Professional Documents
Culture Documents
Page 1 kamshun@outlook.com
Office 365 for IT Pros (Companion Volume for 2023 Edition)
Mastering Microsoft 365 Office Applications
Published by Tony Redmond (https://office365itpros.com)
© Copyright 2015-2022 by Tony Redmond.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means
without the written permission of the authors.
The example companies, organizations, products, domain names, email addresses, logos, people, places and
event depicted herein are fictitious. No association with any real company, organization, people, domain
name, email address, logo, person, place, or event is intended or should be inferred. The book expresses the
views and opinions of the authors. The information presented in the book is provided without any express,
statutory, or implied warranties. The authors cannot be held liable for any damages caused or alleged to be
caused either directly or indirectly by this book.
Although the authors are members of Microsoft’s Most Valuable Professional (MVP) program, the content of this
book solely represents their views and opinions about Office 365 and any other technologies mentioned in the
text and is not endorsed in any way by Microsoft Corporation.
Please be respectful of the rights of the authors and do not make copies of this eBook available to
others.
Ninth (2023) edition. Previous editions:
• Office 365 for Exchange Professionals (May 2015 and September 2015).
• Office 365 for IT Pros (3rd edition – June 2016).]
• Office 365 for IT Pros (4th edition – June 2017).
• Office 365 for IT Pros (5th edition – July 2018).
• Office 365 for IT Pros (6th edition – July 2019).
• Office 365 for IT Pros (7th edition – July 2020).
• Office 365 for IT Pros (8th edition – July 2021)
This is the companion volume for Office 365 for IT Pros (2023 edition). Its content is valuable, but we do not
update it as often as we do for material in the main book.
This update for the 2023 companion volume published in July 2022.
The photo on the front cover is of a sunset over an island near Dubrovnik, Croatia taken by Tony Redmond in
May 2022.
Page: i Office 365 for IT Pros (Companion Volume) 2022 Edition (May 2022)
Table of Contents
Chapter 1: Introduction .............................................................................................................................................................................. 6
Welcome to the Companion Volume .............................................................................................................................................. 6
Office 365 History .................................................................................................................................................................................... 6
Technical steps along the path to the cloud................................................................................................................................. 7
Wave 14: Office 365 launches .......................................................................................................................................................... 10
Wave 15: Cloud-Ready by Design .................................................................................................................................................. 11
Wave 16: Now in production ........................................................................................................................................................... 12
The Next Wave ....................................................................................................................................................................................... 13
Microsoft 365 ......................................................................................................................................................................................... 13
Chapter 2: Exchange Mailbox Migration .......................................................................................................................................... 15
Migration approaches for Exchange Online .............................................................................................................................. 15
Managing a Migration Project ......................................................................................................................................................... 19
Preparing to Migrate to Exchange Online .................................................................................................................................. 20
Cutover Migration ................................................................................................................................................................................ 26
Staged Migration .................................................................................................................................................................................. 29
Hybrid Migration ................................................................................................................................................................................... 30
Post-Migration Tasks ........................................................................................................................................................................... 31
Other Exchange Online Migration Types .................................................................................................................................... 33
Data Migration with the Office 365 Import Service ................................................................................................................ 35
Migration of legacy public folders ................................................................................................................................................. 39
Migration of modern public folders from on-premises Exchange.................................................................................... 42
Public folder migration methodologies ....................................................................................................................................... 43
Migrating public folders to Office 365 Groups ......................................................................................................................... 45
Migrating legacy email archives ..................................................................................................................................................... 45
Running a Cutover Migration .......................................................................................................................................................... 47
Running a Staged Migration ............................................................................................................................................................ 57
Chapter 3: Managing Office 365 Addressing ................................................................................................................................. 63
Email Address Policies......................................................................................................................................................................... 63
Address Lists ........................................................................................................................................................................................... 68
Offline Address Book (OAB) ............................................................................................................................................................. 71
Hierarchical Address Book (HAB) ................................................................................................................................................... 73
Address Book Policies ......................................................................................................................................................................... 76
Chapter 4: Managing Hybrid Connections ...................................................................................................................................... 80
Page: ii Office 365 for IT Pros (Companion Volume) 2022 Edition (May 2022)
Hybrid Workloads ................................................................................................................................................................................. 80
Hybrid Exchange Architecture ......................................................................................................................................................... 81
The Exchange Hybrid Configuration Wizard .............................................................................................................................. 96
Considerations for a Hybrid Exchange Deployment ............................................................................................................... 99
Preparing for a Hybrid Exchange Configuration .................................................................................................................... 105
Configuring a Hybrid Exchange Connection............................................................................................................................ 106
Managing a Hybrid Exchange Deployment ............................................................................................................................. 110
Life After Hybrid .................................................................................................................................................................................. 111
Chapter 5: Managing Hybrid Recipients ........................................................................................................................................ 115
User Mailboxes .................................................................................................................................................................................... 115
Preserving Mailboxes for ex-Employees .................................................................................................................................... 123
Shared Mailboxes ............................................................................................................................................................................... 128
Archive Mailboxes............................................................................................................................................................................... 130
Hybrid Public Folders ........................................................................................................................................................................ 133
Groups ..................................................................................................................................................................................................... 134
Email Addresses ................................................................................................................................................................................... 140
Directory-Based Edge Blocking ..................................................................................................................................................... 142
Moving Mailboxes .............................................................................................................................................................................. 144
Recovering Soft-deleted Mailboxes in a Hybrid Environment ......................................................................................... 153
Chapter 6: Office 365 Analytics .......................................................................................................................................................... 156
Fitbit for the Office ............................................................................................................................................................................. 156
MyAnalytics (Viva Insights) ............................................................................................................................................................. 156
Using the Insights Dashboard ....................................................................................................................................................... 160
Workplace Analytics........................................................................................................................................................................... 174
Company Culture is Critical............................................................................................................................................................. 175
Chapter 7: Exchange Online ................................................................................................................................................................ 177
Public Folders ....................................................................................................................................................................................... 177
Differences with On-Premises Public Folders .......................................................................................................................... 179
Public Folder Moderation ................................................................................................................................................................ 184
Public Folder Clients .......................................................................................................................................................................... 184
Public Folders and Compliance ..................................................................................................................................................... 187
Discovery mailboxes .......................................................................................................................................................................... 187
Inbox Rules ............................................................................................................................................................................................ 187
Calendar Sharing ................................................................................................................................................................................. 190
Resource Mailboxes ........................................................................................................................................................................... 192
Exchange Online Mailbox Retention Policies........................................................................................................................... 197
Page: iii Office 365 for IT Pros (Companion Volume) 2022 Edition (May 2022)
Office 365 and Groups ...................................................................................................................................................................... 216
Managing POP and IMAP Clients ................................................................................................................................................. 218
Managing the Focused Inbox ........................................................................................................................................................ 220
Reporting Exchange Administrative Audit Data with PowerShell ................................................................................... 226
Reporting Mailbox Audit Data with PowerShell ..................................................................................................................... 228
Exchange DLP policies ...................................................................................................................................................................... 230
Creating a New DLP policy for Exchange .................................................................................................................................. 233
Building out an Exchange DLP policy ......................................................................................................................................... 239
Hybrid Exchange DLP ........................................................................................................................................................................ 240
The Big Funnel Mailbox Index ....................................................................................................................................................... 240
Using the Search-Mailbox Cmdlet ............................................................................................................................................... 241
Chapter 8: Office 365 Information .................................................................................................................................................... 251
Importing PSTs into Office 365 ..................................................................................................................................................... 251
Microsoft Forms .................................................................................................................................................................................. 260
Sway ......................................................................................................................................................................................................... 270
Deprecated SharePoint Online and OneDrive For Business Features ............................................................................ 273
PowerShell for Power Apps............................................................................................................................................................. 274
Chapter 9: Directory Synchronization ............................................................................................................................................. 276
The Basics of Directory Synchronization ................................................................................................................................... 276
Azure AD Connect Technical Concepts ...................................................................................................................................... 277
Installing Azure AD Connect .......................................................................................................................................................... 286
Customizing Azure AD Connect.................................................................................................................................................... 289
Managing and Monitoring Directory Synchronization ........................................................................................................ 291
Upgrading Azure AD Connect ....................................................................................................................................................... 295
Chapter 10: The Hybrid Configuration Wizard ............................................................................................................................ 297
Starting the HCW ................................................................................................................................................................................ 297
Server Detection .................................................................................................................................................................................. 298
Cutover or Hybrid ............................................................................................................................................................................... 299
Trusts and Domains ........................................................................................................................................................................... 300
Minimal or Full Hybrid ...................................................................................................................................................................... 301
Mail Routing ......................................................................................................................................................................................... 303
Organization ......................................................................................................................................................................................... 307
Starting the Configuration .............................................................................................................................................................. 308
Completing Configuration .............................................................................................................................................................. 311
Modern Hybrid Architecture .......................................................................................................................................................... 312
Chapter 11: Active Directory Federation Services ...................................................................................................................... 314
Page: iv Office 365 for IT Pros (Companion Volume) 2022 Edition (May 2022)
Configuring Active Directory Federation Services ................................................................................................................. 314
Restricting access to Office 365 through AD FS ..................................................................................................................... 322
Enabling password updates through AD FS ............................................................................................................................ 326
Enabling "Persistent SSO"................................................................................................................................................................ 326
Chapter 12: Delve .................................................................................................................................................................................... 327
Mastering Information ...................................................................................................................................................................... 327
Delve Browser App ............................................................................................................................................................................. 332
Privacy and Security ........................................................................................................................................................................... 340
Delve and Exchange Online ............................................................................................................................................................ 344
Hybrid Delve ......................................................................................................................................................................................... 345
Chapter 13: Basic Mobile Management ......................................................................................................................................... 346
Mobile Connectivity to Exchange Online .................................................................................................................................. 346
Configuring Mobile Devices and Applications for Exchange ActiveSync ..................................................................... 347
Mobile Device Mailbox Policies .................................................................................................................................................... 349
Managing Mobile Device Associations ...................................................................................................................................... 356
Establishing an ActiveSync Policy for Your Organization ................................................................................................... 361
Microsoft 365 Basic Mobility and Security ............................................................................................................................... 362
Chapter 14: Stream Classic .................................................................................................................................................................. 371
Stream Architecture ........................................................................................................................................................................... 371
Stream User Functionality ............................................................................................................................................................... 374
Stream Administration ...................................................................................................................................................................... 382
Microsoft 365 Groups and Stream ............................................................................................................................................... 386
Page: v Office 365 for IT Pros (Companion Volume) 2022 Edition (May 2022)
Chapter 1: Introduction
Welcome to the Companion Volume
In 2018, the fourth edition of Office 365 for IT Pros reached 1,150 pages (even after trimming, the seventh
exceeds 1,200 pages). The main book had swollen over the years to cater for developments inside Office 365,
such as the introduction of Planner, Teams, and Stream. As you might expect, some of the material included in
the book since 2015 had aged a little, and some of it was not as interesting to everyone. So, we took the
decision to create this companion volume and use it as a home for information that we think is still valuable
and should be shared but might not warrant a place in the main book.
