with Outlook, the Autodiscover service tries to connect to the on-premises
mailbox. After you convert on-premises mailboxes to mail-enabled users, the Autodiscover service uses the
mail-enabled user to connect Outlook to the Exchange Online mailbox after the user creates a new Outlook
profile.
8. The administrator creates additional migration batches, submitting a CSV file for each one.
9. The administrator runs additional migration batches.
10. The administrator resolves any issues. After all on-premises mailboxes in a batch are successfully migrated,
the administrator deletes the migration batch.
See how-to steps in Delete the staged migration batch.
11. Users can use their Exchange Online mailboxes.
12. The administrator, to complete the transition to Exchange Online and Office 365, performs post-
configuration tasks such as:
Assign licenses to Office 365 users.
Configure the MX record to point to your Office 365 organization so that email is delivered directly to
Exchange Online mailboxes.
Create an Autodiscover Domain Name System (DNS) record for your Office 365 organization.
See how-to steps in Route your email directly to Office 365 and Complete post migration tasks.
The administrator can decommission the on-premises Exchange Servers (optional).

NOTE
If you implement a single sign-on solution, it is strongly recommended that you maintain at least one Exchange
Server so that you can access Exchange System Manager (Exchange 2003) or the Exchange Management
Console/Exchange Management Shell (Exchange 2007) to manage mail-related attributes on the on-premises mail-
enabled users. For Exchange 2007, the Exchange Server that you maintain should have the Hub Transport, Client
Access, and Mailbox server roles installed.

Ready to start?
If you're comfortable setting up a migration to Office 365, here are the tasks that need to be done.
Using either Microsoft Azure Active Directory Synchronization Tool or Microsoft Azure Active Directory
Sync Services (AAD Sync) to synchronize and create your on-premises users in Office 365.
Configuring Exchange Server by using the Exchange admin center.
Changing your organization's MX record to point to Office 365 when the migration is complete. Your MX
record is how other mail systems find the location of your email system. Changing your MX record allows
other mail systems to begin to send email directly to the new mailboxes in Office 365.
To finish a staged email migration successfully, it's a good idea to be comfortable doing these tasks:
You configure or verify that directory synchronization is working.
You configure or verify that Outlook Anywhere is working.
You create one or more lists of mailboxes to migrate in Excel.
You use step-by-step wizards in Office 365 to configure and start the migration process.
You add or change your organization's DNS records, such as the Autodiscover and MX records.
You mail-enable on-premises mailboxes.
If you're ready to begin a staged email migration, you can use the steps given in Perform a staged migration of
email to Office 365.

See also
Ways to migrate email to Office 365
Use PowerShell to perform a staged migration to Office 365
Perform a staged migration of email to Office 365
3/29/2019 • 18 minutes to read

You can migrate the contents of user mailboxes from an Exchange 2003 or Exchange 2007 email system to
Office 365 over time by using a staged migration.
This article walks you through the tasks involved in a staged email migration. What you need to know
about a staged email migration to Office 365 gives you an overview of the migration process. When you're
comfortable with the contents of that article, use this one to begin migrating mailboxes from one email system to
another.
For Windows PowerShell steps, see Use PowerShell to perform a staged migration to Office 365.

Migration Tasks
Here are the tasks to do when you're ready to get started with your staged migration.
1. Prepare for a staged migration
2. Verify you own the domain
3. Use directory synchronization to create users in Office 365
4. Create a list of mailboxes to migrate
5. Connect Office 365 to your email system
6. Migrate your mailboxes
7. Start the staged migration batch
8. Convert on-premises mailboxes to mail-enabled users so that migrated users can get to their email
9. Route your email directly to Office 365
10. Delete the staged migration batch
11. Complete post migration tasks

Prepare for a staged migration


Before you migrate mailboxes to Office 365 by using a staged migration, there are a few changes you must make
first to your Exchange Server environment.
To prepare for a staged migration
1. Configure Outlook Anywhere on your on-premises Exchange Server: The email migration service uses
Outlook Anywhere (also known as RPC over HTTP) to connect to your on-premises Exchange Server. For
information about how to set up Outlook Anywhere for Exchange 2007 and Exchange 2003, see the
following:
Exchange 2007: How to Enable Outlook Anywhere
How to configure Outlook Anywhere with Exchange 2003
IMPORTANT
You must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere
configuration. Outlook Anywhere can't be configured with a self-signed certificate. For more information, see How
to configure SSL for Outlook Anywhere.

2. (Optional) Verify that you can connect to your Exchange organization using Outlook Anywhere: Try
one of the following methods to test your connection settings.
Use Outlook from outside your corporate network to connect to your on-premises Exchange mailbox.
Use the Microsoft Exchange Remote Connectivity Analyzer to test your connection settings. Use the
Outlook Anywhere (RPC over HTTP) or Outlook Autodiscover tests.
Wait for the connection to automatically be tested when you Connect Office 365 to your email system later
in this procedure.
3. Set permissions: The on-premises user account that you use to connect to your on-premises Exchange
organization (also called the migration administrator) must have the necessary permissions to access the
on-premises mailboxes that you want to migrate to Office 365. This user account is used when you
Connect Office 365 to your email system later in this procedure.
4. To migrate the mailboxes, the admin must have one of the following permission sets:
Be assigned the FullAccess permission for each on-premises mailbox and be assigned the
WriteProperty permission to modify the TargetAddress property on the on-premises user accounts.
or
Be assigned the Receive As permission on the on-premises mailbox database that stores user mailboxes,
and the WriteProperty permission to modify the TargetAddress property on the on-premises user
accounts.
For instructions about how to set these permissions, see Assign Exchange permissions to migrate
mailboxes to Office 365.
5. Disable Unified Messaging (UM): If UM is turned on for the on-premises mailboxes you're migrating, turn
off UM before migration. Turn on UM for the mailboxes after migration is complete. For how-to steps, see
disable unified messaging.

Verify you own the domain


During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-premises mailbox is used to
create the email address for a new Office 365 mailbox. To run a staged migration, the on-premises domain must
be verified as a domain you own in your Office 365 organization.
Use the domains wizard to verify you own the on-premises domain
1. Sign in to Office 365 with your work or school account.

NOTE
You must be a global admin in Office 365 to complete these steps.

2. Choose Setup > Domains.


3. On the Manage domains page, click Add domain to start the domain wizard.
4. On the Add a domain to Office 365 page, choose Specify a domain name and confirm ownership.
5. Type the domain name (for example, Contoso.com) you use for your on-premises Exchange organization,
and then choose Next.
6. On the confirm that you own <your domain name> page, select your Domain Name System (DNS)
hosting provider from the list or select General Instructions, if applicable.
7. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify
domain ownership.
You can also find the TXT or MX value specific to your Office 365 tenant by following instructions in
Gather the information you need to create Office 365 DNS records.
After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.
8. In the Office 365 domain wizard choose done, verify now, and you should see a verification page.
Choose Finish.
If you do not see the verification page, wait a while and try again.
Do not continue to the next step in the domain wizard. You now have verified that you own the on-
premises Exchange organization domain, and are ready to continue with an email migration.

Use directory synchronization to create users in Office 365


You use directory synchronization to create all the on-premises users in your Office 365 organization.
You will need to license the users after they're created. You have 30 days to add licenses after the users are
created. For steps to add licenses, see Complete post migration tasks.
To create new users
You can use either the Microsoft Azure Active Directory Synchronization Tool or the Microsoft Azure Active
Directory Sync Services (AAD Sync) to synchronize and create your on-premises users in Office 365. After
mailboxes are migrated to Office 365, you'll manage user accounts in your on-premises organization and
they're synchronized with your Office 365 organization. For more information, see Directory Integration.

Create a list of mailboxes to migrate


After you identify the users whose on-premises mailboxes you want to migrate to Office 365, you'll use a
comma-separated value (CSV) file to create a migration batch. Each row in the CSV file, which Office 365 uses
to run the migration, contains information about an on-premises mailbox.

NOTE
There isn't a limit for the number of mailboxes that you can migrate to Office 365 using a staged migration. The CSV file for
a migration batch can contain a maximum of 2,000 rows. To migrate more than 2,000 mailboxes, create additional CSV files
and use each file to create a new migration batch.

Supported attributes
The CSV file for a staged migration supports the following three attributes. Each row in the CSV file corresponds
to a mailbox and must contain a value for each of these attributes.
| ATTRIBUTE | DESCRIPTION | REQUIRED? |
| --- | --- | --- |
| EmailAddress | Specifies the primary SMTP email address, for example, pilarp@contoso.com, for on-premises mailboxes. Use the primary SMTP address for on-premises mailboxes and not user IDs from Office 365. For example, if the on-premises domain is named contoso.com but the Office 365 email domain is named service.contoso.com, you would use the contoso.com domain name for email addresses in the CSV file. | Required |
| Password | The password to be set for the new Office 365 mailbox. Any password restrictions that are applied to your Office 365 organization also apply to the passwords included in the CSV file. | Optional |
| ForceChangePassword | Specifies whether a user must change the password the first time they sign in to their new Office 365 mailbox. Use True or False for the value of this parameter. Note that if you've implemented a single sign-on solution by deploying Active Directory Federation Services (AD FS) 2.0 or greater in your on-premises organization, you must use False for the value of the ForceChangePassword attribute. | Optional |

CSV file format


Here's an example of the format for the CSV file. In this example, three on-premises mailboxes are migrated to
Office 365.
The first row, or header row, of the CSV file lists the names of the attributes, or fields, specified in the rows that
follow. Each attribute name is separated by a comma.

EmailAddress,Password,ForceChangePassword
pilarp@contoso.com,Pa$$w0rd,False
tobyn@contoso.com,Pa$$w0rd,False
briant@contoso.com,Pa$$w0rd,False

Each row under the header row represents one user and supplies the information that will be used to migrate the
user's mailbox. The attribute values in each row must be in the same order as the attribute names in the header
row.
Use any text editor, or an application like Excel, to create the CSV file. Save the file as a .csv or .txt file.
NOTE
If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8 or other Unicode encoding. Depending
on the application, saving the CSV file with UTF-8 or other Unicode encoding may be easier when the system locale of the
computer matches the language used in the CSV file.

Connect Office 365 to your email system


A migration endpoint contains the settings and credentials needed to connect the on-premises server that hosts
the mailboxes you're migrating with Office 365. For a staged migration, you create an Outlook Anywhere
migration endpoint. One migration endpoint is created to use for all of your migration batches.
To create a migration endpoint
1. Go to the Exchange admin center.
2. In the Exchange admin center, go to Recipients > Migration.
3. Choose More > Migration endpoints.

4. On the Migration endpoints page, choose New.


5. On the Select the migration endpoint type page, choose Outlook Anywhere > Next.
6. On the Enter on-premises account credentials page, enter the following information:
Email address: Type the email address of any user in the on-premises Exchange organization that will be
migrated. Office 365 will test the connectivity to this user's mailbox.
Account with privileges: Type the username (domain\username format or an email address) for an
account that has the necessary administrative permissions in the on-premises organization. Office 365 will
use this account to detect the migration endpoint and to test the permissions assigned to this account by
attempting to access the mailbox with the specified email address.
Password of account with privileges: Type the password for the account with privileges that is the
administrator account.
7. Choose Next and then do one of the following:
If Office 365 successfully connects to the source server, the connection settings are displayed. Choose
Next.
If the test connection to the source server isn't successful, provide the following information:
Exchange server: Type the fully qualified domain name (FQDN) for the on-premises Exchange Server.
This is the host name for your Mailbox server; for example, EXCH-SRV-01.corp.contoso.com.
RPC proxy server: Type the FQDN for the RPC proxy server for Outlook Anywhere. Typically, the proxy
server is the same as your Outlook Web App URL. For example, mail.contoso.com, which is also the URL
for the proxy server that Outlook uses to connect to an Exchange Server.
8. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint.
Leave the other two boxes blank to use the default values.

9. Choose New to create the migration endpoint.


To validate that Exchange Online is connected to the on-premises server, you can run the command in
Example 4 of Test-MigrationServerAvailability.

Migrate your mailboxes


You create and then run a migration batch to migrate mailboxes to Office 365.
Create a staged migration batch
For a staged migration, you migrate mailboxes in batches—one batch for each CSV file you created.
To create a staged migration batch
1. In the Exchange admin center, navigate to Recipients > Migration.
2. Choose New > Migrate to Exchange Online.

3. On the Select a migration type page, choose Staged migration > next.
4. On the Select the users page, choose Browse and select the CSV file to use for this migration batch.
After you select a CSV file, Office 365 checks the CSV file to make sure that:
It isn't empty.
It uses comma-separated formatting.
It doesn't contain more than 2,000 rows.
It includes the required EmailAddress column in the header row.
All rows have the same number of columns as the header row.
If any one of these checks fails, you'll get an error that describes the reason for the failure. At this point,
you must fix any errors in the CSV file and resubmit it to create a migration batch. After the CSV file is
validated, the number of users listed in the CSV file is displayed as the number of mailboxes to migrate.
5. Choose next.
6. On the Confirm the migration endpoint page, verify the migration endpoint information that is listed
and then choose next.

7. On the Move configuration page, type the name (no spaces or special characters) of the migration batch,
and then choose next. This name is displayed in the list of migration batches on the Migration page after
you create the migration batch.
8. On the Start the batch page, choose one of the following:
Automatically start the batch: The migration batch is started as soon as you save the new migration
batch. The batch starts with a status of Syncing.
Manually start the batch later: The migration batch is created but not started. The status of the batch is
set to Created. To start a migration batch, select it on the migration dashboard and then choose Start.
9. Choose new to create the migration batch.
The new migration batch is displayed on the migration dashboard.
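
A pre-flight check for the CSV file format and the validation rules listed in step 4, as an added PowerShell example (not part of the original article or of Microsoft's tooling). Test-StagedMigrationCsv, its parameters and the sample rows are constructed for illustration; besides the documented checks, it flags the AD FS rule for ForceChangePassword and initial passwords shared between rows that are not forced to change.

```powershell
# Added example; the function and parameter names are hypothetical.
function Test-StagedMigrationCsv {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $OnPremisesDomain,      # primary on-premises SMTP domain (optional)
        [switch] $SingleSignOn,          # set when AD FS 2.0 or greater is deployed
        [int] $MaxRows = 2000            # documented per-batch limit
    )
    $allowed  = 'EmailAddress', 'Password', 'ForceChangePassword'
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $comma    = ',(?=(?:[^"]*"[^"]*")*[^"]*$)'   # commas outside double quotes

    $lines = @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() })
    if ($lines.Count -lt 2) {
        $findings.Add('File is empty or has no rows under the header.')
        return $findings
    }

    $header = @([regex]::Split($lines[0], $comma) | ForEach-Object { $_.Trim().Trim('"') })
    if ($header -notcontains 'EmailAddress') {
        $findings.Add('Header lacks the required EmailAddress column (is the file comma-separated?).')
        return $findings
    }
    foreach ($name in $header) {
        if ($allowed -notcontains $name) { $findings.Add("Unsupported column '$name' in header.") }
    }

    $rows = @($lines | Select-Object -Skip 1)
    if ($rows.Count -gt $MaxRows) {
        $findings.Add("$($rows.Count) rows exceed the limit of $MaxRows; split the batch.")
    }

    $unforced = New-Object 'System.Collections.Generic.List[string]'
    $n = 0
    foreach ($line in $rows) {
        $n++
        $fields = @([regex]::Split($line, $comma) | ForEach-Object { $_.Trim().Trim('"') })
        if ($fields.Count -ne $header.Count) {
            $findings.Add("Row ${n}: $($fields.Count) columns, header has $($header.Count).")
            continue
        }
        $row = @{}
        for ($i = 0; $i -lt $header.Count; $i++) { $row[$header[$i]] = $fields[$i] }

        $address = $row['EmailAddress']
        if ($address -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $findings.Add("Row ${n}: EmailAddress is missing or not an SMTP address.")
        } elseif ($OnPremisesDomain -and $address -notlike "*@$OnPremisesDomain") {
            $findings.Add("Row ${n}: $address is not in on-premises domain $OnPremisesDomain.")
        }

        $force = $row['ForceChangePassword']
        if ($force -and $force -notmatch '^(True|False)$') {
            $findings.Add("Row ${n}: ForceChangePassword must be True or False.")
        } elseif ($SingleSignOn -and $force -eq 'True') {
            $findings.Add("Row ${n}: ForceChangePassword must be False when AD FS single sign-on is used.")
        }
        # Never echo the password itself; only remember it for the reuse check.
        if ($row['Password'] -and $force -ne 'True') { $unforced.Add($row['Password']) }
    }

    $reused = @($unforced | Group-Object -CaseSensitive | Where-Object { $_.Count -gt 1 })
    if ($reused.Count -gt 0) {
        $total = ($reused | Measure-Object -Property Count -Sum).Sum
        $findings.Add("$total rows share an initial password without a forced change at first sign-in.")
    }
    if ($header -contains 'Password') {
        $findings.Add('File holds cleartext passwords: restrict access to it and remove it once the batch is created.')
    }
    $findings
}

# Constructed sample input (not real accounts), written to a temporary file.
$sample = @'
EmailAddress,Password,ForceChangePassword
pilarp@contoso.com,Pa$$w0rd,False
tobyn@contoso.com,Pa$$w0rd,False
briant@service.contoso.com,,True
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'staged-batch-sample.csv'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-StagedMigrationCsv -Path $tmp -OnPremisesDomain 'contoso.com' -SingleSignOn
Remove-Item -LiteralPath $tmp
```

An empty result means the file passed every check; each string returned is one finding to fix before you upload the file.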
Start the staged migration batch
If you created a migration batch and configured it to be manually started, you can start it by using the Exchange
Admin center.
To start a staged migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then choose Start.
3. If a migration batch starts successfully, its status on the migration dashboard changes to Syncing.

Verify the migration step worked


You'll be able to follow the sync status in the migration dashboard. If there is an issue, you can view a log file that
gives you more information about the errors.
You can also verify that the users get created in the Office 365 admin center as the migration proceeds.

Convert on-premises mailboxes to mail-enabled users so that migrated users can get to their email
After you have successfully migrated a batch of mailboxes, you need some way to let users get to their mail. A
user whose mailbox has been migrated now has both a mailbox on-premises and one in Office 365. Users who
have a mailbox in Office 365 will stop receiving new mail in their on-premises mailbox.
Because you are not done with your migrations, you are not yet ready to direct all users to Office 365 for their
email. So what do you do for those people who have both? What you can do is change the on-premises
mailboxes that you've already migrated to mail-enabled users. When you change from a mailbox to a mail-
enabled user, you can direct the user to Office 365 for their email instead of going to their on-premises mailbox.
Another important reason to convert on-premises mailboxes to mail-enabled users is to retain proxy addresses
from the Exchange Online mailboxes by copying proxy addresses to the mail-enabled users. This lets you manage
cloud-based users from your on-premises organization by using Active Directory. Also, if you decide to
decommission your on-premises Exchange organization after all mailboxes are migrated to Exchange Online, the
proxy addresses you've copied to the mail-enabled users will remain in your on-premises Active Directory.
For more information and to download scripts that you can run to convert mailboxes to mail-enabled users, see
the following:
Convert Exchange 2007 mailboxes to mail-enabled users
Convert Exchange 2003 mailboxes to mail-enabled users

Optional: Repeat migration steps


You can run batches simultaneously or one by one. Do what is convenient for your schedule and ability to help
people as they complete their migration. Remember, each migration batch has a limit of 2,000 mailboxes.
When you're done migrating everyone to Office 365, you'll be ready to start sending email directly to Office 365
and decommissioning your old email system.

Optional: Reduce email delays


You don't need to do this task, but if you skip it, it might take longer for email to start showing up in the new
Office 365 mailboxes.
When people outside of your organization send you email, their email systems don't double-check where to send
that email every time. Instead, their systems save the location of your email system based on a setting in your
DNS server known as a time-to-live (TTL). If you change the location of your email system before the TTL
expires, they'll try to send you email at the old location first before figuring out that the location changed. This can
result in a mail delivery delay. One way to avoid this is to lower the TTL that your DNS server gives to servers
outside of your organization. This will make the other organizations refresh the location of your email system
more often.
Using a short interval, such as 3,600 seconds (one hour) or less, means that most email systems will ask for an
updated location every hour. We recommend that you set the interval at least this low before you start the email
migration. This allows all the systems that send you email enough time to process the change. Then, when you
make the final switch over to Office 365, you can change the TTL back to a longer interval.
The place to change the TTL setting is on your email system's mail exchanger record, also called an MX record.
This lives on your public facing DNS system. If you have more than one MX record, you need to change the value
on each record to 3,600 or less.
If you need some help configuring your DNS settings, see Create DNS records at any DNS hosting
provider for Office 365.
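
The TTL check described above, as an added PowerShell example (not part of the original article). It assumes a Windows host with the Resolve-DnsName cmdlet from the DnsClient module; the function names and the sample records are constructed for illustration. The live lookup asks the domain's authoritative name servers directly, because a recursive resolver reports only the time remaining in its cache rather than the TTL you configured.

```powershell
# Added example. Function names are hypothetical; Resolve-DnsName is the
# cmdlet from the Windows DnsClient module.

# Pure check: return the MX records whose TTL exceeds the limit
# (3,600 seconds is the value recommended in the text).
function Select-LongTtlMx {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Records,
        [int] $MaxTtlSeconds = 3600
    )
    $Records |
        Where-Object { $_.NameExchange -and [int]$_.TTL -gt $MaxTtlSeconds } |
        Select-Object NameExchange, Preference, TTL
}

# Live lookup: query every authoritative name server without recursion,
# so the TTL returned is the one set in the zone.
function Get-AuthoritativeMx {
    param([Parameter(Mandatory = $true)] [string] $Domain)

    $nameServers = Resolve-DnsName -Name $Domain -Type NS -DnsOnly |
        Where-Object { $_.NameHost } |
        Select-Object -ExpandProperty NameHost -Unique

    foreach ($ns in $nameServers) {
        Resolve-DnsName -Name $Domain -Type MX -Server $ns -DnsOnly -NoRecursion |
            Where-Object { $_.NameExchange } |
            Select-Object @{ n = 'Server'; e = { $ns } }, NameExchange, Preference, TTL
    }
}

# Constructed sample records, shaped like the MX output of Resolve-DnsName.
$sample = @(
    [pscustomobject]@{ NameExchange = 'mail.contoso.com';  Preference = 10; TTL = 86400 }
    [pscustomobject]@{ NameExchange = 'mail2.contoso.com'; Preference = 20; TTL = 3600 }
)
Select-LongTtlMx -Records $sample      # offline check on the sample records

# Live check against your own domain (replace the placeholder domain):
# Select-LongTtlMx -Records (Get-AuthoritativeMx -Domain 'contoso.com')
```

Any record returned still carries a TTL above the limit and needs to be lowered before the cutover.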

Route your email directly to Office 365


Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email
migration process, your MX record was pointing to your on-premises email system. Now that the email
migration to Office 365 is complete for all of your users, it's time to point your MX record to Office 365. This
helps ensure that incoming email is delivered to your Office 365 mailboxes. Moving the MX record also lets you
turn off your old email system when you are ready.
For many DNS providers, see Create DNS records at any DNS hosting provider for Office 365. If your DNS
provider isn't included, or you want to get a sense of the general directions, we've provided general MX record
instructions as well.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX
record. Wait at least 72 hours before you proceed to the next task.

Delete the staged migration batch


After you change the MX record and verify that all email is being routed to Office 365 mailboxes, you can delete
the staged migration batches. Verify the following before you delete a migration batch:
All users in the batch are using their Office 365 mailboxes. After the batch is deleted, mail sent to
mailboxes on the on-premises Exchange Server isn't copied to the corresponding Office 365 mailboxes.
Office 365 mailboxes were synchronized at least once after mail began being sent directly to them. To do
this, make sure that the value in the Last Synced Time box for the migration batch is more recent than
when mail started being routed directly to Office 365 mailboxes.
When you delete a staged migration batch, the migration service cleans up any records related to the migration
batch and then deletes the migration batch. The batch is removed from the list of migration batches on the
migration dashboard.
To delete the staged migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then choose Delete.
It might take a few minutes for the batch to get deleted.
3. In the Exchange admin center, go to Recipients > Migration.
4. Verify that the migration batch is no longer listed on the migration dashboard.

Complete post migration tasks


After migrating mailboxes to Office 365, there are post-migration tasks that must be completed.
To complete post-migration tasks
1. Activate Office 365 user accounts for the migrated accounts by assigning licenses: If you don't
assign a license, the mailbox is disabled when the grace period (30 days) ends. To assign a license in the
Office 365 admin center, see Assign licenses to users in Office 365 for business.
2. Create an Autodiscover DNS record so users can easily get to their mailboxes: After all on-
premises mailboxes are migrated to Office 365, you can configure an Autodiscover DNS record for your
Office 365 organization to enable users to easily connect to their new Office 365 mailboxes with Outlook
and mobile clients. This new Autodiscover DNS record has to use the same namespace that you're using
for your Office 365 organization. For example, if your cloud-based namespace is cloud.contoso.com, the
Autodiscover DNS record you need to create is autodiscover.cloud.contoso.com.
Office 365 uses a CNAME record to implement the Autodiscover service for Outlook and mobile clients.
The Autodiscover CNAME record must contain the following information:
Alias: autodiscover
Target: autodiscover.outlook.com
For more information, see Create DNS records for Office 365 when you manage your DNS records.
3. Decommission on-premises Exchange servers: After you've verified that all email is being routed
directly to the Office 365 mailboxes, have completed the migration, and no longer need to maintain your
on-premises email organization, you can uninstall Exchange.
For more information, see the following:
How to Remove an Exchange 2007 Organization
How to Uninstall Exchange Server 2003

NOTE
Decommissioning Exchange can have unintended consequences. Before decommissioning your on-premises
Exchange organization, we recommend that you contact Microsoft Support.
See also
What you need to know about a staged email migration to Office 365
Ways to migrate email to Office 365
Convert Exchange 2007 mailboxes to mail-enabled users
3/29/2019 • 7 minutes to read

After you have completed a staged migration, convert the mailboxes to mail-enabled users so that the mailboxes
can automatically connect to the cloud mailbox.

Why convert mailboxes to mail-enabled users?


If you've completed a staged Exchange migration to migrate your organization's Exchange 2007 on-premises
mailboxes to Office 365 and you want to manage cloud-based users from your on-premises organization—using
Active Directory—you should convert the on-premises mailboxes to mail-enabled users (MEUs). Why? Two things
happen after a mailbox is migrated to the cloud in a staged Exchange migration:
A user has an on-premises mailbox and a cloud mailbox.
Mail sent to the user's on-premises mailbox is forwarded to their cloud mailbox. This happens because
during the migration process, the TargetAddress property on the on-premises mailbox is populated with
the remote routing address of the cloud mailbox. This means that users need to connect to their cloud
mailboxes to access their e-mail.
This behavior results in two issues:
If a person uses Microsoft Outlook to open their mailbox, the Autodiscover service still tries to connect to
the on-premises mailbox, and the user won't be able to connect to their cloud mailbox. If there are users that
haven't been migrated to the cloud, you can't point your Autodiscover CNAME record to the cloud until all
users are migrated.
If an organization decommissions Exchange after all on-premises mailboxes are migrated to the cloud,
messaging-related user information on the cloud mailbox will be lost. The Microsoft Online Services
Directory Synchronization tool (DirSync) removes data (such as proxy addresses) from the cloud mailbox
object because the on-premises mailbox no longer exists and DirSync can't match it to the corresponding
cloud mailbox.
The solution is to convert the on-premises mailbox to a mail-enabled user (MEU) in your on-premises
organization after the user's mailbox has been migrated to the cloud. When you convert an on-premises mailbox
to an MEU:
The proxy addresses from a cloud-based mailbox are copied to the new MEU; if you decommission
Exchange, these proxy addresses are still retained in Active Directory.
The properties of the MEU enable DirSync to match the MEU with its corresponding cloud mailbox.
The Autodiscover service uses the MEU to connect Outlook to the cloud mailbox after the user creates a
new Outlook profile.

PowerShell scripts to create MEUs


You can use the scripts below to collect information about the cloud-based mailboxes, and to convert the Exchange
2007 mailboxes to MEUs.
The following script collects information from your cloud mailboxes and saves it to a CSV file. Run this script first.
Copy the script below and save it as ExportO365UserInfo.ps1.

Param($migrationCSVFileName = "migration.csv")

function O365Logon
{
    #Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
    $session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
    if($session -ne $null)
    {
        $a = Read-Host "An open session to Office 365 already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
        if($a.ToLower() -eq 'y')
        {
            Write-Host "Using existing Office 365 Powershell Session." -ForeGroundColor Green
            return
        }
        $session | Remove-PSSession
    }
    Write-Host "Please enter your Office 365 credentials" -ForeGroundColor Green
    $cred = Get-Credential
    #Basic authentication sends the credentials with the request, so the connection URI must stay https://
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
    #Import the cloud cmdlets with the "Cloud" prefix (for example Get-CloudMailbox) so they don't collide with the on-premises cmdlets
    $importresults = Import-PSSession -Prefix "Cloud" $s
}

function Main
{
    #Verify the migration CSV file exists
    if(!(Test-Path $migrationCSVFileName))
    {
        Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
        Exit
    }

    #Import user list from migration.csv file
    $MigrationCSV = Import-Csv $migrationCSVFileName

    #Get mailbox list based on email addresses from CSV file
    $MailBoxList = $MigrationCSV | %{$_.EmailAddress} | Get-CloudMailbox
    $Users = @()

    #Get LegacyDN, Tenant, and On-Premise Email addresses for the users
    foreach($user in $MailBoxList)
    {
        $UserInfo = New-Object System.Object

        #Secondary (lowercase smtp:) proxy addresses in the onmicrosoft domain
        $CloudEmailAddress = $user.EmailAddresses | ?{($_ -match 'onmicrosoft') -and ($_ -cmatch 'smtp:')}

        #Without this check, ToString() below fails on $null and an empty address is written to cloud.csv
        if ($CloudEmailAddress -eq $null)
        {
            Write-Host "$user has no onmicrosoft smtp address. Skipping." -ForegroundColor Red
            continue
        }

        if ($CloudEmailAddress.Count -gt 1)
        {
            $CloudEmailAddress = $CloudEmailAddress[0].ToString().ToLower().Replace('smtp:', '')
            Write-Host "$user returned more than one cloud email address. Using $CloudEmailAddress" -ForegroundColor Yellow
        }
        else
        {
            $CloudEmailAddress = $CloudEmailAddress.ToString().ToLower().Replace('smtp:', '')
        }

        $UserInfo | Add-Member -Type NoteProperty -Name LegacyExchangeDN -Value $user.LegacyExchangeDN
        $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CloudEmailAddress
        $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $user.PrimarySMTPAddress.ToString()
        $UserInfo | Add-Member -Type NoteProperty -Name MailboxGUID -Value $user.ExchangeGUID
        $Users += $UserInfo
    }

    #Check for existing csv file and overwrite if needed
    if(Test-Path ".\cloud.csv")
    {
        $delete = Read-Host "The file cloud.csv already exists in the current directory. Do you want to delete it? Enter y to delete, anything else to exit this script."
        if($delete.ToString().ToLower() -eq 'y')
        {
            Write-Host "Deleting existing cloud.csv file" -ForeGroundColor Red
            Remove-Item ".\cloud.csv"
        }
        else
        {
            Write-Host "Will NOT delete current cloud.csv file. Exiting script." -ForeGroundColor Green
            Exit
        }
    }

    $Users | Export-CSV -Path ".\cloud.csv" -notype
    #Strip the double quotes that Export-CSV puts around every value
    (Get-Content ".\cloud.csv") | %{$_ -replace '"', ''} | Set-Content ".\cloud.csv" -Encoding Unicode
    Write-Host "CSV File Successfully Exported to cloud.csv" -ForeGroundColor Green
}

O365Logon
Main

The following script converts on-premises Exchange 2007 mailboxes to MEUs. Run this script after you have run
the script to collect information from the cloud mailboxes.
Copy the script below to a .txt file, and then save the file as Exchange2007MBtoMEU.ps1.

param($DomainController = [String]::Empty)

function Main
{
    #Script Logic flow
    #1. Pull User Info from cloud.csv file in the current directory
    #2. Lookup AD Info (DN, mail, proxyAddresses, and legacyExchangeDN) using the SMTP address from the CSV file
    #3. Save existing proxyAddresses
    #4. Add existing legacyExchangeDN's to proxyAddresses
    #5. Delete Mailbox
    #6. Mail-Enable the user using the cloud email address as the targetAddress
    #7. Disable RUS processing
    #8. Add proxyAddresses and mail attribute back to the object
    #9. Add msExchMailboxGUID from cloud.csv to the user object (for offboarding support)

    if($DomainController -eq [String]::Empty)
    {
        Write-Host "You must supply a value for the -DomainController switch" -ForegroundColor Red
        Exit
    }

    $CSVInfo = Import-Csv ".\cloud.csv"

    foreach($User in $CSVInfo)
    {
        Write-Host "Processing user" $User.OnPremiseEmailAddress -ForegroundColor Green
        Write-Host "Calling LookupADInformationFromSMTPAddress" -ForegroundColor Green
        $UserInfo = LookupADInformationFromSMTPAddress($User)

        #Check existing proxies for On-Premise and Cloud Legacy DN's as x500 proxies. If not present add them.
        #$(...) is needed so that the property value, not the whole object, is expanded inside the string.
        $CloudLegacyDNPresent = $false
        $LegacyDNPresent = $false
        foreach($Proxy in $UserInfo.ProxyAddresses)
        {
            if(("x500:$($UserInfo.CloudLegacyDN)") -ieq $Proxy)
            {
                $CloudLegacyDNPresent = $true
            }
            if(("x500:$($UserInfo.LegacyDN)") -ieq $Proxy)
            {
                $LegacyDNPresent = $true
            }
        }
        if(-not $CloudLegacyDNPresent)
        {
            $X500Proxy = "x500:" + $UserInfo.CloudLegacyDN
            Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
            $UserInfo.ProxyAddresses += $X500Proxy
        }
        if(-not $LegacyDNPresent)
        {
            $X500Proxy = "x500:" + $UserInfo.LegacyDN
            Write-Host "Adding $X500Proxy to EmailAddresses" -ForegroundColor Green
            $UserInfo.ProxyAddresses += $X500Proxy
        }

        #Disable Mailbox
        Write-Host "Disabling Mailbox" -ForegroundColor Green
        Disable-Mailbox -Identity $UserInfo.OnPremiseEmailAddress -DomainController $DomainController -Confirm:$false

        #Mail Enable
        Write-Host "Enabling Mailbox" -ForegroundColor Green
        Enable-MailUser -Identity $UserInfo.Identity -ExternalEmailAddress $UserInfo.CloudEmailAddress -DomainController $DomainController

        #Disable RUS
        Write-Host "Disabling RUS" -ForegroundColor Green
        Set-MailUser -Identity $UserInfo.Identity -EmailAddressPolicyEnabled $false -DomainController $DomainController

        #Add Proxies and Mail
        Write-Host "Adding EmailAddresses and WindowsEmailAddress" -ForegroundColor Green
        Set-MailUser -Identity $UserInfo.Identity -EmailAddresses $UserInfo.ProxyAddresses -WindowsEmailAddress $UserInfo.Mail -DomainController $DomainController

        #Set Mailbox GUID. Need to do this via S.DS as Set-MailUser doesn't expose this property.
        $ADPath = "LDAP://" + $DomainController + "/" + $UserInfo.DistinguishedName
        $ADUser = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ADPath
        $MailboxGUID = New-Object -TypeName System.Guid -ArgumentList $UserInfo.MailboxGUID
        [Void]$ADUser.psbase.invokeset('msExchMailboxGUID',$MailboxGUID.ToByteArray())
        Write-Host "Setting Mailbox GUID" $UserInfo.MailboxGUID -ForegroundColor Green
        $ADUser.psbase.CommitChanges()

        Write-Host "Migration Complete for" $UserInfo.OnPremiseEmailAddress -ForegroundColor Green
        Write-Host ""
        Write-Host ""
    }
}

function LookupADInformationFromSMTPAddress($CSV)
{
    $Mailbox = Get-Mailbox $CSV.OnPremiseEmailAddress -ErrorAction SilentlyContinue

    if($Mailbox -eq $null)
    {
        Write-Host "Get-Mailbox failed for" $CSV.OnPremiseEmailAddress -ForegroundColor Red
        #Skips to the next user in the foreach loop of the calling function
        continue
    }

    $UserInfo = New-Object System.Object

    $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $CSV.OnPremiseEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CSV.CloudEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name CloudLegacyDN -Value $CSV.LegacyExchangeDN
    $UserInfo | Add-Member -Type NoteProperty -Name LegacyDN -Value $Mailbox.LegacyExchangeDN

    #Save the existing proxy addresses so they can be written back after the mailbox is disabled
    $ProxyAddresses = @()
    foreach($Address in $Mailbox.EmailAddresses)
    {
        $ProxyAddresses += $Address
    }
    $UserInfo | Add-Member -Type NoteProperty -Name ProxyAddresses -Value $ProxyAddresses
    $UserInfo | Add-Member -Type NoteProperty -Name Mail -Value $Mailbox.WindowsEmailAddress
    $UserInfo | Add-Member -Type NoteProperty -Name MailboxGUID -Value $CSV.MailboxGUID
    $UserInfo | Add-Member -Type NoteProperty -Name Identity -Value $Mailbox.Identity
    $UserInfo | Add-Member -Type NoteProperty -Name DistinguishedName -Value (Get-User $Mailbox.Identity).DistinguishedName

    $UserInfo
}

Main

Setup steps to convert on-premises mailboxes to MEUs


Follow these steps to complete the process.
1. Copy ExportO365UserInfo.ps1, Exchange2007MBtoMEU.ps1, and the CSV file used to run the migration
batch to the same directory on your on-premises server.
2. Rename the migration CSV file to migration.csv.
3. In the Exchange Management Shell, run the following command. The script assumes that the CSV file is in
the same directory and is named migration.csv.

.\ExportO365UserInfo.ps1

You will be prompted to use the existing session or open a new session.

4. Type n and press Enter to open a new session.


The script runs and then saves the Cloud.csv file to the current working directory.
5. Enter the administrator credentials for your cloud-based organization and then click OK.
6. Run the following command in a new Exchange Management Shell session. This command assumes that
ExportO365UserInfo.ps1 and Cloud.csv are located in the same directory.

.\Exchange2007MBtoMEU.ps1 <FQDN of on-premises domain controller>

For example:

.\Exchange2007MBtoMEU.ps1 DC1.contoso.com

The script converts on-premises mailboxes to MEUs for all users included in the Cloud.csv.

7. Verify that the new MEUs have been created. In Active Directory Users and Computers, do the following:
8. Click Action > Find
9. Click the Exchange tab
10. Select Show only Exchange recipients, and then select Users with external email address.
11. Click Find Now.
The mailboxes that were converted to MEUs are listed under Search results.
12. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that the following MEU
properties are populated with the correct information.
- legacyExchangeDN
- mail
- msExchMailboxGuid
- proxyAddresses
- targetAddress
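One way to check cloud.csv before running the conversion, as an added example that is not part of the Microsoft scripts: Exchange2007MBtoMEU.ps1 disables each mailbox before it mail-enables the user, so a row with a missing cloud address, shifted columns or a malformed GUID is better caught before the first mailbox is touched. The function name, the -CloudCsvPath parameter and all sample rows are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: validate cloud.csv before the conversion script runs.
# Column names are the ones ExportO365UserInfo.ps1 writes; every sample value is constructed.
param($CloudCsvPath = "")

function Get-CloudCsvProblems([string[]]$Lines)
{
    $problems = @()
    $header = $Lines[0].Split(',')
    foreach ($name in 'LegacyExchangeDN', 'CloudEmailAddress', 'OnPremiseEmailAddress')
    {
        if ($header -notcontains $name) { $problems += "Header: column $name is missing" }
    }
    if ($problems.Count -gt 0) { return $problems }

    $seen = @{}
    for ($i = 1; $i -lt $Lines.Count; $i++)
    {
        $lineNo = $i + 1
        if ($Lines[$i].Trim() -eq '') { continue }

        # The export strips every double quote, so a comma inside a value shifts all later columns.
        $fields = $Lines[$i].Split(',')
        if ($fields.Count -ne $header.Count)
        {
            $problems += "Line ${lineNo}: $($fields.Count) fields, expected $($header.Count)"
            continue
        }
        $row = @{}
        for ($c = 0; $c -lt $header.Count; $c++) { $row[$header[$c]] = $fields[$c].Trim() }

        $onPrem = $row['OnPremiseEmailAddress']
        $cloud = $row['CloudEmailAddress']
        if ($onPrem -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')
        {
            $problems += "Line ${lineNo}: OnPremiseEmailAddress '$onPrem' is not an SMTP address"
        }
        # The export selects the cloud address by matching 'onmicrosoft'; an empty value means none was found.
        if ($cloud -notmatch '^[^@\s]+@[^@\s]*onmicrosoft\.[^@\s]+$')
        {
            $problems += "Line ${lineNo}: CloudEmailAddress '$cloud' is empty or not an onmicrosoft address"
        }
        if ($row['LegacyExchangeDN'] -notmatch '^/o=')
        {
            $problems += "Line ${lineNo}: LegacyExchangeDN does not start with /o="
        }
        if ($header -contains 'MailboxGUID')
        {
            try
            {
                $guid = New-Object System.Guid -ArgumentList $row['MailboxGUID']
                if ($guid -eq [Guid]::Empty) { $problems += "Line ${lineNo}: MailboxGUID is all zeros" }
            }
            catch
            {
                $problems += "Line ${lineNo}: MailboxGUID '$($row['MailboxGUID'])' is not a GUID"
            }
        }

        # Two rows for one mailbox would make the second pass operate on an already converted user.
        $key = $onPrem.ToLower()
        if ($seen.ContainsKey($key))
        {
            $problems += "Line ${lineNo}: OnPremiseEmailAddress repeats line $($seen[$key])"
        }
        else
        {
            $seen[$key] = $lineNo
        }
    }
    return $problems
}

# Constructed sample: one clean row, one empty cloud address, one comma inside the DN,
# and one row with a bad GUID that also repeats an earlier on-premises address.
$sampleCsv = @'
LegacyExchangeDN,CloudEmailAddress,OnPremiseEmailAddress,MailboxGUID
/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=annb,annb@contoso.onmicrosoft.com,annb@contoso.com,0f8fad5b-d9cb-469f-a165-70867728950e
/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=bobk,,bobk@contoso.com,7c9e6679-7425-40de-944b-e07fc1f90ae7
/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=Kelly, Bob,bkelly@contoso.onmicrosoft.com,bkelly@contoso.com,3f2504e0-4f89-41d3-9a0c-0305e82c3301
/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=annb2,annb2@contoso.onmicrosoft.com,annb@contoso.com,not-a-guid
'@

if ($CloudCsvPath -ne "") { $lines = @(Get-Content $CloudCsvPath) }
else { $lines = $sampleCsv -split "`r?`n" }

$found = @(Get-CloudCsvProblems $lines)
if ($found.Count -eq 0)
{
    Write-Host "cloud.csv passed all checks" -ForegroundColor Green
}
else
{
    $found | %{ Write-Host $_ -ForegroundColor Red }
    Write-Host "Correct cloud.csv before running the conversion script." -ForegroundColor Red
}
```

Run it without arguments to see the checks fire on the constructed rows, or pass -CloudCsvPath .\cloud.csv to check the real export.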
Convert Exchange 2003 mailboxes to mail-enabled users
3/29/2019 • 13 minutes to read

After you have completed a staged migration, convert the mailboxes to mail-enabled users so that the mailboxes
can automatically connect to the cloud mailbox.

Why convert mailboxes to mail-enabled users?


If you've completed a staged Exchange migration to migrate your organization's Exchange 2003 on-premises
mailboxes to Office 365 and you want to manage cloud-based users from your on-premises organization—using
Active Directory—you should convert the on-premises mailboxes to mail-enabled users (MEUs).
This article includes a Windows PowerShell script that collects information from the cloud-based mailboxes and a
Visual Basic (VB) script that you can run to convert Exchange 2003 mailboxes to MEUs. When you run this script,
the proxy addresses from the cloud-based mailbox are copied to the MEU, which resides in Active Directory. Also,
the properties of the MEU enable the Microsoft Online Services Directory Synchronization tool (DirSync) to match
the MEU with its corresponding cloud mailbox.
It's recommended that you convert on-premises mailboxes to MEUs for a migration batch. After a staged
Exchange migration batch is finished and you have verified that all mailboxes in the batch are successfully
migrated and the initial synchronization of mailbox items to the cloud is complete, convert the mailboxes in the
migration batch to MEUs.

PowerShell script to collect data from cloud mailboxes


You can use the scripts below to collect information about the cloud-based mailboxes, and to convert the Exchange
2007 mailboxes to MEUs.
The following script collects information from your cloud mailboxes and saves it to a CSV file. Run this script first.
Copy the script below to a .txt file, and then save the file as ExportO365UserInfo.ps1.

Param($migrationCSVFileName = "migration.csv")

function O365Logon
{
    #Check for current open O365 sessions and allow the admin to either use the existing session or create a new one
    $session = Get-PSSession | ?{$_.ConfigurationName -eq 'Microsoft.Exchange'}
    if($session -ne $null)
    {
        $a = Read-Host "An open session to Office 365 already exists. Do you want to use this session? Enter y to use the open session, anything else to close and open a fresh session."
        if($a.ToLower() -eq 'y')
        {
            Write-Host "Using existing Office 365 Powershell Session." -ForeGroundColor Green
            return
        }
        $session | Remove-PSSession
    }
    Write-Host "Please enter your Office 365 credentials" -ForeGroundColor Green
    $cred = Get-Credential
    #Basic authentication sends the credentials with the request, so the connection URI must stay https://
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
    $importresults = Import-PSSession $s
}

function Main
{
    #Verify the migration CSV file exists
    if(!(Test-Path $migrationCSVFileName))
    {
        Write-Host "File $migrationCSVFileName does not exist." -ForegroundColor Red
        Exit
    }

    #Import user list from migration.csv file
    $MigrationCSV = Import-Csv $migrationCSVFileName

    #Get mailbox list based on email addresses from CSV file
    $MailBoxList = $MigrationCSV | %{$_.EmailAddress} | Get-Mailbox
    $Users = @()

    #Get LegacyDN, Tenant, and On-Premise Email addresses for the users
    foreach($user in $MailBoxList)
    {
        $UserInfo = New-Object System.Object

        #Secondary (lowercase smtp:) proxy addresses in the onmicrosoft domain
        $CloudEmailAddress = $user.EmailAddresses | ?{($_ -match 'onmicrosoft') -and ($_ -cmatch 'smtp:')}

        #Without this check, ToString() below fails on $null and an empty address is written to cloud.csv
        if ($CloudEmailAddress -eq $null)
        {
            Write-Host "$user has no onmicrosoft smtp address. Skipping." -ForegroundColor Red
            continue
        }

        if ($CloudEmailAddress.Count -gt 1)
        {
            $CloudEmailAddress = $CloudEmailAddress[0].ToString().ToLower().Replace('smtp:', '')
            Write-Host "$user returned more than one cloud email address. Using $CloudEmailAddress" -ForegroundColor Yellow
        }
        else
        {
            $CloudEmailAddress = $CloudEmailAddress.ToString().ToLower().Replace('smtp:', '')
        }

        $UserInfo | Add-Member -Type NoteProperty -Name LegacyExchangeDN -Value $user.LegacyExchangeDN
        $UserInfo | Add-Member -Type NoteProperty -Name CloudEmailAddress -Value $CloudEmailAddress
        $UserInfo | Add-Member -Type NoteProperty -Name OnPremiseEmailAddress -Value $user.PrimarySMTPAddress.ToString()
        $Users += $UserInfo
    }

    #Check for existing csv file and overwrite if needed
    if(Test-Path ".\cloud.csv")
    {
        $delete = Read-Host "The file cloud.csv already exists in the current directory. Do you want to delete it? Enter y to delete, anything else to exit this script."
        if($delete.ToString().ToLower() -eq 'y')
        {
            Write-Host "Deleting existing cloud.csv file" -ForeGroundColor Red
            Remove-Item ".\cloud.csv"
        }
        else
        {
            Write-Host "Will NOT delete current cloud.csv file. Exiting script." -ForeGroundColor Green
            Exit
        }
    }

    $Users | Export-CSV -Path ".\cloud.csv" -notype
    #Strip the double quotes: the VB script splits each line on commas and does not handle quoted values
    (Get-Content ".\cloud.csv") | %{$_ -replace '"', ''} | Set-Content ".\cloud.csv" -Encoding Unicode
    Write-Host "CSV File Successfully Exported to cloud.csv" -ForeGroundColor Green
}

O365Logon
Main

The following Visual Basic script converts on-premises Exchange 2003 mailboxes to MEUs. Run this script after
you have run the script to collect information from the cloud mailboxes.
Copy the script below to a .txt file and then save the file as Exchange2003MBtoMEU.vbs.

'Globals/Constants
Const ADS_PROPERTY_APPEND = 3
Dim UserDN
Dim remoteSMTPAddress
Dim remoteLegacyDN
Dim domainController
Dim csvMode
csvMode = FALSE
Dim csvFileName
Dim lastADLookupFailed

'Holds everything known about one user while it is converted
Class UserInfo
    public OnPremiseEmailAddress
    public CloudEmailAddress
    public CloudLegacyDN
    public LegacyDN
    public ProxyAddresses
    public Mail
    public MailboxGUID
    public DistinguishedName
    Public Sub Class_Initialize()
        Set ProxyAddresses = CreateObject("Scripting.Dictionary")
    End Sub
End Class

'Command Line Parameters
If WScript.Arguments.Count = 0 Then
    'No parameters passed
    WScript.Echo("No parameters were passed.")
    ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 And WScript.Arguments.Count = 2 Then
    WScript.Echo("Missing DC Name.")
    ShowHelp()
ElseIf StrComp(WScript.Arguments(0), "-c", vbTextCompare) = 0 Then
    'CSV Mode
    csvFileName = WScript.Arguments(1)
    domainController = WScript.Arguments(2)
    csvMode = TRUE
    WScript.Echo("CSV mode detected. Filename: " & WScript.Arguments(1) & vbCrLf)
ElseIf wscript.Arguments.Count <> 4 Then
    'Invalid Arguments
    WScript.Echo WScript.Arguments.Count
    Call ShowHelp()
Else
    'Manual Mode
    UserDN = wscript.Arguments(0)
    remoteSMTPAddress = wscript.Arguments(1)
    remoteLegacyDN = wscript.Arguments(2)
    domainController = wscript.Arguments(3)
End If

Main()

'Main entry point
Sub Main
    'Check for CSV Mode
    If csvMode = TRUE Then
        UserInfoArray = GetUserInfoFromCSVFile()
    Else
        WScript.Echo "Manual Mode Detected" & vbCrLf
        Set info = New UserInfo
        info.CloudEmailAddress = remoteSMTPAddress
        info.DistinguishedName = UserDN
        info.CloudLegacyDN = remoteLegacyDN
        ProcessSingleUser(info)
    End If
End Sub
'Process a single user (manual mode)
Sub ProcessSingleUser(ByRef UserInfo)
    userADSIPath = "LDAP://" & domainController & "/" & UserInfo.DistinguishedName
    WScript.Echo "Processing user " & userADSIPath
    Set MyUser = GetObject(userADSIPath)
    'Save the existing proxy addresses, keyed 1..n
    proxyCounter = 1
    For Each address in MyUser.Get("proxyAddresses")
        UserInfo.ProxyAddresses.Add proxyCounter, address
        proxyCounter = proxyCounter + 1
    Next
    UserInfo.OnPremiseEmailAddress = GetPrimarySMTPAddress(UserInfo.ProxyAddresses)
    UserInfo.Mail = MyUser.Get("mail")
    UserInfo.MailboxGUID = MyUser.Get("msExchMailboxGUID")
    UserInfo.LegacyDN = MyUser.Get("legacyExchangeDN")
    ProcessMailbox(UserInfo)
End Sub

'Populate user info from CSV data
Function GetUserInfoFromCSVFile()
    CSVInfo = ReadCSVFile()
    'CSVInfo(0) is the header line, so the data starts at index 1
    For i = 0 To (UBound(CSVInfo)-1)
        lastADLookupFailed = false
        Set info = New UserInfo
        info.CloudLegacyDN = Split(CSVInfo(i+1), ",")(0)
        info.CloudEmailAddress = Split(CSVInfo(i+1), ",")(1)
        info.OnPremiseEmailAddress = Split(CSVInfo(i+1), ",")(2)
        WScript.Echo "Processing user " & info.OnPremiseEmailAddress
        WScript.Echo "Calling LookupADInformationFromSMTPAddress"
        LookupADInformationFromSMTPAddress(info)
        If lastADLookupFailed = false Then
            WScript.Echo "Calling ProcessMailbox"
            ProcessMailbox(info)
        End If
        set info = nothing
    Next
End Function
'Populate user info from AD
Sub LookupADInformationFromSMTPAddress(ByRef info)
    'Lookup the rest of the info in AD using the SMTP address
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDomain = objRootDSE.Get("DefaultNamingContext")
    Set objRootDSE = nothing
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand = CreateObject("ADODB.Command")
    BaseDN = "<LDAP://" & domainController & "/" & strDomain & ">"
    'The address from the CSV file is placed in the filter as-is, without LDAP escaping
    adFilter = "(&(proxyAddresses=SMTP:" & info.OnPremiseEmailAddress & "))"
    Attributes = "distinguishedName,msExchMailboxGUID,mail,proxyAddresses,legacyExchangeDN"
    Query = BaseDN & ";" & adFilter & ";" & Attributes & ";subtree"
    objCommand.CommandText = Query
    Set objCommand.ActiveConnection = objConnection
    On Error Resume Next
    Set objRecordSet = objCommand.Execute
    'Handle any errors that result from the query
    If Err.Number <> 0 Then
        WScript.Echo "Error encountered on query " & Query & ". Skipping user."
        lastADLookupFailed = true
        Exit Sub
    End If
    'Handle zero or ambiguous search results
    If objRecordSet.RecordCount = 0 Then
        WScript.Echo "No users found for address " & info.OnPremiseEmailAddress
        lastADLookupFailed = true
        Exit Sub
    ElseIf objRecordSet.RecordCount > 1 Then
        WScript.Echo "Ambiguous search results for email address " & info.OnPremiseEmailAddress
        lastADLookupFailed = true
        Exit Sub
    ElseIf Not objRecordSet.EOF Then
        info.LegacyDN = objRecordSet.Fields("legacyExchangeDN").Value
        info.Mail = objRecordSet.Fields("mail").Value
        info.MailboxGUID = objRecordSet.Fields("msExchMailboxGUID").Value
        proxyCounter = 1
        For Each address in objRecordSet.Fields("proxyAddresses").Value
            info.ProxyAddresses.Add proxyCounter, address
            proxyCounter = proxyCounter + 1
        Next
        info.DistinguishedName = objRecordSet.Fields("distinguishedName").Value
        objRecordSet.MoveNext
    End If
    'Release the ADO objects
    Set objConnection = nothing
    Set objCommand = nothing
    Set objRecordSet = nothing
    On Error Goto 0
End Sub

'Populate data from the CSV file
Function ReadCSVFile()
    'Open file (1 = ForReading, false = don't create, -1 = Unicode)
    Set objFS = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFS.OpenTextFile(csvFileName, 1, false, -1)
    'Loop through each line, putting each line of the CSV file into an array to be returned to the caller
    counter = 0
    Dim CSVArray()
    Do While NOT objTextFile.AtEndOfStream
        ReDim Preserve CSVArray(counter)
        CSVArray(counter) = objTextFile.ReadLine
        counter = counter + 1
    Loop
    'Close and return
    objTextFile.Close
    Set objTextFile = nothing
    Set objFS = nothing
    ReadCSVFile = CSVArray
End Function
'Process the migration
Sub ProcessMailbox(User)
    'Get user properties
    userADSIPath = "LDAP://" & domainController & "/" & User.DistinguishedName
    Set MyUser = GetObject(userADSIPath)
    'Add x.500 address to list of existing proxies
    existingLegDnFound = FALSE
    newLegDnFound = FALSE
    'Loop through each address in User.ProxyAddresses
    For i = 1 To User.ProxyAddresses.Count
        address = User.ProxyAddresses(i)
        If StrComp(address, "x500:" & User.LegacyDN, vbTextCompare) = 0 Then
            WScript.Echo "x500 proxy " & User.LegacyDN & " already exists"
            existingLegDNFound = true
        End If
        If StrComp(address, "x500:" & User.CloudLegacyDN, vbTextCompare) = 0 Then
            WScript.Echo "x500 proxy " & User.CloudLegacyDN & " already exists"
            newLegDnFound = true
        End If
    Next
    'Add existing leg DN to proxy list
    If existingLegDnFound = FALSE Then
        WScript.Echo "Adding existing legacy DN " & User.LegacyDN & " to proxy addresses"
        User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.LegacyDN)
    End If
    'Add new leg DN to proxy list
    If newLegDnFound = FALSE Then
        'Add new leg DN to proxy addresses
        WScript.Echo "Adding new legacy DN " & User.CloudLegacyDN & " to existing proxy addresses"
        User.ProxyAddresses.Add (User.ProxyAddresses.Count+1),("x500:" & User.CloudLegacyDN)
    End If
    'Dump out new list of addresses
    WScript.Echo "Original proxy addresses updated count: " & User.ProxyAddresses.Count
    For i = 1 to User.ProxyAddresses.Count
        WScript.Echo " proxyAddress " & i & ": " & User.ProxyAddresses(i)
    Next
    'Delete the Mailbox
    WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailboxStore object"
    Set Mailbox = MyUser
    Wscript.Echo "Deleting Mailbox"
    On Error Resume Next
    Mailbox.DeleteMailbox
    'Handle any errors deleting the mailbox
    If Err.Number <> 0 Then
        WScript.Echo "Error " & Err.number & ". Skipping User." & vbCrLf & "Description: " & Err.Description & vbCrLf
        Exit Sub
    End If
    On Error Goto 0
    'Save and continue
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Refreshing ADSI Cache"
    MyUser.GetInfo
    Set Mailbox = nothing
    'Mail Enable the User
    WScript.Echo "Opening " & userADSIPath & " as CDOEXM::IMailRecipient"
    Set MailUser = MyUser
    WScript.Echo "Mail Enabling user using targetAddress " & User.CloudEmailAddress
    MailUser.MailEnable User.CloudEmailAddress
    WScript.Echo "Disabling Recipient Update Service for user"
    MyUser.PutEx ADS_PROPERTY_APPEND, "msExchPoliciesExcluded", Array("{26491CFC-9E50-4857-861B-0CB8DF22B5D7}")
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Refreshing ADSI Cache"
    MyUser.GetInfo
    'Add Legacy DN back on to the user
    WScript.Echo "Writing legacyExchangeDN as " & User.LegacyDN
    MyUser.Put "legacyExchangeDN", User.LegacyDN
    'Add old proxies list back on to the MEU
    WScript.Echo "Writing proxyAddresses back to the user"
    For j=1 To User.ProxyAddresses.Count
        MyUser.PutEx ADS_PROPERTY_APPEND, "proxyAddresses", Array(User.ProxyAddresses(j))
        MyUser.SetInfo
        MyUser.GetInfo
    Next
    'Add mail attribute back on to the MEU
    WScript.Echo "Writing mail attribute as " & User.Mail
    MyUser.Put "mail", User.Mail
    'Add msExchMailboxGUID back on to the MEU
    WScript.Echo "Converting mailbox GUID to writable format"
    Dim mbxGUIDByteArray
    Call ConvertHexStringToByteArray(OctetToHexString(User.MailboxGUID), mbxGUIDByteArray)
    WScript.Echo "Writing property msExchMailboxGUID to user object with value " & OctetToHexString(User.MailboxGUID)
    MyUser.Put "msExchMailboxGUID", mbxGUIDByteArray
    WScript.Echo "Saving Changes"
    MyUser.SetInfo
    WScript.Echo "Migration Complete!" & vbCrLf
End Sub
'Returns the primary SMTP address of a user
Function GetPrimarySMTPAddress(Addresses)
    'Iterate the dictionary's values; For Each over the dictionary itself yields its keys
    For Each address in Addresses.Items
        If Left(address, 4) = "SMTP" Then GetPrimarySMTPAddress = address
    Next
End Function

'Converts Hex string to byte array for writing to AD
Sub ConvertHexStringToByteArray(ByVal strHexString, ByRef pByteArray)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set Stream = CreateObject("ADODB.Stream")
    'Write the bytes to a temporary file, then read them back as a binary stream
    Temp = FSO.GetTempName()
    Set TS = FSO.CreateTextFile(Temp)
    For i = 1 To (Len (strHexString) -1) Step 2
        TS.Write Chr("&h" & Mid (strHexString, i, 2))
    Next
    TS.Close
    Stream.Type = 1
    Stream.Open
    Stream.LoadFromFile Temp
    pByteArray = Stream.Read
    Stream.Close
    FSO.DeleteFile Temp
    Set Stream = nothing
    Set FSO = Nothing
End Sub

'Converts raw bytes from AD GUID to readable string
Function OctetToHexString (arrbytOctet)
    OctetToHexString = ""
    For k = 1 To Lenb (arrbytOctet)
        OctetToHexString = OctetToHexString & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function

Sub ShowHelp()
    WScript.Echo("This script runs in two modes, CSV Mode and Manual Mode." & vbCrLf & _
        "CSV Mode allows you to specify a CSV file from which to pull usernames." & vbCrLf & _
        "Manual mode allows you to run the script against a single user.")
    WSCript.Echo("Both modes require you to specify the name of a DC to use in the local domain." & vbCrLf & _
        "To run the script in CSV Mode, use the following syntax:")
    WScript.Echo(" cscript Exchange2003MBtoMEU.vbs -c x:\csv\csvfilename.csv dc.domain.com")
    WScript.Echo("To run the script in Manual Mode, you must specify the users AD Distinguished Name, Remote SMTP Address, Remote Legacy Exchange DN, and Domain Controller Name.")
    WSCript.Echo(" cscript Exchange2003MBtoMEU.vbs " & chr(34) & _
        "CN=UserName,CN=Users,DC=domain,DC=com" & chr(34) & " " & chr(34) & "user@cloudaddress.com" & _
        chr(34) & " " & chr(34) & "/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=CloudUser" & _
        chr(34) & " dc.domain.com")
    WScript.Quit
End Sub

What do the scripts do?


ExportO365UserInfo.ps1
This is a Windows PowerShell script that you run in your cloud-based organization to collect information about the
cloud mailboxes that you migrated during the staged Exchange migration. It uses a CSV file to scope the batch of
users. It's recommended that you use the same migration CSV file that you used to migrate a batch of users.
When you run the ExportO365UserInfo script:
- The following properties are collected from the cloud mailboxes for the users listed in the input CSV file:
  - Primary SMTP address
  - Primary SMTP address of the corresponding on-premises mailbox
  - Other proxy addresses for the cloud mailbox
  - LegacyExchangeDN
- The collected properties are saved to a CSV file named Cloud.csv.
Exchange2003MBtoMEU.vbs
This is a VB script that you run in your on-premises Exchange 2003 organization to convert mailboxes to MEUs. It
uses the Cloud.csv file, which is output by the ExportO365UserInfo script.
When you run the Exchange2003MBtoMEU.vbs script, it does the following for each mailbox listed in the input CSV
file:
- Collects information from the input CSV file and from the on-premises mailbox.
- Creates a list of proxy addresses from the on-premises and cloud mailbox to add to the MEU.
- Deletes the on-premises mailbox.
- Creates a MEU and populates the following properties:
  - legacyExchangeDN: Value from the on-premises mailbox.
  - mail: The primary SMTP of the cloud mailbox.
  - msExchMailboxGuid: Value from the on-premises mailbox.
  - proxyAddresses: Values from both the on-premises mailbox and the cloud mailbox.
  - targetAddress: Read from the on-premises mailbox; the value is the primary SMTP of the cloud
    mailbox.

IMPORTANT
To enable off-boarding from Office 365 to Exchange 2003, you have to replace the value of
msExchMailboxGuid on the MEU with the Guid from the cloud-based mailbox. To obtain the Guids for the
mailboxes in your cloud organization and save them to a CSV file, run the following PowerShell command:

Get-Mailbox | Select PrimarySmtpAddress, Guid | Export-csv -Path .\guid.csv

This command extracts the primary SMTP address and Guid for all cloud mailboxes into the guid.csv
file, and then saves this file to the current directory.
Instead of using the input CSV file to convert a batch of mailboxes, you can run the Exchange2003MBtoMEU.vbs
script in manual mode to convert one mailbox at a time. To do this, you will need to provide the following input
parameters:
- The distinguished name (DN) of the on-premises mailbox.
- The primary SMTP address of the cloud mailbox.
- The Exchange Legacy DN for the cloud mailbox.
- A domain controller name in your Exchange 2003 organization.

Steps to convert on-premises mailboxes to MEUs


1. Run the ExportO365UserInfo script in your cloud organization. Use the CSV file for the migration batch as the
input file. The script creates a CSV file named Cloud.csv.

.\ExportO365UserInfo.ps1 <CSV input file>

For example:

.\ExportO365UserInfo.ps1 .\MigrationBatch1.csv

This example assumes that the script and input CSV file are located in the same directory.
2. Copy Exchange2003MBtoMEU.vbs and Cloud.csv to the same directory in your on-premises organization.
3. In your on-premises organization, run the following command:

cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv <FQDN of on-premises domain controller>

For example:
cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv DC1.contoso.com

To run the script in manual mode, enter the following command. Use spaces between each value.

cscript Exchange2003MBtoMEU.vbs "<DN of on-premises mailbox>" "<Primary SMTP of cloud mailbox>" "<ExchangeLegacyDN of cloud mailbox>" <FQDN of on-premises domain controller>

For example:

cscript Exchange2003MBtoMEU.vbs "CN=Ann Beebe,CN=Users,DC=contoso,DC=com" "annb@contoso.onmicrosoft.com" "/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d808d014cec5411ea6de1f70cc116e7b-annb" DC1.contoso.com

4. Verify that the new MEUs have been created. In Active Directory Users and Computers, do the following:
   a. Click Action > Find.
   b. Click the Exchange tab.
   c. Select Show only Exchange recipients, and then select Users with external email address.
   d. Click Find Now.

   The mailboxes that were converted to MEUs are listed under Search results.

5. Use Active Directory Users and Computers, ADSI Edit, or Ldp.exe to verify that the following MEU properties
   are populated with the correct information.
   - legacyExchangeDN
   - mail
   - msExchMailboxGuid*
   - proxyAddresses
   - targetAddress

   * As previously explained, the Exchange2003MBtoMEU.vbs script retains the msExchMailboxGuid value
   from the on-premises mailbox. To enable off-boarding from Office 365 to Exchange 2003, you have to
   replace the value for the msExchMailboxGuid property on the MEU with the Guid from the cloud-based
   mailbox.
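The verification step that closes both the Exchange 2007 and the Exchange 2003 procedures can be scripted instead of clicked through. The following is an added example, not part of the Microsoft scripts: it reads each converted object from the domain controller and compares the five MEU properties with the matching cloud.csv row. The function names, parameters and sample values are constructed; the GUID comparison runs only when the row has a MailboxGUID column, as the Exchange 2007 export does, and the homeMDB check assumes a converted object no longer carries that mailbox attribute.

```powershell
# Added example: compare converted MEUs with cloud.csv. All sample values are constructed.
param($DomainController = "", $CloudCsvPath = ".\cloud.csv")

$MeuAttributeNames = 'legacyexchangedn', 'mail', 'msexchmailboxguid', 'proxyaddresses', 'targetaddress'

# Escape a value for an LDAP search filter (RFC 4515). The backslash is replaced first.
function ConvertTo-LdapFilterValue([string]$Value)
{
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Return the attributes of the single object that owns the SMTP address, or $null if zero or several match.
function Get-MeuAttributes($DomainController, $SmtpAddress)
{
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DomainController"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = "(proxyAddresses=SMTP:" + (ConvertTo-LdapFilterValue $SmtpAddress) + ")"
    foreach ($name in $MeuAttributeNames + 'homemdb') { [void]$searcher.PropertiesToLoad.Add($name) }
    $results = $searcher.FindAll()
    try
    {
        if ($results.Count -ne 1) { return $null }
        $attrs = @{}
        foreach ($name in $results[0].Properties.PropertyNames)
        {
            $attrs[$name] = @($results[0].Properties[$name])
        }
        return $attrs
    }
    finally { $results.Dispose() }
}

# Compare one cloud.csv row with the attributes read from the directory; returns a list of findings.
function Test-MeuAttributes($Row, $Attrs)
{
    $findings = @()
    foreach ($name in $MeuAttributeNames)
    {
        if (-not $Attrs.ContainsKey($name)) { $findings += "$name is not populated" }
    }
    if ($Attrs.ContainsKey('homemdb')) { $findings += "homeMDB is still set, so the object is still mailbox-enabled" }
    if ($findings.Count -gt 0) { return $findings }

    # targetAddress must route to the cloud mailbox recorded in cloud.csv
    $target = ([string]$Attrs['targetaddress'][0]) -replace '^smtp:', ''
    if ($target -ne $Row.CloudEmailAddress)
    {
        $findings += "targetAddress is $target, expected $($Row.CloudEmailAddress)"
    }
    # The cloud LegacyExchangeDN must be present as an x500 proxy
    $cloudX500 = "x500:" + $Row.LegacyExchangeDN
    if (@($Attrs['proxyaddresses'] | ?{ $_ -eq $cloudX500 }).Count -eq 0)
    {
        $findings += "proxyAddresses lacks $cloudX500"
    }
    # Only rows that carry a MailboxGUID column can be compared
    if ($Row.MailboxGUID)
    {
        $actual = New-Object System.Guid -ArgumentList (,[byte[]]$Attrs['msexchmailboxguid'][0])
        if ($actual -ne [Guid]$Row.MailboxGUID)
        {
            $findings += "msExchMailboxGuid is $actual, cloud.csv has $($Row.MailboxGUID)"
        }
    }
    return $findings
}

if ($DomainController -eq "")
{
    # Offline run on constructed data: the on-premises GUID was kept and the cloud x500 proxy is absent.
    $row = @('LegacyExchangeDN,CloudEmailAddress,OnPremiseEmailAddress,MailboxGUID',
             '/o=Cloud Org/ou=Cloud Site/ou=Recipients/cn=annb,annb@contoso.onmicrosoft.com,annb@contoso.com,0f8fad5b-d9cb-469f-a165-70867728950e') | ConvertFrom-Csv
    $onPremGuidBytes = ([Guid]'7c9e6679-7425-40de-944b-e07fc1f90ae7').ToByteArray()
    $attrs = @{
        'legacyexchangedn'  = @('/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=annb')
        'mail'              = @('annb@contoso.com')
        'msexchmailboxguid' = @(,$onPremGuidBytes)
        'proxyaddresses'    = @('SMTP:annb@contoso.com')
        'targetaddress'     = @('SMTP:annb@contoso.onmicrosoft.com')
    }
    Test-MeuAttributes $row $attrs | %{ Write-Host $_ -ForegroundColor Yellow }
}
else
{
    foreach ($row in (Import-Csv $CloudCsvPath))
    {
        $attrs = Get-MeuAttributes $DomainController $row.OnPremiseEmailAddress
        if ($attrs -eq $null)
        {
            Write-Host "$($row.OnPremiseEmailAddress): no unique directory match" -ForegroundColor Red
            continue
        }
        $findings = @(Test-MeuAttributes $row $attrs)
        if ($findings.Count -eq 0) { Write-Host "$($row.OnPremiseEmailAddress): OK" -ForegroundColor Green }
        else { $findings | %{ Write-Host "$($row.OnPremiseEmailAddress): $_" -ForegroundColor Yellow } }
    }
}
```

Without arguments the script evaluates the constructed sample only; pass -DomainController with the FQDN of an on-premises domain controller to check the real directory against cloud.csv.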
What you need to know about migrating your IMAP mailboxes to Office 365
3/29/2019 • 5 minutes to read

You can migrate the contents of user mailboxes from your source email system to Office 365. Use the Internet
Message Access Protocol (IMAP) to migrate email when:
- Your source email system supports IMAP.
If this option won't work for you, see Ways to migrate email to Office 365 for other options.
For Windows PowerShell steps, see Use PowerShell to perform an IMAP migration to Office 365.

Things to consider
Here are a few limitations to be aware of:
You can only migrate items in a user's inbox or other mail folders. This type of migration doesn't migrate
contacts, calendar items, or tasks.
You can migrate a maximum of 500,000 items from a user's mailbox (emails are migrated from newest to
oldest).
The biggest email you can migrate is 35 MB.
If you limited the connections to your source email system, it's a good idea to increase them to improve
migration performance. Common connection limits include client/server total connections, per-user
connections, and IP address connections on either the server or the firewall.

Impact of migration to users


To migrate email, you need access to the user mailboxes in your source email system. If you know the user
passwords or can access their mailboxes by using administrator credentials, there won't be any impact to users
until you shut down your source email system.
If you can't access user mailboxes, you'll have to reset the passwords. This lets you access the user mailboxes by
using a new password that you know. If users don't know the new passwords, they won't be able to get to their
old mailboxes during or after the email migration. You can distribute the new passwords after the migration if
you want users to get to their old mailboxes.

How does IMAP migration work?


The main steps you perform for an IMAP email migration are shown in the following illustration.
These general steps apply whether you are migrating from Gmail or another IMAP system.
1. First you have to create your users in Office 365 and assign licenses to them. The mailboxes have to exist
in Office 365 to use IMAP migration.
2. Prepare your IMAP source email system and get the information you need to migrate. If you plan to
migrate your domain to Office 365, verify that you own your domain with your domain registrar.
Depending on which type of email service you are migrating from, you might need to configure some
settings or simply record the name of your email server or service to use later. You also need to verify your
domain in your domain registry system if you have a custom domain.
3. Communicate changes to users.
It's a good idea to let users know about the email migration and how it impacts them. Give users
information about what tasks need to be done before, during, and after migration.
4. Set up admin credentials or get or reset user email passwords.
To perform the migration, you need an administrator account that has permissions, or the username and
password to each mailbox.
5. If you are using the steps described in Migrate Google Apps mailboxes to Office 365 or Migrate other
types of IMAP mailboxes to Office 365, you will create a list of mailboxes to migrate (CSV file). These
migration instructions start from the Exchange admin center, and you will need to create a CSV file that
lists the email addresses, usernames, and passwords for the mailboxes you want to migrate.
You can also use the migrations page or setup instructions in the Admin center preview to migrate from
IMAP systems such as Gmail, Hotmail.com or Outlook.com. These steps are the best if you plan to migrate
mail for only a few users (fewer than 50). If you are migrating mail for more users, it is easier to use a CSV
file to enter all the information for the accounts.
6. Connect Office 365 to email system.
To migrate email successfully, Office 365 needs to connect and communicate with the source email system.
To do this, Office 365 uses a migration endpoint, the settings that are used to create the connection.
7. Migrate mailboxes and then verify the migration.
To migrate mailboxes, you create a migration batch, and then start the migration. After the migration batch
is run, verify that the email was migrated successfully.
8. Optimize email settings (optional).
There are some settings you can configure so that it doesn't take as long for email to start showing up in
your new Office 365 mailboxes. See Tips for optimizing IMAP migrations.
9. Begin routing email to Office 365.
You need to change a DNS record called an MX record so that your email system can start routing mail to
Office 365.
10. Verify routing and then stop email synchronization.
After you verify that all email is being routed to Office 365, you can delete the migration batch to stop the
synchronization between your source email system and Office 365.
11. Send a welcome letter to users.
Let your users know about Office 365 and how to sign in to their new mailboxes.

Ready to start?
To finish an email migration successfully, it's a good idea to be comfortable doing these tasks:
You create a list of mailboxes to migrate in Excel. You add your users' email addresses, usernames, and
passwords to this file.
You use step-by-step wizards in Office 365 to configure and start the migration process.
After the mail has been migrated, you change your organization's MX record to point to Office 365 when
the migration is complete. Your MX record is how other mail systems find the location of your email
system. Changing your MX record allows other mail systems to begin to send email directly to the new
mailboxes in Office 365. To learn how to update your MX record, see Create DNS records at any DNS
hosting provider for Office 365 as well.
If you're comfortable with what's involved in migrating mailboxes to Office 365, you're ready to get started. The
first step is to determine which source email system you're migrating from:
Gmail
This procedure uses the Exchange admin center steps for an IMAP migration.
Some other IMAP enabled email system
This procedure uses the Exchange admin center steps for an IMAP migration.
IMAP migration in the Admin center
Use PowerShell to perform an IMAP migration to Office 365

See also
Tips for optimizing IMAP migrations
Learn more about setting up your IMAP server connection
Migrate G Suite mailboxes to Office 365
3/6/2019 • 14 minutes to read

Migrate your IMAP mailboxes to Office 365 gives you an overview of the migration process. Read it first and
when you're familiar with the contents of that article, return to this topic to learn how to migrate mailboxes from G
Suite (formerly known as Google Apps) Gmail to Office 365. You must be a global admin in Office 365 to
complete IMAP migration steps.
Looking for Windows PowerShell commands? See Use PowerShell to perform an IMAP migration to Office 365.
Want to migrate other types of IMAP mailboxes? See Migrate other types of IMAP mailboxes to Office 365.

Migration from G Suite mailboxes using the Office 365 admin center
You can use the setup wizard in the Office 365 admin center for an IMAP migration. See IMAP migration in the
Office 365 admin center for instructions.
IMPORTANT: IMAP migration will only migrate emails, not calendar and contact information. Users can import
their own email, contacts, and other mailbox information to Office 365. See Migrate email and contacts to Office
365 to learn how.
Before Office 365 can connect to Gmail or G Suite, all the account owners need to create an app password to
access their account. This is because Google considers Outlook to be a less secure app and will not allow a
connection to it with a password alone. For instructions, see Prepare your G Suite account for connecting to
Outlook and Office 365. You'll also need to make sure your G Suite users can turn on 2-step verification.
Gmail Migration tasks
The following list contains the migration tasks given in the order in which you should complete them.
Step 1: Verify you own your domain
In this task, you'll first verify to Office 365 that you own the domain you used for your G Suite accounts.

NOTE
Another option is to use the <your company name>.onmicrosoft.com domain that is included with your Office 365
subscription instead of using your own custom domain. In that case, you can just add users as described in Add users
individually or in bulk to Office 365 - Admin Help and omit this task. Most people, however, prefer to use their own domain.

Domain verification is a task you will go through as you set up Office 365. During setup, the Office 365 setup
wizard provides you with a TXT record to add at your domain host provider. See Add a domain to Office 365
for the steps to complete in the Office 365 admin center, and choose a domain registrar from the following two
options to see how to add the TXT record at your DNS host provider.
Your current DNS host provider is Google: If you purchased your domain from Google and they are the
DNS hosting provider, follow these instructions: Create DNS records when your domain is managed by
Google (Go Daddy).
You purchased your domain from another domain registrar: If you purchased your domain from a
different company, we provide instructions for many popular domain hosting providers.
Step 2: Add users to Office 365
You can add your users either one at a time, or several users at a time. When you add users you also add licenses
to them. Each user has to have a mailbox on Office 365 before you can migrate email to it. Each user also needs a
license that includes an Exchange Online plan to use his or her mailbox.

IMPORTANT
At this point you have verified that you own the domain and created your G Suite users and mailboxes in Office 365 with
your custom domain. Close the wizard at this step. Do not proceed to Set up domain, until your Gmail mailboxes are
migrated to Office 365. You'll finish the setup steps in task 7, Step 6: Update your DNS records to route Gmail directly to
Office 365.

Step 3: Create a list of Gmail mailboxes to migrate


For this task, you create a migration file that contains a list of Gmail mailboxes to migrate to Office 365. The
easiest way to create the migration file is by using Excel, so we use Excel in these instructions. You can use Excel
2013, Excel 2010, or Excel 2007.
When you create the migration file, you need to know the app password of each Gmail mailbox that you want to
migrate. We're assuming you don't know the user passwords, so you'll probably need to assign temporary
passwords (by resetting the passwords) to all mailboxes during the migration. You must be an administrator in G
Suite to reset passwords.
You don't have to migrate all Gmail mailboxes at once. You can do them in batches at your convenience. You can
include up to 50,000 mailboxes (one row for each user) in your migration file. The file can be as large as 10 MB.
1. Sign in to G Suite admin console using your administrator username and password.
2. After you're signed in, choose Users.

3. Select each user to identify each user's email address. Write down the address.

4. Sign in to the Office 365 admin center, and go to Users > Active users. Keep an eye on the username
column. You'll use this information in a minute. Keep the Office 365 admin center window open, too.
5. Start Excel.
6. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the picture exactly and don't contain spaces. The exact heading names are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.

7. Next enter the email address, username, and app password for each mailbox you want to migrate. Enter one
mailbox per row.
Column A is the email address of the Office 365 mailbox. This is what's shown in the username column in
Users > Active users in the Office 365 admin center.
Column B is the sign-in name for the user's Gmail mailbox—for example, alberta@contoso.com.
Column C is the app password for the user's Gmail mailbox. Creating the app password is described in
Migration from G Suite mailboxes using the Office 365 admin center.

8. Save the file as a CSV file type, and then close Excel.

Step 4: Connect Office 365 to Gmail


To migrate Gmail mailboxes successfully, Office 365 needs to connect and communicate with Gmail. To do this,
Office 365 uses a migration endpoint. Migration endpoint is a technical term that describes the settings that are
used to create the connection so you can migrate the mailboxes. You create the migration endpoint in this task.
1. Go to the Exchange admin center.
2. In the EAC, go to Recipients > Migration > More > Migration endpoints.

3. Click New to create a new migration endpoint.


4. On the Select the migration endpoint type page, choose IMAP.
5. On the IMAP migration configuration page, set IMAP server to imap.gmail.com and keep the default
settings the same.
6. Click Next. The migration service uses the settings to test the connection to Gmail system. If the
connection works, the Enter general information page opens.
7. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint.
Leave the other two boxes blank to use the default values.

8. Click New to create the migration endpoint.


Step 5: Create a migration batch and start migrating Gmail mailboxes
You use a migration batch to migrate groups of Gmail mailboxes to Office 365 at the same time. The batch
consists of the Gmail mailboxes that you listed in the migration file in the previous Step 4: Connect Office 365 to
Gmail.

TIP
It's a good idea to create a test migration batch with a small number of mailboxes to first test the process. Use migration
files with the same number of rows, and run the batches at similar times during the day. Then compare the total running
time for each test batch. This helps you estimate how long it could take to migrate all your mailboxes, how large each
migration batch should be, and how many simultaneous connections to the source email system you should use to balance
migration speed and internet bandwidth.
1. In the Office 365 admin center, navigate to Admin centers > Exchange.

2. In the Exchange admin center, go to Recipients > Migration.


3. Click New > Migrate to Exchange Online.

4. Choose IMAP migration > Next.


5. On the Select the users page, click Browse to specify the migration file you created. After you select your
migration file, Office 365 checks it to make sure:
It isn't empty.
It uses comma-separated formatting.
It doesn't contain more than 50,000 rows.
It includes the required attributes in the header row.
It contains rows with the same number of columns as the header row.
If any one of these checks fails, you'll get an error that describes the reason for the failure. If you get an
error, you must fix the migration file and resubmit it to create a migration batch.
6. After Office 365 validates the migration file, it displays the number of users listed in the file as the number
of Gmail mailboxes to migrate.

7. Click Next.
8. On the Set the migration endpoint page, select the migration endpoint that you created in the previous
step, and click Next.
9. On the IMAP migration configuration page, accept the default values, and click Next.
10. On the Move configuration page, type the name (no spaces or special characters) of the migration batch
in the box—for example, Test5-migration. The default migration batch name that's displayed is the name of
the migration file that you specified. The migration batch name is displayed in the list on the migration
dashboard after you create the migration batch.
You can also enter the names of the folders you want to exclude from migration. For example, Shared, Junk
Email, and Deleted. Click Add to add them to the excluded list. You can also click Edit to change a
folder name and Delete to delete the folder name.

11. Click Next.


12. On the Start the batch page, do the following:
Choose Browse to send a copy of the migration reports to other users. By default, migration reports are
emailed to you. You can also access the migration reports from the properties page of the migration batch.
Choose Automatically start the batch > new. The migration starts immediately with the status Syncing.

NOTE
If you have large user mailboxes and the status shows Syncing for a long time, you may be experiencing bandwidth limits
set by Google. For more information, see Bandwidth limits and Sync limits. You can try to unlock the Gmail user or use
an alternative method to migrate the users. For more information, see Use network upload to import your organization PST
files to Office 365 and Third-party tools for Office 365 migrations.
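
The checks that Office 365 runs on the migration file in step 5 can be run locally before the upload. The following Python is an added example, not Microsoft's validation code; the function name, the reporting cap and the blank-cell check are assumptions. Its messages report line numbers and heading names only, never cell values, because the Password column holds credentials.

```python
import csv
import io

# Heading names and limits are the ones stated on this page.
REQUIRED = ("EmailAddress", "UserName", "Password")
MAX_ROWS = 50_000                # one row per mailbox
MAX_BYTES = 10 * 1024 * 1024     # "10 MB"; reading MB as 2**20 bytes is an assumption
MAX_REPORTED = 20                # assumption: cap on per-row findings returned


def validate_migration_csv(data: bytes) -> list:
    """Return a list of problems found; an empty list means every check passed.

    Messages name line numbers and column headings only. Cell values are never
    echoed, because the Password column holds live credentials.
    """
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 10 MB limit")
    try:
        text = data.decode("utf-8-sig")   # tolerate the BOM of Excel's "CSV UTF-8"
    except UnicodeDecodeError:
        text = data.decode("latin-1")     # plain "CSV" export uses an ANSI code page

    reader = csv.reader(io.StringIO(text, newline=""))
    # csv.reader yields [] for blank lines; skip them but keep real line numbers.
    rows = [(reader.line_num, row) for row in reader if row]
    if not rows:
        return problems + ["file is empty"]

    header = rows[0][1]
    body = rows[1:]
    if len(header) == 1 and any(sep in header[0] for sep in ";\t|"):
        return problems + ["header row is not comma-separated"]

    for name in REQUIRED:
        if name in header:
            continue
        # Catch the near misses the page warns about: spaces or wrong case.
        near = [h for h in header if h.replace(" ", "").lower() == name.lower()]
        hint = f" (found {near[0]!r}; headings must match exactly)" if near else ""
        problems.append(f"header row is missing {name}{hint}")

    if not body:
        problems.append("no mailbox rows after the header")
    if len(body) > MAX_ROWS:
        problems.append(f"{len(body)} rows, over the {MAX_ROWS} row limit")

    columns = {name: header.index(name) for name in REQUIRED if name in header}
    findings = 0
    for line_no, row in body:
        if findings >= MAX_REPORTED:
            problems.append("further row problems not listed")
            break
        if len(row) != len(header):
            problems.append(
                f"line {line_no}: {len(row)} columns, header has {len(header)}")
            findings += 1
            continue
        # Not one of the five checks listed on the page: flag empty required cells.
        blank = [name for name, i in columns.items() if not row[i].strip()]
        if blank:
            problems.append(f"line {line_no}: blank {', '.join(blank)}")
            findings += 1
    return problems


if __name__ == "__main__":
    # Constructed sample: a heading with a space in it and a short row on line 3.
    sample = (b"Email Address,UserName,Password\r\n"
              b"alberta@contoso.com,alberta@contoso.com,constructed-app-pw\r\n"
              b"bobby@contoso.com,bobby@contoso.com\r\n")
    for problem in validate_migration_csv(sample):
        print(problem)
```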

Verify that the migration worked


In the Exchange admin center, go to Recipients > Migration. Verify that the batch is displayed in the
migration dashboard. If the migration completed successfully, the status is Synced.
If this task fails, check the associated Mailbox status reports for specific errors, and double-check that your
migration file has the correct Office 365 email address in the EmailAddress column.
Verify a successful mailbox migration to Office 365
Ask your migrated users to complete the following tasks:
Go to the Office 365 sign-in page, and sign in with your username and temporary password.
Update your password, and set your time zone. It's important that you select the correct time zone to
make sure your calendar and email settings are correct.
When Outlook Web App opens, send an email message to another Office 365 user to verify that you
can send email.
Choose Outlook, and check that your email messages and folders are all there.
Optional: Reduce email delays
Although this task is optional, doing it can help avoid delays in receiving email in the new Office 365
mailboxes.
When people outside of your organization send you email, their email systems don't double-check where to send
that email every time. Instead, their systems save the location of your email system based on a setting in your
DNS server known as a time-to-live (TTL). If you change the location of your email system before the TTL expires,
the sender's email system tries to send email to the old location before figuring out that the location changed. This
can result in a mail delivery delay. One way to avoid this is to lower the TTL that your DNS server gives to servers
outside of your organization. This will make the other organizations refresh the location of your email system
more often.
Most email systems ask for an update each hour if a short interval such as 3,600 seconds (one hour) is set. We
recommend that you set the interval at least this low before you start the email migration. This setting allows all
the systems that send you email enough time to process the change. Then, when you make the final switch over to
Office 365, you can change the TTL back to a longer interval.
The place to change the TTL setting is on your email system's mail exchanger record, also called an MX record.
This lives in your public facing DNS. If you have more than one MX record, you need to change the value on each
record to 3,600 seconds or less.
Don't worry if you skip this task. It might take longer for email to start showing up in your new Office 365
mailboxes, but it will get there.
If you need some help configuring your DNS settings, see Create DNS records for Office 365 when you manage
your DNS records.
Step 6: Update your DNS records to route Gmail directly to Office 365
Email systems use a DNS record called an MX record to figure out where to deliver email. During the email
migration process, your MX record was pointing to your Gmail system. Now that you've completed your email
migration to Office 365, it's time to point your MX record to Office 365. After you change your MX record
following these steps, email sent to users at your custom domain is delivered to Office 365 mailboxes.
For many DNS providers, there are specific instructions to change your MX record; see Create DNS records for
Office 365 when you manage your DNS records for instructions. If your DNS provider isn't included, or if you
want to get a sense of the general directions, general MX record instructions are provided as well. See Create
DNS records at any DNS hosting provider for Office 365 for instructions.
1. Sign in to Office 365 with your work or school account.
2. Choose Setup > Domains.
3. Select your domain and then choose Fix issues.
The status shows Fix issues because you stopped the wizard partway through so you could migrate your
Gmail email to Office 365 before switching your MX record.

4. For each DNS record type that you need to add, choose What do I fix?, and follow the instructions to add
the records for Office 365 services.
5. After you've added all the records, you'll see a message that your domain is set up correctly: Contoso.com
is set up correctly. No action is required.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX
record. Wait at least 72 hours before you proceed to stopping synchronization with Gmail.
Step 7: Stop synchronization with Gmail
During the last task, you updated the MX record for your domain. Now it's time to verify that all email is being
routed to Office 365. After verification, you can delete the migration batch and stop the synchronization between
Gmail and Office 365. Before you take this step:
Make sure that your users are using Office 365 exclusively for email. After you delete the migration batch,
email that is sent to Gmail mailboxes isn't copied to Office 365. This means your users can't get that email,
so make sure that all users are on the new system.
Let the migration batch run for at least 72 hours before you delete it. This makes the following two things
more likely:
Your Gmail mailboxes and Office 365 mailboxes have synchronized at least once (they synchronize
once a day).
The email systems of your customers and partners have recognized the changes to your MX records
and are now properly sending email to your Office 365 mailboxes.
When you delete the migration batch, the migration service cleans up any records related to the migration batch
and removes it from the migration dashboard.
Delete a migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then click Delete.
How do you know this worked?
In the Exchange admin center, navigate to Recipients > Migration. Verify that the migration batch no longer
is listed on the migration dashboard.
Step 8: Users migrate their calendar and contacts
After you migrate their email, users can import their Gmail calendar and contacts to Outlook:
Import contacts to Outlook
Import Google Calendar to Outlook

Related Topics
IMAP migration in the Office 365 admin center
Migrate your IMAP mailboxes to Office 365
Ways to migrate email to Office 365
Tips for optimizing IMAP migrations
Migrate other types of IMAP mailboxes to Office 365
3/6/2019 • 18 minutes to read

As part of the process of deploying Office 365, you can choose to migrate the contents of user mailboxes from an
Internet Mail Access Protocol (IMAP) email service to Office 365.
Looking for Windows PowerShell commands for general IMAP migrations? See Use PowerShell to perform an
IMAP migration to Office 365.

Migration tasks for IMAP mailboxes


NOTE
You'll have to create your users in Office 365 before you migrate their IMAP mailboxes from the source system. Each user
has to have an existing Office 365 mailbox to which you import their mail. If you use a domain with your IMAP system
and also want to use it with Office 365, you will have to add it to Office 365 as an accepted domain before you create users
in Office 365. For instructions, see Add a domain to Office 365. If you are using Office 365 operated by 21Vianet in China,
see Add your domain and users to Office 365 operated by 21Vianet. To add users, see Add users individually or in bulk to
Office 365 - Admin Help, or for Office 365 operated by 21Vianet see Add, edit, delete or restore user accounts in Office 365
operated by 21Vianet - Admin Help.

Here are the tasks to do when you're ready to get started with migrating your IMAP mailboxes.
Step 1: Find the full name of your current email server
Office 365 needs the name of the source email system, sometimes referred to as a server, from which you want to
migrate mailboxes. There are many ways to get the name of your email system. The easiest way is by using an
email client that's connected to your email system. In this task, we describe how to get the name of the system by
using Outlook Web App. If your email client isn't described here, contact support for your source email system.
Get the name of your source email system using Outlook Web App
1. In Outlook Web App, on the toolbar click Settings > Options > Mail > Accounts > POP and IMAP.
Below your account information, you'll see a link that says Settings for POP and IMAP access. Your
IMAP server's name is listed under IMAP setting.

See Use POP or IMAP to connect to Office 365 for business or Microsoft Exchange accounts for more
information on IMAP connections in Office 365.
Step 2: Create the list of mailboxes to migrate
The steps followed to create the list of mailboxes to migrate depend on how you access the mailboxes. You need
access to user mailboxes before you can migrate them to Office 365. Here are two ways in which you can gain
access to the mailboxes:
You either know the passwords to each user's mailbox, or you reset the passwords to new passwords that
you do know. Follow the steps in Create the list of user mailboxes when you know the user passwords, or
you'll reset the passwords.
Your source email system lets you use mailbox admin credentials to access user mailboxes, which means
you don't need to know the passwords or reset them. Follow the steps in Create a list of user mailboxes
using admin credentials to access them to learn how to access user mailboxes.
Create the list of user mailboxes when you know the user passwords, or you'll reset the passwords

For this task, you create a migration file that contains a list of mailboxes to migrate to Office 365. We use Excel in
the instructions because it's the easiest way to create the migration file. You can use Excel 2013, Excel 2010, or
Excel 2007.
When you create the migration file, you must know the password of each mailbox to be migrated. We're
assuming you don't know user passwords, so you'll probably need to assign temporary passwords (by resetting
the passwords) to all mailboxes during the migration.
You don't have to migrate all mailboxes at once. You can do them in batches at your convenience. You can include
up to 50,000 mailboxes (one row for each user) in your migration file, which can be as large as 10 MB.
For more information, see CSV files for IMAP migration batches.
1. Go to your source email system (the one you're migrating from), and navigate to the list of mailboxes you
want to migrate.
We'd give you the exact steps if we could, but there are so many different email systems out there that you
need to find this out on your own. When you find the list of mailboxes, keep this window open.
2. Go to the Office 365 admin center.
3. Navigate to Users > Active users. Keep an eye on the username column. You'll use this information in a
minute. Keep the Office 365 admin center open, too.

4. Start Excel.
5. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the picture exactly and don't contain spaces. The exact heading names are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.

6. Next, enter the email address, username, and password for each mailbox you want to migrate. Enter one
mailbox per row:
Column A is the email address of the Office 365 mailbox. This is what is shown in the username column
under Users > Active users in the Office 365 admin center.
Column B is the sign-in name—for example, alberta, or often, alberta@contoso.com—for the user's
mailbox on the source email system.

NOTE
A lot of email systems use the entire email address as the sign-in name. Note also, if you are using the same domain
in Office 365 and your source email system, the columns A and B can be identical.

Column C is the password for the user's mailbox.

If you don't know the users' passwords, you'll need to reset them to passwords that you do know, and then
enter those passwords in the migration file. This is inconvenient for users, but there's no way around this
unless your source email system supports using superuser credentials.
If you want users to have access to the source email system, you can distribute new passwords to the
source email system after the migration is finished. We'll deal with getting the new passwords distributed
after the migration is finished.
7. Reset the passwords, and note the new passwords in your migration file. The exact steps will depend on
your source email system. You can probably find the option to reset a password when you view the user's
email account.
8. Save the file as a CSV file type, and close Excel.

Create a list of user mailboxes using admin credentials to access them


For this task, you create a migration file that contains a list of mailboxes to migrate to Office 365. The easiest way
to create the migration file is by using Excel, so we use Excel in these instructions. You can use Excel 2013, Excel
2010, or Excel 2007.
When you create a migration file in this task, you type your mailbox admin credentials and usernames using a
special format. This allows you to access user mailboxes without knowing or resetting the user passwords. We
provide the format used by Exchange, Dovecot, and Mirapoint IMAP servers. If your source email system isn't
listed here and you don't know the correct format, you still have the option of resetting user passwords. Skip this
task and go to Create the list of user mailboxes when you know the user passwords, or you'll reset the passwords.
You don't have to migrate all mailboxes at once. You can migrate them in batches at your convenience. You can
include up to 50,000 mailboxes (one row for each user) in your migration file, which can be as large as 10 MB.
1. Go to your source email system (the one you're migrating from), and navigate to the list of mailboxes you
want to migrate. We'd give you the exact steps if we could, but there are so many different email systems
out there that you need to find out these steps on your own. When you find the list of mailboxes, keep the
window open so you can refer to them.
2. Go to the Office 365 admin center.
3. Navigate to Users > Active users. Keep an eye on the username column. You'll use this information in a
minute. Keep the Office 365 admin center page open, too.

4. Start Excel.
5. Use the following screenshot as a template to create the migration file in Excel. Start with the headings in
row 1. Make sure they match the screenshot exactly and don't contain spaces. The exact heading names
are:
EmailAddress in cell A1.
UserName in cell B1.
Password in cell C1.
6. Next, enter the email address, username, and password for each mailbox you want to migrate. Enter one
mailbox per row.
Column A is the email address of the user's Office 365 mailbox. This is what's shown in the username
column under Users > Active users in the Office 365 admin center.
Column B is the combination of the mailbox admin name and username that's specific to your source
email system. See Format mailbox admin credentials for different IMAP servers for formatting
instructions.
Column C is the password for the mailbox admin account.
7. Save the file as a CSV file type, and then close Excel.

Format mailbox admin credentials for different IMAP servers

In the migration file, each cell in the UserName column consists of two combined names: the username of the
person whose email is being migrated, and the username of the mailbox admin account. The supported format
for mailbox admin credentials is different depending on your source email system. Here are the formats for
several types of source email systems.
Microsoft Exchange
If you're migrating email from the IMAP implementation for Exchange, use the format
Domain/Admin_UserName/User_UserName for the UserName attribute in the migration file. Let's say
you're migrating email from Exchange for Alberta Greene, Bobby Overby, Irwin Hume, Katrina Hernandez, and
Mathew Slattery. You have a mailbox admin account, where the username is mailadmin and the password is
P@ssw0rd. Here's what your migration file would look like:

Dovecot
For source email systems that support Simple Authentication and Security Layer (SASL), such as a Dovecot IMAP
server, use the format User_UserName*Admin_UserName. Let's say you're migrating email from a Dovecot
IMAP server using the mailbox admin credentials mailadmin and P@ssw0rd. Here's what your migration
file would look like:

Mirapoint
If you're migrating email from Mirapoint Message Server, use the format
#user@domain#Admin_UserName#. Let's say you're migrating email using the mailbox admin credentials
mailadmin and P@ssw0rd. Here's what your migration file would look like:

Courier IMAP and Oracle IMAP


Some source email systems such as Courier IMAP and Oracle IMAP don't support using mailbox admin
credentials to migrate mailboxes to Office 365. Instead, you can set up your source email system to use virtual
shared folders. Virtual shared folders allow you to use the mailbox admin credentials to access user mailboxes on
the source email system. For more information about how to configure virtual shared folders for Courier IMAP,
see Shared Folders.
To migrate mailboxes after you set up virtual shared folders on your source email system, you have to include the
optional attribute UserRoot in the migration file. This attribute specifies the location of each user's mailbox in the
virtual shared folder structure on the source email system. For example, the path to Alberta's mailbox is
/users/alberta.
Here's an example of a migration file that contains the UserRoot attribute:

Step 3: Connect Office 365 to your email system


To migrate email successfully, Office 365 needs to connect and communicate with the source email system. To do
this, Office 365 uses a migration endpoint. This is a technical term that describes the settings that are used to
create the connection. You create the migration endpoint in this task.
1. Go to the Exchange admin center.
2. In the Exchange admin center, go to Recipients > Migration > More > Migration endpoints.

3. Click New to create a new migration endpoint.


4. On the Select the migration endpoint type page, choose IMAP.
5. On the IMAP migration configuration page, enter the following information:
* IMAP server: Type the messaging server name (for example, imap.contoso.com) of the source email
server.
Leave the remaining information as the default settings; these will work for most cases.
6. Click Next. The migration service uses the settings to test the connection to your email server. If the
connection works, the Enter general information page appears.
7. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint.
Leave the other two boxes blank to use the default values.

8. Click New to create the migration endpoint.


Step 4: Create a migration batch and migrate your mailboxes
You use a migration batch to migrate groups of email to Office 365 mailboxes at the same time. The batch
consists of the mailboxes that you listed in the migration file in the previous task.

TIP
We recommend that you create a test migration batch with a small number of mailboxes to first test the process. Use
migration files with the same number of rows, and run the batches at similar times during the day. Then compare the total
running time for each test batch. This comparison helps you estimate how long it could take to migrate all your mailboxes,
how large each migration batch should be, and how many simultaneous connections to the source email system you should
use to balance migration speed and internet bandwidth.

1. In the Exchange admin center, go to Recipients > Migration.


2. Click New > Migrate to Exchange Online.

3. Choose IMAP migration > Next.


4. On the Select the users page, click Browse to specify the migration file you created. After you select your
migration file, Office 365 checks it to make sure of the following:
It isn't empty.
It uses comma-separated formatting.
It doesn't contain more than 50,000 rows.
It includes the required attributes in the header row.
It contains rows with the same number of columns as the header row.
If any one of these checks fails, you'll get an error that describes the reason for the failure. If you get an
error, you have to fix the migration file and resubmit it to create a migration batch.
5. After Office 365 validates the migration file, it displays the number of users listed in the file as the number
of mailboxes to migrate.

6. Click Next.
7. On the IMAP migration configuration page, click Next.
8. On this page, select the migration endpoint that you created in Step 3: Connect Office 365 to your email
system.
9. On the Move configuration page, type the name (no spaces or special characters) of the migration batch,
for example, Test5-migration, and then click Next.
The default migration batch name that's displayed is the name of the migration file that you specified. The
migration batch name is displayed in the list on the migration dashboard after you create the migration
batch.
You can also optionally enter the names of the folders you want to exclude from migrating, for example
Shared, Junk Email, and Deleted. Click New to add them to the excluded list. You can also click Edit to
change a folder name and Delete to delete a folder name.

IMPORTANT
If you're migrating email from Microsoft Exchange Server, we recommend that you exclude public folders from the
migration. If you don't, the contents of the public folders are copied to the Office 365 mailbox of every user in the
migration file.

10. Click Next.


11. On the Start the batch page, do the following:
Click Browse to send a copy of the migration reports to other users. By default, migration reports are
emailed to you. You can also access the migration reports from the properties page of the migration batch.
Choose Automatically start the batch. The migration starts as soon as you save the new migration
batch. The batch status is first Created and changes to Syncing after the migration starts.
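The file checks listed in step 4 can be run locally before you upload the migration file. The following is an added example, not Microsoft's validation code: the function name `preflight_migration_csv` and the sample files are constructed, and treating "10 MB" as binary megabytes is an assumption.

```python
import csv
import io

REQUIRED = ("EmailAddress", "UserName", "Password")  # required header names (from the page)
MAX_ROWS = 50_000                                     # row limit stated on the page
MAX_BYTES = 10 * 1024 * 1024                          # "10 MB"; binary megabytes is an assumption


def preflight_migration_csv(data: bytes) -> list:
    """Return a list of problems found; an empty list means every check passed.

    Messages cite line numbers and column names only, never cell values,
    so the report can be shared without leaking the passwords in the file.
    """
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file is larger than 10 MB")
    try:
        text = data.decode("utf-8-sig")  # accept the byte-order mark Excel may write
    except UnicodeDecodeError:
        return problems + ["file is not UTF-8 encoded"]

    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)
    if not header:
        return problems + ["file is empty or has no header row"]

    # A one-column header holding ';' or a tab means another delimiter was used.
    if len(header) == 1 and any(d in header[0] for d in ";\t"):
        return problems + ["file is not comma-separated"]

    for name in header:
        if name != name.strip() or " " in name:
            problems.append(f"header {name!r} contains spaces")
    for name in REQUIRED:
        if name not in header:
            problems.append(f"required attribute {name} is missing from the header row")
    if len(set(header)) != len(header):
        problems.append("header row repeats an attribute")

    user_rows = 0
    for row in reader:
        if not row:                      # csv.reader yields [] for a blank line
            continue
        user_rows += 1
        line = reader.line_num
        if len(row) != len(header):
            problems.append(f"line {line}: {len(row)} columns, header has {len(header)}")
            continue
        for name, value in zip(header, row):
            if name in REQUIRED and not value.strip():
                problems.append(f"line {line}: {name} is blank")
    if user_rows == 0:
        problems.append("file has a header row but no mailboxes")
    if user_rows > MAX_ROWS:
        problems.append(f"{user_rows} rows exceeds the 50,000-row limit")
    return problems


# Constructed sample files (placeholder passwords, not real credentials).
GOOD = (b"EmailAddress,UserName,Password\r\n"
        b"terrya@contoso.edu,contoso\\terry.adams,example-pw-1\r\n"
        b"annb@contoso.edu,contoso\\ann.beebe,example-pw-2\r\n")
BAD = (b"Email Address,UserName,Password\r\n"
       b"terrya@contoso.edu,contoso\\terry.adams\r\n"
       b"annb@contoso.edu,,example-pw-2\r\n")

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, preflight_migration_csv(sample) or "no problems")
```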

Verify that this task worked


In the Exchange admin center, go to Recipients > Migration. Verify that the batch is displayed in the
migration dashboard. If the migration completed successfully, the Status is Synced.
If this task fails, check the associated Mailbox status reports for specific errors, and double-check that
your migration file has the correct Office 365 email address in the EmailAddress column.
Verify a successful mailbox migration to Office 365
Ask users with migrated mailboxes to complete the following tasks:
Sign into Office 365 with your work or school account. Use your temporary password.
Update your password, and set your time zone. It's important that you select the correct time zone
to make sure your calendar and email settings are correct.
When Outlook Web App opens, send an email message to another Office 365 user to verify that
you can send email.
Choose Outlook, and check that your email messages and folders are all there.
Optional: Reduce email delays
This task is optional. You don't need to do this task, but if you skip it, it might take longer for email to start
showing up in your new Office 365 mailboxes.
When people outside of your organization send you email, their email systems don't double-check where to send
that email every time. Instead, their systems save the location of your email system based on a setting in your
DNS server known as a time-to-live (TTL). If you change the location of your email system before the TTL
expires, they'll try to send you email at the old location first before figuring out that the location changed. This can
result in a mail delivery delay. One way to avoid this is to lower the TTL that your DNS server gives to servers
outside of your organization. This will make the other organizations refresh the location of your email system
more often.
Using a short interval, such as 3,600 seconds (one hour) or less, means that most email systems will ask for an
updated location every hour. We recommend that you set the interval at least this low before you start the email
migration. This allows all the systems that send you email enough time to process the change. Then, when you
make the final switch over to Office 365, you can change the TTL back to a longer interval.
The place to change the TTL setting is on your email system's mail exchanger record, also called an MX record.
This lives on your public facing DNS system. If you have more than one MX record, you need to change the value
on each record to 3,600 or less.
Don't worry if you skip this task. It might take longer for email to start showing up in your new Office 365
mailboxes, but it will get there.
If you need some help configuring your DNS settings, head over to Create DNS records for Office 365 when you
manage your DNS records. If you are using Office 365 operated by 21Vianet in China, see this version of the
article instead: Create DNS records for Office 365 when you manage your DNS records.
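A check for the TTL guidance above, as an added example that is not part of the original article: it reads MX records in zone-file or `dig` answer format and marks each one whose TTL is above 3,600 seconds. The function names and the sample zone are constructed; feed it answers from your authoritative name server, because a caching resolver reports the remaining TTL rather than the configured one.

```python
import re

MAX_TTL = 3600  # seconds; the interval the page recommends before migrating
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(token):
    """Convert '3600' or a BIND-style value such as '1h30m' to seconds.

    Returns None when the token is not a TTL (for example 'IN' or 'MX').
    """
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token.lower())
    if not parts or "".join(n + u for n, u in parts) != token.lower():
        return None
    return sum(int(n) * UNITS[u] for n, u in parts)


def mx_ttl_report(zone_text, max_ttl=MAX_TTL):
    """Return [(owner, ttl, preference, exchanger, ok)] for every MX record."""
    default_ttl = None   # set by a $TTL directive, used when a record has no TTL
    owner = None
    report = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL" and len(fields) > 1:
            default_ttl = ttl_seconds(fields[1])
            continue
        if fields[0].startswith("$"):               # $ORIGIN and other directives
            continue
        if not line[0].isspace():                   # leading blank = same owner as above
            owner = fields.pop(0)
        ttl = default_ttl
        # TTL and class may appear in either order before the record type.
        while fields and fields[0].upper() != "MX":
            value = ttl_seconds(fields[0])
            if value is not None:
                ttl = value
            elif fields[0].upper() != "IN":
                break                               # some other record type
            fields.pop(0)
        if len(fields) >= 3 and fields[0].upper() == "MX":
            ok = ttl is not None and ttl <= max_ttl
            report.append((owner, ttl, int(fields[1]), fields[2], ok))
    return report


# Constructed sample zone data (documentation addresses, not a real domain's records).
SAMPLE_ZONE = """\
$TTL 1d
contoso.com.     86400 IN MX 10 mail1.contoso.com.
contoso.com.     3600  IN MX 20 mail2.contoso.com.
                 IN MX 30 mail3.contoso.com.   ; no TTL, inherits $TTL
www.contoso.com. 300   IN A  192.0.2.10
"""

if __name__ == "__main__":
    for owner, ttl, pref, host, ok in mx_ttl_report(SAMPLE_ZONE):
        print(f"{owner} MX {pref} {host} ttl={ttl} {'ok' if ok else 'LOWER THIS TTL'}")
```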
Step 5: Route your email directly to Office 365
Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email
migration process, we left your MX record pointing to your source email system. Now that the email migration to
Office 365 is complete, it's time to point your MX record at Office 365. This helps ensure that email is delivered to
your Office 365 mailboxes. Moving the MX record will also let you turn off your old email system when you are
ready.
For many DNS providers, we have specific instructions to change your MX records; see Create DNS records for
Office 365 when you manage your DNS records. If you are using Office 365 operated by 21Vianet in China, see
this version of the article instead: Create DNS records for Office 365 when you manage your DNS records. If
your DNS provider isn't included, or you want to get a sense of the general directions, we've provided general MX
record instructions as well; see Create DNS records at any DNS hosting provider for Office 365, or for Office 365
in China, see this version of the article: Create DNS records at any DNS hosting provider for Office 365.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX
record. Wait at least 72 hours before you proceed to the next task to stop email synchronization.
Step 6: Stop email synchronization
During the last task, you changed the MX record. Now it's time to verify that all your email is being routed to
Office 365, and then you can go ahead and delete the migration batch. Doing this stops the synchronization
between your source email system and Office 365. Before you do, make sure of a few things:
Your users are using Office 365 exclusively for email. After you delete the migration batch, email that is
sent to mailboxes on your source email system isn't copied to Office 365. This means your users can't get
that email, so make sure that users are all on the new system.
Let the migration batch run for at least 72 hours before you delete it. This makes the following two things
much more likely:
Your source email system and Office 365 mailboxes were synchronized at least once (they
synchronize once a day).
The email systems of your customers and partners have recognized the changes to your MX
records and are now properly sending email to your Office 365 mailboxes.
When you delete the migration batch, the migration service cleans up any records related to the migration batch
and removes it from the migration dashboard.
Delete a migration batch
1. In the Exchange admin center, go to Recipients > Migration.
2. On the migration dashboard, select the batch, and then click Delete.
Confirm that the deletion worked
In the Exchange admin center, go to Recipients > Migration. Verify that the migration batch is no longer
listed on the migration dashboard.

See also
Migrate your IMAP mailboxes to Office 365
Ways to migrate email to Office 365
Tips for optimizing IMAP migrations
IMAP migration in the Office 365 admin center
3/4/2019 • 3 minutes to read

After you've added your users to Office 365, you can use Internet Message Access Protocol (IMAP) to migrate
email for those users from their IMAP-enabled email servers.
In the Office 365 admin center, go to Setup > Data migration to start migrating IMAP-enabled email. The
email migrations page is pre-configured for migrations from Gmail, Outlook, Hotmail and Yahoo. You can also
enter your own IMAP server name and connection parameters to migrate from an email service that is not listed.

IMPORTANT
Before you can use an IMAP migration for your users, they must have been first added to your Office 365 tenant. For
instructions, see Add users to Office 365 for business.

Before you migrate, read What you need to know about migrating your IMAP mailboxes to Office 365.
To perform an IMAP migration by using the Exchange admin center (EAC), see Migrate other types of IMAP
mailboxes to Office 365.
To migrate Exchange mail to Office 365, see Use express migration to migrate Exchange mailboxes to Office 365.

Migrate IMAP mailboxes to Office 365


1. Sign in to the Office 365 admin center.
2. Navigate to Setup > Data migration.

The Select your data service dashboard opens.


3. Your provider is listed:
Choose the email provider you are migrating from.

IMPORTANT
If you're migrating email from Gmail, you need to ask your users to create an app password, which you will use
instead of their account password. If you're migrating email from Outlook.com or Hotmail.com, you need to
ask your users to set up two-step verification and obtain an app password. You will use their app password instead
of their account password when you establish a connection between Outlook.com or Hotmail.com and Office 365.

After you choose a provider, the Select users to start migrating email messages page will list all of your
users with the source email pre-filled in.

Your provider is not listed:


1. Choose Other email sources:
2. On the Select your data service page, fill in the appropriate IMAP connection data to test the connection.
You can use any account for this.
The example below is for a Google Apps domain called contoso.com, and therefore the IMAP server name
is imap.gmail.com.
Because the example is for Google Apps, note that the password is the 16-digit app password for the email
account that is entered to verify the connection to the server.

IMPORTANT
If you're migrating email from Google Apps where you own the domain, you need to ask your users to create an
app password you will have to use instead of their account password.
3. Click Save to test the connection. Once the connection is verified, the Email Migration Status page will
list all your added users with the email address that you provided.
4. This and the following steps apply to both a listed email provider and "Other":
Check the box next to the users whose email you want to migrate, and then fill in the email alias and the
password (app password if you are migrating mail from Gmail or Google Apps).
5. Choose Start Migration after you have entered the required information.

6. The migration status will be one of:


Starting
Queued
Syncing
Synced
When the status is Synced, the IMAP migration will continue to synchronize with the source email
periodically until you choose Stop Migration.
When you're done, choose Close Connection. This also allows you to start a new migration if you want to
migrate emails from other providers as well.
7. If you are migrating from Google Apps where you own the domain, you need to go to Create DNS records at
Google Domains for Office 365 after you have completed email migration so that the mail will be sent to
Office 365 mailboxes instead of Google Apps. If you are migrating from another IMAP provider where you
own the domain, check these instructions to find your domain provider.
If you have migrated as a part of the setup experience, you can return to the setup. The setup steps will
guide you through updating the DNS records.
Related Topics
Prepare your Gmail or Google Apps account for connecting to Outlook and Office 365
Prepare your Outlook.com or Hotmail.com account for IMAP migration
Learn more about setting up your IMAP server connection
3/4/2019 • 2 minutes to read

To migrate your email by using Internet Message Access Protocol (IMAP) migration, Office 365 needs to know the
name and connection settings of your IMAP server.

Find your IMAP server name


Office 365 needs the name of the source email server from which you want to migrate mailboxes. In this task, we
describe how to get the name of the system by using Outlook Web App. If you don't have access to Outlook Web
App, or if your IMAP server name isn't listed there, either contact support or consult the help documentation for
your source email system.
To get the name of your source email system by using Outlook Web App
In Outlook Web App, on the toolbar, choose Settings > Options > Mail > Accounts > POP and
IMAP. Below your account information, you'll see a link to Settings for POP and IMAP access. Your
IMAP server name, if enabled, is listed under IMAP setting.

The IMAP server for Gmail is: imap.gmail.com.


See POP and IMAP email settings for Outlook for more information about IMAP connections in Office
365.

Values for security and port


Office 365 also needs the values for the encryption method and the Transmission Control Protocol (TCP) port
number used by the source email IMAP server.
Security: This is the encryption method used by the IMAP server. The default value for secure sockets layer
(SSL) is appropriate for most IMAP servers.
Port: This is the TCP port number used to connect to the IMAP server. Use port 143 for unencrypted
connections, port 143 for Transport Layer Security (TLS) connections, or port 993 (the default) for SSL
connections. Port 993 is appropriate for most IMAP servers.
Tips for optimizing IMAP migrations
3/6/2019 • 4 minutes to read

When you undertake an Internet Message Access Protocol (IMAP) migration from an on-premises Exchange
Server to Office 365, you have a few choices for optimizing the migration performance.

Optimize IMAP migrations


Here are some tips for optimizing an IMAP migration:
Increase the connection limits to your IMAP server: Many firewalls and email servers have per-user
limits, per-IP address limits, and overall connection limits. Before you migrate mailboxes, make sure that
your firewall and IMAP server are configured to allow a large, or maximum, number of connections for the
following settings:
The total number of connections to the IMAP server.
The number of connections by a particular user. This is important if you use an administrator
account in the comma-separated value (CSV) migration file because all connections to the IMAP
server are made by this user account.
The number of connections from a single IP address. This limit is typically enforced by the firewall or
the email server.
If your IMAP server is running Microsoft Exchange Server 2010 or Exchange 2007, the default
settings for connection limits are low. Be sure to increase these limits before you migrate email. By
default, Exchange 2003 doesn't limit the number of connections.
For more information, see:
Exchange 2013: Set connection limits for IMAP4
Exchange 2010: View or Configure IMAP4 Properties
Exchange 2007: How to Set Connection Limits for IMAP4
Exchange 2003: How to Set Connection Limits
Change the DNS Time-to-Live (TTL) setting on your MX record: Before you start migrating
mailboxes, change the Domain Name System (DNS) TTL setting on your current MX record to a shorter
interval, such as 3,600 seconds (one hour). Then, when you change the MX record to point to your Office
365 email organization after all mailboxes are migrated, the updated MX record should propagate more
quickly because of the shortened TTL interval.
Run one or more test migration batches: Run a few small IMAP migration batches before you migrate
larger numbers of users. In a test migration, you can do the following:
Verify the format of the CSV file.
Test the migration endpoint used to connect to the IMAP server.
Verify that you can successfully migrate email by using administrator credentials, if applicable.
Determine the optimal number of simultaneous connections to the IMAP server that minimize the
impact on your internet bandwidth.
Verify that folders you exclude aren't migrated to Office 365 mailboxes.
Determine how long it takes to migrate a batch of users.
Use CSV files with the same number of rows and run the batches at similar times during the day.
Then compare the total running time for each test batch. This comparison will help you estimate
how long it will take to migrate all your mailboxes, how large each migration batch should be, and
how many simultaneous connections to the IMAP server you should use to balance migration speed
and internet bandwidth.
Use administrator credentials in the CSV file to migrate email: This method is the least disruptive
and least inconvenient for users, and it will help minimize synchronization errors caused when users change the
password on their on-premises account. It also saves you from having to obtain or change user passwords.
If you use this method, be sure to verify that the administrator account you use has the necessary
permissions to access the mailboxes you're migrating.

NOTE
If you decide to use user credentials in the CSV file, consider globally changing users' passwords, and then
preventing users from changing their password on their on-premises account before you migrate their mailboxes. If
users change their password before their mailbox is migrated to the cloud-based mailbox, the migration will fail. If
they change their password after the mailbox is migrated, new email sent to their mailbox on the IMAP server won't
be migrated to their Office 365 mailbox.

Don't delete mailboxes or change their SMTP addresses during migration: The migration system
will report an error when it can't find a mailbox that's been migrated. Be sure to complete the migration
and delete the migration batch before you delete or change the SMTP address of an Office 365 or on-
premises mailbox that's been migrated.
Communicate with your users: Let users know ahead of time that you'll be migrating the content of their
on-premises mailboxes to your Office 365 organization. Consider the following:
Tell users that email messages larger than 35 MB won't be migrated. Ask users to save very large
messages and attachments to their local computer or to a removable USB drive.
Ask users to delete old or unnecessary email messages from their on-premises mailboxes before
migration. This helps reduce the amount of data that has to be migrated and can help reduce the
overall migration time. Or you can clean up their mailboxes yourself.
Suggest that users back up their Inboxes.
Tell users which folders won't be migrated, if applicable.
Folders with a forward slash ( / ) in the folder name aren't migrated. If users want to migrate folders
that contain forward slashes in their names, they have to rename the folders or replace the forward
slashes with a different character, such as an underscore character ( _ ) or a dash ( - ).
CSV files for IMAP migration batches
3/4/2019 • 5 minutes to read

The comma-separated values (CSV) file that you use to migrate the contents of users' mailboxes in an IMAP
migration contains a row for each user. Each row contains information about the user's Office 365 mailbox and
IMAP mailbox, and Office 365 uses this information to process the migration.

Required attributes
Here are the required attributes for each user:
EmailAddress specifies the user ID for the user's Office 365 mailbox.
UserName specifies the user logon name for the user's mailbox on the IMAP server. You can use either the
username or domain\username format. For example, hollyh or contoso\hollyh.
Password is the password for the user's account in the IMAP messaging system.
The migration will fail if any one of these attributes isn't included in the header row of the CSV file. Also, be sure to
type the attributes exactly as they're shown. Attributes can't contain spaces. They must be a single word. For
example, Email Address is invalid. You must use EmailAddress.

CSV file format


Here's an example of the format for the CSV file. In this example, user credentials are used to migrate three
mailboxes:

EmailAddress,UserName,Password
terrya@contoso.edu,contoso\terry.adams,1091990
annb@contoso.edu,contoso\ann.beebe,2111991
paulc@contoso.edu,contoso\paul.cannon,3281986

The first row, or header row, of the CSV file lists the names of the attributes, or fields, specified in the rows that
follow. Each attribute name is separated by a comma.
Each row under the header row represents one user and supplies the information that will be used to migrate the
user's mailbox. The attribute values in each row must be in the same order as the attribute names in the header
row. Each attribute value is separated by a comma.
Use any text editor, or an application like Microsoft Excel, to create the CSV file. Save the file as a .csv or .txt file.

TIP
If the CSV file contains non-ASCII or special characters, save the CSV file with UTF-8 or other Unicode encoding. Depending
on the application, saving the CSV file with UTF-8 or other Unicode encoding might be easier when the system locale of the
computer matches the language used in the CSV file.

Divide a large migration into several batches


The CSV file can contain up to 50,000 rows, one row for each user, and can be as large as 10 MB. But it's a good
idea to migrate users in several smaller batches.
If you plan to migrate lots of users, decide which ones to include in each batch. For example, if you have 10,000
accounts to migrate, you could run four batches with 2,500 users each. You could also divide the batches
alphabetically; by user type, such as faculty, students, and alumni; by class, such as freshman, sophomore, junior,
and senior; or in other ways that meet your organization's needs.

TIP
One strategy is to create Office 365 mailboxes and migrate email for the same group of users. For example, if you import
100 new users to your Office 365 organization, create a migration batch for those same 100 users. This is an effective way to
organize and manage your migration from an on-premises messaging system to Office 365.

Provide user or administrator credentials


In the CSV file, you have to provide the username and password for the user's on-premises account. This enables
the migration process to access the account. There are two ways to do this:
Use user credentials: This requires that you obtain users' passwords or that you change their passwords
to a value that you know so you can include it in the CSV file.

TIP
If you use this option, prevent users from changing the passwords of their on-premises accounts. If users change
their passwords after the initial migration, subsequent synchronizations between the mailboxes on the IMAP server
and Office 365 mailboxes will fail.

Use super-user or administrator credentials: This requires that you use an account in your IMAP
messaging system that has the necessary rights to access all user mailboxes. In the CSV file, you use the
credentials for this account for each row. To learn whether your IMAP server supports this approach and
how to enable it, see the documentation for your IMAP server.

NOTE
It's a good idea to use administrator credentials because it doesn't affect or inconvenience users. For example, it
won't matter if users change their passwords after the initial migration.

Format for the administrator credentials for different IMAP servers


You can use the username and password of an administrator account in the UserName and Password fields for
each row of the CSV file. The username for administrator credentials is a combination of the username for the
person whose email is being migrated and the username for an administrator account that has permission to
access all user mailboxes. The supported format for administrator credentials is different depending on the IMAP
server you're migrating email from. For more information about how to use administrator credentials, see the
documentation for your IMAP server.

NOTE
When you submit a new migration request, the CSV file is uploaded to the Microsoft datacenter over a Secure Sockets Layer
(SSL) connection. The information from the CSV file is encrypted and stored on the Microsoft Exchange servers at the
Microsoft datacenter.

The following sections explain how to format the administrator credentials in the CSV file that you use to migrate
email from different types of IMAP servers.
Microsoft Exchange
If you're migrating email from the IMAP implementation for Microsoft Exchange, use the format
Domain/Admin_UserName/User_UserName for the UserName attribute in the CSV file. Let's say you're
migrating email from Exchange for Terry Adams, Ann Beebe, and Paul Cannon. You have a mail administrator
account, where the username is mailadmin and the password is P@ssw0rd. Here's what your CSV file would look
like:

EmailAddress,UserName,Password
terrya@contoso.edu,contoso-students/mailadmin/terry.adams,P@ssw0rd
annb@contoso.edu,contoso-students/mailadmin/ann.beebe,P@ssw0rd
paulc@contoso.edu,contoso-students/mailadmin/paul.cannon,P@ssw0rd

Dovecot
For IMAP servers that support Simple Authentication and Security Layer (SASL), such as a Dovecot IMAP server,
use the format User_UserName*Admin_UserName, where the asterisk ( * ) is a configurable separator
character. Let's say you're migrating those same users' email from a Dovecot IMAP server using the administrator
credentials mailadmin and P@ssw0rd. Here's what your CSV file would look like:

EmailAddress,UserName,Password
terrya@contoso.edu,terry.adams*mailadmin,P@ssw0rd
annb@contoso.edu,ann.beebe*mailadmin,P@ssw0rd
paulc@contoso.edu,paul.cannon*mailadmin,P@ssw0rd

Mirapoint
If you're migrating email from Mirapoint Message Server, use the format #user@domain#Admin_UserName#
for the administrator credentials. To migrate email from Mirapoint using the administrator credentials mailadmin
and P@ssw0rd, your CSV file would look like this:

EmailAddress,UserName,Password
terrya@contoso.edu,#terry.adams@contoso-students.edu#mailadmin#,P@ssw0rd
annb@contoso.edu,#ann.beebe@contoso-students.edu#mailadmin#,P@ssw0rd
paulc@contoso.edu,#paul.cannon@contoso-students.edu#mailadmin#,P@ssw0rd

Use the optional UserRoot attribute


Some IMAP servers, such as Courier IMAP, don't support using administrator credentials to migrate mailboxes to
Office 365. To use administrator credentials to migrate mailboxes, you can configure your IMAP server to use
virtual shared folders. Virtual shared folders allow administrators to use the administrator's logon credentials to
access user mailboxes on the IMAP server. For more information about how to configure virtual shared folders for
Courier IMAP, see Shared Folders.
To migrate mailboxes after you set up virtual shared folders on your IMAP server, you have to include the optional
attribute UserRoot in the CSV file. This attribute specifies the location of each user's mailbox in the virtual shared
folder structure on the IMAP server.
Here's an example of a CSV file that contains the UserRoot attribute:

EmailAddress,UserName,Password,UserRoot
terrya@contoso.edu,mailadmin,P@ssw0rd,/users/terry.adams
annb@contoso.edu,mailadmin,P@ssw0rd,/users/ann.beebe
paulc@contoso.edu,mailadmin,P@ssw0rd,/users/paul.cannon
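
The UserName formats shown in the CSV examples above can be checked mechanically before a migration batch is submitted. The following is an added example, not part of the original article: the function names Get-AdminCredentialFormat and Test-ImapMigrationCsv and the sample rows are constructed, and the rule that one file should not mix formats is an assumption (one CSV per IMAP server).

```powershell
# Added example (not from the original article). Function names and sample rows are
# constructed; the UserName formats are the ones shown in the CSV examples above.

function Get-AdminCredentialFormat {
    param([string]$UserName, [string]$Separator = '*')

    # Mirapoint: #user@domain#Admin_UserName#
    if ($UserName -match '^#[^#@\s]+@[^#@\s]+#[^#\s]+#$') { return 'Mirapoint' }
    # Slash-separated form: domain/Admin_UserName/User_UserName
    if ($UserName -match '^[^/\s]+/[^/\s]+/[^/\s]+$') { return 'SlashSeparated' }
    # Dovecot (SASL): User_UserName<separator>Admin_UserName
    $parts = $UserName.Split($Separator)
    if ($parts.Count -eq 2 -and $parts[0] -and $parts[1]) { return 'Dovecot' }
    # Anything else is a bare logon name, as in the UserRoot example
    return 'Plain'
}

function Test-ImapMigrationCsv {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        [string]$Separator = '*'
    )

    # The header must carry the three required attributes; UserRoot is optional
    $columns = $Rows[0].PSObject.Properties.Name
    foreach ($name in 'EmailAddress', 'UserName', 'Password') {
        if ($columns -notcontains $name) { throw "Missing required column: $name" }
    }
    $hasUserRoot = $columns -contains 'UserRoot'

    $targets = @{}     # EmailAddress -> CSV line that first used it (keys are case-insensitive)
    $sources = @{}     # UserName|UserRoot -> CSV line that first used it
    $line = 1          # line 1 is the header

    $results = foreach ($row in $Rows) {
        $line++
        $issues = @()
        $root = if ($hasUserRoot) { "$($row.UserRoot)".Trim() } else { '' }

        if ($row.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $issues += 'EmailAddress is not an SMTP address'
        }
        if ([string]::IsNullOrWhiteSpace($row.UserName)) { $issues += 'UserName is empty' }
        if ([string]::IsNullOrWhiteSpace($row.Password)) { $issues += 'Password is empty' }
        if ($hasUserRoot -and -not $root) { $issues += 'UserRoot is empty' }

        # Two rows with the same target or the same source would collide in one batch
        $target = "$($row.EmailAddress)"
        if ($targets.ContainsKey($target)) {
            $issues += "EmailAddress repeats line $($targets[$target])"
        } else { $targets[$target] = $line }

        $source = "$($row.UserName)|$root"
        if ($sources.ContainsKey($source)) {
            $issues += "Source mailbox repeats line $($sources[$source])"
        } else { $sources[$source] = $line }

        [pscustomobject]@{
            Line         = $line
            EmailAddress = $row.EmailAddress
            Format       = Get-AdminCredentialFormat -UserName $row.UserName -Separator $Separator
            Issues       = $issues
        }
    }

    # Assumption: one CSV feeds one batch against one IMAP server, so formats should not mix
    $formats = @($results.Format | Sort-Object -Unique)
    if ($formats.Count -gt 1) {
        foreach ($r in $results) { $r.Issues += "File mixes formats: $($formats -join ', ')" }
    }
    return $results
}

# Constructed sample: Dovecot-style rows with one repeated source and one stray Mirapoint row
$sample = @'
EmailAddress,UserName,Password
terrya@contoso.edu,terry.adams*mailadmin,P@ssw0rd
annb@contoso.edu,terry.adams*mailadmin,P@ssw0rd
paulc@contoso.edu,#paul.cannon@contoso-students.edu#mailadmin#,P@ssw0rd
'@ | ConvertFrom-Csv

Test-ImapMigrationCsv -Rows $sample |
    Where-Object { $_.Issues.Count -gt 0 } |
    Format-Table Line, EmailAddress, Format, @{ Name = 'Issues'; Expression = { $_.Issues -join '; ' } } -Wrap
```

Because every row carries the IMAP administrator password in clear text, keep the file in a folder only the migration operator can read and delete it when the batch has completed.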

Prepare your Gmail or G Suite account for connecting to Outlook and Office 365
3/4/2019

Before you connect to your Gmail account from Outlook on the web, or add a Gmail account to Outlook, you
need to prepare your Gmail account. You need to turn on 2-step verification for Gmail and then create an app
password that Office 365 will use with your Gmail address to make the connection.
You will also have to do this if your admin is planning to migrate your Gmail or G Suite Gmail to Office 365.

Enable IMAP for Gmail and G Suite Accounts


Please make sure that you have enabled IMAP before you start the migration process. Failure to do so
will result in migration-related issues.
To enable IMAP for Gmail or G Suite Accounts:
1. Sign in to your Gmail/G Suite account using a supported browser.
2. Click the gear icon located at the top right of the screen.
3. In the drop-down menu that appears, click Settings.
4. Switch to the Forwarding and POP/IMAP tab.
5. Scroll down to IMAP access, and make sure that Enable IMAP is selected.
6. Scroll to the bottom. Click Save Changes.

Enable your Gmail to be connected by Office 365


To use an app password with Gmail, you have to first turn on 2-step verification, and then obtain the app
password. Once you have an app password you can use that in combination with your username to connect to
Gmail.
To turn on 2-step verification
1. Sign in to your Gmail account.
2. Select Google apps > My Account.
3. On the My Account page, choose Sign-in & security.
4. Under Password & sign-in method, choose the arrow next to 2-Step verification, and provide
your password if asked.
NOTE
If you have a Google Apps account and you can't see this setting, your admin has to first turn it on. For instructions
(for admin), see Enable 2-step verification for your G Suite users.

5. On the Signing in with 2-step verification page, choose Start setup.
6. Re-enter your password if asked, and in the Set up your phone step, enter or verify your cell phone. On
the next step, enter the verification number sent to your cell phone and choose Verify.
7. In the Trust this computer step, choose Next, and in the Turn on 2-step verification step, choose
Confirm.
To create an app password
1. Sign in to your Gmail account.
2. Select Google apps > My Account.
3. On the My Account page, choose Sign-in & security.
4. Under Password & sign-in method, choose the arrow next to App passwords, and provide your
password if asked.
5. On the App passwords page, in the Select app drop-down, choose Other (custom name).
6. Type in a name, for example Myconnection, and then choose GENERATE.
Note the app password under Your app password for your device. You can use this with your Gmail
address in the app you are connecting to your Gmail account (or adding your Gmail account to). This
combination gives the app that uses it complete access to your Gmail account.
After you have entered the app password, you do not have to remember it.

IMPORTANT
The 16-character app password is displayed with spaces so it is easier to read. When you enter it in the app you
want to connect, ignore the spaces and enter it as an unbroken string of 16 characters.

7. Now you're ready to add your Gmail account to Outlook. When you're prompted for a password, enter
this app password for your Gmail account. Don't enter your Gmail password. For instructions on adding
your Gmail account to Outlook, see these articles:
Add an email account to Outlook
Connect email accounts in Outlook on the web (Office 365)
Optionally revoke the app password
If you need the Gmail connection for a brief time only, for example for an IMAP mailbox migration that your
admin is running, you can later revoke the App password.
To revoke the app password code
1. Sign in to your Gmail account.
2. Select Google apps > My Account.
3. On the My Account page choose Sign-in & security.
4. Under the Password & sign-in method, choose the arrow next to the App passwords, and provide your
password if asked.
5. On the App passwords page, select REVOKE next to the app password you want to revoke.
Related Topics
Migrate email and contacts to Office 365
Ways to migrate multiple email accounts to Office 365
Migrating your Outlook.com account to Office 365
3/4/2019

If you are migrating your Outlook.com or Hotmail.com account to Office 365, you'll need to enable two-step
verification (also known as two-factor authentication).
Two-step verification helps protect you by making it more difficult for someone else to sign in to your email
account. It uses two different forms of identity: your password, and a contact method. Even if someone else finds
your password, they'll be stopped if they don't have access to your other devices or accounts.
You set up two-step verification with an email address, phone number, or authenticator app. When you sign in on a
new device or from a new location, we'll send you a security code that you enter on the sign-in page as a second
form of authentication in addition to your password.
After you have set up two-step verification, you can also obtain an app password, which you need in order
to use Internet Message Access Protocol (IMAP) migration to copy email from your Outlook.com or Hotmail.com
account to your Office 365 for business account. If your Office 365 admin is moving email messages from your
Outlook.com or Hotmail.com account to Office 365 on your behalf, you'll need to give the admin your app password.

Turn on two-step verification and create an app password in Outlook.com or Hotmail.com
1. Sign in to Outlook.com or Hotmail.com.
2. Go to the Security settings page. Enter your password if prompted.
If you want to navigate to the Security settings page, in Outlook.com click or tap your profile picture on the
upper right > View account. On the Account page, choose Security on the blue bar, and then choose
more security options.
3. Scroll down the page and choose Set up two-step verification under Two-step verification.
4. Choose Next to start the setup wizard.
5. On the Set up your smart phone with an app password page, under the Update your Windows
Phone 8 (or earlier) with an app password list, note the 16-digit app password in the list:

If you use a Windows Phone 8 (or earlier) you need to replace the password you use to sign in to your
email with the app password.
IMPORTANT
Even though the page indicates this is for Windows Phone 8 (or earlier), this list contains the app password your
admin needs to migrate your hotmail.com or outlook.com email to Office 365 for business. You will need this app
password even if you set up two-step verification by using an Android or iPhone.

This is also the app password you or your admin will use to migrate your hotmail.com or outlook.com email
to Office 365 for business.
6. On your mobile device, download the Microsoft Authenticator from your app store.
Choose one of the links to go to the Microsoft Authenticator for Windows Phone, Android, or iOS.
7. Open the Microsoft Authenticator app on your mobile device, and choose +. Scan the code on the Set up
an authenticator app page.
8. In step 4 on the Set up an authenticator app page, type the 6-digit code that's displayed on your mobile
device (for example, 555111; you don't need to include any spaces).
You don't need to memorize this password; it changes constantly and new ones are sent to you via the
Microsoft Authenticator app. This is why it's so secure. Whenever you sign in to your email account from a
new device or location, look at your Microsoft Authenticator app and sign in using the latest app password
that's been sent to you instead of using your old static password.
9. You'll get a message that two-step verification is turned on. Print your new recovery code (this isn't your
app password). If you ever need to recover access to this account, this recovery code will help. It's a good
idea to keep it tucked away in a safe place.
10. Choose Next.
Enable 2-step verification for your Google apps users
3/4/2019

If you want to migrate email for your Google Apps users to Office 365, the users need to create an app password
that you will use together with their Google Apps password to connect to their Gmail. Before they can create an
app password, you will have to allow them to turn on 2-step verification in the Google Admin console.

Enable 2-step verification


In order for your users to create an app password, they will have to first enable 2-step verification.
To enable 2-step verification for your Google apps domain
1. Sign in to the Google Admin console.
2. On the console choose Security.

3. On the Security page, choose Basic settings, and then select the check box next to Allow users to turn on
2-step verification.

4. Your users can now turn on 2-step verification and create an app password as described here: Prepare your
Gmail account for connecting to Outlook and Office 365.

How to migrate mailboxes from one Office 365 tenant to another
3/29/2019

This article explains how to migrate mailboxes and service settings from one Office 365 tenant to another Office
365 tenant in a business-merger scenario. If you have more than 500 users to migrate or a large amount of
SharePoint data to migrate, it's a good idea to work with an Office 365 partner.
The scenario in this article is based on two fictional companies - Contoso.com and Fabrikam.com - using two
separate Office 365 tenants. Contoso has purchased Fabrikam and is moving the Fabrikam users and data to the
contoso.com Office 365 tenant.

                             TENANT 1 (TARGET)          TENANT 2 (SOURCE)
Custom email domain:         contoso.com                fabrikam.com
Office 365 initial domain:   contoso.onmicrosoft.com    fabrikam.onmicrosoft.com

Scenario: Migrate using a third party migration tool


This scenario assumes that user, group and other objects from the Fabrikam Company will be manually created in
Office 365, imported into the portal via script, or merged into the Contoso Active Directory through Active
Directory Domain Services (AD DS) consolidation.
When complete, all Fabrikam accounts will exist in the Contoso.com Office 365 tenant, and will all use
@fabrikam.com for the UPN. The final addressing scheme was chosen for simplicity and brevity but can of course
be modified to meet your requirements.

Planning: Two weeks before you migrate


If using a third party migration tool to migrate your users, purchase the needed licenses for your migration.
Client considerations
For Outlook 2010 or above, you only need to remove the Outlook user profile and create it again.
For Outlook 2007 and Outlook 2010, when you are restarting the client, auto-discover will configure the client and
rebuild the .OST file.
For the Skype for Business client, once migration is complete, you will need to add contacts again because the
process creates a new profile.
Tenant preparation and licensing
The source tenant is the Fabrikam Office 365 tenant from which you are migrating users and data. The target
tenant is the Contoso Office 365 tenant to which you are migrating.
1. Increase licenses in Target Office 365 tenant to accommodate all mailboxes that will be migrated from the
source tenant.
2. Create Administrator accounts in source and target tenants for use in migrating from Office 365 to another
Office 365. Some migration tools may require more than one admin account in the source tenant to
optimize the data throughput.
Room, resource, distribution group, and user object creation in the target tenant
To create the resources in the target (Contoso) tenant:
1. If the Azure AD Connect tool will be used to sync all objects from the Contoso Active Directory Domain
Services (AD DS), the objects from the source (Fabrikam) tenant AD DS must be created in the target tenant
(Contoso) AD DS through consolidation.
2. AD DS consolidation can be done using various AD DS tools. Consolidation can take extra time and
planning depending on how many objects are being moved, so it can be completed ahead of the migration
project.
3. Verify that all new users and groups are synced to the Contoso.com target tenant via directory
synchronization. The objects should appear as user@contoso.onmicrosoft.com in the new tenant since the
Fabrikam domain has not been moved over at this time. The primary email address for the users and groups
can be updated to @fabrikam.com after the domain move is complete.
4. If directory synchronization will not be used, or if any Rooms, Resources, Groups or Users are managed in
the Office 365 admin center of the source tenant, these objects must be created in the target tenant. Objects
can be created manually in the Office 365 admin center or, for larger numbers, by importing a CSV file with
the bulk add feature in the Office 365 admin center, or by using Windows PowerShell.
End-user communications
To communicate the migration to the end users in your organization:
1. Create a communication plan and begin to notify users of the upcoming migration and service changes.
2. After migration, the nickname cache will have to be cleared on all Outlook clients. See How to reset the
nickname and the automatic completion caches in Outlook for an automated fix-it-tool that can be run by
the end users.
3. Make users aware of how to connect to Outlook Web App with their new sign on information in case they
have a problem after migration.
Preparation and pre-migration activities: Three days before you migrate
Domain preparation
To prepare the domain for migration, complete the following steps.
1. Begin domain verification process on target (Contoso) tenant for the Fabrikam.com email domain.
2. In the contoso.com Office 365 admin center, add the Fabrikam.com domain and create TXT records in
Domain Name System (DNS) for verification.
NOTE
The verification will fail because the domain is still in use in the other tenant.

Performing this step now will allow the DNS record time to propagate as it can take up to 72 hours. Final
validation will occur later in the process.
Migration scheduling
To schedule the migration:
1. Create a master list of user mailboxes you want to migrate.
2. Create a mailbox mapping .CSV file for the third-party migration tool you are using. This mapping file will be
used by the migration tool to match the source mailbox with the target tenant mailbox when migration
occurs. We recommend that you use the *.onmicrosoft.com 'initial' domain for mapping the source accounts
since the custom email domain will be constantly changing.

Mail exchanger record (MX record) time to live (TTL) test


Next, you'll schedule the TTL test.
1. In DNS, change the TTL value on the MX record for the primary email domain you wish to transfer to a
small number (for example, 5 minutes). If the TTL cannot be lowered to 5 minutes, make note of the lowest value.
For example, if the lowest value is 4 hours, the MX record will have to be changed 4 hours before your
migration begins.
2. Mx Lookup can be used to verify MX and DNS changes.
Disable directory sync in source tenant
In the source tenant Office 365 admin center, disable directory sync. This process can take 24 hours or more so it
must be done ahead of the migration. Once disabled in the portal, any changes to the source tenant AD DS will no
longer sync to the Office 365 tenant. Adjust your existing user and group provisioning process accordingly.
Migration: The day you migrate
These are the steps you'll need the day you perform the migration.
MX record change - Stop inbound mail flow
Change your primary MX record from Office 365 to a domain that is not reachable, for example "unreachable.example.com".
Internet mail servers attempting to deliver new mail will queue the mail and attempt redelivery for 24 hours. Using
this method, some email may return a non-delivery report (NDR) depending on the server attempting to deliver
the email. If this is a problem, use an MX record backup service. There are many third party services that will queue
your email for days or weeks. Once your migration is complete, these services will deliver the queued mail to your
new Office 365 tenant.
TIP
If your TTL is short, for example, five minutes, this step can be done at the end of the work day to cause less disruption. If
you have a larger TTL, you must change the MX record ahead of time to allow the TTL to expire. For example, a four hour TTL
must be changed before 2 PM if you plan to begin migrations at 6 PM.

Verify your MX and DNS changes if necessary. Nslookup or a service like MxToolbox can be used to verify MX and
DNS changes.
Source tenant preparation
The primary email domain, fabrikam.com, must be removed from all objects in the source tenant before the
domain can be moved to the target tenant.
1. If you had also set up your domain with a SharePoint Online public website, then before you can remove the
domain, you first have to set the website's URL back to the initial domain.
2. Remove all Lync licenses from the users in the source tenant using the Lync admin portal. This will remove the
Lync SIP address connected to Fabrikam.com.
3. Reset default email addresses on Office 365 source mailboxes to the initial domain
(fabrikam.onmicrosoft.com).
4. Reset default email addresses on all Distribution Lists, Rooms and Resources to the initial domain
(fabrikam.onmicrosoft.com) in source tenant.
5. Remove all secondary email (proxy addresses) from user objects that are still using @fabrikam.com.
6. Set default domain in source tenant to fabrikam.onmicrosoft.com routing domain (in the admin portal, click
your company name in the upper right corner).
7. Use Windows PowerShell command Get-MsolUser -DomainName Fabrikam.com to retrieve a list of all
objects that are still using the domain and blocking removal.
8. For common domain removal issues, see You get an error message when you try to remove a domain from
Office 365.
Target tenant preparation
Complete the verification of the Fabrikam.com domain in the contoso.com tenant. You may have to wait one hour
after removing the domain from the old tenant.
1. (Optional) Configure the Autodiscover CNAME (internal/external).
2. If you are using AD FS, configure the new domain in target tenant for AD FS.
3. Begin mailbox activation in the contoso.com tenant: assign licenses to all of the new user accounts.
4. Set the Fabrikam.com email domain as the primary address on the new users. This can be done by
selecting/editing multiple unlicensed users in the portal or by using Windows PowerShell.
5. If you are not using the password hash sync feature, pass-through authentication or AD FS, set password on
all mailboxes in the target (Contoso) tenant. If you are not using a common password, notify users of the
new password.
6. Once mailboxes are licensed and active, transition the mail routing. Point the Fabrikam MX record to Office
365 target (Contoso) tenant. When the MX TTL expires, mail will begin to flow into the new empty
mailboxes. If you are using an MX backup service, you can release the email to the new mailboxes.
7. Perform verification testing of mail flow to/from new mailboxes in the target tenant.
8. If you are using Exchange Online Protection (EOP): In the target tenant, recreate mail flow rules (also known
as transport rules), connectors, white/black lists etc. from the source tenant.
Begin migration
To minimize downtime and user inconvenience, determine the best method for migration.
Migration for 500 users or less: Migrate mail, calendar, and contact data to target tenant mailboxes. Limit
mail migration by date if possible; for example, the last 6 months of data.
Migration for more than 500 users: Use a multi-pass approach where you migrate contacts, calendars and
only 1 week of email for all users, then on succeeding days or weeks, do multiple passes to fill in the
mailboxes with older email data.
Start your mail migration via the third party migration tool.
1. Monitor migration progress with the tools provided by the vendor. Send out periodic progress reports
during migration to management and migration team.
2. (Optional) Do second or third pass migrations after all migrations are complete.
At the end of migration, Outlook 2007 and 2010 will sync the entire mailbox for each user, consuming considerable
bandwidth depending on how much data you migrated into each mailbox. Outlook 2013 will only cache 12 months
of data by default. This setting can be configured to more or less data, for example, only 3 months of data, which
can lighten bandwidth usage.
Post migration: Cleanup
Users may receive NDRs when replying to migrated email messages. The Outlook nickname cache needs to be
cleared. See How to reset the nickname and the automatic completion caches in Outlook. Alternatively, add the old
legacy DN as an x.500 proxy address to all users.

Sample Windows PowerShell scripts


Use the following sample Windows PowerShell scripts as a starting point for creating your own scripts.
Office 365 bulk password reset
1. Create a CSV file named password.csv.
2. Insert "upn" and "newpassword" columns in this file (Example: johnsmith@contoso.com,Password1)
3. Use the Windows PowerShell command:

Import-Csv password.csv | % {Set-MsolUserPassword -UserPrincipalName $_.upn -NewPassword $_.newpassword -ForceChangePassword $false}
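
The command above applies whatever password.csv contains, so a shared value such as Password1 would end up on every account. As an added example (not part of the original article), the script below builds password.csv with a different random password for each UPN; the function names, alphabet, default length of 16 and the sample UPNs are assumptions.

```powershell
# Added example (not from the original article): build password.csv with a different
# random password for every UPN. Function names, alphabet, length and UPNs are assumptions.

function Get-UniformIndex {
    param($Rng, [int]$Max)          # returns an unbiased integer in 0..($Max - 1); $Max <= 256
    $byte = New-Object byte[] 1
    $limit = 256 - (256 % $Max)     # largest multiple of $Max that fits in one byte
    # Rejection sampling: discard bytes that would bias the modulo
    do { $Rng.GetBytes($byte) } while ($byte[0] -ge $limit)
    return $byte[0] % $Max
}

function New-RandomPassword {
    param([ValidateRange(4, 64)][int]$Length = 16)

    # Four character classes; look-alikes (0/O, 1/l/I), commas and quotes are left out
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+-=?@'
    $all = -join $classes

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object System.Collections.Generic.List[char]
        # Guarantee one character from each class, then fill from the whole alphabet
        foreach ($class in $classes) {
            $chars.Add($class[(Get-UniformIndex $rng $class.Length)])
        }
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-UniformIndex $rng $all.Length)])
        }
        # Fisher-Yates shuffle so the guaranteed characters are not always in front
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UniformIndex $rng ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return (-join $chars.ToArray())
    }
    finally {
        $rng.Dispose()
    }
}

# Constructed sample UPNs; in practice the list comes from the mailbox master list
$upns = 'terrya@fabrikam.com', 'annb@fabrikam.com', 'paulc@fabrikam.com'

$rows = foreach ($upn in $upns) {
    [pscustomobject]@{ upn = $upn; newpassword = New-RandomPassword -Length 16 }
}

# Same column names the bulk reset command expects
$rows | Export-Csv -Path password.csv -NoTypeInformation
```

Running the reset command with -ForceChangePassword $true instead of $false makes each user replace the distributed value at the next sign-in.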

Copy all Office 365 accounts with a specific proxy address into a CSV file
################################################################################
# Script: showproxies.ps1
# Copies all accounts in Office 365 that contain/don't contain a specific
# proxyaddress to a .CSV file (addresses.csv)
#
# Change the following variable to the proxy address string you want to find:
# $proxyaddr = "onmicrosoft.com"
################################################################################
$proxyaddr = "onmicrosoft.com"
# Create an object to hold the results
$addresses = @()
# Get every mailbox in the Exchange organization
$Mailboxes = Get-Mailbox -ResultSize Unlimited
# Loop through the mailboxes
ForEach ($mbx in $Mailboxes) {
    # Loop through every address assigned to the mailbox
    ForEach ($address in $mbx.EmailAddresses) {
        # If it contains the search string (compared in lower case), record it
        if ($address.ToString().ToLower().Contains($proxyaddr.ToLower())) {
            # This is an email address. Add it to the list
            $obj = "" | Select-Object Alias,EmailAddress
            $obj.Alias = $mbx.Alias
            $obj.EmailAddress = $address.ToString() #.SubString(10)
            $addresses += $obj
        }
    }
}
# Export the final object to a csv in the working directory
$addresses | Export-Csv addresses.csv -NoTypeInformation
# Open the csv with the default handler
Invoke-Item addresses.csv
##### END OF SHOWPROXIES.PS1

Bulk create room mailboxes in Office 365


################################################################################
# Script: create-rooms.ps1
# Description: *** RUN THIS SCRIPT FROM A WINDOWS POWERSHELL SESSION ***
# This script creates room mailboxes in Office 365.
# Syntax: Create-Rooms.ps1 -inputfile "file name.csv"
#
# Dependencies: Input file should contain 3 columns: RoomName, RoomSMTPAddress, RoomCapacity
#
################################################################################
param( $inputFile )
Function Usage
{
    # Strip the folder path so only the script file name is shown
    $strScriptFileName = ($MyInvocation.ScriptName).Substring(($MyInvocation.ScriptName).LastIndexOfAny("\") + 1).ToString()
@"
NAME:
$strScriptFileName
EXAMPLE:
C:\PS> .\$strScriptFileName -inputfile `"file name.csv`"
"@
}
If (-not $inputFile) {Usage;Exit}
# Get MSO creds and initialize session
If ($null -eq $cred) {$Global:cred = Get-Credential}
# Connect only if the Exchange cmdlets are not already imported
If ($ExchRemoteCmdlets.AccessMode -ne "ReadWrite")
{
    Write-Host
    Write-Host Connecting to Office 365...
    Write-Host
    $NewSession = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell `
        -Credential $cred -Authentication Basic -AllowRedirection
    $Global:ExchRemoteCmdlets = Import-PSSession $NewSession
}
# Import the CSV file
$csv = Import-CSV $inputFile
# Create the rooms contained in the CSV file
$csv | ForEach-Object {
    New-Mailbox -Name $_.RoomName -Room -PrimarySmtpAddress $_.RoomSMTPAddress -ResourceCapacity $_.RoomCapacity
}
##### END OF CREATE-ROOMS.PS1

Bulk remove secondary email address from mailboxes


################################################################################
# Script: remove-proxy.ps1
# Description: *** RUN THIS SCRIPT FROM A WINDOWS POWERSHELL SESSION ***
# This script will remove a secondary email address from many users
#
# Syntax: remove-proxy.ps1 -inputfile "filename.csv"
#
# Dependencies: Input file should contain 2 columns: Username, Emailsuffix
# Example: Username=tim, Emailsuffix=fabrikam.com
# Script will remove the address tim@fabrikam.com from the mailbox for Tim.
# NOTE: Address must be secondary; it will not remove primary email address.
#
################################################################################
param( $inputFile )
Function Usage
{
    # Strip the folder path so only the script file name is shown
    $strScriptFileName = ($MyInvocation.ScriptName).Substring(($MyInvocation.ScriptName).LastIndexOfAny("\") + 1).ToString()
@"
NAME:
$strScriptFileName
EXAMPLE:
C:\PS> .\$strScriptFileName -inputfile `"file name.csv`"
"@
}
If (-not $inputFile) {Usage;Exit}
# Get MSO creds and initialize session
If ($null -eq $cred) {$Global:cred = Get-Credential}
# Connect only if the Exchange cmdlets are not already imported
If ($ExchRemoteCmdlets.AccessMode -ne "ReadWrite")
{
    Write-Host
    Write-Host Connecting to Office 365...
    Write-Host
    $NewSession = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell `
        -Credential $cred -Authentication Basic -AllowRedirection
    $Global:ExchRemoteCmdlets = Import-PSSession $NewSession
}
# Import the CSV file and remove the secondary address from each mailbox
$csv = Import-CSV $inputFile
$csv | ForEach-Object {
    # Set variable for email address to remove
    $removeaddr = $_.Username + "@" + $_.Emailsuffix
    Write-Host ("Processing User: " + $_.Username + " - Removing " + $removeaddr)
    Set-Mailbox $_.Username -EmailAddresses @{Remove=$removeaddr}
}
##### END OF REMOVE-PROXY.PS1
Migrate from Lotus Notes to Office 365
3/4/2019

When you are planning to migrate email from IBM Lotus Notes to Office 365, use the Microsoft Online Notes
Inspector (MONTI) application to evaluate how much data needs to be migrated from a customer's Lotus Notes
environment to Office 365.
Here's what MONTI does:
It processes mail files to determine the total database size, document count (calendar, contacts, groups, mail,
and tasks), and size by days.
It processes Mail-In Databases to determine the total database size, and Size by Days.
It posts results under the People, Mail-In Databases, and Logs views. You can create these reports manually
or on a scheduled basis.
Download the MONTI application and accompanying documentation from the Microsoft Download Center.
The documentation describes how to deploy, configure, and run the MONTI application in a customer's Domino
environment.
Add an SSL certificate to Exchange 2013
3/6/2019

Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Exchange 2013 server. This article shows you how to configure an SSL
certificate from a third-party certificate authority (CA).

What permissions do you need?


In order to add certificates, you need to be assigned the Organization Management role group on the Exchange
Server 2013.

Tasks for adding an SSL certificate


Adding an SSL certificate to Exchange Server 2013 is a three-step process.
1. Create a certificate request
2. Submit the request to certificate authority
3. Import the certificate

Create a certificate request


To create a certificate request
1. Open the Exchange admin center (EAC) by browsing to the URL of your Client Access server, for example,
https://Ex2013CAS/ECP.
2. Enter your username and password by using the domain\username format for username, and choose Sign
in.
3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in
the Select server field, and then choose New.
4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification
authority and then choose Next.
5. Specify a name for this certificate, and then choose Next.
6. If you want to request a wildcard certificate, select Request a wild-card certificate, and then specify the
root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate
and instead want to specify each domain that you want to add to the certificate, leave this page blank.
Choose Next.
7. Choose Browse, and specify an Exchange server to store the certificate on. The server you select should be
the internet-facing Client Access server. Choose Next.
8. For each service in the list shown, verify that the external or internal server names that users will use to
connect to the Exchange server are correct. For example:
If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from
the internet) and Outlook Web App (when accessed from the intranet) should show owa.contoso.com.
Offline Address Book (OAB) (when accessed from the internet) and OAB (when accessed from the intranet)
should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the
internet) should show owa.contoso.com, and Outlook Web App (when accessed from the intranet) should
show internal.contoso.com.
These domains will be used to create the SSL certificate request. Choose Next.
9. Add any additional domains you want included on the SSL certificate.
10. Select the domain that you want to be the common name for the certificate > Set as common name. For
example, contoso.com. Choose Next.
11. Provide information about your organization. This information will be included with the SSL certificate.
Choose Next.
12. Specify the network location where you want this certificate request to be saved. Choose Finish.
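
The host name check in step 8, including the wildcard choice from step 6, can be run against the list of names planned for the request before it is sent to the CA. This is an added example, not part of the original article: the function names and name lists are constructed, owa.emea.contoso.com is a made-up host, and the wildcard rule applied is the usual one where * stands for exactly one leftmost label.

```powershell
# Added example (not from the original article). Function names and the name lists are
# constructed; host names reuse the contoso.com examples from step 8.

function Test-NameCoveredBy {
    param([string]$HostName, [string]$CertName)

    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    $c = $CertName.Trim().TrimEnd('.').ToLowerInvariant()
    $ordinal = [System.StringComparison]::Ordinal

    if ($c.StartsWith('*.', $ordinal)) {
        # *.contoso.com covers owa.contoso.com, but not contoso.com or a.b.contoso.com
        $suffix = $c.Substring(1)                          # ".contoso.com"
        if (-not $h.EndsWith($suffix, $ordinal)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $c)
}

function Test-CertificateNameCoverage {
    param(
        # Common name plus additional domains planned for the request
        [Parameter(Mandatory = $true)][string[]]$CertificateNames,
        # Service -> host name that clients use to reach it
        [Parameter(Mandatory = $true)][System.Collections.IDictionary]$ServiceHosts
    )

    foreach ($service in $ServiceHosts.Keys) {
        $hostName = $ServiceHosts[$service]
        $coveredBy = $CertificateNames |
            Where-Object { Test-NameCoveredBy -HostName $hostName -CertName $_ } |
            Select-Object -First 1

        [pscustomobject]@{
            Service   = $service
            HostName  = $hostName
            Covered   = [bool]$coveredBy
            CoveredBy = $coveredBy
        }
    }
}

# Host names from the step 8 examples, plus one constructed two-level name
$serviceHosts = [ordered]@{
    'Outlook Web App (internet)' = 'owa.contoso.com'
    'Outlook Web App (intranet)' = 'internal.contoso.com'
    'OAB (internet/intranet)'    = 'mail.contoso.com'
    'Constructed regional OWA'   = 'owa.emea.contoso.com'
}

# Case 1: wildcard request. Case 2: each domain listed explicitly.
$wildcardNames = '*.contoso.com'
$explicitNames = 'contoso.com', 'owa.contoso.com', 'mail.contoso.com'

'--- Wildcard request ---'
Test-CertificateNameCoverage -CertificateNames $wildcardNames -ServiceHosts $serviceHosts | Format-Table -AutoSize

'--- Explicit domain list ---'
Test-CertificateNameCoverage -CertificateNames $explicitNames -ServiceHosts $serviceHosts | Format-Table -AutoSize
```

Any row with Covered set to False is a name clients will connect to that the issued certificate would not match, so add it to the request before submitting it.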

Submit the request to certificate authority


After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an
internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server
must trust the CA that you use. You can search the CA website for the specific steps for submitting your request.

Import the certificate


After you receive the certificate from the CA, complete the following steps.
To import the certificate request
1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous
steps.
2. In the certificate request details pane, choose Complete under Status.
3. On the complete pending request page, specify the path to the SSL certificate file > OK.
4. Select the new certificate you just added, and then choose Edit.
5. On the certificate page, choose Services.
6. Select the services you want to assign to this certificate. At a minimum, you should select SMTP and IIS.
Choose Save.
7. If you receive the warning Overwrite the existing default SMTP certificate?, choose Yes.
Add an SSL certificate to Exchange 2010
3/6/2019

Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Exchange 2010 server. This article shows you how to configure an SSL
certificate from a third-party certificate authority (CA).

What permissions do you need?


In order to add certificates, you need to be assigned the Organization Management role group on the Exchange
2010.

Tasks for adding an SSL certificate


Adding an SSL certificate to Exchange 2010 is a three-step process.
1. Create a certificate request
2. Submit the request to certificate authority
3. Import the certificate

Create a certificate request


To create a certificate request
1. Open the Exchange Management Console (EMC).
2. Select the server to which you want to add the certificate.
3. In the Actions pane, choose New Exchange Certificate.

4. In the New Exchange certificate wizard, specify a name for this certificate, and then choose Next.
5. In the Domain Scope page, specify the root domain for all subdomains in the Root domain field. If you
want to request a wildcard, select Enable wildcard certificate. If you don't want to request a wildcard
certificate, you will specify each domain you want to add to the certificate on the next page. Choose Next.
6. On the Exchange Configuration page for each service in the list shown, verify that the external or internal
server names that users will use to connect to the Exchange server are correct. For example:
If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from
the internet) and Outlook Web App (when accessed from the intranet) should show owa.contoso.com.
Offline Address Book (OAB) (when accessed from the internet) and OAB (when accessed from the intranet)
should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the
internet) should show owa.contoso.com, and Outlook Web App (when accessed from the intranet) should
show internal.contoso.com.
7. These domains will be used to create the SSL certificate request. Choose Next.
8. On the Certificate Domains page, add any additional domains you want included on the SSL certificate.
Select the domain that you want to be the common name for the certificate > Set as common name. For
example, contoso.com. Choose Next.
9. On the Organization and Location page, provide information about your organization. This information
will be included with the SSL certificate.
Specify the network location where you want this certificate request to be saved. Choose Next.
10. On the Certificate Configuration page, review the summary information, choose New to create the
certificate, and then choose Finish on the Completion page.

Submit the request to certificate authority


After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an
internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server
must trust the CA that you use. You can search the CA website for the specific steps for submitting your request.

Import the certificate


After you receive the certificate from the CA, complete the following steps.
To import the certificate request
1. Open the EMC.
2. Select the server to which you want to import the certificate.
3. In the Exchange Certificates pane, select the request you created earlier, and in the Actions pane, choose
Complete Pending Request.

4. On the Complete Pending Request page, specify the path to the SSL certificate file you received from
your CA > Complete.
5. On the Completion page, choose Finish.
6. To assign services to this certificate, on the EMC, select the Exchange server, and then select the certificate in
the Exchange Certificates tab.
In the Actions pane, choose Assign Services to Certificate.
7. On the Select Servers page of the Assign Services to Certificate wizard, select the name of the server to
which you're adding the certificate > Next.
8. On the Select Services page, select the services you want to assign to this certificate. At a minimum, you
should select SMTP and IIS. Choose Next.
9. On the Assign Services page, choose Assign.
If you receive the warning Overwrite the existing default SMTP certificate?, choose Yes > Finish.
Add an SSL certificate to Exchange 2007
3/6/2019 • 2 minutes to read

Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require
certificates to be configured on your Microsoft Exchange Server 2007 server. This article shows you how to
configure an SSL certificate from a third-party certificate authority (CA).

Tasks for adding an SSL certificate


Adding an SSL certificate to Microsoft Exchange Server 2007 is a three-step process.
1. Create a certificate request
2. Submit the request to certificate authority
3. Import the certificate

Create a certificate request


To create a certificate request in Microsoft Exchange Server 2007, use the New-ExchangeCertificate command. To
run the New-ExchangeCertificate command, the account you use must be in the Exchange Server Administrator
role and local Administrators group for the target server.
To create a certificate request
1. Open the Exchange Management Shell on the local server.
2. On the command line, type:

New-ExchangeCertificate -DomainName "owa.servername.contoso.com","mail.servername.contoso.com","autodiscover.servername.contoso.com","sts.servername.contoso.com","oos.servername.contoso.com","mail12.servername.contoso.com","edge.servername.contoso.com" -FriendlyName "Exchange 2007 Certificate" -GenerateRequest:$true -KeySize 2048 -Path "C:\certlocation" -PrivateKeyExportable $true -SubjectName "c=us, o=ContosoCorporation, cn=servername.contoso.com"

In the command example above, servername is the name of your server, contoso.com is an example of a
domain name, and certlocation is a file path to the location where you want to store the request once it is
generated. Replace all these placeholders with the information that is appropriate for your Microsoft Exchange
Server 2007.
In the DomainName parameter, add the domain names for the certificate request. For example, if you
configured your internal and external URLs to be the same, the domain name for Outlook Web App (when
accessed from the internet) and Outlook Web App (when accessed from the intranet) should look like
owa.servername.contoso.com.
Use the SubjectName parameter to specify the Subject Name on the resulting certificate. This field is used
by DNS-aware services and binds a certificate to a particular domain name.
You must specify the GenerateRequest parameter as $true. Otherwise, you will create a self-signed
certificate.
3. After you run the above command, a certificate request is saved in the file location you specified by using
the Path parameter.
The New-ExchangeCertificate command also creates a Thumbprint output parameter that you use when
you submit the request to a third-party certificate authority in the next step.

Submit the request to certificate authority


After you've saved the certificate request, submit the request to your CA. This can be an internal CA or a third-
party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that
you use. You can search the CA website for the specific steps for submitting your request.

Import the certificate


After you receive the certificate from the CA, use the Import-ExchangeCertificate command to import it.
To import the certificate request
1. Open the Exchange Management Shell on the local server.
2. On the command line, type:

Import-ExchangeCertificate C:\filepath

The filepath parameter above specifies the location where you saved the certificate file that was provided by
the third-party CA.
When you run this command, it creates a Thumbprint output parameter that you use to enable the certificate
in the next step.
To enable the certificate
1. To enable the certificate, you use the Enable-ExchangeCertificate command. On the command line, type:

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services iis,smtp,pop,imap

The Thumbprint parameter specifies the one you received as output when you ran the
Import-ExchangeCertificate command.
In the Services parameter, specify the services you want to assign to this certificate. At a minimum, you
should specify SMTP and IIS.
2. If you receive the warning Overwrite the existing default SMTP certificate?, type in A (yes for all).
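
As an added example (not part of the original article), the following PowerShell function checks a certificate object such as the one returned by Get-ExchangeCertificate after the enable step: that it is not self-signed, that it carries the names clients connect to, and that the expected services are assigned. The function name, the 30-day expiry threshold, and the sample object are assumptions made for illustration, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. The function name, parameter
# names, and the 30-day threshold are illustrative assumptions.
function Test-ExchangeCertificateAssignment {
    param(
        $Certificate,                                    # object from Get-ExchangeCertificate
        [string[]]$RequiredName,                         # host names clients connect to
        [string[]]$RequiredService = @('IIS', 'SMTP'),   # the article's stated minimum
        [int]$MinDaysValid = 30                          # assumed renewal warning window
    )

    $findings = @()

    # Omitting -GenerateRequest produces a self-signed certificate, which
    # clients do not trust by default.
    if ($Certificate.IsSelfSigned) {
        $findings += 'Certificate is self-signed; it was not issued by a CA.'
    }
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key is associated with the certificate.'
    }

    # Compare names case-insensitively. A wildcard entry covers exactly one label.
    $names = @($Certificate.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
    foreach ($required in $RequiredName) {
        $name     = $required.ToLowerInvariant()
        $wildcard = '*.' + ($name -replace '^[^.]+\.', '')
        if (($names -notcontains $name) -and ($names -notcontains $wildcard)) {
            $findings += "Name not covered by the certificate: $name"
        }
    }

    # Services is a flags value that renders as a comma-separated list, e.g. "IIS, SMTP".
    $services = @("$($Certificate.Services)" -split '\s*,\s*')
    foreach ($service in $RequiredService) {
        if ($services -notcontains $service) {
            $findings += "Service not assigned: $service"
        }
    }

    $daysLeft = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysValid) {
        $findings += "Certificate expires in $daysLeft day(s)."
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample standing in for Get-ExchangeCertificate output, so the
# example runs without an Exchange server.
$sample = [pscustomobject]@{
    Thumbprint         = '5113ae0233a72fccb75b1d0198628675333d010e'
    IsSelfSigned       = $false
    HasPrivateKey      = $true
    CertificateDomains = @('owa.servername.contoso.com', 'mail.servername.contoso.com')
    Services           = 'IIS, SMTP'
    NotAfter           = (Get-Date).AddDays(400)
}

$result = Test-ExchangeCertificateAssignment -Certificate $sample -RequiredName @(
    'owa.servername.contoso.com',
    'mail.servername.contoso.com',
    'autodiscover.servername.contoso.com')
$result.Findings

# On the Exchange server, pass the real object instead of the sample:
#   Test-ExchangeCertificateAssignment -Certificate (Get-ExchangeCertificate -Thumbprint <thumbprint>) -RequiredName <names>
```
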

See also
Blog article on adding an SSL to Exchange Server 2007
Enable your Gmail account for IMAP
3/6/2019 • 2 minutes to read

Internet Message Access Protocol (IMAP) is a protocol that allows you to download messages from a mail
provider's servers, such as those for Gmail, onto your computer so you can use Microsoft Outlook to view and edit
your email, even when you aren't connected to the internet.

Enable IMAP for your Gmail account


To make your Gmail messages accessible by Microsoft Outlook, you need to enable it for IMAP.
1. Sign in to your Gmail account by using a browser that is supported (Google Chrome, Firefox, Internet
Explorer, or Safari).

2. Choose or click the gear icon on the top right.


3. Choose Settings > Forwarding and POP/IMAP.
4. Select Enable IMAP, and then choose Save Changes.
Office 365 migration performance and best practices
3/6/2019 • 28 minutes to read

There are many paths to migrate data from an on-premises email organization to Microsoft Office 365. When
planning a migration to Office 365, a common question is about how to improve the performance of data
migration and optimize migration velocity.

NOTE
The performance information listed in this topic doesn't apply to Office 365 service for dedicated subscription plans. For
more information about Dedicated Plans, see Office 365 Dedicated Plans Service Descriptions.

Overview of migrating email to Office 365


Office 365 supports several methods to migrate email, calendar, and contact data from your existing messaging
environment to Office 365 as described in Ways to migrate multiple email accounts to Office 365.
For more information about Office 365 networking and performance, see Network planning and performance
tuning for Office 365.
Frequently used migration methods

MIGRATION METHOD: Internet Message Access Protocol (IMAP) migration
DESCRIPTION: You can use the Exchange admin center or Exchange Online PowerShell to migrate the contents of users' mailboxes from an IMAP messaging system to their Office 365 mailboxes. This includes migrating your mailboxes from other hosted email services, such as Gmail or Yahoo Mail.
RESOURCES: Migrate your IMAP mailboxes to Office 365

MIGRATION METHOD: Cutover migration
DESCRIPTION: Using a cutover migration, you migrate all on-premises mailboxes to Office 365 over a few days. Use cutover migration if you plan to move your entire email organization to Office 365 and manage user accounts in Office 365. You can migrate a maximum of 2,000 mailboxes from your on-premises Exchange organization to Office 365 using a cutover migration. The recommended number of mailboxes, however, is 150. Performance suffers with numbers higher than that. The mail contacts and distribution groups in your on-premises Exchange organization are also migrated.
RESOURCES: Cutover migration to Office 365

MIGRATION METHOD: Staged migration
DESCRIPTION: You use a staged migration if you plan to eventually migrate all your organization's mailboxes to Office 365. Using a staged migration, you migrate batches of on-premises mailboxes to Office 365 over the course of a few weeks or months.
RESOURCES: What you need to know about a staged email migration to Office 365

MIGRATION METHOD: Hybrid deployment
DESCRIPTION: A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Office 365 organization.
RESOURCES: Exchange Server 2013 Hybrid Deployments

MIGRATION METHOD: Third-party migration
DESCRIPTION: There are many tools available from third parties. They use distinctive protocols and approaches to conduct email migrations from email platforms like IBM Lotus Notes and Novell GroupWise.
RESOURCES: Here are some third-party migration tools and partners that can assist with Exchange migrations from third-party platforms:
• Binary Tree: Provider of cross-platform messaging migration and coexistence software, with products that provide for the analysis of and the coexistence and migration between on-premises and online enterprise messaging and collaboration environments based on IBM Lotus Notes and Domino and Exchange and SharePoint.
• BitTitan: Provider of migration solutions to Office 365.
• Metalogix: Provider of migration solutions to Office 365 and SharePoint Online.
• Quadrotech: Provider of migration solutions to Office 365.
• SkyKick: Provider of automated migration solutions to move on-premises Exchange, Gmail, POP3, IMAP, Lotus Notes to Office 365. The end-to-end migration tools help partners with the sales, planning, migration, management, and onsite phases of the migration project.
• TransVault: Provider of migration solutions to Office 365.

Performance for migration methods
The following sections compare mailbox migration workloads and the observed performance results for the
different migration methods for migrating mailboxes and mailbox data to Office 365. These results are based on
internal testing and actual customer migrations to Office 365.

IMPORTANT
Because of differences in how migrations are performed and when they're performed, your actual migration velocity may
vary.

Customer migration workloads


The following table describes the different workloads involved in a typical migration, and the challenges and
options for each.

WORKLOAD: Onboarding (Migrating to O365)
NOTES: Microsoft offers data migration capability and tools for customers to use to migrate their data from Exchange Server on-premises to Exchange Online (M365). There are a number of methods for migrating mailboxes and mailbox data, starting with Cutover migrations and Staged migrations, which are based on merge and sync moves, and which are described earlier in this article. The other main migration method involves hybrid moves, which is currently the most common method. You can decide exactly when you'd like to migrate to Microsoft 365, based on your business needs.

WORKLOAD: Multi-Geo
NOTES: Multinational companies with offices around the world often have a need to store their employee data at-rest in specific regions, in order to meet their data residency requirements. Multi-Geo enables a single Office 365 tenant to span across multiple Office 365 datacenter geographies (geos), which gives you the ability to store Exchange data, at-rest, on a per-user basis, in your chosen geos. For more details, see Get enterprise-grade global data location controls with Multi-Geo.

WORKLOAD: Encryption
NOTES: O365 Service Encryption with Customer Key is a feature that allows a customer to provision and manage the root keys that are used to encrypt data at-rest at the application layer in Office 365. For a mailbox to become encrypted the first time, a mailbox move is required. For more details, see Service encryption with Customer Key for Office 365 FAQ.

WORKLOAD: GoLocal
NOTES: Microsoft continues to open new datacenters for Office 365 in new regions, or geos. Existing customers, when eligible, can request to have their Office 365 customer data from their original datacenter moved to a new geo. The period of time in which you can make this request is usually one or two years, depending on the overall demand on the service. Note that this period of time during which you can request to have your customer data moved becomes shorter once a datacenter (DC) for the new geo launches (at that point you have approximately three to six months to request a move). Details are available in Moving core data to new Office 365 datacenter geos.

When mailboxes are migrated within Microsoft 365 data centers, every mailbox move or bulk-mailbox move
requires time for the operation to complete. There are a number of factors, such as Microsoft 365 service activity,
that can affect exactly how much time. The service is designed to throttle discretionary workloads like mailbox
moves, to ensure that the service runs optimally for all users. You can still expect mailbox moves to be processed,
however, depending on the service's discretionary resource availability. More details about resource throttling can
be found in this blog post.
Estimated migration times
To help you plan your migration, the following tables present guidelines about when to expect bulk mailbox
migrations or individual migrations to complete. These estimates are based on a data analysis of previous
customer migrations. Because every environment is unique, your exact migration velocity may vary.
Mailbox migration duration based on mailbox size profiles:
1. Onboarding / PSTImport

MAILBOX SIZE (GB)    50TH PERCENTILE DURATION (DAYS)    90TH PERCENTILE DURATION (DAYS)
< 1                  1                                  7
1 - 10               1                                  7
10 - 50              3                                  14
50 - 100             3                                  30
100 - 200            8                                  45
> 200                Not supported                      Not supported

2. Multi-Geo / GoLocal / Encryption

MAILBOX SIZE (GB)    50TH PERCENTILE DURATION (DAYS)    90TH PERCENTILE DURATION (DAYS)
< 1                  1                                  7
1 - 10               1                                  10
10 - 50              3                                  30
50 - 100             15                                 45
100 - 200            30                                 60
> 200                Not supported                      Not supported

Migration duration to complete 90% of mailbox moves based on tenant size profiles:

TENANT SIZE (NUMBER OF MAILBOXES)    DURATION (DAYS)    MAY TAKE UP TO THIS MANY DAYS
< 1,000                              5                  14
1,000 - 5,000                        10                 30
5,000 - 10,000                       20                 45
10,000 - 50,000                      30                 60
50,000 - 100,000                     45                 90
> 100,000                            60                 180

Note that some outlier mailboxes would take longer to complete based on the mailbox profile. Also, if a tenant has
larger mailboxes on average, this can also contribute to the extended duration of migration.

Migration performance factors


Email migration has several common factors that can affect migration performance.
Common migration performance factors
The following table provides a list of common factors that affect migration performance. More details are covered
in the sections describing the individual migration methods.

FACTOR: Data source
DESCRIPTION: The device or service that hosts the data to be migrated. Many limitations might apply to the data source because of hardware specifications, end-user workload, and back-end maintenance tasks.
EXAMPLE: Gmail limits how much data can be extracted during a specific period of time.

FACTOR: Data type and density
DESCRIPTION: Because of the unique nature of a customer's business, the type and mix of mail items within mailboxes vary greatly.
EXAMPLE: One 4-GB mailbox with 400 items, each with 10 megabytes (MB) of attachments, will migrate faster than one 4-GB mailbox with 100,000 smaller items.

FACTOR: Migration server
DESCRIPTION: Many migration solutions use a "jump box" type of migration server or workstation to complete the migration.
EXAMPLE: Customers often use a low-performance virtual machine to host the MRSProxy service for hybrid deployments or for client PC non-hybrid migrations.

FACTOR: Migration engine
DESCRIPTION: The data migration engine responsible for pulling data from the source server converts data, if necessary. The engine then transmits the data over the network and injects the data into the Office 365 mailbox.
EXAMPLE: MRSProxy service has its own capabilities and limitations.

FACTOR: On-premises network appliances
DESCRIPTION: The end-to-end network performance, from the data source to Exchange Online client access servers, affects migration performance.
EXAMPLE: Firewall configuration and specifications on the on-premises organization.

FACTOR: Office 365 service
DESCRIPTION: Office 365 has built-in support and features to manage the migration workload.
EXAMPLE: The user-throttling policy has default settings and limits the overall maximum data transfer rate.

Network performance factors


This section describes best practices for improving network performance during migration. The discussion is
general because the biggest impact on network performance during migration is related to third-party hardware
and Internet service providers (ISPs).
Use the Exchange Analyzer to get a deeper understanding of your network connectivity with Office 365. To run the
Exchange Analyzer tests in Support and Recovery Assistant, go to Advanced Diagnostics > Exchange Online >
Check Exchange Online network connectivity > Yes. Read Fix Outlook and Office 365 issues with Support and
Recovery Assistant for Office 365 to learn more about Support and Recovery Assistant.

FACTOR: Network capacity
DESCRIPTION: The amount of time it takes to migrate mailboxes to Office 365 is determined by the available and maximum capacity of your network.
BEST PRACTICES: Identify your available network capacity and determine the maximum upload capacity.
Contact your ISP to confirm your allocated bandwidth and to get details about restrictions, such as the total amount of data that can be transferred in a specific period of time.
Use tools to evaluate your actual network capacity. Make sure you test the end-to-end flow of data from your on-premises data source to the Microsoft datacenter gateway servers.
Identify other loads on your network (for example, backup utilities and scheduled maintenance) that can affect your network capacity.

FACTOR: Network stability
DESCRIPTION: A fast network doesn't always result in fast migrations. If the network isn't stable, data transfer takes longer because of error correction. Depending on the migration type, error correction can significantly affect migration performance.
BEST PRACTICES: Network hardware and driver issues often cause network stability problems. Work with your hardware vendors to understand your network devices and apply the vendor's latest recommended drivers and software updates.

FACTOR: Network delays
DESCRIPTION: Intrusion detection functionality configured on a network firewall often causes significant network delays and affects migration performance.
Migrating data to Office 365 mailboxes relies on your internet connection. Internet delays affect overall migration performance.
Also, users in the same company might have cloud mailboxes that reside in datacenters in different geographical locations. Depending on the customer's ISP, migration performance may vary.
BEST PRACTICES: Evaluate network delays to all potential Microsoft datacenters to help ensure that the result is consistent. (This also helps ensure a consistent experience for end users.) Work with your ISP to address internet-related issues.
Add IP addresses for Microsoft datacenter servers to your allow list, or bypass all migration-related traffic from your network firewall. For more information about the Office 365 IP ranges, see Office 365 URLs and IP address ranges.

For a deeper analysis of migrations within your environment, check out our move analysis blog post. The post
includes a script to help you analyze move requests.

Office 365 throttling


Office 365 uses various throttling mechanisms to help ensure security and service availability. The following three
types of throttling can affect migration performance:
User throttling
Migration-service throttling
Resource health-based throttling

NOTE
The three types of Office 365 throttling don't affect all migration methods.

Office 365 user throttling


User throttling affects most third-party migration tools and the client-uploading migration method. These
migration methods use client access protocols, such as the Remote Procedure Call (RPC) over HTTP Protocol, to
migrate mailbox data to Office 365 mailboxes. These tools are used to migrate data from platforms such as IBM
Lotus Domino and Novell GroupWise.
User throttling is the most restrictive throttling method in Office 365. Because user throttling is set up to work
against an individual end user, any application-level usage will easily exceed the throttling policy and result in
slower data migration.
Office 365 migration-service throttling
Migration-service throttling affects all Office 365 migration tools. Migration-service throttling manages migration
concurrency and service resource allocation for Office 365 migration solutions.
Migration-service throttling affects migrations performed by using the following migration methods:
IMAP migration
Cutover Exchange migration
Staged Exchange migration
Hybrid migrations (MRSProxy service-based moves in a hybrid environment)
An example of migration-service throttling is controlling the number of mailboxes that are migrated
simultaneously during simple Exchange migrations and IMAP migrations. The default value is 10. This means that
a maximum of 10 mailboxes from all migration batches are migrated at any particular time. You can increase the
number of concurrent mailbox migrations for a migration batch in either the Exchange Control Panel or Windows
PowerShell. To learn more about how to optimize this setting, see Manage migration batches in Office 365.
Office 365 resource health-based throttling
All migration methods are subject to the governance of availability throttling. Office 365 service throttling,
however, doesn't affect Office 365 migrations as much as the other types of throttling described previously.
Resource health-based throttling is the least aggressive throttling method. It occurs to prevent a service availability
issue that could affect end users and critical service operations.
Before performance of the service degrades to the point where end-user performance could be impacted, hybrid
migrations will be stalled until performance is recovered and the service returns to a level below the throttling
threshold.
The following are examples from an Exchange migration statistics report. They show the entries logged when the
service-throttling threshold is exceeded.
1/25/2018 12:56:01 AM [BL2PRD0410CA012] Copy progress: 723/1456 messages, 225.8 MB (236,732,045 bytes)/416.5 MB (436,712,733 bytes).

1/25/2018 12:57:53 AM [BL2PRD0410CA012] Move for mailbox '/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is stalled because DataMoveReplicationConstraint is not satisfied for the database 'NAMPRD04DG031-db081' (agent MailboxDatabaseReplication). Failure Reason: Database edbf0766-1f2a-4552-9115-bb3a53a8380b doesn't satisfy constraint SecondDatacenter. There are no available healthy database copies. Will wait until 1/25/2018 1:27:53 AM.

1/25/2018 12:58:24 AM [BL2PRD0410CA012] Request is no longer stalled and will continue.

6/30/2017 00:03:58 [CY4PR19MB0056] Relinquishing job because of large delays due to unfavorable server health or budget limitations with a request throttling state 'StalledDueToTarget_DiskLatency'.

Solution and practice


If you experience a similar situation, wait for the Office 365 resources to become available.
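
To tell a service-side stall from a problem in your own environment, the following added PowerShell example (not part of the original article) classifies report entries like the ones quoted above and measures how long each stall lasted. The function and property names are illustrative assumptions, the sample input is the four entries from this section with each entry on a single line, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. Function and property names
# are illustrative. Each report entry must be on a single line.
function Get-MoveReportThrottleEvent {
    param([string[]]$Line)

    # <timestamp> [<server>] <message>; the AM/PM marker is optional.
    $entry   = '^(?<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) \[(?<server>[^\]]+)\] (?<msg>.*)$'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $stalledSince = @{}    # server name -> time its current stall began

    foreach ($text in $Line) {
        if (-not ($text -match $entry)) { continue }
        $time   = [datetime]::Parse($Matches['ts'], $culture)
        $server = $Matches['server']
        $msg    = $Matches['msg']

        $kind = 'Progress'; $reason = $null; $waitUntil = $null; $stalledFor = $null

        if ($msg -match 'is stalled because (?<constraint>\w+) is not satisfied') {
            # The service paused the move; record which constraint was unmet.
            $kind   = 'Stalled'
            $reason = $Matches['constraint']
            $stalledSince[$server] = $time
            if ($msg -match 'Will wait until (?<until>.+?)\.$') {
                $waitUntil = [datetime]::Parse($Matches['until'], $culture)
            }
        }
        elseif ($msg -match 'no longer stalled') {
            $kind = 'Resumed'
            if ($stalledSince.ContainsKey($server)) {
                $stalledFor = $time - $stalledSince[$server]
                $stalledSince.Remove($server)
            }
        }
        elseif ($msg -match "request throttling state '(?<state>[^']+)'") {
            # The job was handed back because of server health or budget limits.
            $kind   = 'Relinquished'
            $reason = $Matches['state']
        }

        [pscustomobject]@{
            Time       = $time
            Server     = $server
            Kind       = $kind
            Reason     = $reason
            WaitUntil  = $waitUntil
            StalledFor = $stalledFor
        }
    }
}

# The entries quoted in this section, one entry per line.
$sampleReport = @'
1/25/2018 12:56:01 AM [BL2PRD0410CA012] Copy progress: 723/1456 messages, 225.8 MB (236,732,045 bytes)/416.5 MB (436,712,733 bytes).
1/25/2018 12:57:53 AM [BL2PRD0410CA012] Move for mailbox '/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is stalled because DataMoveReplicationConstraint is not satisfied for the database 'NAMPRD04DG031-db081' (agent MailboxDatabaseReplication). Failure Reason: Database edbf0766-1f2a-4552-9115-bb3a53a8380b doesn't satisfy constraint SecondDatacenter. There are no available healthy database copies. Will wait until 1/25/2018 1:27:53 AM.
1/25/2018 12:58:24 AM [BL2PRD0410CA012] Request is no longer stalled and will continue.
6/30/2017 00:03:58 [CY4PR19MB0056] Relinquishing job because of large delays due to unfavorable server health or budget limitations with a request throttling state 'StalledDueToTarget_DiskLatency'.
'@ -split "`r?`n"

Get-MoveReportThrottleEvent -Line $sampleReport |
    Where-Object { $_.Kind -ne 'Progress' } |
    Format-Table Time, Server, Kind, Reason, StalledFor -AutoSize
```
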

Performance factors and best practices for non-hybrid deployment migrations

This section describes factors that affect migrations using the IMAP, cutover, or staged migration methods. It also
identifies best practices to improve migration performance.
Factor 1: Data source
The following table describes the impact on migration by the source servers in your current email organization
and the best practices for mitigating the impact on migration.

CHECKLIST: System performance
DESCRIPTION: Data extraction is an intensive task. The source system needs to have sufficient resources, such as CPU time and memory, to provide optimal migration performance. During migration, the source system is often close to full capacity in terms of the regular end-user workload. If system resources are inadequate, the additional workload that results from migration can affect end users.
BEST PRACTICES: Monitor system performance during a pilot migration test. If the system is busy, we recommend avoiding an aggressive migration schedule for the specific system because of potential migration slowness and service availability issues. If possible, enhance the source system performance by adding hardware resources and reduce the load on the system by moving tasks and users to other servers that aren't involved in the migration.
For more information, see:
• Exchange 2013 Server Health and Performance
• Understanding Exchange 2010 Performance
• Exchange 2007: Monitoring Mailbox Servers
When migrating from an on-premises Exchange organization where there are multiple mailbox servers, we recommend that you create a migration-user list that is evenly distributed across multiple mailbox servers. Based on individual server performance, the list can be further fine-tuned to maximize throughput.
For example, if server A has 50 percent more resource availability than server B, it's reasonable to have 50 percent more users from server A in the same migration batch. Similar practices can be applied to other source systems.
Perform migrations when servers have maximum resource availability such as after hours or on weekends and holidays.

CHECKLIST: Back-end tasks
DESCRIPTION: Other back-end tasks that are running during migration time. Because it's a best practice to perform migration after business hours, it's common that migrations conflict with maintenance tasks, such as data backup, running on your on-premises servers.
BEST PRACTICES: Review other system tasks that might be running during migration. We recommend that you perform data migration when no other resource-intensive tasks are running.
Note: For customers using on-premises Exchange, the common back-end tasks are backup solutions and Exchange store maintenance.

CHECKLIST: Throttling policy
DESCRIPTION: It's a common practice to protect email systems with a throttling policy that sets a specific limit on how fast and how much data can be extracted from the system during a certain amount of time.
BEST PRACTICES: Verify what throttling policy is deployed for your email system. For example, Google Mail limits how much data can be extracted in a certain time period.
Depending on the version, Exchange has policies that restrict IMAP access to the on-premises mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover Exchange migrations and staged Exchange migrations).
To check the throttling settings in an Exchange 2013 organization, run the Get-ThrottlingPolicy cmdlet. For more information, see Exchange Workload Management.
For more information about IMAP throttling, see Migrate your IMAP mailboxes to Office 365.
For more information about RPC over HTTP Protocol throttling, see:
• Exchange 2013 Workload Management
• Exchange 2010: Understanding Client Throttling Policies
• Exchange 2007: Understanding Client Throttling

Factor 2: Migration server


IMAP, cutover, and staged migrations are cloud-initiated data-pull migration methods, so there's no need for a
dedicated migration server. The internet-facing protocol hosts (IMAP or RPC over HTTP Protocol), however,
function as the migration server for migrating mailboxes and mailbox data to Office 365. Therefore, the migration
performance factors and best practices, described in the previous section about the data source server for your
current email organization, also apply to the internet edge servers. For Exchange 2007, Exchange 2010, and
Exchange 2013 organizations, the client access server functions as a migration server.
For more information, see:
Exchange 2013 Workload Management
Exchange 2010: Client Access Server Counters
Exchange 2007: Monitoring Client Access Servers
Factor 3: Migration engine
IMAP, cutover, and staged Exchange migrations are performed by using the Migration dashboard in the Exchange
admin center. This is subject to Office 365 migration-service throttling.
Solution and practice
Customers now can specify migration concurrency (for example, the number of mailboxes to migrate
simultaneously) by using Windows PowerShell. The default is 20 mailboxes. After you create a migration batch,
you can use the following Windows PowerShell cmdlet to increase this to a maximum of 100.
Set-MigrationEndPoint <Identity> -MaxConcurrentMigrations <value between 1 and 100>

For more information, see Manage migration batches in Office 365.

NOTE
If your data source doesn't have sufficient resources to handle all the connections, we recommend avoiding high
concurrency. Start with a small concurrency value, for example, 10. Increase this number while monitoring the data source
performance to avoid end-user access issues.

Factor 4: Network
Verification tests
Depending on the migration method, you can try the following verification tests:
IMAP migrations: Prepopulate a source mailbox with sample data. Then from the internet (outside your
on-premises network), connect to the source mailbox by using a standard IMAP email client such as
Microsoft Outlook, and then measure network performance by determining how long it takes to download
all the data from the source mailbox. The throughput should be similar to what customers can get by using
the IMAP migration tool in Office 365, given that there are no other constraints.
Cutover and staged Exchange migrations: Prepopulate a source mailbox with sample data. Then, from
the internet (outside of your on-premises network), connect to the source mailbox with Outlook by using
RPC over HTTP Protocol. Make sure that you're connecting by using cache mode. Measure network
performance by checking how long it takes to synchronize all data from the source mailbox. The throughput
should be similar to what customers can get by using the simple Exchange migration tools in Office 365,
given that there are no other constraints.
There is some overhead during an actual IMAP, cutover, or staged Exchange migration. The actual throughput,
however, should be similar to the results of these verification tests.
Factor 5: Office 365 service
Office 365 resource health-based throttling affects migrations using the native Office 365 simple migration tools.
See the Office 365 resource health-based throttling section.

Move requests in the Office 365 service


For general information about getting status information for move requests, see View Move Request Properties.
In the Office 365 service, unlike in on-premises Exchange 2010, the migration queue and the service resources
allocated for migrations are shared among tenants. This sharing affects how move requests are handled in each
stage of the move process.
There are two types of move requests in Office 365:
Onboarding move requests: New customer migrations are considered onboarding move requests. These
requests have regular priority.
Datacenter internal move requests: These are mailbox move requests initiated by datacenter operation
teams. These requests have a lower priority because the end-user experience isn't affected if the move
request is delayed.
Potential impact and delays to move requests with a status of "Queued" and "In Progress"
Queued move requests: This status specifies that the move has been queued and is waiting to be picked
up by the Exchange Mailbox Replication Service. For Exchange 2003 move requests, users can still access
their mailboxes at this stage.
Two factors influence which request will be picked up by the Mailbox Replication Service:
Priority: Queued move requests with a higher priority are picked up before lower-priority move
requests. This helps ensure that customer-migration move requests always get processed before
datacenter internal move requests.
Position in the queue: If move requests have the same priority, the earlier the request gets into the
queue, the earlier it will be picked up by the Mailbox Replication Service. Because there might be
multiple customers performing mailbox migrations at the same time, it's normal that new move
requests remain in the queue before they're processed.
Often, the time that mailbox requests wait in the queue before being processed isn't considered during migration
planning. This results in customers not being allocated enough time to complete all planned migrations.
In-progress move requests: This status specifies that the move is still in progress. If this is an online mailbox
move, the user will still be able to access the mailbox. For offline mailbox moves, the user's mailbox will be
unavailable.
After the mailbox move request has a status of "In Progress," the priority no longer matters and a new move
request won't be processed until an existing "In Progress" move request is completed, even if the new move
request has a higher priority.
Best practices
Planning: As previously mentioned, because Exchange 2003 users lose access during a hybrid migration,
Exchange 2003 customers are usually more concerned about when to schedule migrations and how long they will
take.
When planning how many mailboxes to migrate during a specific time period, consider the following:
Include the amount of time the move request waits in the queue. Use the following to calculate this:
(total number of mailboxes to migrate) = ((total time) - (average queue time)) * (migration throughput)
where the migration throughput equals the total number of mailboxes that can be migrated per hour.
For example, assume you have a six-hour window to migrate mailboxes. If the average queue time is one hour and
you have a migration throughput of 100 mailboxes per hour, you can migrate 500 mailboxes in the six-hour time
frame: 500 = (6 - 1) * 100.
Start the migration sooner than initially planned to mitigate time in the queue. When mailboxes are queued,
Exchange 2003 users can still access their mailboxes.
Determine queue time: The queue time is always changing because Microsoft doesn't manage customers'
migration schedules.
To determine the potential queue time, a customer can try to schedule a test move several hours before the actual
migration starts. Then, based on the observed amount of time the request is in the queue, the customer can better
estimate when to start the migration and how many mailboxes can be moved in a specific period of time.
For example, suppose a test migration was completed four hours before the start of a planned migration, and the
customer determines that the queue time for the test migration was about one hour. The customer should then
consider starting the migration one hour earlier than originally planned to make sure there is enough time to
complete all migrations.

Third-party tools for Office 365 migrations


Third-party tools are mostly used in migration scenarios that don't involve Exchange, such as those from Google
Mail, IBM Lotus Domino, and Novell GroupWise. This section focuses on the migration protocols used by
third-party migration tools, rather than on the actual products and migration tools. The following table provides
a list of factors that apply to third-party tools for Office 365 migration scenarios.
Factor 1: Data source
CHECKLIST: System performance

DESCRIPTION: Data extraction is an intensive task. The source system must have sufficient
resources, such as CPU time and memory, to provide optimal migration performance. During
migration, the source system is often close to full capacity in terms of the regular end-user
workload. If system resources are inadequate, the additional workload that results from
migration can affect end users.

BEST PRACTICES: Monitor system performance during a pilot migration test. If the system is
busy, we recommend avoiding an aggressive migration schedule for the specific system because of
potential migration slowness and service availability issues. If possible, enhance the source
system performance by adding hardware resources and by reducing the load on the system. The
system load can be reduced by moving tasks and users to other servers that aren't part of the
migration.

For more information, see:
• Exchange 2013 Server Health and Performance
• Understanding Exchange 2010 Performance
• Exchange 2007: Monitoring Mailbox Servers

When migrating from an on-premises Exchange organization where there are multiple mailbox
servers, we recommend that you create a migration user list that's evenly distributed across
multiple mailbox servers. Based on individual server performance, the list can be further
fine-tuned to maximize throughput.

For example, if server A has 50 percent more resource availability than server B, it is
reasonable to have 50 percent more users from server A in the same migration batch. A similar
practice can be applied to other source systems.

Perform migration when the system has maximum resource availability, such as after hours or on
weekends and holidays.

CHECKLIST: Back-end tasks

DESCRIPTION: Other back-end tasks usually run during migration time. Because it's a best
practice to perform migration after business hours, it's common that migrations conflict with
other maintenance tasks running on your on-premises servers, such as data backup.

BEST PRACTICES: Review other system tasks that are running during migration. We recommend that
you create a clean time window just for data migration, when there are no other resource-heavy
tasks.

For Exchange on-premises customers, the common tasks are backup solutions. For more
information, see Exchange Store Maintenance.

CHECKLIST: Throttling policy

DESCRIPTION: It's a common practice to protect email systems with a throttling policy, which
sets a specific limit on how fast and how much data can be extracted from the system within a
certain amount of time and by using a specific migration method.

BEST PRACTICES: Verify what throttling policy is deployed for your email system. For example,
Google Mail limits how much data can be extracted in a certain time period.

Depending on the version, Exchange has policies that restrict IMAP access to the on-premises
mail server (used by IMAP migrations) and RPC over HTTP Protocol access (used by cutover
Exchange migrations and staged Exchange migrations).

For more information about IMAP throttling, see Tips for optimizing IMAP migrations.

For more information about RPC over HTTP Protocol throttling, see:
• Exchange 2013 Workload Management
• Exchange 2010: Understanding Client Throttling Policies
• Exchange 2007: Understanding Client Throttling

For more information about how to configure Exchange Web Services throttling, see Exchange
2010: Understanding Client Throttling Policies.
Factor 2: Migration server


Most third-party tools for Office 365 migrations are client initiated and push data to Office 365. These tools
typically require a migration server. Factors such as system performance, back-end tasks, and throttling policies for
the source servers apply to these migration servers.

NOTE
Some third-party migration solutions are hosted on the internet as cloud-based services and don't require an on-premises
migration server.

Solution and practice


To improve migration performance when using a migration server, apply the same best practices as the ones
described in the Factor 1: Data source section.
Factor 3: Migration engine
For third-party migration tools, the most common protocols used are Exchange Web Services and RPC over HTTP
Protocol.
Exchange Web Services
Exchange Web Services is the recommended protocol to use for migrating to Office 365 because it supports large
data batches and has better service-oriented throttling. In Office 365, when used in impersonation mode,
migrations using Exchange Web Services don't consume the user's budgeted amount of Office 365 Exchange Web
Services resources, consuming instead a copy of the budgeted resources:
All Exchange Web Services impersonating calls made by the same administrator account are calculated
separately from the budget applied to this administrator account.
For each impersonation session, a shadow copy of the actual user's budget is created. All migrations for this
particular session will consume this shadow copy.
Throttling under impersonation is isolated to each user migration session.
Best practices
Migration performance for customers using third-party migration tools that use EWS impersonation
competes with Exchange Web Services-based migrations and service resource usage by other tenants.
Therefore, migration performance will vary.
Whenever possible, customers should use third-party migration tools that use Exchange Web Services
impersonation because it's usually faster and more efficient than using client protocols such as RPC over
HTTP Protocol.
RPC over HTTP Protocol
Many traditional migration solutions use the RPC over HTTP Protocol. This method is completely based on a
client access model such as that of Outlook, and scalability and performance are limited because the Office 365
service throttles access on the assumption that usage is by a user instead of by an application.
Best practices
For migration tools that use RPC over HTTP Protocol, it's a common practice to increase migration
throughput by adding more migration servers and using multiple Office 365 administrative user accounts.
This practice can gain data injection parallelism and achieve higher data throughput because each
administrative user is subject to Office 365 user throttling. We have received reports that many enterprise
customers had to set up more than 40 migration servers to obtain 20-30 GB/hour of migration throughput.
In a migration tool development phase, it's critical to consider the number of RPC operations needed to
migrate a message. To illustrate this, we collected logs captured by Office 365 services for two migration
solutions (developed by third-party companies) used by customers to migrate mailboxes to Office 365. We
compared the migration of two mailboxes for each migration solution, and we also compared them to
uploading a .pst file in Outlook. Here are the results.

METHOD                  MAILBOX SIZE  ITEM COUNT  TIME TO MIGRATE  TOTAL RPC TRANSACTIONS  AVERAGE CLIENT LATENCY (MS)  AVGCASRPCPROCESSINGTIME (MS)

Solution A (mailbox 1)  376.9 MB      4,115       4:24:33          132,040                 48.4395                      18.0807
Solution A (mailbox 2)  249.3 MB      12,779      10:50:50         423,188                 44.1678                      4.8444
Solution B (mailbox 1)  618.1 MB      4,322       1:54:58          12,196                  37.2931                      8.3441
Solution B (mailbox 2)  56.7 MB       2,748       0:47:08          5,806                   42.1930                      7.4439
Outlook                 201.9 MB      3,297       0:29:47          15,775                  36.9987                      5.6447

Note that the client and service process times are similar, but Solution A takes a lot more RPC operations to
migrate data. Because each operation consumes client-latency time and server-process time, Solution A is much
slower to migrate the same amount of data compared to Solution B and to Outlook.
Factor 4: Network
Best practice
For third-party migration solutions that use the RPC over HTTP Protocol, here's a good way to measure potential
migration performance:
1. From the migration server, connect to the Office 365 mailbox with Outlook by using RPC over HTTP
Protocol. Make sure that you aren't connecting by using cache mode.
2. Import a large .pst file with sample data to the Office 365 mailbox.
3. Measure migration performance by timing how long it takes to upload the .pst file. The migration
throughput should be similar to what customers can get from a third-party migration tool that uses RPC
over HTTP Protocol, given no other constraints. There's overhead during an actual migration, so the
throughput might be slightly different.
Factor 5: Office 365 service
Office 365 resource health-based throttling affects migrations using third-party migration tools. See Office 365
resource health-based throttling for more details.
Assign Exchange permissions to migrate mailboxes to
Office 365
3/4/2019

When you migrate on-premises Exchange mailboxes to Office 365, certain permissions to access and, in some
cases, modify those mailboxes, are required. The user account used to connect to your on-premises Exchange
organization during the migration needs those permissions. Known as the migration administrator, the user
account is used to create a migration endpoint to your on-premises organization.
The migration administrator must have the necessary administrative privileges in your on-premises Exchange
organization to successfully create a migration endpoint. Those same administrative privileges are required if the
migration administrator wants to create a migration batch if your organization has no migration endpoints. The
following list shows the administrative privileges required for the migration administrator account to migrate
mailboxes to Office 365 by using the different types of migration:
Staged Exchange migration
For a staged migration, the migration administrator account must be:
• A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the
  on-premises organization.
  or
• Assigned the FullAccess permission for each on-premises mailbox AND the WriteProperty
  permission to modify the TargetAddress property on the on-premises user account.
  or
• Assigned the Receive As permission on the on-premises mailbox database that stores the user
  mailboxes AND the WriteProperty permission to modify the TargetAddress property for the
  on-premises user account.

Cutover Exchange migration
For a cutover migration, the migration administrator account must be:
• A member of the Domain Admins group in Active Directory Domain Services (AD DS) in the
  on-premises organization.
  or
• Assigned the FullAccess permission for each on-premises mailbox.
  or
• Assigned the Receive As permission on the on-premises mailbox database that stores the user
  mailboxes.

Internet Message Access Protocol 4 (IMAP4) migration
For an IMAP4 migration, the comma-separated value (.csv) file for the migration batch must contain:
• The username and password for each mailbox that you want to migrate.
  or
• The username and password for an account in your IMAP4 messaging system that has the
  necessary administrative privileges to access all user mailboxes. To learn whether your IMAP4
  server supports this approach and how to enable it, see the documentation for your IMAP4 server.
You can use Exchange Online PowerShell in your on-premises organization to quickly assign the necessary
permissions to migrate mailboxes to Office 365.

NOTE
Because Exchange Server 2003 doesn't support Exchange Online PowerShell, you have to use Active Directory Users and
Computers to assign the FullAccess permission and Exchange Server Manager to assign the Receive As permission. For more
information, see How to assign service account access to all mailboxes in Exchange Server 2003.

For information about migrating mailboxes to Office 365 by using different migration types, see Ways to migrate
multiple email accounts to Office 365.

What do you need to know before you begin?


Estimated time to complete each procedure: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Permissions and delegation" entry in the "Recipient Provisioning
Permissions" section in the Recipient Permissions topic.

Assign the FullAccess permission


The following examples show different ways to use the Exchange Online PowerShell Add-MailboxPermission
cmdlet to assign the FullAccess permission to the migration administrator account for mailboxes in your on-
premises organization.
Example 1
FullAccess permission to the mailbox of Terry Adams is assigned to the migration administrator account (for
example, migadmin).

Add-MailboxPermission -Identity "Terry Adams" -User migadmin -AccessRights FullAccess -InheritanceType all

Example 2
FullAccess permission for all members of the distribution group MigrationBatch1 is assigned to the migration
administrator account.

Get-DistributionGroupMember MigrationBatch1 | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

Example 3
FullAccess permission for all mailboxes that have the value of MigBatch2 for CustomAttribute10 is assigned to the
migration administrator.

Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute10 -eq 'MigBatch2')} | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

Example 4
FullAccess permission to all user mailboxes in the on-premises organization is assigned to the migration
administrator account.

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User migadmin -AccessRights FullAccess -InheritanceType all

For detailed syntax and parameter information, see the following topics:
add-MailboxPermission
Filterable Properties for the -Filter Parameter
How do you know the assignment of permission worked?
Run one of the following commands to verify you successfully assigned FullAccess permission to the migration
administrator account in each example.

Get-MailboxPermission -Identity <mailbox> -User migadmin

Get-DistributionGroupMember MigrationBatch1 | Get-MailboxPermission -User migadmin

Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute10 -eq 'MigBatch2')} | Get-MailboxPermission -User migadmin

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Get-MailboxPermission -User migadmin

Assign the Receive As permission


The following example shows how to use the Exchange Online PowerShell Add-ADPermission cmdlet to assign
the Receive As permission to the migration administrator account for "Mailbox Database 1900992314."

Add-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin -ExtendedRights receive-as

For detailed syntax and parameter information, see add-ADPermission.


How do you know the assignment of permission worked?
Verify you successfully assigned ReceiveAs permission to the migration administrator account in the example. Run
the following command.

Get-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin

Assign the WriteProperty permission


The following examples show different ways to use the Exchange Online PowerShell Add-ADPermission cmdlet
to assign the migration administrator account the WriteProperty permission to modify the TargetAddress property
for on-premises user accounts. This capability is required to perform a staged Exchange migration if the migration
administrator isn't a member of the Domain Admins group.
Example 1
WriteProperty permission to modify the TargetAddress property for the user account of Rainer Witte is assigned
to the migration administrator account (for example, migadmin).

Add-ADPermission -Identity "Rainer Witte" -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 2
WriteProperty permission to modify the TargetAddress property for all members of the distribution group
StagedBatch1 is assigned to the migration administrator account.

Get-DistributionGroupMember StagedBatch1 | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 3
WriteProperty permission to modify the TargetAddress property for all user accounts that have the value of
StagedMigration for CustomAttribute15 is assigned to the migration administrator account.

Get-User -ResultSize unlimited -Filter {(CustomAttribute15 -eq 'StagedMigration')} | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

Example 4
WriteProperty permission to modify the TargetAddress property for user mailboxes in the on-premises
organization is assigned to the migration administrator account.

Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-ADPermission -User migadmin -AccessRights WriteProperty -Properties TargetAddress

For detailed syntax and parameter information, see the following topics:
add-ADPermission
Filterable Properties for the -Filter Parameter
How do you know the assignment of permission worked?
To verify that you successfully assigned the WriteProperty permission to the migration administrator account,
run one of the following commands. Each command confirms that the permission to modify the TargetAddress
property was granted by the corresponding example.

Get-ADPermission -Identity <mailbox> -User migadmin

Get-DistributionGroupMember StagedBatch1 | Get-ADPermission -User migadmin

Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute15 -eq 'StagedMigration')} | Get-ADPermission -User migadmin

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Get-ADPermission -User migadmin
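
To review what the migration administrator account actually holds after the assignments above, the following added example (not part of the original article and not Microsoft's code) classifies Get-MailboxPermission and Get-ADPermission output against the three rights this article grants. The function name, the contoso.local identities and the sample entries are constructed; $InScope is assumed to hold Identity values exactly as the cmdlets return them, and the name under which Get-ADPermission reports the TargetAddress property is assumed to match the one passed to -Properties.

```powershell
# Added example: review the rights held by the migration administrator account.
# Get-MigrationGrantReport is a hypothetical helper; all sample data is constructed.

function Get-MigrationGrantReport {
    [CmdletBinding()]
    param(
        # Objects returned by Get-MailboxPermission and/or Get-ADPermission
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]] $Entry,

        # Identity values (as the cmdlets return them) that are part of the migration
        [Parameter(Mandatory = $true)]
        [string[]] $InScope,

        # Assumption: the property name appears in the output as it was passed to -Properties
        [string] $TargetProperty = 'TargetAddress'
    )
    begin {
        # The only rights this article assigns to the migration administrator
        $expected = 'FullAccess', 'Receive-As', 'WriteProperty'
    }
    process {
        foreach ($e in $Entry) {
            # AccessRights, ExtendedRights and Properties are collections; flatten to strings
            $rights = @(@($e.AccessRights) + @($e.ExtendedRights) |
                Where-Object { $_ } | ForEach-Object { "$_" })
            $props = @($e.Properties | Where-Object { $_ } | ForEach-Object { "$_" })
            $extra = @($rights | Where-Object { $expected -notcontains $_ })

            $finding = if ($e.Deny) {
                'Deny entry: blocks access'
            } elseif ($InScope -notcontains "$($e.Identity)") {
                'Outside migration scope: revoke'
            } elseif ($extra.Count -gt 0) {
                "Unexpected right ($($extra -join ', ')): review"
            } elseif ($rights -contains 'WriteProperty' -and
                      ($props.Count -ne 1 -or $props[0] -ne $TargetProperty)) {
                "WriteProperty not limited to ${TargetProperty}: narrow"
            } else {
                'Expected'
            }

            [pscustomobject]@{
                Identity   = "$($e.Identity)"
                User       = "$($e.User)"
                Rights     = $rights -join ', '
                Properties = $props -join ', '
                Inherited  = [bool]$e.IsInherited
                Finding    = $finding
            }
        }
    }
}

# Constructed sample standing in for the output of:
#   Get-Mailbox -ResultSize unlimited | Get-MailboxPermission -User migadmin
#   Get-User -ResultSize unlimited | Get-ADPermission -User migadmin
#   Get-ADPermission -Identity "Mailbox Database 1900992314" -User migadmin
$sample = @(
    [pscustomobject]@{ Identity = 'contoso.local/Users/Terry Adams'; User = 'CONTOSO\migadmin'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.local/Users/Rainer Witte'; User = 'CONTOSO\migadmin'
        AccessRights = @('WriteProperty'); Properties = @('TargetAddress'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.local/Users/Sample User 1'; User = 'CONTOSO\migadmin'
        AccessRights = @('WriteProperty'); Properties = @(); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'Mailbox Database 1900992314'; User = 'CONTOSO\migadmin'
        ExtendedRights = @('Receive-As'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.local/Users/Sample Executive'; User = 'CONTOSO\migadmin'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
)

$scope = 'contoso.local/Users/Terry Adams', 'contoso.local/Users/Rainer Witte',
         'contoso.local/Users/Sample User 1', 'Mailbox Database 1900992314'

$sample | Get-MigrationGrantReport -InScope $scope |
    Sort-Object Finding |
    Format-Table Identity, Rights, Properties, Finding -AutoSize
```

Entries that are no longer needed once the migration is finished can be removed with Remove-MailboxPermission or Remove-ADPermission.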
Manage migration batches in Office 365
3/29/2019

You can use the Migration dashboard in the Office 365 Exchange admin center (EAC) to manage mailbox
migration to Office 365 using a cutover or staged Exchange migration. You can also use the Migration dashboard
to migrate the contents of users' mailboxes from an on-premises IMAP server to existing Office 365 mailboxes.
The Migration dashboard displays statistics about the overall migration in addition to statistics about a specific
migration batch. You can create, start, stop, pause, and edit migration batches.

The Migration dashboard


To access the Migration dashboard in the EAC, select Recipients > Migration. The following screenshot identifies
the different areas of the Migration dashboard that you can use to get migration information and manage
migration batches.

Overall migration statistics


Click Status for all batches to display the overall statistics about all migration batches that have been created.
The following fields display cumulative information about all migration batches.

FIELD                 DESCRIPTION

Total mailboxes       The total number of mailboxes from all current migration batches.

Synced mailboxes      The number of mailboxes from all migration batches that were successfully
                      migrated.

Finalized mailboxes   The number of mailboxes from all migration batches that have been finalized.
                      Finalization occurs only when you use remote move migrations to migrate
                      mailboxes between your on-premises Exchange organization and Office 365 in an
                      Exchange hybrid deployment. Mailboxes can be finalized after the initial
                      synchronization is successfully completed. For more information about
                      finalizations in remote move migrations, see Complete-MigrationBatch.

Failed mailboxes      The number of mailboxes from all migration batches for which migration failed.

Migration batches
Migration batches that are created are listed in the migration queue. The following columns display information
about each migration batch.

COLUMN      DESCRIPTION

Name        The name of the migration batch that was defined when it was created.

Status      The status of the migration batch. The following is a list of the different status
            states for migration batches, along with what you can do with migration batches in each
            of these states:
            Stopped: The migration batch has been created, but it hasn't been started. In this
            state, you can start, edit, or delete it.
            Syncing: The migration batch has been started, and mailboxes in the migration batch
            are being actively migrated. When a migration batch is in this state, you can stop it.
            Stopping: Immediately after you run the Stop-MigrationBatch cmdlet.
            Stopped: The migration batch is stopped, and no more mailboxes from the batch are
            being migrated. When a migration batch is in this state, you can restart it.
            Starting: Immediately after you run the Start-MigrationBatch cmdlet.
            Completing: Immediately after you run the Complete-MigrationBatch cmdlet.
            Removing: Immediately after you run the Remove-MigrationBatch cmdlet.
            Synced: The migration batch has completed, and no mailboxes are being actively
            migrated. A migration batch in this state may contain errors if mailboxes weren't
            migrated. For cutover Exchange migrations and IMAP migrations with this status,
            on-premises mailboxes and the corresponding Office 365 mailboxes are synchronized
            every 24 hours during incremental synchronization.
            Completed: The migration batch is complete.
            Synced with errors: The migration batch has completed, but some mailboxes failed
            migration. Mailboxes that were successfully migrated in migration batches with errors
            are still synchronized every 24 hours during incremental synchronization.

Total       Indicates the number of mailboxes in the migration batch.

Synced      Indicates the number of mailboxes that were successfully migrated.

Finalized   The number of mailboxes in the migration batch that have been finalized. Finalization
            is performed only for migration batches for remote move migrations in an Exchange
            hybrid deployment. For more information about the finalization process, see
            Complete-MigrationBatch.

Failed      The number of mailboxes in the migration batch for which the migration failed. You can
            display information about specific mailboxes that have migration errors. For more
            information, see Migration users status report.

IMPORTANT
Migration batches with a status of Synced that have no administrator-initiated activity (for example, no administrator has
stopped and restarted a migration batch or edited a migration batch) for the last 60 days will be stopped. All batches with
Stopped or Failed status will be removed after 90 days. All batches with Completed status will be removed after 60 days.

The Migration dashboard contains a set of commands that you can use to manage migration batches. After you
create a migration batch, you can select it, and then click one of the following commands. If a migration batch is in
a status state that isn't supported by a command, the command is either dimmed or not displayed because it's
unavailable.

COMMAND   DESCRIPTION

New       Create a new migration batch. Use this command to migrate on-premises mailboxes to
          Office 365 (also called onboarding) or to migrate Office 365 mailboxes back to your
          on-premises Exchange organization in a hybrid deployment.

Edit      Edit an existing migration batch. For staged Exchange migrations and IMAP migrations,
          you can submit a different CSV file. You can also change the migration endpoint used for
          the migration batch. You can edit only a migration batch that has a status of Created.

Start     Start a migration batch that's been created. After the batch is started, the status is
          changed to Syncing.

Resume    Resume the running of a migration batch that was paused and has a status of Stopped. If
          there are errors for a migration batch, you can restart it with this command, and
          Office 365 will attempt to migrate the mailboxes that failed.

Pause     Stop a migration batch that's currently running or that's been started but has a status
          of Queued. You can also stop a cutover Exchange migration batch or an IMAP migration
          batch that's completed the initial synchronization phase and has a status of Synced.
          This will stop incremental synchronizations. You can resume incremental synchronizations
          by selecting the migration batch and clicking Resume.

Delete    Delete a migration batch after you verify that all mailboxes in the migration batch have
          been successfully migrated. Verify also that mail is being routed directly to cloud-based
          mailboxes after you've configured your MX record to point to Office 365. When you delete
          a migration batch, Office 365 cleans up any records related to the migration batch and
          removes it from the list.

More      Click this command, and then click Migration endpoints to create new migration endpoints
          or view and edit existing migration endpoints.

Refresh   Refresh the Migration dashboard to update the information displayed for the overall
          migration statistics, the list of migration batches, and the statistics for the selected
          migration batch.

Migration batch statistics


The details pane in the Migration dashboard displays the following information about the selected migration
batch.

FIELD DESCRIPTION

Type Indicates the migration type of the selected migration batch. The value of this field also denotes the type of migration endpoint associated with the migration batch.
• Exchange Outlook Anywhere: The migration batch is either a cutover Exchange migration or a staged Exchange migration.
• IMAP: The migration batch is an IMAP migration.
• Remote move migration: The migration batch is either an onboarding or offboarding remote move migration in an Exchange hybrid deployment.

Direction Indicates if mailboxes are being migrated to Office 365 or to your on-premises Exchange organization.
• Onboarding: Indicates that mailboxes are being migrated to Office 365. Onboarding migration types are staged migrations, cutover migrations, IMAP migrations, and onboarding remote move migrations.
• Offboarding: Indicates that Office 365 mailboxes are being migrated to your on-premises Exchange organization. Offboarding remote move migrations are the only type of offboarding migration.

Status The current state of the selected migration batch.
• Stopped
• Syncing
• Stopped
• Synced
• Synced with errors
See the previous description of each of these states.

Requested The number of mailboxes to be migrated in the migration batch. This number corresponds to the number of rows in the migration CSV file for IMAP, staged, or remote move migrations, or the number of on-premises mailboxes in a cutover Exchange migration.

Synced mailboxes The number of mailboxes out of the total number in the
migration batch that have successfully completed initial
synchronization. This field is updated during the migration.

Finalized The number of mailboxes out of the total number in the migration batch that have successfully been finalized. Finalization only occurs in onboarding and offboarding remote move migrations.

Failed mailboxes The number of mailboxes that failed initial synchronization.

View details Click View details to display status information for each
mailbox in the migration batch. For more information, see
Migration users status report.

Created by The email address of the Office 365 administrator who created
the migration batch.

Create time The date and time when the migration batch was created.

Start time The date and time when the migration batch was started.

Initial sync time The date and time when the migration batch completed initial
synchronization.

Initial sync duration The amount of time it took to complete the initial
synchronization for all mailboxes in the migration batch.

Last sync time The last time the migration batch was restarted or the last
time that incremental synchronization was performed for the
batch. As previously stated, incremental synchronization
occurs every 24 hours for IMAP migrations and cutover
Exchange migrations.

Associated endpoint The name of the migration endpoint being used by the
migration batch. You can click View details to view the
migration endpoint settings. You can also edit the settings if
none of the migration batches using the endpoint are
currently running.
Migration users status report
3/29/2019 • 5 minutes to read

You can use the Migration dashboard in the Exchange administration center (EAC) to display the migration status
information for all users in a migration batch. You can also display detailed migration information for each user in
a migration batch. This information, also called migration user statistics, can help you troubleshoot issues that
might prevent the migration of a user's mailbox or mailbox items. You can display this migration status
information for migration batches that are currently running, that have been stopped, or that are complete.
You can also use Exchange Online PowerShell to display migration user statistics. For more information, see:
Get-MigrationUser
Get-MigrationUserStatistics

Migration users report


To access the migration users report for a migration batch, select Recipients > Migration, select the migration
batch, and then in the details pane, under Mailbox status, click View details.

The name of the migration batch and the following commands are displayed at the top of the window.

COMMAND DESCRIPTION

Delete Delete the selected user from the list of migration users.

Refresh Refresh the list of migration users to update the information displayed for the users in the migration batch.

Columns in the list of migration users
COLUMN DESCRIPTION

Identity The user's email address.

Status The user's migration status. See the status descriptions in the
table in the next section.

Items Synced The number of items in the user's on-premises mailbox that
were successfully migrated to the Office 365 mailbox.

Items Skipped The number of items in the user's on-premises mailbox that
weren't migrated to the Office 365 mailbox.

Migration user statistics for a specific user


To view status information (also called migration user statistics) for a specific mailbox, mail contact, or distribution
group, click the mailbox, contact, or distribution group in the list. Status information for the selected mail object is
displayed in the details pane. The following table describes each field displayed in the details pane.

FIELD DESCRIPTION

Status Identifies the specific point in the migration process for each
mail object in the migration batch. This status is more specific
than the high-level status summary displayed in the list of
migration users. The following list describes each status state.
• Queued: The object is in a migration batch that is running,
but the migration of the object hasn't started yet. Objects
typically have a status of Queued when all of the connections
in the migration endpoint associated with the migration batch
are being used.
• Provisioning: The migration process has started for the
mail object, but it isn't provisioned yet.
• Provision updating: The mail object has been provisioned,
but not all the object's properties were migrated. For example,
after a distribution group has been migrated, this state occurs
when members of the group haven't been migrated yet or
there's a problem migrating a user who is a member of the
group. In this case, the status indicates the migration process
can't update the group membership because not all group
members have been migrated.
• Synced: The migration process successfully provisioned the
Office 365 mailbox and completed the initial synchronization
where all mailbox items were copied to the cloud-based
mailbox. For cutover Exchange migrations and IMAP
migrations, this status can also indicate that incremental
synchronization completed successfully.
• Failed: The provisioning or the initial synchronization of the
mail object failed. If an Office 365 mailbox is successfully
created for a user, but the migration of mailbox items fails, the
status for the user will be Failed.

Skipped item details Click Skipped item details to display information about each
item that was skipped for the selected user. The following
information about each skipped item is displayed:
• Date: The time stamp of the mailbox item.
• Subject: The subject line of the message.
• Kind: The type of error that caused the item to be skipped.
• Folder name: The folder where the skipped item is located.

Data migrated The total amount of data (in bytes and megabytes (MB)) for
the mailbox items that have been migrated to the Office 365
mailbox. This number includes items migrated in both the
initial and incremental synchronizations. This field doesn't
have a value for IMAP migrations.

Migration rate The average transfer rate (in bytes or MB per minute) of data
copied to the Office 365 mailbox. This field doesn't have a
value for IMAP migrations.

Error If the migration for the user failed, this field displays a
description of the error. This error description is also included
in the Migration Errors report.

Report Click Download the report for this user to open or save a
detailed migration report that contains diagnostic information
about the migration status of the user. You or Microsoft
Support can use the information in this report to
troubleshoot failed migrations.

Last successful sync date The last time that any new items in the on-premises mailbox
were copied to the cloud-based mailbox.

Click More details to display the following additional information about the selected migration user.

FIELD DESCRIPTION

Queued duration The length of time the user had a status of Queued.

In-progress duration The length of time the user was actively being migrated.

Synced duration The length of time the migration user had a status of Synced.

Stalled duration The length of time the migration process was stalled for the
user.

Migration phases
To help you understand the migration status states described in the previous sections, it's helpful to be familiar
with the phases of the migration process. The following table describes these phases and indicates whether the
phase is included in each type of migration.

Provisioning: The migration process creates the new Office 365 mailbox.
• Cutover Exchange migration: Yes (includes distribution groups and mail contacts)
• Staged Exchange migration: Yes (includes mail contacts)
• IMAP migration: No

Initial synchronization: After Office 365 mailboxes are provisioned, the migration process migrates mailbox items to the newly provisioned cloud-based mailboxes.
• Cutover Exchange migration: Yes (includes calendar times and contacts)
• Staged Exchange migration: Yes (includes calendar times and contacts)
• IMAP migration: Yes

Incremental synchronization: The migration process synchronizes the on-premises and the corresponding Office 365 mailbox every 24 hours.
• Cutover Exchange migration: Yes
• Staged Exchange migration: No
• IMAP migration: Yes

CSV files for Mailbox migration
3/29/2019 • 6 minutes to read

You can use a comma-separated values (CSV) file to bulk migrate a large number of user mailboxes. You can
specify a CSV file when you use the Exchange admin center (EAC) or the New-MigrationBatch cmdlet in Exchange
Online PowerShell to create a migration batch. Using a CSV to specify multiple users to migrate in a migration
batch is supported in the following migration scenarios:
• Onboarding and offboarding in Office 365
  • Onboarding remote move migration: In an Exchange hybrid deployment, you can move mailboxes from an on-premises Exchange organization to Office 365. This is also known as an onboarding remote move migration because you onboard mailboxes to Office 365.
  • Offboarding remote move migration: You can also perform an offboarding remote move migration, where you migrate Office 365 mailboxes to your on-premises Exchange organization.

    NOTE
    Both onboarding and offboarding remote move migrations are initiated from your Office 365 organization.

  • Staged Exchange migration: You can also migrate a subset of mailboxes from an on-premises Exchange organization to Office 365. This is another type of onboarding migration. You can migrate only Exchange 2003 and Exchange 2007 mailboxes using a staged Exchange migration. Migrating Exchange 2010 and Exchange 2013 mailboxes isn't supported using a staged migration. Prior to running a staged migration, you have to use directory synchronization or some other method to provision mail users in your Office 365 organization.
  • IMAP migration: This onboarding migration type migrates mailbox data from an IMAP server (including Exchange) to Office 365. For an IMAP migration, you must provision mailboxes in Office 365 before you can migrate mailbox data.

NOTE
A cutover Exchange migration doesn't support using a CSV file because all on-premises user mailboxes are migrated to
Office 365 in a single batch.

Supported attributes for CSV files for bulk moves or migrations


The first row, or header row, of a CSV file used for migrating users lists the names of the attributes, or fields,
specified on the rows that follow. Each attribute name is separated by a comma. Each row under the header row
represents an individual user and supplies the information required for the migration. The attributes in each
individual user row must be in the same order as the attribute names in the header row. Each attribute value is
separated by a comma. If the attribute value for a particular record is null, don't type anything for that attribute.
However, make sure that you include the comma to separate the null value from the next attribute.
Attribute values in the CSV file override the value of the corresponding parameter when that same parameter is
used when creating a migration batch with the EAC or Exchange Online PowerShell. For more information and
examples, see the section Attribute values in the CSV file override the values for the migration batch.
TIP
You can use any text editor to create the CSV file, but using an application like Microsoft Excel will make it easier to import
data and configure and organize CSV files. Be sure to save CSV files as a .csv or .txt file.

The following sections describe the supported attributes for the header row of a CSV file for each migration type.
Each section includes a table that lists each supported attribute, whether it's required, an example of a value to use
for the attribute, and a description.

NOTE
In the following sections, source environment denotes the current location of a user mailbox or a database. Target
environment denotes the location that the mailbox will be migrated to or the database that the mailbox will be moved to.

Staged Exchange migrations


You have to use a CSV file to identify the group of users for a migration batch when you want to use a staged
Exchange migration to migrate Exchange 2003 and Exchange 2007 on-premises mailboxes to Office 365. There
isn't a limit for the number of mailboxes that you can migrate to the cloud using a staged Exchange migration.
However, the CSV file for a migration batch can contain a maximum of 2,000 rows. To migrate more than 2,000
mailboxes, you have to create additional CSV files and then use each one to create a new migration batch. For
more information about staged Exchange migrations, see What you need to know about a staged email migration
to Office 365.
The following table describes the supported attributes for a CSV file for a staged Exchange migration.

EmailAddress
• Required or optional: Required
• Accepted values: SMTP address for the user
• Description: Specifies the email address for the mail-enabled user (or a mailbox if you're retrying the migration) in Office 365 that corresponds to the on-premises user mailbox that will be migrated. Mail-enabled users are created in Office 365 as a result of directory synchronization or another provisioning process. The email address of the mail-enabled user must match the WindowsEmailAddress property for the corresponding on-premises mailbox.

Password
• Required or optional: Optional
• Accepted values: A password has to have a minimum length of eight characters, and satisfy any password restrictions that are applied to your Office 365 organization.
• Description: This password is set on the user account when the corresponding mail-enabled user in Office 365 is converted to a mailbox during the migration.

ForceChangePassword
• Required or optional: Optional
• Accepted values: True or False
• Description: Specifies whether a user must change the password the first time they sign in to their Office 365 mailbox. Note: If you've implemented a single sign-on (SSO) solution by deploying Active Directory Federation Services 2.0 (AD FS 2.0) in your on-premises organization, you must use False for the value of this attribute.

IMAP migrations
A CSV file for an IMAP migration batch can have a maximum of 50,000 rows. But it's a good idea to migrate users in
several smaller batches. For more information about IMAP migrations, see the following topics:
Migrate your IMAP mailboxes to Office 365
CSV files for IMAP migration batches
The following table describes the supported attributes for a CSV file for an IMAP migration.

EmailAddress
• Required or optional: Required
• Accepted values: SMTP address for the user.
• Description: Specifies the user ID for the user's Office 365 mailbox

UserName
• Required or optional: Required
• Accepted values: String that identifies the user on the IMAP messaging system, in a format supported by the IMAP server.
• Description: Specifies the logon name for the user's account in the IMAP messaging system (the source environment). In addition to the username, you can use the credentials of an account that has been assigned the necessary permissions to access mailboxes on the IMAP server. For more information, see CSV files for IMAP migration batches.

Password
• Required or optional: Required
• Accepted values: Password string.
• Description: Specifies the password for the user account specified by the UserName attribute.
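
A pre-flight check for the CSV rules and the staged and IMAP attribute tables above, as an added example (not Microsoft's code). The function names Test-MigrationCsv and New-Finding, the -SingleSignOn switch and the sample rows are assumptions made for illustration; the row limits are assumed to count user rows. The check reports record numbers and attribute names only, so password values from the file never reach the console or a log.

```powershell
# Added example: offline check of a staged or IMAP migration CSV before it is
# handed to a migration batch. Names here are hypothetical, not Exchange cmdlets.

function New-Finding($Record, $Attribute, $Problem) {
    # Record 0 means the problem concerns the header row or the whole file.
    [pscustomobject]@{ Record = $Record; Attribute = $Attribute; Problem = $Problem }
}

function Test-MigrationCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [Parameter(Mandatory)] [ValidateSet('Staged', 'Imap')] [string] $MigrationType,
        # Set when AD FS single sign-on is deployed: ForceChangePassword must be False.
        [switch] $SingleSignOn
    )

    # Attribute rules and row limits taken from the tables on this page.
    $table = @{
        Staged = @{ Required = @('EmailAddress'); Optional = @('Password', 'ForceChangePassword'); MaxRows = 2000 }
        Imap   = @{ Required = @('EmailAddress', 'UserName', 'Password'); Optional = @(); MaxRows = 50000 }
    }
    $rules = $table[$MigrationType]
    $known = @($rules.Required) + @($rules.Optional)

    $lines = @($CsvText -split '\r?\n' | Where-Object { $_.Trim() })
    if ($lines.Count -eq 0) { New-Finding 0 '(file)' 'File has no header row'; return }

    # Header row: every required attribute present, nothing outside the table.
    $header = @($lines[0].Split(',') | ForEach-Object { $_.Trim().Trim('"') })
    foreach ($name in $rules.Required) {
        if ($header -notcontains $name) { New-Finding 0 $name 'Required attribute missing from header row' }
    }
    foreach ($name in $header) {
        if ($known -notcontains $name) { New-Finding 0 $name "Not in the attribute table for a $MigrationType migration" }
    }

    $records = @($lines | ConvertFrom-Csv)
    if ($records.Count -gt $rules.MaxRows) {
        New-Finding 0 '(file)' "$($records.Count) rows exceed the limit of $($rules.MaxRows) per CSV file"
    }

    $n = 0
    foreach ($rec in $records) {
        $n++
        # ConvertFrom-Csv leaves a property null when the row has fewer fields than the header.
        foreach ($prop in $rec.PSObject.Properties) {
            if ($null -eq $prop.Value) {
                New-Finding $n $prop.Name 'Field missing: keep the separating comma even for a null value'
            }
        }
        foreach ($name in $rules.Required) {
            if ($header -contains $name -and [string]::IsNullOrWhiteSpace($rec.$name)) {
                New-Finding $n $name 'Required value is empty'
            }
        }
        # Loose shape check only; it does not prove the address exists.
        if ($rec.EmailAddress -and $rec.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            New-Finding $n 'EmailAddress' 'Value is not shaped like an SMTP address'
        }
        if ($MigrationType -eq 'Staged') {
            # Only the length is inspected; the password itself is never echoed.
            if ($rec.Password -and $rec.Password.Length -lt 8) {
                New-Finding $n 'Password' 'Shorter than the eight-character minimum'
            }
            $force = $rec.ForceChangePassword
            if ($force -and @('True', 'False') -notcontains $force) {
                New-Finding $n 'ForceChangePassword' 'Value must be True or False'
            } elseif ($SingleSignOn -and $force -eq 'True') {
                New-Finding $n 'ForceChangePassword' 'Must be False when AD FS single sign-on is deployed'
            }
        }
    }
}

# Constructed sample input (addresses and passwords are made up for this example).
$sample = @'
EmailAddress,Password,ForceChangePassword
pilar@contoso.com,Example-Pass-01,False
tobias@contoso.com,short,Yes
not-an-address,,
,Example-Pass-02
'@

Test-MigrationCsv -CsvText $sample -MigrationType Staged -SingleSignOn | Format-Table -AutoSize
```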

Attribute values in the CSV file override the values for the migration
batch
Attribute values in the CSV file override the value of the corresponding parameter when that same parameter is
used when creating a migration batch with the EAC or Exchange Online PowerShell. If you want the migration
batch value to be applied to a user, you would leave that cell blank in the CSV file. This lets you mix and match
certain attribute values for selected users in one migration batch.
In this example, let's say you create a batch for an onboarding remote move migration in a hybrid deployment to
move archive mailboxes to Office 365 with the following New-MigrationBatch command.

New-MigrationBatch -Name OnBoarding1 -SourceEndpoint RemoteEndpoint1 -TargetDeliveryDomain cloud.contoso.com -CSVData ([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\OnBoarding1.csv")) -ArchiveOnly:$true -AutoStart

But you also want to move the primary mailboxes for selected users, so a portion of the OnBoarding1.csv file for
this migration batch would look like this:

EmailAddress,MailboxType
user1@contoso.com,
user2@contoso.com,
user3@cloud.contoso.com,PrimaryAndArchive
user4@cloud.contoso.com,PrimaryAndArchive
...

Because the value for mailbox type in the CSV file overrides the values for the MailboxType parameter in the
command to create the batch, only the archive mailbox for user1 and user2 is migrated to Office 365. But the
primary and archive mailboxes for user3 and user4 are moved to Office 365.
Collaboration in Exchange Online
3/4/2019 • 3 minutes to read

Office 365 and Exchange Online provide several features that can help your end users easily collaborate in email.
Each of these features, described in the following sections, has a different user experience and feature set and
should be used based on what your users need to accomplish and what your organization can provide.
This topic compares these collaboration features to help you decide which features to offer your users.

Public folders
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
Public folders organize content in a deep hierarchy that's easy to browse. Users discover interesting and relevant
content by browsing through branches of the hierarchy that are relevant to them. Users always see the full
hierarchy in their Outlook folder view. Public folders are a great technology for distribution group archiving. A
public folder can be mail-enabled and added as a member of the distribution group. Email sent to the distribution
group is automatically added to the public folder for later reference. Public folders also provide simple document
sharing and don't require SharePoint to be installed in your organization. Finally, end users can use public folders
with the following supported Outlook clients: Outlook 2010 or later and Outlook on the web (formerly known as
Outlook Web App), but with some limitations.
To learn more, see Public folders in Office 365 and Exchange Online.

Shared mailboxes
A shared mailbox is a mailbox that multiple designated users can access to read and send email messages and to
share a common calendar. Shared mailboxes can provide a generic email address (such as info@contoso.com or
sales@contoso.com) that customers can use to inquire about your company. If the shared mailbox has the Send As
permission assigned when a delegated user responds to the email message, it can appear as though the mailbox
(for example, sales@contoso.com) is responding, not the actual user.
To learn more, see Shared Mailboxes.

Groups
Groups (also called distribution groups) are a collection of two or more recipients that appears in the shared
address book. When an email message is sent to a group, it's received by all members of the group. Distribution
groups can be organized by a particular discussion subject (such as "Dog Lovers") or by users who share a
common work structure that requires them to communicate frequently.
To learn more, see Recipients in Exchange Online.

Which one to use?


The following table gives you a quick glance at each of the collaboration features to help you decide which one to
use.

Type of group
• Public folders: With the proper permissions, everyone in your organization can access and search public folders. Public folders are ideal for maintaining history or distribution group conversations.
• Shared mailboxes: Delegates working on behalf of a virtual identity, and they can respond to email as that shared mailbox identity. Example: support@tailspintoys.com
• Groups: Users who need to send email to a group of recipients with a common interest or characteristic.

Ideal group size
• Public folders: Large
• Shared mailboxes: Small
• Groups: Large

Access
• Public folders: Accessible by anyone in your organization.
• Shared mailboxes: Users can be granted Full Access and/or Send As permissions. If granted Full Access permissions, users must also add the shared mailbox to their Outlook profile to access the shared mailbox.
• Groups: For distribution groups, members must be manually added. For dynamic distribution groups, members are added based on filtering criteria.

Shared calendar?
• Public folders: Yes
• Shared mailboxes: Yes
• Groups: No

Email arrives in user's personal Inbox?
• Public folders: No. Email arrives in the public folder.
• Shared mailboxes: No. Email arrives in the Inbox of the shared mailbox.
• Groups: Yes. Email arrives in the Inbox of a distribution group member.

Supported clients
• Public folders: Outlook 2010 or later, Outlook on the web
• Shared mailboxes: Outlook 2010 or later, Outlook on the web
• Groups: Outlook 2010 or later, Outlook on the web

Public folders in Office 365 and Exchange Online
3/28/2019 • 7 minutes to read

Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Public folders help organize content in a deep
hierarchy that's easy to browse. Users will see the full hierarchy in Outlook, which makes it easy for them to
browse for the content they're interested in.

NOTE
Public folders are available in the following Outlook clients: Outlook Web App for Exchange, Outlook 2007, Outlook 2010,
Outlook 2013, and Outlook for Mac.

Public folders can also be used as an archiving method for distribution groups. When you mail-enable a public
folder and add it as a member of the distribution group, email sent to the group is automatically added to the
public folder for later reference.
Public folders aren't designed for the following purposes:
Data archiving. Users who have mailbox limits sometimes use public folders instead of mailboxes to
archive data. This practice isn't recommended because it affects storage in public folders and undermines
the goal of mailbox limits. Instead, we recommend that you use In-Place Archiving as your archiving
solution.
Document sharing and collaboration. Public folders don't provide versioning or other document
management features, such as controlled check-in and check-out functionality and automatic notifications
of content changes. Instead, we recommend that you use SharePoint Online as your documentation sharing
solution.
For more information about public folders and other collaboration methods in Office 365 and Exchange Online,
see Collaboration in Exchange Online.
For a list of frequently asked questions regarding public folders in Office 365 and Exchange Online, see FAQ:
Public folders.
For more information about public folder quotas in Office 365 and Exchange Online, see the service description
topics Sharing and Collaboration and Exchange Online Limits.
For a list of public folder management tasks, see Public folder procedures in Office 365 and Exchange Online.
For more information about the public folder limits in Office 365 and Exchange Online, see Exchange Online
Limits.
Looking for the Exchange Server version of this topic? See Public Folders.

Public folder architecture


Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the
content. The main architectural components of public folders are the public folder mailboxes.
Public folder mailboxes
There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes.
Both types of mailboxes can contain content:
Primary hierarchy mailbox: The primary hierarchy mailbox is the one writable copy of the public folder
hierarchy. The public folder hierarchy is copied to all other public folder mailboxes, but these will be read-
only copies.
Secondary hierarchy mailboxes: Secondary hierarchy mailboxes contain public folder content as well
and a read-only copy of the public folder hierarchy.
There are two ways you can manage public folder mailboxes:
In the Exchange admin center (EAC), navigate to Public folders > Public folder mailboxes.
In Exchange Online PowerShell, use the *-Mailbox set of cmdlets.
Public folder hierarchy
The public folder hierarchy contains the folders' properties and organizational information, including tree
structure. Each public folder mailbox contains a copy of the public folder hierarchy. There's only one writeable copy
of the hierarchy, which is in the primary public folder mailbox. For a specific folder, the hierarchy information is
used to identify the following:
Permissions on the folder
The folder's position in the public folder tree, including its parent and child folders

NOTE
The hierarchy doesn't store information about email addresses for mail-enabled public folders. Email addresses are stored in
the directory.

Hierarchy synchronization
The public folder hierarchy synchronization process uses Incremental Change Synchronization (ICS), which
provides a mechanism to monitor and synchronize changes to an Exchange store hierarchy or content. The
changes include creating, modifying, and deleting folders and messages. When users are connected to and using
content mailboxes, synchronization occurs every 15 minutes. If no users are connected to a content mailbox,
synchronization will be triggered less often (every 24 hours). If a write operation such as creating a folder is
performed on the primary hierarchy, synchronization is triggered immediately (synchronously) to the content
mailbox.

IMPORTANT
Because there's only one writeable copy of the hierarchy, folder creation is proxied to the hierarchy mailbox by the content
mailbox users are connected to.

For more information, see Update the public folder hierarchy.


Public folder content
Public folder content can include email messages, posts, documents, and eForms. The content is stored in the
public folder mailbox but isn't replicated across multiple public folder mailboxes. All users access the same public
folder mailbox for the same set of content. Although a full text search of public folder content is available, public
folder content isn't searchable across public folders and the content isn't indexed by Exchange Search.

Considerations
Although there are many advantages to using public folders in Office 365 and Exchange Online, there are some
things to consider before implementing them in your organization:
Outlook Web App is supported, but with limitations. You can add and remove favorite public folders and
perform item-level operations such as creating, editing, deleting posts, and replying to posts. However, you
can't create or delete public folders from Outlook Web App.
Although a full text search of public folder content is available, public folder content isn't searchable across
public folders and the content isn't indexed by Exchange Search.
You must use an Exchange Online supported Outlook client or later to access public folders in Office 365 and
Exchange Online.

Migrating public folders to Office 365 and Exchange Online


When you migrate your public folders, you'll use a process called batch public folder migration. Batch public folder
migration (or simply batch migration) creates a mailbox migration request for each public folder mailbox that will
exist in Exchange Online. Using multiple requests means the migration will move along much faster because it's
able to make more efficient use of available network bandwidth. It's also more reliable because it reduces the
possibility of a single failure or bottleneck affecting the entire migration.
While batch migrations need to be started using the New-MigrationBatch cmdlet in Exchange Online
PowerShell, the progress and completion of the migration can be viewed and managed in the EAC. Because the
New-MigrationBatch cmdlet initiates a mailbox migration request for each public folder mailbox, you can view
the status of these requests using the mailbox migration page. You can get to the mailbox migration page, and
create migration reports that can be emailed to you, by opening the EAC in Exchange Online and navigating to
Mailbox > Migration.
To use batch migration to migrate your public folders to Exchange Online, your legacy Exchange server needs to
meet the requirements in the following list. If it does, and you're ready to start, check out Use batch migration to
migrate legacy public folders to Office 365 and Exchange Online.
Exchange supports moving your public folders to Office 365 and Exchange Online from the following legacy
versions of Exchange Server:
Exchange Server 2010 SP3 RU8 or later
See Use batch migration to migrate Exchange 2013 public folders to Exchange Online to migrate your Exchange
Server public folders.
We recommend that you use batch migration instead of Outlook's PST export feature to migrate public folders to
Office 365 and Exchange Online. Office 365 public folder mailbox growth is managed using an auto-split feature
that splits the public folder mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth of
public folder mailboxes when you use PST export to migrate your public folders and you might have to wait for up
to two weeks for auto-split to move the data from the primary mailbox. We provide batch migration instructions in
Use batch migration to migrate legacy public folders to Office 365 and Exchange Online and Use batch migration
to migrate Exchange 2013 public folders to Exchange Online. However, if you've elected to do a PST migration and
have run into an issue where the primary mailbox is full, you have two options for recovering the PST migration:
1. Wait for the auto-split to move the data from the primary mailbox. This may take up to two weeks.
However, all the public folders in a completely filled public folder mailbox won't be able to receive new
content until the auto-split completes.
2. Create a public folder mailbox and then use the New-PublicFolder cmdlet with the Mailbox parameter
to create the remaining public folders in the secondary public folder mailbox. This example creates a new
public folder named PF201 in the secondary public folder mailbox.

New-PublicFolder -Name PF201 -Mailbox SecondaryPFMbx


Public folder procedures in Office 365 and Exchange Online
3/4/2019 • 2 minutes to read

Use batch migration to migrate legacy public folders to Office 365 and Exchange Online
Use batch migration to migrate Exchange 2013 public folders to Exchange Online
Configure legacy on-premises public folders for a hybrid deployment
Configure Exchange Server public folders for a hybrid deployment
Configure Exchange Online public folders for a hybrid deployment
Set up public folders in a new organization
Accessing public folders with Outlook 2016 for Mac
Create a public folder mailbox
Create a public folder
Recover a deleted public folder mailbox
Use favorite public folders in Outlook on the web
Mail-enable or mail-disable a public folder
Update the public folder hierarchy
Remove a public folder
View statistics for public folders and public folder items
Use batch migration to migrate legacy public folders to Office 365 and Exchange Online
3/29/2019 • 25 minutes to read

Summary: Use these procedures to move your Exchange 2010 public folders to Office 365.
This topic describes how to migrate your public folders in a cutover or staged migration from Update Rollup 8 for
Exchange Server 2010 Service Pack 3 (SP3) to Office 365 or Exchange Online.
This topic refers to the Exchange 2010 SP3 RU8 server as the legacy Exchange server. Also, the steps in this topic
apply to both Exchange Online and Office 365. The terms may be used interchangeably in this topic.

NOTE
The batch migration method described in this article is the only supported method for migrating legacy public folders to
Office 365 and Exchange Online. The old serial migration method for migrating public folders is no longer supported by
Microsoft.

We recommend that you don't use Outlook's PST export feature to migrate public folders to Office 365 or
Exchange Online. Office 365 and Exchange Online public folder mailbox growth is managed using an auto-split
feature that splits the public folder mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth
of public folder mailboxes when you use PST export to migrate your public folders and you may have to wait for
up to two weeks for auto-split to move the data from the primary mailbox. We recommend that you use the
cmdlet-based instructions in this document to migrate public folders to Office 365 and Exchange Online.
However, if you elect to migrate public folders using PST export, see the section Migrate Public Folders to Office
365 by using Outlook PST export later in this topic.
You'll perform the migration using the *-MigrationBatch cmdlets, in addition to the following PowerShell scripts:
Export-PublicFolderStatistics.ps1: This script creates the folder name-to-folder size mapping file. You'll
run this script on the legacy Exchange server.
Export-PublicFolderStatistics.psd1: This support file is used by the Export-PublicFolderStatistics.ps1
script and should be downloaded to the same location.
PublicFolderToMailboxMapGenerator.ps1: This script creates the public folder-to-mailbox mapping file by
using the output from the Export-PublicFolderStatistics.ps1 script. You'll run this script on the legacy
Exchange server.
PublicFolderToMailboxMapGenerator.strings.psd1: This support file is used by the
PublicFolderToMailboxMapGenerator.ps1 script and should be downloaded to the same location.
Create-PublicFolderMailboxesForMigration.ps1: This script creates the target public folder mailboxes for the
migration. In addition, this script calculates the number of mailboxes necessary to handle the estimated
user load, based on the guidelines for the number of user logons per public folder mailbox recommended
in Limits for Public Folders.
Create-PublicFolderMailboxesForMigration.strings.psd1: This support file is used by the
Create-PublicFolderMailboxesForMigration.ps1 script and should be downloaded to the same location.
Sync-MailPublicFolders.ps1: This script synchronizes mail-enabled public folder objects between your local
Exchange deployment and Office 365. You'll run this script on the legacy Exchange server.
SyncMailPublicFolders.strings.psd1: This is a support file used by the Sync-MailPublicFolders.ps1 script
and should be copied to the same location as the preceding scripts.
Step 1: Download the migration scripts provides details about where to download these scripts. Make sure all
scripts are downloaded to the same location.
For additional management tasks related to public folders, see Public Folder Procedures.

What versions of Exchange are supported for migrating public folders to Office 365 and Exchange Online?

Exchange supports moving your public folders to Office 365 and Exchange Online from the following legacy
versions of Exchange Server:
Exchange 2010 SP3 RU8 or later
If you need to move your public folders to Exchange Online but your on-premises servers aren't running the
minimum supported version of Exchange 2010, we strongly recommend that you upgrade your on-premises
servers and use batch migration, which is the only supported public folder migration method.
You can't migrate public folders directly from Exchange 2003. If you're running Exchange 2003 in your
organization, you need to move all public folder databases and replicas to Exchange 2010 SP3 RU8 or later. No
public folder replicas can remain on Exchange 2003. Additionally, mail destined for an Exchange 2013 public
folder can't be routed through an Exchange 2003 server.

What do you need to know before you begin?


The Exchange 2010 server needs to be running Exchange 2010 SP3 RU8 or later.
In Office 365 and Exchange Online, you need to be a member of the Organization Management role group.
This role group is different from the permissions assigned to you when you subscribe to Office 365 or
Exchange Online. For details about how to enable the Organization Management role group, see Manage
Role Groups.
In Exchange 2010, you need to be a member of the Organization Management or Server Management
RBAC role groups. For details, see Add Members to a Role Group.
Before migration, if any public folder in your organization is greater than 2 GB, we recommend either
deleting content from that folder or splitting it up into multiple public folders. If either of these options isn't
feasible, we recommend that you do not move your public folders to Office 365 and Exchange Online.
In Office 365 and Exchange Online, you can create a maximum of 1,000 public folder mailboxes.
Before you migrate your public folders, we recommend that you first move all user mailboxes to Office 365
and Exchange Online. For details, see Ways to migrate multiple email accounts to Office 365.
Outlook Anywhere needs to be enabled on the legacy Exchange server. For details about enabling Outlook
Anywhere on Exchange 2010 servers, see Enable Outlook Anywhere.
You can't use the Exchange admin center (EAC) or the Exchange Management Console (EMC) to perform
this procedure. On the legacy Exchange servers, you need to use the Exchange Management Shell. For
Exchange Online, you need to use Exchange Online PowerShell. For more information, see Connect to
Exchange Online Using Remote PowerShell.
You must use a single migration batch to migrate all of your public folder data. Exchange allows creating
only one migration batch at a time. If you attempt to create more than one migration batch simultaneously,
the result will be an error.
Before you begin, we recommend that you read this topic in its entirety as downtime is required for some
steps.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Download the migration scripts


1. Download all scripts and supporting files from Public Folders Migration Scripts.
2. Save the scripts to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
Make sure all scripts are saved in the same location.
3. Download the following files from Mail-enabled Public Folders - directory sync script:
Sync-MailPublicFolders.ps1

SyncMailPublicFolders.strings.psd1

4. Save the scripts to the same location you did for step 2. For example, C:\PFScripts.

Step 2: Prepare for the migration


Perform the following prerequisite steps before you begin the migration.
General prerequisite steps
Make sure that there are no orphaned public folder mail objects in Active Directory, meaning objects in
Active Directory without a corresponding Exchange object.
Confirm that the SMTP email addresses configured for public folders in Active Directory match the SMTP email
addresses on the Exchange objects.
Make sure that there are no duplicate public folder objects in Active Directory, to avoid a situation where
two or more Active Directory objects are pointing to the same mail-enabled public folder.
Prerequisite steps on the legacy Exchange server
1. On the legacy Exchange server, make sure that routing to the mail-enabled public folders that will exist in
Office 365 or Exchange Online continues to work until all DNS caches over the internet are updated to
point to the Office 365 or Exchange Online DNS where your organization now resides. To do this, run the
following command to configure an accepted domain with a well-known name that will properly route
email messages to the Office 365 or Exchange Online domain.

New-AcceptedDomain -Name "PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99" -DomainName contoso.onmicrosoft.com -DomainType InternalRelay

If the name of a public folder contains a backslash ( \ ) or a forward slash ( / ), the public folders might be
created in the parent public folder when migration occurs. Before you migrate, we recommend that you
rename any public folders that have a backslash or a forward slash in the name.
In Exchange 2010, to locate public folders that have a backslash or a forward slash in the name, run the
following command:

Get-PublicFolderStatistics -ResultSize Unlimited | Where {($_.Name -like "*\*") -or ($_.Name -like "*/*") } | Format-List Name,Identity

2. If any public folders are returned, you can rename them by running the following command:

Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

3. Make sure there isn't a previous record of a successful migration. If there is, you'll need to set that value to
$false. If the value is set to $true, the migration request will fail.

The following example checks the public folder migration status.

Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration,PublicFolderMigrationComplete

4. If the status of the PublicFoldersLockedforMigration or PublicFolderMigrationComplete properties is
$true, run the following command to set the value to $false.

Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false

CAUTION

After resetting these properties, you need to wait for Exchange to detect the new settings. This may take up
to two hours to complete.
5. For verification purposes at the end of migration, we recommend that you first run the following Exchange
Management Shell commands on the legacy Exchange server to take snapshots of your current public
folder deployment.
Run the following command to take a snapshot of the original source folder structure.

Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as item count, size, and
owner.

Get-PublicFolderStatistics -ResultSize Unlimited | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

Run the following command to take a snapshot of the permissions.

Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

Save the information from the preceding commands for comparison at the end of the migration.
6. If you are using Microsoft Azure Active Directory Connect (Azure AD Connect) to synchronize your on-
premises directories with Azure Active Directory, you need to do the following (if you are not using Azure
AD Connect, you can skip this step):
a. On an on-premises computer, open Microsoft Azure Active Directory Connect, and then select
Configure.
b. On the Additional tasks screen, select Customize synchronization options, and then click Next.
c. On the Connect to Azure AD screen, enter the appropriate credentials, and then click Next. Once
connected, keep clicking Next until you are on the Optional Features screen.
d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected, you can continue to the
next section, Prerequisite steps in Office 365 or Exchange Online. If it is selected, click to clear the check box,
and then click Next.

NOTE
If you don't see Exchange Mail Public Folders as an option on the Optional Features screen, you can exit
Microsoft Azure Active Directory Connect and proceed to the next section, Prerequisite steps in Office 365 or
Exchange Online.

7. After you have cleared the Exchange Mail Public Folders selection, keep clicking Next until you are on
the Ready to configure screen, and then click Configure.
For detailed syntax and parameter information, see the following topics:
New-AcceptedDomain
Get-PublicFolder
Get-PublicFolderDatabase
Set-PublicFolder
Get-PublicFolderStatistics
Get-PublicFolderClientPermission
Get-OrganizationConfig
Set-OrganizationConfig
Prerequisite steps in Office 365 or Exchange Online
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step isn't required in all cases; it's only required if you think there may be an
existing migration request in the pipeline.
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting requests for each type and for removing requests of each type are as follows.

IMPORTANT
Before removing a migration request, it is important to understand why there was an existing one. Running the
following commands will determine when a previous request was made and help you diagnose any problems that
may have occurred. You may need to communicate with other administrators in your organization to determine why
the change was made.

The following example will discover any existing serial migration requests.

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List

The following example removes any existing public folder serial migration requests.

Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest

The following example will discover any existing batch migration requests.

$batch = Get-MigrationBatch | ?{$_.MigrationType.ToString() -eq "PublicFolder"}

The following example removes any existing public folder batch migration requests.

$batch | Remove-MigrationBatch -Confirm:$false

2. Make sure no public folders or public folder mailboxes exist in Office 365.

IMPORTANT
If you do see public folders in Office 365 or Exchange Online, it is important to determine why they are there and who in
your organization started a public folder hierarchy before removing the public folders and public folder mailboxes.

1. In Office 365 or Exchange Online PowerShell, run the following command to see if any public folder
mailboxes exist.

Get-Mailbox -PublicFolder

2. If the command didn't return any public folder mailboxes, continue to Step 3: Generate the .csv files. If the
command returned any public folder mailboxes, run the following command to see if any public folders
exist:

Get-PublicFolder

3. If you have any public folders in Office 365 or Exchange Online, run the following PowerShell command to
remove them. Make sure you've saved any information that was in the public folders in Office 365. All
information contained in the public folders will be permanently deleted when you remove the public
folders.

Get-MailPublicFolder | where {$_.EntryId -ne $null}| Disable-MailPublicFolder -Confirm:$false


Get-PublicFolder -GetChildren \ | Remove-PublicFolder -Recurse -Confirm:$false

4. After the public folders are removed, run the following commands to remove all public folder mailboxes.

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false

For detailed syntax and parameter information, see the following topics:
Get-MigrationBatch
Get-PublicFolderMigrationRequest
Remove-PublicFolderMigrationRequest
Get-Mailbox
Get-PublicFolder
Get-MailPublicFolder
Disable-MailPublicFolder
Remove-PublicFolder
Remove-Mailbox

Step 3: Generate the .csv files


1. On the legacy Exchange server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-
to-folder size mapping file. This script needs to always be run by a local administrator. The file will contain
two columns: FolderName and FolderSize. The values for the FolderSize column will be displayed in
bytes. For example, \PublicFolder01,10000.

.\Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>

FQDN of source server equals the fully qualified domain name of the Mailbox server where the
public folder hierarchy is hosted.
Folder to size map path equals the file name and path on a network shared folder where you want
the .csv file saved. Later in this topic, you'll need to use the Exchange Online PowerShell to access
this file. If you specify only the file name, the file will be generated in the current PowerShell
directory on the local computer.
If necessary, remove any mail-enabled system folders from the script output before proceeding.
2. Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file.
This file is used to calculate the correct number of public folder mailboxes in Exchange Online.

.\PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>

Before you run the script, use the following command to check the current public folder limits in
your Exchange Online tenant. Then, note the current quota values for public folders.

Get-OrganizationConfig | Format-List *quota*

In Exchange Online, the default value is 1.7 GB for DefaultPublicFolderIssueWarningQuota and
2 GB for DefaultPublicFolderProhibitPostQuota.
Maximum mailbox size in bytes equals the maximum size that you want to set for the new public
folder mailboxes. In Exchange Online, the maximum size of public folder mailboxes is 100 GB. We
recommend that you use a setting of 15 GB so that each public folder mailbox has room to grow.
Exchange Online has a default public folder "prohibit post" quota of 2 GB. If you have individual
public folders that are larger than 2 GB, you can use any of the following options to fix this issue:
Before you start the migration batch, increase the default public folder "prohibit post" quota by
running the following command:

Set-OrganizationConfig -DefaultPublicFolderProhibitPostQuota <size value> -DefaultPublicFolderIssueWarningQuota <size value>

Before you start the migration batch, delete public folder content to reduce the size of the content to
2 GB or less.
Before you start the migration batch, split the public folder into multiple public folders that are each
2 GB or less.

NOTE
If the public folder is larger than 30 GB, and if it isn't feasible to delete content or split it into multiple public
folders, we recommend that you don't move your public folders to Exchange Online.

Folder to size map path equals the file path of the .csv file that you created when you ran the
Export-PublicFolderStatistics.ps1 script.

Folder to mailbox map path equals the file name and path of the folder-to-mailbox .csv file that you
create in this step. If you specify only the file name, the file is generated in the current PowerShell
directory on the local computer.

NOTE
After the scripts are run and the .csv files are generated, any new public folders or updates to existing public folders will not
be collected.

Step 4: Create the public folder mailboxes in Exchange Online


Run the following command to create the target public folder mailboxes. The script will create a target mailbox for
each mailbox in the .csv file that you generated previously in Step 3, by running the
PublicFolderToMailboxMapGenerator.ps1 script.

.\Create-PublicFolderMailboxesForMigration.ps1 -FolderMappingCsv Mapping.csv -EstimatedNumberOfConcurrentUsers:<estimate>

Mapping.csv is the file generated by the PublicFolderToMailboxMapGenerator.ps1 script in Step 3. The estimated
number of simultaneous user connections browsing a public folder hierarchy is usually less than the total number
of users in an organization.

Step 5: Start the migration request


1. On the legacy Exchange server, run the following command to synchronize mail-enabled public folders
from your local Active Directory to Exchange Online.

.\Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv

Credential is your Office 365 username and password. CsvSummaryFile is the file path to where you would
like to log, in .CSV format, synchronization operations and errors.

NOTE
We recommend that you first simulate the actions that the script would take before actually executing it, which you
can do by running the script with a -WhatIf parameter.

2. On the legacy Exchange server, get the following information that's needed to run the migration request:
a. Find the LegacyExchangeDN of the user's account who is a member of the Public Folder Administrator
role. This will be the same user whose credentials you need in step 3 of this procedure.

Get-Mailbox <PublicFolder_Administrator_Account> | Select-Object LegacyExchangeDN

b. Find the LegacyExchangeDN of any Mailbox server that has a public folder database.

Get-ExchangeServer <public folder server> | Select-Object -Expand ExchangeLegacyDN

c. Find the FQDN of the Outlook Anywhere host name. If you have multiple instances of Outlook
Anywhere, we recommend that you select the instance that is either closest to the migration endpoint or
the one that is closest to the public folder replicas in the legacy Exchange organization. The following
command will find all instances of Outlook Anywhere:

Get-OutlookAnywhere | Format-Table Identity,ExternalHostName

3. In Office 365 PowerShell, run the following commands to pass the information that was returned in the
previous step to variables that will then be used in the migration request.
a. Pass the credential of a user who has administrative permissions on the legacy Exchange server into the
variable $Source_Credential . The migration request that's run in Exchange Online will use this credential
to gain access to your legacy Exchange servers to copy the content over.

$Source_Credential = Get-Credential <source_domain\PublicFolder_Administrator_Account>

b. Use the ExchangeLegacyDN of the migration user on the legacy Exchange server that you found in step 2a
and pass it into the variable $Source_RemoteMailboxLegacyDN .

$Source_RemoteMailboxLegacyDN = "<paste the value here>"

c. Use the ExchangeLegacyDN of the public folder server that you found in step 2b above and pass it into
the variable $Source_RemotePublicFolderServerLegacyDN .

$Source_RemotePublicFolderServerLegacyDN = "<paste the value here>"

d. Use the External Host Name of Outlook Anywhere that you found in step 2c above and pass it into the
variable $Source_OutlookAnywhereExternalHostName .

$Source_OutlookAnywhereExternalHostName = "<paste the value here>"

4. Finally, in Exchange Online PowerShell, run the following commands to create the migration request.

NOTE
The authentication method in the following Exchange Management Shell example needs to match your Outlook
Anywhere settings, otherwise the command will fail.

$PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RPCProxyServer $Source_OutlookAnywhereExternalHostName -Credentials $Source_Credential -SourceMailboxLegacyDN $Source_RemoteMailboxLegacyDN -PublicFolderDatabaseServerLegacyDN $Source_RemotePublicFolderServerLegacyDN -Authentication Basic
[byte[]]$bytes = Get-Content -Encoding Byte <folder_mapping.csv>
New-MigrationBatch -Name PublicFolderMigration -CSVData $bytes -SourceEndpoint $PfEndpoint.Identity -NotificationEmails <email addresses for migration notifications>

Where the <folder_mapping.csv> file is the file that was generated in Step 3: Generate the .csv files.
5. Start the migration using the following command:

Start-MigrationBatch PublicFolderMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in the Exchange Management
Shell, the progress and completion of the migration can be viewed and managed in the EAC. Because the New-
MigrationBatch cmdlet initiates a mailbox migration request for each public folder mailbox, you can view the
status of these requests using the mailbox migration page. You can get to the mailbox migration page, and create
migration reports that can be emailed to you, by doing the following:
1. Log into Exchange Online and open the EAC.
2. Navigate to Mailbox > Migration.
3. Select the migration request that was just created and then click View Details in the Details pane.
For detailed syntax and parameter information, see the following topics:
Get-Mailbox
Get-ExchangeServer
Get-OutlookAnywhere
New-PublicFolderMigrationRequest
Get-PublicFolderDatabase
Get-PublicFolderMigrationRequest
Get-PublicFolderMigrationRequestStatistics

Step 6: Lock down the public folders on the legacy Exchange server for final migration (downtime required)

Until this point in the migration process, users have been able to access public folders. The next steps will log
users off from the legacy public folders and lock the folders while the migration completes its final
synchronization. Users won't be able to access public folders during this process. Also, any mail sent to mail-
enabled public folders will be queued and won't be delivered until the public folder migration is complete.
Before you run the PublicFoldersLockedForMigration command as described below, make sure that all jobs are in
the Synced state. You can do this by running the Get-PublicFolderMailboxMigrationRequest command. Continue
with this step only after you've verified that all jobs are in the Synced state.
On the legacy Exchange server, run the following command to lock the legacy public folders for finalization.

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

For detailed syntax and parameter information, see Set-OrganizationConfig.
If your organization has multiple public folder databases, you'll need to wait until public folder replication is
complete to confirm that all public folder databases have picked up the PublicFoldersLockedForMigration flag and
any pending changes users recently made to folders have converged across the organization. This may take
several hours.

Step 7: Finalize the public folder migration (downtime required)


To complete the public folder migration, run the following command:

Complete-MigrationBatch PublicFolderMigration

When you complete the migration, Exchange will perform a final synchronization between the legacy Exchange
server and Exchange Online. If the final synchronization is successful, the public folders in Exchange Online will be
unlocked and the status of the migration batch will change to Completed. It is common for the migration batch
to take a few hours before its status changes from Synced to Completing, at which point the final
synchronization will begin.
If you've configured a hybrid deployment between your on-premises Exchange servers and Office 365, you need
to run the following command in Exchange Online PowerShell after migration is complete:

Set-OrganizationConfig -RemotePublicFolderMailboxes $Null -PublicFoldersEnabled Local

Step 8: Test and unlock the public folder migration


After you finalize the public folder migration, you should run the following test to make sure that the migration
was successful. This allows you to test the migrated public folder hierarchy before you switch to using Office 365
or Exchange Online public folders.
1. In Office 365 or Exchange Online PowerShell, assign some test mailboxes to use any newly migrated public
folder mailbox as the default public folder mailbox.

Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

2. Log on to Outlook 2010 or later with the test user identified in the previous step, and then perform the
following public folder tests:
View the hierarchy.
Check permissions.
Create and delete public folders.
Post content to and delete content from a public folder.
3. If you run into any issues, see Roll back the migration later in this topic. If the public folder content and
hierarchy are acceptable and function as expected, continue to the next step.
4. On the legacy Exchange server, run the following command to indicate that the public folder migration is
complete:

Set-OrganizationConfig -PublicFolderMigrationComplete:$true

5. After you've verified that migration is complete, run the following command in Exchange Online
PowerShell to make sure that the PublicFoldersEnabled parameter on Set-OrganizationConfig is set to
Local:

Set-OrganizationConfig -PublicFoldersEnabled Local

For detailed syntax and parameter information, see the following topics:
Set-Mailbox
Get-Mailbox
Set-OrganizationConfig

How do I know this worked?


In Step 2: Prepare for the migration, you were instructed to take snapshots of the public folder structure, statistics,
and permissions before the migration began. The following steps will help verify that your public folder migration
was successful by taking the same snapshots after the migration is complete. You can then compare the data in
both files to verify success.
1. In Exchange Online PowerShell, run the following command to take a snapshot of the new folder structure.

Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Cloud_PFStructure.xml

2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder
statistics such as item count, size, and owner.

Get-PublicFolderStatistics -ResultSize Unlimited | Export-CliXML C:\PFMigration\Cloud_PFStatistics.xml

3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions.

Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Cloud_PFPerms.xml
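
One way to compare the two permission snapshots, shown as an added example that is not part of the original article: the functions flatten the imported entries and report every folder/user pair whose rights are missing, added, or changed after migration. The function names and sample rows are constructed for illustration. The example assumes PowerShell 3.0 or later and that each imported entry exposes Identity and User properties and converts to a string as the access right name.

```powershell
# Added example, not part of the original article.

function ConvertTo-PermissionRow {
    # Flattens one imported snapshot entry into plain strings.
    # Assumption: the entry exposes Identity and User and stringifies to the
    # access right name, as Select-Object ... -ExpandProperty AccessRights emits.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        [pscustomobject]@{
            Folder = [string]$Entry.Identity
            User   = [string]$Entry.User
            Right  = [string]$Entry
        }
    }
}

function Get-PermissionIndex {
    # Builds a lookup keyed by "folder|user" that collects the rights per pair.
    param([object[]] $Rows = @())
    $index = @{}
    foreach ($row in $Rows) {
        $key = '{0}|{1}' -f $row.Folder, $row.User
        if (-not $index.ContainsKey($key)) {
            $index[$key] = [pscustomobject]@{
                Folder = $row.Folder; User = $row.User; Rights = @()
            }
        }
        $index[$key].Rights += $row.Right
    }
    $index
}

function Compare-PermissionSnapshot {
    # Emits one row per folder/user pair whose rights differ between snapshots.
    param([object[]] $Legacy = @(), [object[]] $Cloud = @())

    $before = Get-PermissionIndex $Legacy
    $after  = Get-PermissionIndex $Cloud
    $keys   = @($before.Keys) + @($after.Keys) | Sort-Object -Unique

    foreach ($key in $keys) {
        $old = $before[$key]
        $new = $after[$key]
        $oldRights = if ($old) { ($old.Rights | Sort-Object -Unique) -join ',' } else { '' }
        $newRights = if ($new) { ($new.Rights | Sort-Object -Unique) -join ',' } else { '' }
        if ($oldRights -eq $newRights) { continue }   # unchanged pair

        if (-not $new) {
            $status = 'MissingInCloud'
        } elseif (-not $old) {
            $status = 'AddedInCloud'
        } else {
            $status = 'RightsChanged'
        }
        $entry = if ($old) { $old } else { $new }
        [pscustomobject]@{
            Status       = $status
            Folder       = $entry.Folder
            User         = $entry.User
            LegacyRights = $oldRights
            CloudRights  = $newRights
        }
    }
}

# Constructed sample rows, already in the flattened Folder/User/Right form.
$legacyRows = @(
    [pscustomobject]@{ Folder = '\Finance';       User = 'Default';   Right = 'Author' }
    [pscustomobject]@{ Folder = '\Finance';       User = 'Anonymous'; Right = 'None' }
    [pscustomobject]@{ Folder = '\Finance\Audit'; User = 'Alice';     Right = 'Owner' }
)
$cloudRows = @(
    [pscustomobject]@{ Folder = '\Finance';       User = 'Default';   Right = 'Author' }
    [pscustomobject]@{ Folder = '\Finance';       User = 'Anonymous'; Right = 'CreateItems' }
    [pscustomobject]@{ Folder = '\Finance\Audit'; User = 'Bob';       Right = 'Owner' }
)
Compare-PermissionSnapshot -Legacy $legacyRows -Cloud $cloudRows | Format-Table -AutoSize

# With the real snapshot files from this topic:
# $legacy = Import-Clixml C:\PFMigration\Legacy_PFPerms.xml | ConvertTo-PermissionRow
# $cloud  = Import-Clixml C:\PFMigration\Cloud_PFPerms.xml  | ConvertTo-PermissionRow
# Compare-PermissionSnapshot -Legacy $legacy -Cloud $cloud
```

User names are compared as they appear in each snapshot, so a user that the two environments render differently shows up as one MissingInCloud row and one AddedInCloud row for the same folder.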

Remove public folder databases from the legacy Exchange servers


After the migration is complete, and you have verified that your Exchange Online public folders are working as
expected, you should remove the public folder databases on the legacy Exchange servers.

IMPORTANT
Since all of your mailboxes have been migrated to Office 365 prior to the public folder migration, we strongly recommend
that you route the traffic through Office 365 (decentralized mail flow) instead of centralized mail flow through your on-
premises environment. If you choose to keep mail flow centralized, it could cause delivery issues to your public folders, since
you've removed the public folder mailbox databases from your on-premises organization.

For details about how to remove public folder databases from Exchange 2010 servers, see Remove Public
Folder Databases.

Roll back the migration


If you run into issues with the migration and need to reactivate your legacy Exchange public folders, perform the
following steps.
CAUTION

If you roll your migration back to the legacy Exchange servers, you will lose any email that was sent to mail-
enabled public folders or content that was posted to public folders after the migration. To save this content, you
need to export the public folder content to a .pst file and then import it to the legacy public folders when the
rollback is complete.
1. On the legacy Exchange server, run the following command to unlock the legacy Exchange public folders.
This process may take several hours.

Set-OrganizationConfig -PublicFoldersLockedForMigration:$False

2. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders.

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder:$true | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force

3. On the legacy Exchange server, run the following command to set the PublicFolderMigrationComplete flag
to $false .

Set-OrganizationConfig -PublicFolderMigrationComplete:$False

Migrate Public Folders to Office 365 by using Outlook PST export


We recommend that you don't use Outlook's PST export feature to migrate public folders to Office 365 or
Exchange Online if your on-premises public folder hierarchy is greater than 30 GB. Office 365 online public folder
mailbox growth is managed using an auto-split feature that splits the public folder mailbox when it exceeds size
quotas. Auto-split can't handle the sudden growth of public folder mailboxes when you use PST export to migrate
your public folders and you may have to wait for up to two weeks for auto-split to move the data from the
primary mailbox. In addition, consider the following before using Outlook PST to export public folders to Office
365 or Exchange Online:
Public folder permissions will be lost during this process. Capture the current permissions before migration
and manually add them back once the migration is completed.
If you use complex permissions or have many folders to migrate, we recommend that you use the cmdlet
method for migration.
Any item and folder changes made to the source public folders during the PST export migration will be
lost. Therefore, we recommend that you use the cmdlet method if this export and import process will take a
long time to complete.
If you still want to migrate your public folders by using PST files, follow these steps to ensure a successful
migration.
1. Use the instructions in Step 1: Download the migration scripts to download the migration scripts. You only
need to download the PublicFolderToMailboxMapGenerator.ps1 file.
2. Follow step 2 of Step 3: Generate the .csv files to create the public folder-to-mailbox mapping file. This file
is used to calculate the correct number of public folder mailboxes in Exchange Online.
3. Create the public folder mailboxes that you'll need based on the mapping file. For more information, see
Create a public folder mailbox.
4. Use the New-PublicFolder cmdlet to create the top-most public folder in each of the public folder
mailboxes by using the Mailbox parameter.
5. Export and import the PST files using Outlook.
6. Set the permissions on the public folders using the EAC. For more information, follow Step 3: Assign
permissions to the public folder in the Set up public folders in a new organization topic.
Caution

If you've already started a PST migration and have run into an issue where the primary mailbox is full, you have
two options for recovering the PST migration:
Wait for the auto-split to move the data from the primary mailbox. This may take up to two weeks. However, all
the public folders in a completely filled public folder mailbox won't be able to receive new content until the
auto-split completes.
Create a public folder mailbox and then use the New-PublicFolder cmdlet with the Mailbox parameter to create the
remaining public folders in the secondary public folder mailbox. This example creates a new public folder named
PF201 in the secondary public folder mailbox.
Use batch migration to migrate Exchange 2013 public folders to Exchange Online
3/6/2019

Summary: This article tells you how to move modern public folders from Exchange 2013 to Office 365.
Migrating your Exchange 2013 public folders to Exchange Online requires Exchange Server 2013 CU15 or later
running in your on-premises environment.

NOTE
If you have both Exchange 2013 and Exchange 2016 public folders in your organization, and you want to move them all to
Exchange Online, use the Exchange 2016 version of this article to plan and execute your migration. Your Exchange 2013
servers will still need to have CU15 or later installed.

What do you need to know before you begin?


When you upgrade to Exchange Server 2013 CU15 or later, you must also prepare Active Directory or your
public folder migration will fail. This Active Directory preparation ensures that all relevant PowerShell
cmdlets and parameters are available to you for preparing and running the migration. See Prepare Active
Directory and Domains for more information.
In Exchange Online, you need to be a member of the Organization Management role group. This role
group is different from the permissions assigned to you when you subscribe to Office 365 or Exchange
Online. For details about how to enable the Organization Management role group, see Manage Role
Groups.
In Exchange Server 2013, you need to be a member of the Organization Management or Server
Management RBAC role groups. For details, see Add Members to a Role Group.
Before you begin the public folder migration, if any single public folder in your organization is larger than
25 GB, we recommend that you delete content from that folder to make it smaller, or divide the public
folder's content into multiple, smaller public folders. Note that the 25 GB limit cited here only applies to the
public folder and not to any child or sub-folders the folder in question may have. If neither option is
feasible, we recommend that you do not move your public folders to Exchange Online. See Exchange
Online Limits for more information.

NOTE
If your current public folder quotas in Exchange Online are less than 25 GB, you can use the Set-OrganizationConfig
cmdlet to increase them with the DefaultPublicFolderIssueWarningQuota and DefaultPublicFolderProhibitPostQuota
parameters.

In Office 365 and Exchange Online, you can create a maximum of 1000 public folder mailboxes.
If you intend to migrate users to Office 365, you should complete your user migration prior to migrating
your public folders. For more information, see Ways to migrate multiple email accounts to Office 365.
MRS Proxy needs to be enabled on at least one Exchange server, a server that is also hosting public folder
mailboxes. See Enable the MRS Proxy Endpoint for Remote Moves for details.
To perform the migration procedures in this article, you can't use the Exchange admin center (EAC). Instead,
you need to use the Exchange Management Shell on your Exchange 2013 servers. In Exchange Online, you
need to use Exchange Online PowerShell. For more information, see Connect to Exchange Online
PowerShell.
Migrating deleted items and deleted folders from Exchange 2013 to Exchange Online is supported. Before
you begin your migration, we recommend that you review all deleted folders and folder items and
permanently delete anything you won't need in Exchange Online. Note that once something is permanently
deleted, it can't be recovered.
You can use the following commands to list deleted public folders present in the Exchange dumpster (in
your Exchange on-premises environment):

Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse | ?{$_.FolderClass -ne "$null"} | ft name,foldersize

To permanently delete a specific folder, use the following command (this example uses a folder named
'Calendar2'):

Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse | ?{$_.FolderClass -ne "$null" -and $_.Name -eq "Calendar2"} | Remove-PublicFolder

You must use a single migration batch to migrate all of your public folder data. Exchange allows creating
only one migration batch at a time. If you attempt to create more than one migration batch simultaneously,
the result will be an error.
Before you begin, please read this article in its entirety. For some steps there is downtime required. During
this downtime, public folders will not be accessible by anyone.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Download the migration scripts


1. Download all scripts and supporting files from Exchange 2013/2016 Public Folders Migration Scripts.
2. Save the scripts to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
Make sure all scripts are saved in the same location.
The scripts and files you're downloading are:
Sync-ModernMailPublicFolders.ps1 : This script synchronizes mail-enabled public folder objects between
your Exchange on-premises environment and Office 365. You'll run this script on an Exchange 2013 server.
SyncModernMailPublicFolders.strings.psd1 : This support file is used by the
Sync-ModernMailPublicFolders.ps1 script and should be downloaded to the same location.
Export-ModernPublicFolderStatistics.ps1 : This script creates the folder name-to-folder size and deleted
item size mapping file. You'll run this script on the Exchange 2013 server.
Export-ModernPublicFolderStatistics.strings.psd1 : This support file is used by the
Export-ModernPublicFolderStatistics.ps1 script and should be downloaded to the same location.
ModernPublicFolderToMailboxMapGenerator.ps1 : This script creates the public folder-to-mailbox mapping file
by using the output from the Export-ModernPublicFolderStatistics.ps1 script. You'll run this script on an
Exchange 2013 server.
ModernPublicFolderToMailboxMapGenerator.strings.psd1 : This support file is used by the
ModernPublicFolderToMailboxMapGenerator.ps1 script and should be downloaded to the same location.
SetMailPublicFolderExternalAddress.ps1 : This script updates ExternalEmailAddress of mail-enabled public
folders in your on-premises environment to that of their Exchange Online counterparts. This ensures that,
post-migration, emails addressed to mail-enabled public folders are properly routed to Exchange Online.
You need to run this script on an Exchange 2013 server.
SetMailPublicFolderExternalAddress.strings.psd1 : This support file is used by the
SetMailPublicFolderExternalAddress.ps1 script and should be downloaded to the same location.

Step 2: Prepare for the migration


Perform all prerequisite steps in the following sections before you begin the public folder migration.
General prerequisite steps
For your migration to be successful, you should:
Make sure that there are no orphaned public folder mail objects in Active Directory. These are objects in
Active Directory without a corresponding Exchange object.
Confirm that the SMTP email addresses configured for public folders in Active Directory match the SMTP
email addresses on the Exchange objects.
Confirm that there are no duplicate public folder objects in Active Directory. This is necessary to avoid
having two or more Active Directory objects that are pointing to the same mail-enabled public folder.
Prerequisite steps in the on-premises Exchange 2013 server environment
In the Exchange Management Shell (on-premises) perform the following steps:
1. Once your migration is complete, it will take some time for DNS caches across the internet to direct
messages to your mail-enabled public folders in their new location in Exchange Online. You can ensure that
your newly migrated mail-enabled public folders receive messages during this DNS transition period by
creating an accepted domain with a well-known name. To do this, run the following command in your
Exchange on-premises environment. In this example, target domain is your Office 365 or Exchange Online
domain, for which a send connector has already been configured by the Hybrid Configuration Wizard.

New-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 -DomainName <target domain> -DomainType InternalRelay

Example:

New-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 -DomainName "contoso.mail.onmicrosoft.com" -DomainType InternalRelay

If the accepted domain already exists in your on-premises environment, rename it to
PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 and leave the other attributes intact.

To check if the accepted domain is already present in your on-premises environment:

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"}


To rename the accepted domain to PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99 , run the
following:

Get-AcceptedDomain | Where {$_.DomainName -eq "<target domain>"} | Set-AcceptedDomain -Name PublicFolderDestination_78c0b207_5ad2_4fee_8cb9_f373175b3f99

NOTE
If you're expecting your mail-enabled public folders in Exchange Online to receive external emails from the internet,
you have to disable Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP).
See Use Directory Based Edge Blocking to reject messages sent to invalid recipients for more information.

2. If the name of a public folder contains a backslash \ or a forward slash /, it may not get migrated to its
designated mailbox during the migration process. Before you migrate, rename any such folders to remove
these characters.
a. To locate public folders that have a backslash or a forward slash in the name, run the following command:

Get-PublicFolder -Recurse -ResultSize Unlimited | Where {$_.Name -like "*\*" -or $_.Name -like "*/*"} | Format-List Name, Identity, EntryId

b. If any public folders are returned, you can rename them by running the following command:

Set-PublicFolder -Identity "<public folder EntryId>" -Name "<new public folder name>"

3. Take the following steps to confirm there isn't a record of a previous, successful migration in your
organization. If there is, you need to set that value to $false .
Before changing the values, please confirm that the previous migration attempt can be discarded so that
you don't accidentally perform a second migration.
a. Run the following command to check for any previous migrations, and the status of those
migrations:

Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete, PublicFolderMailboxesLockedForNewConnections, PublicFolderMailboxesMigrationComplete

NOTE
If either the PublicFoldersLockedforMigration or PublicFolderMigrationComplete parameters are
$true , it means you have migrated legacy public folders at some point. Make sure any legacy public folder
databases have been decommissioned before you continue to step 3b.

b. If any of the above is returned with a value set to $true , make them $false by running:

Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false

4. For the purpose of verifying the success of the migration upon its completion, we recommend that you run
the following commands on all appropriate Exchange 2013 servers. This will take snapshots of your current
public folder deployment that you can later use to compare with your newly migrated public folders.

NOTE
Depending on the size of your Exchange organization, it could take some time for these commands to run.

Run the following command to take a snapshot of the original source folder structure.

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML OnPrem_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as item count, size, and
owner.

Get-PublicFolderStatistics -ResultSize Unlimited | Export-CliXML OnPrem_PFStatistics.xml

Run the following command to take a snapshot of public folder permissions.

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML OnPrem_PFPerms.xml

Run the following command to take a snapshot of your mail-enabled public folders:

Get-MailPublicFolder -ResultSize Unlimited | Export-CliXML OnPrem_MEPF.xml

Save the files generated from the preceding commands in a safe place in order to make a comparison at
the end of the migration.
5. If you are using Microsoft Azure Active Directory Connect (Azure AD Connect) to synchronize your on-
premises directories with Azure Active Directory, you must take the following actions (if you are not using
Azure AD Connect, you can skip this step):
a. On an on-premises computer, open Microsoft Azure Active Directory Connect, and then select
Configure.
b. On the Additional tasks screen, select Customize synchronization options, and then click Next.
c. On the Connect to Azure AD screen, enter the appropriate credentials, and then click Next. Once
connected, keep clicking Next until you are on the Optional Features screen.
d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected, you can continue
to the next section, Prerequisite steps in Exchange Online. If it is selected, click to clear the check box,
and then click Next.

NOTE
If you don't see Exchange Mail Public Folders as an option on the Optional Features screen, you can exit
Microsoft Azure Active Directory Connect and proceed to the next section, Prerequisite steps in Exchange
Online.

e. After you have cleared the Exchange Mail Public Folders selection, keep clicking Next until you
are on the Ready to configure screen, and then click Configure.
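One way to use the permission snapshot from step 4 once the migration is done, as an added example that is not part of the original article or the migration scripts: it diffs a pre-migration snapshot against one taken in Exchange Online and flags new grants to the Default and Anonymous entries. The function names, the NeedsReview column and the sample records are constructed for illustration; it assumes each imported record exposes Identity and User and that its string form is the access right name.

```powershell
# Added example, not part of the Microsoft migration scripts.
# Builds a lookup of "folder|user|right" -> entry from snapshot records.
# Assumption: records carry Identity and User properties; the right name is
# either an AccessRight property (constructed sample below) or the record's
# string form (objects re-imported with Import-Clixml).
function Get-PermissionIndex {
    param([object[]] $Records)
    $index = @{}    # hashtable keys compare case-insensitively
    foreach ($r in $Records) {
        $right = if ($r.PSObject.Properties['AccessRight']) { [string]$r.AccessRight } else { [string]$r }
        $entry = [pscustomobject]@{ Folder = [string]$r.Identity; User = [string]$r.User; Right = $right }
        $index[('{0}|{1}|{2}' -f $entry.Folder, $entry.User, $entry.Right)] = $entry
    }
    $index
}

# Emits one row per permission entry that exists in only one snapshot.
function Compare-PFPermissionSnapshot {
    param(
        [object[]] $Before,
        [object[]] $After,
        [string[]] $BroadPrincipals = @('Default', 'Anonymous')
    )
    $old = Get-PermissionIndex $Before
    $new = Get-PermissionIndex $After

    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            $e = $new[$key]
            [pscustomobject]@{
                Change = 'Added'; Folder = $e.Folder; User = $e.User; Right = $e.Right
                # A new non-empty grant to an everyone-style entry widens access.
                NeedsReview = ($BroadPrincipals -contains $e.User) -and ($e.Right -ne 'None')
            }
        }
    }
    foreach ($key in $old.Keys) {
        if (-not $new.ContainsKey($key)) {
            $e = $old[$key]
            [pscustomobject]@{
                Change = 'Removed'; Folder = $e.Folder; User = $e.User; Right = $e.Right
                NeedsReview = $false
            }
        }
    }
}

# Constructed sample records standing in for the two imported snapshots.
$before = @(
    [pscustomobject]@{ Identity = '\Finance';    User = 'Default';   AccessRight = 'None' }
    [pscustomobject]@{ Identity = '\Finance';    User = 'Kim Akers'; AccessRight = 'Owner' }
    [pscustomobject]@{ Identity = '\HR\Reviews'; User = 'Anonymous'; AccessRight = 'None' }
)
$after = @(
    [pscustomobject]@{ Identity = '\Finance';    User = 'Default';   AccessRight = 'Author' }
    [pscustomobject]@{ Identity = '\Finance';    User = 'Kim Akers'; AccessRight = 'Owner' }
    [pscustomobject]@{ Identity = '\HR\Reviews'; User = 'Anonymous'; AccessRight = 'None' }
)

Compare-PFPermissionSnapshot -Before $before -After $after |
    Sort-Object Folder, User, Change |
    Format-Table -AutoSize

# With the real snapshot files named on this page:
# Compare-PFPermissionSnapshot -Before (Import-Clixml .\OnPrem_PFPerms.xml) `
#                              -After  (Import-Clixml C:\PFMigration\Cloud_PFPerms.xml)
```

User names can be rendered differently on-premises and in Exchange Online, so rows that differ only in the User value need a manual check before they are treated as drift.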
Prerequisite steps in Exchange Online
In Exchange Online PowerShell, do the following:
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step is only required if you think there may be an existing migration request
in the pipeline (one that has failed or that you wish to abort).
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting, and removing, each type of request are as follows.
The following example will discover any existing serial migration requests:

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics

The following example removes any existing public folder serial migration requests:

Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest

The following example will discover any existing batch migration requests:

Get-MigrationBatch | ?{$_.MigrationType.ToString() -eq "PublicFolder"}

The following example removes any existing public folder batch migration requests:

Remove-MigrationBatch <name of migration batch> -Confirm:$false

2. You need to have the migration feature PAW enabled for your Office 365 tenant. You can check this by
running the following command in Exchange Online PowerShell:

Get-MigrationConfig

If the output under Features has PAW, then the feature is enabled and you can continue to the next step.
If PAW is not yet enabled for your tenant, it could be because you have some existing migration batches,
either public folder batches or user batches. These batches could be in any state, including Completed. If
this is the case, please complete and remove any migration batches until no records are returned when you
run Get-MigrationBatch . Once all the existing batches are removed, PAW should get enabled automatically.
Note that the change may not reflect in Get-MigrationConfig immediately, but that is okay. In the case of
user migrations, you can continue creating new batches once this step is completed.
3. Make sure there aren't any existing public folders or public folder mailboxes in Exchange Online. If you do
discover public folders in Exchange Online after following the steps below, it's important to determine why
they are there and who in your organization started a public folder hierarchy before you begin removing
any public folders and public folder mailboxes.
a. In Office 365 or Exchange Online PowerShell, run the following command to see if any public
folder mailboxes exist.

Get-Mailbox -PublicFolder

b. If the command doesn't return any public folder mailboxes, continue to Step 3: Generate the .csv
files. If the command does return any public folder mailboxes, run the following command to see if
any public folders exist:

Get-PublicFolder -Recurse

c. If you do have any public folders in Office 365 or Exchange Online, run the following PowerShell
command to remove them (after confirming that they are not needed). Make sure that you've saved
any information within these public folders before deleting them, because all information will be
permanently deleted when you remove the public folders.

Get-MailPublicFolder -ResultSize Unlimited | where {$_.EntryId -ne $null} | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ -ResultSize Unlimited | Remove-PublicFolder -Recurse -Confirm:$false

d. After the public folders are removed, run the following commands to remove all public folder
mailboxes:

$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | Remove-Mailbox -PublicFolder -PermanentlyDelete:$true

Step 3: Generate the .csv files


Use the previously downloaded scripts to generate the .csv files that will be used in the migration.
1. From the Exchange Management Shell (on premises), run the Export-ModernPublicFolderStatistics.ps1
script to create the folder name-to-folder size mapping file. You must have local administrator permissions
to run this script. The resulting file will contain three columns: FolderName, FolderSize, and
DeletedItemSize. The values for the FolderSize and DeletedItemSize columns will be displayed in
bytes. For example, \PublicFolder01,10240, 100 means the public folder in the root of your hierarchy
named PublicFolder01 is 10240 bytes, or 10.240 MB, in size, and there are 100 bytes of recoverable items
in it.

.\Export-ModernPublicFolderStatistics.ps1 <Folder-to-size map path>

Example:

.\Export-ModernPublicFolderStatistics.ps1 stats.csv

2. Run the ModernPublicFolderToMailboxMapGenerator.ps1 script to create a .csv file that maps source public
folders to public folder mailboxes in your Exchange Online destination. This file is used to calculate the
correct number of public folder mailboxes in Exchange Online.
NOTE
The file generated by ModernPublicFolderToMailboxMapGenerator.ps1 will not contain the name of every public
folder in your organization. It will contain references to the parent folders of larger folder trees, or the names of
folders which themselves are significantly large. You can think of this file as an "exception" file used to make sure
certain folder trees and larger folders get placed into specific public folder mailboxes. It is normal to not see every
one of your public folders in this file. Child folders of any folder listed in this mapping file will also be migrated to the
same public folder mailbox as their parent folder (unless explicitly mentioned on another line within the mapping file
that directs them to a different public folder mailbox).

.\ModernPublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Maximum mailbox recoverable item size in bytes> <Folder-to-size map path> <Folder-to-mailbox map path>

<Maximum mailbox size in bytes> is the maximum amount of data you want to migrate into any
single public folder mailbox in Exchange Online. The maximum size of this field is currently 50 GB,
but we recommend you use a smaller size, such as 50% of maximum size, to allow for future growth.
<Maximum mailbox recoverable items size in bytes> is the recoverable items quota on your
Exchange Online mailboxes. The maximum size of public folder mailboxes in Exchange Online is
currently 50 GB. We recommend setting RecoverableItemsQuota to 15 GB or less.
<Folder-to-size map path> is the file path of the .csv file you created when you ran the
Export-ModernPublicFolderStatistics.ps1 script.

<Folder-to-mailbox map path> is the file path of the folder-to-mailbox .csv file that you are creating
in this step. If you only specify a file name, the file will be generated in the current PowerShell
directory on the local computer.
Example:

.\ModernPublicFolderToMailboxMapGenerator.ps1 -MailboxSize 25GB -MailboxRecoverableItemSize 1GB -ImportFile .\stats.csv -ExportFile map.csv

NOTE
We don't support migrating public folders to Exchange Online if the number of unique public folder
mailboxes in Exchange Online is more than 100.
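A pre-flight check of the two .csv files against the limits stated in this article, as an added example that is not part of the original article or the migration scripts. The function name Test-PFMigrationInput and the sample rows are constructed; the check assumes the most specific (longest) mapped path decides a folder's target mailbox, following the note above about child folders.

```powershell
# Added example, not part of the Microsoft migration scripts.
# Column names (FolderName, FolderSize, FolderPath, TargetMailbox) and the
# 25 GB per-folder and 100 mailbox limits are the ones given in this article.
function Test-PFMigrationInput {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Stats,   # rows of stats.csv
        [Parameter(Mandatory = $true)] [object[]] $Map,     # rows of map.csv
        [long] $MaxFolderBytes  = 25GB,
        [long] $MaxMailboxBytes = 25GB,   # the -MailboxSize value used for the map
        [int]  $MaxMailboxes    = 100
    )
    $findings = @()

    # The Step 4 script takes the primary mailbox from the single '\' row.
    $rootRows = @($Map | Where-Object { $_.FolderPath -eq '\' })
    if ($rootRows.Count -ne 1) {
        $findings += "Expected exactly one mapping for '\', found $($rootRows.Count)."
    }

    $mailboxes = @($Map | ForEach-Object { $_.TargetMailbox } | Sort-Object -Unique)
    if ($mailboxes.Count -gt $MaxMailboxes) {
        $findings += "$($mailboxes.Count) target mailboxes exceeds the supported $MaxMailboxes."
    }

    # Assumption: the longest matching mapped path wins, so child folders
    # follow their parent unless they have their own line in the map.
    $ordered   = @($Map | Sort-Object { $_.FolderPath.Length } -Descending)
    $projected = @{}
    foreach ($folder in $Stats) {
        $name = $folder.FolderName
        $size = [long]$folder.FolderSize
        if ($size -gt $MaxFolderBytes) {
            $findings += "Folder $name is $size bytes, above the per-folder limit."
        }
        $target = $ordered | Where-Object {
            $prefix = $_.FolderPath.TrimEnd('\') + '\'
            $name -eq $_.FolderPath -or
                $name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        if (-not $target) {
            $findings += "No mapping covers $name."
            continue
        }
        $projected[$target.TargetMailbox] += $size
    }

    foreach ($mbx in $projected.Keys) {
        if ($projected[$mbx] -gt $MaxMailboxBytes) {
            $findings += "Mailbox $mbx would receive $($projected[$mbx]) bytes, above the mailbox limit."
        }
    }

    [pscustomobject]@{
        MailboxCount   = $mailboxes.Count
        ProjectedBytes = $projected
        Findings       = $findings
    }
}

# Constructed sample data standing in for stats.csv and map.csv.
$stats = @'
"FolderName","FolderSize","DeletedItemSize"
"\Finance",1073741824,1024
"\Finance\Archive",32212254720,0
"\HR",524288000,2048
'@ | ConvertFrom-Csv

$map = @'
"FolderPath","TargetMailbox"
"\","Mailbox1"
"\Finance\Archive","Mailbox2"
'@ | ConvertFrom-Csv

$result = Test-PFMigrationInput -Stats $stats -Map $map
$result.Findings          # the 30 GB folder and its target mailbox are reported
$result.ProjectedBytes    # projected bytes per target mailbox

# With the files generated in this step:
# Test-PFMigrationInput -Stats (Import-Csv .\stats.csv) -Map (Import-Csv .\map.csv)
```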

Step 4: Create the public folder mailboxes in Exchange Online


Next, in Exchange Online PowerShell, create the target public folder mailboxes that will contain your migrated
public folders.
Run the following script to create the target public folder mailboxes. The script will create a target mailbox for each
mailbox in the .csv file that you generated previously in Step 3: Generate the .csv files, when you ran the
ModernPublicFoldertoMailboxMapGenerator.ps1 script.

$mappings = Import-Csv <Folder-to-mailbox map path>
$primaryMailboxName = ($mappings | Where-Object FolderPath -eq "\" ).TargetMailbox
New-Mailbox -HoldForMigration:$true -PublicFolder -IsExcludedFromServingHierarchy:$false $primaryMailboxName
($mappings | Where-Object TargetMailbox -ne $primaryMailboxName).TargetMailbox | Sort-Object -unique |
ForEach-Object { New-Mailbox -PublicFolder -IsExcludedFromServingHierarchy:$false $_ }

Folder-to-mailbox map path is the file path of the folder-to-mailbox .csv file that was generated by the
ModernPublicFoldertoMailboxMapGenerator.ps1 script in Step 3: Generate the .csv files.

Step 5: Start the migration request


A number of commands now need to be run in your Exchange 2013 on-premises environment and in Exchange
Online.
1. From any of your Exchange 2013 servers hosting public folder mailboxes, execute the following script. This
script will synchronize mail-enabled public folders from your local Active Directory to Exchange Online.
Make sure that you have downloaded the latest version of this script and that you are running it from the
Exchange Management Shell.

.\Sync-ModernMailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv

You're prompted for your Exchange Online administrative username and password.
CsvSummaryFile is the file path to where you want your log file of synchronization operations and
errors located. The log will be in .csv format.
2. On the Exchange 2013 server, find the MRS proxy endpoint server and make note of it. You will need this
information to run the migration request. Save this information for step 3b below.
3. In Exchange Online PowerShell, run the following commands to pass credential information and the MRS
information from the previous step to cmdlet variables that will be used in the migration request.
a. Pass the credential of a user who has administrator permissions in the Exchange 2013 on-premises
environment into the variable $Source_Credential . The migration request that you run in Exchange
Online will use this credential to gain access to your on-premises Exchange 2013 servers to copy the
public folder content over to Exchange Online.

$Source_Credential = Get-Credential <source_domain>\<PublicFolder_Administrator_Account>

b. Take the MRS Proxy Server information from the Exchange 2013 environment that you found in
step 2 above and pass it into the variable:

$Source_RemoteServer = "<paste the value here>"

4. In Exchange Online PowerShell, run the following commands to create the public folder migration endpoint
and the public folder migration request:

$PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RemoteServer $Source_RemoteServer -Credentials $Source_Credential
[byte[]]$bytes = Get-Content -Encoding Byte <folder_mapping.csv>
New-MigrationBatch -Name PublicFolderMigration -CSVData $bytes -SourceEndpoint $PfEndpoint.Identity -NotificationEmails <email addresses for migration notifications>

NOTE
Separate multiple email addresses with commas.

Where folder_mapping.csv is the map file that was generated in Step 3: Generate the .csv files. Be sure to
provide the full file path. If the map file was moved for any reason, be sure to use the new location.
5. Finally, start the migration using the following command in Exchange Online PowerShell:

Start-MigrationBatch PublicFolderMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress and completion of the migration can be viewed and managed in the EAC or by running the
Get-MigrationBatch cmdlet. The New-MigrationBatch cmdlet initiates a mailbox migration request for each public
folder mailbox, and you can view the status of these requests using the mailbox migration page.
To go to the mailbox migration page:
1. Log on to Exchange Online and open the EAC.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
Before moving on to Step 6: Lock down the public folders on the Exchange 2013 server, verify that all data has
been copied and that there are no errors in the migration. Once you have confirmed that the batch has moved to
the state of Synced, run the commands mentioned in Step 2: Prepare for the migration, in the final step under
Prerequisite steps in the on-premises Exchange 2013 server environment, to take a snapshot of the public
folders on-premises. Once these commands have run, you can proceed to the next step. Note that these
commands could take a while to complete depending on the number of folders you have.

Step 6: Lock down the public folders in the Exchange 2013 environment for final migration (public folder downtime required)

Until this point in the migration process, users have been able to access your on-premises public folders. The
following steps will now log users off from Exchange 2013 public folders and then lock the folders as the
migration process completes its final synchronization. Users won't be able to access public folders during this
time, and any messages sent to these mail-enabled public folders will be queued and remain undelivered until the
public folder migration is complete.
Before you run the PublicFolderMailboxesLockedForNewConnections command as described below, make sure that
all jobs are in the Synced state. You can do this by running the Get-PublicFolderMailboxMigrationRequest
command. Continue with this step only after you've verified that all jobs are in the Synced state.
In your on-premises environment, run the following command to lock the Exchange 2013 public folders for
finalization.

Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections $true

NOTE
If you are not able to access the -PublicFolderMailboxesLockedForNewConnections parameter, it could be because your
Active Directory was not prepared during the CU upgrade, as we advised above in What do you need to know before you
begin? See Prepare Active Directory and Domains for more information. Also note that any users who need access to
public folders should be migrated first, before you migrate the public folders themselves.

If your organization has public folder mailboxes on multiple Exchange 2013 servers, you'll need to wait until AD
replication is complete. Once complete, you can confirm that all public folder mailboxes have picked up the
PublicFolderMailboxesLockedForNewConnections flag, and that any pending changes users recently made to their
public folders have converged across the organization. All of this could take several hours.
Run the following command on-premises to confirm that the public folders are locked:

Get-PublicFolder \

Expected output, if public folders are locked, is:

[PS ] C:>Get-PublicFolder
Couldn't find the public folder mailbox.
+ CategoryInfo : NotSpecified: (:) [Get-PublicFolder], ObjectNotFoundException

Step 7: Finalize the public folder migration (public folder downtime required)

Before you can complete your public folder migration, you need to confirm that there are no other public folder
mailbox moves or public folder moves going on in your on-premises Exchange environment. To do this, use the
Get-MoveRequest and Get-PublicFolderMoveRequest cmdlets to list any existing public folder moves. If there are any
moves in progress, or in the Completed state, remove them.
Next, to complete the public folder migration, run the following command in Exchange Online PowerShell:

Complete-MigrationBatch PublicFolderMigration

When you run this command, Exchange will do a final synchronization between your Exchange on-premises
organization and Exchange Online. During this period, the status of the migration batch will change from Synced
to Completing, and then finally to Completed. If the final synchronization is successful, the public folders in
Exchange Online will be unlocked.
It is common for the migration batch to take a few hours before its status changes from Synced to Completing,
at which point the final synchronization will begin.

Step 8: Test and unlock public folders in Exchange Online


Once the public folder migration is complete, take the following steps to test the success of the migration, and to
officially verify its completion. These final tasks allow you to test the migrated public folder hierarchy before you
permanently switch your organization to Exchange Online public folders.
1. In Exchange Online PowerShell, assign some test user mailboxes to use one of your newly migrated public
folder mailboxes as their default public folder mailbox:

Set-Mailbox -Identity <test user> -DefaultPublicFolderMailbox <public folder mailbox identity>

Make sure that your test users have necessary permissions to create public folders.
2. Log on to Outlook with the test user you designated in the previous step, and then take the following public
folder tests. Note that it may take 15 to 30 minutes for changes to take effect. Once Outlook is aware of the
changes, it might prompt you to restart a couple of times.
a. View the hierarchy.
b. Check permissions.
c. Create some public folders and then delete them.
d. Post content to, and delete content from, a public folder.
If you run into any issues and determine that you're not ready to switch your organization's public folders
entirely to Exchange Online, see Roll back a public folder migration from Exchange 2013 to Exchange
Online.
3. Run the following command in Exchange Online PowerShell to unlock your public folders in Exchange
Online. After you run the command, it may take approximately 15 to 30 minutes for the changes to take
effect. After Outlook becomes aware of the changes, it might prompt your users to restart the program
several times.

Set-OrganizationConfig -RemotePublicFolderMailboxes $Null -PublicFoldersEnabled Local

Step 9: Finalize the migration on-premises


To enable emails to mail-enabled public folders on-premises, follow these steps:
1. In your on-premises environment, run the following script to make sure all emails to mail-enabled public
folders are correctly routed to Exchange Online. The script will stamp mail-enabled public folders with an
ExternalEmailAddress that points them to their Exchange Online counterparts:

.\SetMailPublicFolderExternalAddress.ps1 -ExecutionSummaryFile:mepf_summary.csv

2. If your testing is successful, in your on-premises environment, run the following command to indicate that
the public folder migration is complete:

Set-OrganizationConfig -PublicFolderMailboxesMigrationComplete:$true -PublicFoldersEnabled Remote

How do I know this worked?


In Step 2: Prepare for the migration, you took snapshots of your on-premises public folder structure, statistics, and
permissions. The following steps will help you verify your public folder migration was successful by taking the
same snapshots in Exchange Online post-migration. Compare the data in both files to verify success.
1. In Exchange Online PowerShell, run the following command to take a snapshot of the new folder structure:

Get-PublicFolder -Recurse -ResultSize Unlimited | Export-CliXML Cloud_PFStructure.xml

2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder
statistics, including item count, size, and owner:

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderStatistics | Export-CliXML Cloud_PFStatistics.xml

3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions:

Get-PublicFolder -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity, User, AccessRights | Export-CliXML Cloud_PFPerms.xml

4. In Exchange Online PowerShell, run the following command to take a snapshot of the mail-enabled public
folders:

Get-MailPublicFolder -ResultSize Unlimited | Export-CliXML Cloud_MEPF.xml
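
One way to do the comparison for the permissions snapshot, shown as an added example that is not part of the original article: it reports entries that are missing in Exchange Online, entries whose access rights changed, and entries that exist only in Exchange Online. The function names, the sample entries (constructed), and the on-premises snapshot file name in the final comment are assumptions.

```powershell
# Added example, not part of the original article.
# Builds a lookup of permission entries keyed by folder path and user.
function Get-PermissionIndex {
    param([object[]] $Entries)
    $index = @{}
    foreach ($entry in $Entries) {
        # After Import-Clixml, AccessRights can be one value or a collection.
        # Sort it so the same rights in a different order compare equal.
        $rights = @($entry.AccessRights | ForEach-Object { "$_" } | Sort-Object) -join ','
        $key = ('{0}|{1}' -f "$($entry.Identity)", "$($entry.User)").ToLowerInvariant()
        $index[$key] = [pscustomobject]@{
            Identity     = "$($entry.Identity)"
            User         = "$($entry.User)"
            AccessRights = $rights
        }
    }
    return $index
}

function New-PermissionFinding {
    param($Finding, $Entry, $OnPremisesRights, $CloudRights)
    [pscustomobject]@{
        Finding          = $Finding
        Identity         = $Entry.Identity
        User             = $Entry.User
        OnPremisesRights = $OnPremisesRights
        CloudRights      = $CloudRights
    }
}

function Compare-PublicFolderPermissionSnapshot {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $OnPremises,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Cloud
    )
    $before = Get-PermissionIndex -Entries $OnPremises
    $after  = Get-PermissionIndex -Entries $Cloud

    foreach ($key in ($before.Keys | Sort-Object)) {
        $old = $before[$key]
        if (-not $after.ContainsKey($key)) {
            # Entry was present on-premises and did not arrive in Exchange Online.
            New-PermissionFinding 'MissingInCloud' $old $old.AccessRights $null
        }
        elseif ($after[$key].AccessRights -ne $old.AccessRights) {
            # Same folder and user, different set of rights after migration.
            New-PermissionFinding 'RightsChanged' $old $old.AccessRights $after[$key].AccessRights
        }
    }
    foreach ($key in ($after.Keys | Sort-Object)) {
        if (-not $before.ContainsKey($key)) {
            # Access exists in Exchange Online that was never granted on-premises.
            New-PermissionFinding 'OnlyInCloud' $after[$key] $null $after[$key].AccessRights
        }
    }
}

# Constructed sample data standing in for the two imported snapshots.
$onPremSample = @(
    [pscustomobject]@{ Identity = '\';      User = 'Default'; AccessRights = @('Author') }
    [pscustomobject]@{ Identity = '\Sales'; User = 'Alice';   AccessRights = @('Owner') }
    [pscustomobject]@{ Identity = '\Sales'; User = 'Bob';     AccessRights = @('ReadItems', 'CreateItems') }
    [pscustomobject]@{ Identity = '\NON_IPM_SUBTREE\EFORMS REGISTRY'; User = 'Default'; AccessRights = @('Reviewer') }
)
$cloudSample = @(
    [pscustomobject]@{ Identity = '\Sales'; User = 'Alice';     AccessRights = @('Owner') }
    [pscustomobject]@{ Identity = '\Sales'; User = 'Bob';       AccessRights = @('CreateItems', 'ReadItems', 'DeleteOwnedItems') }
    [pscustomobject]@{ Identity = '\Sales'; User = 'Anonymous'; AccessRights = @('CreateItems') }
)

Compare-PublicFolderPermissionSnapshot -OnPremises $onPremSample -Cloud $cloudSample |
    Format-Table -AutoSize

# With real snapshots (the on-premises file name below is a placeholder):
# Compare-PublicFolderPermissionSnapshot `
#     -OnPremises (Import-Clixml '.\<on-premises permissions snapshot>.xml') `
#     -Cloud (Import-Clixml .\Cloud_PFPerms.xml)
```

Entries are matched on the string form of the folder path and user, so a user whose display form differs between the two snapshots appears as one MissingInCloud and one OnlyInCloud finding. Review OnlyInCloud and RightsChanged findings before unlocking public folders for all users.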


Known issues
The following are common public folder migration issues that you may experience in your organization.
We don't support migrating public folders to Exchange Online if the number of unique public folder
mailboxes in Exchange Online is more than 100.
Permissions for the root public folder and the EFORMS REGISTRY folder will not be migrated to Exchange
Online, and you will have to manually apply them in Exchange Online. To do this, run the following
command in your Exchange Online PowerShell. Run the command once for each permission entry that is
present on-premises but missing in Exchange Online:

Add-PublicFolderClientPermission "\" -User <user> -AccessRights <access rights>


Add-PublicFolderClientPermission "\NON_IPM_SUBTREE\EFORMS REGISTRY" -User <user> -AccessRights <access rights>

Some public folder migrations will fail if some public folder mailboxes are not serving the public folder
hierarchy. This means that the IsExcludedFromServingHierarchy parameter on one or more mailboxes is set
to $true. To avoid this, set all mailboxes in Exchange Online to serve the hierarchy.
Send As and Send on Behalf permissions don't get migrated to Exchange Online. If this happens with
your migration, use the following commands in your on-premises environment to note who has these
permissions.
To see which public folders have Send As permissions on-premises:

Get-MailPublicFolder | Get-ADPermission | ?{$_.ExtendedRights -like "*Send-As*"}

To see which public folders have Send on Behalf permissions on-premises:

Get-MailPublicFolder | ?{$_.GrantSendOnBehalfTo -ne "$null"} | ft name,GrantSendOnBehalfTo

To add Send As permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:

Add-RecipientPermission -Identity <mail-enabled public folder primary SMTP address> -Trustee <name of user to be assigned permission> -AccessRights SendAs

Example:

Add-RecipientPermission -Identity send1 -Trustee Exo1 -AccessRights SendAs

To add Send on Behalf permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:

Set-MailPublicFolder -Identity <name of public folder> -GrantSendOnBehalfTo <user or comma-separated list of users>

Example:

Set-MailPublicFolder send2 -GrantSendOnBehalfTo exo1,exo2


Having more than 10,000 folders under the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder can cause
the migration to fail. Therefore, check the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder to see if
there are more than 10,000 folders directly under it (immediate children). You can use the following
command to find the number of public folders in this location:

(Get-PublicFolder -GetChildren "\NON_IPM_SUBTREE\DUMPSTER_ROOT").Count

Exchange Online does not support more than 10,000 subfolders, which is why migrations of more than
10,000 folders will fail. We are currently developing a script to unblock such configurations. In the
meantime, we suggest waiting to migrate your public folders.
Migration jobs are not making progress or are stalled. This can happen if there are too many jobs running
in parallel, causing jobs to fail with intermittent errors. You can reduce the number of concurrent jobs by
modifying MaxConcurrentMigrations and MaxConcurrentIncrementalSyncs to a smaller number. Use the
following example to set these values:

Set-MigrationEndpoint <PublicFolderEndpoint> -MaxConcurrentMigrations 30 -MaxConcurrentIncrementalSyncs 20 -SkipVerification

Migration jobs fail with the error "Error: Dumpster of the Dumpster folder." If you see this error, it should be
resolved if you stop the batch and then restart it.
Migration jobs fail and generate a "Request was quarantined because of the following error: The given key
was not present in the dictionary" error message. This happens when a corrupted item is present in a folder
that migration jobs cannot copy. To work around this issue:
1. Stop the migration batch.
2. Identify the folder containing the bad item. The migration report should include references to the
folder that was being copied when the error occurred.
3. In your on-premises environment, move the affected folder to the primary public folder mailbox. You
can use the New-PublicFolderMoveRequest cmdlet to move folders.
4. Wait for the folder move to complete. After it is completed, remove the move request. Then, restart
the migration batch.

Remove public folder mailboxes from your Exchange on-premises environment

After the migration is complete and you have verified that your public folders in Exchange Online are working as
expected and contain all expected data, you can remove your on-premises public folder mailboxes.
Be aware that this step is irreversible, because once public folder mailboxes are deleted, they cannot be recovered.
Therefore, we strongly recommend that, in addition to verifying the success of your migration, you also monitor
your Exchange Online public folders for a few weeks before you remove the on-premises public folder mailboxes.

Roll back a public folder migration from Exchange Server to Exchange Online
2/28/2019 • 2 minutes to read

Summary: Follow these steps to return your public folder infrastructure to its pre-migration state in your
Exchange Server on-premises organization.
If you run into issues with your public folder migration to Exchange Online, or for any other reason need to
reactivate your Exchange Server public folders, follow the steps below.

Roll back the migration


Note that if you roll back your migration, you will lose any content that was added to public folders in Exchange
Online post-migration, either through clients or via email for mail-enabled public folders. To save this content, you
can export the post-migration public folder content to a .pst file, which can then be imported into the on-premises
public folders when the rollback is complete.
1. In your Exchange on-premises environment, run the following command to unlock your Exchange Server
public folders (note that the unlocking may take several hours):

Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -PublicFolderMailboxesMigrationComplete:$false -PublicFoldersEnabled Local

2. In your Exchange on-premises environment, revert the ExternalEmailAddress of any mail-enabled public
folder that was updated by SetMailPublicFolderExternalAddress.ps1 (the script used in Step 8: Test and
unlock public folders in Exchange Online of Use batch migration to migrate Exchange Server public folders
to Exchange Online). You can refer to the summary file created by the script to identify the ones that were
modified, or use the OnPrem_MEPF.xml file generated earlier in the same batch migration process to get
the original properties for all mail-enabled public folders.
3. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders
and mailboxes:

Get-MailPublicFolder -ResultSize Unlimited | where {$_.EntryId -ne $null} | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ -ResultSize Unlimited | Remove-PublicFolder -Recurse -Confirm:$false
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | Remove-Mailbox -PublicFolder -PermanentlyDelete:$true

4. Run the following command in your Exchange Online environment to redirect public folder traffic back to
on-premises (Exchange Server):

Set-OrganizationConfig -PublicFoldersEnabled Remote

5. See Configure Exchange Server public folders for a hybrid deployment for instructions on reconfiguring
access to your on-premises public folders, so your Exchange Online users can access them.

Migrate your public folders to Office 365 Groups
3/4/2019 • 8 minutes to read

Summary: Why you should or shouldn't migrate your Exchange public folders to Office 365 Groups.
This article provides a comparison of public folders and Office 365 Groups, and how one or the other might be the
best solution for your organization. Public folders have been around as long as Exchange, whereas Groups were
introduced more recently. If you want to migrate some or all of your public folders to Groups, this article describes
how the process works, and provides links to the articles that walk you through the process, step by step.

What are public folders?


Public Folders contain different kinds of data and are organized in a hierarchical structure.
Public folders are not recommended for the following situations:
Archiving data. Users with mailbox limits sometimes use public folders instead of mailboxes to archive
data. This practice isn't recommended because it affects storage in public folders and undermines the goal of
mailbox limits.
Document sharing and collaboration. Public folders don't provide document management features, such
as versioning, controlled check-in and check-out functionality, and automatic notifications of content
changes.

What are Office 365 Groups?


Groups in Office 365 let you choose a set of people who you wish to collaborate with, and then easily set up a
collection of resources for those people to share. You don't have to worry about manually assigning permissions to
those resources, because adding members to your group automatically gives the members the permissions they
need to access the tools and resources your group provides. Groups are also the new and improved experience for
those tasks that were previously handled by distribution lists and shared mailboxes.
For the full Groups story, see Learn about Office 365 Groups.

Should you migrate your public folders to Office 365 Groups?


Office 365 Groups is the latest collaboration offering from Microsoft, which means there are many reasons why
they would be a preferable solution over public folders, a much older technology. In Outlook, for example, Groups
can replace mail-enabled public folders altogether. Compiling a list of every scenario in which Office 365 Groups
works better than public folders is impossible, but here are the highlights:
Collaboration over email. Groups in Outlook has a dedicated Conversations space that stores all the
emails and lets users collaborate over them. The group can even be set up to receive messages from people
outside the group or from outside the organization. If you're currently using mail-enabled public folders to
store project-related discussions, for example, or purchase orders that need to be viewed by a team of
people, using groups would be an improvement. Groups are also better for situations when you simply want
to broadcast information to a set of users.
Collaboration over documents. In Outlook, Groups has a dedicated Files tab that displays all files from
the group's SharePoint team site, as well as from mail attachments. You get one view of all the files, so you
don't have to go searching for them like you would in public folders. Co-authoring also becomes easier. If
you're using public folders for storing files meant to be consumed by multiple people, consider migrating to
Groups.
Shared calendar. Upon creation every group gets a shared calendar. Any member of the group can create
events on that calendar. When you favorite a group, that group's calendar can be displayed alongside your
personal calendar. You can also subscribe to a group's events, in which case events created in that group
appear in your personal calendar. If you're using public folders to host calendars for your team, such as a
schedule or a timetable, Groups would be an improved experience.
Simplified permissions. When you assign users to a group, they immediately get the permissions they
need, whereas with public folders you need to manually assign the proper permissions. Members can be
added as "owners" or "members." Owners have full rights in the group, including the ability to perform
group management tasks. Members can also create content and edit files like owners, but members cannot
delete content that they have not created. If the public folders' permissions model is too overwhelming for
you and you want something simple and quick, Office 365 Groups is the way to go.
Mobile and Web presence. Public folders can't be accessed through mobile devices and have a limited set
of functionality on the Web. Office 365 Groups, on the other hand, is accessible through Outlook mobile
apps and has a richer set of features on the Web. If your team is on the move and requires mobile access,
then you should be using Office 365 Groups.
Access to a wide range of Office 365 apps. When you create a group, you unlock access to a wide range
of apps from the Office 365 suite. You get a SharePoint team site for storing files and a plan on Planner to
track your tasks. Office 365 Groups is the membership service that combines elements of the entire Office
365 suite.
While Office 365 Groups offers many advantages, you should be aware of a few major differences that you'll
notice after leaving the public folders experience. These are primarily:
Folder hierarchy. While public folders are often used to organize content in a deep-rooted hierarchy, Office
365 Groups has a flat structure. All emails in the group reside in the Conversations space and all the
documents go into the Files tab. Also, you can't create sub-folders in Office 365 groups.
Granular permission roles. While public folders have a variety of permission roles, Office 365 Groups only
provides two: owner and member.
Before you move to Groups, it's also a good idea to make note of the various limits that come with creating and
maintaining groups. See How do I manage my groups? in Learn about Office 365 Groups for more information.

Migrating public folders to Office 365 Groups


If you decide to switch to Office 365 Groups, you can use a process known as batch migration to move your email
and calendar content from your existing public folders to Groups. The specific steps for running a batch migration
depend on which version of Exchange currently hosts your public folder hierarchy. At the end of this article, you
will find links to instructions that walk you through the batch migration process.

NOTE
When you finish migrating a mail-enabled public folder to a particular group in Office 365, all the emails addressed to the
public folder will at that point be received by the group.

Key benefits of batch migrations are:


Mailbox Replication Service (MRS)-based migration. The migration process uses migration batch
cmdlets. Migration to multiple groups can be triggered together in a single migration batch. There are also
scripts available to assist in the migration process.
Supports mail and calendar public folders. Copied emails and posts will appear in Groups as group
conversations, and copied calendar items will be visible in group calendars. Other public folder types, such
as tasks and contacts, are currently not supported for this migration.
On-premises public folders can be migrated directly to Office 365 Groups. This migration does not
require you to first move your public folders to Office 365 and then move to Groups. The MRS data copy
cmdlets read the public folder data directly from your on-premises environment and then copy the data to
Office 365 Groups. Note that Exchange 2010 public folders will require an Outlook Anywhere endpoint.
Exchange 2013 public folders will require an MRS Proxy-based endpoint.
Not an "all or nothing" migration. You get to choose specific public folders to migrate to Groups, and
only those chosen public folders get migrated.
One-shot data copy. Batch migrations are designed to be a simple one-time data copy from source public
folders to target groups, without the complexities of incremental synchronization and finalization.
Merges public folder data with existing data in a group. The data copy will merge the public folder
content with the existing group's content, if any. If there is a need for incremental data copy, you can simply
run the data copy as many times as you need. This will copy incremental data over to the group.
Overview of batch migrations
The following steps outline the overall process of migrating your public folder content to Office 365 Groups in a
batch migration. The specific details are contained in the articles listed below.
1. Select source: Choose the public folders that you want to migrate. You can choose any folder containing
mail or calendar content.
2. Create target: Create corresponding groups for your folders, with the desired configurations, such as
members, privacy settings, and data classification.
3. Copy data: Use the migration batch cmdlets to copy data from public folders to Groups.
4. Lock source: Lock the public folders once you have verified the data in Groups.
5. Cutover: Copy any new data that has been created between steps 3 and 4.
Note that your public folders and their corresponding groups will remain online for your users during steps 1
through 3 above. After step 3, you can evaluate whether or not to proceed with the rest of the migration, based on
the Groups experience and whether or not it suits your users and your organization. You can roll back your
migration and resume using public folders at that point. If you do proceed with the migration, after step 5
completes, you can delete the original public folders. Even post-migration it is possible to roll back to public
folders, provided you have saved your backup files from the migration process and you have not deleted your
original public folders.
Batch migration prerequisites and step-by-step instructions
The following prerequisites are required in your Exchange environment before you can run a batch migration. The
specific prerequisites depend on which version of Exchange you're currently running.
1. If your public folders are on-premises, your servers need to be running one of the following versions:
Exchange 2010 SP3 RU8 or later
Exchange 2013 CU15 or later
Exchange 2016 CU4 or later
2. If your public folders are on-premises, you must have an Exchange Hybrid environment set up. See Exchange
Server Hybrid Deployments for more information.
Migration instructions
Select the appropriate link below for step-by-step instructions on running a batch migration.
Use batch migration to migrate Exchange Online public folders to Office 365 Groups
Use batch migration to migrate Exchange 2010 public folders to Office 365 Groups
Use batch migration to migrate Exchange 2013 public folders to Office 365 Groups
Use batch migration to migrate Exchange 2016 public folders to Office 365 Groups

Use batch migration to migrate Exchange Online public folders to Office 365 Groups
3/4/2019 • 17 minutes to read

Summary: How to move your Exchange Online public folders to Office 365 Groups.
Through a process known as batch migration, you can move some or all of your Exchange Online public folders to
Office 365 Groups. Groups is a new collaboration offering from Microsoft that offers certain advantages over
public folders. See Migrate your public folders to Office 365 Groups for an overview of the differences between
public folders and Groups, and reasons why your organization may or may not benefit from switching to Groups.
This article contains the step-by-step procedures for performing the actual batch migration of your Exchange
Online public folders.

What do you need to know before you begin?


Ensure that all of the following conditions are met before you begin preparing your migration.
Only public folders of type calendar and mail can be migrated to Office 365 Groups at this time; migration
of other types of public folders is not supported. Also, the target groups in Office 365 are expected to be
created prior to the migration.
Office 365 Groups doesn't support the permission roles and access rights that are available in public
folders. In Office 365 Groups, the users are designated as either members or owners.
The batch migration process only copies messages and calendar items from public folders for migration to
Office 365 Groups. It doesn't copy other types of public folder content like rules and permissions since
those are not supported in Office 365 Groups.
Office 365 Groups comes with a 50GB mailbox. Ensure that the sum of public folder data that you are
migrating totals less than 50GB. In addition, leave storage space for additional content to be added by your
users in the future, post-migration. We recommend migrating public folders no bigger than 25GB in total
size.
This is not an "all or nothing" migration. You can pick and choose specific public folders to migrate, and only
those public folders will be migrated. If the public folder being migrated has sub-folders, those sub-folders
will not be automatically included in the migration. If you need to migrate them, you need to explicitly
include them.
The public folders will not be affected in any manner by this migration. However, once you use our
lock-down script to make the migrated public folders read-only, your users will be forced to use Office 365
Groups instead of public folders.
You must use a single migration batch to migrate all of your public folder data. Exchange allows creating
only one migration batch at a time. If you attempt to create more than one migration batch simultaneously,
the result will be an error.
Before you begin, we recommend that you read this article in its entirety, as downtime is required for some
steps.

Step 1: Get the scripts


The batch migration to Office 365 Groups requires running a number of scripts at different points in the migration,
as described below in this article. Download the scripts and their supporting files from this location. After all the
scripts and files are downloaded, save them to the same location, such as c:\PFtoGroups\Scripts.
Before proceeding, verify you have downloaded and saved all of the following scripts and files:

NOTE
Make sure to save all scripts and files to the same location.

AddMembersToGroups.ps1. This script adds members and owners to Office 365 Groups based on
permission entries in the source public folders.
AddMembersToGroups.strings.psd1. This support file is used by the script AddMembersToGroups.ps1.
LockAndSavePublicFolderProperties.ps1. This script makes public folders read-only to prevent any
modifications, and it transfers the mail-related public folder properties (provided the public folders are
mail-enabled) to the target groups, which will re-route emails from the public folders to the target groups. This
script also backs up the permission entries and the mail properties before modifying them.
LockAndSavePublicFolderProperties.strings.psd1. This support file is used by the script
LockAndSavePublicFolderProperties.ps1.
UnlockAndRestorePublicFolderProperties.ps1. This script restores access rights and mail properties of
the public folders using backup files created by LockAndSavePublicFolderProperties.ps1.
UnlockAndRestorePublicFolderProperties.strings.psd1. This support file is used by the script
UnlockAndRestorePublicFolderProperties.ps1.
WriteLog.ps1. This script enables the preceding three scripts to write logs.
RetryScriptBlock.ps1. This script enables the AddMembersToGroups, LockAndSavePublicFolderProperties, and
UnlockAndRestorePublicFolderProperties scripts to retry certain actions in the event of transient errors.

For details about AddMembersToGroups.ps1, LockAndSavePublicFolderProperties.ps1, and
UnlockAndRestorePublicFolderProperties.ps1, and the tasks they execute in your environment, see Migration scripts
later in this article.

Step 2: Prepare for the migration


The following steps are necessary to prepare your organization for the migration:
1. Compile a list of public folders (mail and calendar types) that you want to migrate to Office 365 Groups.
2. Have a list of corresponding target groups for each public folder being migrated. You can either create a
new group in Office 365 for each public folder or use an existing group. If you're creating a new group, see
Learn about Office 365 Groups to understand the settings a group must have. If a public folder that you are
migrating has the default permission set to Author or above, you should create the corresponding group in
Office 365 with the Public privacy setting. However, for users to see the public group under the Groups
node in Outlook, they will still have to join the group.
3. Rename any public folders that contain a backslash (\) in their name. Otherwise, those public folders may
not get migrated correctly.
4. You need to have the migration feature PAW enabled for your Office 365 tenant. To verify this, run the
following command in Exchange Online PowerShell:
Get-MigrationConfig

If the output under Features lists PAW, then the feature is enabled and you can continue to Step 3: Create
the .csv file.
If PAW is not yet enabled for your tenant, it could be because you have some existing migration batches,
either public folder batches or user batches. These batches could be in any state, including Completed. If this
is the case, please complete and remove any existing migration batches until no records are returned when
you run Get-MigrationBatch. Once all existing batches are removed, PAW should get enabled automatically.
Note that the change may not reflect in Get-MigrationConfig immediately, which is okay. Once this step is
completed, you can continue creating new batches of user migrations.

Step 3: Create the .csv file


Create a .csv file, which will provide input for one of the migration scripts.
The .csv file needs to contain the following columns:
FolderPath. Path of the public folder to be migrated.
TargetGroupMailbox. SMTP address of the target group in Office 365. You can run the following
command to see the primary SMTP address.

Get-UnifiedGroup <alias of the group> | Format-Table PrimarySmtpAddress

An example .csv:

"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"

Note that a mail folder and a calendar folder can be merged into a single group in Office 365. However, any other
scenario of multiple public folders merging into one group isn't supported within a single migration batch. If you
do need to map multiple public folders to the same Office 365 group, you can accomplish this by running different
migration batches, which should be executed consecutively, one after another. You can have up to 500 entries in
each migration batch.
One public folder should be migrated to only one group in one migration batch.
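
The rules in this step can be checked before the file is handed to New-MigrationBatch. The following is an added example, not one of the downloaded migration scripts: it checks the two required columns, the 500-entry limit, duplicate folder paths, and how many folders map to each group. The function names, the sample rows (constructed), the line numbering (header on line 1, no blank lines), and the requirement that FolderPath start with a backslash (inferred from the example .csv above) are assumptions.

```powershell
# Added example, not one of the downloaded migration scripts.
function New-CsvFinding {
    param([string] $Severity, [int] $Line, [string] $Message)
    [pscustomobject]@{ Severity = $Severity; Line = $Line; Message = $Message }
}

function Test-PublicFolderToGroupCsv {
    param([Parameter(Mandatory)] [object[]] $Rows)

    # Both columns named in Step 3 must be present.
    $columns = $Rows[0].PSObject.Properties.Name
    $missing = @('FolderPath', 'TargetGroupMailbox' | Where-Object { $columns -notcontains $_ })
    if ($missing.Count -gt 0) {
        New-CsvFinding 'Error' 1 "Missing required column(s): $($missing -join ', ')."
        return
    }

    # A migration batch can hold up to 500 entries.
    if ($Rows.Count -gt 500) {
        New-CsvFinding 'Error' 1 "File has $($Rows.Count) entries; the limit per batch is 500."
    }

    $seenPaths = @{}   # folder path -> line where it first appeared
    $byGroup   = @{}   # target group -> folder paths mapped to it
    $line = 1          # assumption: header is line 1 and there are no blank lines
    foreach ($row in $Rows) {
        $line++
        $path  = "$($row.FolderPath)".Trim()
        $group = "$($row.TargetGroupMailbox)".Trim().ToLowerInvariant()

        if (-not $path.StartsWith('\')) {
            New-CsvFinding 'Error' $line "FolderPath '$path' does not start with a backslash."
        }
        if ($group -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            New-CsvFinding 'Error' $line "TargetGroupMailbox '$group' is not an SMTP address."
        }

        # One public folder may be migrated to only one group in one batch.
        $pathKey = $path.ToLowerInvariant()
        if ($seenPaths.ContainsKey($pathKey)) {
            New-CsvFinding 'Error' $line "FolderPath '$path' is already mapped on line $($seenPaths[$pathKey])."
            continue
        }
        $seenPaths[$pathKey] = $line

        if (-not $byGroup.ContainsKey($group)) {
            $byGroup[$group] = New-Object System.Collections.Generic.List[string]
        }
        $byGroup[$group].Add($path)
    }

    # Only a mail folder plus a calendar folder may share one group in a batch.
    foreach ($group in ($byGroup.Keys | Sort-Object)) {
        $paths = $byGroup[$group]
        if ($paths.Count -gt 2) {
            New-CsvFinding 'Error' 0 "Group '$group' is the target of $($paths.Count) folders; use separate consecutive batches."
        }
        elseif ($paths.Count -eq 2) {
            New-CsvFinding 'Warning' 0 "Group '$group' is the target of $($paths -join ' and '); supported only for one mail and one calendar folder."
        }
    }
}

# Constructed sample input with several deliberate problems.
$sampleCsv = @'
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
"\Sales","emeasales@contoso.onmicrosoft.com"
"\Sales\Calendar","sales@contoso.onmicrosoft.com"
"Marketing","marketing"
'@
$rows = $sampleCsv -split "\r?\n" | ConvertFrom-Csv

Test-PublicFolderToGroupCsv -Rows $rows | Format-Table -AutoSize -Wrap

# With a real file: Test-PublicFolderToGroupCsv -Rows (Import-Csv <path to .csv file>)
```

The check cannot tell whether a folder holds mail or calendar items, so a group with two source folders is reported as a warning to confirm by hand.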

Step 4: Start the migration request


In this step, you gather information from your Exchange environment, and then you use that information in
Exchange Online PowerShell to create a migration batch. After that, you start the migration.
1. In Exchange Online PowerShell, run the following command to create a new public folder-to-Office 365 group
migration batch. In this command:
CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to this
file. If the file was moved for any reason, be sure to verify and use the new location.
AutoStart is an optional parameter which, when used, starts the migration batch as soon as it is created.
PublicFolderToUnifiedGroup is the parameter to indicate that it is a public folder to Office 365 Groups
migration batch.

New-MigrationBatch -Name PublicFolderToGroupMigration -CSVData (Get-Content <path to .csv file> -Encoding Byte) -PublicFolderToUnifiedGroup [-AutoStart]

2. Start the migration by running the following command in Exchange Online PowerShell. Note that this step
is necessary only if the -AutoStart parameter was not used while creating the batch above in step 1.

Start-MigrationBatch PublicFolderToGroupMigration

While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress of the migration can be viewed and managed in Exchange admin center. You can also view the
progress of the migration by running the Get-MigrationBatch and Get-MigrationUser cmdlets. The
New-MigrationBatch cmdlet initiates a migration user for each Office 365 group mailbox, and you can view the
status of these requests using the mailbox migration page.
To view the mailbox migration page:
1. In Exchange Online, open Exchange admin center.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
When the batch status is Completed, you can move on to Step 5: Add members to Office 365 groups from public
folders.

Step 5: Add members to Office 365 groups from public folders


You can add members to the target group in Office 365 manually as required. However, if you want to add
members to the group based on the permission entries in public folders, you need to do that by running the script
AddMembersToGroups.ps1 as shown in the following command. To know which public folder permissions are eligible
to be added as members of a group in Office 365, see Migration scripts later in this article.
In the following command:
MappingCsv is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to
this file. If the file was moved for any reason, be sure to verify and use the new location.
BackupDir is the directory where the migration log files will be stored.
ArePublicFoldersOnPremises is a parameter to indicate whether public folders are located on-premises
or in Exchange Online.

.\AddMembersToGroups.ps1 -MappingCsv <path to .csv file> -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Once users have been added to a group in Office 365, they can begin using it.

Step 6: Lock down the public folders (public folder downtime required)
When the majority of the data in your public folders has migrated to Office 365 Groups, you can run the script
LockAndSavePublicFolderProperties.ps1 to make the public folders read-only. This step ensures that no new data is
added to public folders before the migration completes.
NOTE
If there are mail-enabled public folders (MEPFs) among the public folders being migrated, this step will copy some properties
of MEPFs, such as SMTP addresses, to the corresponding group in Office 365 and then mail-disable the public folder. Because
the migrating MEPFs will be mail-disabled after the execution of this script, you will start seeing emails sent to MEPFs instead
being received in the corresponding groups. For more details, see Migration scripts later in this article.

In the following command:


MappingCsv is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to
this file. If the file was moved for any reason, be sure to verify and use the new location.
BackupDir is the directory where the backup files for permission entries, MEPF properties, and migration
log files will be stored. This backup will be useful in case you need to roll back to public folders.
ArePublicFoldersOnPremises is a parameter to indicate whether public folders are located on-premises
or in Exchange Online.

.\LockAndSavePublicFolderProperties.ps1 -MappingCsv <path to .csv file> -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Step 7: Finalize the public folder to Office 365 Groups migration


After you've made your public folders read-only, you'll need to perform the migration again. This is necessary for a
final incremental copy of your data. Before you can run the migration again, you'll have to remove the existing
batch, which you can do by running the following command:

Remove-MigrationBatch <name of migration batch>

Next, create a new batch with the same .csv file by running the following command. In this command:
CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to this
file. If the file was moved for any reason, be sure to verify and use the new location.
NotificationEmails is an optional parameter that can be used to set email addresses that will receive
notifications about the status and progress of the migration.
AutoStart is an optional parameter which, when used, starts the migration batch as soon as it is created.

New-MigrationBatch -Name PublicFolderToGroupMigration -CSVData (Get-Content <path to .csv file> -Encoding Byte) -PublicFolderToUnifiedGroup [-NotificationEmails <email addresses for migration notifications>] [-AutoStart]

After the new batch is created, start the migration by running the following command in Exchange Online
PowerShell. Note that this step is only necessary if the -AutoStart parameter was not used in the preceding
command.

Start-MigrationBatch PublicFolderToGroupMigration

After you have finished this step (the batch status is Completed), verify that all data has been copied to Office 365
Groups. At that point, provided you are satisfied with the Groups experience, you can begin deleting the migrated
public folders from your Exchange Online environment.
IMPORTANT
While there are supported procedures for rolling back your migration and returning to public folders, this isn't possible after
the source public folders have been deleted. See How do I roll back to public folders from Office 365 Groups? for more
information.

Known issues
The following known issues can occur during a typical public folders to Office 365 Groups migration.
The script that transfers SMTP addresses from mail-enabled public folders to Office 365 Groups only adds the
addresses as secondary email addresses in Exchange Online. Because of this, if you have Exchange Online
Protection (EOP) or Centralized Mail Flow set up in your environment, you will have issues sending email to the
groups (to the secondary email addresses) post-migration.
If the .csv mapping file has an entry with invalid public folder path, the migration batch displays as
Completed without throwing an error, and no further data is copied.
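
Because an invalid path produces a batch that reports Completed with nothing copied, it is worth checking the mapping file before running New-MigrationBatch. The following is an added example, not one of the downloadable migration scripts; it applies the rules from Step 3: Create the .csv file (required columns, up to 500 entries, one folder to only one group per batch) and, optionally, compares each FolderPath with a list of existing folder paths. The function name Test-PfGroupMappingCsv, its parameters and the sample rows are hypothetical.

```powershell
# Added example. Function name, parameters and sample rows are hypothetical;
# they are not part of the downloadable migration scripts.
function Test-PfGroupMappingCsv {
    [CmdletBinding()]
    param(
        # Raw text of the mapping file, e.g. Get-Content <path to .csv file> -Raw
        [Parameter(Mandatory = $true)] [string] $CsvText,
        # Optional list of folder paths that really exist. Assumption: collected
        # beforehand with Get-PublicFolder -Recurse and passed in as strings.
        [string[]] $KnownFolderPaths
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    $report = {
        param($Severity, $Line, $Message)
        $findings.Add([pscustomobject]@{ Severity = $Severity; Line = $Line; Message = $Message })
    }

    $rows = @($CsvText | ConvertFrom-Csv)
    if ($rows.Count -eq 0) {
        & $report 'Error' 1 'No data rows found.'
        return $findings.ToArray()
    }

    # Both columns named in Step 3 must be present.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($required in 'FolderPath', 'TargetGroupMailbox') {
        if ($columns -notcontains $required) {
            & $report 'Error' 1 "Missing required column '$required'."
        }
    }
    if ($findings.Count -gt 0) { return $findings.ToArray() }

    if ($rows.Count -gt 500) {
        & $report 'Error' 1 "$($rows.Count) entries; a migration batch accepts up to 500."
    }

    for ($i = 0; $i -lt $rows.Count; $i++) {
        $line   = $i + 2                      # line 1 of the file is the header
        $path   = $rows[$i].FolderPath
        $target = $rows[$i].TargetGroupMailbox

        if ([string]::IsNullOrWhiteSpace($path) -or -not $path.StartsWith('\')) {
            & $report 'Error' $line "FolderPath '$path' is not of the form \Folder\Subfolder."
        }
        elseif ($KnownFolderPaths -and ($KnownFolderPaths -notcontains $path)) {
            & $report 'Error' $line "FolderPath '$path' was not found; the batch would still show Completed."
        }
        if ($target -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            & $report 'Error' $line "TargetGroupMailbox '$target' is not an SMTP address."
        }
    }

    # One public folder may go to only one group in a batch.
    $rows | Group-Object FolderPath | Where-Object Count -gt 1 | ForEach-Object {
        & $report 'Error' '-' "FolderPath '$($_.Name)' appears $($_.Count) times in this batch."
    }

    # Several folders into one group is supported only for a mail folder plus a
    # calendar folder; folder types are not visible in the .csv, so flag for review.
    $rows | Group-Object TargetGroupMailbox | Where-Object Count -gt 1 | ForEach-Object {
        $folders = ($_.Group.FolderPath | Sort-Object -Unique) -join ', '
        & $report 'Warning' '-' "Group '$($_.Name)' receives several folders ($folders); split into consecutive batches unless this is one mail folder plus one calendar folder."
    }

    return $findings.ToArray()
}

# Constructed sample input: the last two rows are deliberately wrong.
$sampleCsv = @'
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
"\Sales","emeasales@contoso.onmicrosoft.com"
"Marketing","marketing-at-contoso"
'@

Test-PfGroupMappingCsv -CsvText $sampleCsv -KnownFolderPaths '\Sales', '\Sales\EMEA' |
    Format-Table -AutoSize -Wrap
```

An empty result means the file passed every check; the comparison with existing folders runs only when -KnownFolderPaths is supplied.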

Migration scripts
For your reference, this section provides in-depth descriptions for three of the migration scripts and the tasks they
execute in your Exchange environment. You can download all of the scripts and supporting files from this location.
AddMembersToGroups.ps1
This script will read the permissions of the public folders being migrated and then add members and owners to
Office 365 Groups as follows:
Users with the following permission roles will be added as members to a group in Office 365. Permission
roles: Owner, PublishingEditor, Editor, PublishingAuthor, Author
In addition to the above, users with the following minimum access rights will also be added as members to
a group in Office 365. Access rights: ReadItems, CreateItems, FolderVisible, EditOwnedItems,
DeleteOwnedItems
Users with access right "Owner" will be added as owners to a group and users with other eligible access
rights will be added as members.
Security groups cannot be added as members to groups in Office 365. Therefore they will be expanded, and
then the individual users will be added as members or owners to the groups based on the access rights of
the security group.
When users in security groups that have access rights over a public folder have themselves explicit
permissions over the same public folder, explicit permissions will be given preference. For example, consider
a case in which a security group called "SG1" has members User1 and User2. Permission entries for the
public folder "PF1" are as follows:
SG1: Author in PF1
User1: Owner in PF1
In this case, User1 will be added as an owner to the group in Office 365.
When the default permission of a public folder being migrated is 'Author' or above, the script will suggest
setting the corresponding group's privacy setting as 'Public'.
This script can be run even after the lock-down of public folders, with parameter ArePublicFoldersLocked set to
$true. In this scenario, the script will read permissions from the backup file created during lock-down.
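
The membership rules above decide who becomes an owner of the target group, so it helps to preview the outcome before running the script. The following added example (not the code of AddMembersToGroups.ps1) models those rules on constructed data: eligible roles and minimum access rights, expansion of security groups, and preference for explicit entries. The function names and the input shape are hypothetical, and it assumes an explicit entry fully overrides a group-derived one even when the explicit entry is not eligible.

```powershell
# Added example, not the code of AddMembersToGroups.ps1. Function names and
# the shape of the input objects are hypothetical.

# Permission roles that make a user a group member (Owner is handled separately).
$MemberRoles   = 'PublishingEditor', 'Editor', 'PublishingAuthor', 'Author'
# Minimum individual access rights that also make a user a member.
$MinimumRights = 'ReadItems', 'CreateItems', 'FolderVisible', 'EditOwnedItems', 'DeleteOwnedItems'

function Get-GroupRoleForRights {
    param([string[]] $AccessRights)

    if ($AccessRights -contains 'Owner') { return 'Owner' }
    if ($AccessRights | Where-Object { $MemberRoles -contains $_ }) { return 'Member' }

    # Custom rights qualify only when every minimum right is present.
    $missing = $MinimumRights | Where-Object { $AccessRights -notcontains $_ }
    if (-not $missing) { return 'Member' }

    return $null        # not eligible
}

function Resolve-GroupMembership {
    param(
        # Objects with Trustee, IsSecurityGroup and AccessRights properties.
        [object[]] $PermissionEntries,
        # Security group name -> array of member user names (already expanded).
        [hashtable] $SecurityGroupMembers
    )

    $result = @{}

    # Pass 1: expand security groups; members inherit the group's role.
    foreach ($entry in ($PermissionEntries | Where-Object { $_.IsSecurityGroup })) {
        $role = Get-GroupRoleForRights $entry.AccessRights
        if (-not $role) { continue }
        foreach ($user in $SecurityGroupMembers[$entry.Trustee]) {
            # A user in several groups keeps the stronger role.
            if ($result[$user] -ne 'Owner') { $result[$user] = $role }
        }
    }

    # Pass 2: explicit entries take preference over group-derived ones.
    # Assumption: an ineligible explicit entry removes the group-derived role.
    foreach ($entry in ($PermissionEntries | Where-Object { -not $_.IsSecurityGroup })) {
        $role = Get-GroupRoleForRights $entry.AccessRights
        if ($role) { $result[$entry.Trustee] = $role }
        else       { $result.Remove($entry.Trustee) }
    }

    return $result
}

# Constructed sample: the SG1 / User1 case from the text, plus two extra users.
$entries = @(
    [pscustomobject]@{ Trustee = 'SG1';   IsSecurityGroup = $true;  AccessRights = @('Author') }
    [pscustomobject]@{ Trustee = 'User1'; IsSecurityGroup = $false; AccessRights = @('Owner') }
    [pscustomobject]@{ Trustee = 'User3'; IsSecurityGroup = $false; AccessRights = @('Reviewer') }
    [pscustomobject]@{ Trustee = 'User4'; IsSecurityGroup = $false; AccessRights = $MinimumRights }
)
$groups = @{ SG1 = @('User1', 'User2') }

$roles = Resolve-GroupMembership -PermissionEntries $entries -SecurityGroupMembers $groups
$roles.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

With the sample data, User1 resolves to Owner through the explicit entry, User2 and User4 resolve to Member, and User3 (Reviewer) is not added.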
LockAndSavePublicFolderProperties.ps1
This script makes the public folders being migrated read-only. When mail-enabled public folders are migrated,
they will first be mail-disabled and their SMTP addresses will be added to the respective groups in Office 365.
Then the permission entries will be modified to make them read-only. A backup of the mail properties of
mail-enabled public folders, as well as the permission entries of all the public folders, will be copied, before performing
any modification on them.
If there are multiple migration batches, a separate backup directory should be used with each mapping .csv file.
The following mail properties will be stored, along with respective mail-enabled public folders and Office 365
groups:
PrimarySMTPAddress
EmailAddresses
ExternalEmailAddress
EmailAddressPolicyEnabled
GrantSendOnBehalfTo
SendAs Trustee list
The above mail properties will be stored in a .csv file, which can be used in the roll back process (if you want to
return to using public folders, see How do I roll back to public folders from Office 365 Groups? for more
information). A snapshot of the mail-enabled public folders' properties will also be stored in a file called
PfMailProperties.csv. This file is not necessary for the roll back process, but can still be used for your reference.
The following mail properties will be migrated to target group as part of the lock down:
PrimarySMTPAddress
EmailAddresses
SendAs Trustee list
GrantSendOnBehalfTo
The script ensures that the PrimarySMTPAddress and EmailAddresses of migrating mail-enabled public folders
will be added as secondary SMTP addresses of the corresponding groups in Office 365. Also, SendAs and
SendOnBehalfTo permissions of users on mail-enabled public folders will be given equivalent permission in the
corresponding target groups.
Access rights allowed
Only the following access rights will be allowed for users to ensure that the public folders are made read-only for
all users. These are stored in ListOfAccessRightsAllowed.
ReadItems
CreateSubfolders
FolderContact
FolderVisible
The permission entries will be modified as follows:
1.

| Before lock down | After lock down |
|---|---|
| None | None |
| AvailabilityOnly | AvailabilityOnly |
| LimitedDetails | LimitedDetails |
| Contributor | FolderVisible |
| Reviewer | ReadItems, FolderVisible |
| NonEditingAuthor | ReadItems, FolderVisible |
| Author | ReadItems, FolderVisible |
| Editor | ReadItems, FolderVisible |
| PublishingAuthor | ReadItems, CreateSubfolders, FolderVisible |
| PublishingEditor | ReadItems, CreateSubfolders, FolderVisible |
| Owner | ReadItems, CreateSubfolders, FolderContact, FolderVisible |

2. Access rights for users without read permissions will be left untouched, and they will continue to be blocked
from read rights.
3. For users with custom roles, all the access rights that are not in ListOfAccessRightsAllowed will be
removed. In the event that the users don't have any access rights from the allowed list after filtering, these
users' access right will be set to 'None'.
There might be an interruption in sending emails to mail-enabled public folders during the time between when the
folders are mail-disabled and their SMTP addresses are added to Office 365 Groups.
UnlockAndRestorePublicFolderProperties.ps1
This script will re-assign permissions back to public folders, based on the backup file taken during public folder
lock-down. This script will also mail-enable public folders that had been mail-disabled, after it removes the folders'
SMTP addresses from their respective groups in Office 365. There might be slight downtime during this process.

How do I roll back to public folders from Office 365 Groups?


In the event that you change your mind and want to return to using public folders after using Office 365 Groups,
the command listed below will restore your environment to the state it was pre-migration. A roll back can be
performed as long as the backup files exist and as long as you didn't delete the public folders post-migration.
Run the following command. In this command:
BackupDir is the directory where the backup files for permission entries, MEPF properties, and migration
log files will be stored. Make sure you use the same location you specified in Step 6: Lock down the public
folders to cut-over (public folder downtime required).
ArePublicFoldersOnPremises is a parameter to indicate whether public folders are located on-premises
or in Exchange Online.

.\UnlockAndRestorePublicFolderProperties.ps1 -BackupDir <path to backup directory> -ArePublicFoldersOnPremises $false

Be aware that any items added to the groups in Office 365, or any edit operations performed in the groups, are not
copied back to your public folders. Therefore there will be data loss, assuming new data was added while the public
folder was a group.
Note also that it's not possible to restore a subset of public folders, which means all of the public folders that were
migrated should be restored.
The corresponding groups in Office 365 won't be deleted as part of the roll back process. You'll have to clean or
delete those groups manually.

Configure legacy on-premises public folders for a hybrid deployment
3/4/2019 • 8 minutes to read

Summary: Use the steps in this article to synchronize public folders between Office 365 and your Exchange
Server 2010 on-premises deployment.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Public folders can reside in only one place, so you must decide whether
your public folders will be in Exchange Online or on-premises. They can't be in both locations. Public folder
mailboxes are synchronized to Exchange Online by the Directory Synchronization service. However, mail-enabled
public folders aren't synchronized across premises.
This topic describes how to synchronize mail-enabled public folders if your users are in Office 365 and your
Exchange Server 2010 SP3 public folders are on-premises. However, an Office 365 user who is not represented by
a MailUser object on-premises (local to the target public folder hierarchy) won't be able to access legacy or
modern on-premises public folders.

NOTE
This topic refers to the Exchange Server 2010 SP3 servers as the legacy Exchange server.

You will sync your mail-enabled public folders by using the following scripts, which are initiated by a Windows
task that runs in the on-premises environment:
Sync-MailPublicFolders.ps1 : This script synchronizes mail-enabled public folder objects from your local
Exchange on-premises deployment with Office 365. It uses the local Exchange on-premises deployment as
master to determine what changes need to be applied to O365. The script will create, update, or delete mail-
enabled public folder objects on O365 Active Directory based on what exists in the local on-premises
Exchange deployment.
SyncMailPublicFolders.strings.psd1 : This is a support file used by the preceding synchronization script and
should be copied to the same location as the preceding script.
When you complete this procedure your on-premises and Office 365 users will be able to access the same on-
premises public folder infrastructure.

What hybrid versions of Exchange will work with public folders?


The following table describes the version and location combinations of user mailboxes and public folders that are
supported. "Hybrid not applicable" is still a supported scenario, but is not considered a hybrid scenario since both
the public folders and the users are residing in the same location.

| | On-premises Exchange 2010 user mailbox | On-premises Exchange 2013 user mailbox | Exchange Online user mailbox |
|---|---|---|---|
| On-Premises Exchange 2010 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
| On-Premises Exchange 2013 Public Folders | Hybrid not applicable | Hybrid not applicable | Supported |
| Exchange Online Public Folders | Not supported | Supported | Hybrid not applicable |

NOTE
Outlook 2016 does not support accessing Exchange 2007 legacy public folders. If you have users who are using Outlook
2016, you must move your public folders to a more recent version of Exchange Server. More information about Outlook
2016 and Office 2016 compatibility with Exchange 2007 and earlier versions can be found in this article.

Step 1: What do you have to know before you begin?


These instructions assume that you have used the Hybrid Configuration Wizard to configure and
synchronize your on-premises and Exchange Online environments, and that the DNS records that are used
for the Autodiscover service for most users reference an on-premises end point. For more information, see
Hybrid Configuration Wizard.
These instructions assume that Outlook Anywhere is enabled and functional on all the on-premises legacy
Exchange public folder servers. For information about how to enable Outlook Anywhere, see Outlook
Anywhere.
Implementing legacy public folder coexistence for a hybrid deployment of Exchange with Office 365 may
require you to fix conflicts during the import procedure. Conflicts can occur because of a non-routable email
address that's assigned to mail-enabled public folders, conflicts with other users and groups in Office 365,
and other reasons.
These instructions assume that your Exchange Online organization has been upgraded to a version that
supports public folders.
In Exchange Online, you must be a member of the Organization Management role group. This role group is
different from the permissions assigned to you when you subscribe to Exchange Online. For information
about how to enable the Organization Management role group, see Manage Role Groups.
In Exchange 2010, you must be a member of the Organization Management or Server Management RBAC
role groups. For details, see Add Members to a Role Group.
To access public folders cross-premises, users must upgrade their Outlook clients to the November 2012
Outlook public update or a later version.
1. To download the November 2012 Outlook update for Outlook 2010, see Update for Microsoft
Outlook 2010 (KB2687623) 32-Bit Edition.
2. To download the November 2012 Outlook Update for Outlook 2007, see Update for Microsoft
Office Outlook 2007 (KB2687404).
Outlook 2016 for Mac (and earlier versions) and Outlook for Mac for Office 365 are not supported for
cross-premises legacy public folders. Users must be in the same location as the public folders to access
them with Outlook for Mac or Outlook for Mac for Office 365. Additionally, users whose mailboxes are in
Exchange Online won't be able to access on-premises public folders using Outlook Web App.
After you follow the instructions in this article to configure your on-premises public folders for a hybrid
deployment, users who are external to your organization won't be able to send messages to your on-
premises public folders unless you take additional steps. You can either set the accepted domain for the
public folders to Internal Relay (see Manage accepted domains in Exchange Online) or you can disable
Directory Based Edge Blocking (DBEB) (see Use Directory Based Edge Blocking to reject messages sent to
invalid recipients).

Step 2: Make remote public folders discoverable


1. If your public folders are on Exchange 2010 or later servers, you must install the Client Access server (CAS)
role on all mailbox servers that have a public folder database. This allows the Microsoft Exchange
RpcClientAccess service to be running so that all clients can access public folders. For more information,
see Install Exchange Server 2010.

NOTE
This server doesn't have to be part of the Client Access load balancing. For more information, see Understanding
Load Balancing in Exchange 2010.

2. Create an empty mailbox database on each public folder server.


For Exchange 2010, run the following command. This command excludes the mailbox database from the
mailbox provisioning load balancer. This prevents new mailboxes from being added automatically to this
database.

New-MailboxDatabase -Server <PFServerName_with_CASRole> -Name <NewMDBforPFs> -IsExcludedFromProvisioning $true

NOTE
We recommend that the only mailbox that you add to this database is the proxy mailbox that you'll create in step 3.
No other mailboxes should be created on this mailbox database.

3. Create a proxy mailbox within the new mailbox database, and hide the mailbox from the address book. The
SMTP of this mailbox will be returned by AutoDiscover as the DefaultPublicFolderMailbox SMTP, so that
by resolving this SMTP the client can reach the legacy Exchange server for public folder access.

New-Mailbox -Name <PFMailbox1> -Database <NewMDBforPFs>

Set-Mailbox -Identity <PFMailbox1> -HiddenFromAddressListsEnabled $true

4. For Exchange 2010, enable AutoDiscover to return the proxy public folder mailboxes.

Set-MailboxDatabase <NewMDBforPFs> -RPCClientAccessServer <PFServerName_with_CASRole>

5. Repeat the preceding steps for every public folder server in your organization.

Step 3: Download the scripts


1. Download the following files from Mail-enabled Public Folders - directory sync script:
Sync-MailPublicFolders.ps1
SyncMailPublicFolders.strings.psd1

2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.

Step 4: Configure directory synchronization


The Directory Synchronization service doesn't synchronize mail-enabled public folders. Running the following
script will synchronize the mail-enabled public folders across premises. Special permissions assigned to
mail-enabled public folders will need to be recreated in the cloud since cross-premises permissions are not supported in
Hybrid Deployment scenarios. For more information, see Exchange Server Hybrid Deployment.

NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.

On the legacy Exchange server, run the following command to synchronize mail-enabled public folders from your
local on-premises Active Directory to O365.

```
Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile "<sync_summary.csv>"
```

Here, Get-Credential prompts you for your Office 365 username and password, and <sync_summary.csv> is the path to
where you would like to log synchronization operations and errors, in .csv format.

NOTE
Before running the script, we recommend that you first simulate the actions that the script would take in your environment
by running it as described above with the WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.

Step 5: Configure Exchange Online users to access on-premises public folders

The final step in this procedure is to configure the Exchange Online organization and to allow access to the legacy
on-premises public folders.
Enable the Exchange Online organization to access the on-premises public folders. You will point to all of the proxy
public folder mailboxes that you created in Step 2: Make remote public folders discoverable.
Run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1,PFMailbox2,PFMailbox3

You must wait until Active Directory synchronization has completed to see the changes. This process can take up to
3 hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you
can force directory synchronization at any time. For detailed steps to force directory synchronization, see
Method 1: Manually verify that the service is started and that the admin account can sign in. Office 365 randomly
selects one of the public folder mailboxes that's supplied in this command.
IMPORTANT
An Office 365 user who is not represented by a MailUser object on-premises (local to the target public folder hierarchy)
won't be able to access legacy or Exchange 2013 on-premises public folders. See the Knowledge Base article Exchange Online
users can't access legacy on-premises public folders for a solution.

How do I know this worked?


Log on to Outlook for a user who is in Exchange Online, and then run the following public folder tests:
View the hierarchy.
Check permissions.
Create and delete public folders.
Post content to and delete content from a public folder.

Configure Exchange Server public folders for a hybrid deployment
3/4/2019 • 4 minutes to read

Summary: Instructions for enabling Exchange Online users to access on-premises public folders in your
Exchange Server environment.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your
Exchange Server on-premises environment. Similarly, Exchange Server users may need to access public folders in
Office 365 or Exchange Online.

NOTE
If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.

This article describes how to enable your Exchange Online/Office 365 users to access public folders in Exchange
Server. To enable on-premises Exchange Server users to access public folders in Exchange Online, see Configure
Exchange Online public folders for a hybrid deployment.
An Exchange Online/Office 365 user must be represented by a MailUser object in the Exchange on-premises
environment in order to access Exchange Server public folders. This MailUser object must also be local to the
target Exchange Server public folder hierarchy. If you have Office 365 users who aren't currently represented on-
premises by MailUser objects, refer to Microsoft Knowledge Base article 3106618 "Exchange Online users can't
access legacy on-premises public folders" to create matching on-premises entities.

What do you need to know before you begin?


1. These instructions assume that you have used the Hybrid Configuration Wizard to configure and
synchronize your on-premises and Exchange Online environments and that the DNS records used for most
users' AutoDiscover reference an on-premises endpoint. For more information, see Hybrid Configuration
Wizard.
2. Implementing public folder coexistence for a hybrid deployment of Exchange with Office 365 may require
you to fix conflicts during the import procedure. Conflicts can happen due to a non-routable email address
assigned to mail-enabled public folders, conflicts with other users and groups in Office 365, and other
attributes.
3. In order to access public folders cross-premises, users must upgrade their Outlook clients to the November
2012 Outlook public update or later.
To download the November 2012 Outlook update for Outlook 2010, see Update for Microsoft
Outlook 2010 (KB2687623) 32-Bit Edition.
To download the November 2012 Outlook Update for Outlook 2007, see Update for Microsoft
Office Outlook 2007 (KB2687404).
4. Outlook 2011 for Mac and Outlook for Mac for Office 365 are not supported for cross-premises public
folders. Users must be in the same location as the public folders to access them with Outlook 2011 for Mac
or Outlook for Mac for Office 365. In addition, users whose mailboxes are in Exchange Online won't be able
to access on-premises public folders using Outlook Web App.
NOTE
Outlook 2016 for Mac is supported for cross-premises public folders. If clients in your organization use Outlook
2016 for Mac, make sure they have installed the April 2016 update. Otherwise, those users will not be able to access
public folders in a hybrid topology. For more information, see Accessing public folders with Outlook 2016 for Mac.

5. You must synchronize the Active Directory container where your public folder mailboxes are stored (such
as the Users container) with the AAD Connect tool. Otherwise your public folder mailbox objects won't be
synchronized with Exchange Online.

Step 1: Download the scripts


1. Download the following files from Mail-enabled Public Folders - directory sync script:
Sync-MailPublicFolders.ps1

SyncMailPublicFolders.strings.psd1

2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.

Step 2: Configure directory synchronization


The Directory Synchronization service doesn't synchronize mail-enabled public folders. Running the following
script will synchronize the mail-enabled public folders across premises and Office 365. Special permissions
assigned to mail-enabled public folders will need to be recreated in the cloud since cross-premises permissions are
not supported in Hybrid Deployment scenarios. For more information, see Exchange Server Hybrid Deployment.

NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.

1. On Exchange Server, run the following command to synchronize mail-enabled public folders from your
local on-premises Active Directory to O365.

Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv

Where Credential is your Office 365 username and password, and CsvSummaryFile is the path to where
you would like to log synchronization operations and errors, in .csv format.

NOTE
Before running the script, we recommend that you first simulate the actions that the script would take in your environment
by running it as described above with the -WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.

Step 3: Configure Exchange Online users to access Exchange Server on-premises public folders

The final step in this procedure is to configure the Exchange Online organization and to allow access to the
Exchange Server public folders.
Enable the Exchange Online organization to access the on-premises public folders. You will point to all of your
on-premises public folder mailboxes.

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1,PFMailbox2,PFMailbox3

NOTE
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to 3 hours
to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can force
directory synchronization at any time. For detailed steps to force directory synchronization, see Force directory
synchronization.

How do I know this worked?


Log on to Outlook for a user who is in Exchange Online and perform the following public folder tests:
View the hierarchy.
Check permissions
Create and delete public folders.
Post content to and delete content from a public folder.
Configure Exchange Online public folders for a hybrid deployment
3/4/2019 • 4 minutes to read

Summary: Instructions for enabling on-premises Exchange Server users to access public folders in Exchange
Online.
In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are
either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your
Exchange Server on-premises environment. Similarly, Exchange Server users may need to access public folders in
Office 365 or Exchange Online.
This article describes how to enable users in your Exchange Server on-premises environment to access Exchange
Online/Office 365 public folders. To enable Exchange Online/Office 365 users to access on-premises Exchange
Server public folders, see Configure Exchange Server public folders for a hybrid deployment.

NOTE
If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.

What do you need to know before you begin?


1. These instructions assume that you have used the Hybrid Configuration Wizard to configure and
synchronize your on-premises and Exchange Online environments and that the DNS records used for most
users' AutoDiscover reference an on-premises endpoint. For more information, see Hybrid Configuration
Wizard.
2. These instructions assume that Outlook Anywhere is enabled and functional on the on-premises Exchange
server(s). For information on how to enable Outlook Anywhere, see Outlook Anywhere.
3. Implementing public folder coexistence for a hybrid deployment of Exchange with Office 365 may require
you to fix conflicts during the import procedure. Conflicts can happen due to non-routable email addresses
assigned to mail-enabled public folders, conflicts with other users and groups in Office 365, and other
attributes.
4. In order to access public folders cross-premises, users must upgrade their Outlook clients to the November
2012 Outlook public update or later.
a. To download the November 2012 Outlook update for Outlook 2010, see Update for Microsoft
Outlook 2010 (KB2687623) 32-Bit Edition.
b. To download the November 2012 Outlook Update for Outlook 2007, see Update for Microsoft
Office Outlook 2007 (KB2687404).
5. Outlook 2011 for Mac and Outlook for Mac for Office 365 are not supported for cross-premises public
folders. Users must be in the same location as the public folders to access them with Outlook 2011 for Mac
or Outlook for Mac for Office 365. In addition, users whose mailboxes are in Exchange Online won't be able
to access on-premises public folders using Outlook Web App.
NOTE
Outlook 2016 for Mac is supported for cross-premises public folders. If clients in your organization use Outlook
2016 for Mac, make sure they have installed the April 2016 update. Otherwise, those users will not be able to access
public folders in a co-existence or hybrid topology. For more information, see Accessing public folders with Outlook
2016 for Mac.

Step 1: Download the scripts


1. Download the following files from Mail-enabled Public Folders - directory sync from EXO to On-prem script.
Import-PublicFolderMailboxes.ps1

ImportPublicFolderMailboxes.strings.psd1

Sync-MailPublicFoldersCloudToOnprem.ps1

Sync-MailPublicFoldersCloudToOnprem.strings.psd1

2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.

Step 2: Configure directory synchronization


Running the script Sync-MailPublicFoldersCloudToOnprem.ps1 will synchronize the mail-enabled public folders
between Exchange Online and your Exchange Server on-premises environment. Special permissions assigned to
mail-enabled public folders will need to be recreated in the cloud since cross-premise permissions are not
supported in Hybrid Deployment scenarios. For more information, see Exchange Server Hybrid Deployment.

NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable
in the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use
the Add-RecipientPermission command.

On Exchange Server, run the following command to synchronize mail-enabled public folders from Exchange
Online/Office 365 to your local on-premises Active Directory.

```
Sync-MailPublicFoldersCloudToOnprem.ps1 -Credential (Get-Credential)
```

Where Credential is your Office 365 username and password.

NOTE
We recommend that you run this script daily to synchronize your mail-enabled public folders.

Step 3: Configure on-premises users to access Exchange Online public folders

The final step in this procedure is to configure the Exchange Server on-premises organization to allow access to
Exchange Online public folders.
Running the script Import-PublicFolderMailboxes.ps1 will import public folder mailbox objects from the cloud as
mail-enabled users to your on-premises environment. The script will also configure the imported objects as
remote public folder mailboxes.
1. On Exchange Server, run the following command to import public folder mailbox objects from the cloud to
your on-premises Active Directory.

Import-PublicFolderMailboxes.ps1 -Credential (Get-Credential)

Where Credential is your Office 365 username and password.

NOTE
We recommend that you run this script daily to import your public folder mailbox objects because whenever public
folder mailboxes reach their threshold capacity, they automatically split into multiple new mailboxes. Therefore, you
always want to ensure you have imported the most recent public folder mailboxes from the cloud.

2. Enable the Exchange 2013 on-premises organization to access the Exchange Online public folders.

Set-OrganizationConfig -PublicFoldersEnabled Remote

NOTE
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to 3
hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you can
force directory synchronization at any time. For detailed steps, see Force directory synchronization.

How do I know this worked?


Log on to Outlook for a user who is in Exchange Online and perform the following public folder tests:
View the hierarchy.
Check permissions
Create and delete public folders.
Post content to and delete content from a public folder.
Set up public folders in a new organization
3/4/2019 • 3 minutes to read

Summary: How to set up public folders, including assigning permissions to them in the EAC.
This topic shows you how to get public folders configured and running in a new organization or in an organization
that has never previously had public folders.

NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.

What do you need to know before you begin?


Estimated time to complete this task: 30 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Create the primary public folder mailbox


The primary public folder mailbox contains a writeable copy of the public folder hierarchy plus content and is the
first public folder mailbox that you create for your organization. Subsequent public folder mailboxes will be
secondary public folder mailboxes, which will contain a read-only copy of the hierarchy plus content.
For detailed steps, see Create a public folder mailbox.

Step 2: Create your first public folder


For detailed steps, see Create a public folder.

Step 3: Assign permissions to the public folder


After you create the public folder, you'll need to assign the Owner permission level so that at least one user can
access the public folder from the client and create subfolders. Any public folders created after this one will inherit
the permissions of the parent public folder.
1. In the Exchange admin center (EAC), navigate to Public folders > Public folders.
2. In the list view, select the public folder.
3. In the details pane, under Folder permissions, click Manage.
4. In Public Folder Permissions, click Add.
5. Click Browse to select a user.
6. In the Permission level list, select a level. At least one user should be an Owner.
7. Click Save.
8. You can add multiple users by clicking Add and assigning the appropriate permissions using the steps
above. You can also customize the permission level by selecting or clearing the check boxes. When you edit
a predefined permission level such as Owner, the permission level will change to Custom.
For information about how to use Exchange Online PowerShell to assign permissions to a public folder, see Add-
PublicFolderClientPermission.

Step 4 (Optional): Mail-enable the public folder


If you want users to send mail to the public folder, you can mail-enable it. This step is optional. If you don't mail-
enable the public folder, users can post messages to the public folder by dragging items into it from within
Outlook.
1. In the EAC, navigate to Public folders > Public folders.
2. In the list view, select the public folder you want to mail-enable.
3. In the details pane, under Mail settings - Disabled, click Enable.
A warning displays asking if you are sure you want to enable mail for the public folder. Click Yes.
The public folder will be mail-enabled and the name of the public folder will become the alias of the public folder. If
you have multiple recipients with that name, the public folder's alias will be appended with a number. For example,
if you have a distribution group named SalesTeam and you create a public folder named SalesTeam and then mail-
enable it, the alias of that public folder will be SalesTeam1.
For information about how to use Exchange Online PowerShell to mail-enable a public folder, see Enable-
MailPublicFolder.
Accessing public folders with Outlook 2016 for Mac
3/4/2019 • 2 minutes to read

Summary: The most recent supported Exchange topologies that allow users to access public folders with Outlook
2016 for Mac.
Users of Outlook 2016 for Mac can now access public folders in Exchange Online in a number of different
topologies.

Outlook for Mac limitations


All versions of Outlook for Mac can access Exchange public folders, but until recently these clients could not
access public folders in the following deployment scenario:
Hybrid topologies: On-premises users with a mailbox based in Exchange Online could not use Outlook for
Mac to access on-premises modern public folders. Similarly, users with an Exchange 2013 or Exchange 2016
mailbox on-premises could not use Outlook for Mac to access public folders deployed in Exchange Online.

Outlook 2016 for Mac


With the April 2016 update for Outlook 2016 for Mac, as well as CU14 for Exchange 2013 and CU2 for Exchange
2016, the above scenario will now work for Outlook 2016 for Mac clients.
The following table summarizes the supported topologies for users with Outlook 2016 for Mac clients trying to
access public folders in Exchange Online.

NOTE
The scenarios shown in the following table assume that the April 2016 update for Outlook 2016 for Mac has been applied
to all clients.

| Public folders are deployed on... | User mailbox is on Exchange 2010 SP3 or later | User mailbox is on Exchange 2013 CU13 or later | User mailbox is on Exchange 2016 CU2 or later | User mailbox is on Office 365/Exchange Online |
|---|---|---|---|---|
| Exchange Server 2010 SP3 or later | Supported | Supported | Supported | Not supported |
| Exchange Server 2013 CU13 or later | Not supported | Supported | Supported | Supported |
| Exchange Server 2016 CU2 or later | Not supported | Supported | Supported | Supported |
| Office 365 / Exchange Online | Not supported | Supported | Supported | Supported |

The following articles describe how to deploy public folders in your Exchange organization in a co-existence or
hybrid topology. As long as your Outlook 2016 for Mac clients have installed the April 2016 update, they will be
able to access public folders in the configurations detailed in these articles:
Configure legacy public folders where user mailboxes are on Exchange 2013 servers
Configure Exchange 2013 public folders for a hybrid deployment
Configure Exchange Online public folders for a hybrid deployment
Create a public folder mailbox
3/4/2019 • 2 minutes to read

Before you can create a public folder, you must first create a public folder mailbox. Public folder mailboxes contain
the hierarchy information plus the content for public folders. The first public folder mailbox you create will be the
primary hierarchy mailbox, which contains the only writable copy of the hierarchy. Any additional public folder
mailboxes you create will be secondary mailboxes, which contain a read-only copy of the hierarchy.

NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.

For additional management tasks related to public folders in Exchange Server, see Public Folder Procedures.
For additional management tasks related to public folders in Exchange Online, see Public folder procedures in
Office 365 and Exchange Online.

What do you need to know before you begin?


Estimated time to complete: less than 5 minutes.
Exchange Server public folders and public folders on legacy Exchange servers can't exist in the same
organization. If you try to create a public folder mailbox when you still have legacy public folders, you'll
receive the error An existing Public Folder deployment has been detected. To migrate existing
Public Folder data, create new Public Folder mailbox using -HoldForMigration switch.
Before you can create public folders in Exchange Server, you need to migrate your legacy public folders to
Exchange Server. To do this, follow the steps in Migrate Public Folders to Exchange 2013 From Previous
Versions. These steps will show you how to create a public folder mailbox that can be used to store your
migrated public folders.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the EAC to create a public folder mailbox


1. Navigate to Public folders > Public folder mailboxes, and then click New.
2. In Public Folder Mailbox, provide a name for the public folder mailbox.
3. Click Save.

Use Exchange Online PowerShell to create a public folder mailbox


This example creates the primary public folder mailbox.

New-Mailbox -PublicFolder -Name MasterHierarchy

This example creates a secondary public folder mailbox. The only difference between creating the primary
hierarchy mailbox and a secondary hierarchy mailbox is that the primary mailbox is the first one created in the
organization. You can create additional public folder mailboxes for load balancing purposes.

New-Mailbox -PublicFolder -Name Istanbul

For detailed syntax and parameter information, see New-Mailbox.

How do you know this worked?


To verify that you have successfully created the primary public folder mailbox, run the following command in
Exchange Online PowerShell:

Get-OrganizationConfig | Format-List RootPublicFolderMailbox

For detailed syntax and parameter information, see Get-OrganizationConfig.


Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.
Create a public folder
3/4/2019 • 2 minutes to read

Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
By default, a public folder inherits the settings of its parent folder, including the permissions settings.

NOTE
For more information about the storage quotas and limits for public folders, see the following topics:
For public folders in Office 365, see Exchange Online Limits.
For public folders in on-premises Exchange Server, see Limits for public folders.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
You can't create a public folder unless you've first created a public folder mailbox. For more information
about how to create a public folder mailbox, see Create a public folder mailbox.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the EAC to create a public folder


When using the EAC to create a public folder, you'll only be able to set the name and the path of the public folder.
To configure additional settings, you'll need to edit the public folder after it's created.
1. Navigate to Public folders > Public folders.
2. If you want to create this public folder as a child of an existing public folder, click the existing public folder in
the list view. If you want to create a top-level public folder, skip this step.
3. Click New.
4. In Public Folder, type the name of the public folder.

IMPORTANT
Don't use a backslash ( \ ) in the name when creating a public folder.

5. In the Path box, verify the path to the public folder. If this isn't the desired path, click Cancel and follow
Step 2 of this procedure.
6. Click Save.

Use Exchange Online PowerShell to create a public folder


This example creates a public folder named Reports in the path Marketing\2013.

New-PublicFolder -Name Reports -Path \Marketing\2013

IMPORTANT
Don't use a backslash (\) in the name when creating a public folder.

For detailed syntax and parameter information, see New-PublicFolder.

How do you know this worked?


To verify that you've successfully created a public folder, do the following:
In the EAC, click Refresh to refresh the list of public folders. Your new public folder should be displayed in
the list.
In Exchange Online PowerShell, run any of the following commands:

Get-PublicFolder -Identity \Marketing\2013\Reports | Format-List

Get-PublicFolder -Identity \Marketing\2013 -GetChildren

Get-PublicFolder -Recurse

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Recover a deleted public folder mailbox
3/4/2019 • 2 minutes to read

Summary: This article describes how to recover a public folder mailbox in Office 365 that was previously soft-
deleted, meaning the mailbox retention period has not yet elapsed and the recycle bin has not been purged.
You can delete public folder mailboxes either in the EAC or through the Remove-Mailbox -PublicFolder cmdlet. To
delete a primary mailbox, all other mailboxes must be deleted first. After a mailbox is deleted it will no longer be
visible in the EAC.
Deleted Public Folder mailboxes are recoverable for a period of up to 90 days.

What do you need to know before you begin?


Estimated time to complete: 5-10 minutes.
A public folder mailbox can only be deleted once all folders within that mailbox have been deleted. However,
you can bypass this restriction by using the -Force switch, as in Remove-Mailbox -PublicFolder -Force.
A deleted public folder mailbox is only recoverable for a period of 90 days after the mailbox is soft-deleted.
The retention period for a soft-deleted mailbox is 90 days, after which the mailbox is permanently deleted
and you won't be able to restore it.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

NOTE
For deleted public folder mailboxes that contain folders, the folders will be automatically recovered along with the mailbox
that contains them when you use one of the following procedures to recover the mailbox.

Restore a primary mailbox


To restore a primary public folder mailbox:
1. Type the following command to find the soft-deleted mailbox:

Get-Mailbox -PublicFolder -SoftDeletedMailbox

2. Type the following command to restore the chosen mailbox:

Undo-SoftDeletedMailbox -PublicFolder

Restore a primary mailbox and secondary mailboxes


The Type field, part of the information returned by the Get-Mailbox cmdlet, identifies public folder mailboxes as
either Primary or Secondary. Primary public folder mailboxes must be restored first.
Perform the following steps to restore both a primary public folder mailbox and any relevant secondary mailboxes.
1. Type the following command to find the soft-deleted mailboxes:

Get-Mailbox -PublicFolder -SoftDeletedMailbox

2. Type the following command to restore the primary mailbox:

Undo-SoftDeletedMailbox -PublicFolder

3. Type the following for each secondary public folder mailbox that you want to restore (once per mailbox).

Undo-SoftDeletedMailbox -PublicFolder

Restore secondary mailboxes


Use this procedure if you want to restore one or more secondary public folder mailboxes that were soft-deleted,
and the primary mailbox still exists within your organization.
1. Type the following command to find the soft-deleted mailboxes:

Get-Mailbox -PublicFolder -SoftDeletedMailbox

You will be able to distinguish primary from secondary public folder mailboxes by the information in the
Type field.
2. Type the following for each secondary public folder mailbox that you want to restore (once per mailbox).

Undo-SoftDeletedMailbox -PublicFolder

NOTE
If a primary public folder has been deleted from an organization, any secondary mailbox associated with it can't be restored.
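
The restore order and the 90-day window described above can be checked before anything is restored. The following is an added example, not code from the original documentation: the function name, its parameters and the sample mailboxes are constructed for illustration, and it assumes the IsRootPublicFolderMailbox and WhenSoftDeleted properties that Get-Mailbox returns and the -SoftDeletedObject parameter of Undo-SoftDeletedMailbox, none of which appear on this page.

```powershell
# Added example, not Microsoft's code. Orders soft-deleted public folder mailboxes
# for restore: primary first, then secondaries, with days left in the retention window.
function Get-PublicFolderMailboxRestorePlan {
    [CmdletBinding()]
    param(
        # Output of: Get-Mailbox -PublicFolder -SoftDeletedMailbox
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SoftDeleted,
        # Set when the primary hierarchy mailbox still exists in the organization.
        [switch] $PrimaryIsActive,
        [int] $RetentionDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    $primaryAvailable = $PrimaryIsActive.IsPresent
    $step = 0

    # $false sorts before $true, so the primary (root) mailbox comes first.
    $ordered = $SoftDeleted |
        Sort-Object -Property @({ -not $_.IsRootPublicFolderMailbox }, 'WhenSoftDeleted')

    foreach ($mbx in $ordered) {
        $isPrimary = [bool]$mbx.IsRootPublicFolderMailbox
        $elapsed   = [int][math]::Floor(($AsOf - $mbx.WhenSoftDeleted).TotalDays)
        $daysLeft  = $RetentionDays - $elapsed

        if ($daysLeft -le 0) {
            $action = 'Expired'                 # past the retention period
        } elseif ($isPrimary -or $primaryAvailable) {
            $action = 'Restore'
        } else {
            $action = 'Blocked (no primary)'    # secondaries need a primary first
        }
        if ($isPrimary -and $action -eq 'Restore') { $primaryAvailable = $true }

        $stepNo = $null
        if ($action -eq 'Restore') { $step++; $stepNo = $step }

        [pscustomobject]@{
            Step     = $stepNo
            Name     = $mbx.Name
            Role     = if ($isPrimary) { 'Primary' } else { 'Secondary' }
            DaysLeft = [math]::Max($daysLeft, 0)
            Action   = $action
        }
    }
}

# Constructed sample input (not real mailboxes), so the plan can be run offline.
$asOf = [datetime]'2019-03-04'
$sample = @(
    [pscustomobject]@{ Name = 'Istanbul';        IsRootPublicFolderMailbox = $false; WhenSoftDeleted = $asOf.AddDays(-10) }
    [pscustomobject]@{ Name = 'MasterHierarchy'; IsRootPublicFolderMailbox = $true;  WhenSoftDeleted = $asOf.AddDays(-9) }
    [pscustomobject]@{ Name = 'PF_marketing';    IsRootPublicFolderMailbox = $false; WhenSoftDeleted = $asOf.AddDays(-95) }
)
Get-PublicFolderMailboxRestorePlan -SoftDeleted $sample -AsOf $asOf | Format-Table -AutoSize

# Against a live session, preview the restores in plan order before committing:
# Get-PublicFolderMailboxRestorePlan -SoftDeleted (Get-Mailbox -PublicFolder -SoftDeletedMailbox) |
#     Where-Object { $_.Action -eq 'Restore' } |
#     ForEach-Object { Undo-SoftDeletedMailbox -SoftDeletedObject $_.Name -PublicFolder -WhatIf }
```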
Use favorite public folders in Outlook on the web
3/4/2019 • 2 minutes to read

In the Outlook client, users in your organization can add public folders to their Favorites folders. Then, depending
on your organization's policies, they can use Outlook on the web to add those same public folders to their Favorites
and perform certain functions in Outlook on the web that they use in the Outlook client.

Add public folders to Favorites in Outlook


In order for users to perform certain tasks on public folders in their Favorites folder, they must first use the
Outlook client to add public folders to the Favorites folder.

NOTE
For more information about creating and configuring public folders, users in your organization can see Create a public folder
in Outlook.

1. In Outlook, go to the Folders view. Click the three dots on the Navigation Bar, and then click Folders.

Users with Outlook 2010 clients can click Folders at the bottom of the Navigation Pane.
2. If necessary, scroll to the Public Folders node in the Navigation Pane. Click to expand the All Public
Folders folder.
3. Right-click the public folder that you want to add to Favorites, then select Add to Favorites....

NOTE
By default, the Favorites folder is directly beneath the All Public Folders folder in the Navigation Bar.

4. In the Add to Favorites dialog, you have the option to rename the folder for your Favorites only. Click
Add to add the folder to Favorites.

IMPORTANT
There are several types of public folders. In order for users to be able to work with a favorite public folder in Outlook on the
web, the public folder must be of type Mail and Post items, Calendar items, or Contact items.
Add favorite public folders in Outlook on the web
In order for users to access their Outlook favorite public folders, they must also add them to their Favorites in
Outlook on the web. The Outlook client does not automatically sync public folders with Outlook on the web.
To add a public folder in Outlook on the web, right-click Folders, and then choose Add public folder to
Favorites. Locate the folder and click Add.

Your users can now use Outlook on the web to perform the following tasks in their favorite Calendar, Contact, or
Mail and Post public folders:
Create items in the public folders
Retrieve items
Update items
Delete items

See also
Create a public folder in Outlook
Mail-enable or mail-disable a public folder
3/29/2019 • 3 minutes to read

Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Mail-enabling a public folder allows users to
post to the public folder by sending an email message to it. When a public folder is mail-enabled, additional
settings become available for the public folder in the Exchange admin center (EAC), such as email addresses and
mail quotas. In Exchange Online PowerShell, before a public folder is mail-enabled, you use the Set-PublicFolder
cmdlet to manage all of its settings. After the public folder is mail-enabled, you use the Set-PublicFolder and the
Set-MailPublicFolder cmdlets to manage the settings.
If you want users on the internet to send mail to a mail-enabled public folder, you need to set additional permissions
using the Add-PublicFolderClientPermission cmdlet.
For additional management tasks related to managing public folders, see Public Folder Procedures.
For additional management tasks related to public folders, see Public folder procedures in Office 365 and
Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
To ensure that users on the internet can send e-mail messages to a mail-enabled public folder, the public
folder needs to have at least the CreateItems access right granted to the Anonymous account. If you want to
learn how to do this, check out Allow anonymous users to send email to a mail-enabled public folder.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to mail-enable or mail-disable a public folder


1. Navigate to Public folders > Public folders.
2. In the list view, select the public folder that you want to mail-enable or mail-disable.
3. In the details pane, under Mail settings, click Enable or Disable.
4. A warning box displays asking if you are sure you want to enable or disable email for the public folder. Click
Yes to continue.
If you want external users to send mail to this public folder, make sure you follow the steps in Allow anonymous
users to send email to a mail-enabled public folder.

Use Exchange Online PowerShell to mail-enable a public folder


This example mail-enables the public folder Help Desk.

Enable-MailPublicFolder -Identity "\Help Desk"

This example mail-enables the public folder Reports under the Marketing public folder, but hides the folder from
address lists.

Enable-MailPublicFolder -Identity "\Marketing\Reports" -HiddenFromAddressListsEnabled $True

If you want external users to send mail to this public folder, make sure you follow the steps in Allow anonymous
users to send email to a mail-enabled public folder.
For detailed syntax and parameter information, see Enable-MailPublicFolder.

Use Exchange Online PowerShell to mail-disable a public folder


This example mail-disables the public folder Marketing\Reports.

Disable-MailPublicFolder -Identity "\Marketing\Reports"

For detailed syntax and parameter information, see Disable-MailPublicFolder.

Allow anonymous users to send email to a mail-enabled public folder


You can use either Outlook or Exchange Online PowerShell to set permissions on a public folder's Anonymous
account. You can't use the EAC to set permissions on the Anonymous account.
Use Outlook to set permissions for the Anonymous account
1. Open Outlook using an account that's been granted Owner permissions on the email-enabled public folder
you want anonymous users to send mail to.
2. Navigate to Public folders - <user's name>.
3. Navigate to the public folder you want to change.
4. Right-click on the public folder, click Properties and then select the Permissions tab.
5. Select the Anonymous account, select Create items under Write, and then click OK.
Use Exchange Online PowerShell to set permissions for the Anonymous account
This example sets the CreateItems permission for the Anonymous account on the "Customer Feedback" mail-
enabled public folder.

Add-PublicFolderClientPermission "\Customer Feedback" -AccessRights CreateItems -User Anonymous

For detailed syntax and parameter information, see Add-PublicFolderClientPermission.
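
Granting CreateItems to Anonymous lets any internet sender post into the folder, so it is worth reviewing which folders carry Anonymous grants and whether any exceed CreateItems. The following is an added audit example, not code from the original documentation: the function name, the allowed-rights list and the sample entries are constructed for illustration, and the input shape assumes the Identity, User and AccessRights properties returned by Get-PublicFolderClientPermission.

```powershell
# Added example, not Microsoft's code. Reports Anonymous grants on public folders
# and marks any that go beyond the CreateItems right this page calls for.
function Find-AnonymousPublicFolderGrant {
    [CmdletBinding()]
    param(
        # One permission entry with Identity, User and AccessRights properties
        # (the shape Get-PublicFolderClientPermission returns).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Entry,

        # Assumption: rights considered acceptable for the Anonymous account.
        [string[]] $AllowedRights = @('None', 'CreateItems')
    )
    process {
        # Assumption: the User value renders as the string 'Anonymous'.
        if ([string]$Entry.User -ne 'Anonymous') { return }

        # AccessRights can arrive as a collection or as one comma-separated string.
        $rights = @($Entry.AccessRights |
            ForEach-Object { ([string]$_) -split ',' } |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
        $excess = @($rights | Where-Object { $_ -notin $AllowedRights })

        if ($excess.Count -gt 0) {
            $finding = 'ExceedsCreateItems'
        } elseif ($rights -contains 'CreateItems') {
            $finding = 'AcceptsAnonymousPosts'
        } else {
            return   # None, or no rights at all: nothing to report
        }

        [pscustomobject]@{
            Folder       = [string]$Entry.Identity
            Rights       = $rights -join ', '
            ExcessRights = $excess -join ', '
            Finding      = $finding
        }
    }
}

# Constructed sample entries (not real output), so the check can be run offline.
$sample = @(
    [pscustomobject]@{ Identity = '\Customer Feedback'; User = 'Anonymous'; AccessRights = @('CreateItems') }
    [pscustomobject]@{ Identity = '\Marketing\Reports'; User = 'Anonymous'; AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ Identity = '\Help Desk';         User = 'Anonymous'; AccessRights = @('None') }
    [pscustomobject]@{ Identity = '\Help Desk';         User = 'Default';   AccessRights = @('Author') }
)
$sample | Find-AnonymousPublicFolderGrant | Format-Table -AutoSize

# Against a live Exchange Online PowerShell session:
# Get-PublicFolder -Recurse | Get-PublicFolderClientPermission |
#     Find-AnonymousPublicFolderGrant
```

Folders reported as ExceedsCreateItems give unauthenticated senders more than the ability to post and are the ones to review first.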


Update the public folder hierarchy
3/4/2019 • 2 minutes to read

You only need to update the public folder hierarchy if you want to manually invoke the hierarchy synchronizer and
the mailbox assistant. Both these are invoked at least once every 24 hours for each public folder mailbox in the
organization. The hierarchy synchronizer is invoked every 15 minutes if any users are logged on to a secondary
mailbox through Microsoft Outlook or a Microsoft Exchange Web Services client.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
You can't perform this procedure in the EAC. You must use Exchange Online PowerShell.
We recommend that when you run this command with the InvokeSynchronizer parameter, you use the
SuppressStatus parameter. If you don't use this parameter in the command, the output will display status
messages every 3 seconds for up to one minute. Until the minute passes, you can't use that instance of
Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Update the public folder hierarchy


This example updates the public folder hierarchy on the public folder mailbox PF_marketing and suppresses the
command's output.

Update-PublicFolderMailbox -Identity PF_marketing -InvokeSynchronizer -SuppressStatus

This example updates all public folder mailboxes and suppresses the command's output.

Get-Mailbox -PublicFolder | Update-PublicFolderMailbox -InvokeSynchronizer -SuppressStatus


Remove a public folder
3/4/2019 • 2 minutes to read

You may need to remove public folders that are no longer being used in your organization. To help determine
which public folders should be removed, see View statistics for public folders and public folder items.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
You can't delete a mail-enabled public folder. Before you can delete it, you must first disable email for the
public folder. For more information, see Mail-enable or mail-disable a public folder.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to remove a public folder


1. Navigate to Public folders > Public folders.
2. In the list view, select the public folder you want to delete. Note that clicking on the folder name will display
sub-folders within that folder, if there are any. At that point you can click to select a specific sub-folder to
remove.
To delete a folder or sub-folder, click anywhere on the folder's row except the underlined name of the folder,
and then click Delete. If you click the underlined name of the folder, the Delete option will not be
available to select.
3. A warning box displays asking if you're sure you want to delete the public folder. Click Yes to continue.

Use Exchange Online PowerShell to delete a public folder


This example deletes the public folder Help Desk\Resolved. This command assumes that the Resolved public folder
doesn't have any subfolders.

Remove-PublicFolder -Identity "\Help Desk\Resolved"

This example tests the previous command without making any modifications.

Remove-PublicFolder -Identity "\Help Desk\Resolved" -WhatIf

This example removes the public folder Marketing and all its subfolders because the command runs recursively.

Remove-PublicFolder -Identity "\Marketing" -Recurse:$True

For detailed syntax and parameter information, see Remove-PublicFolder.
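A pre-flight check for the recursive removal shown above, as an added example that is not part of the original documentation. It assumes a connected Exchange Online PowerShell session and relies on the MailEnabled property that Get-PublicFolder returns; the function name Test-PublicFolderRemoval is hypothetical.

```powershell
# Added example; Test-PublicFolderRemoval is a hypothetical helper name.
# Requires a connected Exchange Online PowerShell session.
function Test-PublicFolderRemoval {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity    # for example "\Marketing"
    )

    # -Recurse returns the folder itself and every folder beneath it.
    $tree = @(Get-PublicFolder -Identity $Identity -Recurse -ResultSize Unlimited -ErrorAction Stop)

    # Mail-enabled folders can't be deleted until email is disabled for them.
    $mailEnabled = @($tree | Where-Object { $_.MailEnabled })

    $report = [pscustomobject]@{
        Identity           = $Identity
        FoldersInSubtree   = $tree.Count
        MailEnabledFolders = @($mailEnabled | ForEach-Object { [string]$_.Identity })
        ReadyToRemove      = ($mailEnabled.Count -eq 0)
    }

    if ($report.ReadyToRemove) {
        # Preview only: -WhatIf reports what would be deleted without deleting it.
        Remove-PublicFolder -Identity $Identity -Recurse -WhatIf
    }
    else {
        Write-Warning "Mail-disable these folders before removing ${Identity}: $($report.MailEnabledFolders -join '; ')"
    }

    $report
}

Test-PublicFolderRemoval -Identity "\Marketing"
```

Run the real removal only after the report shows ReadyToRemove as True and the -WhatIf preview lists the folders you expect.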


View statistics for public folders and public folder items
3/4/2019 • 2 minutes to read

This topic explains how to retrieve statistics about a public folder, such as the display name, creation time, last user
modified time, last user access, and item size. You can use this information to make decisions about deleting or
retaining public folders.

NOTE
In the Exchange admin center (EAC), you can view some of the quota and usage information for public folders by navigating
to Public Folders > Edit > Mailbox usage. However, this information is incomplete, and we recommend that you use
Exchange Online PowerShell to view public folder statistics.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Public folders" entry in the Sharing and collaboration permissions topic.
You can't use the EAC to retrieve public folder statistics.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to retrieve public folder statistics


This example returns the statistics for the public folder Marketing with a piped command to format the list.

Get-PublicFolderStatistics -Identity \Marketing | Format-List

NOTE
The value for the Identity parameter must include the path to the public folder. For example, if the public folder Marketing
existed under the parent folder Business, you would provide the following value: \Business\Marketing

For detailed syntax and parameter information, see Get-PublicFolderStatistics.

Use Exchange Online PowerShell to view statistics for public folder items

You can view the following information about items within a public folder:
Type of item
Subject
Last user modification time
Last user access time
Creation time
Attachments
Message size
You can use this information to make decisions about what actions to take for your public folders, such as which
public folders to delete. For example, you may want to delete a public folder if the items haven't been accessed for
over two years, or you may want to convert a public folder that's being used as a document repository to another
client access application.
This example returns default statistics for all items in the public folder Pamphlets under the path \Marketing\2013.
Default information includes item identity, creation time, and subject.

Get-PublicFolderItemStatistics -Identity "\Marketing\2013\Pamphlets"

This example returns additional information about the items within the public folder Pamphlets, such as subject,
last modification time, creation time, attachments, message size, and the type of item. It also includes a piped
command to format the list.

Get-PublicFolderItemStatistics -Identity "\Marketing\2010\Pamphlets" | Format-List

For detailed syntax and parameter information, see Get-PublicFolderItemStatistics.

Use Exchange Online PowerShell to export the output of the Get-PublicFolderItemStatistics cmdlet to a .csv file

This example exports the output of the cmdlet to the PFItemStats.csv file that includes the following information
for all items within the public folder \Marketing\Reports:
Subject of the message (Subject)
Date and time that the item was last modified (LastModificationTime)
Whether the item has attachments (HasAttachments)
Type of item (ItemType)
Size of the item (MessageSize)

Get-PublicFolderItemStatistics -Identity "\Marketing\Reports" | Select Subject,LastModificationTime,HasAttachments,ItemType,MessageSize | Export-CSV C:\PFItemStats.csv

For detailed syntax and parameter information, see Get-PublicFolderItemStatistics.
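One way to turn the item statistics into a keep-or-delete signal for a folder, as an added example that is not from the original documentation. The function name and the sample rows are constructed; the size parsing assumes MessageSize is rendered in the form "12.5 KB (12,800 bytes)", and the age test uses LastModificationTime because that is the timestamp the export above selects.

```powershell
# Added example: summarize Get-PublicFolderItemStatistics output for one folder.
# Measure-PublicFolderItemAge is a hypothetical helper name.
function Measure-PublicFolderItemAge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Item,

        [int]$StaleAfterDays = 730,      # "over two years"
        [datetime]$AsOf = (Get-Date)
    )
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Item) }
    end {
        if ($rows.Count -eq 0) { return }

        $cutoff = $AsOf.AddDays(-$StaleAfterDays)

        $totalBytes = [long]0
        foreach ($row in $rows) {
            # Assumed format: "12.5 KB (12,800 bytes)"; take the exact byte count.
            if ([string]$row.MessageSize -match '\(([\d,.\s]+) bytes\)') {
                $totalBytes += [long]($Matches[1] -replace '\D', '')
            }
        }

        $newest = ($rows | Sort-Object LastModificationTime -Descending |
                   Select-Object -First 1).LastModificationTime
        $stale  = @($rows | Where-Object { $_.LastModificationTime -lt $cutoff })

        [pscustomobject]@{
            Items           = $rows.Count
            StaleItems      = $stale.Count
            WithAttachments = @($rows | Where-Object { $_.HasAttachments }).Count
            NewestChange    = $newest
            TotalBytes      = $totalBytes
            AllItemsStale   = ($stale.Count -eq $rows.Count)
        }
    }
}

# Constructed sample rows shaped like the cmdlet's output, so the function runs offline.
$sample = @(
    [pscustomobject]@{ Subject = 'Spring pamphlet'; LastModificationTime = [datetime]'2013-04-02'
                       HasAttachments = $true;  ItemType = 'IPM.Note'; MessageSize = '1.2 MB (1,258,291 bytes)' }
    [pscustomobject]@{ Subject = 'Print vendor quote'; LastModificationTime = [datetime]'2014-11-20'
                       HasAttachments = $false; ItemType = 'IPM.Note'; MessageSize = '12.5 KB (12,800 bytes)' }
    [pscustomobject]@{ Subject = 'Reprint request'; LastModificationTime = [datetime]'2018-09-01'
                       HasAttachments = $true;  ItemType = 'IPM.Note'; MessageSize = '340 KB (348,160 bytes)' }
)
$sample | Measure-PublicFolderItemAge -AsOf ([datetime]'2019-03-04')

# Against a live folder:
# Get-PublicFolderItemStatistics -Identity "\Marketing\Reports" | Measure-PublicFolderItemAge
```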


Shared mailboxes in Exchange Online
3/4/2019 • 3 minutes to read

Summary: About shared mailboxes in Exchange Online, and how to create them.
Shared mailboxes make it easy for a group of people in your company to monitor and send email from a common
account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a message
sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual user.

IMPORTANT
If you're using Office 365 for business, you should create your shared mailbox in the Office 365 admin center. See Create
shared mailboxes in Office 365.

If your organization uses a hybrid Exchange environment, you should use the on-premises Exchange admin center
(EAC) to create and manage shared mailboxes. To learn more about shared mailboxes, see Shared Mailboxes.

Use the EAC to create a shared mailbox


You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "User mailboxes" entry in the Recipients permissions topic.
1. Go to Recipients > Shared > New.
2. Fill in the required fields:
Display name
Email address
3. To grant Full Access or Send As permissions, click Add, and then select the users you want to grant
permissions to. You can use the CTRL key to select multiple users. Confused about which permission to use?
See Which permission should you use? later in this topic.

NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.

4. Click Save to save your changes and create the shared mailbox.

Use the EAC to edit shared mailbox delegation
1. Go to Recipients > Shared > Edit.
2. Click Mailbox delegation.
3. To grant or remove Full Access and Send As permissions, click Add or Remove, and then select the
users you want to grant permissions to.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions are
required for successful shared mailbox operation.

4. Click Save to save your changes.

Use a shared mailbox


To learn how users can access and use shared mailboxes, check out the following:
Open and use a shared mailbox in Outlook 2016 and Outlook 2013
Open and use a shared mailbox in Outlook on the web for business

Use Exchange Online PowerShell to create a shared mailbox


This example creates the shared mailbox Sales Department and grants Full Access and Send on Behalf permissions
for the security group MarketingSG. Users who are members of the security group will be granted the permissions
to the mailbox.

NOTE
This example assumes that you've already created the security group MarketingSG and that security group is mail-enabled.
See Manage mail-enabled security groups.

New-Mailbox -Shared -Name "Sales Department" -DisplayName "Sales Department" -Alias Sales | Set-Mailbox -GrantSendOnBehalfTo MarketingSG | Add-MailboxPermission -User MarketingSG -AccessRights FullAccess -InheritanceType All

For detailed syntax and parameter information, see New-Mailbox.

Which permissions should you use?


You can use the following permissions with a shared mailbox.
Full Access: The Full Access permission lets a user open the shared mailbox and act as the owner of that
mailbox. After accessing the shared mailbox, a user can create calendar items; read, view, delete, and change
email messages; create tasks and calendar contacts. However, a user with Full Access permission can't send
email from the shared mailbox unless they also have Send As or Send on Behalf permission.
Send As: The Send As permission lets a user impersonate the shared mailbox when sending mail. For
example, if Kweku logs into the shared mailbox Marketing Department and sends an email, it will look like
the Marketing Department sent the email.
Send on Behalf: The Send on Behalf permission lets a user send email on behalf of the shared mailbox. For
example, if John logs into the shared mailbox Reception Building 32 and sends an email, it will look like the mail
was sent by "John on behalf of Reception Building 32". You can't use the EAC to grant Send on Behalf
permissions; you must use the Set-Mailbox cmdlet with the GrantSendOnBehalfTo parameter.
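An audit of who holds each of these three permissions on every shared mailbox, as an added example that is not part of the original documentation. It assumes a connected Exchange Online PowerShell session; the function name Get-SharedMailboxDelegation is hypothetical.

```powershell
# Added example; Get-SharedMailboxDelegation is a hypothetical helper name.
# Requires a connected Exchange Online PowerShell session.
function Get-SharedMailboxDelegation {
    [CmdletBinding()]
    param()

    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $shared) {
        $id = [string]$mbx.PrimarySmtpAddress

        # Full Access: explicit allow entries, skipping the mailbox's own SELF entry
        # and entries inherited from the organization.
        Get-MailboxPermission -Identity $id |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and
                -not $_.Deny -and
                -not $_.IsInherited -and
                $_.User -notlike 'NT AUTHORITY\*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $id
                    Trustee = [string]$_.User
                    Right   = 'Full Access'
                }
            }

        # Send As: the trustee can send mail that appears to come from the mailbox.
        Get-RecipientPermission -Identity $id |
            Where-Object {
                $_.AccessRights -contains 'SendAs' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.Trustee -notlike 'NT AUTHORITY\*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $id
                    Trustee = [string]$_.Trustee
                    Right   = 'Send As'
                }
            }

        # Send on Behalf: stored on the mailbox object itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{
                Mailbox = $id
                Trustee = [string]$delegate
                Right   = 'Send on Behalf'
            }
        }
    }
}

Get-SharedMailboxDelegation | Sort-Object Mailbox, Right, Trustee | Format-Table -AutoSize
```

The three cmdlets can render the same trustee in different forms (name, alias or address), so compare rows by eye or resolve each trustee with Get-Recipient before joining them.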

More information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Address books in Exchange Online
3/4/2019 • 2 minutes to read

Exchange Online uses address books to organize and store email address information for recipients in the
organization. The topics that will help you learn about and configure email addresses and address books in
Exchange Online are described in the following table.

| KEY TERMINOLOGY | DESCRIPTION | TOPIC |
| --- | --- | --- |
| Address book policies | The global address list (GAL) is the master list of all recipients in your Exchange Online organization. Address book policies (ABPs) provide a simpler mechanism for GAL segmentation in organizations that require multiple GALs. An ABP defines a GAL, an offline address book (OAB), a room list, and one or more address lists. You can then assign the ABP to users. | Address book policies in Exchange Online |
| Address lists | An address list is a subset of a GAL. Each address list is a dynamic collection of one or more types of recipients. You can use address lists to help users find the recipients and resources that they need. | Address lists |
| Hierarchical address books | The hierarchical address book (HAB) presents recipients in the GAL by using your organization's unique business structure (for example, seniority or management hierarchy), which provides an efficient method for locating internal recipients. | Hierarchical address books |
| Offline address books | An offline address book (OAB) is a collection of address lists that can be downloaded and used in Outlook by users that are disconnected from the Exchange Online organization. | Offline address books in Exchange Online |

Note: Email address policies are available in Exchange Online, but only for Office 365 groups. For more
information, see Choose the domain to use when creating Office 365 Groups.
For help with everyday email tasks, such as organizing your contacts in Outlook, check the Office 365 Learning
Center. You can find help including:
Add an email contact
Import your contacts
Create a contact group
Send an email message to a contact group
Address book policies in Exchange Online
3/4/2019 • 3 minutes to read

Address book policies (ABPs) let admins segment users into specific groups to provide customized views of the
organization's global address list (GAL). The goal of an ABP is to provide a simpler mechanism for GAL
segmentation (also known as GAL segregation) in organizations that require multiple GALs.
An ABP contains these elements:
One GAL. For more information about GALs, see Default address lists in Exchange Online.
One offline address book (OAB). For more information about OABs, see Offline address books in
Exchange Online.
One room list. Note that this room list is a custom address list that specifies rooms (contains the filter
RecipientDisplayType -eq 'ConferenceRoomMailbox'). It's not a room finder that you create with the
RoomList switch on the New-DistributionGroup or Set-DistributionGroup cmdlet. For more
information, see Create and manage room mailboxes in Exchange Online.
One or more address lists. For more information about address lists, see Custom Address Lists in
Exchange Online.
For procedures involving ABPs, see Address book policy procedures in Exchange Online.
Notes:
ABPs create only a virtual separation of users from a directory perspective, not a legal separation.
Implementing an ABP is a multi-step process that requires planning. For more information, see Scenario:
Deploying Address Book Policies.

How ABPs Work


The following diagram shows how ABPs work. The user is assigned Address Book Policy A that contains a subset
of address lists that are available in the organization. When the ABP is created and assigned to the user, the ABP
becomes the scope of the address lists that the user is able to view.
To turn on ABP email routing in your Exchange Online organization, see Turn on address book policy routing in
Exchange Online.
To assign ABPs to users, see Assign an address book policy to users in Exchange Online.
ABPs take effect when a user connects to their Exchange Online mailbox. If you change an ABP, the updated ABP
takes effect when a user restarts or reconnects their email client app.

ABP example
In the following diagram, Fabrikam and Tailspin Toys share the same Exchange Online organization and the same
CEO. The CEO is the only employee common to both companies.

The suggested configuration includes three ABPs:


One ABP is assigned to Fabrikam employees. The GAL and address lists in the ABP include Fabrikam
employees and the CEO.
One ABP is assigned to Tailspin Toys employees. The GAL and address lists in the ABP include Tailspin
Toys employees and the CEO.
One ABP is assigned to only the CEO. The (default) GAL and address lists in the ABP include all
employees (Fabrikam, Tailspin Toys, and the CEO).
Based on this configuration, the ABPs help to enforce these requirements:
The users in Tailspin Toys can only see Tailspin Toys employees and the CEO when they browse the GAL.
The users in Fabrikam can only see Fabrikam employees and the CEO when they browse the GAL.
The CEO can see all Fabrikam and Tailspin Toys employees when she browses the GAL.
Users who view the CEO's group membership can see only groups that belong to their company. They
can't see groups that belong to the other company.

ABPs for Entourage and Outlook for Mac users


Entourage and Outlook for Mac clients that connect to their Exchange Online mailboxes can use an OAB or
Exchange Web Services (EWS), which allows them to search the GAL based on the assigned ABP.
In hybrid environments where the user account is in your on-premises organization and the mailbox is in
Exchange Online, ABPs won't function for Entourage and Outlook for Mac users who connect to their mailboxes
from inside the corporate network, because Entourage and Outlook for Mac connect directly to a global catalog
server to query Active Directory (which bypasses the ABPs). Outside the corporate network, they can use an OAB
or Exchange Web Services (EWS), which allows them to search the GAL based on the assigned ABP.
To learn more about administering Outlook for Mac 2011, see Planning for Outlook for Mac 2011.
Address book policy procedures in Exchange Online
3/4/2019 • 2 minutes to read

Turn on address book policy routing in Exchange Online
Create an address book policy in Exchange Online
Assign an address book policy to users in Exchange Online
Change the settings of an address book policy in Exchange Online
Remove an address book policy in Exchange Online
Turn on address book policy routing in Exchange Online
3/4/2019 • 2 minutes to read

Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
ABP routing creates the virtual organizations within a single Exchange Online organization. Your virtual
organization is determined by the global address list (GAL) you reside in. When ABP routing is turned on, users
that are assigned to different GALs appear as external recipients and won't be able to view each other's contact
cards.
In Exchange Online, you can only turn on ABP routing in Exchange Online PowerShell.
Looking for the Exchange Server version of this topic? See Install and Configure the Address Book Policy Routing
Agent.

What do you need to know before you begin?


You need to be a member of the Organization Management role group in Exchange Online (or an Office
365 global administrator) before you can perform the procedure in this topic.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange
Online Protection.

Use Exchange Online PowerShell to turn on ABP routing


To enable ABP routing in the Exchange Online organization, run the following command:

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

For detailed syntax and parameter information, see Set-TransportConfig.


How do you know this worked?
To verify that you've successfully turned on ABP routing, use any of the following steps:
In Exchange Online PowerShell, run the following command to verify that ABP routing is enabled for the
organization:

Get-TransportConfig | Format-List AddressBookPolicyRoutingEnabled

Have a user that's assigned an ABP send an email message to a user that's assigned a different ABP, and
verify that the sender's email address doesn't resolve to their display name.
Create an address book policy in Exchange Online
3/4/2019 • 2 minutes to read

Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
In Exchange Online, you can only create ABPs in Exchange Online PowerShell.
An ABP requires one global address list (GAL), one offline address book (OAB), one room list, and one or more
address lists. To view the available objects, use the Get-GlobalAddressList, Get-OfflineAddressBook, and
Get-AddressList cmdlets.
Note: The room list that's required for an ABP is an address list that specifies rooms (contains the filter
RecipientDisplayType -eq 'ConferenceRoomMailbox'). It's not a room finder distribution group that you create with
the RoomList switch on the New-DistributionGroup or Set-DistributionGroup cmdlets.

What do you need to know before you begin?


Estimated time to complete: Less than 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Creating an ABP for an organization is a multi-step process that requires planning. For more information,
see Scenario: Deploying Address Book Policies.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange
Online Protection.

Use Exchange Online PowerShell to create an ABP


To create an ABP, use this syntax:

New-AddressBookPolicy -Name "<Unique Name>" -GlobalAddressList "<GAL>" -OfflineAddressBook "<OAB>" -RoomList "<RoomList>" -AddressLists "<AddressList1>","<AddressList2>"...

This example creates an ABP with the following settings:


Name: All Fabrikam ABP
GAL: All Fabrikam
OAB: Fabrikam-All-OAB
Room list: All Fabrikam Rooms
Address lists: All Fabrikam, All Fabrikam Mailboxes, All Fabrikam DLs, and All Fabrikam Contacts

New-AddressBookPolicy -Name "All Fabrikam ABP" -AddressLists "\All Fabrikam","\All Fabrikam Mailboxes","\All Fabrikam DLs","\All Fabrikam Contacts" -OfflineAddressBook \Fabrikam-All-OAB -GlobalAddressList "\All Fabrikam" -RoomList "\All Fabrikam Rooms"

For detailed syntax and parameter information, see New-AddressBookPolicy.


How do you know this worked?
To verify that you've successfully created an ABP, use either of these procedures in Exchange Online PowerShell:
Run the following command to verify that the ABP is listed:

Get-AddressBookPolicy

Replace <ABPName> with the name of the ABP, and run the following command to verify the property
values:

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List

For more information


After you create an ABP, you need to assign the ABP to users. For instructions, see Assign an address book policy
to users in Exchange Online.
Assign an address book policy to users in Exchange Online
3/4/2019 • 5 minutes to read

Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
Users aren't automatically assigned an ABP when you create mailboxes. If you don't assign an ABP to a mailbox,
the GAL for your entire organization is visible to the user in Outlook and Outlook on the web.
To identify your virtual organizations for ABPs, we recommend that you use the CustomAttribute1 to
CustomAttribute15 attributes on mailboxes, contacts, and groups, because these attributes are the most widely
available and manageable for all recipient types. For more information, see Scenario: Deploying Address Book
Policies.
To assign ABPs to mailboxes, you select the ABP in Exchange admin center (EAC), or specify the ABP in Exchange
Online PowerShell.

What do you need to know before you begin?


Estimated time to complete: Less than 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to assign an ABP to a mailbox


1. In the EAC, go to Recipients > Mailboxes.
2. In the list of mailboxes, find the mailbox that you want to modify. You can:
Scroll through the list of mailboxes.
Click Search and enter part of the user's name, email address, or alias.
Click More options > Advanced search to find the mailbox.
Once you've found the mailbox that you want to modify, select it, and then click Edit.
3. On the mailbox properties page that opens, click Mailbox features.
4. Click the drop-down arrow in Address book policy, and select the ABP that you want to apply.

When you're finished, click Save.

Use the EAC to assign an ABP to multiple mailboxes


1. In the EAC, go to Recipients > Mailboxes.
2. In the list of mailboxes, find the mailboxes that you want to modify. For example:
a. Click More options > Advanced search.
b. In the Advanced search window that opens, select Recipient types and verify the default value
User mailbox.
c. Click More options, and then click Add a condition.
d. In the Select one drop-down box that appears, select the appropriate Custom attribute 1 to
Custom attribute 15 values that defines your virtual organizations.
e. In the Specify words or phrases dialog that appears, enter the value that you want to search for,
and then click OK.
f. Back on the Advanced search window, click OK. In the EAC at Recipients > Mailboxes, click
More options > Advanced search to find user mailboxes.
3. In the list of mailboxes, select multiple mailboxes of the same type (for example, User) from the list. For
example:
Select a mailbox, hold down the Shift key, and select another mailbox that's farther down in the list.
Hold down the CTRL key as you select each mailbox.
After you select multiple mailboxes of the same type, the title of the details pane changes to Bulk Edit.
4. In the details pane, scroll down and click More options, scroll down to Address Book Policy, and then
click Update.
5. In the Bulk assign address book policy window that opens, select the ABP by clicking the drop-down
arrow in Select Address Book Policy, and then click Save.

Use Exchange Online PowerShell to assign an ABP to mailbox users


There are three basic methods you can use to apply an ABP to mailboxes:
Individual mailboxes: Use the following syntax:

Set-Mailbox -Identity <MailboxIdentity> -AddressBookPolicy <ABPIdentity>

This example assigns the ABP named All Fabrikam to the mailbox joe@fabrikam.com.

Set-Mailbox -Identity joe@fabrikam.com -AddressBookPolicy "All Fabrikam"

Filter mailboxes by attributes: This method uses the unique filterable attribute that defines the virtual
organization (for example, the CustomAttribute1 through CustomAttribute15 attribute value).
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the
ABP to the mailboxes):

$<VariableName> = Get-Mailbox -ResultSize unlimited -Filter <Filter>

$<VariableName> | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy <ABPIdentity>}

This example assigns the ABP named All Fabrikam to all mailbox users whose CustomAttribute15 value is
FAB .

$Fabrikam = Get-Mailbox -ResultSize unlimited -Filter {(CustomAttribute15 -eq 'FAB')}

$Fabrikam | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy "All Fabrikam"}

Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):

$<VariableName> = Get-Content "<text file>"

$<VariableName> | foreach {Set-Mailbox -Identity $_ -AddressBookPolicy <ABPIdentity>}

This example assigns the ABP policy named All Fabrikam to the mailboxes specified in the file C:\My
Documents\Fabrikam.txt.

$Fab = Get-Content "C:\My Documents\Fabrikam.txt"

$Fab | foreach {Set-Mailbox -Identity $_ -AddressBookPolicy "All Fabrikam"}

For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.
How do you know this worked?
To verify that you've successfully applied an ABP to a mailbox, use any of the following steps:
In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit. In the properties of the
mailbox window that opens, click Mailbox features, and verify the ABP in the Address book policy field.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the value of the AddressBookPolicy
property:

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List AddressBookPolicy

In Exchange Online PowerShell, run the following command to verify the value of the AddressBookPolicy
property:

Get-Mailbox -ResultSize unlimited | Format-Table Name,AddressBookPolicy -Auto

More information
To remove the ABP assignment from a mailbox, you select the value [No Policy] in the EAC, or use the value
$null for the AddressBookPolicy parameter in Exchange Online PowerShell.
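Because a mailbox without an ABP sees the GAL for the entire organization, it helps to check that every tagged mailbox carries the policy its virtual organization expects. This is an added example, not from the original documentation; the function name, the TAIL tag, the "All Tailspin" policy name and the sample mailboxes are constructed.

```powershell
# Added example; Find-AbpMismatch is a hypothetical helper name.
function Find-AbpMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,

        # Maps each virtual organization's CustomAttribute15 value to its ABP name.
        [Parameter(Mandatory)]
        [hashtable]$ExpectedPolicy
    )
    process {
        $tag      = [string]$Mailbox.CustomAttribute15
        $assigned = [string]$Mailbox.AddressBookPolicy
        $expected = $null
        $finding  = $null

        if ([string]::IsNullOrWhiteSpace($tag)) {
            # Untagged mailboxes can't be matched to a virtual organization.
            if ([string]::IsNullOrWhiteSpace($assigned)) {
                $finding = 'Untagged and no ABP: sees the full organization GAL'
            }
        }
        elseif (-not $ExpectedPolicy.ContainsKey($tag)) {
            $finding = "Tag '$tag' is not mapped to any ABP"
        }
        else {
            $expected = [string]$ExpectedPolicy[$tag]
            if ([string]::IsNullOrWhiteSpace($assigned)) {
                $finding = 'No ABP assigned: sees the full organization GAL'
            }
            elseif ($assigned -ne $expected) {
                $finding = 'Assigned ABP does not match the virtual organization tag'
            }
        }

        if ($finding) {
            [pscustomobject]@{
                Mailbox  = [string]$Mailbox.Name
                Tag      = $tag
                Assigned = $assigned
                Expected = $expected
                Finding  = $finding
            }
        }
    }
}

$map = @{ FAB = 'All Fabrikam'; TAIL = 'All Tailspin' }   # constructed mapping

# Constructed sample mailboxes so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'joe';    CustomAttribute15 = 'FAB';  AddressBookPolicy = 'All Fabrikam' }
    [pscustomobject]@{ Name = 'akol';   CustomAttribute15 = 'FAB';  AddressBookPolicy = $null }
    [pscustomobject]@{ Name = 'kakers'; CustomAttribute15 = 'TAIL'; AddressBookPolicy = 'All Fabrikam' }
    [pscustomobject]@{ Name = 'temp01'; CustomAttribute15 = '';     AddressBookPolicy = $null }
)
$sample | Find-AbpMismatch -ExpectedPolicy $map | Format-Table -AutoSize

# Against the live organization:
# Get-Mailbox -ResultSize unlimited | Find-AbpMismatch -ExpectedPolicy $map
```

With the sample data the report lists akol, kakers and temp01, and omits joe, whose assignment matches.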
Change the settings of an address book policy
3/4/2019 • 2 minutes to read

Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
After you create an ABP, you can view or modify the name and the assigned address lists: the global address list
(GAL), offline address book (OAB), room list, and other address lists.
In Exchange Online, you can only modify ABPs in Exchange Online PowerShell.
For additional management tasks related to ABPs, see Address book policy procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: Less than 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange
Online Protection.

Use Exchange Online PowerShell to modify address book policies


To modify an ABP, use this syntax:

Set-AddressBookPolicy -Identity "<ABPName>" [-Name "<Unique Name>"] [-GlobalAddressList "<GAL>"] [-OfflineAddressBook "<OAB>"] [-RoomList "<RoomList>"] [-AddressLists <AddressLists>]

The Name, GlobalAddressList, OfflineAddressBook, and RoomList parameters all take single values, so the
value you specify replaces the existing value.
This example modifies the ABP named "All Fabrikam ABP" by replacing the OAB with the specified OAB.

Set-AddressBookPolicy -Identity "All Fabrikam ABP" -OfflineAddressBook \Fabrikam-OAB-2

The AddressLists parameter takes multiple values, so you need to decide whether you want to replace the
existing address lists in the ABP, or add and remove address lists without affecting the other address lists in
the ABP.
This example replaces the existing address lists in the ABP named Government Agency A with the specified
address lists.

Set-AddressBookPolicy -Identity "Government Agency A" -AddressLists "GovernmentAgencyA-Atlanta","GovernmentAgencyA-Moscow"

To add address lists to an ABP, you need to specify the new address lists and any existing address lists that
you want to keep.
This example adds the address list named Contoso-Chicago to the ABP named ABP Contoso, which is
already configured to use the address list named Contoso-Seattle.

Set-AddressBookPolicy -Identity "ABP Contoso" -AddressLists "Contoso-Chicago","Contoso-Seattle"

To remove address lists from an ABP, you need to specify the existing address lists that you want to keep,
and omit the address lists that you want to remove.
For example, the ABP named ABP Fabrikam uses the address lists named Fabrikam-HR and Fabrikam-Finance.
To remove the Fabrikam-HR address list, specify only the Fabrikam-Finance address list.

Set-AddressBookPolicy -Identity "ABP Fabrikam" -AddressLists Fabrikam-Finance

For detailed syntax and parameter information, see Set-AddressBookPolicy.
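
Because AddressLists is replaced as a whole, a mistyped or forgotten name silently changes which recipients the policy's users can browse. The following is an added example, not part of the original documentation: a helper that reads the current lists first and then writes back the merged set. Edit-AbpAddressLists is a hypothetical name, and the code assumes the AddressLists property returns each list as a path such as \Contoso-Seattle.

```powershell
# Added example. Edit-AbpAddressLists is a hypothetical helper, not an Exchange cmdlet.
# Requires a connected Exchange Online PowerShell session with the Address List role.
function Edit-AbpAddressLists {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )

    # Assumption: callers pass either a full path ("\Parent\Child") or a root-level
    # name ("Contoso-Chicago"); a bare name is treated as "\<name>".
    function ConvertTo-AddressListPath([string] $Name) {
        if ($Name.StartsWith('\')) { $Name } else { "\$Name" }
    }

    $abp = Get-AddressBookPolicy -Identity $Identity -ErrorAction Stop

    # Assumption: AddressLists holds one path string per assigned address list.
    $current  = @(@($abp.AddressLists) | Where-Object { $_ } |
                  ForEach-Object { ConvertTo-AddressListPath ([string]$_) })
    $toAdd    = @($Add    | ForEach-Object { ConvertTo-AddressListPath $_ })
    $toRemove = @($Remove | ForEach-Object { ConvertTo-AddressListPath $_ })

    # Fail closed on a typo: asking to remove a list the policy does not contain is
    # far more likely a misspelled name than an intended no-op.
    $unknown = @($toRemove | Where-Object { $current -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Not assigned to '$Identity': $($unknown -join ', ')"
    }

    # Keep every list that is not being removed, add the new ones, and de-duplicate.
    # -notcontains and Sort-Object -Unique both compare case-insensitively.
    $new = @(($current + $toAdd) |
             Where-Object { $toRemove -notcontains $_ } |
             Sort-Object -Unique)

    # Design choice of this helper: never write an empty list.
    if ($new.Count -eq 0) {
        throw "Refusing to leave '$Identity' with no address lists."
    }

    if ($PSCmdlet.ShouldProcess($Identity, "Set AddressLists to $($new -join ', ')")) {
        Set-AddressBookPolicy -Identity $Identity -AddressLists $new
    }

    # Return before/after so the change can be logged or reviewed.
    [pscustomobject]@{ Policy = $Identity; Before = $current; After = $new }
}

# The two cases from the text, previewed with -WhatIf (drop -WhatIf to apply):
Edit-AbpAddressLists -Identity "ABP Contoso"  -Add    "Contoso-Chicago" -WhatIf
Edit-AbpAddressLists -Identity "ABP Fabrikam" -Remove "Fabrikam-HR"     -WhatIf
```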


How do you know this worked?
To verify that you've successfully modified an ABP, replace <ABPName> with the name of the ABP, and run the
following command in Exchange Online PowerShell to verify the property values:

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List


Remove an address book policy
3/4/2019 • 2 minutes to read

Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Online.
You can only remove ABPs from your Exchange Online organization using Exchange Online PowerShell, and only
if the ABP isn't assigned to a mailbox (active mailboxes or soft-deleted mailboxes that are still recoverable).

What do you need to know before you begin?


Estimated time to complete: Less than 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove an ABP


Step 1: Verify the ABP isn't assigned to a mailbox
1. Replace <ABPName> with the name of the ABP, and run the following command to get the
DistinguishedName (DN) value of the ABP that you want to remove:

Get-AddressBookPolicy -Identity "<ABPName>" | Format-List DistinguishedName

2. To see if the ABP is assigned to an active mailbox, replace <ABPDistinguishedName> with the DN of the
ABP and run the following command:

Get-Mailbox -ResultSize unlimited -Filter {AddressBookPolicy -eq '<ABPDistinguishedName>'}

To remove the ABP assignment from any active mailboxes that you find, replace <ABPDistinguishedName>
with the DN of the ABP and run the following commands:

$a = Get-Mailbox -ResultSize unlimited -Filter {AddressBookPolicy -eq '<ABPDistinguishedName>'}

$a | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy $null}

3. To see if the ABP is assigned to a soft-deleted (recoverable) mailbox, replace <ABPDistinguishedName>
with the DN of the ABP and run the following command:

Get-Mailbox -SoftDeletedMailbox -ResultSize unlimited -Filter {AddressBookPolicy -eq '<ABPDistinguishedName>'}

To remove the ABP assignment from any soft-deleted mailboxes that you find, replace
<ABPDistinguishedName> with the DN of the ABP and run the following commands:

$s = Get-Mailbox -SoftDeletedMailbox -ResultSize unlimited -Filter {AddressBookPolicy -eq '<ABPDistinguishedName>'}

$s | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -AddressBookPolicy $null}

Note: If you don't assign an ABP to a mailbox, the GAL for your entire organization will be visible to the user in
Outlook and Outlook on the web. Instead of using the value $null, you can specify the name of a different ABP
(enclosed in quotation marks if the name contains spaces).
Step 2: Remove the ABP
To remove an ABP, use this syntax:

Remove-AddressBookPolicy -Identity <ABPIdentity>

This example removes the ABP named ABP TailspinToys.

Remove-AddressBookPolicy -Identity "ABP TailspinToys"

For detailed syntax and parameter information, see Remove-AddressBookPolicy.

How do you know this worked?


To verify that you've successfully removed an ABP, use either of these procedures in Exchange Online PowerShell:
Run the following command to verify that the ABP isn't listed:

Get-AddressBookPolicy

Replace <ABPName> with the name of the ABP, and run the following command to confirm that an error
is returned:

Get-AddressBookPolicy -Identity "<ABPName>"
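
The checks in Step 1 and the removal in Step 2 can be combined into one guarded operation. The following is an added example, not part of the original documentation: it refuses to clear the assignment on active mailboxes (which would expose the whole organization's GAL to them) unless a replacement ABP is named. Remove-AbpWhenUnassigned is a hypothetical name; the policy names in the usage line are the sample names used on this page.

```powershell
# Added example. Remove-AbpWhenUnassigned is a hypothetical helper, not an Exchange cmdlet.
# Requires a connected Exchange Online PowerShell session with the Address List role.
function Remove-AbpWhenUnassigned {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        # ABP to move active mailboxes to, so they keep a segmented address book.
        [string] $ReplacementPolicy
    )

    $abp = Get-AddressBookPolicy -Identity $Identity -ErrorAction Stop

    # Double any single quote in the DN so it cannot end the filter string early.
    $dn     = ([string]$abp.DistinguishedName).Replace("'", "''")
    $filter = "AddressBookPolicy -eq '$dn'"

    $active = @(Get-Mailbox -ResultSize Unlimited -Filter $filter)
    $soft   = @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited -Filter $filter)

    if ($active.Count -gt 0 -and -not $ReplacementPolicy) {
        # Setting the ABP to $null would show these users the entire GAL, so stop
        # and report instead of silently widening what they can see.
        Write-Warning "$($active.Count) active mailbox(es) still use '$Identity'. Pass -ReplacementPolicy to move them first."
        return [pscustomobject]@{
            Policy      = $Identity
            Removed     = $false
            Active      = @($active.PrimarySmtpAddress)
            SoftDeleted = $soft.Count
        }
    }

    foreach ($mbx in $active) {
        if ($PSCmdlet.ShouldProcess([string]$mbx.PrimarySmtpAddress, "Assign ABP '$ReplacementPolicy'")) {
            Set-Mailbox -Identity $mbx.MicrosoftOnlineServicesID -AddressBookPolicy $ReplacementPolicy
        }
    }

    foreach ($mbx in $soft) {
        # Same command the procedure above uses for soft-deleted mailboxes.
        if ($PSCmdlet.ShouldProcess([string]$mbx.PrimarySmtpAddress, 'Clear ABP assignment')) {
            Set-Mailbox -Identity $mbx.MicrosoftOnlineServicesID -AddressBookPolicy $null
        }
    }

    # Query again: remove the policy only when nothing references it any more.
    $left = @(Get-Mailbox -ResultSize Unlimited -Filter $filter).Count +
            @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited -Filter $filter).Count

    $removed = $false
    if ($left -eq 0 -and $PSCmdlet.ShouldProcess($Identity, 'Remove address book policy')) {
        Remove-AddressBookPolicy -Identity $Identity -Confirm:$false
        $removed = $true
    }

    [pscustomobject]@{
        Policy      = $Identity
        Removed     = $removed
        Active      = @($active.PrimarySmtpAddress)
        SoftDeleted = $soft.Count
    }
}

# Preview first; drop -WhatIf to apply.
Remove-AbpWhenUnassigned -Identity "ABP TailspinToys" -ReplacementPolicy "ABP Contoso" -WhatIf
```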


Address lists in Exchange Online
3/4/2019 • 6 minutes to read

An address list is a collection of mail-enabled recipient objects in Exchange Online. Address lists are based on
recipient filters. You can filter by recipient type (for example, mailboxes and mail contacts), recipient properties (for
example, Company or State or Province), or both. Address lists aren't static; they're updated dynamically. When you
create or modify recipients in your organization, they're automatically added to the appropriate address lists. These
are the different types of address lists that are available:
Global address lists (GALs): The built-in GAL that's automatically created by Exchange Online includes
every mail-enabled object in the organization. You can create additional GALs to separate users by
organization or location, but a user can only see and use one GAL.
Address lists: Address lists are subsets of recipients that are grouped together in one list, which makes them
easier to find by users. Exchange Online comes with several built-in address lists, and you can create more
based on your organization's needs.
Offline address books (OABs): OABs contain address lists and GALs. OABs are used by Outlook clients in
cached Exchange mode to provide local access to address lists and GALs for recipient look-ups. For more
information, see Offline address books in Exchange Online.
Users in your organization use address lists and the GAL to find recipients for email messages. Here's an example
of what address lists look like in Outlook 2016:

For procedures related to address lists, see Address list procedures in Exchange Online.
Notes:
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets or
features that require the Address List role, you need to add the role to a role group. For more information,
see Modify role groups.
Precanned recipient filters or custom recipient filters identify the recipients that are included in address lists
and GALs. For more information, see Recipient filters for address lists in Exchange Online PowerShell.
You can hide recipients from all address lists and GALs. For more information, see Hide recipients from
address lists.

Global address lists


By default, a new Exchange Online organization has a GAL named Default Global Address List that's the primary
repository of all recipients in the organization. Typically, most organizations have only one GAL, because users can
only see and use one GAL in Outlook and Outlook on the web (formerly known as Outlook Web App). You might
need to create multiple GALs if you want to prevent groups of recipients from seeing each other (for example, your
single Exchange Online organization contains two separate companies). If you plan on creating additional GALs,
consider the following issues:
You can only use the Exchange Online PowerShell to create, modify, remove, and update GALs.
The GAL that users see in Outlook and Outlook on the web is named Global Address List, even though the
default GAL is named Default Global Address List, and any new GALs that you create will require a unique
name (users can't tell which GAL that they're using by name).
Users can only see a GAL that they belong to (the recipient filter of the GAL includes them). If a user belongs
to multiple GALs, they'll still see only one GAL based on the following conditions:
The user needs permissions to view the GAL. You assign user permissions to GALs by using address
book policies (ABPs). For more information, see Address book policies in Exchange Online.
If a user is still eligible to see multiple GALs, only the largest GAL is used (the GAL that contains the
most recipients).
Each GAL needs a corresponding offline address book (OAB) that includes the GAL. To create OABs,
see Create an offline address book in Exchange Online.

Default address lists


By default, Exchange Online comes with five built-in address lists and one GAL. These address lists are described in
the following table. Note that by default, system-related mailboxes like arbitration mailboxes and public folder
mailboxes are hidden from address lists.

NAME: All Contacts
TYPE: Address list
DESCRIPTION: Includes all mail contacts in the organization. To learn more about mail contacts, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and (ObjectCategory -like 'person' -and ObjectClass -eq 'contact')}

NAME: All Distribution Lists
TYPE: Address list
DESCRIPTION: Includes all distribution groups, mail-enabled security groups, and dynamic distribution groups in the organization. To learn more about mail-enabled groups, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and ObjectCategory -like 'group'}

NAME: All Rooms
TYPE: Address list
DESCRIPTION: Includes all room mailboxes. Equipment mailboxes aren't included. To learn more about room and equipment (resource) mailboxes, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and (RecipientDisplayType -eq 'ConferenceRoomMailbox' -or RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')}

NAME: All Users
TYPE: Address list
DESCRIPTION: Includes all user mailboxes, linked mailboxes, remote mailboxes (Office 365 mailboxes), shared mailboxes, room mailboxes, equipment mailboxes, and mail users in the organization. To learn more about these recipient types, see Recipients in Exchange Online.
RECIPIENT FILTER USED: {((Alias -ne $null) -and (((((((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (-not(Database -ne $null)) -and (-not(ServerLegacyDN -ne $null)))) -or (((ObjectCategory -like 'person') -and (ObjectClass -eq 'user') -and (((Database -ne $null) -or (ServerLegacyDN -ne $null))))))) -and (-not(RecipientTypeDetailsValue -eq 'GroupMailbox')))))}

NAME: Default Global Address List
TYPE: GAL
DESCRIPTION: Includes all mail-enabled recipient objects in the organization (users, contacts, groups, dynamic distribution groups, and public folders).
RECIPIENT FILTER USED: {((Alias -ne $null) -and (((ObjectClass -eq 'user') -or (ObjectClass -eq 'contact') -or (ObjectClass -eq 'msExchSystemMailbox') -or (ObjectClass -eq 'msExchDynamicDistributionList') -or (ObjectClass -eq 'group') -or (ObjectClass -eq 'publicFolder'))))}

NAME: Public Folders
TYPE: Address list
DESCRIPTION: Includes all mail-enabled public folders in your organization. Access permissions determine who can view and use public folders. For more information about public folders, see Public folders in Office 365 and Exchange Online.
RECIPIENT FILTER USED: {Alias -ne $null -and ObjectCategory -like 'publicFolder'}

Custom Address Lists


An Exchange Online organization might contain thousands of recipients, so the built-in address lists could become
quite large. To prevent this, you can create custom address lists to help users find what they're looking for.
For example, consider a company that has two large divisions in one Exchange Online organization:
Fourth Coffee, which imports and sells coffee beans.
Contoso, Ltd, which underwrites insurance policies.
For most day-to-day activities, employees at Fourth Coffee don't communicate with employees at Contoso, Ltd.
Therefore, to make it easier for employees to find recipients who exist only in their division, you can create two new
custom address lists—one for Fourth Coffee and one for Contoso, Ltd. However, if an employee is unsure about
where a recipient exists, they can search in the GAL, which contains all recipients from both divisions.
In Exchange Online, you can only use PowerShell to create custom address lists.
Best Practices for Creating Address Lists
Although address lists are useful tools for users, poorly planned address lists can cause frustration. To make sure
that your address lists are practical for users, consider the following best practices:
Address lists should make it easier for users to find recipients.
Avoid creating so many address lists that users can't tell which list to use.
Use a naming convention and location hierarchy for your address lists so users can immediately tell what the
list is for (which recipients are included in the list). If you have difficulty naming your address lists, create
fewer lists and remind users that they can find anyone in your organization by using the GAL.
For detailed instructions about creating address lists in Exchange Server, see Address list procedures in Exchange
Online.
Address list procedures in Exchange Online
3/4/2019 • 2 minutes to read

Manage address lists in Exchange Online


Create an address list in Exchange Online by using recipient filters
Remove a global address list in Exchange Online
Configure global address list properties in Exchange Online
Create a global address list in Exchange Online
Manage address lists in Exchange Online
3/4/2019 • 9 minutes to read

An address list is a collection of mail-enabled recipient objects in Exchange Online. Address lists are based on
recipient filters. For more information about address lists, see Address lists in Exchange Online.
For additional management tasks related to managing address lists, see Address list procedures in Exchange Online.
Looking for the Exchange Server version of this topic? See Create an Address List.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform virtually all of the procedures in this topic
(everything except hiding recipients from address lists). To connect to Exchange Online PowerShell, see
Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create address lists


You can create address lists with or without recipient filters. For details about recipient filters, see Recipient filters
for address lists in Exchange Online PowerShell.
To create an address list, use the following syntax:

New-AddressList -Name "<Address List Name>" [-Container <ExistingAddressListPath>] [<Precanned recipient filter | Custom recipient filter>] [-RecipientContainer <OrganizationalUnit>]

This example creates an address list with a precanned recipient filter:


Name: Southeast Offices
Location: Under the root ("\", also known as All Address Lists) because we didn't use the Container
parameter, and the default value is "\".
Precanned recipient filter: All users with mailboxes where the State or province value is GA, AL, or LA
(Georgia, Alabama, or Louisiana).

New-AddressList -Name "Southeast Offices" -IncludedRecipients MailboxUsers -ConditionalStateOrProvince "GA","AL","LA"

This example creates an address list with a custom recipient filter:


Name: Northwest Executives
Location: Under the existing address list named North America.
Custom recipient filter: All users with mailboxes where the Title value contains Director or Manager, and
the State or province value is WA, OR, or ID (Washington, Oregon, or Idaho).

New-AddressList -Name "Northwest Executives" -Container "\North America" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Director*' -or Title -like '*Manager*') -and (StateOrProvince -eq 'WA' -or StateOrProvince -eq 'OR' -or StateOrProvince -eq 'ID')}


This example creates the address list named Oregon and Washington Users by using the RecipientFilter parameter
and includes recipients that are mailbox users and have StateOrProvince set to Washington or Oregon.

New-AddressList -Name "Oregon and Washington Users" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Washington') -or (StateOrProvince -eq 'Oregon')))}

This example creates the child address list Building 34 Meeting Rooms in the All Rooms parent container, using
built-in conditions.

New-AddressList -Name "Building 34 Meeting Rooms" -Container "\All Rooms" -IncludedRecipients Resources -ConditionalCustomAttribute1 "Building 34"

For detailed syntax and parameter information, see New-AddressList.


How do you know this worked?
To verify that you've successfully created an address list, replace <AddressListIdentity> with the path\name of the
address list, and run the following command in Exchange Online PowerShell to verify the property values:

Get-AddressList -Identity "<AddressListIdentity>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Use Exchange Online PowerShell to view members of address lists


Technically, this procedure returns all recipients (including hidden recipients) that match the recipient filters for the
address list. The recipients that are actually visible in the address list have the HiddenFromAddressListsEnabled
property value False.
To view the members of an address list, use the following syntax:

$<VariableName> = Get-AddressList -Identity <AddressListIdentity>; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $<VariableName>.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled

This example returns the members of the address list named Southeast Offices.

$AL = Get-AddressList -Identity "Southeast Offices"; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $AL.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled

This example exports the results to the file C:\My Documents\Southeast Offices Export.csv.

$AL = Get-AddressList -Identity "Southeast Offices"; Get-Recipient -ResultSize unlimited -RecipientPreviewFilter $AL.RecipientFilter | select Name,PrimarySmtpAddress,HiddenFromAddressListsEnabled | Export-Csv -NoTypeInformation -Path "C:\My Documents\Southeast Offices Export.csv"

Use Exchange Online PowerShell to update address lists


The Update-AddressList cmdlet (or Update-GlobalAddressList) isn't available in Exchange Online PowerShell.
If recipients that should appear in an address list don't, you need to change the required property value for those
users to a temporary value, and then back to the value that's required by the address list. You can update the user
property values in the Exchange admin center (EAC) or Exchange Online PowerShell, but it's quicker to do bulk
operations in PowerShell.
For example, suppose the address list named Oregon and Washington Users uses the filter
{((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Washington') -or (StateOrProvince -eq 'Oregon')))},
but the address list doesn't include everyone whose StateOrProvince property values are set correctly. To update
the address list, perform the following steps:
1. Use the query from the address list to find all users that should be in the address list. For example:

$Before = Get-User -Filter {((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'Oregon') -or (StateOrProvince -eq 'Washington')))} -ResultSize Unlimited

2. Change the required property to a temporary value. For example, change the StateOrProvince values
from Oregon to OR, and Washington to WA:

$Before | where {$_.StateOrProvince -eq 'Oregon'} | foreach {Set-User $_.Identity -StateOrProvince OR}

$Before | where {$_.StateOrProvince -eq 'Washington'} | foreach {Set-User $_.Identity -StateOrProvince WA}

3. Find those same users again by using the temporary property values. For example:

$After = Get-User -Filter {((RecipientType -eq 'UserMailbox') -and ((StateOrProvince -eq 'OR') -or (StateOrProvince -eq 'WA')))} -ResultSize Unlimited

4. Change the temporary value back to the required value. For example, change the StateOrProvince values
from OR to Oregon, and WA to Washington:

$After | where {$_.StateOrProvince -eq 'OR'} | foreach {Set-User $_.Identity -StateOrProvince Oregon}

$After | where {$_.StateOrProvince -eq 'WA'} | foreach {Set-User $_.Identity -StateOrProvince Washington}

Notes:
Title, department and address properties require the Get-User and Set-User cmdlets. CustomAttribute1
through CustomAttribute15 properties require the Get-Mailbox and Set-Mailbox cmdlets. For more
information about what properties are available on which cmdlet, see the following topics:
Set-User
Set-Mailbox
If only a small number of users don't appear in the address list, you can modify the required property value
for each user. For example:
1. Set a temporary property value for the user:

Set-User -Identity <UserIdentity> -StateOrProvince WA

2. Change the temporary value back to the required value:

Set-User -Identity <UserIdentity> -StateOrProvince Washington

How do you know this worked?


To verify that you've successfully updated an address list, replace <AddressListIdentity> with the name of the
address list, and run the following command in Exchange Online PowerShell to verify the RecipientFilterApplied
property value:

Get-AddressList -Identity <AddressListIdentity> | Format-Table Name,RecipientFilterApplied -Auto

Use Exchange Online PowerShell to modify address lists


The same basic settings are available as when you created the address list. For more information, see the Use
Exchange Online PowerShell to create address lists section in this topic.
To modify an existing address list, use the following syntax:

Set-AddressList -Identity <AddressListIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient filter>] [-RecipientContainer <OrganizationalUnit>]

When you modify the Conditional parameter values, you can use the following syntax to add or remove values
without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.
This example modifies the existing address list named Southeast Offices by adding the State or province value
TX (Texas) to the precanned recipient filter.

Set-AddressList -Identity "Southeast Offices" -ConditionalStateOrProvince @{Add="TX"}

For detailed syntax and parameter information, see Set-AddressList.


How do you know this worked?
To verify that you've successfully modified an address list, replace <AddressListIdentity> with the path\name of the
address list, and run the following command in Exchange Online PowerShell to verify the property values:

Get-AddressList -Identity "<AddressListIdentity>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Use Exchange Online PowerShell to delete address lists


To remove an address list, use the following syntax:

Remove-AddressList -Identity "<AddressListName>"

This example removes the address list Sales Department, which doesn't contain child address lists.

Remove-AddressList -Identity "Sales Department"

For detailed syntax and parameter information, see Remove-AddressList.


How do you know this worked?
To verify that you've successfully removed an address list, run the following command in Exchange Online
PowerShell to verify that the address list isn't listed:

Get-AddressList

Hide recipients from address lists


Hiding a recipient from address lists doesn't prevent the recipient from receiving email messages; it prevents users
from finding the recipient in address lists. The recipient is hidden from all address lists and GALs (effectively,
they're exceptions to the recipient filters in all address lists). If you want to selectively include the recipient in some
address lists but not others, you need to adjust the recipient filters in the address lists to include or exclude the
recipient.
Hiding a mailbox from address lists also prevents Outlook from finding the mailbox in the GAL when you create a new
profile, or add an additional mailbox to an existing profile. To add the hidden mailbox in Outlook, you can
temporarily make the mailbox visible in address lists, configure Outlook, and then hide the mailbox from address
lists again.
Use the EAC to hide recipients from address lists
To open the EAC, see Exchange admin center in Exchange Online.
You can't use the EAC to hide Office 365 groups from address lists.
1. In the EAC, go to one of the following locations based on the recipient type:
Recipients > Mailboxes: User mailboxes.
Recipients > Groups: Distribution groups, mail-enabled security groups, and dynamic distribution groups.
Recipients > Resources: Room and equipment mailboxes.
Recipients > Contacts: Mail users and mail contacts.
Recipients > Shared: Shared mailboxes.
Public folders > Public folders: Mail-enabled public folders.
2. Select the recipient that you want to hide from address lists, and then click Edit.
3. The recipient properties window opens. What you do next depends on the recipient type:
Mailboxes, Contacts, and Shared: On the General tab, select Hide from address list.
Groups: On the General tab, select Hide this group from address lists.
Resources: On the General tab, click More options, and then select Hide from address lists.
Public folders: On the General mail properties tab, select Hide from Exchange address list.
When you're finished, click Save.
Use Exchange Online PowerShell to hide recipients from address lists
To hide a recipient from address lists, use the following syntax:

Set-<RecipientType> -Identity <RecipientIdentity> -HiddenFromAddressListsEnabled $true

<RecipientType> is one of these values:
DistributionGroup
DynamicDistributionGroup
Mailbox
MailContact
MailPublicFolder
MailUser
UnifiedGroup

This example hides the distribution group named Internal Affairs from address lists.

Set-DistributionGroup -Identity "Internal Affairs" -HiddenFromAddressListsEnabled $true

This example hides the mailbox michelle@contoso.com from address lists.

Set-Mailbox -Identity michelle@contoso.com -HiddenFromAddressListsEnabled $true

Note: To make the recipient visible in address lists again, use the value $false for the
HiddenFromAddressListsEnabled parameter.
How do you know this worked?
You can verify that you've successfully hidden a recipient from address lists by using any of the following
procedures:
In the EAC, select the recipient, click Edit, and verify the hide from address lists setting is selected.
In Exchange Online PowerShell, run the following command and verify the recipient is listed:

Get-Recipient -ResultSize unlimited -Filter {HiddenFromAddressListsEnabled -eq $true}

Open the GAL in Outlook or Outlook on the web (formerly known as Outlook Web App), and verify the
recipient isn't visible.

Recipient filters for address lists in Exchange Online PowerShell
3/4/2019 • 2 minutes to read

Recipient filters identify the recipients that are included in address lists and GALs. There are two basic options:
precanned recipient filters and custom recipient filters. These are basically the same recipient filtering
options that are used by dynamic distribution groups and email address policies.
Precanned recipient filters: Uses the required IncludedRecipients parameter with the AllRecipients value or one
or more of the following values: MailboxUsers, MailContacts, MailGroups, MailUsers, or Resources. You can
specify multiple values separated by commas.
You can also use any of the optional Conditional filter parameters: ConditionalCompany,
ConditionalCustomAttribute[1to15], ConditionalDepartment, and ConditionalStateOrProvince.
You specify multiple values for a Conditional parameter by using the syntax "<Value1>","<Value2>"...
Multiple values of the same property imply the or operator. For example, "Department equals Sales or
Marketing or Finance".
Custom recipient filters: Uses the required RecipientFilter parameter with an OPATH filter.
The basic OPATH filter syntax is
{<Property1> -<Operator> '<Value1>' <Property2> -<Operator> '<Value2>'...}.
Braces { } are required around the whole OPATH filter.
Hyphens ( - ) are required before all operators. Here are some of the most frequently used
operators:
and, or, and not.
eq and ne (equals and does not equal; not case-sensitive).
lt and gt (less than and greater than).
like and notlike (string contains and does not contain; requires at least one wildcard in the string).
For example, {Department -like 'Sales*'}.
Use parentheses to group <Property> -<Operator> '<Value>' statements together in complex filters.
For example,
{(Department -like 'Sales*' -or Department -like 'Marketing*') -and (Company -eq 'Contoso' -or Company -eq 'Fabrikam')}.
Exchange stores the filter in the RecipientFilter property with each individual statement enclosed
in parentheses, but you don't need to enter them that way.
For more information about address lists, see Address lists in Exchange Online.
For address list procedures that use recipient filters, see Address list procedures in Exchange Online.
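
A custom filter with misplaced parentheses can pull recipients from another division into a list that is meant to separate them, so it is worth previewing what a filter matches before creating the address list. The following is an added example, not part of the original documentation: Test-AddressListFilter is a hypothetical helper, the list name "Contoso Sales and Marketing" is constructed, and the code assumes Get-Recipient returns the Company and Department properties.

```powershell
# Added example. Test-AddressListFilter is a hypothetical helper, not an Exchange cmdlet.
# Requires a connected Exchange Online PowerShell session with the Address List role.
function Test-AddressListFilter {
    param(
        # OPATH filter text, without the surrounding braces.
        [Parameter(Mandatory = $true)] [string]   $RecipientFilter,
        # Company values that are allowed to appear in the finished list.
        [Parameter(Mandatory = $true)] [string[]] $AllowedCompany
    )

    # Same preview technique as the "view members" procedure: ask Exchange which
    # recipients the filter matches, hidden ones included.
    $hits = @(Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $RecipientFilter |
              Select-Object Name, PrimarySmtpAddress, Company, Department,
                            HiddenFromAddressListsEnabled)

    # Anything whose Company is not on the allow list is out of scope for this list.
    $outside = @($hits | Where-Object { $AllowedCompany -notcontains $_.Company })
    $hidden  = @($hits | Where-Object { $_.HiddenFromAddressListsEnabled })

    [pscustomobject]@{
        Matched      = $hits.Count
        Visible      = $hits.Count - $hidden.Count
        Hidden       = $hidden.Count
        ByCompany    = @($hits | Group-Object Company | Select-Object Name, Count)
        OutsideScope = $outside
        # Safe only when the filter matched something and nothing fell out of scope.
        Safe         = ($hits.Count -gt 0 -and $outside.Count -eq 0)
    }
}

# Constructed filter: the parentheses keep the Company test applied to both
# Department alternatives. Remove them and re-run the preview to see the difference.
$filter = "(Department -like 'Sales*' -or Department -like 'Marketing*') -and (Company -eq 'Contoso')"

$result = Test-AddressListFilter -RecipientFilter $filter -AllowedCompany 'Contoso'
$result | Format-List Matched, Visible, Hidden, Safe

if ($result.Safe) {
    New-AddressList -Name "Contoso Sales and Marketing" -RecipientFilter $filter
    # Exchange re-parenthesizes the stored filter; review what was actually saved.
    Get-AddressList -Identity "Contoso Sales and Marketing" | Format-List Name, RecipientFilter
}
else {
    # Show who would have been included by mistake instead of creating the list.
    $result.OutsideScope | Format-Table Name, PrimarySmtpAddress, Company -AutoSize
}
```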
Remove a global address list in Exchange Online
3/4/2019 • 2 minutes to read

The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
You can use the procedures in this topic to remove any custom GALs that you've created. You can't remove:
The GAL named Default Offline Address Book, which is the built-in GAL that's available in Exchange Online,
and the only GAL that has the IsDefaultGlobalAddressList property value True.
A GAL that's defined in an offline address book (OAB). For OAB procedures, see Offline address book
procedures.
For additional GAL management tasks, see Address list procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove a GAL


To remove a GAL, use the following syntax:

Remove-GlobalAddressList -Identity <GALIdentity>

This example removes the address list named Agency A GAL.

Remove-GlobalAddressList -Identity "Agency A GAL"

For detailed syntax and parameter information, see Remove-GlobalAddressList.


How do you know this worked?
To verify that you've successfully removed a GAL, run the following command in Exchange Online PowerShell to
verify that the GAL isn't listed:

Get-GlobalAddressList

Configure global address list properties in Exchange Online
3/4/2019 • 2 minutes to read

The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
The same settings to configure a GAL are available as when you created the GAL. For more information, see
Create a global address list in Exchange Online. For additional GAL management tasks, see Address list
procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can't modify the GAL named Default Offline Address Book, the built-in GAL that's available in
Exchange Online, and the only GAL that has the IsDefaultGlobalAddressList property value True.
You can't replace a custom recipient filter with a precanned recipient filter or vice-versa in an existing GAL.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For details about recipient filters in the Exchange Online PowerShell, see Recipient filters for address lists in
Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the Exchange Online PowerShell to modify global address lists


To modify a GAL, use the following syntax:

Set-GlobalAddressList -Identity <GALIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient filter>]

When you modify the precanned Conditional parameter values, you can use the following syntax to add or remove
values without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}.
This example modifies the existing GAL named Contoso GAL by adding the Company value Fabrikam to the
precanned recipient filter.

Set-GlobalAddressList -Identity "Contoso GAL" -ConditionalCompany @{Add="Fabrikam"}


For detailed syntax and parameter information, see Set-GlobalAddressList.
How do you know this worked?
To verify that you've successfully modified a GAL, replace <GAL Name> with the name of the GAL and run the
following command in Exchange Online PowerShell to verify the property values:

Get-GlobalAddressList -Identity "<GAL Name>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Create a global address list in Exchange Online
3/4/2019 • 2 minutes to read

The built-in global address list (GAL) that's automatically created by Exchange Online includes every mail-enabled
object in the organization. You can create additional GALs to separate users by organization or location, but a user
can only see and use one GAL. For more information about address lists, see Address lists in Exchange Online.
If your organization uses address book policies (ABPs), you'll need to create additional GALs. To learn more, see
Address book policies in Exchange Online.
For additional GAL management tasks, see Address list procedures in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For details about recipient filters in the Exchange Online PowerShell, see Recipient filters for address lists in
Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create global address lists


To create a GAL, use the following syntax:

New-GlobalAddressList -Name "<GAL Name>" [<Precanned recipient filter | Custom recipient filter>]

This example creates a GAL with a precanned recipient filter:


Name: Contoso GAL
Precanned recipient filter: All recipient types where the Company value is Contoso.

New-GlobalAddressList -Name "Contoso GAL" -IncludedRecipients AllRecipients -ConditionalCompany Contoso

This example creates a GAL with a custom recipient filter:


Name: Agency A GAL
Custom recipient filter: All recipient types where the CustomAttribute15 property contains the value
AgencyA.
New-GlobalAddressList -Name "Agency A GAL" -RecipientFilter {CustomAttribute15 -like "*AgencyA*"}

For detailed syntax and parameter information, see New-GlobalAddressList.


How do you know this worked?
To verify that you've successfully created a GAL, replace <GAL Name> with the name of the GAL and run the
following command in Exchange Online PowerShell to verify the property values:

Get-GlobalAddressList -Identity "<GAL Name>" | Format-List Name,RecipientFilterType,RecipientFilter,IncludedRecipients,Conditional*

Hierarchical address books in Exchange Online
3/4/2019 • 2 minutes to read

The hierarchical address book (HAB) allows users to look for recipients in their address book using an
organizational hierarchy. Normally, users are limited to the default global address list (GAL) and its recipient
properties, and the structure of the GAL often doesn't reflect the management or seniority relationships of
recipients in your organization. Being able to customize an HAB that maps to your organization's unique business
structure provides your users with an efficient method for locating internal recipients.

Using hierarchical address books


In an HAB, your root organization (for example, Contoso, Ltd) is used as the top-level tier. Under this top-level tier,
you can add several child tiers to create a customized HAB that's segmented by division, department, or any other
organizational tier you want to specify. The following figure illustrates an HAB for Contoso, Ltd with the following
structure:
The top-level tier represents the root organization Contoso, Ltd.
The second-level child tiers represent the business divisions within Contoso, Ltd: Corporate Office, Product
Support Organization, and Sales & Marketing Organization.
The third-level child tiers represent departments within the Corporate Office division: Human Resources,
Accounting Group, and Administration Group.

You can provide an additional level of hierarchical structure by using the SeniorityIndex parameter. When creating
an HAB, use the SeniorityIndex parameter to rank individual recipients or organizational groups by seniority within
these organizational tiers. This ranking specifies the order in which the recipients or groups are displayed in the
HAB. For example, in the preceding example, the SeniorityIndex parameter for the recipients in the Corporate
Office division is set to the following:
100 for David Hamilton
50 for Rajesh M. Patel
25 for Amy Alberts

NOTE
If the SeniorityIndex parameter isn't set or is equal for two or more users, the HAB sorting order uses the
PhoneticDisplayName parameter value to list the users in ascending alphabetical order. If the PhoneticDisplayName
parameter value isn't set, the HAB defaults to the DisplayName parameter value and lists the users in ascending alphabetical
order.

Configuring hierarchical address books


Detailed instructions for creating HABs are included in the topic Enable or disable hierarchical address books. The
general steps are as follows:
1. Create a distribution group that will be used for the root organization (top-level tier).
2. Create distribution groups for the child tiers and designate them as members of the HAB. Modify the
SeniorityIndex parameter of these groups so they're listed in the proper hierarchical order within the root
organization.
3. Add organization members. Modify the SeniorityIndex parameter of the members so they're listed in the
proper hierarchical order within the child tiers.
4. For accessibility purposes, you can use the PhoneticDisplayName parameter, which specifies a phonetic
pronunciation of the DisplayName parameter, and is also used for the sort order if the SeniorityIndex
parameter value isn't set.
Enable or disable hierarchical address books in Exchange Online
3/4/2019 • 5 minutes to read

The hierarchical address book (HAB) allows users to look for recipients in their address book using an
organizational hierarchy. For more information, see Hierarchical address books.
The cmdlets and parameters that you use to configure a HAB are described in the following table:

| Cmdlet | Parameter | Description |
|---|---|---|
| Set-OrganizationConfig | HierarchicalAddressBookRoot | Enables or disables the HAB in the organization. A valid value is a distribution group or mail-enabled security group. You can't use a dynamic distribution group or an Office 365 group. |
| Set-Group | IsHierarchicalGroup | Specifies whether the distribution group or mail-enabled security group is used in the hierarchy of the HAB. Valid values are $true or $false (the default value is $false). |
| Set-Contact, Set-Group, Set-User | SeniorityIndex, PhoneticDisplayName | SeniorityIndex: A numerical value that sorts users, contacts, or groups in descending order in the HAB (higher values are shown before lower values). PhoneticDisplayName: When multiple users, contacts or groups have the same SeniorityIndex value or the value isn't set, the users, contacts, or groups are listed in ascending alphabetical order. If PhoneticDisplayName isn't configured, the users, contacts, or groups are listed in ascending alphabetical order based on the DisplayName parameter value (which is also the default sort order without the HAB). |

What do you need to know before you begin?


Estimated time to complete: 30 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Distribution groups" entry in the Recipients permissions topic.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
This topic uses Exchange Online PowerShell examples to create distribution groups, but you can also use
the Exchange admin center (EAC) to create and add members to distribution groups. For details, see Create
and manage distribution groups.
After you create the HAB, you can use the EAC to manage the membership of the groups in the
organizational hierarchy. However, you can only use Exchange Online PowerShell to configure the
SeniorityIndex parameter for any new groups or users that you create.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Enable and configure a hierarchical address book


Step 1: Create the distribution groups for the HAB structure
This example uses the following hierarchy:
The distribution group named "Contoso,Ltd" is the top-level organization in the hierarchy (the root
organization).
Distribution groups named Corporate Office, Product Support Organization, and Sales & Marketing
Organization are child organizations under Contoso,Ltd (members of the Contoso,Ltd group).
The distribution groups named Human Resources, Accounting Group, and Administration Group are child
organizations under Corporate Office (members of the Corporate Office group).

New-DistributionGroup -Name "Contoso,Ltd" -Alias "ContosoRoot"

New-DistributionGroup -Name "Corporate Office"

New-DistributionGroup -Name "Product Support Organization" -Alias ProductSupport

New-DistributionGroup -Name "Sales & Marketing Organization" -Alias "Sales&Marketing"

New-DistributionGroup -Name "Human Resources"

New-DistributionGroup -Name "Accounting Group" -Alias Accounting

New-DistributionGroup -Name "Administration Group" -Alias Administration

Note: If you don't use the Alias parameter when you create a distribution group, the value of the Name parameter
is used with spaces removed.
For detailed syntax and parameter information, see New-DistributionGroup.
Step 2: Use Exchange Online PowerShell to specify the root organization for the HAB
This example specifies the distribution group named "Contoso,Ltd" from the previous step as the root organization
for the HAB.
Set-OrganizationConfig -HierarchicalAddressBookRoot "Contoso,Ltd"

Step 3: Use Exchange Online PowerShell to designate distribution groups as hierarchical groups
The following examples designate the groups that we previously created as hierarchical groups:

Set-Group -Identity "Contoso,Ltd" -IsHierarchicalGroup $true

Set-Group -Identity "Corporate Office" -IsHierarchicalGroup $true

Set-Group -Identity "Product Support Organization" -IsHierarchicalGroup $true

Set-Group -Identity "Sales & Marketing Organization" -IsHierarchicalGroup $true

Set-Group -Identity "Human Resources" -IsHierarchicalGroup $true

Set-Group -Identity "Accounting Group" -IsHierarchicalGroup $true

Set-Group -Identity "Administration Group" -IsHierarchicalGroup $true

For detailed syntax and parameter information, see Set-Group.


Step 4: Add the child groups as members of the appropriate groups in the hierarchy
This example adds the groups named Corporate Office, Product Support Organization, and Sales & Marketing
Organization as members of Contoso,Ltd (the root organization).

Update-DistributionGroupMember -Identity "Contoso,Ltd" -Members "Corporate Office","Product Support Organization","Sales & Marketing Organization"

This example adds the groups named Human Resources, Accounting Group, and Administration Group as
members of Corporate Office.

Update-DistributionGroupMember -Identity "Corporate Office" -Members "Human Resources","Accounting Group","Administration Group"

For detailed syntax and parameter information, see Update-DistributionGroupMember.


Step 5: Add users to the appropriate groups in the HAB
This example adds the users Amy Alberts, David Hamilton, and Rajesh M. Patel to the group named Corporate
Office without affecting other existing members.

Update-DistributionGroupMember -Identity "Corporate Office" -Members @{Add="aalberts@contoso.com","dhamilton@contoso.com","rmpatel@contoso.com"}

For detailed syntax and parameter information, see Update-DistributionGroupMember.


Step 6: Use Exchange Online PowerShell to configure the sort order for groups in the HAB
The SeniorityIndex parameter value for a group affects how the groups are sorted in the HAB (higher values are
displayed first).
The following examples configure the child groups of the Corporate Office group to display in the following order:
Human Resources
Accounting Group
Administration Group

Set-Group -Identity "Human Resources" -SeniorityIndex 100

Set-Group -Identity "Accounting Group" -SeniorityIndex 50

Set-Group -Identity "Administration Group" -SeniorityIndex 25

For detailed syntax and parameter information, see Set-Group.


Step 7: Use Exchange Online PowerShell to configure the sort order for users in the HAB
The SeniorityIndex parameter value for a user affects how the users are sorted in groups in the HAB (higher values
are displayed first).
The following examples configure the members of the Corporate Office group to display in the following order:
David Hamilton
Rajesh M. Patel
Amy Alberts

Set-User -Identity DHamilton -SeniorityIndex 100

Set-User -Identity RMPatel -SeniorityIndex 50

Set-User -Identity AAlberts -SeniorityIndex 25

For detailed syntax and parameter information, see Set-User.


How do you know this worked?
To verify that you've successfully enabled and configured a hierarchical address book, use any of the following
steps:
Open Outlook in a profile that's connected to a mailbox in your Exchange Online organization, and click
Address Book or press Ctrl+Shift+B. The HAB is displayed on the Organization tab, similar to the
following figure.
In Exchange Online PowerShell, run the following commands to verify the property values:

Get-OrganizationConfig | Format-List HierarchicalAddressBookRoot

Get-Group -ResultSize unlimited | where {$_.IsHierarchicalGroup -match 'True'} | Format-Table SeniorityIndex,PhoneticDisplayName,DisplayName -Auto

Get-Group -ResultSize unlimited | Format-Table SeniorityIndex,PhoneticDisplayName,DisplayName -Auto

Use Exchange Online PowerShell to disable a hierarchical address book


To disable a HAB, you don't need to delete the groups that are associated with the HAB structure or reset the
SeniorityIndex values for groups or users. Disabling the HAB only prevents the HAB from being displayed in
Outlook. To re-enable the HAB with the same configuration settings, you only need to specify the root organization
for the HAB.
This example disables the hierarchical address book.

Set-OrganizationConfig -HierarchicalAddressBookRoot $null

How do you know this worked?


To verify that you've successfully disabled the hierarchical address book, use any of the following steps:
Open Outlook in a profile that's connected to a mailbox in your Exchange Online organization, and click
Address Book or press Ctrl+Shift+B. Verify that the entries in the address book are displayed in
alphabetical order.
In Exchange Online PowerShell, run the following command to verify that the
HierarchicalAddressBookRoot property value is blank:
Offline address books in Exchange Online
2/28/2019 • 2 minutes to read

An offline address book (OAB) is a downloadable address list collection that Outlook users can access while
disconnected from Exchange Online. Admins can decide which address lists are made available to users who work
offline.
Offline address books are generated every 8 hours.
For more information about address lists in Exchange Online, see Address lists.
For OAB procedures, see Offline address book procedures.
Looking for the Exchange Server version of this topic? See Offline Address Books in Exchange Server.

How users download offline address books


1. In Outlook, click File > Account Settings > Download Address Book.
2. On the Offline address book dialog box that's displayed, make the following selections:
Download changes since last Send/Receive: By default, this check box is selected. Unchecking
this box causes a full download of the OAB.
Choose address book: This drop-down list will display the offline address books that are available
to you. Depending on what an admin has configured, you might see only one value here (for
example, the global address list).
3. Click OK. The OAB is downloaded and saved on your computer.
Conditions that cause a full download of the OAB
There are situations where Outlook will always perform a full OAB download. For example:
There's no OAB on the client computer (for example, this is the first time you've connected to your
Exchange Online mailbox in Outlook on this computer).
The version of the OAB on the server and the client don't match (a more recent version of the OAB is
present on the server).
One or more OAB files are missing from the client computer.
A previous full download failed, and Outlook has to start over.
When a user has multiple MAPI profiles on the same Outlook client computer and they switch between the
two profiles that both use Cached Exchange Mode, multiple full OAB downloads of the same OAB files will
occur. Outlook supports only one OAB per user account on a computer. If you have multiple profiles, only
one profile can download the OAB. If you have to use two or more profiles that use Cached Exchange
Mode, make sure that one of the profiles is configured to not download the OAB.
Offline address book procedures
2/28/2019 • 2 minutes to read

Create an offline address book


Add an address list to or remove an address list from an offline address book
Change the default offline address book
Provision recipients for offline address book downloads
Remove an offline address book
Create an offline address book
2/28/2019 • 2 minutes to read

An offline address book (OAB) is a downloadable address list collection that Outlook users can access while
disconnected from Exchange Online. An OAB allows Outlook users to access the information within the specified
address lists while disconnected from Exchange Online. Admins can decide which address lists are made available
to users who work offline.
For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create an OAB with web-based distribution

This example creates an OAB named OAB_Contoso that contains the default global address list.

New-OfflineAddressBook -Name "OAB_Contoso" -AddressLists "\Default Global Address List"

For detailed syntax and parameter information, see New-OfflineAddressBook.


Add an address list to or remove an address list from an offline address book in Exchange Online
2/28/2019 • 2 minutes to read

You can use Exchange Online PowerShell to add or remove an address list from an offline address book (OAB). By
default, there is an OAB named the Default Offline Address Book that contains the global address list (GAL). OABs
are generated based on the address lists that they contain. To create custom OABs that users can download, you
can add or remove address lists from OABs.
For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
Changes to the address list aren't available for client download until after the OAB in which the address list
resides has been generated.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to add and remove address lists from offline address books
When you modify the address lists that are configured in an OAB, the values that you specify will replace any
address lists in the OAB. To add address lists to the OAB, specify the current address lists plus the ones you want to
add. To remove address lists from the OAB, specify the current address lists minus the ones you want to remove.
In this example, the OAB named Marketing OAB is already configured with Address List 1 and Address List 2. To
keep those address lists and add Address List 3, run the following command:

Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2","Address List 3"

Similarly, to keep the OAB configured with Address List 1 and Address List 2, but remove Address List 3, run the
following command:

Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2"

For detailed syntax and parameter information, see Set-OfflineAddressBook.


How do you know this worked?
To verify that you've successfully added or removed address lists from an OAB, run the following command to
verify the AddressLists property values:

Get-OfflineAddressBook | Format-List Name,AddressLists
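
Because -AddressLists replaces the whole set, an accidental omission silently drops a list from the OAB, and an accidental inclusion publishes a directory for offline download. The following added example (not part of the original documentation and not Microsoft's code) computes the full replacement set from the current value and shows the difference before anything is changed. The function name and sample object are assumptions; the guard against an empty result is a design choice of this example.

```powershell
# Added example: build the complete -AddressLists value for Set-OfflineAddressBook
# from the OAB's current lists plus the requested additions and removals.

function Get-OabAddressListUpdate {
    param(
        [Parameter(Mandatory)] [object] $OfflineAddressBook,  # shape of Get-OfflineAddressBook output
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )

    # Assumption: lists are referenced by name; a leading backslash
    # (as in "\Default Global Address List") is stripped for comparison.
    $normalize = { param($v) ("$v").TrimStart('\').Trim() }

    $current  = @($OfflineAddressBook.AddressLists | Where-Object { $_ } | ForEach-Object { & $normalize $_ })
    $toAdd    = @($Add    | Where-Object { $_ } | ForEach-Object { & $normalize $_ })
    $toRemove = @($Remove | Where-Object { $_ } | ForEach-Object { & $normalize $_ })

    # A removal that names a list the OAB doesn't contain is usually a typo: stop.
    $unknown = @($toRemove | Where-Object { $current -notcontains $_ })
    if ($unknown) {
        throw "Not configured in '$($OfflineAddressBook.Name)': $($unknown -join ', ')"
    }

    # Keep current order, append additions, skip removals and duplicates
    # (-contains / -notcontains are case-insensitive for strings).
    $final = [System.Collections.Generic.List[string]]::new()
    foreach ($name in ($current + $toAdd)) {
        if (($toRemove -notcontains $name) -and ($final -notcontains $name)) {
            $final.Add($name)
        }
    }

    # Design choice of this example: never emit an empty replacement set.
    if ($final.Count -eq 0) {
        throw "Refusing to leave OAB '$($OfflineAddressBook.Name)' with no address lists."
    }

    [pscustomobject]@{
        Identity = $OfflineAddressBook.Name
        Before   = $current
        After    = $final.ToArray()
        Added    = @($final   | Where-Object { $current -notcontains $_ })
        Removed  = @($current | Where-Object { $final   -notcontains $_ })
    }
}

# --- Constructed sample: the Marketing OAB from the example above ---
$oab = [pscustomobject]@{
    Name         = 'Marketing OAB'
    AddressLists = @('Address List 1', 'Address List 2')
}

# Add Address List 3 while keeping lists 1 and 2.
$plan = Get-OabAddressListUpdate -OfflineAddressBook $oab -Add 'Address List 3'
$plan | Format-List Identity, Before, After, Added, Removed

# Remove Address List 2 and add Address List 3 in one change.
Get-OabAddressListUpdate -OfflineAddressBook $oab -Add 'Address List 3' -Remove 'Address List 2' |
    Format-List Identity, After, Added, Removed

# Live use (needs an Exchange Online PowerShell session and the Address List role):
#   $plan = Get-OabAddressListUpdate -Add 'Address List 3' `
#       -OfflineAddressBook (Get-OfflineAddressBook -Identity 'Marketing OAB')
#   Set-OfflineAddressBook -Identity $plan.Identity -AddressLists $plan.After -WhatIf
```
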


Change the default offline address book in Exchange Online
2/28/2019 • 2 minutes to read

By default, the automatically-created OAB named Default Offline Address Book is the default OAB. You can set any
OAB in your Exchange Online organization as the default OAB. The default OAB is used by:
Mailboxes without an address book policy (ABP) assigned, or where the assigned ABP has no OAB
defined (by default, there are no ABPs).
Mailboxes without an OAB assigned (by default, all mailboxes).
If you delete the default OAB, Exchange Online doesn't automatically assign another OAB as the default. You need
to manually designate another OAB as the default.
For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?


Estimated time to complete this procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to change the default OAB


This example sets the OAB named My OAB as the default OAB.

Set-OfflineAddressBook -Identity "My OAB" -IsDefault $true

For detailed syntax and parameter information, see Set-OfflineAddressBook.

How do you know this worked?


To verify that you've successfully changed the default OAB, run the following command to verify the IsDefault
property value:

Get-OfflineAddressBook | Format-List Name,IsDefault


Provision recipients for offline address book downloads in Exchange Online
2/28/2019 • 2 minutes to read

If you use multiple offline address books (OABs) in your organization, you have different options for assigning the
OAB to users:
Per mailbox: You can use the Set-Mailbox cmdlet in Exchange Online PowerShell to assign the OAB to a
mailbox. You can also assign the OAB to a filtered list of mailboxes.
Per address book policy: You can assign an address book policy (ABP) to a user, and the ABP specifies the
OAB. If you assign an ABP to a user that already has an OAB assigned to their mailbox, the OAB that's
assigned to the mailbox will take precedence. For more information, see Assign an address book policy to
mail users.
For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients permissions
topic.
You can't use the Exchange admin center (EAC) to perform this procedure. You can only use Exchange
Online PowerShell. To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to assign OABs to mailboxes


To assign an OAB to a mailbox, use the following syntax:

Set-Mailbox -Identity <MailboxIdentity> -OfflineAddressBook <OfflineAddressBookIdentity>

This example assigns the OAB named Contoso Executives to the mailbox laura@contoso.com.

Set-Mailbox -Identity laura@contoso.com -OfflineAddressBook "Contoso Executives"

This example assigns the OAB named Contoso US to a filtered list of mailboxes. This first command identifies the
mailboxes. The second command assigns the OAB to the identified mailboxes.

$USContoso = Get-User -ResultSize Unlimited -Filter {RecipientType -eq "UserMailbox" -and Company -eq "Contoso" -and CountryOrRegion -eq "US"}
$USContoso | foreach {Set-Mailbox $_.Identity -OfflineAddressBook "Contoso US"}

How do you know this worked?


To verify that you've successfully assigned an OAB to a mailbox, replace <MailboxIdentity> with the identity of the mailbox, and run
the following command:

Get-Mailbox -Identity "<MailboxIdentity>" | Format-Table Name,OfflineAddressBook -Auto
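
Which OAB a mailbox actually downloads depends on the precedence described in this topic and in the default OAB topic: a mailbox assignment wins over an address book policy, and the default OAB applies when neither supplies one. The following added example (not part of the original documentation and not Microsoft's code) resolves that precedence for a set of mailboxes, which is useful when reviewing who can take a restricted directory offline. The function name and all sample objects are assumptions of this example.

```powershell
# Added example: resolve the effective OAB per mailbox using the precedence
# described on this page. All sample objects below are constructed.

function Resolve-EffectiveOab {
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,            # Get-Mailbox shape: Name, OfflineAddressBook, AddressBookPolicy
        [Parameter(Mandatory)] [object[]] $OfflineAddressBooks,  # Get-OfflineAddressBook shape: Name, IsDefault
        [object[]] $AddressBookPolicies = @()                    # Get-AddressBookPolicy shape: Name, OfflineAddressBook
    )

    # Assumption: references may carry a leading backslash; strip it before comparing names.
    $normalize = { param($v) ("$v").TrimStart('\').Trim() }

    $defaultOab = $OfflineAddressBooks | Where-Object { $_.IsDefault } | Select-Object -First 1

    # Map each ABP name to the OAB it specifies (empty string when it specifies none).
    $oabByPolicy = @{}
    foreach ($abp in $AddressBookPolicies) {
        $oabByPolicy[$abp.Name] = & $normalize $abp.OfflineAddressBook
    }

    foreach ($mbx in $Mailboxes) {
        $direct = & $normalize $mbx.OfflineAddressBook
        $policy = & $normalize $mbx.AddressBookPolicy

        if ($direct) {
            # An OAB assigned to the mailbox takes precedence over the ABP's OAB.
            $oab = $direct; $source = 'Mailbox assignment'
        }
        elseif ($policy -and $oabByPolicy[$policy]) {
            $oab = $oabByPolicy[$policy]; $source = "Address book policy '$policy'"
        }
        elseif ($defaultOab) {
            # No mailbox OAB, and no ABP or an ABP without an OAB: the default OAB is used.
            $oab = $defaultOab.Name; $source = 'Default OAB'
        }
        else {
            # The default OAB was deleted and no replacement was designated.
            $oab = $null; $source = 'None (no default OAB is designated)'
        }

        [pscustomobject]@{ Mailbox = $mbx.Name; EffectiveOab = $oab; Source = $source }
    }
}

# --- Constructed sample data ---
$oabs = @(
    [pscustomobject]@{ Name = 'Default Offline Address Book'; IsDefault = $true  }
    [pscustomobject]@{ Name = 'Contoso Executives';           IsDefault = $false }
    [pscustomobject]@{ Name = 'Contoso US';                   IsDefault = $false }
)
$abps = @(
    [pscustomobject]@{ Name = 'US Staff ABP (constructed)'; OfflineAddressBook = '\Contoso US' }
    [pscustomobject]@{ Name = 'No OAB ABP (constructed)';   OfflineAddressBook = $null }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'laura'; OfflineAddressBook = 'Contoso Executives'; AddressBookPolicy = 'US Staff ABP (constructed)' }
    [pscustomobject]@{ Name = 'user2'; OfflineAddressBook = $null;                AddressBookPolicy = 'US Staff ABP (constructed)' }
    [pscustomobject]@{ Name = 'user3'; OfflineAddressBook = $null;                AddressBookPolicy = 'No OAB ABP (constructed)' }
    [pscustomobject]@{ Name = 'user4'; OfflineAddressBook = $null;                AddressBookPolicy = $null }
)

$report = Resolve-EffectiveOab -Mailboxes $mailboxes -OfflineAddressBooks $oabs -AddressBookPolicies $abps
$report | Format-Table -AutoSize

# Review which mailboxes can download a restricted OAB.
$report | Where-Object { $_.EffectiveOab -eq 'Contoso Executives' } | Format-Table -AutoSize

# Live use (needs an Exchange Online PowerShell session):
#   Resolve-EffectiveOab -Mailboxes (Get-Mailbox -ResultSize Unlimited) `
#       -OfflineAddressBooks (Get-OfflineAddressBook) `
#       -AddressBookPolicies (Get-AddressBookPolicy)
```
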


Remove an offline address book
2/28/2019 • 2 minutes to read

This topic explains how to remove an offline address book (OAB) from Exchange Online. If you remove the default
OAB, you must assign a different OAB as the default OAB. For instructions about how to change the default OAB,
see Change the default offline address book.
For additional management tasks related to OABs, see Offline address book procedures.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
By default, the Address List role isn't assigned to any role groups in Exchange Online. To use any cmdlets
that require the Address List role, you need to add the role to a role group. For more information, see
Modify role groups.
You can only use Exchange Online PowerShell to perform the procedures in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove an OAB


This example removes an OAB named My OAB.

Remove-OfflineAddressBook -Identity "My OAB"

For detailed syntax and parameter information, see Remove-OfflineAddressBook.

How do you know this worked?


To verify that you've successfully removed the OAB, run the following command to verify that the OAB is gone.

Get-OfflineAddressBook
Sharing in Exchange Online
3/6/2019 • 2 minutes to read

You may need to coordinate schedules with people in different organizations or with friends and family members
so that you can work together on projects or plan social events. With Office 365, administrators can set up different
levels of calendar access in Exchange Online to allow businesses to collaborate with other businesses and to let
users share their schedules with others. Business-to-business calendar sharing is set up by creating organization
relationships. User-to-user calendar sharing is set up by applying sharing policies.

Sharing Scenarios in Exchange Online


The following sharing scenarios are supported in Exchange Online:

| Sharing goal | Setting to use | Requirements |
|---|---|---|
| Share calendars with another Office 365 organization | Organization relationships | None, ready to configure |
| Share calendars with an on-premises Exchange organization | Organization relationships | The on-premises Exchange administrator has to set up an authentication relationship with the cloud (also known as "federation") and must meet minimum software requirements |
| Share an Office 365 user's calendar with another internet user | Sharing policies | None, ready to configure |
| Share an Office 365 user's calendar with an Exchange on-premises user | Sharing policies | The on-premises Exchange administrator has to set up an authentication relationship with the cloud (also known as "federation") and must meet minimum software requirements |

Sharing documentation
The following table contains links to topics that will help you learn about and manage sharing in Exchange Online.

| Topic | Description |
|---|---|
| Organization relationships in Exchange Online | Learn more about the one-to-one relationships between organizations that enable calendar free/busy sharing. |
| Sharing policies in Exchange Online | Learn more about the person-to-person policies that enable calendar sharing. |
Organization relationships in Exchange Online
3/4/2019 • 2 minutes to read

Set up an organization relationship to share calendar information with an external business partner. Office 365
admins can set up an organization relationship with another Office 365 organization or with an Exchange on-
premises organization. If you want to share calendars with an on-premises Exchange organization, the on-
premises Exchange administrator has to set up an authentication relationship with the cloud (also known as
"federation") and must meet minimum software requirements.
An organization relationship is a one-to-one relationship between businesses to allow users in each organization
to view calendar availability information. When you set up the organization relationship, you are setting up your
side of the relationship and specifying the level of information that the users in the external organization can view.
The external organization may set up the same or different settings on their side. For example, if Contoso creates
an organization relationship with Tailspin Toys, the users at Tailspin Toys will be able to schedule meetings with the
users at Contoso by adding their email address to the meeting invitation. The availability of the invited Contoso
user would display to the Tailspin Toys user. However, before Contoso can also see availability for users at Tailspin
Toys, their administrator needs to set up an organization relationship with Contoso.
There are three levels of access that you can specify:
- No access
- Access to availability (free/busy) time only
- Access to free/busy, including time, subject, and location

NOTE
If users don't want to share their free/busy information with others, they can change their permissions entry in Outlook. To
do this, users go to the Calendar Properties > Permissions tab, select one or more users/groups, and select any of the
Permissions options.
To completely hide their calendar, they can remove the user/group from the list of those with which the calendar is shared.
Their free/busy information won't be seen by internal or external users, even if an organization relationship exists. The
permissions set by the user will apply.

The following topics will help you configure and manage organization relationships:
Create an organization relationship in Exchange Online
Modify an organization relationship in Exchange Online
Remove an organization relationship in Exchange Online
Create an organization relationship in Exchange Online
3/4/2019 • 2 minutes to read

Set up an organization relationship to share calendar information with an external business partner. Office 365
admins can set up an organization relationship with another Office 365 organization or with an Exchange on-
premises organization.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.
If you want to share calendars with an on-premises Exchange organization, the on-premises Exchange
administrator has to set up an authentication relationship with the cloud (also known as "federation") and
must meet minimum software requirements.

Use the Exchange admin center to create an organization relationship


1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Organization Sharing, click New.
4. In new organization relationship, in the Relationship name box, type a friendly name for the
organization relationship.
5. In the Domains to share with box, type the domain for the external Office 365 or Exchange on-premises
organization you want to let see your calendars. If you need to enter more than one domain, separate the
domain names with a comma. For example, contoso.com, service.contoso.com.
6. Select the Enable calendar free/busy information sharing check box to turn on calendar sharing with
the domains you listed. Set the sharing level for calendar free/busy information and set which users can
share calendar free/busy information.
   To set the free/busy access level, select one of the following:
   - Calendar free/busy information with time only
   - Calendar free/busy with time, subject, and location
   To set which users will share calendar free/busy information, select one of the following:
   - Everyone in your organization
   - A specified security group
     Click browse to pick the security group from a list, then click ok.
7. Click save to create the organization relationship.
Use Exchange Online PowerShell to create an organization relationship
This example creates an organization relationship with Contoso, Ltd with the following conditions:
An organization relationship is set up with contoso.com, northamerica.contoso.com, and
europe.contoso.com.
Free/busy access is enabled.
Contoso.com and the subdomains get free/busy time, subject, and location information from your
organization.

New-OrganizationRelationship -Name "Contoso" -DomainNames "contoso.com","northamerica.contoso.com","europe.contoso.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

If you're not sure which domains Contoso has set up for cloud-based authentication, you can run this command to
automatically find the configuration information. The Get-FederationInformation cmdlet is used to find the right
information, which is then passed to the New-OrganizationRelationship cmdlet.

Get-FederationInformation -DomainName Contoso.com | New-OrganizationRelationship -Name "Contoso" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

For detailed syntax and parameter information, see Get-FederationInformation and New-OrganizationRelationship.
If you're setting up an organization relationship with an on-premises Exchange organization, you may want to
provide the connection settings. This example creates an organization relationship with Fourth Coffee and specifies
the connection settings to use. The following conditions apply:
The organization relationship is established with the domain fourthcoffee.com.
The Exchange Web Services application URL is mail.fourthcoffee.com.
The Autodiscover URL is https://mail.fourthcoffee.com/autodiscover/autodiscover.svc/wssecurity.
Free/busy access is enabled.
Fourth Coffee sees free/busy information with the time.

New-OrganizationRelationship -Name "Fourth Coffee" -DomainNames "fourthcoffee.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly -TargetAutodiscoverEpr "https://mail.fourthcoffee.com/autodiscover/autodiscover.svc/wssecurity" -TargetApplicationUri "mail.fourthcoffee.com"

For detailed syntax and parameter information, see New-OrganizationRelationship.

How do you know this worked?


The successful completion of the New organization relationship wizard indicates that the organization
relationship was created.
You can also run the following command to verify the organization relationship information:

Get-OrganizationRelationship | format-list
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Modify an organization relationship in Exchange Online
3/4/2019 • 2 minutes to read

An organization relationship lets users in your Office 365 organization share calendar free/busy information with
other Office 365 or on-premises Exchange organizations. You may want to change the settings of an organization
relationship, such as changing the name, temporarily disabling calendar sharing, changing the access level, or
changing which security groups will share calendars.
To learn more about organization relationships, see Organization relationships in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.
If you want to share calendars with an on-premises Exchange organization, the on-premises Exchange
administrator has to set up an authentication relationship with the cloud (also known as "federation") and
must meet minimum software requirements.
The procedures in this topic make changes to an organization relationship named Contoso. The examples
show how to:
Add a domain named service.contoso.com to the organization relationship.
Disable free/busy sharing for the organization relationship.
Change the free/busy access level from Calendar free/busy information with time, subject, and
location to Calendar free/busy information with time only.

Use the Exchange admin center to add a domain to an organization relationship

1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. In list view, under Organization Sharing, select the organization relationship Contoso, and then click Edit.
4. In organization relationship, under general, don't change the Name for the organization relationship.
5. In the Domains to share with box, enter the domain service.contoso.com, then click Add.
6. Click save to update the organization relationship.

Use the Exchange admin center to disable free/busy sharing for the organization relationship

1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. In the list view, under Organization Sharing, select the organization relationship Contoso, and then click Edit.
4. In organization relationship, click sharing.
5. Clear the Enable calendar free/busy information sharing check box to disable free/busy sharing. The
free/busy access level and security group buttons will also be disabled.
6. Click save to update the organization relationship.

Use the Exchange admin center to change the free/busy access level for the organization relationship

1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. In list view, under Organization Sharing, select the organization relationship Contoso, and then click Edit.
4. In organization relationship, click sharing.
5. Select Calendar free/busy information with time only.
6. Click save to update the organization relationship.

Use Exchange Online PowerShell to modify the organization relationship

This example adds the domain name service.contoso.com to the organization relationship Contoso.

$domains = (Get-OrganizationRelationship Contoso).DomainNames
$domains += 'service.contoso.com'
Set-OrganizationRelationship -Identity Contoso -DomainNames $domains

This example disables the organization relationship Contoso.

Set-OrganizationRelationship -Identity Contoso -Enabled $false

This example enables calendar availability information access for the organization relationship
Contoso and sets the access level to AvailabilityOnly (calendar free/busy information with time
only).

Set-OrganizationRelationship -Identity Contoso -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

For detailed syntax and parameter information, see Get-OrganizationRelationship and Set-OrganizationRelationship.

How do you know this worked?


To verify that you have successfully updated the organization relationship, run the following command and verify
the organization relationship information.

Get-OrganizationRelationship | format-list

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Remove an organization relationship in Exchange Online
3/4/2019 • 2 minutes to read

An organization relationship lets users in your Office 365 organization share calendar free/busy information with
other Office 365 or on-premises Exchange organizations. You can remove an organization relationship to disable
calendar sharing with the other organization.
To learn more about organization relationships, see Organization relationships in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.

Use the Exchange admin center to remove an organization relationship


1. From the Office 365 admin center go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Organization Sharing, select an organization relationship, and then click Delete.
4. In the warning that appears, click yes.

Use Exchange Online PowerShell to remove an organization relationship

This example removes the organization relationship Contoso.

Remove-OrganizationRelationship -Identity "Contoso"

For detailed syntax and parameter information, see Remove-OrganizationRelationship.

How do you know this worked?


To verify that you have successfully removed the organization relationship, do one of the following:
In the Exchange admin center, go to organization > sharing and verify that the organization relationship
isn't displayed in the list view under Organization Sharing.
Run the following command to verify the organization relationship information is removed.

Get-OrganizationRelationship | Format-List
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Sharing policies in Exchange Online
3/4/2019 • 2 minutes to read

People in your organization may want to share calendars with individual business associates, friends, or family
members. Sharing policies control how your users share their calendars with people outside your organization.
The sharing policy that an admin applies to the user's mailbox determines what level of access a user can share and
with whom. If you don't change anything, then all users can invite anyone with an email address to view their
calendar. You may decide to apply a more restrictive policy.
An admin defines the rules that make up a sharing policy. You can specify the domains that users can share with,
and the following levels of access to calendars:
Free/busy information with time only
Free/busy information with time, subject, and location
Free/busy information, including time, subject, location, and title
After you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. Sharing
policies are applied to individual user's mailboxes. An admin can also disable a user's sharing policy to prevent
external access to calendars.
Users share their calendar by sending an email invitation to the external user. Outlook 2010 or later or Outlook
Web App can send this type of invitation. The calendar can be opened through a URL link, or can be accessed as an
additional calendar folder if the external user has Outlook 2010 or later or is using Outlook Web App.
These topics will help you learn how to manage sharing policies for your Office 365 organization:
Create a sharing policy in Exchange Online
Apply a sharing policy to mailboxes in Exchange Online
Modify, disable, or remove a sharing policy in Exchange Online
Create a sharing policy in Exchange Online
3/4/2019 • 2 minutes to read

Create a new Sharing Policy to change how people in your organization share calendars with individual business
associates, friends, or family members. Sharing policies control how your users share their calendars with people
outside your organization. By default, all users can invite anyone with an email address to view their calendar. After
you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. To apply a specific
sharing policy to users, see Apply a sharing policy to mailboxes in Exchange Online.

What do you need to know before you begin?


Estimated time to complete: 15 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.
Only Outlook 2010 or later and Outlook Web App users can create sharing invitations.

Use the wizard to create a sharing policy


1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. In the list view, under Individual Sharing, click New.
4. In new sharing policy, type a friendly name for the sharing policy in the Policy name box.
5. Click Add to define the sharing rules for the policy.
6. In sharing rule, select one of the following options to specify the domains you want to share with:
Sharing with all domains
Sharing with a specific domain
7. If you select Sharing with a specific domain, type the name of the domain you want to share with. If you
need to enter more than one domain for this sharing policy, save the settings for the first domain, then edit
the sharing rules to add more domains.
8. To specify the information that can be shared, select the Share your calendar folder check box, and then
select one of the following options:
Calendar free/busy information with time only
Calendar free/busy information with time, subject, and location
All calendar appointment information, including time, subject, location and title
9. Click save to set the rules for the sharing policy.
10. If you want to set this sharing policy as the new default sharing policy for all users in your Office 365
organization, select the Make this policy my default sharing policy check box.
11. Click save to create the sharing policy.
Use Exchange Online PowerShell to create a sharing policy
This example creates the sharing policy Contoso. This policy allows users in the contoso.com domain to see
your user's detailed calendar availability (free/busy) information. By default, this policy is enabled.

New-SharingPolicy -Name "Contoso" -Domains 'contoso.com: CalendarSharingFreeBusyDetail'

This example creates the sharing policy ContosoWoodgrove for two different domains (contoso.com and
woodgrovebank.com) with different sharing settings configured for each domain. The policy is disabled.

New-SharingPolicy -Name "ContosoWoodgrove" -Domains 'contoso.com: CalendarSharingFreeBusySimple', 'woodgrovebank.com: CalendarSharingFreeBusyDetail' -Enabled $false

For detailed syntax and parameter information, see New-SharingPolicy.

How do you know this worked?


To verify that you have successfully created the sharing policy, run the following command to view the sharing
policy information.

Get-SharingPolicy <policy name> | format-list

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Apply a sharing policy to mailboxes in Exchange Online
3/4/2019 • 2 minutes to read

Sharing policies control how your users share their calendars with people outside your organization. The sharing
policy that an admin applies to the user's mailbox determines what level of access a user can share and with
whom. If you don't change anything, then all users can invite anyone with an email address to view their calendar.
If you create a new sharing policy, you have to apply that policy to mailboxes before it takes effect. Sharing policies
are applied to individual user's mailboxes. An admin can also disable a user's sharing policy to prevent external
access to calendars.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.
A sharing policy must exist. For details, see Create a sharing policy in Exchange Online.

Use the Exchange admin center to apply a sharing policy to one mailbox

1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to recipients > mailboxes.
3. In the list view, select the mailbox you want, and then click Edit.
4. In User Mailbox, click mailbox features.
5. In the Sharing policy list, select the sharing policy you want to apply to this mailbox.
6. Click save to apply the sharing policy.

Use the Exchange admin center to apply a sharing policy to multiple mailboxes

1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to recipients > mailboxes.
3. In the list view, hold the Ctrl key while you select multiple mailboxes.
4. In the details pane, the mailbox properties will be configured for bulk edit. Scroll down to click More
options.
5. Under Sharing Policy, click Update.
6. In bulk assign sharing policy, select the sharing policy from the list.
7. Click save to apply the sharing policy to the selected mailboxes.

Use Exchange Online PowerShell to apply a sharing policy to one or more mailboxes

This example applies the sharing policy Contoso to Barbara's mailbox.

Set-Mailbox -Identity Barbara -SharingPolicy "Contoso"

This example finds all user mailboxes in the Marketing department and then applies the sharing policy Contoso
Marketing.

Get-Mailbox -Filter {Department -eq "Marketing"} | Set-Mailbox -SharingPolicy "Contoso Marketing"

This example shows all mailboxes that have the sharing policy Contoso applied, and it sorts the users into a table
that displays only their aliases and email addresses.

Get-Mailbox -ResultSize unlimited | Where {$_.SharingPolicy -eq "Contoso"} | format-table Alias,EmailAddresses

For detailed syntax and parameter information, see Set-Mailbox and Get-Mailbox.

How do you know this worked?


To verify that you have successfully applied the sharing policy to a user mailbox, do one of the following:
In the Exchange admin center, go to recipients > mailboxes, and then select the mailbox to which you
applied the sharing policy. Click Edit, click mailbox features, and then confirm that the correct sharing
policy is displayed in the Sharing policy list.
Run the following command to verify the sharing policy was assigned to a user mailbox. Verify that the
correct sharing policy is listed for the SharingPolicy parameter.

Get-Mailbox <username> | format-list

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Modify, disable, or remove a sharing policy in Exchange Online
3/4/2019 • 2 minutes to read

Sharing policies control how your users share their calendars with people outside your organization. You may want
to change some sharing policy properties, such as changing sharing rules, changing the free/busy access level,
temporarily disabling a sharing policy, or removing a sharing policy entirely.
For details about how to create a sharing policy, see Create a sharing policy in Exchange Online.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the Permissions in Exchange Online topic.

Use the Exchange admin center to change a sharing policy


1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy, and then click Edit.
4. In sharing policy, click Edit.
5. In sharing rule, change the settings such as the domain you want to share information with and the sharing
level for calendars. Click save to update the rule.
6. In sharing policy, click save to update the sharing policy.

Use the Exchange admin center to set a sharing policy as the default sharing policy

1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy, and then click Edit.
4. In sharing policy, select the Make this policy my default sharing policy check box.
5. Click save to update the sharing policy.

Use the Exchange admin center to disable a sharing policy


1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy.
4. In the On column, clear the check box for the sharing policy you want to disable.

Use the Exchange admin center to remove a sharing policy

IMPORTANT
Before you remove a sharing policy, the sharing policy must be removed from all user mailboxes.

1. From the Office 365 admin center dashboard, go to Admin > Exchange.
2. Go to organization > sharing.
3. Under Individual Sharing, select a sharing policy, and then click Delete.
4. In the warning, click yes to delete the sharing policy.

Use Exchange Online PowerShell to modify, disable or remove a sharing policy

This example modifies the sharing policy Contoso. This policy allows users in the Contoso domain to see
simple free/busy information.

Set-SharingPolicy -Identity Contoso -Domains 'sales.contoso.com: CalendarSharingFreeBusySimple'

This example adds a second domain to the sharing policy Contoso. When you're adding a domain to an
existing policy, you must include any previously included domains.

Set-SharingPolicy -Identity Contoso -Domains 'contoso.com: CalendarSharingFreeBusySimple', 'atlanta.contoso.com: CalendarSharingFreeBusyReviewer', 'beijing.contoso.com: CalendarSharingFreeBusyReviewer'

This example sets the sharing policy Contoso as the default sharing policy.

Set-SharingPolicy -Identity Contoso -Default $True

This example disables the sharing policy Contoso.

Set-SharingPolicy -Identity "Contoso" -Enabled $False

The first example removes the sharing policy Contoso. The second example removes the sharing policy
Contoso and suppresses the confirmation that you want to remove the policy.

Remove-SharingPolicy -Identity Contoso

Remove-SharingPolicy -Identity Contoso -Confirm:$false

For detailed syntax and parameter information, see Set-SharingPolicy and Remove-SharingPolicy.
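
The organization relationships and sharing policies configured in the preceding topics decide how much calendar detail leaves the organization, so it helps to review them together. The following is an added example, not part of the original documentation: the function name Get-SharingExposure and its Info/Review/High labels are this example's own, the sample objects are constructed, and the '*' and 'Anonymous' domain entries are assumed to be the all-domains and any-email-address entries used by the default sharing policy.

```powershell
# Added example (not Microsoft's code). Lists what each enabled organization
# relationship and sharing policy exposes to external domains, and grades it.
function Get-SharingExposure {
    [CmdletBinding()]
    param(
        [object[]]$OrganizationRelationship = @(),
        [object[]]$SharingPolicy = @()
    )

    foreach ($rel in $OrganizationRelationship) {
        # A disabled relationship, or one with free/busy sharing off, exposes nothing.
        if (-not $rel.Enabled -or -not $rel.FreeBusyAccessEnabled) { continue }
        # LimitedDetails = time, subject, and location; AvailabilityOnly = time only.
        $risk = if ("$($rel.FreeBusyAccessLevel)" -eq 'LimitedDetails') { 'Review' } else { 'Info' }
        foreach ($domain in $rel.DomainNames) {
            [pscustomobject]@{
                Source  = 'OrganizationRelationship'
                Name    = $rel.Name
                Domain  = "$domain"
                Access  = "$($rel.FreeBusyAccessLevel)"
                Default = 'n/a'
                Risk    = $risk
            }
        }
    }

    foreach ($policy in $SharingPolicy) {
        if (-not $policy.Enabled) { continue }
        foreach ($entry in $policy.Domains) {
            # Assumed string form: 'domain: Action[, Action]', as typed in -Domains.
            $domain, $actions = "$entry" -split ':', 2
            $domain = $domain.Trim()
            # Assumption: '*' = all domains, 'Anonymous' = anyone with an email address.
            $broad = $domain -in '*', 'Anonymous'
            foreach ($action in ($actions -split ',')) {
                $action = $action.Trim()
                if (-not $action) { continue }
                $risk = switch ($action) {
                    'CalendarSharingFreeBusySimple'   { 'Info' }
                    'CalendarSharingFreeBusyDetail'   { if ($broad) { 'High' } else { 'Review' } }
                    'CalendarSharingFreeBusyReviewer' { if ($broad) { 'High' } else { 'Review' } }
                    default                           { 'Review' }  # unrecognized action: needs a human look
                }
                [pscustomobject]@{
                    Source  = 'SharingPolicy'
                    Name    = $policy.Name
                    Domain  = $domain
                    Access  = $action
                    Default = [bool]$policy.Default
                    Risk    = $risk
                }
            }
        }
    }
}

# Constructed sample objects (not real tenant output) so the function runs without a session.
$sampleRelationships = @(
    [pscustomobject]@{ Name = 'Contoso'; Enabled = $true; FreeBusyAccessEnabled = $true
        FreeBusyAccessLevel = 'LimitedDetails'; DomainNames = @('contoso.com', 'europe.contoso.com') }
    [pscustomobject]@{ Name = 'Fourth Coffee'; Enabled = $true; FreeBusyAccessEnabled = $true
        FreeBusyAccessLevel = 'AvailabilityOnly'; DomainNames = @('fourthcoffee.com') }
)
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default Sharing Policy'; Enabled = $true; Default = $true
        Domains = @('Anonymous:CalendarSharingFreeBusyReviewer', '*:CalendarSharingFreeBusySimple') }
    [pscustomobject]@{ Name = 'ContosoWoodgrove'; Enabled = $false; Default = $false
        Domains = @('contoso.com: CalendarSharingFreeBusySimple', 'woodgrovebank.com: CalendarSharingFreeBusyDetail') }
    [pscustomobject]@{ Name = 'Contoso'; Enabled = $true; Default = $false
        Domains = @('contoso.com: CalendarSharingFreeBusySimple', 'atlanta.contoso.com: CalendarSharingFreeBusyReviewer') }
)

Get-SharingExposure -OrganizationRelationship $sampleRelationships -SharingPolicy $samplePolicies |
    Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online PowerShell session):
# Get-SharingExposure -OrganizationRelationship (Get-OrganizationRelationship) -SharingPolicy (Get-SharingPolicy)
```

A policy marked Default applies to every mailbox that has no other sharing policy assigned, so a High row on a default policy affects the whole organization.
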
Voice mail in Exchange Online: Unified Messaging
3/29/2019 • 12 minutes to read

NOTE
Cloud Voicemail takes the place of Exchange Unified Messaging (UM) in providing voice messaging functionality for Skype for
Business 2019 voice users who have mailboxes on Exchange Server 2019 or Exchange Online, and for Skype for Business
Online voice users. For more information please check Plan Cloud Voicemail service.

Unified Messaging (UM) enables users to use voice mail features, including Outlook Voice Access and Call
Answering Rules. UM combines voice messaging and email messaging into one mailbox that can be accessed from
many different devices. Users can read or listen to their messages from their email Inbox or by using Outlook Voice
Access from any telephone. You have control over how users place outgoing calls, and the experience callers have
when they call in to your organization.
Today, messaging administrators in organizations frequently manage the voice mail and email systems for their
organizations as separate systems. Voice mail and email messages are located in separate mailboxes that are
hosted on separate servers. Users can access messages through the desktop for email and through the telephone
for voice mail.
UM in Office 365 makes it possible for online administrators to combine voice messaging and email messaging
into one mailbox so their users can read or listen to their voice mail messages in their Inbox or by using Outlook
Voice Access from any telephone. UM uses a user's mailbox to store both email and voice mail messages.

Unified Messaging features


The voice mail features found in UM offer benefits for both users and administrators in your organization and in
Exchange Online.
Features for users
When you configure UM for your organization, users can access voice mail, email, personal Contacts and calendar
information that's located in their mailbox from an email client, for example, Microsoft Outlook or Outlook Web
App, from a mobile phone with Microsoft Exchange ActiveSync set up, such as a Windows Phone, or from a
telephone. Additionally, users can use the following features:
Access to their Exchange mailbox: Users can access a full set of voice mail features from internet-capable
mobile phones, Outlook 2007 or later versions, and Outlook Web App. These features include many voice
mail configuration options and the ability to play a voice message from either the reading pane, using an
integrated Windows Media Player, or the message list, using computer speakers.
Play on Phone: The Play on Phone feature lets users play voice messages over a telephone. If the user
works in an office cubicle, is using a public computer or a computer that isn't enabled for multimedia, or is
listening to a voice message that's confidential, they might not want to or be able to listen to a voice
message through computer speakers. They can play the voice message using any telephone, including a
home, office, or mobile telephone.
Voice mail form: The voice mail form resembles the default email form. It gives users an interface for
performing actions such as playing, stopping, or pausing voice messages, playing voice messages on a
telephone, and adding and editing notes.
The voice mail form includes the embedded Windows Media Player and an Audio notes field. The
embedded Windows Media Player and notes field are displayed either in the reading pane when users
preview a voice message or in a separate window when they open the voice message. If users aren't enabled
for UM, or if a supported email client hasn't been installed on the client computer, they view voice messages
as email attachments, and the voice mail form isn't available.
User configuration: Users can configure several voice mail options for UM using Outlook Web App. For
example, the user can record personal greetings, configure missed call and text message notifications and a
voice mail Play on Phone number, and reset a voice mail access PIN.
Call answering: Call answering includes answering incoming calls on behalf of users, playing their personal
greetings, recording messages, and then sending the voice mail to their Inbox as an email message.
Call Answering Rules: The Call Answering Rules feature lets users who are enabled for voice mail
determine how their incoming call answering calls should be handled. The way call answering rules are
applied to incoming calls is similar to the way Inbox rules are applied to incoming email messages. By
default, no call answering rules are configured. If an incoming call is answered, the caller is prompted to
leave a voice message for the person being called. By using call answering rules, a caller can:
Leave a voice message for the user.
Transfer to an alternate contact of the user.
Transfer to the alternate contact's voice mail.
Transfer to other phone numbers that the user has configured.
Use the Find Me feature or locate the user through a transfer from an operator.
Voice Mail Preview: Unified Messaging uses Automatic Speech Recognition (ASR) on newly created voice
mail messages. When users receive voice messages, the messages contain both a recording and text that's
been created from the voice recording. Users see the voice message text displayed in an email message
from within Outlook Web App or another supported email client.
Message Waiting Indicator: Message Waiting Indicator is a feature found in most legacy voice mail
systems and can refer to any mechanism that indicates the existence of a new message. Enabling or
disabling Message Waiting Indicator is done on the user's mailbox or on a UM mailbox policy.
Missed call and voice mail notifications using SMS: When users are part of a hybrid or Office 365
deployment, and they configure their voice mail settings with their mobile phone number and configure call
forwarding, they can receive notifications about missed calls and new voice messages on their mobile
phones in a text message through the Short Messaging Service (SMS). However, to receive these types of
notifications, the users must first configure text messaging and also enable notifications on their account.
Protected Voice Mail: Protected Voice Mail is a feature that enables users to send private mail. This voice
mail is protected and users are restricted from forwarding, copying, or extracting the voice file from email.
Protected Voice Mail increases the confidentiality of voice mail messages, and lets users limit the audience
for voice messages.
Outlook Voice Access: There are two UM user interfaces available to users: the telephone user interface
(TUI) and the voice user interface (VUI). These two interfaces together are called Outlook Voice Access.
Outlook Voice Access users can use Outlook Voice Access when they access the voice mail system from an
external or internal telephone. Users who dial in to the voice mail system can access their mailbox using
Outlook Voice Access. However, when a user is searching the directory for your organization, they must use
the key pad on their phone to search for a user. Using their voice to search the directory isn't available. Using
a telephone, a UM-enabled user can:
Access voice mail.
Listen to, forward, or reply to email messages.
Listen to calendar information.
Access or dial contacts who are stored in the organization's directory or a single contact or contact
group located in their personal Contacts.
Accept or cancel meeting requests.
Set a voice message to let callers know the called party is away.
Set user security preferences and personal options.
Search for users in the directory of the organization.
Group addressing using Outlook Voice Access: Users can send a single email message to a single user
in their personal Contacts, to multiple recipients from the directory by adding each recipient individually, or
by adding the name of a distribution list from the directory for your organization. In UM in Office 365, when
a user signs in to their mailbox using Outlook Voice Access, they can also send email and voice messages to
users in a group stored in their personal Contacts.
Administrative features
Currently, most users and IT departments manage their voice mail separately from their email. Voice mail and
email exist as separate inboxes hosted on separate servers accessed through the desktop for email and through the
telephone for voice mail. UM offers an integrated store for all messages and access to content through the
computer and the telephone.
Exchange administrators can manage UM using the same interface they use to manage the rest of Exchange, using
the Exchange admin center (EAC) and Exchange Online PowerShell. They can:
Manage voice mail and email from a single platform.
Manage UM using scriptable commands.
Build a highly available and reliable UM infrastructure.
Office 365 UM offers administrators:
Consolidation of voice mail systems: Currently, most voice messaging systems require that all the voice
messaging components be installed in every physical office location in an organization. In this kind of
arrangement, the voice messaging systems in branch offices are located outside the central office and must
be administered onsite. This frequently results in increased administration costs and complexity. UM lets you
manage your voice mail system from a central location. To create a centralized management system for UM,
you integrate your VoIP gateways, IP PBXs or PBXs, and your phone system and then deploy session border
controllers (SBCs) to connect your phone system with your Office 365 deployment. Deploying a centralized
voice messaging system this way can result in a significant savings in hardware and administrative costs.

NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will
end in July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in
Exchange Online Unified Messaging for more information.

Built-in UM administrative roles: The set of UM-specific administrative roles for managing UM and voice
mail features includes the following:
UM Mailboxes
UM Prompts
Unified Messaging
Incoming fax support: UM provides built-in incoming fax support for users who have a UM-enabled
mailbox. They can receive fax messages through calls placed to their extension number.
Customers who require a fax solution will have to deploy a fax partner solution. Fax partner solutions are
available from several fax partners. The fax partner solutions are designed to be tightly integrated with
Exchange and enable UM-enabled users to receive incoming fax messages. You can find a fax partner
solution by visiting Microsoft Pinpoint for Fax Partners.
Support for multiple languages: All available language packs contain support for the Text-to-Speech
(TTS) engine and the prerecorded prompts for a specified language and ASR support. However, only some
language packs contain support for Voice Mail Preview.
Auto attendant: An auto attendant is a set of voice prompts that gives external and internal users access to
the voice mail system. Users can use the telephone keypad or speech inputs to move through the auto
attendant menu, place a call to a user, or locate a user in your organization and then place a call to them. An
auto attendant gives the administrator the ability to:
Create a customized menu for external users.
Define informational greetings, business hours greetings, and non-business hours greetings.
Define holiday schedules.
Describe how to search the organization's directory.
Describe how to connect to a user's extension so that external callers can call users by specifying their
extension.
Describe how to search the organization's directory so that external callers can search the directory
and call a specific user.
Enable external users to call the operator.

Planning and deploying UM


Unified Messaging requires that you integrate your existing telephony system for your organization within Office
365 by using SBCs. A successful deployment requires you to make a careful analysis of your existing telephony
infrastructure and to perform the correct planning steps to deploy and manage voice mail in UM.

NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will end in
July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in Exchange Online
Unified Messaging for more information.

When you plan to use UM in Office 365, you need to consider design and other issues that may affect your ability
to reach your organizational goals when you configure UM. Generally, the simpler the UM setup is, the easier UM
is to configure and maintain. As a general rule, create as few UM components like UM dial plans, auto attendants,
and UM mailbox policies as you need to support your business and organizational goals. Large enterprises with
complex network and telephony environments, multiple business units, or other complexities will require more
planning than smaller organizations with relatively straightforward UM needs.
You need to consider and evaluate many areas to be able to successfully deploy UM. You need to understand the
different aspects of UM and each component and feature so that you can plan your UM infrastructure and
deployment appropriately. Allocating time to plan and work through these issues will help prevent problems when
you deploy UM in your organization. The following are some of the areas that you should consider and evaluate
when planning for UM in your organization:
The needs of your organization.
The security requirements in your organization.
Your existing telephony, circuit-switched network, and voice mail system.
Your current packet-switched IP network design. This includes your local area network (LAN) and WAN
connectivity points and devices.
The number of users that you'll have to support.
Whether you'll be integrating UM with Lync Server to enable Enterprise Voice in Office 365.
The placement of VoIP gateways, telephony equipment, and SBCs.
The storage requirements for voice mail users.

Managing UM with the EAC and Exchange Online PowerShell


EAC management
Office 365 provides a single unified management console for your organization that includes all UM components
and features. The EAC provides a streamlined, optimized interface for management of Exchange Online
deployments. Some of the EAC features include:
List view: The list view in the EAC has been designed to display recipients, mailboxes, and settings for
features that you are using within your organization. Paging within the list view allows you to see results per
page. You can also configure page size and the number of entries, and export entries to a CSV file.
Add/Remove columns in the Recipient list view: You can choose which columns to view, and you can
save your custom list views.
Public folder management: Public folder management is available in the EAC, and you don't need
separate tools to manage public folders.
Notifications: The EAC now has a Notification viewer so that you can view the status of long-running
processes and, if you choose, receive notification through an email message when the process completes.
Role Based Access Control (RBAC) User Editor: Within Office 365, the RBAC User Editor functionality is
in the EAC, and you don't need a separate tool to manage RBAC.
UM tools: In Office 365 you can use the Call Statistics and User Call Logs tools to help provide UM
statistics and information about specific calls for a user.
For more information about the EAC, see Exchange admin center in Exchange Online.
Exchange Online PowerShell management
Exchange Online PowerShell is a powerful command-line interface that enables automation of administrative tasks.
Exchange Online PowerShell can perform every task that can be performed by the EAC plus tasks that can't be
done in the EAC. In fact, when you do something in the EAC, it's Exchange Online PowerShell that's doing the work
behind the scenes.
For more information about Exchange Online PowerShell, see Exchange Online PowerShell.
Voice mail greetings, announcements, menus, and prompts in Exchange Online
2/28/2019 • 7 minutes to read

When you install Unified Messaging (UM), a common set of default audio files used for the voice mail system and
for menu prompts, greetings, and informational announcements is installed. Although you can create a fully
functional UM auto attendant or dial plan that uses only the default audio prompts, these prompts are too generic
to serve as an acceptable public interface for many companies. This topic discusses the system and menu prompts,
greetings, and informational announcements that are used by UM dial plans and auto attendants and how they're
used when callers access the voice mail system.

Overview of audio prompts and greetings


These system audio files or prompts should never be replaced. However, UM enables you to customize UM dial
plan and auto attendant welcome greetings, main menu prompts, and informational announcements.
The following table summarizes the prompts and greetings used with UM dial plans.
Audio prompts for UM dial plans

| PROMPTS AND GREETINGS | DESCRIPTION |
| --- | --- |
| System prompts | Must not be modified. |
| Welcome greeting | The default welcome greeting is a system prompt that is played by default. However, you can use a customized greeting file that you create. |
| Informational announcement | By default, informational announcements are disabled. If you enable an informational announcement, you must specify a customized greeting file. |

The following table summarizes the prompts and greetings used with UM auto attendants.
Audio prompts for UM auto attendants

| PROMPTS AND GREETINGS | DESCRIPTION |
| --- | --- |
| System prompts | Must not be modified. |
| Business hours menu prompts | By default, business hours menu prompts are enabled and a system prompt is played. However, you can use a customized greeting file that you create. |
| Non-business hours menu prompts | By default, non-business hours menu prompts are enabled and a system prompt is played. However, you can use a customized greeting file that you create. |
| Business hours greeting | By default, a business hours greeting is enabled and a system prompt is played. However, you can use a customized greeting file that you create. This is also known as a welcome greeting. |
| Non-business hours greeting | By default, a non-business hours greeting is enabled and a system prompt is played. However, you can use a customized greeting file that you create. This is also known as a welcome greeting. |
| Informational announcement | By default, informational announcements are disabled. If you enable an informational announcement, you must specify a customized greeting file. |

System prompts
Unified Messaging uses a set of default audio prompts for Outlook Voice Access, dial plans, and auto attendants.
Hundreds of system prompts for each language are available. Unified Messaging plays the audio files for these
system prompts to callers when they access the voice mail system. The following are some examples of these
system prompts:
"Please enter your PIN."
"To access your mailbox, enter your extension."
"To contact someone, press the # key."
"Spell the name of the person you are calling, last name first."
"To reach a specific person, just tell me the name."
CAUTION

Modifying any UM system prompts isn't supported.

UM dial plan greetings and announcements


After you create a UM dial plan, you have the option to use the audio files for the default system prompts or to
create customized audio files that can be used with UM dial plans.
UM dial plans have a welcome greeting and an optional informational announcement you can modify. The
welcome greeting is used when an Outlook Voice Access user or another caller calls an Outlook Voice Access
number. The callers hear a default welcome greeting that says, "Welcome, you are connected to Microsoft
Exchange." You might want to change this default greeting and provide an alternative welcome greeting specific to
your company, for example, "Welcome to Outlook Voice Access for Woodgrove Bank." If you customize this
greeting, you can record the customized greeting and save it as a .wav file, and then you can configure the dial plan
to use this customized greeting.
Unified Messaging allows for an informational announcement to follow the welcome greeting. By default, there is
no informational announcement configured. However, you may want to provide one for callers. You can use the
informational announcement for general announcements that change more often than the welcome greeting or for
announcements required by corporate compliance policies. When it's important that the whole informational
announcement is heard, you can configure it to be uninterruptible. This prevents a caller from pressing a key or
speaking a command to interrupt and stop the informational announcement.
The following table describes the UM dial plan greetings and informational announcements.
UM dial plan greetings and informational announcements
| GREETING | DEFAULT EXAMPLE | CUSTOMIZED EXAMPLE |
| --- | --- | --- |
| Welcome greeting | "Welcome, you are connected to Microsoft Exchange." | "Welcome to Outlook Voice Access for Woodgrove Bank." |
| Informational announcement | By default, an informational announcement isn't configured. | "By using this system you agree to adhere to all corporate policies when you are accessing this system." |

When you are customizing and configuring greetings and announcements, make sure the language setting
configured on the UM dial plan is the same as the language of the custom prompts you create. If not, a caller may
hear a message or greeting in one language and another message or greeting in a different language.

UM auto attendant greetings, announcements, and menu prompts


As with UM dial plans, UM auto attendants have a welcome greeting, an optional informational announcement,
and an optional custom menu prompt. You can configure different versions of the welcome greeting and menu
prompt for business hours and non-business hours. You can modify all of them.
The welcome greeting is the first thing a caller hears when a UM auto attendant answers the call. By default, this
says, "Welcome to the Microsoft Exchange auto attendant." The audio file that is played for the call is the default
system prompt for the UM auto attendant. However, you may want to provide an alternative greeting specific to
your company, for example, "Thank you for calling Woodgrove Bank." To customize this welcome greeting, record
the customized greeting and save it as a .wav file, and then configure the auto attendant to use this customized
greeting. As with the welcome greetings, you can also customize the menu prompts.
Unified Messaging also allows for an informational announcement to follow a business hours greeting or a non-
business hour greeting. By default, no informational announcement is configured, but you may want to provide
one to callers. The informational announcement can announce your company's business hours, for example, "Our
business hours are 8:00 A.M. to 5:00 P.M., Monday through Friday, and 8:30 A.M. to 1:00 P.M. on Saturday." The
informational announcement can also provide information required for compliance with corporate policies, for
example, "Calls may be monitored for training purposes." When it's important that the whole informational
announcement is heard, you can configure it to be uninterruptible. This prevents the caller from pressing a key or
speaking a command to interrupt and stop the informational announcement.
The following table describes the UM auto attendant greetings and informational announcements.
UM auto attendant greetings, informational announcement, and menu prompts

| GREETING | DEFAULT EXAMPLE | CUSTOMIZED EXAMPLE |
| --- | --- | --- |
| Business hours greeting | "Welcome to the Microsoft Exchange auto attendant." | "Thank you for calling Woodgrove Bank." |
| Non-business hours greeting | No default non-business hours greeting is played until you configure the business hours for the auto attendant. However, the business hours greeting is played for callers during all times of the day. | "You have reached Woodgrove Bank after business hours. Our business hours are from 8:00 A.M. until 5:00 P.M., Monday through Friday." |
| Informational announcement | By default, informational announcements aren't configured. | "Calls may be monitored for training purposes." |
| Business hours main menu prompt | No default business hours main menu prompt will be played until you configure key mappings on the auto attendant. | "For technical support, press or say 1. For corporate offices and administration, press or say 2. For sales, press or say 3." |
| Non-business hours main menu prompt | No default non-business hours main menu prompt will be played until you configure key mappings and the business hours schedule on the auto attendant. | "Your call is very important to us. However, you have reached Woodgrove Bank after business hours. If you want to leave a message, please press or say 1, and we will return your call as soon as possible." |

As with UM dial plans, make sure the language setting configured on the UM auto attendant is the same as the
language of the custom greetings you create and is set to the same language as the UM dial plan. If not, a caller
may hear a message or greeting in one language and another message or greeting in a different language.

Customizing greetings, announcements, and menu prompts, and navigation menus

By default, when you create a UM auto attendant, the business and non-business hours greetings or prompts aren't
configured and no key mappings are defined for business or non-business hours main menu prompts. To correctly
configure customized greetings and prompts for an auto attendant, you must:
Configure business and non-business hours on the Business hours page.
Create the greeting audio (.wav or .wma) files that will be used for the business and non-business hours
welcome greetings.
Configure the business and non-business hours welcome greetings on the Greetings page.
Create the greeting files that will be used for the business and non-business hours main menu prompt
greetings.
Configure the business and non-business hours main menu prompt greetings on the Greetings page.
Enable and configure the business and non-business hours menu navigation on the Menu navigation
page.
Set the default language on a dial plan
2/28/2019 • 2 minutes to read

Use the EAC to set the default language on a UM dial plan


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan that you want to modify, and then, on the toolbar, click Edit.
3. On the UM dial plan page, click Configure.
4. On the Settings page, under Audio language, select the language you want to set from the drop-down
list.
5. Click Save to accept your changes.
Use Exchange Online PowerShell to set the default language on a UM dial plan
This example sets the default language on a UM dial plan named MyUMDialPlan to German.

Set-UMDialPlan -Identity MyUMDialPlan -DefaultLanguage de-DE

This example sets the default language on a UM dial plan named MyUMDialPlan to Japanese.

Set-UMDialPlan -Identity MyUMDialPlan -DefaultLanguage ja-JP

This example sets the default language on a UM dial plan named MyUMDialPlan to Australian English.

Set-UMDialPlan -Identity MyUMDialPlan -DefaultLanguage en-AU


Select the language for an auto attendant
2/28/2019 • 2 minutes to read

You can configure the default prompt language setting on a Unified Messaging (UM) auto attendant. The language
setting available on a UM auto attendant enables you to configure the default prompt language on the auto
attendant. When you're using the default system prompts for the auto attendant, this is the language that the caller
hears when the auto attendant answers the incoming call. This setting doesn't affect custom prompts that are
configured on an auto attendant.
Use the EAC to configure the default language setting
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then on the toolbar, click Edit.
3. On the UM dial plan page, under UM Auto Attendants, select the UM auto attendant you want to
change, and then click Edit.
4. On the General page, under Language for automated voice interface, select the required language from
the drop-down list.
5. Click Save to accept your changes.
Use Exchange Online PowerShell to configure the default language setting
This example sets the default language on the UM auto attendant MyUMAutoAttendant to English (Great Britain).

Set-UMAutoAttendant -Identity MyUMAutoAttendant -Language en-GB

This example sets the default language on the UM auto attendant MyUMAutoAttendant to German.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -Language de-DE


Enable custom prompt recording using the telephone user interface
2/28/2019 • 3 minutes to read

You can use Exchange Online PowerShell to enable the recording of custom prompts and greetings for Unified
Messaging (UM) dial plans and auto attendants using the telephone user interface (TUI). This can be useful when
you want to change a custom greeting or announcement by using the EAC or Exchange Online PowerShell, or
when there's an emergency such as an organization closure because of severe weather. When you're changing a
custom greeting or announcement on a UM auto attendant, you must enable TUI prompt recording on the dial
plan that the UM auto attendant is linked to.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" and "UM auto attendants" entries in the Unified Messaging
Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable a custom prompt or greeting recording using the TUI

To record custom prompts and greetings by using the telephone user interface (TUI), follow these steps:
1. Create a domain user account that cannot log on interactively.
2. Delegate the Exchange Organization Administrator role to the domain user account.
3. Create a mailbox for the domain user.
4. Enable the domain user's mailbox for Unified Messaging.

IMPORTANT
Allow only those administrators who are managing prompts and greetings access to the extension number and PIN
for the user account. Use this user account only for managing prompts over the telephone.
5. Create and save a .wav or .wma file to use for a custom greeting for the UM dial plan or auto attendant.

NOTE
MP3 files can't be used for custom prompts.

6. Use the EAC or Exchange Online PowerShell to configure the dial plan to use the custom welcome greeting
or configure the auto attendant to use the business or non-business hours greeting. For details about
configuring a dial plan, see Enable a customized greeting for Outlook Voice Access users. For details about
configuring an auto attendant, see Enable a customized business hours greeting or Enable a customized
non-business hours greeting.
7. Run the following cmdlet:

Set-UMDialPlan -identity MyUMDialPlan -TUIPromptEditingEnabled $true

NOTE
Before you can enable the recording of a custom prompt or greeting, you must sign in to the mailbox that's set up for
recording prompts. After you record the new prompt or greeting, you must sign out and then sign back in before you can
hear the new prompt or greeting when you use the TUI.

Perform TUI prompt recording on a UM auto attendant


1. Verify that the auto attendant is linked to the dial plan that you've enabled for TUI prompt recording.
2. Call a phone number that's been configured on the UM auto attendant.
3. While the non-business or business hours greeting for the auto attendant is being played, press the pound
key (#), and then press the star key (*).
4. You'll be prompted to enter the extension number for the user. Enter the extension number of the
UM-enabled user who has permission to perform TUI prompt recording.
5. You'll be prompted for a PIN. Enter the user's PIN.
6. Follow the system prompts to edit or update the greeting or informational announcement for the auto
attendant.

Perform TUI prompt recording on a UM dial plan


1. Call an Outlook Voice Access number you use to sign in to Outlook Voice Access.
2. While the welcome greeting for the dial plan is being played, press the pound key (#), and then press the
star key (*).
3. If you're calling from a phone that's used by a UM-enabled user, you'll be prompted for a PIN. Instead of
entering the PIN, press the star key (*). You'll be prompted for an extension number. Enter the extension
number of the UM-enabled user who has permission to perform TUI prompt recording.
4. If you're calling from a phone that's not used by a UM-enabled user, you'll automatically be prompted for an
extension number. Enter the extension number of the UM-enabled user who has permission to perform TUI
prompt recording.
5. You'll be prompted for a PIN. Enter the user's PIN.
6. Follow the system prompts to edit or update the welcome greeting for the dial plan or the informational
announcement.
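An added audit sketch, not Microsoft's code, covering two points from the sections above: the requirement that an auto attendant's language match its dial plan's language, and which dial plans and linked auto attendants currently accept TUI prompt recording. The property names read from the objects, the way UMDialPlan converts to a name, and the names BranchDialPlan and BranchAutoAttendant are assumptions; the sample objects are constructed so the block runs without a tenant.

```powershell
# Added example. In a live Exchange Online PowerShell session the inputs would be:
#   $dialPlans      = Get-UMDialPlan
#   $autoAttendants = Get-UMAutoAttendant
# Assumptions: dial plan objects expose Name, DefaultLanguage and
# TUIPromptEditingEnabled; auto attendant objects expose Name, Language and
# UMDialPlan, and UMDialPlan converts to the dial plan's name as a string.

function New-UMAuditFinding {
    param([string] $Finding, [string] $Object, [string] $DialPlan, [string] $Detail)
    [pscustomobject]@{
        Finding  = $Finding
        Object   = $Object
        DialPlan = $DialPlan
        Detail   = $Detail
    }
}

function Get-UMPromptAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $DialPlan,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AutoAttendant
    )

    # Index dial plans by name so each auto attendant can find the plan it is linked to.
    $planByName = @{}
    foreach ($dp in $DialPlan) { $planByName[[string]$dp.Name] = $dp }

    # Dial plans whose welcome greeting and announcement can be re-recorded by phone.
    foreach ($dp in $DialPlan) {
        if ($dp.TUIPromptEditingEnabled) {
            $detail = 'Prompts can be re-recorded by phone with the recording account extension and PIN.'
            New-UMAuditFinding -Finding 'TuiPromptEditingEnabled' -Object $dp.Name -DialPlan $dp.Name -Detail $detail
        }
    }

    foreach ($aa in $AutoAttendant) {
        $planName = [string]$aa.UMDialPlan
        if (-not $planByName.ContainsKey($planName)) {
            $detail = 'Linked dial plan was not in the supplied list; cannot evaluate.'
            New-UMAuditFinding -Finding 'DialPlanNotFound' -Object $aa.Name -DialPlan $planName -Detail $detail
            continue
        }
        $dp = $planByName[$planName]

        # The page asks for the auto attendant language to equal the dial plan language.
        if ([string]$aa.Language -ne [string]$dp.DefaultLanguage) {
            $detail = "Auto attendant language $($aa.Language) differs from dial plan language $($dp.DefaultLanguage)."
            New-UMAuditFinding -Finding 'LanguageMismatch' -Object $aa.Name -DialPlan $planName -Detail $detail
        }

        # TUI recording is enabled per dial plan, so every linked auto attendant is affected.
        if ($dp.TUIPromptEditingEnabled) {
            $detail = 'Greetings can be re-recorded by phone because the linked dial plan allows it.'
            New-UMAuditFinding -Finding 'TuiPromptEditingInherited' -Object $aa.Name -DialPlan $planName -Detail $detail
        }
    }
}

# Constructed sample data (not real tenant output).
$dialPlans = @(
    [pscustomobject]@{ Name = 'MyUMDialPlan';   DefaultLanguage = 'de-DE'; TUIPromptEditingEnabled = $true  }
    [pscustomobject]@{ Name = 'BranchDialPlan'; DefaultLanguage = 'en-AU'; TUIPromptEditingEnabled = $false }
)
$autoAttendants = @(
    [pscustomobject]@{ Name = 'MyUMAutoAttendant';   Language = 'en-GB'; UMDialPlan = 'MyUMDialPlan'   }
    [pscustomobject]@{ Name = 'BranchAutoAttendant'; Language = 'en-AU'; UMDialPlan = 'BranchDialPlan' }
)

Get-UMPromptAudit -DialPlan $dialPlans -AutoAttendant $autoAttendants |
    Format-Table -AutoSize -Wrap

# Once recording is finished, the same parameter the page uses to enable TUI
# prompt editing can switch it off again (not a step the page itself lists):
#   Set-UMDialPlan -Identity MyUMDialPlan -TUIPromptEditingEnabled $false
```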
Telephone system integration with UM
3/6/2019 • 4 minutes to read

To successfully deploy Unified Messaging (UM), you must have a good understanding of basic telephony concepts
and telephony components. After you understand telephony basics, you can integrate UM into an Exchange
organization. Basic concepts and components include the following:
Circuit-switched and packet-switched networks
Private Branch eXchange (PBX)
IP PBX
Voice over Internet Protocol (VoIP)
VoIP gateways
In an on-premises, hybrid, or Office 365 environment, connecting and configuring the required telephony
components is the most complex and important step in successfully deploying UM, with or without Lync Server
Enterprise Voice. You'll need to connect and configure VoIP gateways, advanced VoIP gateways, PBXs, IP PBXs,
and session border controllers (SBCs) for a traditional telephony network and connect to a telephony network if
you'll be using Microsoft Lync Server and UM.
Planning and deploying a new deployment of UM or upgrading a legacy voice mail system can pose challenges for
organizations. It requires significant knowledge about VoIP gateways, PBXs, IP PBXs, Microsoft Lync Server, and
Unified Messaging. Depending on your technical experience with Exchange and voice mail systems, you might
want to obtain the assistance of a Unified Messaging specialist. An Exchange Unified Messaging specialist will help
make sure that there's a smooth transition from a legacy or third-party voice mail system to Exchange Unified
Messaging.

NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs ended in
July 2018. Please see the Exchange team blog Discontinuation of support for Session Border Controllers in Exchange Online
Unified Messaging for more information.

Integrating your telephony network


Unified Messaging requires that you integrate your Exchange Server deployment with your existing telephony
network or integrate UM with Microsoft Lync Server for your organization. To successfully deploy and manage UM
voice mail you need to make a careful analysis of your existing telephony infrastructure or your Microsoft Lync
Server Enterprise Voice deployment and complete the necessary planning steps.
VoIP gateways
When you're deploying UM in an Exchange organization, you must either install, deploy, and configure a single or
multiple VoIP gateways to connect to the PBXs in your telephony network, or install, deploy, and configure Session
Initiation Protocol (SIP)-enabled PBXs or IP PBXs.
A VoIP gateway is a third-party hardware device that connects a legacy PBX to your LAN. The VoIP gateway lets
the PBX system communicate with the Exchange servers in your organization.
UM relies on the VoIP gateway's ability to translate or convert Time Division Multiplexing (TDM) or circuit-
switched based protocols like ISDN and QSIG from a PBX to IP-based or VoIP-based protocols like SIP, Realtime
Transport Protocol (RTP), or T.38 for Realtime Fax Transport. The VoIP gateway is integral to the functionality and
operation of UM. The VoIP gateway can also connect to PBX systems that use VoIP instead of public switched
telephone network (PSTN) circuit-switched protocols.
Choosing the correct VoIP gateway, IP PBX, SIP-enabled PBX, or SBC is only the first part of integrating your
telephony network with UM. You must configure those devices to work with UM. In both on-premises and hybrid
deployments, you would need to deploy the required Client Access and Mailbox servers, and create and configure
all necessary UM components. For Office 365 with hosted voice mail, you're not required to install and configure
any server. The components allow you to make the connection from your telephony, circuit-switched network to
your IP data network and to enable voice mail for the users in your organization. For details and supported
telephony devices, see the following resources:
Telephony advisor for Exchange 2013
Configuration notes for supported VoIP gateways, IP PBXs, and PBXs
Configuration notes for supported session border controllers
Microsoft Lync Server
Unified Messaging can use Microsoft Lync Server to combine voice messaging, instant messaging, enhanced
presence, audio/video conferencing, and email into a familiar, integrated communications experience. Providing
Enterprise Voice features to the users in your organization by integrating UM and Microsoft Lync Server has the
following benefits:
Enhanced presence notifications across a variety of applications that keep users informed of the availability
of contacts.
Integration of instant messaging, voice messaging, conferencing, email, and other communication modes,
which enables users to select the most appropriate mode for the task. Users can also switch from one mode
to another as needed.
Availability of communications alternatives from any location where an internet connection is available.
A smart client (Microsoft Lync) for telephony, instant messaging, and conferencing.
Continuity of the user experience across multiple devices.
The Exchange UM routing component handles voice mail routing between Lync Server and Exchange servers to
integrate Lync Server with Unified Messaging features. The Exchange UM routing component found in Lync Server
also handles rerouting of voice mail over the PSTN if Exchange servers aren't available. If you have Enterprise
Voice deployed at branch office sites, and those sites don't have a resilient WAN link to a central site, a Survivable
Branch Appliance that you deploy at the branch site provides voice mail for branch users if a WAN link goes down.
When the WAN link is unavailable, the Survivable Branch Appliance does the following:
Reroutes unanswered calls over the PSTN to an Exchange server in the central site.
Provides the ability for a user to retrieve voice messages over the PSTN.
Queues missed call notifications, and then uploads them to the Exchange server when the WAN link is
restored.
For more information about Microsoft Lync Server, see Microsoft Lync Server.
CAUTION

When you're integrating Unified Messaging and Lync Server in an on-premises or hybrid deployment, missed call
notifications aren't available to users who have a mailbox located on Exchange 2007 or Exchange 2010 Mailbox
servers. A missed call notification is generated when a user disconnects before the call is sent to a Mailbox server.
Telephony advisor for Exchange 2013
2/28/2019 • 10 minutes to read

Unified Messaging (UM) requires that you integrate Microsoft Exchange with the existing telephony system for
your organization. A successful deployment requires you to make a careful analysis of your existing telephony
infrastructure and to perform the correct planning steps to deploy Unified Messaging.
The planning phase can be a significant challenge to Exchange administrators who have little or no experience with
a telephony network. To help address this challenge, see the following section Resources to help with your UM
deployment.
The other sections in this topic cover the supported VoIP gateways for Unified Messaging, how to determine
whether your PBX is supported using a specific VoIP gateway model or manufacturer, whether your IP PBX is
supported using a direct SIP connection, and supported session border controllers (SBCs) for Exchange Online
UM.

Resources to help with your UM deployment


It's challenging to create guidelines for deploying telephony networks. They can be very different from one
another because they can include VoIP gateways, IP PBXs, and PBXs with different configuration settings,
firmware, and requirements. However, several resources are available to help you successfully deploy Unified
Messaging:
Unified Messaging specialists: UM specialists are systems integrators who have received technical
training about Exchange Unified Messaging conducted by the Exchange engineering team. To help ensure a
smooth transition to Unified Messaging from legacy voice mail systems, Microsoft recommends that all
customers engage a UM specialist. For contact information, visit Microsoft Exchange Server 2013 Unified
Messaging (UM) Specialists or Microsoft Pinpoint for Unified Messaging.
Configuration Notes for Supported VoIP Gateways, IP PBXs and PBXs: These configuration notes
contain settings and other information that's very useful when you're configuring VoIP gateways, IP PBXs,
and PBXs to communicate with the Unified Messaging servers that are on your network. For more
information, see Configuration notes for supported VoIP gateways, IP PBXs, and PBXs.
Configuration Notes for Supported Session Border Controllers: These configuration notes contain
settings and other information that's very useful when you're configuring session border controllers (SBCs)
to communicate with the Unified Messaging servers in hybrid and Exchange Online UM deployments. For
more information, see Configuration notes for supported session border controllers.

NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will
end in July 2018. Please see the Exchange team blog Discontinuation of support for session border controllers in
Exchange Online unified messaging for more information.

Before you engage a Unified Messaging specialist, you should be able to answer key questions that they'll ask.
Having the answers to the following questions will help make the conversation between you and the UM specialist
productive:
How many existing telephone or voice mail users, or both, are in your organization?
How many users do you intend to provide with Unified Messaging?
Which PBX or PBXs do you intend to use for integration with Unified Messaging?
How many PBXs does your organization have? Specify the vendors, types (circuit- or IP-based), models,
and firmware versions.
Are the PBXs networked, and are they centralized or located in multiple locations?
What voice mail system or systems does your organization currently use? Specify the vendors, types,
models, and firmware versions.
How are the voice mail systems integrated into your PBXs (Analog, T1/E1, PRI, Digital set emulation, VoIP,
other)?
Are you currently using voice networking?
What type of fax system or systems does your organization use, and does the fax system or systems
support inbound fax routing to Exchange?
Does your organization use automated attendants?
Do you need support for phone-only users, that is, users who won't have email access?

Supported VoIP gateways


Integrating Unified Messaging with PBXs requires you to use one or more VoIP gateways to translate the
circuit-switched protocols that are used by TDM-based PBXs to IP-based, packet-switched protocols that are used by
Unified Messaging. VoIP gateway vendors with several models of VoIP and media gateways have been tested and
are supported for Unified Messaging.
Interoperability testing of Unified Messaging with VoIP gateways, IP PBXs, and SBCs is now integrated with the
Microsoft Unified Communications Open Interoperability Program. For more information, see Microsoft Unified
Communications Open Interoperability Program.
The Microsoft Unified Communications Open Interoperability Program qualification program for VoIP gateways,
IP PBXs, and advanced VoIP gateways ensures that customers have a seamless setup and support experience
when they're using qualified telephony VoIP gateways and IP PBXs with Microsoft Unified Communications
software. Only products that meet rigorous and extensive testing requirements and conform to the specifications
and test plans receive qualification.
For details about configuring supported VoIP gateways, IP PBXs, PBXs, and SBCs, see one of the following
resources:
Configuration notes for supported VoIP gateways, IP PBXs, and PBXs
Configuration notes for supported session border controllers
Interoperability was verified for the following VoIP gateway vendors:
AudioCodes
Dialogic
The following table shows the VoIP gateway vendor, the VoIP gateway model, and the protocols that are
supported by each model.
Supported VoIP gateways for Unified Messaging

| VENDOR | MODEL | SUPPORTED PROTOCOLS |
| --- | --- | --- |
| AudioCodes | MediaPack 114/8 FXO | Analog with In-Band DTMF; Analog with SMDI |
| AudioCodes | Mediant 1000 | Analog with In-Band DTMF; Analog with SMDI; BRI Q.SIG; T1/E1 Q.SIG; IP-to-IP |
| AudioCodes | Mediant 2000 | T1/E1 CAS; T1/E1 Q.SIG; IP-to-IP |
| Dialogic | DMG1000PBXDNIW | Digital Set Emulation |
| Dialogic | DMG1000LSW | Analog with In-Band DTMF; Analog with SMDI |
| Dialogic | DMG2000 | T1 CAS; T1/E1 Q.SIG |
| Dialogic | DMG3000 | BRI Q.SIG |
| NET | VX1200 | T1 Q.SIG |
| Sonus | SBC 1000/2000 2.2.1 or later | TDM Signaling (ISDN): AT&T 4ESS/5ESS, Nortel DMS-100, Euro ISDN (ETSI 300-102), QSIG, NTT InsNet (Japan), ANSI National ISDN-2 (NI-2). TDM Signaling (CAS): T1 CAS (E&M, Loop start); E1 CAS (R2) |
| Quintum | Tenor DX Series | T1 Q.SIG |

Supported PBXs when using an AudioCodes VoIP gateway


The following table shows the PBXs that are supported using AudioCodes VoIP gateways, including MediaPack-
114 FXO, MediaPack-118 FXO, and Mediant 2000.
PBXs supported with an AudioCodes VoIP gateway

| PBX MANUFACTURER | PBX MODEL/TYPE | AUDIOCODES MODEL ("X" - REPLACE WITH 4 OR 8 PER NEED; "Y" - REPLACE WITH 1, 2, 4, 8 OR 16 PER NEED) |
| --- | --- | --- |
| Alcatel | OmniPCX 4400 | MediaPack 11x/FXO/AC/SIP-0; Mediant2000/ySpans/SIP |
| Aastra | M1000, M2000 | Mediant2000/ySpans/SIP |
| Avaya | Definity G3 | MediaPack 11x/FXO/AC/SIP-0; Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Avaya | Magix/Merlin | MediaPack 11x/FXO/AC/SIP-0 |
| Avaya | S8300 | MediaPack 11x/FXO/AC/SIP-0; Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Avaya | S8700 | MediaPack 11x/FXO/AC/SIP-0; Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Avaya | IP Office | MediaPack 11x/FXO/AC/SIP-0; Mediant2000/ySpans/SIP |
| Cisco | CallManager 4.x | Mediant1000/IP-to-IP; Mediant2000/IP-to-IP |
| NEC | Electra Elite | MediaPack 11x/FXO/AC/SIP-0 |
| NEC | NEAX2400 | MediaPack 11x/FXO/AC/SIP-0; Mediant2000/ySpans/SIP/RS232 |
| NeXspan | S | MediaPack 11x/FXO/AC/SIP-0 |
| Nortel | Communication Server-1000M, 1000S, 1000E | Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Nortel | Meridian 11c, 51c, 61c, 81c | Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Panasonic | KX-TES824, KX-TEA308 | MediaPack 11x/FXO/AC/SIP-0 |
| Panasonic | KX-TDA30, KX-TDA100, KX-TDA200, KX-TDA600 | MediaPack 11x/FXO/AC/SIP-0 |
| ShoreTel | IP Telephony System | MediaPack 11x/FXO/AC/SIP-0 |
| Siemens | HiCom 150E | MediaPack 11x/FXO/AC/SIP-0 |
| Siemens | HiPath 3550 | MediaPack 11x/FXO/AC/SIP-0 |
| Siemens | HiPath 4000 | MediaPack 11x/FXO/AC/SIP-0; Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |
| Tadiran Telecom | Coral Flexicom, Coral IPX | MediaPack 11x/FXO/AC/SIP-0; Mediant1000/ySpans/SIP; Mediant2000/ySpans/SIP |

Supported PBXs when using a Dialogic VoIP gateway


Each Dialogic VoIP gateway model supports different PBXs. The following tables show the PBX manufacturer and
model and which Dialogic VoIP gateway can be used. Each VoIP gateway uses different signaling methods,
densities, and protocols.
PBXs supported when using a DMG1000 series Media Gateway
The following table shows the PBXs that are supported with the low-density Dialogic Media Gateway (DMG1000).
However, when an analog DMG1000 is used, supplemental signaling (RS232 SMDI, MD110, MCI protocols, or
Inband DTMF signaling) is required.
PBXs supported when using a low-density Dialogic DMG1000 series VoIP gateway

| PBX MANUFACTURER | PBX MODEL/TYPE | DMG MODEL AND ADDITIONAL SIGNALING |
| --- | --- | --- |
| Aastra | Aastra MD110 (formerly Ericsson MD110) | DMG1008LSW; Analog connectivity using the MD110 RS232 protocol |
| Alcatel | Omni PCX 4400 | DMG1008LSW |
| Avaya | Definity G3 S8100, S8300, S8700, and S8710 (Communications Mgr SW V2.0 or later versions) | DMG1008DNIW |
| Intercom | | DMG1008LSW; Analog connectivity using SMDI serial protocol |
| Mitel | SX-200D, SX-200 Light, SX-2000 Light, SX-2000 S, SX-2000 VS, SX-200 ICP | DMG1008MTLDNIW |
| NEC | 2000, 2400, 2400 IPX | DMG1008DNIW |
| Nortel | Meridian 1 - Option 11, 21, 21A, 51, 61, 71, and 81; Meridian SL1 - Generic X11, Release 15 or later versions; Nortel Communication Server - 1000M, 1000S, 1000E with V3.0 or later versions | DMG1008DNIW |
| Nortel | SL 100 | DMG1008LSW; Analog connectivity using SMDI serial protocol |
| Siemens | HiCom 300E CS | DMG1008DNIW |
| Siemens | HiCom 300E (European) | DMG1008LSW; Analog connectivity using Inband DTMF signaling |
| Siemens/ROLM | 8000 (SW release 80003 or later versions); 9000 (All versions); 9751 (All versions of SW release 9005); 9751 (SW release 9006.4 or later versions) | DMG1008RLMDNIW |
| Siemens | HiPath 4000 | DMG1008LSW |
| Toshiba | CTX (SW version AR1ME021.00) | DMG1008LSW |
| Others | Various | DMG1008LSW; Analog connectivity using either Inband DTMF or SMDI |

PBXs supported when using a DMG 2000 series Media Gateway


The following table shows the PBXs that are supported with the T1/E1 Dialogic Media Gateway (DMG2000). The
DMG2000 gateway, which comes in single span (DMG2030DTIQ), dual span (DMG2060DTIQ), or quad span
(DMG2120DTIQ) densities, supports the following protocols:
T1 CAS
T1 Q.SIG
E1 Q.SIG
T1 NI-2
T1 5ESS
T1 DMS100
If Channel Associated Signaling (CAS) signaling is used, supplemental signaling (RS232 SMDI, MD110, MCI
protocols, or Inband DTMF signaling) is required. If Q.SIG signaling is used, the PBX must support the
supplemental services that are associated with calling and called party information and the call transfer capabilities
required by Unified Messaging.
PBXs supported with the DMG2000 Media Gateway

| PBX MANUFACTURER | PBX MODEL/TYPE | REQUIRED SOFTWARE VERSION | PROTOCOL AND ADDITIONAL SIGNALING |
| --- | --- | --- | --- |
| Alcatel | Omni PCX 4400 | Version 3.2.712.5 | T1 Q.SIG; E1 Q.SIG |
| Avaya | Definity G3 | Version 3 or later | T1 CAS |
| Avaya | S8500 | Manager SW V2.0 or later versions | T1 CAS; T1 Q.SIG; E1 Q.SIG |
| Ericsson | MD110 | Release MX1 TSW R2A (BC13) | E1 Q.SIG |
| Intercom | | | CAS (w/ SMDI serial protocol) |
| NEC | 2400 IMX | Release 5200 Dec. 92 1b or later versions | CAS (w/ MCI serial protocol) |
| NEC | 2400 IPX | R17 Release 03.46.001 | T1 Q.SIG |
| Nortel | Meridian 1 - Option 11 | Release 15 or later versions, and options 19 and 46 are required | T1 Q.SIG; E1 Q.SIG |
| Nortel | Communication Server 1000 | Version 2121, Release 4 | T1 Q.SIG; E1 Q.SIG |
| Siemens | HiCom 300E CS | Release 9006.4 or later (Note: North American software load only) | T1 CAS |
| Siemens | HiPath 4000 | V2 SMR 9 SMPO | T1 Q.SIG; E1 Q.SIG |
| Mitel | SX-2000 S, SX-2000 VS | LW 34 | T1 Q.SIG; E1 Q.SIG |
| Mitel | 3300 | Version 5.1.4.8 | T1 Q.SIG; E1 Q.SIG |

PBXs supported when using a DMG4008BRI series Media Gateway


The DMG4000 series Media Gateway comes with several TDM interface options. The DMG4008BRI supports
4-port/8-channel densities and supports the following protocols:
ISDN BRI Q.SIG
ETSI-DSS1 (Euro ISDN)
NET 3 (Belgium)
VN3 (France)
1TR6 (Germany)
INS-64 (Japan)
5ESS Custom (North America - AT&T)
National ISDN (NI1 - North America)
The following table shows the PBXs that are supported using a Dialogic 4000 Media Gateway Series (DMG4008).
PBXs supported using a DMG4008BRI Media Gateway

| PBX MANUFACTURER | PBX MODEL/TYPE | REQUIRED SOFTWARE VERSION | PROTOCOL AND ADDITIONAL SIGNALING |
| --- | --- | --- | --- |
| Siemens | HiCom 300 | SA300-V3.05 | BRI-Q.SIG (ECMAV2) |
| Siemens | HiPath 4000 | S.0 B4400 | BRI-Q.SIG (ECMAV2) |

Supported IP PBXs
IP PBXs are also supported by Unified Messaging. The following table shows the IP PBXs that are supported
using a direct SIP connection to Unified Messaging.
IP PBXs supported when using a direct SIP connection

| PBX MANUFACTURER | PBX MODEL/TYPE | REQUIRED SOFTWARE VERSION |
| --- | --- | --- |
| Aastra | MX-ONE | 4.0 |
| Avaya | Aura | 5.2.1 with Service Pack 5 (SP5) |
| Avaya | Communication Server 2100 | CS2100 SE13 |
| Cisco | Call Manager, Unified Communications Manager | 5.1, 6.x, 7.0 and 8.0 |

IP PBXs supported when using SIP media gateways


IP PBXs using SIP media gateways are also supported by Unified Messaging. The following table shows the IP
PBXs that are supported using IP to IP capabilities of SIP media gateways to connect to Unified Messaging.
IP PBXs supported when using a SIP media gateway

| PBX MANUFACTURER | PBX MODEL/TYPE | SIP GATEWAY MODEL |
| --- | --- | --- |
| Cisco | Call Manager 4.x | AudioCodes Mediant 1000/2000 (IP-to-IP enabled) |

Exchange Unified Messaging, Office Communications Server 2007 R2, and Microsoft Lync Server
For on-premises and hybrid deployments, Exchange Unified Messaging can be deployed together with Microsoft
Office Communications Server 2007 R2, Microsoft Lync Server 2010 or Lync Server 2013 to provide voice
messaging, Instant Messaging (IM), enhanced user presence, audio-video conferencing, and an integrated email
and messaging experience for users in your organization. For more information, see:
Integrate Exchange 2013 UM with Lync Server
Microsoft Lync Server 2013
To find out more about the Microsoft Unified Communications Open Interoperability Program for enterprise
telephony infrastructure, including finding qualified SIP PSTN gateways and IP PBXs and the process for
telephony infrastructure vendors to join and participate in the program, see Microsoft Unified Communications
Open Interoperability Program.
Configuration notes for supported VoIP gateways, IP PBXs, and PBXs
2/28/2019 • 6 minutes to read

This page provides links to configuration notes that have been created and tested by Microsoft or a VoIP gateway
partner. When Microsoft or a partner deploys Unified Messaging with a new VoIP gateway and PBX or IP PBX
configuration, the prerequisites and configuration settings are documented. This information is used to create a
configuration note.
Each PBX configuration note contains information about how to deploy Unified Messaging with a specific
telephony configuration, and includes the manufacturer, model, and firmware version for the VoIP gateways, IP
PBXs, or PBXs. In addition, each PBX configuration note includes other information, such as:
Contributors in authoring the configuration note.
Detailed prerequisites, including the following:
Features that have to be enabled or disabled on the PBX.
Specialized hardware that has to be installed.
Whether a VoIP gateway is required.
Features that must be present on the VoIP gateway, if one is needed.
Specific cabling requirements between an IP gateway and a PBX.
A list of Unified Messaging features that may not be available with a given telephony configuration.
To find out more about the Microsoft Unified Communications Open Interoperability Program for enterprise
telephony infrastructure, including finding qualified SIP PSTN gateways and IP PBXs and the process telephony
infrastructure vendors can use to join and participate in the program, see Microsoft Unified Communications
Open Interoperability Program.

VoIP gateway, IP PBX, and PBX configuration notes


Microsoft is working with VoIP gateway partners, AudioCodes and Dialogic, to add to the list of PBXs that are
tested. Because we are currently testing many combinations of telephony components, this topic is updated
frequently. Please check back if you can't locate the appropriate configuration note for your deployment.
Aastra

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| Aastra MD110 (formerly Ericsson MD110) | MX1 TSW R2A (aka BC13) | Analog - Serial MD110 | Dialogic | DMG1008LSW | Dialogic |
| Aastra MD110 (formerly Ericsson MD110) | MX1 TSW R2A (aka BC13) | E1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| Aastra MX-ONE | 4.0 | Direct SIP Connection | N.A. | N.A. | Aastra |

Alcatel

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| OmniPCX 4400 | R4.2-d2.304-4-h-il-c6s2 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |

Avaya

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| Aura | Communication Manager 5.2.1 with SP 5; Session Manager 5.2. | Direct SIP Connection | N.A. | N.A. | Avaya |
| CS 2100 | CS 2100 SE13 | Direct SIP Connection | N.A. | N.A. | Avaya |
| Definity G3 | R009i.05.122.4 | Digital Set Emulation (DNI7434) | Dialogic | DMG1008DNIW | Dialogic |
| Definity G3 | R013i.01.1.628.7 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| Definity G3 | R013i.01.1.628.7 | T1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |
| Definity G3 | R013i.01.1.628.7 | T1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| Definity G3 | R013i.01.1.628.7 | E1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| Merlin Magix | Release 1.5 v.6.0 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| S8300 | G3xV11 Communication Manager 1.3 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| S8300 | R013x.01.2.632.1 | T1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |
| S8300 | R013x.01.2.632.1 | E1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| S8500 | Communication Manager 3.0 (R013x00.1.346.0) | E1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| S8500 | Communication Manager 3.0 (R013x00.1.346.0) | T1 CAS - In-Band DTMF | Dialogic | DMG2030DTIQ | Dialogic |
| S8500 | Communication Manager 3.0 (R013x00.1.346.0) | T1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| S8700 | R011x.02.0.110.4 | E1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |

Cisco

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| Cisco Call Manager 4.x | 4.x | IP-to-IP | AudioCodes | AudioCodes | AudioCodes |
| Cisco Call Manager 5.1 | 5.1.0.9921-12 | Direct SIP Connection | N.A. | N.A. | Microsoft |
| Cisco Unified Communications Manager 6.0 and 6.1 | 6.x | Direct SIP Connection | N.A. | N.A. | Microsoft |
| Cisco Unified Communications Manager 7.0 | 7.0.2.20000-5 | Direct SIP Connection | N.A. | N.A. | Microsoft |
| Cisco Unified Communications Manager 8.0 | 8.0.3.20000-5 | Direct SIP Connection | N.A. | N.A. | Microsoft |

Inter-Tel

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| 5000 | Inter-Tel 5000 v2.1 | T1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |
| Axxess | Axxess V9.0 | T1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |

Intecom

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| PointSpan M6880 | 40PS3.5.K.2 | T1 CAS - SMDI | AudioCodes | Mediant 2000 | AudioCodes |

Mitel

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| 3300 | 5.1.4.8 | E1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| 3300 | 5.1.4.8 | T1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| SX2000 | 5.0.24 | Digital Set Emulation (DNISS430) | Dialogic | DMG1008MTLDNIW | Dialogic |
| 3300 | 7 | T1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |

NEC

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| Electra Elite 192 | SP034V4.5 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| NEAX2400IMX | version 7400 | T1 CAS - serial MCI | Dialogic | DMG2030DTIQ | Dialogic |
| NEAX2400IMX & IPX | version 7400 | Digital Set Emulation (DNIDtermIII) | Dialogic | DMG1008DNIW | Dialogic |
| NEAX2400IPX | Ver. R18.06.24.000 | T1 CAS - serial MCI | AudioCodes | Mediant 2000 | AudioCodes |
| NEAX2400IPX | Ver. R18.06.24.000 | Analog - serial MCI | AudioCodes | MP-11x FXO | AudioCodes |
| NEAX2400IPX | Ver.17 Rel.03.46.001 | T1 Q.SIG - serial MCI | Dialogic | DMG2030DTIQ | Dialogic |

NeXspan

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| S | RMS1 version R1.3 E1TA | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |

Nortel

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| CS1000 | 3.0 & 4.5 | E1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| Meridian 81C | 4.5 | E1 Q.SIG | AudioCodes | Mediant 2000 | AudioCodes |
| Meridian 81C | 4.5 | T1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| Option11c | Release 25 | Digital Set Emulation (DNI2616) | Dialogic | DMG1008DNIW | Dialogic |
| Option11c | Release 25 | T1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| Option11c | Release 25 | E1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |
| CS-1000M (Succession) | Release 25.40 | E1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |

Panasonic

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| KX-TDA200 | 001-001 | Analog - In-Band DTMF | AudioCodes | Mediant 1000 | AudioCodes |
| KX-TDA200 | 3 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| KX-TES824 | 2.0.2 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |

Rolm

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| 9751 | 9005 | Digital Set Emulation (DNIRP400) | Dialogic | DMG1008RLMDNIW | Dialogic |

ShoreTel

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| IP Telephony System | 6.1 | Analog - SMDI | AudioCodes | MP-11x FXO | AudioCodes |
| IP Telephony System | 7.5 | Analog - SMDI | AudioCodes | Mediant 1000 | AudioCodes |

Siemens

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| HiCom 150E | Rel. 2.2 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| HiCom 300 | SA300-V3.05 | BRI QSIG | Dialogic | DMG3000 | Dialogic |
| HiCom 300 | 9006.4SMR3 | Digital Set Emulation (DNIOptiset) | Dialogic | DMG1008DNIW | Dialogic |
| HiCom 300 | 9006.4SMR3 | T1 CAS - In-Band DTMF | Dialogic | DMG2030DTIQ | Dialogic |
| HiPath 3550 | Rel. 3 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| HiPath 4000 | Ver 3.0 SMR5 SMP4 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| HiPath 4000 | SA300-V3.05 | BRI QSIG | Dialogic | DMG3000 | Dialogic |
| HiPath 4000 | Ver 3.0 SMR5 SMP4 | T1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| HiPath 4000 | Version 2.0 SMR9 SMP0 | Analog - In-Band DTMF | Dialogic | DMG1008LSW | Dialogic |
| HiPath 4000 | Version 2.0 SMR9 SMP0 | T1 Q.SIG | Dialogic | DMG2030DTIQ | Dialogic |

Sonus

| VOIP GATEWAY MODEL | VOIP GATEWAY SOFTWARE RELEASE | SUPPORTED PROTOCOLS | CONFIGURATION AUTHOR |
| --- | --- | --- | --- |
| SBC 1000/2000 | 2.2.1 or later | TDM Signaling (ISDN): AT&T 4ESS/5ESS, Nortel DMS-100, Euro ISDN (ETSI 300-102), QSIG, NTT InsNet (Japan), ANSI National ISDN-2 (NI-2). TDM Signaling (CAS): T1 CAS (E&M, Loop start); E1 CAS (R2) | Sonus |

Tadiran

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| Coral Flexicom | 14.67.49 | Analog - In-Band DTMF | AudioCodes | MP 11x FXO | AudioCodes |
| Coral Flexicom | 14.67.49 | BRI QSIG | AudioCodes | Mediant 1000 | AudioCodes |
| Coral Flexicom | 14.67.49 | E1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |
| Coral Flexicom | 14.67.49 | E1 Q.SIG | AudioCodes | Mediant 1000/2000 | AudioCodes |
| Coral IPX | 14.67.49 | Analog - In-Band DTMF | AudioCodes | MP-11x FXO | AudioCodes |
| Coral IPX | 14.67.49 | BRI QSIG | AudioCodes | Mediant 1000 | AudioCodes |
| Coral IPX | 14.67.49 | E1 CAS - In-Band DTMF | AudioCodes | Mediant 2000 | AudioCodes |
| Coral IPX | 14.67.49 | E1 QSIG | AudioCodes | Mediant 1000/2000 | AudioCodes |

Toshiba

| PBX MODEL | PBX SOFTWARE RELEASE | PROTOCOL | GATEWAY VENDOR | GATEWAY MODEL | CONFIGURATION AUTHOR |
| --- | --- | --- | --- | --- | --- |
| CTX | AR1ME021.00 | Analog - SMDI | Dialogic | DMG1008LSW | Dialogic |
| CTX | AR1ME021.00 | Analog - In-Band DTMF | Dialogic | DMG1008LSW | Dialogic |

Configuration notes for supported session border controllers
2/28/2019 • 2 minutes to read

Session border controllers (SBCs) enable you to connect your on-premises telephony network to a Microsoft
datacenter over a dedicated public WAN connection. An SBC sits on the edge of your on-premises IP network and
connects to a second SBC in a Microsoft datacenter.
SBCs require the use of digital certificates to encrypt all traffic between your on-premises organization and the
Microsoft datacenter. You must obtain a digital certificate for the network border element, such as a session border
controller, that you're using to communicate with Exchange hybrid and online deployments. Digital certificates
establish trust between your on-premises organization and the Microsoft datacenter and enable mutual Transport
Layer Security (mutual TLS). After this trust is established, the network border elements at your on-premises
organization and at the Microsoft datacenter exchange session keys, and use these keys to encrypt the subsequent
data traffic.
In hybrid or online deployments, a UM IP gateway represents an SBC. The subject common name in the
certificate must match the fully qualified domain name (FQDN) value in the Address box on the UM IP gateway
that you create. For example, if you specify the FQDN address sbcexternal.contoso.com on your UM IP gateway,
make sure that the subject name and subject alternative name in the certificate contain the same value:
sbcexternal.contoso.com. The name that you use is case-sensitive, so make sure the case is the same on both the
certificate and the UM IP gateway. If you're using an Acme Packet SBC and the common name doesn't match the
UM IP gateway's FQDN, the call will be rejected with a 403 error.
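
The following Python check is an added example, not part of the original documentation. It applies the rule above before deployment: the subject common name and the subject alternative name must both contain the UM IP gateway FQDN, compared case-sensitively. The certificate is passed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificates are constructed for illustration.

```python
"""Check an SBC certificate against the FQDN set on the UM IP gateway.

Added example. Certificates use the dict shape that Python's
ssl.SSLSocket.getpeercert() returns; all sample data below is constructed.
"""


def subject_common_names(cert):
    """Return every commonName value found in the certificate subject."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def san_dns_names(cert):
    """Return every DNS entry in the subject alternative name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_gateway_certificate(cert, gateway_fqdn):
    """Compare certificate names with the UM IP gateway Address value.

    The comparison is exact (case-sensitive), unlike ordinary TLS hostname
    matching, because the page states the name is case-sensitive.
    Returns (ok, findings); findings is a list of human-readable problems.
    """
    findings = []
    sources = (
        ("subject common name", subject_common_names(cert)),
        ("subject alternative name", san_dns_names(cert)),
    )
    for label, names in sources:
        if gateway_fqdn in names:
            continue  # exact, case-sensitive match found
        case_only = [n for n in names if n.lower() == gateway_fqdn.lower()]
        if case_only:
            findings.append(
                f"{label} {case_only[0]!r} differs from {gateway_fqdn!r} only by case"
            )
        elif names:
            findings.append(f"{label} {names} does not contain {gateway_fqdn!r}")
        else:
            findings.append(f"certificate has no {label}")
    return (not findings, findings)


# Constructed sample certificates (not real certificates).
GOOD_CERT = {
    "subject": (
        (("organizationName", "Contoso"),),
        (("commonName", "sbcexternal.contoso.com"),),
    ),
    "subjectAltName": (("DNS", "sbcexternal.contoso.com"),),
}
CASE_CERT = {
    "subject": ((("commonName", "SBCExternal.contoso.com"),),),
    "subjectAltName": (("DNS", "SBCExternal.contoso.com"),),
}
WRONG_NAME_CERT = {
    "subject": ((("commonName", "sbc01.contoso.com"),),),
    "subjectAltName": (("DNS", "sbc01.contoso.com"),),
}
NO_SAN_CERT = {
    "subject": ((("commonName", "sbcexternal.contoso.com"),),),
}

if __name__ == "__main__":
    gateway_address = "sbcexternal.contoso.com"  # value from the UM IP gateway Address box
    samples = {
        "good": GOOD_CERT,
        "case mismatch": CASE_CERT,
        "wrong name": WRONG_NAME_CERT,
        "no SAN": NO_SAN_CERT,
    }
    for name, cert in samples.items():
        ok, findings = check_gateway_certificate(cert, gateway_address)
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
        for finding in findings:
            print(f"  - {finding}")
```

The case-only mismatch is the one worth checking explicitly, because a standard hostname comparison treats DNS names as case-insensitive and would not flag it.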

NOTE
Because SBCs are designed to sit on the network edge, they also function as a firewall. If you set up an SBC behind your
organization's firewall, it can cause configuration problems and is unsupported for connecting to Office 365.

Supported session border controllers


The following SBCs have been successfully tested for interoperability with Exchange hybrid and online
deployments. Note that the capabilities and compatibilities of SBCs can vary, and the way you set them up can be
different depending on other equipment on your network. Consult with the SBC manufacturer to see whether
there are specific configuration notes for Unified Messaging in a hybrid or online deployment.

NOTE
Exchange Online UM support for third-party PBX systems via direct connections from customer operated SBCs will end in
July 2018. Please see the Exchange team blog Discontinuation of support for session border controllers in Exchange Online
unified messaging for more information.

| VENDOR | MODEL | CONFIGURATION NOTES | COMMENTS |
| --- | --- | --- | --- |
| Acme Packet | Net-Net 3820 or 4500 | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC |
| AudioCodes | Mediant 1000B MSBG | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC |
| AudioCodes | Mediant 1000B MSBG | Contact the hardware vendor for up to date instructions on how to set up their device. | SBC and IP gateway |
| Cisco | ASR 1000. Note: Must have IOS 15.4(3)S3 or later installed. | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC |
| Ingate | SIParator | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC |
| NET | VX1200 & VX1800 | Contact the hardware vendor for up to date instructions on how to set up their device. | SBC option for a VoIP gateway product |
| Sonus | SBC 1000/2000 2.2.1 or later | Contact the hardware vendor for up to date instructions on how to set up their device. | Dedicated SBC |

Connect your voice mail system to your telephone network
2/28/2019 • 2 minutes to read

After you've deployed all the required telephony equipment for your organization, including your VoIP gateways,
IP PBXs, and SIP-enabled PBXs or Microsoft Lync Server, you need to create all the Unified Messaging (UM)
components that will enable your telephony devices to communicate with servers in your organization.

UM components
The UM components enable the integration of Unified Messaging into your directory structure and your existing
telephony infrastructure. Your directory stores all the components and settings for UM. Each UM component is
necessary to support Unified Messaging. Some UM components are created to represent a telephony hardware
device. Others are created to represent a telephony dial plan for an organization or to support a specific feature of
Unified Messaging.
There's a tightly integrated and interconnected relationship between the UM components and the features
available in Unified Messaging. To successfully plan and deploy Unified Messaging in your organization, you need
to fully understand the relationship between each UM component and the others.
For more information about the UM components, see:
UM dial plans [ONP]
UM IP gateways
UM hunt groups
Automatically answer and route incoming calls
For more information about setting up voice mail for users, see:
UM mailbox policies
Voice mail for users
UM dial plans [ONP]
2/28/2019 • 11 minutes to read

Unified Messaging (UM) dial plans are the main component of Unified Messaging and are required to successfully
deploy Unified Messaging voice mail on your network. The following sections discuss UM dial plans and how
they're used in a UM deployment.

Overview of UM dial plans


A UM dial plan represents a set of Private Branch eXchanges (PBXs) or IP PBXs that share common user extension
numbers. All users' extensions hosted on PBXs or IP PBXs within a dial plan contain the same number of digits.
Users can dial one another's telephone extensions without appending a special number to the extension or dialing
a full telephone number.
A UM dial plan mirrors a telephony dial plan. A telephony dial plan is configured on PBXs or IP PBXs.
In Unified Messaging, the following UM dial plan topologies can exist:
A single dial plan that represents a subset of extensions or all extensions for an organization with one PBX
or IP PBX.
A single dial plan that represents a subset of extensions or all extensions for an organization with multiple
networked PBXs or IP PBXs.
Multiple dial plans that represent a subset of extensions or all extensions for an organization with one PBX
or IP PBX.
Multiple dial plans that represent a subset of extensions or all extensions for an organization with multiple
PBXs or IP PBXs.
Users who belong to the same dial plan have these characteristics:
An extension number that uniquely identifies the user mailbox in the dial plan.
The ability to call or send voice messages to other members in the dial plan using only the extension
number.
For more information about how to enable a user for Unified Messaging, see Enable a user for voice mail.
UM dial plans are used in Unified Messaging to make sure that user telephone extensions are unique. In some
telephony networks, multiple PBXs or IP PBXs exist. In these telephony networks, there could be two users who
have the same telephone extension number. UM dial plans resolve this situation. Putting the two users into two
separate UM dial plans makes their extensions unique.

How dial plans work


When you integrate a telephony network with Unified Messaging, there must be one or more hardware devices
called Voice over IP (VoIP) gateways or IP PBXs that connect your telephony network to your IP-based packet
switched network. VoIP gateways convert circuit-switched protocols from a PBX found in a telephony network to a
data-switched protocol such as IP. IP PBXs also convert circuit-switched protocols to a data-switched protocol.
Session Border Controllers (SBCs) enable you to connect two IP-based networks together over a public or private
WAN and are found in UM hybrid or online deployments. Each VoIP gateway, IP PBX, or Session Border
Controller (SBC) in your organization is represented by a UM IP gateway. For more information about UM IP
gateways, see UM IP gateways.
Unified Messaging requires that you create at least one UM dial plan. Whether you create one or more dial plans,
all the Exchange servers in your organization will answer incoming calls. There must also be a single or multiple
UM IP gateways associated with the dial plan. In on-premises and hybrid deployments, after you install your
Exchange servers and associate a UM IP gateway, all the Exchange servers will answer incoming calls for all dial
plans. However, for on-premises or hybrid deployments, when you're integrating Exchange and Lync Server, you
must create SIP URI dial plans.

IMPORTANT
Each time you create a UM dial plan, a default UM mailbox policy is also created. The UM mailbox policy is named <Dial Plan
Name> Default Policy. This UM mailbox policy can be deleted or configured differently.

When you create the first UM IP gateway and specify a UM dial plan at the time you create it, a default UM hunt
group is also created. Creating these components enables the Exchange servers to receive calls from a VoIP
gateway, IP PBX, or SBC and then process those incoming calls for users who are associated with the UM dial plan.
In on-premises or hybrid deployments, when a call comes in to the VoIP gateway, IP PBX, or SBC, it forwards the
call to a Client Access server. The Client Access server then forwards the call to a Mailbox server and the Mailbox
server tries to match the extension number of the user to the associated UM dial plan.

Types of dial plans


A Uniform Resource Identifier (URI) is a string of characters (numbers or alphabetic) that's used to identify or
name a resource. In Unified Messaging, the main purpose of a URI is to enable VoIP devices to communicate with
other devices using specific protocols. A URI defines the naming and numbering format or scheme used for the
calling and called party information contained within a Session Initiation Protocol (SIP) header for an incoming or
outgoing call.
The types of UM dial plans you create in Unified Messaging will depend on the URI types supported by the VoIP
gateways or IP PBXs in your organization. The URI type is the type of string that's sent from the PBX or IP PBX.
When you create a dial plan, you should know the specific URI types that are supported by your PBXs or IP PBXs.
There are three formats or URI types that can be configured on UM dial plans:
Telephone Extension (TelExtn)
SIP URI
E.164
By default, each time you create a dial plan in Unified Messaging, the dial plan will be created to use the telephone
extension URI type. After you create a dial plan, you won't be able to change the URI type. You must delete the
existing dial plan and create another one with the correct URI type.
Telephone Extension URI type
The Telephone Extension URI type is the most common type of UM dial plan and is used with IP PBXs and PBXs.
When you configure a telephone extension (TelExtn) dial plan, the VoIP gateways, PBXs, and IP PBXs you use must
support the TelExtn URI type. Today, most PBXs and IP PBXs support this URI type.
When a call is received by a PBX and the UM-enabled user isn't available to answer the call, the PBX will forward
the call to a VoIP gateway. The VoIP gateway, or the IP PBX if one is used, will translate the call from a
circuit-based protocol to an IP-based protocol. In the header for the SIP packet received from the VoIP gateway or IP
PBX, the calling and called party information will be listed in one of the following formats:
Tel:512345
512345@<IP address>
The telephone extension (TelExtn) format used is based on the configuration of the VoIP gateway or IP PBX.
SIP URI type
Session Initiation Protocol (SIP) is a standard protocol for initiating interactive user sessions that involve
multimedia elements such as video, voice, chat, and gaming. SIP is a request-to-response based protocol that
answers requests from clients and responses from servers. Clients are identified by SIP URIs. Requests can be sent
through any transport protocol, such as UDP or TCP. SIP determines the endpoint to be used for the session by
selecting the communication media and media parameters.
When you create a new dial plan, you have the option of creating a SIP URI dial plan if your environment has
Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server deployed. You can also create a SIP
URI dial plan if your organization has IP PBXs or SIP-enabled PBXs. In the latter case, your organization must also
support SIP URIs and SIP routing.
A SIP URI is a user's SIP phone number. The SIP URI resembles an email address and is written in the following
format: sip:<username>@<domain or IP address>:Port. When a SIP-enabled IP PBX or PBX is used to send a call
to the Exchange servers, the device will send the SIP URI for the calling and called party in the SIP header and will
not include extension numbers.
E.164 URI type
E.164 is a standard numbering format that defines the international public telecommunication numbering plan
used in the Public Switched Telephone Network (PSTN) and some data networks. E.164 defines the format of
telephone numbers. E.164 numbers can have a maximum of 15 digits and are usually written with a plus sign (+)
before the digits of the telephone number. To dial an E.164-formatted telephone number from a telephone, the
appropriate international call prefix must be included in the number dialed. In an E.164 numbering plan for public
telephone systems, each assigned number contains a country code (CC), a national destination code (NDC), and a
subscriber number (SN).
When you create a new dial plan, you have the option to create an E.164 dial plan. However, if you create and
configure an E.164 dial plan, the PBXs and IP PBXs must support E.164 routing. The SIP header received from a
VoIP gateway associated with an E.164 dial plan will include the E.164-formatted telephone number and
information about the calling and called party and will be listed in the following format: Tel:+14255550123. For
Exchange Online deployments with Exchange Unified Messaging and Lync Server, you must use correctly
formatted E.164 numbers for Outlook Voice Access and auto attendant numbers.
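
The three formats above can be told apart mechanically, which helps when checking what a gateway actually sends against the dial plan type you intend to create. The following is an added example, not code from the original documentation or from Microsoft; the function name Get-UMUriTypeGuess, its output object, and the sample values are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. The function name and the output
# object are assumptions made for this illustration.
function Get-UMUriTypeGuess {
    [CmdletBinding()]
    param(
        # Calling or called party value taken from a SIP header.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$PartyString,

        # Extension length configured on the dial plan (1 through 20).
        [ValidateRange(1, 20)]
        [int]$NumberOfDigits = 6
    )
    process {
        $value   = $PartyString.Trim()
        $uriType = 'Unknown'
        $note    = 'Matches none of the three formats.'

        # -match is case-insensitive, so Tel:, tel: and TEL: are all accepted.
        if ($value -match '^tel:\+(\d+)$') {
            # E.164: a plus sign followed by at most 15 digits (CC + NDC + SN).
            $digits = $Matches[1]
            if ($digits.Length -le 15) {
                $uriType = 'E164'
                $note    = "$($digits.Length) digits after the plus sign."
            }
            else {
                $uriType = 'Invalid'
                $note    = "E.164 allows at most 15 digits; found $($digits.Length)."
            }
        }
        elseif ($value -match '^tel:(\d+)$' -or $value -match '^(\d+)@\S+$') {
            # Telephone extension: Tel:512345 or 512345@<IP address>.
            $uriType   = 'TelExtn'
            $extension = $Matches[1]
            if ($extension.Length -eq $NumberOfDigits) {
                $note = 'Extension length matches the dial plan.'
            }
            else {
                $note = "Extension has $($extension.Length) digits; the dial plan expects $NumberOfDigits."
            }
        }
        elseif ($value -match '^sip:([^@\s]+)@([^:\s]+)(?::(\d+))?$') {
            # SIP URI: sip:<username>@<domain or IP address>:Port (port optional here).
            $uriType = 'SipName'
            $note    = 'SIP address; no extension number is carried.'
        }

        [pscustomobject]@{
            Input   = $value
            UriType = $uriType
            Note    = $note
        }
    }
}

# Constructed sample values (not captured traffic).
$samples = @(
    'Tel:512345'
    '512345@192.0.2.10'
    'sip:tsmith@contoso.example:5061'
    'Tel:+14255550123'
    'Tel:+1425555012345678'
    'Tel:5123'
)
$samples | Get-UMUriTypeGuess -NumberOfDigits 6 | Format-Table -AutoSize
```

Because the URI type can't be changed after a dial plan is created, running a check like this against values observed from the gateway before creating the dial plan avoids a delete and re-create cycle.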

VoIP security
Exchange servers communicate with VoIP gateways, IP PBXs, and other Exchange computers in either Unsecured,
SIP secured, or Secured mode, depending on how the UM dial plan is configured. In on-premises and hybrid
deployments, Client Access and Mailbox servers can operate in any mode configured on a dial plan because the
servers listen on TCP port 5060 for Unsecured requests and TCP port 5061 for Secured requests at the same time
if they're configured to start in dual mode. Client Access and Mailbox servers answer all incoming calls for all UM
dial plans, but these dial plans can have different VoIP security settings.
In on-premises and hybrid deployments, by default, when you create a UM dial plan, it will communicate in
Unsecured mode, and the Client Access and Mailbox servers will send and receive data from VoIP gateways, IP
PBXs, and SBCs without using encryption. In Unsecured mode, neither the Realtime Transport Protocol (RTP)
media channel nor the SIP signaling information is encrypted. You can use the Get-UMDialPlan cmdlet in
Exchange Online PowerShell to determine the security setting for a specific UM dial plan.
In on-premises and hybrid deployments, you can configure a Client Access and Mailbox server to use mutual
Transport Layer Security (mutual TLS) to encrypt the SIP and RTP traffic sent and received from other devices and
servers. When you configure the dial plan to use SIP secured mode, only the SIP signaling traffic will be encrypted,
and the RTP media channels will still use TCP, which isn't encrypted. However, when you configure the dial plan to
use Secured mode, both the SIP signaling traffic and the RTP media channels are encrypted. An encrypted
signaling media channel that uses Secure Realtime Transport Protocol (SRTP) also uses mutual TLS to encrypt the
VoIP data.
You can configure the VoIP security mode either when you're creating a new dial plan or after you've created a dial
plan using the EAC or the Set-UMDialPlan cmdlet in Exchange Online PowerShell. When you configure the UM
dial plan to use SIP secured or Secured mode, Client Access and Mailbox servers will encrypt the SIP signaling
traffic or the RTP media channels or both. However, to be able to send encrypted data to and from Exchange
servers, you must correctly configure the UM dial plan, and VoIP devices such as VoIP gateways, IP PBXs, and
SBCs must support mutual TLS.
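
Since new dial plans default to Unsecured mode, it is worth listing which dial plans still leave signaling or media unencrypted. The following is an added example, not code from the original documentation or from Microsoft; the function name Get-UMDialPlanSecurityFinding and the sample objects are assumptions, while Name and VoIPSecurity are properties of the objects that Get-UMDialPlan returns.

```powershell
# Added example, not Microsoft's code. Function name and output shape are
# assumptions; Name and VoIPSecurity are properties of Get-UMDialPlan output.
function Get-UMDialPlanSecurityFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$VoIPSecurity
    )
    process {
        # Map each mode to what the documentation says it encrypts.
        switch ($VoIPSecurity) {
            'Unsecured'  { $sip = $false; $rtp = $false }
            'SIPSecured' { $sip = $true;  $rtp = $false }
            'Secured'    { $sip = $true;  $rtp = $true }
            default {
                Write-Warning "Dial plan '$Name' reports an unrecognized mode: $VoIPSecurity"
                return
            }
        }

        $finding = if (-not $sip) {
            'SIP signaling and RTP media are sent unencrypted.'
        }
        elseif (-not $rtp) {
            'SIP signaling is encrypted; RTP media is not.'
        }
        else {
            'SIP signaling and RTP media are both encrypted.'
        }

        [pscustomobject]@{
            DialPlan          = $Name
            VoIPSecurity      = $VoIPSecurity
            SipEncrypted      = $sip
            RtpEncrypted      = $rtp
            # SIP secured and Secured both depend on mutual TLS support
            # on the VoIP gateway, IP PBX, or SBC.
            RequiresMutualTls = $sip
            Finding           = $finding
        }
    }
}

# Constructed sample objects standing in for Get-UMDialPlan output.
$sampleDialPlans = @(
    [pscustomobject]@{ Name = 'HQ-TelExtn'; VoIPSecurity = 'Unsecured' }
    [pscustomobject]@{ Name = 'Branch-SIP'; VoIPSecurity = 'SIPSecured' }
    [pscustomobject]@{ Name = 'Lync-SIP';   VoIPSecurity = 'Secured' }
)

# Report every dial plan whose media channel is still unencrypted.
$sampleDialPlans |
    Get-UMDialPlanSecurityFinding |
    Where-Object { -not $_.RtpEncrypted } |
    Format-Table DialPlan, VoIPSecurity, Finding -AutoSize

# Against a live session, replace the sample with:
#   Get-UMDialPlan | Get-UMDialPlanSecurityFinding
# and, once the connected devices support mutual TLS:
#   Set-UMDialPlan -Identity <dial plan name> -VoIPSecurity Secured
```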

Outlook Voice Access


There are two types of callers who access the voice mail system using the Outlook Voice Access number
configured on a UM dial plan: unauthenticated callers and authenticated callers. When callers dial the Outlook
Voice Access number configured on a dial plan, they're considered anonymous or unauthenticated until they input
information including their voice mail extension and a PIN. The only option available to anonymous or
unauthenticated callers is the directory search feature. After callers input their voice mail extension and their PIN,
they'll be authenticated and given access to their mailbox. After they gain access to the voice mail system, they're
using the Outlook Voice Access feature.
Outlook Voice Access is a series of voice prompts that give the caller access to email, voice mail, calendar, and
other information. Outlook Voice Access lets authenticated callers navigate their personal information in their
mailbox, place calls, or locate users using dual tone multi-frequency (DTMF), also known as touchtone, inputs or
voice inputs.
Outlook Voice Access numbers
After you've created a UM dial plan, you need to add at least one Outlook Voice Access number. Outlook Voice
Access numbers are also called dial plan pilot numbers. This number is used by Outlook Voice Access users to
access their mailboxes and lets them search the directory.
By default, when you create a UM dial plan, no Outlook Voice Access number is configured. To enable users to use
the Outlook Voice Access feature, you must configure at least one telephone or extension number. The number of
alphanumeric characters in the Outlook Voice Access number can't exceed 20. After you configure this number on
the dial plan, the number will be displayed in the voice mail options in Microsoft Outlook, and in Outlook Web
App.
You can use the Outlook Voice Access numbers box on the UM dial plan to add a telephone number or
extension that a user will call to access the voice mail system using Outlook Voice Access. In most cases, you'll
enter an extension number or an external telephone number. However, because this field accepts alphanumeric
characters, a SIP URI can be used if you're using an IP PBX, a SIP-enabled PBX, Office Communications Server
2007 R2 or Microsoft Lync Server.
Depending on the needs of your organization, you may want to configure one or more Outlook Voice Access
numbers. You can have a single Outlook Voice Access number configured on a single UM dial plan or you can have
multiple Outlook Voice Access numbers in a single UM dial plan, but you can't have a single Outlook Voice Access
number that spans multiple UM dial plans.
UM dial plan procedures [EXO]
2/28/2019 • 2 minutes to read

Create a UM dial plan


Manage a UM dial plan
Change the audio codec
Configure the maximum call duration
Configure the maximum recording duration
Configure the recording idle time-out value
Configure the VoIP security setting
Configure a dial plan for users who have similar names
Delete a UM dial plan
Create a UM dial plan
2/28/2019 • 7 minutes to read

A Unified Messaging (UM) dial plan contains configuration information related to your
telephony network. A UM dial plan establishes a link from the telephone extension number of a
user enabled for voice mail to their mailbox. When you create a UM dial plan, you can configure
the number of digits in the extension numbers, the Uniform Resource Identifier (URI) type, and
the Voice over IP (VoIP) security setting for the dial plan.
Each time you create a UM dial plan, a UM mailbox policy is also created. The UM mailbox policy
is named <DialPlanName> Default Policy.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "UM dial plans" entry in the
Unified Messaging Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic,
see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange
Online Protection.

Use the EAC to create a UM dial plan


1. In the EAC, navigate to Unified Messaging > UM dial plans, and then click New.
2. On the New UM dial plan page, complete the following boxes:
Name: Type the name of the dial plan. A UM dial plan name is required and must be
unique. However, it's used only for display in the EAC and Exchange Online PowerShell. If
you have to change the display name of the dial plan after it's been created, you must first
delete the existing UM dial plan and then create another dial plan that has the appropriate
name. If your organization uses multiple UM dial plans, we recommend that you use
meaningful names for your UM dial plans. The maximum length of a UM dial plan name
is 64 characters, and it can include spaces. However, it can't include any of the following
characters: " / \ [ ] : ; | = , + * ? < >.
Although you can include spaces in a UM dial plan name, if you integrate Unified
Messaging with Office Communications Server 2007 R2 or Microsoft Lync Server, the
dial plan name can't include spaces. Therefore, if you created a dial plan with spaces in the
display name, and you're integrating with Office Communications Server 2007 R2 or Lync
Server, you must first delete that dial plan and then create another dial plan that doesn't
include spaces in the display name.
IMPORTANT
Although the box for the name of the dial plan can accept 64 characters, the name of the dial
plan can't be longer than 49 characters. If you try to create a dial plan name that contains more
than 49 characters, you'll receive an error message. The message will say that the UM mailbox
policy couldn't be generated because the UM dial plan name is too long. This happens because,
as mentioned earlier, when you create a dial plan a default UM mailbox policy named
<DialPlanName> Default Policy is also created. When the 15 characters in Default Policy are
added to the name of the dial plan, the total characters exceed the limit. The name parameter for
both the UM dial plan and UM mailbox policy can be 64 characters. However, if the name of the
dial plan is longer than 49 characters, the name of the default UM mailbox policy will be longer
than 64 characters, and this isn't allowed by the system.

Extension length (digits): Enter the number of digits for the dial plan. The number of
digits for extension numbers is based on the telephony dial plan created on a Private
Branch eXchange (PBX) or IP PBX. For example, if a user associated with a telephony dial
plan dials a four-digit extension to call another user in the same telephony dial plan, you
select 4 as the number of digits in the extension.
This is a required box that has a value range from 1 through 20. The typical extension
length is from 3 through 7. If your existing telephony environment includes extension
numbers, you must specify a number of digits that matches the number of digits in those
extensions.
When you create a Session Initiation Protocol (SIP) or an E.164 dial plan and associate a
UM-enabled user with the dial plan, you must still input an extension number to be used
by the user. This number is used by Outlook Voice Access users when they access their
mailbox.
Dial plan type: A Uniform Resource Identifier (URI) is a string of characters that
identifies or names a resource. The main purpose of this identification is to enable VoIP
devices to communicate with other devices over a network using specific protocols. URIs
are defined in schemes that define a specific syntax and format and the protocols for the
call. In simple terms, this format is passed from the IP PBX or PBX. After you create a UM
dial plan, you won't be able to change the URI type without deleting the dial plan, and then
re-creating the dial plan to include the correct URI type. You can select one of the
following URI types for the dial plan:
Telephone extension: This is the most common URI type. The calling and called party
information from the VoIP gateway or IP Private Branch eXchange (PBX) is listed in one
of the following formats: Tel:512345 or 512345@<IP address>. This is the default URI
type for dial plans.
SIP URI: Use this URI type if you must have a Session Initiation Protocol (SIP) URI dial
plan such as an IP PBX that supports SIP routing or if you're integrating Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server and Unified Messaging. The
calling and called party information from the VoIP gateway, IP PBX, or Communications
Server 2007 R2 or Lync Server is listed as a SIP address in the following format:
sip:<username>@<domain or IP address>:Port.
E.164: E.164 is an international numbering plan for public telephone systems in which
each assigned number contains a country code, a national destination code, and a
subscriber number. The calling and called party information sent from the VoIP gateway
or IP PBX is listed in the following format: Tel:+14255550123.
Caution
After you create a dial plan, you will be unable to change the URI type without deleting the
dial plan, and then re-creating the dial plan to include the correct URI type.
VoIP security mode: Use this drop-down list to select the VoIP security setting for the
UM dial plan. You can select one of the following security settings for the dial plan:
Unsecured: By default, when you create a UM dial plan, it is set to not encrypt the SIP
signaling or RTP traffic. In unsecured mode, the Client Access and Mailbox servers
associated with the UM dial plan send and receive data from VoIP gateways, IP PBXs, SBCs
and other Client Access and Mailbox servers using no encryption. In unsecured mode,
neither the Realtime Transport Protocol (RTP) media channel nor the SIP signaling
information is encrypted.
SIP secured: When you select SIP secured, only the SIP signaling traffic is encrypted,
and the RTP media channels still use TCP, which isn't encrypted. With SIP secured, Mutual
Transport Layer Security (TLS) is used to encrypt the SIP signaling traffic and VoIP data.
Secured: When you select Secured, both the SIP signaling traffic and the RTP media
channels are encrypted. Both the secure signaling media channel that uses Secure
Realtime Transport Protocol (SRTP) and the SIP signaling traffic use mutual TLS to
encrypt the VoIP data.
Audio language: Use this list to specify the default language to be used by Outlook Voice
Access users. This setting doesn't apply to the language setting on a UM auto attendant.
You can set the language for Outlook Voice Access to be the same as or different from the
language that's used on a UM auto attendant. When a user places a call to a user who is
linked with a dial plan, the audio language is the default language that the voice-recorded
operator uses. The system prompts that callers hear are played in the same language. The
language that is chosen on the UM dial plan is used to read email, voice mail, and calendar
items; to say the user's name if a personal greeting hasn't been recorded; to transcribe a
voice message using the Voice Mail Preview feature; and to enable Automatic Speech
Recognition (ASR) to work correctly.
Country/Region code: Use this box to type the country/region code number to be used
for outgoing calls. This number will precede the telephone number that's dialed. This box
accepts from 1 through 4 digits. For example, in the United States, the country/region
code is 1. In the United Kingdom, it's 44.
3. Click Save.

Use Exchange Online PowerShell to create a UM dial plan


This example creates a new UM dial plan named MyUMDialPlan that uses four-digit extension
numbers.

New-UMDialplan -Name MyUMDialPlan -NumberofDigits 4

This example creates a new UM dial plan named MyUMDialPlan that uses five-digit extension
numbers and supports SIP URIs.

New-UMDialplan -Name MyUMDialPlan -UriType SIPName -NumberofDigits 5
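
The naming and length limits described in the EAC procedure apply equally when the dial plan is created from PowerShell, and a wrong choice can only be fixed by deleting and re-creating the dial plan. The following is an added example, not code from the original documentation or from Microsoft, that checks the intended values before New-UMDialPlan is run; the function name Test-UMDialPlanRequest, its parameters, and the sample values are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Function name, parameters and output
# shape are assumptions; the limits are the ones stated in the procedure above.
function Test-UMDialPlanRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Name,

        [Parameter(Mandatory)]
        [int]$NumberOfDigits,

        # Optional country/region code for outgoing calls (1 through 4 digits).
        [string]$CountryOrRegionCode,

        # Set when the dial plan will be integrated with Office Communications
        # Server 2007 R2 or Lync Server, where spaces in the name aren't allowed.
        [switch]$LyncIntegration
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    if ([string]::IsNullOrWhiteSpace($Name)) {
        $problems.Add('A dial plan name is required.')
    }

    # The default UM mailbox policy is named "<DialPlanName> Default Policy",
    # and that name must itself fit in 64 characters (so the name is at most 49).
    $policyName = "$Name Default Policy"
    if ($policyName.Length -gt 64) {
        $problems.Add("Name has $($Name.Length) characters; the default policy name would have $($policyName.Length), over the 64-character limit.")
    }

    # Characters that can't appear in a UM dial plan name.
    $forbidden = '"/\[]:;|=,+*?<>'.ToCharArray()
    if ($Name.IndexOfAny($forbidden) -ge 0) {
        $problems.Add('Name contains one of the characters " / \ [ ] : ; | = , + * ? < >.')
    }

    if ($LyncIntegration -and $Name -match '\s') {
        $problems.Add('Name contains spaces, which is not allowed when integrating with Lync Server.')
    }

    if ($NumberOfDigits -lt 1 -or $NumberOfDigits -gt 20) {
        $problems.Add("Extension length $NumberOfDigits is outside the range 1 through 20.")
    }

    if ($CountryOrRegionCode -and $CountryOrRegionCode -notmatch '^\d{1,4}$') {
        $problems.Add('Country/region code must be 1 through 4 digits.')
    }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample requests.
Test-UMDialPlanRequest -Name 'MyUMDialPlan' -NumberOfDigits 4 -CountryOrRegionCode '1'
Test-UMDialPlanRequest -Name ('D' * 50) -NumberOfDigits 5
Test-UMDialPlanRequest -Name 'Seattle Dial Plan' -NumberOfDigits 5 -LyncIntegration
Test-UMDialPlanRequest -Name 'Sales+Support' -NumberOfDigits 25 -CountryOrRegionCode '44x'
```

Only the first request returns Valid = True; the 50-character name fails because its default policy name would be 65 characters long.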


Manage a UM dial plan
2/28/2019 • 34 minutes to read

After you create a Unified Messaging (UM) dial plan, you can view and configure a variety of settings. For example,
you can configure the level of Voice over IP (VoIP) security, the audio codec, and dialing restrictions. The settings
that you configure on the UM dial plan affect all users who are linked with the dial plan through a UM mailbox
policy.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view or configure UM dial plan settings


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to view or modify, and then click Edit.
3. On the UM Dial Plan page, click Configure. Use the configuration options to view specific dial plan
settings and to enable or disable features as described in the following steps.
4. General: Use this page to view specific dial plan settings or to enable or disable features for UM-enabled
users:
Name: This is the name of the dial plan that was created. The maximum length of a UM dial plan name is
64 characters, and it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; |
= , + * ? < >.
Although you can include spaces in a UM dial plan name, if you integrate Unified Messaging with Office
Communications Server 2007 R2 or Microsoft Lync Server, the dial plan name can't include spaces.
Therefore, if you created a dial plan with spaces in the display name, and you're integrating with Office
Communications Server 2007 R2 or Lync Server, you must first delete that dial plan and then create
another dial plan that doesn't include spaces in the display name.
IMPORTANT
Although the box for the name of the dial plan can accept 64 characters, the name of the dial plan can't be longer
than 49 characters. If you try to create a dial plan name that contains more than 49 characters, you'll receive an error
message. The message will say that the UM mailbox policy couldn't be generated because the UM dial plan name is
too long. This happens because, as mentioned earlier, when you create a dial plan a default UM mailbox policy named
<DialPlanName> Default Policy is also created. When the 15 characters in Default Policy are added to the name of
the dial plan, the total characters exceed the limit. The name parameter for both the UM dial plan and UM mailbox
policy can be 64 characters. However, if the name of the dial plan is longer than 49 characters, the name of the
default UM mailbox policy will be longer than 64 characters, and this isn't allowed.

Extension length (digits): This is the number of digits in the extension numbers for users who are
associated with this dial plan. For example, if a user associated with a dial plan dials a 4-digit extension to
call another user in the same dial plan, select 4 as the number of digits in the extension.
The number of digits for extension numbers is based on the telephony dial plan created on an IP PBX or
PBX. This is a required field that has a value range from 1 through 20. The typical extension length is from 3
through 7 digits. If your existing telephony environment includes extension numbers, you must specify a
number of digits that matches the number of digits in those extensions when you create the UM dial plan.
Dial plan type: A Uniform Resource Identifier (URI) is a string of characters that identifies or names a
resource. The main purpose of this identification is to enable VoIP devices and PBXs to communicate with
other devices over a network using specific protocols. URIs are defined in schemes that define a specific
syntax and format and the protocols for the call. In simple terms, this format is passed from the IP PBX or
PBX and the type of dial plan you create must match that format. After you create a UM dial plan, you won't
be able to change the dial plan type without deleting the dial plan, and then re-creating the correct type of
dial plan. You can select one of the following dial plan types:
Telephone extension: This is the most common dial plan type. The calling and called party information
from the VoIP gateway or IP Private Branch eXchange (PBX) is listed in one of the following formats:
Tel:512345 or 512345@<IP address>. This is the default type for dial plans.
SIP URI: Use this dial plan type if you must have a Session Initiation Protocol (SIP) URI dial plan such as
an IP PBX that supports SIP routing, a SIP-enabled PBX, or if you're integrating Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server and Unified Messaging. The calling and called
party information from the VoIP gateway, IP PBX, SIP-enabled PBX, or Communications Server 2007 R2 or
Lync Server is listed as a SIP address in the following format: sip:<username>@<domain or IP
address>:Port.
E.164: E.164 is an international numbering plan for public telephone systems in which each assigned
number contains a country code, a national destination code, and a subscriber number. The calling and
called party information sent from the VoIP gateway and PBX or IP PBX is listed in the following format:
Tel:+14255550123.

NOTE
After you create a dial plan, you won't be able to change the dial plan type without deleting the dial plan, and then
re-creating the correct type of dial plan.

VoIP security mode: Use this drop-down list to select the VoIP security setting for the UM dial plan. You
can select one of the following security settings for the dial plan:
Unsecured: By default, when you create a UM dial plan, it's set to not encrypt the SIP signaling or RTP
traffic. In Unsecured mode, the Exchange servers associated with the UM dial plan send and receive data
from VoIP gateways, IP PBXs, SBCs, and other Exchange servers using no encryption. In Unsecured mode,
neither the Realtime Transport Protocol (RTP) media channel nor the SIP signaling information is
encrypted.
SIP secured: When you select SIP secured, only the SIP signaling traffic is encrypted, and the RTP media
channels still use TCP, which isn't encrypted. With SIP secured, mutual Transport Layer Security (TLS) is
used to encrypt the SIP signaling traffic and VoIP data.
Secured: When you select Secured, both the SIP signaling traffic and the RTP media channels are
encrypted. Both the secure signaling media channel that uses Secure Realtime Transport Protocol (SRTP)
and the SIP signaling traffic use mutual TLS to encrypt the VoIP data.
5. Dial codes: Use this page to configure the dial codes for a UM dial plan. Several dial code settings can be
configured on the dial plan. These include incoming and outgoing calling options. You can configure the
following:
Dial codes for outgoing calls: Use these settings to specify the dialing codes for outgoing calls that can be
made by UM-enabled users. These outgoing calls are calls that are placed using Outlook Voice Access or
from a voice mail message.
Outside line access code: Use this field to type the number or numbers used to access an outside
telephone number for outgoing external calls. This number will precede the telephone number dialed. This
is also called a trunk access code. This field accepts from 1 through 16 digits. For many organizations, this
number is 9. By default, this field isn't populated.
Frequently, this setting is used in telephony environments where a PBX or IP PBX is located onsite or
maintained in an organization. It may not have to be configured if your organization's telephony
environment is maintained by an external business or vendor.
International access code: Use this field to type the number code used to access international telephone
numbers for outgoing calls. This number will precede the telephone number dialed. By default, this field isn't
populated. This field accepts from 1 through 4 digits. For example, the international access code for the
United States is 011. For Europe, it's 00.
National number prefix: Use this field to type the number code used to dial telephone numbers that are
out of an area code but within the country/region. This number will precede the telephone number dialed.
By default, this field isn't populated. This field accepts from 1 through 4 digits. For example, 0 is used in
Europe, and 1 is used in North America.
Country/Region code: Use this field to type the country/region code number used for outgoing calls. This
number will precede the telephone number dialed. By default, this field isn't populated. This field accepts
from 1 through 4 digits. For example, in the United States, the country/region code is 1. In the United
Kingdom, it's 44.
Number formats for dialing between UM dial plans: Use these settings to configure calls between
users in separate dial plans when they place calls between the dial plans.
Country/Region number format: Use this field to specify how a user's telephone number should be
dialed by the Exchange servers when users are in a different dial plan that has the same country code. This
is used by auto attendants and when an Outlook Voice Access user searches and tries to call the user in the
directory.
This entry consists of a number prefix and a variable number of characters (for example, 020xxxxxxx). To
determine the telephone number, Unified Messaging will append the last x digits from the telephone
number specified in the directory to the prefix specified.
International number format: Use this field to specify how a user's telephone number should be dialed
by Unified Messaging when the users are in different dial plans that have different country codes. This is
used by an auto attendant and when an Outlook Voice Access user searches and tries to call the user in the
directory.
This entry consists of a number prefix and a variable number of characters (for example, 4420xxxxxxx). To
determine the telephone number, Unified Messaging will append the last x digits from the telephone
number specified in the directory to the prefix specified.
Number formats for incoming calls within the same dial plan: Use this field to add or remove a
number format for incoming calls that are placed between users in the same dial plan. This field accepts
both numbers and the letter "x" as a wild card character. No other letters can be used in this field.
For incoming calls within the same dial plan, add a number format. For example, to add a number format for
5-digit extensions, enter 142570xxxxx and click Add. To remove a number format, click Remove.
6. Outlook Voice Access: Use this page to configure Outlook Voice Access settings for the UM dial plan.
Outlook Voice Access enables users to access their individual mailboxes to retrieve email, voice messages,
contacts, and calendaring information using a telephone. You can view or configure the following:
Welcome greeting: This display-only field shows the name of the sound file that will be used for the
welcome greeting.
Default greeting: The welcome greeting is used when an Outlook Voice Access user or another caller calls
the Outlook Voice Access number and does a directory search. This audio file is the default greeting for a
UM dial plan. However, you may want to change this welcome greeting and provide another welcome
greeting specific to your company, such as, "Welcome to Outlook Voice Access for Contoso, Ltd."
If you decide to customize this greeting, you must first record the customized greeting, save it as a .wav file,
and then configure the dial plan to use this customized greeting. The file name and path must not exceed
255 characters.
You can add a customized greeting by clicking Change, and then clicking Browse to select a previously
recorded custom greeting and specify the audio file (.wav) to use for the welcome greeting. If you don't
specify an audio file, Outlook Voice Access users will hear a default welcome greeting that says, "Welcome,
you are connected to Microsoft Exchange."
Informational announcement: When enabled, this optional recording plays immediately after the
business or non-business hours welcome greeting. An informational announcement may state the
organization's security policies for accessing the system, for example, "When you gain access to our system
using Outlook Voice Access, you have agreed to the terms of our business agreement and all security
policies for our organization apply. Access to our system is monitored and gaining illegal access will be
prosecuted." An informational announcement can also provide information that's required for compliance
with company policy, for example, "Calls may be monitored for training purposes." If it's important that
callers hear the whole informational announcement, it can be marked as uninterruptible.
By default, there's no informational announcement configured on UM dial plans. To enable an informational
announcement and use a custom audio file specific to your organization, click Change and then click
Browse.
Allow announcement to be interrupted: Select this check box to enable the Outlook Voice Access user
to interrupt the informational announcement. You should do this if you have long informational
announcements. Outlook Voice Access users may become frustrated if the informational announcement is
long and they can't interrupt it to access the options provided by the UM dial plan.
Outlook Voice Access numbers: Use this field to add a telephone or extension number or a SIP URI that
an Outlook Voice Access user will call to access the voice mail system using Outlook Voice Access. In most
cases, you enter an extension number or an external telephone number. However, because this field accepts
all alphanumeric characters, a SIP URI can be used if you're using an IP PBX, Office Communications
Server 2007 R2, or Microsoft Lync Server.
By default, when a dial plan is created, no Outlook Voice Access numbers are defined. To enable Outlook
Voice Access users to call into Outlook Voice Access, you must configure at least one telephone number. The
number of alphanumeric characters can't exceed 20.
When you configure this number on the dial plan, this number will be displayed in Microsoft Office Outlook
2007 or later versions and Outlook Web App for voice mail options.
To add a new Outlook Voice Access number, enter the number in the box and click Add. To remove an
Outlook Voice Access number, click Remove.
7. Settings: Use this page to configure dial plan settings for Unified Messaging. When you configure settings on
this page, you can control how Outlook Voice Access users and external callers calling into an auto attendant
linked to the dial plan locate users in your organization, the audio codec that is used for voice mail messages,
the number of sign-in failures, and time-out values. You can configure the following:
Primary way to search for names: Use this list to select the primary way that callers can locate a user
when they dial in to the system.
By default, Last First is selected. This means that when users are searching for a user in the directory, they
will enter the user's last name first and then the first name.
When an Outlook Voice Access user calls in to an Outlook Voice Access number to access their mailbox, a
caller calls in to an Outlook Voice Access number to perform a directory search, or a caller calls in to an auto
attendant linked to a UM dial plan, they can search for a user in the directory by spelling their name or alias.
You must select one of the supported methods to be able to use the dial-by-name primary method. The
following methods are supported:
Last First (default)
First Last
SMTP address
Secondary way to search for names: Use this list to select the secondary way that callers can locate a
user when they dial in to the system.
By default, SMTP address is selected. This means that when users search for a user in the directory, they
will enter the user's email alias or SMTP address.
When an Outlook Voice Access user calls in to an Outlook Voice Access number to access their mailbox, a
caller calls in to an Outlook Voice Access number to perform a directory search, or a caller calls in to an auto
attendant linked to a UM dial plan, they can search for a user in the directory by spelling their name or alias.
When you select one of these options, callers can use the primary way to search for names or the secondary
way to search for names to locate users in the directory.
You aren't required to select one of the four methods that are supported. However, if you don't select a
secondary way to search for users, callers will be given only one way to search for a user. The following
options are available:
Last First
First Last
SMTP address (default)
None
Audio codec: Use this list to select the audio codec that will be used by the dial plan. When a caller places a
call to a user who is associated with the dial plan and leaves a voice message, Unified Messaging uses the
audio codec that you select from this list to record voice messages that will be sent to voice mail-enabled
users. The following audio codecs are supported:
MP3 (default)
WMA (Windows Media Audio)
G711 (Pulse Code Modulation (PCM) Linear)
GSM (Group System Mobile 06.10)
By default, the MP3 format is selected. The MP3 format is a common audio file format that's used to greatly
reduce the size of the audio file and is most commonly used by personal audio devices or MP3 players.
MP3 is a cross-platform type of audio codec and is used for compatibility with many mobile phones and
devices and various computer operating systems.
WMA is used because it's highly compressed and has high-quality format properties. G.711 PCM Linear is
a telephone-quality audio codec format that's the least compressed and has the lowest-quality format. GSM
06.10 is an audio codec format that's used by mobile phone vendors and is the standard for digital mobile
phone services.
If you're concerned about users' disk quotas, select WMA as the audio codec. Voice files saved in .wma
format are approximately half the size of the same voice recording made using one of the other audio
codecs.
Operator extension: Use this text box to enter the telephone number or an extension number for the dial
plan's operator. This is different than an operator extension that is configured on a UM auto attendant.
However, you can put in the same phone or extension number for both types of operators.
You can configure this setting to transfer calls to an auto attendant if one is configured, to a human operator,
to external telephone numbers, or to extension numbers.
When a caller who is using the telephone keypad presses 0, or says "reception" or "operator," or the
Number of input failures before disconnecting threshold is exceeded, the caller is transferred to the
telephone or extension number that you specify in this text box.
This telephone number can be a number external to the organization or an internal telephone extension
number. For example, if the extension number for the receptionist or operator is 81964 and your
organization has only one dial plan, enter 81964.
By default, this setting is blank. If you don't enter a number in this text box, the ability to transfer calls to the
operator is disabled and callers are politely disconnected because there's no one to answer the call.
We recommend that you populate this text box with a telephone number that transfers callers to an
operator if they can't locate a specific user in the directory.
Number of sign-in failures before disconnecting: Use this text box to enter the number of sequential
unsuccessful logon attempts allowed before a caller is disconnected.
The value of this setting can be from 1 through 20. Setting this value too low can frustrate users. For most
organizations, this value should be set to the default of three attempts.
Timeouts and retries: These settings apply to Outlook Voice Access users and external callers that dial into
a UM auto attendant.
Maximum call duration (minutes): Use this text box to enter the maximum number of minutes that an
incoming call can be connected to the system without being transferred to a valid extension number before
the call is ended. For most organizations, this value should be set to the default of 30 minutes.
This setting applies to all kinds of calls. This includes incoming Outlook Voice Access calls, voice calls
internal to your organization, and voice and incoming fax calls external to your organization.
The value of this setting can be from 10 through 120. Setting this value too low can cause incoming calls to
be disconnected before they are completed. For example, if your organization receives many large fax
messages, you may want to consider increasing this value from the default so that all the pages for fax
messages are received.
Maximum recording duration (minutes): Use this text box to enter the maximum number of minutes
allowed for each voice recording when a caller leaves a voice mail message. For most organizations, this
value should be set to the default of 20 minutes.
The value of this setting can be from 1 through 100. Setting this value too low can cause long voice
messages to be disconnected before they are completed. Setting this value too high lets users save lengthy
voice messages in their Inboxes.
This setting is important if you have implemented strict disk quotas for users. This value must be less than
the value set for the Maximum call duration (minutes) setting.
Recording idle time out (seconds): Use this text box to enter the number of seconds of silence that the
system allows when a voice message is being recorded before the call is ended. For most organizations, this
value should be set to the default of 5 seconds.
The value of this setting can be from 2 through 10. Setting this value too low can cause the system to
disconnect callers before they are finished leaving their voice messages. Setting this value too high allows
lengthy silences in voice messages.
Number of input failures before disconnecting: Use this text box to configure the number of times that
callers can enter incorrect menu choices before they are disconnected. For most organizations, this value
should be set to the default of three attempts. This is an important setting for speech-enabled UM dial
plans.
Examples of incorrect data include when a caller requests an extension number that isn't found in the
system, the system can't locate the user's extension number to transfer the call, or the caller presses a menu
option that isn't valid.
The value of this setting can be from 1 through 20. Setting this value too low may prematurely disconnect
the caller.
Audio language: Use this list to specify the default language to be used by Outlook Voice Access users.
This setting doesn't apply to the language setting on a UM auto attendant. You can set the language for
Outlook Voice Access to be the same as or different from the language that's used on a UM auto attendant.
When a user places a call to a user who is linked with a dial plan, the audio language is the default language
that the voice-recorded operator uses. The system prompts that callers hear are played in the same
language. The language that is chosen on the UM dial plan is used to read email, voice mail, and calendar
items; to say the user's name if a personal greeting hasn't been recorded; to transcribe a voice message
using the Voice Mail Preview feature; and to enable Automatic Speech Recognition (ASR) to work correctly.
For on-premises deployments, adding other languages lets Outlook Voice Access use a language other than
U.S. English. For example, if an Outlook Voice Access user calls in using an Outlook Voice Access number
from a desk telephone, the user is greeted with a prerecorded operator's voice in English. Even if the same
user selects a different language, such as French, in Outlook Web App, the menus are still read in U.S.
English. For the user to be able to hear the prerecorded operator menus in French, you must install the
appropriate language pack.
NOTE
For Exchange Online, all languages are available.

8. Dialing rules: Use this page to specify dialing rules for in-country/region and international calls placed by
UM-enabled users. Each entry defined on the dialing rule determines the types of calls that users within a specific
dialing rule group can make. After you use the Dialing rules page to configure dialing rules, you must
configure the UM dial plan, a UM mailbox policy, or a UM auto attendant to use the appropriate dialing rule.
After you configure the UM mailbox policy to use a dialing rule group, the dialing restrictions configured apply
to all UM-enabled users who are associated with the UM mailbox policy. For example, you can configure a
dialing rule group that doesn't require users who are associated with the dial plan to dial an outside line access
code when they place a call to an in-country/region telephone number. You can configure the following:
In-country/region dialing rules: Use this box to add, remove, or edit in-country/region dialing rule
groups used by UM mailbox policies. To create a dialing rule, click Add. To edit an existing dialing rule,
click Edit. To remove a dialing rule, click Remove. When you create a dialing rule, add the following
information on the New dialing rule page:
Dialing rule name: Use this text box to enter the name for the dialing rule you are creating. You can use
the same name to collect several rules in a group and then enable or disable them under Dialing
authorization. The name can be up to 32 characters long.
Number pattern to transform (number mask): Use this text box to enter the number pattern to
transform before dialing, for example 91425xxxxxxx. If a user enters a number that matches this pattern, UM
will transform the number dialed into a dialed number before placing the call. You can only enter numbers
and the wildcard character, "x".
Dialed number: Use this text box to enter the number you want to dial that matches the number pattern
you set in the Number pattern to transform (number mask). The dialed number is used to determine
the actual dial string sent to the VoIP gateway or IP PBX. This number can be different from the number
obtained by Unified Messaging for the outgoing call. However, your PBX or IP PBX can also be configured
to omit the area code for local calls and can be configured for private voice numbering plans. Any wildcard
characters (x) in the dial string are replaced with the digits from the original number that were matched by
the number mask on the dialing rule. An example of a valid dialed number is 9xxxxxxx. This field can contain
only numbers and the character x.
Comment: Use this text box to put in a comment or description for the dialing rule that you're adding or
modifying. By default, this text box is blank.

NOTE
If you are integrating with Office Communications Server 2007 R2 or Microsoft Lync Server, you'll probably find it
unnecessary to configure dialing rules or dialing rule groups in Unified Messaging. Office Communications Server
2007 R2 and Lync Server are designed to perform call routing and number translation for users in your organization,
and will also do this when the calls are made on behalf of users.

International rules: Use this text box to add, remove, or edit international dialing rule groups used by UM
mailbox policies.
Dialing rule name: Use this text box to enter the name for the dialing rule you are creating. You can use
the same name to collect several rules in a group and then enable or disable them under Dialing
authorization. The name can be up to 32 characters long.
Number pattern to transform (number mask): Use this text box to enter the number pattern to
transform before dialing, for example 91425xxxxxxx. If a user enters a number that matches this pattern, UM
will transform the number dialed into a dialed number before placing the call. You can only enter numbers
and the wildcard character, "x".
Dialed number: Use this text box to enter the number you want to dial that matches the number pattern
you set in Number pattern to transform (number mask). The dialed number is used to determine the
actual dial string sent to the VoIP gateway or IP PBX. This number can be different from the number
obtained by Unified Messaging for the outgoing call. However, your PBX or IP PBX can also be configured
to omit the area code for local calls and can be configured for private voice numbering plans. Any wildcard
characters (x) in the dial string are replaced with the digits from the original number that were matched by
the number mask on the dialing rule. An example of a valid dialed number is 9xxxxxxx. This field can contain
only numbers and the character x.
Comment: Use this text box to put in a comment or description for the dialing rule that you're adding or
modifying. By default, this text box is blank.

NOTE
For on-premises deployments, if you are integrating with Office Communications Server 2007 R2 or Microsoft Lync
Server, you'll probably find it unnecessary to configure dialing rules or dialing rule groups in Unified Messaging. Office
Communications Server 2007 R2 or Lync Server are designed to perform call routing and number translation for
users in your organization, and will also do this when the calls are made on behalf of users.

9. Dialing authorization: Use this page to select dialing rules for callers who call in to an Outlook Voice Access
number configured on a UM dial plan. You can restrict the type of calls placed by callers when an
unauthenticated user or an Outlook Voice Access user calls in to an Outlook Voice Access number configured
on a dial plan by configuring dialing rule groups and dialing restrictions. You can configure the following:
Calls in the same UM dial plan: Select this check box to let users who call in to an Outlook Voice Access
number configured on a dial plan place or transfer calls to an extension number associated with a
UM-enabled user who is within the same dial plan. By default, this setting is enabled.
When you disable this setting, users who call in to the Outlook Voice Access number won't be able to place
or transfer calls to any users who aren't UM-enabled, to other extension numbers, or to UM-enabled users
who are associated with the same dial plan. This is because the Allow calls to any extension setting is
disabled by default.
Allow calls to any extension: When this setting is disabled, users who call in to an Outlook Voice Access
number on the dial plan can't place calls to users who aren't UM-enabled or to other extension numbers not
associated with a UM-enabled user. However, they can place a call or transfer a call to extension numbers
associated with UM-enabled users. This is because the Calls in the same UM dial plan setting is enabled
by default. The Allow calls to any extension setting is disabled by default.

NOTE
To avoid attempted fraud and other potential threats to your UM environment, follow the guidance in the blog post
Is your Exchange Unified Messaging protected against telecommunication fraud?

When this setting is enabled, users who call in to an Outlook Voice Access number configured on the dial
plan can place calls to users who aren't UM-enabled, to other extension numbers not associated with a
UM-enabled user, and to UM-enabled users. This is because the Calls in the same UM dial plan setting is
enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to an Outlook Voice Access number configured on a dial
plan to call extension numbers that aren't associated.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rules. By default, there are no in-country/region dialing rules configured on UM dial
plans.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that any user who has dialed in to the subscriber access number can dial. This helps prevent
unnecessary or unauthorized telephone calls and charges.
To add in-country/region dialing rules, you must first create the appropriate in-country/region dialing rule
on the dial plan, and then add the appropriate dialing rule entries on the dialing rule. After you create the
required dialing rules on the dial plan, you must then add the dialing rule to the list of dialing authorizations
on the Dialing authorization page on the dial plan.
In-country/region dialing rule groups can be used to allow or restrict access to telephone numbers within a
country or region. This is applied to all users who have called in to an Outlook Voice Access number.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rules. By default, there are no international dialing rules configured on UM dial plans.
International dialing rules are used to allow or restrict the telephone numbers outside a country or region
that any user who has dialed in to the Outlook Voice Access number can dial. This helps prevent
unnecessary or unauthorized telephone calls and charges.
To add international dialing rule groups, you must first create the appropriate international dialing rules on
the dial plan, and then add the appropriate dialing rule entries. After you create the required dialing rules on
the dial plan, you must then add the dialing rule to the list of dialing authorizations on the Dialing
authorization page on the dial plan.
International dialing rule groups can be used to allow or restrict access to telephone numbers outside a
country or region. This is applied to all users who have called in to an Outlook Voice Access number.
10. Transfer & search: Use this page to configure the UM dial plan features. Several features can be configured on
the UM dial plan. These include transferring calls, sending voice messages, and searching for users. You can
configure the following:
Allow callers to: Use these settings to determine how users who call in to an Outlook Voice Access
number can contact users. You can configure the following:
Transfer to users: Select this check box to enable Outlook Voice Access users to transfer calls to users. By
default, this option is enabled. This lets users associated with the dial plan transfer calls to users in the same
UM dial plan. After you select this check box, you can set the group of users callers can search for by
selecting the appropriate option under the Allow callers to search for users by name or alias section on
this page.
If you disable this option, Outlook Voice Access won't allow callers to be transferred to any users in the dial
plan.
Leave voice messages without ringing a user's phone: Select this check box to enable callers to send
voice messages to users. By default, this option is enabled. This lets Outlook Voice Access users who are
associated with the dial plan send voice messages to users in the same UM dial plan. After you select this
check box, you can set the group of users callers can search for by selecting the appropriate option under
the Allow callers to search for users by name or alias section on this page.
If you disable this option, Outlook Voice Access won't invite callers to send a voice message during a system
prompt.
Allow callers to search for users by name or alias: Use these options to determine a grouping of users
that can be searched. By default, the In this dial plan only option is selected. However, you can change the
grouping of users. Choose from the following options:
In this dial plan only: Use this option to allow callers who connect to Outlook Voice Access to locate and
contact users who are within the dial plan that they are a member of.
In the entire organization: Use this option to allow callers who connect to Outlook Voice Access to locate
and contact anyone who is listed in the entire organization. This includes all users who are mailbox-enabled
or UM-enabled users in all dial plans.
Only on this auto attendant: Use this list to allow Outlook Voice Access users to connect to a UM auto
attendant and then potentially connect to another auto attendant you have configured. You must create this
auto attendant to allow callers to be transferred to another auto attendant that's specified.
Only for this extension: Use this option to allow Outlook Voice Access users to connect to an extension
number that you specify in the field for this option. This field accepts only numeric digits. The number of
digits that you define in this field must match the number of digits configured on the dial plan associated
with the auto attendant.
Information to include for users with the same name: Use this field to select how the dial plan
differentiates between users who have the same or similar names. When a caller is prompted to enter letters
or say the person's name to find a particular user in the organization, sometimes more than one name
matches the caller's input. If there are two users with the same name, UM will use one of the following ways
to add additional information to the user's name. For example, if you select Department, when an Outlook
Voice Access user calls in to Outlook Voice Access and searches for a user and there are duplicate or similar
names in the directory, the caller will hear the user's name and department, for example:
1. System: "Welcome to Outlook Voice Access. Please enter your PIN and press the pound key."
2. Caller inputs their PIN followed by the # key.
3. System: "Please say voice mail, email, calendar, personal contacts, directory, or personal options."
4. Caller: "Directory"
5. System: "Directory search. Please note, for the following tasks the system requires you to use your
telephone keypad rather than speaking. Use the keypad to spell the name of the person you're trying
to find, last name first, or to spell the first part of their email address, press the pound key twice, if
you know the extension, press the pound key."
6. Caller uses the key pad and inputs "smithtony" and presses the # key.
7. System: "For Tony Smith, research, press 1. For Tony Smith, administration, press 2. For Tony Smith,
technical support, press 3."
8. Caller presses the appropriate key on the keypad and the call is transferred to the user.
By default, all UM auto attendants associated with this dial plan inherit this setting. However, you can
change this setting on each UM auto attendant you create.
Select one of the following methods for providing callers with more information to help them locate the
correct user in the organization:
None: No additional information is given when matches are listed. By default, this method is selected.
Title: The voice mail system includes each user's title when matches are listed.
Department: The voice mail system includes each user's department when matches are listed.
Location: The voice mail system includes each user's location when matches are listed.
Prompt for alias: The voice mail system prompts the caller for the user's alias.
11. After you configure the required settings, click Save to save your changes.

Use Exchange Online PowerShell to configure UM dial plan settings


This example configures a UM dial plan named MyDialPlan to use 9 for the outside line access code.

Set-UMDialplan -Identity MyDialPlan -OutsideLineAccessCode 9

This example configures a UM dial plan named MyDialPlan to use a welcome greeting.

Set-UMDialplan -Identity MyDialPlan -WelcomeGreetingEnabled $true -WelcomeGreetingFilename welcome.wav

This example configures a UM dial plan named MyDialPlan with dialing rules.

$csv=import-csv "C:\MyInCountryGroups.csv"
Set-UMDialPlan -Identity MyDialPlan -ConfiguredInCountryGroups $csv
Set-UMDialPlan -Identity MyDialPlan -AllowedInCountryGroups "local, long distance"

Use Exchange Online PowerShell to view UM dial plan settings


This example displays a list of all the UM dial plans.

Get-UMDialplan

This example displays a formatted list of all of the settings on a UM dial plan named MyUMDialPlan.

Get-UMDialplan -Identity MyUMDialPlan | Format-List


Change the audio codec
2/28/2019 • 2 minutes to read

Unified Messaging can use one of four codecs for creating voice mail messages: MP3, Windows Media Audio
(WMA), Group System Mobile (GSM) 06.10, and G.711 Pulse Code Modulation (PCM) Linear. By default, when
you create a Unified Messaging (UM) dial plan, the UM dial plan uses the MP3 audio codec to record voice
messages. The MP3 audio format is a popular audio format that is used across multiple operating systems, email
clients, and MP3 players. After the UM dial plan is created, you can configure the UM dial plan to use one of the
other audio formats including the WMA, GSM 06.10, or G.711 PCM Linear audio codecs. To listen to the voice
message, a mobile phone or computer must have a compatible audio software application installed.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to change the audio codec on a Unified Messaging dial plan
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Audio codec, use the drop-down list to select one of the following:
MP3
WMA
GSM
G711
5. Click Save.

Use Exchange Online PowerShell to change the audio codec on a Unified Messaging dial plan

This example sets the audio codec on a UM dial plan named MyUMDialPlan to G.711.

Set-UMDialPlan -Identity MyUMDialPlan -AudioCodec G711

This example sets the audio codec on a UM dial plan named MyUMDialPlan to WMA.

Set-UMDialPlan -Identity MyUMDialPlan -AudioCodec Wma


Configure the maximum call duration
2/28/2019 • 2 minutes to read

You can specify the maximum number of minutes that an incoming call can be connected to the system without
being transferred to a valid extension number before the call is ended. For most organizations, this value should be
set to the default: 30 minutes. This setting applies to all calls, including incoming Outlook Voice Access calls, voice
calls internal to your organization, voice calls into Unified Messaging (UM) auto attendants, and fax calls placed
from outside your organization.
This value can be set to a number from 10 through 120. Setting this value too low can cause incoming calls to be
disconnected before they're completed. For example, if your organization receives many large fax messages, you
may want to consider increasing this value from the default so that all the pages of fax messages are received.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the maximum call duration


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Maximum call duration (minutes), enter the number in minutes.
5. Click Save.

Use Exchange Online PowerShell to configure the maximum call duration

This example sets the maximum call duration to 10 minutes on a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -MaxCallDuration 10


Configure the maximum recording duration
2/28/2019 • 2 minutes to read

You can specify the maximum number of minutes allowed for each voice recording when a caller leaves a voice
mail message. This value can be set to a number from 1 through 100. For most organizations, this value should be
set to the default of 20 minutes. Setting this value too low can cause long voice messages to be disconnected
before they're completed. Setting this value too high lets users save lengthy voice messages in their Inboxes.
This setting is important if you've implemented strict disk quotas for users. It must be set to a lower value than the
one set for Maximum call duration (minutes).
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the maximum recording duration


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Maximum recording duration (minutes), enter the number in minutes.
5. Click Save.

Use Exchange Online PowerShell to configure the maximum recording duration

This example sets the maximum recording duration to 10 minutes for a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -MaxRecordingDuration 10


Configure the recording idle time-out value
2/28/2019 • 2 minutes to read

You can specify the number of seconds of silence that the system allows when a voice message is being recorded
before the call is ended. For most organizations, this value should be set to the default of 5 seconds.
This value can be set from 2 through 10. Setting this value too low can cause the system to disconnect callers
before they've finished leaving their voice messages. Setting this value too high allows lengthy silences in voice
messages.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the recording idle time-out value


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Recording idle time out (seconds), enter the number in seconds.
5. Click Save.

Use Exchange Online PowerShell to configure the recording idle time-out value

This example sets the recording idle time-out value to 10 for a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -RecordingIdleTimeout 10


Configure the VoIP security setting
2/28/2019 • 2 minutes to read

You can enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, when a UM dial
plan is created, it will use Unsecured mode or no encryption. Exchange servers can answer calls for single or
multiple UM dial plans and can answer calls for dial plans that have different VoIP security settings. In Office 365
and Exchange Online, Secured mode is required and can't be disabled.
When you configure a UM dial plan to use Session Initiation Protocol (SIP) secured or Secured mode, the
Exchange servers that answer calls for the UM dial plan will encrypt the SIP signaling traffic (for SIP secured
mode) or both the Realtime Transport Protocol (RTP) media channels and the SIP signaling traffic (for Secured
mode).

IMPORTANT
For on-premises and hybrid deployments, when you configure the SipTCPListeningPort, SipTLSListeningPort, or the
UMStartUpMode on a Client Access server running the Microsoft Exchange Unified Messaging Call Router service or a
Mailbox server running the Microsoft Exchange Unified Messaging service, you will need to configure the Windows Firewall
rules correctly to allow SIP and RTP network traffic.

For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure VoIP security on a UM dial plan


1. In the EAC, navigate to Unified Messaging > UM Dial Plans, select the UM dial plan on which you want
to change the VoIP security, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. In General, under VoIP security mode, select one of the following options:
SIP secured
Unsecured (default)
Secured
4. Click Save.

Use Exchange Online PowerShell to configure VoIP security on a UM dial plan

This example configures a UM dial plan named MySecureDialPlan to encrypt both SIP and RTP traffic.

Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity Secured

This example configures a UM dial plan named MySecureDialPlan to encrypt SIP but not encrypt RTP traffic.

Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity SIPsecured

This example configures a UM dial plan named MySecureDialPlan to not encrypt SIP and RTP traffic.

Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity Unsecured
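
The limits given in the preceding topics (maximum call duration, maximum recording duration, recording idle time-out) and the three VoIP security modes can be checked in one pass. The following is an added example, not part of the original documentation. It assumes that dial plan objects expose properties named after the Set-UMDialPlan parameters shown above, and the sample records are constructed.

```powershell
# Added example: checks UM dial plan objects against the limits stated in this topic.
# Assumption: property names mirror the Set-UMDialPlan parameters used on this page.

function Test-UMDialPlanSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$DialPlan
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $call = [int]$DialPlan.MaxCallDuration
        $rec  = [int]$DialPlan.MaxRecordingDuration
        $idle = [int]$DialPlan.RecordingIdleTimeout
        $mode = "$($DialPlan.VoIPSecurity)"

        # Maximum call duration: 10 through 120 minutes.
        if ($call -lt 10 -or $call -gt 120) {
            $findings.Add("MaxCallDuration $call is outside 10-120 minutes")
        }
        # Maximum recording duration: 1 through 100 minutes.
        if ($rec -lt 1 -or $rec -gt 100) {
            $findings.Add("MaxRecordingDuration $rec is outside 1-100 minutes")
        }
        # The recording limit must be lower than the call limit.
        if ($rec -ge $call) {
            $findings.Add("MaxRecordingDuration $rec is not lower than MaxCallDuration $call")
        }
        # Recording idle time-out: 2 through 10 seconds.
        if ($idle -lt 2 -or $idle -gt 10) {
            $findings.Add("RecordingIdleTimeout $idle is outside 2-10 seconds")
        }
        # VoIP security: only Secured encrypts both SIP signaling and RTP media.
        switch ($mode) {
            'Secured'    { }
            'SIPSecured' { $findings.Add('SIPSecured: SIP signaling is encrypted, RTP media is not') }
            'Unsecured'  { $findings.Add('Unsecured: neither SIP signaling nor RTP media is encrypted') }
            default      { $findings.Add("Unrecognized VoIPSecurity value '$mode'") }
        }

        [pscustomobject]@{
            Name     = $DialPlan.Name
            Passed   = ($findings.Count -eq 0)
            Findings = @($findings)
        }
    }
}

# Constructed sample data (not real tenant output). LegacyPlan applies both
# "10 minutes" examples from this page at once, which breaks the rule that the
# recording limit must be lower than the call limit.
$sampleDialPlans = @(
    [pscustomobject]@{ Name = 'MyUMDialPlan'; MaxCallDuration = 30;  MaxRecordingDuration = 20; RecordingIdleTimeout = 5;  VoIPSecurity = 'Secured' }
    [pscustomobject]@{ Name = 'LegacyPlan';   MaxCallDuration = 10;  MaxRecordingDuration = 10; RecordingIdleTimeout = 10; VoIPSecurity = 'Unsecured' }
    [pscustomobject]@{ Name = 'FaxPlan';      MaxCallDuration = 120; MaxRecordingDuration = 20; RecordingIdleTimeout = 12; VoIPSecurity = 'SIPSecured' }
)

$sampleDialPlans | Test-UMDialPlanSetting | ForEach-Object {
    $state = if ($_.Passed) { 'OK' } else { $_.Findings -join '; ' }
    '{0}: {1}' -f $_.Name, $state
}

# Against a live session the input would come from the cmdlet shown on this page:
#   Get-UMDialplan | Test-UMDialPlanSetting
```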


Configure a dial plan for users who have similar names
2/28/2019 • 3 minutes to read

You can configure a Unified Messaging (UM) dial plan to specify the information that is provided for callers when
users have the same or similar names. UM uses this setting to differentiate between users who have the same or
similar names and provide this information to callers. When a caller or an Outlook Voice Access user is prompted
to enter letters to find a particular user, sometimes more than one name matches the caller's input. You can use one
of the available options for providing the caller with more information to help them locate the user they're trying
to reach.
You can set this setting on both UM dial plans and UM auto attendants. When a UM auto attendant is created, it
inherits this setting from the dial plan associated with the auto attendant. By default, this setting isn't configured for
dial plans, so no additional information will be given to callers to help them locate the correct user.

NOTE
For the information that will be included for users with similar names to work correctly, you must provide the title,
department, and location information for the recipients in your Microsoft Exchange organization.

For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure a UM dial plan for users with similar names
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM dial plan page, click Configure > Transfer & search, and under Information to include for
users with the same name, select one of the following options:
Title: The dial plan includes each user's title when it finds two or more users with similar names.
Department: The dial plan includes each user's department when it finds two or more users with similar
names.
Location: The dial plan includes each user's location when it finds two or more users with similar names.
None: The dial plan won't include any additional information when users have similar names. Although this
is the default setting, we recommend that you include one of the available options for callers. If you don't,
callers won't be able to tell the difference between two or more users with similar names.
Prompt For alias: The dial plan prompts the caller for the user's alias. An alias is the part of the user's email
or SMTP address that is before the at (@) symbol.
3. Click Save.

Use Exchange Online PowerShell to configure a UM dial plan for users with similar names

This example sets the information to include with users with similar names to prompt for the user's alias on a UM
dial plan named MyDialPlan.

Set-UMDialplan -Identity MyDialPlan -MatchedNameSelectionMethod PromptForAlias

This example sets the information to include with users with similar names to department on a UM dial plan
named MyDialPlan.

Set-UMDialplan -Identity MyDialPlan -MatchedNameSelectionMethod Department

This example sets the information to include with users with similar names to location on a UM dial plan named
MyDialPlan.

Set-UMDialplan -Identity MyDialPlan -MatchedNameSelectionMethod Location


Delete a UM dial plan
2/28/2019 • 2 minutes to read

You can delete an existing Unified Messaging (UM) dial plan. When you delete the UM dial plan, it will no longer
be available for UM IP gateways, UM mailbox policies, and UM hunt groups. You can't delete a UM dial plan if it's
referenced by or associated with UM mailbox policies, UM auto attendants, UM IP gateways, or UM hunt groups.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to delete an existing dial plan


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to delete, and then click Delete.
3. On the warning page, click Yes.

Use Exchange Online PowerShell to delete an existing dial plan


This example deletes a UM dial plan named MyUMDialPlan.

Remove-UMDialPlan -Identity MyUMDialPlan


UM IP gateways
3/6/2019 • 7 minutes to read

A Unified Messaging (UM) IP gateway represents a physical Voice over IP (VoIP) gateway, IP Private Branch
eXchange (PBX), or session border controller (SBC) hardware device. Before a VoIP gateway, IP PBX, or SBC can
be used to answer incoming calls and send outgoing calls for voice mail users, a UM IP gateway must be created
in the directory service.

Overview of UM IP gateways
Traditionally, gateway is a term that describes a physical device that connects two incompatible networks. With
Exchange Unified Messaging and other unified messaging solutions, the VoIP gateway is used to translate
between the Public Switched Telephone Network (PSTN)/Time Division Multiplex (TDM) or circuit-switched
based telephony network and an IP or packet-switched data network. An IP PBX also translates between the
PSTN network and a packet-switched network, so when an IP PBX is used, a VoIP gateway isn't required. A VoIP
gateway is only required if you are connecting a legacy PBX hardware device to your UM deployment.

NOTE
A packet-switched network is a network in which packets (messages or fragments of messages) are individually routed
between devices such as routers, switches, VoIP gateways, IP PBXs, and SBCs. This contrasts with a circuit-switched network
that sets up a dedicated connection between the two nodes for their exclusive use for the duration of the communication.

Exchange Unified Messaging relies on the ability of the VoIP gateway to translate TDM or telephony
circuit-switched based protocols, such as Integrated Services Digital Network (ISDN) or QSIG, from a PBX to
protocols based on VoIP or IP, such as Session Initiation Protocol (SIP), Realtime Transport Protocol (RTP), or
T.38 for real-time facsimile transport.
IP PBXs are also used when connecting a circuit-switched telephony network to a data or packet-switched
network. They are also used to translate circuit-switched protocols to protocols based on VoIP or IP, such as SIP,
RTP, and Secure RTP (SRTP).
Session Border Controllers (SBCs) are somewhat different than VoIP gateways and IP PBXs. Instead of
connecting a circuit-switched network to a packet-switched network, they're used to connect two data networks
over a public network like the internet or over a private WAN connection. In Unified Messaging, SBCs are used in
a hybrid deployment of UM in which UM uses some components that are located on-premises and others, such as
mailboxes, that are located in the cloud.
VoIP device configurations
Although there are many types and manufacturers of PBXs, VoIP gateways, IP PBXs, and SBCs, there are basically
three types of VoIP device configurations:
IP PBX: A single device that translates between the PSTN/TDM or circuit-switched based telephony
network and an IP or packet-switched data network
PBX (legacy) and a VoIP gateway: Two separate components that together translate between the
PSTN/TDM or circuit-switched telephony network and an IP or packet-switched data network
SBC: Single or multiple devices that connect two types of IP-based networks such as a LAN and a
datacenter.
To support Unified Messaging, one or both types of IP/VoIP device configurations are used when connecting a
telephony network infrastructure to a data network infrastructure or connecting an on-premises deployment with
a UM deployment in the cloud.

UM IP gateways
The UM IP gateway contains one or more UM hunt groups and configuration settings. UM hunt groups are used
to link a UM IP gateway to a UM dial plan. The combination of the UM IP gateway and a UM hunt group
establishes a link between a VoIP gateway, IP PBX, or SBC and a UM dial plan. By creating multiple UM hunt
groups, you can associate a single UM IP gateway with multiple UM dial plans.
After you create a UM IP gateway, the Exchange servers linked to the UM IP gateway will send a SIP OPTIONS
request to the VoIP gateway, IP PBX, or SBC to ensure that the device is responsive. If the VoIP gateway, IP PBX,
or SBC doesn't respond to the request, an Exchange server will log an event with ID 1400 stating that the request
failed. If this happens, make sure that the VoIP gateway, IP PBX, or SBC is available and online and that the
Unified Messaging configuration is correct.
A Mailbox server communicates only with VoIP gateways, IP PBXs, or SBCs listed as trusted SIP peers. In some
cases, if two VoIP gateways, IP PBXs, or SBCs are configured to use the same IP address, an event with ID 1175
will be logged. Unified Messaging protects against unauthorized requests by retrieving the internal URL of the
Unified Messaging Web services virtual directory and then uses the URL to build the list of FQDNs for the trusted
SIP peers. When two FQDNs are resolved to the same IP address, this event is logged.

IPv6 support for UM IP gateways


Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP). IPv6 is intended to
correct many of the shortcomings of IPv4, which was the previous version of the IP. In Microsoft Exchange Server
2010 on-premises and hybrid deployments, IPv6 was supported only when IPv4 was also used.
In Exchange Server on-premises and hybrid deployments, UM-related components and speech services run only
on Client Access and Mailbox servers. Because the UM architecture has changed and now requires Unified
Communications Managed API (UCMA) v4.0 to support both IPv4 and IPv6 as well as other Exchange features,
the Client Access and Mailbox servers that have Unified Messaging components and services fully support IPv6
networks and don't require IPv4.
In on-premises, hybrid, and Exchange Online deployments, both enterprise and Exchange Online UM
administrators can use IPv6 when they connect UM to IPv6-capable devices, including devices such as routers, IP
gateways, IP PBXs, and Microsoft Office Communications Server 2007 R2 and Microsoft Lync servers. However,
for interoperability and backward compatibility, IPv4 can be used instead without additional configuration changes
if the IPAddressFamily parameter is set to Any on UM IP gateways.
Exchange UM must still communicate directly with SIP peers (VoIP gateways, IP PBXs, and SBCs) that may not
support IPv6 in their software or firmware. If they don't support IPv6, UM must be able to communicate directly
with SIP peers that use IPv4. For hosted voice mail, UM communicates with customer equipment through SBCs,
Lync Server 2010, or Lync Server 2013. In hosted environments, IPv6 SIP-aware clients such as SBCs and Lync
servers can be deployed to handle the IPv6-to-IPv4 conversion process.
For on-premises and hybrid deployments after you install your Client Access and Mailbox servers, and for
Exchange Online UM deployments, you need to create UM IP gateways. If you need your UM IP gateways to
support IPv6, you must also:
1. Create a new UM IP gateway or configure an existing UM IP gateway with an IPv6 address for each of the
IP gateways, IP PBXs, or SBCs on your network. When you're creating and configuring the required UM IP
gateways, you must add the IPv6 address or the Fully Qualified Domain Name (FQDN) for the UM IP
gateway. If you're adding the FQDN to the UM IP gateway, you must have created the correct DNS records
to resolve the UM IP gateway FQDN to the IPv6 address. If you have an existing UM IP gateway, you can
use the Set-UMIPgateway cmdlet to configure the IPv6 address or FQDN.
2. Configure the IPAddressFamily parameter on each UM IP gateway. To enable the VoIP gateway to accept
IPv6 packets, you must set the UM IP gateway to either accept both IPv4 and IPv6 connections, or accept
only IPv6 connections, by using the Set-UMIPgateway cmdlet.
3. After you've configured your UM IP gateways, you must also configure the VoIP gateways, IP PBXs, and
SBCs on your network to support IPv6. For details, see your hardware vendor for a list of devices that
support IPv6 and how to correctly configure them.

NOTE
The maximum number of UM IP gateways per dial plan is 200. If you create more than 200, the UM service won't start.

Enabling and disabling a UM IP gateway


By default, a UM IP gateway is left in an enabled state after it's created. However, the UM IP gateway can be
enabled or disabled. If you disable a UM IP gateway, you can set it to force all Exchange servers to drop existing
calls. Alternatively, you can set it to force the Exchange servers associated with the UM IP gateway to stop
handling any new calls presented by the VoIP gateway, IP PBX, or SBC.
If you're integrating Unified Messaging with Office Communications Server R2 or Microsoft Lync Server, you
must allow only one UM IP gateway to make outgoing calls for users, and disable outbound calling on all other
UM IP gateways associated with your SIP URI dial plans. Use either Exchange Online PowerShell or the EAC to
disable outbound calling.
When selecting the UM IP gateway through which to allow outgoing calls for on-premises and hybrid
deployments, choose the one that's likely to handle the most traffic. Don't allow outgoing traffic through a UM IP
gateway that connects to a pool of Lync Server Directors. This is necessary to ensure that outbound calls to
external users placed by a Mailbox server running the Microsoft Exchange Unified Messaging service (for
example, in Play-on-Phone scenarios) reliably traverse the corporate firewall.
UM IP gateway procedures
2/28/2019 • 2 minutes to read

Create a UM IP gateway
Manage a UM IP gateway
Enable a UM IP gateway
Disable a UM IP gateway
Configure a fully qualified domain name
Configure the IP address
Configure the listening port
Delete a UM IP gateway
Create a UM IP gateway
2/28/2019 • 4 minutes to read

When you create a Unified Messaging (UM) IP gateway, you enable Exchange servers to connect to a new Voice
over IP (VoIP) gateway, a Private Branch eXchange (PBX) enabled for Session Initiation Protocol (SIP), an IP
PBX, or a session border controller (SBC). Immediately after you create a UM IP gateway, you should create a
new UM hunt group and then associate the UM hunt group with the UM IP gateway. You can associate the UM
IP gateway with one or more UM dial plans by creating one or more UM hunt groups.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps,
see Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to create a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP gateways, and then click New.
2. On the New UM IP gateway page, enter the following information:
Name: Use this box to specify a unique name for the UM IP gateway. This is a display name that appears
in the EAC. If you have to change the display name of the UM IP gateway after it's been created, you must
first delete the existing UM IP gateway, and then create another UM IP gateway that has the name that
you want. The UM IP gateway name is required, but it's used for display purposes only. Because your
organization may use multiple UM IP gateways, we recommend that you use meaningful names for your
UM IP gateways. The maximum length of a UM IP gateway name is 64 characters, and it can include
spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Address: You can configure a UM IP gateway with either an IP address or a fully qualified domain name
(FQDN). Use this box to specify the IP address configured on the VoIP gateway, SIP-enabled PBX, IP PBX,
or SBC, or an FQDN. This box accepts only FQDNs that are valid and formatted correctly.
You can enter alphabetical and numeric characters in this box. IPv4 addresses, IPv6 addresses, and
FQDNs are supported. If you want to use mutual Transport Layer Security (mutual TLS) between a UM IP
gateway and a dial plan operating in either SIP secured or Secured mode, you must configure the UM IP
gateway with an FQDN. You must also configure it to listen on port 5061 and verify that any VoIP
gateways or IP PBXs have also been configured to listen for mutual TLS requests on port 5061. To
configure a UM IP gateway, run the following command:
Set-UMIPGateway -identity MyUMIPGateway -Port 5061

If you use an FQDN, you must also make sure that you've correctly configured a DNS host record for the
VoIP gateway so that the host name will be correctly resolved to an IP address. Also, if you use an FQDN
instead of an IP address, and the DNS configuration for the UM IP gateway is changed, you must disable
and then enable the UM IP gateway to make sure that configuration information for the UM IP gateway is
updated correctly.
UM dial plan: Click Browse to select the UM dial plan that you want to associate with the UM IP
gateway. When you select a UM dial plan to associate with a UM IP gateway, a default UM hunt group is
also created and associated with the UM dial plan that you selected. If you don't select a UM dial plan, you
must manually create a UM hunt group and then associate that UM hunt group with the UM IP gateway
that you create.
3. Click Save.

Use Exchange Online PowerShell to create a UM IP gateway


This example creates a UM IP gateway named MyUMIPGateway that enables Exchange servers to start accepting
calls from a VoIP gateway, a PBX enabled for SIP, an IP PBX, or an SBC that has an IP address of 10.10.10.1.

New-UMIPGateway -Name MyUMIPGateway -Address 10.10.10.1

This example creates a UM IP gateway named MyUMIPGateway that enables Exchange servers to start accepting
calls from a VoIP gateway, a PBX enabled for SIP, an IP PBX, or an SBC that has an FQDN of
MyUMIPGateway.contoso.com and listens on port 5061.

New-UMIPGateway -Name MyUMIPGateway -Address "MyUMIPGateway.contoso.com" -Port 5061

This example creates a UM IP gateway named MyUMIPGateway and prevents the UM IP gateway from accepting
incoming calls or sending outgoing calls, sets an IPv6 address, and allows the UM IP gateway to use IPv4 and
IPv6 addresses.

New-UMIPGateway -Name MyUMIPGateway -Address fe80::39bd:88f7:6969:d223%11 -IPAddressFamily Any -Status Disabled -OutcallsAllowed $false

Manage a UM IP gateway
2/28/2019 • 5 minutes to read

After you create a Unified Messaging (UM) IP gateway, you can view or configure a variety of settings. For
example, you can configure the IP address or a fully qualified domain name (FQDN), configure outgoing call
settings, and enable or disable Message Waiting Indicator.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view or configure UM IP gateway properties


1. In the EAC, navigate to Unified Messaging > UM IP Gateways. In the list view, select the UM IP gateway
that you want to manage, and then click Edit.
2. Use the UM IP Gateway page to view and configure settings for the UM IP gateway. You can view or
configure the following settings:
Status: This display-only field shows the status of the UM IP gateway.
Name: Use this box to specify a unique name for the UM IP gateway. This is a display name that appears in
the EAC. If you have to change the display name of the UM IP gateway after it's been created, you must first
delete the existing UM IP gateway, and then create another UM IP gateway that has the appropriate name.
The UM IP gateway name is required, but it's used for display purposes only. Because your organization
may use multiple UM IP gateways, we recommend that you use meaningful names for your UM IP
gateways. The maximum length of a UM IP gateway name is 64 characters, and it can include spaces.
Address: You can configure a UM IP gateway with either an IP address or a fully qualified domain name
(FQDN). Use this box to specify the IP address or FQDN configured on the VoIP gateway, SIP-enabled
PBX, IP PBX, or SBC.
You can enter alphabetical and numeric characters in this box. IPv4 addresses, IPv6 addresses, and FQDNs
are supported. If you use an FQDN, you must also make sure that you have correctly configured a DNS
host record for the VoIP gateway so that the host name will be correctly resolved to an IP address. Also, if
you use an FQDN instead of an IP address, and the DNS configuration for the UM IP gateway is changed,
you must disable and then enable the UM IP gateway to make sure that configuration information for the
UM IP gateway is updated correctly.
If you want to use mutual Transport Layer Security (mutual TLS) between a UM IP gateway and a dial plan
operating in either SIP secured or Secured mode, you must configure the UM IP gateway with an FQDN.
You must also configure it to listen on port 5061 and verify that any IP gateways or IP PBXs have also been
configured to listen for mutual TLS requests on port 5061. To configure a UM IP gateway, run the following
command: Set-UMIPGateway -Identity MyUMIPGateway -Port 5061.
Allow outgoing calls through this UM IP gateway: Select this check box to allow the UM IP gateway to
accept and process outgoing calls. This setting doesn't affect call transfers or incoming calls from a VoIP
gateway.
By default, when the UM IP gateway is created, this setting is enabled. If you disable this setting, users
associated with the dial plan won't be able to make outgoing calls through the VoIP gateway, IP PBX, or
SBC defined in the Address field.
Allow message waiting indicator: Select this check box to allow voice mail notifications to be sent to
users for calls taken by the UM IP gateway. This setting allows the UM IP gateway to receive and send SIP
NOTIFY messages for users. This setting is enabled by default and allows message waiting notifications to
be sent to users.
Message Waiting Indicator can refer to any mechanism that indicates the existence of a new or unheard
message. The indication that a new voice message has arrived can be found in the Inbox in clients such as
Outlook and Outlook Web App. It can take the form of a Short Messaging Service (SMS) or text message
sent to a registered mobile phone, an outbound call made from an Exchange server to a preconfigured
number, or a lighted desktop phone lamp for a user.

Use Exchange Online PowerShell to configure UM IP gateway properties

This example modifies the IP address of a UM IP gateway named MyUMIPGateway.

Set-UMIPGateway -Identity MyUMIPGateway -Address 10.10.10.1

This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming calls and prevents
outgoing calls.

Set-UMIPGateway -Identity MyUMIPGateway -Address voipgateway.contoso.com -Status 2 -OutcallsAllowed $false

This example enables the UM IP gateway to function as a VoIP gateway simulator so that it can be used with the
Test-UMConnectivity cmdlet.

Set-UMIPGateway -Identity MyUMIPGateway -Simulator $true

IMPORTANT
There is a period of latency before all changes that you make to the configuration of a UM IP gateway replicate to all
Exchange servers in the same UM dial plan as the UM IP gateway.

This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming calls and prevents
outgoing calls, sets an IPv6 address, and allows the UM IP gateway to use IPv4 and IPv6 addresses.

Set-UMIPGateway -Identity MyUMIPGateway -Address fe80::39bd:88f7:6969:d223%11 -IPAddressFamily Any -Status Disabled -OutcallsAllowed $false

Use Exchange Online PowerShell to view UM IP gateway properties


This example displays a formatted list of all the UM IP gateways in the Active Directory forest.

Get-UMIPGateway | Format-List

This example displays the properties for a UM IP gateway named MyUMIPGateway.

Get-UMIPGateway -Identity MyUMIPGateway

This example displays all the UM IP gateways including VoIP gateway simulators in the Active Directory forest.

Get-UMIPGateway -IncludeSimulator $true


Enable a UM IP gateway
2/28/2019 • 2 minutes to read

By default, when a Unified Messaging (UM) IP gateway is created, its status is set to enabled. However, you might
need to disable the UM IP gateway to take it offline and not allow it to take incoming or outgoing calls. After you
create a UM IP gateway, you can control its operation and functionality by setting its status variable to enabled or
disabled.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created and has been
disabled. For detailed steps, see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
enable, and then click the Up arrow.
2. On the Warning page, click Yes.

Use Exchange Online PowerShell to enable a UM IP gateway


This example enables a UM IP gateway named MyUMIPGateway.

Enable-UMIPGateway -Identity MyUMIPGateway


Disable a UM IP gateway
2/28/2019 • 2 minutes to read

By default, when you create a Unified Messaging (UM) IP gateway, the status of the UM IP gateway is enabled.
After the UM IP gateway is created, you can disable the operation of the gateway by setting its status to disabled.
After you disable the UM IP gateway, the Voice over IP (VoIP) gateway, IP Private Branch eXchange (PBX), or
session border controller (SBC) that it's configured to use can no longer process incoming Unified Messaging calls.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created and is enabled. For
detailed steps, see Create a UM IP gateway and Enable a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
disable, and then click the Down arrow.
2. On the Warning page, click Yes.

Use Exchange Online PowerShell to disable a UM IP gateway


This example disables a UM IP gateway named MyUMIPGateway and stops it from accepting incoming calls from a
VoIP gateway, IP PBX, or SBC.

Disable-UMIPGateway -Identity MyUMIPGateway

This example disables a UM IP gateway named MyUMIPGateway and disconnects all current calls immediately.

Disable-UMIPGateway -Identity MyUMIPGateway -Immediate $true


Configure a fully qualified domain name
2/28/2019 • 2 minutes to read

You can configure a Unified Messaging (UM) IP gateway with either an IP address or a fully qualified domain
name (FQDN). When you create a UM IP gateway, you must define the IP address or the FQDN configured on the
VoIP gateway, IP PBX, or session border controller (SBC) that you're using. You can change the IP address or
FQDN after the UM IP gateway is created.
If you create a UM IP gateway using an FQDN, you must create the appropriate HOST (A) records in your DNS
forward lookup zone. If you create a UM IP gateway using an FQDN, and the DNS configuration for the UM IP
gateway is changed, you must disable and then enable the UM IP gateway to make sure that its configuration
information is updated correctly.
If you want to use mutual Transport Layer Security (mutual TLS) between a UM IP gateway and a dial plan
operating in either SIP secured or Secured mode, you must configure the UM IP gateway with an FQDN. You
must also configure it to listen on port 5061 and verify that the VoIP gateway, IP PBX, or SBC has also been
configured to listen for mutual TLS requests on port 5061. To configure a UM IP gateway, run the following
command: Set-UMIPGateway -Identity MyUMIPGateway -Port 5061.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure an FQDN


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway that you want
to modify, and then click Edit.
2. On the UM IP gateway page, in Address, enter the FQDN for the VoIP gateway, PBX enabled for SIP, IP
PBX, or SBC.
3. Click Save.

IMPORTANT
When you use an FQDN instead of an IP address on the UM IP gateway, verify that the correct DNS records have been
created.

Use Exchange Online PowerShell to configure an FQDN


This example configures a UM IP gateway named MyUMIPGateway with an FQDN named voipgateway.contoso.com.

Set-UMIPGateway -Identity MyUMIPGateway -Address voipgateway.contoso.com

This example configures a UM IP gateway named MySBC with an FQDN of sbc.contoso.com and listens for SIP
requests on TCP port 5061.

Set-UMIPGateway -Identity MySBC -Address sbc.contoso.com -Port 5061


Configure the IP address
2/28/2019 • 2 minutes to read

Before you create a Unified Messaging (UM) IP gateway, you must first set the IP address or the fully qualified
domain name (FQDN) on the VoIP gateway, IP PBX, or session border controller (SBC) that you're using. Then,
when you create the UM IP gateway, you set the IP address or FQDN. You can change the IP address or FQDN
later.
You can configure the IP address or FQDN using either the EAC or Exchange Online PowerShell. In the EAC, the
Address box on the UM IP gateway page can accept an IPv4 IP address, an IPv6 address, or an FQDN. You can
also use the Address parameter on the Set-UMIPGateway cmdlet in Exchange Online PowerShell to set an IPv4
IP address, an IPv6 address, or an FQDN. If you create a UM IP gateway using an FQDN, you must create the
appropriate HOST (A) records in your DNS forward lookup zone. If the DNS configuration for the UM IP gateway
is changed, you must disable and then enable the UM IP gateway to make sure that its configuration information is
updated correctly.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection..

Use the EAC to configure the IP address on a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway that you want
to modify, and then click Edit.
2. On the UM IP gateway page, in the Address box, enter the IP address for the VoIP gateway, IP PBX, or
session border controller (SBC).
3. Click Save to save your changes.

IMPORTANT
If you use an FQDN instead of an IP address on the UM IP gateway, verify that the correct DNS records have been created.

Use Exchange Online PowerShell to configure the IP address on a UM IP gateway

This example configures a UM IP gateway named MyUMIPGateway with an IP address of 10.10.10.1.

Set-UMIPGateway -Identity MyUMIPGateway -Address 10.10.10.1

This example configures a UM IP gateway named MyUMIPGateway with an IP address of 10.10.10.10 and listens for
SIP requests on TCP port 5061.

Set-UMIPGateway -Identity MyUMIPGateway -Address 10.10.10.10 -Port 5061

This example prevents the UM IP gateway named MyUMIPGateway from accepting incoming and outgoing calls, sets
an IPv6 address, and allows the UM IP gateway to use IPv4 and IPv6 addresses.

Set-UMIPGateway -Identity MyUMIPGateway -Address fe80::39bd:88f7:6969:d223%11 -IPAddressFamily Any -Status Disabled -OutcallsAllowed $false

Configure the listening port
2/28/2019 • 2 minutes to read

You can configure the TCP port that's used to listen for Session Initiation Protocol (SIP) requests on a Unified
Messaging (UM) IP gateway. By default, when you create a UM IP gateway, the TCP SIP listening port number is
set to 5060. The TCP SIP listening port can't be configured or changed by using the EAC. You must configure the
TCP SIP listening port number by using the Set-UMIPGateway cmdlet.
You may have to configure the TCP listening port number to 5061 if you want to:
Set the VoIP security setting on a UM dial plan to SIP Secured.
Set the VoIP security setting on a UM dial plan to Secured.
Integrate with Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server.
Use mutual Transport Layer Security (mutual TLS) to encrypt network data between Exchange servers and
a VoIP gateway, Private Branch eXchange (PBX) enabled for SIP, IP PBX, or session border controller (SBC).
If you want to use mutual TLS between a UM IP gateway and a dial plan operating in either SIP Secured or
Secured mode, when you create the UM IP gateway you must configure it with a fully qualified domain name
(FQDN) and then use Exchange Online PowerShell to configure the UM IP gateway to listen on TCP port 5061.
You must also verify that any VoIP gateways, PBXs enabled for SIP, IP PBXs, and SBCs have also been configured
to listen for mutual TLS requests on port 5061.

IMPORTANT
When you create a UM IP gateway using an FQDN, you must create the appropriate HOST (A) records in your DNS forward
lookup zone. If you create a UM IP gateway using an FQDN, and the DNS configuration for the UM IP gateway is changed,
you must disable and then enable the UM IP gateway to make sure that the UM IP gateway's configuration information is
updated correctly.

For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM IP gateway has been created. For detailed steps, see
Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to configure the TCP listening port


This example configures a UM IP gateway named MyUMIPGateway that has an FQDN of
mTLS.MyUMIPGateway.contoso.com and listens for SIP requests on TCP port 5061.

Set-UMIPGateway -Identity MyUMIPGateway -Address mTLS.MyUMIPGateway.contoso.com -Port 5061

This example configures a UM IP gateway named MyUMIPGateway that has an FQDN of
SIPSecured.MyUMIPGateway.contoso.com and listens for SIP requests on TCP port 5061.

Set-UMIPGateway -Identity MyUMIPGateway -Address SIPSecured.MyUMIPGateway.contoso.com -Port 5061

This example configures a UM IP gateway named MyUMIPGateway that has an FQDN of
MyOCSUMIPGateway.contoso.com and listens for SIP requests on TCP port 5061.

Set-UMIPGateway -Identity MyUMIPGateway -Address MyOCSUMIPGateway.contoso.com -Port 5061
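
The mutual TLS prerequisites stated in this topic (an FQDN address, TCP port 5061, and a resolvable DNS host record) can be checked across gateways before a dial plan is switched to SIP Secured or Secured. The following is an added example, not part of the original documentation; the function name Test-UMGatewayMutualTls, the gateway named LegacyGateway, and the assumption that gateway objects expose Name, Address, and Port properties are all introduced here for illustration.

```powershell
# Added example: checks gateway settings against the mutual TLS prerequisites
# described in this topic. Not code from the Exchange documentation.
# Assumption: input objects expose Name, Address and Port properties.
function Test-UMGatewayMutualTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Gateway,

        # Skip the DNS lookup, for example when running offline
        [switch]$SkipDns
    )
    process {
        $address  = [string]$Gateway.Address
        $findings = [System.Collections.Generic.List[string]]::new()

        # An address that parses as an IPv4 or IPv6 literal cannot be an FQDN
        $parsed = $null
        $isIp   = [System.Net.IPAddress]::TryParse($address, [ref]$parsed)
        # Require at least two dot-separated labels (a bare host name is not fully qualified)
        $isFqdn = (-not $isIp) -and ($address -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?$')

        if ($isIp) {
            $findings.Add('Address is an IP address; mutual TLS requires an FQDN')
        }
        elseif (-not $isFqdn) {
            $findings.Add('Address is not a fully qualified domain name')
        }

        if ([int]$Gateway.Port -ne 5061) {
            $findings.Add("Port is $($Gateway.Port); mutual TLS requires 5061")
        }

        # The FQDN must resolve through a DNS host record
        if ($isFqdn -and -not $SkipDns) {
            try {
                $null = [System.Net.Dns]::GetHostAddresses($address)
            }
            catch {
                $findings.Add("No DNS host record resolves for $address")
            }
        }

        [pscustomobject]@{
            Name     = $Gateway.Name
            Address  = $address
            Port     = $Gateway.Port
            Ready    = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample data modelled on the addresses used in this topic's examples
$sampleGateways = @(
    [pscustomobject]@{ Name = 'MyUMIPGateway'; Address = '10.10.10.10';                  Port = 5061 }
    [pscustomobject]@{ Name = 'MySBC';         Address = 'sbc.contoso.com';              Port = 5061 }
    [pscustomobject]@{ Name = 'LegacyGateway'; Address = 'voipgateway.contoso.com';      Port = 5060 }
    [pscustomobject]@{ Name = 'IPv6Gateway';   Address = 'fe80::39bd:88f7:6969:d223%11'; Port = 5060 }
)

$sampleGateways | Test-UMGatewayMutualTls -SkipDns | Format-Table -AutoSize -Wrap

# Assumed usage against a live organization:
# Get-UMIPGateway | Test-UMGatewayMutualTls
```

In the sample, only MySBC meets the prerequisites. The gateway at 10.10.10.10 listens on port 5061 but still fails the check because its address is not an FQDN.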


Delete a UM IP gateway
2/28/2019 • 2 minutes to read

When you delete a Unified Messaging (UM) IP gateway, Exchange servers can no longer accept incoming calls
from the Voice over IP (VoIP) gateway, Session Initiation Protocol (SIP)-enabled Private Branch eXchange (PBX),
IP PBX, or session border controller (SBC) associated with the UM IP gateway.

IMPORTANT
You should delete a UM IP gateway only when you fully understand the implications of disabling communication with a VoIP
gateway, IP PBX, or SBC.

For additional tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to delete a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
delete, and then click Delete.
2. On the Warning page, click Yes.

Use Exchange Online PowerShell to delete a UM IP gateway


This example deletes the UM IP gateway named MyUMIPGateway.

Remove-UMIPGateway -Identity MyUMIPGateway


UM hunt groups
2/28/2019 • 7 minutes to read

A telephony hunt group provides a way to distribute telephone calls from a single number to multiple extensions
or telephone numbers. In Unified Messaging (UM), a UM hunt group is a logical representation of a telephony
hunt group, and it links a UM IP gateway to a UM dial plan.
Looking for management tasks related to Unified Messaging hunt groups? See UM hunt group procedures.

What is a hunt group?


Hunt group is a term used to describe a group of Private Branch eXchange (PBX) or IP PBX extension numbers
that are shared by users. Hunt groups are used to efficiently distribute calls into or out of a specific business unit.
Creating and defining a hunt group minimizes the chance that a caller who places an incoming call will receive a
busy signal when the call is received.
Hunt groups are used to locate an open line, extension, or channel when an incoming call is received. Calls are
"rolled over" to the next available line when a primary phone line is busy or isn't answered. The calling party gets a
busy signal or is sent to voice mail only if no extensions in the group are open. For example, a PBX or IP PBX
might be configured to have 10 extension numbers for the sales department. The 10 sales extension numbers
would be configured as one hunt group.
The settings for a simple hunt group include a name, an extension number, a list of available group members, and a
hunt group selection method. The hunt group selection method determines the order in which incoming calls are
presented to the members of the hunt group.
There are multiple algorithms or methods that a PBX or IP PBX can use to locate an open line, extension, or
channel. These include:
Group hunt or ring all extensions: When an incoming call is received on the hunt group extension
number, the PBX or IP PBX rings all extension numbers in the group.
Start with lowest number or linear hunting: This is the default setting on most PBXs and IP PBXs. With
this method, calls are routed to the first idle line in sequential order, starting with the first line in the group.
This configuration is most often found on multiline phones at small businesses.
Round-robin or circular hunting: With this method, calls are routed to the first idle line, starting with the
line after the one that last handled a call. When calls are distributed using the "round-robin" method, if a call
is delivered to line 1, the next call goes to line 2, the next to line 3, and so on. This process continues even if
one of the previous lines becomes free. When the end of the hunt group is reached, the hunting starts over
at the first line. Lines are skipped only if they are still busy on a previous call. Circular or round-robin
hunting spreads call disruption evenly throughout all the calls, minimizing the possibility for a major
disruption in service.
Most-idle or uniform-distribution hunting: With this method, the call is routed to the first available line
in the group that has been idle the longest. This method uses the length of time that the person taking the
call has been busy instead of whether the line is available. This method is typically used in large call centers
where the incoming calls are being answered by people and the load is distributed evenly across the group
of extension numbers.
You can configure one or more hunt groups. Each hunt group must include a minimum of two lines. If a number is
already being used in one hunt group, it won't be available in another.
Following are examples of simple telephony hunt groups and how they work.
Example 1
Extension 300 (pilot number) is programmed so that when a call comes in, it rings extension 301, then 302, then
303, then 304.
1. Extension 301 is busy.
2. Extension 302 rings and isn't answered.
3. Extension 303 answers the call.
4. Extension 304 is free and waiting for an incoming call.
Example 2
Extension 1000 (pilot number) is programmed so that when a call comes in, it rings all the extensions 2000
through 2003 at the same time:
1. Extension 2000 is free.
2. Extension 2001 is free.
3. Extension 2002 is free.
4. Extension 2003 answers the incoming call.
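
The four hunting methods described above can be compared on the lines from Example 1. The following is an added example, not part of the original documentation and not PBX vendor code; the function names Get-HuntOrder and Resolve-HuntCall, the line properties (Extension, Busy, Answers, IdleSeconds), and the IdleSeconds and LastIndex values are constructed for illustration.

```powershell
# Added example: models the hunting methods described in this topic.
# Line objects and their properties are constructed for illustration only.

function Get-HuntOrder {
    # Returns the idle lines in the order the chosen method would try them
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RingAll', 'Linear', 'RoundRobin', 'MostIdle')]
        [string]$Method,

        [Parameter(Mandatory)]
        [object[]]$Lines,

        # Index of the line that handled the previous call (used by RoundRobin)
        [int]$LastIndex = -1
    )
    $count = $Lines.Count
    switch ($Method) {
        'RingAll'    { $ordered = $Lines }    # all idle lines ring at once
        'Linear'     { $ordered = $Lines }    # always start at the first line
        'RoundRobin' {
            # Start with the line after the one that last handled a call, wrapping around
            $ordered = for ($step = 1; $step -le $count; $step++) {
                $Lines[($LastIndex + $step) % $count]
            }
        }
        'MostIdle'   { $ordered = $Lines | Sort-Object -Property IdleSeconds -Descending }
    }
    # Every method skips lines that are busy
    return @($ordered | Where-Object { -not $_.Busy })
}

function Resolve-HuntCall {
    # Walks the hunt order and reports which extensions rang and which one answered
    param(
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][object[]]$Lines,
        [int]$LastIndex = -1
    )
    $order      = @(Get-HuntOrder -Method $Method -Lines $Lines -LastIndex $LastIndex)
    $rang       = [System.Collections.Generic.List[string]]::new()
    $answeredBy = $null

    if ($Method -eq 'RingAll') {
        # Every idle extension rings at the same time
        $order | ForEach-Object { $rang.Add([string]$_.Extension) }
        $answeredBy = ($order | Where-Object { $_.Answers } | Select-Object -First 1).Extension
    }
    else {
        # The call rolls over to the next line when a line is not answered
        foreach ($line in $order) {
            $rang.Add([string]$line.Extension)
            if ($line.Answers) { $answeredBy = $line.Extension; break }
        }
    }

    [pscustomobject]@{
        Method     = $Method
        Rang       = $rang -join ', '
        AnsweredBy = if ($answeredBy) { $answeredBy } else { 'none: busy signal or voice mail' }
    }
}

# Lines behind pilot number 300 from Example 1: 301 is busy, 302 is not answered,
# 303 and 304 are free. IdleSeconds values are constructed.
$huntGroup = @(
    [pscustomobject]@{ Extension = 301; Busy = $true;  Answers = $false; IdleSeconds = 0  }
    [pscustomobject]@{ Extension = 302; Busy = $false; Answers = $false; IdleSeconds = 40 }
    [pscustomobject]@{ Extension = 303; Busy = $false; Answers = $true;  IdleSeconds = 15 }
    [pscustomobject]@{ Extension = 304; Busy = $false; Answers = $true;  IdleSeconds = 90 }
)

# LastIndex 2 means extension 303 handled the previous call
'Linear', 'RoundRobin', 'MostIdle', 'RingAll' |
    ForEach-Object { Resolve-HuntCall -Method $_ -Lines $huntGroup -LastIndex 2 } |
    Format-Table -AutoSize
```

With linear hunting the call rings 302 and then 303, as in Example 1, while round-robin and most-idle hunting both deliver it to 304 first.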

What is a pilot number?


In a telephony network, a PBX or an IP PBX can be configured to have a single hunt group or multiple hunt
groups. Each hunt group created on a PBX or IP PBX must have an associated pilot number. Using a pilot number
helps to eliminate busy signals and to route incoming calls to the extension numbers that are available. The PBX or
IP PBX uses the pilot number to locate the hunt group and in turn to locate the telephone extension number on
which the incoming call was received and the extensions that are assigned to the hunt group. Without a defined
pilot number, the PBX or IP PBX can't locate where the incoming call was received.
A pilot number is the address, extension, or location of the hunt group inside the PBX or IP PBX. It's generally a
blank extension number or one extension number from a hunt group of extension numbers that doesn't have a
person or telephone associated with it. For example, you might configure a hunt group on a PBX or IP PBX to
contain extension numbers 4100, 4101, 4102, 4103, 4104, and 4105. The pilot number for the hunt group is
configured as extension 4100. When a call is received on extension number 4100, the PBX or IP PBX looks for the
next available extension number to determine where to deliver the call. In this example, the PBX or IP PBX will use
its programmed search algorithm to look at extension numbers 4101, 4102, 4103, 4104, and 4105.
Using a pilot number helps eliminate busy signals and helps route incoming calls to the extension numbers that
are available. In Unified Messaging, the PBX or IP PBX pilot number is used as the target. If none of the extension
numbers in the hunt group answer an incoming call, the call is routed to a Mailbox server running the Microsoft
Exchange Unified Messaging service.

What is a UM hunt group?


Unified Messaging hunt groups are critical to the operation of the UM system. A UM hunt group is a logical
representation of an existing PBX or IP PBX hunt group. It's used to link a UM IP gateway with a UM dial plan. A
single UM hunt group can also link multiple UM IP gateways with a UM dial plan. By default, when you create a
UM IP gateway and associate it with a UM dial plan, a UM hunt group is created, and you can also create other
hunt groups. You must create at least one UM hunt group.
UM hunt groups are used to locate the PBX or IP PBX hunt group from which an incoming call is received. A pilot
number defined for a hunt group on the PBX or IP PBX must also be defined for the UM hunt group. The pilot
number is used to match the information presented for incoming calls using the Session Initiation Protocol (SIP)
signaling information on the voice message. The pilot number enables Exchange servers to interpret the call
together with the correct dial plan so that the call can be routed correctly. The absence of a hunt group prevents
Exchange servers from knowing the location of the incoming call. Knowing the location of incoming calls enables
the Exchange servers to accept the call header information that's passed from the VoIP gateway, IP PBX, or SIP-enabled
PBX. It's very important that you configure your UM hunt groups correctly, because incoming calls that
don't match the pilot number defined on the UM hunt group won't be answered, and routing of incoming calls will
fail.
In on-premises and hybrid deployments when you create a UM hunt group, you're enabling all Client Access and
Mailbox servers, regardless of whether they've been added to a UM dial plan, to communicate with a VoIP
gateway, IP PBX, or SIP-enabled PBX. This is because all Client Access and Mailbox servers answer incoming calls
for all dial plans, instead of for a specific UM dial plan like the UM server did in previous versions of Exchange. If
you delete the UM hunt group, the associated UM IP gateway won't be able to answer incoming calls from a VoIP
gateway, IP PBX, or SIP-enabled PBX or place outgoing calls through the VoIP gateway, IP PBX or SIP-enabled
PBX using the specified pilot number.
However, for on-premises and hybrid deployments if you're integrating UM with Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server, you must add all Client Access and Mailbox servers to
all SIP URI dial plans that have been created to work with Communications Server 2007 R2 or Lync Server. This
enables call routing and outdialing to work correctly.
For more information about UM IP gateways, see UM IP gateways.

UM hunt group procedures
2/28/2019 • 2 minutes to read

Create a UM hunt group
View a UM hunt group
Delete a UM hunt group

Create a UM hunt group
2/28/2019 • 2 minutes to read

A Unified Messaging (UM) hunt group is a logical representation of a Private Branch eXchange (PBX) or IP PBX
hunt group. A UM hunt group acts as a connection or link between a UM IP gateway and a UM dial plan.

NOTE
If you associate a UM dial plan with the UM IP gateway when you create a UM IP gateway, a UM hunt group will also be
created.

NOTE
If you want to change the settings for a UM hunt group, you must delete the hunt group and then create another hunt
group that has the appropriate settings.

For additional management tasks related to UM hunt groups, see UM hunt group procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM hunt groups" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create a UM hunt group


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM Dial Plan page, under UM Hunt Groups, click New.
3. On the New UM hunt group page, enter the following information:
Name: Use this box to create the display name for the UM hunt group. A UM hunt group name is required
and must be unique, but it's used only for display purposes in the EAC and Exchange Online PowerShell. If
you have to change the display name of the hunt group after it's been created, you must first delete the
existing hunt group and then create another hunt group that has the appropriate name.
If your organization uses multiple hunt groups, we recommend that you use meaningful names for your
hunt groups. The maximum length of a UM hunt group name is 64 characters, and it can include spaces.
However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
UM IP gateway: Use this box to specify the UM IP gateway to be used. Click Browse to select the UM IP
gateway, and then click OK.
Pilot identifier: Use this box to specify a string that uniquely identifies the pilot identifier configured on the
PBX or IP PBX.
An extension number or a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI) can be used
in this box. Alphanumeric characters are accepted in this box. For legacy PBXs, a numeric value is used as a
pilot identifier. However, some IP PBXs can use SIP URIs.
4. Click Save.

Use Exchange Online PowerShell to create a UM hunt group


This example creates a UM hunt group named MyUMHuntGroup that has a pilot identifier of 12345.

New-UMHuntGroup -Name MyUMHuntGroup -PilotIdentifier 12345 -UMDialplan MyUMDialPlan -UMIPGateway MyUMIPGateway

This example creates a UM hunt group named MyUMHuntGroup that has multiple pilot identifiers.

New-UMHuntGroup -Name MyUMHuntGroup -PilotIdentifier 5551234,55555 -UMDialplan MyUMDialPlan -UMIPGateway MyUMIPGateway

View a UM hunt group
2/28/2019 • 2 minutes to read

When you view the properties for a Unified Messaging (UM) hunt group, you can view the properties associated
with a single UM hunt group or with all UM hunt groups associated with a single UM IP gateway. If neither
parameter is specified, all UM hunt groups will be returned. You can't use the EAC to view UM hunt group
properties; you must use Exchange Online PowerShell.
After a UM hunt group has been created, the configured settings can't be changed. If you want to change a
configuration setting such as the pilot identifier on a UM hunt group, you must delete the existing UM hunt group
and create a new UM hunt group that has the correct settings.
For additional tasks related to UM hunt groups, see UM hunt group procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM hunt groups" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM gateway has been created. For detailed steps, see
Create a UM IP gateway.
Before you perform this procedure, confirm that a UM hunt group has been created. For detailed steps, see
Create a UM hunt group.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to view the properties of a UM hunt group

This example displays all the UM hunt groups in the Active Directory forest.

Get-UMHuntGroup

This example displays the details of a UM hunt group named MyUMHuntGroup in a formatted list.

Get-UMHuntGroup -identity MyUMIPGateway\MyUMHuntGroup | Format-List


NOTE
When you're using the Get-UMHuntGroup cmdlet, you can't enter only the name of the UM hunt group. You must also
include the name of the UM IP gateway that's associated with the UM hunt group.
Delete a UM hunt group
2/28/2019 • 2 minutes to read

After you delete a Unified Messaging (UM) hunt group, the UM IP gateway associated with the UM hunt group
will no longer service or answer incoming calls. If deleting the UM hunt group leaves the UM IP gateway without
any remaining configured hunt groups, the UM IP gateway can't handle or process UM calls.
For additional tasks related to UM hunt groups, see UM hunt group procedures.
Caution

If you want to change the UM hunt group settings, you must delete the hunt group and then create another hunt
group that has the appropriate settings.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM hunt groups" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
Before you perform these procedures, confirm that a UM hunt group has been created. For detailed steps,
see Create a UM hunt group.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to delete a UM hunt group


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the UM dial plan you
want to change, and on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Hunt Groups, select the hunt group you want to delete, and on the
toolbar, click Delete.
3. On the Warning page, click Yes.

Use Exchange Online PowerShell to delete a UM hunt group


This example deletes a UM hunt group named MyUMHuntGroup.

Remove-UMHuntGroup -identity MyUMHuntGroup


Automatically answer and route incoming calls
2/28/2019 • 9 minutes to read

Microsoft Exchange Unified Messaging (UM) enables you to create a single or multiple UM auto attendants,
depending on the needs of your organization. Unlike other Unified Messaging components, such as UM dial plans
and UM IP gateways, you aren't required to create UM auto attendants. However, auto attendants help internal
and external callers locate users or departments that exist in an organization and transfer calls to them. This topic
discusses the UM auto attendant feature found in Unified Messaging.

Auto attendants
In telephony or Unified Messaging environments, an automated attendant or auto attendant menu system
transfers callers to the extension of a user or department without the intervention of a receptionist or an operator.
In many auto attendant systems, a receptionist or operator can be reached by pressing or saying zero. The
automated attendant is a feature in most modern Private Branch eXchanges (PBXs), IP PBXs, and Unified
Messaging solutions.
Some auto attendant systems use message-only information menus and voice menus so an organization can
provide business hours, directions to the premises, information about job opportunities, and answers to other
frequently asked questions. After the message plays, callers are forwarded to the receptionist or operator, or they
can return to the main menu.
In more complex auto attendant systems, the menu system can be used to search for other auto attendant menus,
locate a user in the system, or transfer to another outside telephone line. The menu system can also be used to let
the caller interact with the system in certain situations, such as when a student enrolls for a college class or checks
a grade, or when you activate a credit card over the telephone.
Although auto attendants can be very useful, if they aren't designed and configured correctly, they can confuse and
frustrate callers. For example, especially in large organizations, when auto attendants aren't designed correctly,
callers can be led through a lengthy series of questions and menu prompts before they are finally transferred to a
person to answer their questions.

UM auto attendants
Unified Messaging enables you to create one or more UM auto attendants depending on the needs of your
organization. UM auto attendants can be used to create a voice menu system for an organization that lets external
and internal callers move through the UM auto attendant menu system to locate and place or transfer calls to
company users or departments in an organization.
When anonymous or unauthenticated users call an external business telephone number, or when internal callers
call a defined extension number, they are presented with a series of voice prompts that help them place a call to a
user or locate a user in the organization and then place a call to that user. The UM auto attendant is a series of
voice prompts or .wav files that callers hear instead of a human operator when they call an organization that has
Unified Messaging. The UM auto attendant lets callers move through the menu system, place calls, or locate users
by using dual tone multi-frequency (DTMF) or voice inputs. However, for Automatic Speech Recognition (ASR) or
voice inputs to be used, you must enable ASR on the UM auto attendant.
A UM auto attendant has the following features:
It provides corporate or informational greetings.
It provides custom corporate menus. You can customize these menus to have more than one level.
It provides a directory search function that enables a caller to search the organization's directory for a name.
It enables a caller to connect to the telephone of, or leave a message for, members of the organization.
There is no limit to the number of UM auto attendants you can create. Each Unified Messaging auto attendant can
support an unlimited number of extensions. A UM auto attendant can reference one, and only one, UM dial plan.
UM auto attendants can also reference or link to other UM auto attendants.
An incoming call received from an external telephone number or an internal telephone extension is passed
between Exchange servers, and then sent to a UM auto attendant. The UM auto attendant is configured by the
administrator to use prerecorded voice (.wav) files that are played over the telephone to the caller and that enable
the caller to move through the Unified Messaging menu system. You can customize all the .wav files used when
you configure a UM auto attendant to meet the needs of your organization.

Auto attendants with multiple languages


There are situations in which you may have to provide callers with auto attendants that have different languages.
The language setting available on a UM auto attendant enables you to configure the default prompt language on
the auto attendant. When you are using the default system prompts for the auto attendant, this is the language that
the caller will hear when the auto attendant answers the incoming call. This language setting affects only the
default system prompts provided. This language setting doesn't affect custom prompts configured on an auto
attendant.
For on-premises and hybrid deployments, when you install the U.S. English version, U.S. English is the only
language available to configure on UM auto attendants. If you install a localized version, for example, Japanese,
you can configure the auto attendant that you create to use Japanese or U.S. English for the default language.
Additional UM language packs can be installed on a Unified Messaging server to enable you to use other default
languages on an auto attendant.
For example, if you have a business that's based in the United States but requires a menu system that gives callers
the options of U.S. English, Spanish, and French, you must first install the UM language packs that you need. In
this case, if you have installed the U.S. English version, you would install the UM language packs for Spanish and
French. However, because a Unified Messaging auto attendant can have only one language configured at a time,
you would create four auto attendants: a main auto attendant configured to use U.S. English and then one auto
attendant for each language: U.S. English, Spanish, and French. You would then configure the main auto attendant
to have the appropriate key mappings or menu navigation to access the other auto attendants that you created for
each language. In this example, the main auto attendant would answer the incoming call and the caller would hear,
"Welcome to Contoso, Ltd. For English, press or say 1. For Spanish, press or say 2. For French, press or say 3."

TIP
In Exchange UM, authenticated and non-authenticated Outlook Voice Access users can't search for users in the directory
using speech inputs in any language. However, callers that call into an auto attendant can use speech inputs in multiple
languages to navigate auto attendant menus and search for users in the directory.

Non-business hours and business hours custom greetings


After you create a UM auto attendant, a default system prompt will be used for the non-business hours main menu
prompt greeting heard by callers after the non-business hours welcome greeting is played. Although the system
prompts mustn't be replaced or changed, you probably want to customize the greetings and menu prompts used
with UM auto attendants. Frequently, in addition to configuring a customized non-business hours welcome
greeting, you also want to create and configure a custom non-business hours main menu prompt greeting. After
you configure a custom non-business hours main menu prompt greeting, you must enable key mappings on the
UM auto attendant for non-business hours.
A custom non-business hours main menu prompt greeting is a list of options callers hear during non-business
hours. To let callers hear a non-business hours main menu prompt greeting, you first must configure the business
and non-business hours schedule by using the EAC or the Set-UMAutoAttendant cmdlet in Exchange Online
PowerShell. For example, "You have reached Trey Research after normal business hours. If you are experiencing a
medical emergency, please hang up and dial 911. To leave a message for one of our doctors, press 1. To leave a
message for one of our physical therapists, press 2. To leave a general message for one of our front office
coordinators, press 3. To be connected with an after hours operator, press 0."
By default, when you create a UM auto attendant, the business and non-business hours greetings or prompts
aren't configured and no menu navigation entries are defined for business or non-business hours main menu
prompts. To correctly configure customized non-business hours main menu greetings and prompts, you must:
1. Configure business and non-business hours on the Business hours page.
2. Create the greeting file that will be used for the non-business hours welcome greeting.
3. Configure the non-business hours welcome greeting on the Greetings page.
4. Create the greeting file that will be used for the non-business hours main menu prompt greeting.
5. Configure the non-business hours main menu prompt greeting on the Greetings page.
6. Enable menu navigation and add menu navigation entries on the Menu navigation page.

Menu navigation entries


If you use the default main menu prompt greeting and define a menu navigation entry or multiple menu
navigation entries, the UM Text-to-Speech (TTS) engine will synthesize a main menu prompt. However, the TTS
engine will only synthesize a main menu prompt if the default greeting is configured and at least one menu
navigation entry has been defined. The TTS engine will not synthesize a main menu prompt if you're using a
custom main menu prompt, for example, "For the sales department, press 1. For the support department, press 2."
To create this main menu prompt, you must create two menu navigation entries: one named "Sales Department"
and another named "Support Department", and then configure the key mapping entry to play an audio file,
transfer to an extension number, or send the caller to another auto attendant.
When you configure menu navigation entries, you define the options and the operations that will be performed if a
caller speaks a phrase while they're using a speech-enabled auto attendant or presses a key on the telephone
keypad while they're using an auto attendant that isn't speech-enabled. To configure menu navigation entries for
an auto attendant, you must:
Enable business hours menu navigation.
Add menu navigation entries.
Type the name of the menu navigation entry.
Select an option in the When this key is pressed list, and use the Play the following audio file box to
upload the audio file to play.
Configure the action you want performed:
Transfer to this extension
Transfer to this UM auto attendant
Leave a voice message for this user
Announce business location
Announce business hours
Auto attendant examples
The following examples demonstrate how you can use UM auto attendants with Unified Messaging:
Example 1: At a company called Contoso, Ltd., external customers can use three external telephone
numbers: 425-555-0111 (Corporate Offices), 425-555-0122 (Product Support), and 425-555-0133 (Sales).
The Human Resources, Administration, and Accounting departments have internal telephone extensions
and must be accessed from the Corporate Offices UM auto attendant.
To create a UM auto attendant structure that supports this scenario, create and configure three UM auto
attendants that have the appropriate external telephone numbers. Create three other UM auto attendants
for each department in the Corporate Offices. You then configure each UM auto attendant based on your
requirements, such as the greeting type or other navigational information.
Example 2: At a company called Contoso, Ltd., external customers call one main number for the business,
425-555-0100. When an external caller calls the external number, the UM auto attendant answers and
prompts the caller by saying, "Welcome to Contoso, Ltd. Please press or say "One" to be transferred to
corporate administration. Please press or say "Two" to be transferred to product support. Please press or
say "Three" to be transferred to corporate information. Please press or say "Zero" to be transferred to the
operator." To create a UM auto attendant structure that supports this scenario, you create a UM auto
attendant that has customized extensions that route the call to the appropriate extension number.
DTMF interface
2/28/2019 • 7 minutes to read

In Unified Messaging (UM), callers can use dual tone multi-frequency (DTMF), also referred to as touchtone, and
voice inputs to interact with the system. The methods that callers can use depend on how the UM dial plans and
auto attendants are configured.
The DTMF interface enables callers to use the telephone keypad to locate users and navigate the UM voice mail
menu system when they call an Outlook Voice Access number configured on a dial plan or when they call a
telephone number configured on an auto attendant. This topic discusses the DTMF interface and how it's used by
callers to locate users and to navigate the UM voice mail menu system.

DTMF overview
DTMF requires a caller to press a key on the telephone keypad that corresponds to a Unified Messaging menu
option or to input a user's name or email alias by using the letters on the keys to spell the name or alias. Callers
might use DTMF because Automatic Speech Recognition (ASR) hasn't been enabled or because they tried to use
voice commands and failed. In either case, DTMF inputs are used to navigate menus and search for users.
By default, in UM, DTMF inputs are used on dial plans and are the default caller interface for UM auto attendants.
Callers can use DTMF inputs for:
Dial plan dial-in access by using Outlook Voice Access.
Dial plan directory lookups and searches to locate users.
Auto attendants that aren't speech-enabled.
Auto attendants that are speech-enabled that do or don't have a DTMF fallback auto attendant configured.
DTMF fallback auto attendants (not speech-enabled).

UM dial plans and dial by name


When you create a UM dial plan, you can configure the primary and secondary input method that callers will use
to look up names when they search for a user or want to contact a user. These settings are located on the dial plan's
Settings page and are called Primary way of searching for names and Secondary way of searching for
names. The following options are available for both the primary and secondary ways of searching for names:
Last First
First Last
SMTP address
Additionally, None is an available option for the secondary way of searching for names.
By default, Last First is selected as the primary way of searching for names and SMTP address is selected as the
secondary way of searching for names. Therefore, when a caller dials in to an Outlook Voice Access number
configured on the UM dial plan, the dial plan's welcome message is played and the operator says something like,
"Welcome to Contoso Outlook Voice Access. To access your mailbox, enter your extension. To contact someone,
press the pound key." After the caller presses the # key, the system responds with "Spell the name of the person
you are calling, last name first, or to spell their email alias, press the pound key twice." In this scenario, depending
on how your dial plan is configured, the system then prompts the caller to enter the user's last name and then the
user's first name (Last First) or to spell the email alias, excluding the domain name. For example, if the user's email
alias is tsmith@contoso.com, the caller would enter tsmith.
If you want to change this configuration because the default setting doesn't meet your needs, you can change it to
enable callers to enter the user's email alias first or the user's first name followed by the last name. In this case, you
would configure the Primary way of searching for names with the SMTP address setting and configure the
Secondary way of searching for names with the First Last setting. The settings for the dial by name methods
will also apply to any UM auto attendants that are associated with the dial plan. For callers to be able to enter the
name of the user by using DTMF inputs or the keys on the telephone keypad, a DTMF map and values for the user
must exist within your organization's directory.
For more information about how to change the dial by name primary and secondary methods on a UM dial plan,
see Configure the primary way for Outlook Voice Access users to search and Configure the secondary way for
Outlook Voice Access users to search.

DTMF maps
In an Exchange organization, an attribute named msExchUMDtmfMap is associated with each user created in the
directory. Unified Messaging uses this attribute to map the user's first name, last name, and email alias to a set of
numbers. This mapping is referred to as a DTMF map. A DTMF map enables a caller to enter the digits on the
telephone keypad that correspond to the letters of the user's name or email alias. This attribute contains the values
needed to create a DTMF map for the user's first name followed by the last name, for the user's last name followed
by the first name, and for the user's email alias.
The following table shows the DTMF map values that would be stored in Active Directory on the
msExchUMDtmfMap attribute for a UM-enabled user named Tony Smith with an alias of tsmith@contoso.com.
DTMF values stored for a UM-enabled user named Tony Smith

DIRECTORY ENTRY                 USER'S NAME
firstNameLastName:866976484     tonysmith
lastNameFirstName:764848669     smithtony
emailAddress:876484             tsmith

Names and email aliases may contain other characters that aren't alphanumeric, such as commas, hyphens,
underscores, or periods. Characters such as these won't be used in a DTMF map for a user. For example, if the
email alias for Tony Smith is tony-smith@contoso.com, the DTMF map value would be 866976484, and the
hyphen wouldn't be included. However, if a user's email alias contains a number or numbers, for example,
tonysmith123@contoso.com, the numbers would be used in the DTMF map that's created. The DTMF map for
tonysmith123 would be 866976484123.
A DTMF map must exist for a user for callers to be able to enter the user's name or email alias. However, not all
users will have a DTMF map associated with their user account.

DTMF maps for users who aren't enabled for Unified Messaging
Users, including mailbox-enabled users, aren't enabled for Unified Messaging by default. The
msExchUMDtmfMap attribute is populated with the values needed for DTMF maps for users who haven't been
enabled for UM. By default, the following DTMF maps are created for all users when a mailbox is created for them:
1. emailAddress
2. firstNameLastName
3. lastNameFirstName
If a user doesn't have DTMF map values defined for their account, callers won't be able to contact the user when
they press a telephone key from a UM auto attendant menu or perform a directory search. Also, UM-enabled users
won't be able to send messages or transfer calls to users who don't have a DTMF map unless they can use
Automatic Speech Recognition (ASR). To enable callers to transfer calls or contact users who aren't UM-enabled by
using the telephone keypad, you need to create the necessary values for the DTMF map for those users. You can
use the Set-User cmdlet with the -CreateDtmfMap parameter to create and update a single user's DTMF map or
update a DTMF map for a user if the name of the user was changed after a DTMF map was created. Optionally, you
can create a PowerShell script by using this cmdlet to update the DTMF map values for multiple users.
For more information about the Set-User cmdlet, see Set-User.

DTMF maps for users who are enabled for Unified Messaging
By default, a DTMF map is created for a user when they're enabled for Unified Messaging. This makes it possible
for calls to be transferred to the UM-enabled user from external callers, from users who aren't enabled for UM, and
from other UM-enabled users who use the telephone keypad to spell the user's name or email alias.
After the DTMF map values have been created for a UM-enabled user, callers can use the directory search feature.
Callers use directory search when they use the telephone keypad in the following situations:
To identify or search for a user when they call in to an Outlook Voice Access number.
To locate or transfer calls to a UM-enabled user when they call in to a UM auto attendant.
For more information about how to enable a user for Unified Messaging, see Enable a user for voice mail.
Sometimes a user's first name, last name, or email alias changes after the user is enabled for UM. The user's DTMF
map values aren't updated automatically. If a caller enters the user's new name or email alias and the user's DTMF
map hasn't been updated to reflect the change to the name or email alias, the caller won't be able to locate the user
in the directory, send a message to the user, or transfer calls to the user. If you have to update a user's DTMF map
after the user has been enabled for UM, you can use the Set-User cmdlet with the -CreateDtmfMap parameter.
You can also create a PowerShell script using this cmdlet if you want to update the DTMF maps for multiple
UM-enabled users.
Caution

We recommend that you don't manually change the DTMF values for users by using a tool such as ADSI Edit
because it might result in inconsistent configurations or other errors. We recommend that you use only the
Set-UMService cmdlet or the Set-User cmdlet to create or update DTMF maps for users.
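
The following added example (not part of the original documentation, and not Microsoft's code) derives the three DTMF map entries described above from a user's name and email alias, and flags users whose stored map no longer matches after a name or alias change. The function names and sample users are constructed for illustration. It assumes entries are stored as strings in the form shown in the table (for example, firstNameLastName:866976484) and that only the letters a-z and the digits 0-9 contribute to a map.

```powershell
# Added example: offline check for stale DTMF maps. No Exchange session is required;
# the sample users below are constructed and stand in for directory data.

# Standard telephone keypad letter groups.
$KeypadGroups = @{
    '2' = 'abc'; '3' = 'def'; '4' = 'ghi'; '5' = 'jkl'
    '6' = 'mno'; '7' = 'pqrs'; '8' = 'tuv'; '9' = 'wxyz'
}

# Build a letter -> digit lookup table with string keys.
$LetterToDigit = @{}
foreach ($digit in $KeypadGroups.Keys) {
    foreach ($letter in $KeypadGroups[$digit].ToCharArray()) {
        $LetterToDigit[[string]$letter] = $digit
    }
}

function ConvertTo-DtmfDigits {
    # Maps letters to keypad digits, keeps digits as they are, and drops
    # everything else (hyphens, periods, underscores, commas, spaces).
    # Assumption: characters outside a-z and 0-9 are dropped as well.
    param([string]$Text)
    $digits = foreach ($ch in $Text.ToLowerInvariant().ToCharArray()) {
        $key = [string]$ch
        if ($key -cmatch '^[0-9]$') { $key }
        elseif ($LetterToDigit.ContainsKey($key)) { $LetterToDigit[$key] }
    }
    -join $digits
}

function Get-ExpectedDtmfMap {
    # Returns the three entries that should exist for a user.
    param([string]$FirstName, [string]$LastName, [string]$EmailAddress)
    $alias = ($EmailAddress -split '@')[0]   # the alias excludes the domain name
    @(
        'emailAddress:'      + (ConvertTo-DtmfDigits $alias)
        'firstNameLastName:' + (ConvertTo-DtmfDigits ($FirstName + $LastName))
        'lastNameFirstName:' + (ConvertTo-DtmfDigits ($LastName + $FirstName))
    )
}

function Find-StaleDtmfMap {
    # Emits one object per user whose stored map lacks an expected entry.
    param([object[]]$User)
    foreach ($u in $User) {
        $expected = Get-ExpectedDtmfMap $u.FirstName $u.LastName $u.EmailAddress
        $missing  = @($expected | Where-Object { $_ -notin $u.StoredMap })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                User    = "$($u.FirstName) $($u.LastName)"
                Missing = $missing -join '; '
                Stored  = $u.StoredMap -join '; '
            }
        }
    }
}

# Constructed sample data. The first user matches the table in this topic.
$sampleUsers = @(
    [pscustomobject]@{
        FirstName = 'Tony'; LastName = 'Smith'; EmailAddress = 'tsmith@contoso.com'
        StoredMap = @('emailAddress:876484', 'firstNameLastName:866976484', 'lastNameFirstName:764848669')
    }
    # Constructed: last name and alias changed after the map was created,
    # so the stored entries still reflect the old values.
    [pscustomobject]@{
        FirstName = 'Tony'; LastName = 'Smith-Jones'; EmailAddress = 'tony-smith@contoso.com'
        StoredMap = @('emailAddress:876484', 'firstNameLastName:866976484', 'lastNameFirstName:764848669')
    }
)

Find-StaleDtmfMap -User $sampleUsers | Format-List
```

Users reported by this check are the ones whose maps should be regenerated with the Set-User cmdlet and the -CreateDtmfMap parameter, rather than by editing the attribute directly.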

For more information


Adsiedit Overview
UM auto attendant procedures
2/28/2019 • 2 minutes to read

Set up a UM auto attendant


Create a UM auto attendant
Add an auto attendant extension number
Configure business hours
Create a holiday schedule
Enter a business name
Set a business location
Configure the time zone
Enable a customized business hours greeting
Enable a customized business hours menu prompt
Enable a customized non-business hours greeting
Enable a customized non-business hours menu prompt
Enable an informational announcement
Create menu navigation
Create business hours navigation menus
Create non-business hours navigation menus
Manage a UM auto attendant
Configure a DTMF fallback auto attendant
Enable a UM auto attendant
Disable a UM auto attendant
Delete a UM auto attendant
Enable or disable automatic speech recognition
Enable or prevent transferring calls from an auto attendant
Enable or disable sending voice messages to users
Enable or disable directory lookups
Configure the group of users that can be contacted
Configure an auto attendant for users who have similar names
Set up a UM auto attendant
2/28/2019 • 4 minutes to read

In addition to allowing users access to voice mail, Unified Messaging (UM) allows you to create one or more UM
auto attendants depending on the needs of your organization. UM auto attendants can be used to create a voice
menu system for an organization that lets external and internal callers locate, place, or transfer calls to company
users or departments in an organization.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

Auto attendants
In telephony or Unified Messaging environments, an automated attendant or auto attendant menu system
transfers callers to the extension of a user or department without the intervention of a receptionist or an operator.
In many auto attendant systems, a receptionist or operator can be reached by pressing or saying zero. Some auto
attendant systems use message-only information menus and voice menus so an organization can provide business
hours, directions to the premises, information about job opportunities, and answers to other frequently asked
questions. After the message plays, callers are forwarded to the receptionist or operator, or they can return to the
main menu.
Although auto attendants can be very useful, if they aren't designed and configured correctly, they can confuse and
frustrate callers. For example, especially in large organizations, when auto attendants aren't designed correctly,
callers can be led through a lengthy series of questions and menu prompts before they're finally transferred to a
person to answer their questions.

How do I set up an auto attendant?


In the Exchange admin center (EAC), you set up and manage UM auto attendants to automatically answer calls to
your organization and allow callers to self-select different options using the keys on their telephone. You can have
just one UM auto attendant that provides basic menu navigation for callers to your organization, or you can have
multiple nested and branching auto attendants that provide a richer experience for your callers. However, in both
cases, you must plan and set up your auto attendants carefully.
To plan and create a new UM auto attendant structure, you need to do the following:
1. Decide whether you want to allow users to interact with the auto attendant using speech inputs.
2. Decide which language you want to use for your main auto attendant and whether you need to create other
auto attendants to support more languages.
3. Decide on the business and non-business hours for the auto attendant and set the business hours using
Business hours. Though it's not required, you can also decide on the holiday schedule for this auto
attendant.

NOTE
You should also set the time zone on the attendant.

4. Decide whether you want standard system-generated business and non-business hours greetings or to
create custom recordings for them.
If you want to use custom greetings, plan and record your business and non-business hour greetings to play
to callers during business and non-business hours. If you need to, you can also create a custom
informational announcement greeting. For example, for your business hours greeting you could use
"Welcome to Contoso. For English, press or say 1, for Spanish, press or say 2." For your non-business hours
greeting, you could record the following script: "Welcome to Contoso. Our office is currently closed. We will
be open on Monday at 8:00 am."
5. Plan your auto attendant structure based on your business needs. For example, one organization may be a
multinational business with offices in both Germany and the UK, and thus need an auto attendant structure
based on multiple languages. Another organization might have its corporate office at one site, Sales located
at another site, and Customer Service located at a third site, and thus need an auto attendant that directly
relates to the structure of the organization.
6. Decide if you'll need DTMF fallback auto attendants or other auto attendants to use when auto attendant
voice commands don't work.
7. Plan the menu navigation for business hours and non-business hours. For each auto attendant, including
DTMF auto attendants, you'll need to plan and configure menu prompts and menu navigation entries. You'll
need to do this for both business and non-business hours.
8. The following is an example of a worksheet you could use to plan non-business hours menu navigation.

KEY   PROMPT/NAVIGATION MENU ENTRY NAME    RESPONSE TO RECORD
1     Language selection to use English.   "Press or say 1 to use English."
2     Account balance                      "Press or say 2 to get your account balance."
3     Transfer to Sales                    "Press or say 3 to be transferred to our sales department."
4     Transfer to customer service         "Press or say 4 to be transferred to the next customer service representative."
5     Business hours                       No response needed.
6     Business location                    No response needed.

9. Using your menu navigation plan, record prompts that inform callers what they can do. For example,
depending on the auto attendant structure for the non-business hours menu navigation shown in the table,
you might record the following script: "To leave a message for Sales, press one. For our business hours,
press two. For our address, press three."
10. Determine how callers will access your organization. Consider how they will search for and contact users in
your organization. Also consider how to transfer callers, including how they'll get to a live person or
organization representative, and whether callers will access an operator during business and non-business
hours.
11. Determine what calls you'll allow callers to make when they're using a specific auto attendant. For example,
whether you want to allow callers to make calls to users in a single dial plan, to any extension, or whether
you'll allow them to make calls outside your organization.
12. After you've planned your auto attendant settings, greetings and menu navigation, and created audio files
that contain your recorded greetings, menu navigation prompts, and menu navigation responses, you're
ready to create and configure your auto attendant. Here's how:
Create a UM auto attendant
Manage a UM auto attendant
13. If you've created the auto attendant structure and settings, enable the UM auto attendant so it can start
accepting calls.
Create a UM auto attendant
2/28/2019 • 4 minutes to read

After you create a Unified Messaging (UM) auto attendant, incoming calls to an external telephone number
that a human operator would ordinarily answer are answered by the auto attendant. Unlike with other Unified
Messaging components, such as UM dial plans and UM IP gateways, you aren't required to create UM auto
attendants. However, auto attendants help internal and external callers locate users or departments that exist in
an organization and transfer calls to them.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps,
see Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Use the EAC to create a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans, select the UM dial plan for which you
want to add an auto attendant, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, click New.
3. On the New UM auto attendant page, enter the following information:
Name: Use this box to create the display name for the UM auto attendant. A UM auto attendant name
is required and must be unique. However, it's used only for display purposes in the EAC and Exchange
Online PowerShell.
If you have to change the display name of the auto attendant after it's created, you must first delete the
existing UM auto attendant and then create another auto attendant that has the appropriate name. If
your organization uses multiple UM auto attendants, we recommend that you use meaningful names
for your UM auto attendants. The maximum length of a UM auto attendant name is 64 characters, and
it can include spaces.
Although you can name a new UM auto attendant to include spaces, if you integrate Unified Messaging
with Office Communications Server 2007 R2 or Microsoft Lync Server, the name of the auto attendant
can't include spaces. Therefore, if you created an auto attendant with spaces in the display name, and
you're integrating with Office Communications Server 2007 R2 or Lync Server, you must first delete
that auto attendant and then create another auto attendant that doesn't include spaces in the display
name.
Create this auto attendant as enabled: Select this check box to enable the auto attendant to answer
incoming calls when you complete the New UM Auto Attendant Wizard. By default, a new auto
attendant is created as disabled.
If you decide to create the UM auto attendant as disabled, you can use the EAC or Exchange Online
PowerShell to enable the auto attendant after you finish the wizard.
Set the auto attendant to respond to voice commands: Select this check box to speech-enable the
UM auto attendant. If the auto attendant is speech-enabled, callers can respond to the system or custom
prompts used by the UM auto attendant using touchtone or voice inputs. By default, the auto attendant
won't be speech-enabled when it's created.
For callers to use a speech-enabled auto attendant, you must install the appropriate UM language pack
that contains Automatic Speech Recognition (ASR) support and configure the properties of the auto
attendant to use this language.
Access numbers: Use this box to enter the extension numbers or telephone numbers that callers will
use to reach the auto attendant. Type an extension number or telephone number in the box, and then
click Add to add the number to the list. The number of digits in the extension number or telephone
number that you provide doesn't have to match the number of digits for an extension number
configured on the associated UM dial plan. This is because direct calls are allowed to UM auto
attendants.
The number of extension numbers or telephone numbers entered is unlimited. However, you may
create the new auto attendant without an extension number listed. An extension number or telephone
number isn't required.
You can edit or remove an existing extension number or telephone number. To edit an existing extension
number or telephone number, click Edit. To remove an existing extension number or telephone
number from the list, click Remove.
4. Click Save.

Use Exchange Online PowerShell to create a UM auto attendant


This example creates a UM auto attendant named MyUMAutoAttendant that can accept incoming calls but isn't
speech-enabled.

New-UMAutoAttendant -Name MyUMAutoAttendant -UMDialPlan MyUMDialPlan -PilotIdentifierList 55000 -Enabled $false

This example creates a speech-enabled UM auto attendant named MyUMAutoAttendant.

New-UMAutoAttendant -Name MyUMAutoAttendant -UMDialPlan MyUMDialPlan -PilotIdentifierList 56000,56100 -SpeechEnabled $true

Add an auto attendant extension number
2/28/2019 • 2 minutes to read

You can configure an extension number or multiple extension numbers on a Unified Messaging (UM) auto
attendant. When you add an extension number to a UM auto attendant, that number can be used by callers to call
into the auto attendant. Also, you may have to add extension numbers because there is more than one extension
number that callers can use to access an auto attendant. By default, no extension numbers are configured when
you create an auto attendant.
You can create a new auto attendant without setting up an extension number for the auto attendant. You can also
associate more than one telephone or extension number with a single auto attendant. You can either add the
extension numbers when you create the UM auto attendant or add them after you configure the auto attendant.
The number of digits in the extension number you configured on the UM auto attendant must match the number
of digits for an extension number that's configured on the UM dial plan associated with the UM auto attendant.

NOTE
You can also add a Session Initiation Protocol (SIP) address instead of adding an extension number. A SIP address is used by
some IP Private Branch eXchanges (PBXs) and Office Communications Server 2007 R2 or Microsoft Lync Server.

For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to add an extension or phone numbers for a UM auto attendant

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to edit and click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to add
extension or phone numbers to.
3. On the toolbar, click Edit.
4. On the UM Auto Attendant page > General, under Access numbers, in the text box, enter the extension
or phone number that you want to use and click Add.
5. Click Save to add the number.

Use Exchange Online PowerShell to configure an extension number on a UM auto attendant

This example configures a UM auto attendant named MyUMAutoAttendant with multiple extension numbers.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -PilotIdentifierList "12345, 72000, 75000"


Configure business hours
2/28/2019 • 2 minutes to read

When you configure business hours for a Unified Messaging (UM) auto attendant, you define the hours of the day
that your organization is open, and the business hours greetings and menu prompts callers will hear when they
call an extension number that's configured on the auto attendant. If a caller reaches the auto attendant during
hours that are outside the business hours you define, the caller will hear the non-business hours prompts and
greetings.
Several default schedule options are available in the EAC. For example, most businesses are open from 8:00 A.M.
to 5:00 P.M., Monday through Friday. Sometimes the default options won't fit your needs and you'll want to
customize the schedule. If your business hours vary from the schedules defined by the system, you can define a
customized schedule for the auto attendant.
By default, the UM auto attendant will play the business hours prompts and greetings regardless of the time of
day callers dial in to the auto attendant.

NOTE
When you set the schedule for business and non-business hours on a UM auto attendant, make sure the time zone is
configured correctly.

For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to specify business hours for a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to set the business hours, and then click Edit.
3. On the UM Auto Attendant page > Business Hours, under Business hours, click Configure business
hours.
4. On the Configure Business Hours page, select the hours you want to use as your business hours for each
day of the week.
5. Click OK, and then click Save.

Use Exchange Online PowerShell to specify business hours for a UM auto attendant

This example sets the business hours for a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30

Create a holiday schedule
2/28/2019 • 3 minutes to read

You can define the dates and times your organization will be closed for holidays and other occasions. Between the
start dates and the end dates you specify, callers who reach the Unified Messaging (UM) auto attendant will hear a
holiday greeting you specify when you configure the holiday schedule. After the caller hears the holiday greeting
you've specified, the non-business hours greeting and menu prompts will be played for the caller.
You can also create a holiday schedule within an existing holiday schedule. When you create multiple holiday
schedules, Unified Messaging lets you overlap your scheduled holiday times. For example, you can define a holiday
schedule from December 15th through December 31st when your organization will be closed for construction, and
you can define another holiday schedule from December 24th through December 26th. When callers call in to the
auto attendant from December 15th through December 23rd and from December 27th through December 31st,
they'll be presented with the holiday greeting that you've specified for this schedule. For example, "We are
currently closed for construction." When callers call in to the auto attendant from December 24th through
December 26th, they'll be presented with another holiday greeting, such as "We are currently closed for business
so that our employees can enjoy the holidays with their families."
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to specify a holiday schedule for a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to set the holiday schedule. On the toolbar, click Edit.
3. On the UM Auto Attendant page > Business Hours, under Holiday schedule, click Add.
4. On the New Holiday page, configure the following:
Name: Enter a name for your holiday schedule.
Holiday greeting: Browse to the .wav file you want to use as your greeting. This is a required field.
Start date: Use this list to select the date you want the holiday to start. The holiday schedule will start at
midnight on the date specified in this list.
End date: Use this list to select the date you want the holiday to end. The holiday schedule will end at 11:59
P.M. on the date specified in this list.
5. After you've configured your holiday schedule, click OK, and then click Save.

Use Exchange Online PowerShell to specify a holiday schedule for a UM auto attendant

This example configures a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday), and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction" from
April 24, 2013 through April 28, 2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"
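
An added example, not part of the original documentation: an offline pre-flight check for the -BusinessHoursSchedule and -HolidaySchedule strings used in the command above, which also works out which greeting a caller would reach at a given time. The function names are hypothetical, the December entries are constructed from the overlap scenario described earlier in this topic, and the rule that the narrower of two overlapping holidays wins is an assumption chosen to match that scenario.

```powershell
# Added example; these helper functions are hypothetical and call nothing in Exchange Online.

function ConvertFrom-BusinessHoursSchedule {
    param([Parameter(Mandatory)][string[]]$Schedule)
    # Entry format used on this page: D.hh:mm-D.hh:mm, where D is 0 (Sunday) through 6 (Saturday).
    $pattern = '^([0-6])\.([01]?\d|2[0-3]):([0-5]\d)-([0-6])\.([01]?\d|2[0-3]):([0-5]\d)$'
    foreach ($entry in $Schedule) {
        $m = [regex]::Match($entry.Trim(), $pattern)
        if (-not $m.Success) { throw "Malformed business hours entry: '$entry'" }
        $g = $m.Groups
        # Store both ends as minutes since Sunday 00:00.
        $start = [int]$g[1].Value * 1440 + [int]$g[2].Value * 60 + [int]$g[3].Value
        $end   = [int]$g[4].Value * 1440 + [int]$g[5].Value * 60 + [int]$g[6].Value
        if ($start -eq $end) { throw "Empty business hours window: '$entry'" }
        [pscustomobject]@{ Start = $start; End = $end; Text = $entry }
    }
}

function ConvertFrom-HolidaySchedule {
    param([string[]]$Schedule = @())
    # Entry format used on this page: Name,GreetingFile,StartDate[,EndDate] with M/D/YYYY dates.
    foreach ($entry in $Schedule) {
        $p = @($entry.Split(',') | ForEach-Object { $_.Trim() })
        if ($p.Count -lt 3 -or $p.Count -gt 4) { throw "Malformed holiday entry: '$entry'" }
        # The page states that the holiday greeting is a .wav file.
        if ($p[1] -notmatch '\.wav$') { throw "Holiday greeting must be a .wav file: '$entry'" }
        $start = [datetime]::ParseExact($p[2], 'M/d/yyyy', [cultureinfo]::InvariantCulture)
        $end = $start   # a single-date entry covers that one day
        if ($p.Count -eq 4) {
            $end = [datetime]::ParseExact($p[3], 'M/d/yyyy', [cultureinfo]::InvariantCulture)
        }
        if ($end -lt $start) { throw "Holiday ends before it starts: '$entry'" }
        [pscustomobject]@{ Name = $p[0]; Greeting = $p[1]; Start = $start; End = $end }
    }
}

function Get-AutoAttendantState {
    param(
        [Parameter(Mandatory)][datetime]$When,
        [Parameter(Mandatory)][string[]]$BusinessHoursSchedule,
        [string[]]$HolidaySchedule = @()
    )
    $windows  = @(ConvertFrom-BusinessHoursSchedule -Schedule $BusinessHoursSchedule)
    $holidays = @(ConvertFrom-HolidaySchedule -Schedule $HolidaySchedule)

    # A holiday runs from midnight on its start date to 11:59 P.M. on its end date,
    # so whole-date comparison is enough. Assumption: the shortest matching holiday wins.
    $hit = $holidays |
        Where-Object { $When.Date -ge $_.Start -and $When.Date -le $_.End } |
        Sort-Object { ($_.End - $_.Start).Days } |
        Select-Object -First 1
    if ($hit) {
        # After the holiday greeting, the non-business hours greeting and prompts are played.
        return [pscustomobject]@{ State = 'Holiday'; Name = $hit.Name; Greeting = $hit.Greeting }
    }

    $minute = [int]$When.DayOfWeek * 1440 + $When.Hour * 60 + $When.Minute
    foreach ($w in $windows) {
        # A window whose end is earlier in the week than its start wraps past Saturday midnight.
        $inside = if ($w.Start -lt $w.End) { $minute -ge $w.Start -and $minute -lt $w.End }
                  else { $minute -ge $w.Start -or $minute -lt $w.End }
        if ($inside) {
            return [pscustomobject]@{ State = 'BusinessHours'; Name = $w.Text; Greeting = $null }
        }
    }
    [pscustomobject]@{ State = 'NonBusinessHours'; Name = $null; Greeting = $null }
}

# Values taken from the command on this page.
$hours        = '0.10:45-0.13:15', '1.09:00-1.17:00', '6.09:00-6.16:30'
$pageHolidays = 'New Year,newyrgrt.wav,1/2/2013',
                'Building Closed for Construction,construction.wav,4/24/2013,4/28/2013'
# Constructed entries for the overlapping December scenario (year and file names are made up).
$overlap      = 'Construction,construction.wav,12/15/2013,12/31/2013',
                'Winter Holiday,holiday.wav,12/24/2013,12/26/2013'
$holidays     = $pageHolidays + $overlap

foreach ($t in '2013-01-07 10:00', '2013-01-07 18:00', '2013-12-20 10:00', '2013-12-25 10:00') {
    $when = [datetime]::ParseExact($t, 'yyyy-MM-dd HH:mm', [cultureinfo]::InvariantCulture)
    Get-AutoAttendantState -When $when -BusinessHoursSchedule $hours -HolidaySchedule $holidays |
        Select-Object @{ n = 'When'; e = { $t } }, State, Name, Greeting
}
```

A malformed entry makes the helper throw before anything is sent to Set-UMAutoAttendant, so a typo in a day index or date is caught at planning time.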
Enter a business name
2/28/2019 • 2 minutes to read

You can enter the name of your business in the Business name box on a UM auto attendant. By default, no
business name is entered. If you enter a business name, a default greeting prompt with the business name will be
played to callers when they call in to the Unified Messaging (UM) auto attendant.
For additional tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a business name


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to set a business name, and then, on the toolbar, click Edit.
3. On the UM Auto Attendant page > General, under Business name, type the name of the business.
4. Click Save.

Use Exchange Online PowerShell to configure a business name


This example sets the business name on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessName "Northwind Traders"


Set a business location
2/28/2019 • 2 minutes to read

You can specify the location of a business on a Unified Messaging (UM) auto attendant so that the location will be
played for callers. By default, no business location is entered.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a business location


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to set the business location, and then click Edit.
3. On the UM Auto Attendant page > General, under Business location, type the location of the business.
4. Click Save.

Use Exchange Online PowerShell to configure a business location


This example sets the business location on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessLocation 'Redmond'


Configure the time zone
2/28/2019 • 2 minutes to read

By default, the Unified Messaging (UM) auto attendant uses the time zone of the Mailbox server on which it's
created. However, there are situations where you may have to change the time zone for a UM auto attendant to a
different time zone. For example, if you have two UM dial plans and each dial plan represents a different time zone,
you must configure one UM auto attendant to have the same time zone as the Mailbox server and the other UM
auto attendant to have a time zone that differs from the Mailbox server.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the time zone


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to set the time zone, and then click Edit.
3. On the UM Auto Attendant page, click Business Hours, and then, under Time zone, select the time zone
from the drop-down list.
4. To save your changes, click OK, and then click Save.

Use Exchange Online PowerShell to configure the time zone


This example sets the time zone to the Pacific time zone on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -TimeZoneName Pacific


Enable a customized business hours greeting
2/28/2019 • 3 minutes to read

You can enable a customized business hours greeting for a Unified Messaging (UM) auto attendant. The business
hours greeting is the first thing callers hear when a UM auto attendant answers their call during business hours.
You'll probably want to customize the greeting.
Unified Messaging includes a default system prompt for use during business hours. Although the default system
prompt mustn't be replaced or changed, you may want to provide a customized greeting. You can create a
customized greeting in the .wav or .wma file format to be used when callers call in to a UM auto attendant during
business hours. For example, "You've reached Woodgrove Bank."
If you want to include the name of your organization or business as part of the default greeting, you can enter the
name in the Business name box on the UM auto attendant. For details, see Enter a business name.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Create a .wav or .wma file to be used for the greeting.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a customized business hours greeting


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable a customized business hours greeting, and then click Edit.
3. On the UM Auto Attendant page > Greetings, under Business hours greeting, click Change, and then
click Browse to locate the customized business hours greeting file you created before you started this
procedure.
IMPORTANT
The file you use for the greeting must be a .wav or .wma file.

4. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable a customized business hours greeting

This example enables the business hours greeting that uses a customized greeting named GreetingFile.wav for
the UM auto attendant MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursWelcomeGreetingEnabled $true -BusinessHoursWelcomeGreetingFilename GreetingFile.wav

This example configures a UM auto attendant named MyUMAutoAttendant to have business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"

This example configures a UM auto attendant named MyAutoAttendant and enables business hours key mappings
so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant. When
they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're sent to
another auto attendant that plays an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -BusinessHoursKeyMappingEnabled $true -BusinessHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

Enable a customized business hours menu prompt
2/28/2019 • 3 minutes to read

You can customize the menu prompt to be used by a Unified Messaging (UM) auto attendant during business
hours. After you create a UM auto attendant, a default system prompt ("Welcome to Unified Messaging") is used
as the menu prompt that callers hear after the business hours welcome greeting is played. Although the system
prompt mustn't be replaced or changed, you can customize the greetings and menu prompts that are used with
UM auto attendants. After you create a customized business hours menu prompt audio file, you must enable menu
navigation entries on the UM auto attendant for business hours.
If you only want to include the name of your organization or business as part of the default system prompt, you
can enter the name in the Business name box on the UM auto attendant. For details, see Enter a business name.

IMPORTANT
You must configure business hours on the auto attendant. For details, see Configure business hours.

For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Create a .wav or .wma file to be used for the menu prompt.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a customized business hours menu prompt


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan that
you want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable a customized business hours menu prompt, and then click Edit.
3. On the UM Auto Attendant page > Menu navigation, under Business hours menu navigation, click
Change, and then click Browse to locate the customized business hours menu prompt file.

IMPORTANT
The file you use for the menu prompt must be a .wav or .wma file.

4. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable a customized business hours menu prompt

This example enables a business hours main menu prompt and uses a customized prompt named
businesshoursprompts.wav on the UM auto attendant MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursMainMenuCustomPromptEnabled $true -BusinessHoursMainMenuCustomPromptFilename BusinessHoursPrompts.wav

This example configures a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"

This example configures a UM auto attendant named MyAutoAttendant and enables business hours navigation
menus so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant.
When they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're
sent to another auto attendant that plays an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -BusinessHoursKeyMappingEnabled $true -BusinessHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

Enable a customized non-business hours greeting
2/28/2019 • 3 minutes to read

You can enable a customized non-business hours greeting for a Unified Messaging (UM) auto attendant. The
non-business hours greeting is the first thing callers hear when a UM auto attendant answers their call during
non-business hours. You'll probably want to customize the greeting.
Unified Messaging includes a default system prompt for use during non-business hours. Although the default
system prompt mustn't be replaced or changed, you may want to provide a customized greeting. You can create a
customized greeting in the .wav or .wma file format to be used when callers call in to a UM auto attendant during
non-business hours. For example, "You've reached Woodgrove Bank after hours."
If you want to include the name of your organization or business as part of the default greeting, you can enter the
name in the Business name box on the UM auto attendant. For details, see Enter a business name.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Create a .wav or .wma file to be used for the greeting.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a customized non-business hours greeting


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable a customized non-business hours greeting, and then click Edit.
3. On the UM Auto Attendant page > Greetings, under Non-business hours greeting, click Change, and
then click Browse to locate the customized non-business hours greeting file you created before you started
this procedure.

IMPORTANT
The file you use for the greeting must be a .wav or .wma file.

4. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable a customized non-business hours greeting

This example enables the non-business hours greeting that uses a customized greeting named GreetingFile.wav
for the UM auto attendant MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AfterHoursWelcomeGreetingEnabled $true -AfterHoursWelcomeGreetingFilename GreetingFile.wav

This example configures a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 2, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"

This example configures a UM auto attendant named MyAutoAttendant and enables non-business hours key
mappings so that when callers press 1, they're forwarded to another UM auto attendant named
SalesAutoAttendant. When they press 2, they're forwarded to extension number 12345 for Support, and when
they press 3, they're sent to another auto attendant that plays an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -AfterHoursKeyMappingEnabled $true -AfterHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

Enable a customized non-business hours menu prompt
2/28/2019 • 3 minutes to read

You can customize the menu prompt to be used by a Unified Messaging (UM) auto attendant outside business
hours. After you create a UM auto attendant, a default system prompt ("Welcome to Unified Messaging") is used
as the menu prompt that callers hear after the non-business hours welcome greeting is played. Although the
system prompt mustn't be replaced or changed, you can customize the greetings and menu prompts that are used
with UM auto attendants. After you create a customized non-business hours menu prompt audio file, you must
enable menu navigation entries on the UM auto attendant for non-business hours.
If you only want to include the name of your organization or business as part of the default system prompt, you
can enter the name in the Business name box on the UM auto attendant. For details, see Enter a business name.

IMPORTANT
You must configure business hours on the auto attendant. When you configure business hours, the non-business hours are
set automatically. For details, see Configure business hours.

For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Create a .wav or .wma file to be used for the menu prompt.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a customized non-business hours menu prompt


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan that
you want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable a customized non-business hours menu prompt, and then click Edit.
3. On the UM Auto Attendant page > Menu navigation, under Non-business hours menu navigation,
click Change, and then click Browse to locate the customized non-business hours menu prompt file.

IMPORTANT
The file you use for the menu prompt must be a .wav or .wma file.

4. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable a customized non-business hours menu prompt

This example enables a UM auto attendant named MyUMAutoAttendant that has business hours configured to be
10:45 to 13:15 (Sunday), 09:00 to 17:00 (Monday), and 09:00 to 16:30 (Saturday) and holiday times and their
associated greetings configured to be "New Year" on January 1, 2013, and "Building Closed for Construction"
from April 24, 2013 through April 28, 2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"

This example configures a UM auto attendant named MyAutoAttendant and enables non-business hours navigation
menus so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant.
When they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're
sent to another UM auto attendant that plays an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -AfterHoursKeyMappingEnabled $true -AfterHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

Enable an informational announcement
2/28/2019 • 2 minutes to read

You can enable an informational announcement for a Unified Messaging (UM) auto attendant. When an
informational announcement is enabled, it will play immediately after the business or non-business hours greeting.
By default, an informational announcement isn't configured. To enable an informational announcement, create a
.wav or .wma file to be used as the informational announcement, and then configure the auto attendant to use this
sound file.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Create a .wav or .wma file to be used for the informational announcement.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable an informational announcement


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan that
you want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable an informational announcement, and then click Edit.
3. On the UM Auto Attendant page > Greetings, under Informational announcement, click Change, and
then click Browse to locate the informational announcement file you created before you started this
procedure.

IMPORTANT
The file you use for the greeting must be a .wav or .wma file.

4. After you've located the file, click Open, and then click Save.
Use Exchange Online PowerShell to enable an informational announcement

This example enables an informational announcement that uses the MyInfoAnnouncement.wav file for the UM auto
attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -InfoAnnouncementEnabled $true -InfoAnnouncementFilename MyInfoAnnouncement.wav

Create menu navigation
2/28/2019 • 5 minutes to read

You can use the New menu navigation entry page to create single or multiple key mappings for business or
non-business hours main menu prompts for auto attendants. You can define the action that will be performed
when a key on the telephone keypad is pressed, for example, transferring the call to an extension number or
another auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure UM auto attendant navigation menus


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create menu navigation. On the toolbar, click Edit.
3. On the UM Auto Attendant page, click Menu navigation, select either Enable business hours menu
navigation or Enable non-business hours menu navigation, and then click Add.
4. On the New menu navigation entry page, configure the following:
Prompt: Use this box to type the name of the new navigation menu. The navigation menu name is used for
display purposes only. This is a required field.
Because you may want to specify multiple new navigation menus, we recommend that you use meaningful
names for your key mappings. The maximum length of the name for the key mapping is 64 characters, and
it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
When this key is pressed: Use this list to enable key mapping. The key mapping is the number key that a
caller presses to have the auto attendant perform a specific operation, for example, forwarding the caller to
another auto attendant or to an operator. By default, no entries are defined.
Use the drop-down list to select the numeric key (from 1 through 9) that the caller must press. Zero (0) is
reserved for the auto attendant operator.
If you select Time Out from the drop-down list, it enables callers to be transferred to an extension number
or to another auto attendant if they don't press a key on the telephone keypad. For example, "Please stay on
the line and your call will be answered by the next available representative." The default setting is 5 seconds.
If you enable this option, a blank key mapping will be created.
Play the following audio file: Use this option to select a previously recorded audio file for callers. Click
Change, and then click Browse to locate the audio file.
Perform this additional action: Select one of the following options to define the action that you want the
auto attendant to perform for the caller:
None: If you don't want the auto attendant to transfer the call to an extension or to another auto
attendant, or leave a message for a user, use this option.
Transfer to this extension: Select this option to enable calls to be transferred to an extension number. If
you enable this option, use the box to type the extension where the call will be transferred. This field allows
only numeric characters. It can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Transfer to this UM auto attendant: Select this option to transfer the call to an auto attendant. Click
Browse to locate the auto attendant that you want to use. Before you enable this option, you must first
create and configure the auto attendant. This option is used when you create a parent/child structure of UM
auto attendants.
Leave a voice message for this user: Select this option to enable a caller to leave a voice mail message for
a user that's on the same dial plan as the UM auto attendant that you're configuring. When a caller chooses
this option from an auto attendant menu, they'll be prompted to leave a voice message for the user that was
selected. Click Browse to locate the UM-enabled user.
Announce business location: Select this option to enable a caller to choose an auto attendant menu
option and hear the location of the business that's configured on the UM auto attendant. To enable this to
work correctly, you must first enter the business location in the Business location box on the General
page on the UM auto attendant.
Announce business hours: Select this option to enable a caller to choose an auto attendant menu option
and hear the hours of operation for the business that's configured on the UM auto attendant. To enable this
to work correctly, you must first configure the business hours on the Business hours page on the UM auto
attendant.
5. Click OK to create the new menu navigation.
6. On the UM Auto Attendant page, click Save to save your changes.

Use Exchange Online PowerShell to configure UM auto attendant key mappings

This example enables business hours key mappings so that:
When callers press 1, they will be forwarded to another UM auto attendant named SalesAutoAttendant.
When they press 2, they will be forwarded to extension number 12345 for Support.
When they press 3, they will be sent to another auto attendant that will play an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -BusinessHoursKeyMappingEnabled $true -BusinessHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

This example sets key mappings defined in a comma-separated value (.csv) file. You must first create the .csv file
with the following headings and the correct entry: <key>,<description>,[<extension>],[<autoattendant name>],
[<promptfilenamepath>],[<asrphrase1;asrphrase2>],[<leavevoicemailfor>],[<transfertomailbox>]. The values in
brackets are optional. After creating the .csv file, import the .csv file using the Import-csv cmdlet.

$o = Import-csv -path "C:\UMFiles\AutoAttendants\keymappings.csv"
Set-UMAutoAttendant MyAutoAttendant -BusinessHoursKeyMapping $o

This example exports key mappings from an existing UM auto attendant into a .csv file, and then imports the same
key mappings into another UM auto attendant. You could also export the key mappings to a .csv file, edit or modify
the key mappings in the .csv file, and then import those key mappings into another UM auto attendant.

$aa = Get-UMAutoAttendant -Identity MyAutoAttendant
$aa1 = Get-UMAutoAttendant -Identity MyAutoAttendant2
$aa.BusinessHoursKeyMapping | Export-csv -path "C:\UMFiles\AutoAttendants\keymappings.csv"
$aa1.BusinessHoursKeyMapping = (Import-csv -path "C:\UMFiles\AutoAttendants\keymappings.csv")
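
The check below is an added example, not part of the original documentation: it validates key-mapping rows against the limits stated in this topic (keys 1 through 9, a name of at most 64 characters without the listed characters, a numeric extension, a .wav or .wma prompt file) before a .csv file is imported. The column names Key, Description, Extension, AutoAttendantName and PromptFileName and the function name Test-UMKeyMappingRow are assumptions, and the sample rows are constructed.

```powershell
# Added example, not from the original page. Column and function names are assumptions.

# Characters this topic lists as not allowed in a key-mapping name.
$ForbiddenNameChars = '"/\[]:;|=,+*?<>'.ToCharArray()

function Test-UMKeyMappingRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [psobject] $Row,
        [Parameter(Mandatory)] [int] $LineNumber
    )

    $problems = @()

    # Key: a single digit from 1 through 9. Zero is reserved for the operator.
    # Time Out entries are not modelled here, so they are flagged for manual review.
    if ([string]$Row.Key -notmatch '^[1-9]$') {
        $problems += "key '$($Row.Key)' is not a digit from 1 through 9"
    }

    # Name (the "Prompt" box in the EAC): required, at most 64 characters,
    # spaces allowed, none of the forbidden characters.
    $name = [string]$Row.Description
    if ([string]::IsNullOrWhiteSpace($name)) {
        $problems += 'name is required'
    }
    elseif ($name.Length -gt 64) {
        $problems += "name is $($name.Length) characters long (maximum is 64)"
    }
    if ($name.IndexOfAny($ForbiddenNameChars) -ge 0) {
        $problems += 'name contains a character that is not allowed'
    }

    # Extension: optional, numeric characters only.
    $extension = [string]$Row.Extension
    if ($extension -and $extension -notmatch '^[0-9]+$') {
        $problems += "extension '$extension' is not numeric"
    }

    # Prompt file: optional, must be a .wav or .wma file.
    $promptFile = [string]$Row.PromptFileName
    if ($promptFile -and $promptFile -notmatch '\.(wav|wma)$') {
        $problems += "prompt file '$promptFile' is not a .wav or .wma file"
    }

    # Emit one object per problem so the caller can filter, sort or export them.
    foreach ($problem in $problems) {
        [pscustomobject]@{ Line = $LineNumber; Key = $Row.Key; Problem = $problem }
    }
}

# Constructed sample data. The first three rows mirror the key mappings used in
# this topic; the last three each break at least one documented rule.
$sampleCsv = @'
Key,Description,Extension,AutoAttendantName,PromptFileName
1,Sales,,SalesAutoAttendant,
2,Support,12345,,
3,Directions,,,directions.wav
0,Operator,100,,
4,Billing: Accounts,12a45,,
5,Hours,,,hours.mp3
'@

# For a real file, replace the next line with: $rows = Import-Csv -Path <your file>
$rows = $sampleCsv | ConvertFrom-Csv

$lineNumber = 1   # line 1 of the file is the header row
$report = foreach ($row in $rows) {
    $lineNumber++
    Test-UMKeyMappingRow -Row $row -LineNumber $lineNumber
}

if ($report) {
    $report | Format-Table -AutoSize
    Write-Warning "$(@($report).Count) problem(s) found; fix the file before importing it."
}
else {
    Write-Output 'All rows passed the checks.'
}
```
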
Create business hours navigation menus
2/28/2019 • 5 minutes to read

You can enable business hours key mappings for a Unified Messaging (UM) auto attendant. After you create a UM
auto attendant, a default system prompt will be used for the business hours main menu prompt greeting that
callers hear after the business hours welcome greeting is played. The default business hours main menu prompt
says, "Welcome to the Microsoft Exchange auto attendant." Because no key mappings are defined by default, no
menu options are available to callers, and they hear only the default main menu prompt.
When you configure key mappings, you define the options and the operations that will be performed if a caller
speaks a phrase while they're using a speech-enabled auto attendant or presses a key on the telephone keypad
while they're using an auto attendant that isn't speech-enabled.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable business hours key mappings on a UM auto attendant

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create a business hours navigation menu. On the toolbar, click Edit.
3. On the UM Auto Attendant page, click Menu navigation, under Business hours menu navigation,
select Enable business hours menu navigation, and then click Add.
4. On the New menu navigation entry page, use the following options to create a new navigation entry:
Prompt: Use this box to type the name of the new navigation menu. The navigation menu name is used for
display purposes only. This is a required field.
Because you may want to specify multiple new navigation menus, we recommend that you use meaningful
names for your key mappings. The maximum length of the name for the key mapping is 64 characters, and
it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
When this key is pressed: Use this list to enable key mapping. The key mapping is the number key that a
caller presses to have the auto attendant perform a specific operation, for example, forwarding the caller to
another auto attendant or to an operator. By default, no entries are defined.
Use the drop-down list to select the numeric key (from 1 through 9) that the caller must press. Zero (0) is
reserved for the auto attendant operator.
If you select Time Out from the drop-down list, it enables callers to be transferred to an extension number
or to another auto attendant if they don't press a key on the telephone keypad. For example, "Please stay on
the line and your call will be answered by the next available representative." The default setting is 5 seconds.
If you enable this option, a blank key mapping will be created.
Play the following audio file: Use this option to select a previously recorded audio file for callers. Click
Change, and then click Browse to locate the audio file. If you leave the audio file as the default <None>,
the Unified Messaging TTS (Text to Speech) engine will synthesize a business hours main menu prompt.
Alternatively, you can create a customized audio file that can be used for the business hours main menu
prompt for a speech-enabled auto attendant. For example, it might say, "To leave a voice message for sales,
say 1. To leave a voice message for technical support, say 2. To leave a voice message for administration, say
3."
Perform this additional action: Select one of the following options to define the action that you want the
auto attendant to perform for the caller:
None: If you don't want the auto attendant to transfer the call to an extension or to another auto attendant,
or leave a message for a user, use this option.
Transfer to this extension: Select this option to enable calls to be transferred to an extension number. If
you enable this option, use the box to type the extension number where the call will be transferred. This field
allows only numeric characters. It can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Transfer to this UM auto attendant: Select this option to transfer the call to an auto attendant. Click
Browse to locate the auto attendant that you want to use. Before you enable this option, you must first
create and configure the auto attendant. This option is used when you create a parent/child structure of UM
auto attendants.
Leave a voice message for this user: Select this option to enable a caller to leave a voice mail message for
a user that's on the same dial plan as the UM auto attendant that you're configuring. When a caller chooses
this option from an auto attendant menu, they'll be prompted to leave a voice message for the user that was
selected. Click Browse to locate the UM-enabled user.
Announce business location: Select this option to enable a caller to choose an auto attendant menu
option and hear the location of the business that's configured on the UM auto attendant. To enable this to
work correctly, you must first enter the business location in the Business location box on the General
page on the UM auto attendant.
Announce business hours: Select this option to enable a caller to choose an auto attendant menu option
and hear the hours of operation for the business that's configured on the UM auto attendant. To enable this
to work correctly, you must first configure the business hours on the Business hours page on the UM auto
attendant.
5. Click OK to create the new menu navigation.
6. On the UM Auto Attendant page, click Save to save your changes.
Use Exchange Online PowerShell to enable business hours key mappings on a UM auto attendant

This example configures a UM auto attendant named MyAutoAttendant and enables business hours key mappings
so that when callers press 1, they're forwarded to another UM auto attendant named SalesAutoAttendant. When
they press 2, they're forwarded to extension number 12345 for Support, and when they press 3, they're sent to
another auto attendant that plays an audio file.

Set-UMAutoAttendant -Identity MyAutoAttendant -BusinessHoursKeyMappingEnabled $true -BusinessHoursKeyMapping "1,Sales,,SalesAutoAttendant","2,Support,12345","3,Directions,,,directions.wav"

Create non-business hours navigation menus
2/28/2019 • 6 minutes to read

You can enable non-business hours key mappings for a Unified Messaging (UM) auto attendant. After you create a
UM auto attendant, a default system prompt will be used for the non-business hours main menu prompt greeting
that callers hear after the non-business hours welcome greeting is played. The default non-business hours main
menu prompt says, "Welcome to the Microsoft Exchange after hours auto attendant." Because no key mappings
are defined by default, no menu options are available to callers and they hear only the default non-business hours
main menu prompt.
When you configure key mappings, you define the options and the operations that will be performed if a caller
speaks a phrase while they're using a speech-enabled auto attendant or presses a key on the telephone keypad
while they're using an auto attendant that isn't speech-enabled.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable non-business hours key mappings on a UM auto attendant

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create a non-business hours navigation menu. On the toolbar, click Edit.
3. On the UM Auto Attendant page, click Menu navigation, under Non-business hours menu
navigation, select Enable non-business hours menu navigation, and then click Add.
4. On the New menu navigation entry page, use the following options to create a new menu navigation
entry:
Prompt: Use this box to type the name of the new navigation menu. The navigation menu name is used for
display purposes only. This is a required field.
Because you may want to specify multiple new navigation menus, we recommend that you use meaningful
names for your key mappings. The maximum length of the name for the key mapping is 64 characters, and
it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
When this key is pressed: Use this list to enable key mapping. The key mapping is the number key that a
caller presses to have the auto attendant perform a specific operation, for example, forwarding the caller to
another auto attendant or to an operator. By default, no entries are defined.
Use the drop-down list to select the numeric key (from 1 through 9) that the caller must press. Zero (0) is
reserved for the auto attendant operator.
If you select Time Out from the drop-down list, it enables callers to be transferred to an extension number
or to another auto attendant if they don't press a key on the telephone keypad. For example, "Please stay on
the line and your call will be answered by the next available representative." The default setting is 5 seconds.
If you enable this option, a blank key mapping will be created.
Play the following audio file: Use this option to select a previously recorded audio file for callers. Click
Change, and then click Browse to locate the audio file. If you leave the audio file as the default <None>,
the Unified Messaging TTS (Text to Speech) engine will synthesize a non-business hours main menu
prompt. Alternatively, you can create a customized audio file that can be used for the non-business hours
main menu prompt for a speech-enabled auto attendant that would say, for example, "You have reached
Contoso during non-business hours. To leave a voice message for sales, say 1. To leave a voice message for
technical support, say 2. To leave a voice message for administration, say 3. To reach an after hours operator,
press zero."
Perform this additional action: Select one of the following options to define the action that you want the
auto attendant to perform for the caller:
None: If you don't want the auto attendant to transfer the call to an extension or to another auto attendant,
or leave a message for a user, use this option.
Transfer to this extension: Select this option to enable calls to be transferred to an extension number. If
you enable this option, use the box to type the extension number where the call will be transferred. This field
allows only numeric characters. It can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Transfer to this UM auto attendant: Select this option to transfer the call to an existing auto attendant.
Click Browse to locate the auto attendant that you want to use. Before you enable this option, you must first
create and configure the auto attendant. This option is used when you create a parent/child structure of UM
auto attendants.
Leave a voice message for this user: Select this option to enable a caller to leave a voice mail message for
a user that's on the same dial plan as the UM auto attendant that you're configuring. When a caller chooses
this option from an auto attendant menu, they'll be prompted to leave a voice message for the user that was
selected. Click Browse to locate the UM-enabled user.
Announce business location: Select this option to enable a caller to choose an auto attendant menu
option and hear the location of the business that's configured on the UM auto attendant. To enable this to
work correctly, you must first enter the business location in the Business location box on the General
page on the UM auto attendant.
Announce business hours: Select this option to enable a caller to choose an auto attendant menu option
and hear the hours of operation for the business that's configured on the UM auto attendant. To enable this
to work correctly, you must first configure the business hours on the Business hours page on the UM auto
attendant.
5. Click OK to create the new menu navigation.
6. On the UM Auto Attendant page, click Save to save your changes.

Use Exchange Online PowerShell to enable non-business hours key mappings on a UM auto attendant
This example configures a UM auto attendant named MyAutoAttendant and enables non-business hours key
mappings so that when callers say "After Hours" they will be forwarded to extension number 12345, and if they
say "Directions" they will be forwarded to extension number 23456.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AfterHoursKeyMappingEnabled $true -AfterHoursKeyMapping "AfterhoursOperator,12345","Directions,23456"
Manage a UM auto attendant
2/28/2019 • 30 minutes to read

After you create a Unified Messaging (UM) auto attendant, you can view or configure a variety of settings. For
example, you can add, remove, and edit extension numbers associated with the auto attendant. You can also enable
or disable Automatic Speech Recognition (ASR) for the auto attendant and change the greetings used for business
and non-business hours.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view or configure UM auto attendant settings


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to view
or configure, and then on the toolbar, click Edit.
3. On the UM Auto Attendant page, click General to view display-only information about the UM auto
attendant and to perform management tasks on the UM auto attendant, as follows:
UM dial plan: This box displays the UM dial plan associated with the auto attendant. After you create an
auto attendant, the dial plan associated with the auto attendant can't be changed. If you need to associate an
auto attendant with a different dial plan, you must delete the dial plan and then associate the auto attendant
with the correct dial plan after you re-create it.
Name: This box shows the name that was assigned to the auto attendant when it was created. This is the
name that will appear in the EAC.
Status: This box shows whether the UM auto attendant is enabled or disabled. To enable or disable the auto
attendant, close the UM Auto Attendant page and use the toolbar under UM Auto Attendants on the
UM Dial Plan page.
Access numbers: Use this box to enter an extension number or access number that leads callers to the
auto attendant. By default, no extension or access numbers are configured when you create an auto
attendant.
The number of digits in the extension numbers or access numbers you provide must match the number of
digits for an extension number configured on the UM dial plan associated with the UM auto attendant. You
can also add a Session Initiation Protocol (SIP) address to this box. A SIP address is used by some IP
Private Branch eXchanges (PBXs), SIP-enabled PBXs, and Microsoft Office Communications Server 2007
R2 or Microsoft Lync Server.
You can create a new auto attendant without listing an extension number or access number. To add an
extension number, type the number in this box, and then click Add. You can associate more than one
number with an auto attendant. You can also edit or remove an existing access number. To edit an existing
number, select it and click Edit. To remove an existing extension number from the list, select it and click
Remove.
Set the auto attendant to respond to voice commands: Select this check box to enable callers to
respond verbally to auto attendant prompts to navigate the menu system. By default, when an auto
attendant is created, it isn't speech-enabled.
If you decide to create the UM auto attendant but not to speech-enable it, you can use the EAC or Exchange
Online PowerShell to speech-enable it after it is created.
Use this auto attendant when voice commands don't work correctly: Click Browse to select the auto
attendant that you want to use in the case that voice commands don't work. This is also referred to as a
DTMF fallback auto attendant. A DTMF fallback auto attendant can be used only if the Set the auto
attendant to respond to voice commands option is selected. You must first create
a DTMF fallback auto attendant, and then click Browse to locate the appropriate DTMF auto attendant.
A DTMF fallback auto attendant is used when the UM speech-enabled auto attendant can't understand or
recognize the speech inputs from the caller. If the DTMF auto attendant is used, the caller is required to use
DTMF inputs to navigate the menu system, spell a user's name, or use a custom menu prompt. A caller
won't be able to use voice commands to navigate this auto attendant.
If you don't configure a DTMF fallback auto attendant, we recommend that you configure an operator
extension number on the auto attendant. If you don't configure an operator extension number, when callers
use a speech-enabled auto attendant and the system doesn't recognize their voice inputs, they won't be able
to navigate the system or be transferred to an operator for help.
Although not required, we recommend that you configure the DTMF fallback auto attendant to have the
same configuration as the speech-enabled auto attendant. The DTMF fallback auto attendant shouldn't be
speech-enabled.
Language for automated voice interface: Use this list to select the language that callers hear when they
reach the auto attendant. The default language is determined when you install Microsoft Exchange. For on-
premises and hybrid deployments, by default, U.S. English is used because the auto attendant uses the
language setting on the UM dial plan. To have other language options available, you must install the UM
language packs for the languages you want to include. For more information about how to install a UM
language pack, see Install a Unified Messaging Language Pack. For UM in Office 365, it's not required that
you install any additional UM language packs.
Although you can select a language other than the language selected on the UM dial plan associated with
the auto attendant, we recommend that the language settings on the dial plan and the auto attendant
match. If language settings don't match, when callers call an extension number defined on the dial plan,
they will be presented with prompts in one language, and when they dial an extension number associated
with an auto attendant, they will be presented with prompts in a different language.
Business name: Use this box to enter the name of the business. By default, no business name is entered. If
you enter a business name in this box, a prompt with the business name will be played to callers instead of
the default greeting.
Business location: Use this box to enter the location of the business. By default, no business location is
entered. If you enter the location of the business in this box, the business location will be played for callers.
4. Use Greetings on the auto attendant to manage recorded greetings. You can select default greetings or
previously recorded custom greetings for business hours and non-business hours. You can configure the
following:
Business hours greeting: This is the initial greeting that is played when a caller calls the auto attendant
during your organization's business hours. By default, business hours are from 12:00 A.M. to 12:00 A.M.
and no non-business hours are set. If you don't specify a custom greeting, a system prompt that says,
"Welcome to the Exchange auto attendant" is played for callers. The business and non-business hours are
configured on the auto attendant Business hours.
You may want to customize this greeting to represent your company, for example, "Thank you for calling
Woodgrove Bank." You can configure a customized business hours greeting by clicking Change to select a
previously recorded custom greeting file. The custom greeting must already have been recorded as a .wav
or .wma file.
Non-business hours greeting: This is the initial greeting played when a caller calls the auto attendant
during your organization's non-business hours. By default, no non-business hours are configured.
Therefore, there is no default non-business hours greeting. You can configure the business and non-
business hours on the auto attendant Business hours.
You may want to customize this greeting to represent your company, for example, "Thank you for calling
Woodgrove Bank but we are now closed." or "You have reached Contoso, Ltd. after business hours. Our
business hours are from 8:00 A.M. until 5:00 P.M., Monday through Friday." You can configure a
customized non-business hours greeting by clicking Change to select a previously recorded custom
greeting file. The custom greeting must already have been recorded as a .wav or .wma file.
Informational announcement: When enabled, this optional recording plays immediately after the
business or non-business hours greeting. An informational announcement may state the organization's
hours of operation, for example, "Our business hours are 8:30 A.M. to 5:30 P.M., Monday through Friday
and 8:30 A.M. to 1:00 P.M. on Saturday." An informational announcement can also provide information
required for compliance with company policy, for example, "Calls may be monitored for training purposes."
If it's important that callers hear the whole informational announcement, it can be marked as
uninterruptible, requiring the caller to listen to the whole announcement.
By default, there's no informational announcement configured on UM dial plans or auto attendants. If you
enable an informational announcement and use a custom audio file specific to your organization, the Allow
announcement to be interrupted option will be made available. The recordings must already have been
recorded as .wav or .wma files. Click Change to locate a custom informational announcement file
previously recorded.
Allow announcement to be interrupted: Select this check box to enable the caller to interrupt the
informational announcement. This should be enabled if you have long informational announcements.
Callers may become frustrated if the informational announcement is long and they can't interrupt it to
access the options provided by the auto attendant.
5. Use Business hours to determine the organization's open business hours. During business hours, callers hear
the default business hours greeting or a customized greeting, and the business hours main menu prompt if the
appropriate business hours key mappings are configured on Menu navigation. You can configure the
following:
Time zone: Use this list to select your time zone. Consider whether the dial plan associated with the auto
attendant covers more than one time zone when you set your schedule.
For on-premises and hybrid deployments, by default, the time zone is configured using the local server's
system time when the Mailbox server that is running the Microsoft Exchange Unified Messaging service
was installed.
Business hours: Click Configure business hours, and then, on the Configure Business Hours page, use
the grid to configure your organization's business hours.
Holiday schedule: Use this to define days, from 00:00 through 23:59 (12:00 A.M. through 11:59 P.M.), on
which your organization will be closed for a holiday. Callers who reach the auto attendant during the times
that you specify on the New holiday page hear a custom holiday greeting audio file that you define. When
you configure the holiday schedule, you must define the holiday name, the audio file for the recorded
holiday greeting, and the Start date and End date. The greetings must already have been recorded as .wav
or .wma files.
6. Use Menu navigation to specify the menu options that are offered to callers during business and non-
business hours. If you want to enable menu navigation, you must do it separately for business and non-
business hours. For example, if you want to enable business hours navigation, you must add a menu prompt
custom audio recording, select the Enable business hours menu navigation check box, click Add, and
then set the options on the New menu navigation entry page.
Business hours menu navigation: This is the list of options that callers hear during the business hours
that are defined on the Business hours page. For example, "For technical support, press or say 1. For
corporate offices and administration, press or say 2. For sales, press or say 3."
To enable business hours menu navigation, you must perform the following steps:
1. Menu prompt: Use this to specify a custom menu prompt audio file. To use a custom or previously
recorded business hours menu prompt, click Change, and then click Browse to locate the menu
prompt recording.
2. Enable business hours menu navigation: Select this check box to enable options for menu
navigation that will be used during business hours. When you enable business hours menu
navigation, you can add new menu navigation entries for business hours.
3. Click Add to create a new menu navigation entry. On the New menu navigation entry page,
use the following options to create a new menu navigation entry:
Prompt: Use this box to type the name of the new navigation menu. The navigation menu name is used for
display purposes only. This is a required field.
Because you may want to specify multiple new navigation menus, we recommend that you use meaningful
names for your key mappings. The maximum length of the name for the key mapping is 64 characters, and
it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
When this key is pressed: Use this list to enable key mapping. The key mapping is the number key that a
caller presses to have the auto attendant perform a specific operation, for example, forwarding the caller to
another auto attendant or to an operator. By default, no entries are defined.
Use the drop down list to select the numeric key (from 1 through 9) that the caller must press. Zero (0) is
reserved for the auto attendant operator.
If you select Time Out from the drop down list, it enables callers to be transferred to an extension number
or to another auto attendant if they don't press a key on the telephone keypad. For example, "Please stay on
the line and your call will be answered by the next available representative." The default setting is 5 seconds.
If you enable this option, a blank key mapping will be created.
Play the following audio file: Use this option to select a previously recorded audio file for callers. Click
Change, and then click Browse to locate the audio file. If you leave the audio file as the default <None>,
the Unified Messaging TTS (Text to Speech) engine will synthesize a business hours main menu prompt.
Alternatively, you can create a customized audio file that can be used for the business hours main menu
prompt for a speech-enabled auto attendant. For example, it might say, "To leave a voice message for sales,
say 1. To leave a voice message for technical support, say 2. To leave a voice message for administration,
say 3."
Perform this additional action: Select one of the following options to define the action that you want the
auto attendant to perform for the caller:
None: If you don't want the auto attendant to transfer the call to an extension or to another auto attendant,
or leave a message for a user, use this option.
Transfer to this extension: Select this option to enable calls to be transferred to an extension number. If
you enable this option, use the box to type the extension where the call will be transferred. This field allows
only numeric characters. It can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Transfer to this UM auto attendant: Select this option to transfer the call to an auto attendant. Click
Browse to locate the auto attendant that you want to use. Before you enable this option, you must first
create and configure the auto attendant. This option is used when you create a parent/child structure of UM
auto attendants.
Leave a voice message for this user: Select this option to enable a caller to leave a voice mail message
for a user that's on the same dial plan as the UM auto attendant that you're configuring. When a caller
chooses this option from an auto attendant menu, they'll be prompted to leave a voice message for the user
that was selected. Click Browse to locate the UM-enabled user.
Announce business location: Select this option to enable a caller to choose an auto attendant menu
option and hear the location of the business that's configured on the UM auto attendant. To enable this to
work correctly, you must first enter the business location in the Business location box on the General
page on the UM auto attendant.
Announce business hours: Select this option to enable a caller to choose an auto attendant menu option
and hear the hours of operation for the business that's configured on the UM auto attendant. To enable this
to work correctly, you must first configure the business hours on the Business hours page on the UM auto
attendant.
Non-Business hours menu navigation: This is the list of options callers hear during the non-business
hours that are defined on the Business hours page. For example, "Your call is very important to us.
However, you have reached Woodgrove Bank after normal business hours. If you want to leave a message,
please press or say 1 and we will return your call as soon as possible."
To enable non-business hours menu navigation, you must perform the following steps:
1. Menu prompt: Use this to specify a custom menu prompt audio file. To use a custom or previously
recorded non-business hours menu prompt, click Browse.
2. Enable non-business hours menu navigation: Select this check box to enable options for menu
navigation that will be used during non-business hours. When you enable non-business hours menu
navigation, you can add new menu navigation entries for non-business hours.
3. Click Add to create a new menu navigation entry. On the New menu navigation entry page,
use the following options to create a new menu navigation entry:
Prompt: Use this box to type the name of the new navigation menu. The navigation menu name is used for
display purposes only. This is a required field.
Because you may want to specify multiple new navigation menus, we recommend that you use meaningful
names for your key mappings. The maximum length of the name for the key mapping is 64 characters, and
it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
When this key is pressed: Use this list to enable key mapping. The key mapping is the number key that a
caller presses to have the auto attendant perform a specific operation, for example, forwarding the caller to
another auto attendant or to an operator. By default, no entries are defined.
Use the drop down list to select the numeric key (from 1 through 9) that the caller must press. Zero (0) is
reserved for the auto attendant operator.
If you select Time Out from the drop down list, it enables callers to be transferred to an extension number
or to another auto attendant if they don't press a key on the telephone keypad. For example, "Please stay on
the line and your call will be answered by the next available representative." The default setting is 5 seconds.
If you enable this option, a blank key mapping will be created.
Play the following audio file: Use this option to select a previously recorded audio file for callers. Click
Change, and then click Browse to locate the audio file. If you leave the audio file as the default <None>,
the Unified Messaging TTS (Text to Speech) engine will synthesize a non-business hours main menu
prompt. Alternatively, you can create a customized audio file that can be used for the non-business hours
main menu prompt for a speech-enabled auto attendant that would say, for example, "You have reached
Contoso during non-business hours. To leave a voice message for sales, say 1. To leave a voice message for
technical support, say 2. To leave a voice message for administration, say 3. To reach an after hours
operator, press zero."
Perform this additional action: Select one of the following options to define the action that you want the
auto attendant to perform for the caller:
None: If you don't want the auto attendant to transfer the call to an extension or to another auto attendant,
or leave a message for a user, use this option.
Transfer to this extension: Select this option to enable calls to be transferred to an extension number. If
you enable this option, use the box to type the extension number where the call will be transferred. This
field allows only numeric characters. It can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Transfer to this UM auto attendant: Select this option to transfer the call to an existing auto attendant.
Click Browse to locate the auto attendant that you want to use. Before you enable this option, you must
first create and configure the auto attendant. This option is used when you create a parent/child structure of
UM auto attendants.
Leave a voice message for this user: Select this option to enable a caller to leave a voice mail message
for a user that's on the same dial plan as the UM auto attendant that you're configuring. When a caller
chooses this option from an auto attendant menu, they'll be prompted to leave a voice message for the user
that was selected. Click Browse to locate the UM-enabled user.
Announce business location: Select this option to enable a caller to choose an auto attendant menu
option and hear the location of the business that's configured on the UM auto attendant. To enable this to
work correctly, you must first enter the business location in the Business location box on the General
page on the UM auto attendant.
Announce business hours: Select this option to enable a caller to choose an auto attendant menu option
and hear the hours of operation for the business that's configured on the UM auto attendant. To enable this
to work correctly, you must first configure the business hours on the Business hours page on the UM auto
attendant.
7. Use Address book and operator access to define the features available to callers who dial in to the UM auto
attendant. You can configure auto attendant features such as the language used when callers call in to the auto
attendant and the ability for callers to transfer to an operator's extension number. You can configure the
following:
Options for contacting users: Use these options to determine how callers can contact users with voice
mail when they call into a UM auto attendant.
Allow callers to dial users: Select this check box to enable callers to transfer calls to users. By default, this
option is enabled, and lets users who are associated with the dial plan transfer calls to users in the same
UM dial plan. After you select this check box, you can set the group of users to whom callers can transfer by
selecting the appropriate option under the Options for searching the address book section on this page.
If you disable this option and disable the Allow callers to leave voice messages for users option, the
options under Options for searching the address book are also disabled.
Allow callers to leave voice messages for users: Select this check box to enable callers to send voice
messages to users. By default, this option is enabled, and lets users who are associated with the dial plan
send voice messages to users in the same UM dial plan. After you select this check box, you can set the
group of users to whom callers can send voice messages by selecting the appropriate option under the
Options for searching the address book section on this page.
If you disable this option and disable the Allow callers to dial users option, the options under Options
for searching the address book are also disabled.
If you disable this option, the auto attendant won't invite callers to send a voice message during a system
prompt.
Options for searching the address book: Use these options to determine a grouping of users. By default,
Allow callers to search for user by name or alias is selected, along with the In this dial plan only
option. However, you can change the grouping of users to allow callers to transfer calls or send voice
messages to users who are located in the global address list (GAL) for an organization. You can choose
from the following:
Allow callers to search for users by name or alias: By default, this option is selected. It allows callers
that call into this auto attendant to do a directory search for users by name or by their alias. An alias is
assigned to a user when a mailbox is created for them. The alias is the first part of an SMTP address, for
example, tonysmith@contoso.com. The SMTP address is tonysmith@contoso.com, while the alias is
tonysmith. Choosing this option only affects callers that use this auto attendant and not those who use
Outlook Voice Access.
In this dial plan only: Select this option to allow callers who connect to the UM auto attendant to locate
and contact users who are in the same dial plan that is associated with this UM auto attendant. By default,
this option is enabled on the dial plan and on the auto attendant. This means that both Outlook Voice
Access users and callers into the auto attendant are able to search for users within the same dial plan.
In the entire organization: Select this option to allow callers who call into this UM auto attendant to
search for and contact anyone listed in the GAL for the organization. This includes not only UM-enabled
users but all users who are mailbox-enabled. This option allows callers to contact users in multiple dial
plans. It isn't enabled by default. This setting is also available on a dial plan for Outlook Voice Access users.
Information to include for similar names: Use this drop-down list to select the option used for the UM
auto attendant when users have the same or similar names. This setting is used when two or more users
who have the same name exist in the directory. This is also called a matched name or disambiguation field.
You can configure this setting, or you can leave the default setting on the auto attendant. By default, the
auto attendant will inherit this setting from the setting on the dial plan that is linked to the auto attendant.
The following is an example of a speech-enabled auto attendant:
1. System: "Welcome to Contoso. If you know the name of the person you are calling, please tell me
their name at any time."
2. Caller says "Tony Smith."
3. System: "There are multiple people with this name. Please select from one of the options: For Tony Smith,
research, press 1. For Tony Smith, administration, press 2. For Tony Smith, technical support, press
3."
4. Caller presses the appropriate key on the key pad and the call is transferred to the user.

NOTE
On a non-speech-enabled auto attendant, the system will tell the caller to use the key pad to input the user's name
(last name first) and then search for the user. If there are multiple people in the directory with the same name, the
caller is instructed to press the appropriate key to be transferred to the user. You could optionally create a DTMF
fallback auto attendant that uses only the key pad to enter a name or alias.

For these settings to be used, you must add the correct information to the user. For example, if you want the
auto attendant to use a title for two users with the same name, you must add this information to the user's
account. Select one of the following methods that provide more information to help the caller select the
correct user in the organization:
Inherit From dial plan: Select this option to have the auto attendant use the default setting from the dial
plan associated with the auto attendant.
Title: Select this option to have the auto attendant include each user's title when listing matches.
Department: Select this option to have the auto attendant include each user's department when listing
matches.
Location: Select this option to have the auto attendant include each user's location when listing matches.
None: Select this option to have no additional information given when listing matches.
Prompt for alias: Select this option to have the auto attendant prompt the caller for the user's alias.
8. Under Operator access, you can specify auto attendant operator settings including the following:
Operator extension: Use this box to type the extension number used to call an operator. This extension
number can connect the caller to a human operator or a UM-enabled mailbox, or can be configured to call
an external telephone number. By default, an operator extension isn't included in this box.
Allow transfer to operator during business hours: Select this check box to enable callers to be
transferred to a human operator during business hours by using the extension number that you configure
in the Operator extension box. By default, this option is disabled.
It's useful to enable this option so that when a caller is unsuccessful at using the menu prompts or directory
search to locate the required person during business hours, the caller can leave a voice message or connect
to a human operator. After you enable this option, you can configure the operator extension number on a
UM-enabled mailbox that's monitored. The caller can leave a voice message, or a human operator who has
the extension number can help the caller.
Allow transfer to operator during non-business hours: Select this check box to enable callers to be
transferred to a human operator after business hours by using the extension number that you configure in
the Operator extension box. By default, this option is disabled.
It's useful to enable this option so that when a caller is unsuccessful at using the menu prompts or directory
search to locate the required person after business hours, the caller can leave a voice message or connect to
a human operator. After you enable this option, you can configure the operator extension number
on a UM-enabled mailbox that's monitored. The caller can leave a voice message, or a human
operator who has the extension number can help the caller.
9. Use Dialing authorization to configure dialing rules for callers who call in to a UM auto attendant. You can
use these settings to control the extension numbers that can be reached from an auto attendant or control the
telephone numbers that can be dialed by callers that have dialed into the auto attendant. You can configure the
following:
Calls in the same UM dial plan: Select this check box to allow users who call in to an auto attendant to
place or transfer calls to an extension number associated with a UM-enabled user who is associated with
the same dial plan as the auto attendant. By default, this setting is enabled.
When you disable this setting, users who call in to an auto attendant can place or transfer calls to users who
aren't UM-enabled or to other extension numbers not associated with a UM-enabled user. Users can't
transfer calls to UM-enabled users who are associated with the same dial plan as the auto attendant. This is
because the Allow calls to any extension setting is enabled by default.
Allow calls to any extension: When this setting is disabled, users who call in to an auto attendant can't
place calls to users who aren't UM-enabled or to other extension numbers not associated with a
UM-enabled user. However, they can place calls or transfer calls to extension numbers associated with
UM-enabled users. This is because the Calls in the same UM dial plan setting is enabled by default. The
Allow calls to any extension setting is enabled by default.
When this setting is enabled, users who call in to an auto attendant can place calls to users who aren't
UM-enabled, to other extension numbers not associated with a UM-enabled user, and to UM-enabled users.
This is because the Calls in the same UM dial plan setting is enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to a telephone number configured on an auto
attendant to call extension numbers not associated with a UM-enabled user.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rule groups. By default, there are no in-country/region dialing rule groups
configured on UM auto attendants.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that any user who has dialed in to the UM auto attendant can dial. This helps prevent unnecessary
or unauthorized telephone calls and charges.
To add in-country/region dialing rule groups, you must first create the appropriate in-country/region
dialing rule groups on the dial plan associated with the UM auto attendant, and then add the appropriate
dialing rule group.
In-country/region dialing rule groups can be used by Unified Messaging to allow or restrict access to
telephone numbers within a country or region. This is applied to any user who has called in to an auto
attendant. For more information about outdialing, see Allow users to make calls.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rule groups. By default, there are no international dialing rule groups configured on UM auto
attendants.
International dialing rule groups are used to allow or restrict the telephone numbers outside a country or
region that any user who has dialed in to the UM auto attendant can dial. This helps prevent unnecessary or
unauthorized telephone calls and charges.
To add international dialing rule groups, you must first create the appropriate international dialing rule
groups on the dial plan associated with the UM auto attendant. After you create the required dialing rule
groups on the dial plan, you must then add the dialing rule groups to the list of authorized dialing rule
groups on the UM auto attendant.
International dialing rule groups can be used by Unified Messaging to allow or restrict access to telephone
numbers outside a country or region. This is applied to any user who has called in to an auto attendant. For
more information about outdialing, see Allow users to make calls.
10. Click OK to create the new menu navigation.
11. On the UM Auto Attendant page, click Save to save your changes.

Use Exchange Online PowerShell to configure UM auto attendant properties
This example configures a UM auto attendant named MySpeechEnabledAA to fall back to the MyDTMFAA auto
attendant, sets the operator's extension to 50100, and enables transfers to this extension number after business
hours.

Set-UMAutoAttendant -Identity MySpeechEnabledAA -DTMFFallbackAutoAttendant MyDTMFAA -OperatorExtension 50100 -AfterHoursTransferToOperatorEnabled $true

This example configures a UM auto attendant named MyUMAutoAttendant that has: Business hours configured as
10:45 to 13:15 (10:45 A.M. to 1:15 P.M.) on Sunday, 09:00 to 17:00 (9:00 A.M. to 5:00 P.M.) on Monday, and 09:00
to 16:30 (9:00 A.M. to 4:30 P.M.) on Saturday; holiday times and their associated greetings configured as "New
Year" on January 2, 2013; and "Building Closed for Construction" configured from April 24 through April 28,
2013.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -BusinessHoursSchedule 0.10:45-0.13:15,1.09:00-1.17:00,6.09:00-6.16:30 -HolidaySchedule "New Year,newyrgrt.wav,1/2/2013","Building Closed for Construction,construction.wav,4/24/2013,4/28/2013"

Use Exchange Online PowerShell to view UM auto attendant properties
This example returns a formatted list of all UM auto attendants.

Get-UMAutoAttendant | Format-List

This example displays the properties of a UM auto attendant named MyUMAutoAttendant.

Get-UMAutoAttendant -Identity MyUMAutoAttendant
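
The caller-facing settings this guide covers (dialing authorization, contact scope, directory lookups, DTMF fallback) can be reviewed together from the properties that Get-UMAutoAttendant returns. The following is an added example, not part of the original documentation; the function name Test-UMAutoAttendantExposure, the review rules, and the sample objects are assumptions made for illustration.

```powershell
# Added example (not from the original documentation). The function name and
# the review rules are assumptions; the property names are the same as the
# Set-UMAutoAttendant parameters of the same name.
function Test-UMAutoAttendantExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$AutoAttendant
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Drop $null/empty entries so an unset collection counts as zero.
        $inCountry     = @($AutoAttendant.AllowedInCountryOrRegionGroups | Where-Object { $_ })
        $international = @($AutoAttendant.AllowedInternationalGroups | Where-Object { $_ })

        # Without a fallback, callers whose speech isn't recognized cannot
        # continue with the key pad.
        if ($AutoAttendant.SpeechEnabled -and -not $AutoAttendant.DTMFFallbackAutoAttendant) {
            $findings.Add('Speech-enabled with no DTMF fallback auto attendant configured.')
        }

        # "Allow calls to any extension" widens reach beyond UM-enabled users.
        if ($AutoAttendant.AllowExtensions) {
            $findings.Add('Allow calls to any extension is on: callers can reach extensions that are not UM-enabled users.')
        }

        # Any authorized dialing rule group lets anonymous callers outdial.
        if ($inCountry.Count -gt 0) {
            $findings.Add("In-country/region outdialing authorized: $($inCountry -join ', ')")
        }
        if ($international.Count -gt 0) {
            $findings.Add("International outdialing authorized: $($international -join ', ')")
        }

        # Name lookup plus organization-wide scope exposes the whole address book.
        if ($AutoAttendant.NameLookupEnabled -and "$($AutoAttendant.ContactScope)" -eq 'GlobalAddressList') {
            $findings.Add('Directory lookup covers the entire organization address book.')
        }

        [pscustomobject]@{
            Name     = $AutoAttendant.Name
            Review   = $findings.Count -gt 0
            Findings = $findings.ToArray()
        }
    }
}

# Constructed sample objects standing in for Get-UMAutoAttendant output, so the
# function can be tried offline. The rule group name is a placeholder.
$sample = @(
    [pscustomobject]@{
        Name                           = 'MySpeechEnabledAA'
        SpeechEnabled                  = $true
        DTMFFallbackAutoAttendant      = $null
        AllowExtensions                = $true
        AllowedInCountryOrRegionGroups = @()
        AllowedInternationalGroups     = @('ExampleInternationalGroup')
        ContactScope                   = 'GlobalAddressList'
        NameLookupEnabled              = $true
    }
    [pscustomobject]@{
        Name                           = 'MyDTMFAA'
        SpeechEnabled                  = $false
        DTMFFallbackAutoAttendant      = $null
        AllowExtensions                = $false
        AllowedInCountryOrRegionGroups = @()
        AllowedInternationalGroups     = @()
        ContactScope                   = 'DialPlan'
        NameLookupEnabled              = $true
    }
)

$sample | Test-UMAutoAttendantExposure | Format-List

# In a connected Exchange Online PowerShell session, pipe the live objects instead:
# Get-UMAutoAttendant | Test-UMAutoAttendantExposure | Where-Object Review
```

Auto attendants reported with Review set to True are the ones whose dialing authorization or directory settings are worth comparing against what the organization intends callers to reach.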


Configure a DTMF fallback auto attendant
2/28/2019 • 2 minutes to read

You can configure a speech-enabled Unified Messaging (UM) auto attendant that has a dual tone multi-frequency
(DTMF) fallback auto attendant. A DTMF fallback auto attendant is used when the UM speech-enabled auto
attendant can't understand or recognize the speech inputs provided by a caller. If a DTMF fallback auto attendant
has been configured, the caller has to use DTMF inputs, also known as touchtone inputs, to navigate the auto
attendant menu system, spell a user's name, or use a custom menu prompt. If no DTMF fallback auto attendant has
been configured, and the maximum number of speech inputs is exceeded because the system didn't understand
what the caller said, the system will respond with this prompt: "Sorry, I couldn't help. Please call back later."
By default, an auto attendant isn't speech-enabled when you create it. After you speech-enable the auto attendant,
callers can use only voice commands to navigate the auto attendant menu system, and touchtone inputs can't be
used. Although it isn't required, we recommend that you configure a DTMF fallback auto attendant for each
speech-enabled auto attendant so callers can use touchtone inputs if the speech-enabled auto attendant doesn't
recognize or understand the words they say. We also recommend that you don't speech-enable a DTMF fallback
auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a speech-enabled auto attendant with a DTMF fallback auto attendant
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change and click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create a DTMF fallback auto attendant. On the toolbar, click Edit.
3. On the UM Auto Attendant page > General, select the check box next to Use this auto attendant when
voice commands don't work correctly, and then click Browse.
4. On the Select a UM Auto Attendant page, select the auto attendant you want to use as a DTMF fallback
auto attendant, and then click Save.

IMPORTANT
You must first speech-enable the auto attendant before you can browse for a DTMF fallback auto attendant you have set up.

Use Exchange Online PowerShell to configure a speech-enabled auto attendant with a DTMF fallback auto attendant
This example configures a UM auto attendant named MySpeechEnabledAA to use a DTMF fallback auto attendant
named MyDTMFAA.

Set-UMAutoAttendant -Identity MySpeechEnabledAA -DTMFFallbackAutoAttendant MyDTMFAA


Enable a UM auto attendant
2/28/2019 • 2 minutes to read

By default, when a Unified Messaging (UM) auto attendant is created, its status is set to disabled. After you create
the UM auto attendant, you can change its status to enable it to answer incoming calls.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change and click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
enable. On the toolbar, click the Up arrow.
3. On the Warning page, click Yes.

Use Exchange Online PowerShell to enable a UM auto attendant


This example enables the UM auto attendant named MyUMAutoAttendant to answer incoming calls.

Enable-UMAutoAttendant -Identity MyUMAutoAttendant


Disable a UM auto attendant
2/28/2019 • 2 minutes to read

By default, when a Unified Messaging (UM) auto attendant is created, its status is set to disabled. After you create
the UM auto attendant, you can change its status to control whether it can answer incoming calls. For example, you
might want to disable the UM auto attendant when you're recording or re-recording customized prompts and
messages.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant. Also confirm that the status of the UM auto attendant is set to
enabled.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the dial plan you want
to change, and on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
disable. On the toolbar, click the Down arrow.
3. On the Warning page, click Yes.

Use Exchange Online PowerShell to disable a UM auto attendant


This example disables a UM auto attendant named MyUMAutoAttendant.

Disable-UMAutoAttendant -Identity MyUMAutoAttendant


Delete a UM auto attendant
2/28/2019 • 2 minutes to read

After you delete a Unified Messaging (UM) auto attendant, the incoming calls that were answered by the UM auto
attendant must be answered by a human operator. A UM auto attendant can't be deleted if it's associated with a
UM dial plan as the default UM auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to delete a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to edit, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to delete.
On the toolbar, click Delete. On the Warning page, click Yes.

Use Exchange Online PowerShell to delete a UM auto attendant


This example deletes a UM auto attendant named MyUMAutoAttendant.

Remove-UMAutoAttendant -Identity MyUMAutoAttendant


Enable or disable automatic speech recognition
2/28/2019 • 2 minutes to read

You can enable your Unified Messaging (UM) auto attendant for Automatic Speech Recognition (ASR). After you
speech-enable a UM auto attendant, callers can respond verbally to auto attendant prompts and move through the
menu system of the auto attendant. By default, an auto attendant isn't speech-enabled when you create it. After
you speech-enable the auto attendant, callers can use only voice commands to navigate the auto attendant menu
system, and touchtone inputs can't be used.
Although it isn't required, we recommend that you configure a dual tone multi-frequency (DTMF) fallback auto
attendant for each speech-enabled auto attendant so callers can use touchtone inputs if the speech-enabled auto
attendant doesn't recognize or understand the words they say. If a DTMF fallback auto attendant is configured,
callers can use DTMF inputs, also known as touchtone inputs, to navigate the auto attendant menu system, spell a
user's name, or use a custom menu prompt. We don't recommend that you speech-enable a DTMF fallback auto
attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to speech-enable a UM auto attendant


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
speech enable, and then click Edit.
3. On the UM Auto Attendant page > General, select the check box next to Set the auto attendant to
respond to voice commands to enable speech recognition. To disable automatic speech recognition, clear
this check box.
4. Click Save.

Use Exchange Online PowerShell to speech-enable a UM auto attendant
This example enables ASR on a UM auto attendant named MySpeechEnabledAA.

Set-UMAutoAttendant -Identity MySpeechEnabledAA -SpeechEnabled $true


Enable or prevent transferring calls from an auto attendant
2/28/2019 • 2 minutes to read

You can enable callers to transfer calls to users through an auto attendant, or prevent them from doing so. By
default this option is enabled, and lets callers transfer calls to UM-enabled users in the Unified Messaging (UM)
dial plan that's associated with the UM auto attendant.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or prevent call transfers to users from a UM auto attendant
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to configure call transfer, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for contacting
users, select the check box next to Allow callers to dial users to enable calls to be transferred. To prevent
call transfers, clear the check box.
4. Click Save.

NOTE
If you clear this check box and also clear the Allow callers to leave voice messages for users check box, the Options for
searching the address book are disabled.

Use Exchange Online PowerShell to enable or prevent call transfers to users from a UM auto attendant
This example prevents call transfers on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AllowDialPlanSubscribers $false

This example enables call transfers on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AllowDialPlanSubscribers $true


Enable or disable sending voice messages to users
2/28/2019 • 2 minutes to read

You can enable callers to send voice messages to users from a Unified Messaging (UM) auto attendant, or prevent
them from doing so. By default, this option is enabled and lets callers send voice messages to users in the UM dial
plan that's associated with the UM auto attendant. If you disable this option, the auto attendant won't invite callers
to send a voice message during a system prompt.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable callers to send voice messages or prevent them from doing so
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
manage, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for contacting
users, select the check box next to Allow callers to leave voice messages for users to enable callers to
leave voice messages. To prevent callers from leaving voice messages, clear the check box.
4. Click Save.

NOTE
If you disable this option and also disable the Allow callers to dial users option, the Options for searching the address
book are also disabled.

Use Exchange Online PowerShell to enable callers to send voice messages or prevent them from doing so
This example prevents callers who call in to a UM auto attendant named MyUMAutoAttendant from sending voice
messages.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -SendVoiceMsgEnabled $false

This example enables callers who call in to a UM auto attendant named MyUMAutoAttendant to send voice
messages.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -SendVoiceMsgEnabled $true


Enable or disable directory lookups
2/28/2019 • 2 minutes to read

You can enable directory lookups so that callers who call in to a Unified Messaging (UM) auto attendant can look
up names in the directory using their telephone keypad but not be able to search the directory using voice inputs.
This setting is enabled by default. If this setting is disabled, callers won't be able to search the directory for a
specific person using touchtone or voice commands.
For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

NOTE
Outlook Voice Access users can't use Automatic Speech Recognition (ASR) or speech inputs to locate users in the directory;
they can only use DTMF or touchtone inputs.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable directory lookups


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to enable or disable directory lookups, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for searching
the address book, select the check box next to Allow callers to search for users by name or alias to
enable callers to search for users. To disable callers from searching for users, clear this check box.
4. Click Save.

Use Exchange Online PowerShell to enable or disable directory lookups


This example disables directory lookups on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -NameLookupEnabled $false


Configure the group of users that can be contacted
2/28/2019 • 2 minutes to read

You can specify the group of users that callers can contact when calling into a Unified Messaging (UM) auto
attendant. By default, callers can contact users within the same dial plan that's associated with the UM auto
attendant. However, you can change the grouping of users to allow callers to transfer calls or send voice messages
to users who are located in the organization's address book or to a specific set of users.
For additional management tasks related to UM auto attendants, see Manage a UM auto attendant.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the group of users that callers can contact
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
configure, and then click Edit.
3. On the UM Auto Attendant page > Address book and operator access, under Options for searching
the address book, choose from the following options:
In this dial plan only: Select this option to allow callers who connect to the UM auto attendant to locate
and contact users who are in the dial plan associated with the UM auto attendant.
In the entire organization: Select this option to allow callers who connect to the UM auto attendant to
locate and contact anyone listed in the organization's address book. This includes all users who are
mailbox-enabled.
4. Click Save.

Use Exchange Online PowerShell to configure the group of users that callers can contact
This example sets the scope of the users that callers can contact to all users in the organization's address book on a
UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -ContactScope GlobalAddressList


Configure an auto attendant for users who have similar names
2/28/2019 • 2 minutes to read

You can configure the method to use for users with similar names on an auto attendant's Address book and
operator access options, or you can leave the default setting on the auto attendant and configure this setting on
the dial plan associated with the auto attendant. By default, an auto attendant can disambiguate between two or
more users who have the same or similar names because the default setting on the auto attendant is Inherit from
dial plan.

NOTE
For the information that will be included for users with similar names to work correctly, you must provide the title,
department, and location information for the recipients in your Microsoft Exchange organization.

For additional management tasks related to UM auto attendants, see UM auto attendant procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure a UM auto attendant for users with similar names
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant you want to
configure, and then click Edit.
3. On the UM Auto Attendant page, click Address book and operator access, and under Information to
include for users with the same name, select one of the following:
Title: The auto attendant will include each user's title when it lists matches.
Department: The auto attendant will include each user's department when it lists matches.
Location: The auto attendant will include each user's location when it lists matches.
None: The auto attendant won't include any additional information when it lists matches.
Prompt For alias: The auto attendant will prompt the caller for the user's alias.
Inherit from dial plan: The auto attendant will use the default setting from the dial plan associated with
the auto attendant.
4. Click Save.

Use Exchange Online PowerShell to configure a UM auto attendant for users with similar names
This example sets the information to be included with users with similar names to Prompt for Alias for a UM auto
attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -MatchedNameSelectionMethod PromptForAlias

This example sets the information to be included with users with similar names to the title of the users, enables
name lookups, and enables callers that dial into the auto attendant to press * to be presented with the Outlook
Voice Access welcome greeting for a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -MatchedNameSelectionMethod Title -NameLookupEnabled $true -StarOutToDialPlanEnabled $true

Set up voice mail for users
2/28/2019 • 2 minutes to read

After you've connected your telephony network or integrated Microsoft Lync Server with Exchange Unified
Messaging (UM) and created and configured the required UM components, you'll need to set up voice mail for
your users.
When you're enabling users for voice mail, you'll need to link the user to a UM mailbox policy. UM mailbox policies
are used to apply common settings to a group of UM-enabled users. These settings include PIN policies, outbound
calling restrictions, text to send with messages, and other related settings. You can either use a default UM mailbox
policy or create and customize a UM mailbox policy based on the needs of your organization.

Setting up voice mail for users


Before you enable users for UM, you must consider the type of dial plan to use, the extension numbers that will be
used, and determine what PIN policies, Outlook Voice Access, and other features you'll allow users to have access
to. For details, see Voice mail for users.
UM mailbox policies
2/28/2019 • 2 minutes to read

Unified Messaging (UM) mailbox policies are required when you enable users for Unified Messaging. You create
UM mailbox policies to apply a common set of policies or security settings to a collection of voice mail users'
mailboxes. UM mailbox policies are used to specify UM settings like the following:
PIN policies
Dialing restrictions
Other general UM mailbox policy properties
For example, you can create a UM mailbox policy to increase the level of PIN security by reducing the maximum
number of sign-in failures for a specific group of UM-enabled users, such as executives.

UM mailbox policies
At least one UM mailbox policy must have been created before you can enable users for Unified Messaging. You
can create additional UM mailbox policies to apply a common set of settings for groups of users.
You create UM mailbox policies by using Exchange Online PowerShell or the Exchange admin center (EAC). By
default, a single UM mailbox policy is created every time you create a UM dial plan. The new UM mailbox policy is
automatically associated with the UM dial plan, and part of the dial plan name is included in the display name of
the UM mailbox policy. You can edit this default UM mailbox policy.
Multiple UM-enabled users can be linked to a single UM mailbox policy. However, the mailbox for each
UM-enabled user must be linked to a single UM mailbox policy. This lets you control PIN security settings such as the
minimum number of digits in a PIN or the maximum number of sign-in attempts for the UM-enabled users who
are associated with the UM mailbox policy. You can also control message text settings or dialing restrictions for the
same UM-enabled mailboxes.
UM mailbox policy procedures
2/28/2019 • 2 minutes to read

Create a UM mailbox policy


Manage a UM mailbox policy
Delete a UM mailbox policy
Create a UM mailbox policy
2/28/2019 • 2 minutes to read

You can create a Unified Messaging (UM) mailbox policy to apply a common set of UM policy settings,
such as PIN policy settings or dialing restrictions, to a collection of UM-enabled mailboxes. UM mailbox
policies link a UM-enabled user with a UM dial plan and apply a common set of policies or security
settings to a collection of UM-enabled mailboxes. UM mailbox policies are useful for applying and
standardizing UM configuration settings for UM-enabled users.
By default, when a UM dial plan is created, a UM mailbox policy is also created. You may have to create
additional UM mailbox policies or modify existing UM mailbox policies after you deploy Unified
Messaging in your organization.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see
what permissions you need, see the "UM mailbox policies" entry in the Unified Messaging
Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed
steps, see Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see
Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Use the EAC to create a UM mailbox policy


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial
plan you want to modify, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, click New.
3. On the New UM mailbox policy page, in the Name box, enter the name of the new UM mailbox
policy.
Use this box to specify a unique name for the UM mailbox policy. This is a display name that
appears in the EAC. If you need to change the display name of the UM mailbox policy after it's
been created, you must first delete the existing UM mailbox policy, and then create another UM
mailbox policy that has the appropriate name. You can't delete a UM mailbox policy if any
UM-enabled users are associated with it.
The UM mailbox policy name is required, but it's used for display purposes only. Because your
organization may use multiple UM mailbox policies, we recommend that you use meaningful
names for your UM mailbox policies. The maximum length of a UM mailbox policy name is 64
characters, and it can include spaces. However, it cannot include any of the following characters: " /
\ [ ] : ; | = , + * ? < >.
4. Click Save to save the new UM mailbox policy. When you save the UM mailbox policy, all of the
default settings including PIN policies, voice mail features, and Protected Voice Mail settings are
enabled. If you want to customize or change any default settings, use the Set-UMMailbox cmdlet
to change the settings for the UM mailbox policy you just created.

Use Exchange Online PowerShell to create a UM mailbox policy


This example creates a UM mailbox policy named MyUMMailboxPolicy associated with a UM dial plan
named MyUMDialPlan.

New-UMMailboxPolicy -Name MyUMMailboxPolicy -UMDialPlan MyUMDialPlan


Manage a UM mailbox policy
2/28/2019 • 22 minutes to read

After you create a Unified Messaging (UM) mailbox policy, you can view and configure a variety of settings. For
example, you can configure UM features like Voice Mail Preview or Play on Phone and other security-related
options such as Protected Voice Mail and PIN policy settings.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to manage a UM mailbox policy


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM dial plan page, under UM Mailbox Policies, on the toolbar, click Edit.
Use General to view and configure settings for a UM mailbox policy. For example, you can view the dial
plans associated with the UM mailbox policy or disable missed call notifications for users who are
associated with a specific UM mailbox policy. When you modify the settings on a UM mailbox policy, the
settings are applied to all users who are associated with the UM mailbox policy. You can view or configure
the following:
UM dial plan: Displays the name of the dial plan associated with the UM mailbox policy. This is the name
of the dial plan displayed in Exchange Online PowerShell.
When a new UM mailbox policy is created, it must be associated with a dial plan. After the UM mailbox
policy is created and associated with a dial plan, the settings defined on the mailbox policy are applied to
the users who are associated with the dial plan. By default, when you create a UM dial plan using Exchange
Online PowerShell, it will also create a UM mailbox policy.
Name: Type the name of the dial plan. A UM dial plan name is required and must be unique. However, it's
used only for display in the EAC and Exchange Online PowerShell. If you have to change the display name
of the dial plan after it's been created, you must first delete the existing UM dial plan and then create
another dial plan that has the appropriate name. If your organization uses multiple UM dial plans, we
recommend that you use meaningful names for your UM dial plans. The maximum length of a UM dial
plan name is 64 characters, and it can include spaces. (If you're integrating with Microsoft Office
Communications Server 2007 R2 or Microsoft Lync Server it's not recommended that you use spaces.)
However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.
Limit on personal greetings (minutes): Use this text box to enter the maximum number of minutes that
users who are associated with the UM mailbox policy can use when they record their voice mail greeting.
You can modify this setting after the UM mailbox policy is created. Only numeric characters are allowed.
The valid range for the greeting is from 1 through 10 minutes. The default setting is 5 minutes.
Allow voice mail preview: Select or clear this check box to enable or disable the Voice Mail Preview
feature for users associated with the UM mailbox policy. Enabling this setting allows users to receive the
text of a voice mail message in the message body of an email or text message. The default setting is
enabled.
Allow users to configure call answering rules: Select this check box to allow users who are associated
with the UM mailbox policy to create call answering rules. If this option is disabled on the UM dial plan, this
feature won't be available to UM-enabled users associated with the UM mailbox policy. The default setting
is enabled.
Allow message waiting indicator: Select or clear this check box to enable or disable Message Waiting
Indicator for users associated with the UM mailbox policy. Message Waiting Indicator is a feature found in
most legacy voice mail systems. In its most common form, it lights a lamp on the voice mail user's phone to
indicate the presence of a new voice message. Message Waiting Indicator can also send a text message to
the UM-enabled user's mobile phone. The default setting is enabled.
Allow Outlook Voice Access: Select or clear this check box to enable or disable access to Outlook Voice
Access for UM-enabled users who are associated with this UM mailbox policy. Outlook Voice Access is a
feature used by UM-enabled users to access their mailbox over a phone. By default, this setting is enabled.
Allow missed call notifications: Select or clear this check box to enable or disable missed call
notifications for users associated with the UM mailbox policy. A missed call notification is an email
message sent to a user's mailbox when the user doesn't answer an incoming call. This is a different email
message than the email message that contains the voice message left for a user.

NOTE
When you're integrating Unified Messaging and Lync Server on-premises, missed call notifications aren't available to
users who have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server. A missed call notification
is generated when a user disconnects before the call is sent to Unified Messaging.

Typically, when a user misses an incoming call, the user receives two email messages: a message that
contains the voice message and a missed call notification message. By default, missed call notifications are
enabled when a UM mailbox policy is created.
Allow Play on Phone for voice mail: Select or clear this check box to enable or disable the Play on
Phone feature for users associated with the UM mailbox policy. This option is enabled by default and
allows users to play their voice messages over any phone, including an office or mobile phone.
Allow inbound faxes: Select or clear this check box to enable or disable inbound faxes for users
associated with the UM mailbox policy. By default, when you enable users for UM, their mailbox is able to
receive faxes. However, if this option is disabled on the UM dial plan, UM-enabled users associated with
the UM mailbox policy won't be able to receive faxes. The default setting on the UM mailbox policy is
disabled.
After you have enabled the Allow inbound faxes setting, you will need to specify the URI for the partner
fax server. If the UM mailbox policy is linked to a dial plan that can use TCP and TLS, you will need to enter
URIs for both TCP and TLS.
Help Microsoft improve voice mail preview: These options allow Microsoft to improve the quality of
Voice Mail Preview. You can enable the following settings:
Allow analysis of voice messages left by callers: Use this option to help improve the quality of Voice
Mail Preview in future releases of Microsoft Exchange by forwarding copies of voice messages to
Microsoft for analysis. You can't set this option if all voice messages are protected.
Tell callers that voice messages may be analyzed: Use this option to tell callers that the messages they
leave may be analyzed by Microsoft to improve the quality of Voice Mail Preview, and allow them to opt
out.
Use Message Text to configure message text settings for users who are associated with a UM mailbox
policy. For example, you can specify the email message text sent to users after they reset their UM PIN. You
can configure the following:
When a user is enabled for Unified Messaging: The text entered in this text box appears in the email
message sent to users when they are enabled for UM. When a recipient's mailbox is enabled for UM and
they are enabled for voice mail, an email message that welcomes the user to Unified Messaging is sent to
the user. This text box is limited to 512 characters and can contain simple HTML formatting. By default, no
text is defined in this text box.
This welcome message contains welcome text and the PIN information that the user will use to access the
UM or voice mail system. The text entered in this text box is included at the bottom of this welcome
message. You can use this text box to include information such as the voice mail technical support
telephone numbers or Outlook Voice Access numbers.
If text isn't entered in this text box, the default text generated by the UM or voice mail system is included in
the email message.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
Example 1: If you have any questions or suggestions about voice mail service, please call the help desk at
extension 4200.
Example 2: If you have any questions or suggestions about <b>voice mail service</b>, please call the
help desk at extension 4200 or visit our website at <a href="http://emp.contoso.com/itinfo/vmail"></a>.
When a user's Outlook Voice Access PIN is reset: The text entered in this text box is included in the
email message sent to UM-enabled users when their UM PIN is reset.
A PIN is reset by the UM or voice mail system if the number of failed sign-in attempts exceeds 10 (by
default) or if users reset their PIN using the UM features included with Microsoft Outlook, Outlook Web
App, or Outlook Voice Access from a telephone. You can use this text box to include information such as
security notices or other security-related information in the email message.
If text isn't entered in this text box, the default text generated by the UM system is included in the email
message.
This text box is limited to 512 characters. By default, no text is defined in this text box.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
When a user receives a voice message: The text entered in this text box is included in the email message
sent to users when they receive a voice message from an incoming caller. For example, this text can include
disclaimers that contain information about forwarding voice messages or system security policies that
describe the correct way to handle voice messages in your organization.
If text isn't entered in this text box, the default text generated by the system is included in the email
message. This text box is limited to 512 characters. By default, no text is defined in this text box.
The text that you provide in this text box can be plain. It can also contain simple HTML formatting tags if
you want to emphasize text or add hyperlinks to other content.
When a user receives a fax message: The text entered in this text box is included in the email message
sent to users when they receive an incoming fax message in their Inbox. You can use this text box to include
disclaimers that contain information about forwarding fax messages or other system security policies
about the correct way to handle fax messages in your organization.
If text isn't entered in this text box, the default text generated by the system is included in the email
message. This text box is limited to 512 characters. By default, no text is defined in this text box.
Use PIN Policies to configure PIN settings for users who are associated with a UM mailbox policy. UM
PINs enable users to access their Inboxes by using a telephone. By configuring settings on this page, you
can specify the minimum number of digits for a UM PIN or the number of failed sign-in attempts before
users are locked out of their UM mailbox.
Make sure that you plan carefully for the UM PIN policies that you implement in your environment. If you
don't plan and implement the appropriate UM PIN policies, you may introduce security threats and
mistakenly allow unauthorized access to your network. You can configure the following:
Minimum PIN length (digits): Use this text box to specify the minimum number of digits that a UM
user's PIN can contain. The default setting is six digits. The range is from 4 through 24 numeric digits. This
setting can't be disabled.
Increasing the number of digits required for a PIN increases the level of security for your UM system.
Decreasing the number of digits required for a PIN reduces the level of security for your network. The
fewer the digits that are required in a PIN, the easier it is for a potential attacker to guess a user's PIN.
If this setting is set too high, users might have problems remembering their PINs. However, if the setting is
too low, you risk unauthorized access to the UM system.
PIN recycle count: Use this setting to set the number of unique PINs that users must use before they can
reuse an old PIN. For most organizations, this value should be set to the default of 5, the number of PINs
that the system will remember. PIN history can't be disabled.
You can set this value from 1 through 20. Setting this value too high can frustrate users because it can be
difficult to memorize many PINs. Setting it too low may introduce a security threat to your network.
Allow common PIN patterns: Use this setting to set PIN complexity requirements for UM. These
complexity requirements are enforced on PIN changes or when new PINs are created.
If this option is disabled, sequential and repeated numbers and the suffix of the mailbox extension will be
rejected. If this option is enabled, only the suffix of the mailbox extension will be rejected.
As a security best practice, we recommend that you disable this setting. If this setting is disabled, user PINs
can't contain the following:
Sequential numbers, such as 123456 or 456789.
Repeated numbers, such as 111111 or 8888888.
Suffix of the mailbox extension.
Enforce PIN lifetime (days): Use this text box to configure the number of days until the UM-enabled
user's PIN expires. After the PIN expires, the user must create a new UM PIN. For most organizations, this
value should be set to the default of 60 days.
The value of this setting can be from 0 through 999. If it's set to 0, PINs never expire. Setting this value too
low can frustrate users because they are required to create and memorize new PINs too frequently.
Number of sign-in failures before PIN reset: Use this text box to enter the number of sequential
unsuccessful or failed sign-in attempts that can occur before the UM system automatically resets a user's
PIN. For most organizations, this value should be set to the default of 5 attempts.
The value of this setting can be from 0 through 999. If it's set to 0, this setting is disabled and the system
won't automatically reset users' PINs. Setting this value too low can frustrate users; setting it too high gives
malicious users more attempts to determine the PIN.
This setting must be set to a number lower than the number configured in the Number of sign-in
failures before lockout setting. This setting is designed to help prevent a brute force attack on user PINs.
Number of sign-in failures before lockout: Use this text box to enter the maximum number of
sequential unsuccessful or failed sign-in attempts before users are locked out of their mailboxes.
For example, if a user tries to sign in to the mailbox unsuccessfully five times, based on the Number of
sign-in failures before PIN reset setting, the system will reset the user's PIN. If the user tries to use the
new PIN five more times unsuccessfully, the system will again reset the PIN. If the user tries to use this
new PIN five more times unsuccessfully, the user is then locked out of the mailbox. After a user is locked
out, an administrator must manually reset or unlock the mailbox for the user.
This value can be set from 1 through 999. Setting this value too low can frustrate users; setting it too high
gives malicious users more attempts to determine the PIN. For most organizations, this value should be set
to the default of 15 attempts.
This number must be greater than the number set in the Number of sign-in failures before PIN reset
setting. This setting is designed to help prevent a brute force attack on user PINs.
Use Dialing authorization to configure dialing rules for UM-enabled users who are associated with this
UM mailbox policy.
You can use these settings to control the extension numbers that can be reached or the telephone numbers
that can be dialed by UM-enabled users who are associated with the UM mailbox policy. You can configure
the following:
Calls in the same UM dial plan: Select this check box to allow UM-enabled users who call in to a
subscriber access number configured on a dial plan and successfully sign in to their mailbox to place calls
or transfer to UM-enabled users who have extension numbers within the same dial plan. By default, this
setting is enabled.
When you disable this setting, UM-enabled users who call in to a subscriber access number configured on
a dial plan and successfully sign in to their mailbox can place calls or transfer calls to users who aren't
UM-enabled or to other extension numbers not associated with a UM-enabled user. However, they can't
transfer to UM-enabled users who are within the same dial plan. This is because the Calls to any
extension setting is enabled by default.
Calls to any extension: When this setting is enabled, users who call in to a subscriber access number
configured on a dial plan and successfully sign in to their mailbox can place calls to users who aren't
UM-enabled, to other extension numbers not associated with a UM-enabled user, and to UM-enabled users
within the same dial plan. This is because the Calls in the same UM dial plan setting is enabled by
default.
When this setting is disabled, users who call in to an Outlook Voice Access number configured on a dial
plan and successfully sign in to their mailbox can't place calls to users who aren't UM-enabled or to other
extension numbers not associated with a UM-enabled user. However, they can place calls or transfer calls
to extension numbers associated with UM-enabled users. This is because the Calls in the same UM dial
plan setting is enabled by default. The Calls to any extension setting is enabled by default.
You can enable this setting in an environment where not all users have been UM-enabled. This setting is
also useful when you want to allow users who call in to an Outlook Voice Access number configured on a
dial plan to call extension numbers not associated with a UM-enabled user.
Authorized in-country/region dialing rule groups: Use this section to add or remove allowed in-
country/region dialing rule groups. By default, there are no in-country/region dialing rule groups
configured on UM mailbox policies.
In-country/region dialing rule groups are used to allow or restrict the telephone numbers within a country
or region that Outlook Voice Access users can dial. This helps prevent unnecessary or unauthorized
telephone calls and charges.
To add in-country/region dialing rule groups, you must first create the appropriate in-country/region
dialing rule groups on the dial plan associated with the UM mailbox policy, and then add the appropriate
dialing rule entries on the dialing rule group. After you create the required dialing rule groups on the dial
plan, you must then add the dialing rule groups to the list of dialing restrictions under Dialing
authorization on the UM mailbox policy.
In-country/region dialing rule groups can be used to enable Unified Messaging to allow or restrict access
to telephone numbers within a country or region. This is applied to Outlook Voice Access users who have
called in to an Outlook Voice Access number.
Authorized international dialing rule groups: Use this section to add or remove allowed international
dialing rule groups. By default, there are no international dialing rule groups configured on UM mailbox
policies.
To add international dialing rule groups, you must first create the appropriate international dialing rule
groups on the dial plan associated with the UM mailbox policy, and then add the appropriate dialing rule
entries on the dialing rule group. After you create the required dialing rule groups, you must add the
dialing rule groups to the dialing restrictions on the UM mailbox policy.
International dialing rule groups can be used to enable Unified Messaging to allow or restrict access to
telephone numbers outside a country or region. This is applied to Outlook Voice Access users who have
called in to an Outlook Voice Access number.
International dialing rule groups are used to allow or restrict the telephone numbers outside a country or
region that Outlook Voice Access users can dial. This helps prevent unnecessary or unauthorized telephone
calls and charges.
Use Protected Voice Mail to configure the following settings:
Protect voice messages from unauthenticated callers: Select one of the following options from the
drop-down list to determine whether an incoming call answered by Unified Messaging will protect voice
messages. This setting applies to voice messages sent to UM-enabled users when they don't answer their
phone. This setting also applies to voice messages sent directly to UM-enabled users when the caller uses a
UM auto attendant. You can configure the following:
None: Use this setting to not have protection applied to any voice messages sent to UM-enabled users.
Private: Use this setting when you want to apply protection only to voice messages that have been marked
as private by the caller.
All: Use this setting when you want to apply protection to all voice messages, including those not marked
as private.
Protect voice messages from authenticated callers: Select one of the following options from the
drop-down list to determine whether an incoming call answered by Unified Messaging will protect voice
messages. This setting applies to voice messages sent to UM-enabled users when they don't answer their
phone. This setting also applies when callers sign in to their mailbox using Outlook Voice Access, and then
create and send a voice message. You can configure the following:
None: Use this setting to not have protection applied to any voice messages sent to UM-enabled users.
Private: Use this setting when you want to apply protection only to voice messages that have been marked
as private by the caller.
All: Use this setting when you want to apply protection to all voice messages, including those not marked
as private.
Require Play on Phone for protected voice messages: Select this check box if you want to force users
who receive protected voice messages to use the Play on Phone feature. Or, if the client software doesn't
support rights management, users must use Outlook Voice Access. The Play on Phone feature only applies
to clients using a version of Outlook that supports rights management. For Outlook 2007 and earlier
versions that don't support rights management, and for Outlook Web App clients, Outlook Voice Access is
the only way that users can listen to protected voice mail.
The default setting requires all users associated with the UM mailbox policy to use the Play on Phone
feature to listen to voice messages that are protected. By doing this, it prevents other people from hearing
the voice message from a media player over computer speakers or from a media player on a mobile phone.
Even if this is enabled, a UM-enabled user can still use Outlook Voice Access to hear the protected voice
mail.
This is especially useful when UM-enabled users use public computers, laptops in public places, or their
mobile phone's media player to listen to protected voice mail that can contain private information.
Allow voice responses to email and calendar items: Use this option to allow UM-enabled users to
send voice responses to protected voice mail messages. The default is enabled. If you disable this, if a
UM-enabled user receives a protected voice mail message, they will not be able to use Outlook Voice Access to
reply to email and calendar items.
Message to send to users who don't have Windows Rights Management support: Protected voice
mail can only be accessed by email clients that support Information Rights Management (IRM), or if a
UM-enabled user uses Outlook Voice Access to access the protected voice mail message.
If a protected voice mail message is sent to an email client that doesn't support IRM, the text that you
include in this box will be sent to the user in an email message. This information should include instructions
about what to do to be able to receive the protected voice mail message.

Use Exchange Online PowerShell to manage a UM mailbox policy


This example sets the PIN settings for users who are associated with a UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 8 -MaxLogonAttempts 12 -MinPINLength 8 -PINHistoryCount 10 -PINLifetime 60 -ResetPINText "The PIN that is used to allow you access to your mailbox using Outlook Voice Access has been reset."

This example selects the in-country or region groups and international groups from those configured on the UM
dial plan associated with the UM mailbox policy. UM-enabled users associated with this UM mailbox policy will be
able to place outbound calls according to the rules defined on these groups.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowDialPlanSubscribers $true -AllowedInCountryOrRegionGroups InCountry/RegionGroup1,InCountry/RegionGroup2 -AllowedInternationalGroups InternationalGroup1,InternationalGroup2 -AllowExtensions $true

This example configures the text of voice messages sent to UM-enabled users and the text included in an email
message sent to a user who has been UM-enabled.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -UMEnabledText "You have been enabled for Unified Messaging." -VoiceMailText "You have received a voice message from Microsoft Exchange Unified Messaging."

Use Exchange Online PowerShell to view UM mailbox policy properties


This example returns a formatted list of all UM mailbox policies in the Active Directory forest.

Get-UMMailboxPolicy | Format-List

This example returns the properties and values for a UM mailbox policy named MyUMMailboxPolicy.

Get-UMMailboxPolicy -Identity MyUMMailboxPolicy
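
The following added example (not part of the original documentation) checks the PIN settings returned by Get-UMMailboxPolicy against a baseline. The baseline values are assumptions copied from the Set-UMMailboxPolicy PIN example in this topic, the function names and sample policies are constructed for illustration, and PINLifetime is assumed to come back as a day count, a d.hh:mm:ss time span, or Unlimited.

```powershell
# Added example: audit UM mailbox policy PIN settings against a baseline.
# Baseline values are assumptions copied from the Set-UMMailboxPolicy example in this topic.
$UMPinBaseline = @{
    MinPINLength                = 8    # PIN must have at least this many digits
    PINHistoryCount             = 10   # at least this many previous PINs are remembered
    MaxPINLifetimeDays          = 60   # PIN must expire within this many days
    LogonFailuresBeforePINReset = 8    # PIN is reset after at most this many failures
    MaxLogonAttempts            = 12   # mailbox locks out after at most this many failures
}

function ConvertTo-PinLifetimeDays {
    # Hypothetical helper. Assumption: the value is a day count, a d.hh:mm:ss
    # time span, or the literal 'Unlimited'. Returns nothing for Unlimited or empty.
    param($Value)
    $text = "$Value".Trim()
    if ($text -eq '' -or $text -eq 'Unlimited') { return }
    $days = 0
    if ([int]::TryParse($text, [ref]$days)) { return $days }
    return [timespan]::Parse($text, [cultureinfo]::InvariantCulture).TotalDays
}

function Test-UMPinPolicy {
    # Hypothetical function: emits one result object per policy.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    process {
        $findings = @()

        if ([int]$Policy.MinPINLength -lt $Baseline.MinPINLength) {
            $findings += "MinPINLength is $($Policy.MinPINLength), baseline minimum is $($Baseline.MinPINLength)"
        }
        if ([int]$Policy.PINHistoryCount -lt $Baseline.PINHistoryCount) {
            $findings += "PINHistoryCount is $($Policy.PINHistoryCount), baseline minimum is $($Baseline.PINHistoryCount)"
        }

        $lifetime = ConvertTo-PinLifetimeDays $Policy.PINLifetime
        if ($null -eq $lifetime) {
            $findings += 'PINLifetime is Unlimited or not set, so PINs never expire'
        } elseif ($lifetime -gt $Baseline.MaxPINLifetimeDays) {
            $findings += "PINLifetime is $lifetime days, baseline maximum is $($Baseline.MaxPINLifetimeDays)"
        }

        $reset = "$($Policy.LogonFailuresBeforePINReset)"
        if ($reset -eq 'Unlimited') {
            $findings += 'LogonFailuresBeforePINReset is Unlimited, so failed sign-ins never reset the PIN'
        } elseif ([int]$reset -gt $Baseline.LogonFailuresBeforePINReset) {
            $findings += "LogonFailuresBeforePINReset is $reset, baseline maximum is $($Baseline.LogonFailuresBeforePINReset)"
        }

        if ([int]$Policy.MaxLogonAttempts -gt $Baseline.MaxLogonAttempts) {
            $findings += "MaxLogonAttempts is $($Policy.MaxLogonAttempts), baseline maximum is $($Baseline.MaxLogonAttempts)"
        }

        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample objects that mimic Get-UMMailboxPolicy output, so the check runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'MyUMMailboxPolicy'; MinPINLength = 8; PINHistoryCount = 10
                       PINLifetime = '60.00:00:00'; LogonFailuresBeforePINReset = 8; MaxLogonAttempts = 12 }
    [pscustomobject]@{ Name = 'WeakPolicy (constructed)'; MinPINLength = 4; PINHistoryCount = 1
                       PINLifetime = 'Unlimited'; LogonFailuresBeforePINReset = 'Unlimited'; MaxLogonAttempts = 15 }
)
$samplePolicies | Test-UMPinPolicy -Baseline $UMPinBaseline | Format-Table -AutoSize -Wrap

# In a connected Exchange Online PowerShell session:
#   Get-UMMailboxPolicy | Test-UMPinPolicy -Baseline $UMPinBaseline
```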


Delete a UM mailbox policy
2/28/2019

When you delete a Unified Messaging (UM) mailbox policy, the UM mailbox policy will no longer be available to
be associated with recipients who are being enabled for UM. You can't delete a UM mailbox policy if it's referenced
by any UM-enabled mailboxes, and you can't delete a UM dial plan if a UM mailbox policy is associated with it.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to delete a UM mailbox policy


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM dial plan page, under UM Mailbox Policies, on the toolbar, click Delete.

Use Exchange Online PowerShell to delete a UM mailbox policy


This example deletes a UM mailbox policy named MyUMMailboxPolicy.

Remove-UMMailboxPolicy -Identity MyUMMailboxPolicy


Voice mail for users
2/28/2019

With Unified Messaging (UM), users in an Exchange organization can receive all their email and voice messages in
one mailbox. The Unified Messaging functionality and voice mail features increase user productivity and enable
more flexible messaging throughout an organization.
When you're adding a user to your organization, you're given the option of creating a mailbox or connecting the
user to an existing mailbox. After the mailbox is created for the user or the user is connected to an existing
mailbox, you can enable the mailbox for Unified Messaging so the user can use the voice mail system and the
features included with voice mail. After the user is enabled for Unified Messaging, all email, voice mail, and fax
messages will be delivered to the user's mailbox. By using Microsoft Office Outlook 2007 or later versions,
Outlook Web App, a mobile phone enabled for Microsoft Exchange ActiveSync, or a regular or mobile phone,
users can access their email, voice messages, personal contacts, and calendaring information.

Voice mail user properties


A user must have a mailbox before they can be enabled for Unified Messaging. But, by default, a user who has a
mailbox isn't enabled for Unified Messaging. After the user is UM-enabled, you can manage, modify, and
configure the UM properties and voice mail features for them. You can enable a user for Unified Messaging using
EAC or Exchange Online PowerShell. For details, see Enable a user for voice mail. To enable multiple UM users,
use the EAC or the Enable-UMMailbox cmdlet in Exchange Online PowerShell.

The relationship between a voice mail user and other UM components


When you enable a user for Unified Messaging, the user must be associated with or linked to an existing UM
mailbox policy, and you must provide an extension number for them. You can associate a user with a UM mailbox
policy by using the Enable-UMMailbox cmdlet in Exchange Online PowerShell or by selecting the UM mailbox
policy when you enable the user for Unified Messaging. By default, when you create a UM dial plan, a new UM
mailbox policy is created. This policy can be modified or another policy can be created and linked to the dial plan
to determine what features or settings will be applied to a user or group of users.
A UM mailbox policy contains settings such as the dialing restrictions and PIN policies for a user. When a UM
mailbox policy is created, it must be associated with only one UM dial plan. Any Exchange server can answer
incoming calls and provide voice mail services for any UM-enabled users who are linked with the UM dial plan.
After the user is enabled for Unified Messaging, the settings from a UM mailbox policy are applied to the
UM-enabled user.

Extension numbers and SIP addresses


When you enable a user for Unified Messaging, you must define at least one extension number that Unified
Messaging will use when voice mail is submitted to the user's mailbox. After you enable the user for Unified
Messaging, you can add, modify, or remove secondary extension numbers by configuring the Exchange Unified
Messaging proxy address (EUM proxy address) on the user's mailbox, or by adding or removing secondary
extensions for the user in the EAC. You can remove the primary extension number
in the EAC by removing the EUM proxy address, but it's recommended that you don't remove it. If you remove the
primary extension number, calls won't be forwarded correctly to the user's mailbox.

NOTE
There's no limit to the number of secondary extension numbers that you can add for a UM-enabled user, but there can only
be one primary extension number per user.

The mailbox of a UM-enabled user can be associated with only one UM dial plan. The UM-enabled user can be
assigned the following:
A single primary extension number, Session Initiation Protocol (SIP) address, or E.164 address on a single
dial plan.
Multiple secondary extension numbers, SIP addresses, or E.164 addresses on a single dial plan.
Multiple primary extension numbers, SIP addresses, or E.164 addresses on two separate dial plans.

NOTE
Each extension number, SIP address, and E.164 number must be unique within a dial plan, and the number of digits in the
dial plan will be used for all users that are linked with the dial plan.

For example, a UM-enabled user travels frequently from New York to Tokyo. The user's mailbox is associated with
the New York dial plan and a single extension number is configured on the user's mailbox. A second extension
number is configured on the user's mailbox for the Tokyo dial plan. When callers dial either extension number and
leave a voice message for the user, the voice message will be delivered to the same UM-enabled mailbox.

Using the EAC to enable a user for UM and voice mail


After you create an Exchange mailbox for the user, you can configure the UM mailbox settings by using View
Details under Unified Messaging in the EAC. When you enable a user, there are several settings that you need
to configure:
1. SIP address: This is the SIP address for the user. You'll see this setting if the user that you're enabling for
UM is assigned to a UM mailbox policy that's linked to a SIP URI dial plan. SIP URI dial plans are used
when you're integrating Office Communications Server 2007 R2 or Microsoft Lync Server. When you
assign the user to a UM mailbox policy that's linked to a SIP URI or E.164 dial plan, you must still also enter
an extension number for the user. The primary extension number is used by the user to access Outlook
Voice Access.
2. Extension number: You must manually enter the extension number for the user you're enabling for UM.
You must provide a valid extension number for the user and match the number of digits specified on the
dial plan. You can only enter numeric characters or digits from 1 through 20. The typical extension number
is 3 to 7 digits long, and is configured on the dial plan with which the UM mailbox policy is linked and
assigned to the user.
3. PIN settings for the user:
Automatically generate PIN: This setting automatically generates a PIN for the UM-enabled user to use
for voice mail access via Outlook Voice Access. This is the default setting. When you click this button, a PIN
is automatically generated based on the PIN policies configured on the UM mailbox policy assigned to the
user. We recommend that you use this setting to help protect the user's PIN. The PIN is sent to the user in
the welcome message they receive after they're enabled for UM. By default, they'll have to change this PIN
when they first sign in to their mailbox to get their voice mail.
Type a PIN: This setting enables you to manually specify a PIN that the user will use to access the voice
mail system.
The PIN must comply with the PIN policy settings configured on the UM mailbox policy associated with
this UM-enabled user. For example, if the UM mailbox policy is configured to accept only PINs that contain
seven or more digits, the PIN you enter in this box must be at least seven digits long.
Require the user to reset their PIN the first time they sign in: This setting forces the user to reset their
voice mail PIN when they access the voice mail system from a telephone using Outlook Voice Access for
the first time. They will be prompted to enter a PIN that's more familiar to them. It's a security best practice
to force UM-enabled users to change their PIN when they first sign in to help protect against unauthorized
access to their data and Inbox. This check box is selected by default.

Using Exchange Online PowerShell to enable a user for UM and voice mail

This example enables Unified Messaging and voice mail on the mailbox for tonysmith@contoso.com, sets the
extension and manually sets the PIN for the user, and then assigns the user to a UM mailbox policy named
MyUMMailboxPolicy.

Enable-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyUMMailboxPolicy -Extensions 51234 -PIN 5643892 -PINExpired $true

This example enables Unified Messaging and voice mail on a mailbox for tonysmith@contoso.com, assigns the
user to a UM mailbox policy named MyUMMailboxPolicy, and sets the extension number, SIP address, and manually
sets the PIN for the user.

Enable-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyUMMailboxPolicy -Extensions 51234 -PIN 5643892 -SIPResourceIdentifier "tonysmith@contoso.com" -PINExpired $true

Disabling UM for a user


When you disable Unified Messaging for a user, the user's account may still be listed when a caller performs a
directory search using a UM auto attendant menu or using Outlook Voice Access. Callers may be able to locate a
user in the directory, but when they try to contact the user, they're taken back to the main menu in Unified
Messaging. This may cause callers to become frustrated with the system. You can prevent callers from using a
directory search to contact a user who's been disabled for Unified Messaging by connecting the user to another
voice mail system, removing the user from the UM auto attendant directory search, or removing the user's
account.
After a UM-enabled user account is disabled for Unified Messaging, the user may still have access to the
individual UM-enabled mailbox using Outlook Voice Access or Microsoft Outlook. This can occur when all the
changes aren't consistent in the directory. To lessen the risk of a user gaining access to the mailbox even though
the account has been disabled for Unified Messaging, you can manually force replication to occur or remove all
Unified Messaging information from the user's mailbox when the user is disabled for Unified Messaging.
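
As an added check for the situation described above (not part of the original documentation), this example lists mailboxes that are no longer UM-enabled but still carry EUM proxy addresses. It assumes that leftover EUM proxy addresses indicate Unified Messaging information that wasn't removed and that they follow the EUM:<value>;phone-context=<dial plan> layout; the function name and sample mailboxes are constructed for illustration.

```powershell
# Added example: find mailboxes that are disabled for UM but still hold EUM proxy addresses.
function Find-ResidualUMAddress {
    # Hypothetical function. Expects objects with PrimarySmtpAddress, UMEnabled
    # and EmailAddresses properties, as returned by Get-Mailbox.
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        # Proxy addresses are 'TYPE:value' strings; UM extensions use the EUM type.
        $eum = @($Mailbox.EmailAddresses |
                 ForEach-Object { "$_" } |
                 Where-Object { $_ -like 'EUM:*' })

        # Nothing to report for mailboxes that are still UM-enabled or are clean.
        if ($Mailbox.UMEnabled -or $eum.Count -eq 0) { return }

        foreach ($address in $eum) {
            # Assumed layout: EUM:<extension, SIP or E.164 address>;phone-context=<dial plan>
            $value, $dialPlan = ($address -replace '^EUM:', '') -split ';phone-context=', 2
            [pscustomobject]@{
                Mailbox  = "$($Mailbox.PrimarySmtpAddress)"
                Address  = $value
                DialPlan = $dialPlan
            }
        }
    }
}

# Constructed sample objects that mimic Get-Mailbox output, so the check runs offline.
$sampleMailboxes = @(
    [pscustomobject]@{
        PrimarySmtpAddress = 'tonysmith@contoso.com'
        UMEnabled          = $false   # disabled for UM, but an EUM address remains
        EmailAddresses     = @('SMTP:tonysmith@contoso.com',
                               'EUM:51234;phone-context=NewYorkDialPlan.contoso.com')
    }
    [pscustomobject]@{
        PrimarySmtpAddress = 'user2@contoso.com'
        UMEnabled          = $true    # still UM-enabled, so the EUM address is expected
        EmailAddresses     = @('SMTP:user2@contoso.com',
                               'EUM:51235;phone-context=NewYorkDialPlan.contoso.com')
    }
    [pscustomobject]@{
        PrimarySmtpAddress = 'user3@contoso.com'
        UMEnabled          = $false   # disabled and clean
        EmailAddresses     = @('SMTP:user3@contoso.com')
    }
)
$sampleMailboxes | Find-ResidualUMAddress | Format-Table -AutoSize

# In a connected session:
#   Get-Mailbox -ResultSize Unlimited | Find-ResidualUMAddress
# To disable UM and remove the UM properties from the mailbox in one step:
#   Disable-UMMailbox -Identity tonysmith@contoso.com -KeepProperties $false
```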

Voice mail-enabled user procedures
2/28/2019

Enable a user for voice mail


Include text with the email message sent when a user is enabled for voice mail
Manage voice mail settings for a user
Assign a UM mailbox policy
Change the UM dial plan
Enable calls from users who aren't UM-enabled
Disable calls from users who aren't UM-enabled
Allow callers without a caller ID to leave a voice message
Include text with the email message sent when a voice message is received
Prevent callers without a caller ID from leaving a voice message
Disable voice mail for a user
Change a SIP address
Change an extension number
Add a SIP address
Remove a SIP address
Add an extension number
Remove an extension number
Change an E.164 number
Add an E.164 number
Remove an E.164 number

Enable a user for voice mail
2/28/2019

When you enable a user for Unified Messaging (UM), a default set of properties is applied to the user, and
the user will be able to use the voice mail features included with Unified Messaging. After you enable a user
for voice mail, you have the option of adding a Session Initiation Protocol (SIP) address for the user if they're
assigned to a UM mailbox policy that's linked to a SIP URI dial plan. Or, you can add an E.164 number for the
user if they're assigned to a UM mailbox policy that's linked to an E.164 dial plan. In both cases, the user must
still have an extension number configured.
An extension number is required for each user that's associated with a telephone extension, SIP Uniform
Resource Identifier (URI), or E.164 dial plan. The extension number must be the correct number of digits, as
specified in the UM dial plan for the UM mailbox policy.

NOTE
You must add, remove, or modify extension numbers for all UM-enabled users by using the EAC or Exchange Online
PowerShell, even if they're linked to a SIP URI or E.164 dial plan. To add, remove or modify SIP address or E.164
numbers for users, you'll need to use Exchange Online PowerShell because those options aren't available in the EAC.

For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see
what permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps,
see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online
Protection.

Use the EAC to enable a user for voice mail


1. In the EAC, click Recipients.
2. In the List view, select the user whose mailbox you want to enable for Unified Messaging.
3. In the Details pane, under Phone and Voice Features, click Enable.
4. On the Enable UM mailbox page, click the Browse button next to UM mailbox policy, locate the
UM mailbox policy to assign the user from the list, and then click OK.
5. On the Enable UM mailbox page, complete the following boxes:
SIP address or E.164 number: In the SIP address or E.164 number text box, enter the SIP address
or E.164 number for the user. These options are available if the user that you enable for Unified
Messaging is assigned to a UM mailbox policy that's linked to either a SIP URI or an E.164 dial plan.
You can't add a SIP address or E.164 number for a user if the user is associated with a telephone
extension dial plan.
When you assign a user to a UM mailbox policy that's linked to a SIP URI or E.164 dial plan, you must
enter an extension number for the user. The user will use this extension number when accessing their
mailbox via Outlook Voice Access. The number of digits that you configure in this box must match the
number of digits configured on the SIP URI or E.164 dial plan.
Extension number: Use this text box to manually enter the extension number for the user you're
enabling for UM.
You must provide a valid extension number for the user, and it must match the number of digits specified
on the dial plan. You can only enter digits from 1 through 20. The typical extension number is 3 to 7
digits long. The number of digits in the extension is set on the dial plan that's linked to the UM mailbox
policy that's assigned to the user.
Under PIN settings, complete the following:
Automatically generate PIN: Click this button to automatically generate a PIN for the UM-enabled
user to use for voice mail access via Outlook Voice Access. This is the default setting. The PIN is
automatically generated based on the PIN policies configured on the UM mailbox policy assigned to
the user. Using this setting will help protect the user's PIN. The PIN is sent to the user in the welcome
message they receive after they're enabled for UM. By default, they'll have to change this PIN when
they first sign in to their mailbox to get their voice mail.
Type a PIN: Click this button to enter a PIN that the user will use to access the voice mail system. The
PIN must comply with the PIN policy settings configured on the UM mailbox policy associated with
this UM-enabled user. For example, if the UM mailbox policy is configured to accept only PINs that
contain seven or more digits, the PIN you enter in this box must be at least seven digits long.
Require the user to reset their PIN the first time they sign in: Select this check box to force the
user to reset their voice mail PIN when they access the voice mail system from a telephone using
Outlook Voice Access for the first time. They will be prompted to enter a PIN that's more familiar to
them. It's a security best practice to force UM-enabled users to change their PIN when they first sign in
to help protect against unauthorized access to their data and Inbox. This check box is selected by
default.
6. On the Enable UM mailbox page, review your settings. Click Finish to enable the user for voice mail.
Click Back to make configuration changes.

Use Exchange Online PowerShell to enable a user for voice mail


This example enables Unified Messaging on the mailbox of tonysmith@contoso.com, sets the extension
number to 51234, sets the PIN for the user to 5643892, and assigns the user to a UM mailbox policy named
MyUMMailboxPolicy.

Enable-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyUMMailboxPolicy -Extensions 51234 -PIN 5643892 -PINExpired $true

This example enables Unified Messaging on the mailbox of tonysmith@contoso.com, assigns the user to a
UM mailbox policy named MyUMMailboxPolicy, and sets the extension number, SIP address, and PIN for the
user.

Enable-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyUMMailboxPolicy -Extensions 51234 -PIN 5643892 -SIPResourceIdentifier "tonysmith@contoso.com" -PINExpired $true
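
An added example, not part of the original documentation, that serves both sets of Enable-UMMailbox examples in this guide: it validates a batch of extension numbers against the rules described above (digits only, length matching the dial plan, unique within the dial plan) and then enables each valid user without a -PIN argument, so no PIN appears in a script or in shell history. It assumes that omitting -PIN makes the system generate the PIN, as the Automatically generate PIN option does; Test-UMExtension, Get-UMEnablePlan, the sample users other than tonysmith@contoso.com, and the 5-digit dial plan length are constructed for illustration.

```powershell
# Added example: validate extensions, then enable users for UM without a PIN on the command line.

function Test-UMExtension {
    # Hypothetical helper. Returns nothing when the extension is acceptable,
    # otherwise a string that explains the problem.
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Extension,
        [Parameter(Mandatory)] [ValidateRange(1, 20)] [int] $DialPlanDigits
    )
    if ($Extension -notmatch '^[0-9]+$') {
        return 'extension must contain digits only'
    }
    if ($Extension.Length -ne $DialPlanDigits) {
        return "extension has $($Extension.Length) digits, dial plan expects $DialPlanDigits"
    }
}

function Get-UMEnablePlan {
    # Hypothetical function. Emits one row per user with the validation result
    # and the parameter set that would be passed to Enable-UMMailbox.
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string] $UMMailboxPolicy,
        [Parameter(Mandatory)] [int] $DialPlanDigits
    )
    $seen = @{}   # extension -> first identity that claimed it in this batch
    foreach ($user in $Users) {
        $extension = "$($user.Extension)"
        $reason = Test-UMExtension -Extension $extension -DialPlanDigits $DialPlanDigits
        if (-not $reason -and $seen.ContainsKey($extension)) {
            $reason = "extension already used by $($seen[$extension]) in this batch"
        }
        if (-not $reason) { $seen[$extension] = $user.Identity }

        [pscustomobject]@{
            Identity = $user.Identity
            Valid    = (-not $reason)
            Reason   = $reason
            # No PIN key: the PIN is generated by the system and must be changed at first sign-in.
            Params   = @{
                Identity        = $user.Identity
                UMMailboxPolicy = $UMMailboxPolicy
                Extensions      = $extension
                PINExpired      = $true
            }
        }
    }
}

# Constructed sample batch; in practice this would come from Import-Csv.
$batch = @(
    [pscustomobject]@{ Identity = 'tonysmith@contoso.com'; Extension = '51234' }
    [pscustomobject]@{ Identity = 'user2@contoso.com';     Extension = '5123'  }   # too short
    [pscustomobject]@{ Identity = 'user3@contoso.com';     Extension = '51234' }   # duplicate
    [pscustomobject]@{ Identity = 'user4@contoso.com';     Extension = '51x35' }   # not numeric
)

$plan = Get-UMEnablePlan -Users $batch -UMMailboxPolicy 'MyUMMailboxPolicy' -DialPlanDigits 5
$plan | Format-Table Identity, Valid, Reason -AutoSize

# Only call the cmdlet when an Exchange Online PowerShell session is available.
if (Get-Command Enable-UMMailbox -ErrorAction SilentlyContinue) {
    foreach ($row in ($plan | Where-Object Valid)) {
        $params = $row.Params
        Enable-UMMailbox @params -WhatIf   # remove -WhatIf to apply the change
    }
}
```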

Include text with the email message sent when a user is enabled for voice mail
2/28/2019

When a user's mailbox is enabled for Unified Messaging (UM) voice mail, an email message is sent that welcomes
the user to Unified Messaging. This message contains the PIN information the user will use to first access the voice
mail system.
You can customize the text that's sent in the welcome email message by adding text in the When a user is
enabled for Unified Messaging box on a UM mailbox policy. You can include such information as the UM
technical support telephone numbers or additional Outlook Voice Access numbers. After you add the text, it will be
included in the email message sent when users associated with the UM mailbox policy are enabled for Unified
Messaging.

NOTE
The custom text you add to the welcome message is limited to 512 characters, and it can include simple HTML text.

For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to customize the text sent when a mailbox is enabled for Unified Messaging

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user is enabled for
Unified Messaging, enter the text you want to include in the email message that's sent when users are
enabled for Unified Messaging voice mail.
4. Click Save.

Use Exchange Online PowerShell to customize the text sent when a mailbox is enabled for Unified Messaging

This example enables UM-enabled users who are associated with a UM mailbox policy to receive additional
instructions about UM and the Outlook Voice Access number that they can use to access their mailbox over a
phone.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -UMEnabledText "You've been enabled for Unified Messaging voice mail. To access your Exchange mailbox, call your internal telephone extension number. From outside your office, call 425-555-1234."

Manage voice mail settings for a user
2/28/2019

You can view or set the Unified Messaging (UM) and voice mail features and configuration settings for a user
that's been enabled for UM and voice mail. For example, you can do the following:
Reset their Outlook Voice Access PIN.
Add a personal operator extension number.
Add other extension numbers.
Enable or disable Automatic Speech Recognition (ASR).
Enable or disable Call Answering Rules.
Enable or disable access to their email or calendar.

NOTE
Some of the settings and features can only be configured by using Exchange Online PowerShell.

For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the existing user is currently enabled for Unified
Messaging. For detailed steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view or configure a UM-enabled user's properties


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to change the UM mailbox policy.
3. In the details pane, under Phone and Voice Features > Unified Messaging, click View details.
4. On the UM Mailbox page, click UM mailbox settings to view or change the following UM properties for
an existing UM-enabled user:
PIN Status: This display-only field shows the status of the user's mailbox. By default, when a user is
UM-enabled, the PIN status is listed as Not locked out. However, if the user has input an incorrect Outlook
Voice Access PIN multiple times, the status is listed as Locked Out.
UM mailbox policy: This box shows the name of the UM mailbox policy associated with the UM-enabled
user. You can click Browse to locate and specify the UM mailbox policy to be associated with this UM
mailbox.
Personal operator extension: Use this box to specify the operator extension number for the user. By
default, an extension number isn't configured. The length of the extension number can be from 1 through
20 characters. This enables incoming calls for the UM-enabled user to be forwarded to the extension
number that you specify in this box.
You can configure other types of operator extension numbers on dial plans and auto attendants. However,
those extensions are generally meant for company-wide receptionists or operators. The personal operator
extension setting could be used when an administrative assistant or personal assistant answers incoming
calls before they're answered for a particular user.
5. On the UM Mailbox page, under Other extensions, you can add, change, and view extension numbers for the
user.
To add an extension number, click Add. On the Add another extension page, use Browse to select the
UM dial plan, and then enter the extension number in the Extension number box.
To remove an extension number, select the extension number you want to remove, and then click Remove.
6. If you make any changes, click Save.

Use Exchange Online PowerShell to configure features for a UM-enabled user

This example disables Play on Phone and missed call notifications, but enables text message (SMS) notifications.

NOTE
For on-premises and hybrid deployments, when you're integrating Unified Messaging and Lync Server, missed call
notifications aren't available to users who have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server. A
missed call notification is generated when a user disconnects before the call is sent to a Mailbox server.

Set-UMMailbox -Identity tony@contoso.com -UMEnabled $true -UMMailboxPolicy AdminPolicy -MissedCallNotificationEnabled $false -PlayonPhoneEnabled $false -SMSMessageWaitingNotificationEnabled $true

This example prevents a user from accessing the calendar, but enables access to email when the user is using
Outlook Voice Access.

Set-UMMailbox -Identity tony@contoso.com -UMEnabled $true -UMMailboxPolicy AdminPolicy -Extension 523456 -FAXEnabled $true -TUIAccessToCalendarEnabled $false -TUIAccessToEmailEnabled $true

This example prevents a user from accessing the calendar and email when the user is using Outlook Voice Access.

Set-UMMailbox -Identity tony@contoso.com -TUIAccessToCalendarEnabled $false -TUIAccessToEmailEnabled $false

This example prevents a user from creating call answering rules, receiving incoming faxes, and using Outlook
Voice Access, but enables Automatic Speech Recognition (ASR).

Set-UMMailbox -Identity tony@contoso.com -AutomaticSpeechRecognitionEnabled $true -CallAnsweringRulesEnabled $false -FaxEnabled $false -SubscriberAccessEnabled $false

Use Exchange Online PowerShell to view a UM-enabled user's properties

This example displays all the UM-enabled mailboxes in the forest as a formatted list.

Get-UMMailbox | Format-List

This example displays the UM mailbox properties for tonysmith@contoso.com.

Get-UMMailbox -Identity tonysmith@contoso.com

IMPORTANT
When you're running Exchange 2007 and Exchange 2013 and the user's mailbox is located on an Exchange 2007 Mailbox
server, running the Get-UMMailbox cmdlet won't work correctly. To resolve the issue, run the Get-UMMailbox cmdlet from
an Exchange 2007 server or a computer running the Exchange 2007 administrative tools.

Assign a UM mailbox policy
2/28/2019

When you enable a user for Unified Messaging (UM) and voice mail, you must select the UM mailbox policy that
will be associated with the user's mailbox. You can change the UM mailbox policy associated with the user's
mailbox after the user has been enabled for UM.
You create UM mailbox policies to apply a common set of policies or security settings to a collection of mailboxes
of UM-enabled users. You can use UM mailbox policies to apply settings such as the following:
PIN policies
Dialing restrictions
Other general UM mailbox policy properties

NOTE
A default UM mailbox policy is created every time you create a UM dial plan. You can delete the default UM mailbox policies
or create additional UM mailbox policies based on the needs of your organization.

For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user is enabled for Unified Messaging. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the UM mailbox policy assigned to a UM-enabled user
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to change the UM mailbox policy.
3. In the details pane, under Phone and Voice Features > Unified Messaging, click View details.
4. On the UM Mailbox page, click UM mailbox settings, and then click Edit.
5. On the UM Mailbox page > next to UM mailbox policy, click Browse to locate the UM mailbox policy
for the user.
6. Click Save.

Use Exchange Online PowerShell to change the UM mailbox policy assigned to a UM-enabled user
This example associates a UM-enabled user named Tony Smith with a UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyUMMailboxPolicy


Change the UM dial plan
2/28/2019 • 2 minutes to read

You may need to move a user who is enabled for Unified Messaging (UM) to a different UM dial plan or change
the dial plan that's associated with the user. For example, you might want to move a UM-enabled user from a
Telephone Extension dial plan to a SIP URI dial plan.
To change the UM dial plan, you'll have to disable the user for Unified Messaging and then enable the user for
Unified Messaging on the new UM dial plan. This is because different dial plans may have different settings and
requirements, such as different extension lengths or different URI types. For example, SIP URI dial plans require a
SIP Resource Identifier to be assigned to each UM-enabled mailbox, but Telephone Extension dial plans don't. Also,
each UM mailbox contains references to both the UM dial plan and the UM mailbox policy. The UM mailbox policy,
in turn, contains references to the UM dial plan. If you change the primary proxy address for a UM-enabled user to
point to a different dial plan, the UM mailbox is in an inconsistent state.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 10 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform these procedures, confirm that the existing Exchange recipient is enabled for Unified
Messaging. For detailed steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Create the new UM dial plan


IMPORTANT
If you're migrating UM-enabled users to Microsoft Office Communications Server 2007 R2 or to Microsoft Lync Server, you
must first create a SIP URI dial plan.

For detailed instructions, see Create a UM dial plan.


Step 2: Disable the user for Unified Messaging
For detailed instructions, see Disable voice mail for a user.

Step 3: Enable the user for Unified Messaging on the new UM dial plan
IMPORTANT
If you're moving users to an environment with Office Communications Server 2007 R2 or Lync Server, you must also include
a SIP Resource Identifier for the user when you enable them for UM. You must also select the UM mailbox policy that's
associated with a SIP dial plan.

For detailed instructions, see Enable a user for voice mail.


Enable calls from users who aren't UM-enabled
2/28/2019 • 2 minutes to read

You can enable or disable calls from users who aren't enabled for Unified Messaging (UM). By default, Unified
Messaging allows incoming calls from unauthenticated callers through an auto attendant to be transferred to
UM-enabled users. With this option enabled, users from outside an organization can transfer calls to UM-enabled
users.
If this setting has been disabled for a UM-enabled user, the user's mailbox can still be located using a directory
search. However, if an external caller tries to transfer to the user, the system says, "I'm sorry, I am unable to transfer
the call to this user." The caller is then transferred to the operator, if an operator has been configured on the auto
attendant. If no operator has been configured on the auto attendant, the call is transferred to a dial plan operator, if
one has been configured. If no operator extension has been configured on the speech-enabled auto attendant, the
dual tone multi-frequency (DTMF) fallback auto attendant, or the dial plan, the system responds by saying, "Sorry.
Neither the operator or the touchtone service are available."
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable calls from users who aren't UM-enabled
This example allows Tony Smith to receive voice calls from callers who aren't UM-enabled.

Set-UMMailbox -Identity tony@contoso.com -AllowUMCallsFromNonUsers SearchEnabled


Disable calls from users who aren't UM-enabled
2/28/2019 • 2 minutes to read

You can enable or disable calls from users who aren't enabled for Unified Messaging (UM). By default, Unified
Messaging allows incoming calls from unauthenticated callers through an auto attendant to be transferred to
UM-enabled users. With this setting enabled, users from outside an organization can transfer calls to UM-enabled
users.
If this setting has been disabled for a UM-enabled user, the user's mailbox can still be located using a directory
search. However, if an external caller tries to transfer to the user, the system says, "I'm sorry, I am unable to transfer
the call to this user." The caller is then transferred to the operator, if an operator has been configured on the auto
attendant. If no operator has been configured on the auto attendant, the call is transferred to a dial plan operator, if
one has been configured. If no operator extension has been configured on the speech-enabled auto attendant, the
dual tone multi-frequency (DTMF) fallback auto attendant, or the dial plan, the system responds by saying, "Sorry.
Neither the operator nor the touchtone service are available."
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to disable calls from users who aren't UM-enabled
This example prevents Tony Smith from receiving voice calls from callers who aren't UM-enabled.

Set-UMMailbox -Identity tony@contoso.com -AllowUMCallsFromNonUsers None


Allow callers without a caller ID to leave a voice message
2/28/2019 • 2 minutes to read

You can allow UM-enabled users to receive voice mail messages from anonymous callers or prevent them from
doing so. By default, when users are enabled for Unified Messaging (UM) and voice mail, they can receive calls that
are anonymous and don't contain caller ID information.
In most cases, calls received by Unified Messaging contain a caller ID that can be used to determine the source of
the incoming call. However, incoming calls may not include caller ID information for the following reasons:
Your organization's telephony equipment is configured not to include caller ID information.
The incoming call is from a mobile or external telephone.
The caller has disabled caller ID on their telephone.
Because the AnonymousCallersCanLeaveMessages parameter is enabled by default, a UM-enabled user can
receive a voice message even if caller ID information isn't included. If the AnonymousCallersCanLeaveMessages
option is disabled, and the UM-enabled user receives a call that doesn't include a caller ID, the call will be identified
as anonymous, and the UM-enabled user won't receive a voice message.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to allow voice messages from anonymous callers to be received
This example allows UM-enabled user tonysmith@contoso.com to receive voice messages from incoming calls
that don't contain caller ID information.

Set-UMMailbox -Identity tonysmith@contoso.com -AnonymousCallersCanLeaveMessages $true


Include text with the email message sent when a voice message is received
2/28/2019 • 2 minutes to read

You can include additional text in the email message that's sent when a voice mail message is received by a user
who is enabled for Unified Messaging (UM) voice mail. By default, the text that's included with a voice message
indicates only that the user has received a voice message. However, you can create a custom message by adding
text in the When a user receives a voice message box on a UM mailbox policy. For example, the text can include
information about system security policies and describe the correct way to handle voice messages in your
organization. After you add the text, it will be included in each email message that's sent when UM-enabled users
associated with the UM mailbox policy receive a voice message.

NOTE
The custom text that accompanies a voice message is limited to 512 characters, and can include simple HTML text.

For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the text included with a voice message
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user receives a voice
message, enter the text you want to include in the email message that's sent when users receive a voice
message.
4. Click Save.

Use Exchange Online PowerShell to change the text included with a voice message
This example includes the additional text, "Do not forward voice messages to users outside this organization", with
voice messages sent to users who are associated with the UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailText "Do not forward voice messages to users outside this organization."


Prevent callers without a caller ID from leaving a voice message
2/28/2019 • 2 minutes to read

You can allow UM-enabled users to receive voice messages from anonymous callers or prevent them from doing
so. By default, when users are enabled for Unified Messaging (UM) and voice mail, they can receive calls that are
anonymous and don't contain caller ID information.
In most cases, calls received by Exchange servers contain a caller ID that can be used to determine the source of
the incoming call. However, incoming calls may not include caller ID information for the following reasons:
Your organization's telephony equipment is configured not to include caller ID information.
The incoming call is from a mobile or external telephone.
The caller has disabled caller ID on their telephone.
Because the AnonymousCallersCanLeaveMessages parameter is enabled by default, a UM-enabled user can
receive a voice message even if caller ID information isn't included. If the AnonymousCallersCanLeaveMessages
option is disabled, and the UM-enabled user receives a call that doesn't include a caller ID, the call will be identified
as anonymous, and the UM-enabled user won't receive a voice message.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to prevent voice messages from anonymous callers from being received
This example prevents UM-enabled user tonysmith@contoso.com from receiving voice messages from calls that
don't contain caller ID information.

Set-UMMailbox -Identity tonysmith@contoso.com -AnonymousCallersCanLeaveMessages $false
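
An added audit sketch for the two per-mailbox settings covered above, AllowUMCallsFromNonUsers and AnonymousCallersCanLeaveMessages (not part of the original documentation): it flags UM mailboxes that still accept transfers from unauthenticated callers or voice mail from callers without caller ID, and emits the Set-UMMailbox command from this page that closes each one. The helper name Get-UMExposureFinding, the use of PrimarySmtpAddress as the identity, and the sample objects are assumptions; the samples are constructed so the block runs without an Exchange session.

```powershell
# Added example, not Microsoft's code. Get-UMExposureFinding is a hypothetical helper.
function Get-UMExposureFinding {
    [CmdletBinding()]
    param(
        # One object per UM mailbox, shaped like Get-UMMailbox output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$UMMailbox
    )
    process {
        # Assumption: PrimarySmtpAddress identifies the mailbox.
        $id = [string]$UMMailbox.PrimarySmtpAddress

        # Any value other than None lets an auto attendant transfer
        # unauthenticated callers to this user.
        $transfer = [string]$UMMailbox.AllowUMCallsFromNonUsers
        if ($transfer -and $transfer -ne 'None') {
            [pscustomobject]@{
                Mailbox     = $id
                Setting     = 'AllowUMCallsFromNonUsers'
                Value       = $transfer
                Remediation = "Set-UMMailbox -Identity $id -AllowUMCallsFromNonUsers None"
            }
        }

        # Enabled by default: callers without caller ID can leave voice mail.
        if ($UMMailbox.AnonymousCallersCanLeaveMessages -eq $true) {
            [pscustomobject]@{
                Mailbox     = $id
                Setting     = 'AnonymousCallersCanLeaveMessages'
                Value       = 'True'
                Remediation = "Set-UMMailbox -Identity $id -AnonymousCallersCanLeaveMessages `$false"
            }
        }
    }
}

# Constructed sample objects (not real data). frontdesk and cfo are made-up mailboxes.
$sample = @(
    [pscustomobject]@{
        PrimarySmtpAddress               = 'tonysmith@contoso.com'
        AllowUMCallsFromNonUsers         = 'SearchEnabled'
        AnonymousCallersCanLeaveMessages = $true
    }
    [pscustomobject]@{
        PrimarySmtpAddress               = 'frontdesk@contoso.com'
        AllowUMCallsFromNonUsers         = 'SearchEnabled'
        AnonymousCallersCanLeaveMessages = $false
    }
    [pscustomobject]@{
        PrimarySmtpAddress               = 'cfo@contoso.com'
        AllowUMCallsFromNonUsers         = 'None'
        AnonymousCallersCanLeaveMessages = $false
    }
)

# Three findings: two for tonysmith, one for frontdesk, none for cfo.
$findings = @($sample | Get-UMExposureFinding)
$findings | Format-Table -AutoSize -Wrap

# Against a live session, feed the real cmdlet output instead of $sample:
#   Get-UMMailbox -ResultSize Unlimited | Get-UMExposureFinding
```

Review the findings before applying any remediation line: a mailbox such as a reception desk may need to stay reachable from the auto attendant.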


Disable voice mail for a user
2/28/2019 • 2 minutes to read

You can disable Unified Messaging (UM) for a UM-enabled user. When you do this, the user can no longer use the
voice mail features found in Unified Messaging. If you prefer, when you disable UM for a user, you can keep the
UM settings for the user.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform these procedures, confirm that the existing user is currently enabled for Unified
Messaging. For detailed steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable Unified Messaging and voice mail for a user
1. In the EAC, click Recipients.
2. In the list view, select the user whose mailbox you want to disable for Unified Messaging.
3. In the Details pane, under Phone and Voice Features, under Unified Messaging, click Disable.
4. In the Warning box, click Yes to confirm that Unified Messaging will be disabled for the user.

Use Exchange Online PowerShell to disable Unified Messaging and voice mail for a user
This example disables Unified Messaging and voice mail for the user tonysmith@contoso.com, but keeps the UM
mailbox settings.

Disable-UMMailbox -Identity tonysmith@contoso.com -KeepProperties $True


Change a SIP address
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
You can change the primary SIP address that was added when the user was enabled for UM or a secondary SIP
address that was added later, along with the EUM proxy addresses for the user. The primary SIP address you
added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
secondary SIP addresses you added will be listed as secondary EUM proxy addresses. When secondary SIP
addresses are changed, callers can leave voice mail for the user at all SIP endpoints that the user is signed in to
using the new SIP addresses. All the voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change a primary or a secondary SIP address. You can use
the Email Address page on the user's mailbox in the EAC to change a primary or a secondary SIP address. You
can't use the UM Mailbox page in the EAC to change a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a SIP URI UM dial plan has been created. For detailed
steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the existing user is enabled for UM and linked to a SIP
URI dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the SIP address that will be assigned to the user is valid
and formatted correctly.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the primary or a secondary SIP address
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to change a SIP address, and then click Edit.
3. On the User Mailbox page, under Email address, select the SIP address you want to change, and then
click Edit. The primary SIP address is listed in bold letters and numbers.
4. On the Email address page, in the Address/Extension box, enter the new SIP address for the user, and
then click OK. If you need to select a new UM dial plan, you can click Browse.
5. Click Save.

Use Exchange Online PowerShell to change the primary or a secondary SIP address
This example changes a SIP address for Tony Smith.

NOTE
Before you change a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM proxy
address is the default (primary) SIP address and it will be 0 in the list.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(1)="eum:tsmith@contoso.com;phone-context=MySIPDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses


Change an extension number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
You can change the primary extension number that was added when the user was enabled for UM or a secondary
extension number that was added later, along with the related EUM proxy addresses for the user. The primary
extension number you added when the user was enabled for UM will be listed as the primary EUM proxy address.
Any additional secondary extension numbers you added will be listed as secondary EUM proxy addresses. When
extension numbers have been changed, callers can leave voice mail for the user at all the new extension numbers
that have been set. All the voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change a primary or a secondary extension number for a
user. You can use the Email Address page on the user's mailbox in the EAC to change a primary or secondary
extension number. You can't use the UM Mailbox page in the EAC to change a primary extension number, but you
can use it to change a secondary extension number. If you want to change a secondary extension number, you
must first remove the existing secondary extension number and then add the correct secondary extension number
for the user.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a telephone extension UM dial plan has been created.
For detailed steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to a telephone extension dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the extension number that will be assigned to the user
contains the correct number of digits set on the UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the primary or secondary extension number
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to change an extension number, and then click Edit.
3. On the User Mailbox page, under Email address, select the extension number you want to change, and
then click Edit. The primary extension number is listed in bold letters and numbers.
4. On the Email address page, in the Address/Extension box, enter the new extension number for the user.
If you need to select a new UM dial plan, you can click Browse.
5. Click Save.

Use Exchange Online PowerShell to change the primary or secondary extension number
This example changes the extension number to 22222 for Tony Smith, a UM-enabled user.

NOTE
Before you change an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address is the default (primary) extension number and it will be 0 in the list.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(0)="eum:22222;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses


Add a SIP address
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
The primary SIP address you added when the user was enabled for UM will be listed as the primary EUM proxy
address. If the primary SIP address was removed, the first EUM proxy address you add that contains the user's SIP
address will be listed as the primary EUM proxy address. Any additional SIP addresses you add will be listed as
secondary EUM proxy addresses. When secondary SIP addresses are added, callers can leave voice mail for the
user at SIP endpoints that the user is signed in to using the SIP addresses. All the voice messages will be delivered
to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary SIP address for a user. You
can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary SIP address. You
can't use the UM Mailbox page in the EAC to add a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a SIP URI UM dial plan has been created. For detailed
steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the existing user is enabled for UM and linked to a SIP
URI dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the SIP address that will be assigned to the user is valid
and formatted correctly.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to add a primary or secondary SIP address
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to add a SIP address, and then click Edit.
3. On the User Mailbox page, under Email address, click Add.
4. On the New email address page, select EUM and, in the Address/Extension box, enter the new SIP
address for the user.
5. On the New email address page, under Dial plan, click Browse to select the SIP URI dial plan, and then
click OK.
6. Click Save.

Use Exchange Online PowerShell to add a SIP address


This example adds a SIP address for Tony Smith, a UM-enabled user.

NOTE
Before you add a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy address
in the list will be 0.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses +="eum:tsmit@contoso.com;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Remove a SIP address
3/4/2019 • 3 minutes to read

When you enable a user for UM and link them to a SIP URI dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains a SIP address for the user. The extension number is
used when the user calls in to an Outlook Voice Access number.
SIP URI dial plans and SIP addresses are used when you're integrating UM and Microsoft Office Communications
Server 2007 R2 or Microsoft Lync Server. The SIP address is used by Communications Server or Lync Server to
route incoming calls and send voice mail to the user. By default, the SIP address that's used by UM will be the SIP
address that's used by Communications Server or Lync Server.
You can remove the primary SIP address that was added when the user was enabled for UM or a secondary SIP
address that was added later, along with the EUM proxy address for the user. The primary SIP address you added
when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional SIP addresses
you added will be listed as secondary EUM proxy addresses. When a SIP address is removed, callers can no longer
leave voice mail for the user at the SIP address that was removed even if the user is signed in with the SIP address
assigned to the user in Communications Server or Lync Server.
If you remove the primary SIP address, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After the primary SIP address has been removed, the EUM proxy address for
the user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox cmdlet in
Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions, PhoneNumber,
and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary SIP address. You can use
the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary SIP address. You
can't use the UM Mailbox page in the EAC to remove a primary or secondary SIP address.
You can view the primary and secondary SIP addresses for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to a SIP URI dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the primary and secondary SIP addresses are
configured for the user.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to remove the primary or a secondary SIP address


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox from which you want to remove a SIP address, and then click Edit.
3. On the User Mailbox page, under Email address, select the SIP address that you want to remove from the
list, and then click Delete. The primary EUM proxy address or SIP address is listed in bold letters and
numbers.
4. Click Save.

Use Exchange Online PowerShell to remove the primary or a secondary SIP address


This example removes the SIP address which is second in the list of available addresses from the mailbox of Tony
Smith, a UM-enabled user.

NOTE
Before you remove a SIP address using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM proxy
address in the list will be 0.

$mbx = Get-Mailbox tony.smith
$mbx.EmailAddresses.Remove($mbx.EmailAddresses.Item(1))
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Add an extension number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
The primary extension number you added when the user was enabled for UM will be listed as the primary EUM
proxy address. If the primary extension number was removed, the first EUM proxy address you add that contains
the user's extension number will become the primary EUM proxy address. Any additional extension numbers you
add will be listed as secondary EUM proxy addresses. When additional secondary extension numbers are added,
callers can leave voice mail for the user at all extension numbers that have been set. All the voice messages will be
delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary extension number for a user.
You can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary extension
number. You can't use the UM Mailbox page in the EAC to add a primary extension number, but you can use that
page to add secondary extension numbers.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a telephone extension UM dial plan has been created.
For detailed steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to a telephone extension dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the extension number that will be assigned to the user
contains the correct number of digits set on the UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the EAC to add a secondary extension number
1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox to which you want to add an extension number.
3. In the details pane, Phone and Voice Features, under Unified Messaging, click View details.
4. On the UM Mailbox page, click Other Extensions, and then click Add.
5. On the Other extensions page, next to the UM dial plan box, click Browse and locate the dial plan for the
user.
6. On the Other extensions page, in the Extension number box, type the extension number, and then click
OK.
7. Click Save.

Use the EAC to add a primary or secondary extension number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox to which you want to add an extension number, and then click Edit.
3. On the User Mailbox page, under Email address, click Add.
4. On the New email address page, select EUM and, in the Address/Extension box, enter the extension
number for the user.
5. On the New email address page, under Dial plan, click Browse to select the telephone extension dial
plan, and then click OK.
6. Click Save.

Use Exchange Online PowerShell to add an extension number


This example adds an extension number 22222 for Tony Smith, a UM-enabled user.

NOTE
Before you add an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy
address in the list will be 0.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses +="eum:22222;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Remove an extension number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to a telephone extension dial plan, an EUM proxy address is created
for the user that contains the user's extension number. You must define at least one extension number for UM to
use so voice mail can be sent to the user's mailbox. The extension number is also used when the user calls in to an
Outlook Voice Access number.
You can remove the primary extension number that was added when the user was enabled for UM or a secondary
extension number that was added later, along with the related EUM proxy addresses for the user. The primary
extension number you added when the user was enabled for UM will be listed as the primary EUM proxy address.
Any additional extension numbers you added will be listed as secondary EUM proxy addresses. When an extension
number is removed, callers can no longer leave voice mail for the user at the extension number that was removed.
If you remove the primary extension number, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After the primary extension number has been removed, the EUM proxy
address for the user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox
cmdlet in Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions,
PhoneNumber, and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary extension number. You
can use the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary extension
number. You can't use the UM Mailbox page in the EAC to remove a primary extension number, but you can use it
to remove a secondary extension number.
You can view the primary and secondary extension numbers for a user by using the Get-UMMailbox cmdlet or
the Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to a telephone extension dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the primary and secondary extension numbers are
configured for the user.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to remove the primary or secondary extension number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox from which you want to remove an extension number, and then click Edit.
3. On the User Mailbox page, under Email address, select the extension number that you want to remove
from the list, and then click Delete. The primary EUM proxy address or extension number is listed in bold
letters and numbers.
4. Click Save.

Use the EAC to remove a secondary extension number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the user whose mailbox you want to remove an extension number from.
3. In the details pane, under Phone and Voice Features > Unified Messaging, click View details.
4. On the Other extensions page, in the Extension number box, select the extension number you want to
remove, and then click Delete.
5. Click Save.

Use Exchange Online PowerShell to remove an extension number


This example removes the extension number 12345 from the mailbox of Tony Smith, a UM-enabled user.

NOTE
Before you remove an extension number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address in the list will be 0.

$mbx = Get-Mailbox tony.smith
$mbx.EmailAddresses.Remove("eum:12345;phone-context=MyDialPlan.contoso.com")
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Change an E.164 number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
You can change the primary E.164 number that was added when the user was enabled for UM or a secondary
E.164 number that was added later, along with the EUM proxy addresses for the user. The primary E.164 number
you added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
secondary E.164 numbers you added will be listed as secondary EUM proxy addresses. When E.164 numbers have
been changed, callers can leave voice mail for the user at all the new E.164 numbers that have been set. All the
voice messages will be delivered to the same user's mailbox.
You can use the EAC or Exchange Online PowerShell to change the primary and secondary E.164 numbers for a
user. You can use the Email Address page on the user's mailbox to change a primary or secondary E.164 number.
However, you can't use the UM Mailbox page in the EAC to change a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that an E.164 UM dial plan has been created. For detailed
steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to an E.164 dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the E.164 number that will be assigned to the
UM-enabled user is valid.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the primary or a secondary E.164 number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to change an E.164 number, and then click Edit.
3. On the User Mailbox page, under Email address, select the E.164 number you want to change, and then
click Edit. The primary E.164 number is listed in bold letters and numbers.
4. On the Email address page, in the Address/Extension box, enter the new E.164 number for the user, and
then click OK. If you need to select a new UM dial plan, you can click Browse.
5. Click Save.

Use Exchange Online PowerShell to change the primary or a secondary E.164 number


This example changes an E.164 number for Tony Smith, a UM-enabled user.

NOTE
Before you change an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to change. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address is the default (primary) E.164 number and it will be 0 in the list.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses.Item(1)="eum:+14255550123;phone-context=MyE.164DialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
Add an E.164 number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
The primary E.164 number you added when the user was enabled for UM will be listed as the primary EUM proxy
address. If the primary E.164 number was removed, the first EUM proxy address you add that contains the user's
E.164 number will be listed as the primary EUM proxy address. Any additional E.164 numbers you add will be
listed as secondary EUM proxy addresses. When additional E.164 numbers are added, callers can leave voice mail
for the user at all E.164 numbers that have been set. All the voice messages will be delivered to the same user's
mailbox.
You can use the EAC or Exchange Online PowerShell to add a primary or a secondary E.164 number for a user. You
can use the Email Address page on the user's mailbox in the EAC to add a primary or secondary E.164 number.
You can't use the UM Mailbox page in the EAC to add a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that an E.164 UM dial plan has been created. For detailed
steps, see Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to an E.164 dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the E.164 number that will be assigned to the user is
valid and formatted correctly.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to add a primary or secondary E.164 number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox for which you want to add an E.164 number, and then click Edit.
3. On the User Mailbox page, under Email address, click Add.
4. On the New email address page, select EUM and, in the Address/Extension box, enter the new E.164
number for the user.
5. On the New email address page, under Dial plan, click Browse to select the E.164 dial plan and then click
OK.
6. Click Save.

Use Exchange Online PowerShell to add an E.164 number


This example adds an E.164 number for Tony Smith, a UM-enabled user.

NOTE
Before you add an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM proxy
address that you want to add. To determine the position, use the $mbx.EmailAddresses command. The first proxy address
in the list will be 0.

$mbx=Get-Mailbox tony.smith
$mbx.EmailAddresses +="eum:+14255550123;phone-context=MyDialPlan.contoso.com"
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
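
The add procedures for SIP addresses, extension numbers and E.164 numbers all ask you to confirm that the value is valid and correctly formatted before it is appended to $mbx.EmailAddresses. The following is an added example, not part of the original documentation, that performs that check and rejects duplicates; the function name, its parameters, the validation patterns and the sample addresses are assumptions made for illustration.

```powershell
# Added example, not from the original documentation. The function name,
# parameters and validation patterns are assumptions for illustration.
function New-EumProxyAddressString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Extension', 'E164', 'Sip')] [string] $Kind,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [string] $PhoneContext,   # e.g. MyDialPlan.contoso.com
        [int] $ExtensionDigits = 5,                      # digits set on the dial plan
        [string[]] $Existing = @()                       # addresses already on the mailbox
    )

    $v = $Value.Trim()
    switch ($Kind) {
        'Extension' {
            # Must contain exactly the number of digits configured on the dial plan
            $pattern = '^\d{' + $ExtensionDigits + '}$'
            if ($v -notmatch $pattern) {
                throw "Extension '$v' must be exactly $ExtensionDigits digits."
            }
        }
        'E164' {
            # "+" followed by 2 to 15 digits with no leading zero (assumed shape)
            if ($v -notmatch '^\+[1-9]\d{1,14}$') {
                throw "'$v' is not a valid E.164 number."
            }
        }
        'Sip' {
            # user@domain; ";" and ":" are excluded because the EUM syntax uses them
            if ($v -notmatch '^[^\s;:@]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
                throw "'$v' is not a valid SIP address."
            }
        }
    }
    if ($PhoneContext -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "Phone context '$PhoneContext' is not a dotted name."
    }

    $new = "eum:$v;phone-context=$PhoneContext"
    # -contains compares case-insensitively, so a primary "EUM:" entry also counts
    if ($Existing -contains $new) {
        throw "'$new' is already present on the mailbox."
    }
    $new
}

# Constructed sample standing in for (Get-Mailbox tony.smith).EmailAddresses
$existing = @(
    'SMTP:tony.smith@contoso.com',
    'EUM:12345;phone-context=MyDialPlan.contoso.com'
)
$candidates = @(
    @{ Kind = 'Extension'; Value = '22222' },
    @{ Kind = 'Extension'; Value = '2222' },        # wrong digit count
    @{ Kind = 'Extension'; Value = '12345' },       # already present
    @{ Kind = 'E164';      Value = '+14255550123' },
    @{ Kind = 'E164';      Value = '14255550123' }  # missing "+"
)
foreach ($c in $candidates) {
    try {
        $addr = New-EumProxyAddressString @c -PhoneContext 'MyDialPlan.contoso.com' -Existing $existing
        "OK       $addr"
        # Live tenant: $mbx.EmailAddresses += $addr, then Set-Mailbox as shown above
    } catch {
        "REJECTED $($_.Exception.Message)"
    }
}
```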
Remove an E.164 number
2/28/2019 • 3 minutes to read

When you enable a user for UM and link them to an E.164 dial plan, two EUM proxy addresses are created. One
contains the user's extension number and the other contains the E.164 number for the user. The extension number
is used when the user calls in to an Outlook Voice Access number.
You can remove the primary E.164 number that was added when the user was enabled for UM or a secondary
E.164 number that was added later, along with the EUM proxy addresses for the user. The primary E.164 number
you added when the user was enabled for UM will be listed as the primary EUM proxy address. Any additional
E.164 numbers you added will be listed as secondary EUM proxy addresses. When an E.164 number is removed,
callers can no longer leave voice mail for the user at the E.164 number that was removed.
If you remove the primary E.164 number, UM won't be able to send voice mail to the user's mailbox and call
answering rules won't be processed. After you remove the primary E.164 number, the EUM proxy address for the
user will be listed as Null on the user's mailbox in the EAC and when you run the Get-Mailbox cmdlet in
Exchange Online PowerShell. Also, when you run the Get-UMMailbox cmdlet, the Extensions, PhoneNumber,
and CallAnsweringRulesExtensions parameters will be blank or null.
You can use the EAC or Exchange Online PowerShell to remove a primary or a secondary E.164 number for a user.
You can use the Email Address page on the user's mailbox in the EAC to remove a primary or a secondary E.164
number. You can't use the UM Mailbox page in the EAC to remove a primary or secondary E.164 number.
You can view the primary and secondary E.164 numbers for a user by using the Get-UMMailbox cmdlet or the
Get-Mailbox cmdlet in Exchange Online PowerShell.
For additional management tasks related to users who are enabled for voice mail, see Voice mail-enabled user
procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that an E.164 UM dial plan has been created. For detailed steps,
see Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been enabled for UM and linked
to an E.164 dial plan. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that the primary and secondary E.164 numbers are
configured for the user.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to remove the primary or a secondary E.164 number


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the list view, select the mailbox from which you want to remove an E.164 number, and then click Edit.
3. On the User Mailbox page, under Email address, select the E.164 number that you want to remove from
the list, and then click Delete. The primary EUM proxy address or E.164 number is listed in bold letters
and numbers.
4. Click Save.

Use Exchange Online PowerShell to remove the primary or a secondary E.164 number


This example removes the E.164 number +14255551010 from the mailbox of Tony Smith, a UM-enabled user.

NOTE
Before you remove an E.164 number using Exchange Online PowerShell, you need to determine the position of the EUM
proxy address that you want to modify. To determine the position, use the $mbx.EmailAddresses command. The first EUM
proxy address in the list will be 0.

$mbx = Get-Mailbox tony.smith
$mbx.EmailAddresses.Remove("eum:+14255551010;phone-context=MyDialPlan.contoso.com")
Set-Mailbox tony.smith -EmailAddresses $mbx.EmailAddresses
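
The remove and change procedures for SIP addresses, extension numbers and E.164 numbers all depend on knowing the position of each EUM proxy address and on not removing the primary one by accident, since that stops voice mail delivery. The following is an added example, not part of the original documentation, that lists EUM entries with their positions and refuses to drop the primary unless asked; the function names and sample addresses are hypothetical, and it assumes the primary EUM proxy address carries an upper-case "EUM:" prefix while secondary ones use lower-case "eum:".

```powershell
# Added example, not from the original documentation. Function names are
# hypothetical. Assumption: the primary EUM proxy address has an upper-case
# "EUM:" prefix and secondary addresses a lower-case "eum:" prefix.
function Get-EumProxyAddressPosition {
    param([Parameter(Mandatory)] [string[]] $EmailAddresses)
    for ($i = 0; $i -lt $EmailAddresses.Count; $i++) {
        $a = $EmailAddresses[$i]
        # -match is case-insensitive, so both "EUM:" and "eum:" entries are found
        if ($a -match '^(?<prefix>eum):(?<value>[^;]+);phone-context=(?<ctx>.+)$') {
            [pscustomobject]@{
                Position     = $i                         # index usable with .Item()
                IsPrimary    = $Matches.prefix -ceq 'EUM' # case-sensitive comparison
                Value        = $Matches.value
                PhoneContext = $Matches.ctx
                Address      = $a
            }
        }
    }
}

function Remove-EumProxyAddressEntry {
    param(
        [Parameter(Mandatory)] [string[]] $EmailAddresses,
        [Parameter(Mandatory)] [string] $Address,
        [switch] $AllowPrimary
    )
    $eum = @(Get-EumProxyAddressPosition -EmailAddresses $EmailAddresses)
    $hit = @($eum | Where-Object { $_.Address -eq $Address })
    if ($hit.Count -eq 0) {
        throw "No EUM proxy address '$Address' on this mailbox."
    }
    if ($hit[0].IsPrimary -and -not $AllowPrimary) {
        throw "'$Address' is the primary EUM proxy address; removing it stops voice mail delivery."
    }
    # Emit every address except the matched one; other address types are untouched
    $keep = for ($i = 0; $i -lt $EmailAddresses.Count; $i++) {
        if ($i -ne $hit[0].Position) { $EmailAddresses[$i] }
    }
    $keep
}

# Constructed sample standing in for (Get-Mailbox tony.smith).EmailAddresses
$addresses = @(
    'SMTP:tony.smith@contoso.com',
    'EUM:12345;phone-context=MyDialPlan.contoso.com',
    'eum:22222;phone-context=MyDialPlan.contoso.com',
    'eum:+14255551010;phone-context=MyDialPlan.contoso.com'
)

# Show each EUM entry with its position in the full address list
Get-EumProxyAddressPosition -EmailAddresses $addresses |
    Format-Table Position, IsPrimary, Value, PhoneContext -AutoSize | Out-String

# Secondary address: removed from the returned list
$after = @(Remove-EumProxyAddressEntry -EmailAddresses $addresses `
    -Address 'eum:+14255551010;phone-context=MyDialPlan.contoso.com')
"Remaining: $($after.Count) addresses"

# Primary address: refused unless -AllowPrimary is given
try {
    Remove-EumProxyAddressEntry -EmailAddresses $addresses `
        -Address 'eum:12345;phone-context=MyDialPlan.contoso.com' | Out-Null
} catch {
    "Refused: $($_.Exception.Message)"
}
# Live tenant: Set-Mailbox tony.smith -EmailAddresses $after
```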
Set up client voice mail features in Exchange Online
3/6/2019 • 3 minutes to read

This topic describes the client features that give users who are enabled for Exchange Unified Messaging (UM)
access to the email and voice mail messages in their mailbox. These features let you offer your users simplified
access to voice mail and email and an improved overall user experience.

Voice mail client support


Exchange ActiveSync clients: The Microsoft Exchange ActiveSync protocol is used to connect mobile clients,
such as those found on internet-capable mobile devices, to an Exchange mailbox. Users can use mobile devices to
access their mailbox and view email messages, view and change calendar and contact information, and listen to
their voice mail messages. They can also synchronize email, voice mail, calendar items, and contact information
with other devices.
Integration with Outlook: Microsoft Outlook enables users to access their Exchange mailbox and view email
messages in their Inbox, view and change calendar information, and listen to voice messages by using Microsoft
Windows Media Player, which is embedded inside the email messages. By using a supported email client, users
gain additional features, such as the Play on Phone functionality.
Integration with Outlook Web App: Microsoft Outlook Web App provides users with a set of UM interfaces and
tools comparable to a full-featured email client like Outlook. With Outlook Web App, users can access their
Exchange mailbox by using a compliant web browser. Like Outlook, Outlook Web App provides Windows Media
Player embedded in email messages so that users can listen to voice messages, and enables users to access other
features such as Play on Phone.

Outlook Voice Access


In Exchange UM, a UM-enabled user can call in to an internal or external telephone number that's configured on a
UM dial plan to access their mailbox and use the Outlook Voice Access menu system. Using this menu,
UM-enabled users can read email, listen to voice messages, interact with their Outlook calendar, access their personal
contacts, and perform tasks such as configuring their Outlook Voice Access PIN or recording their voice mail
greetings. For details, see Setting up Outlook Voice Access.

Forwarding calls
A UM-enabled user can create and configure call answering rules using Outlook or Outlook Web App. Call
answering rules let users control how their incoming calls should be handled. The rules are applied to incoming
calls similar to the way Inbox rules are applied to incoming email messages, and are stored along with other voice
settings in the user's mailbox. Up to nine call answering rules can be set up for each UM-enabled mailbox. These
rules are independent of the Inbox rules and don't take up part of the user's Inbox rules storage quota. For details,
see Allow voice mail users to forward calls.

Voice Mail Preview


Voice Mail Preview is a feature that's available to users who receive their voice mail messages from the UM voice
mail system. Voice Mail Preview enhances the voice mail experience by providing a text version of audio
recordings. For details, see Allow users to see a voice mail transcript.
Receiving faxes
UM forwards incoming fax calls for a UM-enabled user to a dedicated fax partner solution, which establishes the
fax call with the fax sender and receives the fax on behalf of the user. Before your UM-enabled users can receive fax
messages in their mailbox, you must do the following:
Enable inbound faxing on the UM dial plan linked to the users by setting the FaxEnabled parameter to $true.
Enable inbound faxing on the UM dial plan linked to the users by setting the AllowFax parameter to $true.
Enable inbound faxing for the users by setting the FaxEnabled parameter to $true.
Set the partner fax server URI to allow inbound faxing.
Configure authentication between the Mailbox server and the fax partner server.
Setting up Outlook Voice Access
2/28/2019 • 9 minutes to read

Microsoft Outlook Voice Access lets users who are enabled for Exchange Unified Messaging (UM) access their
mailboxes by using analog, digital, or cellular telephones.
An Outlook Voice Access user (also called a subscriber), is a user in an organization who's enabled for Unified
Messaging. Subscribers use Outlook Voice Access to access their mailboxes by telephone to retrieve email, voice
mail messages, personal contacts, and calendar information.

Outlook Voice Access overview


In Microsoft Exchange UM, a UM-enabled user can call in to an internal or external telephone number that's
configured on a UM dial plan to access their mailbox and use the Outlook Voice Access menu system. Using this
menu, UM-enabled users can read email, listen to voice messages, interact with their Outlook calendar, access their
personal contacts, and perform tasks such as configuring their Outlook Voice Access PIN and recording their voice
mail greetings.
Two types of users, authenticated and unauthenticated, can call in to an Outlook Voice Access number. When an
unauthenticated user calls into an Outlook Voice Access number that is set on a UM dial plan, they are only able to
do directory searches for users. Authenticated users, those that input their PIN, can perform directory searches
and sign in to their mailbox to listen to email, calendar items, and voice mail, and to search personal contacts.
When they are searching for a user in the directory or personal contacts, after the user is located, they can transfer
calls to a user or ring the user's extension.

Outlook Voice Access interfaces


Two Unified Messaging user interfaces are available to Outlook Voice Access users: the telephone user interface
(TUI) and the voice user interface (VUI) that uses Automatic Speech Recognition (ASR).
Before users can use the VUI in Outlook Voice Access, it must be enabled on the UM dial plan and on the UM
mailbox policy and also be enabled for the user. By default, when you create a dial plan and a UM mailbox policy
and enable voice mail for a user, the user can use ASR or the Outlook Voice Access VUI to navigate menus,
messages, and other options. However, even if the user is able to use the VUI, they will have to use the telephone
key pad to enter their PIN, navigate personal options, and perform a directory search. The default settings are
listed in the following table.

| UM COMPONENT | DEFAULT SETTING | EXCHANGE ONLINE POWERSHELL EXAMPLE TO ENABLE VUI ACCESS |
|---|---|---|
| UM dial plan | Enabled | Set-UMDialPlan -Identity MyUMDialPlan -AutomaticSpeechRecognitionEnabled $true |
| UM mailbox policy | Enabled | Set-UMMailboxPolicy -Identity MyUMPolicy -AllowAutomaticSpeechRecognition $true |
| User's mailbox | Enabled | Set-UMMailbox -Identity tonysmith -AutomaticSpeechRecognitionEnabled $true |

The following section includes scenarios that describe the VUI functionality.

Outlook Voice Access scenarios


Here are examples of how Outlook Voice Access can be used from a telephone:
Access email: An Outlook Voice Access user places a call to an Outlook Voice Access number from a
telephone and wants to access their email. The voice prompt says, "Welcome. You're connected to Microsoft
Exchange. To access your mailbox, please enter your extension. To contact someone, press the pound key."
After the user enters a mailbox extension number, the voice prompt says, "Please enter your PIN and press
the pound key." After the user enters a PIN, the voice prompt says, "You have two new voice mails, 10 new
email messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal
contacts, directory, or personal options." When the user says "Email," the voice mail system reads the
message header and then the name, subject, time, and priority for the messages that are in the user's
mailbox.
Access calendar: An Outlook Voice Access user places a call to an Outlook Voice Access number from a
telephone and wants to access their calendar. The voice prompt says, "Welcome. You're connected to
Microsoft Exchange. To access your mailbox, please enter your extension. To contact someone, press the
pound key." After the user enters a mailbox extension number, the voice prompt says, "Please enter your
PIN and press the pound key." After the user enters a PIN, the voice prompt says, "You have two new voice
mails, 10 new email messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar,
personal contacts, directory, or personal options." When the user says "Calendar," the voice mail system
says, "Sure, and which day should I open?" The user says, "Today's calendar." The voice mail system
responds by saying, "Opening today's calendar." The voice mail system reads each calendar appointment for
that day for the user.

NOTE
If a Mailbox server running the Microsoft Exchange Unified Messaging service encounters a corrupted calendar item
in a user's mailbox, it will fail to read the item, return the caller to the Outlook Voice Access main menu, and skip
reading any additional meetings that may be scheduled for the rest of the day.

Access voice mail: An Outlook Voice Access user places a call to an Outlook Voice Access number from a
telephone and wants to access voice mail. The voice prompt says, "Welcome. You're connected to Microsoft
Exchange. To access your mailbox, please enter your extension. To contact someone, press the pound key."
After the user enters a mailbox extension number, the voice prompt says, "Please enter your PIN and press
the pound key." After the user enters a PIN, the voice prompt says, "You have two new voice mails, 10 new
email messages, and your next meeting is at 10:00 A.M. Please say voice mail, email, calendar, personal
contacts, directory, or personal options." The user says "Voice mail," and the voice mail system reads the
message header and then the name, subject, time, and priority for the voice messages that are in the user's
mailbox.
NOTE
If speech recognition is enabled, users can access their UM-enabled mailbox using speech input. Subscribers can also
use touchtone, also known as dual tone multi-frequency (DTMF), by pressing 0. Speech recognition isn't enabled for
PIN input.

Locate a user in the directory: An Outlook Voice Access user places a call to an Outlook Voice Access
number from a telephone and wants to locate a person in the directory by spelling their email alias. The
voice prompt says, "Welcome. You're connected to Microsoft Exchange. To contact someone, press the
pound key." The user presses the pound key, and then uses touchtone inputs to spell the SMTP address of
the person.

NOTE
The directory search feature with an Outlook Voice Access number isn't speech-enabled. Users can spell the name of
the person they want to contact only by using touchtone inputs.

IMPORTANT
In some companies (especially in East Asia), office telephones may not have letters on the keys of the telephone. This
makes the spell-the-name feature that uses the touchtone interface almost impossible to use without a working
knowledge of the key mappings. By default, Unified Messaging uses the E.161 key mapping. For example, 2=ABC,
3=DEF, 4=GHI, 5=JKL, 6=MNO, 7=PQRS, 8=TUV, 9=WXYZ.

When inputting a combination of letters and numbers, for example, Mike1092, the numeric digits are
mapped to themselves. For an email alias of Mike1092 to be entered correctly, the user must press the
numbers 64531092. Also, for characters other than A-Z and 0-9, there isn't a telephone key equivalent.
Therefore, these characters shouldn't be entered. For example, the email alias jim.wilson would be entered
as 546945766. Even though there are 10 characters to be input, the user enters only 9 digits because there's
no digit equivalent for the period (.).
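
The key mapping described above, as an added PowerShell example that is not part of the original documentation: it converts an alias to the digits a caller presses and groups aliases that collapse to the same digit string, which is what makes a directory entry ambiguous on the keypad. The function names and the sample aliases are constructed for illustration.

```powershell
# E.161 letter groups as listed on this page (2=ABC ... 9=WXYZ).
$E161Groups = [ordered]@{
    '2' = 'ABC'; '3' = 'DEF'; '4' = 'GHI'; '5' = 'JKL'
    '6' = 'MNO'; '7' = 'PQRS'; '8' = 'TUV'; '9' = 'WXYZ'
}

# Build a letter -> digit lookup table from the groups.
$E161Map = @{}
foreach ($digit in $E161Groups.Keys) {
    foreach ($letter in $E161Groups[$digit].ToCharArray()) {
        $E161Map[[string]$letter] = $digit
    }
}

function ConvertTo-E161Digits {
    # Returns the touchtone digits for an alias: letters map through E.161,
    # digits map to themselves, every other character is dropped.
    param([Parameter(Mandatory)] [string] $Alias)

    $digits = [System.Text.StringBuilder]::new()
    foreach ($char in $Alias.ToUpperInvariant().ToCharArray()) {
        $symbol = [string]$char
        if ($symbol -match '^[0-9]$') {
            [void]$digits.Append($symbol)
        }
        elseif ($E161Map.ContainsKey($symbol)) {
            [void]$digits.Append($E161Map[$symbol])
        }
        # Anything else (period, hyphen, underscore, non-ASCII letters)
        # has no telephone key equivalent and is skipped.
    }
    $digits.ToString()
}

function Find-E161Collision {
    # Groups aliases by their digit string and returns only the groups
    # where more than one alias shares the same keypad entry.
    param([Parameter(Mandatory)] [string[]] $Alias)

    $Alias |
        Group-Object -Property { ConvertTo-E161Digits -Alias $_ } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Digits  = $_.Name
                Aliases = $_.Group -join ', '
            }
        }
}

# Constructed sample aliases (not real directory data). Mike1092 and
# jim.wilson are the two aliases used as examples on this page.
$sampleAliases = 'Mike1092', 'jim.wilson', 'jimwilson', 'kim.wilson', 'tonysmith'

# Per-alias digit strings.
$sampleAliases | ForEach-Object {
    [pscustomobject]@{ Alias = $_; Digits = ConvertTo-E161Digits -Alias $_ }
}

# Aliases that cannot be told apart by touchtone entry alone.
Find-E161Collision -Alias $sampleAliases
```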

Distribution groups and contact groups


Users can use Outlook Voice Access to send or forward a voice message, an email message, or a meeting request.
They can send or forward the message or meeting request to any of the following:
A person in their personal Contacts folder
A person in their organization's shared address book
A contact group they've created in their Contacts folder
A distribution group included in their organization's shared address book
They can send messages and meeting requests by using the VUI (if ASR has been turned on) or by using
touchtone inputs on their telephone keypad. They can also use Outlook Voice Access to listen to details about a
group, including the members of the group.
NOTE
If a user tries to send a message to a group (either a distribution group in their shared address book or a contact group in
their personal Contacts folder) that doesn't include any members, the voice mail system won't give them the option to send
or forward the message or meeting request. If they try to add a group with no members as one of the recipients of a
message or meeting request that they're creating over the phone, the voice mail system won't add the group to the
message, and will say "The message could not be sent because the contact does not appear to have a valid email address."

Choosing a language
Users can't change the language that Outlook Voice Access uses to speak to them and that they use when they
reply to it. The voice mail system tries to find and use the best match for the language the user chose when they
signed in to Microsoft Outlook Web App or the language they chose on the regional settings in Outlook Web App.
If the language they chose isn't supported by Outlook Voice Access, the voice mail system will use the same
language that callers hear when they're prompted to leave a voice message.

Controlling Outlook Voice Access features


By default, when users dial in to Outlook Voice Access, they can use the telephone to access their calendar, email,
and personal contacts, and to search the directory. You can use Exchange Online PowerShell to prevent users from
accessing one or more of these features when they use Outlook Voice Access to access their mailbox. When you
modify Outlook Voice Access features on a UM mailbox policy, your changes affect all users who are associated
with the UM mailbox policy. You can also disable some features on a single user's mailbox, although other features
can only be disabled on a UM mailbox policy and aren't available on an individual mailbox.

NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access TUI settings for UM-enabled mailboxes or
UM mailbox policies.

UM mailbox policy settings: You can disable users' access to the following Outlook Voice Access features on a
UM mailbox policy:
Automatic Speech Recognition
PIN-less access to voice mail
Voice responses to other messages
TUI access to their calendar
TUI access to the directory
TUI access to their email
TUI access to their personal Contacts
UM-enabled mailbox settings: You can disable a user's access to the following Outlook Voice Access features
on the user's mailbox:
TUI access to the calendar
TUI access to email
Automatic Speech Recognition
You can prevent users from receiving voice mail, but let them retain the ability to access their mailbox using
Outlook Voice Access. You can enable a user for UM and configure the user's mailbox with an extension number
that isn't currently being used by another user in the organization.
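
One way to check UM mailbox policies against a chosen set of restrictions, as an added PowerShell example that is not part of the original documentation. The Allow* names are the Set-UMMailboxPolicy parameters for features listed above; the baseline values, the function names and the sample policy objects are assumptions constructed for illustration.

```powershell
# Assumed baseline for this example (not from the page): the value each
# UM mailbox policy setting should have. Adjust to your own requirements.
$Baseline = [ordered]@{
    AllowPinlessVoiceMailAccess           = $false
    AllowTUIAccessToEmail                 = $false
    AllowTUIAccessToCalendar              = $false
    AllowVoiceResponseToOtherMessageTypes = $false
}

function Get-UMPolicyDrift {
    # Compares policy objects (shaped like Get-UMMailboxPolicy output) with
    # the baseline and emits one record per setting that differs or is missing.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Policy,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    process {
        foreach ($setting in $Baseline.Keys) {
            $property = $Policy.PSObject.Properties[$setting]
            $current  = if ($property) { $property.Value } else { $null }
            # A missing property is reported too, so it is never read as compliant.
            if ($null -eq $current -or $current -ne $Baseline[$setting]) {
                [pscustomobject]@{
                    Policy  = $Policy.Name
                    Setting = $setting
                    Current = $current
                    Desired = $Baseline[$setting]
                }
            }
        }
    }
}

function New-UMPolicyRemediation {
    # Builds one Set-UMMailboxPolicy command line per drifting policy.
    # The commands are returned as text for review, not executed.
    param([Parameter(Mandatory)] [object[]] $Drift)

    $Drift | Group-Object -Property Policy | ForEach-Object {
        $switches = $_.Group | ForEach-Object {
            '-{0} ${1}' -f $_.Setting, $_.Desired.ToString().ToLowerInvariant()
        }
        'Set-UMMailboxPolicy -Identity "{0}" {1}' -f $_.Name, ($switches -join ' ')
    }
}

# Constructed sample objects standing in for Get-UMMailboxPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Name                                  = 'MyUMPolicy'
        AllowPinlessVoiceMailAccess           = $true
        AllowTUIAccessToEmail                 = $true
        AllowTUIAccessToCalendar              = $false
        AllowVoiceResponseToOtherMessageTypes = $false
    }
    [pscustomobject]@{
        Name                                  = 'SharedPhonePolicy'
        AllowPinlessVoiceMailAccess           = $false
        AllowTUIAccessToEmail                 = $false
        AllowTUIAccessToCalendar              = $false
        AllowVoiceResponseToOtherMessageTypes = $false
    }
)

$drift = @($samplePolicies | Get-UMPolicyDrift -Baseline $Baseline)
$drift | Format-Table -AutoSize

if ($drift.Count -gt 0) {
    New-UMPolicyRemediation -Drift $drift
}
```

Against a live tenant, the same check runs as `Get-UMMailboxPolicy | Get-UMPolicyDrift -Baseline $Baseline`; because the change applies to every user associated with the policy, review the generated command before running it.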
Outlook Voice Access commands
2/28/2019

Outlook Voice Access lets Unified Messaging (UM)-enabled users access their mailbox using analog, digital, or
mobile telephones. Using the menu system found in Outlook Voice Access, UM-enabled users can read email,
listen to voice messages, interact with their Outlook calendar, access their personal contacts, and manage personal
options such as configuring their Outlook Voice Access PIN or recording their voice mail messages. This topic
contains a list of the Outlook Voice Access commands and how users can use them when they access their mailbox
by calling an Outlook Voice Access number.

Outlook Voice Access user interfaces


Outlook Voice Access consists of two user interfaces: the Telephone User Interface (TUI) that uses a telephone
keypad and the Voice User Interface (VUI) that uses voice commands. Users can use Outlook Voice Access to
access the voice mail system from an external or internal telephone to access their personal email, voice messages,
contacts, and calendaring information in their mailbox.

Email and voice mail commands reference


As an Outlook Voice Access user, when you dial in to an Outlook Voice Access number, you're presented with menu
options that enable you to access your mailbox and manage your email and voice mail. The following table lists the
commands that are available for managing your email and voice mail.
Email and voice mail commands

| VOICE COMMAND | TOUCHTONE COMMAND | DESCRIPTION |
|---|---|---|
| "Play" | | Plays the current email or voice mail message. |
| "Next" | # | Reads the next email or voice mail message. |
| "Next unread" | 00 followed by ## | Reads the next unread email message. Available only for email. |
| "Delete" | 7 | Deletes the current email or voice mail message. |
| "Reply" | 8 | Replies to the user who sent the current email or voice mail message. |
| "Reply all" | 00 followed by 88 | Replies to all the users on the current email message. Not an available option for voice mail messages. |
| "Mark as unread" | 9 | Marks the email message as Unread. |
| "End" | 33 | Stops reading and goes to the end of the current email or voice mail message. |
| "More options" | 00 | Opens the More Options menu. |
| "Previous" | 00 followed by 11 | Reads the previous email or voice mail message. |
| "Read the header" | | Reads the header of the email or voice mail message. |
| "Call sender" | 00 followed by 2 | Places a call to the user who sent the current email or voice mail message. |
| "Forward" | 00 followed by 6 | Forwards the current email or voice mail message to other email recipients or groups. |
| "Flag for follow-up" | 00 followed by 44 | Marks or flags the current email or voice mail message for follow-up. |
| "Find by name" | | Uses the user's name to locate email or voice mail messages in the user's mailbox. |
| "Delete conversation" | 00 followed by 77 | Deletes all the email messages that are associated with an email conversation. Available only for email. |
| "Hide conversation" | 00 followed by 99 | Hides additional email messages that are contained within the same email conversation. Available only for email. |
| "Envelope information" | 00 followed by 5 | Reads the envelope information for the email or voice mail message. |
| "Select language" | 00 followed by 55 | Lets you select the language in which you want the email or voice mail message to be read. |
| "Rewind" or "Repeat" | 1 | Rewinds or repeats the current email or voice mail message. Available only while the message is being played. |
| "Pause" | 2 | Pauses the current email or voice mail message. Available only while the message is being played. |
| "Fast forward" | 3 | Fast forwards the current email or voice mail message. Available only while the message is being played. |
| "Slow down" | 4 | Plays or reads the current email or voice mail message more slowly. Available only while the message is being played. |
| "Faster" | 6 | Plays or reads the current email or voice mail message faster. Available only while the message is being played. |
| "Previous" | 11 | Reads the previous email message from the beginning. Available only for email. |
| "Replay" | 00 followed by 1 | Replays the current email or voice mail message. |
| "Repeat" | 0 | Repeats the current menu options. |
| "Main menu" | * | Exits to the main menu. |

IMPORTANT
If you need to access an email message after you delete it using Outlook Voice Access, you can use Outlook Web App or
Outlook to move the email message back into the appropriate folder from the Deleted Items folder. You can't use Outlook
Voice Access to access the Deleted Items folder.

Calendar options command reference


As an Outlook Voice Access user, when you dial in to an Outlook Voice Access number, you're presented with menu
options that enable you to access your mailbox and manage your calendar. The following table lists the commands
that are available for managing your calendar.
Calendar commands

| VOICE COMMAND | TOUCHTONE COMMAND | DESCRIPTION |
|---|---|---|
| "Next" | # | Reads the next calendar appointment. |
| "Next day" | ## | Opens and reads the calendar appointments for the next day. |
| "Repeat" | 0 | Repeats the menu options that are available. Or, if you're using the VUI, the system reads the calendar appointment again. |
| "More options" | 00 | Plays the more calendar options menu. |
| "Repeat" | 1 | Reads the calendar appointment again. |
| "Previous meeting" | 00 followed by 11 | Opens the previous meeting that's scheduled. |
| "Call location" | 2 | Calls the telephone number that's listed for the meeting location. |
| "Call organizer" | 00 followed by 22 | Calls the telephone number that's listed for the organizer of the meeting. |
| "I'll be late" | 3 | Sends an I'll be late message to all the meeting attendees. |
| "Accept" or "Tentative accept" | 4 | Accepts or tentatively accepts the meeting request. |
| "Meeting details" | 5 | Reads or plays back the details of the meeting that's currently being read. |
| "Attendance details" | 00 followed by 55 | Reads or plays the details of a meeting that's scheduled. |
| "Forward" | 00 followed by 6 | Forwards a meeting request for the meeting to another user. |
| "Decline" or "Cancel" | 7 | Declines or cancels the meeting request. |
| "Clear my calendar" | 00 followed by 77 | Clears your calendar for a specific time period for that day. |
| "Reply" | 00 followed by 8 | Replies to the meeting organizer. |
| "Reply all" | 00 followed by 88 | Replies to all the meeting attendees. |
| "Repeat menu" | 5 followed by 0 | Repeats the menu options that are available. |
| "Rewind" | 5 followed by 1 | Rewinds the meeting details. |
| | 5 followed by 11 | Returns to the beginning of the meeting details. |
| | 5 followed by 2 | Pauses and resumes playback of the meeting details. |
| "Fast forward" | 5 followed by 3 | Skips forward within the meeting details. |
| "End" | 5 followed by 33 | Skips to the end of the meeting details. |
| | 5 followed by 4 | Plays or reads the meeting details slower. |
| | 5 followed by 55 | Selects the language that will be used to read the meeting details. |
| | 5 followed by 6 | Plays or reads the meeting details faster. |
| "Main menu" | * | Exits to the main menu. |

Find a contact commands reference


As an Outlook Voice Access user, when you dial in to an Outlook Voice Access number, you're presented with menu
options that enable you to access your mailbox, change personal options, or call or send a message to a contact. If
you choose to use your voice, which is selected by default, and select the contacts menu option, the voice mail
system prompts you to use the telephone keypad to navigate the find a contact options. You can also locate a user in the
directory or a contact by using the telephone keypad. The following table lists the commands that are available for
managing your contacts or searching for a user.
Contact commands

| VOICE COMMAND | TOUCHTONE COMMAND | DESCRIPTION |
|---|---|---|
| "Directory" | 00 | Searches the directory for a user. |
| "Play details" | 1 | Plays the details of the personal contact, such as the telephone numbers that are listed for the personal contact. |
| "Send a message" | 3 | Sends a message to the personal contact that's selected. |
| "Find another contact" | 4 | Finds another personal contact. |
| "Call the cell" | 2 followed by 1 | Calls the mobile telephone number that's listed for the personal contact. |
| "Call the office" | 2 followed by 2 | Calls the business or office telephone number that's listed for the personal contact. |
| "Call home" | 2 followed by 3 | Calls the home telephone number that's listed for the personal contact. |
| | ## | Lets you enter the email alias or name for the user in the directory if using the directory search feature. |
| "Main menu" | * | Exits to the main menu. |

Personal options commands reference


As an Outlook Voice Access user, when you dial in to an Outlook Voice Access number, you're presented with menu
options that enable you to access your mailbox and manage your personal options. When you configure personal
options using Outlook Voice Access, you can only use the telephone keypad to navigate the menus. Using your
voice to navigate the menus is not available for configuring personal options. The following table lists the
commands that are available for managing your personal options.
Personal options commands

| VOICE COMMAND | TOUCHTONE COMMAND | DESCRIPTION |
|---|---|---|
| | 1 | Turns on or off the telephone Out of Office greeting. |
| | 2 | Records the personal voice mail or Out of Office voice mail greeting. |
| | 3 | Changes the PIN that's used for Outlook Voice Access. |
| | 4 | Starts using the VUI or touchtone interface. |
| | 5 | Sets the local time zone to use. |
| | 6 | Chooses the 12-hour or 24-hour time format. |
| | * | Returns to the main menu. |
| | 0 | Repeats the menu options that are available. |

For more information


Setting up Outlook Voice Access
Set Up Client Voice Mail Features
Navigating menus with Outlook Voice Access
3/6/2019

Outlook Voice Access is a feature in Unified Messaging (UM) that enables users to retrieve email and voice mail
messages and manage their calendar and personal contacts by using an analog, digital, or mobile telephone. They
can interact with their mailbox using their telephone keypad or voice commands, but must use the keypad on their
telephone to search for a user in the directory for your organization.
When UM-enabled users call in to an Outlook Voice Access number, they can sign in to their mailbox using a
telephone and are presented with a series of voice prompts. These voice prompts help them navigate the voice mail
system menus and enable them to access their mailbox. Outlook Voice Access lets users do the following:
Retrieve, listen to, reply to, create, and forward voice or email messages.
Listen to or change calendar information.
Change personal options, such as a PIN, or call or send a voice message to a personal contact.
An Outlook Voice Access number is assigned to a user when they're enabled for UM. The user can find an Outlook
Voice Access number to access their mailbox in the welcome message that's sent to them when they're enabled for
UM or by signing in to their mailbox using Outlook Web App, going to Options > Telephone, and locating the
Outlook Voice Access number or numbers in the Outlook Voice Access section.
After a user enters their extension number and PIN, the voice mail system will let them know how many new voice
mail and email messages they have and when their next meeting is. After the voice mail system has played this
prompt, an Outlook Voice Access main menu will be read to the user and the user can say one of the following:
Voice mail
Email
Calendar
Personal options

Reading and reviewing email


Users can listen to, reply to, create, and forward unread email messages using the telephone. For example, if a user
is expecting an important email message, and does not have access to the internet, they can use a mobile telephone
to dial an Outlook Voice Access number.
Listen to email messages
To listen to email messages using their voice, the user must dial an Outlook Voice Access number, enter their
extension number and PIN, and then do the following:
1. Say "Email" to access their email.
2. The voice mail system will read the name, subject, time, and priority of the first unread email message.
3. The user can then say one of the following options:
"Next message" to mark the message as Read and go to the next email message.
"Mark unread" to keep the message marked as Unread and go to the next message.
"End" to jump to the end of the message.
"Delete" to delete the message.
This process is shown in the following figure.

To listen to email messages using the telephone keypad, users must dial an Outlook Voice Access number, enter
their extension number and PIN, and then do the following:
1. Press 2 to access their email.
2. The voice mail system will read the name, subject, time, and priority of the first unread email message.
3. The user can then press one of the following options:
Pound (#) key to mark the message as Read and go to the next email message.
9 to keep the message marked as Unread and go to the next message.
33 to jump to the end of the message.
7 to delete the message.
This process is shown in the following figure.

Reply to email messages


To listen to email messages and then reply using their voice, users must do the following:
1. Say "Email."
2. Say "Next message" repeatedly until they reach the email message to which they want to reply.
3. Listen to the message or say "End" to go to the end of the message.
4. Say one of the following:
"Reply" to reply to the sender.
"Reply all" to reply to the sender and all other recipients.
"Forward" to forward the message to another user or group.
5. Record a reply and then hang up, remain silent, or press any key. To accept the reply message and send it, say
"Send it."
This process is shown in the following figure.

To listen to email messages and then reply using the telephone keypad, users must do the following:
1. Press 2.
2. Press # repeatedly until they reach the email message to which they want to reply.
3. Listen to the message or press 33 to go to the end of the message.
4. Press one of the following:
8 to reply to the sender.
88 to reply to the sender and all other recipients.
6 to forward the message to another user or group.
5. Record a reply, and then press #. To accept the reply message and send it, press 1.
This process is shown in the following figure.

Listen to the next unread email message


To listen to an email message and then go to the next unread message using their voice, users must do the
following:
1. Say "Email."
2. Say "Next unread." Say "Mark unread" if they want to mark the message as Unread.
This process is shown in the following figure.

To listen to an email message and then go to the next unread message using the telephone keypad, users must do
the following:
1. Press 2.
2. Press ## to listen to the next unread message. Press 9 to mark the message as Unread.
This process is shown in the following figure.

Flag an email message for follow-up


To listen to email messages and flag messages for follow-up using their voice, users must do the following:
1. Say "Email."
2. Say "Next message" repeatedly until they reach the email message that they want to flag for follow-up. Say
"Mark unread" to mark the message as Unread.
3. Listen to the message or say "End" to go to the end of the message.
4. Say "Flag" or "Flag for follow-up" to flag the message for follow-up.
This process is shown in the following figure.

To listen to email messages and flag messages for follow-up using the telephone keypad, users must do the
following:
1. Press 2.
2. Press # repeatedly until they reach the email message that they want to flag for follow-up. Press 9 to mark
the message as Unread.
3. Listen to the message or press 33 to go to the end of the message.
4. Press 0 (zero) twice to access more options.
5. Press 44 to flag the message for follow-up.
This process is shown in the following figure.

Hide a conversation
To listen to email messages and hide a conversation so that the voice mail system will not continue to read other
email messages that are in the same email conversation using their voice, users must do the following:
1. Say "Email."
2. Say "Next message" repeatedly until they reach the email message that they want. Say "Mark unread" to
mark the message as Unread.
3. Listen to the message or say "End" to go to the end of the message.
4. Say "Hide" or "Hide conversation" to hide the conversation. The next email message from a different
conversation will be read.
This process is shown in the following figure.

To listen to email messages and hide a conversation so that the voice mail system will not continue to read other
email messages that are in the same email conversation using the telephone keypad, users must do the following:
1. Press 2.
2. Press # repeatedly until they reach the email message that they want to hide. Press 9 to mark the message
as Unread.
3. Listen to the message or press 33 to go to the end of the message.
4. Press 99 to hide the conversation. The next email message from a different conversation will be read.
This process is shown in the following figure.

NOTE
When a conversation is hidden, it is hidden only for the current session. If users sign out and then sign in to their mailbox
again, the voice mail system will read email messages that are in the same conversation.

Managing calendar meetings and appointments


Users can listen to, reply to, create, and forward meeting requests and appointments in their calendar over the
telephone.
For example, a user has a meeting at 10:00 A.M. However, because of some unexpected delays, the user will be 15
minutes late. The user can inform the other meeting attendees by calling the telephone number for Outlook Voice
Access, signing in to their mailbox, and then accessing the list of meetings for that day in the calendar. After the
voice mail system reads the meeting request for the 10:00 A.M. meeting, the user can use the I'll be late feature to
inform all the meeting attendees that the user will be 15 minutes late. Each attendee will receive an email message
that informs them that the user will be 15 minutes late. The user also has the option to attach a voice mail message.
In another example, a user may have an important client who decides to schedule an all-day meeting on very short
notice. The user must cancel all other meetings for that day in the simplest possible way. Using the Clear my
calendar feature, users can quickly and easily clear their calendar for the whole day.
Send an I'll be late message
To send an I'll be late message to meeting participants using their voice, users must dial an Outlook Voice Access
number, enter their extension number and PIN, and then do the following:
1. Say "Calendar for today" to access their calendar.
2. Listen to the meeting requests to locate the meeting for which to send an I'll be late message.
3. After the meeting request has been read, say "I'll be late."
4. The voice mail system asks, "How late?" Say "10 minutes."
5. The voice mail system asks, "Do you want to record a message?" If so, say "Yes," record the message, and
then say "Send it." If not, say "No."
This process is shown in the following figure.

To send an I'll be late message to meeting participants using the telephone keypad, users must dial an Outlook
Voice Access number, enter their extension number and PIN, and then do the following:
1. Press 3 to access their calendar.
2. Listen to the meeting requests to locate the meeting for which to send an I'll be late message.
3. After the meeting request has been read, press 3.
4. The voice mail system asks, "How late?" Enter 10 on the telephone key pad.

Cancel a meeting
To cancel a meeting, the user must be the meeting organizer. To cancel the meeting using their voice, meeting
organizers must do the following:
1. Say "Calendar for today."
2. Listen to the meeting requests to locate the meeting to cancel.
3. After the meeting request has been read, say "Cancel meeting."
4. Confirm the meeting cancellation by saying "Yes."
5. If the meeting organizer chooses to send a voice message, they can then say "Yes," record the message, and
then say "Send it."
This process is shown in the following figure.

To cancel a meeting, the user must be the meeting organizer. To cancel the meeting using the telephone keypad,
meeting organizers must do the following:
1. Press 3.
2. Listen to the meeting requests to locate the meeting to cancel.
3. Press 7 to cancel the meeting.
4. If the meeting organizer chooses to send a voice message, they can then press one of the following options:
pound key to stop recording the message.
1 to accept the recorded message.
This process is shown in the following figure.

Clear a calendar
To clear their calendar using their voice, users must do the following:
1. Say "Calendar for today."
2. Say "Clear my calendar."
3. Enter the time or the number of days to be cleared.
4. The voice mail system asks whether they want to attach a recorded voice message. If so, say "Yes," record
the message, and then say "Send it." If not, say "No."
This process is shown in the following figure.

To clear their calendar using the telephone keypad, users must do the following:
1. Press 3.
2. Press 00 to go to the More Options menu.
3. Press 77 to clear their calendar.
4. Enter the number of hours to clear from the calendar.
5. If users choose to send a voice message, they can do one of the following:
Press # to not send a voice message.
Record the voice message when prompted, press # to stop recording the message, and then press 1 to
accept the recorded message.
This process is shown in the following figure.

Accept a meeting request


To accept a meeting request using their voice, users must do the following:
1. Say "Email" to access their email.
2. Listen to the email message that contains a meeting request.
3. Say "Accept" to accept the meeting request.
This process is shown in the following figure.

To accept a meeting request using the telephone keypad, users must do the following:
1. Press 2 to access their email.
2. Listen to the email message that contains a meeting request.
3. Press 4 to accept the meeting request.
This process is shown in the following figure.

Reply to a meeting request


To reply to a meeting request using their voice, users must do the following:
1. Say "Calendar for today."
2. Listen to the meeting requests to locate the meeting request to reply to.
3. Say "More options" to open the More Options menu.
4. Say "Reply" to reply to the meeting organizer.
5. Record a message.
6. Say "Send it."
This process is shown in the following figure.

To reply to a meeting request using the telephone keypad, users must do the following:
1. Press 3.
2. Listen to the meeting requests to locate the meeting request to reply to.
3. Press 00 for more options.
4. Press 8 to reply to the meeting organizer.
5. Record a message, and then press #.
6. Press 1 to accept the recording and send the message.
This process is shown in the following figure.

Managing personal options and contacts


Users can manage their personal options and contacts using Outlook Voice Access. They can:
Call a personal contact.
Locate and call a user in the directory.
Configure personal options, such as changing their PIN over the telephone.
When users first set up their mailbox, they must create personal and Automatic Replies greetings that callers will
hear when users are unable to answer their telephone. If, for example, users realize that they have forgotten to turn
on an Automatic Replies voice greeting that will give callers an alternative number to call if they have an immediate
issue, users can use Outlook Voice Access to access their personal options and record and turn on an Automatic
Replies greeting from any telephone.
If a user has to contact an account manager with important information about a client, the user can call the number
that is used for Outlook Voice Access, use the directory search feature using their telephone keypad to locate the
account manager, and then place the call.

NOTE
When users access the Personal Options menu, they must use the telephone keypad.

Record a personal greeting


To record a personal greeting using their voice, users must dial an Outlook Voice Access number, enter their
extension number and PIN, and then do the following:
1. Say "Personal options" to access personal options.
2. Press 2 to record greetings.
3. Press 1 to record a personal greeting. Press 2 if they need to re-record the personal greeting.
4. Press # to stop recording the personal greeting.
5. Press 1 to accept the personal greeting.
This process is shown in the following figure.
To record a personal greeting using the telephone keypad, users must dial an Outlook Voice Access number, enter
their extension number and PIN, and then do the following:
1. Press 6 to access personal options.
2. Press 2 to record greetings.
3. Press 1 to record a personal greeting. Press 2 if they need to re-record the personal greeting.
4. Press # to stop recording the personal greeting.
5. Press 1 to accept the personal greeting.
This process is shown in the following figure.

NOTE
When users change their telephone greeting, they are also given the option to turn on or off their email automatic reply
message.

Send a voice message to a user


To locate and send a voice message to another UM-enabled user using their voice, users must do the following:
1. Say "Directory."
2. Say the name of the person to locate.
3. Select the correct person from the list.
4. Say "Send a message," and then record the voice message.
5. Say "Send it" to send the message.
This process is shown in the following figure.

To locate and send a voice message to another UM-enabled user using the telephone keypad, users must do the
following:
1. Press 4 to search for a contact.
2. Press 00 to locate the person in the directory.
3. Use the telephone keypad to spell the name of the person to locate.
4. Select the correct person from the list.
5. Press 3 to send a voice message to the person.
6. Record the voice message, and then press # to stop recording.
7. Press 1 to accept the voice message and send it.
This process is shown in the following figure.

Change a PIN
To change their PIN using their voice, users must do the following:
1. Say "Personal options."
2. Press 3 to change the PIN.
3. Enter the new PIN, and then press #.
4. Press # to confirm the new PIN.
This process is shown in the following figure.

To change their PIN using the telephone keypad, users must do the following:
1. Press 6 to access personal options.
2. Press 3 to change the PIN.
3. Enter the new PIN, and then press #.
4. Press # to confirm the new PIN.
This process is shown in the following figure.
Play on Phone
2/28/2019

After a voice mail message arrives, users can choose either to listen to the voice mail message through their
computer speakers or headphones or to use the Play on Phone feature. The Play on Phone feature is included with
Microsoft Outlook and Outlook Web App, and settings for Play on Phone are available in the Play on phone
section under Voice mail options. This topic discusses how a Unified Messaging (UM)-enabled user can use the
Play on Phone feature.

What is Play on Phone?


The Play on Phone feature lets UM-enabled users play voice messages over a telephone. If a UM-enabled user sits
in an office cubicle, is using a public computer or a computer that's not enabled for multimedia, or is listening to a
voice message that's confidential, the user might not want to—or be able to—listen to a voice message through
their computer speakers. Alternatively, they can play back the voice mail message using any telephone, including
home, office, or mobile phones. To review settings for Play on Phone, in Outlook, go to File > Info > Manage
voice mail. Clicking the Manage voice mail button will automatically sign you in to Outlook Web App, or you
can sign in to Outlook Web App using a web browser. In Outlook Web App, go to Options > Phone > Voice Mail
> Play on Phone section on the Voice Mail page.
When the user clicks the Play on Phone toolbar option in the voice mail form, the Play on Phone dialog box
appears. The Play on Phone box provides the controls for selecting or inputting the telephone number to use to
play a voice message, starting and ending the call, and a status message for monitoring the call. If the user is linked
to a SIP URI dial plan, their SIP address will appear in the Dial box. If they are linked to an E.164 dial plan, their full
E.164 number will appear in the Dial box.

NOTE
Only one voice message can be played at a time. If the user tries to start a second Play on Phone call while a previous call is
still in progress, an error message will appear.

Most recently used telephone number list


Users can see a list of telephone numbers they used most recently in the Dial box. The telephone number specified
in the Play on phone section is always displayed as the top entry and is automatically selected for the user as the
primary number. Users can use the drop-down menu to select other telephone numbers to dial instead of the
telephone number that's configured as the primary number.

NOTE
To enable users who are using the Play on Phone feature to dial an external telephone number without using an outside line
access code, for example 425-555-1234 instead of 9-425-555-1234, configure in-country/region dialing rules on a UM dial
plan that include the following line: group1, 9xxxxxxxxxx, 91xxxxxxxxxx. After you've configured the in-country/region dialing
rules, add this list to the UM mailbox policy.

Play on Phone buttons


The Play on Phone dialog box gives users the option to Dial and Hang-up. When the Play on Phone dialog box
is first opened, the Dial button is enabled and the Hang-up button is disabled. After a call is placed, the Dial
button becomes disabled until the call has ended. The call can be ended either by clicking the Hang-up button or
by physically hanging up the telephone. Closing the Play on Phone dialog box using the Close button ends the
call if one is in progress. The Play on Phone option and other options are also available in Reading pane preview
in Outlook. If you open the voice mail message in a separate window, the Play on Phone button is on the toolbar.

Subject, sent, and status section


The bottom section of the Play on Phone dialog box displays the subject of the voice message, the date and time
sent, and a message that displays the current state of the call. Any errors specific to the Play on Phone operation
are displayed to the user in this section of the Play on Phone dialog box.

Phone number validation


Play on Phone performs only simple validation on input into the Play on Phone dialog box. Play on Phone does
not validate telephone numbers. If a telephone number is not valid, Unified Messaging returns a meaningful error
code to the user.
Outlook Voice Access procedures
2/28/2019

Enable or disable Outlook Voice Access for users


Configure an Outlook Voice Access number
Disable selected features for Outlook Voice Access users
Set mailbox features for Outlook Voice Access users
Set mailbox features for an Outlook Voice Access user
Enable or disable automatic speech recognition for an Outlook Voice Access user
Enable an informational announcement for Outlook Voice Access users
Enable a customized greeting for Outlook Voice Access users
Enable or disable Play on Phone for Outlook Voice Access users
Enable or disable sending voice messages from Outlook Voice Access
Enable or prevent transferring calls from Outlook Voice Access
Configure the group of users that Outlook Voice Access users can contact
Configure the primary way for Outlook Voice Access users to search
Configure the secondary way for Outlook Voice Access users to search
Configure the number of sign-in failures before Outlook Voice Access users are disconnected
Configure the number of input failures before Outlook Voice Access users are disconnected
Configure the limit on personal greetings for Outlook Voice Access users
Enable or disable Outlook Voice Access for users
2/28/2019

You can enable or disable access to Outlook Voice Access for UM-enabled users who are associated with a Unified
Messaging (UM) mailbox policy. Outlook Voice Access is a feature used by UM-enabled users to access their
mailbox over a phone. By default, this setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable Outlook Voice Access


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. Under UM Mailbox Policies, select the UM mailbox policy you want to manage, and then click Edit.
3. On the UM Mailbox Policy page, select or clear the check box next to Allow Outlook Voice Access.
4. Click Save.

Use Exchange Online PowerShell to enable or disable Outlook Voice Access
This example allows users who are associated with the UM mailbox policy MyUMMailboxPolicy to use Outlook Voice
Access.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowSubscriberAccess $true

This example prevents users who are associated with the UM mailbox policy MyUMMailboxPolicy from using
Outlook Voice Access.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowSubscriberAccess $false
Configure an Outlook Voice Access number
2/28/2019

An Outlook Voice Access number lets a user who is enabled for Unified Messaging (UM) and voice mail access
their mailbox using Outlook Voice Access. When you configure an Outlook Voice Access or subscriber access
number on a dial plan, UM-enabled users can call in to the number, sign in to their mailbox, and access their email,
voice mail, calendar, and personal contact information.
By default, when you create a UM dial plan, an Outlook Voice Access number isn't configured. To configure an
Outlook Voice Access number, you first need to create the dial plan, and then configure an Outlook Voice Access
number under the dial plan's Outlook Voice Access option. Although an Outlook Voice Access number isn't
required, you need to configure at least one Outlook Voice Access number to enable a UM-enabled user to use
Outlook Voice Access to access their mailbox. You can configure multiple Outlook Voice Access numbers for a
single dial plan.
Outlook Voice Access numbers can contain alphabetical, numeric, and special characters, separators, and spaces.
For example:
+14255551010
+1-425-555-1010
4255551010
+1 425 555 1010
1-800-555-CALL
For more information about the menu options available for Outlook Voice Access users, see the Quick Reference
Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure an Outlook Voice Access number


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and on the toolbar, click Edit.
3. On the UM dial plan page, click Configure.
4. In Outlook Voice Access, under Outlook Voice Access numbers, use the box to enter the number you
want to use, and then click Add.
5. Click Save.

Use Exchange Online PowerShell to configure an Outlook Voice Access number
This example sets the Outlook Voice Access number to 4255550100 for a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -AccessTelephoneNumbers 4255550100


Disable selected features for Outlook Voice Access
users
2/28/2019

Outlook Voice Access contains two interfaces: the telephone user interface (TUI) and the voice user interface (VUI).
By default, when users dial in to Outlook Voice Access, they can access their calendar, email, and personal contacts,
and search the directory. You can use Exchange Online PowerShell to prevent users from accessing one or more of
these features when they use Outlook Voice Access to access their mailbox. When you modify Outlook Voice
Access features on a Unified Messaging (UM) mailbox policy, your changes affect all users who are associated with
the UM mailbox policy.
You can disable users' access to the following Outlook Voice Access features on a UM mailbox policy:
Calendar
Directory
Email
Personal contacts
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.
You can also use Exchange Online PowerShell to disable Outlook Voice Access features on the mailbox of a single
UM-enabled user. When you do this, the features will be disabled only for that user. Although you can't disable all
the Outlook Voice Access features that are found on a UM mailbox policy for a single user, you can disable access
to their calendar and to their email.
For additional management tasks related to UM mailboxes, see Voice mail for users.

NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access features for UM-enabled users on a UM
mailbox policy or on the mailbox of a single UM-enabled user.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
Procedures in this topic require specific permissions. See each procedure for its permissions information.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that a user has been enabled for UM. For detailed steps, see
Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to disable selected Outlook Voice Access features for UM-enabled users on a UM mailbox policy
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
This example prevents users associated with a UM mailbox policy named MyUMMailboxPolicy from accessing their
calendar when they dial in to Outlook Voice Access.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowTUIAccessToCalendar $false

This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing the
directory when they dial in to Outlook Voice Access.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowTUIAccessToDirectory $false

This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing
their email when they dial in to Outlook Voice Access.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowTUIAccessToEmail $false

This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from accessing
personal contacts when they dial in to Outlook Voice Access.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowTUIAccessToPersonalContacts $false
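
The following added example (not part of the original documentation) audits UM mailbox policies against a least-privilege baseline for the four Outlook Voice Access settings shown above and emits the Set-UMMailboxPolicy command for each deviation. The function name Test-OvaPolicyBaseline, the baseline values, the policy name ExampleRestrictedPolicy, and the sample policy objects are assumptions constructed for illustration; in a live session, pipe the output of Get-UMMailboxPolicy into the function instead of the sample objects.

```powershell
# Added example. Test-OvaPolicyBaseline is a hypothetical helper, not an Exchange cmdlet.
function Test-OvaPolicyBaseline {
    [CmdletBinding()]
    param(
        # Policy objects as returned by Get-UMMailboxPolicy (or constructed stand-ins).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # Setting name -> desired Boolean value.
        [Parameter(Mandatory)]
        [hashtable]$Baseline
    )
    process {
        foreach ($setting in ($Baseline.Keys | Sort-Object)) {
            $expected = [bool]$Baseline[$setting]
            $prop     = $Policy.PSObject.Properties[$setting]

            if ($null -eq $prop) {
                # Report a missing property instead of assuming a default value.
                [pscustomobject]@{
                    Policy   = $Policy.Name
                    Setting  = $setting
                    Status   = 'Missing'
                    Actual   = $null
                    Expected = $expected
                    Fix      = $null
                }
                continue
            }

            $actual = [bool]$prop.Value
            if ($actual -ne $expected) {
                # Build the remediation command for review; nothing is changed here.
                $fix = 'Set-UMMailboxPolicy -Identity "{0}" -{1} ${2}' -f `
                    $Policy.Name, $setting, $expected.ToString().ToLower()
                [pscustomobject]@{
                    Policy   = $Policy.Name
                    Setting  = $setting
                    Status   = 'Drift'
                    Actual   = $actual
                    Expected = $expected
                    Fix      = $fix
                }
            }
        }
    }
}

# Assumed baseline: only email stays reachable over Outlook Voice Access.
$baseline = @{
    AllowTUIAccessToCalendar         = $false
    AllowTUIAccessToDirectory        = $false
    AllowTUIAccessToEmail            = $true
    AllowTUIAccessToPersonalContacts = $false
}

# Constructed sample objects standing in for Get-UMMailboxPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Name                             = 'MyUMMailboxPolicy'
        AllowTUIAccessToCalendar         = $true
        AllowTUIAccessToDirectory        = $true
        AllowTUIAccessToEmail            = $true
        AllowTUIAccessToPersonalContacts = $true
    }
    [pscustomobject]@{
        Name                             = 'ExampleRestrictedPolicy'
        AllowTUIAccessToCalendar         = $false
        AllowTUIAccessToDirectory        = $false
        AllowTUIAccessToEmail            = $true
        AllowTUIAccessToPersonalContacts = $false
    }
)

# Offline run against the constructed objects.
$findings = $samplePolicies | Test-OvaPolicyBaseline -Baseline $baseline
$findings | Format-Table Policy, Setting, Status, Actual, Expected -AutoSize
$findings | ForEach-Object { $_.Fix }

# Live run (requires an Exchange Online PowerShell session):
# Get-UMMailboxPolicy | Test-OvaPolicyBaseline -Baseline $baseline
```

Because a change to a UM mailbox policy affects every user associated with it, review the emitted commands before running any of them.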

Use Exchange Online PowerShell to disable selected Outlook Voice Access features on the mailbox of a single UM-enabled user
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
This example disables access to the calendar on a UM mailbox named tony@contoso.com when the user dials in to
Outlook Voice Access.

Set-UMMailbox -Identity tony@contoso.com -TUIAccessToCalendarEnabled $false

This example disables access to email on a UM mailbox named tony@contoso.com when the user dials in to
Outlook Voice Access.

Set-UMMailbox -Identity tony@contoso.com -TUIAccessToEmailEnabled $false


Set mailbox features for Outlook Voice Access users
2/28/2019

Outlook Voice Access contains two interfaces: a telephone user interface (TUI) and a voice user interface (VUI). You
can configure a UM-enabled user's TUI settings when the user accesses a mailbox using the Unified Messaging
(UM) system in Exchange Server. When you modify a UM-enabled user's TUI settings on a UM mailbox policy, the
changes affect all users who are associated with the UM mailbox policy. You can modify the following TUI settings
on a UM mailbox policy:
PIN-less access to voice mail
Voice responses to other messages
TUI access to their calendar
TUI access to the directory
TUI access to their email
TUI access to their personal contacts

NOTE
You can use only Exchange Online PowerShell to modify the Outlook Voice Access TUI settings for UM-enabled users.

For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to modify TUI settings on a UM mailbox policy
This example sets TUI-related settings on a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowSubscriberAccess $true -AllowTUIAccessToCalendar $false -AllowTUIAccessToDirectory $false -AllowTUIAccessToEmail $true -AllowTUIAccessToPersonalContacts $true
Set mailbox features for an Outlook Voice Access user
2/28/2019

Telephone user interface (TUI) settings are used when a user accesses the Unified Messaging (UM) system by
using Outlook Voice Access. When you modify a UM-enabled user's TUI configuration settings, you modify
properties and their values on the UM-enabled user's mailbox.
You can change the following TUI settings for a UM-enabled user:
Allow subscriber access
Allow TUI access to the calendar
Allow TUI access to email
Allow Automatic Speech Recognition
For additional management tasks related to UM users, see Set mailbox features for an Outlook Voice Access user.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that the existing Exchange recipient is enabled for Unified
Messaging and voice mail. For detailed steps, see Enable a user for voice mail.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to modify a single UM-enabled user's TUI settings
This example enables calendar and email access using the TUI for a UM-enabled user named Tony Smith.

Set-UMMailbox -Identity tony@contoso.com -TUIAccessToCalendarEnabled $true -TUIAccessToEmailEnabled $true -OperatorNumber 111111 -MissedCallNotificationEnabled $true -AnonymousCallersCanLeaveMessages $false

NOTE
TUI settings for users are also available on UM mailbox policies. Modifying TUI settings on a UM mailbox policy affects all
users who are associated with the UM mailbox policy. For more information about how to modify TUI settings on a UM
mailbox policy, see Set mailbox features for Outlook Voice Access users.
Enable or disable automatic speech recognition for
an Outlook Voice Access user
2/28/2019

You can configure Automatic Speech Recognition (ASR) for a user who's enabled for Unified Messaging (UM) and
voice mail. When ASR is enabled on the mailbox of an Outlook Voice Access user, the user can move through the
mailbox menus using voice commands. ASR is enabled by default. If ASR is disabled, the user must use dual tone
multi-frequency (DTMF), also known as touchtone, inputs to move through the menus.

NOTE
You can't use the EAC to configure this feature. You must use Exchange Online PowerShell to enable or disable ASR for a
voice mail user.

For additional management tasks related to UM or voice mail users, see Voice mail-enabled user procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable or disable ASR for a UM-enabled user
This example enables ASR for a UM-enabled user named tonysmith.

Set-UMMailbox -Identity tonysmith@contoso.com -AutomaticSpeechRecognitionEnabled $true

This example disables ASR for a UM-enabled user named tonysmith.


Set-UMMailbox -Identity tonysmith@contoso.com -AutomaticSpeechRecognitionEnabled $false
Enable an informational announcement for Outlook
Voice Access users
2/28/2019

You can enable an informational announcement on a Unified Messaging (UM) dial plan. Informational
announcements are used for general announcements that change more frequently than the welcome greeting
does, or for announcements that are required by corporate compliance policies.
By default, callers, including Outlook Voice Access users who dial in to an Outlook Voice Access number that's
been configured, don't hear an informational announcement. If you want one to be played, you must create a .wav
or .wma file to use for the informational announcement after you create a UM dial plan, and then enable the
informational announcement on the dial plan.
When it's important that the whole informational announcement is heard, you can configure the announcement to
be uninterruptible. This prevents a caller from pressing a key or speaking a command to interrupt and stop the
announcement.
For more information about the menu options that are available for Outlook Voice Access users, see the Quick
Reference Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable an informational announcement


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan that you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Outlook Voice Access, under Informational announcement, click Change, and then click Browse to
locate the announcement file.
IMPORTANT
The file you use for the informational announcement must be a .wav or .wma file.

5. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable an informational announcement
This example enables an informational announcement that uses the informational.wav informational
announcement file on a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -Identity MyUMDialPlan -InfoAnnouncementEnabled $true -InfoAnnouncementFilename c:\UMGreetings\informational.wav

Enable a customized greeting for Outlook Voice
Access users
2/28/2019

By default, each Unified Messaging (UM) dial plan uses a standard .wav file for the welcome greeting that's played
to callers, including Outlook Voice Access users who dial in to an Outlook Voice Access number that's been
configured. However, you can create a .wav or .wma file for the welcome greeting, and then enable it on the UM
dial plan.
For example, you might want to change the default welcome greeting and instead provide a welcome greeting
that's specific to your company, such as "Welcome to Outlook Voice Access for Woodgrove Bank." To do this, you
record the customized welcome greeting and save it as a .wav or .wma file. Then you configure the dial plan to use
the customized welcome greeting.
For more information about the menu options available for Outlook Voice Access users, see the Quick Reference
Guide for Outlook Voice Access, which is available from the Microsoft Download Center.
For additional management tasks related to UM dial plans, see Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable a customized welcome greeting


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan that you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Outlook Voice Access, under Welcome greeting, click Change, and then click Browse to locate the
greeting file.

IMPORTANT
The file you use for the welcome greeting must be a .wav or .wma file.
5. After you've located the file, click Open, and then click Save.

Use Exchange Online PowerShell to enable a customized welcome greeting
This example enables a welcome greeting that uses the C:\UMPrompts\welcome.wav file on a UM dial plan
named MyUMDialPlan.

Set-UMDialPlan -Identity MyUMDialPlan -WelcomeGreetingEnabled $true -WelcomeGreetingFilename c:\UMPrompts\welcome.wav

Enable or disable Play on Phone for Outlook Voice
Access users
2/28/2019

You can enable or disable the Play on Phone feature for users associated with a Unified Messaging (UM) mailbox
policy. This option is enabled by default and allows users to play their voice mail messages over any phone. This
option isn't available to UM-enabled users who have a mailbox on a Microsoft Exchange Server 2007 server.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable Play on Phone


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page, select or clear the check box next to Allow Play on Phone for voice
mail.
4. Click Save.

Use Exchange Online PowerShell to enable or disable Play on Phone


This example enables the Play on Phone feature for users who are associated with the UM mailbox policy
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowPlayOnPhone $true

This example disables the Play on Phone feature for users who are associated with the UM mailbox policy
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowPlayOnPhone $false


Enable or disable sending voice messages from Outlook Voice Access
2/28/2019 • 2 minutes to read

You can enable Outlook Voice Access users to send voice mail messages to other UM-enabled users who are
associated with the same dial plan, or prevent them from doing so.
By default, this setting is enabled. If you disable this setting, Outlook Voice Access users that call into an Outlook
Voice Access number won't be able to send voice messages to users within the same dial plan.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or prevent Outlook Voice Access users sending voice messages to users in the same dial plan

1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Transfer & search, under Allow callers to, select Leave voice messages without ringing a user's
phone to allow sending voice messages. If you want to prevent sending voice messages for users, clear this
setting.
5. Click Save.

Use Exchange Online PowerShell to enable or prevent Outlook Voice Access users sending voice messages to users in the same dial plan

This example enables Outlook Voice Access users associated with the UM dial plan named MyUMDialPlan to send
voice messages to users associated with the same dial plan.

Set-UMDialPlan -identity MyUMDialPlan -SendVoiceMsgEnabled $true

This example prevents Outlook Voice Access users associated with the UM dial plan named MyUMDialPlan from
sending voice messages to users associated with the same dial plan.

Set-UMDialPlan -identity MyUMDialPlan -SendVoiceMsgEnabled $false


Enable or prevent transferring calls from Outlook Voice Access
2/28/2019 • 2 minutes to read

You can enable Outlook Voice Access users to transfer calls to a user who's associated with a Unified Messaging
(UM) dial plan, or prevent them from doing so. By default, both this option and the Leave voice messages
without ringing a user's phone option are enabled, so that Outlook Voice Access users can transfer calls to users
in the same UM dial plan and leave voice messages for them. This setting only applies to Outlook Voice Access
users who have entered their PIN and are authenticated.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or prevent Outlook Voice Access users from transferring calls

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan that
you want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. In transfer & search, under Allow callers to, select the check box next to transfer to users to enable
callers to transfer calls to other users within the dial plan. If you want to prevent Outlook Voice Access users
from transferring calls to users, clear this check box.
4. Click Save.

Use Exchange Online PowerShell to enable or prevent Outlook Voice Access users from transferring calls

This example enables Outlook Voice Access users to transfer calls to users in the same dial plan on a UM dial plan
named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -AllowDialPlanSubscribers $true

This example prevents Outlook Voice Access users from transferring calls to users in the same dial plan on a UM
dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -AllowDialPlanSubscribers $false


Configure the group of users that Outlook Voice Access users can contact
2/28/2019 • 2 minutes to read

You can specify which users can receive transferred calls or voice mail messages from Outlook Voice Access users.
By default, the In this dial plan only option is selected. You can change this setting to allow Outlook Voice Access
users to transfer calls or send voice messages to users located in the entire organization, to an existing UM auto
attendant, or to a specific extension number.
For additional tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the group of users that Outlook Voice Access users can contact

1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Transfer & search, under Allow callers to search for users by name or alias, select one of the
following options:
In this dial plan only: Use this option to allow Outlook Voice Access users who call in to an Outlook Voice
Access number to locate and contact users who are within the same dial plan.
In the entire organization: Use this option to allow Outlook Voice Access users who call in to an Outlook
Voice Access number to locate and contact anyone in the entire organization. This includes all users who are
mailbox-enabled.
Only on this auto attendant: Use this option to allow Outlook Voice Access users who call in to an
Outlook Voice Access number to connect to a specific auto attendant. You must create the auto attendant
before you specify it here. This allows Outlook Voice Access users to be transferred to another auto
attendant. The auto attendant you choose here can be a speech-enabled or non-speech-enabled auto
attendant.
Only for this extension: Use this option to allow Outlook Voice Access users to connect to an extension
number that you specify. You can use only numeric digits for the extension. The number of digits that you
define in this field must match the number of digits in the extension numbers that are configured on the UM
dial plan.
5. Click Save.

Use Exchange Online PowerShell to configure the group of users that Outlook Voice Access users can contact

This example sets the group of users that Outlook Voice Access users can contact for a UM dial plan named
MyUMDialPlan to the entire organization.

Set-UMDialPlan -Identity MyUMDialPlan -ContactScope 'GlobalAddressList' -UMAutoAttendant $null -AllowDialPlanSubscribers $false -AllowExtensions $false

This example sets the group of users that Outlook Voice Access users can contact for a UM dial plan named
MyUMDialPlan to the DialPlan.

Set-UMDialPlan -Identity MyUMDialPlan -ContactScope DialPlan -AllowDialPlanSubscribers $false -AllowExtensions $false


Configure the primary way for Outlook Voice Access users to search
2/28/2019 • 2 minutes to read

When you create a Unified Messaging (UM) dial plan, you can configure the primary and secondary ways that
callers can search for names to locate a user when they call an Outlook Voice Access number or a UM auto
attendant that's associated with the dial plan. Callers can use touchtone inputs to locate a UM-enabled user.

NOTE
None isn't an available option for the primary way callers can search for names. When None is selected for the secondary
way they can search for names, only the primary way will be available to callers. If you configure both the primary and
secondary ways that callers can search for names, they will be prompted for both ways.

For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the primary dial by name method


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Primary way to search for names, use the drop-down list to select the option you
want:
Last first (default)
First last
SMTP address
5. Click Save.

Use Exchange Online PowerShell to change the primary dial by name method

This example sets the primary dial by name method to FirstLast. This enables callers who call the Outlook Voice
Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by their first
and then last name.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNamePrimary FirstLast

This example sets the primary dial by name method to LastFirst. This enables callers who call the Outlook Voice
Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by their last
and then first name.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNamePrimary LastFirst

This example sets the primary dial by name method to SMTP address. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their SMTP address.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNamePrimary SMTPAddress


Configure the secondary way for Outlook Voice Access users to search
2/28/2019 • 2 minutes to read

When you create a dial plan, you can configure the primary and secondary dial by name methods or ways that
callers can search for names. Callers use these dial by name methods to look up names to locate and contact a
user when they call in to an Outlook Voice Access number or when they call in to a UM auto attendant that's
associated with the dial plan. Callers can use touchtone inputs to locate a UM-enabled user.

NOTE
If None is selected as the secondary way for callers to search for names, only the primary way of searching for names will be
available to callers who want to locate users. If you configure both the primary and secondary ways that callers can search
for names, callers will be prompted for both ways.

For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the secondary dial by name method


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM Dial Plan page, click Configure.
4. In Settings, under Secondary way to search for names, use the drop-down list to select the option you
want:
Last first (default)
First last
SMTP address
None
5. Click Save.

Use Exchange Online PowerShell to change the secondary dial by name method

This example sets the secondary dial by name method to FirstLast. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their first and then last name.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNameSecondary FirstLast

This example sets the secondary dial by name method to LastFirst. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their last and then first name.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNameSecondary LastFirst

This example sets the secondary dial by name method to SMTP address. This enables callers who call the Outlook
Voice Access number or a UM auto attendant associated with the dial plan to search for a UM-enabled user by
their SMTP address.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNameSecondary SMTPAddress

This example sets the secondary dial by name method to None and the primary dial by name method to
SMTP address. This enables callers who call the Outlook Voice Access number or a UM auto attendant associated
with the dial plan to search for a UM-enabled user by their SMTP address only.

Set-UMDialPlan -Identity MyUMDialPlan -DialByNamePrimary SMTPAddress -DialByNameSecondary None


Configure the number of sign-in failures before Outlook Voice Access users are disconnected
2/28/2019 • 2 minutes to read

You can specify the number of sequential unsuccessful sign-in attempts that are allowed before a caller is
disconnected. The value of this setting can be from 1 through 20. Setting this value too low can frustrate users. For
most organizations, this value should be set to the default of three attempts.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the number of sign-in failures before users are disconnected

1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Number of sign-in failures before disconnecting, enter the number of sign-in
failures.
5. Click Save.

Use Exchange Online PowerShell to configure the number of sign-in failures before users are disconnected

This example sets the number of sign-in failures before users are disconnected to 5 for a UM dial plan named
MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -LogonFailuresBeforeDisconnect 5


Configure the number of input failures before Outlook Voice Access users are disconnected
2/28/2019 • 2 minutes to read

You can configure the number of times that users who call in to an Outlook Voice Access number can enter
incorrect data before they're disconnected. This setting applies to both Outlook Voice Access users and
unauthenticated callers who use directory search.
The following are examples of types of data that are considered incorrect:
A caller requests an extension number that isn't found in the system.
The system can't locate the user's extension number to transfer the call.
A caller presses a menu option that isn't valid.
The value of this setting can be from 1 through 20. For most organizations, this value should be set to the default
of three attempts. Setting this value too low may prematurely disconnect callers.
For additional management tasks related to UM dial plans, see UM Dial Plan Procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the input failures before disconnect


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to modify, and then click Edit.
3. On the UM dial plan page, click Configure.
4. In Settings, under Number of input failures before disconnecting, enter the number of input failures.
5. Click Save.

Use Exchange Online PowerShell to configure the input failures before disconnect

This example sets the input failures before disconnect to 5 on a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -identity MyUMDialPlan -InputFailuresBeforeDisconnect 5
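
The sign-in failure, input failure and contact scope settings covered in the preceding topics bound how many sign-in attempts and directory lookups a single call allows, so they are worth checking against the documented defaults. The following is an added example, not Microsoft's code: the helper name Test-UMDialPlanBaseline and the two sample dial plan objects are constructed for illustration, and the baseline values are the defaults stated on this page.

```powershell
# Added example. Test-UMDialPlanBaseline is a hypothetical helper, not an Exchange cmdlet.
function Test-UMDialPlanBaseline {
    [CmdletBinding()]
    param(
        # Object shaped like Get-UMDialPlan output; only the properties named below are read.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$DialPlan,

        # Baseline values are the defaults documented on this page.
        [int]$MaxLogonFailures = 3,
        [int]$MaxInputFailures = 3,
        [string]$ExpectedContactScope = 'DialPlan'
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        $limits = [ordered]@{
            LogonFailuresBeforeDisconnect = $MaxLogonFailures
            InputFailuresBeforeDisconnect = $MaxInputFailures
        }
        foreach ($name in $limits.Keys) {
            # A missing property converts to 0 and is reported as out of range.
            $value = [int]($DialPlan.$name)
            if ($value -lt 1 -or $value -gt 20) {
                $findings.Add("$name=$value is outside the documented range 1-20")
            }
            elseif ($value -gt $limits[$name]) {
                $findings.Add("$name=$value exceeds baseline $($limits[$name])")
            }
        }

        # Remote sessions return deserialized values, so compare the scope as a string.
        $scope = "$($DialPlan.ContactScope)"
        if ($scope -ne $ExpectedContactScope) {
            $findings.Add("ContactScope=$scope differs from baseline $ExpectedContactScope")
        }

        [pscustomobject]@{
            DialPlan  = $DialPlan.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings.ToArray()
        }
    }
}

# Constructed sample data standing in for: Get-UMDialPlan | Test-UMDialPlanBaseline
$sampleDialPlans = @(
    [pscustomobject]@{
        Name                          = 'MyUMDialPlan'
        LogonFailuresBeforeDisconnect = 3
        InputFailuresBeforeDisconnect = 3
        ContactScope                  = 'DialPlan'
    },
    [pscustomobject]@{
        Name                          = 'ConstructedBranchDialPlan'
        LogonFailuresBeforeDisconnect = 5
        InputFailuresBeforeDisconnect = 20
        ContactScope                  = 'GlobalAddressList'
    }
)

$sampleDialPlans | Test-UMDialPlanBaseline | Format-List
```

In a connected session, pipe the output of Get-UMDialPlan into the function instead of the sample array.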


Configure the limit on personal greetings for Outlook Voice Access users
2/28/2019 • 2 minutes to read

The Limit on personal greetings (minutes) setting enables you to enter the maximum number of minutes that
users associated with the Unified Messaging (UM) mailbox policy can use to record their voice mail greetings. This
setting applies to both their standard voice mail and their Out of Office voice mail greetings. By default, the
maximum greeting duration is set to 5 minutes. However, you can configure the maximum greeting duration to
any setting between 1 and 10 minutes.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the maximum greeting duration


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then on the toolbar, click Edit.
3. On the UM mailbox policy page > General, under Limit on personal greetings (minutes), enter the
length of time, in minutes, allowed for personal greetings for voice mail users.
4. Click Save.

Use Exchange Online PowerShell to change the maximum greeting duration

This example configures the maximum greeting duration on the UM mailbox policy MyUMMailboxPolicy to 3
minutes.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -MaxGreetingDuration 3


Protect voice mail in Exchange Online
2/28/2019 • 8 minutes to read

Some Private Branch eXchange (PBX) and IP PBX telephony systems allow the caller to mark a voice mail message
as private, blocking the intended recipient of the message from forwarding it to others. In integrated voice mail
systems, a voice message can be accessed in multiple ways, which makes it more of a challenge to prevent voice
messages marked private from being exposed to unintended listeners. Unified Messaging (UM) can be configured
to protect voice messages for an organization. This feature is known as Protected Voice Mail.
When a voice message is protected, the recipient is not only blocked from forwarding the message, but UM also
ensures that only the intended recipient or recipients of the message can access its content. Protected voice
messages can be accessed by using Outlook Web App, or Outlook Voice Access.

Overview of Protected Voice Mail


The Protected Voice Mail feature is available with Unified Messaging (UM). It can be configured on a UM mailbox
policy, and all Protected Voice Mail settings can be configured by using the Exchange admin center (EAC) or
cmdlets in Exchange Online PowerShell in Exchange Server.
Protected Voice Mail is implemented by applying Information Rights Management (IRM) to voice messages. When
voice messages are protected by UM:
Users can reply to protected voice messages.
Recipients of a voice message can't forward it.
Users can't save a copy of the voice message.
Users can't save or copy the attached audio of the voice message.
A voice message can be opened only by the intended recipient or recipients.
Both call-answering voice messages and interpersonal voice messages (voice messages that are sent to a user
using Outlook Voice Access) can be protected by UM. However, protection won't be applied to the following types
of messages:
Fax messages.
Non-voice messages. For example, email messages or meeting requests, even when they're created using
Outlook Voice Access (voice replies).

Client support and end-user features


The email client software that's used to listen to a Protected Voice Mail message must support IRM and know how
to read a UM-protected voice message. Email clients that are supported include Outlook, Outlook Web App, and
Outlook Voice Access. The following table contains a list of email clients and whether they're supported.

EMAIL CLIENT | DESCRIPTION
Outlook | Protected voice messages are supported in Outlook 2010 and later versions.
Outlook Web App | Outlook Web App supports Protected Voice Mail messages.
Outlook Voice Access | Outlook Voice Access supports Protected Voice Mail.
Windows Mobile or Windows Phone | Windows Mobile doesn't support Protected Voice Mail. However, Windows Phone 7 and Windows Phone 8 support Protected Voice Mail.
Other third-party email clients | Protected Voice Mail isn't supported.

Protected voice message structure


There are actually two messages involved for each Protected Voice Mail message. The first message is the outer
message, which isn't encrypted. It contains an attachment named message.rpmsg. The attachment contains the
IRM-protected voice message and internal rights management control data. The rights management control data
includes a content key and rights information that specifies who can access the voice message and how those users
can access it.
Protected voice messages are shown in the user's Inbox in the Voice Mail search folder. The user can listen to the
voice messages by using the embedded audio player just as they would listen to a regular voice message, except
that the Forward button will be disabled and a note will be shown at the top of the message stating that it's
protected and that it can't be forwarded.
For email clients that don't support Protected Voice Mail, the body of the outer message will be displayed.
Administrators can include text when the client's software doesn't support Protected Voice Mail by using UM
mailbox policies. You can customize the default text that's included in the email message by configuring a UM
mailbox policy. For example, you could configure the UM mailbox policy with customized text such as, "You can't
open this voice mail message because it's protected. To view or listen to this voice message, sign in to your mailbox
at https://mail.contoso.com or call +1 (425) 555-1234 to call in to Outlook Voice Access."

Composing a Protected Voice Mail message


There are two situations in which protected voice messages can be created:
Call answering: Call answering occurs when a caller calls a UM-enabled user, but the user isn't available to
answer the call or forwards it directly to voice mail. In call-answering scenarios, the voice mail system will
play a series of voice prompts after the caller records a voice message.
The caller can then choose from additional message options, including the option to mark the voice message
as private by pressing the pound (#) key. If the caller presses the # key, they can follow the instructions
provided by UM to mark the message as private, remove the private marking from the private voice
message, or mark the voice message with High importance. The following diagram shows the menu options
that are available to callers when they leave a private voice message for a user.

NOTE
For call-answering calls, UM uses the Protected Voice Mail settings on the UM mailbox policy of the intended
recipient of the message, because the caller isn't authenticated.

[Figure: Create a Protected Voice Mail message using Call Answering]


Outlook Voice Access: Outlook Voice Access lets UM-enabled users access their mailbox using analog,
digital, or cellular telephones by dialing their Outlook Voice Access number. There are two Unified
Messaging user interfaces available to UM-enabled users: the telephone user interface (TUI) and the voice
user interface (VUI).
Outlook Voice Access users can search for contacts in the directory and send them voice messages. If
Protected Voice Mail has been enabled for the UM-enabled recipients, callers can mark the messages as
private after they're recorded. Alternatively, administrators can configure a UM mailbox policy to ensure that
all voice messages sent by authenticated users are protected by UM.

NOTE
If a caller is authenticated, the Protected Voice Mail settings on the UM mailbox policy that's linked to the caller are
applied, regardless of the UM mailbox policy settings for the intended recipient of the voice message.

[Figure: Create a Protected Voice Mail message using the voice user interface]

[Figure: Create a Protected Voice Mail message using the telephone user interface]

UM mailbox policies
You can create a Unified Messaging mailbox policy to apply a common set of UM policy settings, such as PIN
policy settings, dialing restrictions, and Protected Voice Mail settings, to a collection of UM-enabled mailboxes. To
learn more about UM mailbox policies, see Manage a UM mailbox policy and Protected Voice Mail procedures.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure Protected
Voice Mail options. The following table lists the settings that can be configured for Protected Voice Mail.
Protected Voice Mail settings

PARAMETER | SETTING AVAILABLE IN EAC? | DESCRIPTION
ProtectAuthenticatedVoiceMail | Yes | The ProtectAuthenticatedVoiceMail parameter specifies whether UM-enabled users can send protected voice messages when they're accessing their mailbox using Outlook Voice Access. The default setting is None. This means that no protection is applied when voice messages are composed and that callers won't have the option to mark voice messages as Private. If the value is set to Private, only messages marked as Private by the caller are protected. If the value is set to All, every voice message is protected, regardless of the option chosen by the caller.
ProtectUnauthenticatedVoiceMail | Yes | The ProtectUnauthenticatedVoiceMail parameter specifies whether the Mailbox servers that answer calls for UM-enabled users associated with a UM mailbox policy create protected voice messages. This setting also applies when a message is sent from a UM auto attendant to a UM-enabled user. The default setting is None. This means that no protection is applied to voice messages and that the caller won't be offered the option to mark the message as Private. If the value is set to Private, only messages marked as Private by the caller are protected. If the value is set to All, every voice message is protected, regardless of whether the message has been marked as private by the caller.
ProtectedVoiceMailText | Yes | The ProtectedVoiceMailText parameter specifies the text to be included in the body of the outer message of a Protected Voice Mail message. This text will be shown in all email client applications that don't support Protected Voice Mail messages. Note that a default message is always provided by UM when this property is set to Null or is empty.
RequireProtectedPlayOnPhone | Yes | The RequireProtectedPlayOnPhone parameter specifies whether users associated with the UM mailbox policy will be forced to listen to the protected voice message over the phone (using Play On Phone). The default value is $false. When the value is set to $true, the audio media player on Protected Voice Mail forms in Outlook or Outlook Web App will be shown as disabled. Note that the preview text for the voice message can always be accessed. The user can't play the audio file using any media player software or use the embedded media player to listen to the voice message.
AllowVoiceResponseToOtherMessageTypes | Yes | The AllowVoiceResponseToOtherMessageTypes parameter specifies whether callers who have authenticated to Outlook Voice Access to access their email will be able to compose a voice reply to email messages and meeting requests.

For more information about how to manage Protected Voice Mail settings, see Protected Voice Mail procedures or
Set-UMMailboxPolicy.
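
The settings in the table interact, so it helps to review them together for every policy. The following PowerShell is an added example, not part of the original documentation: Get-ProtectedVoiceMailFinding is a hypothetical helper, the sample policies are constructed, and it assumes policy objects expose the table's parameter names as properties.

```powershell
# Added example (not from the original documentation).
# Get-ProtectedVoiceMailFinding is a hypothetical helper. It reads the
# properties named after the Set-UMMailboxPolicy parameters in the table.
function Get-ProtectedVoiceMailFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like UM mailbox policies (live or constructed).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # An unset value is treated as None, the documented default.
        $auth   = [string]$Policy.ProtectAuthenticatedVoiceMail
        $unauth = [string]$Policy.ProtectUnauthenticatedVoiceMail
        if (-not $auth)   { $auth   = 'None' }
        if (-not $unauth) { $unauth = 'None' }

        $settings = @(
            @{ Name = 'ProtectAuthenticatedVoiceMail';   Value = $auth },
            @{ Name = 'ProtectUnauthenticatedVoiceMail'; Value = $unauth }
        )
        foreach ($item in $settings) {
            switch ($item.Value) {
                'All'     { }   # every voice message is protected
                'Private' { $findings.Add("$($item.Name)=Private: only messages the caller marks Private are protected") }
                default   { $findings.Add("$($item.Name)=$($item.Value): no protection, and the caller is not offered the Private option") }
            }
        }

        # Play on Phone only matters when some messages are protected.
        $protects = ($auth -in 'Private', 'All') -or ($unauth -in 'Private', 'All')
        if ($protects -and -not $Policy.RequireProtectedPlayOnPhone) {
            $findings.Add('RequireProtectedPlayOnPhone=$false: protected audio can be played in a media player')
        }

        # When no custom text is set, UM supplies a default message.
        $customText = -not [string]::IsNullOrWhiteSpace([string]$Policy.ProtectedVoiceMailText)

        [pscustomobject]@{
            Policy              = $Policy.Name
            Authenticated       = $auth
            Unauthenticated     = $unauth
            PlayOnPhoneRequired = [bool]$Policy.RequireProtectedPlayOnPhone
            CustomFallbackText  = $customText
            Findings            = $findings.ToArray()
        }
    }
}

# Constructed sample policies (not real tenant data).
$samplePolicies = @(
    [pscustomobject]@{
        Name = 'Default Policy'
        ProtectAuthenticatedVoiceMail = 'None'
        ProtectUnauthenticatedVoiceMail = 'None'
        RequireProtectedPlayOnPhone = $false
        ProtectedVoiceMailText = $null
    },
    [pscustomobject]@{
        Name = 'MyUMMailboxPolicy'
        ProtectAuthenticatedVoiceMail = 'All'
        ProtectUnauthenticatedVoiceMail = 'Private'
        RequireProtectedPlayOnPhone = $false
        ProtectedVoiceMailText = ''
    },
    [pscustomobject]@{
        Name = 'Executives'
        ProtectAuthenticatedVoiceMail = 'All'
        ProtectUnauthenticatedVoiceMail = 'All'
        RequireProtectedPlayOnPhone = $true
        ProtectedVoiceMailText = 'Use Outlook Voice Access to listen to this message.'
    }
)

$samplePolicies | Get-ProtectedVoiceMailFinding | Format-List

# In a connected Exchange Online PowerShell session, review live policies with:
#   Get-UMMailboxPolicy | Get-ProtectedVoiceMailFinding
```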

Text message notifications and Protected Voice Mail


Users who configure their UM account to send text message notifications (also called SMS notifications) to their
mobile phone when voice messages are received will also receive audio transcription (Voice Mail Preview) text as
part of the body of the text message. However, for protected voice messages, this represents a security issue
because the content of the voice messages should always be protected.
When UM creates a text message notification for a voice message that's protected, it checks whether the voice
message is marked as Private. If so, it won't add the transcribed audio text to the text message that it sends to the
mobile phone. The following text will be included in the text message instead: "Use Outlook Voice Access to access
this protected voice mail message."
Protected Voice Mail procedures
2/28/2019 • 2 minutes to read

Configure Protected Voice Mail from authenticated callers


Configure Protected Voice Mail from unauthenticated callers
Enable or disable multimedia playback of protected voice messages
Specify the text to display for email clients that don't support Windows Rights Management
Configure Protected Voice Mail from authenticated callers
2/28/2019 • 2 minutes to read

You can configure Unified Messaging to answer an incoming call, and then determine whether it will apply
protection to voice mail messages by using encryption. When a voice message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
This setting applies to voice messages sent to UM-enabled users when they don't answer their phone. This setting
also applies when callers sign in to their mailbox using Outlook Voice Access, and then create and send a voice
message.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure Protected Voice Mail from authenticated callers
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Protected voice mail, under Protect voice message from
authenticated callers, select one of the following options:
None: Use this setting when you don't want protection applied to any voice messages sent to UM-enabled
users.
Private: Use this setting when you want Unified Messaging to apply protection only to voice messages that
have been marked as private by the caller.
All: Use this setting when you want Unified Messaging to apply protection to all voice messages, including
those not marked as private.
4. Click Save.

Use Exchange Online PowerShell to configure Protected Voice Mail from authenticated callers
This example protects voice messages from all authenticated callers on the UM mailbox policy MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -ProtectAuthenticatedVoiceMail All


Configure Protected Voice Mail from unauthenticated callers
2/28/2019 • 2 minutes to read

You can configure Unified Messaging to answer an incoming call, and then determine whether it will apply
protection to voice mail messages by using encryption. When a voice mail message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
This setting applies to voice messages sent to UM-enabled users when they don't answer their phone. This setting
also applies to voice messages sent directly to UM-enabled users when the caller uses a UM auto attendant.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure Protected Voice Mail from unauthenticated callers
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Protected voice mail, under Protect voice message from
unauthenticated callers, select one of the following options:
None: Use this setting when you don't want protection applied to any voice messages sent to UM-enabled
users.
Private: Use this setting when you want Unified Messaging to apply protection only to voice messages that
have been marked as private by the caller.
All: Use this setting when you want Unified Messaging to apply protection to all voice messages, including
those not marked as private.
4. Click Save.

Use Exchange Online PowerShell to configure Protected Voice Mail from unauthenticated callers
This example protects all voice messages from all unauthenticated callers on the UM mailbox policy
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -ProtectUnauthenticatedVoiceMail All


Enable or disable multimedia playback of protected voice messages
2/28/2019 • 3 minutes to read

You can force users who receive protected voice mail messages to use the Play on Phone feature to listen to their
messages. Or, if the client software doesn't support rights management, users must use Outlook Voice Access to
listen to messages.
To listen to voice messages, Unified Messaging (UM)-enabled users can use the Play on Phone feature or use
multimedia software on a computer or mobile device. Multimedia playback allows a UM-enabled user to use a
media player over computer speakers or use a media player on a mobile device to hear the voice message.

NOTE
Protected voice mail is available only on clients that are using a version of Outlook that supports rights management. If the
client software doesn't support rights management, users must use Outlook Voice Access to listen to their calls.

By default, the value of the RequireProtectedPlayOnPhone property on a UM mailbox policy is set to false. This
means that UM-enabled users that are associated with that UM mailbox policy can listen to protected voice
messages by:
Using Outlook Voice Access.
Using the built-in media player or the Play on Phone button in Outlook 2010 or a later version.
Using the built-in media player or the Play on Phone button in Outlook Web App.
If this value is set to true, multimedia playback of protected voice mail isn't allowed. UM-enabled users associated
with a UM mailbox policy on which this value is set to true can listen to protected voice messages only by:
Using Outlook Voice Access.
Using the Play on Phone button in Outlook 2010 or a later version.
Using the Play on Phone button in Outlook Web App.
This setting is especially useful when UM-enabled users use public computers, laptops in public places, or their
mobile device's media player to listen to protected voice mail that can contain private information.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable multimedia playback of protected voice messages
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. Under UM Mailbox Policies, select the UM mailbox policy you want to manage, and then click Edit.
3. On the UM Mailbox Policy page > Protected voice mail, select the check box next to Require Play on
Phone for protected voice messages to enable this setting. Clear the check box to disable this setting.
4. Click Save.

Use Exchange Online PowerShell to enable or disable multimedia playback of protected voice messages
This example allows users who are associated with the UM mailbox policy named MyUMMailboxPolicy to play back
protected voice messages using a media player.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -RequireProtectedPlayOnPhone $false

This example prevents users who are associated with the UM mailbox policy named MyUMMailboxPolicy from
playing back protected voice messages using a media player.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -RequireProtectedPlayOnPhone $true


Specify the text to display for email clients that don't support Windows Rights Management
2/28/2019 • 2 minutes to read

You can specify the text that will be sent to a user when they receive a protected voice message but their email
client doesn't support Information Rights Management (IRM) or Windows Rights Management.
Protected Voice Mail can be accessed only by email clients that support Windows Rights Management or when a
UM-enabled user uses Outlook Voice Access to access a protected voice message.
Protected Voice Mail is encrypted. When a voice message is protected:
The message is marked as Private in Microsoft Outlook and Outlook Web App.
The voice message can be opened only by the intended recipient of the voice message.
The recipient can reply to the voice message, but can't forward it to someone who wasn't included on the
original voice message.
If a protected voice message is sent to someone whose email client doesn't support Windows Rights Management
and isn't accessing the message using Outlook Voice Access, an email message will be sent to them that includes
the text you specify. This text should include instructions about what the called party should do to be able to
receive the protected voice message.
For additional management tasks related to Protected Voice Mail procedures, see Protected Voice Mail procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use EAC to specify the text to display for email clients that don't support Windows Rights Management
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Protected voice mail, under Message to send to users who don't
have Windows Rights Management support, type the message text in the text box.
4. Click Save.

Use Exchange Online PowerShell to specify the text to display for email clients that don't support Windows Rights Management
This example specifies the text to display to users associated with the UM mailbox policy named
MyUMMailboxPolicy who have email clients that don't support Windows Rights Management.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -ProtectedVoiceMailText "Your email client software does not support Protected Voice Mail. Please contact the Help Desk."

Allow voice mail users to forward calls
2/28/2019 • 6 minutes to read

The Call Answering Rules feature was first introduced in Exchange 2010. Using this feature, users who are enabled
for voice mail can control how their incoming calls should be handled. Call answering rules are applied to
incoming calls similar to the way Inbox rules are applied to incoming email messages.
Call answering rules are created and configured by a voice mail-enabled user using Outlook or Outlook Web App.
The rules are stored along with other voice settings in the user's mailbox. A total of nine call answering rules can be
set up for each UM-enabled mailbox. These rules are independent of the Inbox rules that are set up by users, and
don't take up part of the Inbox rules storage quota for the user.
By default, when a user is enabled for Unified Messaging (UM) and voice mail, no call answering rules are
configured. If an incoming call is answered by the voice mail system, the caller is prompted to leave a voice
message. If the caller doesn't get prompted, the caller can still leave a voice message for the user.
If your users want to have the voice mail system just answer their incoming calls and record a voice message, you
don't have to create any call answering rules. However, if you decide that you want to set up conditions or actions,
you can set them up by using the Call Answering Rules section on the Voice Mail page in Outlook Web App.
Use the Call Answering Rules section to create, edit, and delete call answering rules.

Anatomy of call answering rules


A call answering rule consists of two parts: conditions and actions. You can associate one or more conditions with a
single call answering rule. The call answering rule will only be processed if all the conditions for the rule are met.
You can also associate one or more actions with a single call answering rule. These actions determine what options
will be offered to the caller when the call answering rule is processed.
Call Answering Rules supports the following conditions:
Who the incoming call is from
The time of day
Calendar free/busy status
Whether automatic replies are turned on for email
The following actions are supported:
Find me
Transfer the caller to someone else
Leave a voice message
If a user records a custom greeting for a call answering rule, they must include the menu option as part of the
custom greeting when they configure the call answering rule. If they don't, Unified Messaging won't generate a
menu prompt that lets the caller know what his or her choices are. After the custom greeting is played, the server
will wait for the caller's input. If a menu option isn't included in the greeting, the caller won't input anything and the
server will prompt them, asking "Are you still there?"

Conditions
Conditions are rules that you can apply to call answering rules. By using a combination of conditions, you can
create multiple call answering rules that will trigger when the conditions are met. To create a default rule that will
be applied to every call, you create a rule that doesn't contain any conditions.
There are three conditions that can be used when you set up call answering rules, including:
Caller ID
Time-of-the-day
Free/busy status

Actions
Actions are used to define what you want to happen when a condition is met. The two kinds of actions are:
Find Me
Call Transfer
Adding a Find Me action
When a caller selects Find Me, the voice mail system will attempt to locate you at up to two different phone
numbers, and then connect the caller to you if you're available at one of the phone numbers.
You can specify text that will be read to the caller. For example, if you enter "Urgent Matters" to inform your
callers that they should only select this action if they have important things to discuss with you, the voice
mail system will say "For Urgent Matters, press the 1 key."
You have to associate the Find Me action with the number on the telephone keypad that the caller will press
to select this action. In the example above, the 1 telephone key is the number callers will press to reach you
at the phone number or numbers you specify.
Next, you have to specify the one or two phone numbers that the voice mail system will dial. If you specify
two telephone numbers, the second number will be dialed if you're not available at the first. Each phone
number that you specify has an associated duration. The duration is the time period during which the voice
mail system will try to dial the phone number before it moves on to the next number. Or, if you can't be
contacted, the voice mail system will go back to the options menu.
After you've entered this information, click Apply to save the Find Me settings.
Adding Call Transfer actions
By setting a Call Transfer action, you provide callers with the option to be transferred to another person's phone
number. There are several options that are available when you want to transfer an incoming call to another phone
or contact.
You can specify text that will be read to the caller. For example, you can enter "Important Matters" to inform
your callers that they should choose this option if they have an important matter to discuss and need to
speak to someone.
You have to associate the Call Transfer action with the number on the telephone keypad that the caller will
press to select this action.
When you choose the Call Transfer action, you have to specify a person or phone number for the caller to be
transferred to. You can choose a phone number or select a contact to be called when the caller presses the
correct key on the telephone keypad. If you specify a contact who's within your company directory, the voice
mail system will try to transfer the call to the extension number of that contact.
In addition to specifying a person or number for the caller to be transferred to, you also need to specify the
number on the telephone keypad that the caller will press to select the Call Transfer action.
After you've entered this information, click Apply to save the Call Transfer settings.

Selecting a call answering rule for each incoming call


After you create and configure Call Answering Rules, Unified Messaging will:
1. Determine whether the user has created any call answering rules. If not, UM will offer the caller the option
of leaving a voice message.
2. If one or more call answering rules have been configured, UM will evaluate each of these rules. The first rule
whose conditions are met will be processed.
3. After evaluating all the rules, if UM doesn't find a rule whose conditions are met, UM will ask the caller to
leave a voice message.
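
The three steps above, modelled as an added example (not code from Exchange or the original documentation). The rule objects, the CallerIds and FreeBusy condition fields, the phone number 2065550142 and all function names are constructed for illustration, and evaluating rules in ascending Priority order is an assumption. Get-ShadowedRule goes slightly beyond the text: it flags rules that can never be selected because an earlier rule has no conditions.

```powershell
# Added example: simplified model of first-match call answering rule selection.
# Rule objects are constructed. CallerIds and FreeBusy are hypothetical
# stand-ins for a rule's conditions, not Get-UMCallAnsweringRule output.

function Test-RuleCondition {
    param($Rule, [hashtable]$Call)
    # Every condition present on the rule must be met. A rule with no
    # conditions therefore matches every call (a default rule).
    $ids = @($Rule.CallerIds | Where-Object { $_ })
    if ($ids.Count -gt 0 -and $Call.CallerId -notin $ids) { return $false }
    if ($Rule.FreeBusy -and $Call.FreeBusy -ne $Rule.FreeBusy) { return $false }
    return $true
}

function Get-OrderedRule {
    param([object[]]$Rule = @())
    # Assumption: enabled rules are evaluated in ascending Priority order.
    @($Rule | Where-Object { $_.Enabled } | Sort-Object Priority)
}

function Select-CallAnsweringRule {
    param(
        [object[]]$Rule = @(),
        [Parameter(Mandatory)] [hashtable]$Call
    )
    $ordered = @(Get-OrderedRule -Rule $Rule)

    # Step 1: no rules configured, so the caller is offered voice mail.
    if ($ordered.Count -eq 0) { return 'LeaveVoiceMessage' }

    # Step 2: the first rule whose conditions are all met is processed.
    foreach ($r in $ordered) {
        if (Test-RuleCondition -Rule $r -Call $Call) { return $r.Name }
    }

    # Step 3: no rule matched, so the caller is asked to leave a voice message.
    return 'LeaveVoiceMessage'
}

function Get-ShadowedRule {
    param([object[]]$Rule = @())
    # Once a rule without conditions is reached, every later rule is unreachable.
    $default = $null
    foreach ($r in @(Get-OrderedRule -Rule $Rule)) {
        $hasCondition = @($r.CallerIds | Where-Object { $_ }).Count -gt 0 -or [bool]$r.FreeBusy
        if ($default) {
            [pscustomobject]@{ Rule = $r.Name; ShadowedBy = $default }
        }
        elseif (-not $hasCondition) {
            $default = $r.Name
        }
    }
}

# Constructed sample rules for one mailbox.
$rules = @(
    [pscustomobject]@{ Name = 'VIP callers';   Priority = 1; Enabled = $true; CallerIds = @('4255550100', '4255550123'); FreeBusy = $null },
    [pscustomobject]@{ Name = 'Busy transfer'; Priority = 2; Enabled = $true; CallerIds = @(); FreeBusy = 'Busy' },
    [pscustomobject]@{ Name = 'Catch-all';     Priority = 3; Enabled = $true; CallerIds = @(); FreeBusy = $null },
    [pscustomobject]@{ Name = 'Out of office'; Priority = 4; Enabled = $true; CallerIds = @(); FreeBusy = 'OutOfOffice' }
)

# Known caller: matched by the caller ID rule.
Select-CallAnsweringRule -Rule $rules -Call @{ CallerId = '4255550123'; FreeBusy = 'Free' }
# Unknown caller while the user is busy: matched by the free/busy rule.
Select-CallAnsweringRule -Rule $rules -Call @{ CallerId = '2065550142'; FreeBusy = 'Busy' }
# Unknown caller, user free: falls through to the rule without conditions.
Select-CallAnsweringRule -Rule $rules -Call @{ CallerId = '2065550142'; FreeBusy = 'Free' }
# Mailbox with no rules at all.
Select-CallAnsweringRule -Rule @() -Call @{ CallerId = '2065550142'; FreeBusy = 'Free' }

# Rules that can never fire because an earlier rule matches every call.
Get-ShadowedRule -Rule $rules
```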

Dialing rules
Depending on how a call answering rule is configured, an incoming call may result in a call transfer. When this
happens, the transfer target phone number will be subject to the dialing rules and restrictions on the UM mailbox
policy that the called party is associated with. For more information about outdialing and dialing rules and
restrictions, see Allow users to make calls.
Enabling/disabling Call Answering Rules
By default, Call Answering Rules is automatically enabled for UM-enabled users. However, you can disable call
answering rules for users by disabling the feature on a UM mailbox policy or the user's mailbox. For details about
how to enable or disable Call Answering Rules, see the following topics:
Call answering rules in the same mailbox policy
Call answering rules
Forwarding calls procedures
2/28/2019 • 2 minutes to read

Call answering rules


Call answering rules in the same mailbox policy
Create a call answering rule
View and manage a call answering rule
Enable or disable a call answering rule for a user
Remove a call answering rule for a user
Call answering rules
2/28/2019 • 2 minutes to read

You can specify whether you want individual users to be able to create and manage their own call answering rules
by configuring their mailbox properties. By default, they can create call answering rules.
You can enable or disable Call Answering Rules for multiple users that are enabled for Unified Messaging (UM) by
configuring Call Answering Rules on a UM dial plan or UM mailbox policy.

NOTE
You can't use the EAC to configure this feature. You must use Exchange Online PowerShell to enable or disable Call
Answering Rules for a voice mail user.

For additional management tasks related to allowing users to forward calls, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable or disable call answering rules for a UM-enabled user
This example enables Call Answering Rules for the user tony@contoso.com.

Set-UMMailbox -Identity tony@contoso.com -CallAnsweringRulesEnabled $true

This example disables Call Answering Rules for the user tony@contoso.com.

Set-UMMailbox -Identity tony@contoso.com -CallAnsweringRulesEnabled $false


Call answering rules in the same mailbox policy
2/28/2019 • 2 minutes to read

You can allow users who are associated with a Unified Messaging (UM) mailbox policy to configure call answering
rules, or prevent them from doing so. If the option to configure call answering rules is disabled on a UM dial plan,
the Call Answering Rules feature won't be available to UM-enabled users associated with the UM mailbox policy.
The default setting is enabled.
For additional management tasks related to allowing users to forward calls, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable call answering rules on a UM mailbox policy
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. Under UM Mailbox Policies, select the UM mailbox policy you want to manage, and then click Edit.
3. On the UM Mailbox Policy page, select or clear the check box next to Allow users to configure call
answering rules.
4. Click Save.

Use Exchange Online PowerShell to enable or disable call answering rules on a UM mailbox policy
This example allows users who are associated with the UM mailbox policy MyUMMailboxPolicy to create call
answering rules.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowCallAnsweringRules $true


This example prevents users who are associated with the UM mailbox policy MyUMMailboxPolicy from creating call
answering rules.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowCallAnsweringRules $false


Create a call answering rule
2/28/2019 • 2 minutes to read

You can use Exchange Online PowerShell to create one or more call answering rules for a user. You can also use
the New-UMCallAnsweringRule cmdlet in a PowerShell script to create call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.

NOTE
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.

For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call answering rules" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to use Windows
PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to create a call answering rule


This example creates the call answering rule MyCallAnsweringRule in the mailbox for Tony Smith with the priority of
2.

New-UMCallAnsweringRule -Name MyCallAnsweringRule -Priority 2 -Mailbox tonysmith

This example creates the call answering rule MyCallAnsweringRule in the mailbox for Tony Smith and performs the
following actions:
Sets the call answering rule to two caller IDs.
Sets the priority of the call answering rule to 2.
Sets the call answering rule to allow callers to interrupt the greeting.

New-UMCallAnsweringRule -Name MyCallAnsweringRule -CallerIds "1,4255550100,,","1,4255550123,," -Priority 2 -CallersCanInterruptGreeting $true -Mailbox tonysmith

This example creates the call answering rule MyCallAnsweringRule in the mailbox for Tony Smith and performs the
following actions:

Sets the priority of the call answering rule to 2.

Creates key mappings for the call answering rule.

If the caller reaches the voice mail for the user and the status of the user is set to Busy, the caller can:

- Press the 1 key and be transferred to a receptionist at extension 45678.

- Press the 2 key so the Find Me feature will be used for urgent issues, ring extension 23456 first, and then
ring extension 45671.

New-UMCallAnsweringRule -Name MyCallAnsweringRule -Priority 2 -Mailbox tonysmith -ScheduleStatus 0x4 -KeyMappings "1,1,Receptionist,,,,,45678,","5,2,Urgent Issues,23456,23,45671,50,,"

View and manage a call answering rule
2/28/2019 • 2 minutes to read

You can use Exchange Online PowerShell to view or configure one or more call answering rules for a user. You can
also use the Get-UMCallAnsweringRule or Set-UMCallAnsweringRule cmdlets in a PowerShell script to view
or manage call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.

IMPORTANT
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.

For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call answering rules" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to view a call answering rule


You can retrieve the properties for a single call answering rule or a list of call answering rules in a UM-enabled
user's mailbox.
This example returns a formatted list of call answering rules in a user's UM-enabled mailbox.

Get-UMCallAnsweringRule -Mailbox tonysmith | Format-List


This example displays the properties of the call answering rule MyUMCallAnsweringRule.

Get-UMCallAnsweringRule -Identity MyUMCallAnsweringRule

Use Exchange Online PowerShell to configure a call answering rule


You can configure or change a call answering rule that's stored in a user's mailbox. You can specify the following
conditions:
Who the incoming call is from
Time of day
Calendar free/busy status
Whether automatic replies are turned on for email
You can also specify the following actions:
Find me
Transfer the caller to someone else
Leave a voice message
This example sets the priority to 2 on the call answering rule MyCallAnsweringRule that exists in the mailbox for
Tony Smith.

Set-UMCallAnsweringRule -Mailbox tonysmith -Name MyCallAnsweringRule -Priority 2

This example performs the following actions on the call answering rule MyCallAnsweringRule in the mailbox for
Tony Smith:
Sets the call answering rule to two caller IDs.
Sets the priority of the call answering rule to 2.
Sets the call answering rule to allow callers to interrupt the greeting.

Set-UMCallAnsweringRule -Name MyCallAnsweringRule -CallerIds "1,4255550100,,","1,4255550123,," -Priority 2 -CallersCanInterruptGreeting $true -Mailbox tonysmith

This example changes the free/busy status to Away on the call answering rule MyCallAnsweringRule in the mailbox
for Tony Smith and sets the priority to 2.

Set-UMCallAnsweringRule -Name MyCallAnsweringRule -Priority 2 -Mailbox tonysmith@contoso.com -ScheduleStatus 0x8
Enable or disable a call answering rule for a user
2/28/2019 • 3 minutes to read

You can use Exchange Online PowerShell to enable or disable one or more call answering rules for a user. You can
also use the Enable-UMCallAnsweringRule or Disable-UMCallAnsweringRule cmdlets in a PowerShell
script to enable or disable one or more call answering rules for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.
For additional management tasks related to call answering rules, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call answering rules" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable a call answering rule


When a call answering rule is created, it's enabled. You can use Exchange Online PowerShell to enable a call
answering rule that was previously disabled. Enabling a call answering rule enables the
Enable-UMCallAnsweringRule cmdlet to retrieve the call answering rule, including the conditions and actions for a
specified call answering rule.
This example enables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith.

Enable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith

The example uses the WhatIf switch to test whether the call answering rule MyUMCallAnsweringRule in the mailbox
for Tony Smith is ready to be enabled and if there are any errors within the command.
Enable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith -WhatIf

This example enables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith and prompts
the signed-in user to confirm that the call answering rule is to be enabled.

Enable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith -Confirm

Use Exchange Online PowerShell to disable a call answering rule


Disabling a call answering rule prevents it from being retrieved and processed when an incoming call is received.
When you create a call answering rule, you should disable it while you're setting up conditions and actions. This
prevents the call answering rule from being processed when an incoming call is received before you've correctly
configured the call answering rule.
This example disables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith.

Disable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith

This example uses the WhatIf switch to test whether the call answering rule MyUMCallAnsweringRule in the mailbox
for Tony Smith is ready to be disabled and if there are any errors within the command.

Disable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith -WhatIf

This example disables the call answering rule MyUMCallAnsweringRule in the mailbox for Tony Smith and prompts
the signed-in user to confirm that they're disabling the call answering rule.

Disable-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith -Confirm


Remove a call answering rule for a user
2/28/2019 • 2 minutes to read

You can use Exchange Online PowerShell to remove one or more call answering rules for a user. You can also use
the Remove-UMCallAnsweringRule cmdlet in a PowerShell script to remove one or more call answering rules
for multiple users.
Call answering rules are applied to incoming calls similar to the way Inbox rules are applied to incoming email
messages. By default, when a user is enabled for Unified Messaging (UM), no call answering rules are configured.
Even so, incoming calls are answered by the mail system and callers are prompted to leave a voice message.

NOTE
Users that are UM-enabled can sign in to Outlook Web App to create, manage, and remove call answering rules.

For additional management tasks related to Call Answering Rules, see Forwarding calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call answering rules" entry in the Unified Messaging Permissions topic.
Before you perform this procedure, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that a UM mailbox policy has been created. For detailed steps,
see Create a UM mailbox policy.
Before you perform this procedure, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to remove a call answering rule


This example removes the call answering rule MyUMCallAnsweringRule from a user's mailbox. The user's mailbox is
the mailbox of the user running the cmdlet.

Remove-UMCallAnsweringRule -Identity MyUMCallAnsweringRule

This example removes the call answering rule MyUMCallAnsweringRule from the mailbox of Tony Smith.
Remove-UMCallAnsweringRule -Identity MyUMCallAnsweringRule -Mailbox tonysmith
Allow users to see a voice mail transcript
2/28/2019 • 7 minutes to read

Voice Mail Preview is a feature that's available to users who receive their voice mail messages from Unified
Messaging (UM). Voice Mail Preview enhances the existing UM voice mail functionality by providing a text version
of audio recordings. The voice mail text is displayed in email messages within Microsoft Outlook Web App,
Outlook 2010 and later versions, and in other supported email programs. For more information, see Microsoft
Speech Technologies.

Do users need to use a specific email program?


No. Voice Mail Preview is included in the message body text of any email program, including mobile programs.
Although users can use other email programs to receive voice messages, Outlook and Outlook Web App provide a
better experience. For example, in Outlook 2010 and later versions, when a specific word is clicked in the Voice
Mail Preview text, the audio playback of the voice message will start to play at that word. This is useful for listening
to a specific part of a voice message.

Can users search for specific voice mail messages?


Yes. Words and phrases in the Voice Mail Preview text are automatically indexed, so voice messages will appear in
search results. In Outlook 2010 and later versions or in Outlook Web App, users can also use the Audio Notes
box to add text about a voice message. These notes are also included in searches, to make it easier to locate a
message.

Why is this feature called "Voice Mail Preview"?


It's important to set users' expectations correctly. Voice Mail Preview doesn't necessarily produce text that's the
same as what callers say in their voice messages. In fact, it's usually inaccurate in some way. To call it transcription
would suggest a more perfect result than can generally be achieved. Preview suggests that the reader should be
able to understand the gist of the voice content, which is closer to the real capability of the feature.

What makes the Voice Mail Preview text more or less accurate?
The accuracy of the Voice Mail Preview text depends on many factors, and sometimes those factors can't be
controlled. However, Voice Mail Preview text is likely to be more accurate when:
The caller leaves a simple voice message that doesn't include slang terms, technical jargon, or unusual
words or phrases.
The caller uses a language that's easily recognized and translated by the voice mail system. Generally, voice
messages left by callers who don't speak too quickly or too softly and who don't have strong accents will
produce more accurate sentences and phrases.
The voice message is free of background noise and echo, and the audio doesn't drop out.

Which languages can be used with Voice Mail Preview?


Voice Mail Preview text is available in the following languages:
English (US) (en-US)
English (Canada) (en-CA)
French (France) (fr-FR)
Italian (it-IT)
Polish (pl-PL)
Portuguese (Portugal) (pt-PT)
Spanish (Spain) (es-ES)
If you have an on-premises or hybrid deployment of UM, you can download the UM language packs from the
Microsoft Download Center.
If you have an on-premises or hybrid deployment, after you install a UM language pack, the dial plans and auto
attendants can be configured to use the language you've chosen. For online customers, you don't have to install
any UM language packs. Many companies have only one UM dial plan. UM will try to create a voice mail preview
in the default dial plan language, but will only be successful if the default language supports Voice Mail Preview. A
UM dial plan can only be configured to create voice mail previews in one language at a time.
To configure UM to provide voice mail previews in a language other than en-US, follow these steps:
1. Verify that Voice Mail Preview is supported in the language you want to use.
2. If you have an on-premises or hybrid deployment, download and install the appropriate UM language pack.
Downloading and installing the language pack doesn't configure the dial plan default language.
3. Configure the dial plan with the language that will be used for Voice Mail Preview. For more information,
see Set the default language on a dial plan.
How Voice Mail Preview displays text in the supported languages depends on the type of voice message that's
sent. There are two types:
Voice messages that are recorded when a user doesn't answer their phone
For these messages, the language used for Voice Mail Preview is determined by the caller's spoken
language and whether the language is supported. For example, if a caller leaves a voice message in Italian,
the Voice Mail Preview text will appear in Italian if Italian has been configured on the dial plan. However, if a
caller leaves a message in Japanese, no Voice Mail Preview text will be included with the message because
Japanese isn't available.
Voice messages that are sent by an Outlook Voice Access user
For messages sent by an Outlook Voice Access user, the language that's used for Voice Mail Preview is
controlled by the voice mail administrator. Thus, the Voice Mail Preview text will be in the same language as
the voice mail system. However, if a caller speaking a language that's not supported for Voice Mail Preview
uses Outlook Voice Access to leave a message, no Voice Mail Preview text will be included with the
message. To learn more about Outlook Voice Access, see Setting up Outlook Voice Access.

Does UM know when a voice mail preview is inaccurate?


The confidence level is determined for each voice mail preview included with a voice message. The voice mail
system measures how well the sounds in the recording match the words, numbers, and phrases. If matches are
found easily, the confidence level is high. A higher level of confidence is generally associated with a higher
accuracy.
If the confidence level is determined to be lower than a certain value, the phrase Voice Mail Preview
(confidence is low) is included above the Voice Mail Preview text. If the confidence level is low, it's likely that the
Voice Mail Preview text will be inaccurate.
Unified Messaging uses Automatic Speech Recognition (ASR) to calculate its confidence in the preview, but it has
no way to determine which words are wrong and which are correct.
However, UM does try to learn to improve accuracy of its voice mail previews. For example, it tries to match the
caller's telephone number (if provided) with the user's personal Contacts and your organization's address book or
contacts from social networks. If UM finds a match, it will include the name of the caller, along with its standard
lists of names and words, when running ASR on the voice recording.
Can Voice Mail Preview be used if it isn't completely accurate?
Users may have a better experience with Voice Mail Preview if they don't try to read the preview too carefully,
word by word. Instead, they should look for names, phone numbers, and phrases such as "Call me back" or "I need
to talk" that may provide clues about the purpose of the call.
Voice Mail Preview isn't expected to dictate messages exactly, but it can help users answer questions such as the
following:
Is this voice message related to my work?
Is this voice message important to me?
Did the caller leave a number? Is it different from any numbers that I may have listed for them?
Does the caller consider this voice message urgent?
Should I step out of a meeting to call this person back?
I was expecting a call to confirm my request. Is this the confirmation call?

Can Voice Mail Preview be turned on or off?


Yes. If you've enabled Voice Mail Preview, users can turn it on or off using Outlook 2010 or a later version or
Outlook Web App. However, the dial plan language must support Voice Mail Preview and the UM language pack
for that language must be installed.
Although Voice Mail Preview settings are the same whether a user is using Outlook 2010 or a later version or
Outlook Web App, they'll access them differently:
Outlook Web App
To access the Voice Mail Preview settings in Outlook Web App, users click Settings > phone > Voice mail. On
the Voice mail page, the settings are available under voice mail preview.
By default, both Voice Mail Preview options are available when a user is enabled for Unified Messaging. If the UM
dial plan is configured to use a UM language pack that supports Voice Mail Preview, Unified Messaging will create
voice mail previews for users when:
A caller leaves a voice mail message because the user doesn't answer their phone.
A UM-enabled user signs in to Outlook Voice Access and records a voice message for one or more
recipients.
When a caller leaves a voice message, and Include preview text with voice messages I receive is selected,
Unified Messaging will create a voice mail preview in the email message, attach the audio file, and send it to the
recipient's mailbox. You may want to disable this option if the language that's configured on the dial plan doesn't
include Voice Mail Preview support and you don't want voice mail previews included in voice mail messages.
When users sign in to Outlook Voice Access and they send a voice message to another user, they may want to clear
the Include preview text with voice messages I send through Outlook Voice Access check box. For
example, they might want to do this if they're sending voice messages in a language that Voice Mail Preview
doesn't support or if they don't want to include the voice mail preview with the voice message because it's too
long.
Voice Mail Preview advisor
2/28/2019 • 5 minutes to read

Microsoft Exchange Unified Messaging (UM) includes a feature called Voice Mail Preview, which uses automatic
speech recognition (ASR) to add a text version of the voice mail audio file to voice mail messages. ASR isn't
entirely accurate, especially when it's applied to audio recorded over a phone that contains unknown voices and noises.
Some organizations require consistently error-free (or near-error-free) transcripts of voice messages. The Voice
Mail Preview Partner program can help such organizations meet those requirements.
Voice Mail Preview uses Microsoft speech technologies to provide a text version of audio recordings. The voice
mail text is displayed in email messages within Microsoft Outlook Web App, Outlook 2010 or later versions, and
other email programs.
By default, when you enable a user for UM in an on-premises or hybrid deployment, voice mail previews will be
sent if a supported UM language pack is installed. When you enable a user for UM in Exchange Online, all the UM
language packs are installed. However, Voice Mail Preview isn't supported in all languages that are installed.
There are Voice Mail Preview partners that offer enhanced transcription support and services for the Voice Mail
Preview feature. These partners employ people to correct voice mail transcriptions that were created using ASR.
Each Voice Mail Preview partner must meet a set of requirements to be certified to interoperate with Exchange
UM.
If you determine that the voice mail previews sent to your users aren't accurate enough, you can contact one of the
certified Voice Mail Preview partners listed at Microsoft Pinpoint and sign up with them at an additional cost.

Overview
When Unified Messaging records the audio for a voice message, it uses ASR to create voice mail preview text
from the audio file, and then submits the whole voice message for delivery to the user. For each voice message
that's created, Unified Messaging determines a confidence level for the voice mail preview included with the
message. It measures how well the sounds in the recording match the words, numbers, and phrases in the
message. If the system finds matches easily, the confidence level will be high. A higher level of confidence is
generally associated with a higher accuracy.
The accuracy of voice mail preview text depends on many factors, and sometimes those factors can't be controlled.
However, the text is likely to be more accurate when:
A simple voice message is left, and the caller doesn't use slang terms, technical jargon, or unusual words or
phrases.
The caller uses a language that's easily recognized and translated by the voice mail system. Generally, voice
messages left by callers who don't speak too quickly or too softly and who don't have strong accents will
produce more accurate sentences and phrases.
The voice message is free of background noise and echoes, and the audio doesn't drop out.
Most customers who use Unified Messaging find that the voice mail previews are accurate enough for their users.
However, when ASR is applied to recordings made over the phone by unknown voices and background noises,
the voice mail preview text usually isn't completely accurate. If the level of confidence is consistently low or the
voice mail previews that are received aren't very accurate, you can increase the accuracy of the voice mail previews
that users receive as follows:
Sign up for a voice transcription service from a Voice Mail Preview partner.
After you've signed up with a Voice Mail Preview partner, set the partner up to work with UM. For more
information about how to configure UM for a Voice Mail Preview partner, see Configure Voice Mail
Preview partner services for users.
When you've signed up with a Voice Mail Preview partner, the Exchange servers in your organization redirect
voice messages with the audio file attached to the Voice Mail Preview partner instead of generating voice mail
preview text for voice messages and submitting the voice messages to the user's mailbox. The email message with
the voice mail preview text produced by the Voice Mail Preview partner is then submitted to the Exchange servers
in your organization for delivery to the recipient's mailbox.

IMPORTANT
We recommend that all customers who plan to deploy Unified Messaging obtain the assistance of a UM specialist. A UM
specialist helps you ensure that there's a smooth transition to UM from a legacy voice mail system. Performing a new
deployment or upgrading a legacy voice mail system requires significant knowledge about VoIP gateways, IP PBXs, PBXs,
session border controllers (SBCs), and Unified Messaging. For more information about how to contact a UM specialist, see
the Microsoft Exchange Server Unified Messaging (UM) Specialists or Microsoft Pinpoint for Unified Messaging.

Exchange Unified Messaging Voice Mail Partner program


To become certified as a Voice Mail Preview partner that interoperates with Exchange UM, the partner must
implement the requirements contained in the Voice Mail Preview Interoperability Specification, and the partner
solution must be certified by an independent certification vendor.

Voice Mail Preview partners certified for Exchange Unified Messaging


If you've already deployed Unified Messaging in your organization and you're looking for a certified Voice Mail
Preview partner to provide transcription support services, see Microsoft PinPoint. These software vendors have
been certified as interoperable with Exchange UM.

Configuring Voice Mail Preview partners


After UM has been configured, it forwards voice messages with the audio to a dedicated Voice Mail Preview
partner, which then takes the audio file and creates the voice mail preview text. However, to allow users to receive
the voice mail preview with their voice message in their mailbox, you must configure a UM mailbox policy,
associate users with the UM mailbox policy, and then have the users verify that they can receive voice mail
previews in their voice messages in Outlook 2010 or a later version or Outlook Web App. For more information
about how to configure UM for a Voice Mail Preview partner, see Configure Voice Mail Preview partner services
for users.

VoIP or media gateways and IP PBX support


Configuring VoIP gateways and IP PBXs for your organization is a difficult deployment task that must be
completed correctly to successfully deploy Unified Messaging with a Voice Mail Preview partner. For information
that can help you configure your VoIP gateways and IP PBXs, and for the most up-to-date information about how
to configure them, see Telephony advisor for Exchange 2013 or Configuration notes for supported VoIP gateways,
IP PBXs, and PBXs.
Testing interoperability of Exchange UM with VoIP gateways has been integrated with the Microsoft Unified
Communications Open Interoperability Program. For more information, see Microsoft Unified Communications
Open Interoperability Program.
Voice Mail Preview procedures
2/28/2019 • 2 minutes to read

Configure Voice Mail Preview partner services for users


Set the Voice Mail Preview partner address
Set the Voice Mail Preview partner ID
Set the maximum message duration for a Voice Mail Preview partner
Set the maximum delivery delay for a Voice Mail Preview partner
Enable Voice Mail Preview for users
Disable Voice Mail Preview for users
Configure Voice Mail Preview partner services for users
2/28/2019 • 2 minutes to read

You can configure a Voice Mail Preview partner on a Unified Messaging (UM) mailbox policy. After you've
configured Voice Mail Preview partner settings, such as the Voice Mail Preview partner ID and Voice Mail Preview
partner address, on a UM mailbox policy, the settings you configure will apply to all UM-enabled users who are
linked with that mailbox policy.

NOTE
You must use Exchange Online PowerShell to configure a Voice Mail Preview partner.

For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Step 1: Sign up with a partner service


To find the list of certified partners and detailed instructions for how to sign up, see Voice Mail Preview advisor or
see the Microsoft PinPoint website. After you've signed up, the Voice Mail Preview partner will provide you a
partner ID and the SMTP address to use to forward the voice messages.
In Step 2, you'll apply the Partner ID and SMTP address you acquired in Step 1 to the required UM mailbox
policies.

Step 2: Set the Voice Mail Preview partner address and ID


This example sets the Voice Mail Preview partner address to exumvmp@fabrikam.com and the Voice Mail
Preview partner ID to CON123-2010 on a UM mailbox policy named MyUMMailboxPolicy.
Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerAddress exumvmp@fabrikam.com -VoiceMailPreviewPartnerAssignedID CON123-2010

Step 3: Configure advanced Voice Mail Preview partner settings


If the partner requires custom settings, you may want to set two additional parameters for a Voice Mail Preview
partner as follows:
VoiceMailPreviewPartnerMaxMessageDuration
VoiceMailPreviewPartnerMaxDeliveryDelay
This example sets the maximum message duration to 300 seconds (5 minutes) and the maximum delivery delay to
600 seconds (10 minutes) on a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerMaxMessageDuration 300 -VoiceMailPreviewPartnerMaxDeliveryDelay 600

Step 4: Assign a UM-enabled user to the UM mailbox policy for a Voice Mail Preview partner


If you want to configure the Voice Mail Preview partner service for some, but not all, UM-enabled users in a UM
dial plan, you must create a new UM mailbox policy and configure the partner settings. When you've finished, you
can apply the new policy to selected UM-enabled users. For more information about how to assign a UM-enabled
user to a UM mailbox policy, see the following topics:
Assign a UM mailbox policy
Set-UMMailbox
For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
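
Because the partner address on a UM mailbox policy determines where voice messages for every linked user are forwarded, each policy can be checked against the address and ID the partner issued. The following is an added example, not part of the original documentation: the function name Test-VmpPartnerPolicy, its parameters and the sample policy objects are assumptions, and the objects are constructed stand-ins for Get-UMMailboxPolicy output.

```powershell
# Added example (not from the original documentation).
# Test-VmpPartnerPolicy, its parameters and the sample objects are assumptions made
# for illustration; the VoiceMailPreviewPartner* property names are the settings the
# page configures with Set-UMMailboxPolicy.

function Test-VmpPartnerPolicy {
    [CmdletBinding()]
    param(
        # A UM mailbox policy object (or a stand-in with the same property names).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # SMTP address and partner ID issued by the partner you signed up with.
        [Parameter(Mandatory)]
        [string]$ApprovedAddress,

        [Parameter(Mandatory)]
        [string]$ApprovedPartnerId,

        # Optional: the advanced settings agreed with the partner, in seconds.
        [int]$AgreedMaxDurationSeconds,
        [int]$AgreedMaxDelaySeconds
    )

    process {
        $address   = [string]$Policy.VoiceMailPreviewPartnerAddress
        $partnerId = [string]$Policy.VoiceMailPreviewPartnerAssignedID
        $findings  = [System.Collections.Generic.List[string]]::new()

        if ([string]::IsNullOrWhiteSpace($address)) {
            # No partner address: voice messages are not forwarded to a partner.
            if (-not [string]::IsNullOrWhiteSpace($partnerId)) {
                $findings.Add('Partner ID is set but no partner address is configured')
            }
        }
        else {
            # -ne on strings is case-insensitive, which suits SMTP addresses.
            if ($address -ne $ApprovedAddress) {
                $findings.Add("Forwards voice messages to unapproved address '$address'")
            }
            if ($partnerId -ne $ApprovedPartnerId) {
                $findings.Add("Partner ID '$partnerId' does not match the approved ID")
            }
            if ($PSBoundParameters.ContainsKey('AgreedMaxDurationSeconds') -and
                [int]$Policy.VoiceMailPreviewPartnerMaxMessageDuration -ne $AgreedMaxDurationSeconds) {
                $findings.Add('Maximum message duration differs from the agreed value')
            }
            if ($PSBoundParameters.ContainsKey('AgreedMaxDelaySeconds') -and
                [int]$Policy.VoiceMailPreviewPartnerMaxDeliveryDelay -ne $AgreedMaxDelaySeconds) {
                $findings.Add('Maximum delivery delay differs from the agreed value')
            }
        }

        [pscustomobject]@{
            Policy         = $Policy.Name
            PartnerAddress = $address
            ForwardsAudio  = -not [string]::IsNullOrWhiteSpace($address)
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample data standing in for Get-UMMailboxPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Name                                      = 'MyUMMailboxPolicy'
        VoiceMailPreviewPartnerAddress            = 'exumvmp@fabrikam.com'
        VoiceMailPreviewPartnerAssignedID         = 'CON123-2010'
        VoiceMailPreviewPartnerMaxMessageDuration = 300
        VoiceMailPreviewPartnerMaxDeliveryDelay   = 600
    },
    [pscustomobject]@{
        Name                                      = 'ExamplePolicyB'          # constructed
        VoiceMailPreviewPartnerAddress            = 'vmp@partner.example'     # constructed
        VoiceMailPreviewPartnerAssignedID         = 'CON123-2010'
        VoiceMailPreviewPartnerMaxMessageDuration = 300
        VoiceMailPreviewPartnerMaxDeliveryDelay   = 600
    },
    [pscustomobject]@{
        Name                                      = 'ExamplePolicyC'          # constructed
        VoiceMailPreviewPartnerAddress            = $null
        VoiceMailPreviewPartnerAssignedID         = $null
        VoiceMailPreviewPartnerMaxMessageDuration = $null
        VoiceMailPreviewPartnerMaxDeliveryDelay   = $null
    }
)

# In a connected Exchange Online PowerShell session, pipe Get-UMMailboxPolicy
# into the function instead of $samplePolicies.
$samplePolicies |
    Test-VmpPartnerPolicy -ApprovedAddress 'exumvmp@fabrikam.com' `
                          -ApprovedPartnerId 'CON123-2010' `
                          -AgreedMaxDurationSeconds 300 `
                          -AgreedMaxDelaySeconds 600 |
    Format-Table -AutoSize -Wrap
```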
Set the Voice Mail Preview partner address
2/28/2019 • 2 minutes to read

You can set a Voice Mail Preview partner address on a Unified Messaging (UM) mailbox policy. After you've set the
Voice Mail Preview partner address on a UM mailbox policy, the setting will apply to all UM-enabled users who are
linked with that mailbox policy.

NOTE
You must use Exchange Online PowerShell to set a Voice Mail Preview partner address.

For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to Voice Mail Preview, see Voice Mail Preview procedures.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed steps, see
Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the Voice Mail Preview partner address on a UM mailbox policy
This example sets the Voice Mail Preview partner address to exumvmp@fabrikam.com on a UM mailbox policy
named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerAddress exumvmp@fabrikam.com


Set the Voice Mail Preview partner ID
2/28/2019 • 2 minutes to read

You can set a Voice Mail Preview partner ID on a Unified Messaging (UM) mailbox policy. After you've set the
Voice Mail Preview partner ID on a UM mailbox policy, the setting will apply to all UM-enabled users who are
linked with that mailbox policy.

NOTE
You must use Exchange Online PowerShell to set the Voice Mail Preview partner ID.

For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to voice mail preview, see Voice Mail Preview procedures.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the Voice Mail Preview partner
ID on a UM mailbox policy
This example sets the Voice Mail Preview partner ID to CON123-2010 on a UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerAssignedID CON123-2010

Set the maximum message duration for a Voice Mail
Preview partner
2/28/2019 • 2 minutes to read

You can set the maximum message duration for a Voice Mail Preview partner on a Unified Messaging (UM)
mailbox policy. After you've set the maximum message duration, the setting will apply to all UM-enabled users who
are linked with that mailbox policy.

NOTE
You must use Exchange Online PowerShell to set the maximum message duration for a Voice Mail Preview partner.

For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to Voice Mail Preview, see Voice Mail Preview procedures.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the maximum message
duration for a Voice Mail Preview partner
This example sets the maximum message duration for a Voice Mail Preview partner to 300 seconds (5 minutes) on
a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerMaxMessageDuration 300


Set the maximum delivery delay for a Voice Mail
Preview partner
2/28/2019 • 2 minutes to read

You can set the maximum delivery delay for a Voice Mail Preview partner on a Unified Messaging (UM) mailbox
policy. After you've set the maximum delivery delay, the setting will apply to all UM-enabled users who are linked
with that UM mailbox policy.

NOTE
You must use Exchange Online PowerShell to set the maximum delivery delay for a Voice Mail Preview partner.

For more information about the Voice Mail Preview partner program, see Voice Mail Preview advisor.
For additional management tasks related to voice mail preview, see Voice Mail Preview procedures.

What do you need to know before you begin?


Estimated time to complete: 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the maximum delivery delay for
a Voice Mail Preview partner
This example sets the maximum delivery delay to 600 seconds (10 minutes) on a UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -VoiceMailPreviewPartnerMaxDeliveryDelay 600
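
The partner address, partner ID, maximum message duration, and maximum delivery delay set in the preceding topics can be reviewed together per policy. The following is an added example, not part of the original documentation: the function name, the approved-domain list, and the sample policy objects are constructed for illustration, and in a connected Exchange Online PowerShell session the output of Get-UMMailboxPolicy would be passed in place of the sample data.

```powershell
# Added example (not from the original page): reviews the four Voice Mail
# Preview partner settings on each UM mailbox policy. The function name, the
# approved-domain list and the sample objects are constructed for illustration.

function Get-VoiceMailPreviewPartnerReview {
    param(
        # Objects shaped like Get-UMMailboxPolicy output.
        [Parameter(Mandatory)] [object[]] $Policy,
        # Mail domains of the partners your organization expects (assumption).
        [Parameter(Mandatory)] [string[]] $ApprovedDomain
    )

    foreach ($p in $Policy) {
        $address = [string]$p.VoiceMailPreviewPartnerAddress

        # Take the part after the last "@" as the partner's mail domain.
        $domain = if ($address -match '@') {
            ($address -split '@')[-1].Trim().ToLowerInvariant()
        } else {
            ''
        }

        # -contains compares strings case-insensitively by default.
        $finding = if ([string]::IsNullOrWhiteSpace($address)) {
            'NoPartnerConfigured'
        } elseif ($ApprovedDomain -contains $domain) {
            'ApprovedPartner'
        } else {
            'UnapprovedPartnerDomain'
        }

        [pscustomobject]@{
            Policy             = [string]$p.Name
            PartnerAddress     = $address
            PartnerAssignedID  = [string]$p.VoiceMailPreviewPartnerAssignedID
            MaxMessageDuration = $p.VoiceMailPreviewPartnerMaxMessageDuration
            MaxDeliveryDelay   = $p.VoiceMailPreviewPartnerMaxDeliveryDelay
            Finding            = $finding
        }
    }
}

# Constructed sample data. The first entry reuses the values from the examples
# on this page; the other two are made up to exercise the remaining findings.
$samplePolicies = @(
    [pscustomobject]@{
        Name                                      = 'MyUMMailboxPolicy'
        VoiceMailPreviewPartnerAddress            = 'exumvmp@fabrikam.com'
        VoiceMailPreviewPartnerAssignedID         = 'CON123-2010'
        VoiceMailPreviewPartnerMaxMessageDuration = 300
        VoiceMailPreviewPartnerMaxDeliveryDelay   = 600
    }
    [pscustomobject]@{
        Name                                      = 'SamplePolicyNoPartner'
        VoiceMailPreviewPartnerAddress            = $null
        VoiceMailPreviewPartnerAssignedID         = $null
        VoiceMailPreviewPartnerMaxMessageDuration = 180
        VoiceMailPreviewPartnerMaxDeliveryDelay   = 1200
    }
    [pscustomobject]@{
        Name                                      = 'SamplePolicyOtherPartner'
        VoiceMailPreviewPartnerAddress            = 'transcribe@partner.example'
        VoiceMailPreviewPartnerAssignedID         = 'SAMPLE-ID'
        VoiceMailPreviewPartnerMaxMessageDuration = 300
        VoiceMailPreviewPartnerMaxDeliveryDelay   = 600
    }
)

# In a connected session, use: -Policy (Get-UMMailboxPolicy)
Get-VoiceMailPreviewPartnerReview -Policy $samplePolicies -ApprovedDomain 'fabrikam.com' |
    Format-Table -AutoSize
```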


Enable Voice Mail Preview for users
2/28/2019 • 2 minutes to read

You can enable the Voice Mail Preview feature for users associated with a Unified Messaging (UM) mailbox policy
if it has been disabled. Enabling this setting allows users to receive the text of a voice mail message in the message
body of an email or text message. The default setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable Voice Mail Preview


1. In the EAC, navigate to Unified Messaging > UM dial plans, select the UM dial plan you want to change,
and then click Edit .
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit .
3. On the UM Mailbox Policy page > General, select the check box next to Allow voice mail preview.
4. Click Save.

Use Exchange Online PowerShell to enable Voice Mail Preview


This example allows users who are associated with the UM mailbox policy MyUMMailboxPolicy to use the Voice Mail
Preview feature.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowVoiceMailPreview $true


Disable Voice Mail Preview for users
2/28/2019 • 2 minutes to read

You can disable the Voice Mail Preview feature for users associated with a Unified Messaging (UM) mailbox policy.
Disabling this setting prevents users from receiving the text of a voice mail message in the message body of an
email or text message. The default setting is enabled.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable Voice Mail Preview


1. In the EAC, navigate to Unified Messaging > UM Dial plans, select the UM dial plan you want to change,
and then click Edit .
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit .
3. On the UM Mailbox Policy page > General, clear the check box next to Allow voice mail preview.
4. Click Save.

Use Exchange Online PowerShell to disable Voice Mail Preview


This example prevents users who are associated with the UM mailbox policy MyUMMailboxPolicy from using the
Voice Mail Preview feature.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowVoiceMailPreview $false


MWI in Exchange Online
3/29/2019 • 9 minutes to read

Message Waiting Indicator (MWI) is a feature that's found in most voice mail systems. It lets users know that they
have new or unheard voice mail messages. In its most common form, this feature lights a lamp on a user's phone
to indicate the presence of a new or unheard voice message.

Overview
MWI notifications can include any mechanism that indicates the existence of a new or unheard voice message. The
message can be in a new email message or one that's marked as unread. The MWI notification might take any of
the following forms:
A new voice message seen from Microsoft Outlook or Outlook Web App.
A lamp on a digital, analog, USB, or VoIP phone.
A special dial tone.
Icons or buttons on the display screen of a digital, analog, USB, or VoIP phone.
A highlighted notification within a software application such as:
Lync 2010 and 2013 desktop clients
Lync Mobile client app for Windows Phone, Microsoft Surface, and iOS devices
A text or Short Messaging Service (SMS) message sent to a mobile phone that's configured to receive text
messages.
In Exchange Online, a user's voice mail is stored in their mailbox. It can be accessed from a telephone using
Outlook Voice Access, from a desktop or portable computer using Outlook or Outlook Web App, and from mobile
phone clients. When a user receives a new voice message, the message appears in their Voice Mail search folder. If
the voice message is accessed using Outlook or Outlook Web App, an email message will be included with the
voice message.
By default, MWI is turned on for all users who are enabled for Unified Messaging (UM). It's controlled through
settings on a UM mailbox policy or on the UM IP gateways that have been created and linked to a UM dial plan.
MWI also works with protected voice messages.

MWI administration
MWI can be administered by configuring settings on two UM components: UM mailbox policies and UM IP
gateways. For both UM components, you can enable or disable MWI notifications by using the
Set-UMMailboxPolicy cmdlet or the Set-UMIPGateway cmdlet in Exchange Online PowerShell. You can also
configure the settings by using the Exchange admin center (EAC). You can view the status of MWI notifications by
using the Get-UMMailboxPolicy cmdlet and the Get-UMIPGateway cmdlet in Exchange Online PowerShell, or
by viewing the settings in the EAC.
UM mailbox policies and MWI
You can create a UM mailbox policy to apply a common set of UM policy settings to a collection of UM-enabled
mailboxes. For example, you can use a UM mailbox policy to apply PIN policy settings, dialing restrictions, and
MWI notifications settings. If you enable or disable MWI on a UM mailbox policy, it will be enabled or disabled for
all UM-enabled users who are linked with that UM mailbox policy. The MWI setting can also apply to a subset of
the users who are linked with a UM dial plan. To learn more about UM mailbox policies, including how to enable or
disable MWI for a group of UM-enabled users, see UM mailbox policy procedures.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure the MWI
setting, as shown in the following table.
Message Waiting Indicator setting on a UM mailbox policy

PARAMETER | SETTING AVAILABLE IN THE EAC? | DESCRIPTION
AllowMessageWaitingIndicator | Yes | The AllowMessageWaitingIndicator parameter specifies whether users who are linked with a UM mailbox policy can receive MWI notifications when they receive a new voice message. The default value is $true. When this setting is enabled, MWI notifications are sent to users who are linked with a single UM mailbox policy for calls taken by a UM IP gateway. This setting allows the UM IP gateway to receive and send SIP NOTIFY messages to UM-enabled users' phones or SIP endpoints.

For more information about how to manage MWI settings on a UM mailbox policy, see the following topics:
Manage a UM mailbox policy
Enable Message Waiting Indicator (MWI) for users
Disable Message Waiting Indicator (MWI) for users
Set-UMMailboxPolicy
UM IP gateways and MWI
If you disable MWI on a UM IP gateway, you'll disable MWI notifications for all users who connect to the VoIP
gateway or IP PBX that's represented by the UM IP gateway. Disabling MWI on a single UM IP gateway that's
linked to a UM dial plan can disable MWI notifications for all UM-enabled users associated with a single or
multiple UM dial plans or a single or multiple UM mailbox policies. To learn more about UM mailbox policies,
including how to enable or disable MWI for a group of UM-enabled users, see Manage a UM mailbox policy.
You can use the EAC or the Set-UMMailboxPolicy cmdlet in Exchange Online PowerShell to configure the MWI
setting, as shown in the following table.
Message Waiting Indicator setting on a UM IP gateway

PARAMETER | SETTING AVAILABLE IN THE EAC? | DESCRIPTION
MessageWaitingIndicatorAllowed | Yes | The MessageWaitingIndicatorAllowed parameter specifies whether to enable the UM IP gateway to allow SIP NOTIFY messages to be sent to users associated with a UM dial plan. The default value is $true. When this setting is enabled, voice mail notifications can be sent to users for calls that are received by the UM IP gateway. This setting allows the UM IP gateway to send message-waiting notifications to UM-enabled users.

For more information about how to manage MWI settings, see the following topics:
Manage a UM IP gateway
Allow Message Waiting Indicator (MWI) on a UM IP gateway
Prevent Message Waiting Indicator (MWI) on a UM IP gateway
Set-UMIPGateway

Text message (SMS) notifications for voice mail messages and missed
calls
As mentioned earlier, an MWI notification is any mechanism that indicates the existence of a new voice mail
message. In addition to the mechanisms already discussed, users can be notified that they have a voice message
waiting via a text message, also called an SMS (Short Message Service) message. This is a different type of MWI
notification for new voice messages than the traditional light or other mechanisms.
A text message is sent to a user's mobile phone when a caller leaves a new voice message. Users can also receive a
text message that notifies them when they miss a phone call and a voice message isn't left. The missed call
notification text message can be sent to the user along with the new voice mail notification.

NOTE
The text message that's sent to a user includes voice mail preview.

Text message notifications use different settings than the MWI settings on the UM IP gateway or the UM mailbox
policy. Text message notifications for new voice mail and missed calls are configured on UM mailbox policies and
UM mailboxes. You can enable or disable text message notifications by using the Set-UMMailboxPolicy cmdlet
and the Set-UMMailbox cmdlet in Exchange Online PowerShell. You can view the status of text message
notifications by using the Get-UMMailboxPolicy cmdlet and the Get-UMMailbox cmdlet. It's not possible to
configure text message notifications in the EAC.
The following table shows the parameter on a UM mailbox that must be configured for a user to receive text
messages for voice mail and missed call notifications:
Text message notification settings on a user's mailbox

PARAMETER | SETTING AVAILABLE IN THE EAC? | DESCRIPTION
UMSMSNotificationOption | No | Specifies whether a UM-enabled user can receive text message notifications for voice mail only, for voice mail and missed calls, or isn't allowed to receive notifications. The values for this parameter are: VoiceMail, VoiceMailAndMissedCalls, and None. The default value is None.

For more information about how to manage text message notification settings on a user's mailbox, see the
following topics:
Manage voice mail settings for a user
Set-UMMailbox
The following table shows the parameter on a UM mailbox policy that must be configured for a user to receive text
messages for voice mail and missed call notifications:
Text message and missed call notification settings on a UM mailbox policy

PARAMETER | SETTING AVAILABLE IN THE EAC? | DESCRIPTION
AllowSMSNotification | No | Specifies whether UM-enabled users whose mailboxes are associated with the UM mailbox policy are allowed to receive text message notifications on their mobile phones. If this parameter is set to $true, you must also use the Set-UMMailbox cmdlet and set the UMSMSNotificationOption parameter for the UM-enabled user to either VoiceMail or VoiceMailAndMissedCalls. The default value is $true.

For more information about how to manage text message notification settings, see the following topics:
Manage a UM mailbox policy
Set-UMMailboxPolicy
For text message notifications for voice mail and missed calls to work correctly, you must perform the following
tasks:
1. Use either the EAC or Exchange Online PowerShell to enable the user for UM and link them to the correct
UM mailbox policy.
2. On the UM mailbox policy that's linked to the user, verify that the AllowSMSNotification parameter is set to
$true . To set the parameter to $true , run the following command:

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowSMSNotification $true

3. On the user's mailbox, enable text message notifications by setting the UMSMSNotificationOption
parameter to VoiceMailAndMissedCalls or VoiceMail .
4. Because the default setting is None , you must run the following command in Exchange Online PowerShell
and set the text message notification option to either VoiceMailAndMissedCalls or VoiceMail . For example:

Set-UMMailbox -Identity MyUMMailbox -UMSMSNotificationOption VoiceMailAndMissedCalls

IMPORTANT
The AllowSMSNotification parameter on the UM mailbox policy and the UMSMSNotificationOption parameter on the
user's mailbox must both be set to $true for SMS notifications to work.
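
How the policy-level and mailbox-level settings from the steps above combine for each user, as an added example that is not part of the original documentation. The function name and the sample objects are constructed; the example assumes the UMMailboxPolicy value on a UM mailbox renders as the policy name, and in a connected session the output of Get-UMMailboxPolicy and Get-UMMailbox would replace the sample data.

```powershell
# Added example (not from the original page): joins each UM mailbox to its UM
# mailbox policy and reports whether text message notifications are effective.
# Function name and sample objects are constructed for illustration.

function Get-EffectiveSmsNotification {
    param(
        # Objects shaped like Get-UMMailboxPolicy output.
        [Parameter(Mandatory)] [object[]] $Policy,
        # Objects shaped like Get-UMMailbox output.
        [Parameter(Mandatory)] [object[]] $Mailbox
    )

    # Index policies by name (hashtable keys are case-insensitive).
    $policyByName = @{}
    foreach ($p in $Policy) { $policyByName[[string]$p.Name] = $p }

    foreach ($m in $Mailbox) {
        # Assumption: the UMMailboxPolicy value converts to the policy name.
        $policyName = [string]$m.UMMailboxPolicy
        $p          = $policyByName[$policyName]
        $option     = [string]$m.UMSMSNotificationOption

        # The mailbox opts in with either of the two non-None values.
        $userOptedIn = $option -in @('VoiceMail', 'VoiceMailAndMissedCalls')

        $state = if ($null -eq $p) {
            'PolicyNotFound'
        } elseif (-not $p.AllowSMSNotification) {
            if ($userOptedIn) { 'BlockedByPolicy' } else { 'Off' }
        } elseif ($userOptedIn) {
            'Enabled'
        } else {
            'Off'
        }

        [pscustomobject]@{
            Mailbox         = [string]$m.Name
            Policy          = $policyName
            MailboxOption   = $option
            PolicyAllowsSms = ($null -ne $p) -and [bool]$p.AllowSMSNotification
            # Reported for review: the page notes that the text message
            # sent to a user includes voice mail preview.
            PolicyAllowsVoiceMailPreview = ($null -ne $p) -and [bool]$p.AllowVoiceMailPreview
            State           = $state
        }
    }
}

# Constructed sample data covering each outcome.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'MyUMMailboxPolicy'; AllowSMSNotification = $true;  AllowVoiceMailPreview = $true }
    [pscustomobject]@{ Name = 'SampleNoSmsPolicy'; AllowSMSNotification = $false; AllowVoiceMailPreview = $true }
)

$sampleMailboxes = @(
    [pscustomobject]@{ Name = 'MyUMMailbox'; UMMailboxPolicy = 'MyUMMailboxPolicy'; UMSMSNotificationOption = 'VoiceMailAndMissedCalls' }
    [pscustomobject]@{ Name = 'SampleUser2'; UMMailboxPolicy = 'MyUMMailboxPolicy'; UMSMSNotificationOption = 'None' }
    [pscustomobject]@{ Name = 'SampleUser3'; UMMailboxPolicy = 'SampleNoSmsPolicy'; UMSMSNotificationOption = 'VoiceMail' }
    [pscustomobject]@{ Name = 'SampleUser4'; UMMailboxPolicy = 'SampleMissing';     UMSMSNotificationOption = 'VoiceMail' }
)

# In a connected session, use:
#   -Policy (Get-UMMailboxPolicy) -Mailbox (Get-UMMailbox -ResultSize Unlimited)
Get-EffectiveSmsNotification -Policy $samplePolicies -Mailbox $sampleMailboxes |
    Format-Table -AutoSize
```
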

In addition to your configuring the UM mailbox policy and the user's mailbox to enable text message notifications
for new voice mail and missed calls, the user must enable and configure text message notifications when they sign
in to Outlook Web App. To set up and configure text message notifications, the user must:
1. Sign in to Outlook Web App and go to Options > Phone > Voice mail.
2. On the Voice Mail page, under Notifications, click Set up notifications.
3. On the Text messaging page, click the Turn on notifications button.
Caution
Don't click Voice mail notifications or it will take you back to the Voice mail page.
4. On the Text messaging page, under Locale, use the drop-down list to select the locale or location of the
text messaging mobile operator.
5. On the Text messaging page, under Mobile operator, use the drop-down list to select the text messaging
mobile operator, and then click Next.
6. On the Text messaging page, in the Enter your phone number and click Next box, enter the mobile
phone number that's used for text message notifications, and then click Next. A six-digit passcode will be
sent to the mobile phone. If you didn't receive a passcode, click I didn't receive a passcode and need it
sent again.
7. Enter the passcode in the Passcode box, and then click Finish.
8. After the user enables text message notifications, they can click Set up voice mail notifications on the
Text Messaging page. They'll be taken back to the voice mail page, where they can scroll down to the
Notifications section and set up text message notification options for missed calls and voice mail.
Allow Message Waiting Indicator procedures
2/28/2019 • 2 minutes to read

Allow Message Waiting Indicator (MWI) on a UM IP gateway
Prevent Message Waiting Indicator (MWI) on a UM IP gateway
Enable Message Waiting Indicator (MWI) for users
Disable Message Waiting Indicator (MWI) for users
Enable missed call notifications for a user
Disable missed call notifications for a user
Allow Message Waiting Indicator (MWI) on a UM IP
gateway
2/28/2019 • 2 minutes to read

You can allow or prevent voice mail notifications to users for calls received by a Unified Messaging (UM) IP
gateway. If you enable this setting, the UM IP gateway can receive and send SIP NOTIFY messages for users.
Message Waiting Indicator (MWI) is enabled by default and allows message waiting notifications to be sent to
users, but you can turn it off depending on your needs.
A message waiting indicator notifies a user about a new or unheard voice message. It appears in the Inbox in
clients such as Outlook and Outlook Web App. It can also be a text (SMS) message sent to a registered mobile
phone, an outgoing call made from an Exchange server to a number that's been configured for playing new
messages, or a lighted lamp on a user's desktop phone.

TIP
MWI notifications can also be enabled and disabled on a UM mailbox policy for a group of users.

For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to allow Message Waiting Indicator


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
change, and then click Edit .
2. On the UM IP Gateway page, select the check box next to Allow message waiting indicator.
3. Click Save.

Use Exchange Online PowerShell to allow Message Waiting Indicator


This example allows the message waiting indicator to appear for users who are associated with the UM IP gateway
named MyUMIPGateway with an IP address of 10.10.10.1.

Set-UMIPGateway -Identity MyUMIPGateway -Address 10.10.10.1 -MessageWaitingIndicatorAllowed $true


Prevent Message Waiting Indicator (MWI) on a UM
IP gateway
2/28/2019 • 2 minutes to read

You can prevent voice mail notifications to users for calls received by a Unified Messaging (UM) IP gateway. If you
enable this setting, the UM IP gateway can receive and send SIP NOTIFY messages for users. Message Waiting
Indicator (MWI) is enabled by default and allows message waiting notifications to be sent to users, but you can
turn it off depending on your needs.
A message waiting indicator notifies a user about a new or unheard voice message. It appears in the Inbox in
clients such as Outlook and Outlook Web App. It can also be a text (SMS) message sent to a registered mobile
phone, an outgoing call made from an Exchange server to a number that's been configured for playing new
messages, or a lighted lamp on a user's desktop phone.

TIP
MWI notifications can also be enabled and disabled on a UM mailbox policy for a group of users.

For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to prevent Message Waiting Indicator


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
change, and then click Edit .
2. On the UM IP Gateway page, clear the check box next to Allow message waiting indicator.
3. Click Save.

Use Exchange Online PowerShell to prevent Message Waiting Indicator
This example prevents the message waiting indicator from appearing for users who are associated with the UM IP
gateway named MyUMIPGateway with an IP address of 10.10.10.1.

Set-UMIPGateway -Identity MyUMIPGateway -Address 10.10.10.1 -MessageWaitingIndicatorAllowed $false


Enable Message Waiting Indicator (MWI) for users
2/28/2019 • 2 minutes to read

You can enable or disable Message Waiting Indicator for users associated with a Unified Messaging (UM) mailbox
policy. Message Waiting Indicator is a feature found in most legacy voice mail systems. In its most common form,
it lights a lamp on a voice mail subscriber's phone to indicate the presence of a new voice mail message. Message
Waiting Indicator can also send a text message to a UM-enabled user's mobile phone. The default setting is
enabled.
If Message Waiting Indicator is disabled on the UM IP gateway, the feature isn't available to UM-enabled users
associated with the UM mailbox policy.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable Message Waiting Indicator


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit .
2. Under UM Mailbox Policies, select the UM mailbox policy you want to manage, and then click Edit .
3. On the UM Mailbox Policy page, select the check box next to Allow Message Waiting Indicator.
4. Click Save.

Use Exchange Online PowerShell to enable Message Waiting Indicator


This example enables Message Waiting Indicator for users associated with the UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowMessageWaitingIndicator $true


Disable Message Waiting Indicator (MWI) for users
2/28/2019 • 2 minutes to read

You can enable or disable Message Waiting Indicator for users associated with a Unified Messaging (UM) mailbox
policy. Message Waiting Indicator is a feature found in most legacy voice mail systems. In its most common form,
it lights a lamp on a voice mail subscriber's phone to indicate the presence of a new voice mail message. Message
Waiting Indicator can also send a text message to a UM-enabled user's mobile phone. The default setting is
enabled.
If Message Waiting Indicator is disabled on the UM IP gateway, the feature isn't available to UM-enabled users
associated with the UM mailbox policy.
For additional management tasks related to UM mailbox policies, see UM mailbox policy procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable Message Waiting Indicator


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit .
2. Under UM Mailbox Policies, select the UM mailbox policy you want to manage, and then click Edit .
3. On the UM Mailbox Policy page, clear the check box next to Allow Message Waiting Indicator.
4. Click Save.

Use Exchange Online PowerShell to disable Message Waiting Indicator


This example disables Message Waiting Indicator for users associated with the UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowMessageWaitingIndicator $false


Enable missed call notifications for a user
2/28/2019 • 2 minutes to read

You can enable or disable missed call notifications for a Unified Messaging (UM) mailbox policy by using Exchange
Online PowerShell or the EAC. A missed call notification is an email message that's sent to a user when the user
doesn't answer an incoming call and the caller doesn't leave a voice mail message. This is a different email
message than the message that contains the voice message that's left for a user.
When you disable missed call notifications on a UM mailbox policy, you prevent all users associated with the UM
mailbox policy from receiving an email message when they don't answer an incoming call and the caller doesn't
leave a voice message. By default, missed call notifications are enabled for each UM mailbox policy that's created.
Also by default, a UM mailbox policy is created every time you create a UM dial plan.

NOTE
When you're integrating Unified Messaging and Microsoft Lync Server, missed call notifications aren't available to users that
have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server when a user disconnects before the call is
sent to a Mailbox server running the Microsoft Exchange Unified Messaging service.

For additional management tasks related to UM mailbox policies, see Manage a UM mailbox policy.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable missed call notifications for a UM mailbox policy
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > General, select the check box next to Allow missed call
notifications.
4. Click Save.

Use Exchange Online PowerShell to enable missed call notifications for a UM mailbox policy
This example enables missed call notifications for a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowMissedCallNotifications $true


Disable missed call notifications for a user
2/28/2019 • 2 minutes to read

You can enable or disable missed call notifications for a Unified Messaging (UM) mailbox policy by using Exchange
Online PowerShell or the EAC. A missed call notification is an email message that's sent to a user when the user
doesn't answer an incoming call and the caller doesn't leave a voice message. This is a different email message
than the one that contains the voice message that's left for a user.
When you disable missed call notifications on a UM mailbox policy, you prevent all users associated with the UM
mailbox policy from receiving an email message when they don't answer an incoming call and the caller doesn't
leave a voice message. By default, missed call notifications are enabled for each UM mailbox policy that's created.
Also by default, a UM mailbox policy is created every time you create a UM dial plan.

NOTE
When you're integrating Unified Messaging and Microsoft Lync Server, missed call notifications aren't available to users that
have a mailbox located on an Exchange 2007 or Exchange 2010 Mailbox server when a user disconnects before the call is
sent to a Mailbox server running the Microsoft Exchange Unified Messaging service.

For additional management tasks related to UM mailbox policies, see Manage a UM mailbox policy.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable missed call notifications for a UM mailbox policy
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > General, clear the check box next to Allow missed call notifications.
4. Click Save.
Use Exchange Online PowerShell to disable missed call notifications for a UM mailbox policy
This example disables missed call notifications for a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowMissedCallNotifications $false


Allow users to make calls
3/29/2019 • 12 minutes to read

Outdialing is the process by which users call in to a UM dial plan using an Outlook Voice Access number and
place or transfer a call to an internal or external telephone number. Unified Messaging uses many outdialing
settings to dial calls for users. To configure outdialing, you must configure dialing rules, dialing rule groups, and
dialing authorizations on Unified Messaging (UM) dial plans and then authorize outdialing on UM dial plans, UM
mailbox policies, and auto attendants. You can also configure UM dial plans to have dialing or access codes, a
national number prefix, and in-country/region or international number formats that enable you to control
outdialing in your organization. This topic discusses dialing rules, dialing rule groups, and dialing authorizations
and how they are used to authorize and control outdialing for your organization.

Overview
Outdialing happens when:
A call is placed to an external telephone number.
A call is transferred to an auto attendant.
A call is transferred to a user in your organization.
A UM-enabled user uses the Play on Phone feature.
For outdialing to work correctly, the following settings must be configured correctly:
Dialing rules: Dialing rules define the number that is dialed by the UM-enabled user and the number that
will be dialed by the Private Branch eXchange (PBX) or IP PBX.
Dialing rule groups: Dialing rule groups determine the types of calls that users within a dialing group can
make.
Dialing authorizations: Dialing authorizations determine the restrictions that will be applied to prevent
users from incurring unnecessary telephone charges or from dialing long-distance calls.
To enable outdialing for users who call in to a dial plan or an auto attendant, you must:
Make sure the VoIP gateways represented by a UM IP gateway that is linked with a dial plan will allow
outgoing calls.
Create dialing rule groups by creating dialing rules on the UM dial plan.
Add dialing authorizations for in-country/region and international dialing rule groups on the UM dial plan,
UM mailbox policy, or auto attendant associated with the same dial plan as the UM IP gateway.

Types of users
Two types of users can use the outdialing feature in Unified Messaging: authenticated and unauthenticated. All
users who call in to a UM auto attendant are unauthenticated. When users call in to an Outlook Voice Access
number, they're considered unauthenticated because they haven't provided their extension number and PIN and
signed in to their mailbox. Users are authenticated after they provide their extension number and PIN and
successfully sign in to their mailbox.
When users call in to an Outlook Voice Access number configured on a UM dial plan and try to place or transfer a
call without signing in to their mailbox, only the UM dial plan outdialing settings are applied to the call. When
anonymous or unauthenticated users call in to a UM auto attendant, both the outdialing settings configured on
the auto attendant and the outdialing settings configured on the dial plan associated with the auto attendant are
applied to the call.
When users call in to the Outlook Voice Access number configured on a dial plan and successfully sign in to their
mailbox, they become authenticated users. When they're authenticated, the outdialing call settings use the dialing
rules and dialing authorization settings on the UM mailbox policy that's linked to those users.

Outdialing settings
You need to configure several settings to apply outdialing rules for your organization. In addition to configuring
the UM dial plans, UM auto attendants, and UM mailbox policies that you've created with the correct dialing rules
and dialing authorizations, you need to configure access codes, number prefixes, and number formats on the UM
dial plans. The following outdialing settings are configured on dial plans, auto attendants, and UM mailbox
policies:
Outside line, country/region, and international access codes
National number prefixes
In-country/region and international number formats
Configured in-country/region and international dialing rule groups
Allowed in-country/region and international dialing rule groups
Dialing rule entries
Dialing authorizations
For you to successfully configure outdialing for your organization, you first need to understand how each
component can be used with outdialing and how the component must be configured. The following table
introduces each component that needs to be configured on UM dial plans, UM auto attendants, and UM mailbox
policies before outdialing will work correctly.
Outdialing components

Dial codes, number prefixes, and number formats: UM uses dial codes, number prefixes, and number formats to
determine the correct number to dial when placing an outgoing call. You can configure dial codes, number
prefixes, and number formats to restrict outgoing calls for users who dial in to a UM auto attendant
associated with a UM dial plan or for users who dial in to an Outlook Voice Access number configured on the
dial plan.

Dialing rule groups: Dialing rule groups are created to enable telephone numbers to be modified before
they're sent to the PBX for outgoing calls. Dialing rule groups remove numbers from or add numbers to
telephone numbers being called by UM. For example, you can create a dialing rule group that automatically
adds a 9 as a prefix to a 7-digit telephone number to provide access to an outside line. In this example,
users who place outgoing calls don't have to dial the 9 before the telephone number to reach someone
external to the organization.
Each dialing rule group contains dialing rules that determine the types of in-country/region and
international calls that users within a dialing rule group can make. Dialing rule groups apply to the users
who are associated with a UM dial plan or to UM auto attendants and UM mailbox policies associated with the
UM dial plan. Each dialing rule group must contain at least one dialing rule.

Dialing rule entries: A dialing rule is used to determine the types of calls that users within a dialing
rule group can make. When you create a dialing rule group, you configure one or more dialing rules. When you
configure each dialing rule, you must enter the dialing rule name, number pattern to transform (number
mask), and dialed number. You can also enter a comment. Comments can be used to describe how the dialing
rule will be used or to describe a group of users to whom the dialing rule will apply. When you add a number
mask and the dialed number to a dialing rule, you can substitute the letter x for a digit in a telephone
number, for example, 91425xxxxxxx. You can also use an asterisk (*) symbol as a wildcard character, for
example, 91425*.

Dialing authorizations: A dialing authorization uses dialing rule groups to apply dialing restrictions for
users who are associated with a specific UM mailbox policy, dial plan, or auto attendant. They can also be
used when you want to let users place calls to in-country/region or international telephone numbers.
After you create dialing rules on a UM dial plan, you add the dialing rule group to a UM mailbox policy,
dial plan, or auto attendant. After the dialing rule group is added to a UM mailbox policy, all settings or
rules defined will apply to UM-enabled users who are linked with the UM mailbox policy.

Configuring outdialing
A dialing rule group is a collection of one or more dialing rules configured on a UM dial plan. Two types of dialing
rule groups can be configured on a UM dial plan: in-country/region and international. In-country/region dialing
rule groups apply to telephone numbers dialed within the same country or region. International dialing rule
groups apply to international telephone numbers dialed from one country or region to another country or region.
Each UM dial plan can contain one or more dialing rule groups. To apply a dialing rule group to a set of users,
after you create the dialing rule group, you must add it to the list of allowed dialing rule groups on the UM dial
plan and on the UM auto attendants and UM mailbox policies associated with the UM dial plan.
Dialing rule groups enable you to specify dialing rules that you want to apply to a group of UM-enabled users
who fall into a specific category. For example, you can use dialing rule groups to specify which group of users can
place international calls and which group can make only in-state or local calls. You can create a dialing rule group
using the Exchange admin center (EAC) or the Set-UMDialPlan cmdlet in Exchange Online PowerShell. When
you create a dialing rule group, you must define at least one dialing rule for the group.
When a user dials a telephone number, UM takes the number and looks for a match in the dialing rules. If a match
is found, UM uses the dialing rule to determine the number to dial by looking at the telephone number or digits
listed in the Dialed Number section of the dialing rule. The number listed in the Dialed Number box of the
dialing rule will be dialed.
The following table shows an example of dialing rule groups and dialing rules. In this example, Local-Calls-Only
and Low-Rate are the dialing rule groups that have been created. The dialing rule group Local-Calls-Only has two
dialing rules: 91425* and 91206*, and the dialing rule group Low-Rate also has two dialing rules: 91509* and
91360*.
Dialing rule groups and dialing rules

NAME | NUMBERMASK | DIALEDNUMBER | COMMENT
Local-Calls-Only | 91425* | 91* | Local calls
Local-Calls-Only | 91206* | 91* | Local calls
Low-Rate | 91509* | 9* | In-state calls
Low-Rate | 91360* | 9* | In-state calls

For example, when a user dials 9-1-425-555-1234, UM dials 4255551234. UM removes any nonnumeric
characters (in this example, the hyphens) and applies the number mask from the dialing rule. In this example, UM
applies the number mask 91*. This tells UM not to dial the 9 or the 1, but to dial all the other numbers in the
telephone number that appear to the right of the number 1. This includes all the numbers represented by the
asterisk (*).
You can use the EAC or Exchange Online PowerShell to create and configure single or multiple in-country/region
and international dialing rule groups and dialing rules. However, if you're creating many or complex dialing rule
groups and dialing rules, you can use a comma-separated value (.csv) file in Exchange Online PowerShell. You can
import or export a list of dialing rule groups and dialing rules.
To import a list of dialing rule groups and dialing rules that you've defined in a .csv file, run the Set-UMDialPlan
cmdlet, as follows.

Set-UMDialPlan "MyUMDialPlan" -ConfiguredInCountryOrRegionGroups $(Import-Csv c:\dialrules\InCountryRegion.csv)

To retrieve a list of the dialing rule groups configured on a UM dial plan, run the Get-UMDialPlan cmdlet, as
follows.

(Get-UMDialPlan -Identity "MyUMDialPlan").ConfiguredInCountryOrRegionGroups | Export-Csv C:\incountryorregion.csv

The .csv file must be created and saved in the correct format. Each line in the .csv file represents one dialing rule.
However, each dialing rule is configured on the same dialing rule group. Each rule in the file will have four
sections separated by commas. These sections are name, number mask, dialed number, and comment. Each
section is required, and you must enter the correct information in each section except for the comment section.
There should be no spaces between the text entry and the comma for the next section, nor should there be any
blank lines between the rules or at the end. The following is an example of a .csv file that can be used to create in-
country/region dialing rule groups and dialing rules.
Name,NumberMask,DialedNumber,Comment
Low-rate,91425xxxxxxx,9xxxxxxx,Local call
Low-rate,9425xxxxxxx,9xxxxxxx,Local call
Low-rate,9xxxxxxx,9xxxxxxx,Local call
Any,91*,91*,Open access to in-country/region numbers
Long-distance,91408*,91408*,long distance
The following is an example of a .csv file that can be used to create international dialing rule groups and dialing
rule entries.
Name,NumberMask,DialedNumber,Comment
International,901144*,901144*,international call
International,901133*,901133*,international call
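
A pre-import check for the .csv rules above, together with a matcher that shows which rules a dialed number hits, as an added example that is not part of the original topic. Test-DialRuleCsv, ConvertTo-MaskRegex, Find-DialRuleMatch and the sample rows are constructed; the matcher assumes x stands for one digit and * for any run of digits, and that comments contain no commas.

```powershell
# Added example, not part of the original topic. Function names and sample
# rows are constructed for illustration.

# Emit one message per formatting problem found in the lines of a dialing-rule .csv.
function Test-DialRuleCsv {
    param([string[]]$Lines)

    if ($Lines.Count -eq 0 -or $Lines[0] -ne 'Name,NumberMask,DialedNumber,Comment') {
        'Line 1: header must be Name,NumberMask,DialedNumber,Comment'
    }
    for ($i = 1; $i -lt $Lines.Count; $i++) {
        $n    = $i + 1
        $line = $Lines[$i]
        if ([string]::IsNullOrWhiteSpace($line)) { "Line ${n}: blank line"; continue }
        if ($line -match '\s,|,\s')              { "Line ${n}: space next to a comma" }

        $fields = $line.Split(',')
        if ($fields.Count -ne 4) {
            "Line ${n}: expected 4 sections, found $($fields.Count)"
            continue
        }
        $name, $mask, $dialed = $fields[0].Trim(), $fields[1].Trim(), $fields[2].Trim()
        if (-not $name) { "Line ${n}: Name is empty" }
        foreach ($value in $mask, $dialed) {
            # Assumption: only the forms shown in this topic (digits, x, *) are valid.
            if ($value -notmatch '^[0-9x*]+$') {
                "Line ${n}: '$value' is empty or contains characters other than digits, x and *"
            }
        }
    }
}

# Turn a number mask into an anchored regular expression.
# Assumption: x matches exactly one digit, * matches any run of digits.
function ConvertTo-MaskRegex {
    param([string]$Mask)
    '^' + ([regex]::Escape($Mask) -replace '\\\*', '\d*' -replace 'x', '\d') + '$'
}

# Return every rule whose number mask matches the dialed number.
# Nonnumeric characters (hyphens, spaces) are removed first, as the topic describes.
function Find-DialRuleMatch {
    param([object[]]$Rules, [string]$Number)
    $digits = $Number -replace '\D', ''
    $Rules | Where-Object { $digits -match (ConvertTo-MaskRegex $_.NumberMask) }
}

# Constructed sample with three defects: spaces after commas, a blank line,
# and a rule with only three sections.
$bad = @(
    'Name,NumberMask,DialedNumber,Comment'
    'Low-rate,91425xxxxxxx,9xxxxxxx,Local call'
    'International, 901144*, 901144*, international call'
    ''
    'Any,91*,91*'
)
Test-DialRuleCsv -Lines $bad

# Constructed clean sample: list the rules that a dialed number matches.
$clean = @(
    'Name,NumberMask,DialedNumber,Comment'
    'Low-rate,91425xxxxxxx,9xxxxxxx,Local call'
    'Any,91*,91*,Open access to in-country/region numbers'
    'Long-distance,91408*,91408*,long distance'
)
$rules = $clean | ConvertFrom-Csv
Find-DialRuleMatch -Rules $rules -Number '9-1-425-555-1234' |
    Format-Table Name, NumberMask, DialedNumber
```

When a number matches rules in more than one group, check which of those groups each dial plan, auto attendant, and UM mailbox policy allows.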

Applying configured dialing rule groups


Dialing rule groups are created on a UM dial plan. You can create in-country/region or international dialing rule
groups using the EAC or the Set-UMDialPlan cmdlet in Exchange Online PowerShell. After you create the
appropriate dialing rule groups on a UM dial plan and define the dialing rules, you can apply the dialing rule
groups that you created to a UM dial plan, a UM auto attendant, or to users who are associated with a UM
mailbox policy, and authorize outdialing depending on how the user accesses the voice mail system.
You can apply the dialing rule groups that you created on a UM dial plan to the following:
Same dial plan: The settings will apply to all users who call in to an Outlook Voice Access number but
don't sign in to their mailbox. To apply an in-country/region dialing rule group named
MyAllowedDialRuleGroup to the same dial plan, use Exchange Online PowerShell Set-UMDialPlan cmdlet,
as follows.

Set-UMDialPlan -Identity MyUMDialPlan -AllowedInCountryOrRegionGroups MyAllowedDialRuleGroup

Single or multiple UM mailbox policies: The settings that are configured on a UM mailbox policy will
apply to all users who are linked with that UM mailbox policy. The settings configured on a UM mailbox
policy apply to users who call in to an Outlook Voice Access number and sign in to their mailbox. To apply
an in-country/region dialing rule group named MyAllowedDialRuleGroup to a single UM mailbox policy, use
the Dialing authorization page on the UM mailbox policy in the EAC or use the Set-UMMailboxPolicy
cmdlet in Exchange Online PowerShell, as follows.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowedInCountryOrRegionGroups MyAllowedDialRuleGroup

Single or multiple auto attendants associated with the UM dial plan: This will apply to all users who
call in to a UM auto attendant. To apply the in-country/region dialing rule group named
MyAllowedDialRuleGroup to a single UM auto attendant, use the Dialing authorization page on the auto
attendant in the EAC or the Set-UMAutoAttendant cmdlet in Exchange Online PowerShell, as follows.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AllowedInCountryOrRegionGroups MyAllowedDialRuleGroup

The following table summarizes the way that dialing rule groups are applied in Unified Messaging.
Applying outdialing rules

CALLER TYPE | SCOPE | OUTDIALING SETTINGS APPLIED
Outlook Voice Access number | User calls a dial plan Outlook Voice Access number and signs in to the mailbox | UM mailbox policy
Anonymous caller | User calls a dial plan Outlook Voice Access number | UM dial plan
Anonymous caller | User calls an auto attendant pilot or extension number | UM auto attendant
Caller from inside the organization | User calls the Play on Phone number | UM mailbox policy
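
The table above means that dial plans and auto attendants carry the outdialing authorizations that apply before a caller has entered a PIN. The following report lists those scopes and the dialing rule groups each one allows, as an added example that is not part of the original topic. Get-UnauthenticatedOutdialScope and the sample objects are constructed; the AllowedInCountryOrRegionGroups and AllowedInternationalGroups property names are assumed to match the parameters of the same name on Set-UMDialPlan and Set-UMAutoAttendant.

```powershell
# Added example, not part of the original topic. The function name and the
# sample objects are constructed for illustration.

# Report the dialing rule groups allowed on scopes that apply to callers who
# have not signed in to a mailbox (UM dial plans and UM auto attendants).
function Get-UnauthenticatedOutdialScope {
    param(
        [object[]]$DialPlans      = @(),
        [object[]]$AutoAttendants = @()
    )

    $scopes = @()
    foreach ($dp in $DialPlans) {
        $scopes += [pscustomobject]@{
            Scope  = 'UM dial plan'
            Caller = 'Outlook Voice Access number, not signed in'
            Source = $dp
        }
    }
    foreach ($aa in $AutoAttendants) {
        $scopes += [pscustomobject]@{
            Scope  = 'UM auto attendant'
            Caller = 'Auto attendant pilot or extension number'
            Source = $aa
        }
    }

    foreach ($s in $scopes) {
        # Where-Object drops $null and empty entries so Count is reliable.
        $inCountry     = @($s.Source.AllowedInCountryOrRegionGroups | Where-Object { $_ })
        $international = @($s.Source.AllowedInternationalGroups     | Where-Object { $_ })

        $finding = if ($international.Count -gt 0) {
            'International outdialing authorized without sign-in'
        } elseif ($inCountry.Count -gt 0) {
            'In-country/region outdialing authorized without sign-in'
        } else {
            'No dialing rule groups allowed'
        }

        [pscustomobject]@{
            Scope                   = $s.Scope
            Name                    = $s.Source.Name
            Caller                  = $s.Caller
            InCountryOrRegionGroups = $inCountry -join ', '
            InternationalGroups     = $international -join ', '
            Finding                 = $finding
        }
    }
}

# Constructed sample objects standing in for Get-UMDialPlan and
# Get-UMAutoAttendant output. LobbyAutoAttendant is a hypothetical name.
$dialPlans = @(
    [pscustomobject]@{
        Name                           = 'MyUMDialPlan'
        AllowedInCountryOrRegionGroups = @('MyAllowedDialRuleGroup')
        AllowedInternationalGroups     = @()
    }
)
$autoAttendants = @(
    [pscustomobject]@{
        Name                           = 'MyUMAutoAttendant'
        AllowedInCountryOrRegionGroups = @('MyAllowedDialRuleGroup')
        AllowedInternationalGroups     = @('International')
    }
    [pscustomobject]@{
        Name                           = 'LobbyAutoAttendant'
        AllowedInCountryOrRegionGroups = @()
        AllowedInternationalGroups     = @()
    }
)

Get-UnauthenticatedOutdialScope -DialPlans $dialPlans -AutoAttendants $autoAttendants |
    Sort-Object Finding |
    Format-Table -AutoSize

# In a connected session, pass live objects instead of the samples:
#   Get-UnauthenticatedOutdialScope -DialPlans (Get-UMDialPlan) -AutoAttendants (Get-UMAutoAttendant)
```

UM mailbox policies are left out of the report because, per the table, their authorizations apply only after a caller signs in to the mailbox or uses Play on Phone.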

Applying dialing rules


The outdialing process happens when:
Unified Messaging places a call to an external telephone number for a caller.
Unified Messaging transfers a call to an auto attendant.
Unified Messaging transfers a call to a user in your organization.
A UM-enabled user uses the Play on Phone feature.
In each outdialing scenario, UM will apply the dialing rules that have been configured, and then place the call for
the user. However, depending on the scenario and how the call is initiated by the user, UM may apply only some of
the dialing rules to the telephone number being dialed. In other outdialing scenarios, UM may apply all the
outdialing rules configured to the telephone number being dialed.
Dial codes, number prefixes, and number formats
2/28/2019 • 7 minutes to read

You can configure several dialing codes that Unified Messaging (UM) uses to dial internal and external calls for
UM-enabled users. Frequently, you want to configure a dial plan together with the dialing or access codes, a
national number prefix, or in-country/region or international number formats so that you can control outdialing for
users in your organization. This topic discusses dial codes, number prefixes, and number formats and how you can
use them to control outdialing for your organization.

Overview
Outdialing is the process in which users call in to a UM dial plan or UM auto attendant and then place a call to an
internal or external telephone number. When a user calls in to a UM dial plan or a UM auto attendant and then
places a call, Unified Messaging uses the settings configured on the dial plan, auto attendant, and UM mailbox
policies to place the call. UM places an outgoing call in the following situations:
When it places a call to an external telephone number for a caller
When it transfers a call to an auto attendant
When it transfers a call to a user (either UM-enabled or not) in your organization
When a UM-enabled user uses the Play on Phone feature
Two types of users use outdialing: authenticated users and unauthenticated users. Unauthenticated users call in to
an Outlook Voice Access number configured on a UM dial plan but don't sign in to their mailbox. Unauthenticated
users also call in to a number configured on a UM auto attendant. Authenticated users call in to an Outlook Voice
Access number and successfully sign in to their mailbox. When users call in to an Outlook Voice Access number,
they are initially considered unauthenticated because they haven't provided their extension number and PIN and
signed in to their mailbox. They are authenticated after they provide their extension number and PIN and
successfully sign in to their mailbox.
When an unauthenticated user calls in to a UM auto attendant and places a call using outdialing, the outdialing
settings configured on the UM dial plan and the auto attendant are used. When an unauthenticated user calls in to
an Outlook Voice Access number configured on a dial plan, only the settings configured on the dial plan are used.
When a user has successfully signed in to their mailbox, configuration settings from the dial plan and the UM
mailbox policy associated with the authenticated user are applied to the authenticated user.
You need to configure several settings to control outdialing for your organization. To control outdialing, you need
to configure the UM dial plans, auto attendants, and UM mailbox policies in Unified Messaging. The following
settings can be configured on UM dial plans, auto attendants, and UM mailbox policies to control outdialing:
Outside line, in-country/region, and international access codes
National number prefixes
In-country/region and international number formats
In-country/region and international dialing rule groups
Allowed in-country/region and international dialing rule groups
Dialing rule entries
You configure access codes, number prefixes, and number formats on a UM dial plan on the Dial Codes page in
the Exchange admin center (EAC). You can also configure the settings using the Set-UMDialPlan cmdlet in
Exchange Online PowerShell. You can choose to configure all the settings, none of the settings, or only some of the
settings. Each setting controls a specific part of the outdialing process.
UM uses access codes, number prefixes, and number formats to determine the correct number to dial. They can be
configured to restrict outgoing calls for users who dial in to a UM auto attendant associated with a UM dial plan or
who dial in to the Outlook Voice Access number configured on the dial plan.
For more information about outdialing in Unified Messaging, see Dial codes, number prefixes, and number
formats.

Outside line access code


You can configure an outside line access code, also known as a trunk access code, on each dial plan that you create.
This is the number used to gain access to an outside telephone line. This number is also configured on the Private
Branch eXchanges (PBXs) or IP PBXs in your organization. In most telephony networks, users dial the number 9 to
gain access to an outside line and place a call to an external telephone number.
You should configure an outside line access code on each dial plan that you create. This dialing code will apply to
all users who are linked with a UM mailbox policy that's linked with the UM dial plan. When a caller who's linked
with the dial plan places a call and the dial plan dials the outgoing call, UM adds the outside line access code
(usually 9) in front of the dialed number string so that the PBX or IP PBX can dial the number correctly. If you don't
configure the outside line access code, the PBX or IP PBX may not recognize the number that's sent. For example,
as stated earlier, in many organizations, the access code that users dial to gain access to an outside line is 9, and this
is configured on a PBX or IP PBX. Unified Messaging must add the outside line access code (9) before the
telephone number string for the PBX or IP PBX to correctly dial the outgoing number. If you configure the dialing
code so that Unified Messaging will add the outside line access code, Unified Messaging will be able to use the
outside line access code to access an outside line before it dials the external telephone number string. The dialing
code that you configure will apply to all users who are linked with a UM mailbox policy linked with the UM dial
plan.

National number prefix


The national number prefix and the country/region code can also be configured on a UM dial plan. Unified
Messaging uses the number you enter to dial the correct national number prefix or country/region code when a
user dials an outgoing call destined within the same country/region or an international call. For example, when a
user from North America places an outgoing international call to Europe, UM will add the national number prefix
before the number string that it sends to the PBX or IP PBX to place the outgoing call. The number 1 is used as the
national number prefix for North America.

In-Country/region access code


A country/region code can be configured on a UM dial plan. The country/region access code consists of the digits
associated with a specific country or region. Unified Messaging uses the country/region access code to dial the
correct telephone number when a call is placed to a telephone number from inside the same country or region.
UM will add this number before the number string that it sends to the PBX or IP PBX when it places the outgoing
call. For example, UM will add the number 1 to a call placed from the United States and destined for the United
States. For the United Kingdom, the country/region code is 44.

International access code


An international access code can be configured on a UM dial plan. The international access code consists of the
digits used to access international telephone numbers. Unified Messaging uses the international access code to dial
the correct international access code when a call is placed from a telephone number within a country/region and
the number being dialed is located in another country/region. UM will add this number before the number string
that it sends to the PBX or IP PBX when it places the outgoing call. For example, UM will use 011 as the
international access code for the United States. For Europe, the international access code is 00.

In-Country/region and international number formats


You can configure the incoming call configuration for country/region and international number formats on a UM
dial plan. After you configure these settings, Unified Messaging will be able to recognize incoming calls from inside
a country/region and internationally between UM dial plans within the same organization. You can also add
number formats for incoming calls that are placed within a single dial plan. Configuring these options enables your
organization to save money by preventing outgoing calls that shouldn't be made by users from inside your
organization, and helps to prevent toll fraud. UM will use the information that you configure to examine the
number format of the incoming call and verify that the number pattern matches before it accepts the call. For
example, you may have multiple dial plans inside an organization. If you have one dial plan for the United States
and another for the United Kingdom, you may want to let users in the United States dial plan have UM place calls
to users who are located in the United Kingdom dial plan, but not let the users in the United States dial plan place
calls directly to other countries/regions or internationally.
Allowing users to make calls procedures
2/28/2019 • 2 minutes to read

Enable outgoing calls on UM IP gateways
Disable outgoing calls on UM IP gateways
Configure dial codes
Create dialing rules for users
Authorize calls using dialing rules
Authorize calls for auto attendant callers
Authorize calls for users in a dial plan
Authorize calls for a group of users
Enable outgoing calls on UM IP gateways
2/28/2019 • 2 minutes to read

You can enable outgoing calls for a Unified Messaging (UM) IP gateway if outgoing calls have been disabled.
When you select the Allow outgoing calls through this UM IP gateway option on the properties for the UM
IP gateway, you configure the UM IP gateway to accept and send outgoing calls to a Voice over IP (VoIP) gateway,
Private Branch eXchange (PBX) enabled for Session Initiation Protocol (SIP), IP PBX, or session border controller
(SBC). Although the Allow outgoing calls through this UM IP gateway setting controls whether the UM IP
gateway is able to initiate outgoing calls for users, it doesn't affect call transfers or incoming calls from a VoIP
gateway, PBX enabled for SIP, IP PBX, or SBC.
Outdialing is the term used to describe a situation in which a user in one UM dial plan initiates a call to a
UM-enabled user in another dial plan or to an external telephone number.
To allow outdialing for UM-enabled users, you must:
Verify that the UM IP gateway allows outgoing calls.
Create dialing rule groups by creating dialing rule entries on the UM dial plan associated with the UM IP
gateway.
Add the correct dialing rule groups to the list of dialing restrictions in Dialing authorization on the UM
dial plan, auto attendant, or UM mailbox policy.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable outgoing calls for a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
change, and then click Edit.
2. On the UM IP Gateway page, select the check box next to Allow outgoing calls through this UM IP
gateway.
3. Click Save.

Use Exchange Online PowerShell to enable outgoing calls for a UM IP gateway

This example enables outgoing calls on a UM IP gateway named MyUMIPGateway.

Set-UMIPGateway -Identity MyUMIPGateway -OutcallsAllowed $true


Disable outgoing calls on UM IP gateways
2/28/2019 • 2 minutes to read

You can enable or disable outgoing calls for a Unified Messaging (UM) IP gateway. When you clear the Allow
outgoing calls through this UM IP gateway option on the properties for the UM IP gateway, you configure the
UM IP gateway to not accept and send outgoing calls to a Voice over IP (VoIP) gateway, IP PBX, or session border
controller (SBC). Although the Allow outgoing calls through this UM IP gateway setting controls whether the
UM IP gateway is able to initiate outgoing calls for users, it doesn't affect call transfers or incoming calls from a
VoIP gateway, IP PBX, or SBC.
For additional management tasks related to UM IP gateways, see UM IP gateway procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM IP gateways" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM IP gateway has been created. For detailed steps,
see Create a UM IP gateway.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable outgoing calls for a UM IP gateway


1. In the EAC, navigate to Unified Messaging > UM IP Gateways, select the UM IP gateway you want to
change, and then click Edit.
2. On the UM IP Gateway page, clear the check box next to Allow outgoing calls through this UM IP
gateway.
3. Click Save.

Use Exchange Online PowerShell to disable outgoing calls for a UM IP gateway

This example disables outgoing calls on a UM IP gateway named MyUMIPGateway.

Set-UMIPGateway -Identity MyUMIPGateway -OutcallsAllowed $false


Configure dial codes
2/28/2019 • 2 minutes to read

You can configure dial codes, number prefixes, and number formats that are used by Unified Messaging to dial
incoming and outgoing calls for users who are enabled for UM. In most cases, you'll configure a dial plan with the
dial codes, prefixes, and number formats currently configured on your telephony network.
Dial codes and number prefixes are used to determine the correct number to dial for an outgoing call that's placed
by a UM-enabled user. Outdialing is the term used to describe the process by which a user in a UM dial plan
initiates an outgoing call. Number formats are used for incoming calls within a country or region, international
calls, or calls that are placed within a dial plan. You can configure a dial plan to match the incoming call number
format for both in-country/region and international numbers. When you configure the in-country/region and
international number formats, you can restrict incoming calls for users linked with a dial plan.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure dial codes, prefixes, and number formats
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. Select the UM dial plan you want to manage, and then click Edit.
3. On the UM Dial Plan page, click Configure.
4. On the UM dial plan page > Dial codes, configure the following options:
Outside line access code
International access code
National number prefix
Country/Region code
5. Under Number formats for dialing between dial plans, configure the following:
Country/Region number format
International number format
Number formats for incoming calls within the same dial plan: To add a number format, click Add.
6. Click Save to save your changes.

Use Exchange Online PowerShell to configure dial codes, prefixes, and number formats

This example configures a UM dial plan named MyUMDialPlan with an in-country or region number format, an
international number format, and the following dial codes:
9 for the outside line access code
011 for the international access code
1 for the national number prefix
1 for the country or region code

Set-UMDialPlan -Identity MyUMDialPlan -OutsideLineAccessCode 9 -InternationalAccessCode 011 -NationalNumberPrefix 1 -CountryOrRegionCode 1 -InCountryOrRegionNumberFormat 1425xxxxxxx -InternationalNumberFormat 441425xxxxxxx

Create dialing rules for users
2/28/2019 • 4 minutes to read

Dialing rule groups consist of dialing rule entries. Dialing rules are used to modify a phone number before
sending it to an on-premises telephone system (PBX) or IP PBX for outgoing calls. Dialing rules serve two
purposes:
They specify the numbers that can be dialed for outgoing calls. When you create a dialing rule, you specify
the number formats that can be dialed. Any number that doesn't match one of the formats you specified is
rejected. If you don't set any dialing rules, callers can place calls within your organization but can't make any
outgoing calls.
They transform the numbers dialed before sending them out to your on-premises telephone system.
Dialing rules can strip numbers from or add numbers to the number dialed. For example, you can use
dialing rules to add the outside line access code for your telephone system or to add or remove the in-
country/region code for long-distance or local numbers.
To specify the types of outgoing calls you want to allow for a UM dial plan, you create a dialing rule group with
dialing rules and then use them to authorize outgoing calls for Outlook Voice Access users and callers that dial
into a UM auto attendant. You create separate dialing rule groups for in-country/region and for international calls.

NOTE
If you are integrating UM with Microsoft Lync Server, we recommend that you create at least one dialing rule group and
authorize that dialing rule group on the SIP URI dial plans, UM mailbox policies, and UM auto attendants to allow all
outgoing calls to be forwarded to Lync Servers.

For other management tasks for outdialing, see Allowing users to make calls procedures.

Examples of commonly used dialing rules


NUMBER PATTERN | DIALED NUMBER | WHEN WOULD YOU USE THIS DIALING RULE?
* | * | Allow all outgoing calls.
1425xxxxxxx | 91425xxxxxxx | Prevent users from getting an internal extension or an error when they forget to dial the outside access line number.
1xxxxxxxxxx | 1xxxxxxxxxx | Allow all numbers that start with 1.
xxxxxxx | 1425xxxxxxx | Add 1 and the local area code 425 to 7-digit numbers.

What do you need to know before you begin?


Estimated time to complete: Less than 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
If you will be applying dialing rule groups to UM mailbox policies, you will need to confirm that a UM
mailbox policy is created. For detailed steps, see Create a UM mailbox policy.
If you will be applying dialing rule groups to UM auto attendants, you will need to confirm that a UM auto
attendant is created. For detailed steps, see Create a UM auto attendant.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create a dialing rule


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. On the UM Dial Plan page > Dialing rules, click Add under In-country/region dialing rules or
International dialing rules.
4. On the New Dialing Rule page, enter the following information:
Dialing rule name: Enter the name of the dialing rule group you want this rule to be a part of. To combine
it with other rules, use the same group name. To create a new dialing rule group, enter a new unique name.
Number pattern to transform (number mask): Enter the number pattern to transform before dialing, for
example, 91425xxxxxxx. If a caller dials a number that matches, UM transforms it to the dialed number
before placing the call. Enter only numbers and the wildcard (x). The number pattern is also called a number
mask.
Dialed number: Enter the number to dial. Use only numbers and the wildcard (x), as in the number pattern
9xxxxxxx. Wildcards (x) are substituted with the digits from the original number dialed by the user. Make
sure the number of wildcards in the dialed number is the same as the number of wildcards in the number
pattern.
Comment: Enter a comment or description for this dialing rule. You can use the comment to describe what
the rule does, for example, "Add a 9 to outgoing calls."
5. Click OK to save the dialing rule. You can continue to enter rules, using the same dialing rule group name for
rules that you want to authorize together.
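
The number mask and dialed number fields described above can be modelled in a few lines of PowerShell. This is an added illustration, not Exchange's own code: the function name Convert-DialedNumber, the first-match-wins ordering, and the sample phone numbers are assumptions made for the example.

```powershell
# Added illustration: a simplified model of dialing-rule matching, not Exchange's implementation.
# Assumptions: rules are checked in order, the first matching number mask wins,
# and a number that matches no mask is rejected (returns $null).

function Convert-DialedNumber {
    param(
        [Parameter(Mandatory)][string]   $Number,   # digits entered by the caller
        [Parameter(Mandatory)][object[]] $Rules     # objects with Name, NumberMask, DialedNumber
    )

    # Only digits are dialable in this model.
    if ($Number -notmatch '^\d+$') { return $null }

    foreach ($rule in $Rules) {
        $mask   = [string]$rule.NumberMask
        $dialed = [string]$rule.DialedNumber

        # "*" is the allow-all entry from the examples table: pass the number through unchanged.
        if ($mask -eq '*') { return $Number }

        # Both fields accept only digits and the wildcard x.
        if ($mask -cnotmatch '^[0-9x]+$' -or $dialed -cnotmatch '^[0-9x]+$') {
            throw "Rule '$($rule.Name)': use only digits and the wildcard x."
        }

        # The wildcard count must be the same in the mask and in the dialed number.
        $maskWild   = [regex]::Matches($mask,   'x').Count
        $dialedWild = [regex]::Matches($dialed, 'x').Count
        if ($maskWild -ne $dialedWild) {
            throw "Rule '$($rule.Name)': wildcard counts differ ($maskWild vs $dialedWild)."
        }

        # Turn the mask into a regex: literal digits must match, each x captures one digit.
        $pattern = '^' + ($mask -creplace 'x', '(\d)') + '$'
        $match   = [regex]::Match($Number, $pattern)
        if (-not $match.Success) { continue }

        # Substitute the captured digits, in order, for the wildcards in the dialed number.
        $group  = 1
        $result = [System.Text.StringBuilder]::new()
        foreach ($ch in $dialed.ToCharArray()) {
            if ($ch -ceq [char]'x') {
                [void]$result.Append($match.Groups[$group].Value)
                $group++
            } else {
                [void]$result.Append($ch)
            }
        }
        return $result.ToString()
    }

    # No rule matched: the call is not placed.
    return $null
}

# Two rules taken from the examples table; the group names are constructed.
$rules = @(
    [pscustomobject]@{ Name = 'LongDistance'; NumberMask = '1425xxxxxxx'; DialedNumber = '91425xxxxxxx' }
    [pscustomobject]@{ Name = 'Local';        NumberMask = 'xxxxxxx';     DialedNumber = '1425xxxxxxx'  }
)

# Constructed test numbers: two that match a rule and one international number that matches none.
foreach ($n in '14255550100', '5550100', '011442079460000') {
    $sent = Convert-DialedNumber -Number $n -Rules $rules
    [pscustomobject]@{
        Dialed = $n
        Sent   = $(if ($null -ne $sent) { $sent } else { '<rejected>' })
    }
}
```

Adding a rule with the mask * to the list makes every number pass, which is why the allow-all entry belongs only in groups that are authorized for callers who should have unrestricted outdialing.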
Authorize calls using dialing rules
2/28/2019 • 2 minutes to read

By default, users aren't able to place outgoing calls. To specify the kinds of calls users can make, you first create
dialing rules, then authorize groups of these dialing rules on UM dial plans, UM mailbox policies, or UM auto
attendants. Before you can authorize dialing rule groups, you have to define dialing rules on a UM dial plan. For
details, see Create dialing rules for users.
Each dialing rule that you create will contain the types of calls or number patterns that you want to give users
access to. You can allow different types of users to make different types of calls. The calls you allow can be within a
country or region, or they can be international.
To authorize or restrict dialing, the following settings must be configured correctly:
Dialing rules: Dialing rules define the number that UM-enabled users dial and the number that will be sent
from Unified Messaging and dialed by the Private Branch eXchange (PBX) or IP PBX. You create a dialing
rule group by adding a dialing rule. After you create a dialing rule group, you add it to the list of authorized
calls for an in-country/region or international dialing rule group.
Dialing rule groups: Dialing rule groups determine the types of calls that users within the dialing group
can make.
Dialing authorizations: Dialing authorizations are used to determine the restrictions that will be applied to
prevent users from incurring unnecessary telephone charges or from dialing long-distance calls.

How do I authorize a dialing rule group?


Where you authorize dialing rule groups depends on the types of callers that you want to allow to make outgoing
calls. For example, if you want only Outlook Voice Access users to place outgoing calls, you would create your
dialing rules and then authorize those dialing rule groups to the UM mailbox policy that the Outlook Voice Access
users are linked to. The following table shows how to authorize calls for different types of callers.

TYPE OF CALLER | AUTHORIZE DIALING RULE GROUPS HERE
Unauthenticated callers who call in to an Outlook Voice Access number and don't enter a PIN | UM dial plan. For details, see Authorize calls for users in a dial plan.
Authenticated callers who call in to an Outlook Voice Access number and enter a PIN | UM mailbox policy for the caller. For details, see Authorize calls for a group of users.
Unauthenticated callers who call in to a telephone number that's configured on a UM auto attendant | UM auto attendant. For details, see Authorize calls for auto attendant callers.

Depending on which users you're authorizing to make outbound calls, you'll use the Dialing authorization page
in the Exchange admin center (EAC) for the dial plan, the auto attendant, or the UM mailbox policy.
Authorize calls for auto attendant callers
2/28/2019 • 2 minutes to read

You can enable dialing authorizations on a Unified Messaging (UM) auto attendant. Dialing authorizations on an
auto attendant are used to prohibit users who call in to the auto attendant from making in-country/region or
international telephone calls, or outdialing. Outdialing happens when Unified Messaging makes an outgoing call
for a user after they've called into a phone number that is configured on a UM auto attendant.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM auto attendants" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM auto attendant has been created. For detailed
steps, see Create a UM auto attendant.
Before you perform these procedures, confirm that in-country/region and international dialing rules have
been created on a UM dial plan. For detailed steps, see Create dialing rules for users.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable dialing authorizations on a UM auto attendant for in-country/region rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create a dialing authorization, and then click Edit.
3. On the UM Auto Attendant page > Dialing authorization, click Add under Authorized in-
country/region dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use the EAC to enable dialing authorizations on a UM auto attendant for international rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Auto Attendants, select the UM auto attendant for which you
want to create a dialing authorization, and then click Edit.
3. On the UM Auto Attendant page > Dialing authorization, click Add under Authorized
international dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use Exchange Online PowerShell to enable in-country/region and international dialing authorizations on a UM auto attendant

This example enables the InCountry/RegionGroup1, InCountry/RegionGroup2, InternationalGroup1, and
InternationalGroup2 dialing authorizations on a UM auto attendant named MyUMAutoAttendant.

Set-UMAutoAttendant -Identity MyUMAutoAttendant -AllowedInCountryOrRegionGroups InCountry/RegionGroup1,InCountry/RegionGroup2 -AllowedInternationalGroups InternationalGroup1,InternationalGroup2

Authorize calls for users in a dial plan
2/28/2019 • 2 minutes to read

You can enable dialing authorizations on a Unified Messaging (UM) dial plan. Dialing authorizations on a dial plan
are used to prohibit unauthenticated Outlook Voice Access users from making in-country/region or international
telephone calls, or outdialing. Outdialing happens when Unified Messaging places an outgoing call for a user after
they've called in to an Outlook Voice Access phone number that is configured on a UM dial plan. When you
configure a setting on a UM dial plan, that setting applies to all unauthenticated users that call in to an Outlook
Voice Access number.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform this procedure, confirm that in-country/region and international dialing rules have been
created on a UM dial plan. For detailed steps, see Create dialing rules for users.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable dialing authorizations on a UM dial plan for in-country/region dialing rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. On the UM Dial Plan page > Dialing authorization, click Add under Authorized in-country/region
dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use the EAC to enable dialing authorizations on a UM dial plan for international dialing rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, click Configure.
3. On the UM Dial Plan page > Dialing authorization, click Add under Authorized international
dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use Exchange Online PowerShell to enable in-country/region and international dialing authorizations on a UM dial plan

This example enables the InCountry/RegionGroup1, InCountry/RegionGroup2, InternationalGroup1, and
InternationalGroup2 dialing authorizations on a UM dial plan named MyUMDialPlan.

Set-UMDialPlan -Identity MyUMDialPlan -AllowedInCountryOrRegionGroups InCountry/RegionGroup1,InCountry/RegionGroup2 -AllowedInternationalGroups InternationalGroup1,InternationalGroup2

Authorize calls for a group of users
2/28/2019 • 2 minutes to read

You can enable dialing authorizations on a Unified Messaging (UM) mailbox policy. You can use dialing
authorizations on a mailbox policy to prohibit authenticated Outlook Voice Access users that are linked to the UM
mailbox policy from making in-country/region or international telephone calls, or outdialing. Outdialing happens
when Unified Messaging places an outgoing call for a user after they've called in to an Outlook Voice Access
phone number that is configured on a UM dial plan. When you configure a setting on a UM mailbox policy, that
setting applies to all UM-enabled users linked with the UM mailbox policy.
For additional management tasks related to outdialing, see Allowing users to make calls procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that in-country/region and international dialing rules have
been created on a UM dial plan. For detailed steps, see Create dialing rules for users.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable dialing authorizations on a UM mailbox policy for in-country/region dialing rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy for which you
want to create a dialing authorization, and then click Edit.
3. On the UM Mailbox Policy page > Dialing authorization, click Add under Authorized in-
country/region dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use the EAC to enable dialing authorizations on a UM mailbox policy for international dialing rule groups

1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy for which you
want to create a dialing authorization, and then click Edit.
3. On the UM Mailbox Policy page > Dialing authorization, click Add under Authorized
international dialing rule groups.
4. On the Select Dialing Rule Groups to Allow page, select the dialing rule group, click OK, and then click
Save.

Use Exchange Online PowerShell to enable in-country/region and international dialing authorizations on a UM mailbox policy

This example enables the InCountry/RegionGroup1, InCountry/RegionGroup2, InternationalGroup1, and
InternationalGroup2 dialing authorizations on a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowedInCountryOrRegionGroups InCountry/RegionGroup1,InCountry/RegionGroup2 -AllowedInternationalGroups InternationalGroup1,InternationalGroup2

Setting up incoming faxing
2/28/2019 • 7 minutes to read

Microsoft Exchange Unified Messaging (UM) relies on certified fax partner solutions for enhanced fax features
such as outbound fax or fax routing. By default, Exchange servers aren't configured to allow incoming faxes to be
delivered to a user that's enabled for UM. Instead, an Exchange server redirects incoming fax calls to a certified fax
partner solution. The fax partner's server receives the fax data and then sends it to the user's mailbox in an email
message with the fax included as a .tif attachment.
For more information about fax partners, see Microsoft Pinpoint for Fax Partners.

Deploying and configuring faxing


UM forwards incoming fax calls to a dedicated fax partner solution, which then establishes the fax call with the fax
sender and receives the fax on behalf of the UM-enabled user. However, to allow UM-enabled users to receive fax
messages in their mailboxes, you must first enable incoming faxing and set the fax partner's URI on the UM
mailbox policy that's linked to the UM-enabled user or users. You can allow or prevent incoming faxing on UM dial
plans, UM mailbox policies, and on the mailbox for a UM-enabled user. For details, see the following topics:
Allow users in the same dial plan to receive faxes
Prevent users in the same dial plan from receiving faxes
Enable faxing for a group of users
Disable faxing for a group of users
Enable a user to receive faxes
Prevent a user from receiving faxes
Step 1: Deploy Unified Messaging
Before you can set up faxing for your on-premises or hybrid organization, you need to successfully deploy Client
Access and Mailbox servers and configure your supported Voice over IP (VoIP) gateways to allow faxing. For
details about how to deploy UM, see Deploy Exchange Server UM. For details about how to deploy VoIP gateways
and IP Private Branch eXchanges (PBXs), see Connect UM to Your Telephone System.

IMPORTANT
Sending and receiving faxes using T.38 or G.711 isn't supported in an environment where Unified Messaging and Microsoft
Office Communications Server 2007 R2 or Microsoft Lync Server are integrated.

Step 2: Configure fax partner servers


Next, you need to enable incoming faxing and configure the fax partner's URI on each UM mailbox policy that you
require in your organization. To successfully deploy incoming faxing, you must integrate a certified fax partner
solution with Exchange Unified Messaging. For details, see Fax advisor for Exchange UM. For a list of certified fax
partners, see Microsoft Pinpoint for Fax Partners.
NOTE
Because the fax partner server is external to your organization, firewall ports must be configured to allow the T.38 protocol
ports that enable faxing over an IP-based network. By default, the T.38 protocol uses TCP port 6004. It can also use User
Datagram Protocol (UDP) port 6044, but this will be defined by the hardware manufacturer. The firewall ports must be
configured to allow fax data that uses the TCP or UDP ports or port ranges defined by the manufacturer.

Step 3: Enable faxing on Unified Messaging


Three components must be configured correctly for users to be able to receive faxes by using Unified Messaging:
UM dial plans
UM mailbox policies
UM mailboxes
Faxing can be enabled or disabled on UM dial plans, UM mailbox policies, or on an individual UM-enabled user's
mailbox. UM mailbox policies can be enabled or disabled for faxing using either the Exchange admin center (EAC)
or Exchange Online PowerShell. Enabling and disabling of dial plans and individual UM-enabled users needs to be
done using Exchange Online PowerShell. The following table shows the options that are available and the cmdlets
and parameters that are used for enabling and disabling faxing.

UM COMPONENT | ENABLE/DISABLE USING THE EAC? | EXCHANGE ONLINE POWERSHELL EXAMPLE FOR ENABLING FAXING
Dial plan | No | Set-UMDialPlan -Identity MyUMDialPlan -faxenabled $true
UM mailbox policy | Yes | Set-UMMailboxPolicy -Identity MyPolicy -AllowFax $true
UM-enabled user | No | Set-UMMailbox -Identity tonysmith -faxenabled $true

By default, although the UM dial plan and the user's mailbox allow incoming faxes, you must first enable inbound
faxing on the UM mailbox policy that's assigned to the UM-enabled user and then enter the fax partner server's
URI.
To enable UM-enabled users to receive faxes, you must do the following:
Verify that each UM dial plan allows the users who are associated with the dial plan to receive faxes. By
default, all users who are associated with a dial plan can receive faxes. For UM-enabled users to receive fax
messages in their mailbox, each VoIP gateway or IP PBX must be configured to accept incoming fax calls.
You must also enable fax messages to be received by users who are linked with the dial plan. For more
information about how to enable users linked with a dial plan to receive faxes or to prevent them from
doing this, see Enable a user to receive faxes.

NOTE
If you prevent fax messages from being received on a dial plan, no users who are associated with the dial plan will be
able to receive faxes, even if you configure an individual user's properties to allow them to receive faxes. Enabling or
disabling faxing on a UM dial plan takes precedence over the settings for an individual UM-enabled user.

Configure the UM mailbox policy that's associated with the UM-enabled user. The UM mailbox policy must
be configured to allow incoming faxes, including the fax partner's URI and the name of the fax partner's
server. The FaxServerURI parameter must use the following form: sip:<fax server URI>:<port>;<transport>,
where "fax server URI" is either a fully qualified domain name (FQDN) or an IP address of the fax partner
server. The "port" is the port on which the fax server listens for incoming fax calls and "transport" is the
transport protocol that's used for the incoming fax (UDP, TCP, or Transport Layer Security (TLS)). For
example, you might configure a UM mailbox policy to receive a fax as follows.

Set-UMMailboxPolicy MyUMMailboxPolicy -AllowFax $true -FaxServerURI "sip:faxserver.abc.com:5060;transport=tcp"

For details, see Set the partner fax server URI to allow faxing.
Caution

Although you can include multiple entries in the format for the FaxServerURI by separating them with a
semicolon, only one entry will be used. This parameter allows only one entry to be used, and adding
multiple entries won't enable you to load balance fax requests.
Verify that the mailbox that's UM-enabled can receive fax messages. By default, all users who are associated
with a dial plan can receive faxes. However, there may be situations when a user can't receive faxes because
the ability to receive faxes has been disabled on their mailbox. For more information about how to enable a
UM-enabled user to receive faxes, see Enable a user to receive faxes.
You can prevent an individual user who's associated with a dial plan from receiving fax messages. To do this,
configure the properties for the user by using the Set-UMMailbox cmdlet in Exchange Online PowerShell.
You can also use the Set-UMMailboxPolicy cmdlet to prevent multiple users from receiving fax messages.
For more information about how to prevent a user or users from receiving fax messages, see Prevent a user
from receiving faxes.
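
The FaxServerURI form and the single-entry caution described above can be checked before the value is passed to Set-UMMailboxPolicy. The following is an added example, not Microsoft's code: the function name Test-FaxServerUri is hypothetical, the host part is assumed to be an FQDN or IPv4 address, and every sample value except the page's own faxserver.abc.com example is constructed.

```powershell
# Added illustration: checks a FaxServerURI string against the documented form
#   sip:<fax server URI>:<port>;<transport>
# Assumptions: hypothetical function name; host is an FQDN or IPv4 address (no IPv6 handling).

function Test-FaxServerUri {
    param([Parameter(Mandatory)][string]$Uri)

    $findings = [System.Collections.Generic.List[string]]::new()
    $notes    = [System.Collections.Generic.List[string]]::new()

    # Only one entry is used, so several "sip:" entries signal a failed load-balancing attempt.
    $entryCount = [regex]::Matches($Uri, '(?i)sip:').Count
    if ($entryCount -gt 1) {
        $findings.Add("$entryCount entries found; only one is used and fax requests are not load balanced.")
    }

    # Parse the first entry: scheme, host, port, transport.
    $m = [regex]::Match($Uri, '(?i)^sip:(?<host>[^:;\s]+):(?<port>\d{1,5});transport=(?<transport>[a-z]+)')
    if (-not $m.Success) {
        $findings.Add('Does not match sip:<fax server URI>:<port>;transport=<udp|tcp|tls>.')
    } else {
        $port = [int]$m.Groups['port'].Value
        if ($port -lt 1 -or $port -gt 65535) {
            $findings.Add("Port $port is outside 1-65535.")
        }

        $transport = $m.Groups['transport'].Value.ToLowerInvariant()
        if ($transport -notin 'udp', 'tcp', 'tls') {
            $findings.Add("Transport '$transport' is not UDP, TCP, or TLS.")
        } elseif ($transport -ne 'tls') {
            # Not an error: the page allows UDP and TCP. Flagged so the choice is deliberate.
            $notes.Add("Transport '$transport' is not TLS; the fax call setup is sent unencrypted.")
        }
    }

    [pscustomobject]@{
        Uri      = $Uri
        Valid    = ($findings.Count -eq 0)
        Findings = ($findings -join ' ')
        Notes    = ($notes -join ' ')
    }
}

# First value is the page's example; the others are constructed to show each failure mode.
$samples = @(
    'sip:faxserver.abc.com:5060;transport=tcp'
    'sip:fax1.example.test:5061;transport=tls'
    'sip:fax1.example.test:5060;transport=tcp;sip:fax2.example.test:5060;transport=tcp'
    'sip:fax1.example.test;transport=tcp'
    'sip:fax1.example.test:5060;transport=sctp'
)
$samples | ForEach-Object { Test-FaxServerUri -Uri $_ } | Format-List
```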
Step 4: Configure authentication
In addition to configuring your UM dial plans, UM mailbox policies, and UM-enabled users, you have to configure
authentication between your Exchange servers and the fax partner server. The Exchange servers must be able to
authenticate the origin of the messages that claim to be coming from the fax partner server. Any unauthenticated
messages claiming to have come from a fax partner server won't be processed by an Exchange server.
To authenticate the connection from the fax partner server to the Exchange servers, you can use:
Mutual TLS
Sender ID validation
A dedicated receive connector
A receive connector should be sufficient for authenticating the fax partner servers deployed in your organization.
The receive connector will ensure that the Exchange servers treat all traffic coming from the fax partner server as
authenticated.
The receive connector will be configured on an Exchange server that's used by the fax partner server to submit
SMTP fax messages, and must be configured with the following values:
AuthMechanism: ExternalAuthoritative
PermissionGroups: ExchangeServers, PartnersFax
RemoteIPRanges: {the fax server's IP address}
RequireTLS: False
EnableAuthGSSAPI: False
LiveCredentialEnabled: False
For details, see Connectors.
If the fax partner server sends network traffic to an Exchange server over a public network, for example, a
service-based fax partner server hosted in the cloud, it's a good idea to authenticate the fax partner server using a
sender ID check. This type of authentication ensures that the IP address that the fax message came from is authorized
to send email messages on behalf of the fax partner domain that the message claims to have come from. DNS is used
to store the sender ID records (or sender policy framework (SPF) records) and fax partners must publish their SPF
records in the DNS forward lookup zone. Exchange will validate the IP addresses by querying DNS. However, the
sender ID agent must be running on a Mailbox server to be able to perform the DNS query.
You can also use TLS to encrypt the network traffic, or mutual TLS for encryption and authentication between the
fax partner server and Exchange servers.
Fax advisor for Exchange UM
2/28/2019 • 2 minutes to read

Microsoft Unified Messaging (UM) relies on certified fax partner solutions for enhanced fax functionality such as
outbound fax or fax routing. By default, users aren't configured to allow incoming fax messages to be delivered to a
UM-enabled user. Exchange servers send the fax requests to a certified fax partner solution. The fax partner's
server receives the fax data and then sends it to the recipient's mailbox in an email message with the fax included
as a .tif attachment. For details, see Enable Voice Mail Users to Receive Faxes.

IMPORTANT
We recommend that all customers who plan to deploy Unified Messaging obtain the assistance of a Unified Messaging
specialist. A Unified Messaging specialist helps you ensure that there's a smooth transition to Unified Messaging from a
legacy voice mail system. Performing a new deployment or upgrading a legacy voice mail system requires significant
knowledge about PBXs and Unified Messaging. For more information about how to contact a Unified Messaging specialist,
see the Microsoft Exchange Server Unified Messaging (UM) Specialists or Microsoft Pinpoint for Unified Messaging.

Exchange Unified Messaging Fax Partner Program


To become a fax partner certified for interoperability with Exchange UM, the partner must implement the
requirements contained in the Fax Partner Interoperability Specification and the fax solution must be certified by
an independent certification vendor.

Fax partner solutions certified as interoperable with Unified Messaging


If you've already deployed Exchange Unified Messaging and are looking for a fax partner that can enable incoming
faxes for your organization, see Microsoft Pinpoint for Fax Partners. These software vendors have been certified as
interoperable with Exchange Server and include certified software solutions for Unified Messaging.

VoIP, media gateway, and IP PBX support


Correctly configuring VoIP gateways for your organization is a difficult deployment task that must be completed to
successfully deploy Exchange Unified Messaging with incoming faxing. To help answer questions and get the most
up-to-date VoIP gateway configuration information, see Telephony advisor for Exchange 2013. Configuration
notes for supported VoIP gateways, IP PBXs, and PBXs provides VoIP gateway configuration notes and files that
you must have to correctly configure your organization's VoIP gateways, IP PBXs, and SBCs to work with
Exchange Unified Messaging.
Interoperability testing of Exchange Unified Messaging with VoIP gateways is now integrated with the Microsoft
Unified Communications Open Interoperability Program. For more information, see Microsoft Unified
Communications Open Interoperability Program.
The Microsoft Unified Communications Open Interoperability Program qualification program for VoIP gateways
and IP PBXs ensures that customers have a seamless setup and support experience when they're using qualified
telephony gateways and IP PBXs with Microsoft Unified Communications software.
IMPORTANT
Sending and receiving faxes using T.38 or G.711 isn't supported in an environment where Unified Messaging and
Communications Server 2007 R2 or Microsoft Lync Server are integrated.

Deploying and configuring faxing


UM forwards incoming fax calls to a dedicated fax partner solution, which then establishes the fax call with the fax
sender and receives the fax on behalf of the UM-enabled user. However, to allow UM-enabled users to receive fax
messages in their mailbox, you must configure the fax partner server, and then configure the UM dial plans, UM
mailbox policies, and enable UM-enabled users to receive faxes. For details, see Setting up incoming faxing.
Faxing procedures
2/28/2019 • 2 minutes to read

Set the partner fax server URI to allow faxing
Include text with the email message sent when a fax message is received
Allow users in the same dial plan to receive faxes
Prevent users in the same dial plan from receiving faxes
Enable faxing for a group of users
Disable faxing for a group of users
Enable a user to receive faxes
Prevent a user from receiving faxes
Set the partner fax server URI to allow faxing
2/28/2019 • 2 minutes to read

You can enable and disable inbound faxes for users associated with a Unified Messaging (UM) mailbox policy. By
default, when you enable users for UM, users can't receive fax messages until you enable inbound faxing on the
UM mailbox policy and specify the URI for the partner fax server. If the URIs are configured on the UM mailbox
policy but the option to allow incoming faxes is disabled on the UM dial plan or for an individual user, UM-enabled
users linked to the UM mailbox policy still won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to set the fax partner URI


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM dial plan page, under UM Mailbox Policies, select the policy you want to modify, and then
click Edit.
3. On the UM mailbox policy page > General, in the Partner fax server URI box, enter the TCP or TLS
URI. For example: sip:faxserver1.contoso.com:5060;transport=tcp or
sip:faxserver2.contoso.com:5061;transport=tls

NOTE
Although the box can contain more than one fax server URI, only one will be used. If you enter two URIs, only the
first will be used.

4. Click Save to save your changes.


Use Exchange Online PowerShell to set the fax partner URI
This example allows users who are linked with the UM mailbox policy UMDialPlan Default Policy to use TCP with
port 5060 for the partner fax server faxserver1. The URI is quoted so that PowerShell doesn't treat the semicolon
as a statement separator.

Set-UMMailboxPolicy "UMDialPlan Default Policy" -FaxServerURI "sip:faxserver1.contoso.com:5060;transport=tcp"

This example allows users who are linked with the UM mailbox policy UMDialPlan Default Policy to use TLS with
port 5061 for the partner fax server faxserver2.

Set-UMMailboxPolicy "UMDialPlan Default Policy" -FaxServerURI "sip:faxserver2.contoso.com:5061;transport=tls"


Include text with the email message sent when a fax message is received
2/28/2019 • 2 minutes to read

You can include additional text in the email message that's sent when a fax message is received by a user who is
enabled for Unified Messaging (UM) voice mail and is fax-enabled, and when the UM mailbox policy has been
configured correctly to use a fax partner provider. By default, the text included when a UM-enabled user receives a
fax message indicates only that the user has received a fax message. However, you can create a custom message
by adding text in the When a user receives a fax message box on a UM mailbox policy. For example, the text can
include information about system security policies and describe the correct way to handle fax messages in your
organization. After you add the text, it will be included in each email message that's sent when UM-enabled users
who are associated with the UM mailbox policy receive a fax message.

NOTE
The custom text that accompanies a fax message is limited to 512 characters, and can include simple HTML text.

For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to change the text included with a fax message
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user receives a fax
message, enter the text you want to include in the email message that's sent when users receive a fax
message in their mailbox.
4. Click Save.

Use Exchange Online PowerShell to change the text included with a fax message
This example enables UM-enabled users who are associated with a UM mailbox policy to receive additional
instructions on how to open a fax message that they've received in their mailbox.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -FaxMessageText "To open this fax message, double-click the file attachment."

Allow users in the same dial plan to receive faxes
2/28/2019 • 2 minutes to read

You can enable all users who are linked with a Unified Messaging (UM) dial plan to receive fax messages in their
mailboxes. By default, users who are enabled for Unified Messaging and are linked with a UM dial plan can receive
fax messages. To allow UM-enabled users to receive fax messages in their mailboxes, the dial plan must be
configured to accept incoming fax calls. You must also enable faxing on the UM mailbox policy and for the user. By
default, faxing is enabled on dial plans, UM mailbox policies, and for users. However, there may be times when
these default settings have changed and UM-enabled users can't receive fax messages.
If you prevent fax messages from being received on a dial plan, all users who are associated with the dial plan
won't be able to receive fax messages, even if you configure an individual user's properties to allow them to
receive fax messages. Enabling or disabling faxing on a UM dial plan takes precedence over the settings for faxing
on a UM mailbox policy or an individual UM-enabled user.

NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.
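
The precedence described above can be checked mechanically. The following is an added example, not code from the original documentation: it resolves each user's effective inbound-fax state from the dial plan, the UM mailbox policy and the mailbox, and lists what blocks delivery. The helper name Get-EffectiveFaxState, the UMMailboxPolicy and UMDialPlan linkage properties, and all sample objects are assumptions constructed so the block runs without an Exchange session.

```powershell
# Added example: effective inbound-fax state across dial plan, mailbox policy and user.
# Get-EffectiveFaxState is a hypothetical helper, not an Exchange cmdlet.
function Get-EffectiveFaxState {
    param(
        [Parameter(Mandatory)] [object[]] $DialPlan,       # Name, FaxEnabled
        [Parameter(Mandatory)] [object[]] $MailboxPolicy,  # Name, UMDialPlan, AllowFax, FaxServerURI
        [Parameter(Mandatory)] [object[]] $Mailbox         # Name, UMMailboxPolicy, FaxEnabled
    )

    # Index dial plans and policies by name so each mailbox can be resolved upward.
    $planByName = @{}
    foreach ($p in $DialPlan) { $planByName[[string]$p.Name] = $p }
    $policyByName = @{}
    foreach ($p in $MailboxPolicy) { $policyByName[[string]$p.Name] = $p }

    foreach ($mbx in $Mailbox) {
        $blockers = [System.Collections.Generic.List[string]]::new()
        $notes    = [System.Collections.Generic.List[string]]::new()

        $policy = $policyByName[[string]$mbx.UMMailboxPolicy]
        if (-not $policy) {
            $blockers.Add("UM mailbox policy '$($mbx.UMMailboxPolicy)' not found")
        }
        else {
            # The dial plan setting overrides the policy and the user setting.
            $plan = $planByName[[string]$policy.UMDialPlan]
            if (-not $plan) {
                $blockers.Add("UM dial plan '$($policy.UMDialPlan)' not found")
            }
            elseif (-not $plan.FaxEnabled) {
                $blockers.Add("dial plan '$($plan.Name)' has FaxEnabled = False")
            }

            if (-not $policy.AllowFax) {
                $blockers.Add("policy '$($policy.Name)' has AllowFax = False")
            }

            $uri = [string]$policy.FaxServerURI
            if ([string]::IsNullOrWhiteSpace($uri)) {
                $blockers.Add("policy '$($policy.Name)' has no FaxServerURI")
            }
            else {
                # Only one entry is used, so extra URIs give no failover or load balancing.
                if ([regex]::Matches($uri, '(?i)\bsips?:').Count -gt 1) {
                    $notes.Add('FaxServerURI holds several entries; only one is used')
                }
                # transport=tcp means the SIP leg to the fax partner is not encrypted.
                if ($uri -match 'transport=tcp') {
                    $notes.Add('FaxServerURI uses TCP, not TLS')
                }
            }
        }

        if (-not $mbx.FaxEnabled) {
            $blockers.Add('mailbox has FaxEnabled = False')
        }

        [pscustomobject]@{
            User          = $mbx.Name
            CanReceiveFax = ($blockers.Count -eq 0)
            Blockers      = ($blockers -join '; ')
            Notes         = ($notes -join '; ')
        }
    }
}

# Constructed sample data (not real tenant output).
$plans = @(
    [pscustomobject]@{ Name = 'MyUMDialPlan';   FaxEnabled = $true }
    [pscustomobject]@{ Name = 'BranchDialPlan'; FaxEnabled = $false }
)
$policies = @(
    [pscustomobject]@{ Name = 'MyUMMailboxPolicy'; UMDialPlan = 'MyUMDialPlan'; AllowFax = $true
                       FaxServerURI = 'sip:faxserver1.contoso.com:5060;transport=tcp' }
    [pscustomobject]@{ Name = 'BranchPolicy'; UMDialPlan = 'BranchDialPlan'; AllowFax = $true
                       FaxServerURI = 'sip:faxserver2.contoso.com:5061;transport=tls' }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'tonysmith@contoso.com';  UMMailboxPolicy = 'MyUMMailboxPolicy'; FaxEnabled = $true }
    [pscustomobject]@{ Name = 'tony@contoso.com';       UMMailboxPolicy = 'MyUMMailboxPolicy'; FaxEnabled = $false }
    [pscustomobject]@{ Name = 'branchuser@contoso.com'; UMMailboxPolicy = 'BranchPolicy';      FaxEnabled = $true }
)

Get-EffectiveFaxState -DialPlan $plans -MailboxPolicy $policies -Mailbox $mailboxes |
    Format-List
```

In the sample, branchuser@contoso.com is blocked by the dial plan even though the policy and mailbox both allow faxing, which is the precedence rule stated above.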

For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to allow users who are linked to a dial plan to receive faxes
This example enables UM-enabled users who are linked with the UM dial plan named MyUMDialPlan to receive
incoming faxes.

Set-UMDialPlan -Identity MyUMDialPlan -FaxEnabled $true


Prevent users in the same dial plan from receiving faxes
2/28/2019 • 2 minutes to read

You can prevent UM-enabled users who are linked with a Unified Messaging (UM) dial plan from receiving fax
messages. By default, users who are enabled for Unified Messaging and are linked with a UM dial plan can receive
fax messages. However, there may be times when you want to prevent users who are associated with a specific
UM dial plan from receiving faxes.
You can prevent UM-enabled users from receiving faxes by configuring the UM dial plan, the UM mailbox policy,
or the UM-enabled user's mailbox. If you disable incoming fax message delivery on a UM dial plan, all users who
are associated with the dial plan will be prevented from receiving fax messages. Enabling or disabling faxing on a
UM dial plan takes precedence over the settings for an individual UM-enabled user.

NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.

For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to prevent users who are linked to a dial plan from receiving faxes
This example prevents UM-enabled users associated with the UM dial plan named MyUMDialPlan from receiving
faxes.

Set-UMDialPlan -Identity MyUMDialPlan -FaxEnabled $false


Enable faxing for a group of users
2/28/2019 • 2 minutes to read

You can enable inbound faxes for users linked with a Unified Messaging (UM) mailbox policy. By default, when you
enable users for Unified Messaging, users can't receive fax messages until you specify the URI for the fax partner
server, deploy a fax partner server for your organization, and enable faxing on a UM mailbox policy. If the option
to allow incoming faxes is disabled on the UM dial plan, the users linked with the UM mailbox policy still won't be
able to receive faxes. Similarly, if the option to allow incoming faxes is disabled on an individual user, that user
won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable inbound faxing


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM dial plan page, under UM Mailbox Policies, select the mailbox policy you want to modify,
and then click Edit.
3. On the UM mailbox policy page > General, select the check box next to Allow inbound faxes.
4. Click Save to save your changes.

Use Exchange Online PowerShell to enable inbound faxing


This example allows users who are linked with the UM mailbox policy MyUMMailboxPolicy to use inbound faxing.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowFax $true


Disable faxing for a group of users
2/28/2019 • 2 minutes to read

You can disable inbound faxes for users associated with a Unified Messaging (UM) mailbox policy. By default,
when you enable users for Unified Messaging, users can't receive fax messages until you specify the URI for the
fax partner server, deploy a fax partner server for your organization, and enable faxing on a UM mailbox policy. If
the option to allow incoming faxes is disabled on the UM dial plan, the users linked with the UM mailbox policy
still won't be able to receive faxes. Similarly, if the option to allow incoming faxes is disabled on an individual user,
that user won't be able to receive faxes.
For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to disable inbound faxing


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then click Edit.
2. On the UM dial plan page, under UM Mailbox Policies, select the mailbox policy you want to modify,
and then click Edit.
3. On the UM mailbox policy page > General, clear the check box next to Allow inbound faxes.
4. Click Save to save your changes.

Use Exchange Online PowerShell to disable inbound faxing


This example prevents users who are linked with the UM mailbox policy MyUMMailboxPolicy from using inbound
faxing.

Set-UMMailboxPolicy -identity MyUMMailboxPolicy -AllowFax $false

Enable a user to receive faxes
2/28/2019 • 2 minutes to read

You can enable a Unified Messaging (UM) user to receive faxes. By default, when you enable a user for Unified
Messaging, they will be able to receive faxes if you enable faxing and configure a fax partner's URI on the UM
mailbox policy that is linked to the user. Faxing can be enabled or disabled on UM dial plans, UM mailbox policies,
or the UM-enabled user's mailbox.
By default, the user's mailbox and the dial plan that is linked with the user allow incoming faxes. However, for a
user to receive faxes you must first enable inbound faxing on the UM mailbox policy that's associated with the
UM-enabled user and enter the fax partner's URI.

NOTE
You can use the EAC to configure fax settings on a UM mailbox policy. However, you must use Exchange Online PowerShell
to configure fax settings on dial plans or for individual users.

For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the UM mailbox policy assigned to the user has faxing
enabled and the fax partner's URI is properly configured.
Before you perform these procedures, confirm that the user is enabled for Unified Messaging. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to enable a UM user to receive faxes


This example enables Tony Smith to receive incoming faxes.

Set-UMMailbox -Identity tonysmith@contoso.com -FaxEnabled $true

Prevent a user from receiving faxes
2/28/2019 • 2 minutes to read

Prevent a Unified Messaging (UM) user from receiving faxes. Find out how to alter fax settings for new and
existing UM users.
By default, when you enable a user for Unified Messaging, they will be able to receive faxes if you enable faxing
and configure a fax partner's URI on the UM mailbox policy that is linked to the user. Faxing can be enabled or
disabled on UM dial plans, UM mailbox policies, or the UM-enabled user's mailbox.
By default, the user's mailbox and the dial plan that is linked with the user allow incoming faxes. However, for a
user to receive faxes you must first enable inbound faxing on the UM mailbox policy that's associated with the
UM-enabled user and enter the fax partner's URI.

NOTE
You can use the EAC to configure fax settings on a Unified Messaging mailbox policy. However, you must use Exchange
Online PowerShell to configure fax settings on dial plans or for individual users.

For more information about fax partners, see Microsoft PinPoint for Fax Partners.
For additional management tasks related to faxing, see Faxing procedures.

What do you need to know before you begin?


Estimated time to complete: 2 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user is enabled for Unified Messaging. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to prevent a UM-enabled user from receiving faxes
This example prevents a UM-enabled user named Tony from receiving fax messages in his mailbox.

Set-UMMailbox -Identity tony@contoso.com -FaxEnabled $false

Set Outlook Voice Access PIN security
2/28/2019 • 5 minutes to read

When Unified Messaging (UM) users connect to the voice mail system by telephone, they use Outlook Voice
Access to navigate the menu system. Before users can access the voice mail system, the system prompts them to
enter their PIN. As the administrator, you can configure PIN settings and requirements and perform PIN
management tasks. After a user has been enabled for voice mail and a PIN has been generated, the user's PIN is
stored encrypted in the user's mailbox.

NOTE
Outlook Voice Access users must use touchtone (also called dual tone multi-frequency (DTMF)) inputs to enter their PIN to
access their UM-enabled mailbox. Speech recognition isn't available for PIN entry.

PIN overview
A PIN is a numeric string that's used in certain systems so that a user can be authenticated and gain access to the
system. PINs are most frequently used for automatic teller machines (ATMs). They're also used instead of
alphanumeric passwords for voice mail systems. The strength of a PIN depends on its length, how well it's
protected, and how difficult it is to guess.
In Unified Messaging, Outlook Voice Access users enter their PIN on an analog, digital, or mobile telephone so that
they can access email, voice mail, contact, and calendaring information in their Exchange Server mailbox.
In UM, PIN policies are defined and configured on a UM mailbox policy. You can create multiple UM mailbox
policies depending on your requirements. When you enable a user for voice mail, you link the user to an existing
UM mailbox policy. The UM PIN policies that are configured on the UM mailbox policy should be based on the
security requirements of your organization.

PIN requirements
The following are several PIN configuration settings that you can set on a UM mailbox policy.
Minimum PIN length
The Minimum PIN length setting specifies the minimum number of digits that a mailbox PIN must contain. The
range is 4 through 24, and the default is 6. If you enter 0, users aren't required to enter a PIN.

IMPORTANT
Configuring this setting with zero isn't a recommended practice. If you configure the setting to zero, you greatly decrease the
level of security for your network.

If you change the minimum PIN length to a higher value, current Outlook Voice Access users will be prompted to
create a new PIN that contains the new minimum number of digits before they can continue.

NOTE
Increasing this number creates a more secure UM environment. However, setting it too high can result in users forgetting
their PIN.
Enforce PIN lifetime
The Enforce PIN lifetime setting controls the time interval, in days, from the date Outlook Voice Access users last
changed their PIN to the date they'll be forced to change their PIN again. The range is 0 through 999, and the
default is 60 days. If 0 is entered, the PIN won't expire.

NOTE
Unified Messaging won't notify users when their PIN is about to expire.

Number of sign-in failures before PIN reset


The Number of sign-in failures before PIN reset setting specifies the number of sequential unsuccessful
sign-in attempts before the mailbox PIN is automatically reset. To disable this feature, set this setting to unlimited.
Otherwise, it must be set to a number lower than the Number of sign-in failures before lockout setting. The
range is 1 through 998, and the default is 5.

NOTE
To increase security for UM-enabled users, enter a number that's less than 5.

Number of sign-in failures before lockout


The Number of sign-in failures before lockout setting specifies how many PIN entry errors in successive calls
Outlook Voice Access users can make before they're locked out of their mailbox. By default, after 5 attempts are
made, the PIN is automatically reset. The range is 1 through 999, and the default is 15.

NOTE
To increase security, decrease the number of failed attempts that are allowed. But remember that decreasing it to a number
much lower than the default may result in users being locked out unnecessarily. Unified Messaging will generate warning
events that can be viewed using Event Viewer if PIN authentication fails for a UM-enabled user or the user is unsuccessful in
trying to sign in to the system.

Allow common PIN patterns


The Allow common PIN patterns setting is used to either enable or disable the use of common number patterns
when creating a PIN. By default, this setting is disabled and won't allow Outlook Voice Access users to enter the
following number patterns:
Sequential numbers: PIN values that consist completely of consecutive numbers. Examples of sequential
numbers for a PIN are 1234 and 65432.
Repeated numbers: PIN values that consist of repeated numbers. Examples of repeated numbers are
11111 and 22222.
Suffix of mailbox extension: PIN values that consist of the suffix of a user's mailbox extension. If the
mailbox extension is 36697, the PIN can't be 6697.
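
The three patterns listed above can be screened before a PIN is handed to a user, for example when a help desk assigns one. The following is an added example, not code from the original documentation and not Exchange's own check: Test-CommonPinPattern is a hypothetical helper that implements only the three rules as this page words them (no wrap-around sequences such as 8901), and the sample PINs other than the page's own are constructed.

```powershell
# Added example: screen a candidate PIN against the three documented common patterns.
# Test-CommonPinPattern is a hypothetical helper, not an Exchange cmdlet.
function Test-CommonPinPattern {
    param(
        [Parameter(Mandatory)] [ValidatePattern('^\d+$')] [string] $Pin,
        [ValidatePattern('^\d*$')] [string] $MailboxExtension = ''
    )

    $reasons = [System.Collections.Generic.List[string]]::new()
    $digits  = @($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })

    if ($digits.Count -ge 2) {
        # Differences between neighbouring digits:
        #   1234 -> 1,1,1    65432 -> -1,-1,-1,-1    11111 -> 0,0,0,0
        $steps = @(for ($i = 1; $i -lt $digits.Count; $i++) { $digits[$i] - $digits[$i - 1] })
        $distinctSteps = @($steps | Sort-Object -Unique)

        # A single distinct step means the whole PIN follows one pattern.
        if ($distinctSteps.Count -eq 1) {
            $step = $distinctSteps[0]
            if ($step -eq 0) {
                $reasons.Add('repeated numbers')
            }
            elseif ($step -eq 1 -or $step -eq -1) {
                $reasons.Add('sequential numbers')
            }
        }
    }

    # The PIN must not be the trailing digits of the user's mailbox extension.
    if ($MailboxExtension -and
        $MailboxExtension.EndsWith($Pin, [System.StringComparison]::Ordinal)) {
        $reasons.Add('suffix of mailbox extension')
    }

    [pscustomobject]@{
        IsCommonPattern = ($reasons.Count -gt 0)
        Reasons         = ($reasons -join ', ')
    }
}

# Sample input: the page's own examples plus two constructed PINs (482915, 1357).
$samples = @(
    @{ Pin = '1234';   Extension = '36697' }
    @{ Pin = '65432';  Extension = '36697' }
    @{ Pin = '11111';  Extension = '36697' }
    @{ Pin = '6697';   Extension = '36697' }
    @{ Pin = '482915'; Extension = '36697' }
    @{ Pin = '1357';   Extension = '36697' }   # constant step of 2: not covered by the page's rules
)

$samples | ForEach-Object {
    $result = Test-CommonPinPattern -Pin $_.Pin -MailboxExtension $_.Extension
    [pscustomobject]@{
        Pin             = $_.Pin
        Extension       = $_.Extension
        IsCommonPattern = $result.IsCommonPattern
        Reasons         = $result.Reasons
    }
} | Format-Table -AutoSize
```
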
PIN recycle count
The PIN recycle count setting configures the number of different PINs a user must use before any PINs that
were previously used can be reused. The range is 1 through 20, and the default is 5.

Managing Outlook Voice Access PINs


When planning for Outlook Voice Access PINs, you must choose the appropriate levels of security for your
organization. You must carefully consider the Outlook Voice Access PIN requirements and how your PIN security
settings meet or exceed your organization's security policy.

IMPORTANT
It's a security best practice to implement strong PIN requirements for Outlook Voice Access users. This can be enforced by
creating UM mailbox policy PIN policies that require six or more digits for PINs, which increases the level of security for your
network.

After you set the Outlook Voice Access PIN requirements, you must create and configure a UM mailbox policy to
enforce your organizational PIN requirements. For details about how to create a UM mailbox policy, see Create a
UM mailbox policy. For details about how to manage UM mailbox policies, see Manage a UM mailbox policy.

NOTE
After you create the UM mailbox policy, you must link the UM-enabled user or users with the appropriate UM mailbox policy.
You can do this by using the Enable-UMMailbox cmdlet in Exchange Online PowerShell or by using the Exchange admin
center (EAC). For more information about the Exchange Online PowerShell cmdlet, see Enable-UMMailbox.

There are situations in which Outlook Voice Access users forget their PIN or are locked out of voice mail access to
their mailbox. In either case, it may be necessary for you to reset a UM-enabled user's PIN. For details, see Reset a
voice mail PIN.
You can retrieve PIN information for a user who is enabled for Unified Messaging. The information returned to you
is calculated by using the encrypted PIN data stored in the user's mailbox. This lets you view PIN information for
the user and also indicates whether the user has been locked out of their mailbox. For details, see Retrieve voice
mail PIN information.
PIN security procedures
2/28/2019 • 2 minutes to read

Set Outlook Voice Access PIN policies


Reset a voice mail PIN
Retrieve voice mail PIN information
Include text with the email message sent when a PIN is reset
Set the minimum PIN length for voice mail
Set the PIN lifetime for voice mail
Set the number of previous voice mail PINs to recycle
Disable common PIN patterns for voice mail
Enable common PIN patterns for voice mail
Set the number of sign-in failures before a voice mail PIN is reset
Set the number of sign-in failures before a voice mail user is locked out
Set Outlook Voice Access PIN policies
2/28/2019 • 2 minutes to read

You can set PIN policies on a Unified Messaging (UM) mailbox policy. UM mailbox policies can be configured to
increase the level of security for UM-enabled users that use Outlook Voice Access by requiring users to comply
with the predefined PIN policies for your organization.
To set PIN policies for Outlook Voice Access users, you can either create a new UM mailbox policy or modify an
existing UM mailbox policy. After a new UM mailbox policy is created, you can then configure the UM mailbox
policy by configuring the following PIN settings:
MinPasswordLength

PINLifetime

LogonFailuresBeforePINReset

MaxLogonAttempts

AllowCommonPatterns

PINHistoryCount

It's a security best practice to implement strong PIN requirements for UM users. This can be enforced by creating
UM PIN policies that require 6 or more digits for PINs and increase the level of security for your network.
When you change the PIN policy, the new PIN setting is applied to users who are currently associated with the UM
mailbox policy. For example, if you modify the UM mailbox policy and change the minimum PIN length from 7 to
10 digits, the next time users log on they'll be forced to change their PIN to comply with the changed PIN
requirement.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the EAC to set PIN policies for Outlook Voice Access users
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the UM dial plan you
want to edit, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit,
and then click Edit.
3. Click Properties.
4. On the UM mailbox policy page, click PIN policies.
5. On the PIN Policies page, configure the PIN settings for the Outlook Voice Access users associated with
this UM mailbox policy, and then click Save.

Use Exchange Online PowerShell to set PIN policies for Outlook Voice
Access users
This example sets the PIN settings for users associated with the UM mailbox policy MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 8 -MaxLogonAttempts 12 -MinPINLength 8 -PINHistoryCount 10 -PINLifetime 60 -ResetPINText "The PIN used to allow you access to your mailbox using Outlook Voice Access has been reset."

Reset a voice mail PIN
2/28/2019 • 3 minutes to read

When a Unified Messaging (UM)-enabled voice mail user is locked out of their mailbox using Outlook Voice
Access because they tried to sign in using an incorrect PIN multiple times or they forgot their PIN, you can use
one of the following procedures to reset the user's PIN. When you reset a user's Outlook Voice Access PIN, you
can configure UM to automatically generate a PIN or you can manually specify the PIN. The new PIN is sent to
the user in email. You can specify additional PIN options such as requiring the user to reset their PIN when they
first sign in. Users can also reset their UM PIN using Outlook or Outlook Web App.

NOTE
To access their UM-enabled mailboxes, Outlook Voice Access users need to use touchtone, also known as dual tone multi-
frequency (DTMF), inputs. Speech recognition isn't available for PIN input.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to reset a Unified Messaging PIN


1. In the EAC, navigate to Recipients. In the list view, select the user mailbox that you want to view.
2. In the details pane, under Phone and Voice Features, under Unified Messaging, click View details.
3. On the UM Mailbox page, under UM mailbox settings, click Reset PIN.
4. On the Reset UM Mailbox PIN page, use the following options to reset the UM-enabled user's PIN:
Automatically generate a PIN: Use this option to automatically generate the PIN that's used by the user
to gain access to their mailbox using Outlook Voice Access. By default, this setting is enabled.
The automatically generated PIN will be sent in an email message to the user's mailbox. After they receive
the PIN and sign in to their mailbox, they'll be prompted to change the PIN to a PIN that's more familiar to
them.
Outlook Web App and Microsoft Outlook also let the user reset their PIN. The PIN is automatically
generated based on the PIN policies that are configured on the UM mailbox policy that's associated with
the user's mailbox. We recommend that you automatically generate PINs for Outlook Voice Access users.
Type a PIN: Use this option to manually specify a PIN for an Outlook Voice Access user. By default, this
setting is disabled.
If you specify a PIN for a user, the PIN will be sent in an email message to the user's mailbox. After they
receive the PIN and sign in to their mailbox, they can change the PIN by configuring personal options in
Outlook Voice Access. However, in Outlook Web App and Microsoft Outlook, there is no option to
manually specify a PIN.
Require the user to reset their PIN the first time they sign in: Use this option to require the user to
reset their PIN when they first sign in to Outlook Voice Access. By default, this option is enabled.
If you select the option to automatically generate a PIN for a user, you can enable this option to require
users to change their PIN when they first sign in to Outlook Voice Access. This helps protect the user's PIN.
5. Click Save.

Use Exchange Online PowerShell to reset a Unified Messaging PIN


This example resets the voice mail PIN for Tony Smith to 1985848. However, this PIN must be changed when the
user first signs in to Outlook Voice Access.

Set-UMMailboxPIN -Identity tonysmith@contoso.com -PIN 1985848 -PinExpired $true


Retrieve voice mail PIN information
2/28/2019 • 2 minutes to read

You can retrieve PIN information for a user who is enabled for Unified Messaging (UM). After a user has been
enabled for UM and a PIN is generated or created, the PIN is encrypted and stored in the user's mailbox.
When you retrieve PIN information for a UM-enabled user, the information returned to you is calculated by using
the encrypted PIN data stored in the user's mailbox. This lets you view information from the user's mailbox and
also indicates whether the user has been locked out of the mailbox.
For additional tasks related to PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM dial plans" entry in the Unified Messaging Permissions topic.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailboxes" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
Before you perform these procedures, confirm that the user's mailbox has been UM-enabled. For detailed
steps, see Enable a user for voice mail.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to retrieve PIN information for a UM-enabled user


1. In the EAC, navigate to Recipients. In the list view, select the user mailbox that you want to view.
2. In the details pane, under Phone and Voice Features, click View details.
3. On the UM Mailbox page > UM mailbox settings, view the PIN status for the user. On this page, you
can also reset the voice mail PIN for the user.

Use Exchange Online PowerShell to retrieve PIN information for a UM-enabled user
This example displays the user ID, whether a PIN is expired, whether the UM mailbox is locked out, and whether
Tony is a first-time user.
Get-UMMailboxPIN -identity tony@contoso.com
Include text with the email message sent when a PIN is reset
2/28/2019 • 2 minutes to read

You can include additional text in the email message that's sent to users when their Unified Messaging (UM) or
voice mail PIN is reset. You do this by entering custom text in the When a user's Outlook Voice Access PIN is
reset box on a UM mailbox policy. The customized text can include, for example, security-related information for
UM-enabled users.
By default, a PIN used for Outlook Voice Access is reset by the Unified Messaging or voice mail system if the
number of failed sign-in attempts exceeds 5. Users can also reset their PINs using the UM features included with
Outlook Web App or Outlook 2010 or later, or by using Outlook Voice Access from a telephone.

NOTE
The text you enter in this box is limited to 512 characters, and can include simple HTML text.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to add text to the email message sent to users when their
PIN is reset
1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to change, and then click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then click Edit.
3. On the UM Mailbox Policy page > Message text, in the text box for When a user's Outlook Voice
Access PIN is reset, enter the text you want to include in the email message that's sent when a user's PIN
is reset.
4. Click Save.

Use Exchange Online PowerShell to add text to the email message sent
to users when their PIN is reset
This example includes the additional text, "Do not share your PIN with other users. Doing so may result in
disciplinary action", in the email message sent to users who are associated with the UM mailbox policy
MyUMMailboxPolicy when their PIN is reset.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -ResetPINText "Do not share your PIN with other users. Doing so may result in disciplinary action."

Set the minimum PIN length for voice mail
2/28/2019 • 2 minutes to read

You can configure the minimum PIN length for your Outlook Voice Access users who are enabled for Unified
Messaging (UM). The PIN settings that you configure on a UM mailbox policy will apply to all UM-enabled users
associated with the UM mailbox policy.
Outlook Voice Access is used by UM-enabled users to access their voice mail, email, calendar, and personal contact
information located in their mailbox. However, before they can access their mailbox, they must enter a PIN so they
can be authenticated by the voice mail system.

NOTE
If you change the minimum PIN length value, existing Outlook Voice Access users will be prompted to enter a new PIN that
contains the new minimum number of digits before they can continue. The default is 6.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the minimum PIN length for Outlook Voice
Access
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Minimum PIN length, enter a value between 4 and 24.
5. Click Save.
Use Exchange Online PowerShell to configure the minimum PIN length
for Outlook Voice Access
This example sets the minimum PIN length to 8 digits for Outlook Voice Access users who are associated with the
UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -MinPINLength 8

This example sets the minimum PIN length to 8 digits and sets the number of times a sign-in can fail before the
user's PIN is reset to 3. This applies to UM-enabled users who are associated with the UM mailbox policy named
MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 3 -MinPINLength 8


Set the PIN lifetime for voice mail
2/28/2019 • 2 minutes to read

You can configure the PIN lifetime for users who are enabled for Unified Messaging (UM). The PIN lifetime is the
maximum time that an Outlook Voice Access PIN will be valid for UM-enabled recipients. The PIN lifetime setting
is configured on a UM mailbox policy and applies to all UM-enabled users associated with the UM mailbox policy.
Several PIN-related settings can be configured on a UM mailbox policy. The PIN lifetime setting controls the time
interval, in days, from the date Outlook Voice Access users last changed their PIN to the date they'll be forced to
change their PIN again. The range is 0 through 999, and the default is 60 days. If you enter 0, the user's PIN won't
expire. We recommend that you don't configure this setting to 0, because by doing so you greatly reduce the
security of your network.

IMPORTANT
Unified Messaging doesn't notify users when their PIN is about to expire.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the PIN lifetime


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Enforce PIN lifetime (days), enter a value between 0 and 999.
5. Click Save.
Use Exchange Online PowerShell to configure the PIN lifetime
This example sets the number of days that a PIN can be used for Outlook Voice Access users who are associated
with a UM mailbox policy named MyUMMailboxPolicy to 30.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -PINLifetime 30

This example configures the following PIN-related settings for Outlook Voice Access users who are associated
with a UM mailbox policy named MyUMMailboxPolicy:
Sets the number of logon failures before the user's PIN is reset to 3.
Sets the maximum number of logon attempts to 5.
Sets the minimum PIN length to 9 digits.
Sets the PIN to expire in 40 days.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 5 -MinPINLength 9 -PINLifetime 40

Set the number of previous voice mail PINs to recycle
2/28/2019 • 2 minutes to read

When Outlook Voice Access users dial in to an Outlook Voice Access number, they're prompted to enter their PIN
so that the voice mail system can authenticate them. After they're authenticated, they can access the voice mail,
email, calendaring, and personal contact information in their mailbox from any telephone.
Several PIN-related settings can be configured on a Unified Messaging (UM) mailbox policy. The PIN recycle
count setting specifies the number of unique PINs users must use before they can reuse an old PIN. You can set
the value of this setting between 1 and 20. For most organizations, this value should be set to 5 PINs, which is the
default. Setting this value too high can frustrate users because it can be difficult for users to create and memorize
many PINs. Setting it too low may introduce a security threat to your network.

IMPORTANT
The PIN recycle count can't be disabled.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to change the PIN recycle count


1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to PIN recycle count, enter a value between 1 and 20.
5. Click Save.
Use Exchange Online PowerShell to change the PIN recycle count
This example sets the PIN recycle count on the UM mailbox policy MyUMMailboxPolicy to 10.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -PINHistoryCount 10


Disable common PIN patterns for voice mail
2/28/2019 • 2 minutes to read

You can enable or disable common Unified Messaging (UM) PIN patterns for Outlook Voice Access users. If you
enable or disable the common PIN patterns setting on a UM mailbox policy, the setting will apply to all
UM-enabled users associated with the UM mailbox policy. By default, UM-enabled users can't use common patterns
when they create a PIN.
You can configure several PIN-related settings on a UM mailbox policy. The Allow Common PIN Patterns
setting is used to allow or prevent the use of common number patterns when users create a PIN. By default, this
setting is disabled and prevents users from using the following number patterns:
Sequential numbers: These are PIN values that include only consecutive numbers. Examples of
consecutive numbers for a PIN are 1234 and 65432.
Repeated numbers: These are PIN values that include only repeated numbers. Examples of repeated
numbers are 11111 and 22222.
Suffix of mailbox extension: These are PIN values that include the suffix of a user's mailbox extension.
For example, if a user's mailbox extension is 36697, the user's PIN cannot be 3669712.

NOTE
If the Allow Common PIN Patterns setting is enabled, only the suffix of the mailbox extension will be rejected.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to disable common PIN patterns


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then on the toolbar, click Edit.
3. On the UM Mailbox Policy page, under PIN policies, clear the check box next to Allow common PIN
patterns.
4. Click Save.

Use Exchange Online PowerShell to disable common PIN patterns


This example prevents users associated with the UM mailbox policy named MyUMMailboxPolicy from using PINs
that contain common patterns.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowCommonPatterns $false
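
The three pattern rules described in this topic can be written out as a pre-check to run before a PIN is assigned manually. This is an added example, not Microsoft's code and not the validation Exchange itself performs; the function name Test-CommonPinPattern and the 4-digit minimum suffix length are assumptions, and the sample PINs are the ones quoted in these topics.

```powershell
# Added example. Approximates the documented common-pattern rules;
# it is not Exchange's validation code. The function name is hypothetical.
function Test-CommonPinPattern {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)][string]$Extension,
        # Mirrors the AllowCommonPatterns policy setting (default: not allowed).
        [bool]$AllowCommonPatterns = $false,
        # Assumption: shortest extension suffix that is treated as a match.
        [int]$MinSuffixLength = 4
    )

    if ($Pin -notmatch '^\d+$') {
        throw 'A PIN is entered as touchtone (DTMF) digits, so it must be numeric.'
    }

    $reasons = [System.Collections.Generic.List[string]]::new()

    if (-not $AllowCommonPatterns) {
        # Difference between each digit and the digit before it.
        $digits = @($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })
        $steps  = @(for ($i = 1; $i -lt $digits.Count; $i++) { $digits[$i] - $digits[$i - 1] })
        $unique = @($steps | Select-Object -Unique)

        # A single distinct step across the whole PIN means it is a pure run.
        if ($unique.Count -eq 1) {
            if     ($unique[0] -eq 0)  { $reasons.Add('repeated digits') }
            elseif ($unique[0] -eq 1)  { $reasons.Add('ascending sequence') }
            elseif ($unique[0] -eq -1) { $reasons.Add('descending sequence') }
        }
    }

    # The extension-suffix rule applies even when common patterns are allowed.
    for ($len = $Extension.Length; $len -ge $MinSuffixLength; $len--) {
        $suffix = $Extension.Substring($Extension.Length - $len)
        if ($Pin.Contains($suffix)) {
            $reasons.Add("contains extension suffix $suffix")
            break
        }
    }

    [pscustomobject]@{
        Pin      = $Pin
        Rejected = ($reasons.Count -gt 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Sample PINs taken from the examples in these topics; 36697 is the sample extension.
$samplePins = '1234', '65432', '11111', '6697', '3669712', '1985848'

# Default policy behaviour: common patterns are not allowed.
$samplePins |
    ForEach-Object { Test-CommonPinPattern -Pin $_ -Extension '36697' } |
    Format-Table -AutoSize

# With common patterns allowed, only the extension-suffix rule still rejects.
$samplePins |
    ForEach-Object { Test-CommonPinPattern -Pin $_ -Extension '36697' -AllowCommonPatterns $true } |
    Format-Table -AutoSize
```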


Enable common PIN patterns for voice mail
2/28/2019 • 2 minutes to read

You can enable or disable common Unified Messaging (UM) PIN patterns for Outlook Voice Access users. If you
enable or disable the common PIN patterns setting on a UM mailbox policy, the setting will apply to all
UM-enabled users associated with the UM mailbox policy. By default, UM-enabled users can't use common patterns
when they create a PIN.
You can configure several PIN-related settings on a UM mailbox policy. The Allow Common PIN Patterns
setting is used to allow or prevent the use of common number patterns when users create a PIN. By default, this
setting is disabled and prevents users from using the following number patterns:
Sequential numbers: These are PIN values that include only consecutive numbers. Examples of
consecutive numbers for a PIN are 1234 and 65432.
Repeated numbers: These are PIN values that include only repeated numbers. Examples of repeated
numbers are 11111 and 22222.
Suffix of mailbox extension: These are PIN values that include the suffix of a user's mailbox extension.
For example, if a user's mailbox extension is 36697, the user's PIN cannot be 3669712.

NOTE
If the Allow Common PIN Patterns setting is enabled, only the suffix of the mailbox extension will be rejected.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to enable common PIN patterns


1. In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the UM dial plan you
want to modify, and then on the toolbar, click Edit.
2. On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
manage, and then on the toolbar, click Edit.
3. On the UM Mailbox Policy page, under PIN policies, select the check box next to Allow common PIN
patterns.
4. Click Save.

Use Exchange Online PowerShell to enable common PIN patterns


This example allows users associated with the UM mailbox policy named MyUMMailboxPolicy to use PINs that
contain common patterns.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -AllowCommonPatterns $true


Set the number of sign-in failures before a voice mail
PIN is reset
2/28/2019 • 2 minutes to read

You can configure the number of sign-in failures allowed before the PIN is reset for an Outlook Voice Access user
to a value from 1 through 998. The default is 5. The number of sign-in failures allowed before a PIN is reset is
configured on a Unified Messaging (UM) mailbox policy and applies to all Outlook Voice Access users associated
with the UM mailbox policy.

NOTE
You can increase security by configuring the Number of sign-in failures before PIN reset setting to a number less than 5.
You decrease security if you configure it to a number more than 5.

For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use the EAC to configure the number of sign-in failures before a PIN is
reset
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Number of sign-in failures before PIN reset, enter a value between 0
and 999.
5. Click Save.
Use Exchange Online PowerShell to configure the number of sign-in
failures before a PIN is reset
This example sets the number of sign-in failures before the user's PIN is reset to 3 for UM-enabled users who are
associated with a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 3

This example sets the number of sign-in failures before the user's PIN is reset to 3, the maximum number of
sign-in attempts to 5, and the minimum PIN length to 9 for UM-enabled users who are associated with a UM mailbox
policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 5 -MinPINLength 9

Set the number of sign-in failures before a voice mail user is locked out
2/28/2019 • 2 minutes to read

You can configure the number of sign-in failures allowed before an Outlook Voice Access user is locked out of their
mailbox. The number of sign-in failures allowed before a voice mail user is locked out is configured on a Unified
Messaging (UM) mailbox policy, and applies to all UM-enabled users associated with the UM mailbox policy. By
default it is set to 15.
To increase security, decrease the maximum number of failed attempts. However, remember that if you decrease it
to a number much lower than the default, users may be locked out unnecessarily. Unified Messaging will generate
warning events you can view using Event Viewer if PIN authentication fails for UM-enabled users or if users are
unsuccessful when they try to sign in to the system. This setting must be larger than the setting for the number of
sign-in failures before the PIN is reset.
For additional tasks related to Outlook Voice Access PIN security, see PIN security procedures.

What do you need to know before you begin?


Estimated time to complete: Less than 1 minute.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM mailbox policies" entry in the Unified Messaging Permissions topic.
Before you perform these procedures, confirm that a UM dial plan has been created. For detailed steps, see
Create a UM dial plan.
Before you perform these procedures, confirm that a UM mailbox policy has been created. For detailed
steps, see Create a UM mailbox policy.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to configure the number of sign-in failures before a voice mail user is locked out
1. In the EAC, navigate to Unified Messaging > UM dial plans.
2. In the list view, select the UM dial plan you want to change, and then click Edit.
3. On the UM dial plan page, under UM Mailbox Policies, select the UM mailbox policy you want to
change, and then click Edit.
4. Click PIN policies, and next to Number of sign-in failures before lockout, enter a value between 1 and
999.
5. Click Save.
Use Exchange Online PowerShell to configure the number of sign-in failures before a voice mail user is locked out
This example sets the maximum number of sign-in attempts to 10 for UM-enabled users who are associated with a
UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -MaxLogonAttempts 10

This example sets the number of sign-in failures before the Outlook Voice Access user's PIN is reset to 3, the
maximum number of sign-in attempts to 5, and a minimum PIN length to 9 for UM-enabled users who are
associated with a UM mailbox policy named MyUMMailboxPolicy.

Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 5 -MinPINLength 9

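The rule stated in this topic (the lockout threshold must be larger than the PIN-reset threshold) can be checked across every UM mailbox policy at once. The following is an added example, not part of the original documentation: the function name Test-UMPinPolicy, the review thresholds, and the sample policy objects are assumptions made for illustration. In a live session, pipe the output of Get-UMMailboxPolicy into the function instead of the constructed samples.

```powershell
# Added example: audit the PIN-related settings of UM mailbox policies.
# Test-UMPinPolicy and its default thresholds are hypothetical, not product defaults
# (except 15, which this topic states is the default lockout value).
function Test-UMPinPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy,

        # Review thresholds (assumptions; set them to your own standard).
        [int]$MaxAllowedLogonAttempts = 15,
        [int]$MinRequiredPINLength    = 6
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Values can arrive as integers, as deserialized strings, or as 'Unlimited',
        # so normalize to text first and parse defensively.
        $resetRaw   = "$($Policy.LogonFailuresBeforePINReset)"
        $lockoutRaw = "$($Policy.MaxLogonAttempts)"
        $pinLenRaw  = "$($Policy.MinPINLength)"

        $reset = 0; $lockout = 0; $pinLen = 0
        $resetIsNumber   = [int]::TryParse($resetRaw,   [ref]$reset)
        $lockoutIsNumber = [int]::TryParse($lockoutRaw, [ref]$lockout)
        $pinLenIsNumber  = [int]::TryParse($pinLenRaw,  [ref]$pinLen)

        if (-not $lockoutIsNumber) {
            $findings.Add("MaxLogonAttempts is not numeric ('$lockoutRaw'); lockout cannot be evaluated")
        }
        elseif ($lockout -gt $MaxAllowedLogonAttempts) {
            $findings.Add("MaxLogonAttempts ($lockout) is above the review threshold ($MaxAllowedLogonAttempts)")
        }

        if (-not $resetIsNumber) {
            $findings.Add("LogonFailuresBeforePINReset is not numeric ('$resetRaw'); PIN reset on failures may be off")
        }
        elseif ($lockoutIsNumber -and $reset -ge $lockout) {
            # The documented constraint: lockout must be larger than PIN reset.
            $findings.Add("LogonFailuresBeforePINReset ($reset) is not smaller than MaxLogonAttempts ($lockout)")
        }

        if (-not $pinLenIsNumber) {
            $findings.Add("MinPINLength is not numeric ('$pinLenRaw')")
        }
        elseif ($pinLen -lt $MinRequiredPINLength) {
            $findings.Add("MinPINLength ($pinLen) is below the review threshold ($MinRequiredPINLength)")
        }

        [pscustomobject]@{
            Policy                      = $Policy.Name
            LogonFailuresBeforePINReset = $resetRaw
            MaxLogonAttempts            = $lockoutRaw
            MinPINLength                = $pinLenRaw
            Compliant                   = ($findings.Count -eq 0)
            Findings                    = ($findings -join '; ')
        }
    }
}

# Constructed sample objects so the example runs without a connection.
# Only MyUMMailboxPolicy and its values come from this topic; the others are invented.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'MyUMMailboxPolicy'; LogonFailuresBeforePINReset = 3
                       MaxLogonAttempts = 5;  MinPINLength = 9 }
    [pscustomobject]@{ Name = 'ExamplePolicyA';    LogonFailuresBeforePINReset = 10
                       MaxLogonAttempts = 10; MinPINLength = 4 }
    [pscustomobject]@{ Name = 'ExamplePolicyB';    LogonFailuresBeforePINReset = 'Unlimited'
                       MaxLogonAttempts = 50; MinPINLength = 6 }
)

$samplePolicies | Test-UMPinPolicy | Format-List

# Live use:
#   Get-UMMailboxPolicy | Test-UMPinPolicy | Where-Object { -not $_.Compliant }
```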
Run reports for voice mail calls
2/28/2019 • 2 minutes to read

Unified Messaging (UM) call reports provide information about the calls forwarded to or placed by UM. Use these
reports to monitor, troubleshoot, and report on UM for your organization. You can access Unified Messaging call
statistic reports by using the Call Statistics tool and access call logs for UM-enabled users by using the User Call
Logs tool.
The reports provide aggregated statistical information about calls for Exchange servers and calls for UM-enabled
users in your organization. These reports:
Give on-premises, hybrid, and online administrators the ability to gather statistics about the UM services
and UM-enabled users in their organizations.
Provide summaries from the data that's gathered. This data can be stored for 90 days and archived for up to
two years to meet retention requirements.
Verify the overall audio quality for incoming calls to Exchange servers that are deployed.
Easily verify the availability of the voice mail system and UM services in the organization for a given period
of time.
Plan for Unified Messaging capacity for an on-premises or hybrid organization.
Verify how UM services in an organization are used over a given period of time.
You can use the following topics to help you gather call statistics and reports and interpret those results to monitor
and troubleshoot UM services in your organization:
Review the voice mail calls in your organization: Use the UM Call Statistics report to monitor the availability
and audio quality of UM and to track usage for capacity planning.
Review the voice mail calls for a user: Use user call logs to see details about the calls for a user for the last 90
days.
Investigate the audio quality of voice calls in your organization: If your organization is experiencing problems
with the audio quality of UM calls, use the audio quality details from the UM Call Statistics report to help
you understand what's causing the problems.
Investigate the audio quality of voice calls for a user: If a user is experiencing problems with the audio quality
of UM calls, use the audio quality details from the user call logs to help you understand what's causing the
problems.
Interpret voice mail call records: Export more detailed data to diagnose problems with audio quality or
rejected calls, and to provide information for audits or reports about your UM service.
UM reports procedures
2/28/2019 • 2 minutes to read

Review the voice mail calls in your organization


Review the voice mail calls for a user
Investigate the audio quality of voice calls in your organization
Investigate the audio quality of voice calls for a user
Interpret voice mail call records
Review the voice mail calls in your organization
3/29/2019 • 3 minutes to read

You can use the Call Statistics report to view information about the type and status of incoming calls handled by
the Exchange servers in your organization. The report provides statistical information about the calls forwarded to
or placed by Unified Messaging (UM) for your organization. You can use this information to track usage for
capacity planning, monitor and troubleshoot the availability and audio quality of UM, and to troubleshoot failed
calls.
For additional tasks related to UM reporting, see UM reports procedures.

How to get call statistics for UM


1. In the Exchange admin center (EAC), click Unified messaging > More options > Call statistics.
2. Choose the information you want to include in the report. The report automatically updates as you select
any of the following options:
Show: Choose what type of call statistics to view:
Daily (90 days): Select Daily to see details for all calls in the past 90 days.
Monthly (12 months): Select Monthly to see a summary of calls by month for the last 12 months.
All: Select All to see the combined statistics for all calls received since UM started handling calls.
UM dial plan: If you want to limit the data in the report to only calls in a specific UM dial plan, select that
dial plan.
UM IP gateway: If you want to limit the data in the report to only calls in a specific UM IP gateway, select
that gateway. If you select a UM dial plan first, only the UM IP gateways associated with the selected UM
dial plan are available in the list.
3. To get more details about the audio quality for a row in the report, select the row and click Audio Quality
Details. For more information about how to interpret audio quality, see Investigate the audio quality of
voice calls in your organization.
4. To copy the report to the Clipboard, click Copy.
5. For Daily reports, you can export the details for a specific day to a .csv file.
6. Select the day and click Export day.
7. In the File Download confirmation box, click Open or Save.
The exported file will be named um_cdr_YYYY-MM-DD.csv, where YYYY-MM-DD is the year, month, and
day the report was run. For more information, see Interpret voice mail call records.

NOTE
On the report page, you can download a Microsoft Excel template that you can use to import the .csv file for a
specific day.

How to interpret UM call statistics


The UM Call Statistics report includes the following information:
DATE: The UTC date for the call data. The date format depends on the type of report you've chosen and
your locale settings. You can choose from the following options:
---: All calls are shown.
MMM/YY: The month of the calls. For example, Jan/13.
MM/DD/YY: The day of the calls. For example, 6/23/13.
TOTAL: The total number of calls for the selected UM dial plan or UM IP gateway for that date.
VOICE MESSAGE: The percentage of incoming calls answered by UM on behalf of users in which callers
left a voice message.
MISSED: The percentage of incoming calls answered by UM on behalf of users in which callers didn't leave
a voice message, resulting in a missed call notification.
OUTLOOK VOICE ACCESS: The percentage of incoming calls where users signed in to UM (and were
authenticated) to access their email messages, calendars, and voice messages.
OUTGOING: The percentage of calls that were placed or transferred by UM on behalf of authenticated or
unauthenticated users. This statistic includes Find Me, Play on Phone, and Play on Phone Greetings call
types.
AUTO ATTENDANT: The percentage of incoming calls that were answered by UM auto attendants.
FAX: The percentage of incoming calls that were redirected to a fax partner.
OTHER: The percentage of any other incoming or placed calls that do not fall in any of the above
categories. These calls include calls made to Outlook Voice Access numbers where the users didn't sign in
and weren't authenticated.
FAILED OR REJECTED: The percentage of calls that either failed or were rejected by UM. Note that failed
calls aren't counted twice. For example, if a call to Outlook Voice Access fails, it is only counted as a Failed
call, and not also as an Outlook Voice Access call.
AUDIO QUALITY: A graphical representation of the overall audio quality for the selected period of time
for the organization.

For more information


Investigate the audio quality of voice calls in your organization
Interpret voice mail call records
Review the voice mail calls for a user
2/28/2019 • 2 minutes to read

User call logs are used to view the following information about specific Unified Messaging (UM) users:
Details about the UM calls for a user over the last 90 days.
Audio quality of each call. Audio quality metrics might not be available for all calls, because the metrics
depend on several factors, such as the type and length of the call.
For additional tasks related to UM reporting, see UM reports procedures.

How do I get call logs for a UM-enabled user?


1. In the Exchange admin center (EAC), select Unified messaging > More options > User call logs.
2. Click Select a user, and then select the user you want data for.
3. To get more details about the audio quality for a row in the report, select the row and click Audio Quality
Details. For more information about how to interpret audio quality, see Investigate the audio quality of
voice calls for a user.
4. To copy the report to the Clipboard, click Copy all rows to the clipboard.

How do I interpret the UM user call log?


The user call log includes the following information for each call:
DATE AND TIME: The date and time of the call, in the time zone that the selected user has set in Microsoft
Outlook Web App.
DURATION: How long the call lasted in minutes (MM) and seconds (SS), in the following format: MM:SS.
CALL TYPE: The type of call:
Call Answering: The call wasn't answered and was forwarded to the Mailbox servers, and the caller
left a voice message.
Call Answering Missed Call: The call wasn't answered and was forwarded to the Mailbox servers,
and the caller didn't leave a voice message.
Subscriber Access: A call was made to the subscriber access number. The caller signed in and was
authenticated to UM with their extension and password to access email messages, calendars, and
voice messages over the phone.
Auto Attendant: The call was answered by a UM auto attendant. These calls are typically calls in
which the caller dialed your organization's main phone number.
Fax: A call was received in which a fax tone was detected. If you've configured fax partners, this call
was sent to the partner.
PlayonPhone: A call was placed by UM because the user clicked the Play on Phone button in a
voice message in Microsoft Outlook Web App or Outlook.
FindMe: An outbound call was placed by UM as a result of a Find Me rule in a call answering rule.
Unauthenticated Pilot Number: A call was placed to the Outlook Voice Access number. The caller
didn't sign in and wasn't authenticated.
Greetings Recording: A call was placed by UM to record personal greetings for a user.
None: A call was placed but the type wasn't defined.
CALLING NUMBER: The phone number or SIP address of the caller.
CALLED NUMBER: The phone number or SIP address (for users in SIP dial plans, such as Microsoft
Office Communications Server 2007 R2 or Microsoft Lync Server users) of the intended recipient of the
call.
UM IP GATEWAY: The UM IP gateway that took the call.
AUDIO QUALITY: The overall audio quality of the call. For more details about audio quality, select the row
and click Audio Quality Details.
Investigate the audio quality of voice calls in your
organization
2/28/2019 • 3 minutes to read

If your organization is experiencing problems with the audio quality of Unified Messaging (UM) calls and voice
mail messages, use the Call Statistics report to help you understand what's causing the problems.

NOTE
The audio quality of a call can be affected by factors that aren't covered in the reports. For example, if your Exchange servers
are experiencing a heavy memory load or CPU load, users may report poor call quality, even though the reports show
excellent audio quality.

For additional tasks related to call statistics, see UM reports procedures.

What do you need to know before you begin?


Estimated time to complete: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call data and summary report cmdlets" entry in the Unified Messaging
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the EAC to get audio quality statistics for your organization
1. In the EAC, navigate to Unified messaging > More options > Call statistics.
2. Choose the call statistics to include in the report. The report automatically updates as you select any of the
following options.
Show: Choose what type of call statistics to view:
Daily (90 days): Select Daily to see details for all calls in the past 90 days.
Monthly (12 months): Select Monthly to see a summary of calls by month for the last 12 months.
All: Select All to see the combined statistics for all calls received since UM started handling calls.
UM dial plan: If you want to limit the data in the report to only calls in a specific UM dial plan, select that
dial plan.
UM IP gateway: If you want to limit the data in the report to only calls in a specific UM IP gateway, select
that UM IP gateway. If you select a UM dial plan first, only the UM IP gateways associated with the selected
UM dial plan are available in the list.
3. To get more details about the audio quality for a row in the report, select the row and click Audio Quality
Details. The following information is available:
DATE AND TIME: The UTC date and time that the call statistics were captured.
UM DIAL PLAN: The dial plan for the calls included in the statistics.
UM IP GATEWAY: The UM IP gateway that took the calls included in the statistics.
NMOS: The Network Mean Opinion Score (NMOS) for the call. The NMOS indicates how good the audio
quality was on the call as a number on a scale from 1 to 5, with 5 being excellent.

NOTE
The maximum NMOS possible for a call is dependent on the audio codec being used. The NMOS may not be
available for very short calls that are less than 10 seconds long.

NMOS DEGRADATION: The amount of audio degradation of the NMOS from the top value possible for
the audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
JITTER: The average variation in the arrival of data packets for the call.
PACKET LOSS: The average percentage of data packet loss for the selected call. Packet loss is an indication
of the reliability of the connection.
ROUND TRIP: The average round trip score, in milliseconds, for audio on the selected call. The round-trip
score measures latency on the connection.
BURST LOSS DURATION: The average duration of packet loss during bursts of losses for the selected
call.
NUMBER OF SAMPLES: The number of calls that were sampled to calculate the averages.
4. For detailed audio quality metrics for specific calls, see Investigate the audio quality of voice calls for a user.
Investigate the audio quality of voice calls for a user
2/28/2019 • 2 minutes to read

If a user reports problems with the audio quality of their Unified Messaging (UM) calls, you can use the User Call
Logs report to help you understand what's causing the problems.

NOTE
The audio quality of a call can be affected by factors that aren't covered in the reports. For example, if your Exchange servers
are experiencing a heavy memory or CPU load, users may report poor call quality, even though the reports show excellent
audio quality.

For additional tasks related to UM reports, see UM reports procedures.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "UM call data and summary report cmdlets" entry in the Unified Messaging
Permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

Use the EAC to get call logs for a UM-enabled user


1. In the EAC, navigate to Unified Messaging > More options > User call logs.
2. Click Select a user, and then select the user you want data for.
3. To get more details about the audio quality for a row in the report, select the row and click Audio Quality
Details. The following information is available:
DATE AND TIME: The date and time of the call, in the time zone that the selected user has set in Outlook
Web App.
USER: The selected user.
UM DIAL PLAN: The dial plan for the call.
UM IP GATEWAY: The UM IP gateway that was used for the call.
AUDIO CODEC: The audio codec that was used during the call.
NMOS: The Network Mean Opinion Score (NMOS) for the call. The NMOS indicates how good the audio
quality was on the call as a number on a scale from 1 to 5, with 5 being excellent.
NOTE
The maximum NMOS possible for a call depends on the audio codec being used. The NMOS may not be available for
very short calls that are less than 10 seconds long.

NMOS DEGRADATION: The amount of audio degradation of the NMOS from the top value possible for
the audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
JITTER: The average variation in the arrival of data packets for the call.
PACKET LOSS: The average percentage of data packet loss for the selected call. Packet loss is an indication
of the reliability of the connection.
ROUND TRIP: The average round trip score, in milliseconds, for audio on the selected call. The round-trip
score measures latency on the connection.
BURST LOSS DURATION: The average duration of packet loss during bursts of losses for the selected
call.
Interpret voice mail call records
2/28/2019 • 7 minutes to read

To view detailed information about calls handled by the Exchange servers on a specific day, export the call data for
that day from the Call Statistics report. Daily call data, which is available for the past 90 days, can help you
diagnose problems with audio quality or rejected calls, and provide information for audits or reports on Exchange
servers in your organization.
For additional tasks related to UM reporting, see UM reports procedures.

Use the EAC to export daily UM call records


1. In the EAC, navigate to Unified messaging > More options > Call statistics.
2. Under Show, click Daily (90 days), and then choose the UM dial plan or UM IP gateway, or both, if you
want. The report automatically updates as you choose options.
3. Select the day for which you want to export call records, and then click Export day.
4. In the File Download confirmation box, click Open or Save.
The exported file will be named um_cdr_YYYY-MM-DD.csv, where YYYY-MM-DD is the year, month, and
day the report was run.

NOTE
On the report page, you can download a Microsoft Excel template that you can use to import the .csv file for a
specific day.

5. Use an application such as Excel to process the .csv file and build your own custom reports.

Interpret UM call data


The UM call data that you export includes the following detailed information about each call that UM handled on
that day.

NOTE
In the Call Statistics report, the days are in UTC time.

CallStartTime: The date and time that UM handled the call, in UTC. The UTC time and date is represented
in the following format: YYYY-MM-DD hh:mm:ssZ, where YYYY = year, MM = month, DD = day, hh =
hour, in 24-hour time, mm = minutes, ss = seconds. Z signifies Zulu, which is a way to denote UTC (like
+hh:mm or -hh:mm, which gives the time offset from UTC). Because all call times in this report are in UTC
time, this will always be Z.
For example, for a call placed on June 23, 2013 at 2:23pm, the call start time is shown as 2013-06-23
14:23:11Z.
Call Type: The type of call:
Call Answering Voice Message: The call wasn't answered and was forwarded to the Exchange
servers, and the caller left a voice message.
Call Answering Missed Call: The call wasn't answered and was forwarded to the Exchange
servers, and the caller didn't leave a voice message.
Subscriber Access: A call was made to the subscriber access number. The caller signed in and was
authenticated to UM with their extension and password to access email messages, calendars, and
voice messages over the phone.
Auto Attendant: The call was answered by a UM auto attendant. These calls are typically calls in
which the caller dialed your organization's main phone number.
Fax: A call was received in which a fax tone was detected. If you've configured fax partners, this call
was sent to the fax partner.
PlayOnPhone: A call was placed by UM because the user clicked the Play on Phone button in a
voice message in either Microsoft Outlook Web App or Outlook.
Find Me: An outbound call was placed by UM as a result of a Find Me rule in a call answering rule.
Unauthenticated Pilot Number: A call was placed to the Outlook Voice Access number. The caller
didn't sign in and wasn't authenticated.
Greetings Recording: A call was placed by UM to record personal greetings for a user.
None: A call was placed but the type wasn't defined.
CallIdentity: The SIP call identity, as provided by the UM IP gateway.
ParentCallIdentity: The SIP Session Identity of the session that originated this call. This box is used when
using the Call Answering Rules Find Me feature or call transfer calls, including call transfers between UM
auto attendants.
UMServerName: The name of the Mailbox server handling the call, if any. This information is provided
only when you have an on-premises Mailbox server.
DialPlanName: The UM dial plan that handled the call.
Call Duration: The total duration of the call.
IPGatewayAddress: The fully qualified domain name (FQDN) of the IP gateway that handled the call.
CalledPhoneNumber: The phone number or SIP address of the intended recipient of the call (for users in
SIP dial plans with Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server).
CallerPhoneNumber: The phone number or SIP address of the caller.
OfferResult: The status of the call:
Answer: UM successfully answered or placed a call. The call was neither transferred nor redirected.
These calls include completed calls to Outlook Voice Access, Play on Phone, or UM auto attendants,
and calls that UM handled when the called extension didn't answer the phone.
Failed: UM accepted or placed a call, but the call failed. These calls include calls where the called
number or address is busy, doesn't answer, or doesn't exist; where the caller hung up before the call
was connected; where the UM dial plan or UM mailbox policy settings prevented the call; or where
the VoIP gateway or IP PBX on your telephone system couldn't be reached.
Rejected: UM rejected the call, usually because of a configuration error. These calls include calls
where the UM IP gateway isn't associated with a UM dial plan, or where there are incompatibility
issues.
Redirected: UM accepted the call, but redirected it to another Mailbox server. These calls include
calls where the caller used the UM menu to call a contact in the directory or personal contacts, or
where the caller called an Outlook Voice Access number using a phone number that isn't associated
with the user's mailbox. In these cases, UM transfers the call to the Exchange server that's associated
with that user's account.
None: The call status is unknown.
DropCallReason: The reason the call was disconnected, if UM was able to determine the reason. For
example, if the caller hung up, this shows Graceful Hangup.
ReasonForCall: How the call was connected:
Direct: The caller dialed the called number directly.
DivertForward: The caller dialed a number, and the person being called redirected the call to UM
voice mail.
DivertBusy: The caller dialed a number, and the phone was busy, so the call was redirected to UM
voice mail.
DivertNoAnswer: The caller dialed a number, and the person didn't answer, so the call was
redirected to UM voice mail.
Outbound: The call was placed by UM, for example, to play a voice message using Play on Phone.
None: No reason was reported for the call.
DialedString: The address or phone number of the person to whom this call was either referred or
transferred. This value also refers to the address or phone number called for Play on Phone calls.
CallerMailboxAlias: The mailbox alias (the portion of the email address that precedes the @ symbol) of
the caller. This value is only available if the caller signed in to Outlook Voice Access.
CallerMailboxAlias: The mailbox alias of the intended recipient of the call, if the intended recipient is a
UM-enabled user.
Auto Attendant Name: The name of the auto attendant related to this call.
NMOS Score: The Network Mean Opinion Score (NMOS) for the call. The NMOS indicates how good the
audio quality was on the call as a number on a scale from 1 to 5, with 5 being excellent.

NOTE
The maximum NMOS possible for a call depends on the audio codec being used. The NMOS may not be
available for very short calls that are less than 10 seconds long.

NMOSDegradation: The amount of audio degradation of the NMOS from the top value possible for the
audio codec being used. For example, if the NMOS degradation value for a call was 1.2 and the NMOS
reported for the call was 3.3, the maximum NMOS for that particular call would be 4.5 (1.2 + 3.3).
NMOSDegradation Jitter: The total NMOS degradation due to jitter.
NMOSDegradation PacketLoss: The total NMOS degradation because of packet loss.
Jitter: The average variation in the arrival of data packets for the call.
PacketLoss: The average percentage of data packet loss for the selected call. Packet loss is an indication of
the reliability of the connection.
Round Trip: The average round trip, in milliseconds, for audio on the selected call. The round-trip score
measures latency on the connection.
BurstDensity: The percentage of packets lost and discarded within a burst (high loss rate) period.
Burst Gap duration: The average duration of packet loss during bursts of losses for the selected call.
Audio Codec: The audio codec used during the call.
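One way to use the exported call records in a sign-in review is to count, per caller, the calls that reached the Outlook Voice Access number without authenticating (call type Unauthenticated Pilot Number). This is an added example, not part of the original documentation: the function name, the threshold, the CSV header names (CallStartTime, CallType, CallerPhoneNumber, CalledPhoneNumber, OfferResult) and the sample rows are assumptions, so check the header row of your own um_cdr file and pass the matching column names.

```powershell
# Added example: summarize unauthenticated Outlook Voice Access calls per caller
# from an exported daily call-record file. Get-UMUnauthenticatedCallSummary is a
# hypothetical helper; the default column names are assumptions about the CSV header.
function Get-UMUnauthenticatedCallSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$Record,

        # Report callers with at least this many unauthenticated calls (assumed value).
        [int]$Threshold = 3,

        [string]$TimeColumn   = 'CallStartTime',
        [string]$TypeColumn   = 'CallType',
        [string]$CallerColumn = 'CallerPhoneNumber'
    )

    $inv    = [System.Globalization.CultureInfo]::InvariantCulture
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'

    # Compare the call type with whitespace removed, so both
    # 'Unauthenticated Pilot Number' and 'UnauthenticatedPilotNumber' match.
    $unauthenticated = $Record | Where-Object {
        ("$($_.$TypeColumn)" -replace '\s', '') -eq 'UnauthenticatedPilotNumber'
    }

    $unauthenticated |
        Group-Object -Property $CallerColumn |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            # CallStartTime is documented as 'YYYY-MM-DD hh:mm:ssZ' in UTC, which is
            # the .NET universal sortable ('u') format.
            $times = @(
                $_.Group | ForEach-Object {
                    [datetime]::ParseExact($_.$TimeColumn, 'u', $inv, $styles)
                } | Sort-Object
            )
            [pscustomobject]@{
                Caller       = $_.Name
                Calls        = $_.Count
                FirstCallUtc = $times[0]
                LastCallUtc  = $times[-1]
                SpanMinutes  = [math]::Round(($times[-1] - $times[0]).TotalMinutes, 1)
            }
        } |
        Sort-Object -Property Calls -Descending
}

# Constructed sample rows (not real call data) so the example runs offline.
$sampleCsv = @'
CallStartTime,CallType,CallerPhoneNumber,CalledPhoneNumber,OfferResult
2013-06-23 14:23:11Z,Unauthenticated Pilot Number,5550100,5550199,Answer
2013-06-23 14:24:02Z,Unauthenticated Pilot Number,5550100,5550199,Answer
2013-06-23 14:25:40Z,Unauthenticated Pilot Number,5550100,5550199,Answer
2013-06-23 14:27:05Z,Unauthenticated Pilot Number,5550100,5550199,Answer
2013-06-23 15:02:30Z,Subscriber Access,5550123,5550199,Answer
2013-06-23 15:10:00Z,Unauthenticated Pilot Number,5550142,5550199,Answer
2013-06-23 16:45:12Z,Call Answering Missed Call,5550177,5550150,Answer
'@

$records = $sampleCsv | ConvertFrom-Csv
Get-UMUnauthenticatedCallSummary -Record $records -Threshold 3 | Format-Table -AutoSize

# With an exported file:
#   $records = Import-Csv -Path .\um_cdr_YYYY-MM-DD.csv
#   Get-UMUnauthenticatedCallSummary -Record $records
```

A caller that appears here has placed repeated calls to the Outlook Voice Access number without signing in; compare the count with the lockout and PIN-reset thresholds configured on the UM mailbox policy.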
UM and voice mail terminology
3/6/2019 • 11 minutes to read

This topic contains the terms and definitions that are used with Unified Messaging.
audio codec

A digital encoding of an analog voice signal. Most audio codecs provide compression of the data, at the cost of
some loss of fidelity when the data is recovered. Audio codecs vary in their perceived sound quality, the
bandwidth that is required to use them, and the system requirements that are needed to do the encoding.

audio notes

Text-based notes that can be added to a voice mail message that has been received in Outlook or Outlook Web
App.

auto attendant

A software system that answers calls, plays prompts or instructions, and then collects input from the caller as
touchtones or speech. Auto attendants can direct a call to telephone numbers or named users or to entities (for
example, departments) that the caller specifies, without intervention from a human operator.

Automatic Speech Recognition (ASR)

A technology that enables a computer to match human speech to a predefined set of words or phrases.

call answering

The process by which a caller interacts with a voice mail system if the number they originally called isn't
answered. Typically, the system will play a greeting or other prompt, and allow the caller to record a voice
message.

Call Answering Rules

A form of call answering in which the user for whom the call is being answered can specify rules to determine
the behavior callers experience. The user can specify conditions to be evaluated, greetings, and choices to be
provided to the caller, and actions (for example, transfer or leave a message) to be taken as a result of the
caller's choice.

circuit-switched network

A network in which there exists a dedicated connection. A dedicated connection is a circuit or channel set up
between two nodes so that they can communicate.

conditional call forwarding

A set of conditions that are chosen by a user to be used when they receive an incoming call. The call is
redirected based on the conditions that are set.
Dial by Name

A feature that enables a caller to spell a person's name using the keys on a telephone (ABC=2, DEF=3, etc.).

dial plan

For Unified Messaging, this is a set of telephony-capable endpoints that share a common numbering plan. The
details of the plan are determined by the telephone system to which UM is connected. In the simplest case, this
can be a private branch exchange (PBX) with its extensions, each with a unique, fixed-length number.

dialing rule group

Dialing rule groups are created to enable telephone numbers to be modified before they're sent to a traditional
or SIP-enabled PBX or IP PBX for outgoing calls. Dialing rule groups may remove digits from or add digits to
telephone numbers that are being used to place calls by a Unified Messaging server. Each dialing rule group
contains dialing rule entries that determine the types of in-country/region and international calls that users
within a dialing rule group can make. Each dialing rule group must contain at least one dialing rule entry.

fax partner

UM fax partners provide applications or services that can accept calls handed off by UM when a fax tone is
detected. The partner's product or service then receives the fax data, creates a message, and delivers it to the
UM-enabled user as an email message with a .tif attachment. These messages will appear in the Fax search
folder in Outlook and Outlook Web App.

hunt group

A set of extensions that are organized into a group, over which a traditional or SIP-enabled PBX or IP PBX
"hunts" to find an available extension. A hunt group is used to direct calls to identically capable endpoints or to
an application, such as voice mail.

in-country/region number format

The in-country/region number format specifies how a user's telephone number should be dialed by Unified
Messaging from one dial plan to a different dial plan that has the same country code. This is used by an auto
attendant and when an Outlook Voice Access user searches and tries to call the user in the directory. This entry
consists of a number prefix and a variable number of characters (for example, 020xxxxxxx).

informational announcement

An audio message that is played when a caller first dials in to a voice mail system, which may describe some
item of interest.

international access code

The prefix that is used to direct a call internationally. The international access code is 011 in the United States
and 00 in much of the rest of the world.

international number format

The string of digits that is used to define how to dial someone from outside a specific country.

Internet Protocol Private Branch eXchange (IP PBX)

A telephone switch that natively supports voice over IP (VoIP). An IP PBX uses VoIP-based protocols to
communicate with IP-based hosts such as VoIP telephones over a packet-switched network. Some IP PBXs can
also support the use of traditional analog and digital phones.

matched name selection method

The mechanism used to help a caller differentiate between users with names that match the touchtone or
speech input.

message waiting indicator

A signal that indicates the presence of one or more unread voice messages. For voice mail systems, this is often
a lamp on the phone or a stutter dial tone.

Microsoft Exchange Unified Messaging Call Router service

A service that directs incoming calls for UM-enabled users to the Microsoft Exchange Unified Messaging
service.

Microsoft Exchange Unified Messaging service

A service that implements Unified Messaging capabilities for UM-enabled users.

missed call notification

An email message that is sent to a UM-enabled user that indicates that someone called but did not leave a
voice message.

national number prefix

A prefix that is used to direct a call as an in-country call. In the United States, this prefix is 1. In the United
Kingdom and most of the rest of the world, this prefix is 0.

number mask

A set of numbers and wildcard characters that is used to determine the telephone number that the Mailbox
server will dial. An "X" represents a single digit (0 to 9). An asterisk (*) represents any number of such digits.

numeric extension

A string of digits that doesn't contain a "+" or a country/region code. In dial plans, extensions are required to
have a specified length.

outdialing

A process in which Unified Messaging (UM) dials or transfers calls. UM generally receives calls, but sometimes
dials calls. For example, outdialing occurs when a UM auto attendant transfers a call to a user's extension, or
when a UM-enabled user uses Play on Phone from Outlook.

Outlook Voice Access


A series of voice prompts that allows authenticated callers to access their email, voice mail, calendar, and
contact information using a standard analog, digital, or mobile telephone. Outlook Voice Access also enables
authenticated callers to navigate their personal information in their mailbox, place calls, locate users, and
navigate the system prompts and menus using DTMF, also known as touchtone, or voice inputs.

outside line access code

The prefix that is used by UM (or a person using an internal extension on the PBX or IP PBX) to access an
outside line. This prefix is typically 9.

packet switching

A technique that divides a data message into smaller units called packets. Packets are sent to their destination
by the best route available, and then they are reassembled at the receiving end.

pilot identifier

A telephone number that points to a hunt group and is the access number for calls that are routed to Unified
Messaging. This is also sometimes called a pilot number.

PIN

A passcode that a user enters on the telephone to access their mailbox.

Play on Phone

A Unified Messaging feature that users can use to play their voice messages or play and record personalized
voice mail greetings over a telephone.

Private Branch eXchange (PBX)

A private telephone network in an organization. Individual telephone numbers or extension numbers are
supported, and calls are automatically routed to them. Users can call each other using extensions, even across
distributed locations.

prompt

An audio message played over the telephone to explain valid options to users.

Protected Voice Mail

A UM feature that uses information rights management to encrypt the contents of voice messages and specify
the operations permitted on them. Protection can be caused by caller action (marking the message as private),
or by system policy.

public switched telephone network (PSTN)

PSTN is a grouping of the world's public circuit-switched telephone networks. This grouping resembles the
way that the internet is a grouping of the world's public IP-based packet-switched networks.

reset

When a PIN or a password is reset, the system randomly chooses a new, temporary PIN or password. The user
is required to change the temporary PIN the next time that they sign in to Outlook Voice Access.

reverse number lookup (RNL)

A method used to try to locate the name of a person, from a directory or other information store, based on a
telephone number.

RTAudio codec

An advanced speech codec that is designed for real-time two-way VoIP applications such as gaming, audio
conferencing, and wireless applications over IP. RTAudio is the preferred Microsoft audio codec and is the
default codec for Microsoft Lync Server platforms.

SIP-enabled PBX

A SIP-enabled PBX is a telephony device that acts as a networking switch for switching calls in a telephony or
circuit-switched network. However, the difference between a SIP-enabled PBX and a traditional PBX is that the
SIP-enabled PBX can connect to the internet and use the SIP protocol to make calls over the internet.

SIP notification

A SIP notification is a SIP message sent from one SIP peer to another to advise it of a change.

SIP peer

A SIP-enabled device that provides telephony communications between a VoIP gateway, IP PBX, SIP-enabled
PBX, Microsoft Lync servers, or VoIP phones and Unified Messaging services.

star out

An action a caller can perform when they are dialed in to a Unified Messaging auto attendant but they want to
be able to get to Outlook Voice Access to get their email and voice mail. To do this, they press the star (*) key
while the auto attendant prompts are being played.

subscriber access number (Outlook Voice Access number)

A number that is configured in a traditional or SIP-enabled PBX or IP PBX and on a UM dial plan that allows
users to access their mailbox using Outlook Voice Access. In some cases, this may be configured to be the same
number as the subscriber access number or pilot number (also called a pilot identifier) on the traditional or
SIP-enabled PBX or IP PBX and the UM hunt group.

system prompt

A short audio recording for Unified Messaging, which is played to callers by the server. System prompts are
used to welcome callers and to inform them of their options when they use the voice mail system.

telephone user interface (TUI)

An interface that is used to navigate the menus of a voice mail system using DTMF, also known as touchtone,
inputs.

Text-to-Speech (TTS)

Technologies for translating or converting typewritten text into speech.

UM IP gateway

(See IP gateway.) A UM IP gateway is the Exchange Unified Messaging representation of any SIP peer with
which it can communicate using VoIP protocols. It may represent a device that interfaces with a traditional or
SIP-enabled PBX, an IP PBX, or Microsoft Lync Server.

UM worker process

A process that's created during the startup of the Microsoft Exchange Unified Messaging service. The UM
service, on receiving a request to handle an incoming call, immediately redirects the request to a UM worker
process, which carries out all subsequent interactions with the caller.

UM Worker Process Manager

A component that handles the creation and monitoring of all the UM worker processes that are created.

Unified Messaging

An application that consolidates a user's voice mail and email into one mailbox, so that the user only needs to
check a single location for messages, regardless of type. The email server is used as the platform for all types of
messages, making it unnecessary to maintain separate voice mail and email infrastructures.

voice mail

A system that records and stores telephone messages in a user mailbox.

Voice Mail Preview

A feature that provides text, transcribed from the audio recording, on a voice message when it is delivered.

voice message

An electronic message with a primary content of digitized audio.

Voice over IP (VoIP)

The practice of using an IP data network to transmit voice calls.

voice user interface (VUI)

An interface that is used to navigate the menus of a voice mail system using speech inputs.

VoIP gateway

1. A third-party hardware device or product that connects a legacy PBX to a LAN. A VoIP gateway translates
or converts TDM or telephony circuit-switched protocols to packet-switched protocols that can be used on a
VoIP-based network.
2. The Exchange Unified Messaging representation of any SIP peer with which it can communicate using VoIP
protocols. It may represent a device that interfaces with a legacy PBX, an IP PBX, or Microsoft Lync Server.

welcome greeting

A greeting that is played when an external caller calls in to a UM auto attendant or when an Outlook Voice
Access user or another caller calls a subscriber access number that is configured on a UM dial plan. The default
welcome greetings can be changed by a customer to make them specific to an organization or location.

Clients and mobile in Exchange Online
3/4/2019

Many different clients can be used to access information in an Exchange Online mailbox. These clients include
desktop programs such as Microsoft Outlook, Outlook on the web (formerly known as Outlook Web App), and
mobile clients such as phones, tablets, and other mobile devices. Each of these clients offers a variety of features.
The following table contains links to topics that will help you learn about and manage some of the clients and client
access methods that can be used to access an Office 365 mailbox.

| TOPIC | DESCRIPTION |
| --- | --- |
| Exchange ActiveSync in Exchange Online | Learn about Exchange ActiveSync, the protocol that provides connectivity to a wide variety of mobile phones and tablets. Using Exchange ActiveSync, users can access email, calendar, contact, and task information. |
| Mobile device mailbox policies in Exchange Online | |
| POP3 and IMAP4 | Learn about how you can use the POP3 and IMAP4 protocols to provide users access to a number of the features in their Office 365 mailbox. These client protocols can be used on desktop email applications and on many mobile phones and devices. |
| Outlook for iOS and Android in Exchange Online | |
| Outlook on the web in Exchange Online | Learn about Outlook on the web, which provides users access to their Exchange Online mailbox through a web browser. |
| Mobile access in Exchange Online | |
| MailTips in Exchange Online | Learn about MailTips, the informative messages displayed to users while they're composing a message. |
| Add-ins for Outlook in Exchange Online | |
| Remote Connectivity Analyzer tests for Exchange Online | |
| Client Access Rules in Exchange Online | Learn how to use Client Access Rules to control connections to Exchange Online. |
| Disable Basic authentication in Exchange Online | Learn how to disable Basic auth connections to your Exchange Online mailboxes. |
| Enable or disable modern authentication in Exchange Online | Learn how to require Modern auth connections to your Exchange Online mailboxes. |

Exchange ActiveSync in Exchange Online
3/4/2019

Exchange ActiveSync is a client protocol that lets you synchronize a mobile device with your mailbox.

Overview of Exchange ActiveSync


Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with
high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an
organization's information on a server that's running Microsoft Exchange. Exchange ActiveSync enables mobile
phone users to access their email, calendar, contacts, and tasks, and to continue to access this information while
they're working offline.

Features in Exchange ActiveSync


Exchange ActiveSync provides the following:
Support for HTML messages
Support for follow-up flags
Conversation grouping of email messages
Ability to synchronize or not synchronize an entire conversation
Support for viewing message reply status
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
PIN reset
Enhanced device security through password policies
Autodiscover for over-the-air provisioning
Support for setting automatic replies when users are away, on vacation, or out of the office
Support for task synchronization
Direct Push
Support for availability information for contacts

Managing Exchange ActiveSync


By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can synchronize their mobile
device with the Microsoft Exchange server.
You can perform the following Exchange ActiveSync tasks:
Enable and disable Exchange ActiveSync for users
Set policies such as minimum password length, device locking, and maximum failed password attempts
Initiate a remote wipe to clear all data from a lost or stolen mobile phone
Run a variety of reports for viewing or exporting into a variety of formats
Control which types of mobile devices can synchronize with your organization through device access rules

Managing mobile device access in Exchange ActiveSync

You can control which mobile devices can synchronize. You do this by monitoring new mobile devices as they
connect to your organization or by setting up rules that determine which types of mobile devices are allowed to
connect. Regardless of the method you choose to specify which mobile devices can synchronize, you can approve
or deny access for any specific mobile device for a specific user at any time.

Device security features in Exchange ActiveSync

In addition to the ability to configure security options for communications between the Exchange server and your
mobile devices, Exchange ActiveSync offers the following features to enhance the security of mobile devices:

Remote wipe: If a mobile device is lost, stolen, or otherwise compromised, you can issue a remote wipe
command from the Exchange Server computer or from any Web browser by using Outlook Web App. This
command erases all data from the mobile device.

Device password policies: Exchange ActiveSync lets you configure several options for device passwords.
These options include the following:

    Minimum password length (characters): This option specifies the length of the password for the
    mobile device. The default length is 4 characters, but as many as 18 can be included.

    Minimum number of character sets: Use this text box to specify the complexity of the
    alphanumeric password and force users to use a number of different sets of characters from among
    the following: lowercase letters, uppercase letters, symbols, and numbers.

    Require alphanumeric password: This option determines password strength. You can enforce the
    usage of a character or symbol in the password in addition to numbers.

    Inactivity time (seconds): This option determines how long the mobile device must be inactive
    before the user is prompted for a password to unlock the mobile device.

    Enforce password history: Select this check box to force the mobile phone to prevent the user from
    reusing their previous passwords. The number that you set determines the number of past passwords
    that the user won't be allowed to reuse.

    Enable password recovery: Select this check box to enable password recovery for the mobile
    device. Users can use Outlook Web App to look up their recovery password and unlock their mobile
    device. Administrators can use the Exchange admin center to look up a user's recovery password.

    Wipe device after failed (attempts): This option lets you specify whether you want the phone's
    memory to be wiped after multiple failed password attempts.

Device encryption policies: There are a number of mobile device encryption policies that you can enforce
for a group of users. These policies include the following:

    Require encryption on device: Select this check box to require encryption on the mobile device.
    This increases security by encrypting all information on the mobile device.

    Require encryption on storage cards: Select this check box to require encryption on the mobile
    device's removable storage card. This increases security by encrypting all information on the storage
    cards for the mobile device.

IMPORTANT
Although the Exchange ActiveSync protocol provides support for the different features listed above, it is up to the mobile
device operating system and manufacturers (OEMs) to build support for these features in their mobile operating system and
email apps (default or third party). Not all EAS features listed above are supported by 3rd party mobile devices like iOS,
Android, etc. Microsoft has no control over which EAS features are supported by these 3rd party mobile device
manufacturers. Contact the manufacturers directly for help with EAS features on 3rd party mobile devices.

Mobile device mailbox policies in Exchange Online
3/4/2019

In Office 365, you can create mobile device mailbox policies to apply a common set of policies or security settings
to a collection of users. A default mobile device mailbox policy is created in every Office 365 organization.

Overview of mobile device mailbox policies


You can use mobile device mailbox policies to manage many different settings. These include the following:
Require a password
Specify the minimum password length
Allow a numeric PIN or require special characters in the password
Designate how long a device can be inactive before requiring the user to re-enter a password
Wipe a device after a specific number of failed password attempts

Managing Exchange ActiveSync mailbox policies


Mobile device mailbox policies can be created in the Exchange admin center (EAC) or Exchange Online
PowerShell. If you create a policy in the EAC, you can configure only a subset of the available settings. You can
configure the rest of the settings using Exchange Online PowerShell.

Mobile device mailbox policy settings


The following table summarizes the settings you can specify using mobile device mailbox policies.
Mobile device mailbox policy settings

| SETTING | DESCRIPTION |
| --- | --- |
| Allow Bluetooth | This setting specifies whether a mobile device allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. The default value is Allow. |
| Allow Browser | This setting specifies whether Pocket Internet Explorer is allowed on the mobile device. This setting doesn't affect third-party browsers installed on the mobile device. The default value is $true. |
| Allow Camera | This setting specifies whether the mobile device camera can be used. The default value is $true. |
| Allow Consumer EMail | This setting specifies whether the mobile device user can configure a personal email account (either POP3 or IMAP4) on the mobile device. The default value is $true. This setting doesn't control access to email accounts that are using third-party mobile device email programs. |
| Allow Desktop Sync | This setting specifies whether the mobile device can synchronize with a computer through a cable, Bluetooth, or IrDA connection. The default value is $true. |
| Allow External Device Management | This setting specifies whether an external device management program is allowed to manage the mobile device. |
| Allow HTML Email | This setting specifies whether email synchronized to the mobile device can be in HTML format. If this setting is set to $false, all email is converted to plain text. |
| Allow Internet Sharing | This setting specifies whether the mobile device can be used as a modem for a desktop or a portable computer. The default value is $true. |
| AllowIrDA | This setting specifies whether infrared connections are allowed to and from the mobile device. |
| Allow Mobile OTA Update | This setting specifies whether the mobile device mailbox policy settings can be sent to the mobile device over a cellular data connection. The default value is true. |
| Allow non-provisionable devices | This setting specifies whether mobile devices that may not support application of all policy settings are allowed to connect to Office 365 by using Exchange ActiveSync. Allowing non-provisionable mobile devices has security implications. For example, some non-provisionable devices may not be able to implement an organization's password requirements. |
| Allow POPIMAPEmail | This setting specifies whether the user can configure a POP3 or an IMAP4 email account on the mobile device. The default value is $true. This setting doesn't control access by third-party email programs. |
| Allow Remote Desktop | This setting specifies whether the mobile device can initiate a remote desktop connection. The default value is $true. |
| Allow simple password | This setting enables or disables the ability to use a simple password such as 1111 or 1234. The default value is $true. |
| Allow S/MIME encryption algorithm negotiation | This setting specifies whether the messaging application on the mobile device can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm. |
| Allow S/MIME software certificates | This setting specifies whether S/MIME software certificates are allowed on the mobile device. |
| Allow storage card | This setting specifies whether the mobile device can access information that's stored on a storage card. |
| Allow text messaging | This setting specifies whether text messaging is allowed from the mobile device. The default value is $true. |
| Allow unsigned applications | This setting specifies whether unsigned applications can be installed on the mobile device. The default value is $true. |
| Allow unsigned installation packages | This setting specifies whether an unsigned installation package can be run on the mobile device. The default value is $true. |
| Allow Wi-Fi | This setting specifies whether wireless Internet access is allowed on the mobile device. The default value is $true. |
| Alphanumeric password required | This setting requires that a password contains numeric and non-numeric characters. The default value is $true. |
| Approved Application List | This setting stores a list of approved applications that can be run on the mobile device. |
| Attachments enabled | This setting enables attachments to be downloaded to the mobile device. The default value is $true. |
| Device encryption enabled | This setting enables encryption on the mobile device. Not all mobile devices can enforce encryption. For more information, see the device and mobile operating system documentation. |
| Device policy refresh interval | This setting specifies how often the mobile device mailbox policy is sent from the server to the mobile device. |
| IRM enabled | This setting specifies whether Information Rights Management (IRM) is enabled on the mobile device. |
| Max attachment size | This setting controls the maximum size of attachments that can be downloaded to the mobile device. The default value is Unlimited. |
| Max calendar age filter | This setting specifies the maximum range of calendar days that can be synchronized to the mobile device. The following values are accepted: All, OneDay, ThreeDays, OneWeek, TwoWeeks, OneMonth |
| Max email age filter | This setting specifies the maximum number of days of email items to synchronize to the mobile device. The following values are accepted: All, OneDay, ThreeDays, OneWeek, TwoWeeks, OneMonth |
| Max email body truncation size | This setting specifies the maximum size at which email messages are truncated when synchronized to the mobile device. The value is in kilobytes (KB). |
| Max email HTML body truncation size | This setting specifies the maximum size at which HTML email messages are truncated when synchronized to the mobile device. The value is in kilobytes (KB). |
| Max inactivity time lock | This value specifies the length of time that the mobile device can be inactive before a password is required to reactivate it. You can enter any interval between 30 seconds and 1 hour. The default value is 15 minutes. |
| Max password failed attempts | This setting specifies the number of attempts a user can make to enter the correct password for the mobile device. You can enter any number from 4 through 16. The default value is 8. |
| Min password complex characters | This setting specifies the minimum number of complex characters required in the mobile device's password. A complex character is a character that is not a letter. |
| Min password length | This setting specifies the minimum number of characters in the mobile device password. You can enter any number from 1 through 16. The default value is 4. |
| Password enabled | This setting enables the mobile device password. |
| Password expiration | This setting enables the administrator to configure a length of time after which a mobile device password must be changed. |
| Password history | This setting specifies the number of past passwords that can be stored in a user's mailbox. A user can't reuse a stored password. |
| Password recovery enabled | When this setting is enabled, the mobile device generates a recovery password that's sent to the server. If the user forgets their mobile device password, the recovery password can be used to unlock the mobile device and enable the user to create a new mobile device password. |
| Require device encryption | This setting specifies whether device encryption is required. If set to $true, the mobile device must be able to support and implement encryption to synchronize with the server. |
| Require encrypted S/MIME messages | This setting specifies whether S/MIME messages must be encrypted. The default value is $false. |
| Require encryption S/MIME algorithm | This setting specifies what required algorithm must be used when encrypting S/MIME messages. |
| Require manual synchronization while roaming | This setting specifies whether the mobile device must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile device data plan. |
| Require signed S/MIME algorithm | This setting specifies what required algorithm must be used when signing a message. |
| Require signed S/MIME messages | This setting specifies whether the mobile device must send signed S/MIME messages. |
| Require storage card encryption | This setting specifies whether the storage card must be encrypted. Not all mobile device operating systems support storage card encryption. For more information, see your mobile device and mobile operating system documentation. |
| Unapproved InROM application list | This setting specifies a list of applications that cannot be run in ROM. |
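
The device security features listed for Exchange ActiveSync and the policy settings in the table above can be reviewed in bulk from Exchange Online PowerShell. The following is an added example, not code from this documentation: the baseline thresholds, the helper names `ConvertTo-Limit` and `Test-MobileDevicePolicy`, and the sample policy objects are assumptions constructed for illustration.

```powershell
# Added example: flag mobile device mailbox policies that are weaker than a baseline.
# The baseline is an assumption for illustration; adjust it to your own requirements.
$Baseline = @{
    MinPasswordLength         = 6                     # assumed floor (the documented default is 4)
    MaxPasswordFailedAttempts = 8                     # documented default
    MaxInactivityTimeLock     = [timespan]'00:15:00'  # documented default of 15 minutes
}

function ConvertTo-Limit {
    # Hypothetical helper. Remote sessions can return an empty value or the
    # string "Unlimited" for unset limits; map both to $null ("no limit set").
    param($Value)
    if ($null -eq $Value -or "$Value" -eq '' -or "$Value" -eq 'Unlimited') { return $null }
    return "$Value"
}

function Test-MobileDevicePolicy {
    # Hypothetical helper. Accepts objects shaped like the output of
    # Get-MobileDeviceMailboxPolicy and returns one result row per policy.
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        if (-not $Policy.PasswordEnabled) {
            $findings.Add('PasswordEnabled is off: no device password is required')
        }
        if ($Policy.AllowSimplePassword) {
            $findings.Add('AllowSimplePassword is on: passwords such as 1111 or 1234 are accepted')
        }
        $len = ConvertTo-Limit $Policy.MinPasswordLength
        if ($null -eq $len -or [int]$len -lt $Baseline.MinPasswordLength) {
            $findings.Add("MinPasswordLength is below $($Baseline.MinPasswordLength)")
        }
        $tries = ConvertTo-Limit $Policy.MaxPasswordFailedAttempts
        if ($null -eq $tries -or [int]$tries -gt $Baseline.MaxPasswordFailedAttempts) {
            $findings.Add("MaxPasswordFailedAttempts exceeds $($Baseline.MaxPasswordFailedAttempts) or is unlimited")
        }
        $lock = ConvertTo-Limit $Policy.MaxInactivityTimeLock
        if ($null -eq $lock -or [timespan]$lock -gt $Baseline.MaxInactivityTimeLock) {
            $findings.Add("MaxInactivityTimeLock exceeds $($Baseline.MaxInactivityTimeLock) or is unlimited")
        }
        if ($Policy.AllowNonProvisionableDevices) {
            $findings.Add('AllowNonProvisionableDevices is on: devices that cannot apply the policy may still sync')
        }
        if (-not $Policy.RequireDeviceEncryption) {
            $findings.Add('RequireDeviceEncryption is off: unencrypted devices may sync')
        }

        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample input so the example runs without a tenant connection.
$samplePolicies = @(
    [pscustomobject]@{
        Name = 'Sample-Permissive'; PasswordEnabled = $false; AllowSimplePassword = $true
        MinPasswordLength = $null; MaxPasswordFailedAttempts = 'Unlimited'
        MaxInactivityTimeLock = 'Unlimited'; AllowNonProvisionableDevices = $true
        RequireDeviceEncryption = $false
    }
    [pscustomobject]@{
        Name = 'Sample-Hardened'; PasswordEnabled = $true; AllowSimplePassword = $false
        MinPasswordLength = 6; MaxPasswordFailedAttempts = 8
        MaxInactivityTimeLock = '00:15:00'; AllowNonProvisionableDevices = $false
        RequireDeviceEncryption = $true
    }
)
$samplePolicies | Test-MobileDevicePolicy | Format-List

# Against a live tenant (requires an Exchange Online PowerShell session):
#   Get-MobileDeviceMailboxPolicy | Test-MobileDevicePolicy
# Creating a policy that meets the assumed baseline:
#   New-MobileDeviceMailboxPolicy -Name 'Sample-Hardened' -PasswordEnabled $true `
#       -AllowSimplePassword $false -MinPasswordLength 6 -MaxPasswordFailedAttempts 8 `
#       -MaxInactivityTimeLock 00:15:00 -AllowNonProvisionableDevices $false `
#       -RequireDeviceEncryption $true
```

Because device support for these settings varies by operating system and manufacturer, a compliant policy combined with `AllowNonProvisionableDevices` set to `$true` still lets devices that ignore the policy connect.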

POP3 and IMAP4
3/6/2019

Summary: An overview of POP3 and IMAP4, and the differences between them.

By default, POP3 and IMAP4 are enabled for all users in Exchange Online.
To enable or disable POP3 and IMAP4 for individual users, see Enable or Disable POP3 or IMAP4 access
for a user.
To customize the POP3 or IMAP4 settings for a user, see Set POP3 or IMAP4 settings for a user.

Users can use any email program that supports POP3 and IMAP4 to connect to Exchange Online. These
programs include Outlook, Microsoft Outlook Express, Entourage, and many third-party programs, such as
Mozilla Thunderbird and Eudora. The features supported by each email client program vary. For information
about features offered by specific POP3 and IMAP4 client programs, see the documentation that's included with
each application.
POP3 and IMAP4 provide access to the basic email features of Exchange Online and allow for offline email access,
but don't offer rich email, calendaring, and contact management, or other features that are available when users
connect with Outlook, Exchange ActiveSync, Outlook Web App, or Outlook Voice Access.

NOTE
Each time a person accesses a POP-based or IMAP-based email program to open his or her Office 365 email, that user will
experience a delay of several seconds. The delay results from using a proxy server, which introduces an additional hop for
authentication. The proxy server first looks up the assigned pod server (client access server) and then authenticates against
that.

Settings users use to set up POP3 or IMAP4 access to their Exchange Online mailboxes

After you enable POP3 and IMAP4 client access, you have to give users the information in the following table so
that they can connect their email programs to their Exchange Online mailboxes.
POP3 and IMAP4 email programs don't use POP3 and IMAP4 to send messages to the email server. Email
programs that use POP3 and IMAP4 rely on SMTP to send messages.

| PROTOCOL | SERVER NAME | PORT | ENCRYPTION METHOD |
| --- | --- | --- | --- |
| POP3 | Outlook.office365.com | 995 | TLS |
| IMAP4 | Outlook.office365.com | 993 | TLS |
| SMTP | Smtp.office365.com | 587 | TLS |

Understanding the differences between POP3 and IMAP4


By default, when POP3 email programs download email messages to a client computer, the downloaded
messages are removed from the server. When a copy of your user's email isn't kept on the email server, the user
can't access the same email messages from multiple computers. However, some POP3 email programs can be
configured to keep copies of the messages on the server so that the same email messages can be accessed from
another computer. POP3 client programs can be used to download messages from the email server to only a
single folder (usually, the Inbox) on the client computer. POP3 can't synchronize multiple folders on the email
server with multiple folders on the client computer. POP3 also doesn't support public folder access.
Email client programs that use IMAP4 are more flexible and generally offer more features than those that use
POP3. By default, when IMAP4 email programs download email messages to a client computer, a copy of each
downloaded message remains on the email server. Because a copy of the user's email message is kept on the
email server, the user can access the same email message from multiple computers. With IMAP4 email, the user
can access and create multiple email folders on the email server. Users can then access any of their messages on
the server from computers in multiple locations. For example, most IMAP4 programs can be configured to keep a
copy of a user's sent items on the server so that he or she can view the sent items from any other computer.
IMAP4 supports additional features that are supported by most IMAP4 programs. For example, some IMAP4
programs include a feature that lets users view only the headers of their email messages on the server—who the
messages are from and the subjects—and then download only the messages that they want to read.

Send and receive options for POP3 and IMAP4 email programs
POP3 and IMAP4 email programs let users choose when they want to connect to the server to send and receive
email. This section discusses some of the most common connectivity options and provides some factors your
users should consider when they choose connection options available in their POP3 and IMAP4 email programs.

Common configuration settings

Three of the most common connection settings that can be set on the POP3 or IMAP4 client application are:
To send and receive messages every time the email application is started. When this option is used, mail is
sent and received only on starting the email application.
To send and receive messages manually. When this option is used, messages are sent and received only
when the user clicks a send-and-receive option in the client user interface.
To send and receive messages every set number of minutes. When this option is used, the client application
connects to the server every set number of minutes to send messages and download any new messages.
For information about how to configure these settings for the email application that you use, see the Help
documentation that's provided with the email application.
Considerations when selecting send and receive options
The default setting on some email programs is to not keep a copy of messages on the server after they're
retrieved. If the user wants to access messages from multiple email programs or devices, they should keep a copy
of messages on the server.
If the device or computer that's running the POP3 or IMAP4 email application is always connected to the internet,
the user might want to configure the email application to send and receive messages every set number of minutes.
Connecting to the server at frequent intervals lets the user keep the email application up-to-date with the most
current information on the server. However, if the device or computer that's running the POP3 or IMAP4 email
application isn't always connected to the internet, the user might want to configure the email application to send
and receive messages manually.
NOTE
If the user is using an IMAP4-compliant email application that supports the IMAP4 IDLE command, the user might be able
to send email to and receive email from the Exchange mailbox in nearly real time. For this connection method to work, both
the email server application and the client application must support the IMAP4 IDLE command. In most cases, users don't
have to configure any settings in their IMAP4 programs to use this connection method.
Enable or Disable POP3 or IMAP4 access for a user
4/5/2019 • 2 minutes to read

By default, POP3 and IMAP4 are enabled for all users in Exchange Online. You can disable them for individual
users. For additional information related to POP3 and IMAP4, see POP3 and IMAP4.

What do you need to know before you begin?


Estimated time to finish: two minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "POP3 and IMAP4 settings" section in the Feature permissions in Exchange
Online topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to enable or disable POP3 or IMAP4 for a user


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the result pane, select the user for which you want to enable or disable POP3, and then click Edit .
3. In the User Mailbox dialog box, in the console tree, click Mailbox Features.
4. In the result pane, under Email Connectivity, do one of the following:
To enable POP3 for the user, under POP3: Disabled, click Enable.
To enable IMAP4 for the user, under IMAP4: Disabled, click Enable.
To disable POP3 for the user, under POP3: Enabled, click Disable.
To disable IMAP4 for the user, under IMAP4: Enabled, click Disable.
5. Click Save.

Use Exchange Online PowerShell to enable or disable POP3 or IMAP4 for a user
This example enables POP3 for the user Christa Knapp.

Set-CASMailbox -Identity "Christa Knapp" -POPEnabled $true

This example enables IMAP4 for the user Christa Knapp.

Set-CASMailbox -Identity "Christa Knapp" -IMAPEnabled $true


This example disables POP3 for the user Christa Knapp.

Set-CASMailbox -Identity "Christa Knapp" -POPEnabled $false

This example disables IMAP4 for the user Christa Knapp.

Set-CASMailbox -Identity "Christa Knapp" -IMAPEnabled $false

How do you know this worked?


1. In the EAC, navigate to Recipients > Mailboxes.
2. In the result pane, select the user for which you want to enable or disable POP3 or IMAP4, and then click
Edit.
3. In the User Mailbox dialog box, in the console tree, click Mailbox Features.
4. In the result pane, look under Email Connectivity.
If POP3 is disabled for the user, you will see POP3: Disabled.
If IMAP4 is disabled for the user, you will see IMAP4: Disabled.
If POP3 is enabled for the user, you will see POP3: Enabled.
If IMAP4 is enabled for the user, you will see IMAP4: Enabled.
5. Click Save.
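
Because POP3 and IMAP4 are enabled for every mailbox by default, the same check is usually wanted for the whole tenant rather than one user at a time in the EAC. The following added example (not part of the original article) reports mailboxes that still have either protocol enabled and previews disabling both for everything outside an exception list. The function name Find-LegacyProtocolMailbox, the allow list, and the sample mailboxes are assumptions constructed for illustration.

```powershell
# Added example (not from the original article): audit POP3/IMAP4 exposure.
# Find-LegacyProtocolMailbox, $allowList and the sample rows are hypothetical.

function Find-LegacyProtocolMailbox {
    [CmdletBinding()]
    param(
        # Objects with the PrimarySmtpAddress, PopEnabled and ImapEnabled
        # properties that Get-CASMailbox returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$CasMailbox,

        # Addresses allowed to keep POP3/IMAP4 (assumed business exceptions).
        [string[]]$AllowList = @()
    )
    process {
        # Mailboxes with both protocols already disabled need no action.
        if (-not ($CasMailbox.PopEnabled -or $CasMailbox.ImapEnabled)) { return }

        $address = [string]$CasMailbox.PrimarySmtpAddress
        $action  = if ($AllowList -contains $address) { 'Keep' } else { 'Disable' }

        [pscustomobject]@{
            PrimarySmtpAddress = $address
            PopEnabled         = [bool]$CasMailbox.PopEnabled
            ImapEnabled        = [bool]$CasMailbox.ImapEnabled
            Action             = $action
        }
    }
}

# Use live data when an Exchange Online PowerShell session is loaded;
# otherwise fall back to constructed sample rows so the logic runs offline.
$connected = [bool](Get-Command Get-CASMailbox -ErrorAction SilentlyContinue)

if ($connected) {
    $casMailboxes = Get-CASMailbox -ResultSize Unlimited
} else {
    # Constructed sample data, not real mailboxes.
    $casMailboxes = @(
        [pscustomobject]@{ PrimarySmtpAddress = 'christa@contoso.example'; PopEnabled = $true;  ImapEnabled = $true  }
        [pscustomobject]@{ PrimarySmtpAddress = 'scanner@contoso.example'; PopEnabled = $false; ImapEnabled = $true  }
        [pscustomobject]@{ PrimarySmtpAddress = 'user01@contoso.example';  PopEnabled = $false; ImapEnabled = $false }
    )
}

$allowList = @('scanner@contoso.example')
$findings  = @($casMailboxes | Find-LegacyProtocolMailbox -AllowList $allowList)
$findings | Format-Table -AutoSize

if ($connected) {
    foreach ($finding in $findings | Where-Object Action -eq 'Disable') {
        # -WhatIf only previews the change; remove it once the list is reviewed.
        Set-CASMailbox -Identity $finding.PrimarySmtpAddress `
            -PopEnabled $false -ImapEnabled $false -WhatIf
    }

    # Same check as the EAC "Email Connectivity" view, for every mailbox at once.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Format-Table PrimarySmtpAddress, PopEnabled, ImapEnabled -AutoSize
}
```
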
Set POP3 or IMAP4 settings for a user
3/29/2019 • 4 minutes to read

You use the Set-CASMailbox cmdlet to configure the POP3 and IMAP4 options for each user. The configuration
options are described in the following table.

Parameters: PopForceICalForCalendarRetrievalOption, ImapForceICalForCalendarRetrievalOption
Description: Sets the preferred format for meeting requests. By default, meeting requests appear as Outlook Web
App links. You can change them to iCal format.
Values:
$true : Meeting requests are all Outlook Web App links
$false : Meeting requests are all iCal format

Parameters: PopSuppressReadReceipt, ImapSuppressReadReceipt
Description: Sets whether to send read receipts when a message is downloaded and again when it is opened or just
when the message is opened. By default, if a read receipt is requested, two read receipts are sent: one when a
user downloads a message and another when the user opens the message. You can change it so that only one read
receipt is sent: when the user opens the message.
Values:
$false : POP3 or IMAP4 users are sent a read receipt each time a recipient downloads a message. Users are also
sent a read receipt when the user opens the message. This is the default setting.
$true : POP3 or IMAP4 users that use the send read receipt for messages I send option in their email client
programs receive a read receipt only when the recipient opens the message.

Parameters: PopMessagesRetrievalMimeFormat, ImapMessagesRetrievalMimeFormat
Description: Sets the preferred format for received messages. The default is to use the best format based on the
message.
Values: Use a numeral or a text value.
0 or TextOnly : Text only
1 or HtmlOnly : HTML
2 or HtmlAndTextAlternative : HTML and alternative text
3 or TextEnriched : Enriched text
4 or TextEnrichedAndTextAlternative : Enriched text and alternative text
5 or BestBodyFormat : Best body format. This is the default value.
6 or Tnef : Transport-Neutral Encapsulation Format (TNEF). Also known as rich text format, Outlook rich text
format, or MAPI rich text format.

Parameters: PopEnableExactRFC822Size, ImapEnableExactRFC822Size
Description: Sets whether to calculate the exact size of messages. Changing this value is not recommended unless
the default value causes problems for your email client. By default, the estimated message size, rather than the
exact message size, is sent to the email client.
Values:
$true : Use actual message size.
$false : Use estimated message size. This is the default.

For additional information related to POP3 and IMAP4, see POP3 and IMAP4.

What do you need to know before you begin?


Estimated time to finish each procedure: five minutes.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to use Windows
PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "POP3 and IMAP4 settings" entry in the Feature permissions in Exchange
Online topic.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to set the meeting request format for
a POP3 or IMAP4 user
The following example sets all meeting requests in incoming mail to USER01 to iCal format for a POP3 user.

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopForceICalForCalendarRetrievalOption $true

The following example sets all meeting requests in incoming mail to USER01 to iCal format for an IMAP4 user.

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapForceICalForCalendarRetrievalOption $true

How do you know this worked?


To verify that you successfully set the meeting request format for a POP3 or an IMAP4 user, run the following
command in Exchange Online PowerShell and verify that the values displayed are the values that you configured:

Get-CASMailbox USER01 | format-list *ForceIcal*,*UseProtocolDefaults

Use Exchange Online PowerShell to set the suppress read receipt option for a POP3 or IMAP4 user
The following example sets it up so that the POP3 sender receives a read receipt only when the message is
opened.

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopSuppressReadReceipt $true

The following example sets it up so that the IMAP4 sender receives a read receipt only when the message is
opened.

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapSuppressReadReceipt $true

How do you know this worked?


To verify that you successfully set the read receipt option for a POP3 or an IMAP4 user, run the following
command in Exchange Online PowerShell and verify that the values displayed are the values that you configured:

Get-CASMailbox USER01 | format-list *SuppressReadReceipt,*UseProtocolDefaults


Use Exchange Online PowerShell to set the message retrieval format
for a POP3 or IMAP4 user
The following example sets the message retrieval format to text only for POP3 access for USER01.

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopMessagesRetrievalMimeFormat TextOnly

The following example sets the message retrieval format to text only for IMAP4 access for USER01.

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapMessagesRetrievalMimeFormat TextOnly

How do you know this worked?


To verify that you successfully set the message retrieval format for a POP3 or an IMAP4 user, run the following
command in Exchange Online PowerShell and verify that the values displayed are the values that you configured:

Get-CASMailbox USER01 | format-list *MessagesRetrievalMimeFormat,*UseProtocolDefaults

Use Exchange Online PowerShell to set the message size calculation for a POP3 or IMAP4 user
This example calculates the exact size of POP messages for USER01.

IMPORTANT
Set the PopEnableExactRFC822Size parameter to $true only if the POP client doesn't work for this user.

Set-CASMailbox USER01 -PopUseProtocolDefaults $false -PopEnableExactRFC822Size $true

This example calculates the exact size of IMAP messages for USER01.

IMPORTANT
Set the ImapEnableExactRFC822Size parameter to $true only if the IMAP client doesn't work for this user.

Set-CASMailbox USER01 -ImapUseProtocolDefaults $false -ImapEnableExactRFC822Size $true

How do you know this worked?


To verify that you successfully set the message size calculation for a POP3 or IMAP4 user, run the following
command in Exchange Online PowerShell and verify that the values displayed are the values that you configured:

Get-CASMailbox USER01 | format-list *EnableExact*,*UseProtocolDefaults

For more information


Connect to Exchange Online Using Remote PowerShell
POP3 and IMAP4
Enable or Disable POP3 or IMAP4 access for a user
Set-CASMailbox
Outlook for iOS and Android in Exchange Online
3/4/2019 • 3 minutes to read

The Outlook app for iOS and Android is designed to bring together email, calendar, contacts, and other files,
enabling users in your organization to do more from their mobile devices. This article provides an overview of the
architecture, so that Office 365 administrators can deploy and maintain Outlook for iOS and Android in their
organizations.

NOTE
The Outlook for iOS and Android Help Center is available for users, including help for using the app on specific devices and
troubleshooting information.

Outlook for iOS and Android architecture


The Outlook for iOS and Android app is fully powered by the Microsoft Cloud. All Office 365 Enterprise, Business,
and Education accounts are supported natively, which means there is no mailbox data cached outside of Office
365. Data simply stays in its current Exchange Online mailbox, and it's protected by TLS-secured connections end-to-end,
between Office 365 and the app. Outlook for iOS and Android is fully delivered through Microsoft services
that provide a strong commitment to security, privacy, and compliance.
The Office 365-based architecture provides the following benefits:
1. Data locality: User mailbox data stays in place, and therefore continues to respect the data locality and
regionality promises of Office 365 for data at rest. In other words, the user’s mailbox data is stored within
the region in which the tenant is located.
2. Device ID: Each Outlook for iOS and Android connection registers in the Office 365 Admin console and is
able to be managed as a unique connection.
3. Modern Authentication (OAuth): Outlook for iOS and Android leverages Modern Authentication
(OAuth) to protect users' credentials. Modern authentication provides Outlook for iOS and Android with a
secure mechanism to access Office 365 data without ever touching a user’s credentials. At sign in, the user
authenticates directly against an identity platform (either Azure AD or an on-premises identity provider like
ADFS) and receives an access token in return, which grants Outlook for iOS and Android access to the
user’s mailbox or files. At no time does the service have access to the user’s password in any form.
4. Enterprise Mobility + Security support: Customers can take advantage of Microsoft Enterprise Mobility
+ Security (EMS), including Microsoft Intune and Azure Active Directory Premium, to enable conditional
access and Intune app protection policies, which control and secure corporate messaging data on the mobile
device.
Data synchronization protocol
Within the Office 365-based architecture, Outlook for iOS and Android is utilizing one of two different data
synchronization protocols:
a proprietary device API + REST API
a native Microsoft sync technology
Today, the vast majority of accounts using Outlook for iOS and Android connect via a Stateless Protocol Translator
component that is built and run in Azure. This component routes data and translates commands, but it doesn't
cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to
and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator
enables communication between Outlook and Exchange Online.

Beginning in December 2018, Microsoft will migrate customers to a native Microsoft sync technology that
removes the Stateless Protocol Translator component from the Office 365-based architecture. With the native
Microsoft sync technology, Outlook for iOS and Android connects directly to Office 365 for data connections,
ensuring the data is protected by an HTTP TLS-secured connection end-to-end.

The native Microsoft sync technology offers several benefits:


1. Eliminates middle tier services: Data synchronization with the native Microsoft sync technology occurs
between the app and Office 365, eliminating the need for any middle tier services.
2. Latency reduction: By replacing the proprietary Outlook device API and Stateless Protocol Translator, there
is a reduction in end-to-end latency between the app and Office 365.
3. Additional Office 365 instance support: Removing the intermediary Stateless Protocol Translator for
data connections enables Microsoft to support other unique Office 365 instances, like Office 365
Government Community Cloud High and Office 365 Department of Defense, that were previously blocked
from using Outlook for iOS and Android.
4. Protocol consolidation: Today, each Outlook client platform utilizes a different data sync protocol, which
hinders the ability to innovate and deploy new features quickly across all Outlook clients. The native
Microsoft sync technology that Outlook for iOS and Android is adopting has been in use by the native
Windows 10 mail client for a number of years, and in the future, will be used by Outlook for Mac.
5. Unlocking new features: The native Microsoft sync technology will enable Outlook for iOS and Android
to take advantage of native Office 365 features it does not support today, such as S/MIME, Microsoft
Information Protection labeling, and shared mailboxes. These and more Office 365 features will roll out
soon after the architecture update.
Outlook for iOS and Android in Exchange Online: FAQ
3/29/2019 • 19 minutes to read

Summary: This article covers the most common questions asked by customers and administrators about using
Outlook for iOS and Android with Exchange Online and Office 365.
The Outlook for iOS and Android app is designed to enable users in your organization to do more from their
mobile devices, by bringing together email, calendar, contacts, and other files. The following sections highlight the
most common questions we receive, across three key areas:
Outlook for iOS and Android architecture and security
Managing and maintaining Outlook for iOS and Android in your Exchange organization after it has been
deployed
Common questions from end-users who access information in your Exchange organization with the
Outlook for iOS and Android app on their mobile devices

Architecture and security


The following questions are about the overall architecture of Outlook for iOS and Android in Exchange Online, as
well as user authentication and other security concerns.
Q: What cloud architecture is utilized by Outlook for iOS and Android for Office 365 accounts?
For more information on the architecture, see Outlook for iOS and Android in Exchange Online.
Q: Can I add two different Office 365 accounts from different Office 365 regions to Outlook for iOS and
Android?
Yes. However, customers with the Office 365 Government plan may only have accounts connected to Outlook for
iOS and Android from a single Office 365 region. This means that Office 365 Government customers can't have
both a mailbox that is located in European Office 365 datacenters and an Office 365 Government plan mailbox
within the same Outlook for iOS and Android app on the same device.
Q: What authentication mechanism is used for Outlook for iOS and Android? Are credentials stored in Office
365?
Active Directory Authentication Library (ADAL)-based authentication is what Outlook for iOS and Android uses to
access Exchange Online mailboxes in Office 365. ADAL authentication, used by Office apps on both desktop and
mobile devices, involves users signing in directly to Azure Active Directory, which is Office 365's identity provider,
instead of providing credentials to Outlook.
ADAL-based sign in enables OAuth for Office 365 accounts, and provides Outlook for iOS and Android a secure
mechanism to access email without requiring access to user credentials. At sign in, the user authenticates directly
with Office 365 and receives an access token in return. The token grants Outlook for iOS and Android access to the
appropriate mailbox. OAuth provides Outlook with a secure mechanism to access Office 365 and the Outlook
cloud service without needing or storing a user's credentials.
For more information, see the Office Blog post New access and security controls for Outlook for iOS and Android.
Q: Do Outlook for iOS and Android and other Microsoft Office mobile apps support single sign-on?
All Microsoft apps that leverage the Azure Active Directory Authentication Library (ADAL) support single sign-on.
In addition, single sign-on is also supported when the apps are used in conjunction with either the Microsoft
Authenticator or Microsoft Company Portal apps.
Tokens can be shared and re-used by other Microsoft apps (such as Word mobile) under the following scenarios:
1. When the apps are signed by the same signing certificate and use the same service endpoint or audience
URL (such as the Office 365 URL). In this case, the token is stored in app shared storage.
2. When the apps leverage or support single sign-on with a broker app. The tokens are stored within the
broker app. Microsoft Authenticator is an example of a broker app. In the broker app scenario, after you
attempt to sign in to Outlook for iOS and Android, ADAL will launch the Microsoft Authenticator app, which
will make a connection to Azure Active Directory to obtain the token. It will then hold on to the token and re-
use it for authentication requests from other apps, for as long as the configured token lifetime allows.
For more information, see How to enable cross-app SSO on iOS using ADAL.
Q: What is the lifetime of the tokens generated and used by the Active Directory Authentication Library (ADAL)
in Outlook for iOS and Android?
Two tokens are generated when a user authenticates through ADAL-enabled apps like Outlook for iOS and
Android, the Authenticator app, or the Company Portal app: an access token and a refresh token. The access token
is used to access the resource (Exchange message data), while a refresh token is used to obtain a new access or
refresh token pair when the current access token expires.
By default, the access token lifetime is one hour and the refresh token lifetime is 90 days. These values can be
adjusted; for more information see Configurable token lifetimes in Azure Active Directory. Note that if you choose
to reduce these lifetimes, you can also reduce the performance of Outlook for iOS and Android, because a smaller
lifetime increases the number of times the application must acquire a fresh access token.
Q: What happens to the access token when a user's password is changed?
A previously granted access token is valid until it expires. Upon expiration, the client will attempt to use the refresh
token to obtain a new access token, but because the user's password has changed, the refresh token will be
invalidated (assuming directory synchronization has occurred between on-premises and Azure Active Directory).
The invalidated refresh token will force the user to re-authenticate in order to obtain a new access token and
refresh token pair.
Q: Does Outlook for iOS and Android support certificate-based authentication?
Yes, Outlook for iOS and Android supports certificate-based authentication for modern authentication-enabled
accounts (Office 365 accounts or on-premises accounts leveraging hybrid modern authentication). For more
information, see:
Configuring Active Directory Federation Services (ADFS) with Office 365
Certificate-based authentication on iOS
Certificate-based authentication on Android
Q: What does background synchronization enable? I notice that when I launch the app with it enabled, I still have
to wait for messages to download, even after I've received new mail notifications for them; and sometimes, I get
reminders for appointments that had been cancelled.
Background synchronization enables new message notifications, calendar reminders, badge count updates, and
background synchronization of mailbox and calendar information for Outlook for iOS and Android.
If background synchronization is disabled by the user in the mobile operating system's settings, then the user must
launch the app and keep it in the foreground in order to synchronize messages and have an up-to-date calendar.
Background synchronization in Outlook for iOS and Android can also be temporarily disabled by the following
actions:
Force quitting Outlook for iOS.
Restarting the iOS device.
Outlook for iOS crashes and is not restarted by the user.
Not opening the app for a given period of time. iOS will automatically freeze third-party apps, like Outlook,
based on usage patterns. Android doze mode and app standby features can also prevent background
updates to the app while those features are active.
On some Android devices, you can also restrict background processing or network access per-app. In these
cases, Outlook for Android will not be able to process updates in the background. Android device
manufacturers can modify the way you can interact with settings, therefore it is not possible to document
every device scenario, but in general, these are the steps you can take to remove battery optimization:
1. Open Settings.
2. Tap Battery.
3. Tap the ellipsis and tap Battery optimization.
4. Tap the down arrow and tap All apps.
5. For the Microsoft Authenticator, Intune Company Portal and Outlook apps, tap Not optimized to turn off
battery optimization.
If the mobile operating system prevents background synchronization, users will experience the following:
New mail notifications will continue to be delivered, however, upon launching the app, the new messages
will have to be downloaded.
Calendar reminders will fire for appointments that have been cancelled because the app was unable to
download and process the meeting cancellation.

NOTE
Apple allows its native Mail and Calendar apps to do background refreshes without any restrictions. Therefore, users may
notice a difference in the background synchronization experience between the apps. However, this also results in improved
battery life and less data consumption with Outlook for iOS.

Q: Does each user's instance of Outlook for iOS and Android have a unique device ID in the Office 365-based
architecture? How is the device ID generated and is this same device ID used in Intune?
Upon initial account login, Outlook for iOS and Android establishes a connection to the Office 365-based
architecture. A unique device ID is generated, and this device ID is what appears in Active Directory device records
(which can be retrieved with cmdlets such as Get-MobileDevice in Exchange Online PowerShell) and which appears
in HTTP request headers.
Intune uses a different device ID. The basic workflow for how Intune assigns a device ID is described in App-based
conditional access with Intune. In Intune, the device ID is assigned when the device workplace joins for all
device-conditional access scenarios. This is an AAD-generated unique ID for the device. Intune uses that unique ID when
sending compliance information, and ADAL uses that unique ID when authenticating to services.
Q: Does Outlook for iOS and Android support RMS?
Yes. Outlook for iOS and Android supports reading protected messages. Outlook for iOS and Android works
differently than desktop versions of Outlook when it comes to RMS. For desktop versions of Outlook, once a
protected message is received and access is attempted, and Outlook verifies that the user can read RM messages,
Outlook connects to Exchange to request an encryption key. The Outlook desktop client uses that encryption key to
decrypt the message in front of the user (client-side). Mobile clients operate differently. When Outlook for iOS and
Android sets up its initial relationship with Exchange, it notifies Exchange that it supports RMS. Exchange decrypts
any protected messages before passing them to the client. In other words, decryption is performed server-side.
Outlook for iOS and Android doesn't perform any decryption itself.
In cases where Outlook for iOS and Android receives protected messages and prompts end-users to use an RM
client to open the file, it means that Exchange hasn't decrypted the message, which is due to an issue on the
Exchange side.

NOTE
Outlook for iOS leverages iOS's native preview technology to quickly expose attachments to end users. iOS's preview
technology does not support rights management and will report error "The operation couldn't be completed.
(OfficeImportErrorDomain error 912)" when a user attempts to open a rights-protected attachment. Users will need to tap
the respective Word, Excel, or PowerPoint app icon to open the rights-protected attachment in the native app.

Q: What ports and end points does Outlook for iOS and Android use?
Outlook for iOS and Android communicates via TCP port 443. The app accesses various end points, depending on
the activities of the user. Complete information is available in Network Requests in Office 365 ProPlus.
Q: Does Outlook for iOS and Android support proxy configurations?
Yes, Outlook for iOS and Android supports proxy configurations when the proxy infrastructure meets the following
requirements:
Supports HTTP protocol without TLS decryption and inspection.
Does not perform authentication.
Outlook for iOS and Android will consume the proxy configuration as defined by the platform operating system.
Typically, this configuration information is deployed via a PAC file. The PAC file must be configured to use
hostnames instead of protocol; no additional custom settings are supported.
For tenants that have not been migrated to the native Microsoft sync technology, the following additional
requirement applies:
Supports and has SOCKS proxy capability enabled. The Outlook for iOS and Android client utilizes TCP
connections to our Office 365-based architecture. The IP ranges for the SOCKS connections are not restricted
to a subset of Azure IP ranges, which means that customers cannot define a whitelist range. The PAC must be
configured to use hostnames instead of protocol and return the SOCKS proxy information given the host URL;
no additional custom settings are supported.

Native Microsoft sync technology migration


The following questions are about the migration from the REST API data sync protocol to the native Microsoft
sync technology used by Outlook for iOS and Android for accessing mailbox data.
Q: Is there a minimum version of Outlook for iOS and Android required to use the native Microsoft sync
technology?
For Outlook for iOS, users should install 3.10.1 or later. For Outlook for Android, users should install 3.0.14 or later.
As always, we recommend users keep the Outlook app up to date.
Q: What will my users experience when our tenant is migrated to the native Microsoft sync technology?
Assuming the user is running a supported version of Outlook for iOS and Android, after your tenant is migrated,
your users may see a brief notice indicating that we are updating their email and calendar data. Otherwise the user
experience to migrate to the updated architecture will be seamless.
Q: As a tenant administrator, can I control which of my users will be migrated to the native Microsoft sync
technology?
No, the migration to the native Microsoft sync technology will be on a tenant-by-tenant basis and not a per-user
basis. While the tenant selection order for migration is random, we are being deliberate about migrating Office 365
mailboxes first. If you are a customer operating in a hybrid configuration where a portion of your mailboxes remain
on-premises, the on-premises users leveraging hybrid modern authentication will be migrated to the native
Microsoft sync technology at a later date. This means that your Office 365 users will migrate to the native
Microsoft sync technology, while the on-premises users continue to use the REST API to connect to Exchange
Online.
Once your tenant is migrated, a user will not switch to the native Microsoft sync technology, until after they
launch/resume Outlook for iOS and Android.
Q: If my user doesn't upgrade to a supported build of Outlook for iOS and Android prior to my tenant's
migration, does that mean the user will lose access to email and calendar data while mobile?
No, the user will continue to connect using the existing REST-based data sync protocol.
Q: Will my Intune App Protection Policies or Azure AD Conditional Access policies be affected by this
migration?
No, both Intune App Protection Policies and Azure AD Conditional Access policies will continue to be applied to
the targeted identity, regardless of the data sync protocol leveraged by Outlook for iOS and Android.
Q: Will I have to update my Exchange mobile device access policies (allow block quarantine (ABQ) rules)?
No, the user agent string that Outlook for iOS and Android uses does not change. For more information on what
that user agent is, see Securing Outlook for iOS and Android in Exchange Online.
Q: As an Exchange administrator, is there a way for me to determine which data sync protocol Outlook for iOS
and Android clients are utilizing in the Office 365-based architecture?
Yes, execute the following command from Exchange Online PowerShell:

Get-MobileDevice | where {$_.DeviceModel -eq "Outlook for iOS and Android"} | Format-List FriendlyName,DeviceID,DeviceOS,ClientType

The ClientType property indicates which data sync protocol is in use. If the value is REST, then the client is
utilizing the REST API. If the value is Outlook, then the client is using the native Microsoft sync technology.
Alternatively, a user can log in to Outlook on the web and, from within Options, select Mobile Devices to view the
details of a mobile device. Like the cmdlet, the user can see the value for the ClientType property.
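The following is an added example, not part of the original article: it groups Outlook for iOS and Android devices by the ClientType values described above, so an administrator can see which devices are still on the REST API after a tenant migration. The function name Get-OutlookMobileSyncSummary and the sample device objects are constructed for illustration.

```powershell
# Added example (not from the original article). Function name and sample data are constructed.
function Get-OutlookMobileSyncSummary {
    [CmdletBinding()]
    param(
        # One device object per pipeline item, shaped like Get-MobileDevice output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    begin {
        $devices = New-Object System.Collections.Generic.List[psobject]
    }
    process {
        # Same filter as the command above: only the Outlook mobile app.
        if ($Device.DeviceModel -eq 'Outlook for iOS and Android') {
            $devices.Add($Device)
        }
    }
    end {
        # ClientType meanings as stated in the article.
        $known = @{
            'REST'    = 'REST API'
            'Outlook' = 'Native Microsoft sync technology'
        }
        $devices | Group-Object -Property ClientType | ForEach-Object {
            $name = [string]$_.Name
            $protocol = if ($known.ContainsKey($name)) { $known[$name] } else { 'Unrecognized ClientType' }
            [pscustomobject]@{
                ClientType = $name
                Protocol   = $protocol
                Count      = $_.Count
                DeviceIDs  = ($_.Group.DeviceID -join ', ')
            }
        }
    }
}

# Constructed sample objects standing in for Get-MobileDevice output.
$sample = @(
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS and Android'; DeviceID = 'CONSTRUCTED0001'
                       DeviceOS = 'iOS (constructed)'; DeviceModel = 'Outlook for iOS and Android'; ClientType = 'REST' }
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS and Android'; DeviceID = 'CONSTRUCTED0002'
                       DeviceOS = 'Android (constructed)'; DeviceModel = 'Outlook for iOS and Android'; ClientType = 'Outlook' }
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS and Android'; DeviceID = 'CONSTRUCTED0003'
                       DeviceOS = 'iOS (constructed)'; DeviceModel = 'Outlook for iOS and Android'; ClientType = 'Outlook' }
    # A different client, included to show that it is filtered out.
    [pscustomobject]@{ FriendlyName = 'Other mail client'; DeviceID = 'CONSTRUCTED0004'
                       DeviceOS = 'iOS (constructed)'; DeviceModel = 'Other device model'; ClientType = 'EAS' }
)

$sample | Get-OutlookMobileSyncSummary | Format-Table -AutoSize

# Live usage from Exchange Online PowerShell:
# Get-MobileDevice -ResultSize Unlimited | Get-OutlookMobileSyncSummary
```

Devices that remain in the REST group after the tenant has been migrated are the ones whose users have not yet launched or resumed a supported build of the app.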

Administrating and monitoring Outlook for iOS and Android in your organization
The following questions are about managing and monitoring the Outlook for iOS and Android app within your
organization after the app has been deployed.
Q: Is it necessary to file an in-app support ticket when I experience an issue with Outlook for iOS and Android?
Yes, if you want to troubleshoot and resolve the issue, or if you want to inform us of a product defect or limitation,
you will need to file an in-app support ticket. Only through filing an in-app support ticket can the Outlook app's
logs get collected and analyzed by our product engineers.
Customers with a Microsoft Premier agreement can open support cases with Customer Service & Support (CSS).
Instead of having the user initiate an in-app support ticket, the user can leverage Collect Diagnostics to upload the
logs and share the incident ID with CSS/Premier. Collect Diagnostics will capture data from Outlook for iOS and
Android, Authenticator, and the Company Portal and upload all the relevant logs to Microsoft. Microsoft Support
Escalation Engineers can use the incident ID to access the diagnostic logs and troubleshoot the user's issue.
To gather the logs:
1. Within Outlook for iOS and Android’s settings, tap Help & Feedback.
2. Tap Collect Diagnostics.
3. Tap Get Started.
4. Tap Upload Outlook Logs (iOS) or Collect Logs (Android).
5. Share the incident ID with CSS.
Q: As an Exchange administrator, I would like to deploy Outlook for iOS and Android, but in my testing I can't
log in. What might be the issue?
Assuming authentication is not the issue, there are two areas you can check:
1. Check whether you have an EWS application policy that restricts which client applications can connect.
2. Check whether you have EWS enabled for the account.
For more information, see Securing Outlook for iOS and Android in Exchange Online. If one of the above checks
doesn't resolve the issue, please open an in-app support ticket.
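The two checks above can be scripted. This is an added example, not part of the original article: it inspects the EWS settings at the organization and mailbox level and reports whether either would restrict a given client. The function name, the sample objects, and the user agent value are constructed; the wildcard matching of list entries with -like is an assumption.

```powershell
# Added example (not from the original article). Names and sample values are constructed.
function Test-EwsAccessSetting {
    param(
        [Parameter(Mandatory)][string]$Scope,       # label: 'Organization' or a mailbox identity
        [Parameter(Mandatory)][psobject]$Setting,   # Get-OrganizationConfig or Get-CASMailbox output
        [Parameter(Mandatory)][string]$UserAgent    # user agent string of the client being tested
    )
    $findings = @()

    # Check 2 from the list above: is EWS enabled at this scope?
    if ($Setting.EwsEnabled -eq $false) {
        $findings += 'EwsEnabled is False.'
    }

    # Check 1 from the list above: does an EWS application policy restrict this client?
    switch ([string]$Setting.EwsApplicationAccessPolicy) {
        'EnforceAllowList' {
            $hit = @($Setting.EwsAllowList | Where-Object { $_ -and ($UserAgent -like $_) })
            if ($hit.Count -eq 0) {
                $findings += "EnforceAllowList is set and no EwsAllowList entry matches '$UserAgent'."
            }
        }
        'EnforceBlockList' {
            $hit = @($Setting.EwsBlockList | Where-Object { $_ -and ($UserAgent -like $_) })
            if ($hit.Count -gt 0) {
                $findings += "EnforceBlockList is set and EwsBlockList entry '$($hit -join ', ')' matches '$UserAgent'."
            }
        }
    }

    [pscustomobject]@{
        Scope     = $Scope
        Restricts = ($findings.Count -gt 0)
        Findings  = ($findings -join ' ')
    }
}

# Constructed user agent. Replace it with the Outlook for iOS and Android user agent
# documented in "Securing Outlook for iOS and Android in Exchange Online".
$userAgent = 'ExampleClient/1.0'

# Constructed sample objects standing in for cmdlet output.
$org = [pscustomobject]@{ EwsEnabled = $null; EwsApplicationAccessPolicy = 'EnforceAllowList'
                          EwsAllowList = @('SomeOtherApp/*'); EwsBlockList = $null }
$cas = [pscustomobject]@{ EwsEnabled = $false; EwsApplicationAccessPolicy = $null
                          EwsAllowList = $null; EwsBlockList = $null }

Test-EwsAccessSetting -Scope 'Organization' -Setting $org -UserAgent $userAgent
Test-EwsAccessSetting -Scope 'Mailbox (constructed)' -Setting $cas -UserAgent $userAgent

# Live usage from Exchange Online PowerShell:
# $org = Get-OrganizationConfig
# $cas = Get-CASMailbox -Identity <user>
```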
Q: Will Outlook for iOS and Android support third-party EMM or MDM solutions?
For more information, please see Managing Outlook for iOS and Android in Exchange Online.
Q: Is a license required to use Outlook for iOS and Android?
Outlook for iOS and Android is free for consumer usage from the iOS App store and from Google Play. However,
commercial users require an Office 365 subscription that includes the Office desktop applications: Business,
Business Premium, Enterprise E3, E5, and ProPlus, or the corresponding versions of those plans for Government
or Education. Commercial users with the following subscriptions are allowed to use the Outlook mobile app on
devices with integrated screens 10.1" diagonally or less: Office 365 Enterprise E1, Office 365 F1, Office 365
Business Essentials, Office 365 A1, and if you only have an Exchange Online license (without Office). If you only
have an Exchange on-premises (Exchange Server) license, you are not licensed to use the app.

Common questions from end-users


The following questions concern end-users in your organization who are using Outlook for iOS and Android on
their devices to access their Exchange mailboxes.
Q: My users enabled the "Save Contacts" advanced settings option. However, they are complaining that not all
contacts have synchronized on their iOS devices. Are there limitations with synchronization?
The initial export of contacts can only begin when Outlook is in the foreground. A user can switch between apps
and the export will continue while Outlook is active in memory. There are iOS limitations when syncing with
iCloud that may result in data inconsistency, but Outlook will automatically trigger a reconciliation to ensure that
the contacts are always consistently exported (e.g., reconciliation will remove duplicates in the event that Outlook
detects exported contacts from a previous export activity). In the event you are seeing an inconsistency and it has
not been resolved after a short period of time, wait twenty-four hours and then restart the app to trigger the
reconciliation process.
Q: Why are the Office mobile apps required to be installed on Android in order to render attachments in
Outlook, while iOS devices provide a preview of the attachments within Outlook?
This is due to the differences in the base operating systems. iOS provides native content rendering for known
attachment types, which Outlook for iOS uses to provide basic attachment rendering. Android provides nothing
similar. Android users have to install the Office apps and/or third-party apps in order to render attachment content.
Q: A new message included an attachment, but while I was offline I couldn't open the attachment. Why is that?
Outlook (like other mobile clients) does not download attachments automatically. This is by design, in order to
conserve device space. Attachments are only downloaded at the request of the user.
Q: A week ago I accessed an attachment in a message, but now that I'm offline I can no longer access that
attachment on my iOS device. However, I can access it on my Android device. Why is that?
Outlook for iOS stores attachments in our own database. As a result, every attachment we download to the client
takes up a considerable amount of space in our database. To ensure the client is able to provide fast performance
and take a small amount of space, we purge data rather aggressively based on usage (attachments will be cached
up to seven days).
Unlike iOS, Android uses an accessible file system, so when Outlook for Android downloads an attachment, it
doesn't go into the database, rather it is stored as a temporary file.
Q: Why does data within Outlook for iOS disappear and then re-appear after I toggle the Focused Inbox or the
Organize by Thread settings?
Whenever those options are changed, Outlook for iOS performs a soft reset. This wipes the existing data that has
been downloaded to the app and requires a re-synchronization.
Q: Can I view organization chart information in Outlook for iOS?
Yes. Outlook for iOS provides your company's organization information as part of a person's contact card details.
Your company's reporting structure and a list of colleagues is also provided, to help employees connect with the
people and teams they need to work with.
The list of people displayed as part of the Other Colleagues list under Show Organization is based on common
email distribution lists, group memberships, and degrees of separation in the Organization structure defined in
Azure Active Directory.
If you do not have organization chart data exposed in the app, consult with your directory administrator. There are
two main scenarios to consider:
1. Your company has a hybrid topology where an on-premises directory is synchronized with Azure Active
Directory. You will need to update Active Directory with the organization chart information, either directly in
the directory or via your Human Resources system. Data will be synchronized into AAD automatically and
will be accessible via the Global Address List in Exchange Online.
2. Your company only leverages Azure Active Directory for directory management. You will need to update
Azure Active Directory with the organization chart information, either directly in the directory or via your
Human Resources system. This data will be accessible via the Global Address List in Exchange Online.
Q: How much of my mailbox data is synchronized with Outlook for iOS and Android?
Outlook for iOS and Android synchronizes 500 items per folder, with up to 1000 items per folder if the user taps
Load more conversations. The app periodically trims the items per folder down to 500, in order to ensure
optimal app performance.
Q: Why are tasks and notes not available with Outlook for iOS and Android?
Microsoft's strategic direction for task management and note taking on mobile devices is the To-Do and OneNote
apps, respectively. To-Do provides integration with the tasks stored in Exchange Online mailboxes.
Account setup with modern authentication in Exchange Online
3/4/2019

Summary: How users with modern authentication-enabled accounts can quickly set up their Outlook for iOS and
Android accounts in Exchange Online.
There are two ways that users in your Exchange Online organization can set up their own Outlook for iOS and
Android accounts: AutoDetect and single sign-on. Both methods leverage modern authentication. In addition,
Outlook for iOS and Android offers IT administrators the ability to "push" account configurations to their Office
365 users, as well as control whether Outlook for iOS and Android supports personal accounts.

AutoDetect
Outlook for iOS and Android offers a solution called AutoDetect that helps end-users quickly set up their accounts.
AutoDetect will first determine which type of account a user has, based on the SMTP domain. Account types that
are covered by this service include Office 365, Outlook.com, Google, Yahoo, and iCloud. Next, AutoDetect will
make the appropriate configurations to the app on the user's device based on that account type. This saves time for
users and eliminates the need for manual input of configuration settings like hostname and port number.
For modern authentication, which is used by all Office 365 accounts and on-premises accounts leveraging hybrid
modern authentication, AutoDetect queries Exchange Online for a user's account information and then configures
Outlook for iOS and Android on the user's device so that the app can connect to Exchange Online. During this
process, the only information required from the user is their SMTP address and credentials.
The following images show an example of account configuration via AutoDetect:

In the event that AutoDetect fails for a user, the following images show an alternative account configuration path
using manual configuration:
Single sign-on
Outlook for iOS and Android supports single sign-on via authentication token re-use. If a user is already signed in
to another Microsoft app on their device, like Word or Company Portal, Outlook for iOS and Android will detect
that token and use it for its own authentication. When such a token is detected, users already enrolled in Outlook
for iOS and Android will see their account available as "Found" under Accounts on the Settings menu. New users
will see their account in the initial account setup screen.
The following images show an example of account configuration via single sign-on for a first-time user:

If a user already has Outlook for iOS and Android, such as for a personal account, but an Office 365 account is
detected because they recently enrolled, the single sign-on path will look as follows:
Account setup configuration via enterprise mobility management
Outlook for iOS and Android offers IT administrators the ability to "push" account configurations to Office 365
accounts or on-premises accounts leveraging hybrid modern authentication. This capability works with any Mobile
Device Management (MDM) provider who uses the Managed App Configuration channel for iOS or the Android
in the Enterprise channel for Android.
For users enrolled in Microsoft Intune, you can deploy the account configuration settings using Intune in the Azure
Portal.
Once account setup configuration has been set up in the MDM provider and the user enrolls their device, Outlook
for iOS and Android will detect that an account is "Found" and will then prompt the user to add the account. The
only information the user needs to enter to complete the setup process is their password. Then, the user's mailbox
content will load and the user can begin using the app.
For more information on the account setup configuration keys needed to enable this functionality, please see the
Account setup configuration section in Deploying Outlook for iOS and Android App Configuration Settings.

Organization allowed accounts mode


Respecting the data security and compliance policies of our largest and highly regulated customers is a key pillar to
the Office 365 value. Some companies have a requirement to capture all communications information within their
corporate environment, as well as ensure the devices are only used for corporate communications. To support
these requirements, Outlook for iOS and Android on corporate-managed devices can be configured to only allow a
single, corporate account to be provisioned within Outlook for iOS and Android. Like with account setup
configuration, this capability works with any Mobile Device Management (MDM) provider who uses the Managed
App Configuration channel for iOS or the Android in the Enterprise channel for Android. This is supported with
Office 365 accounts or on-premises accounts leveraging hybrid modern authentication; however, only a single
corporate account can be added to Outlook for iOS and Android.
For more information on the settings that need to be configured to deploy Organization Allowed Accounts mode,
please see the Organization allowed accounts mode section in Deploying Outlook for iOS and Android App
Configuration Settings.
NOTE
Account setup configuration and Organization allowed accounts mode can be configured together to simplify account setup.

In order to ensure these users can only access corporate email on enrolled devices (whether it be iOS or Android
Enterprise) with Intune, you will need to leverage an Azure Active Directory conditional access policy with the grant
controls Require devices to be marked as compliant and Require approved client app. Details on creating this type
of policy can be found in Azure Active Directory app-based conditional access.

IMPORTANT
Require devices to be marked as compliant grant control requires the device to be managed by Intune.

1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable Exchange ActiveSync
clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy
for Exchange Online", but for the fifth step select "Require device to be marked as compliant", "Require
approved client app", and "Require all the selected controls".
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
Managing Outlook for iOS and Android in Exchange Online
3/29/2019

Summary: This article describes best practices for managing mobile devices with Outlook for iOS and Android in
Exchange Online.
Outlook for iOS and Android provides users the fast, intuitive email and calendar experience users expect from a
modern mobile app, while being the only app to provide support for the best features of Office 365. In addition,
Microsoft provides a number of utilities for managing and protecting company data on mobile devices in your
Exchange Online organization.

Options for managing devices and applications in Office 365


Customers looking to manage Outlook for iOS and Android have the following options:
1. Recommended: The Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active
Directory conditional access.
2. Mobile Device Management (MDM) for Office 365.
3. Third-party Mobile Device Management solutions.
4. Mobile Device Access and Mobile Device Mailbox Policies.

NOTE
For implementation details on each of these three options, see Securing Outlook for iOS and Android in Exchange Online.

Microsoft recommends Office 365 customers use the features of the Enterprise Mobility + Security suite to protect
corporate data on mobile devices, due to the advanced capabilities provided by these services. The core capabilities
of the built-in MDM for Office 365 are included with an Office 365 subscription, while the broader capabilities of
the Enterprise Mobility + Security require an additional subscription purchase.

IMPORTANT
Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is managed by a
conditional access policy that includes either Require device to be marked as compliant or Require approved client app.

A complete side-by-side comparison of MDM and Intune is available in Choose between MDM for Office 365 and
Microsoft Intune.

NOTE
When using mobile device cmdlets such as Get-MobileDevice to check the status of a device, the timestamp for Outlook
for iOS and Android synchronization, indicated by the LastSyncTime property, may be up to 15 minutes behind the actual
time of synchronization. While device synchronization does occur in real time, the returned time stamp may lag behind.

Using Enterprise Mobility + Security


The richest and broadest protection capabilities for Office 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune, Azure Information Protection, and Azure
Active Directory Premium features, such as conditional access.

NOTE
While the Enterprise Mobility + Security suite subscription includes licenses for both Microsoft Intune and Azure Active
Directory, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All users
must be licensed to leverage the conditional access and Intune app protection policies discussed in this article.

Intune provides mobile application management (MAM) capabilities, as well as other conditional access and device
management capabilities. With Intune app protection policies, you can restrict actions such as cut, copy, paste, and
"save as" of corporate data between Intune-managed apps and apps that are not managed by Intune. More
information is available in How to create and assign app protection policies. Additionally, the Intune-managed
Outlook apps include a new multi-identity management feature that enables users to access both their personal
and work email accounts in the same Outlook app while only applying the Intune app protection policies to the
user's work account. This provides a much more seamless user experience.
Conditional access is a capability of Azure Active Directory that enables you to enforce controls on the access to
apps in your environment based on specific conditions from a central location. By using conditional access policies,
you can apply the right access controls under the required conditions. Azure Active Directory conditional access
provides you with added security when such security is needed, and it stays out of your users' way when it isn't.
Key features of the Enterprise Mobility + Security suite with Outlook for iOS and Android:
Conditional access. Azure Active Directory ensures that Exchange Online email can be accessed only when
the conditional access requirements are met. For more information on device enrollment, see Conditional
access in Azure Active Directory.
Intune app protection. Outlook for iOS and Android allows you to protect your corporate data with
Intune app protection policies. This is a great option for "bring your own device" (BYOD) scenarios where
you want to keep corporate data safe without managing a user's devices. For more information on Intune
app protection policies, see Protect app data using mobile app management policies with Microsoft Intune.
Device enrollment. Intune lets you manage your workforce's devices and apps, and how they access your
company data. In this model, Outlook for iOS and Android ensures that Exchange Online email can be
accessed only on phones and tablets that are managed by your company and are compliant with your
organization's policy. When users log on to the Outlook app on an unmanaged mobile device, Outlook
prompts users to enroll the device in Intune by leveraging the Azure conditional access policy, and then
validates that the device meets organizational standards of device compliance.
Device management and reporting. The enrollment process allows organizations to set and manage
security policies that, for example, enforce device-level PIN lock, require data encryption, and block
compromised devices in order to prevent untrusted devices from accessing corporate email and data. Each
enrolled device appears in the Office 365 admin center, and reporting is available to provide details on the
devices that access your corporate data.
Selective wipe. Microsoft Intune can remove Office 365 email data from Outlook for iOS and Android,
while leaving any personal email accounts intact (whether the device is enrolled or not). This is an
increasingly important requirement as more businesses adopt a "bring your own device" approach to
phones and tablets.
For more about Microsoft Intune see Documentation for Microsoft Intune.
Using built-in Mobile Device Management (MDM) for Office 365
MDM for Office 365 provides device management capabilities at no additional cost. Microsoft Intune powers these
basic capabilities, providing a core set of controls in the Office 365 admin center for organizations that need the
basics.
Because this is a device management solution, there is no native capability to control which apps can be used, even
after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure
Active Directory Premium licenses and leverage conditional access policies.
Outlook for iOS and Android fully supports the capabilities provided by MDM for Office 365.
For detailed information on MDM, see the following resources:
Overview built-in Mobile Device Management for Office 365.
Manage settings and features on your devices with Microsoft Intune policies
Instructions for your end-users to enroll a device in Office 365 MDM: Enroll your mobile device in Office
365
Using Third-Party Mobile Device Management Solutions
Third-party MDM providers can deploy Outlook for iOS and Android the same way they would deploy any
iOS or Android app, using their existing tools. They can also apply device management controls like device PIN,
device encryption, device wipe, and more, all of which are important for a secure email experience, but are also
completely independent of Outlook for iOS and Android.
Third-party MDM providers can also deploy certain app configuration settings, like account setup, organization
allowed accounts mode, and general app configuration settings, to Outlook for iOS and Android; for more
information, please see Deploying Outlook for iOS and Android app configuration settings.
In order to manage and protect corporate data within the app (such as restricting actions with corporate data like
cut, copy, paste, and "save as"), customers will need to use Microsoft's Enterprise Mobility + Security suite.
Using Mobile Device Access and Mobile Device Mailbox Policies
Microsoft recommends Office 365 customers use either the Enterprise Mobility + Security suite or the built-in
MDM for Office 365 to manage company data on mobile devices, due to the advanced capabilities provided by
those services. Outlook for iOS and Android does support mobile device access and mobile device mailbox policies
(formerly known as Exchange Active Sync policies), which are available through the Exchange admin center.
Outlook for iOS and Android supports the following Exchange mobile device mailbox policy settings:
Device encryption enabled
Min password length
Password enabled
See Mobile device mailbox policies in Exchange Online for more information.
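As an added example that is not part of the original article, the following audits mobile device mailbox policies against the three settings listed above. The function name, the baseline length of 6, and the sample policies are constructed; mapping "Device encryption enabled" to the DeviceEncryptionEnabled property is an assumption.

```powershell
# Added example (not from the original article). Names, baseline and sample data are constructed.
function Test-MobileDeviceMailboxPolicy {
    [CmdletBinding()]
    param(
        # One policy object per pipeline item, shaped like Get-MobileDeviceMailboxPolicy output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # Constructed baseline; set this to your organization's requirement.
        [int]$RequiredMinPasswordLength = 6
    )
    process {
        $gaps = @()

        if (-not $Policy.PasswordEnabled) {
            $gaps += 'PasswordEnabled is not True'
        }

        # MinPasswordLength can be empty when no minimum is configured.
        $len = 0
        $hasLen = [int]::TryParse([string]$Policy.MinPasswordLength, [ref]$len)
        if (-not $hasLen -or $len -lt $RequiredMinPasswordLength) {
            $gaps += "MinPasswordLength is unset or below $RequiredMinPasswordLength"
        }

        # Assumption: this property corresponds to "Device encryption enabled".
        if (-not $Policy.DeviceEncryptionEnabled) {
            $gaps += 'DeviceEncryptionEnabled is not True'
        }

        [pscustomobject]@{
            Policy    = $Policy.Name
            IsDefault = [bool]$Policy.IsDefault
            Compliant = ($gaps.Count -eq 0)
            Gaps      = ($gaps -join '; ')
        }
    }
}

# Constructed sample objects standing in for Get-MobileDeviceMailboxPolicy output.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default (constructed)'; IsDefault = $true; PasswordEnabled = $false
                       MinPasswordLength = $null; DeviceEncryptionEnabled = $false }
    [pscustomobject]@{ Name = 'Hardened (constructed)'; IsDefault = $false; PasswordEnabled = $true
                       MinPasswordLength = 6; DeviceEncryptionEnabled = $true }
)

$samplePolicies | Test-MobileDeviceMailboxPolicy | Format-Table -AutoSize

# Live usage from Exchange Online PowerShell:
# Get-MobileDeviceMailboxPolicy | Test-MobileDeviceMailboxPolicy
```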
Exchange administrators can initiate a remote device wipe against Outlook for iOS and Android. Upon receiving
the remote wipe request, the app will remove the profile and all data associated with it.

NOTE
Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only
Remote Wipe Device."
Securing Outlook for iOS and Android in Exchange Online
3/18/2019

Outlook for iOS and Android provides users the fast, intuitive email and calendar experience that users expect
from a modern mobile app, while being the only app to provide support for the best features of Office 365.
Protecting company or organizational data on users' mobile devices is extremely important. Begin by reviewing
Setting up Outlook for iOS and Android, to ensure your users have all the required apps installed. After that,
choose one of the following options to secure your devices and your organization's data:
1. Recommended: If your organization has an Enterprise Mobility + Security subscription, or has separately
obtained licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging
Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android to protect
corporate data with Outlook for iOS and Android.
2. If your organization doesn't have an Enterprise Mobility + Security subscription or licensing for Microsoft
Intune and Azure Active Directory Premium, follow the steps in Leveraging Mobile Device Management for
Office 365, and use the Mobile Device Management (MDM) for Office 365 capabilities that are included in
your Office 365 subscription.
3. Follow the steps in Leveraging Exchange Online mobile device policies to implement basic Exchange
mobile device mailbox and device access policies.
If, on the other hand, you don't want to use Outlook for iOS and Android in your organization, see Blocking
Outlook for iOS and Android.

NOTE
See Exchange Web Services (EWS) application policies later in this article if you'd rather implement an EWS application policy
to manage mobile device access in your organization.

Setting up Outlook for iOS and Android


For devices enrolled in a mobile device management (MDM) solution, users will utilize the MDM solution, like the
Intune Company Portal, to install the required apps: Outlook for iOS and Android and Microsoft Authenticator.
For devices that are not enrolled in an MDM solution, users need to install:
Outlook for iOS and Android via the Apple App Store or Google Play Store
Microsoft Authenticator app via the Apple App Store or Google Play Store
Intune Company Portal app via Apple App Store or Google Play Store
Once the app is installed, users can follow these steps to add their corporate email account and configure basic
app settings:
Set up email account in Outlook for iOS mobile app
Set up email in the Outlook for Android app
Optimizing the Outlook mobile app for your iOS or Android phone
IMPORTANT
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For
Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional Access with
Intune.

Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android
IMPORTANT
The Allow/Block/Quarantine (ABQ) list provides no security guarantees (if a client spoofs the DeviceType header, it might be
possible to bypass blocking for a particular device type). To securely restrict access to specific device types, we recommend
that you configure conditional access policies. For more information, see App-based conditional access with Intune.

The richest and broadest protection capabilities for Office 365 data are available when you subscribe to the
Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium
features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that only
allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that
ensures the corporate data is protected.

NOTE
While the Enterprise Mobility + Security suite subscription includes both Microsoft Intune and Azure Active Directory
Premium, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All
users must be licensed in order to leverage the conditional access and Intune app protection policies that are discussed in
this article.

Block all email apps except Outlook for iOS and Android using conditional access
When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android
as the only email app for end users, they can configure a conditional access policy that blocks other mobile access
methods. To do this, you will need two conditional access policies, with each policy targeting all potential users.
Details on creating these policies can be found in Azure Active Directory app-based conditional access.
1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable Exchange ActiveSync
clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy
for Exchange Online."
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
The policies leverage the grant control Require approved client app, which ensures only Microsoft apps that have
integrated the Intune SDK are granted access.
NOTE
After the conditional access policies are enabled, it may take up to 6 hours for any previously connected mobile device to
become blocked. Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is
managed by a conditional access policy that includes either Require device to be marked as compliant or Require approved
client app. To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS
devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional
Access with Intune.

Protect corporate data in Outlook for iOS and Android using Intune app protection policies
Regardless of whether the device is enrolled in an MDM solution, an Intune app protection policy needs to be
created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These
policies, at a minimum, must meet the following conditions:
1. They include all Microsoft mobile applications, such as Word, Excel, or PowerPoint, as this will ensure that
users can access and manipulate corporate data within any Microsoft app in a secure fashion.
2. They mimic the security features that Exchange provides for mobile devices, including:
Requiring a PIN for access (which includes Select Type, PIN length, Allow Simple PIN, Allow fingerprint)
Encrypting app data
Blocking managed apps from running on "jailbroken" and rooted devices
3. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Outlook
for iOS and Android.
In addition to the above minimum policy requirements, you should consider deploying advanced protection policy
settings like Restrict cut, copy and paste with other apps to further prevent corporate data leakage. For more
information on the available settings, see Android app protection policy settings in Microsoft Intune and iOS app
protection policy settings.

IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.

Leveraging Mobile Device Management for Office 365


If you don't plan to leverage the Enterprise Mobility + Security suite, you can use Mobile Device Management
(MDM) for Office 365. This solution requires that mobile devices be enrolled. When a user attempts to access
Exchange Online with a device that is not enrolled, the user is blocked from accessing the resource until they enroll
the device.
Because this is a device management solution, there is no native capability to control which apps can be used even
after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure
Active Directory Premium licenses and leverage the conditional access policies discussed in Block all email apps
except Outlook for iOS and Android using conditional access.
An Office 365 global admin must complete the following steps to activate and set up MDM for Office 365. See Set
up Mobile Device Management (MDM) in Office 365 for complete steps. In summary, these steps include:
1. Activating MDM for Office 365 by following steps in the Security & Compliance Center.
2. Setting up MDM for Office 365 by, for example, creating an APNs certificate to manage iOS devices, and
by adding a Domain Name System (DNS) record for your domain to support Windows phones.
3. Creating device policies and applying them to groups of users. When you do this, your users will get an
enrollment message on their device. And when they've completed enrollment, their devices will be
restricted by the policies you've set up for them.

NOTE
Policies and access rules created in MDM for Office 365 will override both Exchange mobile device mailbox policies and
device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange
mobile device mailbox policy or device access rule that is applied to that device will be ignored.

Leveraging Exchange Online mobile device policies


If you don't plan on leveraging either the Enterprise Mobility + Security suite or the MDM for Office 365
functionality, you can implement Exchange mobile device mailbox policy to secure the device, and device access
rules to limit device connectivity.
Mobile device mailbox policy
Outlook for iOS and Android supports the following mobile device mailbox policy settings in Exchange Online:
Device encryption enabled
Min password length
Password enabled
For information on how to create or modify an existing mobile device mailbox policy, see Mobile device mailbox
policies in Exchange Online.
In addition, Outlook for iOS and Android supports Exchange Online's device-wipe capability. When executed, only
the app is wiped, because Exchange Online considers the Outlook for iOS and Android app as the mobile device.
For more information on how to perform a remote wipe, see Wipe a mobile device in Office 365.

NOTE
Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only
Remote Wipe Device."

Device access policy


Outlook for iOS and Android should be enabled by default, but in some existing Exchange Online environments
the app may be blocked for a variety of reasons. Once an organization decides to standardize how users access
Exchange data and use Outlook for iOS and Android as the only email app for end users, you can configure blocks
for other email apps running on users' iOS and Android devices. You have two options for instituting these blocks
within Exchange Online: the first option blocks all devices and only allows usage of Outlook for iOS and Android;
the second option allows you to block individual devices from using the native Exchange ActiveSync apps.
Option 1: Block all email apps except Outlook for iOS and Android
You can define a default block rule and then configure an allow rule for Outlook for iOS and Android, and for
Windows devices, using the following Exchange Online PowerShell commands. This configuration will prevent
any Exchange ActiveSync native app from connecting, and will only allow Outlook for iOS and Android.
1. Create the default block rule:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

2. Create an allow rule for Outlook for iOS and Android:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

3. Optional: Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP
refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app
included in Windows 10):

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP8" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WindowsMail" -AccessLevel Allow

Option 2: Block native Exchange ActiveSync apps on Android and iOS devices
Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types
of devices.
1. Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and
Android:

Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | ft Name,AccessLevel,QueryString -auto

If any device access rules that block Outlook for iOS and Android are found, type the following to remove
them:

Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | Remove-ActiveSyncDeviceAccessRule

2. You can block most Android and iOS devices with the following commands:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block

3. Not all Android device manufacturers specify "Android" as the DeviceType. Manufacturers may specify a
unique value with each release. In order to find other Android devices that are accessing your environment,
execute the following command to generate a report of all devices that have an active Exchange ActiveSync
partnership:

Get-MobileDevice | Select-Object DeviceOS,DeviceModel,DeviceType | Export-CSV c:\temp\easdevices.csv

4. Create additional block rules, depending on your results from Step 3. For example, if you find your
environment has a high usage of HTCOne Android devices, you can create an Exchange ActiveSync device
access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this
example, you would type:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block

NOTE
The QueryString parameter does not accept wildcards or partial matches.
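
Steps 3 and 4 can be scripted so that the device report directly yields the DeviceType values that still have no rule. The following PowerShell is an added example, not part of the original documentation; the function name Get-UncoveredDeviceType and the sample devices and rules are constructed for illustration, and in production the inputs would come from Get-MobileDevice and Get-ActiveSyncDeviceAccessRule.

```powershell
# Added example: list DeviceType values seen in the inventory that no existing
# device access rule names. QueryString takes no wildcards or partial matches,
# so a rule for "Android" does not cover a device reporting "HTCOne".

function Get-UncoveredDeviceType {
    [CmdletBinding()]
    param(
        # Objects with DeviceType and DeviceModel properties
        # (Get-MobileDevice output, or Import-Csv of the exported report).
        [Parameter(Mandatory)] [object[]] $Device,

        # Objects with Characteristic and QueryString properties
        # (Get-ActiveSyncDeviceAccessRule output).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rule,

        # DeviceModel reported by Outlook for iOS and Android (value from this page).
        [string] $OutlookModel = 'Outlook for iOS and Android'
    )

    # DeviceType values already named by a rule, whether Allow or Block.
    $covered = @($Rule |
        Where-Object { "$($_.Characteristic)" -eq 'DeviceType' } |
        ForEach-Object { "$($_.QueryString)" })

    $Device |
        Where-Object { $_.DeviceModel -ne $OutlookModel } |   # never propose blocking Outlook itself
        Group-Object -Property DeviceType |
        Where-Object { $covered -notcontains $_.Name } |      # whole-string comparison only
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                DeviceType = $_.Name
                Devices    = $_.Count
                # Emitted as text with -WhatIf so the rule is reviewed before it is created.
                Proposed   = 'New-ActiveSyncDeviceAccessRule -Characteristic DeviceType ' +
                             "-QueryString `"$($_.Name)`" -AccessLevel Block -WhatIf"
            }
        }
}

# Constructed sample inventory (stand-in for Get-MobileDevice output).
$sampleDevices = @(
    [pscustomobject]@{ DeviceOS = 'Android 8.0'; DeviceModel = 'HTCOne';     DeviceType = 'HTCOne' }
    [pscustomobject]@{ DeviceOS = 'Android 8.0'; DeviceModel = 'HTCOne';     DeviceType = 'HTCOne' }
    [pscustomobject]@{ DeviceOS = 'Android 9';   DeviceModel = 'SM-G960F';   DeviceType = 'SamsungSMG960F' }
    [pscustomobject]@{ DeviceOS = 'Android 9';   DeviceModel = 'Pixel 3';    DeviceType = 'Android' }
    [pscustomobject]@{ DeviceOS = 'iOS 12.1';    DeviceModel = 'iPhone10C1'; DeviceType = 'iPhone' }
    [pscustomobject]@{ DeviceOS = 'iOS 12.1';    DeviceModel = 'Outlook for iOS and Android'; DeviceType = 'Outlook' }
)

# Constructed sample rules (stand-in for Get-ActiveSyncDeviceAccessRule output).
$sampleRules = @(
    [pscustomobject]@{ Characteristic = 'DeviceType'; QueryString = 'Android'; AccessLevel = 'Block' }
    [pscustomobject]@{ Characteristic = 'DeviceType'; QueryString = 'iPhone';  AccessLevel = 'Block' }
)

Get-UncoveredDeviceType -Device $sampleDevices -Rule $sampleRules |
    Format-Table -AutoSize -Wrap
```

Against a live tenant, pass `(Get-MobileDevice)` and `(Get-ActiveSyncDeviceAccessRule)` as the two arguments and review each proposed command before removing `-WhatIf`.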

Additional resources:
New-ActiveSyncDeviceAccessRule
Get-MobileDevice
Set-ActiveSyncOrganizationSettings

Blocking Outlook for iOS and Android


If you don't want users in your organization to access Exchange data with Outlook for iOS and Android, the
approach you take depends on whether you are using Azure Active Directory conditional access policies or
Exchange Online's device access policies.
Option 1: Block mobile device access using a conditional access policy
Azure Active Directory conditional access does not provide a mechanism whereby you can specifically block
Outlook for iOS and Android while allowing other Exchange ActiveSync clients. With that said, conditional access
policies can be used to block mobile device access in two ways:
Option A: Block mobile device access on both the iOS and Android platforms
Option B: Block mobile device access on a specific mobile device platform
Option A: Block mobile device access on both the iOS and Android platforms
If you want to prevent mobile device access for all users, or a subset of users, using conditional access, follow
these steps.
Create conditional access policies, with each policy either targeting all users or a subset of users via a security
group. Details are in Azure Active Directory app-based conditional access.
1. The first policy blocks Outlook for iOS and Android and other OAuth capable Exchange ActiveSync clients
from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for
Exchange Online," but for the fifth step, choose Block access.
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
Option B: Block mobile device access on a specific mobile device platform
If you want to prevent a specific mobile device platform from connecting to Exchange Online, while allowing
Outlook for iOS and Android to connect using that platform, create the following conditional access policies, with
each policy targeting all users. Details are in Azure Active Directory app-based conditional access.
1. The first policy allows Outlook for iOS and Android on the specific mobile device platform and blocks other
OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure
an Azure AD conditional access policy for Exchange Online," but for step 4a, select only the desired mobile
device platform (such as iOS) to which you want to allow access.
2. The second policy blocks the app on the specific mobile device platform and other OAuth capable Exchange
ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional
access policy for Exchange Online," but for step 4a, select only the desired mobile device platform (such as
Android) to which you want to block access, and for step 5, choose Block access.
3. The third policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with
Active Sync (EAS)."
Option 2: Block Outlook for iOS and Android using Exchange mobile device access rules
If you are managing your mobile device access via Exchange Online's device access rules, you have two options:
Option A: Block Outlook for iOS and Android on both the iOS and Android platforms
Option B: Block Outlook for iOS and Android on a specific mobile device platform
Every Exchange organization has different policies regarding security and device management. If an organization
decides that Outlook for iOS and Android doesn't meet their needs or is not the best solution for them,
administrators have the ability to block the app. Once the app is blocked, mobile Exchange users in your
organization can continue accessing their mailboxes by using the built-in mail applications on iOS and Android.
The New-ActiveSyncDeviceAccessRule cmdlet has a Characteristic parameter, and there are three Characteristic
options that administrators can use to block the Outlook for iOS and Android app. The options are UserAgent,
DeviceModel, and DeviceType. In the two blocking options described in the following sections, you will use one or
more of these characteristic values to restrict the access that Outlook for iOS and Android has to the mailboxes in
your organization.
The values for each characteristic are displayed in the following table:

CHARACTERISTIC | STRING FOR IOS | STRING FOR ANDROID
DeviceModel | Outlook for iOS and Android | Outlook for iOS and Android
DeviceType | Outlook | Outlook
UserAgent | Outlook-iOS/2.0 | Outlook-Android/2.0

Option A: Block Outlook for iOS and Android on both the iOS and Android platforms
With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule, using either the DeviceModel
or DeviceType characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all
platforms, and will prevent any device, on both the iOS platform and Android platform, from accessing an
Exchange mailbox via the app.
The following are two examples of a device access rule. The first example uses the DeviceModel characteristic; the
second example uses the DeviceType characteristic.

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block

Option B: Block Outlook for iOS and Android on a specific mobile device platform
With the UserAgent characteristic, you can define a device access rule that blocks Outlook for iOS and Android
across a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on
the platform you specify. The following examples show how to use the device-specific value for the UserAgent
characteristic.
To block Android and allow iOS:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Allow

To block iOS and allow Android:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Block

Exchange Online controls


Beyond Microsoft Intune, MDM for Office 365, and Exchange mobile device policies, you can also manage the
access that mobile devices have to information in your organization through various Exchange Online controls.
Exchange Web Services (EWS) application policies
An EWS application policy can control whether or not applications are allowed to leverage the REST API. Note
that when you configure an EWS application policy that only allows specific applications access to your messaging
environment, you must add the user-agent string for Outlook for iOS and Android to the EWS allow list.
The following example shows how to add the user-agent strings to the EWS allow list:

Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}

Exchange User controls


With the native Microsoft sync technology, administrators can control usage of Outlook for iOS and Android at
the mailbox level. By default, users are allowed to access mailbox data using Outlook for iOS and Android. The
following example shows how to disable a user's mailbox access with Outlook for iOS and Android:

Set-CASMailbox jane@contoso.com -OutlookMobileEnabled $false


Deploying Outlook for iOS and Android app configuration settings
3/29/2019 • 20 minutes to read

Summary: How to customize the behavior of Outlook for iOS and Android in your Exchange organization.
Outlook for iOS and Android supports app settings that allow administrators of Office 365 and of mobile device
management (MDM) solutions, like Intune, to customize the behavior of the app.
Outlook for iOS and Android supports the following configuration scenarios:
Account setup configuration
Organization allowed accounts mode
General app configuration settings
Data protection settings
Each configuration scenario will highlight its specific requirements; for example, whether the configuration scenario
requires device enrollment, and thus works with any MDM provider, or requires Intune App Protection Policies.

IMPORTANT
For configuration settings that require device enrollment, with Android the devices must be enrolled via an Android
Enterprise work profile and Outlook for Android must be deployed via the managed Google Play store. For more information,
please see Set up enrollment of Android work profile devices and Add app configuration policies for managed Android
devices.

App configuration scenarios


Outlook for iOS and Android offers administrators the following app configuration scenarios with enrolled devices:
Account setup configuration
Organization allowed accounts mode
General app configuration settings
These configuration scenarios only work with enrolled devices; however, any MDM provider is supported. If you
are not using Intune, you'll need to consult with your MDM documentation on how to deploy these settings. For
more information on the configuration keys, see Configuration keys.
Account setup configuration settings
Outlook for iOS and Android offers administrators the ability to “push” account configurations to their Office 365
users and to on-premises users leveraging hybrid Modern Authentication. For more information on account setup
configuration, see Account setup with modern authentication in Exchange Online.
Organization allowed accounts mode settings
Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to
only corporate accounts. For more information on organization allowed accounts mode, please see Account setup
with modern authentication in Exchange Online.
General app configuration settings
Outlook for iOS and Android offers administrators the ability to customize the default configuration for several
in-app settings.
For this first release, Outlook is supporting the following settings for configuration:

SETTING | DEFAULT APP BEHAVIOR | NOTES
Focused Inbox | On |
Require Biometrics to access the app | Off | This setting is only available for Outlook for iOS. If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts.
Save Contacts | Off | User must grant access to the native Contacts app for contact synchronization to occur.
External Recipients MailTip | On |
Block external images | Off |

Settings that are security-related in nature have an additional option, Allow user to change setting. For these
settings (Save Contacts, External recipients MailTip, Block external images, and Require Biometrics to access the
app), administrators can prevent the user from changing the app’s configuration. The administrator’s configuration
cannot be overridden.
Allow user to change setting does not change the app’s behavior. For example, if the admin enables Block
external images and prevents user change, then by default external images will not be downloaded in messages;
however, the user can manually download the images for that message body.

NOTE
The Allow user to change setting for Require Biometrics to access the app is currently only available as a configuration key.
This will be addressed in a future Intune portal update. For more information regarding the configuration key, see
Configuration keys.

The following conditions describe Outlook’s behavior when implementing various app configurations:
If the admin configures a setting with its default value, and the app is configured with the default, then the
admin’s configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on,
the default value is also on, so Outlook’s configuration doesn't change.
If the admin configures a setting with the non-default value and the app is configured with the default, then
the admin’s configuration is applied. For example, the admin sets Focused Inbox=off, but app default is on,
so Outlook’s configuration for Focused Inbox is off.
If the user has configured a non-default value, but the admin has configured a default value and allows user
choice, then Outlook retains the user’s configured value. For example, the user has enabled contact
synchronization, but the admin sets Save Contacts=off and allows user choice, so Outlook keeps contact
synchronization on and does not break caller-ID for the user.
If the admin disables user choice, Outlook always enforces the admin-defined configuration, regardless of
the user's configuration or default app configuration. For example, the user has enabled contact
synchronization, but the admin sets Save Contacts=off and disables user choice, so contact synchronization
gets disabled and the user is prevented from enabling it.
If, after the MDM configuration is applied, the user changes the setting to a value that does not match the
admin’s desired value (and user choice is allowed), then the user’s configuration is retained. For example,
Block external images is off by default and the admin sets Block external images=on, but afterwards the user
changes Block external images back to off; in this scenario, Block external images remains off the next time
the policy is applied.
Users are alerted to configuration changes via a notification toast in the app:

This notification toast will automatically dismiss after ten seconds. There are two scenarios where this notification
toast will not appear:
If the app has previously shown the notification in the last hour.
If the app was installed less than 24 hours ago.
Save Contacts
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user
interaction: the user needs to grant Outlook permissions to access the native Contacts app and the data stored
within. If the user does not grant access, then contact synchronization cannot be enabled.

NOTE
With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the
policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile;
for more information on how to assign permissions, please see Add app configuration policies for managed Android devices.
When assigning default permissions it is important to understand which Android Enterprise deployment models are in use, as
the permissions may grant access to personal data.

The workflow for enabling Save Contacts is the same for new accounts and existing accounts.
1. The user is notified that the administrator has enabled contact synchronization. In Outlook for iOS, the
notification occurs within the app, whereas in Outlook for Android, a persistent notification is delivered via
the Android notification center.

2. If the user taps on the notification, the user is prompted to grant access:
3. If the user allows Outlook to access the native Contacts app, access is granted and contact synchronization
will be enabled. If the user denies Outlook access to the native Contacts app, then the user is prompted to go
into the OS settings and enable contact synchronization:
4. In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt,
the user may later enable access by navigating to the account configuration within Outlook and tapping
Open Settings:
Deploying app configuration settings with Intune
The Intune portal enables administrators to easily deploy these settings to Outlook for iOS and Android via App
Configuration Policies.
The following steps will allow you to create an app configuration policy. After the configuration policy is created,
you can assign its settings to groups of users.
IMPORTANT
When deploying app configuration policies to managed devices, issues can occur when multiple policies have different values
for the same configuration key and are targeted for the same app and user. This is due to the lack of a conflict resolution
mechanism for resolving the differing values. You can prevent this by ensuring that only a single app configuration policy for
managed devices is defined and targeted for the same app and user.
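
Because there is no conflict resolution, it is worth checking for overlapping policies before assigning them. The following PowerShell is an added example, not part of the original documentation: the function name Find-AppConfigConflict, the policies, groups and users are constructed, and the two configuration key names are assumed from the Configuration keys reference, which is not reproduced in this section.

```powershell
# Added example: report every user who would receive two different values for the
# same configuration key in the same app from different app configuration policies.

function Find-AppConfigConflict {
    [CmdletBinding()]
    param(
        # Objects with Name, App, Groups (string[]) and Settings (hashtable of key -> value).
        [Parameter(Mandatory)] [object[]] $Policy,

        # Group name -> array of user principal names.
        [Parameter(Mandatory)] [hashtable] $GroupMembers
    )

    # Flatten to one record per (user, app, key, value, policy).
    $flat = foreach ($p in $Policy) {
        $users = $p.Groups |
            ForEach-Object { $GroupMembers[$_] } |
            Where-Object { $_ } |                 # skip groups with no known members
            Sort-Object -Unique
        foreach ($u in $users) {
            foreach ($key in $p.Settings.Keys) {
                [pscustomobject]@{
                    User   = $u
                    App    = $p.App
                    Key    = $key
                    Value  = "$($p.Settings[$key])"
                    Policy = $p.Name
                }
            }
        }
    }

    # A conflict is one user, app and key with more than one distinct value.
    $flat | Group-Object -Property User, App, Key | ForEach-Object {
        $values = @($_.Group.Value | Sort-Object -Unique)
        if ($values.Count -gt 1) {
            [pscustomobject]@{
                User     = $_.Group[0].User
                App      = $_.Group[0].App
                Key      = $_.Group[0].Key
                Policies = ($_.Group | ForEach-Object { "$($_.Policy)=$($_.Value)" }) -join '; '
            }
        }
    }
}

# Constructed sample data: two managed-device policies for the same app whose
# target groups overlap on one user.
$groupMembers = @{
    'All Staff' = @('alice@contoso.com', 'bob@contoso.com')
    'Sales'     = @('bob@contoso.com')
}

$policies = @(
    [pscustomobject]@{
        Name     = 'Outlook baseline'
        App      = 'Outlook'
        Groups   = @('All Staff')
        Settings = @{ 'com.microsoft.outlook.Mail.FocusedInbox' = $false }   # key name assumed
    }
    [pscustomobject]@{
        Name     = 'Outlook sales'
        App      = 'Outlook'
        Groups   = @('Sales')
        Settings = @{
            'com.microsoft.outlook.Mail.FocusedInbox'              = $true   # key name assumed
            'com.microsoft.outlook.Mail.BlockExternalImagesEnabled' = $true  # key name assumed
        }
    }
)

Find-AppConfigConflict -Policy $policies -GroupMembers $groupMembers |
    Format-List
```

Only the user who belongs to both groups is reported, and only for the key on which the two policies disagree; a key set by a single policy is not a conflict.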

Create an app configuration policy for Outlook for iOS and Android
1. Sign into the Azure portal.
2. Select More Services > Monitoring + Management > Intune.
3. On the Client apps blade of the Manage list, select App configuration policies.
4. On the App Configuration policies blade, choose Add.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. For Device enrollment type, choose Managed devices.
7. For Platform, choose either iOS or Android.
8. For Associated app, choose Select the required app, and then, on the Targeted apps blade, choose
Outlook.
NOTE
If Outlook is not listed as an available app, then you must add it by following the instructions in Assign apps to Android work
profile devices with Intune and Add iOS store apps to Microsoft Intune.

9. Click OK to return to the Add app configuration blade.


10. Choose Configuration Settings. On the Configuration blade, select Use configuration designer for the
Configuration settings format.
11. If you want to deploy account setup configuration, select Yes for Configure email account settings and
configure appropriately:
For Authentication type, select Modern authentication. This is required for Office 365 accounts
or on-premises accounts leveraging hybrid modern authentication.
For Username attribute from AAD, select User Principal Name.
For Email address attribute from AAD, select Primary SMTP Address.
If you want to configure Outlook for iOS and Android such that only the work or school account can
be used, select Require for Allow only work or school accounts.
12. If you want to deploy general app configuration settings, configure the desired settings accordingly:
For Focused Inbox, choose from the available options: Not configured (default), On (app default), Off.
For Require Biometrics to access the app, choose from the available options: Not configured
(default), On, Off (app default). This setting is only available in Outlook for iOS.

IMPORTANT
If the account will be protected by an Intune App Protection Policy that requires a PIN to access the protected
account, then the Require Biometrics to access the app setting should be disabled, otherwise the user will be
prompted with multiple authentication prompts when accessing the app.

For Save Contacts, choose from the available options: Not configured (default), On, Off (app default).
When selecting On or Off, administrators can choose to allow the user to change the app setting’s value.
Select Yes (app default) to allow the user to change the setting or choose No if you want to prevent the
user from changing the setting’s value.
For External recipients MailTip, choose from the available options: Not configured (default), On (app
default), Off. When selecting On or Off, administrators can choose to allow the user to change the app
setting’s value. Select Yes (app default) to allow the user to change the setting or choose No if you want
to prevent the user from changing the setting’s value.
For Block external images, choose from the available options: Not configured (default), On, Off (app
default). When selecting On or Off, administrators can choose to allow the user to change the app
setting’s value. Select Yes (app default) to allow the user to change the setting or choose No if you want
to prevent the user from changing the setting’s value.
13. When you are done, choose OK.
14. On the Add app configuration blade, choose Add.
The newly created configuration policy will be displayed on the App configuration blade.
NOTE
For Managed devices you will need to create a separate app configuration policy for each platform. Also, Outlook will need
to be installed from the Company Portal for the configuration settings to take effect.

Assign the configuration policy settings that you created


You assign the settings to groups of users in Azure Active Directory. When a user has the Microsoft Outlook app
installed, the app will be managed by the settings you have specified. To do this:
1. From the Intune blade, on the Mobile apps blade of the Manage list, select App configuration policies.
2. From the list of app configuration policies, select the one you want to assign.
3. On the next blade, choose Assignments.
4. On the Assignments blade, select the Azure AD group to which you want to assign the app configuration,
and then choose OK.

Data protection scenarios


Outlook for iOS and Android supports app configuration policies for the following data protection settings when
the app is managed by Intune:
Managing the use of wearable technology
Managing mail and calendar reminder notifications on iOS
Managing the contact fields synchronized to the native contacts app
These settings can be deployed to the app regardless of device enrollment status.
Configure Wearables for Outlook for iOS and Android
By default, Outlook for iOS and Android supports wearable technology, allowing the user to receive message
notifications and event reminders, and the ability to interact with messages and view daily calendars. Organizations
that want to disable the ability to access corporate data on wearables can deploy the following key via App
configuration policies.

KEY | VALUE | DEVICE ENROLLMENT TYPE
com.microsoft.intune.mam.areWearablesAllowed | This key specifies if Outlook data can be synchronized to a wearable device. Setting the value to false disables wearable synchronization. Accepted values: true, false. Default if not specified: true. Example: false | Managed apps

Configure Notifications for Outlook for iOS


The Apple notification architecture ensures notifications are mirrored on iOS devices and WatchOS. Which device
shows the notification depends on the device state: if the Apple Watch is unlocked and on a wrist, while the iOS
device is locked, then WatchOS will alert the user with the notification. Apple does not provide a mechanism where
you can administratively control and prevent notifications on WatchOS while still allowing them to be delivered on
iOS devices.
The following configuration settings will disable notifications completely on iOS and WatchOS. The disadvantage
is that the end user will never see new mail notifications or calendar reminders on iOS devices. The user will have
to launch Outlook for iOS in order to discover new mail or see calendar appointments.
KEY | VALUE | DEVICE ENROLLMENT TYPE
com.microsoft.outlook.Mail.NotificationsEnabled | This key specifies if Outlook will allow mail notifications. Setting the value to false disables mail notifications. Accepted values: true, false. Default if not specified: true. Example: false | Managed apps
com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed | This key specifies if the user can adjust the mail notification setting within the app. Setting the value to false prevents the user from adjusting the mail notification setting. Accepted values: true, false. Default if not specified: true. Example: false | Managed apps
com.microsoft.outlook.Calendar.NotificationsEnabled | This key specifies if Outlook will allow calendar reminder notifications. Setting the value to false disables calendar reminder notifications. Accepted values: true, false. Default if not specified: true. Example: false | Managed apps
com.microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed | This key specifies if the user can adjust the calendar reminder notification setting within the app. Setting the value to false prevents the user from adjusting the calendar reminder notification setting. Accepted values: true, false. Default if not specified: true. Example: false | Managed apps

Configure Contact Field Sync to native Contacts for Outlook for iOS and Android
The settings in the following table allow you to control the contact fields that will synchronize between Outlook on
iOS and Android and the native Contacts applications.

NOTE
Outlook for Android supports bi-directional contact synchronization. However, if a user edits a field in the native contacts app
that is restricted (such as the Notes field), then that data will not synchronize back into Outlook for Android.

KEY | VALUE | DEVICE ENROLLMENT TYPE
com.microsoft.outlook.ContactSync.AddressAllowed | This key specifies if the contact's address should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.BirthdayAllowed | This value specifies if the contact's birthday should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.CompanyAllowed | This key specifies if the contact's company name should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.DepartmentAllowed | This key specifies if the contact's department should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.EmailAllowed | This key specifies if the contact's email address should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.InstantMessageAllowed | This key specifies if the contact's instant messaging address should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.JobTitleAllowed | This key specifies if the contact's job title should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.NicknameAllowed | This key specifies if the contact's nickname should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.NotesAllowed | This key specifies if the contact's notes should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps
com.microsoft.outlook.ContactSync.PhoneHomeAllowed | This key specifies if the contact's home phone number should be synchronized to native contacts. Accepted values: true, false. Default if not specified: true. Example: true | Managed apps

com.microsoft.outlook.ContactSync.Pho This key specifies if the contact's home Managed apps


neHomeFaxAllowed fax number should be synchronized to
native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Pho This key specifies if the contact's mobile Managed apps


neMobileAllowed phone number should be synchronized
to native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Pho This key specifies if the contact's other Managed apps


neOtherAllowed phone number should be synchronized
to native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Pho This key specifies if the contact's pager Managed apps


nePagerAllowed phone number should be synchronized
to native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Pho This value specifies if the work phone Managed apps


neWorkAllowed number should be synchronized to
native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Pho This key specifies if the contact's work Managed apps


neWorkFaxAllowed fax number should be synchronized to
native contacts.
Accepted values: true, false
Default if not specified: true
Example: true

com.microsoft.outlook.ContactSync.Prefi This key specifies if the contact's name Managed apps


xAllowed prefix should be synchronized to native
contacts.
Accepted values: true, false
Default if not specified: true
Example: true
KEY VALUE DEVICE ENROLLMENT TYPE

com.microsoft.outlook.ContactSync.Suffi This key specifies if the contact's name Managed apps


xAllowed suffix should be synchronized to native
contacts.
Accepted values: true, false
Default if not specified: true
Example: true

Deploying the configuration scenarios with Microsoft Intune


If you are using Microsoft Intune as your mobile device management provider, the following steps will allow you to
create an app configuration policy. After the configuration is created, you can assign its settings to groups of users.

NOTE
Intune managed apps will check-in with an interval of 30 minutes for Intune App Configuration Policy status, when deployed
in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the
Intune App Configuration Policy check-in interval is set to 720 minutes.

Create an app configuration policy for Outlook for iOS and Android
1. Sign in to the Azure portal.
2. Select More Services > Monitoring + Management > Intune.
3. On the Client apps blade of the Manage list, select App configuration policies.
4. On the App Configuration policies blade, choose Add.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. For Device enrollment type, choose Managed apps.
7. For Associated app, choose Select the required app, and then, on the Targeted apps blade, choose
Outlook by selecting both the iOS and Android platform Outlook apps.
8. Click OK to return to the Add app configuration blade.
9. Choose Configuration Settings. On the Configuration blade, define the key and value pairs that will
supply configurations for Outlook for iOS and Android. The key and value pairs you can define are covered
in Data protection scenarios.
10. When you are done, choose OK.
11. On the Add app configuration blade, choose Add.
The newly created configuration policy will be displayed on the App configuration blade.
Assign the configuration settings that you created
You assign the settings to groups of users in Azure Active Directory. When a user has the Microsoft Outlook app
installed, the app will be managed by the settings you have specified. To do this:
1. From the Intune blade, on the Mobile apps blade of the Manage list, select App configuration policies.
2. From the list of app configuration policies, select the one you want to assign.
3. On the next blade, choose Assignments.
4. On the Assignments blade, select the Azure AD group to which you want to assign the app configuration,
and then choose OK.
Configuration keys
Account setup configuration
Outlook for iOS and Android offers administrators the ability to “push” account configurations to their Office 365
users. For more information on account setup configuration, see Account setup with modern authentication in
Exchange Online.

| KEY | VALUE | DEVICE ENROLLMENT TYPE |
| --- | --- | --- |
| com.microsoft.outlook.EmailProfile.EmailAddress | This key specifies the email address to be used for sending and receiving mail. Value type: String. Accepted values: Email address. Default if not specified: <blank>. Required: Yes. Example: user@companyname.com | Managed devices |
| com.microsoft.outlook.EmailProfile.EmailUPN | This key specifies the User Principal Name or username for the email profile that will be used to authenticate the account. Value type: String. Accepted values: UPN Address or username. Default if not specified: <blank>. Required: Yes. Example: userupn@companyname.com | Managed devices |
| com.microsoft.outlook.EmailProfile.AccountType | This key specifies the account type being configured based on the authentication model. Value type: String. Accepted values: ModernAuth. Required: Yes. Example: ModernAuth | Managed devices |

Organization allowed accounts mode settings


Outlook for iOS and Android offers administrators the ability to restrict email and storage provider accounts to
only corporate accounts. For more information on organization allowed accounts mode, please see Account setup
with modern authentication in Exchange Online.

| KEY | VALUE | PLATFORM | DEVICE ENROLLMENT TYPE |
| --- | --- | --- | --- |
| IntuneMAMAllowedAccountsOnly | This key specifies whether organization allowed account mode is active. Value type: String. Accepted values: Enabled, Disabled. Required: Yes. Value: Enabled | iOS | Managed devices |
| IntuneMAMUPN | This key specifies the User Principal Name for the account. Value type: String. Accepted values: UPN Address. Required: Yes. Example: userupn@companyname.com | iOS | Managed devices |
| com.microsoft.intune.mam.AllowedAccountUPNs | This key specifies the UPNs allowed for organization allowed account mode. Accepted values: UPN Address. Required: Yes. Example: userupn@companyname.com | Android | Managed devices |

General app configuration settings


Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-
app settings.

| KEY | VALUE | PLATFORM | DEVICE ENROLLMENT TYPE |
| --- | --- | --- | --- |
| com.microsoft.outlook.Mail.FocusedInbox | This key specifies whether Focused Inbox is enabled. Setting the value to false will disable Focused Inbox. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Auth.Biometric | This key specifies whether FaceID or TouchID is required to access the app. Setting the value to true will enable biometric access. Value type: Boolean. Accepted values: true, false. Default if not specified: false. Required: No. Example: false | iOS | Managed devices |
| com.microsoft.outlook.Auth.Biometric.UserChangeAllowed | This key specifies whether the biometric setting can be changed by the end user. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS | Managed devices |
| com.microsoft.outlook.Contacts.LocalSyncEnabled | This key specifies whether the app should sync Outlook contacts to the native Contacts app. Setting the value to true will enable contact sync. Value type: Boolean. Accepted values: true, false. Default if not specified: false. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed | This key specifies whether the contact sync setting can be changed by the end user. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled | This key specifies whether the External Recipients MailTip is enabled. Setting the value to false will disable the MailTip. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Mail.ExternalRecipientsToolTipEnabled.UserChangeAllowed | This key specifies whether the External Recipients MailTip setting can be changed by the end user. Note that at this time, there is no user configurable setting for MailTips. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Mail.BlockExternalImagesEnabled | This key specifies whether external images are blocked by default. Setting the value to true will enable blocking external images. Value type: Boolean. Accepted values: true, false. Default if not specified: false. Required: No. Example: false | iOS, Android | Managed devices |
| com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed | This key specifies whether the Block External Images setting can be changed by the end user. Value type: Boolean. Accepted values: true, false. Default if not specified: true. Required: No. Example: false | iOS, Android | Managed devices |
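The tables above pair most settings with a .UserChangeAllowed key that defaults to true, so a value set without its companion key is only a starting value that the user can change. The following added example (not part of the original documentation) lints one policy's key/value pairs against the tables for that gap, for misspelled keys, for values outside "true, false", and for keys listed under a different device enrollment type. The function names, finding labels, strict lowercase reading of the accepted values, and the sample policy are assumptions made for illustration.

```python
"""Lint an Outlook for iOS and Android app configuration against the key tables above."""

APPS, DEVICES = "Managed apps", "Managed devices"
P = "com.microsoft.outlook."
LOCK = ".UserChangeAllowed"

# key -> (default if not specified, device enrollment type), copied from the tables.
# Only two of the ContactSync.*Allowed keys are listed to keep the example short.
KEYS = {
    P + "Calendar.NotificationsEnabled": ("true", APPS),
    P + "Calendar.NotificationsEnabled" + LOCK: ("true", APPS),
    P + "ContactSync.NotesAllowed": ("true", APPS),
    P + "ContactSync.PhoneHomeAllowed": ("true", APPS),
    P + "Mail.FocusedInbox": ("true", DEVICES),
    P + "Auth.Biometric": ("false", DEVICES),
    P + "Auth.Biometric" + LOCK: ("true", DEVICES),
    P + "Contacts.LocalSyncEnabled": ("false", DEVICES),
    P + "Contacts.LocalSyncEnabled" + LOCK: ("true", DEVICES),
    P + "Mail.ExternalRecipientsToolTipEnabled": ("true", DEVICES),
    P + "Mail.ExternalRecipientsToolTipEnabled" + LOCK: ("true", DEVICES),
    P + "Mail.BlockExternalImagesEnabled": ("false", DEVICES),
    P + "Mail.BlockExternalImagesEnabled" + LOCK: ("true", DEVICES),
}

# The table notes that MailTips currently has no user-configurable setting,
# so an unlocked value there cannot be changed by the user.
NO_USER_SETTING = {P + "Mail.ExternalRecipientsToolTipEnabled"}


def effective(config):
    """Return {setting: (value, user_can_change)} for every setting with a lock key."""
    result = {}
    for key, (default, _) in KEYS.items():
        lock = key + LOCK
        if lock not in KEYS:  # lock keys themselves and settings without a companion
            continue
        user_can_change = config.get(lock, KEYS[lock][0]) == "true"
        result[key] = (config.get(key, default), user_can_change)
    return result


def audit(config, enrollment_type):
    """Return a list of (key, finding) pairs for one policy's key/value pairs."""
    findings = []
    for key, value in config.items():
        if key not in KEYS:
            findings.append((key, "unknown-key"))  # typo, or a key not in KEYS
            continue
        if value not in ("true", "false"):
            findings.append((key, "bad-value"))
        if KEYS[key][1] != enrollment_type:
            findings.append((key, "enrollment-type-mismatch"))
    for key, (_, user_can_change) in effective(config).items():
        # An admin-set value whose lock key is absent (default true) or "true"
        # is only a starting value: the user may change it in the app.
        if key in config and user_can_change and key not in NO_USER_SETTING:
            findings.append((key, "not-locked"))
    return findings


# Constructed sample policy for a "Managed devices" configuration.
SAMPLE = {
    P + "Mail.BlockExternalImagesEnabled": "true",    # set, but lock key missing
    P + "Auth.Biometric": "true",
    P + "Auth.Biometric" + LOCK: "false",             # set and locked
    P + "Contacts.LocalSyncEnabled": "False",         # not one of: true, false
    P + "ContactSync.NotesAllowed": "false",          # listed under Managed apps
    P + "Mail.BlockExternalImagesEnable": "true",     # misspelled key
}

if __name__ == "__main__":
    for key, finding in audit(SAMPLE, DEVICES):
        print(f"{finding:26} {key}")
```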
Using Outlook for iOS and Android in the Government Community Cloud
4/5/2019

Summary: How organizations in the Office 365 U.S. Government Community Cloud (GCC) can enable Outlook
for iOS and Android for their Exchange Online users.
Outlook for iOS and Android is fully architected in the Microsoft Cloud and meets the security and compliance
requirements of all United States Government customers when the mailboxes reside in Exchange Online.
For customers with Exchange Online mailboxes operating in the Government Community Cloud (GCC Moderate,
GCC High or Department of Defense), Outlook for iOS and Android leverages the native Microsoft sync
technology. This architecture is FedRAMP-compliant (defined by NIST Special Publication 800-145) and approved,
and meets GCC High and DoD requirements: DISA SRG Level 4 (GCC-High) and Level 5 (DoD), Defense Federal
Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR), which have
been approved by a third-party assessment organization and are FISMA compliant based on the NIST 800-53 rev 4.
For more information, please see the Office 365 FedRAMP System Security plan located in the FedRAMP Audit
Reports section of the Microsoft Service Trust Portal.

IMPORTANT
Customers operating in the Government Community Cloud may have user mailboxes that also reside on-premises via an
Exchange hybrid topology. Accessing on-premises mailboxes with Outlook for iOS and Android does not utilize an
architecture that is FedRAMP-compliant. For more information on this architecture, see Using Basic authentication with
Outlook for iOS and Android.

This article covers how to:


Enable Outlook for iOS and Android for Office 365 GCC customers.
Unlock non-FedRAMP compliant features, if needed.

Enabling Outlook for iOS and Android for Office 365 GCC customers
GCC (Moderate, High and Department of Defense) customers can leverage Outlook for iOS and Android without
any special configuration.
For Office 365 GCC customers who are not currently using Outlook for iOS and Android, enabling the app
requires unblocking Outlook for iOS and Android in the organization, downloading the app on users' devices, and
having end-users add their account on their devices.
1. Unblock Outlook for iOS and Android
Remove any restrictions placed within your Exchange environment that may be blocking Outlook for iOS and
Android. This means you'll need to update your Exchange Web Services application policies, your Exchange mobile
device access rules, or any relevant Azure Active Directory Conditional Access policies so that the app is no longer
blocked. See Securing Outlook for iOS and Android in Exchange Online for information about enabling Outlook as
the only mobile messaging client in an organization.
2. Download and install Outlook for iOS and Android
End users need to install the app on their devices. How the installation happens depends on whether or not the
devices are enrolled in a mobile device management (MDM) solution, such as Microsoft Intune. Users with
enrolled devices can install the app through their MDM solution, like the Intune Company Portal. Users with
devices that are not enrolled in an MDM solution can search for "Microsoft Outlook" in the Apple App Store or
Google Play Store and download it from one of those locations.

NOTE
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For
Android devices, the Intune Company Portal app is leveraged. For more information, see App-based conditional access with
Intune.

Services and features not available


By default, certain services and features of Outlook for iOS and Android are disabled automatically for the Office
365 U.S. Government Community Cloud (GCC) because they do not meet FedRAMP requirements:
In-app support: Users will not be able to submit support tickets from within the app. They should contact
their internal help desk and provide logs (via the Share Diagnostics Logs option in Setting -> Help). If
necessary, the organization's IT department can then contact Microsoft Support directly.
In-app feature requests: Users will not be able to submit in-app feature requests. Instead, users will be
directed to use Outlook Uservoice.
Multiple accounts: Only the user's Office 365 GCC account and OneDrive for Business account can be
added to a single device. Personal accounts cannot be added. Customers can use another device for personal
accounts, or an ActiveSync client from another provider.
Calendar Apps: Calendar apps (Facebook, Wunderlist, Evernote, Meetup) are not available with GCC
accounts.
Add-Ins: Add-ins are not available with GCC accounts.
Storage Providers: Only the GCC user's OneDrive for Business storage account can be added within
Outlook for iOS and Android. Third-party storage accounts (e.g., Dropbox, Box) cannot be added.
Location services: Bing location services are not available with GCC accounts. Features that rely on
location services, like Cortana Time To Leave, are also unavailable.
Favorites: Favorite folders, groups and people are not available with GCC accounts.
MailTips: The External recipients MailTip is not available with GCC accounts.
Office Lens: Office Lens technology (e.g., scanning business cards, taking pictures) included in Outlook for
iOS and Android is not available with GCC accounts.
Executing the below Exchange Online cmdlet will enable GCC Moderate customers using Outlook for iOS and
Android access to features and services that are not FedRAMP compliant:

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $false

At any time, access can be revoked by resetting the parameter back to the default value:

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $true

Changing this setting typically takes effect within an hour. As this is a tenant-based change, all Outlook for iOS
and Android users in the GCC organization will be affected.
For more information on the cmdlet, please see Set-OrganizationConfig.
Mobile access in Exchange Online
3/4/2019

Your users can access their Office 365 mailbox from a wide variety of devices: mobile phones, tablets, laptops, and
even devices such as e-readers. These devices can use Exchange ActiveSync, POP3, or IMAP4 to access Office 365
mailbox data.

Exchange ActiveSync
Exchange ActiveSync is a synchronization protocol that's optimized to work together with high-latency and
low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's
information on a server that's running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to
access their email, calendar, contacts, and tasks, and to continue to access this information while they're working
offline.
Exchange ActiveSync provides the following:
Support for HTML messages
Support for follow-up flags
Conversation grouping of email messages
Ability to synchronize or not synchronize an entire conversation
Support for viewing message reply status
Support for fast message retrieval
Meeting attendee information
Enhanced Exchange Search
PIN reset
Enhanced device security through password policies
Autodiscover for over-the-air provisioning
Support for setting automatic replies when users are away, on vacation, or out of the office
Support for task synchronization
Direct Push
Support for availability information for contacts

POP3
POP3 was designed to support offline mail processing. With POP3, email messages are removed from the server
and stored on the local POP3 client unless the client has been set to leave mail on the server. This puts the data
management and security responsibility in the hands of the user. POP3 doesn't offer advanced collaboration
features such as calendaring, contacts, and tasks.

IMAP4
IMAP4 offers offline and online access but, like POP3, IMAP4 doesn't offer advanced collaboration features such
as calendaring, contacts, and tasks.
Configure mobile phones to access email
3/4/2019

You can configure a mobile phone, such as a Windows Phone, to use Microsoft Exchange ActiveSync. You should
perform this procedure on each mobile phone in your organization.

Prerequisites
You've reviewed the manufacturer's documentation for the mobile phone you want to configure.
Exchange ActiveSync is enabled in your organization.

NOTE
For device-specific information about setting up Microsoft Exchange-based email on a phone or tablet, see Set up a mobile
device using Office 365 for business.

Configure a mobile phone to use Exchange ActiveSync


Most mobile phones and devices are capable of using Autodiscover to configure the mobile email client to use
Exchange ActiveSync. To configure an email account on most mobile phones, you'll need two pieces of information.
The user's email address
The user's password
If the mobile phone is unable to contact the Exchange server automatically through Autodiscover, you'll need to set
up the mobile phone manually. Manual setup requires the user's email address and password, as well as the
Exchange ActiveSync server name. In most organizations, the Exchange ActiveSync server name is the same as the
Outlook Web App server name without the /owa, for example, mail.contoso.com.
Windows Phone synchronization
If you're configuring a Windows Phone mobile phone to synchronize with an Exchange mailbox using Exchange
ActiveSync, only a subset of mobile device mailbox policy settings are supported. Those policy settings are detailed
in Supported Mobile Device Mailbox Policies for Windows Phones and Devices.
If you configure mobile device mailbox policy settings that are not supported for the version of Windows Phone
you're using, you must also set the AllowNonProvisionableDevices policy setting to true or create a separate
mobile device mailbox policy for Windows Phone mobile phones.
Perform a remote wipe on a mobile phone
3/4/2019

Your users carry sensitive corporate information in their pockets every day. If one of them loses their mobile
phone, your data can end up in the hands of another person. If one of your users loses their mobile phone, you can
use the Exchange admin center (EAC) or Exchange Online PowerShell to wipe their phone clean of all corporate
and user information.

NOTE
This topic also provides instructions for how to use Microsoft Outlook Web App to perform a remote wipe on a phone. The
user must be signed in to Outlook Web App to perform a remote wipe.

What do you need to know before you begin?


Estimated time to complete: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mobile devices" entry in the Clients and mobile devices permissions topic.
This procedure will clear all data on the mobile phone, including installed applications, photos, and personal
information.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to wipe a user's phone


You can use the EAC to wipe a user's phone or cancel a remote wipe that has not yet completed.
1. In the EAC, navigate to Recipients > Mailboxes.
2. Select the user, and under Mobile Devices, choose View details.
3. On the Mobile Device Details page, select the lost mobile device, and then select Wipe Data.
4. Select Save.

Use Exchange Online PowerShell to wipe a user's phone


You can use the Clear-MobileDevice cmdlet in Exchange Online PowerShell to wipe a user's phone.
The following command wipes the device named WM_TonySmith and sends a confirmation message to
admin@contoso.com.

Clear-MobileDevice -Identity WM_TonySmith -NotificationEmailAddresses "admin@contoso.com"


Use Outlook Web App to wipe a user's phone
Your users can wipe their own phone using Outlook Web App.
1. In Outlook Web App, select Settings > Phone > Mobile devices.
2. Select the mobile phone.
3. Click or tap the Wipe Device icon.

How do you know this worked?


There are several ways to verify that the remote wipe completed.
Run the Clear-MobileDevice cmdlet with the -NotificationEmailAddresses parameter configured. A
message will be sent to the supplied email address when the remote wipe has completed.
In the EAC, check the status of the mobile device. The status will change from Wipe Pending to Wipe
Successful.
In Outlook Web App, check the status of the mobile device. The status will change from Wipe Pending to
Wipe Successful.
Outlook on the web in Exchange Online
3/4/2019

By default, Outlook on the web (formerly known as Outlook Web App) is enabled in Exchange Online, and lets
users access their mailbox from almost any web browser.
For information about client access mailbox methods in Exchange Online, see Clients and mobile in Exchange
Online.

Overview of Outlook on the web


Fully supported web browsers give users access to features such as conversation view, Inbox rules, the reading
pane, and the Scheduling Assistant. Browsers that aren't fully supported can still be used, but users will see the
light version of Outlook on the web, which has fewer features.

Managing Outlook on the web


In Exchange Online, the most common Outlook on the web management tasks can be accomplished in the
Exchange admin center (EAC). All these tasks, and many others, can be accomplished by using Exchange Online
PowerShell.
Outlook on the web mailbox policies in Exchange Online
3/4/2019

In Exchange Online, Outlook on the web mailbox policies control the availability of settings and features in
Outlook on the web (formerly known as Outlook Web App). A mailbox can only have one Outlook on the web
mailbox policy applied to it. You can create different policies for different types of users in your Exchange Online
organization.
Every Exchange Online organization has a default Outlook on the web mailbox policy named OwaMailboxPolicy-
Default that's applied to all user mailboxes. You can use this policy or create additional policies as necessary to
meet the needs of your organization.
For the procedures that you can do on Outlook on the web mailbox policies, see Outlook on the web mailbox
policy procedures in Exchange Online.
Outlook on the web mailbox policy procedures in Exchange Online
3/4/2019

Create an Outlook on the web mailbox policy in Exchange Online


Apply or remove an Outlook on the web mailbox policy on a mailbox in Exchange Online
Remove an Outlook on the web mailbox policy from Exchange Online
View or configure Outlook on the web mailbox policy properties
Create an Outlook on the web mailbox policy in Exchange Online
3/4/2019

You can create Outlook on the web mailbox policies to apply settings to users in Outlook on the web (formerly
known as Outlook Web App). Outlook on the web mailbox policies are useful for applying and standardizing
settings, for example, attachment settings, for specific groups of users.
For more information about Outlook on the web mailbox policies, see Outlook Web App mailbox policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook on the web mailbox policies" entry in the Feature permissions in
Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to create an Outlook on the web mailbox policy


1. In the EAC, go to Permissions > Outlook Web App policies, and click New.
2. In the new policy window that opens, configure the following settings:
   Policy name: Enter a unique name for your policy.
   Use the check boxes to enable or disable features. By default, the most common features are displayed. To
   see all features that can be enabled or disabled, click More options.
   Note: You can configure settings for individual users by using the Set-CASMailbox cmdlet in Exchange
   Online PowerShell.
3. Click Save to save the policy.

Use Exchange Online PowerShell to create an Outlook on the web mailbox policy
In Exchange Online PowerShell, creating an Outlook on the web mailbox policy is a two-step process:
1. Create the policy by using the following syntax:
New-OwaMailboxPolicy -Name "<Unique Name>"

This example creates an Outlook on the web mailbox policy named Executives.

New-OwaMailboxPolicy -Name Executives

For detailed syntax and parameter information, see New-OwaMailboxPolicy.


2. Modify the default settings of the policy.
For more information, see Use Exchange Online PowerShell to modify Outlook on the web mailbox policies.

How do you know this worked?


To verify that you've successfully created an Outlook Web App mailbox policy:
In the EAC, click Permissions > Outlook Web App Policies, and look for your new mailbox policy.
To verify that you've successfully created an Outlook on the web mailbox policy, do either of the following steps:
In the EAC, click Permissions > Outlook Web App Policies, and verify the policy is listed. You can select
the policy and click Edit to verify the properties of the policy.
In Exchange Online PowerShell, run the following command to verify the policy is listed:

Get-OwaMailboxPolicy | Format-Table Name

In Exchange Online PowerShell, replace <Policy Name> with the name of the policy, and run the following
command to verify the settings:

Get-OwaMailboxPolicy -Identity "<Policy Name>"

Next steps
To modify an existing Outlook on the web mailbox policy, see View or configure Outlook on the web mailbox
policy properties in Exchange Online.
Apply or remove an Outlook on the web mailbox policy on a mailbox in Exchange Online
3/4/2019

Assigning an Outlook on the web mailbox policy to a mailbox controls the Outlook on the web (formerly known as
Outlook Web App) experience for the user. You can apply Outlook on the web mailbox policies to one or more
mailboxes or remove the policy assignments in the Exchange admin center (EAC) or Exchange Online PowerShell.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook on the web mailbox policies" entry in the Feature permissions in
Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Apply Outlook on the web mailbox policies to mailboxes


Use the EAC to apply an Outlook on the web mailbox policy to a mailbox
1. In the EAC, go to Recipients > Mailboxes.
2. Do one of the following steps:
   Select a mailbox and then click Edit.
      a. In the properties of the mailbox window that opens, click Mailbox features.
      b. In the Email connectivity section under Outlook on the web: Enabled, click View details.
      c. In the Outlook Web App mailbox policy window that opens, click Browse to find
         and select the policy to apply, and then click OK when you're finished. By default, the default
         policy named OwaMailboxPolicy-Default is applied.
      d. When you're finished, click Save multiple times.
   Select multiple mailboxes.
      1. In the Details pane, find Outlook on the web and click Assign a policy.
      2. In the bulk assign window that opens, click Browse to find and select the policy to apply, and then
         click OK when you're finished.
      3. When you're finished, click Save.
Use Exchange Online PowerShell to apply an Outlook on the web mailbox policy to a mailbox
There are three basic methods you can use to apply an Outlook on the web mailbox policy to mailboxes:
Individual mailboxes: Use the following syntax:

Set-CasMailbox -Identity <MailboxIdentity> -OwaMailboxPolicy "<Policy Name>"

This example applies the Outlook on the web mailbox policy named Sales Associates to tony@contoso.com.

Set-CASMailbox -Identity tony@contoso.com -OwaMailboxPolicy "Sales Associates"

Filter mailboxes by attributes: This method requires that the mailboxes all share a unique filterable
attribute. For example:
Title, Department, or address information for user accounts as seen by the Get-User cmdlet.
CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the Get-Mailbox cmdlet.
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the
policy to the mailboxes):

$<VariableName> = <Get-User | Get-Mailbox> -ResultSize unlimited -Filter <Filter>

$<VariableName> | foreach {Set-CasMailbox -Identity $_.MicrosoftOnlineServicesID -OwaMailboxPolicy "<Policy Name>"}

This example assigns the policy named Managers and Executives to all mailboxes whose Title attribute
contains "Manager" or "Executive".

$Mgmt = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Manager*' -or Title -like '*Executive*')}

$Mgmt | foreach {Set-CasMailbox -Identity $_.MicrosoftOnlineServicesID -OwaMailboxPolicy "Managers and Executives"}

Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com

tjohnston@contoso.com

kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):

$<VariableName> = Get-Content "<text file>"

$<VariableName> | foreach {Set-CasMailbox -Identity $_ -OwaMailboxPolicy "<Policy Name>"}


This example assigns the policy named Managers and Executives to the mailboxes specified in the file C:\My
Documents\Management.txt.

$Mgrs = Get-Content "C:\My Documents\Management.txt"

$Mgrs | foreach {Set-CasMailbox -Identity $_ -OwaMailboxPolicy "Managers and Executives"}

For detailed syntax and parameter information, see Set-CASMailbox.


How do you know this worked?
To verify that you've applied an Outlook on the web mailbox policy to a mailbox, use any of the following steps:
In the EAC, go to Recipients > Mailboxes and select the mailbox. In the Details pane, go to Email
Connectivity, click View details, and verify the name of the policy in the Outlook Web App mailbox
policy window that appears.
In the EAC, go to Recipients > Mailboxes, select the mailbox, and click Edit . In the properties of the
mailbox window that opens, click Mailbox features. In the Email connectivity section under Outlook on
the web: Enabled, click View details, and verify the name of the policy in the Outlook Web App mailbox
policy window that appears.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the value of the OwaMailboxPolicy
property:

Get-CasMailbox -Identity "<MailboxIdentity>" | Format-List OwaMailboxPolicy

In Exchange Online PowerShell, run the following command to verify the value of the OwaMailboxPolicy
property for all mailboxes:

Get-CasMailbox -ResultSize unlimited | Format-Table Name,OwaMailboxPolicy -Auto
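
The verification above, scripted for the text-file method, as an added example that is not part of the original documentation. Test-OwaPolicyAssignment is a hypothetical helper and the sample rows are constructed; it assumes each row exposes PrimarySmtpAddress and OwaMailboxPolicy the way Get-CasMailbox output does. It also reports mailboxes that hold the policy without being on the list.

```powershell
# Added example (not Microsoft's code). Test-OwaPolicyAssignment is a hypothetical helper.
function Test-OwaPolicyAssignment {
    [CmdletBinding()]
    param(
        # Lines from the text file, as returned by Get-Content (blank lines tolerated).
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Account,
        # Policy that every listed account should have.
        [Parameter(Mandatory)] [string] $ExpectedPolicy,
        # Rows shaped like Get-CasMailbox output (assumed: PrimarySmtpAddress, OwaMailboxPolicy).
        [Parameter(Mandatory)] [object[]] $CasMailbox
    )

    # Normalize the list: trim whitespace, drop blank lines, remove duplicates.
    $wanted = @($Account | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)

    # Index the mailbox rows by address. PowerShell hashtable keys are case-insensitive.
    $byAddress = @{}
    foreach ($row in $CasMailbox) { $byAddress[[string]$row.PrimarySmtpAddress] = $row }

    # 1. Every listed account must exist and carry the expected policy.
    foreach ($address in $wanted) {
        $row    = $byAddress[$address]
        $actual = if ($row) { [string]$row.OwaMailboxPolicy } else { $null }
        $status = if (-not $row) { 'MailboxNotFound' }
                  elseif (-not $actual) { 'NoPolicyAssigned' }
                  elseif ($actual -eq $ExpectedPolicy) { 'OK' }
                  else { 'DifferentPolicy' }
        [pscustomobject]@{ Account = $address; Policy = $actual; Status = $status }
    }

    # 2. No mailbox outside the list should carry the policy.
    foreach ($row in $CasMailbox) {
        $address = [string]$row.PrimarySmtpAddress
        if ([string]$row.OwaMailboxPolicy -eq $ExpectedPolicy -and $wanted -notcontains $address) {
            [pscustomobject]@{ Account = $address; Policy = $ExpectedPolicy; Status = 'NotOnList' }
        }
    }
}

# Constructed sample input: text-file lines (with a stray space and a blank line)
# and rows shaped like Get-CasMailbox output.
$list = 'akol@contoso.com', ' tjohnston@contoso.com', '', 'kakers@contoso.com', 'nobody@contoso.com'
$rows = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'akol@contoso.com';      OwaMailboxPolicy = 'Managers and Executives' }
    [pscustomobject]@{ PrimarySmtpAddress = 'tjohnston@contoso.com'; OwaMailboxPolicy = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'kakers@contoso.com';    OwaMailboxPolicy = 'Sales Associates' }
    [pscustomobject]@{ PrimarySmtpAddress = 'tony@contoso.com';      OwaMailboxPolicy = 'Managers and Executives' }
)

Test-OwaPolicyAssignment -Account $list -ExpectedPolicy 'Managers and Executives' -CasMailbox $rows |
    Format-Table -AutoSize
```

In a connected session, pass the output of Get-Content for the text file as -Account and the output of Get-CasMailbox -ResultSize unlimited as -CasMailbox.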

Remove Outlook on the web mailbox policy assignments from mailboxes


Use the EAC to remove an Outlook on the web mailbox policy assignment from a mailbox
1. In the EAC, go to Recipients > Mailboxes, and select the mailbox that you want to modify.
2. Scroll down in the details pane to Email Connectivity and click View details.
If a mailbox policy has been assigned, click Clear X to remove the policy assignment from the mailbox.
3. When you're finished, click Save to save.
Use Exchange Online PowerShell to remove an Outlook on the web mailbox policy assignment from a mailbox
To remove the policy assignment from the mailbox, use the following syntax:

Set-CasMailbox -Identity "<MailboxIdentity>" -OwaMailboxPolicy $null

This example removes the Outlook on the web mailbox policy from the mailbox of the user tony@contoso.com.

Set-CASMailbox -Identity tony@contoso.com -OwaMailboxPolicy $null

For detailed syntax and parameter information, see Set-CASMailbox.


How do you know this worked?
To verify that you've removed an Outlook on the web mailbox policy assignment from a mailbox, use any of the
following steps:
In the EAC, go to Recipients > Mailboxes and select the mailbox. In the Details pane, go to Email
Connectivity, click View details, and verify the policy is blank in the Outlook Web App mailbox policy
window that appears.
In the EAC, go to Recipients > Mailboxes. In the properties of the mailbox window that opens, click
Mailbox features. In the Email connectivity section under Outlook on the web: Enabled, click View
details, and verify the policy is blank in the Outlook Web App mailbox policy window that appears.
In Exchange Online PowerShell, replace <MailboxIdentity> with the name, alias, email address, or account
name of the mailbox, and run the following command to verify the value of the OwaMailboxPolicy
property:

Get-CasMailbox -Identity "<MailboxIdentity>" | Format-List OwaMailboxPolicy

In Exchange Online PowerShell, run the following command to verify the value of the OwaMailboxPolicy
property:

Get-CasMailbox -ResultSize unlimited | Format-Table Name,OwaMailboxPolicy -Auto


Remove an Outlook on the web mailbox policy from Exchange Online
3/4/2019 • 2 minutes to read

You can remove a Microsoft Outlook on the web mailbox policy from an Exchange organization by using either the
Exchange admin center (EAC) or Exchange Online PowerShell.
Note: Don't remove the built-in mailbox policy named OwaMailboxPolicy-Default.
For additional management tasks related to Outlook on the web mailbox policies, see Outlook on the web mailbox
policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook on the web mailbox policies" entry in the Feature permissions in
Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to remove an Outlook on the web mailbox policy


1. In the EAC, go to Permissions > Outlook Web App policies, select the policy that you want to remove,
and then click Delete .
2. In the confirmation window that appears, click Yes to remove the mailbox policy, or click No to cancel.

Use Exchange Online PowerShell to remove an Outlook on the web mailbox policy


To remove an Outlook on the web mailbox policy, use the following syntax:

Remove-OwaMailboxPolicy -Identity "<Policy Name>"

This example removes the Outlook on the web mailbox policy named Sales Associates.

Remove-OwaMailboxPolicy -Identity "Sales Associates"

For detailed syntax and parameter information, see Remove-OwaMailboxPolicy.


How do you know this worked?
To verify that you've successfully removed an Outlook on the web mailbox policy, do any of the following steps:
In the EAC, go to Permissions > Outlook Web App policies and verify the policy is no longer listed.
In Exchange Online PowerShell, run the following command to verify the policy is no longer listed:

Get-OwaMailboxPolicy
View or configure Outlook on the web mailbox policy properties in Exchange Online
3/4/2019 • 3 minutes to read

After you create an Outlook on the web mailbox policy, you can configure a variety of options to control the
features available to users in Outlook on the web (formerly known as Outlook Web App). For example, you can
enable or disable Inbox rules or create a list of allowed file types for attachments.
For more information about Outlook on the web mailbox policies, see Outlook Web App mailbox policies.

What do you need to know before you begin?


Estimated time to complete each procedure: 3 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Outlook on the web mailbox policies" entry in the Feature permissions in
Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange Online. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use the EAC to view or configure Outlook on the web mailbox policies
1. In the EAC, go to Permissions > Outlook Web App policies and select the policy that you want to view
or configure.
2. The Details pane shows the enabled features in the policy. To see more information, click Edit. In the
properties window that opens you can view and configure the following settings:
On the General tab, you can view and edit the name of the policy.
On the Features tab, use the check boxes to enable or disable features. By default, the most common
features are displayed. To see all features that can be enabled or disabled, click More options.
Note: You can configure settings for individual users by using the Set-CASMailbox cmdlet in Exchange
Online PowerShell.
On the File Access tab, use the Direct file access check boxes to configure the file access and viewing
options for users. File access lets a user open or view the contents of files attached to an email message.
File access can be controlled based on whether a user has signed in on a public or private computer. The
option for users to select private computer access or public computer access is available only when you're
using forms-based authentication. All other forms of authentication default to private computer access.
On the Offline access tab, use the option buttons to configure offline access availability.
3. When you're finished, click Save to update the policy.

Use Exchange Online PowerShell to modify Outlook on the web mailbox policies


To modify an Outlook on the web mailbox policy, use the following syntax:

Set-OwaMailboxPolicy -Identity "<Policy Name>" [Settings]

This example enables calendar access in the default mailbox policy.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -CalendarEnabled $true

For detailed syntax and parameter information, see Set-OwaMailboxPolicy.

Use Exchange Online PowerShell to view Outlook on the web mailbox policies


To view an Outlook on the web mailbox policy, use the following syntax:

Get-OwaMailboxPolicy [-Identity "<Policy Name>"]

This example returns a summary list of all policies in the organization.

Get-OwaMailboxPolicy | Format-Table Name

This example retrieves detailed information for the policy named Executives.

Get-OwaMailboxPolicy -Identity Executives

For detailed syntax and parameter information, see Get-OwaMailboxPolicy.

How do you know this worked?


To verify that you've successfully modified an Outlook on the web mailbox policy, do either of the following steps:
In the EAC, click Permissions > Outlook Web App Policies, select the policy, click Edit, and verify the
properties of the policy.
In Exchange Online PowerShell, replace <Policy Name> with the name of the policy, and run the following
command to verify the settings:

Get-OwaMailboxPolicy -Identity "<Policy Name>"


Public attachment handling in Exchange Online
3/20/2019 • 6 minutes to read

As an admin, you can set up both private and public attachment handling in Outlook on the web (formerly known
as Outlook Web App) depending on how you configure your Outlook on the web mailbox policies. The settings for
private (internal) and public (external) networks define how users can open, view, send, or receive attachments
depending on whether a user is signed in to Outlook on the web on a computer that is part of a private or of a
public network.

How can I control public attachment handling?


Although Outlook on the web mailbox policies have both private (internal network) and public (external network)
settings to control attachments, admins require more consistent and reliable attachment handling when a user signs
in to Outlook on the web from a computer on a public network, such as at a coffee shop or library. To enforce
attachment handling from external networks for an entire organization in Exchange Online, first use the
Set-OrganizationConfig cmdlet to set the PublicComputersDetectionEnabled parameter to $true, then configure the
correct Outlook on the web mailbox policy by using either the Exchange admin center (EAC) or the
Set-OwaMailboxPolicy cmdlet, and create claim rules in AD FS. Enabling this setting on the Set-OrganizationConfig
cmdlet and creating the claim rules enables Exchange Online to tell whether a user is signing in to Outlook on the
web from a private or a public network or computer.
The Outlook on the web mailbox policy parameters in the following table should be set to $true to enable an
admin to control attachment handling for public computers and networks.

PARAMETER*: DirectFileAccessOnPublicComputersEnabled
DESCRIPTION: Specifies left-click and other options available for attachments when the user has signed in to
Outlook on the web from a computer outside of a private or corporate network. If this parameter is set to $true,
Open and other options are available. If it's set to $false, the Open option is disabled.

PARAMETER*: ForceWacViewingFirstOnPublicComputers
DESCRIPTION: Specifies whether a user who signed in to Outlook on the web from a computer outside of a private or
corporate network can open an Office file directly without first viewing it as a webpage.

PARAMETER*: ForceWebReadyDocumentViewingFirstOnPublicComputers
DESCRIPTION: Specifies whether a user who has signed in to Outlook on the web can open a document directly without
first viewing it as a webpage.

PARAMETER*: WacViewingOnPublicComputersEnabled
DESCRIPTION: Specifies whether a user who has signed into Outlook on the web from a computer outside of the
corporate network can view supported Office files using Outlook on the web.

PARAMETER*: WebReadyDocumentViewingOnPublicComputersEnabled
DESCRIPTION: Specifies whether WebReady Document Viewing is enabled when the user has signed in from a computer
outside of the corporate network.

What do you need to know before you begin?


Procedures in this topic require specific permissions. See each procedure for its permissions information.
Create one or more mailboxes for users.
Enable Outlook on the web on a user's mailbox if it has been disabled.
Verify that cookies have been enabled in the Web browser for all of the users in your organization.
Set up and configure single sign on using AD FS:
Checklist: Use AD FS to implement and manage single sign-on
Setting Up Single Sign On with Office 365 using AD FS 2.0
Configure single sign on
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online
PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Task 1 - Enable public attachment handling for your organization


Run the following command:

Set-OrganizationConfig -PublicComputersDetectionEnabled $true

Note: Setting this parameter to $true won't affect the settings for the following parameters:
ForceWacViewingFirstOnPublicComputers
WSSAccessOnPublicComputersEnabled
UNCAccessOnPublicComputersEnabled

Task 2 - Add and create claim rules in AD FS 2.0


You must create a custom claim rule because an AD FS server relies on the presence of the x-ms-proxy claim to
detect whether a user is coming from an internal or external network. When an AD FS proxy is deployed for external
or public access and the user is coming from outside a private network, the AD FS proxy sends an x-ms-proxy claim
to the AD FS server. To learn more about claim rules in AD FS, see Create a Rule to Send Claims
Using a Custom Rule.
1. On the Start Screen, type AD FS Management, and then press Enter.
2. In the AD FS console tree, under AD FS\Trust Relationships > Relying Party Trusts, select O365
Identity Platform.
3. In O365 Identity Platform, click Edit Claim Rules > Add Rule > Issuance Transform Rules.
4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom
Rule from the list, and then click Next.
5. On the Configure Rule page, under Claim rule name, type the display name for this rule.
6. Under Custom rule, input the following:
exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type
= "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");

7. Next, input the following:


NOT exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) =>
issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");

8. Click Finish.
9. In the Edit Claim Rules dialog box, click OK to save the rule.

Task 3 - Enable public attachment handling on an Outlook on the web mailbox policy


Use EAC to enable public attachment handling settings
1. In the EAC, click Permissions > Outlook on the web policies.
2. In the result pane, click the mailbox policy you want to view or configure, and click Edit.
3. On File Access, use the check boxes to configure the file access and viewing options for users. File access
lets a user open or view the contents of files attached to an email message.
File access can be controlled based on whether a user has logged on to a public or private computer. The
option for users to select private computer access or public computer access is available only when you're
using forms-based authentication. All other forms of authentication default to private computer access.
Direct file access: Select this check box if you want to enable direct file access. Direct file access lets users
open files attached to email messages.
WebReady Document Viewing: Select this check box if you want to enable supported documents to be
converted to HTML and displayed in a web browser.
Force WebReady Document Viewing when a converter is available: Select this check box if you want
to force documents to be converted to HTML and displayed in a web browser before users can open them
in the viewing application. Documents can be opened in the viewing application only if direct file access has
been enabled.
4. Click Save to update the policy.
Use Exchange Online PowerShell to enable public attachment handling settings
Run the following command:

Set-OwaMailboxPolicy -Identity MyOWAPublicPolicy -DirectFileAccessOnPublicComputersEnabled $true -ForceWacViewingFirstOnPublicComputers $true -WacViewingOnPublicComputersEnabled $true -WebReadyDocumentViewingOnPublicComputersEnabled $true
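
To check Tasks 1 and 3 across every policy at once, the following added example (not Microsoft's code) reports which of the five parameters from the table are not $true and flags policies that allow Office files to be opened directly on public computers without viewing them first. Get-PublicAttachmentExposure is a hypothetical helper, the sample policies are constructed, and it assumes the rows carry the same property names as the Set-OwaMailboxPolicy parameters.

```powershell
# Added example (not Microsoft's code). Get-PublicAttachmentExposure is a hypothetical helper.
function Get-PublicAttachmentExposure {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-OwaMailboxPolicy output (assumed property names).
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Policy,
        # Value of PublicComputersDetectionEnabled from Get-OrganizationConfig (Task 1).
        [Parameter(Mandatory)] [bool] $PublicComputersDetectionEnabled
    )
    begin {
        # The five parameters the table says should be $true.
        $tableParameters = @(
            'DirectFileAccessOnPublicComputersEnabled'
            'ForceWacViewingFirstOnPublicComputers'
            'ForceWebReadyDocumentViewingFirstOnPublicComputers'
            'WacViewingOnPublicComputersEnabled'
            'WebReadyDocumentViewingOnPublicComputersEnabled'
        )
    }
    process {
        # Parameters from the table that are missing or not $true on this policy.
        $notTrue = @($tableParameters | Where-Object { $Policy.$_ -ne $true })

        # Direct file access is on, but viewing as a webpage first is not forced.
        $directOpen = ($Policy.DirectFileAccessOnPublicComputersEnabled -eq $true) -and
                      ($Policy.ForceWacViewingFirstOnPublicComputers -ne $true)

        [pscustomobject]@{
            Policy                  = $Policy.Name
            DetectionEnabled        = $PublicComputersDetectionEnabled
            DirectOpenOfOfficeFiles = $directOpen
            NotTrue                 = $notTrue -join ', '
            MatchesTable            = $PublicComputersDetectionEnabled -and ($notTrue.Count -eq 0)
        }
    }
}

# Constructed sample policies. MyOWAPublicPolicy mirrors the Task 3 command, which
# leaves ForceWebReadyDocumentViewingFirstOnPublicComputers unset (assumed $false here).
$policies = @(
    [pscustomobject]@{
        Name = 'MyOWAPublicPolicy'
        DirectFileAccessOnPublicComputersEnabled           = $true
        ForceWacViewingFirstOnPublicComputers              = $true
        ForceWebReadyDocumentViewingFirstOnPublicComputers = $false
        WacViewingOnPublicComputersEnabled                 = $true
        WebReadyDocumentViewingOnPublicComputersEnabled    = $true
    }
    [pscustomobject]@{
        Name = 'Sales Associates'
        DirectFileAccessOnPublicComputersEnabled           = $true
        ForceWacViewingFirstOnPublicComputers              = $false
        ForceWebReadyDocumentViewingFirstOnPublicComputers = $false
        WacViewingOnPublicComputersEnabled                 = $true
        WebReadyDocumentViewingOnPublicComputersEnabled    = $true
    }
)

$policies | Get-PublicAttachmentExposure -PublicComputersDetectionEnabled $true |
    Format-List
```

In a connected session, pipe Get-OwaMailboxPolicy into the function and pass (Get-OrganizationConfig).PublicComputersDetectionEnabled for the organization setting.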

What do you need to know about attachments?


An attachment can be a file that's created in any program, for example, a Word document, an Excel spreadsheet, a
.wav file, or a bitmap file. Users can attach or include one or more files on any item that they create in their mailbox,
for example, an email message, calendar item, or contact. Outlook on the web allows you to send and receive many
common file types. Continuously
Some attachments might be removed or blocked by antivirus software used by your organization, by the
organization of the recipients of your email, or you might be required to save them on your computer before you
can open them. By default, Outlook on the web allows you to open attached Word, Excel, PowerPoint, text files and
many media files directly. The files you can open from Outlook on the web vary depending on your account
settings. The following list describes the default file name extensions that you can open in Outlook on the web.
File name extensions allowed by default:
.avi
.bmp
.doc
.docm
.docx
.gif
.jpeg
.mp3
.one
.pdf
.png
.ppsm
.ppsx
.ppt
.pptm
.pptx
.pub
.rpmsg
.rtf
.tif
.txt
.vsd
.wav
.wma
.wmv
.xls
.xlsb
.xlsm
.xlsx
Modify the space used by Inbox rules in Exchange Online
3/4/2019 • 3 minutes to read

Inbox rules in Outlook on the web (formerly known as Outlook Web App) and Outlook are limited to 256 KB total
for all rules. Each rule you create will take up space in your mailbox. The actual amount of space a rule uses
depends on several factors, such as how long the name is and how many conditions you've applied. When you
reach the 256 KB limit, you'll be warned that you can't create any more rules or that you can't update a rule. You
can't increase the amount of space that's allocated to store Inbox rules in Exchange Online, but you can decrease it
to suit your business needs.
Notes:
The valid range for the Inbox rules quota is 32 KB to 256 KB.
There isn't a maximum number of rules that users can create.
The quota for Inbox rules applies only to enabled rules. There's no restriction on the number of disabled
rules that a mailbox can have. However, the total size of rules that are enabled or active in the mailbox can't
exceed the quota value.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes or less.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Mailbox settings" entry in the Feature permissions in Exchange Online topic.
You can only use Exchange Online PowerShell to perform the procedure in this topic. To connect to
Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to modify the limit for Inbox rules
There are three basic methods you can use to modify the rules quota for a mailbox:
Individual mailboxes: Use the following syntax:

Set-Mailbox -Identity <MailboxIdentity> -RulesQuota "<32 KB to 256 KB>"

This example decreases the rules quota to 200 KB for the user douglas@contoso.com.

Set-Mailbox -Identity douglas@contoso.com -RulesQuota "200 KB"

Filter mailboxes by attributes: This method requires that the mailboxes all share a unique filterable
attribute. For example:
Title, Department, or address information for user accounts as seen by the Get-User cmdlet.
CustomAttribute1 through CustomAttribute15 for mailboxes as seen by the Get-Mailbox cmdlet.
The syntax uses the following two commands (one to identify the mailboxes, and the other to apply the rules
quota to the mailboxes):

$<VariableName> = <Get-User | Get-Mailbox> -ResultSize unlimited -Filter <Filter>

$<VariableName> | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -RulesQuota "<32 KB to 256 KB>"}

This example decreases the rules quota to 32 KB for all mailboxes whose Title attribute contains "Vendor" or
"Contractor".

$V = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Vendor*' -or Title -like '*Contractor*')}

$V | foreach {Set-Mailbox -Identity $_.MicrosoftOnlineServicesID -RulesQuota "32 KB"}

Use a list of specific mailboxes: This method requires a text file to identify the mailboxes. Values that
don't contain spaces (for example, the user account) work best. The text file must contain one user account
on each line like this:
akol@contoso.com

tjohnston@contoso.com

kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
rules quota to those users):

$<VariableName> = Get-Content "<text file>"

$<VariableName> | foreach {Set-Mailbox -Identity $_ -RulesQuota "<32 KB to 256 KB>"}

This example decreases the rules quota to 150 KB for the mailboxes specified in the file C:\My
Documents\Junior Managers.txt.

$Jr = Get-Content "C:\My Documents\Junior Managers.txt"

$Jr | foreach {Set-Mailbox -Identity $_ -RulesQuota "150 KB"}

How do you know this worked?


To verify that you've modified the Inbox rules quota on a mailbox, use any of the following steps in Exchange
Online PowerShell:
Replace <MailboxIdentity> with the name, alias, email address, or account name of the mailbox, and run the
following command to verify the value of the RulesQuota property:

Get-Mailbox -Identity "<MailboxIdentity>" | Format-List RulesQuota

Run the following command to verify the value of the RulesQuota property for all mailboxes:

Get-Mailbox -ResultSize unlimited | Format-Table Name,RulesQuota -Auto
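
The all-mailboxes check above can be turned into a pass/fail report against an intended quota, for example the 32 KB set for vendor and contractor mailboxes. This is an added example, not Microsoft's code: ConvertTo-RulesQuotaKB and Test-RulesQuota are hypothetical helpers, the sample rows are constructed, and the "64 KB (65,536 bytes)" display form is an assumption about how RulesQuota appears in a remote session.

```powershell
# Added example (not Microsoft's code). Both functions are hypothetical helpers.
function ConvertTo-RulesQuotaKB {
    param([Parameter(Mandatory)] [string] $Value)
    # Assumed display form in a remote session: "64 KB (65,536 bytes)".
    if ($Value -match '\(([\d,]+) bytes\)') {
        return [int](([long]($Matches[1] -replace ',', '')) / 1KB)
    }
    # Form used with -RulesQuota in this topic: "200 KB".
    if ($Value -match '^\s*(\d+)\s*KB\s*$') { return [int]$Matches[1] }
    throw "Unrecognized RulesQuota value: '$Value'"
}

function Test-RulesQuota {
    [CmdletBinding()]
    param(
        # Rows shaped like Get-Mailbox output (Name, RulesQuota).
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Mailbox,
        # Intended quota. The topic gives 32 KB to 256 KB as the valid range.
        [Parameter(Mandatory)] [ValidateRange(32, 256)] [int] $TargetKB
    )
    process {
        $kb = $null
        try {
            $kb = ConvertTo-RulesQuotaKB -Value ([string]$Mailbox.RulesQuota)
        } catch {
            # Leave $kb as $null so the row is reported as Unparsed instead of stopping the run.
        }

        $status = if ($null -eq $kb) { 'Unparsed' }
                  elseif ($kb -lt 32 -or $kb -gt 256) { 'OutOfRange' }
                  elseif ($kb -gt $TargetKB) { 'AboveTarget' }
                  else { 'AtOrBelowTarget' }

        [pscustomobject]@{
            Name         = $Mailbox.Name
            RulesQuota   = $Mailbox.RulesQuota
            RulesQuotaKB = $kb
            TargetKB     = $TargetKB
            Status       = $status
        }
    }
}

# Constructed sample rows shaped like Get-Mailbox output.
$mailboxes = @(
    [pscustomobject]@{ Name = 'Vendor A';     RulesQuota = '32 KB (32,768 bytes)' }
    [pscustomobject]@{ Name = 'Contractor B'; RulesQuota = '256 KB (262,144 bytes)' }
    [pscustomobject]@{ Name = 'Contractor C'; RulesQuota = '150 KB' }
    [pscustomobject]@{ Name = 'Vendor D';     RulesQuota = '' }
)

# Show only the mailboxes that still need attention for a 32 KB target.
$mailboxes | Test-RulesQuota -TargetKB 32 |
    Where-Object { $_.Status -ne 'AtOrBelowTarget' } |
    Format-Table Name, RulesQuota, RulesQuotaKB, Status -AutoSize
```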

What else do I need to know?


Inbox rules are run from top to bottom in the order in which they appear in the Rules window. To change
the order of rules, click the rule you want to move, and then click the up or down arrow to move the rule to
the position you want in the list.
When you create a forwarding rule, you can add more than one address to forward to. The number of
addresses you can forward to may be limited, depending on the settings for your account. If you add more
addresses than are allowed, your forwarding rule won't work. If you create a forwarding rule with more than
one address, test it to be sure it works.
MailTips
3/29/2019 • 9 minutes to read

MailTips are informative messages displayed to users while they're composing a message. Microsoft Exchange
Server analyzes the message, including the list of recipients to which it's addressed, and if it detects a potential
problem, it notifies the user with MailTips prior to sending the message. With the help of the information provided
by MailTips, senders can adjust the message they're composing to avoid undesirable situations or non-delivery
reports (NDRs).

How MailTips work


MailTips are implemented as a web service in Exchange. When a sender is composing a message, the client
software makes an Exchange web service call to the Client Access server to get the list of MailTips. The server
responds with the list of MailTips that apply to that message, and the client software displays the MailTips to the
sender.
The following unproductive messaging scenarios are common in any messaging environment:
NDRs resulting from messages that violate restrictions configured in an organization such as message size
restrictions or maximum number of recipients per message.
NDRs resulting from messages sent to recipients that don't exist, recipients that are restricted, or users
whose mailboxes are full.
Sending messages to users with Automatic Replies configured.
All of these scenarios involve the user sending a message, expecting it to be delivered, and instead receiving a
response stating that the message isn't delivered. Even in the best-case scenario, like the automatic reply, these
events result in lost productivity. In the case of an NDR, this scenario could result in a costly call to the Help desk.
There are also several scenarios where sending a message won't result in an error, but can have undesirable, even
embarrassing consequences:
Messages sent to extremely large distribution groups.
Messages sent to inappropriate distribution groups.
Messages inadvertently sent to recipients outside your organization.
Selecting Reply to All to a message that was received as a Bcc recipient.
All of these problematic scenarios can be mitigated by informing users of the possible outcome of sending the
message as they're composing the message. For example, if senders know that the size of the message they're
trying to send exceeds the corporate policy, they won't attempt to send the message. Similarly, if senders are
notified that the message they're sending will be delivered to people outside the organization, they're more likely
to ensure that the content and the tone of the message are appropriate.
The following messaging clients support MailTips:
Outlook Web App
Microsoft Outlook 2010 or later

MailTips in Exchange
The following table lists the available MailTips in Exchange Server.

MAILTIP AVAILABILITY SCENARIO

Invalid Internal Recipient Outlook The Invalid Internal Recipient MailTip is


displayed if the sender adds a recipient
that appears to be internal to the
organization but doesn't exist.
This could happen if the sender
addresses a message to a user who is
no longer with the company but whose
address resolves due to name
resolution cache or an entry in the
sender's Contacts folder. It can also
happen if the sender types an SMTP
address with a domain for which
Exchange is authoritative and the
address doesn't resolve to an existing
recipient.
The MailTip indicates the invalid
recipient and gives the sender the
option to remove the recipient from the
message.

Mailbox Full Outlook The Mailbox Full MailTip is displayed if


Outlook Web App the sender adds a recipient whose
mailbox is full and your organization
has implemented a Prohibit Receive
restriction for mailboxes over a specified
size.
The MailTip indicates the recipient
whose mailbox is full and gives the
sender the option to remove the
recipient from the message.
The MailTip is accurate at the time of
display. If the message isn't immediately
sent, the MailTip is updated every two
hours. This also applies to messages
that were saved in the Drafts folder and
reopened after two hours.
MAILTIP AVAILABILITY SCENARIO

Automatic Replies Outlook The Automatic Replies MailTip is


Outlook Web App displayed if the sender adds a recipient
who has turned on Automatic Replies.
The MailTip indicates the recipient has
Automatic Replies turned on and also
displays the first 175 characters of the
automatic reply configured by the
recipient.
The MailTip is accurate at the time of
display. If the message isn't immediately
sent, the MailTip is updated every two
hours. This also applies to messages
that were saved in the Drafts folder and
reopened after two hours.
If part of your user mailboxes are
hosted on Exchange Online and you're
in a coexistence with Exchange Online
scenario, the setting on the remote
domain object that represents the
remote part of your organization has a
direct effect on how this MailTip is
processed.
In Exchange Server, users can configure
different Automatic Replies for internal
and external senders. If the remote
domain is configured as an internal
domain (by setting the IsInternal
parameter on the remote domain
object to $true ), the internal
automatic reply is returned to all users
in the organization regardless of where
their mailbox resides. However, if the
remote domain isn't configured as an
internal domain, the internal automatic
reply is returned to all users whose
mailboxes are in the local domain and
the external automatic reply is returned
to users whose mailboxes are in the
remote domain.

Custom Outlook A custom MailTip is displayed if the


Outlook Web App sender adds a recipient for whom a
customized MailTip is configured.
A custom MailTip can be useful for
providing specific information about a
recipient. For example, you can create a
custom MailTip for a distribution group
explaining its purpose to reduce its
misuse. For more information, see
Configure custom MailTips for
recipients.
By default, custom MailTips aren't
displayed if the sender isn't allowed to
send to that recipient. In that case, the
Restricted Recipient MailTip is displayed.
However, you can change this
configuration and have the custom
MailTip also display.

MailTip: Restricted Recipient
Availability: Outlook, Outlook Web App
Scenario: The Restricted Recipient MailTip is displayed if the sender adds a recipient
for which delivery restrictions are
configured prohibiting this sender from
sending messages.
The MailTip indicates the recipient to
which the sender isn't allowed to send
messages and gives the sender the
option to remove the recipient from the
message. It also clearly informs the
sender that the message won't be
delivered if sent.
If the restricted recipient is an external
recipient, or if it's a distribution group
that contains external recipients, this
information is also provided to the
sender. However, the following MailTips,
if applicable, are suppressed:
• Automatic Replies
• Mailbox Full
• Custom MailTip
• Moderated Recipient
• Oversize Message

MailTip: External Recipients
Availability: Outlook, Outlook Web App
Scenario: The External Recipients MailTip is displayed if the sender adds a recipient
that's external, or adds a distribution
group that contains external recipients.
This MailTip informs senders if a
message they're composing will leave
the organization, helping them make
the correct decisions about wording,
tone, and content.
By default, this MailTip is turned off. You can turn it on using the Set-OrganizationConfig cmdlet.
For details, see MailTips over organization relationships.
If some of your user mailboxes are hosted on Exchange Online and you're in a coexistence scenario
with Exchange Online, the setting on the remote domain object that represents the remote part of
your organization has a direct effect on how this MailTip is processed.
If the remote domain is configured as an internal domain (by setting the IsInternal parameter on
the remote domain object to $true), any recipients in this remote domain will be treated as
internal and therefore the External Recipients MailTip won't be displayed. However, if the remote
domain isn't configured as an internal domain, the recipients in that domain will be considered
external and this MailTip will be displayed when a message is being composed to those recipients.
NOTE
This MailTip isn't evaluated when composing a message to a distribution group in the remote domain.

MailTip: Large Audience
Availability: Outlook, Outlook Web App
Scenario: The Large Audience MailTip is displayed if the sender adds a distribution group
that has more than the large audience
size configured in your organization. By
default, Exchange displays this MailTip
for messages to distribution groups
that have more than 25 members. For
details, see Configure the large
audience size for your organization.
The size of distribution groups isn't
calculated each time. Instead, the
distribution group information is read
from the group metrics data.

MailTip: Moderated Recipient
Availability: Outlook, Outlook Web App
Scenario: The Moderated Recipient MailTip is displayed if the sender adds a recipient
that's moderated.
The MailTip indicates which recipient is
moderated and informs the sender that
this may result in delay of the delivery.
If the sender is also the moderator, this
MailTip isn't displayed. It's also not
displayed if the sender has been
explicitly allowed to send messages to
the recipient (by adding the sender's
name to the Accept Messages Only
From list for the recipient).
For instructions on how to configure
moderated recipients in Exchange
Server, see Common message approval
scenarios.
For instructions on how to configure
moderated recipients in Exchange
Online, see Configure a moderated
recipient in Exchange Online.

MailTip: Reply-All on Bcc
Availability: Outlook Web App
Scenario: The Reply-All on Bcc MailTip is displayed if the sender receives a Bcc
copy of a message and selects Reply to
All.
When a user selects Reply to All to
such a message, the fact that the user
received a Bcc of that message is
revealed to the rest of the audience to
which the message was sent. In almost
all cases, this is an undesirable situation,
and this MailTip informs the user of this
condition.

MailTip: Oversize Message
Availability: Outlook
Scenario: The Oversize Message MailTip is displayed if the message the sender is
composing is larger than configured
message size limits in your organization.
The MailTip is displayed if the message
size violates one of the following size
restrictions:
• Maximum send size setting on the sender's mailbox
• Maximum receive size setting on the recipient's mailbox
• Maximum message size restriction for the organization
NOTE
Due to the complexity of the implementation, the message size limits on the connectors in your
organization aren't taken into account.

MailTip restrictions
MailTips are subject to the following restrictions:
• MailTips aren't supported when working in offline mode in Outlook.
• When a message is addressed to a distribution group, the MailTips for individual recipients that are
members of that distribution group aren't evaluated. However, if any of the members is an external
recipient, the External Recipients MailTip is displayed, which shows the sender the number of external
recipients in the distribution group.
• If the message is addressed to more than 200 recipients, individual mailbox MailTips aren't evaluated due to
performance reasons.
• Custom MailTips are limited to 175 characters.
• While older versions of Exchange Server would populate MailTips in their entirety, Exchange Online will
only display up to 1000 characters.
• If the sender starts composing a message and leaves it open for an extended period of time, the Automatic
Replies and Mailbox Full MailTips are evaluated every two hours.
Configure the large audience size for your organization
3/4/2019

You can use Exchange Online PowerShell to configure various settings that define how you use MailTips in your
organization.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "MailTips" entry in the Mail flow permissions topic.
You can only use Exchange Online PowerShell to perform this procedure.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to configure the large audience size for your organization
You use the Set-OrganizationConfig cmdlet to configure the large audience size for your organization. When
senders address messages to more recipients than the size you configure, they are shown the Large Audience
MailTip. The large audience size is set to 25 by default. This example configures the large audience size to 50 in
your organization.

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 50

For detailed syntax and parameter information, see Set-OrganizationConfig.


Configure custom MailTips for recipients
3/4/2019

MailTips are informative messages displayed to users in the InfoBar in Outlook Web App and Microsoft Outlook
2010 or later when a user does any of the following while composing an e-mail message:
• Add a recipient
• Add an attachment
• Reply or Reply all
• Open a message from the Drafts folder that's already addressed to recipients
In addition to the built-in MailTips that are available, you can create custom MailTips for all types of recipients. For
more information about the built-in MailTips, see MailTips.

What do you need to know before you begin?


• Estimated time to complete: 10 minutes
• You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "MailTips" entry in the Mail flow permissions topic.
• You can configure the primary MailTip in the Exchange admin center (EAC) or in Exchange Online
PowerShell. However, you can only configure additional MailTip translations in Exchange Online
PowerShell.
• When you add a MailTip to a recipient, two things happen:
  • HTML tags are automatically added to the text. For example, if you enter the text:
  This mailbox is not monitored, the MailTip automatically becomes:
  <html><body>This mailbox is not monitored</body></html>. Additional HTML tags in the MailTip aren't
  supported.
  • The text is automatically added to the MailTipTranslations property of the recipient as the default
  value. If you modify the MailTip text, the default value is automatically updated in the
  MailTipTranslations property.
• The length of a MailTip can't exceed 175 displayed characters.
• For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Configure MailTips for recipients


Use the EAC to configure MailTips for recipients
1. In the EAC, navigate to Recipients.
2. Select any of the following recipient tabs based on the recipient type:
   • Mailboxes
   • Groups
   • Resources
   • Contacts
   • Shared
3. On the recipient tab, select the recipient you want to modify, and click Edit.
4. In the recipient properties page that appears, click MailTips.
5. Enter the text for the MailTip. When you are finished, click Save.
Use Exchange Online PowerShell to configure MailTips for recipients
To configure a MailTip for a recipient, use the following syntax.

Set-<RecipientType> <RecipientIdentity> -MailTip "<MailTip text>"

<RecipientType> can be any type of recipient. For example, Mailbox, MailUser, MailContact, DistributionGroup,
or DynamicDistributionGroup.
For example, suppose you have a mailbox named "Help Desk" for users to submit support requests, and the
promised response time is two hours. To configure a custom MailTip that explains this, run the following
command:

Set-Mailbox "Help Desk" -MailTip "A Help Desk representative will contact you within 2 hours."

Use Exchange Online PowerShell to configure additional MailTips in different languages
To configure additional MailTip translations without affecting the existing MailTip text or other existing MailTip
translations, use the following syntax:

Set-<RecipientType> <RecipientIdentity> -MailTipTranslations @{Add="<culture1>:<localized text 1>","<culture2>:<localized text 2>"...; Remove="<culture1>:<localized text 1>","<culture2>:<localized text 2>"...}

<culture> is a valid ISO 639 two-letter culture code associated with the language.
For example, suppose the mailbox named Notifications currently has the MailTip: "This mailbox is not monitored."
To add the Spanish translation, run the following command:

Set-Mailbox Notifications -MailTipTranslations @{Add="ES:Esta caja no se supervisa."}

How do you know this worked?


To verify that you have successfully configured a MailTip for a recipient, do the following:
1. In Outlook Web App or Outlook 2010 or later, compose an email message addressed to the recipient, but
don't send it.
2. Verify the MailTip appears in the InfoBar.
3. If you configured additional MailTip translations, compose the message in Outlook Web App where the
language setting matches the language of the MailTip translation to verify the results.
MailTips over organization relationships
3/4/2019

Microsoft Exchange Server allows you to configure organization relationships with Microsoft Exchange Online or
other Exchange organizations. Establishing an organization relationship allows you to enhance the user experience
when dealing with the other organization. For example, you can share free or busy data, configure secure message
flow, and enable message tracking across both organizations.

Controlling the MailTips access level


You may want to restrict certain types of MailTips. You can either allow all MailTips to be returned or allow only a
limited set that would prevent NDRs. You can configure this setting with the MailTipsAccessLevel parameter on the
Set-OrganizationRelationship cmdlet. The following table shows which MailTips are returned over the
organization relationship.

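MailTip: Large Audience
Available when the access level is set to All: Yes
Available when the access level is set to Limited: No

MailTip: Automatic Replies
Available when the access level is set to All: Yes. If the remote domain of the recipient is
specified as internal, the internal automatic reply is displayed. Otherwise, the external automatic
reply is displayed.
Available when the access level is set to Limited: Yes. The external automatic reply is displayed.

MailTip: Moderated Recipient
Available when the access level is set to All: Yes
Available when the access level is set to Limited: No

MailTip: Oversize Message
Available when the access level is set to All: Yes
Available when the access level is set to Limited: Yes

MailTip: Restricted Recipient
Available when the access level is set to All: Yes
Available when the access level is set to Limited: Yes

MailTip: Mailbox Full
Available when the access level is set to All: Yes
Available when the access level is set to Limited: No

MailTip: Custom MailTips
Available when the access level is set to All: Yes
Available when the access level is set to Limited: No

MailTip: External Recipients
Available when the access level is set to All: Yes. If the remote domain of the recipient is
specified as internal, this MailTip is suppressed. Otherwise, the external MailTip is returned.
Available when the access level is set to Limited: Yes. If the remote domain of the recipient is
specified as internal, this MailTip is suppressed. Otherwise, the external MailTip is returned.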

For detailed steps about how to configure MailTips access levels, see Manage MailTips for organization
relationships.

Controlling the MailTips access scope


When you enable MailTips over an organization relationship and set the access level to All, the recipient-specific
MailTips (Mailbox Full, Automatic Replies, and custom MailTips) are returned for all users. However, you may only
want to allow these MailTips for a specific set of users. For example, if you set up an organization relationship with
a partner, you may want to allow these MailTips only for the users that work with that partner.
To achieve this, you need to first create a group and add all users for whom you want to share recipient-specific
MailTips to that group. You can then specify that group on the organization relationship.
After you implement this restriction, your Client Access servers will first verify whether the recipient for whom
they received a MailTips query is part of this group. If the recipient is a member of this group, the Client Access
servers will proxy back all MailTips including the recipient-specific MailTips. Otherwise they won't include the
recipient-specific MailTips in their response.
For detailed steps about how to configure MailTips access levels, see Manage MailTips for organization
relationships.
Manage MailTips for organization relationships
3/4/2019

You can use Exchange Online PowerShell to configure custom settings for MailTips between various
organizations.
By establishing an organizational relationship, you can enhance the user experience for both organizations by
sharing free/busy data, configuring secure message flow, and enabling message tracking. For more information
about organizational relationships, see MailTips over organization relationships.
You can use various settings to control how MailTips are used between two organizations that have established an
organizational relationship. The procedures in this section illustrate these various controls. In all examples, the on-
premises organization is contoso.com, the remote organization is online.contoso.com, and the organizational
relationship is named Contoso Online.
You use the Set-OrganizationRelationship cmdlet to configure these settings.

What do you need to know before you begin?


Estimated time to complete each procedure: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "MailTips" entry in the Mail flow permissions topic.
You can only use Exchange Online PowerShell to perform this procedure.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts for the Exchange admin center.


Use Exchange Online PowerShell to enable or disable MailTips between two organizations
This example configures the organizational relationship so that MailTips are returned to senders in the remote
organization when composing messages to recipients in your organization.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessEnabled $true

This example configures the organizational relationship to prevent MailTips from being returned to senders in the
remote organization when composing messages to recipients in your organization.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessEnabled $false

For detailed syntax and parameter information, see Set-OrganizationRelationship.

Use Exchange Online PowerShell to configure which MailTips are returned to the remote organization
For each organizational relationship, you can determine which set of MailTips are returned to senders in the other
organization. This example configures the organizational relationship so that all MailTips are returned.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel All

This example configures the organizational relationship so that only the Automatic Replies, Oversize Message,
Restricted Recipient, and Mailbox Full MailTips are returned.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel Limited

This example configures the organizational relationship so that no MailTips are returned.

NOTE
Don't use this method to disable MailTips for this relationship. To disable MailTips, set the MailTipsAccessEnabled parameter
to $false.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessLevel None

For detailed syntax and parameter information, see Set-OrganizationRelationship.

Use Exchange Online PowerShell to configure a specific group of users for whom recipient-specific MailTips are returned
You can restrict the return of recipient-specific MailTips to a specific group of users. By default, when you enable
MailTips for an organizational relationship, the following recipient-specific MailTips are returned for all users:
• Automatic Replies
• Mailbox Full
• Custom MailTip
You can specify a MailTips access group on the organizational relationship. After you specify a group, the
recipient-specific MailTips are returned only for mailboxes, mail contacts, and mail users that are members of that
group. This example configures the organizational relationship to return recipient-specific MailTips only for
members of the ShareMailTips@contoso.com group.

Set-OrganizationRelationship "Contoso Online" -MailTipsAccessScope ShareMailTips@contoso.com

For detailed syntax and parameter information, see Set-OrganizationRelationship.


Add-ins for Outlook in Exchange Online
2/28/2019

Add-ins for Outlook are applications that extend the usefulness of Outlook clients by adding information or tools
that your users can use without having to leave Outlook. Add-ins are built by third-party developers and can be
installed either from a file or URL or from the Office Store. By default, all users can install add-ins. Exchange
Online admins can control whether users can install add-ins for Office.

TIP
For information about add-ins for Outlook from an end-user perspective, check out the Help topic Installed add-ins at
Office.com. That topic provides an overview of the add-ins and also shows you some of the add-ins for Outlook that might
be installed by default.

Office Store add-ins and custom add-ins


Outlook clients support a variety of add-ins that are available through the Office Store. Outlook also supports
custom add-ins that you can create and distribute to users in your organization.
Notes:
• Access to the Office Store isn't supported for mailboxes or organizations in specific regions. If you don't see
Add from the Office Store as an option in the Exchange admin center under Organization > Add-ins
> New, you may be able to install an add-in for Outlook from a URL or file location. For more
information, contact your service provider.
• Some add-ins for Outlook are installed by default. Default add-ins for Outlook only activate on English
language content. For example, German postal addresses in the message body won't activate the Bing Maps
add-in.

Add-in access and installation


By default, all users can install and remove add-ins. Exchange Online admins have a number of controls available
for managing add-ins and users' access to them. Admins can prevent users from installing add-ins that are not
downloaded from the Office Store (instead they are "side loaded" from a file or URL). Admins can also prevent
users from installing Office Store add-ins, and from installing add-ins on behalf of other users.
To install add-ins for some or all users in your organization, see Manage deployment of Office 365 add-ins in the
Office 365 admin center.
Remote Connectivity Analyzer tests for Exchange Online
3/6/2019

The Microsoft Exchange Remote Connectivity Analyzer (ExRCA) helps you make sure that connectivity for your
Exchange servers is set up correctly. If you're having problems, it can also help you find and fix these problems. The
ExRCA website can run tests to check for Microsoft Exchange ActiveSync, Exchange Web Services, Microsoft
Outlook, and internet email connectivity.

Remote Connectivity Analyzer tests


You can perform several tests with the ExRCA. The following tests work on Exchange 2007 and later versions:
• Exchange ActiveSync
• Exchange Web Services
• Outlook
• Internet email
Exchange ActiveSync tests
You can run the following tests for Exchange ActiveSync:
• Exchange ActiveSync: This test simulates the steps that a mobile device uses to connect to an Exchange
server using Exchange ActiveSync.
• Exchange ActiveSync Autodiscover: This walks through the steps an Exchange ActiveSync device uses to
obtain settings from the Autodiscover service.
Exchange Web Services connectivity tests
The Exchange Web Services tests check the settings for many of the Exchange Web Services. You can run the
following tests for Exchange Web Services:
• Synchronization, Notification, Availability, and Automatic Replies: These tests walk through many
basic Exchange Web Services tasks to confirm that they're working. This is useful for IT administrators who
want to troubleshoot external access using Entourage EWS or other Web Services clients.
• Service Account Access (Developers): This test verifies a service account's ability to access a specified
mailbox, create and delete items in it, and access it via Exchange impersonation. This test is primarily used
by application developers to test the ability to access mailboxes with alternate credentials.
Microsoft Office Outlook Connectivity tests
You can run the following tests for Outlook connectivity:
• Outlook Anywhere (RPC over HTTP): This test walks through the steps Outlook uses to connect via
Outlook Anywhere (RPC over HTTP).
• Outlook Autodiscover: This test walks through the steps Outlook uses to obtain settings from the
Autodiscover service. This test doesn't actually connect to a mailbox.
Internet email tests
You can run the following tests for internet email:
• Inbound SMTP E-Mail: This test walks through the steps an internet email server uses to send inbound
SMTP email to your domain.
• Outbound SMTP E-Mail: This test checks your outbound IP address for certain requirements. This
includes Reverse DNS, Sender ID, and RBL checks.
• POP Email: This test walks through the steps an email client uses to connect to a mailbox using POP3.
• IMAP Email: This test walks through the steps an email client uses to connect to a mailbox using IMAP.
Client Access Rules in Exchange Online
3/4/2019

Summary: Learn how administrators can use Client Access Rules to allow or block different types of client
connections to Exchange Online.
Client Access Rules help you control access to your Exchange Online organization based on client properties or
client access requests. Client Access Rules are like mail flow rules (also known as transport rules) for client
connections to your Exchange Online organization. You can prevent clients from connecting to Exchange Online
based on their IP address, authentication type, and user property values, and the protocol, application, service, or
resource that they're using to connect. For example:
• Allow access to Exchange ActiveSync clients from specific IP addresses, and block all other ActiveSync
clients.
• Block access to Exchange Web Services (EWS) for users in specific departments, cities, or countries.
• Block access to an offline address book (OAB) for specific users based on their usernames.
• Prevent client access using federated authentication.
• Prevent client access using Exchange Online PowerShell.
• Block access to the Exchange admin center (EAC) for users in a specific country or region.
For Client Access Rule procedures, see Procedures for Client Access Rules in Exchange Online.

Client Access Rule components


A rule is made of conditions, exceptions, an action, and a priority value.
• Conditions: Identify the client connections to apply the action to. For a complete list of conditions, see the
Client Access Rule conditions and exceptions section later in this topic. When a client connection matches
the conditions of a rule, the action is applied to the client connection, and rule evaluation stops (no more
rules are applied to the connection).
• Exceptions: Optionally identify the client connections that the action shouldn't apply to. Exceptions
override conditions and prevent the rule action from being applied to a connection, even if the connection
matches all of the configured conditions. Rule evaluation continues for client connections that are allowed
by the exception, but a subsequent rule could still affect the connection.
• Action: Specifies what to do to client connections that match the conditions in the rule, and don't match any
of the exceptions. Valid actions are:
  • Allow the connection (the AllowAccess value for the Action parameter).
  • Block the connection (the DenyAccess value for the Action parameter).
  Note: When you block connections for a specific protocol, other applications that rely on the same
  protocol might also be affected.
• Priority: Indicates the order that the rules are applied to client connections (a lower number indicates a
higher priority). The default priority is based on when the rule is created (older rules have a higher priority
than newer rules), and higher priority rules are processed before lower priority rules. Remember, rule
processing stops once the client connection matches the conditions in the rule.
For more information about setting the priority value on rules, see Use Exchange Online PowerShell to set
the priority of Client Access Rules.
How Client Access Rules are evaluated
The following table describes how multiple rules with the same condition are evaluated, and how a rule with
multiple conditions, condition values, and exceptions is evaluated.

Component: Multiple rules that contain the same condition
Logic: The first rule is applied, and subsequent rules are ignored
Comments: For example, if your highest priority rule blocks Outlook on the web connections, and you
create another rule that allows Outlook on the web connections for a specific IP address range, all
Outlook on the web connections are still blocked by the first rule. Instead of creating another rule
for Outlook on the web, you need to add an exception to the existing Outlook on the web rule to allow
connections from the specified IP address range.

Component: Multiple conditions in one rule
Logic: AND
Comments: A client connection must match all conditions in the rule. For example, EWS connections
from users in the Accounting department.

Component: One condition with multiple values in a rule
Logic: OR
Comments: For conditions that allow more than one value, the connection must match any one (not all)
of the specified conditions. For example, EWS or IMAP4 connections.

Component: Multiple exceptions in one rule
Logic: OR
Comments: If a client connection matches any one of the exceptions, the actions are not applied to
the client connection. The connection doesn't have to match all the exceptions. For example, IP
address 192.168.1.1 or Basic authentication.

You can test how a specific client connection would be affected by Client Access Rules (which rules would match
and therefore affect the connection). For more information, see Use Exchange Online PowerShell to test Client
Access Rules.
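
The evaluation logic described above, as an added example that is not part of the original documentation: an offline PowerShell model (IPv4 only, no Exchange Online connection) that applies lowest-priority-number-first matching, AND across conditions, and OR across values and exceptions to the Outlook on the web case. The rule names, the hashtable layout, the 203.0.113.9 address, and the helper functions ConvertTo-IPv4Number, Test-IPv4Match, Test-Predicate and Get-EffectiveRule are hypothetical; exceptions are keyed by the condition name without the Except prefix.

```powershell
# Added illustration: offline model of Client Access Rule evaluation.
# Nothing here calls Exchange Online; all rules and connections are constructed.

function ConvertTo-IPv4Number {
    param([string]$Address)
    [long]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-IPv4Match {
    # $Value is one entry: a single IP, a "start-end" range, or CIDR notation.
    param([string]$Address, [string]$Value)
    $ip = ConvertTo-IPv4Number -Address $Address
    if ($Value -match '^([\d.]+)/(\d+)$') {
        $size  = [long][math]::Pow(2, 32 - [int]$Matches[2])
        $base  = ConvertTo-IPv4Number -Address $Matches[1]
        $start = $base - ($base % $size)              # clear the host bits
        return ($ip -ge $start -and $ip -lt ($start + $size))
    }
    if ($Value -match '^([\d.]+)-([\d.]+)$') {
        $low  = ConvertTo-IPv4Number -Address $Matches[1]
        $high = ConvertTo-IPv4Number -Address $Matches[2]
        return ($ip -ge $low -and $ip -le $high)
    }
    return ($ip -eq (ConvertTo-IPv4Number -Address $Value))
}

function Test-Predicate {
    # One condition or exception against a connection; multiple values are OR'ed.
    param([string]$Kind, [string[]]$Values, [hashtable]$Connection)
    switch ($Kind) {
        'AnyOfProtocols'           { return ($Values -contains $Connection.Protocol) }
        'AnyOfAuthenticationTypes' { return ($Values -contains $Connection.AuthType) }
        'AnyOfClientIPAddressesOrRanges' {
            foreach ($v in $Values) {
                if (Test-IPv4Match -Address $Connection.ClientIP -Value $v) { return $true }
            }
            return $false
        }
    }
    throw "Unsupported predicate: $Kind"
}

function Get-EffectiveRule {
    # Returns the first rule (lowest Priority number) whose conditions all match
    # and none of whose exceptions match; $null when no rule applies.
    param([hashtable[]]$Rules, [hashtable]$Connection)
    foreach ($rule in ($Rules | Sort-Object { $_.Priority })) {
        $allMatch = $true
        foreach ($kind in $rule.Conditions.Keys) {            # conditions: AND
            $values = $rule.Conditions[$kind]
            if (-not (Test-Predicate -Kind $kind -Values $values -Connection $Connection)) {
                $allMatch = $false; break
            }
        }
        if (-not $allMatch) { continue }
        $excepted = $false
        foreach ($kind in $rule.Exceptions.Keys) {            # exceptions: OR
            $values = $rule.Exceptions[$kind]
            if (Test-Predicate -Kind $kind -Values $values -Connection $Connection) {
                $excepted = $true; break
            }
        }
        if ($excepted) { continue }    # rule skipped; later rules are still evaluated
        return $rule                   # first match wins; evaluation stops
    }
    return $null
}

# Constructed rule sets: a second "allow" rule versus an exception on the block rule.
$twoRules = @(
    @{ Name = 'Block OWA'; Priority = 1; Action = 'DenyAccess'
       Conditions = @{ AnyOfProtocols = @('OutlookWebApp') }; Exceptions = @{} },
    @{ Name = 'Allow OWA from office'; Priority = 2; Action = 'AllowAccess'
       Conditions = @{ AnyOfProtocols = @('OutlookWebApp')
                       AnyOfClientIPAddressesOrRanges = @('192.168.3.1/24') }
       Exceptions = @{} }
)
$ruleWithException = @(
    @{ Name = 'Block OWA'; Priority = 1; Action = 'DenyAccess'
       Conditions = @{ AnyOfProtocols = @('OutlookWebApp') }
       Exceptions = @{ AnyOfClientIPAddressesOrRanges = @('192.168.3.1/24') } }
)

# Constructed client connections.
$office  = @{ Protocol = 'OutlookWebApp'; ClientIP = '192.168.3.40'; AuthType = 'BasicAuthentication' }
$outside = @{ Protocol = 'OutlookWebApp'; ClientIP = '203.0.113.9';  AuthType = 'BasicAuthentication' }

$cases = @(
    @{ Label = 'two rules, office IP';       Rules = $twoRules;          Conn = $office  },
    @{ Label = 'two rules, outside IP';      Rules = $twoRules;          Conn = $outside },
    @{ Label = 'exception rule, office IP';  Rules = $ruleWithException; Conn = $office  },
    @{ Label = 'exception rule, outside IP'; Rules = $ruleWithException; Conn = $outside }
)
foreach ($case in $cases) {
    $hit = Get-EffectiveRule -Rules $case.Rules -Connection $case.Conn
    $result = if ($null -ne $hit) { "$($hit.Name) -> $($hit.Action)" } else { 'no rule matched' }
    '{0,-28} {1}' -f $case.Label, $result
}
```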
Important notes
Client connections from your internal network
Connections from your local network aren't automatically allowed to bypass Client Access Rules. Therefore, when
you create Client Access Rules that block client connections to Exchange Online, you need to consider how
connections from your internal network might be affected. The preferred method to allow internal client
connections to bypass Client Access Rules is to create a highest priority rule that allows client connections from
your internal network (all or specific IP addresses). That way, the client connections are always allowed, regardless
of any other blocking rules that you create in the future.
Client Access Rules and middle-tier applications
Many applications that access Exchange Online use a middle-tier architecture (clients talk to the middle-tier
application, and the middle-tier application talks to Exchange Online). A Client Access Rule that only allows access
from your local network might block middle-tier applications. So, your rules need to allow the IP addresses of
middle-tier applications.
Middle-tier applications owned by Microsoft (for example, Outlook for iOS and Android) will bypass blocking by
Client Access Rules, and will always be allowed. To provide additional control over these applications, you need to
use the control capabilities that are available in the applications.
Timing for rule changes
To improve overall performance, Client Access Rules use a cache, which means changes to rules don't immediately
take effect. The first rule that you create in your organization can take up to 24 hours to take effect. After that,
modifying, adding, or removing rules can take up to one hour to take effect.
Administration
You can only use remote PowerShell to manage Client Access Rules, so you need to be careful about rules that
block your access to remote PowerShell. If you create a rule that blocks your access to remote PowerShell, or if
you create a rule that blocks all protocols for everyone, you'll lose the ability to fix the rules yourself. You'll need to
call Microsoft Customer Service and Support, and they will create a rule that gives you remote PowerShell access
from anywhere so you can fix your own rules. Note that it can take up to one hour for this new rule to take effect.
As a best practice, create a Client Access Rule with the highest priority to preserve your access to remote
PowerShell. For example:

New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

Authentication types and protocols


Not all authentication types are supported for all protocols. The supported authentication types per protocol are
described in this table:

PROTOCOL               ADFSAUTHENTICATION  BASICAUTHENTICATION  CERTIFICATEBASEDAUTHENTICATION  NONBASICAUTHENTICATION  OAUTHAUTHENTICATION
ExchangeActiveSync     n/a                 supported            supported                       n/a                     supported
ExchangeAdminCenter    supported           supported            n/a                             n/a                     n/a
ExchangeWebServices    n/a                 n/a                  n/a                             n/a                     n/a
IMAP4                  n/a                 n/a                  n/a                             n/a                     n/a
OfflineAddressBook     n/a                 n/a                  n/a                             n/a                     n/a
OutlookAnywhere        n/a                 n/a                  n/a                             n/a                     n/a
OutlookWebApp          supported           supported            n/a                             n/a                     n/a
POP3                   n/a                 n/a                  n/a                             n/a                     n/a
PowerShellWebServices  n/a                 n/a                  n/a                             n/a                     n/a
RemotePowerShell       n/a                 supported            n/a                             supported               n/a
REST                   n/a                 n/a                  n/a                             n/a                     n/a
UniversalOutlook       n/a                 n/a                  n/a                             n/a                     n/a


Client Access Rule conditions and exceptions
Conditions and exceptions in Client Access Rules identify the client connections that the rule is applied to or not
applied to. For example, if the rule blocks access by Exchange ActiveSync clients, you can configure the rule to
allow Exchange ActiveSync connections from a specific range of IP addresses. The syntax is the same for a
condition and the corresponding exception. The only difference is conditions specify client connections to include,
while exceptions specify client connections to exclude.
This table describes the conditions and exceptions that are available in Client Access Rules:

Each entry lists the condition parameter in Exchange Online PowerShell, the corresponding exception parameter in Exchange Online PowerShell, and a description.

Condition parameter: AnyOfAuthenticationTypes
Exception parameter: ExceptAnyOfAuthenticationTypes
Description: Valid values are:
• AdfsAuthentication
• BasicAuthentication
• CertificateBasedAuthentication
• NonBasicAuthentication
• OAuthAuthentication
You can specify multiple values separated by commas. You can use quotation marks around each individual value ("value1","value2"), but not around all values (don't use "value1,value2").

Condition parameter: AnyOfClientIPAddressesOrRanges
Exception parameter: ExceptAnyOfClientIPAddressesOrRanges
Description: Valid values are:
• A single IP address: For example, 192.168.1.1.
• An IP address range: For example, 192.168.0.1-192.168.0.254.
• Classless Inter-Domain Routing (CIDR) IP: For example, 192.168.3.1/24.
You can specify multiple values separated by commas.

Condition parameter: AnyOfProtocols
Exception parameter: ExceptAnyOfProtocols
Description: Valid values are:
• ExchangeActiveSync
• ExchangeAdminCenter
• ExchangeWebServices
• IMAP4
• OfflineAddressBook
• OutlookAnywhere (includes MAPI over HTTP)
• OutlookWebApp (Outlook on the web)
• POP3
• PowerShellWebServices
• RemotePowerShell
• REST
• UniversalOutlook (Mail and Calendar app)
You can specify multiple values separated by commas. You can use quotation marks around each individual value ("value1","value2"), but not around all values (don't use "value1,value2").
Note: If you don't use this condition in a rule, the rule is applied to all protocols.

Condition parameter: Scope
Exception parameter: n/a
Description: Specifies the type of connections that the rule applies to. Valid values are:
• Users: The rule only applies to end-user connections.
• All: The rule applies to all types of connections (end-users and middle-tier apps).

Condition parameter: UsernameMatchesAnyOfPatterns
Exception parameter: ExceptUsernameMatchesAnyOfPatterns
Description: Accepts text and the wildcard character (*) to identify the user's account name in the format <Domain>\<UserName> (for example, contoso.com\jeff or *jeff*, but not jeff*). Non-alphanumeric characters don't require an escape character.
You can specify multiple values separated by commas.

Condition parameter: UserRecipientFilter
Exception parameter: n/a
Description: Uses OPath filter syntax to identify the user that the rule applies to. For example, {City -eq 'Redmond'}. The filterable attributes are:
• City
• Company
• CountryOrRegion
• CustomAttribute1 to CustomAttribute15
• Department
• Office
• PostalCode
• StateOrProvince
• StreetAddress
The search criteria uses the syntax {<Property> -<Comparison operator> '<Value>'}.
• <Property> is a filterable property.
• -<Comparison Operator> is an OPATH comparison operator. For example -eq for exact matches (wildcards are not supported) and -like for string comparison (which requires at least one wildcard in the property value). For more information about comparison operators, see about_Comparison_Operators.
• <Value> is the property value. Text values with or without spaces or values with wildcards (*) need to be enclosed in quotation marks (for example, '<Value>' or '*<Value>'). Don't use quotation marks with the system value $null (for blank values) or integers.
You can chain multiple search criteria together using the logical operators -and and -or. For example, {<Criteria1> -and <Criteria2>} or {(<Criteria1> -and <Criteria2>) -or <Criteria3>}.

Procedures for Client Access Rules in Exchange Online
3/4/2019 • 6 minutes to read

Summary: Learn how to view, create, modify, delete, and test Client Access Rules in Exchange Online.
Client Access Rules allow or block client connections to your Exchange Online organization based on the
properties of the connection. For more information about Client Access Rules, see Client Access Rules in Exchange
Online.

TIP
Verify that your rules work the way you expect. Be sure to thoroughly test each rule and the interactions between rules. For
more information, see the Use Exchange Online PowerShell to test Client Access Rules section later in this topic.

What do you need to know before you begin?


• Estimated time to complete each procedure: less than 5 minutes.
• The procedures in this topic are only available in Exchange Online PowerShell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
• You need to be assigned permissions before you can perform these procedures. To see what permissions you need, see the "Mail flow" entry in Feature permissions in Exchange Online.
• For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Use Exchange Online PowerShell to view Client Access Rules


To return a summary list of all Client Access Rules, run this command:

Get-ClientAccessRule

To return detailed information about a specific rule, use this syntax:

Get-ClientAccessRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the rule named "Block Client Connections from 192.168.1.0/24".

Get-ClientAccessRule -Identity "Block Client Connections from 192.168.1.0/24" | Format-List

This example returns only the specified properties for the same rule.

Get-ClientAccessRule -Identity "Block Client Connections from 192.168.1.0/24" | Format-List Name,Priority,Enabled,Scope,Action

For detailed syntax and parameter information, see Get-ClientAccessRule.

Use Exchange Online PowerShell to create Client Access Rules


To create Client Access Rules in Exchange Online PowerShell, use this syntax:

New-ClientAccessRule -Name "<RuleName>" [-Priority <PriorityValue>] [-Enabled <$true | $false>] -Action <AllowAccess | DenyAccess> [<Conditions>] [<Exceptions>]

This example creates a new Client Access Rule named Block ActiveSync that blocks access for Exchange
ActiveSync clients, except for clients in the IP address range 192.168.10.1/24.

New-ClientAccessRule -Name "Block ActiveSync" -Action DenyAccess -AnyOfProtocols ExchangeActiveSync -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24

Notes:
• As a best practice, create a Client Access Rule with the highest priority to preserve your administrator access to remote PowerShell. For example:

New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

• The rule has the default priority value, because we didn't use the Priority parameter. For more information, see the Use Exchange Online PowerShell to set the priority of Client Access Rules section later in this topic.
• The rule is enabled, because we didn't use the Enabled parameter, and the default value is $true.

This example creates a new Client Access Rule named Restrict EAC Access that blocks access for the Exchange
admin center, except if the client is coming from an IP address in the 192.168.10.1/24 range or if the user account
name contains "tanyas".

New-ClientAccessRule -Name "Restrict EAC Access" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24 -ExceptUsernameMatchesAnyOfPatterns *tanyas*

For detailed syntax and parameter information, see New-ClientAccessRule.


How do you know this worked?
To verify that you've successfully created a Client Access Rule, use any of these procedures:
Run this command in Exchange Online PowerShell to see the new rule in the list of rules:

Get-ClientAccessRule

Replace <RuleName> with the name of the rule, and run this command to see the details of the rule:

Get-ClientAccessRule -Identity "<RuleName>" | Format-List

See which Client Access Rules would affect a specific client connection to Exchange Online by using the
Test-ClientAccessRule cmdlet. For more information, see the Use Exchange Online PowerShell to test
Client Access Rules section later in this topic.

Use Exchange Online PowerShell to modify Client Access Rules


No additional settings are available when you modify a Client Access Rule. They're the same settings that were
available when you created the rule.
To modify a Client Access Rule in Exchange Online PowerShell, use this syntax:

Set-ClientAccessRule -Identity "<RuleName>" [-Name "<NewName>"] [-Priority <PriorityValue>] [-Enabled <$true | $false>] -Action <AllowAccess | DenyAccess> [<Conditions>] [<Exceptions>]

This example disables the existing Client Access Rule named Allow IMAP4.

Set-ClientAccessRule -Identity "Allow IMAP4" -Enabled $false

An important consideration when you modify Client Access Rules is modifying conditions or exceptions that
accept multiple values:
The values that you specify will replace any existing values.
To add or remove values without affecting other existing values, use this syntax:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}

This example adds the IP address range 172.17.17.27/16 to the existing Client Access Rule named Allow IMAP4
without affecting the existing IP address values.

Set-ClientAccessRule -Identity "Allow IMAP4" -AnyOfClientIPAddressesOrRanges @{Add="172.17.17.27/16"}

For detailed syntax and parameter information, see Set-ClientAccessRule.


How do you know this worked?
To verify that you've successfully modified a Client Access Rule, use any of these procedures:
Replace <RuleName> with the name of the rule, and run this command to see the details of the rule:

Get-ClientAccessRule -Identity "<RuleName>" | Format-List

See which Client Access Rules would affect a specific client connection to Exchange Online by using the
Test-ClientAccessRule cmdlet. For more information, see the Use Exchange Online PowerShell to test
Client Access Rules section later in this topic.

Use Exchange Online PowerShell to set the priority of Client Access Rules

By default, Client Access Rules are given a priority that's based on the order they were created in (newer rules are
lower priority than older rules). A lower priority number indicates a higher priority for the rule, and rules are
processed in priority order (higher priority rules are processed before lower priority rules). No two rules can have
the same priority.
The highest priority you can set on a rule is 1. The lowest value you can set depends on the number of rules. For
example, if you have five rules, you can use the priority values 1 through 5. Changing the priority of an existing rule
can have a cascading effect on other rules. For example, if you have five rules (priorities 1 through 5), and you
change the priority of a rule from 5 to 2, the existing rule with priority 2 is changed to priority 3, the rule with
priority 3 is changed to priority 4, and the rule with priority 4 is changed to priority 5.
To set the priority of a Client Access Rule in Exchange Online PowerShell, use this syntax:

Set-ClientAccessRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Disable IMAP4 to 2. All existing rules that have a priority less than
or equal to 2 are decreased by 1 (their priority numbers are increased by 1).

Set-ClientAccessRule -Identity "Disable IMAP4" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-ClientAccessRule cmdlet.

How do you know this worked?
To verify that you've successfully set the priority of a Client Access Rule, use either of these procedures:
Run this command in Exchange Online PowerShell to see the list of rules and their Priority values:

Get-ClientAccessRule

Replace <RuleName> with the name of the rule, and run this command:

Get-ClientAccessRule -Identity "<RuleName>" | Format-List Name,Priority

Use Exchange Online PowerShell to remove Client Access Rules


To remove Client Access Rules in Exchange Online PowerShell, use this syntax:

Remove-ClientAccessRule -Identity "<RuleName>"

This example removes the Client Access Rule named Block POP3.

Remove-ClientAccessRule -Identity "Block POP3"

Note: To disable a Client Access Rule without deleting it, use the Enabled parameter with the value $false on the
Set-ClientAccessRule cmdlet.
For detailed syntax and parameter information, see Remove-ClientAccessRule.
How do you know this worked?
To verify that you've successfully removed a Client Access Rule, run this command in Exchange Online PowerShell
to verify that the rule is no longer listed:

Get-ClientAccessRule

Use Exchange Online PowerShell to test Client Access Rules


To see which Client Access Rules would affect a specific client connection to Exchange Online, use this syntax:

Test-ClientAccessRule -User <MailboxIdentity> -AuthenticationType <AuthenticationType> -Protocol <Protocol> -RemoteAddress <ClientIPAddress> -RemotePort <TCPPortNumber>

This example returns the Client Access Rules that would match a client connection to Exchange Online that has
these properties:
• Authentication type: Basic
• Protocol: OutlookWebApp
• Remote address: 172.17.17.26
• Remote port: 443
• User: julia@contoso.com

Test-ClientAccessRule -User julia@contoso.com -AuthenticationType BasicAuthentication -Protocol OutlookWebApp -RemoteAddress 172.17.17.26 -RemotePort 443

For detailed syntax and parameter information, see Test-ClientAccessRule.


Disable Basic authentication in Exchange Online
3/29/2019 • 15 minutes to read

Basic authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic
authentication can help protect your Exchange Online organization from brute force or password spray attacks.
When you disable Basic authentication for users in Exchange Online, their email clients and apps must support
modern authentication. Those clients are:
Outlook 2013 or later (Outlook 2013 requires a registry key change)
Outlook 2016 for Mac or later
Outlook for iOS and Android
Mail for iOS 11.3.1 or later
If your organization has no legacy email clients, you can use authentication policies in Exchange Online to disable
Basic authentication requests, which forces all client access requests to use modern authentication. For more
information about modern authentication, see Using Office 365 modern authentication with Office clients.
This topic explains how Basic authentication is used and blocked in Exchange Online, and the corresponding
procedures for authentication policies.

How Basic authentication works in Exchange Online


Basic authentication is also known as proxy authentication because the email client transmits the username and
password to Exchange Online, and Exchange Online forwards or proxies the credentials to an authoritative identity
provider (IdP) on behalf of the email client or app. The IdP depends on your organization's authentication model:
Cloud authentication: The IdP is Azure Active Directory.
Federated authentication: The IdP is an on-premises solution like Active Directory Federation Services
(AD FS).

These authentication models are described in the following sections.


Cloud authentication
The steps in cloud authentication are described in the following diagram:

1. The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
2. Exchange Online sends the username and password to Azure Active Directory.
3. Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
Federated authentication
The steps in federated authentication are described in the following diagram:

1. The email client sends the username and password to Exchange Online.
Note: When Basic authentication is blocked, it's blocked at this step.
2. Exchange Online sends the username and password to the on-premises IdP.
3. Exchange Online receives a Security Assertion Markup Language (SAML) token from the on-premises IdP.
4. Exchange Online sends the SAML token to Azure Active Directory.
5. Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.

How Basic authentication is blocked in Exchange Online


You block Basic authentication in Exchange Online by creating and assigning authentication policies to individual
users. The policies define the client protocols where Basic authentication is blocked, and assigning the policy to one
or more users blocks their Basic authentication requests for the specified protocols.
When it's blocked, Basic authentication in Exchange Online is blocked at the first pre-authentication step (Step 1 in
the previous diagrams) before the request reaches Azure Active Directory or the on-premises IdP. The benefit of
this approach is brute force or password spray attacks won't reach the IdP (which might trigger account lock-outs
due to incorrect login attempts).
Because authentication policies operate at the user level, Exchange Online can only block Basic authentication
requests for users that exist in the cloud organization. For federated authentication, if a user doesn't exist in
Exchange Online, the username and password are forwarded to the on-premises IdP. For example, consider the
following scenario:
1. An organization has the federated domain contoso.com and uses on-premises AD FS for authentication.
2. The user ian@contoso.com exists in the on-premises organization, but not in Office 365 (there's no user
account in Azure Active Directory and no recipient object in the Exchange Online global address list).
3. An email client sends a login request to Exchange Online with the username ian@contoso.com. An
authentication policy can't be applied to the user, and the authentication request for ian@contoso.com is
sent to the on-premises AD FS.
4. The on-premises AD FS can either accept or reject the authentication request for ian@contoso.com. If the
request is accepted, a SAML token is returned to Exchange Online. As long as the SAML token's
ImmutableId value matches a user in Azure Active Directory, Azure AD will issue a user ticket to Exchange
Online (the ImmutableId value is set during Azure Active Directory Connect setup).
In this scenario, if contoso.com uses an on-premises AD FS server for authentication, the on-premises AD FS server
will still receive authentication requests for non-existent usernames from Exchange Online during a password
spray attack.

Authentication policy procedures in Exchange Online


You manage all aspects of authentication policies in Exchange Online PowerShell. The protocols and services in
Exchange Online that you can block Basic authentication for are described in the following table.

Each entry lists the protocol or service, its description, and the parameter name.

Exchange Active Sync (EAS)
Description: Used by some email clients on mobile devices.
Parameter name: AllowBasicAuthActiveSync

Autodiscover
Description: Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
Parameter name: AllowBasicAuthAutodiscover

IMAP4
Description: Used by IMAP email clients.
Parameter name: AllowBasicAuthImap

MAPI over HTTP (MAPI/HTTP)
Description: Used by Outlook 2013 and later.
Parameter name: AllowBasicAuthMapi

Offline Address Book (OAB)
Description: A copy of address list collections that are downloaded and used by Outlook.
Parameter name: AllowBasicAuthOfflineAddressBook

Outlook Service
Description: Used by the Mail and Calendar app for Windows 10.
Parameter name: AllowBasicAuthOutlookService

POP3
Description: Used by POP email clients.
Parameter name: AllowBasicAuthPop

Reporting Web Services
Description: Used to retrieve report data in Exchange Online.
Parameter name: AllowBasicAuthReportingWebServices

Outlook Anywhere (RPC over HTTP)
Description: Used by Outlook 2016 and earlier.
Parameter name: AllowBasicAuthRpc

Authenticated SMTP
Description: Used by POP and IMAP clients to send email messages.
Parameter name: AllowBasicAuthSmtp

Exchange Web Services (EWS)
Description: A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
Parameter name: AllowBasicAuthWebServices

PowerShell
Description: Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.
Parameter name: AllowBasicAuthPowerShell

Typically, when you block Basic authentication for a user, we recommend that you block Basic authentication for all
protocols. However, you can use the AllowBasicAuth* parameters (switches) on the New-AuthenticationPolicy
and Set-AuthenticationPolicy cmdlets to selectively allow or block Basic authentication for specific protocols.
For email clients and apps that don't support modern authentication, you need to allow Basic authentication for the
protocols and services that they require. These protocols and services are described in the following table:

CLIENT                      PROTOCOLS AND SERVICES
Older EWS clients           Autodiscover, EWS
Older ActiveSync clients    Autodiscover, ActiveSync
POP clients                 POP3, Authenticated SMTP
IMAP clients                IMAP4, Authenticated SMTP

NOTE
Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see
Create an app password for Office 365.

What do you need to know before you begin?


Verify that modern authentication is enabled in your Exchange Online organization (it's enabled by default).
For more information, see Enable or disable modern authentication in Exchange Online.
Verify your email clients and apps support modern authentication (see the list at the beginning of the topic).
Also, verify that your Outlook desktop clients are running the minimum required cumulative updates. For
more information, see Outlook Updates.
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Create and apply authentication policies
The steps to create and apply authentication policies to block Basic authentication in Exchange Online are:
1. Create the authentication policy.
2. Assign the authentication policy to users.
3. Wait 24 hours for the policy to be applied to users, or force the policy to be immediately applied.
These steps are described in the following sections.
Step 1: Create the authentication policy
To create a policy that blocks Basic authentication for all available client protocols in Exchange Online (the
recommended configuration), use the following syntax:

New-AuthenticationPolicy -Name "<Descriptive Name>"

This example creates an authentication policy named Block Basic Auth.

New-AuthenticationPolicy -Name "Block Basic Auth"


For detailed syntax and parameter information, see New-AuthenticationPolicy.
Notes:
• You can't change the name of the policy after you create it (the Name parameter isn't available on the Set-AuthenticationPolicy cmdlet).
• To enable Basic authentication for specific protocols in the policy, see the Modify authentication policies section later in this topic. The same protocol settings are available on the New-AuthenticationPolicy and Set-AuthenticationPolicy cmdlets, and the steps to enable Basic authentication for specific protocols are the same for both cmdlets.
Step 2: Assign the authentication policy to users
The methods that you can use to assign authentication policies to users are described in this section:
Individual user accounts: Use the following syntax:

Set-User -Identity <UserIdentity> -AuthenticationPolicy <PolicyIdentity>

This example assigns the policy named Block Basic Auth to the user account laura@contoso.com.

Set-User -Identity laura@contoso.com -AuthenticationPolicy "Block Basic Auth"

Filter user accounts by attributes: This method requires that the user accounts all share a unique
filterable attribute (for example, Title or Department) that you can use to identify the users. The syntax uses
the following commands (two to identify the user accounts, and the other to apply the policy to those users):

$<VariableName1> = Get-User -ResultSize unlimited -Filter <Filter>
$<VariableName2> = $<VariableName1>.MicrosoftOnlineServicesID
$<VariableName2> | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

This example assigns the policy named Block Basic Auth to all user accounts whose Title attribute contains
the value "Sales Associate".

$SalesUsers = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')}
$Sales = $SalesUsers.MicrosoftOnlineServicesID
$Sales | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

Use a list of specific user accounts: This method requires a text file to identify the user accounts. Values
that don't contain spaces (for example, the Office 365 work or school account) work best. The text file must
contain one user account on each line like this:
akol@contoso.com

tjohnston@contoso.com

kakers@contoso.com

The syntax uses the following two commands (one to identify the user accounts, and the other to apply the
policy to those users):

$<VariableName> = Get-Content "<text file>"
$<VariableName> | foreach {Set-User -Identity $_ -AuthenticationPolicy <PolicyIdentity>}

This example assigns the policy named Block Basic Auth to the user accounts specified in the file C:\My Documents\BlockBasicAuth.txt.

$BBA = Get-Content "C:\My Documents\BlockBasicAuth.txt"
$BBA | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

Filter on-premises Active Directory user accounts that are synchronized to Exchange Online: For
details, see the Filter on-premises Active Directory user accounts that are synchronized to Exchange Online
section in this topic.

NOTE
To remove the policy assignment from users, use the value $null for the AuthenticationPolicy parameter on the Set-User
cmdlet.

Step 3: (Optional) Immediately apply the authentication policy to users


By default, when you create or change the authentication policy assignment on users or update the policy, the
changes take effect within 24 hours. If you want the policy to take effect within 30 minutes, use the following
syntax:

Set-User -Identity <UserIdentity> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

This example immediately applies the authentication policy to the user laura@contoso.com.

Set-User -Identity laura@contoso.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

This example immediately applies the authentication policy to multiple users that were previously identified by
filterable attributes or a text file. This example works if you're still in the same PowerShell session and you haven't
changed the variables you used to identify the users (you didn't use the same variable name afterwards for some
other purpose). For example:

$Sales | foreach {Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

or

$BBA | foreach {Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

View authentication policies


To view a summary list of the names of all existing authentication policies, run the following command:

Get-AuthenticationPolicy | Format-Table Name -Auto

To view detailed information about a specific authentication policy, use this syntax:

Get-AuthenticationPolicy -Identity <PolicyIdentity>

This example returns detailed information about the policy named Block Basic Auth.

Get-AuthenticationPolicy -Identity "Block Basic Auth"

For detailed syntax and parameter information, see Get-AuthenticationPolicy.


Modify authentication policies
By default, when you create a new authentication policy without specifying any protocols, Basic authentication is
blocked for all client protocols in Exchange Online. In other words, the default value of the AllowBasicAuth*
parameters (switches) is False for all protocols.
To enable Basic authentication for a specific protocol that's disabled, specify the switch without a value.
To disable Basic authentication for a specific protocol that's enabled, you can only use the value :$false.

You can use the Get-AuthenticationPolicy cmdlet to see the current status of the AllowBasicAuth* switches in
the policy.
This example enables basic authentication for the POP3 protocol and disables basic authentication for the IMAP4
protocol in the existing authentication policy named Block Basic Auth.

Set-AuthenticationPolicy -Identity "Block Basic Auth" -AllowBasicAuthPop -AllowBasicAuthImap:$false

For detailed syntax and parameter information, see Set-AuthenticationPolicy.


Configure the default authentication policy
The default authentication policy is assigned to all users who don't already have a specific policy assigned to them.
Note that the authentication policies assigned to users take precedence over the default policy. To configure the
default authentication policy for the organization, use this syntax:

Set-OrganizationConfig -DefaultAuthenticationPolicy <PolicyIdentity>

This example configures the authentication policy named Block Basic Auth as the default policy.

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

NOTE
To remove the default authentication policy designation, use the value $null for the DefaultAuthenticationPolicy
parameter.

Remove authentication policies


To remove an existing authentication policy, use this syntax:

Remove-AuthenticationPolicy -Identity <PolicyIdentity>

This example removes the policy named Test Auth Policy.

Remove-AuthenticationPolicy -Identity "Test Auth Policy"

For detailed syntax and parameter information, see Remove-AuthenticationPolicy.


How do you know that you've successfully disabled Basic authentication in Exchange Online?
To confirm that the authentication policy was applied to users:
1. Run the following command to find the distinguished name (DN) value of the authentication policy:

Get-AuthenticationPolicy | Format-List Name,DistinguishedName

2. Use the DN value of the authentication policy in the following command:

Get-User -Filter {AuthenticationPolicy -eq '<AuthPolicyDN>'}

For example:

Get-User -Filter {AuthenticationPolicy -eq 'CN=Block Basic Auth,CN=Auth Policies,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR11B009,DC=PROD,DC=OUTLOOK,DC=COM'}

When an authentication policy blocks Basic authentication requests from a specific user for a specific protocol in
Exchange Online, the response is 401 Unauthorized . No additional information is returned to the client to avoid
leaking any additional information about the blocked user. An example of the response looks like this:

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: 413ee498-f337-4b0d-8ad5-50d900eb1f72
X-CalculatedBETarget: DM5PR2101MB0886.namprd21.prod.outlook.com
X-BackEndHttpStatus: 401
Set-Cookie: MapiRouting=#################################################; path=/mapi/; secure; HttpOnly
X-ServerApplication: Exchange/15.20.0485.000
X-RequestId: {3146D993-9082-4D57-99ED-9E7D5EA4FA56}:8
X-ClientInfo: {B0DD130A-CDBF-4CFA-8041-3D73B4318010}:59
X-RequestType: Bind
X-DiagInfo: DM5PR2101MB0886
X-BEServer: DM5PR2101MB0886
X-Powered-By: ASP.NET
X-FEServer: MA1PR0101CA0031
WWW-Authenticate: Basic Realm="",Basic Realm=""
Date: Wed, 31 Jan 2018 05:15:08 GMT
Content-Length: 0
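
To complement the per-policy check above, the following added example (not Microsoft's code) reports, for each user, which protocols still accept Basic authentication once the assigned policy, the default policy, and the AllowBasicAuth* switches are combined. The function name, the "Legacy POP clients" policy, and the sample objects are constructed. It assumes Get-User reports the assigned policy by name or distinguished name and that Get-OrganizationConfig exposes a DefaultAuthenticationPolicy property.

```powershell
# Added example, not Microsoft's code. Function name and sample objects are constructed.
function Get-BasicAuthExposure {
    [CmdletBinding()]
    param(
        # User objects, for example from Get-User -ResultSize unlimited.
        [Parameter(Mandatory)] [object[]]$User,
        # Policy objects, for example from Get-AuthenticationPolicy.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Policy,
        # Name of the organization's default policy, if one is configured.
        [string]$DefaultPolicy
    )
    # Index policies by name and by DN (assumption: Get-User may report either form).
    $index = @{}
    foreach ($p in $Policy) {
        $index["$($p.Name)"] = $p
        if ($p.DistinguishedName) { $index["$($p.DistinguishedName)"] = $p }
    }

    foreach ($u in $User) {
        # A policy assigned to the user takes precedence over the default policy.
        $effective = "$($u.AuthenticationPolicy)"
        $source = 'Assigned'
        if (-not $effective) { $effective = $DefaultPolicy; $source = 'Default' }

        if (-not $effective) {
            $source  = 'None'
            $allowed = 'All protocols (no authentication policy applies)'
        } elseif (-not $index.ContainsKey($effective)) {
            $allowed = 'Unknown (policy not in the supplied list)'
        } else {
            # Every AllowBasicAuth* switch that is True is a protocol still open to Basic authentication.
            $open = @($index[$effective].PSObject.Properties |
                Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
                ForEach-Object { $_.Name -replace '^AllowBasicAuth' } |
                Sort-Object)
            if ($open.Count -eq 0) { $allowed = 'None' } else { $allowed = $open -join ', ' }
        }

        [pscustomobject]@{
            User                = $u.MicrosoftOnlineServicesID
            Policy              = $effective
            Source              = $source
            BasicAuthAllowedFor = $allowed
        }
    }
}

# Constructed sample data; only three of the AllowBasicAuth* switches are shown.
$policies = @(
    [pscustomobject]@{ Name = 'Block Basic Auth'
                       AllowBasicAuthPop = $false; AllowBasicAuthImap = $false; AllowBasicAuthSmtp = $false }
    [pscustomobject]@{ Name = 'Legacy POP clients'
                       AllowBasicAuthPop = $true;  AllowBasicAuthImap = $false; AllowBasicAuthSmtp = $true }
)
$users = @(
    [pscustomobject]@{ MicrosoftOnlineServicesID = 'laura@contoso.com';  AuthenticationPolicy = 'Block Basic Auth' }
    [pscustomobject]@{ MicrosoftOnlineServicesID = 'akol@contoso.com';   AuthenticationPolicy = 'Legacy POP clients' }
    [pscustomobject]@{ MicrosoftOnlineServicesID = 'kakers@contoso.com'; AuthenticationPolicy = $null }
)
Get-BasicAuthExposure -User $users -Policy $policies -DefaultPolicy 'Block Basic Auth' | Format-Table -AutoSize

# Against a live organization:
# Get-BasicAuthExposure -User (Get-User -ResultSize unlimited) -Policy (Get-AuthenticationPolicy) `
#     -DefaultPolicy (Get-OrganizationConfig).DefaultAuthenticationPolicy
```

Rows where BasicAuthAllowedFor is anything other than None are the accounts still reachable by Basic authentication requests, and so the ones to review first.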

Filter on-premises Active Directory user accounts that are synchronized to Exchange Online

This method uses one specific attribute as a filter for on-premises Active Directory group members that will be
synchronized with Exchange Online. This method allows you to disable legacy protocols for specific groups
without affecting the entire organization.
Throughout this example, we'll use the Department attribute, because it's a common attribute that identifies
users based on their department and role. To see all Active Directory user extended properties, go to Active
Directory: Get-ADUser Default and Extended Properties.
Step 1: Find the Active Directory users and set the Active Directory user attributes
Get the members of an Active Directory group
These steps require the Active Directory module for Windows PowerShell. To install this module on your PC, you
need to download and install the Remote Server Administration Tools (RSAT).
Run the following command in Active Directory PowerShell to return all groups in Active Directory:
Get-ADGroup -Filter * | select -Property Name

After you get the list of groups, you can query which users belong to those groups and create a list based on any of
their attributes. We recommend using the objectGuid attribute because the value is unique for each user.

Get-ADGroupMember -Identity "<GroupName>" | select -Property objectGuid

This example returns the objectGuid attribute value for the members of the group named Developers.

Get-ADGroupMember -Identity "Developers" | select -Property objectGuid

Set the filterable user attribute


After you identify the Active Directory group that contains the users, you need to set the attribute value that will be
synchronized with Exchange Online to filter users (and ultimately disable Basic authentication for them).
Use the following syntax in Active Directory PowerShell to configure the attribute value for the members of the
group that you identified in the previous step. The first command identifies the group members based on their
objectGuid attribute value. The second command assigns the Department attribute value to the group members.

$variable1 = Get-ADGroupMember -Identity "<GroupName>" | select -ExpandProperty "objectGUID"; Foreach ($user in $variable1) {Set-ADUser -Identity $user.ToString() -Add @{Department="<DepartmentName>"}}

This example sets the Department attribute to the value "Developer" for users that belong to the group named
"Developers".

$variable1 = Get-ADGroupMember -Identity "Developers" | select -ExpandProperty "objectGUID"; Foreach ($user in $variable1) {Set-ADUser -Identity $user.ToString() -Add @{Department="Developer"}}

Use the following syntax in Active Directory PowerShell to verify the attribute was applied to the user accounts
(now or in the past):

Get-ADUser -Filter {(Department -eq '<DepartmentName>')} -Properties Department

This example returns all user accounts with the value "Developer" for the Department attribute.

Get-ADUser -Filter {(Department -eq 'Developer')} -Properties Department

Step 2: Disable legacy authentication in Exchange Online

NOTE
The attribute values for on-premises users are synchronized to Exchange Online only for users that have a valid Exchange
Online license. For more information, see Assign licenses to users in Office 365 for business.

The Exchange Online PowerShell syntax uses the following commands (two to identify the user accounts, and the
other to apply the policy to those users):
$<VariableName1> = Get-User -ResultSize unlimited -Filter <Filter>
$<VariableName2> = $<VariableName1>.MicrosoftOnlineServicesID
$<VariableName2> | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

This example assigns the policy named Block Basic Auth to all synchronized user accounts whose Department
attribute contains the value "Developer".

$developerUsers = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (department -like '*developer*')}
$developers = $developerUsers.MicrosoftOnlineServicesID
$developers | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth"}

If you connect to Exchange Online PowerShell in an Active Directory PowerShell session, you can use the
following syntax to apply the policy to all members of an Active Directory group.
This example creates a new authentication policy named Marketing Policy that disables Basic authentication for
members of the Active Directory group named Marketing Department for ActiveSync, POP3, authenticated SMTP,
and IMAP4 clients.

NOTE
A known limitation in Active Directory PowerShell prevents the Get-AdGroupMember cmdlet from returning more than
5000 results. Therefore, the following example only works for Active Directory groups that have fewer than 5000 members.

New-AuthenticationPolicy -Name "Marketing Policy" -AllowBasicAuthActiveSync $false -AllowBasicAuthPop $false -AllowBasicAuthSmtp $false -AllowBasicAuthImap $false
$users = Get-ADGroupMember "Marketing Department"
foreach ($user in $users) {Set-User -Identity $user.SamAccountName -AuthenticationPolicy "Marketing Policy"}
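
One way to cross-check this procedure, added here as an example and not taken from the original documentation: it compares the accounts that the Department filter selects with the accounts that the authentication-policy DN filter returns, and reports the gaps in both directions. The function name Compare-AuthPolicyCoverage and the sample accounts are hypothetical; the commented lines at the end show the page's own Get-User queries that would supply live input.

```powershell
# Added example: compares "who should have the policy" with "who has it".
# Compare-AuthPolicyCoverage is a hypothetical helper, not an Exchange cmdlet.
function Compare-AuthPolicyCoverage {
    [CmdletBinding()]
    param(
        # Accounts selected by the attribute filter (Step 2, first command).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Intended,
        # Accounts returned by Get-User -Filter {AuthenticationPolicy -eq '<AuthPolicyDN>'}.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assigned
    )

    $ignoreCase  = [System.StringComparer]::OrdinalIgnoreCase
    $assignedIds = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)
    $intendedIds = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)

    # Index the accounts that already carry the policy by sign-in ID.
    foreach ($u in $Assigned) {
        if (-not [string]::IsNullOrWhiteSpace($u.MicrosoftOnlineServicesID)) {
            [void]$assignedIds.Add($u.MicrosoftOnlineServicesID.Trim())
        }
    }

    foreach ($u in $Intended) {
        $id = $u.MicrosoftOnlineServicesID
        if ([string]::IsNullOrWhiteSpace($id)) {
            # The Step 2 pipeline would hand Set-User an empty -Identity here.
            [pscustomobject]@{ Account = $u.Name; State = 'NoSignInId' }
            continue
        }
        $id = $id.Trim()
        [void]$intendedIds.Add($id)
        $state = if ($assignedIds.Contains($id)) { 'Covered' } else { 'Missing' }
        [pscustomobject]@{ Account = $id; State = $state }
    }

    # Accounts that carry the policy but are not selected by the filter.
    foreach ($id in $assignedIds) {
        if (-not $intendedIds.Contains($id)) {
            [pscustomobject]@{ Account = $id; State = 'OutsideFilter' }
        }
    }
}

# Constructed sample accounts so the comparison runs without a tenant.
$intended = @(
    [pscustomobject]@{ Name = 'Dev One';   MicrosoftOnlineServicesID = 'dev1@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'Dev Two';   MicrosoftOnlineServicesID = 'Dev2@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'Dev Three'; MicrosoftOnlineServicesID = '' }
)
$assigned = @(
    [pscustomobject]@{ Name = 'Dev Two'; MicrosoftOnlineServicesID = 'dev2@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'Ops One'; MicrosoftOnlineServicesID = 'ops1@contoso.onmicrosoft.com' }
)
Compare-AuthPolicyCoverage -Intended $intended -Assigned $assigned | Format-Table -AutoSize

# Live input in an Exchange Online PowerShell session (queries from this page).
# @() keeps an empty result from being passed as $null.
# $intended = @(Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (department -like '*developer*')})
# $assigned = @(Get-User -ResultSize unlimited -Filter {AuthenticationPolicy -eq '<AuthPolicyDN>'})
```

Rows in the Missing state are the ones to re-run Set-User against; rows in the OutsideFilter state show accounts that received the policy by some other route.
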
Enable modern authentication in Exchange Online
4/5/2019

Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA)
using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern
authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
When you enable modern authentication in Exchange Online, Outlook 2013 or later clients use modern
authentication to log in to Exchange Online mailboxes. For more information, see How modern authentication
works for Office client apps.
When you disable modern authentication in Exchange Online, Outlook 2013 or later uses basic authentication to
log in to Exchange Online mailboxes. They don't use modern authentication.
Notes:
Modern authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint
Online.
Enabling or disabling modern authentication in Exchange Online as described in this topic only affects
modern authentication connections by Outlook 2013 or later clients.
Other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac
2016, and Exchange ActiveSync in iOS 11 or later) always use modern authentication to log in to Exchange
Online mailboxes, regardless of whether you enable or disable modern authentication for Outlook 2013 or
later clients as described in this topic.
You should synchronize the state of modern authentication in Exchange Online with Skype for Business
Online to prevent multiple log in prompts in Skype for Business clients. For instructions, see Skype for
Business Online: Enable your tenant for modern authentication.

Enable or disable modern authentication in Exchange Online for client connections in Outlook 2013 or later
1. Connect to Exchange Online PowerShell.
2. Do one of these steps:
Run the following command to enable modern authentication connections to Exchange Online by
Outlook 2013 or later clients:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Note that the previous command does not block Outlook 2013 or later clients from using basic
authentication connections.
Run the following command to prevent modern authentication connections (force the use of basic
authentication connections) to Exchange Online by Outlook 2013 or later clients:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

3. To verify that the change was successful, run the following command:
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

See also
Using Office 365 modern authentication with Office clients
Monitoring, reporting, and message tracing in Exchange Online
3/29/2019

Exchange Online offers many different reports that can help you determine the overall status and health of your
organization. There are also tools to help you troubleshoot specific events (such as a message not arriving to its
intended recipients), and auditing reports to aid with compliance requirements. The following table describes the
reports and troubleshooting tools that are available to Exchange Online administrators.

NOTE
For a mapping of reports from the old Office 365 admin center, see Where did my Office 365 report go?

FEATURE: Usage reports in the Office 365 admin center
DESCRIPTION:
Office 365 groups activity: View information about the number of Office 365 groups that are created and used.
Email activity: View information about the number of messages sent, received and read in your whole organization, and by specific users.
Email app usage: View information about the email apps that are connecting to Exchange Online. This includes the total number of connections for each app, and the versions of Outlook that are connecting.
Mailbox usage: View information about storage used, quota consumption, item count, and last activity (send or read activity) for mailboxes.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Reports > Usage. At the top of the dashboard, click Select a report. In the drop-down list that appears, make one of these selections:
Office 365 section: Office 365 groups activity
Exchange section: Email activity, Email app usage, Mailbox usage
FOR MORE INFORMATION:
Office 365 Reports in the admin center - Office 365 groups
Office 365 Reports in the Admin Center - Email activity
Office 365 Reports in the Admin Center - Email apps usage
Office 365 Reports in the Admin Center - Mailbox usage

FEATURE: Security & compliance reports in the Office 365 admin center
DESCRIPTION: These enhanced reports provide an interactive reporting experience for Exchange Online admins, which includes summary information, and the ability to drill down for more details.
Data loss prevention (DLP): View information about DLP policies and rules that affect messages containing sensitive data as they enter and leave your organization.
Note: DLP is only available in certain Exchange Online subscription plans. For information, see the Data Loss Prevention entries in the Exchange Online Service Description.
Advanced Threat Protection (ATP): View information about safe links and safe attachments that are part of ATP.
Note: ATP is available in Office 365 Enterprise E5, but you can also purchase ATP as an add-on to other subscription plans. For more information, see Office 365 Advanced Threat Protection Service Description.
Exchange Online Protection (EOP): View information about malware detections, spoofed mail, spam detections, and mail flow to and from your organization.
WHERE YOU CAN FIND IT: In the Office 365 Security & Compliance Center at https://protection.office.com, click Reports > Dashboard. Select one of the reports that are available on the page:
DLP reports: DLP policy matches and DLP false positives and overrides.
ATP reports: ATP file types, ATP message disposition, and Threat protection status.
EOP reports: Malware detections, Top malware, Top senders and recipients, Spoof mail, Spam detections, and Sent and received mail.
FOR MORE INFORMATION:
View the reports for data loss prevention
View reports for Advanced Threat Protection and Exchange Online Protection

FEATURE: Custom reports using Microsoft Graph
DESCRIPTION: Programmatically create the reports that are available in the Office 365 admin center by using Microsoft Graph
WHERE YOU CAN FIND IT: n/a
FOR MORE INFORMATION: The subtopics of Working with Office 365 usage reports in Microsoft Graph

FEATURE: Custom reports using reporting web services
DESCRIPTION: Programmatically create reports from the available Exchange Online PowerShell reporting cmdlets by using REST/ODATA2 query filtering.
Note: Many of the original Exchange Online PowerShell reporting cmdlets have been deprecated and replaced by similar reports in Microsoft Graph. For more information, see Reporting cmdlets in Exchange Online.
WHERE YOU CAN FIND IT: https://reports.office365.com/ecp/reportingwebservice/reporting.svc
FOR MORE INFORMATION: Office 365 Reporting Web Services

FEATURE: Message trace
DESCRIPTION: Follows email messages as they travel through your Exchange Online organization. You can determine if an email message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
You can use this information to efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and alleviate the need to contact technical support for assistance.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Admin centers > Exchange. In the new Exchange admin center page that opens, go to Mail flow > Message trace.
FOR MORE INFORMATION:
Trace an email message
To learn how to use message trace and other tools for troubleshooting, watch the video at Find and fix email delivery issues as an Office 365 for business admin.

FEATURE: Audit logging
DESCRIPTION: Tracks specific changes made by admins to your Exchange Online organization. These reports help you meet regulatory, compliance, and litigation requirements.
WHERE YOU CAN FIND IT: In the Office 365 admin center at https://portal.office.com/adminportal/home, click Admin centers > Exchange Online Protection. In the new Exchange admin center page that opens, go to Compliance management > Auditing.
FOR MORE INFORMATION: Exchange auditing reports

Reporting and message trace data availability and latency


The following table describes when Exchange Online reporting and message trace data is available and for how
long.

REPORT TYPE: Mailbox summary reports
DATA AVAILABLE FOR (LOOK BACK PERIOD): 60 days
LATENCY: Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.

REPORT TYPE: Mail protection summary reports
DATA AVAILABLE FOR (LOOK BACK PERIOD): 90 days
LATENCY: Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.

REPORT TYPE: Mail protection detail reports
DATA AVAILABLE FOR (LOOK BACK PERIOD): 90 days
LATENCY: For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days.
To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.

REPORT TYPE: Message trace data
DATA AVAILABLE FOR (LOOK BACK PERIOD): 90 days
LATENCY: When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes.
When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.

NOTE
Data availability and latency is the same whether requested via the Office 365 admin center or remote PowerShell.
Use mail protection reports in Office 365 to view data about malware, spam, and rule detections
3/4/2019

If you're an Exchange Online or Exchange Online Protection (EOP) admin, there's a good chance you'd like to
monitor how much spam and malware is being detected, or how often your mail flow rules (also known as
transport rules) are being matched. With the interactive mail protection reports in the Office 365 Security &
Compliance Center, you can quickly get a visual report of summary data, and drill-down into details about
individual messages, for as far back as 90 days.

Reports are now available in the Security & Compliance Center


If you were viewing mail protection reports in the Exchange admin center, they've been updated, improved, and
moved to the Security & Compliance Center.
To get to the Security & Compliance Center, visit https://protection.office.com, and sign in using your work or
school account.

NOTE
You must be an Office 365 global administrator or have appropriate permissions assigned in order to use the Security &
Compliance Center. For more details, see Permissions in the Office 365 Security & Compliance Center.

Reporting overview
The following table describes the types of reports that are available, how to find them, and where to go to learn
more.

TYPE OF INFORMATION: Threat management dashboard (this is also referred to as the Security dashboard and the Threat Intelligence dashboard).
Threat detections, malware trends, top targeted users, details about sent and received email messages, and more.
HOW TO GET THERE: In the Security & Compliance Center, go to Threat management > Dashboard.
WHERE TO GO TO LEARN MORE: Security dashboard overview

TYPE OF INFORMATION: Advanced Threat Protection and email security reports
Email security and threat protection reports (including malware, spam, phishing, and spoofing reports).
HOW TO GET THERE: In the Security & Compliance Center, go to Reports > Dashboard.
WHERE TO GO TO LEARN MORE:
View reports for Office 365 Advanced Threat Protection
View email security reports in the Security & Compliance Center

TYPE OF INFORMATION: Mail flow
Information about sent and received email messages, recent alerts, top senders and recipients, email forwarding reports, and more.
HOW TO GET THERE: In the Security & Compliance Center, go to Mail flow > Dashboard.
WHERE TO GO TO LEARN MORE: Mail flow insights in the Office 365 Security & Compliance Center

Related topics
Reports and insights in the Office 365 Security & Compliance Center
Customize and schedule mail protection reports in Office 365 to be automatically sent to your inbox
3/4/2019

As an Exchange Online or Exchange Online Protection (EOP) admin, you probably want to keep an eye on your
organization's mail flow, how much spam and malware is being detected, or how often your rules and policies are
being matched. By using mail protection reports, you'll get a quick summary of the messages that Office 365 has
delivered or rejected based on spam or malware characteristics, rules, or data loss prevention (DLP) policies.
You can choose to either schedule mail protection reports to be sent to your inbox automatically, or you can view
them any time in the Office 365 Security & Compliance Center.
To get started customizing and downloading reports, see the following resources:
Set up and download a custom report in the Security & Compliance Center
Download existing reports in the Security & Compliance Center
Manage schedules for multiple reports in the Security & Compliance Center

Related topics
Smart reports and insights in the Security & Compliance Center
View email security reports in the Security & Compliance Center
Mail flow insights in the Office 365 Security & Compliance Center
What happened to delivery reports in Office 365?
3/4/2019

Delivery reports was a feature in Office 365 that allowed users and administrators to discover and view delivery
information about messages.
In Office 365, delivery reports for administrators has been replaced by message trace. For more information, see
these topics:
Using Message Trace
Trace an email message
Currently, there's no direct replacement for delivery reports for users, so the delivery report links in Outlook and
Outlook on the web don't go anywhere.
Notes
Delivery reports for users and administrators is still available in on-premises Exchange environments. For
more information, see Track messages with delivery reports.
Read receipts and delivery notifications aren't related to delivery reports, and are still available in Office 365.
For more information, see Add and request read receipts and delivery notifications.
Trace an email message
3/4/2019

Sometimes an email message gets lost in transit, or it can take a lot longer than expected for delivery, and your
users can wonder what happened. As an administrator, you can use the message trace feature to follow messages
as they pass through your Exchange Online or Exchange Online Protection service. With message tracing, you can
determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also
shows what events have occurred to the message before reaching its final status. Getting detailed information
about a specific message lets you efficiently answer your user's questions, troubleshoot mail flow issues, validate
policy changes, and it alleviates the need to contact technical support for assistance.

TIP
For troubleshooting general issues and trends, use the reports in the Office 365 admin center or the Excel reporting
workbook. For single point specifics where details are needed about a message, use the message trace tool.

Run a Message Trace and View Results describes how to run a message trace to narrow down your search criteria.
It also describes how to view message trace results, and how to view details about a specific message.
The Message Trace FAQ topic presents common messaging questions that arise and how to best answer these
questions using the message trace tool.
Run a message trace and view the results in the Exchange admin center
3/4/2019

NOTE
Message trace is available in the Office 365 Security & Compliance Center. For more information, see Message trace in the Office 365 Security & Compliance Center.

As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the
message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message
is more than 7 days old, you can only view the results in a downloadable .CSV file.
For a video walkthrough of message trace and other mail flow troubleshooting tools, see Find and fix email delivery issues as an Office 365 for business admin.

What do you need to know before you begin?


For information about when data is available and for how long, see the Reporting and message trace data availability and latency section in Reporting and
message trace in Exchange Online Protection.
To find and open the EAC, see Exchange admin center in Exchange Online.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Message trace" entry
in the Feature permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If you're an Office 365 for business admin, you can contact
Office 365 for business support.

Run a message trace


1. In the EAC, go to Mail flow > message trace.

2. Depending on what you're searching for, you can enter values in the following fields. None of these fields are required for messages that are less than 7 days old. You can simply click Search to retrieve all message trace data over the default time period, which is the past 48 hours.

   - Date range: Using the drop-down list, select to search for messages sent or received within the past 24 hours, 48 hours, or 7 days. You can also select a custom time frame that includes any range within the past 90 days. For custom searches you can also change the time zone, in Coordinated Universal Time (UTC).

   - Delivery status: Using the drop-down list, select the status of the message you want to view information about. Leave the default value of All to cover all statuses. Other possible values are:
       Delivered: The message was successfully delivered to the intended destination.
       Failed: The message was not delivered. Either it was attempted and failed or it was not delivered as a result of actions taken by the filtering service. For example, if the message was determined to contain malware.
       Pending*: Delivery of the message is being attempted or re-attempted.
       Expanded: The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.
       Unknown*: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.
       *If you're searching for messages that are older than 7 days, you can't select Pending or Unknown.

   - Message ID: This is the Internet message ID (also known as the Client ID) found in the message header in the Message-ID: header field. Users can provide you with this information in order to investigate specific messages.
     The form of this ID varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.
     This ID should be unique; however, not all sending mail systems behave the same way. As a result, there's a possibility that you may get results for multiple messages when querying upon a single Message ID.
     Note: Be sure to include the full Message ID string. This may include angle brackets (<>).

   - Sender: You can narrow the search for specific senders by clicking the Add sender button next to the Sender field. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click Add. To add senders who aren't on the list, type their email addresses and click Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other addresses can't be used. When you're done with your selections, click OK.

   - Recipient: You can narrow the search for specific recipients by clicking the Add recipient button next to the Recipient field. In the subsequent dialog box, select one or more recipients from your company from the user picker list and then click Add. To add recipients who aren't on the list, type their email addresses and click Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other addresses can't be used. When you're done with your selections, click OK.

3. If you're searching for messages that are older than 7 days, configure the following settings (otherwise you can skip this step):

   - Include message events and routing details with report: We recommend selecting this check box only if you're looking for a small number of messages. Otherwise, the results will take longer to return.
   - Direction: Leave the default All or select Inbound for messages sent to your organization or Outbound for messages sent from your organization.
   - Original client IP address: Specify the IP address of the sender's client.
   - Report title: Specify the unique identifier for this report. This will also be used as the subject line text for the email notification. The default is "Message trace report <day of the week>, <current date> <current time>". For example, "Message trace report Thursday, October 17, 2018 7:21:09 AM".
   - Notification email address: Specify the email address that you want to receive the notification when the message trace completes. This address must reside within your list of accepted domains.

4. Click Search to run the message trace. You'll be warned if you're nearing the threshold of the amount of traces you're allowed to run over a 24 hour period.

After running your message trace, proceed to one of the next sections to read about how to view your results.
Note: To search for a different message, you can click the Clear button and then specify new search criteria.

View message trace results for messages less than 7 days old
After you run a message trace in the EAC, the results will be listed, sorted by date, with the most recent message appearing first. You can sort on any of the listed
fields by clicking their headers. Clicking a column header a second time will reverse the sort order. When viewing message trace results, the following information is
provided about each message:
Date: The date and time at which the message was received by the service, using the configured UTC time zone.
Sender: The email address of the sender in the form alias@domain.
Recipient: The email address of the recipient or recipients. For messages sent to more than one recipient, there is one line per recipient. If the recipient is a
distribution list, the distribution list will be the first recipient, and then each member of the distribution list will be included on a separate line so that you can
check the status for all recipients.
Subject: The subject line text of the message. If necessary, this is truncated to the first 256 characters.
Status: This field specifies whether the message was Delivered to the recipient or the intended destination, Failed to be delivered to the recipient (either
because it failed to reach its destination or because it was filtered), is Pending delivery (it is either in the process of being delivered or the delivery was
deferred but is being re-attempted), was Expanded (there was no delivery because the message was sent to a distribution list (DL) that was expanded to the
recipients of the DL), or has a status of None (there is no status of delivery for the message to the recipient because the message was either rejected or
redirected to a different recipient).

NOTE
The message trace can display a maximum of 500 entries. By default, the user interface displays 50 entries per page, and you can navigate through the pages. You can also change the
entry size of each page up to 500.

View details about a specific message less than 7 days old


After you review the list of items returned by running the message trace in the EAC, you can double-click an individual message to view the following additional
details about the message:
Message size: The size of the message, including attachments, in kilobytes (KB), or, if the message size is greater than 999 KBs, in megabytes (MB).
Message ID: This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. The form of this
ID varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@contoso.com>.
This ID should be unique; however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a
result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.
This is given as output so that trace entries and the messages in question can be correlated.
To IP: The IP address or addresses to which the service attempted to deliver the message. If there are multiple recipients, these are displayed. For inbound
messages sent to Exchange Online, this value is blank.
From IP: The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.
In the events section, the following fields provide information about the events that occurred to the message as it passed through the messaging pipeline:
Date: The date and time that the event occurred.
Event: This field briefly informs you of what happened, for example if the message was received by the service, if it was delivered or failed to be delivered to
the intended recipient, and so on. The following are examples of events that may be listed:
RECEIVE: The message was received by the service.
SEND: The message was sent by the service.
FAIL: The message failed to be delivered.
DELIVER: The message was delivered to a mailbox.
EXPAND: The message was sent to a distribution group that was expanded.
TRANSFER: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
DEFER: The message delivery was postponed and may be re-attempted later.
RESOLVED: The message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient
address is listed in a separate row in the message trace along with the final delivery status for the message.

TIP
Additional events may appear; for more information about these, see the "Event types in the message tracking log" section in Message Tracking.

Action: This field shows the action that was performed if the message was filtered due to a malware or spam detection or a rule match. For example, it will let
you know if the message was deleted or if it was sent to the quarantine.
Detail: This field provides detailed information that elaborates on what happened. For example, it may inform you which specific mail flow rule (also known as
a transport rule) was matched, and what happened to the message as a result of that match. It can also inform you which specific malware was detected in
which specific attachment, or why a message was detected as spam. If the message was successfully delivered, it can tell you the IP address to which it was
delivered.

View message trace results for messages more than 7 days old
If you run a message trace for items that are older than 7 days, when you click Search a message should appear letting you know that the message was successfully
submitted, and that an email notification will be sent to the supplied email address when the trace has completed. (If the message trace is processed and data that
matches your search criteria is successfully retrieved, this notification message will include information about the trace and a link to the downloadable .CSV file. If no
data was found that matched the search criteria you specified, you'll be asked to submit a new request with changed criteria in order to obtain valid results.)
In the EAC, you can click View pending or completed traces in order to view a list of traces that were run for items that are older than 7 days. In the resulting UI, the
list of traces is sorted based on the date and time that they were submitted, with the most recent submissions appearing first. In addition to the report title, the date
and time the trace was submitted, and the number of messages in the report, the following status values are listed:
Not started: The trace was submitted but is not yet running. At this point, you have the option to cancel the trace.
Cancelled: The trace was submitted but was cancelled.
In progress: The trace is running and you can't cancel the trace or download the results.
Completed: The trace has completed and you can click Download this report to retrieve the results in a .CSV file. Note that if your message trace results
exceed 5000 messages for a summary report, it will be truncated to the first 5000 messages. If your message trace results exceed 3000 messages for a
detailed report, it will be truncated to the first 3000 messages. If you do not see all the results that you need, we recommend that you break your search out into
multiple queries.
When you select a specific message trace, additional information appears in the right pane. Depending on what search criteria you specified, this may include details
such as the date range for which the trace was run, and the sender and intended recipients of the message.

NOTE
Message traces containing data that is more than 7 days old are automatically deleted in the EAC after 10 days. They can't be manually deleted.

View report details about a specific message more than 7 days old
When you download and view a message trace report, either from View pending or completed traces in the EAC or from a notification email, its contents depend
on whether you have selected the Include message events and routing details with report option.

IMPORTANT
In order to view the downloaded message trace report, you must have the "View-Only Recipients" RBAC role assigned to your role group. By default, the following role groups have
this role assigned: Compliance Management, Help Desk, Hygiene Management, Organization Management, View-Only Organization Management.

Viewing a message trace report without routing details


If you didn't include routing details when running the message trace, the following information is included in the .CSV file, which you can open in an application such
as Microsoft Excel:
origin_timestamp: The date and time at which the message was received by the service, using the configured UTC time zone.
sender_address: The email address of the sender in the form alias@domain.
Recipient_status: The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and
the corresponding status against each, in the format: <email address>##<status>. For example, a status of:
##Receive, Send: means that the message was received by the service and sent to the intended destination.
##Receive, Fail: means that the message was received by the service but failed to be delivered to the intended destination.
##Receive, Deliver: means that the message was received by the service and delivered to the recipient's mailbox.
message_subject: The subject line text of the message. If necessary, this is truncated to the first 256 characters.
total_bytes: The size of the message, including attachments, in bytes.
message_id: This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. The form of this
varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.
This ID should be unique, however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a
result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.
This is given as output so that trace entries and the messages in question can be correlated.
network_message_id: This is a unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution
group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.
original_client_ip: The IP address of the sender's client.
directionality: This field denotes whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your
organization.
connector_id: The name of the source or destination Send connector or Receive connector. For example, ServerName\ConnectorName or ConnectorName.
delivery_priority: Denotes whether the message was sent with High, Low, or Normal priority.
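An added example (not part of the original documentation) that reads the summary report with Python: it splits recipient_status per recipient and lists Message-IDs that map to more than one network_message_id, the case the message_id caveat above warns about. The rows are constructed sample data, the function names are this example's own, and the ';' separator between recipients is an assumption.

```python
import csv
import io
from collections import defaultdict

DIRECTION = {"1": "inbound", "2": "outbound"}  # values given in the field list


def parse_recipient_status(value, sep=";"):
    """Turn '<email address>##<status>' pairs into {address: [events]}.

    The separator between recipients is an assumption (';'); a comma cannot
    be used because a status such as 'Receive, Send' contains one.
    """
    result = {}
    for pair in value.split(sep):
        address, marker, status = pair.strip().partition("##")
        if not marker:
            continue  # malformed or empty fragment
        events = [s.strip().upper() for s in status.split(",") if s.strip()]
        result[address.lower()] = events
    return result


def load_report(text):
    """Read the summary CSV; header names are lowercased before use."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k.strip().lower(): (v or "").strip()
               for k, v in raw.items() if k}
        row["recipients"] = parse_recipient_status(row.get("recipient_status", ""))
        row["direction"] = DIRECTION.get(row.get("directionality"), "unknown")
        rows.append(row)
    return rows


def failed_deliveries(rows):
    """(network_message_id, recipient) for each recipient whose status has Fail."""
    return [(r["network_message_id"], addr)
            for r in rows
            for addr, events in r["recipients"].items()
            if "FAIL" in events]


def ambiguous_message_ids(rows):
    """Message-IDs that map to more than one network_message_id."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["message_id"]].add(r["network_message_id"])
    return {mid: sorted(nids) for mid, nids in seen.items() if len(nids) > 1}


# Constructed sample report (addresses, IDs and IPs are made up).
SAMPLE_CSV = '''origin_timestamp,sender_address,Recipient_status,message_subject,total_bytes,message_id,network_message_id,original_client_ip,directionality,connector_id,delivery_priority
2019-03-01T10:00:00Z,app@example.org,"alice@example.com##Receive, Deliver;bob@example.com##Receive, Fail",Invoice,20480,<fixed-id@mailer.example.org>,aaaa1111,192.0.2.10,1,Inbound from partner,Normal
2019-03-01T10:05:00Z,app@example.org,"carol@example.com##Receive, Deliver",Reminder,10240,<fixed-id@mailer.example.org>,bbbb2222,192.0.2.10,1,Inbound from partner,Normal
2019-03-01T11:00:00Z,dave@example.com,"ext@example.net##Receive, Send",Re: Quote,4096,<unique-1@example.com>,cccc3333,198.51.100.7,2,,Normal
'''

if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print("failed:", failed_deliveries(report))
    print("reused Message-IDs:", ambiguous_message_ids(report))
```

When a Message-ID shows up in the second result, follow the individual messages by network_message_id instead.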
View a message trace report with routing details
If you included routing details when running the message trace, all information from the message tracking logs is included in the .CSV file, which you can open in an
application such as Microsoft Excel. Some of the values included in this report are described in the prior section, while other values that may be useful for
investigative purposes are described in the "Fields in the message tracking log files" section in the Message Tracking topic.
The custom_data field
Additionally, the custom_data field may contain values that are specific to the filtering service. The custom_data field in an AGENTINFO event is used by a variety of
different agents to log details from the agent's processing of the message. Some of the message data protection related agents are described below.
Spam Filter Agent (S:SFA)
A string beginning with S:SFA is an entry from the spam filter agent and provides the following key details:

LOG INFORMATION: DESCRIPTION
SFV=NSPM: The message was marked as non-spam and was sent to the intended recipients.
SFV=SPM: The message was marked as spam by the content filter.
SFV=BLK: Filtering was skipped and the message was blocked because it originated from a blocked sender.
SFV=SKS: The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a mail flow rule to automatically mark it as spam and bypass all additional filtering.
SCL=<number>: For more information about the different SCL values and what they mean, see Spam Confidence Levels.
PCL=<number>: The Phishing Confidence Level (PCL) value of the message. These can be interpreted the same way as the SCL values documented in Spam Confidence Levels.
DI=SB: The sender of the message was blocked.
DI=SQ: The message was quarantined.
DI=SD: The message was deleted.
DI=SJ: The message was sent to the recipient's Junk Email folder.
DI=SN: The message was routed through the higher risk delivery pool. For more information, see Higher risk delivery pool for Outbound Messages.
DI=SO: The message was routed through the normal outbound delivery pool.
SFS=[a] SFS=[b]: This denotes that spam rules were matched.
IPV=CAL: The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
H=[helostring]: The HELO or EHLO string of the connecting mail server.
PTR=[ReverseDNS]: The PTR record of the sending IP address, also known as the reverse DNS address.

When a message is filtered for spam, a sample custom_data entry would look similar to the following:
S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware Filter Agent (S:AMA)


A string beginning with S:AMA is an entry from the anti-malware agent and provides the following key details:

LOG INFORMATION: DESCRIPTION
AMA=SUM|v=1| or AMA=EV|v=1|: The message was determined to contain malware. SUM denotes that the malware could've been detected by any number of engines. EV denotes that the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions.
Action=r: The message was replaced.
Action=p: The message was bypassed.
Action=d: The message was deferred.
Action=s: The message was deleted.
Action=st: The message was bypassed.
Action=sy: The message was bypassed.
Action=ni: The message was rejected.
Action=ne: The message was rejected.
Action=b: The message was blocked.
Name=<malware>: The name of the malware that was detected.
File=<filename>: The name of the file that contained the malware.

When a message contains malware, a sample custom_data entry would look similar to the following:
S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename

Transport Rule Agent (S:TRA)


A string beginning with S:TRA is an entry from the Transport Rule agent and provides the following key details:

LOG INFORMATION: DESCRIPTION
ETR|ruleId=[guid]: The rule ID that was matched.
St=[datetime]: The date and time (in UTC) when the rule match occurred.
Action=[ActionDefinition]: The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.
Mode=Enforce: The mode of the rule. Possible values are:
• Enforce: All actions on the rule will be enforced.
• Test with Policy Tips: Any Policy Tip actions will be sent, but other enforcement actions will not be acted on.
• Test without Policy Tips: Actions will be listed in a log file, but senders will not be notified in any way, and enforcement actions will not be acted on.

When a message matches a mail flow rule, a sample custom_data entry would look similar to the following:
S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
For more information
Message Trace FAQ presents messaging questions that a user may have, along with possible answers. It also describes how to use the message trace tool in order to
get those answers and troubleshoot specific mail delivery issues.
Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use? gives information about the
PowerShell cmdlets that you can use to run a message trace.
Message Trace FAQ
3/29/2019 • 12 minutes to read

This topic presents messaging questions that a user may have, along with possible answers. It also describes how
to use the message trace tool in order to get those answers and troubleshoot specific mail delivery issues.

How long does it take to see results when running a message trace?
In the Exchange admin center (EAC), the search results appear immediately for messages that are less than
7 days old.
In the Office 365 Security & Compliance Center, the search results appear immediately for messages that
are less than 10 days old.
When you run a message trace for older messages, the results are returned within a few hours as a downloadable
CSV file.

How long does it take for a sent message to appear in a message trace?
When a message is sent, it should take between 5-10 minutes for the message to appear in the message trace
data.

Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use?
You can use the following cmdlets in Exchange Online PowerShell or Exchange Online Protection PowerShell to
run a message trace:
Get-MessageTrace: Trace messages that are less than 10 days old.
Get-MessageTraceDetail: View the message trace event details for a specific message.
Get-HistoricalSearch: Use this cmdlet to view information about historical searches that have been performed
within the last 10 days.
Start-HistoricalSearch: Start a new historical search for messages that are less than 90 days old.
Stop-HistoricalSearch: Stop queued historical searches that haven't started yet (the status value is NotStarted).
To connect to Exchange Online PowerShell, see Connect to Exchange Online Using Remote PowerShell.
To connect to Exchange Online Protection PowerShell, see Connect to Exchange Online Protection Using Remote
PowerShell.

Why am I getting a timeout error when running a message trace in the user interface?
The likely cause of a timeout error is that the query is taking too long to process. Consider simplifying your search
criteria. You may want to consider using the Get-MessageTrace cmdlet, which has more liberal timeout
requirements.
Why didn't I receive an expected email message?
Here are some possible reasons:
The message was detected as spam.
The message was sent to quarantine due to a rule match.
The message was rejected
  By the malware filter
    Because a file attached to the message contained malware
    Because the message body contained malware
  By a rule
    Because the action was Reject
    Because the action was Force TLS and TLS failed to be established
  By a connector because TLS was required and failed to be established
The message was sent for moderation and is awaiting approval or was rejected by the moderator.
The message was never sent.
The message is still being processed because there was a previous failure and the service is re-attempting
delivery.
The message failed to be delivered to your mailboxes
  Because the destination is not reachable
  Because the destination rejected the message
  Because the message timed out during the delivery attempt
To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results. For example, you should
know the sender and the intended recipient or recipients of the message, and the general time period when the
message was sent.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old). Look
for a delivery status of Failed or Pending to explain why the message was not received.
Confirm that the message was sent, that it was successfully received by the service, that it was not filtered,
redirected, or sent for moderation, and that it did not experience any delivery failures or delays.

Why did I receive an unexpected message?


Here are some possible reasons:
The message was released from quarantine.
The message was awaiting moderator approval and was released.
The message was spam that was not detected.
The message matched a rule that added you to the message.
The message was sent to a distribution list of which you are a member.
To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results. For example, specify the
recipient who received the message, set the delivery status to Delivered, and set the time period based on when
the message was received.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).

Why didn't someone receive my message or why did I get this non-delivery report (also known as an NDR or bounce message)?
Possible reasons include the following:
The message was detected as spam.
The message was sent to quarantine due to a rule match.
The message was re-routed because a connector sent it to another destination.
The message was rejected
  By the malware filter
    Because a file attached to the message contained malware
    Because the message body contained malware
  By a rule
    Because the action was Reject
    Because the action was Force TLS and TLS failed to be established
  By a connector because TLS was required and failed to be established
The message was sent for moderation and is awaiting approval or was rejected by the moderator.
The message was never sent.
The message is still being processed because there was a previous failure and the service is re-attempting
delivery.
The message failed to be delivered to the destination
  Because the destination is not reachable
  Because the destination rejected the message
  Because the message timed out during the delivery attempt
The message was delivered to the destination but it was deleted before it was accessed (perhaps because it
matched a rule).
To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results. For example, you should
know the sender and the intended recipient or recipients of the message, and the general time period when the
message was sent.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
Look for a delivery status of Failed or Pending to explain why the message was not delivered. Confirm that the
message was sent, that it was successfully received by the service, that it was not filtered, redirected, or sent for
moderation, and that it did not experience any delivery failures or delays. If the destination is not reachable, you
can use the To IP to help troubleshoot connectivity issues.

Why is my message taking so long to arrive to its destination? Where is it in the pipeline?
Possible reasons include the following:
The intended destination is not responsive. This is the most likely scenario.
It may be a large message that is taking a long time to process
Latency in the service may be causing delays
The message may have been blocked
To find out what happened:
Run a message trace. Use as many search criteria as possible to narrow down the results. For example, you should
know the sender and the intended recipient or recipients of the message, and the general time period when the
message was sent.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
The events section will tell you why the message was not yet delivered. When viewing the events, the timestamp
information will let you follow the message through the messaging pipeline, and tell you how long the service
takes to process each event. The event details will also inform you if the message being delivered is extremely
large or if the destination is not responsive.

Was a message marked as spam?


Messages can be marked as spam for several reasons. For example, the sending IP address may appear on one of
the service's IP Block lists. A message can be marked as spam due to the content of the actual message, such as
when it matches a rule in the spam content filter. The message trace tool only tracks spam content filter events;
connection filter events (such as blocked IP addresses) are not traceable. For more information about spam
filtering, including spam content filtering, see Anti-Spam Protection.
To find out why a message was marked as spam:
Run a message trace, locate the message in the results, and then view specific details about the message (see View
message trace results for messages less than 7 days old or View message trace results for messages more than 7
days old).
When the content filter marks a message as spam, if it is sent to the Junk Email folder or the quarantine, it will
have a status of Delivered. You can view the event details in order to see how the message arrived at its
destination. For example, it may inform you that the message was determined to have a high spam confidence
level, or that an advanced spam filtering option was matched. You will also be informed of the action that occurred
as a result of the message being marked as spam, for example if it was sent to quarantine, stamped with an X-
header, or if it was sent through the high risk delivery pool.

Was a message detected to contain malware?


A message is detected as malware when its properties, either in the message body or in an attachment, match a
malware definition in one of the anti-malware engines. For more detailed information about malware filtering,
see Anti-Malware protection.
To find out why a message was detected to contain malware, run a message trace. Use as many search criteria as
possible to narrow down the results. Set the delivery status to Failed.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
If the message was not delivered because it was determined to contain malware, this information will be provided
in the events section. For example, the following is a sample Detail: Malware: "ZipBomb" was detected in
attachment file.zip. You will also be informed of the action that occurred as a result of the message containing
malware, for example if the entire message was blocked or if all attachments were deleted and replaced with an
alert text file.

Which mail flow rule (also known as a transport rule) or DLP policy was applied to a message?
To find out which mail flow rule (custom policy rule) or data loss prevention (DLP) policy (Exchange Online
customers only) was applied to a message, run a message trace. Use as many search criteria as possible to narrow
down the results. Set the delivery status to Failed.
View the results, locate the message, and then view specific details about the message (see View message trace
results for messages less than 7 days old or View message trace results for messages more than 7 days old).
If the message was not delivered because its contents matched a rule, the events section will let you know the
name of the mail flow rule that was matched. You will also be informed of the action that occurred as a result of
the mail flow rule match, for example if the message was quarantined, rejected, redirected, sent for moderation,
decrypted, or any number of other possible options. For information about how to create Exchange mail flow rules
and set actions for them, see Mail flow rules (transport rules) in Exchange Online.

When I run a message trace it returns rule ID -1. What does this mean?
Rule ID -1 is returned when the message trace encounters a mail flow rule that no longer exists. (The mail flow rule
could have been modified or deleted after the original message was sent.)

Are there any known limitations or behavior clarifications that I should be aware of when using the message trace tool?
You should be aware of the following when using the message trace tool:
IP-blocked messages: Messages blocked by IP reputation block lists will be included in the spam data for
real time reports, but you cannot perform a message trace on these messages.
Redirected messages: If a recipient is rewritten by a mail flow rule or because the spam action for the
domain is set to Redirect to email address, the message is not traceable in a single search. The original
message can be traced up to the point when the recipient is changed. After that, the message is not
traceable under the original recipient. You can trace the message again using the new recipient.
MAIL FROM: The message trace tool uses the MAIL FROM value presented at the initiation of the SMTP
conversation as the Sender in a search, regardless of what the DATA section of the message shows. The
message may show a Reply-to address or different From: or Sender values. If the email message was sent
by a process and not by an email client, there is an increased likelihood that the sender in the MAIL FROM
will not match the sender in the actual message.
Mail flow rule updates: When a message matches a mail flow rule, the rule ID is stored in the message
trace and real time reporting databases. If you trace one of these messages, or drill down on rule details in a
report, the message trace and real time reporting user interfaces dynamically pull the current rule
information from the hosted services network based on the rule ID in the reporting database. If you have
changed the attributes of that particular rule since the message was processed (changed it from Reject to
Allow, for example), the rule ID stays the same in the message trace and real time reporting returned
results, but the Exchange admin center will show the new mail flow rule properties. You can use the auditing
reports feature in order to determine when the rule was changed and the properties that were changed.
Spam-filtered messages: When the content filter marks a message as spam, if it is sent to the Junk Email
folder or the quarantine, it will have a status of Delivered. Drill down to the event details in order to see
how the message arrived at its destination.

For more information


Trace an email message
Help and Support for EOP
Backing up email in Exchange Online
3/4/2019 • 2 minutes to read

One of the questions we often hear is "How does Exchange Online back up my data?" You may be asking this
because you're concerned about how to recover your data if there is a failure. Or, you may be wondering how to
recover your data if it gets accidentally deleted. This topic answers these questions.

How does Exchange Online protect mailbox data?


Lots of things can disrupt service availability, such as hardware failure, natural disasters, or human error. To ensure
that your data is always available and that services continue, even when unexpected events occur, Exchange Online
uses the same technologies found in Exchange Server. For example, Exchange Online uses the Exchange Server
feature known as database availability groups (DAGs) to replicate Exchange Online mailboxes to multiple
databases in separate Microsoft datacenters. As a result, you can readily access up-to-date mailbox data in the
event of a failure that affects one of the database copies. In addition to having multiple copies of each mailbox
database, the different datacenters back up data for one another. If one fails, the affected data are transferred to
another datacenter with limited service interruption and users experience seamless connectivity.

NOTE
You can get the latest information related to a service interrupting event by logging into the Service Health Dashboard. For
more information, see View the status of your services.

What happens if users accidentally delete data from their mailboxes?


Deleted items are stored in the Deleted Items folder of the mailbox. Items deleted from the Deleted Items folder or
deleted by pressing Shift+Delete are most likely recoverable if they're dealt with in a timely manner.
For more information about how admins can recover deleted items in Exchange Online, see the following topics:
Recoverable Items folder in Exchange Online.
Enable or disable single item recovery for a mailbox in Exchange Online
Change how long permanently deleted items are kept for an Exchange Online mailbox.
Note:
Point in time restoration of mailbox items is out of scope for the Exchange Online service. However, Exchange
Online offers extensive retention and recovery support for your organization's email infrastructure, and your
mailbox data is available when you need it, no matter what happens. For more information about additional
options, see the following topics:
High Availability and Business Continuity
Exchange Online Service Description
In-Place Hold and Litigation Hold
Office 365 retention policies
Inactive mailboxes in Office 365
How do users back up Outlook data?
In Exchange Online, the best way to provide a backup for users is with Exchange Online Archiving. Using Outlook
to back up data to .PST files isn't recommended due to the loss of discoverability and control of content.
For more information about Exchange Online Archiving, see:
Enable archive mailboxes in the Office 365 Security & Compliance Center
Unlimited archiving in Office 365
For more information about the licensing requirements for Exchange Online Archiving, see the Exchange Online
Archiving Service Description.

How do users restore Outlook data?


To learn how to restore deleted items in Outlook, see Recover deleted items in Outlook.
To learn how to restore deleted items in Outlook on the web (formerly known as Outlook Web App), see Recover
deleted items or email in Outlook Web App.

Offboard a user from Office 365


For more info about what to do when a user in your organization leaves, check out Remove a former employee from
Office 365. This topic discusses the steps you should take and how to secure your data after an employee leaves
your organization.
Fix Outlook connection problems in Office 365 and Exchange Online
3/4/2019 • 2 minutes to read

If you're using Outlook to access your Office 365 email account or another Exchange-based email account, and
you're having problems, we want to get you back to sending and receiving email as quickly as possible.

NOTE
If you're looking for help with Outlook.com, check out Help for Outlook.com. If you're looking for help with Outlook for
Mac, check out Outlook 2016 for Mac Help.

Let us fix your Outlook connection problems for you


We can diagnose and fix several common Outlook connectivity issues for you. If our automated tool can't fix your
issue, or you'd like to fix it yourself, see the next section.

Let us fix your issue: Support and Recovery Assistant for Office 365
Need more help? Contact support for business products - Admin Help.

Fix software update and profile issues


Out-of-date software and corrupted Outlook profiles are two of the most common issues that can prevent you
from sending and receiving email. If you're an admin with multiple users reporting problems, you also should
check for service issues with Office 365.
Common Outlook fixes

Run Windows Update: If your Outlook client software or Windows operating system software is out of date, you might have problems sending and receiving email. For Windows Update instructions, see Windows Update: FAQ
Repair your Outlook profile: An Outlook profile is a set of configuration information that includes your user name, password, and file storage location. To repair your Outlook profile, see Fix your Outlook email connection by repairing your profile.
Check for service issues: Admin only: If more than one person in your organization is experiencing email problems in Office 365, it could be due to a problem with the service. Go to the Office 365 service health dashboard page (admin sign in required), and check the status of the services under Exchange Online.
Fix Outlook and Office 365 issues with Support and Recovery Assistant for Office 365
3/4/2019 • 2 minutes to read

The Support and Recovery Assistant app can help you identify and fix several issues for the following apps and
services:
Office setup
Outlook
Outlook for Mac 2016 or Outlook for Mac 2011
Mobile devices
Outlook on the web for business
Microsoft Dynamics CRM Online
Exchange Online
OneDrive for Business
The following video shows how to use Support and Recovery Assistant to run diagnostic tests:

Create an Outlook Profile


To create or re-create your Outlook profile, install and run the Office 365 Support and Recovery Assistant:
1. Log in with your Office 365 credentials.
2. Choose Outlook.
3. Choose I need help setting up my Office 365 email in Outlook.
Support and Recovery Assistant will run some checks, and when you're ready will create an Outlook profile with
your email address.
Download and start Support and Recovery Assistant
1. Download and install Support and Recovery Assistant for Office 365 from its download page.
2. After installation, Support and Recovery Assistant will start automatically.
Use Support and Recovery Assistant
1. Choose I agree to accept the license agreement.
2. Select the app you want to get help with, and choose Next.
3. Select the support topic that best describes your issue, and then choose Next.
4. Sign in with your Office 365 work or school account.
5. Wait for the series of tests to finish.
6. Review the test results, and do one of the following.
If the application succeeds in fixing your problem, follow the prompts and close the tool.
If the tests fail, the application will let you know the reason and suggest other solutions.
7. After the app has finished, leave feedback, and close the app.

What if I'm still having problems?


If Support and Recovery Assistant for Office 365 can't fix your problem for you, we'll provide suggestions for next
steps and help you get in touch with Office 365 support.

How do I use Support and Recovery Assistant with my mobile device, Outlook for Mac 2016, or Outlook for Mac 2011?
Support and Recovery Assistant can run diagnostics and fix problems with Office 365 accounts that access the
service through a mobile device or a Mac. However, to use the app to run diagnostics, you need to download and
run it on a PC.
Turn off diagnostic log collection in Support and
Recovery Assistant for Office 365
3/4/2019 • 2 minutes to read

By default, Support and Recovery Assistant for Office 365 collects diagnostic logs to help troubleshoot problems in
the following scenarios:
Support and Recovery Assistant sometimes collects diagnostic logs when the tool fails to solve a user's
problem.
Support and Recovery Assistant collects diagnostic logs when a user chooses to run advanced diagnostics.
Typically this happens at the request of an admin or Microsoft support engineer.

Office 365 uses diagnostic logs to improve the tool so that it can provide better troubleshooting in the future.
Microsoft support engineers can also use these logs to analyze your user's specific issue more thoroughly. As an
admin, you can make a registry edit to prevent users from collecting diagnostic logs if your organization wants to
limit data sharing.
CAUTION

Registry Editor is a tool intended for advanced users. Follow the steps in this article carefully to make sure you only
make changes to data collection for Support and Recovery Assistant. Before making changes to the registry, create
a backup in case something goes wrong. For more information about creating a backup, see How to back up and
restore the registry in Windows.

Option 1: Create a new registry entry


To turn off data collection in Support and Recovery Assistant:
1. Copy and paste the following text into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Support and Recovery Assistant]
"UploadDiagnosticLogsDisabled"=dword:00000001

2. Save the file with a .reg extension (instead of .txt).


3. Open File Explorer (formerly known as Windows Explorer), browse to the .reg file, and double-click on the
file to add it to the registry.
For details about creating registry entries, see How to add, modify, or delete registry subkeys and values by using a
.reg file.
With the registry entry in place, Support and Recovery Assistant can't collect diagnostic logs. If you want to re-
enable log collection later, you can either change the value to 0 or delete the registry entry.

Option 2: Edit the existing registry entry


If you previously created a registry entry for Support and Recovery Assistant, you can edit the entry to turn off (or
turn on) data collection.
1. Open Registry Editor (for example, run regedit.exe).
2. Go to the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Support and Recovery Assistant

3. Double-click the UploadDiagnosticLogsDisabled entry.


Note: If you don't see UploadDiagnosticLogsDisabled in that registry location, you need to add it using the
instructions in Option 1: Create a new registry entry.
4. In the Edit DWORD (32-bit) Value dialog box that opens, configure one of the following values for the
Value data field:
1: Disable diagnostic log collection.
0: Enable diagnostic log collection.
5. When you're finished, click OK and close Registry Editor.

Determine if Support and Recovery Assistant is collecting data


Support and Recovery Assistant will collect log data if either of the following statements is true:
The UploadDiagnosticLogsDisabled value is not 1 (for example, 0).
The HKEY_LOCAL_MACHINE\Software\Microsoft\Support and Recovery Assistant key does not exist.
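
The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling. It applies the two conditions above to report whether log collection is enabled on a machine and, when run elevated with -Enforce, backs up the key and sets the value to 1. The -Enforce switch, the backup file location, and the function names are assumptions made for this example, as is the conservative choice to report a non-DWORD value as "collecting".

```powershell
# Added example: report and optionally enforce UploadDiagnosticLogsDisabled.
# Run without arguments for a read-only report; run elevated with -Enforce to write.
# It reads the registry view of the PowerShell process that runs it; use 64-bit
# PowerShell to match what Registry Editor shows on 64-bit Windows.
[CmdletBinding()]
param(
    [switch]$Enforce,
    # Hypothetical backup location; change as needed.
    [string]$BackupFile = (Join-Path $env:TEMP 'SaRA-key-backup.reg')
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Support and Recovery Assistant'
$ValueName = 'UploadDiagnosticLogsDisabled'

function New-SaraState($KeyExists, $Value, $Collecting, $Reason) {
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        KeyExists  = $KeyExists
        Value      = $Value
        Collecting = $Collecting
        Reason     = $Reason
    }
}

function Get-SaraLogCollectionState {
    # Rule from the article: logs are collected when the key does not exist
    # or when the value is anything other than 1.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return New-SaraState $false $null $true 'Registry key does not exist'
    }
    $key   = Get-Item -LiteralPath $KeyPath
    $value = $key.GetValue($ValueName, $null)
    if ($null -eq $value) {
        return New-SaraState $true $null $true 'Value is not present, so it is not 1'
    }
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # Assumption: a value of the wrong type is reported as "collecting".
        return New-SaraState $true $value $true "Value has type $kind, expected DWord"
    }
    if ($value -eq 1) {
        return New-SaraState $true $value $false 'Value is 1'
    }
    return New-SaraState $true $value $true "Value is $value, not 1"
}

function Disable-SaraLogCollection {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKEY_LOCAL_MACHINE requires an elevated session.'
    }
    if (Test-Path -LiteralPath $KeyPath) {
        # Back up the existing key first, as the caution in the article advises.
        $nativePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
        & reg.exe export $nativePath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed." }
    }
    else {
        # Create the key only when it is missing so existing values are left alone.
        New-Item -Path $KeyPath | Out-Null
    }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-SaraLogCollectionState
if ($Enforce -and $state.Collecting) {
    Disable-SaraLogCollection
    $state = Get-SaraLogCollectionState   # re-read to confirm the change took effect
}
$state
```

The emitted object can be collected from several machines and filtered on Collecting to find endpoints where the setting has not been applied.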

Related articles
Fix Outlook and Office 365 issues with Microsoft Support and Recovery Assistant for Office 365
Microsoft Support and Recovery Assistant
Find and fix email delivery issues as an Office 365 for
business admin
3/4/2019 • 7 minutes to read

When users report that they aren't getting email, it can be hard to find what's wrong. You might run through
several troubleshooting scenarios in your mind. Is something wrong with Outlook? Is the Office 365 service
down? Is there a problem with mail flow or spam filter settings? Or is the problem due to something that's outside
your control, like the sender is on a global block list? Fortunately, Office 365 provides powerful automated tools
that can help you find and fix a variety of problems.

First things first, check if there's a problem with Outlook or another email app
If only one user is reporting having trouble receiving email, there might be a problem with their email account or
their email app. Have the affected user try the following solutions before you move on to admin-specific tasks.
Use Outlook on the web to look for missing messages - 5 minutes
If a user is receiving email in their Outlook on the web mailbox but not on the email app that's installed on their
machine, that could indicate that there's an issue with the user's machine or email app. Ask the user with the issue
to sign in to Outlook on the web to verify that their Office 365 email account is working correctly.
Instructions: Sign in to Outlook on the web for business
Run Support and Recovery Assistant for Office 365 to fix Outlook problems or account issues - 10 minutes
If a single user in your organization is having trouble receiving email, it could be due to a licensing issue, a profile
problem, the wrong version of Outlook, or a mix of other issues. Fortunately, Support and Recovery Assistant finds
and helps you fix most issues with Outlook or Office 365. As a first step in troubleshooting email delivery
problems for Office 365 for business, we recommend that you download and run Support and Recovery Assistant
on the affected machine. Note that if you are experiencing issues with Outlook for Mac or are having mobile access
issues, you can use the app to check your account settings, but you need to install it on a PC. After you sign in with
the affected account, the app will check for issues. Users can typically download and run Support and Recovery
Assistant without help from their Office 365 admin.

Let us fix your issue: Download Support and Recovery Assistant for Office 365

Watch the following video for more information about how to use the Support and Recovery Assistant app.

If the Support and Recovery Assistant app doesn't fix the email delivery
issue, try these admin tools
As an Office 365 for business admin, you have access to several tools that can help you investigate why users can't
get email. The following video gives a brief overview of the tools available to you.
The following tools are listed from the quickest to the most in-depth option.
Check Office 365 service health for Exchange Online issues - 5 minutes
The service health page lists the status of Office 365 services and indicates if there have been any recent service
incidents. Use the following steps to check the service health.
1. Sign in to Office 365 for business with your work or school account.
2. Select the app launcher icon in the upper-left and choose Admin.

TIP
Admin appears only to Office 365 administrators.

Can't find the app you're looking for? From the app launcher, select All apps to see an alphabetical list of
the Office 365 apps available to you. From there, you can search for a specific app.
3. Under Service health, go to View the service health.

If there is an indication that the Exchange Online service is degraded, email delivery might be delayed for your
organization, and Microsoft service engineers are already working to restore service. Check the service
health page for progress updates. In this case, you don't need to open a service request because Microsoft is
already working to resolve the issue.
Use message trace for in-depth email delivery troubleshooting - 15 minutes
Sometimes an email message gets lost in transit, or it can take a lot longer than expected for delivery, and your
users can wonder what happened. The message trace feature lets you follow messages as they pass through your
Exchange Online service. Getting detailed information about a specific message lets you efficiently answer your
user's questions, troubleshoot mail flow issues, validate policy changes, and can prevent you from needing to
contact technical support for assistance.
Open the message trace tool
If you're an Office 365 Midsize Business, Office 365 Business, or Office 365 Enterprise admin, you access and run
the message trace tool through the Exchange admin center. To get there, do the following:
1. Sign in to Office 365 for business with your work or school account.
2. Select the app launcher icon in the upper-left and choose Admin.

TIP
Admin appears only to Office 365 administrators.

Can't find the app you're looking for? From the app launcher, select All apps to see an alphabetical list of
the Office 365 apps available to you. From there, you can search for a specific app.
3. Go to Exchange.

4. Under mail flow, go to message trace.


If you're an Office 365 Small Business admin, do the following to find message trace:
1. Go to Admin > Service settings > Email, calendar, and contacts.
2. Under Email troubleshooting, click Troubleshoot message delivery.
Run a message trace and view delivery details of messages sent in the last week
By default, message trace is set to search for all messages sent or received by your organization in the past 48
hours. You can choose Search at the bottom of the page to generate this report. This report can give you a general
idea about what is happening with mail flow in your organization. However, to troubleshoot a specific user's mail
delivery issue, you want to scope the message trace results to that user's mailbox and the time frame that they
expected to receive the message.
1. From the Date range menu, choose the date range that is closest to the time that the missing message was
sent.
2. Use Add sender and Add recipient to add one or more senders and recipients, respectively.
3. Click Search to run the message trace.
4. The message trace results page shows all the messages that match the criteria that you selected. Typical
messages are marked Delivered under the status column.
5. To see details about a message, choose the message and select Details.
6. Details appear with an explanation of what happened to the message. To fix the problem, follow the
instructions in the How to fix it section.

To search for a different message, you can click the Clear button on the message trace page, and then specify new
search criteria.
View the results of a message trace that is greater than 7 days old
Message traces for items more than 7 days old are only available as a downloadable .CSV file. Because data about
older messages is stored in a different database, message traces for older messages can take up to an hour. To
download the .CSV file, do one of the following.
Click the link inside the email notification that is sent when the trace is completed.
To view a list of traces that were run for items that are more than 7 days old, click View pending or
completed traces in the message trace tool.

In the resulting UI, the list of traces is sorted based on the date and time that they were submitted, with the
most recent submissions appearing first.
When you select a specific message trace, additional information appears in the right pane. Depending on
what search criteria you specified, this may include details such as the date range for which the trace was
run, and the sender and intended recipients of the message.

NOTE
Message traces containing data that is greater than 7 days old are automatically deleted. They cannot be manually deleted.

Common questions about message trace


After a message is sent, how long before a message trace can pick it up?
Message trace data can appear as soon as 10 minutes after a message is sent, or it can take up to one hour.
Why am I getting a timeout error when I run a message trace?
The search is probably taking too long. Try simplifying your search criteria.
Why is my message taking so long to arrive to its destination?
Possible causes include the following:
The intended destination isn't responsive. This is the most likely scenario.
A large message takes a long time to process.
Latency in the service is causing delays.
The message was blocked by the filtering service.
About Exchange documentation
2/28/2019 • 2 minutes to read

You're reading a collection of conceptual and procedural topics organized by subject or by technologies used by
Microsoft Exchange. You can access each topic directly from the table of contents in the left pane, from a link in
another Help topic, from the results of a search, or from your own custom list of favorite topics.
Other information related to Exchange documentation is in Third-Party Copyright Notices.

Where to find Exchange documentation


The Exchange Server for IT pros TechCenter is your primary gateway to in-depth technical information about
Microsoft Exchange. Through the TechCenter, which is located on the Microsoft TechNet site, you can access the
Exchange Library and the Exchange Team Blog.
If you're an admin for an Exchange hybrid or Exchange Online deployment, you may also be interested in the
Office 365 for IT pros TechCenter.
The Exchange Library contains the most up-to-date Help documentation. This documentation is reviewed and
approved by the Exchange product team and evolves as new information, issues, and troubleshooting tips become
available.
The Exchange Team Blog contains technical articles written by the Exchange Team, as well as product
announcements and updates. The blog is an excellent way to interact with the Exchange Team. We read and
respond to your feedback and comments.

Additional resources
Looking for more than just documentation? Check out these other Exchange resources:
Exchange Server Downloads Use this page to download service packs, add-ins, tools, and trial software to
help you optimize your Exchange organization.
Exchange Server Forums The forum provides a place to discuss Exchange with users and Exchange Team
members.
Exchange Server for Developers You'll find Exchange developer documentation here.
Support for Microsoft Exchange Server Check out this page for support resources for multiple versions of
Exchange.
Accessibility for People with Disabilities This topic provides important information about features,
products, and services that help make Microsoft Exchange more accessible for people with disabilities.
Accessibility in Exchange Online
3/4/2019 • 2 minutes to read

Microsoft wants to provide the best possible experience for all customers, including customers with disabilities.
This article contains links to articles written for people who use the screen reader JAWS from Freedom Scientific or
who use Narrator, the screen reader built in to Windows 10.
These articles provide help that depends only on specified keyboard shortcuts and a screen reader.

Technical support for people with disabilities


Microsoft offers free technical support for people with disabilities in many locations around the world. If you have
a disability or have questions related to accessibility, please contact the Microsoft Disability Answer Desk for
technical assistance.
The Disability Answer Desk support team is trained in using many popular assistive technologies and can offer
assistance in English, Spanish, French, and American Sign Language. Please visit the Microsoft Disability Answer
Desk site to find out the contact details for your region.

Accessibility help content for the Exchange admin center in Exchange Online
Perform basic tasks
Accessibility in the Exchange admin center in Exchange Online
Get started using a screen reader in the Exchange admin center in Exchange Online
Keyboard shortcuts for the Exchange admin center in Exchange Online
Use a screen reader to open the Exchange admin center in Exchange Online
Use a screen reader to identify your admin role in the Exchange admin center in Exchange Online
Work with mailboxes
Use a screen reader to add a new equipment mailbox in the Exchange admin center in Exchange Online
Use a screen reader to add a new room mailbox in the Exchange admin center in Exchange Online
Use a screen reader to add a new shared mailbox in the Exchange admin center in Exchange Online
Use a screen reader to edit the mailbox display name in the Exchange admin center in Exchange Online
Use a screen reader to archive mailbox items in the Exchange admin center in Exchange Online
Work with distribution groups
Use a screen reader to create a new distribution group in the Exchange admin center in Exchange Online
Use a screen reader to add members to a distribution group in the Exchange admin center in Exchange
Online
Protect against spam and malware
Use a screen reader to manage anti-malware protection in the Exchange admin center in Exchange Online
Use a screen reader to manage anti-spam protection in Exchange Online
Configure features
Use a screen reader to add a new mail contact in the Exchange admin center in Exchange Online
Use a screen reader to work with mobile clients in the Exchange admin center in Exchange Online
Use a screen reader to configure collaboration in the Exchange admin center in Exchange Online
Use a screen reader to define rules that encrypt or decrypt email messages in the Exchange admin center in
Exchange Online
Use a screen reader to configure mail flow rules in the Exchange admin center in Exchange Online
Track content with audit and trace
Use a screen reader to run an audit report in the Exchange admin center in Exchange Online
Use a screen reader to export and review audit logs in the Exchange admin center in Exchange Online
Use a screen reader to trace an email message in the Exchange admin center in Exchange Online
Accessibility in the Exchange admin center in
Exchange Online
3/4/2019 • 4 minutes to read

The Exchange admin center (EAC) in Exchange Online includes accessibility features that make it easy for users
with limited dexterity, low vision, or other disabilities to work with files. This means you can use keyboard
shortcuts, a screen reader, or a speech recognition tool to work with the EAC.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office
365 subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information
about the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn
more about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up
windows for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
Use a screen reader to open the Exchange admin center
and check that your Office 365 global administrator has assigned you to any admin role group, for example,
Organization Management. You know you are assigned to at least one admin role group if you can open the
EAC. Learn how to Use a screen reader to identify your admin role in the Exchange admin center.

Explore the EAC user interface


The EAC user interface exists within your web browser as part of Exchange Online. Within that window, "Office
365 Admin" shows in the title bar. At the left edge of the title bar is the Office 365 app launcher that contains the
list of Microsoft services and Office Online applications, including Mail (Outlook.com), Excel Online, OneNote,
and more. On the right side of the title bar are commands to get notifications, manage your options, get help,
and sign out.
Under the title bar is the name, "Exchange admin center." The left pane lists about a dozen Exchange
administrative categories, for example, dashboard, permissions, and mail flow. By default, dashboard has the
focus.
The administrative category selected in the left feature pane affects the content of the main window to its right.
For example, when you select dashboard in the left pane, all administrative categories display in the main
window list view, along with their subcategories. Likewise, when you select recipients in the left feature pane, a
list of all user mailbox names and addresses appears in the main window list view.
When you select an item in the main window list view, often a right pane presents a details view about that item.
For example, when you select the permissions administrative category in the left features pane, a list of admin
roles appears in the main window list view, and the first admin role, Compliance Management, has the focus.
Information about Compliance Management appears in the right pane details view.
Across the top of the main window list view, a set of menu tabs appears which lists subcategories for the
administrative category that has the focus. For example, when you select protection in the left feature pane,
menu tabs, such as malware filter and spam filter, appear across the top of the main window. In addition,
sometimes a toolbar appears, with commands such as New, Edit, Delete, and Refresh.
The bottom of the main window is a status bar which indicates how many records are selected.

Use a screen reader and keyboard shortcuts


The EAC includes accessible names that can be read by a screen reader as you work in the application. You can
use Narrator, the built-in screen reader in Windows, or a third-party screen reader, such as JAWS. For more
information, refer to Get started using a screen reader in the Exchange admin center. You can also use Windows
Speech Recognition or a third-party speech tool to give voice commands to the EAC.
To navigate in the EAC and to cycle through groups of screen elements, press Ctrl+F6 (forward) or
Ctrl+Shift+F6 (backward). To cycle through screen elements, including lists of items, press the Tab key (forward)
or Shift+Tab (backward). To select an item, press Enter. To browse within menus or lists, press the Up Arrow key
or the Down Arrow key, and then, to make a selection, press Enter. To exit a menu or mode, press Esc. For more
details, go to Keyboard shortcuts for the Exchange admin center.
As you move around the areas of the EAC, your screen reader provides information about the area that has the
focus, whether it's the left feature pane (you hear "Primary navigation, Link"), menu tabs, toolbar, main window
list view (you hear "Secondary navigation"), or details view in the right pane (in Narrator, you hear the contents
of the pane).

Technical support for customers with disabilities


Microsoft wants to provide the best possible experience for all our customers. If you have a disability or have
questions related to accessibility, please contact the Microsoft Disability Answer Desk for technical assistance.
The Disability Answer Desk support team is trained in using many popular assistive technologies and can offer
assistance in English, Spanish, French, and American Sign Language. Please visit the Microsoft Disability
Answer Desk site to find the contact details for your region.
Get started using a screen reader in the Exchange
admin center in Exchange Online
3/4/2019 • 4 minutes to read

You can use a screen reader with the Exchange admin center (EAC) in Exchange Online to carry out administrative
tasks. The EAC works with Narrator, the built-in screen reader in Windows, or JAWS, a third-party screen reader.
These screen readers convert text to speech to read the contents of the EAC window.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information about
the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
Use a screen reader to open the Exchange admin center
and check that your Office 365 global administrator has assigned you to any admin role group, for example,
Organization Management. You know you are assigned to at least one admin role group if you can open the EAC.
Learn how to Use a screen reader to identify your admin role in the Exchange admin center.

Work with screen readers


The EAC works with the Narrator and JAWS screen readers, among others. These screen readers convert text to
speech and read you commands, locations, alt text on images, and the contents of EAC screens and pop-up
windows.
To turn Narrator on or off on a PC, in Windows, press Windows logo key+Enter.
To turn Narrator on or off on a tablet, press Windows logo button+Volume Up.
If Narrator doesn't read a newly opened window, press F5. Refreshing the browser window resets the focus
and Narrator reads the window.
If your screen reader stops reading, press Alt+Tab to leave the current window, and then press Alt+Tab
again to return to it. This resets the focus on the current window to get your screen reader to read the
window properly.
For more information about Narrator, refer to Hear text read aloud with Narrator. For more information about
JAWS, refer to the JAWS Screen Reader documentation.

Do more tasks with the EAC and a screen reader


Explore specific tasks that use the screen reader to work in the EAC.
Get started with the EAC
Accessibility in the Exchange admin center in Exchange Online
Keyboard Shortcuts in the Exchange admin center in Exchange Online
Use a screen reader to open the Exchange admin center in Exchange Online
Work with mailboxes and recipients
Use a screen reader to edit the mailbox display name in the Exchange admin center in Exchange Online
Use a screen reader to add a new mail contact in the Exchange admin center in Exchange Online
Use a screen reader to add a new room mailbox in the Exchange admin center in Exchange Online
Use a screen reader to add a new equipment mailbox in the Exchange admin center in Exchange Online
Manage distribution groups and collaboration
Use a screen reader to create a new distribution group in the Exchange admin center in Exchange Online
Use a screen reader to add members to a distribution group in the Exchange admin center in Exchange
Online
Use a screen reader to add a new shared mailbox in the Exchange admin center 2016
Use a screen reader to configure collaboration in the Exchange admin center in Exchange Online
Administer mail flow and security
Use a screen reader to configure mail flow rules in the Exchange admin center in Exchange Online
Use a screen reader to define rules that encrypt or decrypt email messages in the Exchange admin center
2016
Use a screen reader to manage anti-spam protection in Exchange Online
Use a screen reader to manage anti-malware protection in the Exchange admin center in Exchange Online
Use a screen reader to work with mobile clients in the Exchange admin center in Exchange Online
Set up permissions and compliance
Use a screen reader to identify your admin role in the Exchange admin center in Exchange Online
Use a screen reader to run an audit report in the Exchange admin center in Exchange Online
Use a screen reader to trace an email message in the Exchange admin center in Exchange Online
Use a screen reader to export and review audit logs in the Exchange admin center in Exchange Online

Technical support for customers with disabilities


Microsoft wants to provide the best possible experience for all our customers. If you have a disability or have
questions related to accessibility, please contact the Microsoft Disability Answer Desk for technical assistance.
The Disability Answer Desk support team is trained in using many popular assistive technologies and can offer
assistance in English, Spanish, French, and American Sign Language. Please visit the Microsoft Disability Answer
Desk site to find the contact details for your region.
Keyboard shortcuts for the Exchange admin center in Exchange Online
3/4/2019 • 2 minutes to read

Many users find that keyboard shortcuts for the Exchange admin center (EAC) in Exchange Online help them work
more efficiently. For users with impaired mobility or vision, keyboard shortcuts are an essential alternative to
using the mouse.

Get started
Navigate with Internet Explorer and keyboard shortcuts,
and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then,
open the EAC and get started. For more information
about the EAC, see Exchange admin center in Exchange
Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based
application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016.
Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange
Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows
so, in your browser, be sure to enable pop-up windows for
Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and
enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described
in this article, your plan might not include it.
For more information about the Exchange Online
capabilities in your subscription plan, go to What Office
365 business product or license do I have? and Exchange
Online Service Description.

Use keyboard shortcuts


Notes:
- The shortcuts in this topic refer to the US keyboard layout. Keys for other layouts might not correspond
  exactly to the keys on a US keyboard.
- If a shortcut requires pressing two or more keys at the same time, this topic separates the keys with a
  plus sign (+). If you have to press one key immediately after another, the keys are separated by a comma (,).
- The EAC runs in your web browser, so it does not use accelerator keys or KeyTips. For example, pressing Alt
  moves the focus to the browser menu bar, and familiar shortcuts, like Ctrl+P (Print) and F1 (Help), run
  browser commands rather than EAC commands.
- To cycle through EAC regions on the screen, press Ctrl+F6 (forward) or Ctrl+Shift+F6 (backward). The
  Ctrl+F6 navigation cycle order is:
    - Left feature pane, or primary navigation links
    - Menu bar, or secondary navigation links
    - Toolbar
    - Main window list view
    - Details view in the right pane
    - Office 365 app launcher

Navigate in the EAC


TO DO THIS                                    PRESS

Move among regions                            Ctrl+F6 or Ctrl+Shift+F6

Move among regions or individual controls     The Up Arrow key or the Down Arrow key
                                              Note: Tab and Shift+Tab aren't supported to move between
                                              EAC menu items.

Move within lists from one item to another    The Up Arrow key, the Down Arrow key, Home, End, Page Up,
                                              or Page Down
                                              Note: You can also use the Up Arrow key, the Down Arrow key,
                                              the Left Arrow key, or the Right Arrow key to move between
                                              option buttons or within a group of check boxes.

Select an item                                Enter or the Spacebar

Exit a menu or mode                           Esc


Use a screen reader to add a new equipment mailbox in the Exchange admin center
3/4/2019 • 4 minutes to read

Create mailboxes in the Exchange admin center (EAC) for any printer, projector, or other device that's attached to
your corporate network by using your keyboard and any screen reader.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new equipment mailbox, use a screen reader to open the Exchange admin center and check that your
Office 365 global administrator has assigned you to the Organization Management admin role group. Learn how
to Use a screen reader to identify your admin role in the Exchange admin center.

Add a new equipment mailbox


1. After you are on the EAC Dashboard (home) page, to navigate to the page body, press Ctrl+F6. You hear
"Welcome."
2. Press the Tab key until you hear "Resources," which is the second link after "Recipients."
3. To go to the Resources tab on the Mailboxes page, press Enter. The focus is on the Resources tab.
4. To get to the New button in the Resources pane, press Ctrl+F6. You hear "New button."
5. To open the New Item submenu, press Spacebar.
6. To go to the Equipment Mailbox option, press the Down Arrow key. You hear "Equipment mailbox."
(Narrator says, "Blank line.")
7. To open a New Equipment Mailbox form in a pop-up window, press Enter. You hear the URL of the
pop-up window and, eventually, "Equipment name." The focus is in the Equipment Name box.
TIP
There are only three boxes on this form: Equipment Name, Email Address, and Domain. All three are required.

8. Type in the name of the device and, to move to the Email Address box, press the Tab key. You hear "Email
address."

TIP
This name will appear in users' Outlook Address Book. To make rooms easier for users to find, use a consistent
naming convention within your organization.

9. The email address is also required. Type in the first portion of the email address (before the at sign) and, to
get to the domain drop-down list, press the Tab key. You hear the selected domain option.
10. If the default selection in the domain drop-down menu is not the domain you want to choose, to access
other available domains, press the Down Arrow key. As you move through the available options, you hear
the domain name and suffix. When you find the domain you want to use, to select it, press Enter.

TIP
You cannot type any values into the domain box. It is a prepopulated drop-down list. To add domains to that drop-down list,
contact your Office admin.

11. To go to the Save button, press the Tab key. You hear "Save."
12. Press Enter. This saves the mailbox you created with the values you assigned, and the pop-up window
closes, returning you to the Resources list on the Resources tab. The focus is on the New Mailbox button.
You hear "New mailbox."

TIP
It may take a few minutes to save the new mailbox and close the pop-up window. You do not hear any additional feedback
during this wait time.

If you want to add additional information to your new room mailbox, learn about all the options available in Use a
screen reader to use mailbox properties and options in EAC on Exchange Online.

Use a screen reader to add a new mail contact in the Exchange admin center in Exchange Online
3/4/2019 • 3 minutes to read

Using a screen reader with Exchange Online, you can use the Exchange admin center (EAC) to set up a mail
contact, a mail-enabled directory service object containing information about a person or entity that exists
outside of your Exchange Online organization. Each mail contact has an external email address. For more
information about mail contacts, refer to the Recipients TechNet article.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new mail contact, use a screen reader to open the EAC and check that your Office 365 global
administrator has assigned you to the Organization Management and Recipient Management admin group. Learn
how to Use a screen reader to identify your admin role in the Exchange admin center.

Use the EAC to create a mail contact


1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients, Primary navigation."
Press Enter.
2. To move the focus to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation."
3. Press the Left Arrow key until you hear "Contacts, Secondary navigation," and then press Enter. A table
listing mail contacts appears.
4. To move the focus to the contacts menu bar, press Ctrl+F6 until you hear "New button menu."
5. Press Spacebar, and then press the Down Arrow key until you hear "Mail contact." Then, press Enter. The
new mail contact window opens.
Note: In Narrator, if the menu options for the New button are not read, you hear "Empty line." Mail
contact is the first option. Mail user is the second option. When you select Mail contact, if Narrator
doesn't announce the name of the new mail contact window or the First name box, to refresh the window
and reestablish the focus, press F5.
6. Tab to the following boxes, and complete the contact information:
   Note: Required boxes are designated with an asterisk. In screen readers, you hear "star" or "asterisk" before
   the label. For example, in the required Display Name box, you hear "Star display name" or "Asterisk
   display name."
   - First name. Type the contact's first name.
   - Initials. Type the contact's initial.
   - Last name. Type the contact's last name.
   - *Display name. To change the default, type the name as it will appear in the contacts list in the EAC
     and in your organization's address book. By default, Exchange uses the names you entered in the
     First name, Initials, and Last name boxes. This name can't exceed 64 characters.
   - *Alias. Type a unique alias (64 characters or less) for the contact.
   - *External email address. Type the contact's email address that is outside of your organization.
     Email sent to the contact is forwarded to this email address.
7. When you're finished, tab to the Save button. The new mail contact window closes, and the contact is
added to the table in the contacts window.
Use a screen reader to add a new room mailbox in the Exchange admin center in Exchange Online
3/4/2019 • 3 minutes to read

Add a mailbox for conference rooms in the Exchange admin center (EAC) by using keyboard shortcuts and your
screen reader.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new room mailbox, use a screen reader to open the Exchange admin center and check that your Office
365 global administrator has assigned you to the Organizational Management admin role group. Learn how to
Use a screen reader to identify your admin role in the Exchange admin center.

Add a new room mailbox


1. After you are on the EAC Dashboard (home) page, to navigate to the page body, press Ctrl+F6. You hear
"Welcome."
2. Press the Tab key until you hear "Resources," which is the second link after "Recipients."
3. To go to the Resources tab on the Mailboxes page, press Enter. The focus is on the Resources tab.
4. To get to the New button on the Resources pane, press Ctrl+F6. You hear "New button."
5. To open the New Item submenu, press Spacebar.
6. To go to the Room Mailbox option, press the Down Arrow key. You hear "Room mailbox." (Narrator says,
"Blank line.")
7. To open a New Room Mailbox form in a pop-up window, press Enter. You hear the URL of the pop-up
window and, eventually, "Room Name." The focus is in the Room Name box. This is a required box.
8. Type in the name of the room and, to move into the Email Address box, press the Tab key.

TIP
This name will appear in users' Outlook Address Books. To make rooms easier for users to find, use a consistent
naming convention within your organization.

9. The email address is also required. Type in the first portion of the email address (before the at sign) and, to
get to the domain drop-down list, press the Tab key. You hear the selected domain option.
10. If the default selection in the domain drop-down menu is not the domain you want to choose, to access
other available domains, press the Down Arrow key. As you move through the available options, you hear
the domain name and suffix. When you find the domain you want to use, to select it, press Enter.

TIP
You cannot type any values into the domain box. It is a prepopulated drop-down list. To add domains to that drop-down list,
contact your Office admin.

11. To go to the Save button, press the Tab key. You hear "Save."
12. Press Enter. This saves the mailbox you created with the values you assigned, and the pop-up window
closes, returning you to the Resources list on the Resources tab. The focus is on the New Mailbox button.
You hear "New mailbox."

TIP
It may take a few minutes to save the new mailbox and close the pop-up window. You do not hear any additional feedback
during this wait time.

If you want to add additional information to your new room mailbox, learn about all the options available in Use a
screen reader to use mailbox properties and options in EAC on Exchange Online.

Use a screen reader to add a new shared mailbox in the Exchange admin center in Exchange Online
3/4/2019 • 3 minutes to read

You can use your screen reader to create a shared mailbox in the Exchange admin center (EAC) in Exchange
Online. Shared mailboxes make it easy for a group of people in your organization to monitor and send email from
a common account, such as info@contoso.com or support@contoso.com. When a person in the group replies to a
message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual
user. Learn more about shared mailboxes.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this topic, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To add a new shared mailbox, use a screen reader to open the Exchange admin center and check that your Office
365 global administrator has assigned you to the Organization Management and Recipient Management admin
role groups. Learn how to Use a screen reader to identify your admin role in the Exchange admin center.

Create a shared mailbox


1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
primary navigation link."
2. Tab to Recipients, and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Region mailboxes, secondary navigation." (In Narrator,
you hear "Mailboxes, secondary navigation link.")
4. Tab to Shared. You hear "Shared, secondary navigation link." Press Enter.
5. To move to the toolbar, press Ctrl+F6. You hear "New button." Press Enter.
6. In the Shared Mailbox dialog box which opens, the Display name text box has the focus, and you hear
"Type in text." (In Narrator, you hear "Display name, editing.") Type the display name for the shared mailbox
you're creating.
7. Tab to the Email address text box, and type the email address for the new shared mailbox.
8. To select the users who can view and send mail from this new shared mailbox, tab to and select the Add
button.
9. When the Select Shared Mailbox Users dialog box opens, the Search box has the focus. You hear "Filter
or search edit." Type all or part of the name of the first user you want to add to the shared mailbox and
then, to search for the name, press Enter.
10. Press the Tab key four times until you hear the name of the user in the search results list. The name is
selected.
11. Tab to the Add button, and press Enter or Spacebar. The selected name is added to the list of users for the
new shared mailbox.
12. To add a second user, tab several times until you hear "Filter or search edit." Type all or part of the name of
the next user you want to add, and press Enter. Repeat steps 10 and 11. Do this for all users you want to
add to the new shared mailbox.
13. When you finish adding users, tab to the OK button, and press Enter. The Shared Mailbox dialog box has
the focus again, and the selected users are listed in the Shared Mailbox Users box.
14. Tab to the Save button, and press Enter. An alert says "Please wait." After the shared mailbox is created,
you hear another alert that says the mailbox will be available in approximately 15 minutes.
15. With the focus on the OK button, press Enter. The new shared mailbox display name and email address are
listed in the shared list view, and it has the focus. Details about the new shared mailbox are listed in the
details pane on the right. To review these details, press Ctrl+F6 or the Tab key until the details pane has the
focus.
Use a screen reader to add members to a distribution group in the Exchange admin center in Exchange Online
3/4/2019 • 3 minutes to read

Using a screen reader with the Exchange admin center (EAC) in Exchange Online, you can add and remove
members of a distribution group.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.

Use the EAC to change distribution group membership


1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients, Primary navigation."
Press Enter.
2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary navigation."
3. Press the Left Arrow key until you hear "Groups, Secondary navigation," and then press Enter. Options for
distribution groups appear.
4. Press the Left Arrow key until you hear "Groups, Secondary navigation," and then press Enter. Options for
distribution groups appear.
5. To locate the distribution group you want to edit, use the Up Arrow and Down Arrow keys and then press
Enter. The Distribution Group window opens for the group you selected. You hear "General tab."
6. Press the Down Arrow key until you hear "Membership tab." A list of members appears with two controls:
Add and Remove.
7. To add a member:
a. Tab to the Add button, and press Enter. The Select Members window opens and lists all users in
your organization. The focus is on the Search button.
b. Press Spacebar, and type all or part of a name. Users with that name appear in the Display Name
table.
c. Tab until you hear the first name listed, if any. (In JAWS, you hear "Out of table" and the name of the
first user, if any were found. In Narrator, if you hear "Button" with no label, to move the focus into the
table and hear the names, press Spacebar.) Select the user you want, tab until you hear "Add button,"
and then press Spacebar. You can add more names in this way.
d. When you're finished, tab to the OK button and press Enter. The Select Member window closes.
8. In the Distribution Group window, to remove a member, select a user in the members table and then
press Shift+Tab until you hear "Remove." Press Enter.
9. When you are finished, tab to the Save button and press Enter.

Use a screen reader to archive mailbox items in the Exchange admin center in Exchange Online
3/4/2019 • 6 minutes to read

You can use your screen reader in the Exchange admin center (EAC) to enable or disable archiving of items in an
Exchange Online mailbox. You can also use your screen reader in the EAC to apply retention policies to mailboxes.
Learn more about the archive mailboxes in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
For more information about creating distribution groups, refer to Use a screen reader to create a new distribution
group in the Exchange admin center.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ by
plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.

Enable mailbox archiving for a user


With mailbox archiving in Exchange Online, also called "in-place archiving," users get additional mailbox storage
space. When enabled, archive mailboxes are accessible through Outlook and Outlook on the web, and offer a
convenient alternate repository for old email messages.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. To search for the user for whom you want to enable archiving, press Ctrl+F6 and then press the Tab key
until you hear "Search button." Press Enter.
5. Type all or part of the user's name and press Enter.
6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the search results list includes
multiple names, press the Down Arrow key or the Up Arrow key until you hear the name you want.
7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link."
8. Press the Tab key about six times until you hear "Archiving link, Enable."
Tip: If the user is already enabled for archiving, you hear "Archiving link, Disable."
9. Press Enter. You hear "Are you sure you want to enable the archive?" With the focus on the Yes button,
press Enter.

Tip: If you want to enable archiving for additional users, move the focus back to the list of mailboxes by
pressing Ctrl+Shift+F6. Select the name you want by pressing the Down Arrow key or the Up Arrow
key, and repeat steps 7 through 9.

Note: For more information, go to Enable or disable an archive mailbox in Exchange Online.

Disable mailbox archiving for a user


If you disable a user's archive, the existing content is retained for 30 days. This means if you re-enable the archive
within that 30 days, all existing content will still be intact. After 30 days, however, all information is permanently
deleted, and if you enable the archive after this time, a new archive mailbox is created.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. To search for the user for whom you want to enable archiving, press Ctrl+F6 and then press the Tab key
until you hear "Search button." Press Enter.
5. Type all or part of the user's name and press Enter.
6. Press Ctrl+F6 until you hear the name of the user whose mailbox archiving you want to disable in the
search results list. If the search results list includes multiple names, press the Down Arrow key or the Up
Arrow key until you hear the name you want.
7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link."
8. Press the Tab key about six times until you hear "Archiving link, Disable."
9. Press Enter. You hear "Are you sure you want to disable this archive?" With the focus on the Yes button,
press Enter.

Apply a retention policy to a user


The messaging records management (MRM) feature in Exchange Online helps you manage the life cycle of your
organization's email; it allows you to set retention policies. Retention policies specify when certain types of mailbox
items—including regular email messages, deleted items, and junk mail—should be moved, archived, or deleted.
Exchange Online automatically applies the Default MRM Policy when you create a new mailbox with an archive or
when you enable an archive for an existing mailbox user.
Note: You can customize the Default MRM Policy by adding or removing retention tags or by modifying tag
settings. You can also replace the default policy with any retention policies you create. To view, edit, or create a
retention policy, on the EAC primary navigation pane, select the compliance management link and then, on the
menu bar, select the retention policies link. Learn more about retention policies.
You can apply the same retention policy to all users, or you can apply different policies to certain users.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. To search for the user for whom you want to enable archiving, press Ctrl+F6 and then press the Tab key
until you hear "Search button." Press Enter.
5. Type all or part of the user's name and press Enter.
6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the search results list includes
multiple names, press the Down Arrow key or the Up Arrow key until you hear the name you want. Press
Enter.
7. In the Edit User Mailbox dialog box which opens, with the focus on the tab names, press the Down Arrow
key until the focus is on the mailbox features tab.
8. Tab to the Retention policy combo box. Default MRM Policy is the default entry. Press the Down Arrow
key or the Up Arrow key to move through the available policies. Select the policy you want for this user.
9. Tab to the Save button and press Enter. The mailboxes list view has the focus again.

Accessibility information
The Microsoft Accessibility website provides more information about assistive technology. A free monthly
electronic newsletter is available to help you stay current with accessibility topics about Microsoft products. To
subscribe, visit the Microsoft Accessibility Update Newsletter Subscription page.
Technical support for customers with disabilities
Microsoft wants to provide the best possible experience for all our customers. If you have a disability or have
questions related to accessibility, please contact the Microsoft Disability Answer Desk for technical assistance.
The Disability Answer Desk support team is trained in using many popular assistive technologies and can offer
assistance in English, Spanish, French, and American Sign Language. Please visit the Microsoft Disability Answer
Desk site to find the contact details for your region.
Use a screen reader to configure collaboration in the
Exchange admin center in Exchange Online
3/4/2019 • 8 minutes to read

You can use your screen reader in the Exchange admin center (EAC) in Exchange Online to configure different
methods of collaboration. These methods might include public folders, distribution groups, shared mailboxes, or—
in conjunction with SharePoint—site mailboxes.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.

Set up public folders


Members of workgroups can use public folders as an easy way to collect, organize, and share information with
others in the workgroup.
Public folders organize content in a hierarchy that's easy to browse. Users can discover useful content by browsing
through branches of the hierarchy that are relevant to their work. The full hierarchy is visible to users in their
Outlook folder view. Public folders can be used for distribution group archiving. A public folder can be mail-
enabled and added as a member of the distribution group, so that email sent to the distribution group is then
automatically added to the public folder. Public folders also allow for simple document sharing.
Create a public folder mailbox
To use public folders, you need to set up at least one public folder mailbox.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to public folders and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Public folders, Secondary navigation link."
4. Tab to public folder mailboxes. Press Enter.
5. To move to the toolbar, press Ctrl+F6. You hear "New public folder mailbox button." Press Enter.
6. In the Public Folder Mailbox dialog box which opens, the Name text box has the focus. Type the name
for your public folder mailbox.

TIP
Public folder mailboxes contain the hierarchy information plus the content for public folders. The first public folder
mailbox you create becomes the primary mailbox, which contains the one writable copy of the public folder hierarchy.
Any additional public folder mailboxes you create will be secondary mailboxes, which contain a read-only copy of the
hierarchy.

7. Tab to the Save button and press Enter. It might take up to a minute for the public folder mailbox to be
created, after which you hear an alert that says the mailbox will be available in approximately 15 minutes.
8. With the focus on the OK button, press Enter. The new public folder mailbox is added to the public folder
mailboxes list view.
Learn more about creating public folders.
Create a public folder
After you create a public folder mailbox, you can add a public folder.
1. With the focus in the public folder mailboxes list view, to move to the menu bar, press Ctrl+Shift+F6 twice.
You hear "Public folders, Secondary navigation link." Press Enter.
2. To move to the toolbar, press Ctrl+F6. You hear "New public folder button." Press Enter. This creates a
public folder at the root level in the public folder's hierarchy.

TIP
You can create a subfolder within an existing public folder. First, with the focus in the public folders list view, to select
the parent folder, press the Down Arrow key or the Up Arrow key, and then press the Tab key. To open the folder,
press Enter. Then, to move to the toolbar, press Ctrl+Shift+F6. Select the New public folder button, which has the
focus, press Enter, and then go on to Step 3. (If you want to move back to the parent folder, on the toolbar, tab to
the Go to the parent folder button and press Enter.)

3. In the Public Folder dialog box which opens, the Name text box has the focus. Type the name for your
public folder.
4. To move to the Path text box, press the Tab key. In this read-only text box, you hear the path for the public
folder. For example, if you're creating a public folder at the root level, you hear "Backslash."
5. Tab to the Save button and press Enter. The name of the new public folder is added to the public folders list
view.
Add users of a public folder
After you create a public folder, specify the users who can access it. Also specify these users' roles in the public
folder, including their read-write permissions.
1. With the focus in the public folders list view, to select the public folder you want to add users to, press the
Up Arrow key or the Down Arrow key.
2. To move to the details pane, press Ctrl+F6. The mail settings Enable link has the focus.
3. To move to the folder permissions Manage link, press the Tab key and then press Enter.
4. In the Public Folder Permissions dialog box which opens, the Add button has the focus. Press Enter.
5. In the dialog box which opens, the Browse button has the focus. Press Enter.
6. In the Select Recipient dialog box which opens, the Search text box has the focus. You hear "Filter or
search edit." Type all or part of the name of the first user you want to add to the shared mailbox and then, to
search for the name, press Enter.
7. Press the Tab key about six times until you hear the name of the user in the search results list. Press Enter.

TIP
If the search results list includes multiple names, press the Up Arrow key or the Down Arrow key until you hear the
name you want. Press Enter.

8. Tab to the Permission level combo box. The default permission level is Publishing Editor, which allows
selected users to create items and subfolders, read items, and edit or delete all items. Other permission
levels include Reviewer, Contributor, Non Editing Author, Author, Editor, Publishing Author, and
Owner. You can also create a custom permission level.
9. To select the permission level for the selected user, press the Up Arrow key or the Down Arrow key.

TIP
To review the rights allowed for a permission level, press the Tab key through the 10 check boxes that specify the
rights for the selected permission level. If you change a check box setting, the permission level changes to Custom. If
you select the Custom permission level, all check boxes are cleared for you to select what you want.

10. Tab to the Save button and press Enter. The user and associated permission level are saved and added to
the table of users in the Public Folder Permissions dialog box.
11. To add another user, activate the Add button, which has the focus, by pressing Enter. Repeat steps 5
through 10. Do this for all users you want to add to the new public folder.
12. When you finish adding users, in the Public Folder Permissions dialog box, tab to the Save button and
press Enter. Wait several seconds for the information to be saved. An alert specifies that the save operation
is complete, and you hear "Close button." To close the alert, press Enter. The public folders main page view
has the focus again.

NOTE
Public folders have size limits, and subfolders inherit permission settings from parent folders in specific ways. In addition, you
can enable mail settings for a public folder. Learn more about creating public folders.
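
The permission levels assigned in the Add users of a public folder procedure can be reviewed afterwards from Exchange Online PowerShell. The following is an added example, not part of the original article: it flags entries that hold Owner, Publishing Editor, or Editor, and Custom entries that include the equivalent individual rights, so that each one can be confirmed as intended. The function name Find-BroadPublicFolderPermission and the sample rows are constructed for illustration; the FolderName, User, and AccessRights properties follow the output of Get-PublicFolderClientPermission.

```powershell
# Added example, not from the original article. Sample rows below are constructed.

# Permission levels that allow editing or deleting items created by other users.
$BroadRoles  = 'Owner', 'PublishingEditor', 'Editor'
# Individual rights that make a Custom permission level equally broad.
$BroadRights = 'FolderOwner', 'EditAllItems', 'DeleteAllItems'

function Find-BroadPublicFolderPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Permission
    )
    process {
        # AccessRights is a collection: one role name, or several rights for a Custom level.
        $rights = @($Permission.AccessRights | ForEach-Object { "$_" })
        $roles  = @($rights | Where-Object { $BroadRoles  -contains $_ })
        $custom = @($rights | Where-Object { $BroadRights -contains $_ })
        if ($roles.Count -eq 0 -and $custom.Count -eq 0) { return }

        if ($roles.Count -gt 0) {
            $level  = $roles -join ', '
            $reason = 'broad permission level'
        }
        else {
            $level  = 'Custom'
            $reason = 'custom rights include ' + ($custom -join ', ')
        }

        [pscustomobject]@{
            Folder = $Permission.FolderName
            User   = "$($Permission.User)"
            Level  = $level
            Reason = $reason
        }
    }
}

# Constructed sample input with the same shape as Get-PublicFolderClientPermission output.
$samplePermissions = @(
    [pscustomobject]@{ FolderName = 'Projects'; User = 'User A'; AccessRights = @('PublishingEditor') }
    [pscustomobject]@{ FolderName = 'Projects'; User = 'User B'; AccessRights = @('Reviewer') }
    [pscustomobject]@{ FolderName = 'Finance';  User = 'User C'; AccessRights = @('ReadItems', 'CreateItems', 'DeleteAllItems', 'FolderVisible') }
    [pscustomobject]@{ FolderName = 'Finance';  User = 'User D'; AccessRights = @('Author') }
)

$samplePermissions | Find-BroadPublicFolderPermission | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Find-BroadPublicFolderPermission
```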

Create a distribution group


Another method for facilitating and configuring collaboration in Exchange Online is a distribution group—a
collection of two or more recipients that appears in the shared address book. When an email message is sent to a
distribution group, it's received by all members of the group. Distribution groups can be organized by a particular
discussion subject (such as "Resource Management Best Practices") or by users who share a common work
structure—as in a workgroup or project team—that requires them to communicate frequently. Use a screen reader
to create a new distribution group in the Exchange admin center. Learn more about managing distribution groups.

Work with a shared mailbox


Shared mailboxes make it easy for a group of people to monitor and send email from a common account, such as
info@contoso.com or support@contoso.com. When a group member replies to a message sent to the shared
mailbox, the email looks like it was sent by the shared mailbox, not by the group member. Use a screen reader to
add a new shared mailbox in the Exchange admin center 2016. Learn more about shared mailboxes.

Use a screen reader to create a new distribution
group in the Exchange admin center
3/4/2019 • 7 minutes to read

Using a screen reader and keyboard shortcuts, you can create a new distribution group in the Exchange admin
center (EAC) in Exchange Online. This topic explains how to create a new distribution group in your Exchange
organization and how to mail-enable an existing group in Active Directory.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Notes:
The different types of groups that are covered in this topic are:
Distribution groups: Can be used only to deliver messages.
Mail-enabled security groups: Can be used to deliver messages as well as grant permissions (a
security group is a security principal that can have permissions assigned to it).
For more information, see Create and manage distribution groups in Exchange Online.
If your organization has a group naming policy, it's applied only to groups created by users (not admins).
For more information, see Create a distribution group naming policy in Exchange Online and Override the
distribution group naming policy in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.

Use the EAC to create a distribution group


1. In the EAC, in the primary navigation pane, tab to Recipients. You hear "Recipients, Primary navigation."
Press Enter.
2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary navigation link."
3. Press the Left Arrow key until you hear "Groups, Secondary navigation link."
4. Press Enter. You hear "Groups options." A list of distribution groups appears.
5. To move the focus to the distribution group menu, press Ctrl+F6. You hear "New," which is the first
button.
6. To open the New submenu, press Spacebar.
7. In the New menu, press the Down Arrow key until you hear "Distribution group." Then, press Enter. (In
Narrator, you may hear "Empty line" or nothing at all. The three items on this menu are distribution
group, security group, and dynamic distribution group. Select the first item in the menu.) The new
distribution group page opens in a new browser window.

TIP
The new distribution group window includes two buttons named Add and two named Remove. The first set of
Add and Remove buttons affects the Select Owners box. The second set applies to the Select Members box.

8. Tab to the following options, and complete the group details.

TIP
Required boxes are designated with an asterisk. In screen readers, you hear "Star" or "Asterisk" before the label. For
example, for the required Display name box, you hear "Star display name" or "Asterisk display name." You also hear
the text of a tool tip that appears when you move the focus to an option.

*Display name. Type the name you want to appear in your organization's address book. This name
appears on the To: line when email is sent to this group and in the Groups list in the EAC. The
display name is required. Make it recognizable for users and unique in the forest.
*Alias. Type a name of 64 characters or less for the group's alias. Make it unique in the forest. When
a user types the alias in the To: line of an email message, it resolves to the group's display name.
*Email address. If you want to change the default name used for this group's email address, type
the name you want. The default is the alias you specified.
Notes. If you want to add a description for this distribution group, type a note. The text you type
appears on the group's contact card and in the address book.
Add. To open the Select Owners window, where you can add owners to the distribution group,
select Add. By default, the person who creates a group is the owner and is listed in the Owners box.
All groups must have at least one owner. For help using the Select Owners window, refer to Use a
screen reader in the Select Owners window later in this topic.
Remove. To remove a selected name from the Owners box, use this option.
*Owners. This option lists the names of the distribution group's owners. Screen readers read the
selected name, not the label. For example, you hear "Sara Davis, Button."
Add group owners as member. By default, this check box is selected.
Add. To add members to the distribution group, select this option. By default, the group owners are
members and are listed in the Members box. When you select the Add button, the Select
Members window opens and you can search for or select the names you want. To return to the new
distribution group window, select the OK button. For detailed steps, refer to Use a screen reader to
add a member to a distribution group.
Remove. Use to remove the selected name from the Members box.
Members. This option lists the names of the distribution group's members. In Narrator, you may
hear "Please wait" or nothing, when this list is empty.
Choose whether owner approval is required to join the group. Screen readers read the
selected option. The default is Open. To require approval for people to join the group, use an arrow
key to select one of the other two options: Closed or Owner Approval.
Choose whether the group is open to leave. Screen readers read the selected option. The
default is Open. To require approval for people to leave the group, use an arrow key to select
Closed.
9. When you've finished, tab to the Save button and press Enter.

NOTE
By default, new distribution groups require that all senders be authenticated. This prevents external senders from
sending messages to distribution groups. To configure a distribution group to accept messages from all senders, you
must modify the message delivery restriction settings for that distribution group.
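
To check the settings described above across every group at once, the following added example (not part of the original article) reviews objects shaped like Get-DistributionGroup output and reports groups that accept unauthenticated senders or can be joined without approval. The function name Get-DistributionGroupExposure, the -ExpectedExternal allowlist, and the sample groups are constructed for illustration.

```powershell
# Added example, not from the original article. Sample groups below are constructed.
function Get-DistributionGroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,

        # Aliases of groups that are meant to receive mail from outside the organization
        # (assumption: you maintain such a list).
        [string[]]$ExpectedExternal = @()
    )
    process {
        $findings = @()

        # $true is the default for new groups and rejects unauthenticated (external) senders.
        if ((-not $Group.RequireSenderAuthenticationEnabled) -and
            ($ExpectedExternal -notcontains $Group.Alias)) {
            $findings += 'accepts mail from unauthenticated (external) senders'
        }

        # Open is the EAC default; Closed and ApprovalRequired are the restrictive options.
        if ("$($Group.MemberJoinRestriction)" -eq 'Open') {
            $findings += 'users can join without owner approval'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Group    = $Group.DisplayName
                Alias    = $Group.Alias
                Type     = "$($Group.RecipientTypeDetails)"
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample input with the same property names as Get-DistributionGroup output.
$sampleGroups = @(
    [pscustomobject]@{
        DisplayName = 'Support'; Alias = 'support'
        RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $false; MemberJoinRestriction = 'Closed'
    }
    [pscustomobject]@{
        DisplayName = 'Finance Team'; Alias = 'finance'
        RecipientTypeDetails = 'MailUniversalDistributionGroup'
        RequireSenderAuthenticationEnabled = $false; MemberJoinRestriction = 'Open'
    }
    [pscustomobject]@{
        DisplayName = 'HR Approvers'; Alias = 'hr-approvers'
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        RequireSenderAuthenticationEnabled = $true; MemberJoinRestriction = 'ApprovalRequired'
    }
)

# 'support' is expected to take external mail, so only 'finance' is reported.
$sampleGroups | Get-DistributionGroupExposure -ExpectedExternal 'support' | Format-List

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-DistributionGroup -ResultSize Unlimited | Get-DistributionGroupExposure -ExpectedExternal 'support'
# To restore the default for one group:
# Set-DistributionGroup -Identity 'finance' -RequireSenderAuthenticationEnabled $true
```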

Verify that you've successfully created a distribution group


1. In the EAC, tab to Recipients and press Enter.
2. To move the focus to the menu bar, press Ctrl+F6. You hear, "Mailboxes, Secondary navigation."
3. Press the Left Arrow key until you hear "Groups, Secondary navigation," and then press Enter. The table of
current distribution groups appears.
4. Press Ctrl+F6 until you hear the name of a distribution group, indicating that the focus is on the table of
distribution groups.
5. To locate the distribution group you just created, use the Up Arrow and Down Arrow keys. The screen
reader reads the display name, group type, and e-mail address.
Use a screen reader in the Select Owners window
In the new distribution group window, the Add button for the *Owners box opens the Select Owners window,
which some screen readers have difficulty reading. To add an owner:
1. In the new distribution group window, tab to the Add button and press Enter. The Select Owner
window opens, and the focus is on a search box.
2. Type all or part of the name of the user you want to add, and then press Enter. A list of names appears in
the Display Name table. If there are no names, press Shift+Tab until you hear "Filter or search edit" or the
text of your previous search and then type new search text.
3. To select a name, tab until you hear a name, indicating that the focus is on the names in the Display Name
table. (In JAWS, you hear "Out of table" and the name of the first user listed.)
4. To select the name you want, use the arrow keys.
5. Tab until you hear "Add button" and then press Spacebar. The name is added to a text box. Each name you
add includes a Remove link.
6. To add more names, tab to the Search button and repeat the previous steps.
7. When complete, tab to the OK button and press Enter. The Select Owner window closes, and the focus is
in the Owners box in the new distribution group window.

Use a screen reader to configure mail flow rules in
the Exchange admin center in Exchange Online
3/4/2019 • 9 minutes to read

Using a screen reader and keyboard shortcuts, you can create mail flow rules (also known as transport rules) in
Exchange Online in the Exchange admin center (EAC) to look for specific conditions in messages that pass through
your organization and take action on them. The main difference between mail flow rules and Inbox rules you
would set up in an email client application (such as Outlook) is that mail flow rules take action on messages while
they're in transit as opposed to after the message is delivered. Mail flow rules also contain a richer set of
conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging
policies.
Note: To learn more about mail flow rules, see Mail flow rules (transport rules) in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.

Create a mail flow rule


1. In the EAC, to move the focus to the first link in the navigation pane (Dashboard), press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
2. To move the focus to the mail flow link in the navigation pane, press the Tab key until you hear "Mail flow,
Primary navigation link." Press Enter.
3. To move the focus to the mail flow settings in the content area of the page, the first of which is the rules
link, press Ctrl+F6. You hear "Rules, Secondary navigation link."
4. To create a new rule, move the focus to the New button by pressing the Tab key until you hear "New
button." Press Enter. You hear "Menu." To select the Create a new rule option from the list of options that
opens for the button, press the Down Arrow key. You hear "Create a new rule." Press Enter.
5. As the focus moves to the Name text box in the new rule pop-up window, you hear "New rule, Name,
Edit." Type the name of the new rule. To move to the next option in the window, press the Tab key.
6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this rule if, Combo box."
Press the Down Arrow or Up Arrow key until you hear the condition you want to select. Press Enter. As the
focus moves to the first user interface (UI) element in the pop-up window that opens for the selected
condition, you hear the name of the pop-up window followed by the name of the first UI element in the
window. The following table gives you an overview of the UI elements in each condition's pop-up window.

| Condition | UI elements in the condition's pop-up window |
|:-----|:-----|
| • The sender is<br>• The recipient is<br>• The sender is a member of<br>• The recipient is a member of | • Search, Refresh, and More buttons.<br>• Display Name and Email Address column headers.<br>• List of names and email addresses.<br>• Add button and text box that includes the selected names.<br>• Check names button and text box in which you type the name you want to check.<br>• OK and Cancel buttons. |
| • The sender is located<br>• The recipient is located | • Drop-down box that opens a list of locations.<br>• OK and Cancel buttons. |
| • The subject or body includes<br>• The sender address includes<br>• The recipient address includes<br>• Any attachment's content includes | • Edit and Remove buttons.<br>• Text box in which you type words, and an Add button to add each entry.<br>• List of entries.<br>• OK and Cancel buttons. |
| [Apply to all messages] | No pop-up window opens |

TIP
To move the focus to each setting that's listed in a pop-up window, press the Tab key. As you select each setting, you
hear information about it. To open drop-down box lists, press Spacebar. To move between and select options in
drop-down box lists, press the Down Arrow and Up Arrow keys. To choose an option, press Enter. You can also use
the Spacebar to select or clear the selection for check boxes.

7. After you've accepted your condition settings in the appropriate pop-up window, move to the next option in
the new rule pop-up window by pressing the Tab key.
8. As the focus moves to the Do the following drop-down box, you hear "Do the following, Combo box."
Press the Down Arrow or Up Arrow key until you hear the action you want to select. Press Enter. As the
focus moves to the first UI element in the pop-up window that opens for the selected action, you hear the
name of the pop-up window followed by the name of the first UI element in the window. The following
table gives you an overview of the UI elements in each action's pop-up window.

| Action | UI elements in the pop-up window |
|:-----|:-----|
| • Forward the message for approval to<br>• Redirect the message to<br>• Bcc the message to | • Search, Refresh, and More buttons.<br>• Display Name and Email Address column headers.<br>• List of names and email addresses.<br>• Add button and text box that includes the selected names.<br>• Check names button and text box in which you type the name you want to check.<br>• OK and Cancel buttons. |
| Reject the message with the explanation | • Text box in which you type the explanation<br>• OK and Cancel buttons. |
| Delete the message without notifying anyone | No pop-up window opens |
| Append the disclaimer | No pop-up window opens, but an Enter text link and a Select one link are inserted in the window after the drop-down box.<br>• If you select the Enter text link, a pop-up window opens that includes a text box in which you type the disclaimer, and the OK and Cancel buttons.<br>• If you select the Select one link, a pop-up window opens that includes a drop-down box that opens a list of fallback actions in case the disclaimer can't be inserted, and the OK and Cancel buttons. |

9. After you've accepted your action settings in the appropriate pop-up window, move to the next option in the
new rule pop-up window by pressing the Tab key.
10. As the focus moves to the Audit this rule with severity level check box, you hear "Checked" or
"Unchecked" depending on whether the box is selected or not, followed by "Audit this rule with severity
level, Check box." To select or clear the selection for the check box, press Spacebar. You hear "Checked" or
"Unchecked." Do either of the following two actions.
If you selected the Audit this rule with severity level check box, when you press the Tab key, the focus
moves to a drop-down box that lists severity levels (Low, Medium, or High). To move between severity
levels in the list, press the Up Arrow or Down Arrow key. You hear the name of each severity level. To select
a severity level, press Enter. To move to the next option in the window, press the Tab key.
If you didn't select the Audit this rule with severity level check box, to move to the next available option
in the window, press the Tab key.
11. As the focus moves to the first of three available modes for the rule, you hear the name of the first mode
(Enforce) followed by "Radio button." Do any of the following three actions.
The Enforce mode is selected by default. To move to and select the next mode, press the Down Arrow key.
After you've selected the mode you want, to move to the next area of options in the window, press the Tab
key.
To select the Test with Policy Tips mode, press the Down Arrow key. You hear "Test with Policy Tips"
followed by "Radio button." To move to and select the next mode, press the Down Arrow key. After you've
selected the mode you want, to move to the next area of options in the window, press the Tab key.
To select the Test without Policy Tips mode, press the Down Arrow key. You hear "Test without Policy
Tips" followed by "Radio button." To move to and select the next mode, press the Down Arrow key. After
you've selected the mode you want, to move to the next area of options in the window, press the Tab key.
12. As the focus moves to the More options link, you hear "More options link." If you want to add more options
for the rule, press Enter. The following nine UI elements are added to the window.
After the Apply this rule if drop-down box, an add condition button is added.
After the Do the following drop-down box, an add action button is added.
After the add action button, an add exception button is added.
After the options for the modes for the rule, the following UI elements are added:
Activate this rule on the following date check box, followed by a date drop-down box and a time
drop-down box.
Deactivate this rule on the following date check box, followed by a date drop-down box and a time
drop-down box.
Stop processing more rules check box.
Defer the message if rule processing doesn't complete check box.
Match sender address in message drop-down box that includes Header, Envelope, and Header or
Envelope options.
Comment text box.
13. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
14. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.

TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the
Up Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule,
press the Tab key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.
Use a screen reader to define rules that encrypt or
decrypt email messages in the Exchange admin
center in Exchange Online
3/4/2019 • 8 minutes to read

In the Exchange admin center (EAC) in Exchange Online, you can create mail flow rules (also known as transport
rules) to enable or disable Office 365 Message Encryption. This lets you encrypt outgoing email messages and
remove encryption from encrypted messages coming from inside your organization or from replies to encrypted
messages sent from your organization.
Note: To learn more about message encryption, go to Encryption in Office 365. Your organization must have
Windows Azure Rights Management set up for Office 365 Message Encryption to complete the tasks in this topic.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Use a screen reader to identify your admin role in the Exchange admin center.

Create a mail flow rule to encrypt email messages


1. In the EAC, to move the focus to the first link in the navigation pane— Dashboard —press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
2. To move the focus to the mail flow link in the navigation pane, press the Tab key until you hear "Mail flow,
Primary navigation link." Press Enter.
3. To move the focus to the mail flow settings in the content area of the page, the first of which is the rules
link, press Ctrl+F6. You hear "Rules, Secondary navigation link."
4. To create a new rule, move the focus to the New button by pressing the Tab key until you hear "New
button." Press Enter. You hear "Menu." To select the Create a new rule option from the list of options that
opens for the button, press the Down Arrow key. You hear "Create a new rule." Press Enter.
5. As the focus moves to the Name text box in the new rule pop-up window, you hear "New rule, Name,
Edit." Type the name of the new rule (such as Encrypt email for email address). To move to the next option
in the window, press the Tab key.
6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this rule if, Combo box."
Press the Down Arrow or Up Arrow key until you hear the condition you want to select. Press Enter. For
example, if you want to encrypt messages for a particular email address, perform the following five steps.
a. In the Apply this rule if drop-down box, press the Down Arrow key until you hear "The recipient is."
Press Enter.
b. As the focus moves to the Search button in the Select Members pop-up window that opens, you
hear "Select Members, Search."
c. To move the focus to each of the following three elements of the user interface, press the Tab key:
a. The Display Name column. You hear "Display Name, Column header."
b. The list of names of each person in your organization in the Name column. You hear the
name of the first person followed by "Button."
c. The first person in the list. You hear the name of the first person followed by "Row."
d. The first person in the list. You hear the name of the first person followed by "Row."
e. To accept your changes, move the focus to the OK button by pressing the Tab key until you hear
"Okay button." Press Enter.
7. As the focus moves back to the new rule pop-up window, you hear "New rule."
8. To move the focus to the More options link in the new rule pop-up window, press the Tab key until you
hear "More options link." Press Enter.

TIP
When you select the More options link, more user interface (UI) elements are added to the page and more options
are added to the combo boxes. To have access to the Modify the message security option that you need to select
in the next step, you must select the More options link.

9. To move the focus back to the Do the following drop-down box in the new rule pop-up window, press
Shift+Tab until you hear "Do the following, Combo box." Perform the following two steps.
a. In the Do the following drop-down box, to select the Modify the message security option, press
the Down Arrow key until you hear "Modify the message security." Press Enter.
b. As the focus moves to a list of message security options, you hear the first option in the list, "Apply
rights protection." To select the Apply Office 365 Message Encryption option, press the Down
Arrow key until you hear "Apply Office 365 Message Encryption." Press Enter.
10. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
11. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.
TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the Up
Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule, press the Tab
key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.

Create a mail flow rule to decrypt email messages


1. In the EAC, to move the focus to the first link in the navigation pane— Dashboard —press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
2. To move the focus to the mail flow link in the navigation pane, press the Tab key until you hear "Mail flow,
Primary navigation link." Press Enter.
3. To move the focus to the mail flow settings in the content area of the page, the first of which is the rules
link, press Ctrl+F6. You hear "Rules, Secondary navigation link."
4. To create a new rule, move the focus to the New button by pressing the Tab key until you hear "New
button." Press Enter. You hear "Menu." To select the Create a new rule option from the list of options that
opens for the button, press the Down Arrow key. You hear "Create a new rule." Press Enter.
5. As the focus moves to the Name text box in the new rule pop-up window, you hear "New rule, Name,
Edit." Type the name of the new rule (such as Remove encryption from incoming mail). To move to the next
option in the window, press the Tab key.
6. As the focus moves to the Apply this rule if drop-down box, you hear "Apply this rule if, Combo box."
Press the Down Arrow or Up Arrow key until you hear the condition you want to select. Press Enter. For
example, if you want to decrypt all incoming messages for your organization, perform the following four
steps.
a. In the Apply this rule if drop-down box, press the Down Arrow key until you hear "The recipient is
located." Press Enter.
b. As the focus moves to a list of locations in the select recipient location pop-up window that opens,
you hear "Select recipient location."
c. To move between and select a location in the list, press the Down Arrow and Up Arrow keys. You
hear the name of each location. For example, to select the Inside the organization location, press
the Down Arrow key until you hear "Inside the organization."
d. To accept your changes, move the focus to the OK button by pressing the Tab key until you hear
"Okay button." Press Enter.
7. As the focus moves back to the new rule pop-up window, you hear "New rule."
8. To move the focus to the More options link in the new rule pop-up window, press the Tab key until you
hear "More options link." Press Enter.

TIP
When you select the More options link, more user interface (UI) elements are added to the page and more options
are added to the combo boxes. To have access to the Modify the message security option that you need to select
in the next step, you must select the More options link.

9. To move the focus back to the Do the following drop-down box in the new rule pop-up window, press
Shift+Tab until you hear "Do the following, Combo box." Perform the following two steps.
a. In the Do the following drop-down box, to select the Modify the message security option, press
the Down Arrow key until you hear "Modify the message security." Press Enter.
b. As the focus moves to a list of message security options, you hear the first option in the list, "Apply
rights protection." To select the Remove Office 365 Message Encryption option, press the Down
Arrow key until you hear "Remove Office 365 Message Encryption." Press Enter.
10. To save the new rule, move the focus to the Save button by pressing the Tab key until you hear "Save
button." Press Enter.
11. As the focus moves back to the New button on the rules content area of the page, you hear "Rules, New
button." The new rule is turned on by default.

TIP
To turn off a new rule, press the Tab key to tab through the elements of the rules content area of the page, use the Up
Arrow and Down Arrow keys to select a rule, and then press Spacebar. To hear the settings for a selected rule, press the Tab
key until the focus moves to the details pane for the selected rule, and you hear the details for the rule.
Use a screen reader to edit the mailbox display name
in the Exchange admin center in Exchange Online
3/4/2019 • 2 minutes to read

Use keyboard shortcuts and your screen reader to add or edit a mailbox's display name in the Exchange admin
center (EAC) in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016.
For best results, when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans; however, capabilities may
differ by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information on the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.

Edit mailbox display name


1. Once you are in the EAC, to navigate to the page body, press Ctrl+F6. You hear "Welcome."
2. Press the Tab key until you hear "Mailboxes." This is the first link after "Recipients."
3. To select the link and go to the Mailboxes page, press Enter. This takes you to the Mailboxes tab on the
Mailboxes page. The focus is on the Mailboxes tab.
4. To get to the Mailbox pane, press Ctrl+F6 twice. You hear the first name in the list of mailboxes.
5. Use the arrow keys to select the mailbox you want to update. You hear each mailbox user's name as that
listing is selected.
6. When you have found the mailbox you want to edit, press Enter. This opens a pop-up window. You hear the
URL of that pop-up window. The focus is on the General tab within the Edit Mailbox page.
7. To get to the Display Name field on the General tab, press the Tab key. You hear "Display name."
8. Type in the new display name.
9. To get to the Save button, press the Tab key (you hear "Save button"), and press Enter. This returns you to
the Mailbox List tab. The focus will be on the name you just edited.
TIP
It may take a few minutes to save the new mailbox and close the pop-up window. There is no additional feedback to
provide during this wait time.
Use a screen reader to export and review audit logs
in the Exchange admin center
3/4/2019 • 10 minutes to read

You can export and review mailbox audit logs by using your screen reader in the Exchange admin center (EAC) in
Exchange Online. When enabled, Exchange mailbox auditing logs information in the mailbox audit log whenever a
user other than the owner accesses the mailbox. Each log entry includes information about who accessed the
mailbox and the actions performed.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To export and review mailbox audit logs, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.
Configure mailbox audit logging
Before you can export and review audit logs, you or another admin must enable mailbox audit logging and
configure Outlook to allow XML attachments. These tasks are done in Exchange Online PowerShell. For more
information, go to Export mailbox audit logs.

Export a mailbox audit log


1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about six times until you hear "Export mailbox audit logs," and press Enter.
7. In the Export Mailbox Audit Logs dialog box which opens, the Start date year combo box has the focus,
and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. When enabled, the mailbox audit log typically
stores entries for 90 days.

a. If necessary, type the start date year for the audit logs. You can also select the start date year by
pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for the audit logs. You can also select the end date year by
pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select users button, press the Tab key twice. You hear "Search these mailboxes or leave blank
to find all mailboxes accessed by non-owners."

TIP
If you want to export audit logs for all mailboxes, don't select any users, and go on to step 10. When the Search
these users box is blank, the search includes all mailboxes.

a. To open the Select Mailbox dialog box, with the focus on the select users button, press Enter. The
Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first mailbox whose audit logs you want to export and then, to search for the name, press Enter.
b. To select a mailbox, press the Tab key four times until you hear the name of the mailbox owner in the
search results list. If there are multiple mailboxes in the search results list, press the Down Arrow or
Up Arrow key until you hear the name of the mailbox owner.
TIP
You can select multiple consecutive mailboxes. To work with all mailboxes, leave the Search box blank, or enter all or
part of the mailbox names you want to add. Tab to the search results. Press the Down Arrow key to hear each name.
To add them all, press Ctrl+A. To add several mailboxes listed consecutively, press the Down Arrow key or the Up
Arrow key until you hear the first mailbox name you want to add, hold down the Shift key, press the Down Arrow
key or the Up Arrow key until you hear the last mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.

c. To add the selected mailbox(es) to the list to be included in the audit log export, press Enter. The list of
mailboxes retains the focus, so you can continue to add more mailboxes by selecting them and pressing
Enter.

TIP
To check the mailboxes you've added, tab to the Add button. To hear the list of mailboxes, press the Tab key again.
You hear the first mailbox name in the list. To hear the second mailbox name in the list, press the Tab key one more
time. Continue pressing the Tab key until you hear the names of all the mailboxes you've added. To delete a mailbox
from the list, activate the Remove link by pressing Enter when you hear the mailbox name.

d. To search for another mailbox or set of mailboxes, tab several times until you hear "Filter or search
edit." Type all or part of the name of the next mailboxes you want to add, and press Enter. Repeat
steps b and c. Do this for all mailboxes you want to add.
e. To add an external mailbox, press the Tab key until you hear "Check names edit, Type in text." (In
Narrator, you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to
select the Check names button, and then press Enter. This verifies the email address and adds it to
the list of mailboxes.

TIP
Be aware that if you type an external email address and press Enter, this adds the address to the list and then closes
the dialog box. If you're not finished, use the Check names button to add it instead.

f. When you finish adding mailboxes, tab to the OK button and press Enter. The Export Mailbox Audit
Logs dialog box has the focus again, and the Search these mailboxes text box lists the selected
mailboxes.
10. Tab to the Search for access by combo box. This specifies which types of mailbox non-owners you want
the audit logs to show.
To have the audit logs show all non-owners, you don't need to do anything, as this is the default.
To specify a certain group of non-owners, like External users (Microsoft datacenter administrators),
Administrators and delegated users, or Administrators, press the Down Arrow key to move to the user
type you want, and then press Enter.
11. Press the Tab key twice to access the next select users button. You hear "Send the audit report to picker
button." To open the Select Members dialog box, press Enter. The Search button has the focus.
12. To search for a user within your organization, press Enter, type all or part of the name of the first audit log
recipient, and then press Enter.
13. Press the Tab key several times until you hear the name of the user in the search results list.
14. To add the user to the list of audit log recipients, press the Down Arrow key until you hear the user's name,
and then press Enter. The list of users retains the focus, so you can continue to add more recipients by
selecting their mailboxes and pressing Enter.

TIP
To check the recipients you've added, tab to the Add button. To hear the list of recipients, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key one more time. Continue pressing the Tab key until you
hear the names of all the recipients you've added. To delete a recipient from the list, activate the Remove link by pressing
Enter when you hear the username.

15. To search for another name or set of names from within your organization, tab several times until you hear
"Filter or search edit." Type all or part of the name of the next user you want to add, and press Enter. Repeat
steps b and c. Do this for all audit report recipients in your organization.
16. To add an external recipient, press the Tab key until you hear "Check names edit, Type in text." (In Narrator,
you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to select the Check
names button, and then press Enter. This verifies the email address and adds it to the list of recipients.

TIP
Be aware that if you type an external email address and press Enter, this adds the recipient to the list and then closes the
dialog box. If you're not finished, use the Check names button to add it instead.

17. When you finish adding users, tab to the OK button and press Enter. The Export Mailbox Audit Logs
dialog box has the focus again, and the Send the audit report to text box lists the audit log recipients.
18. Tab to the export button and press Enter. Exchange retrieves entries in the mailbox audit log that meet
your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an
email message sent within 24 hours to your selected audit log recipients.

TIP
If you hear an error message that says the items you're trying to open couldn't be found, check that audit logging is enabled
for the selected mailboxes. Also check that the selected dates are within range. The dates need to be after the date audit
logging was enabled, and, by default, within the past 90 days.

Review a mailbox audit log


1. Open Outlook and sign in to your mailbox (or the mailbox where the audit log was sent).
2. In the Inbox, find and open the message sent by Exchange or Outlook with a subject including "Mailbox
Audit Log Search" and an XML file attachment named SearchResult.xml. The body of the email message
contains the search criteria for this exported audit log.

TIP
If Outlook is not configured to allow XML attachments, you might receive the email message but not be able to
open the XML attachment. Also, if you can't find the message, you might need to wait longer. Recipients typically
receive the exported audit log within 24 hours, but in some cases it might take a few days.

3. Select the message attachment and specify that you want to download the XML file.
4. Open the SearchResult.xml file in Excel. Each log entry includes information about non-owners of the
mailbox who accessed the mailbox and the actions performed. The following fields are included, among
others, in the audit log:

| THIS MAILBOX AUDIT LOG FIELD | GIVES THIS INFORMATION |
|---|---|
| Owner | The owner of the mailbox accessed by a non-owner |
| LastAccessed | The date and time of the most recent mailbox access |
| Operation | The action performed by the non-owner |
| OperationResult | Whether the action performed by the non-owner succeeded or failed |
| LogonType | The type of non-owner access, like administrator, delegate, or external Microsoft datacenter administrator |
| ClientIPAddress | The IP address of the computer used by the non-owner to access the mailbox |
| LogonUserDN | The display name of the non-owner |
| Subject | The subject line of the message affected by the non-owner |

Use a screen reader to identify your admin role in
the Exchange admin center
3/4/2019 • 2 minutes to read

To complete administrative tasks in the Exchange admin center (EAC) in Exchange Online, you need the
appropriate administrative permissions, which are grouped and assigned by role. By using a screen reader and
keyboard shortcuts, you can identify your admin role, in addition to the role you must be assigned to complete
particular tasks.

NOTE
To learn how to open the EAC, refer to Use a screen reader to open the Exchange admin center. To learn more about
admin role groups, go to Understanding management role groups.

1. In the EAC, to move the focus to Dashboard, which is the first link in the navigation pane, press
Ctrl+F6 twice. You hear "Dashboard, Primary navigation link."
2. In the navigation pane, to move the focus to the Permissions link, press the Tab key until you hear
"Permissions, Primary navigation link." Press Enter.
3. To move the focus to the admin roles link on the content area of the page, press Ctrl+F6. You hear
"Admin roles, Secondary navigation link."
4. To move the focus to each of the following three elements of the user interface, press the Tab key for
each element:
a. The main content for admin roles. You hear "Role groups."
b. The Name column. You hear "Name, Column header."
c. The list of admin role groups in the Name column. You hear the name of the first role group,
which is Compliance Management, followed by "Row."
5. In the list of admin role groups, to move between and select the name of a group, use the Up Arrow
and Down Arrow keys. As you select each group, you hear its name, followed by "Row."
6. Select the admin role group that includes the role you need to complete a task.

TIP
If you don't know the role required for a particular task, select the admin role group that you think might
include roles related to your task, perform step 6, and pay particular attention to the assigned roles.

7. To move the focus to the details pane for the admin role group, press Ctrl+F6.
If you're using Narrator, you hear all the details for the admin role group, including a description
of the group, assigned roles, members, managed by, and write scope.
If you're using JAWS, to hear the description of the admin role group, press the Down Arrow key,
and then, to hear the rest of the text in the details pane, press Alt+Down Arrow.
8. If you do not hear your name among the members, you have not been assigned the appropriate role to
complete your task. Contact your Office 365 administrator.
Use a screen reader to manage anti-malware
protection in the Exchange admin center in Exchange
Online
3/4/2019 • 7 minutes to read

Exchange Online offers multilayered protection that's designed to catch all known malware. All messages are
scanned for malware (viruses and spyware), and if malware is detected, the message is deleted. Administrators do
not need to set up or maintain these filtering technologies, which are enabled by default. However, administrators
can make company-specific filtering customizations in the Exchange admin center (EAC)—all using a screen reader
and keyboard shortcuts.

NOTE
To learn more about protecting your organization's email messages from malware in Exchange Online, go to Anti-Spam and
Anti-Malware Protection.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. See Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Hygiene
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.

Move the focus to your malware filter settings in the EAC


To complete the steps for malware filter customizations covered in this topic, move the focus to your malware filter
settings in the EAC:
1. In the EAC, to move the focus to the first link in the navigation pane— Dashboard —press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
2. In the navigation pane, to move the focus to the Protection link, press the Tab key until you hear
"Protection, Primary navigation link." Press Enter.
3. To move the focus to the protection settings in the content area of the page, the first of which is the
malware filter link, press Ctrl+F6. You hear "Malware filter, Secondary navigation link." Press Enter.

Add a new malware filter


1. Move the focus to your malware filter settings in the EAC.
2. To move the focus to the New button, press Ctrl+F6. You hear "New button." Press Enter.
3. As the focus moves to the Name box in the content area of the Anti-malware policy pop-up window that
opens, you hear "Anti-malware policy, Name, Edit."
4. In the Anti-malware policy pop-up window, specify new filter settings such as name, description, malware
detection response, notifications, and applied to.

TIP
This page doesn't contain a navigation pane. To move the focus to each setting that's listed on the page, press the
Tab key. As you select each setting, you hear information about the setting. To open menus, press Spacebar. To move
between and select menu options, press the arrow keys. To choose an option, press Enter. You can also press the
Spacebar to select or clear a check box selection.

5. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
6. As the Anti-malware policy pop-up window closes and the focus moves back to the New button in the
malware filter content area, you hear "Malware filter, New button."

Edit a malware filter


1. Move the focus to your malware filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of malware filters in the Name column. You hear the name of the first malware filter
followed by "Button."
The first malware filter in the list. You hear the name of the first malware filter followed by "Row."
3. To move the focus to one of your malware filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to edit. Press Enter.
4. As the focus moves to the Name box in the content area of the Anti-malware policy pop-up window that
opens, you hear "Anti-malware policy, Name, Edit."
5. In the Anti-malware policy pop-up window, specify new filter settings such as name, description, malware
detection response, notifications, and applied to.
TIP
This page doesn't contain a navigation pane. To move the focus to each setting that's listed on the page, press the
Tab key. As you select each setting, you hear information about the setting. To open menus, press Spacebar. To move
between and select menu options, press the arrow keys. To choose an option, press Enter. You can also press the
Spacebar to select or clear a check box selection.

6. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
7. As the Anti-malware policy pop-up window closes and the focus moves back to the malware filter
content area, you hear "Malware filter."

Delete a malware filter


1. Move the focus to your malware filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of malware filters in the Name column. You hear the name of the first malware filter
followed by "Button."
The first malware filter in the list. You hear the name of the first malware filter followed by "Row."
3. To move the focus to one of your malware filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to delete.

TIP
You must disable a malware filter before you can delete it. To learn how to disable a filter, go to the Enable or disable
a malware filter section in this topic.

4. Press Delete. You hear "Warning, Are you sure you want to delete the policy" followed by the name of the
policy. To select the Yes button, press Enter. To select the No button, press the Tab key, and then press Enter.

Enable or disable a malware filter


1. Move the focus to your malware filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of malware filters in the Name column. You hear the name of the first malware filter
followed by "Button."
The first malware filter in the list. You hear the name of the first malware filter followed by "Row."
3. To move the focus to one of your malware filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to enable or disable.
4. To toggle between enabling and disabling the filter, press Spacebar.

Hear the details for a malware filter


1. Move the focus to your malware filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of malware filters in the Name column. You hear the name of the first malware filter
followed by "Button."
The first malware filter in the list. You hear the name of the first malware filter followed by "Row."
3. To move the focus to one of your malware filters, press the Up Arrow or Down arrow key until you hear the
name of the filter whose details you want to hear.
4. To move the focus to the details pane for the malware filter, press the Tab key. You hear the details for the
filter.
Use a screen reader to manage anti-spam protection in Exchange Online
3/4/2019 • 11 minutes to read

Exchange Online includes spam filtering capabilities that help protect your network from spam transferred
through email. Administrators do not need to set up or maintain these filtering technologies, which are enabled by
default. However, administrators can make company-specific filtering customizations in the Exchange admin
center (EAC)—all using a screen reader and keyboard shortcuts.

NOTE
To learn more about protecting your organization from spam in Exchange Online, go to Anti-Spam and Anti-Malware
Protection.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started. For more information about
the EAC, see Exchange admin center in Exchange Online.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, Use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Hygiene
Management admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange
admin center.

Customize your spam filter settings


Exchange Online uses proprietary anti-spam technology to help achieve high accuracy rates. It provides strong
connection filtering and content filtering on all inbound messages.
Move the focus to your spam filter settings in the EAC
To complete the steps for spam filter customizations covered in this topic, move the focus to your spam filter
settings in the EAC:
1. In the EAC, to move the focus to the first link in the navigation pane— Dashboard —press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
2. In the navigation pane, to move the focus to protection, press the Tab key until you hear "Protection,
Primary navigation link." Press Enter.
3. To move the focus to the protection settings in the content area of the page, the first of which is the
malware filter link, press Ctrl+F6. You hear "Malware filter, Secondary navigation link."
4. To move the focus to the spam filter link, press the Tab key until you hear "Spam filter, Secondary
navigation link." Press Enter.
Add a new spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to the New button, press Ctrl+F6. You hear "New button." Press Enter.
3. As the focus moves to the Name box in the content area of the Spam filter policy pop-up window that
opens, you hear "Spam filter policy, Name, Edit."
4. In the Spam filter policy pop-up window, specify new filter settings such as name, description, spam and
bulk actions, block lists, allow lists, international spam, and advanced options.

TIP
This page doesn't contain a navigation pane. To move the focus to each setting that's listed on the page, press the
Tab key. As you select each setting, you hear information about the setting. To open menus, press Spacebar. To move
between and select menu options, press the arrow keys. To choose an option, press Enter. You can also press the
Spacebar to select or clear a check box selection.

5. After you've pressed the Tab key to tab through all the settings on the page, the last two elements on the
page are the Save button and the Cancel button. To activate either button, press Enter.
6. As the Spam filter policy pop-up window closes and the focus moves back to the New button in the
spam filter content area, you hear "Spam filter, New button."
Edit an existing spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by "Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to edit. Press Enter.
4. As the focus moves to the general link in the navigation pane in the Edit Spam Filter Policy pop-up
window that opens for the filter, you hear "Edit Spam Filter Policy, Selected, General."
5. In the navigation pane in the Edit Spam Filter Policy pop-up window, press the arrow keys to move
between and select the links in the navigation pane on the page, which correspond to the settings you can
edit: general, spam and bulk actions, block lists, allow lists, international spam, and advanced
options.
TIP
When a link is selected in the navigation pane, press the Tab key to move the focus to the content area of the page.
To move through and select the elements in the content area, press the Tab key. As you select each setting, you hear
information about the setting. To open menus, press Spacebar. To move between and select menu options, press the
arrow keys. To choose an option, press Enter. You can also press the Spacebar to select or clear a check box selection.

6. After you've customized the settings for the filter and pressed the Tab key to tab through all the links in the
Edit Spam Filter Policy pop-up window, the last two elements on the page are the Save button and the
Cancel button. To activate either button, press Enter.
7. As the pop-up window closes and the focus moves back to the spam filter content area, you hear "Spam
filter."
Delete a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by
"Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to delete.

TIP
You must disable a spam filter before you can delete it. To learn how to disable a filter, go to the Enable or disable a
spam filter section in this topic.

4. Press Delete. You hear "Warning, Are you sure you want to delete the policy" followed by the name of the
policy. To select the Yes button, press Enter. To select the No button, press the Tab key, and then press Enter.
Enable or disable a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed
by "Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down arrow key until you hear the
name of the filter you want to enable or disable.
4. To toggle between enabling and disabling the filter, press Spacebar.
Hear the details for a spam filter
1. Move the focus to your spam filter settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of spam filters in the Name column. You hear the name of the first spam filter followed by
"Button."
The first spam filter in the list. You hear the name of the first spam filter followed by "Row."
3. To move the focus to one of your spam filters, press the Up Arrow or Down arrow key until you hear the
name of the filter whose details you want to hear.
4. To move the focus to the details pane for the spam filter, press the Tab key. You hear the details for the filter.

Customize your outbound spam settings


You can also use the proprietary anti-spam technology in Exchange Online to filter spam in outbound email.
Move the focus to your outbound spam settings in the EAC
To complete the steps for outbound spam customizations covered in this topic, move the focus to your outbound
spam settings in the EAC:
In the EAC, to move the focus to the first link in the navigation pane— Dashboard —press Ctrl+F6 twice.
You hear "Dashboard, Primary navigation link."
In the navigation pane, to move the focus to the protection link, press the Tab key until you hear
"Protection, Primary navigation link." Press Enter.
To move the focus to the protection settings in the content area of the page, the first of which is the
malware filter link, press Ctrl+F6. You hear "Malware filter, Secondary navigation link."
To move the focus to the outbound spam link, press the Tab key until you hear "Outbound spam,
Secondary navigation link." Press Enter.
Edit your outbound spam settings
1. Move the focus to your outbound spam settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of outbound spam filters in the Name column. You hear the name of the first outbound
spam filter followed by "Button."
The first outbound spam filter in the list. You hear the name of the first outbound spam filter
followed by "Row."
3. To move the focus to one of your outbound spam filters, press the Up Arrow or Down arrow key until you
hear the name of the filter you want to edit. Press Enter.
4. As the focus moves to the general link in the navigation pane in the Edit Spam Filter Policy pop-up
window that opens, you hear "Edit Spam Filter Policy, Selected, General."
5. In the navigation pane in the Edit Spam Filter Policy pop-up window, to move between and select the
links in the navigation pane, press the Down Arrow and Up Arrow keys. The links correspond to the options
you can edit: general and outbound spam preferences.
TIP
When a link is selected in the navigation pane, press the Tab key to move the focus to the content area of the page.
To move through and select the elements in the content area, press the Tab key. As you select each setting, you hear
information about the setting. To open menus, press Spacebar. To move between and select menu options, press the
arrow keys. To choose an option, press Enter. You can also press the Spacebar to select or clear the selection for
check boxes.

6. After you've customized the options for the outbound spam setting and pressed the Tab key to tab through
all the links in the window, the last two elements on the page are the Save button and the Cancel button.
To activate either button, press Enter.
7. As the Edit Spam Filter Policy pop-up window closes and the focus moves back to the spam filter content
area, you hear "Spam filter."
Hear the details for an outbound spam setting
1. Move the focus to your outbound spam settings in the EAC.
2. To move the focus to each of the following three elements of the user interface, press the Tab key:
The Name column. You hear "Name, Column header."
The list of outbound spam filters in the Name column. You hear the name of the first outbound
spam filter followed by "Button."
The first outbound spam filter in the list. You hear the name of the first outbound spam filter
followed by "Row."
3. To move the focus to one of your outbound spam filters, press the Up Arrow or Down arrow key until you
hear the name of the filter whose details you want to hear.
4. To move the focus to the details pane for the outbound spam filter, press the Tab key. You hear the details
for the filter.
Use a screen reader to open the Exchange admin center in Exchange Online
3/4/2019 • 2 minutes to read

The Exchange admin center (EAC) is a web-based app that lets you manage your Exchange Online
organization in a web browser. Using a screen reader and keyboard shortcuts, you can open the EAC and
perform administrative tasks (based on your permissions).

NOTE
When you work in the EAC, we recommend that you use Internet Explorer as your web browser. For more information
about the keyboard shortcuts you can use to navigate the EAC and about other accessibility features that are available
for Exchange Online, see Learn more about Internet Explorer keyboard shortcuts and Accessibility in Exchange Online.

1. Sign in to your organization's Office 365 account. In the App launcher, move the focus to the Admin
app. You hear "Go to the Office 365 admin center, Link." Press Enter.

TIP
If you use the My apps page to open your apps, to quickly move to the Admin app (sometimes one of the last
apps on the list), move the focus to the Search apps box (one of the first elements on the page). In JAWS, you
hear "Leaving menus, My apps, Edit, Type text." In Narrator, you hear "Search apps, Editing." Type admin, and
then move the focus to the only search result on the page: Admin app. You hear "Admin link." Press Enter.

2. As the Office 365 admin center opens, in JAWS, you hear "Office 365, Office admin center, Home." In
Narrator, you hear "Office 365, Editing."
3. To move the focus to the Expand link in the navigation pane, press the Tab key until you hear one of
the following two options.
"Expand navigation menu button." To expand the navigation pane, press Spacebar.
"Collapse navigation menu button." The navigation pane is already expanded, so no action is
required.
4. To move the focus to Admin centers (the last item in the navigation pane), press the Tab key until you
hear "Admin centers."
5. To ensure that the Admin centers list is expanded so that you can access the items in it, press the Tab
key. Then, based on the audible feedback you hear, perform one of the following two actions.
If you hear "Exchange link, Open Exchange admin center in a new tab," the list is already
expanded and you've selected Exchange.
If you hear something other than "Exchange link, Open Exchange admin center in a new tab,"
the list is collapsed. To move the focus back to the Admin centers list, press Shift+Tab. To
expand the list, press Enter. In the expanded Admin centers list, to select Exchange, press the
Tab key until you hear "Exchange link, Open Exchange admin center in a new tab."
6. To open the Exchange admin center, press Enter. As the Exchange admin center opens in a new
tab in your web browser, in JAWS, you hear "Exchange admin center." In Narrator, you hear "Microsoft
Exchange."
7. To move the focus to Dashboard (the first link), in the navigation pane of the Exchange admin
center, press Ctrl+F6 twice. In Narrator, you hear "Dashboard, Primary navigation link."

TIP
To move to the rest of the items in the navigation pane, press the Tab key. To open an item, press Enter. After
you've opened an item, to move directly to one of its elements in the content area on a page, press Ctrl+F6. To
identify the admin role groups to which you've been assigned, which determine the tasks you can perform in
the EAC, refer to Use a screen reader to identify your admin role in the Exchange admin center.
Use a screen reader to run an audit report in the Exchange admin center in Exchange Online
3/4/2019 • 22 minutes to read

You can run audit reports and search for audit information by using your screen reader in the Exchange admin
center (EAC) in Exchange Online. Certain audit reports can help you troubleshoot configuration issues by tracking
specific changes made by administrators. Other audit reports can help you monitor regulatory, compliance, and
litigation requirements.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To run audit reports, Use a screen reader to open the Exchange admin center and check that your Office 365
global administrator has assigned you to the Organization Management and Records Management admin role
groups. To run In-Place eDiscovery or In-Place Hold reports, check that you are assigned to the Discovery
Management role group. Learn how to Use a screen reader to identify your admin role in the Exchange admin
center.

Find data to troubleshoot configuration and security issues


Troubleshoot configuration issues by examining logged information about mailbox access by non-owners,
Exchange Online configuration changes, and administrator role group updates. This information is available on the
Compliance Management tab and the Auditing page of the EAC.
Search for non-owner mailbox access
When Exchange mailbox auditing is enabled for a mailbox, information is recorded in the mailbox audit log
whenever a user other than the owner accesses that mailbox. Each log entry includes information about who
accessed the mailbox and what actions were performed. Search for non-owner mailbox access when you need to
troubleshoot possible security issues.
NOTE
Before you can search for non-owner mailbox access, you or another Admin must enable mailbox audit logging, which is
done in Exchange Online PowerShell. Learn more about running a non-owner mailbox access report.

1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about three times until you hear "Run a non-owner mailbox access report." Press Enter.
7. In the Search for Mailboxes Accessed by Non-Owners dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. When enabled, the mailbox audit log typically
stores entries for 90 days.

a. If necessary, type the start date year for your administrator configuration change search. You can
also select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for your administrator configuration change search. You can also
select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the search button, and press Enter.

TIP
If you want to search all mailboxes for non-owner access, don't select any specific mailboxes, and go on to step 10.
When the Search these mailboxes box is blank, the search includes all mailboxes.

a. To open the Select Mailbox dialog box, with the focus on the select mailboxes button, press Enter.
The Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first mailbox you want to include in the non-owner mailbox access search and then, to search for the
name, press Enter.
b. To select a mailbox, press the Tab key about four times until you hear the name of the mailbox owner
in the search results list. If there are multiple mailboxes in the search results list, press the Down
Arrow key or Up Arrow key until you hear the name of the mailbox owner.

TIP
You can select multiple consecutive mailboxes. To work with all mailboxes, leave the Search box blank, or enter all or
part of the mailbox names you want to add. Tab to the search results. Press the Down Arrow key to hear each name.
To add them all, press Ctrl+A. To add several mailboxes listed consecutively, press the Down Arrow key or the Up
Arrow key until you hear the first mailbox name you want to add, hold down the Shift key, press the Down Arrow key
or the Up Arrow key until you hear the last mailbox name you want to add, and then release the Shift key. All
mailboxes between the first and last mailbox names are selected.

c. To add the selected mailbox(es) to the list to be included in the non-owner mailbox access search, press
Enter. The list of mailboxes retains the focus, so you can continue to add more mailboxes by selecting
them and pressing Enter.

TIP
To check the mailboxes you've added, tab to the Add button. To hear the list of mailboxes, press the Tab key again.
You hear the first mailbox name in the list. To hear the second mailbox name in the list, press the Tab key once more.
Continue pressing the Tab key until you hear the names of all the mailboxes you've added. To delete a mailbox from
the list, activate the Remove link by pressing Enter when you hear the mailbox name.

d. To search for another mailbox or set of mailboxes, tab several times until you hear "Filter or search
edit." Type all or part of the name of the next mailboxes you want to add, and press Enter. Repeat
steps b and c. Do this for all mailboxes you want to add.
e. To add an external mailbox, press the Tab key until you hear "Check names edit, Type in text." (In
Narrator, you hear "Editing.") Type the email address of the external recipient, press Shift+Tab to
select the Check names button, and then press Enter. This verifies the email address and adds it to
the list of mailboxes.

TIP
Be aware that if you type an external email address and press Enter, this adds the address to the list and then closes
the dialog box. If you're not finished, use the Check names button to add it instead.

f. When you finish adding mailboxes, tab to the OK button and press Enter. The Search for Mailboxes
Accessed by Non-Owners dialog box has the focus again, and the Search these mailboxes text box
lists the selected mailboxes.
10. Tab to the Search for access by combo box. This specifies which types of mailbox non-owners you want
the non-owner mailbox report to show.
To search the audit logs for administrator access, you don't need to do anything, as this is the default.
To search the audit logs for another group of non-owners, like All non-owners, External users (Microsoft
datacenter administrators), or Administrators and delegated users, press the Up Arrow key to move to
the user type you want.
11. Press the Tab key to access the Search button, and press Enter.
12. Press the Tab key about four times to access the search results. If any mailboxes were accessed by a non-
owner of the type you specified in the time period you selected, you hear the name of the mailbox owner
and the date the mailbox was accessed by a non-owner. If none of the mailboxes were accessed by a non-
owner, you hear "There are no items to show in this view." (In Narrator, you hear "Contains 0 items.")
13. For more details about a non-owner mailbox access, with the item selected in the search results list, press
the Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
14. To close the dialog box, tab to the Close button and press Enter.

TIP
You can also export the log of non-owner access of mailboxes and review it in an XML file. Learn more in Use a screen reader
to export and review audit logs in the Exchange admin center.
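
The same non-owner access search can be run from Exchange Online PowerShell, which is also where mailbox audit logging is enabled. This is an added example, not part of the original article; it assumes an already connected Exchange Online PowerShell session, and the function name `Get-NonOwnerAccess`, its parameter names, the placeholder address and the output file name are hypothetical.

```powershell
# Added example: assumes an Exchange Online PowerShell session is already connected.
# Get-NonOwnerAccess and its parameter names are hypothetical, chosen for this illustration.
function Get-NonOwnerAccess {
    [CmdletBinding()]
    param(
        # Mailboxes to search. Empty means all user mailboxes, matching a blank
        # "Search these mailboxes" box in the EAC dialog.
        [string[]]$Mailbox,

        # Defaults mirror the dialog: start two weeks before yesterday, end today.
        [datetime]$StartDate = (Get-Date).Date.AddDays(-15),
        [datetime]$EndDate   = (Get-Date),

        # Non-owner types to report. Admin is the default described in the article.
        [ValidateSet('Admin', 'Delegate')]
        [string[]]$LogonType = @('Admin')
    )

    if ($Mailbox) {
        $targets = $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        $targets = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    }

    foreach ($mbx in $targets) {
        # A mailbox with auditing off has no log entries, so an empty result
        # for it says nothing about whether it was accessed.
        if (-not $mbx.AuditEnabled) {
            Write-Warning "$($mbx.UserPrincipalName): mailbox audit logging is not enabled."
            continue
        }

        Search-MailboxAuditLog -Identity $mbx.UserPrincipalName `
            -LogonTypes $LogonType -StartDate $StartDate -EndDate $EndDate `
            -ShowDetails -ResultSize 1000 |
            Select-Object LastAccessed, MailboxOwnerUPN, LogonType,
                          LogonUserDisplayName, Operation, OperationResult, FolderPathName
    }
}

# Enable auditing on a mailbox that was reported as not enabled (placeholder address):
# Set-Mailbox -Identity "user@example.com" -AuditEnabled $true

# Report administrator and delegate access for all audited mailboxes:
# Get-NonOwnerAccess -LogonType Admin, Delegate |
#     Export-Csv -Path .\non-owner-access.csv -NoTypeInformation
```

The warning for mailboxes without auditing matters when reviewing results: "no items" for such a mailbox means nothing was logged, not that no non-owner opened it.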

Search for configuration changes on a mailbox


With administrator audit logging, Exchange records specific changes an administrator makes to the organization's
Exchange configuration. Such changes can include adding users, adding public folders, creating policies or rules,
and so on. This can help you troubleshoot configuration problems or identify the cause of security-related or
compliance-related problems. Learn more about viewing the administrator audit log.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about 12 times until you hear "Run the admin audit log report." Press Enter.
7. In the View the Administrator Audit Log dialog box which opens, the Start date year combo box has
the focus, and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.

a. If necessary, type the start date year for your administrator configuration change search. You can
also select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for your administrator configuration change search. You can
also select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the search button, and press Enter.
10. Press the Tab key about five times to access the search results. Press the Down Arrow key or the Up Arrow
key to hear the list of configuration changes made in the time period you specified. For each item, you hear
the date of the change, the type of configuration change made, and the name of the Administrator who
made the change. If there were no configuration changes, you hear "There are no items to show in this
view." (In Narrator, you hear "Contains 0 items.")
11. For more details about a configuration change, with the change selected in the search results list, press the
Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
12. To close the dialog box, tab to the Close button and press Enter.

TIP
You can also export the admin audit log to an XML file and email it to specified recipients. On the auditing page, press the
Tab key until you hear "Export the admin audit log." Press Enter and work through the Export the Administrator Audit
Log dialog box which appears. For more information, go to Use a screen reader to export and review audit logs in the
Exchange admin center.

Search for administrator role group changes


You can search for administrator role changes, which, like configuration changes, are recorded in the administrator
audit log. With a targeted search, you can examine the admin audit log for changes made to role groups, which are
used to assign administrative permissions to users. Learn more about running an administrator role group report.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about nine times until you hear "Run an administrator role group report." Press Enter.
7. In the Search for Changes to Administrative Role Groups dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.

a. If necessary, type the start date year for your administrator role group change search. You can also
select the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for your administrator role group change search. You can also
select the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select role groups button, press the Tab key twice. You hear "Search these role groups or
leave this box blank to find all changed role groups."

TIP
If you want to search all role groups for changes, don't select any specific role groups, and go on to step 10. When
the Search these role groups box is blank, the search includes all role groups.

a. To open the Select a Role dialog box, with the focus on the select role groups button, press Enter.
The Search box has the focus, and you hear "Filter or search edit." Type all or part of the name of the
first role group you want to include in the search and then, to search for the role group, press Enter.
b. To select a role group, press the Tab key about three times until you hear the name of the role group
in the search results list. If there are role groups in the search results list, press the Down Arrow key
or Up Arrow key until you hear the name of the role group.

TIP
You can select multiple consecutive role groups. To work with all role groups, leave the Search box blank, or enter all
or part of the role group names you want to add. Tab to the search results. Press the Down Arrow key to hear each
name. To add them all, press Ctrl+A. To add several role groups listed consecutively, press the Down Arrow key or
the Up Arrow key until you hear the first role group name you want to add, hold down the Shift key, press the Down
Arrow key or the Up Arrow key until you hear the last role group name you want to add, and then release the Shift
key. All role groups between the first and last names are selected.

c. To add the selected role group(s) to the list to be included in the role group change search, press Enter.
The list of role groups retains the focus, so you can continue to add more role groups by selecting them
and pressing Enter.

TIP
To check the role groups you've added, tab to the Add button. To hear the list of role groups, press the Tab key
again. You hear the first role group name in the list. To hear the second role group name in the list, press the Tab key
once more. Continue pressing the Tab key until you hear the names of all the role groups you've added. To delete a
role group from the list, activate the Remove link by pressing Enter when you hear the role group name.

d. When you finish adding role groups, tab to the OK button and press Enter. The Search for Changes to
Administrator Role Groups dialog box has the focus again, and the Search these role groups text
box lists your selected role groups.
10. Press the Tab key to access the Search button, and press Enter.
11. Press the Tab key about four times to access the search results. If any of your selected role groups were
changed in the time period you selected, you hear the name of the role group and the date of the change. If
none of the role groups were changed, you hear "There are no items to show in this view." (In Narrator, you
hear "Contains 0 items.")
12. For more details about a role group change, with the change selected in the search results list, press the Tab
key to move to the details pane. To print the contents of the details pane, press Enter. To hear the contents
of the details pane, press Tab again.
13. To close the dialog box, tab to the Close button and press Enter.

Find data about changes to compliance status


Monitor regulatory, compliance, and litigation requirements by finding status changes to In-Place eDiscovery and
Hold and the Per-mailbox Litigation Hold. This information is available on the Compliance Management tab
and the Auditing page of the EAC.
Search for changes to In-Place eDiscovery and Hold status
If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or
lawsuits), In-Place eDiscovery and In-Place Hold in Exchange Online can help you perform discovery searches for
relevant content within mailboxes. You can search the administrator audit log to find mailboxes that have been put
on or removed from In-Place eDiscovery or In-Place Hold. Learn more about In-Place eDiscovery & Hold reports.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about 15 times until you hear "Run an In-Place eDiscovery and Hold report." Press Enter.
7. In the Search for changes to In-Place eDiscovery & Hold dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.

a. If necessary, type the start date year for the eDiscovery and Hold change search. You can also select
the start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for your eDiscovery and Hold change search. You can also select
the end date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. Press the Tab key to access the Search button, and press Enter.
10. Press the Tab key about three times to access the search results. If any eDiscovery or Holds were changed in
the time period you selected, you hear their names. If none have been changed, you hear "There are no
items to show in this view." (In Narrator, you hear "Contains 0 items.")
11. For more details about an eDiscovery or Hold change, with the change selected in the search results list,
press the Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear
the contents of the details pane, press Tab again.
12. To close the dialog box, tab to the Close button and press Enter.
Search for mailboxes that are enabled or disabled for litigation holds
If your organization is involved in a legal action, you may have to take steps to preserve email messages that
might be used as evidence. You can use the litigation hold feature to retain all email sent and received by specific
people or retain all email sent and received in your organization for a specific time period. Search the
administrator audit log to monitor the mailboxes that have had a change to their litigation hold status (enabled or
disabled) during a specified time period. Learn more about running a per-mailbox litigation hold report.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to compliance management and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to auditing. You hear "Auditing, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Audit reports."
6. Press the Tab key about 21 times until you hear "Run a per-mailbox Litigation Hold report." Press Enter.
7. In the Search for Changes to Per-Mailbox Litigation Hold dialog box which opens, the Start date year
combo box has the focus, and you hear "Year of Start date combo box."

TIP
By default, the start date is set to two weeks before yesterday's date. The administrator audit log typically stores
entries for 90 days.

a. If necessary, type the start date year for your litigation hold change search. You can also select the
start date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the start date month.
c. Tab to the day text box, and type or select the start date day.
8. Tab to the End date year combo box. You hear "Year of End date combo box."

TIP
The default end date is today's date.

a. If necessary, type the end date year for your litigation hold change search. You can also select the end
date year by pressing the Up Arrow key or the Down Arrow key.
b. Tab to the month text box, and type or select the end date month.
c. Tab to the day text box, and type or select the end date day.
9. To access the select users button, press the Tab key twice. You hear "Search these mailboxes or leave blank
to find all mailboxes with litigation hold changes."

TIP
If you want to search all mailboxes for litigation hold changes, don't select any specific mailboxes, and go on to step
10. When the Search these mailboxes box is blank, the search includes all mailboxes.

a. To open the Select Members dialog box, with the focus on the select users button, press Enter. The
Search button has the focus. To search for a user within your organization, press the Spacebar, type
all or part of the name of the user, and then press Enter.
b. Press the Tab key about seven times until you hear the name of the user in the search results list.
c. To add the user to the list of mailboxes in the litigation hold search, press the Down Arrow key until
you hear the user's name, and then press Enter. The list of users retains the focus, so you can
continue to add more users by selecting their mailboxes and pressing Enter.

TIP
To check the users you've added, tab to the Add button. To hear the list of users, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key once more. Continue pressing the Tab key until
you hear the names of all the users you've added. To delete a user from the list, activate the Remove link by
pressing Enter when you hear the username.

d. To add an external user, press the Tab key until you hear "Check names edit, Type in text." (In Narrator,
you hear "Editing.") Type the email address of the external user, press Shift+Tab to select the Check
names button, and then press Enter. This verifies the email address and adds it to the list of users.

TIP
Be aware that if you type an external email address and press Enter, this adds the user to the list and then closes the
dialog box. If you're not finished, use the Check names button to add it instead.

e. When you finish adding users, tab to the OK button and press Enter. The Search for Changes to Per-
Mailbox Litigation Hold dialog box has the focus again, and the Search these mailboxes text box
lists the mailboxes to be searched for litigation hold changes.
10. Press the Tab key to access the Search button, and press Enter.
11. Press the Tab key about three times to access the search results. If any mailboxes had a change to their
litigation hold status in the time period you selected, you hear the name of the mailbox owner. If none of the
mailboxes were accessed by a non-owner, you hear "There are no items to show in this view." (In Narrator,
you hear "Contains 0 items.")
12. For more details about a litigation hold change, with the change selected in the search results list, press the
Tab key to move to the details pane. To print the contents of the details pane, press Enter. To hear the
contents of the details pane, press Tab again.
13. To close the dialog box, tab to the Close button and press Enter.
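The role group report and the per-mailbox litigation hold report above both read the administrator audit log, so the same review can be scripted. The following PowerShell is an added example, not part of the original article: it assumes entries shaped like the objects that Search-AdminAuditLog returns, and the helper function names and every sample record are constructed for illustration.

```powershell
# Added example. Property names (RunDate, Caller, CmdletName, ObjectModified,
# CmdletParameters) follow Search-AdminAuditLog output; the records are constructed.

$RoleGroupCmdlets = @(
    'New-RoleGroup', 'Remove-RoleGroup', 'Set-RoleGroup',
    'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'Update-RoleGroupMember'
)

function Get-DefaultAuditWindow {
    # Same default as the EAC dialogs: start two weeks before yesterday, end today.
    param([datetime]$Today = (Get-Date).Date)
    [pscustomobject]@{ StartDate = $Today.AddDays(-15); EndDate = $Today }
}

function Get-ParameterValue {
    # Return the value(s) logged for one cmdlet parameter, or nothing if absent.
    param($Entry, [string]$Name)
    $Entry.CmdletParameters | Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.Value }
}

function Select-PrivilegeOrHoldChange {
    # Keep only role group changes and litigation hold switches; drop everything else.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $kind = $null
        $detail = $null
        if ($RoleGroupCmdlets -contains $Entry.CmdletName) {
            $kind = 'RoleGroupChange'
            $members = @(Get-ParameterValue $Entry 'Member') + @(Get-ParameterValue $Entry 'Members')
            $detail = "$($Entry.CmdletName): " + ($members -join ', ')
        }
        elseif ($Entry.CmdletName -eq 'Set-Mailbox') {
            $hold = Get-ParameterValue $Entry 'LitigationHoldEnabled' | Select-Object -First 1
            if ($null -ne $hold) {
                $kind = 'LitigationHold'
                $detail = if ("$hold" -eq 'True') { 'enabled' } else { 'disabled' }
            }
        }
        if ($kind) {
            [pscustomobject]@{
                RunDate   = $Entry.RunDate
                Kind      = $kind
                Target    = $Entry.ObjectModified
                Detail    = $detail
                Caller    = $Entry.Caller
                Succeeded = $Entry.Succeeded
            }
        }
    }
}

function New-SampleEntry {
    # Builds one constructed audit record for the offline demonstration.
    param($RunDate, $Caller, $CmdletName, $ObjectModified, [hashtable]$Parameters)
    [pscustomobject]@{
        RunDate          = [datetime]$RunDate
        Caller           = $Caller
        CmdletName       = $CmdletName
        ObjectModified   = $ObjectModified
        Succeeded        = $true
        CmdletParameters = @($Parameters.GetEnumerator() | ForEach-Object {
                [pscustomobject]@{ Name = $_.Key; Value = $_.Value } })
    }
}

$sample = @(
    New-SampleEntry '2019-03-01T09:15:00' 'admin1@contoso.com' 'Add-RoleGroupMember' `
        'Organization Management' @{ Identity = 'Organization Management'; Member = 'user7' }
    New-SampleEntry '2019-03-02T17:40:00' 'admin2@contoso.com' 'Set-Mailbox' `
        'user3' @{ Identity = 'user3'; LitigationHoldEnabled = 'False' }
    New-SampleEntry '2019-03-02T18:05:00' 'admin2@contoso.com' 'Set-Mailbox' `
        'user4' @{ Identity = 'user4'; DisplayName = 'User Four' }   # unrelated change, filtered out
)

$window = Get-DefaultAuditWindow
# Live data instead of $sample (needs an Exchange Online PowerShell session):
#   Search-AdminAuditLog -StartDate $window.StartDate -EndDate $window.EndDate `
#       -Cmdlets ($RoleGroupCmdlets + 'Set-Mailbox') | Select-PrivilegeOrHoldChange
$sample | Select-PrivilegeOrHoldChange | Sort-Object RunDate
```

With the constructed records, the output lists the role group addition and the hold being disabled, and omits the display name change.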
Use a screen reader to trace an email message in the
Exchange admin center in Exchange Online
3/4/2019 • 6 minutes to read

You can trace email messages by using your screen reader in the Exchange admin center (EAC) in Exchange
Online. This is helpful if users are wondering whether their messages are delayed or possibly lost in delivery. With
message tracing, you can follow messages as they pass through Exchange Online and determine whether a
targeted email message was received, rejected, deferred, or delivered.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to perform this task. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Learn more about Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans, but capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To trace a message, use a screen reader to open the Exchange admin center and check that your Office 365 global
administrator has assigned you to the Organization Management, Compliance Management, and Help Desk
admin role groups. Learn how to Use a screen reader to identify your admin role in the Exchange admin center.

Create a new message trace


You might find that you need a message trace when a user contacts you about messages that are not delivered or
are taking longer than usual to be delivered. You can trace a message using various criteria, including email
address, date range, delivery status, and message ID.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to mail flow, and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to message trace. You hear "Message trace, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Message was sent or received combo box,
Past 48 hours."
6. The Date range combo box has the focus, and the default setting is Past 48 hours. To cycle through the
other choices, including Past 24 hours, Past 7 Days, and Custom, press the Up Arrow or Down Arrow key.

TIP
If you select Custom, you can tab to and enter the time zone, start date and time, and end date and time. These
fields are not available unless you select Custom in the Date range combo box. Note that there might not be any
data for messages that are less than four hours old. You cannot run a message trace on a message more than 90
days old.

7. Tab to the Delivery status combo box. Choices are All (the default setting), Delivered, Failed, Pending,
Expanded, Quarantined, Filtered as spam, and Unknown. Press the Down Arrow or Up Arrow key until
the delivery status you want is selected.
8. Tab to the Message ID text box. This is an optional field, but it can help narrow the search results. The
Message ID or Client ID is generated by the sending system and can be found in the header of the message
with the Message-ID: token. The Message ID might include angle brackets (< >).
9. To specify senders (one or more) in the message trace, tab to the add sender button and press Enter. In the
Select Members dialog box, the Search button has the focus.
a. To search for a user within your organization, press Enter, type all or part of the name of the user, and
then press Enter.
b. Press the Tab key about seven times until you hear the name of the user in the search results list.
c. To add the user to the list of senders for the message trace, press the Down Arrow key until you hear
the user's name and then press Enter. The list of users retains the focus, so you can continue to add
more users by selecting their mailboxes and pressing Enter.

TIP
To check the users you've added, tab to the Add button. To hear the list of users, press the Tab key again. The first
name is read. To hear the second name in the list, press the Tab key one more time. Continue pressing the Tab key
until you hear the names of all the users you've added. To delete a user from the list, activate the Remove link by
pressing Enter when you hear the username.

d. To specify an external user or an email address with a wildcard (for example, *@contoso.com), press the
Tab key until you hear "Check names edit, Type in text." (In Narrator, you hear "Editing.") Type the email
address of the external user or the address with a wildcard. To select the Check names button, press
Shift+Tab and then press Enter. This verifies the email address and adds it to the list of users.

TIP
When you specify a wildcard, you cannot also add full email addresses to the message trace. Be aware that if you
type an external email address and press Enter, this adds the user to the list and then closes the dialog box. If you're
not finished, use the Check names button to add it instead.

e. When you finish adding users, tab to the OK button and press Enter. The message trace page has the
focus again, and the Sender text box lists the senders you specified for the message trace.
10. To add a recipient to the message trace instead of or in addition to the senders, tab to the add recipient
button and press Enter. In the Select Members dialog box, the Search button has the focus. To add one or
more recipients to the message trace, repeat step 9.
11. On the message trace page, tab to the search button and press Enter. The Message Trace Results page
opens and shows the date, sender, recipient, subject, and status of the message(s) that are a result of the
message trace.

TIP
When you run a trace for messages that are less than seven days old, the messages should appear within 5-30 minutes.
When you run a message trace for messages that are more than seven days old, results may take up to a few hours. So if
the Message Trace Results page appears empty at first, check again later. An easy way to do this is to keep this page open,
and, on the toolbar, periodically tab to the Refresh button and then press Enter.

12. To close the Message Trace Results page, tab to the Close button and press Enter.
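The constraints in the steps above (wildcard addresses cannot be mixed with full addresses, the 90-day limit, the four-hour delay) can be checked before a trace is submitted. The following PowerShell is an added example, not part of the original article: New-MessageTraceQuery and Test-AddressList are hypothetical helper names, the addresses and Message ID are constructed, and the resulting parameters are intended for the Get-MessageTrace cmdlet.

```powershell
# Added example; all addresses, IDs and dates below are constructed.

$TraceStatuses = 'Delivered', 'Failed', 'Pending', 'Expanded', 'Quarantined', 'FilteredAsSpam'

function Test-AddressList {
    # The trace form does not accept a wildcard address together with full addresses.
    param([string[]]$Address, [string]$Field)
    if (-not $Address) { return }
    $wild = @($Address | Where-Object { $_.Contains('*') })
    if ($wild.Count -gt 0 -and $Address.Count -gt 1) {
        throw "${Field}: a wildcard address cannot be combined with other addresses."
    }
}

function New-MessageTraceQuery {
    param(
        [Parameter(Mandatory)] [datetime]$StartDate,
        [Parameter(Mandatory)] [datetime]$EndDate,
        [string[]]$Sender,
        [string[]]$Recipient,
        [string]$Status = 'All',
        [string]$MessageId,
        [datetime]$Now = (Get-Date)
    )
    if ($EndDate -le $StartDate) { throw 'The end date must be later than the start date.' }
    if ($StartDate -lt $Now.AddDays(-90)) { throw 'Messages more than 90 days old cannot be traced.' }
    Test-AddressList $Sender 'Sender'
    Test-AddressList $Recipient 'Recipient'

    $query = @{ StartDate = $StartDate; EndDate = $EndDate }
    if ($Sender)    { $query.SenderAddress    = $Sender }
    if ($Recipient) { $query.RecipientAddress = $Recipient }
    if ($Status -ne 'All') {
        if ($TraceStatuses -notcontains $Status) { throw "Unsupported delivery status '$Status'." }
        $query.Status = $Status
    }

    $notes = @()
    if ($MessageId) {
        # Pass the ID as it appears after the Message-ID: header token, brackets included.
        $query.MessageId = $MessageId.Trim()
        if ($query.MessageId -notmatch '^<.*>$') {
            $notes += 'Message ID has no angle brackets; compare it with the Message-ID: header.'
        }
    }
    if ($EndDate -gt $Now.AddHours(-4)) {
        $notes += 'Messages less than four hours old might not have data yet.'
    }
    # Get-MessageTrace only reaches back about 10 days; older windows need a historical search.
    $historical = $StartDate -lt $Now.AddDays(-10)
    if ($StartDate -lt $Now.AddDays(-7)) {
        $notes += 'Window starts more than seven days back; results may take up to a few hours.'
    }
    [pscustomobject]@{ Parameters = $query; UseHistoricalSearch = $historical; Notes = $notes }
}

# Constructed run with a fixed clock so the output is repeatable.
$now = [datetime]'2019-03-04T12:00:00'
$q = New-MessageTraceQuery -StartDate $now.AddDays(-2) -EndDate $now `
        -Sender '*@contoso.com' -Status Failed `
        -MessageId 'd9683b4c-127b@mail.contoso.com' -Now $now
$q.Parameters
$q.Notes

# A wildcard mixed with a full address is rejected before anything is submitted.
try {
    New-MessageTraceQuery -StartDate $now.AddDays(-2) -EndDate $now `
        -Sender '*@contoso.com', 'user1@contoso.com' -Now $now
}
catch { "Rejected: $($_.Exception.Message)" }

# Live use (needs an Exchange Online PowerShell session):
#   $p = $q.Parameters
#   if (-not $q.UseHistoricalSearch) { Get-MessageTrace @p | Group-Object Status }
```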

Review the status of pending or completed message traces


It might take a few minutes to a few hours for message trace results to return. You can check the status of pending
or completed message traces.
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to mail flow, and press Enter.
3. To move to the menu bar, press Ctrl+F6.
4. Tab to message trace. You hear "Message trace, Secondary navigation link." Press Enter.
5. To access the main window list view, press Ctrl+F6. You hear "Message was sent or received combo box."
6. The Date range combo box has the focus. To move to the View pending or completed traces link, press
Shift+Tab. Press Enter. The pending or completed traces page opens and shows the report title, date
submitted, report status, and messages.
7. To refresh the page, make sure that the Refresh button has the focus (this is the default setting) and then
press Enter.
8. To close the pending or completed traces page, tab to the Close button and press Enter.

NOTE
For more information, refer to Run a Message Trace and View Results.
Use a screen reader to work with mobile clients in the
Exchange admin center in Exchange Online
3/4/2019 • 5 minutes to read

You can use your screen reader in the Exchange admin center (EAC) to enable the use of mobile devices for users
of Exchange Online, who can then access information in their Office 365 mailboxes through mobile phones and
tablets. Learn more about clients and mobile in Exchange Online.

Get started
Navigate with Internet Explorer and keyboard shortcuts, and make sure that you have the appropriate Office 365
subscription and admin role to work in the EAC. Then, open the EAC and get started.
Use your browser and keyboard to navigate in the EAC
Exchange Online, which includes the EAC, is a web-based application, so the keyboard shortcuts and navigation
may be different from those in Exchange 2016. Learn more about Accessibility in the Exchange admin center.
For best results when working in the EAC in Exchange Online, use Internet Explorer as your browser. Learn more
about Internet Explorer keyboard shortcuts.
Many tasks in the EAC require the use of pop-up windows so, in your browser, be sure to enable pop-up windows
for Office 365.
Confirm your Office 365 subscription plan
Exchange Online is included in Office 365 business and enterprise subscription plans. But capabilities may differ
by plan. If your EAC doesn't include a function described in this article, your plan might not include it.
For more information about the Exchange Online capabilities in your subscription plan, go to What Office 365
business product or license do I have? and Exchange Online Service Description.
Open the EAC, and confirm your admin role
To complete the tasks covered in this topic, use a screen reader to open the Exchange admin center and check that
your Office 365 global administrator has assigned you to the Organization Management and Records
Management admin role groups. Learn how to use a screen reader to identify your admin role in the Exchange admin center.

Configure mobile device mailbox policies and access


You can use the EAC to create mobile device mailbox policies that apply a common set of rules or security settings
to a collection of users. If you don't create your own mobile device mailbox policy, the default policy is applied,
which includes the following settings:
Allow mobile devices that don't fully support policies to synchronize.
Outlook Web App (OWA) for Devices supports all password policies and won't block any devices.
A password is optional.
Device encryption is not required.
To view, edit, or create a mobile device mailbox policy, on the EAC primary navigation pane, select the mobile link
and then, on the menu bar, select the mobile device mailbox policies link. Learn more about the options you
can set for mobile device mailbox policies.
You can also specify Exchange ActiveSync access settings, maintain a list of quarantined mobile devices, and set up
device access rules. To do this, on the EAC primary navigation pane, select the mobile link and then, on the menu
bar, select the mobile device access link.

Enable Exchange ActiveSync and Outlook Web App for users


Exchange ActiveSync is an Exchange synchronization protocol which allows mobile phones to access your
organization's Exchange server. With Exchange ActiveSync, recipients can use their mobile devices to access their
email, calendar, contacts, and tasks. They can also continue to access this information while working offline. Learn
more about Exchange ActiveSync.
With Outlook Web App, users can access their Exchange mailbox from almost any web browser, including from a
browser on their mobile devices. Learn more about Outlook Web App.
Enable Exchange ActiveSync and Outlook Web App for an individual user
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. To search for the user for whom you want to enable Exchange ActiveSync, press Ctrl+F6 and then press the
Tab key until you hear "Search button." Press Enter.
5. Type all or part of the user's name and press Enter.
6. Press Ctrl+F6 until you hear the name of the user in the search results list. If the search results list includes
multiple names, press the Down Arrow key or the Up Arrow key until you hear the name you want.
7. To move to the details pane, press Ctrl+F6. You hear "Unified Messaging link, Enable."
8. Press the Tab key. You hear "Mobile devices link, Enable Exchange ActiveSync."

TIP
If the user is already enabled for Exchange ActiveSync, you hear "Disable Exchange ActiveSync."

9. Press Enter. You hear "Are you sure you want to enable Exchange ActiveSync?" With the focus on the Yes
button, press Enter.
10. Press the Tab key. You hear "Mobile devices link, Enable OWA for Devices."

TIP
If the user is already enabled for Outlook Web App for Devices, you hear "Disable OWA for Devices."

11. Press Enter. You hear "Are you sure you want to enable OWA for Devices?" With the focus on the Yes button,
press Enter.
TIP
If you want to enable Exchange ActiveSync and Outlook Web App for additional users, press Ctrl+Shift+F6 to move the
focus back to the list of users. Press the Down Arrow key or the Up Arrow key until you hear the name you want, and repeat
steps 7 through 11.

Enable Exchange ActiveSync and Outlook Web App for multiple users at once
1. In the EAC, press Ctrl+F6 until the primary navigation pane has the focus and you hear "Dashboard,
Primary navigation link."
2. Tab to recipients and press Enter.
3. To move to the menu bar, press Ctrl+F6. You hear "Mailboxes, Secondary navigation link." To select the
mailboxes link, press Enter.
4. Press Ctrl+F6 twice to move to the list of users. Press the Down Arrow key or the Up Arrow key to move to
the first adjacent user. Hold down the Shift key and press the Down Arrow key or the Up Arrow key to
select more adjacent users.

TIP
To select all users, press Ctrl+A.

5. Repeatedly press the Tab key until the Bulk Edit details pane has the focus and you hear "Bulk Edit."
6. Press the Tab key until you hear "Enable link." Press Enter.
7. An alert asks "Are you sure you want to enable Outlook on the web for all the selected recipients?" With the
focus on the OK button, press Enter.
8. Press the Tab key about 10 times until you hear "Show link." Press the Tab key once more. You hear "Enable
link." Press Enter.
9. An alert asks "Are you sure you want to enable Exchange ActiveSync for all the selected recipients?" With
the focus on the OK button, press Enter.
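Enabling Exchange ActiveSync or OWA for Devices in bulk places every selected mailbox under whichever mobile device mailbox policy applies to it, and the default policy described earlier leaves the password optional and encryption off. The following PowerShell is an added example, not part of the original article: it lists mobile-enabled mailboxes governed by a policy with those settings, the function names are hypothetical, the sample objects are constructed, and the property names are those returned by Get-MobileDeviceMailboxPolicy and Get-CASMailbox.

```powershell
# Added example; the policies and mailboxes in the sample data are constructed.

function Get-PolicyFinding {
    # Describe the permissive settings of one policy; returns '' when there are none.
    param($Policy)
    $f = @()
    if ($Policy.AllowNonProvisionableDevices) { $f += 'devices that do not fully support policies may synchronize' }
    if (-not $Policy.PasswordEnabled)         { $f += 'password is optional' }
    if (-not $Policy.RequireDeviceEncryption) { $f += 'device encryption is not required' }
    $f -join '; '
}

function Get-WeakPolicyExposure {
    # For each mobile-enabled mailbox, resolve the policy that applies (assigned or
    # default) and report the mailbox when that policy has permissive settings.
    param([object[]]$Policy, [object[]]$Mailbox)
    $byName = @{}
    foreach ($p in $Policy) { $byName[$p.Name] = $p }
    $default = $Policy | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($m in $Mailbox) {
        if (-not ($m.ActiveSyncEnabled -or $m.OWAforDevicesEnabled)) { continue }
        $assigned = "$($m.ActiveSyncMailboxPolicy)"
        $applied = if ($assigned -and $byName.ContainsKey($assigned)) { $byName[$assigned] } else { $default }
        if (-not $applied) { continue }
        $finding = Get-PolicyFinding $applied
        if ($finding) {
            [pscustomobject]@{
                Mailbox              = $m.Name
                ActiveSyncEnabled    = [bool]$m.ActiveSyncEnabled
                OWAforDevicesEnabled = [bool]$m.OWAforDevicesEnabled
                Policy               = $applied.Name
                Findings             = $finding
            }
        }
    }
}

# Constructed data: one policy with the default settings listed in this article,
# and one stricter policy.
$policies = @(
    [pscustomobject]@{ Name = 'Default'; IsDefault = $true
        AllowNonProvisionableDevices = $true; PasswordEnabled = $false; RequireDeviceEncryption = $false }
    [pscustomobject]@{ Name = 'Managed devices'; IsDefault = $false
        AllowNonProvisionableDevices = $false; PasswordEnabled = $true; RequireDeviceEncryption = $true }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'user1'; ActiveSyncEnabled = $true;  OWAforDevicesEnabled = $true;  ActiveSyncMailboxPolicy = $null }
    [pscustomobject]@{ Name = 'user2'; ActiveSyncEnabled = $true;  OWAforDevicesEnabled = $false; ActiveSyncMailboxPolicy = 'Managed devices' }
    [pscustomobject]@{ Name = 'user3'; ActiveSyncEnabled = $false; OWAforDevicesEnabled = $false; ActiveSyncMailboxPolicy = $null }
)

Get-WeakPolicyExposure -Policy $policies -Mailbox $mailboxes

# Live use (needs an Exchange Online PowerShell session):
#   Get-WeakPolicyExposure -Policy (Get-MobileDeviceMailboxPolicy) `
#       -Mailbox (Get-CASMailbox -ResultSize Unlimited)
# Tightening a policy once the affected users are known:
#   Set-MobileDeviceMailboxPolicy -Identity 'Default' -PasswordEnabled $true `
#       -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false
```

With the constructed data only user1 is reported: user2 is covered by the stricter policy and user3 has no mobile access enabled.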