Our focus remains on the content in the main book and we do not try to keep this material updated.
Sometimes, topics are updated, but we don’t guarantee how current the information presented here is. With
that in mind, use the material as guidance and check what the latest situation is with an online search.
Page 6
A remnant of Exchange Labs: If you look at the properties of a mailbox, you’ll see that the
LegacyExchangeDN property still has its roots in Exchange Labs. For example, you might see a value like
this:
Apart from Exchange Labs, the other bit of Exchange history is the fact that an administrative group is still
specified. Administrative groups appeared as a unit of server management in Exchange 2000 and were
phased out in Exchange 2007. However, the LegacyExchangeDN property goes back even further to the
X.500-like directory structure used by the first generation of Exchange (4.0 to 5.5 in 1996-99). All of this
goes to show that you can’t really discard history too easily.
Although BPOS provided a healthy dose of customer reality to Microsoft’s engineers, you cannot take too
many risks with a production offering. Microsoft therefore continued to operate “Exchange Labs” alongside
BPOS to conduct experiments at scale and learn just what it took to transform Exchange from a somewhat
stodgy but powerful email and collaboration server into software that could function in the cloud. Exchange
Labs was the playground while BPOS attempted – sometimes quite well – to deliver a commercial offering,
even if it was handicapped by its enterprise heritage. Together, BPOS and Exchange Labs constituted the
greenhouse for what later evolved into Exchange Online and an operations framework that permeates
throughout Office 365.
During the same period as they were figuring out how to execute their initial cloud deployment strategy, the
Exchange product group made a big bet on PowerShell by using it for many administrative operations in
Exchange 2007. Exchange was the first major Microsoft server application to use PowerShell so extensively
and did so at a time when “Monad” (the original code name) was often derided as a poor combination of
UNIX-style scripting and impenetrable syntax. As it turned out, PowerShell has made a huge contribution to
the success of Exchange in the cloud and Microsoft uses PowerShell scripts to automate many common
administrative operations that run inside Office 365.
Page 7
Autodiscover Exchange 2007 Allows clients to connect to Exchange Online without knowing
details of server names etc.
ActiveSync Exchange 2003 Although its importance to Office 365 is much reduced given
SP1 the prominence of Outlook Mobile for iOS Android, ActiveSync
is still used by many ISVs to connect mobile clients to
Exchange Online.
Role Based Exchange 2010 Allows granular access to user and administrator functionality.
Access Control Also used to control the display of UI in OWA and the Office
(RBAC) 365 administration portals.
Outlook Web Exchange 5.0 The original Exchange Web client goes back to 1997 and has
App evolved dramatically since to keep pace with web
developments. Outlook Web App supports premium access to
Exchange Online from Chrome, IE, Firefox, and Safari browsers
and downgraded access for other browsers.
RPC over HTTP Exchange 2003 RPC over HTTP (Outlook Anywhere) removed the requirement
MAPI over HTTP Exchange 2013 for VPN connectivity to email servers across the Internet.
SP1 Without it, you’d have to create a VPN to connect to Exchange
Online. MAPI over HTTP is a more modern and effective
replacement.
Exchange Web Exchange 2007 Allows programmatic access to items in the Exchange Store
Services (EWS) without having to resort to the far more complicated MAPI
API. Although the Microsoft Graph is a more modern API for
Exchange along with other Office 365 components, EWS
persists and is used in migration and backup products for
Office 365.
Extensible Exchange 4.0 ESE is the engine that lies at the heart of the Exchange
Storage Engine Information Store and has been extended and refined for
(ESE) more than 20 years to arrive at the point where 100GB-plus
mailboxes are usable. Another important aspect is the work
done in the 2004-2012 timeframe to drive the storage I/O
profile of Exchange from being a fat slob to a svelte service
and so enables the ability to exploit low-cost storage that
delivers massive mailboxes at a very low price point.
High Availability Exchange 2007 The first HA implementation allowed just two copies of a
database. The introduction of the Database Availability Group
(DAG) in Exchange 2010 expanded this to 16 copies and
introduced features like the lagged copy, single page
patching, automatic failover, and so on. Exchange 2013
continued to improve matters with database autoreseed and
greater automation to manage lagged database copy,
including the introduction of the Replay Lag Manager in
Exchange 2013. The HA features allow Exchange Online to
operate with a basic model of four database copies spread
across two datacenters (or more) and ensure that the 99.9%
SLA is met or exceeded.
Managed Exchange 2013 Some self-healing capabilities were introduced in Exchange
Availability 2010 but Managed Availability took the idea that servers could
monitor their own health and take action when required to fix
a failed component to a new level. Even if on-premises
administrators don’t like its influence over servers very much,
Page 8
Exchange Online might not be manageable without this
degree of automation.
Workload Exchange 2010 Multi-tenant environments operate on a fair usage basis. In
management other words, the workload of a single tenant should not be
(throttling) able to unduly affect others. Workload management makes
this so.
Modern public Exchange 2013 Without a modernized version, on-premises customers who
folders had invested heavily in the cockroaches of Exchange would
never be able to move to the cloud.
Table 1-1: Technical innovation in Exchange that help Exchange Online work
Some technology developed for Office 365 is difficult to move to on-premises versions. The automatic
filtering of inbound email performed by the Focused Inbox and the Teams, Planner, and Delve Analytics
applications are examples of Office 365 software that will probably never run in a pure on-premises
environment. On the other hand, as demonstrated by the hybrid features in SharePoint 2016 (hybrid sites,
search, and OneDrive sites), it is possible to provide data taken from on-premises servers and process them in
the cloud.
A number of reasons can exist to prevent the transfer of cloud-based software to on-premises deployments,
including:
• The technology is complex to deploy and requires substantial effort to sustain in production.
Integrating different pieces of software together so that they all work as planned is often difficult
when software changes all the time. Traditional IT discipline focuses on structured updates performed
in change windows, something that doesn't work quite so well given the need to execute updates
across many moving parts.
• The technology requires a high cost in infrastructure (servers, network, storage, and automation) to
deploy and keep running, which implies a high cost barrier. Applications that depend on machine
learning and artificial intelligence are often difficult to deploy in an on-premises environment because
of the resources they consume.
• The technology needs to be fine-tuned on an ongoing basis to improve its performance and, in some
cases, accuracy. This work usually requires engineers to be able to make frequent and ongoing
software changes.
• Less importantly, the technology requires a skill set that might not be feasible to expect within
customer environments.
Remember, Microsoft is able to operate and develop Office 365 by employing the full resources of the
company in addition to a massive financial commitment to build out the infrastructure. It’s almost inevitable
that some components developed for and implemented first in Office 365 will prove just too complex to
transfer, but the good thing is that Microsoft has built a strong track record of transfer from cloud to on-
premises and nothing indicates that this trend will not continue.
Page 9
Wave 14: Office 365 launches
Microsoft put all of the experience gained in BPOS to advantage when it designed Office 365. When launched,
Office 365 used the “Wave 14” set of Office server products that shipped to customers as Exchange 2010,
SharePoint 2010, Lync 2010, and so on. The big difference was that Microsoft had had several years of
operational experience to better understand the demands of the cloud. More automation was incorporated
into the products, the code base was simplified, the economics were better, and great attention was paid to
all aspects of design, build, and operation.
Another important point in the evolution of Office 365 was the adoption of a software development method
based on the DevOps concept. In effect, this means that engineering group responsible for the development
of Exchange are the go-to people for problems. In other words, if code fails then it is the engineer who wrote
or maintains the code who has to wake up from blissful slumber to fix the problem. There’s no doubt that the
direct association between code quality and responsibility for maintenance influenced the way that engineers
created features. It’s obviously important for engineers to take personal pride in creating the best possible
code at all times, but it becomes terribly personal for an engineer when they are hauled in at 3am to fix an
irritating bug.
Some initial glitches occurred in Office 365 that interrupted service to customers in August and September
2011, but broadly speaking the performance, reliability, and scalability of the service has proven to be
excellent. We discuss how Office 365 measures performance against service level agreements in Chapter 1 of
the main book.
Exchange 2010 introduced several important technical advances that have contributed greatly to the
subsequent success of Exchange Online. The Database Availability Group (DAG) is the most important
because it allows Office 365 to operate a highly available infrastructure for mailboxes. Exchange Online now
spans several thousand DAGs positioned in Office 365 datacenters around the world; each database has four
copies including a lagged copy; and the high availability features built into the DAG allows work to be
transferred quickly and dependably to another server should a problem arise. It also underpins the concept of
“native data protection”, meaning that Exchange Online does not use traditional backups to protect data.
Instead, a combination of Exchange features such as user-driven recoverable items, single item retention, and
multiple database copies protect user data so that it can be recovered in the case of inadvertent loss.
Apart from making sure that mailboxes stay online, the DAG also contributes to the economics of Office 365
by allowing the use of inexpensive JBOD disks for the massive amount of storage needed to allow users keep
all the information they want inside massive mailboxes. The economics are such now that it is much cheaper
to allow users as much storage as they want rather than invest in the time to manage storage. Gigabytes of
storage cost a fraction of a penny per month (amortized over 24 or 36 months) when bought in the quantities
consumed by cloud datacenters, so the fact that someone is using a 100 GB mailbox that costs a few cents for
the storage is nothing when put into context with their monthly payment. The same is true for other services
like OneDrive for Business or the consumer email services where the providers are happy to have users
consume large amounts of storage in return for the chance to sell other services. Of course, cloud providers
incur massive additional costs other than storage, but it is interesting to see how storage has become so
cheap and plentiful in such a short time and the influence this has had on data management.
Since its introduction, the DAG has steadily added features to improve its ability to support low-cost disks. For
instance, single page patching arrived in Wave 14 to allow Exchange to detect and patch corrupt pages that
appear in both active and passive database copies. Without single page patching, human administrators
would have to take problematic databases offline and fix them manually. Traditionally, this would have been
done by restoring a backup copy, but these don’t exist inside Office 365. Database autoreseed is another
example. Introduced in Wave 15, this feature allows administrators to set aside disk space that Exchange can
Page 10
use to build a new copy of a failed database. The rebuild happens automatically, which is exactly what you
need when the use of low-cost disks makes it easy to predict that disk and controller outages will be the most
common form of failure inside Office 365 datacenters. And, as it turns out, they are.
Microsoft also introduced the Mailbox Replication Service (MRS) in Wave 14. Not quite as exciting or as
technically compelling as the DAG, MRS still plays an enormous role through its ability to move mailboxes
from on-premises servers to Office 365. The transfer is highly automated, batch-driven, happens in the
background, and includes automatic delta synchronization to maintain the copied mailboxes in a current state
until the switchover occurs. If MRS didn’t exist, it would be very much harder for large companies to transfer
mailboxes to Office 365.
Microsoft 365
From a business perspective, the bundling of Office 365 into Microsoft 365 is the most important influence on
Office 365 for the immediate future. Microsoft has invested heavily in cloud infrastructure to build out its
Page 13
datacenters and networks to support Office 365 and Azure. The need exists to achieve a return on that
investment, and that means that Microsoft must continue to grow the number of paid subscriptions for Office
365 and increase the annual revenue for each subscription. Growing the revenue per seat is done by
convincing customers to upgrade their subscriptions to a higher-priced plan (from E3 to E5, for example) or
by buying add-ons for specific functionality. Many of the new features being added to Office 365 now require
E5 licenses and a growing gap is developing between the functionality available to E3 and E5 tenants to justify
the extra cost of E5 licenses.
Convincing Office 365 customers to embrace Microsoft 365 is another example of driving extra revenue, and
to support the activity, you’ll see that Microsoft constantly emphasizes the value to customers of deploying
Office 365, Enterprise Mobility and Security, and Windows 10 together. Marketing and engineering support to
illustrate the benefits of Microsoft 365 will appear in a continual flow to convince customers to embrace the
program. If you want to continue using Office 365 on its own, you can, but a time might come when all you
can buy is Microsoft 365.
Page 14
Chapter 2: Exchange Mailbox
Migration
A green field deployment of the core services of Office 365 is straightforward because you don’t need to deal
with legacy infrastructure or data. Organizations that have an on-premises infrastructure usually need to plan
before they can migrate anything to Office 365. Because the migration methodology and tools are well
established and flexible enough to meet the requirements of almost any scenario, email is often the first and
easiest workload to move to the cloud.
Identity management is a key component of any Office 365 deployment. Many questions need to be
answered about how identity will be managed during and after the migration. Of course, identity
management is important from a security perspective, but it is also important to consider how it impacts the
end user experience. Chapter 3 (in the main book) examines the different identity models available for Office
365. You should understand the material presented there before you choose a migration method. Take your
time on these matters. It is possible that a specific identity model will cause you problems with your preferred
migration method. Or you might choose a migration method, reach the end of your migration project, and
discover that your ongoing identity needs have not been met. Be prepared to be flexible in your decision
making, and if in doubt, always consider the user experience implied in your chosen approach. A poor user
experience means a poor perception of the project outcome, even if the technical execution of the project
goes well.
This chapter examines the decision-making process for choosing a migration method, reviews the cutover and
staged migration processes, and provides an overview of hybrid configurations and other non-Exchange
migration methods. Hybrid configurations are also covered in much more detail in chapter 4. You may well
find that Hybrid is the best approach for your organization, but it is still well worth your time to read and
understand the other options that are available, so that your decision is an informed one. Let’s begin with a
look at the different migration approaches for Exchange Online.
Page 15
The best place to start is with the business requirements for the migration project. Business requirements
should include factors such as the need to complete the migration by a particular date, whether a back-out
option for the migration needs to be included, or if some email workload will remain on-premises. As you will
see, each migration method has different benefits and constraints, and they may not all suit the business
requirements of the project.
Technical requirements are considered next. These often eliminate some of the migration methods and allow
the organization to zero in on the feasible approaches. Figure 2-1 provides an example of the decision-
making process you can work through based on your technical requirements to understand the available
migration methods for your scenario. Even if you find that you meet the technical requirements of a migration
method, you should continue to research the actual processes involved in performing that migration, because
you might still discover some undesirable element that steers you in another direction.
Page 16
migration methods supported for Exchange 2010 and are not limited to the options available for Exchange
2007. Some additional requirements and constraints are mentioned in Table 2-1 that will be explained in more
detail later.
Exchange Version Cutover Staged Hybrid IMAP
Exchange 2003 Yes (if under 2,000 Yes No (unless a Hybrid server running Yes
mailboxes) Exchange 2010 is deployed)
Exchange 2007 Yes (if under 2,000 Yes No (unless a Hybrid server running Yes
mailboxes) Exchange 2010 or 2013 is
deployed)
Exchange 2010 Yes (if under 2,000 No Yes Yes
mailboxes)
Exchange 2013 Yes (if under 2,000 No Yes Yes
mailboxes)
Exchange 2016 Yes (if under 2,000 No Yes Yes
mailboxes)
Table 2-1: Available migration methods for on-premises Exchange versions
In addition to the built-in migration methods, you can consider:
• Migrating user PSTs using the Office 365 Import Service, Microsoft’s PST Collection tool, or a third-
party migration tool. PST-based migrations are discussed later. Note: The PST collection tool is no
longer under active development by Microsoft. Third-party migration utilities are now the
recommended method.
• Third party migration tools that use protocols like Exchange Web Services (EWS) to ingest data into
Exchange Online mailboxes. Third party tools often provide solutions to very complex migration
scenarios that built-in migration methods cannot handle.
Note: Although IMAP is included in Table 2-1, it is the least preferable migration method when you
migrate from an Exchange server, and is generally only suitable when migrating from non-Exchange
platforms such as Gmail or Yahoo!. We discuss the limitations of IMAP migrations later.
The next consideration is whether there are more than 2,000 mailboxes. Organizations with fewer than 2,000
mailboxes are supported for cutover, staged and hybrid migrations, while organizations with more than 2,000
mailboxes are only supported for staged or hybrid migrations. The 2,000-mailbox limit does not mean that
organizations with less than 2,000 mailboxes should automatically choose a cutover migration. For example, if
the organization wants to migrate their users in smaller batches instead of one big batch then a cutover
migration is not suitable.
Real World: 2,000 mailboxes is the threshold specified by Microsoft in terms of support for cutover
migrations. The logistics involved in handling an outage for such a large number of users, as well as the
desk-side support needed to assist with reconfiguring Outlook profiles and mobile devices after the
cutover, may simply make a cutover migration too risky and complex for the organization. In fact, many
experienced Office 365 consultants consider the practical limits of both the cutover and staged migration
methods to be as few as 150 mailboxes. Organizations larger than 150 mailboxes should give strong
consideration to using a hybrid migration instead of a cutover or staged migration.
When cutover is either not possible or not desirable for an Exchange 2003/2007 organization, the remaining
options are staged and hybrid migrations. For an Exchange 2003 environment an Exchange 2010 server can
be deployed to create a Hybrid configuration. If you want to use an Exchange 2013 or Exchange 2016 server
to host the hybrid configuration, you will have to complete a full migration to Exchange 2010 first. For an
Exchange 2007 organization at least one server running either Exchange 2010 or Exchange 2013 must be
installed to provide the hybrid functionality. Both staged and hybrid options require the implementation of
Page 17
directory synchronization. Without directory synchronization, your migration options are limited to the use of
third party migration tools.
An organization migrating from Exchange on-premises can use the free Hybrid license available from
Microsoft (see this discussion for details). This license allows an Exchange 2016, 2013 or Exchange 2010 SP3
server to be deployed in the organization to facilitate a hybrid connection with Office 365 (depending on the
supported versions that can co-exist in an organization). The Hybrid license can’t be used for a server that
hosts mailboxes, but the server can be used during the migration to Office 365 and retained afterwards to
manage the Exchange attributes of the on-premises Active Directory objects. A server assigned with a Hybrid
license can also be used as an SMTP relay server for applications or devices on the corporate network.
If the implementation of a Hybrid server is not possible, for example due to server capacity constraints, then a
staged migration is the way forward. The staged migration method is not available for organizations that run
Exchange 2010 or later. Exchange 2010 or later environments with fewer than 2,000 mailboxes to migrate can
still choose to perform a cutover migration. However, as we’ve already discussed, large cutover migration
projects can be logistically very difficult to perform.
Given that Exchange 2010 (or later versions) is capable of hybrid configuration with Office 365 you should
give strong consideration to using the hybrid approach instead of a staged or cutover migration. Although
hybrid is the most complex of all the migration options in terms of initial setup and configuration, it delivers
the best user experience during the migration. Hybrid configurations allow the on-premises Exchange
organization and Office 365 to function as though they are the same environment with seamless mail flow, a
shared address book and calendar free/busy federation. In fact, most users would not even be aware that they
are working in a hybrid configuration with mailboxes deployed in both on-premises and Office 365. A hybrid
configuration is also the only option that allows mailboxes to be off-boarded from Office 365 to Exchange on-
premises without using third party migration tools. Cutover and staged migrations can’t off-board or roll back
to an on-premises server without significant effort and the risk of data loss.
Hybrid configurations require directory synchronization of the on-premises Active Directory objects into Azure
Active Directory, so that they can be used in Office 365. If for some reason the organization can’t implement
directory synchronization, then the choices are limited to third party migration tools.
Finally, businesses using non-Exchange email platforms such as Gmail or Google Apps for Business can’t use
the cutover, staged or hybrid options. For those businesses Microsoft provides the IMAP migration option to
move mailboxes to Office 365. Alternatively, a third-party migration tool can be used. If you’re engaging the
Microsoft Onboarding Center or an outside consultant to assist with the migration, they will usually
recommend a specific tool or method for the migration, which will probably be the tool for which they have
most experience.
All aspects of the decision-making process require careful consideration. Beyond the technical considerations
are also other factors such as whether the migration project will be handled in-house or by an external
consultant, whether extra training is required for IT staff to understand new features such as hybrid
configurations, and whether funding is available to pay for third party migration tools if built-in migration
options can’t be used.
If you want some specific recommendations to get you started, it is generally recommended to use:
• Hybrid configuration for Exchange 2010 or later.
• PST-based migration if a non-Exchange email system can extract data to PST files.
• IMAP or third-party tools for any non-Exchange email systems that can’t extract data to PST files.
• Third party solutions for very complex migration scenarios.
Note: Before you finalize your decision on which migration method to use it is strongly recommended
that you read through the example migration scenarios from start to finish, so that you can learn about
Page 18
any risks or timing issues that you need to be prepared for. Do not start a migration before you have read
through the process from start to finish at least once, and you understand the support implications of your
migration method and ongoing identity management. You should also consider creating a test
environment and signing up for a separate Office 365 trial tenant so that you can perform a hands-on test
run of your chosen migration method.
Page 19
Preparing to Migrate to Exchange Online
Before you can migrate to Office 365, you need to sign up for a tenant. At this stage, you can opt to sign up
for a free trial that will run for 30 days, or you can decide to start paying immediately. The free trial period has
full functionality, and is a chance to try out features that you are unsure whether you will need. For example,
you can sign up for an Enterprise E5 trial, but then you might discover during the first 30 days that you only
need E1 or E3 licenses instead.
If you are unsure of your ability to work with Office 365 and need to gain experience, it’s best to create a
separate trial tenant at the start and use it to experiment with different services and settings. Then, after
you’ve acquired sufficient experience, you can create a tenant that you intend to use for production services,
and begin to prepare it for the migration of on-premises workload.
During the signup process, you’ll be asked where your organization is located. Selecting the right country for
your organization will determine where your Office 365 tenant is located around the globe. For organizations
that span multiple geographic regions you should choose the country where most of your end users will be
located. In Chapter 1 (main book) you learned that Microsoft operates many datacenters in different regions
to provide Office 365 service to end users. Your proximity to your datacenters is a factor in the quality of the
user experience for your Office 365 services, but not a defining one. A more important consideration for
organizations that reside in countries with strict data sovereignty regulations, for example Germany, is
ensuring that the Microsoft datacenters hosting your services are the appropriate ones.
As you move through the signup process you will be asked to create the first administrator account for your
tenant. This step also involves choosing the service domain (or tenant name) for your tenant, which is the
*.onmicrosoft.com domain assigned to every Office 365 tenant. The service domain will be visible to your
end users in the SharePoint Online URL, Skype for Business meeting invites, and OneDrive for Business
libraries, so choose a name that aligns with your organization’s company name or brand. The service domain
name must be unique within Office 365. Unfortunately, if another tenant already has the name that you would
like to use there is no way to get the name for yourself.
The service domain also cannot be changed later. Some customers make the unfortunate error of signing up
for a tenant with a service domain such as “contosotest.onmicrosoft.com”, then begin using it for production
services before they realize it cannot be changed. A similar naming problem can occur when the company
goes through a rebranding, or is acquired by another company. If it is important to your organization to
change tenant names, the only options are to perform an off-boarding migration to on-premises servers, then
migrate to a new Office 365 tenant, or alternatively to perform a tenant-to-tenant migration. Both options
involve considerable effort and cost, and are best avoided unless necessary. It's possible that in future
Microsoft will develop a tenant renaming process that makes the situation easier for customers, but
considering the complexity of Office 365 and the number of integrated services involved it could be quite
some time before that capability arrives.
Real World: Companies that operate with multiple parent-child companies and different brand identities
have some challenges with Office 365 tenant naming to consider. If the companies do not share an email
domain or any other data and resources, then it’s feasible to consider separate Office 365 tenants.
However, if there are shared domains and resources, and a single Office 365 tenant is deemed necessary,
then a common approach is to use a single parent company as the tenant name, such as
“contosoholdings.onmicrosoft.com”.
Page 21
Some organizations that do not already have HTTPS open for external connections to an on-premises
Exchange server may resist the notion of opening firewall ports to the entire world. In such cases the firewall
access can be restricted to the IP address ranges for Office 365. Using IP address filtering may be an
acceptable temporary measure while the migration is performed, but it becomes difficult to maintain this
configuration over a long period due to the rate of change that occurs with the Office 365 IP address ranges.
Firewalls that can only filter based on IP addresses may require changes as often as weekly. Firewalls that can
filter based on FQDNs, or DNS names, will require far less maintenance on an ongoing basis.
Applying the permissions at the database level is simpler, however, if you decide to grant the service account
permissions for each mailbox instead you can run a single PowerShell command.
[PS] C:\> Get-Mailbox | Add-MailboxPermission -User NRU\O365Migration
-AccessRights FullAccess
Note: If you are migrating from Exchange 2003, PowerShell is not available to run the commands shown
above. Instead, you can use the Exchange System Manager console to add the permissions to each
database.
Unfortunately, it is quite common for on-premises Exchange environments to have shared mailboxes that
were not originally created as shared mailboxes, and are simply user mailboxes instead. In those cases, the
PowerShell command above will not return all the mailboxes that would qualify as “shared” mailboxes. A
manual review of the mailboxes in the organization is recommended. If you have a large number of shared
mailboxes to convert, Oliver Moazzezi published an article to explain an easy method to handle this with
PowerShell.
Page 23
Reviewing Mail-Enabled Groups
For mail-enabled groups in the on-premises Active Directory (whether they are security groups or distribution
groups) the migration process results in new groups being created in Office 365. For cutover and staged
migration scenarios, the newly created groups in Office 365 will be restricted from receiving email from
external senders, as this is the default setting for new groups. This setting may be desirable if your mail-
enabled security and distribution groups are for internal use only, but for any groups that need to receive
email from external senders you will need to manually change the setting in Office 365. To avoid this issue,
you can use the Exchange Management Shell to identify groups that do not require sender authentication so
that you can plan to remediate them during the migration project.
PS C:\> Get-DistributionGroup | Where {$_.RequireSenderAuthenticationEnabled}
In cutover and staged migration scenarios, you need to change the setting in Office 365 after the group has
been created by the cutover migration batch. You can make the change before changing your MX records to
point to Exchange Online. For Hybrid migrations the group will synchronize to the cloud with the same setting
as the on-premises object.
Real World: In some on-premises organizations other configuration factors such as SMTP gateways and
load balancers can cause the RequireSenderAuthenticationEnabled setting to be overridden, and a group
may still receive emails from external senders even when sender authentication is required. When those
factors are removed from the equation after the migration to Exchange Online you may see email being
rejected unexpectedly. You can resolve these on a case by case basis, but if the risk is considered too high
for your organization then you can consider removing the sender authentication requirement from all
groups for an initial period after the migration, then reviewing the groups and turning it back on for those
groups intended for internal usage only.
During a cutover migration, the Office 365 migration service will automatically provision any mail-enabled
distribution groups in the cloud. However, it is not able to automatically provision mail-enabled security
groups. The solution for cutover migration scenarios is to create an empty mail-enabled security group in
Office 365 for each on-premises mail-enabled security before you begin the migration. You can locate mail-
enabled security groups in your on-premises organization by using PowerShell.
[PS] C:\> Get-DistributionGroup | Where {$_.GroupType -like "*SecurityEnabled*"}
In the example above one mail-enabled security group has been located. To create a new mail-enabled
security group in Office 365 login to the Admin center and navigate to Groups section, or use the Exchange
Administration Center. In the Exchange Administration Center navigate to Recipients and then Groups. Click
the icon to create a new group, and choose Security Group. Give the new group the same name and alias as
the on-premises group, but do not assign the same email address. Instead use the *.onmicrosoft.com domain
for your tenant to assign the email address for now. If you have many mail-enabled security groups to migrate
you can use this PowerShell script to automate the creation of the new groups in Office 365.
Page 24
proceeds. Finding mailbox users with delegates is a simple task in PowerShell. For Exchange 2007, use the
Get-MailboxCalendarSettings cmdlet.
[PS] C:\> Get-MailboxCalendarSettings | Where {$_.ResourceDelegates} |
Format-List Identity, ResourceDelegates
Identity : office365itpros.com/ExchangeUsers/Elizabeth.Holloway
ResourceDelegates : {office365itpros.com/ExchangeUsers/Steve Heppful,
office365itpros.com/ExchangeUsers/Alice.Mullins}
However, the output generated by the cmdlets doesn’t tell you which of the delegates may be a stale entry.
Some additional PowerShell is required for that task to locate delegate entries that are not mail-enabled. For
instance, you could use the PowerShell scripts Find-StaleDelegates.ps1 or Glen Scales’ Reverse Delegate
Permissions and Rights Report.
Like delegates, any object in Active Directory that is being migrated to Office 365 can’t be configured with a
link to a Manager that is not also going to be migrated. Again, it is a simple task to locate users with a
Manager that is not also mail-enabled. An example of this is the Find-StaleManagers.ps1 script.
Page 25
Alan.Reid True {12345} Default Policy Alan.Reid@office36...
Elise.Daeth True {12346} Default Policy Elise.Daeth@office...
Michelle.Peak True {12347} Default Policy Michelle.Peak@offi.
To disable the mailboxes for UM, use the Disable-UMMailbox cmdlet. The following command disables all the
UM-enabled mailboxes in the organization. If you want to disable just a single mailbox, use the Identity
parameter to pass the alias of the mailbox to Disable-UMMailbox.
[PS] C:\> Get-UMMailbox –ResultSize Unlimited | Disable-UMMailbox
Confirm
Are you sure you want to perform this action?
Disabling UM mailbox "office365itpros.com/ExchangeUsers/Alan.Reid".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):a
Cutover Migration
A cutover migration migrates all the existing mailboxes, contacts, and distribution groups from an on-
premises Exchange organization into Exchange Online. Cutover migrations do not include public folders or
dynamic distribution groups. Cutover migrations can be performed for up to 2,000 mailboxes, however even
companies smaller than 2,000 mailboxes may find the logistics of a cutover migration do not suit them, and
would prefer to use a different method such as a staged or hybrid migration.
One of the main logistical challenges with a cutover migration is the need to reconfigure every user’s Outlook
profile to connect to Exchange Online. Unlike the staged and hybrid configurations there is no method for
handling this automatically with a cutover migration, at least not within the migration process itself. Instead
the IT team needs to either manually reconfigure every user’s Outlook profile, provide instructions to end
Page 26
users to reconfigure it themselves, or develop an in-house script or solution to handle it automatically. Any of
these choices imposes a significant burden for a cutover migration on larger organizations. However, for very
small businesses the extra effort is negligible.
Another challenge with cutover migrations is the network bandwidth requirements. A low bandwidth
connection to the internet will slow down the migration of the mailbox contents, and will also cause problems
on the first day after the cutover occurs, because every user is resynchronizing their mailbox contents in their
new Outlook profile. Outlook 2013 and 2016 have an adjustable setting that controls the amount of mailbox
content that is synchronized to the offline cache, however even with that setting turned down to a very short
time, a large group of users can still saturate a network with Outlook synchronization traffic. In Figure 2-2,
which shows the internet usage for a small business that performed a cutover migration, the significant
increase in utilization on the day of the cutover can be clearly seen and caused a day’s productivity to be lost.
Had they elected to go with a Hybrid migration instead they would have incurred a slightly higher project
cost, but not impacted productivity for the entire company on cutover day.
Page 27
reasonable starting point. Give the difficulty in predicting exactly how long the synchronization of mailbox
data will take, scheduling the final cutover tasks is something of a grey area. You might plan to perform the
final cutover on a particular weekend, only to discover that the initial synchronization is still running through
that weekend. A flexible approach to scheduling the final cutover is required, and may require you to wait a
few days or a week between the end of the initial synchronization and when you’re able to actually finalise the
cutover.
The high-level process for a cutover migration is as follows:
• Users and mailboxes are automatically provisioned in Office 365 to match the on-premises objects. It
is important not to pre-populate your Office 365 tenant with accounts that already exist in the on-
premises environment as this will cause the cutover migration batch to fail due to the existing objects
in the cloud.
• The migration batch performs an initial synchronization of mailbox content that includes email
messages, contacts and calendar items. Non-content items such as inbox rules and calendar
permissions are not included. The administrator can be notified when this initial synchronization has
completed, but it should also be monitored along the way in case there are individual failures or
errors. No option exists to allow an administrator to prioritize certain mailboxes over other ones, nor
is there much point in trying to do so. The cutover migration by its very nature involves waiting for all
the mailboxes to be synchronized first, so the order in which they are synchronized is of little
importance.
• After the initial synchronization has completed, Exchange Online continues to perform an incremental
synchronization every 24 hours to update online mailboxes with any changes to the on-premises
mailboxes. This process of incremental synchronization continues for up to 90 days unless an
administrator acts to complete or abort the migration. If nothing happens, the migration job is
automatically stopped after 90 days and is then removed after a further 30 days. It is not
recommended to allow the incremental synchronization process to continue for a long period of time.
Even though new mailbox items are synchronized, some changes to existing items are not. For
example, if a user moves a lot of messages out of their inbox into a sub-folder, after the cutover is
completed and the user connects to their Exchange Online mailbox they may notice that the items are
back in their inbox.
• When the organization is ready to complete the cutover migration the MX records for the domains
are updated in DNS, and then a series of other supporting tasks are also performed to complete the
migration.
Because the cutover migration process is essentially just a data synchronization followed by an MX record
change, the rollback process involves simply changing the MX record to point back to the on-premises
Exchange server. However, the data synchronization process is one way only. Cutover migrations do not
provide a way to synchronize new data in Exchange Online mailboxes back to the on-premises mailboxes. This
means that a rollback from a cutover migration risks the loss of new mail items that have arrived in the
Exchange Online mailboxes after the MX record was pointed at Office 365. It doesn’t mean that a rollback is
impossible, only that it carries the risk of data loss unless the effort is made to locate new mailbox items and
manually migrate them back to the on-premises environment, for example by exporting them from Exchange
Online to a PST file and then importing them on-premises. If the lack of a seamless rollback process is a
concern for you, then it is recommended to look at a Hybrid migration instead. Hybrid is the only approach
that allows off-boarding of mailboxes from Exchange Online to an on-premises Exchange server.
A cutover migration involves a reasonable amount of technical work, but there is also some non-technical
work required. For example, you need to communicate to end users when the migration will occur and what it
means to them, and perhaps also request that they clean-up their mailboxes to reduce the amount of data
that is being migrated. You might also advise them to backup any critical messages, contacts or calendar
Page 28
items to a PST file to ensure they can still access them if a problem occurs. And you will also need to
communicate to them any changes that they need to understand or make to access Office 365 after the
migration completes, such as reconfiguring mobile devices, new URLs for accessing services such as OWA for
Office 365, as well as new functionality that they can access after the migration.
At the end of a cutover migration the users provisioned in Office 365 are cloud identities. The most significant
impact of this to your end users is that it is a separate password that they need to manage, in effect giving
them two sets of login credentials; one for on-premises login, and one for Office 365 login. An SSO solution
such as AD FS or password synchronization will improve the user experience by allowing them logon to Office
365 services with the same credentials they use for the on-premises environment. Some organizations
implement SSO immediately after the cutover and before the end users log on to their Exchange Online
mailboxes for the first time so that separate passwords are not required.
Retrofitting directory synchronization after a cutover migration is not a simple task, and gets more
complicated as more time passes after the migration. It also requires that an on-premises Exchange server be
retained for managing mail attributes for users, which is not ideal for organizations that want to reduce the
number of servers they manage. If you do want directory synchronization and SSO in place after your
migration then I recommend you consider a staged or Hybrid migration instead, each of which implements
directory synchronization at the beginning of the project rather than at the end.
Staged Migration
A staged migration can be used to migrate some or all the existing user and resource mailboxes from an on-
premises Exchange 2003 or 2007 organization into Exchange Online. Staged migrations can be performed for
organizations of any size, allowing them to migrate mailboxes to Office 365 over a period of several weeks or
months, with the eventual result of all mailboxes being hosted in Office 365.
A staged migration is not available to organizations running Exchange 2010 or later. Those organizations must
choose between performing a cutover migration or establishing a Hybrid configuration for the migration if
they want to use built-in migration methods.
A staged migration uses directory synchronization to provision users, distribution groups and contacts in
Office 365 by synchronizing them from the on-premises Active Directory. This makes the process more
selective than the cutover migration which does not permit the migration of a subset of on-premises objects,
because the directory synchronization can be filtered to only those objects that the organization wants to
sync to the cloud, leaving other objects such as user accounts for departed staff members behind.
The high-level process for a staged migration is:
• Users and other object types are provisioned in Office 365 by directory synchronization. The
organization has the option to use password synchronization or AD FS as a single sign-on (SSO)
solution as well. Password synchronization is built in to Azure AD Connect, so it can be implemented
without any additional infrastructure required, and it provides a good end user experience because
your users are not required to manage two sets of credentials for on-premises and Office 365 logins.
AD FS requires the deployment of at least one, and often as many as six additional servers into the
organization, depending on the requirements.
• Groups of on-premises mailboxes are added to migration batches. Batches are defined in CSV files
that can contain up to 2000 rows, which is a very large batch. For the early stages of your migration it
is wise to use small batches to test out the process and ensure that everything is working well. When
Office 365 processes a migration batch it mail-enables the cloud user account and synchronizes the
mailbox data.
Page 29
• The migration process immediately, or within a few minutes, configures mail forwarding on the on-
premises mailbox so that new email messages are delivered to the Exchange Online mailbox. At this
stage, the user should not use the on-premises mailbox, as it will be the Exchange Online mailbox that
receives new email. Furthermore, if the migration process has finished processing a folder, no
subsequent changes to that folder will be migrated, because the staged migration process does not
do multiple migration passes of the same folders. The user can be switched to using the Exchange
Online mailbox, but should expect to not see all their mailbox content until the migration batch has
completed.
• The on-premises mailbox user is converted to a mail-enabled user when the migration batch is
completed, which is the end of the migration for that group of mailbox users. The conversion to a
mail user allows Autodiscover to connect the Outlook profile to the Exchange Online mailbox. You
can then repeat the process for additional batches until they are all migrated to Office 365.
A staged migration has similar logistical challenges to a cutover migration, in that you will need to manually
reconfigure users’ Outlook profiles to connect to Exchange Online. As the Outlook profiles resynchronize their
offline caches there is a similar impact on network bandwidth as well. However, being able to control the
batch sizes during your migrations means you can limit the number of users in each batch to a manageable
size.
A staged migration accommodates a very simple level of co-existence between the on-premises organization
and Exchange Online. During a staged migration, the users with mailboxes in Office 365 can send and receive
emails from on-premises users, and vice versa. They can also see each other in their Global Address List (GAL).
However, they are not able to share calendar free/busy information, nor are they able to access each other’s
mailboxes as delegates. These limitations mean it is recommended to move batches of users to Office 365
based on teams or departments, so that the people who are used to collaborating with each other can
continue to do so. It also means that staged migrations are not suitable for very long migration projects, or
for scenarios where an organization will require a permanent co-existence between on-premises and the
cloud. In those cases, a hybrid configuration is the recommended approach.
Although directory synchronization is a requirement for a staged migration, it is not an ongoing requirement
after the migration has been completed. An organization may choose to keep directory synchronization in
place, which can be convenient for password synchronization and other ongoing administration so that
changes can be made to on-premises objects and synchronized to the cloud, rather than having to make the
same changes in both the on-premises and cloud environments separately. However, if the organization plans
to completely remove their on-premises Active Directory and transition to a full cloud model then they can
simply deactivate directory synchronization and perform ongoing identity administration using Office 365
management tools.
Real World: To remain in a supported configuration, if you want to maintain the ability to manage the
email attributes for users and other objects in your on-premises Active Directory, and have those changes
synchronize to the cloud, then an on-premises Exchange server should be retained for those administrative
tasks. If you choose to remove the on-premises Exchange server, and use ADSIEdit or third-party tools to
manage the email attributes in Active Directory, then Microsoft will not provide support for any issues that
may arise.
Hybrid Migration
A Hybrid configuration can be used as both a migration method, and as a permanent state for the Exchange
environment. Hybrid configurations are available for Exchange organizations that contain at least one
Exchange 2010 SP3 or later server. For Exchange organizations that do not already contain an Exchange 2010
Page 30
or later server, a free Exchange 2016, 2013, or 2010 license can be obtained from Microsoft solely for enabling
the Hybrid functionality, but not for hosting mailboxes.
Hybrid configurations require directory synchronization, and it is recommended to also use password
synchronization or AD FS for a single sign-on experience for end users. Without either of those SSO solutions
in place the end user experience when on-boarding or off-boarding mailboxes, as well as during other
Exchange server interactions such as Autodiscover lookups, will be very poor.
Hybrid configurations allow for rich co-existence between the on-premises Exchange organization and Office
365, including:
• Remote mailbox moves that are nearly seamless to end users.
• A unified Global Address List.
• Sharing of Free/busy calendar information.
• The ability to migrate mailboxes back from Office 365 (offboarding).
This rich co-existence makes Hybrid configurations ideal for many migration scenarios and avoids many of the
issues that staged and cutover migrations create. Hybrid is also ideal as a permanent state for organizations
that want to have some mailboxes on-premises and some in the cloud, with the freedom to move mailboxes
back and forth as required. In fact, Hybrid is the only supported scenario in which off-boarding from Office
365 is made possible. Without a Hybrid configuration, off-boarding often relies on third party migration tools
instead. You can learn more about Hybrid configurations in Chapter 4.
Post-Migration Tasks
At the completion of a cutover, staged or Hybrid migration there are several post-migration tasks that need to
be performed.
Page 31
The results will include a table showing all the hops that the message passed through from sender to
recipient. Review the table to verify that the message did not pass through your on-premises Exchange server.
Some mail servers may continue to send new messages to the on-premises Exchange server due to DNS
propagation delays or caching. One of the ways that you can determine this is by running a message tracking
log search. A simple search for log entries in the last 24 hours will show you whether any mail traffic is
continuing to flow through the server.
[PS] C:\> Get-MessageTrackingLog -Start (Get-Date).AddHours(-24)
If you do see some results in that query that look like user-generated email, then you may simply need to wait
longer and try again. However, if you’re still seeing message tracking results long after you changed your MX
records in DNS then there may be some other cause of the email traffic, such as a device or application on
your network that is using the on-premises server for SMTP relay, or simply due to health mailbox probes if
the server is running Exchange 2013 or later. Of course, if you are not planning to decommission the on-
premises server and instead plan to keep it running for ongoing management and SMTP purposes, then you
can expect to see some email traffic still flowing through it. I still recommend you look closely at it though, to
make sure that it isn’t something nefarious like a spammer trying to exploit your Exchange server to send their
spam campaigns.
Configuring Autodiscover
The reconfiguration of Outlook profiles for your end users depends on Autodiscover working correctly. The
Autodiscover service provides configuration details to Outlook clients, telling them exactly how to configure
themselves to connect to Exchange or Office 365.
For cutover migrations, Autodiscover is updated to point to Exchange Online when all the mailboxes have
been migrated. For staged migrations Autodiscover configuration depends on whether you plan to keep the
on-premises Exchange server or decommission it. If you plan to retain an on-premises Exchange server, the
Autodiscover records in Active Directory and DNS point to that on-premises server. The mailboxes have been
converted to mail users, so the on-premises Exchange server will return an Autodiscover response that
instructs the client to connect to Office 365. If Autodiscover was previously working, and worked during the
various migration batches that you ran, then likely you won’t need to modify anything. If you plan to
decommission the on-premises Exchange server, the Autodiscover records need to be modified to point at
the Office 365 servers.
For Hybrid deployments, the Autodiscover configuration should continue to point to the on-premises server if
mailboxes exist on-premises. Autodiscover for Hybrid scenarios is covered in more detail in Chapter 4.
When Autodiscover records are ready to be updated, you can once again refer to the Domains section of the
Office 365 admin center to retrieve the DNS records that are required for each domain name. At this stage,
the Autodiscover CNAME record for Exchange Online is the one to implement.
Add the record to your public DNS zone, making sure to remove any other Autodiscover records that might
also exist. If you also host a DNS zone for your email domain on your on-premises domain controllers, then
you should check for Autodiscover records in that zone as well, and change those to the new Office 365 value.
If an on-premises Exchange server is being retained, and you want the Autodiscover configuration to point to
Exchange Online, then the Autodiscover SCP also needs to be updated. On the on-premises Exchange server
use the Exchange Management Shell to update the SCP by running Set-ClientAccessServer.
[PS] C:\> Set-ClientAccessServer –Identity <servername>
-AutoDiscoverServiceInternalUri $Null
Page 32
The step is not required if you are migrating from Exchange 2003, as Exchange 2003 does not include the
Autodiscover service.
IMAP Migration
Staged, cutover and hybrid migrations utilize Outlook Anywhere or Exchange Web Services to connect from
Office 365 to the on-premises Exchange server during the migration. For customers migrating from non-
Exchange servers those protocols are not available, and other methods must be used instead. IMAP4 is a
widely-supported protocol by email server platforms and therefore serves as the lowest common
denominator protocol for connectivity. Office 365 supports migrations that use the IMAP protocol to extract
information from source mailboxes which is then pushed to Office 365 mailboxes. The migration works in a
similar way to cutover migrations, in that an initial synchronization pass occurs and then multiple incremental
synchronizations can run to keep updating the Exchange Online mailboxes with the latest new items from the
source mailboxes. However, the user accounts in Office 365 must be provisioned separately, either by
manually creating them or by directory synchronization, as the IMAP migration process does not provision
them for you.
Page 33
Figure 2-3: Starting a data migration from an IMAP-enabled email service
Once everything is ready, a cutover-style migration is executed by updating MX records and connecting email
clients and devices to the Exchange Online mailboxes. As with other cutover migrations, this process can be a
logistical challenge, can place a big burden on network connectivity as email clients synchronize with their
new mailboxes, and there is no rollback without the risk of data loss.
IMAP migrations can be initiated from commonly used email services such as Gmail, Yahoo, Outlook.com and
Hotmail by navigating to Users and then Data migration in the Office 365 admin center (Figure 2-3). Each
service has some preparation steps in which it is generally recommended to enable two-factor authentication
for the external email account, and then generate an app password that is used by the data migration service
to authenticate to the mailbox over IMAP.
When you select a service such as Gmail, the settings for the migration are automatically configured with the
IMAP server settings for that service. If the email service that you migrate data from is not one of the listed
options, you can choose Other email sources and manually configure your own IMAP settings. You can
choose to migrate data to any licensed Exchange Online mailbox user. However due to the nature of this
migration type you will need to know the account passwords, or app passwords as mentioned earlier, for the
accounts (Figure 2-4) on the other email service. The passwords are necessary so that the data migration
process can log on to them to retrieve data, unless the external service you are migrating from supports
administrator or impersonation access to all the mailboxes.
Figure 2-4: Configuring the email address and password for accessing IMAP email services
Because IMAP4 is exclusively an email protocol, any migration based on this protocol will have some natural
limitations. The process will only migrate mail items. No calendars, contacts, notes or other item types will be
migrated. There is also a limit of 500,000 items per mailbox, and 50,000 total mailboxes. Despite these
Page 34
limitations, it is good that the IMAP migration method exists, giving non-Exchange customers a reasonable
pathway to Office 365.
Page 35
PST imports can be an Exchange Online primary or archive mailbox, or an Inactive mailbox. Inactive mailboxes
are covered in the Exchange Online chapter of the main book.
The Office 365 Import Service is not available to every Office 365 tenant. Currently the network upload service
is available for tenants hosted in the United States, Canada, Brazil, the United Kingdom, Europe, India, East
Asia, Southeast Asia, Japan, Republic of Korea, and Australia. The drive shipping service is available in United
States, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, and Australia. The list of countries
will change over time, so you should double check where the Import Service is available when you plan your
project. Government customers also need to consider whether they are willing to use the public Azure cloud
as the staging ground for the data that will be imported (bring-your-own-key encryption is available, which
should satisfy some government customers).
No Drive Shipping for SharePoint: Microsoft used to support the drive shipping method for the Office
365 Import Service to move data from on-premises SharePoint to SharePoint Online. Support ended in
July 2017 and the approved and supported method is now the SharePoint Migration Tool.
You can test the Import Service process by uploading a few PSTs to see how the import process works and to
satisfy yourself that the procedure is suitable for your organization. Of course, technology is only one part of
the solution. The more challenging issue might be to track down all the PSTs that lurk on personal drives and
to persuade users that they really can trust the cloud to store their most secret data. That might sound simple,
but discovering and collecting all those PST files on your network is a big challenge. The PST Collection Tool
uses an agent that you can deploy to your network computers to discover PST files, and some third-party
tools also provide agents to assist with the discovery process. Even when the PST files are all accounted for,
disconnecting them from users' Outlook profiles so that they can be copied and uploaded will be a purely
manual task without the assistance of non-Microsoft tools.
Other challenges include the deduplication of information held in PSTs (which the Import Service does not
do), attribution of PST files to users (which the Import Service itself also does not do), and the speed in which
PST information can be ingested by Office 365 (some third-party technologies claim to be faster than the
Import service, depending on the network conditions of the environment). And for some organizations it is
simply preferable to hand over responsibility for the import process to Microsoft by shipping the data on hard
drives instead of attempting a network transfer.
Apart from importing PSTs that have been accumulated by users, Microsoft also intends the Import service to
persuade customers to move data back to Exchange from third-party archiving solutions such as Veritas
Enterprise Vault. The idea is that you can export data from these repositories (using tools provided by the
archive vendor or other ISVs) to PSTs and then upload or send these PSTs to Microsoft for ingestion into user
primary or archive mailboxes. This is all possible, but you should be wary of plunging into a migration project
without considering:
• The potential impact on users as the location of their information moves from the old repository to
Office 365 (including a potential requirement for client software updates)
• How the old archive information (such as Enterprise Vault “stubs”) are handled as data is migrated to
Office 365
• How information in the PSTs is collected, verified, and tracked so that a complete chain of custody
record is retained to prove the immutability of the migrated data. Without a believable chain of
custody record, any information extracted from a repository and imported to Office 365 might not be
viable if required for the purposes of litigation.
• Deduplication of information held in PSTs before the information is imported to Office 365 (both to
reduce the overall processing requirement and to ensure that you don’t swamp Office 365 with piles
of duplicate content).
Page 36
The fact is that right now the Import service is a functional tool that will work for many organizations, but
doesn’t handle some of the considerations above that third-party solutions are designed to handle. Let’s look
at each of the migration methods for PST data available to the Office 365 Import Service.
Page 37
the Office 365 Import Service, refer to the bonus guide included with your download of this eBook, or
available at https://practical365.com/office-365-bonuses.
Page 38
Retaining data after import
In many cases the archive data that you import into Office 365 through the Import Service or other methods
will include content that is quite old. PST files could hold items that were created more than a decade ago, but
without a means of analyzing the data you’ll need to apply your own judgement as to how old (and how
valuable) the data might be.
What’s important to consider is how much of that data you want to preserve after it has been imported into
Office 365. If your tenant uses retention policies to control the age of items that can be stored in Exchange
Online mailboxes, then you should also expect any imported data that is older than the retention period to be
deleted or archived by the Managed Folder Assistant the next time the mailbox is processed. To prevent
unexpected removal of data, the Office 365 Import Service applies a retention hold to any mailbox to which it
has imported data so that the mailbox owner can review the imported data and apply retention tags to
folders or specific items to make sure that they are retained. The retention hold remains in place on the
mailbox until it is removed by an administrator. If you're importing data using third party tools, then you
should consider manually applying retention holds to the target mailboxes before you begin importing data.
Retention policies are explained in more detail in the Compliance chapter of the main book.
Another approach is to only migrate the desired data from the PST files. For organizations that have
Enterprise E5 licenses, the Office 365 Import Service offers the ability to filter the PST contents by date, so you
can let the Import Service automatically ignore older data you do not need to migrate to Exchange Online.
Filtering out the data during the import process doesn't save you any network bandwidth as the PST files still
need to be uploaded to Azure store for processing, but it does avoid potential complications with the amount
of PST data exceeding available mailbox quotas.
Page 39
Examine the CSV output file created by the script and decide which public folders are not needed. Ideally, you
should remove all redundant and unused public folders at this point. You might need to preserve the data
from the folders you remove by using Outlook to copy the data to a PST file. It is also a good idea to look for
any public folder that is larger than 2 GB. If you find some, consider splitting the content across multiple
folders to make it easier to migrate. Again, this is a great opportunity to remove some old data from the
hierarchy.
It doesn’t make sense to migrate old and unused public folder data to Exchange Online as it will only extend
the migration timeframe (because more data must be transferred over the Internet) to move the obsolete and
unwanted data into the cloud. That data must then be managed in Exchange Online. Overall, it is a much
better idea to do the work to examine the legacy public folder hierarchy and prune it as hard as you can
before you start the migration. Unfortunately, there are no automated tools to help with this work as only
humans can decide whether to keep or discard data, whether folders are still in use or obsolete, or whether
any business value is contained in items stored in a public folder. No one looks forward to reviewing a public
folder hierarchy that holds tens of thousands of folders, but this work needs to happen if you are to migrate a
clean and efficient hierarchy to the cloud. After pruning and cleaning up the public folder hierarchy, you
should run Export-PublicFolderStatistics.ps1 again to generate a new CSV file. Give the CSV file a quick check
to verify that it contains the data you expect.
Now run the PublicFolderToMailboxMapGenerator.ps1 script. This script takes the CSV file that you created in
the earlier step and uses the data about public folders to generate a mapping between the folders in your
hierarchy and a set of public folder mailboxes to which the migration process will move the public folders.
After the script completes, you need to examine the CSV output that it creates and decide whether the
distribution of folders is good enough or you can improve it. For instance, you might decide to use some
extra public folder mailboxes as migration targets. This is a manual process and it can be exhausting to review
the distribution of thousands of folders.
Before you can move public folders to Exchange Online, you must create a migration endpoint for the
Mailbox Replication Service to use. The endpoint points to an on-premises public folder server that will act as
the source for the migration and includes the credentials of an account that has enough permissions to
perform administrative activities. This example shows how to create an endpoint:
[PS] C:\> New-MigrationEndpoint –Name PublicFolderEndpoint
–RPCProxyServer pfserver.contoso.com –Credentials (Get-Credential)
–SourceMailboxLegacyDN $source_remoteMailboxLegacyDN
-PublicFolderDatabaseServerLegacyDN $source_remotePublicFolderServerLegacyFQDN
–Authentication Basic
The next step is to create the set of target public folder mailboxes in Exchange Online. You must use the same
names as contained in the CSV file because these mailboxes are the target for the migration. You do not have
to limit the set of public folder mailboxes to that suggested by the script as it is perfectly acceptable to create
some extra mailboxes and then change the CSV mapping file so that some public folders are directed to the
additional mailboxes. The HoldForMigration parameter tells Exchange Online that these mailboxes are not yet
in use and will not be until the migration is complete. The command to create a new public folder mailbox is
like this:
[PS] C:\> New-Mailbox -PublicFolder 'PF Mailbox 1' -HoldForMigration:$True
Once the public folder mailboxes are ready, you can launch the public folder migration request. Create a new
migration batch that points to a migration endpoint for the source public folder server in the on-premises
environment. Note that the CSV mailbox mapping file is also an input for the migration batch is. When the
batch is ready, you can start it.
Page 40
[PS] C:\> New-MigrationBatch –Name PublicFolderMigrationJob
–CSVData (Get-Content "PFMapping.csv" -Encoding Byte)
–SourceEndpoint "PublicFolderEndPoint" -NotificationEmails Admin@Office365ITPros.com
Exchange uses the Mailbox Replication Service (MRS) to transfer all the data found in legacy public folders to
new public folder mailboxes created in Exchange Online. The batch migration procedure creates a separate
migration job for each target public folder mailbox. Obviously, the more public folder mailboxes you use, the
more distributed the workload is when transferring information from the on-premises servers to Exchange
Online. Although splitting up the workload into multiple streams makes more efficient use of available
resources, it will not allow you to transfer any more data than the network connection between the on-
premises servers and Exchange Online can handle. In other words, if you have a lot of public folder data to
migrate, it might take some time for the transfer to happen.
The batch process continues to copy data from the on-premises public folders to the target public folder
mailboxes. This work happens in the background. When the first synchronization is complete (a task that
could take many days for large public folder hierarchies), the migration job will auto-suspend and await
administrator permission to go ahead. When you are ready to complete the migration, you must lock the
public folder infrastructure to prevent further change. To do this, run this command on an on-premises
mailbox server:
[PS] C:\> Set-OrganizationConfig -PublicFoldersLockedForMigration:$True
Depending on the size of the on-premises organization and the health of the public folder replication
between the servers that host public folder databases, it might take some hours before the lock-down is
complete. Users must disconnect from public folder databases during this time. You can check the progress of
the individual migration threads (one for each public folder mailbox) through the migration section of the EAC
(found under recipients). After locking public folders for the organization, you can instruct the migration batch
job to complete. The time taken to complete depends on how many changes happened in the legacy public
folders since the first synchronization occurred.
[PS] C:\> Complete-MigrationBatch -Identity "PublicFolderMigrationJob"
You will know when the migration process has finished when the status for the migration job is "Completed".
Before switching on public folders for end users, you can test that everything is correct by examining the
Exchange Online public folders by configuring a mailbox to point to a public folder mailbox. Log on to the
mailbox with Outlook or OWA and compare the contents of several public folders to ensure that everything is
as it should be. It is also a good idea to post items to a few folders to make sure that write access works.
[PS] C:\> Set-Mailbox -Identity 'Kim Akers' -DefaultPublicFolderMailbox 'PF Mailbox 2'
If everything checks out, we can release the block and allow users access to the newly migrated public folders.
These steps allow all the public folder mailboxes to serve the hierarchy to clients, mark the organization
configuration to say that the migration is over, and that the public folders are local to Exchange Online.
[PS] C:\> Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder
-IsExcludedFromServingHierarchy $False
[PS] C:\> Set-OrganizationConfig -PublicFolderMigrationComplete:$True
[PS] C:\> Set-OrganizationConfig -PublicFoldersEnabled Local
Public folders are not mail-enabled by the migration process. If you need some public folders to be mail-
enabled, you must do this after the migration is complete.
You cannot apply a filter or otherwise instruct Exchange Online to ignore some of the legacy public folders
because the migration process is designed to move everything found in the old infrastructure. It is usually true
Page 41
that some debris has accumulated in a legacy public folder infrastructure due to unused folders or folders that
contain obsolete information.
No Dumpster
Items deleted from public folders go into the “dumpster” before Exchange permanently removes the data
upon the expiration of the retention period. Often, a substantial amount of data accumulates in the dumpster
that you probably don’t want to migrate to Exchange Online. Apart from anything else, moving the dumpster
data extends the timeframe for a migration. To check the size of dumpster folders, run the following
command:
[PS] C:\> Get-PublicFolder \NON_IPM_SUBTREE\DUMPSTER_ROOT -Recurse -ResultSize:unlimited |
?{$_.FolderClass -ne $null} | Format-Table Name, FolderSize
Page 42
To exclude the dumpster from public folder migrations, you include the ExcludeDumpsters switch when you
create a new migration batch. For example:
[PS] C:\> New-MigrationBatch -Name PFMigrationBatch2 -CSVData $bytes -SourceEndpoint
$PfEndpoint.Identity -ExcludeDumpsters
Excluding dumpster content will speed up migrations at the expense of eliminating the ability of users to
recover deleted items. It’s a trade-off between speed and utility.
Page 43
Third party migration utilities
Do not assume that Microsoft is the only source of public folder migration tools. Whenever possible, you
should consider the tools Microsoft makes available, if only because they are free. But other tools available
from third-party providers that might be more effective or can handle a situation. For example, the basic
migration facilities available from Microsoft do not accommodate the parallel migration of both content types
because this functionality needs bi-directional public folder coexistence, which is not a feature that Microsoft
has engineered for Office 365. In this instance, you will need to use a third-party product that can perform the
bi-directional synchronization for both public folder hierarchy and contents. Some of the third-party tools can
prune and graft public folders as the migration is ongoing, which is an attractive choice when faced with the
need to migrate a massive public folder infrastructure.
Because third-party products often go well beyond the migration tools available from Microsoft, it is sensible
to review what is available in the market before making any decision about how you will execute a migration.
These tools might not use standard migration techniques (for example, they might transfer data using
Exchange Web Services rather than the Mailbox Replication Service) and they will cost, but might be the only
choice. Examples of the factors that you should consider in assessing any third party public folder migration
tool include:
• Is it possible to perform a selective migration (for example, only the public folders used by a group of
mailboxes that are being moved to Office 365) or do you have to move the complete public folder
infrastructure at one time (the approach taken by the Microsoft tools)?
• Is bi-directional synchronization supported to allow a portion of the public folder infrastructure to be
moved to Office 365?
• If bi-directional synchronization is supported, can the public folder hierarchy be maintained on both
cloud and on-premises platforms? Is synchronization performed on a scheduled basis or on-demand
(this could be important for public folders that change frequently).
• What throughput is attainable for moving public folder content? This is seldom an issue for small
public folder deployments (less than a few thousand folders) but can be an issue when large amounts
of content (terabytes) are stored in public folders. Microsoft’s tools mitigate this issue by moving data
behind the scenes over an extended period before performing a final synchronization just before the
public folders are switched over to Office 365.
• What downtime is needed to migrate public folders?
• Is the tool proven to scale to deal with the numbers of public folders to be migrated?
• What planning tools or other assistance is available to help you decide upon the most effective
migration strategy for public folders? Are reporting tools available to analyze the public folder
infrastructure and the overall progression of the migration?
• Do the tools work against old-style and modern-style on-premises public folders?
• How much does the tool cost? Is it based on the number of public folders or the overall size of the
infrastructure (factors that could assist in the decision to prune public folders before starting a
migration)?
Another factor to consider is whether now is the time to move away from public folders. Like any migration
project, a move to drop public folders is not something that you should do without careful planning. Ideally,
the work should happen as part of an overall project to review the use of public folders within an
organization. Ideally, the review should divide public folders into a set of buckets, such as:
• Public folders that are obsolete and you can discard without further action. For example, a folder that
no-one has accessed in the last five years is probably obsolete and unwanted.
• Obsolete folders whose content you need to keep for legal or regulatory reasons.
Page 44
• Public folders in active use that are good candidates to move to a more modern collaboration
platform like Office 365 Groups.
• Public folders that you can transform to other objects within Office 365, such as shared mailboxes.
• Public folders that you cannot migrate and need to stay as public folders within Exchange Online.
Perhaps the review will conclude that no business needs to move any public folders to Office 365 and that
you can leave the folders to wither away while all efforts concentrate on how best to exploit the newer and
more powerful collaboration tools offered by Office 365.
If you decide to keep some or all public folders, the result of the review will guide the choice of the tools to
achieve your goals. A tool selected and used successfully in one company is no guarantee of the same
outcome in another. Planning is all-important and that must include a review of the current infrastructure, an
assessment of what data should be moved and what can be dropped, and some testing to identify the right
migration strategy for your organization and the tools to be used. Experience demonstrates that public
folders are left without much thought until the last phase of the migration project, at which time they can
become a major pain point for both the users who have been moved to Exchange Online and the IT
department who now needs to figure out how to move public folders without causing extra disruption to
users. The more familiar you become with the advantages and disadvantages for the different approaches to
public folder migration, the more successful the outcome will be.
Page 46
• How much data needs to be moved? It’s likely that the archive contains information that is quite old
and might not be relevant anymore for compliance purposes.
• How are “leavers” dealt with? Any archive that has existed for more than a few months will contain
messages originally sent or received by people who no longer work with the company. Where should
these messages go when they are extracted from the legacy archive? In addition, it’s possible that the
SMTP address for someone who has left the company has been reused by someone who now works
for the company. These and other edge conditions need to be considered and resolved before the
migration can proceed.
Automation and orchestration of processing help smooth the rough edges of legacy email archive migration
but there is no disguising the fact that these are costly and complicated projects that need buy-in from many
interested parties, including IT, business units, and legal. In some cases, it might be possible to migrate the
email archives that can be associated with current mailboxes and leave the remainder of the email archives
and the journal reports in the legacy archive, which can then be consolidated into a smaller set of servers to
reduce the cost of hardware and software licenses. Later on, when the usefulness of the information held in
the legacy email archive has expired, it can be decommissioned and removed from use. In the interim, if an
eDiscovery investigation needs to access information over an extended period, it might be necessary to
perform separate searches in the legacy archive and Office 365 and then combine the results.
Log in to the Office 365 administration portal and navigate to Setup and then Domains. Click the Add
domain button to add your domains, as shown in Figure 2-5.
Page 47
Figure 2-5: Adding domains to Office 365
As you run the wizard to add a domain, the wizard provides you with a domain validation record to add to
your external DNS zone, which proves that you own the domain. As discussed earlier, I recommend using the
TXT record so that you do not cause any issues with your mail flow by adding an MX record at this stage.
Page 48
There's also the question of whether to host your DNS in Office 365, or to host and control your own DNS
records separately (Figure 2-6). For most organizations that already have a public DNS zone and DNS hosting
provider, and who are comfortable making DNS changes themselves, the prospect of moving the zone to
Office 365 offers no advantages. For the remainder of this example scenario it will be assumed that we'll be
managing our own DNS records.
Microsoft then checks your domain for the DNS records that are needed for Office 365 services to work. For a
new domain, or domain that you're already using with an on-premises, most if not all those DNS records
won't exist in the zone. At this stage, do not make any changes to your DNS records. Instead, select the
option to skip this step (Figure 2-7).
Figure 2-7: Don't add any DNS records to your zone yet
Real World: Until the full list of required records is added to the DNS zone for your domain Office 365
will warn you that there are “Possible service issues” with your domain. You can ignore this warning until
you’ve completed adding all the DNS records later.
Name : EX2007SRV
OutlookAnywhereEnabled : True
ServerName : EX2007SRV
ClientAuthenticationMethod : Ntlm
ExternalHostname : mail.notrealuniversity.com
To test the Exchange configuration, we can use the Exchange Remote Connectivity Analyzer to perform an
Outlook Connectivity test (Figure 2-8).
Page 49
Figure 2-8: Microsoft Remote Connectivity Advisor
This test will validate that both Autodiscover and Outlook Anywhere are working correctly for the on-premises
organization, which is important for Office 365 to be able to detect and connect to your on-premises server
during the migration process. It will also validate that the expected firewall ports are open and NATing to the
Exchange server.
Real World: It is common to see a “Test Successful with Warnings” result from the Remote Connectivity
Analyzer due to the use of an SSL certificate that will require clients to have downloaded the root CA
updates from Windows Update.
Preparing Recipients
Many preparation and review tasks are recommended for the recipients in your on-premises organization
before beginning the migration:
• Reduce the migration load by reviewing large mailboxes, and large mailbox items
• Review shared mailboxes
• Review the sender authentication setting for mail-enabled groups
Page 50
• Pre-provision a security group in Exchange Online for each mail-enabled security group that exists in
the on-premises environment
• Clean up stale delegates and managers
• Disable Unified Messaging
Page 51
Figure 2-11: Monitoring the migration batch job
Be patient, as the initial provisioning can take several minutes, and the initial synchronization can take days or
weeks depending on the amount of mailbox data to be migrated. You may notice that not all mailboxes are
processed simultaneously. The limits for simultaneous processing vary, but you can expect 100 mailboxes to
be processed at a time.
Page 52
After connecting to Exchange Online with PowerShell, run the following command to see the status of each
mailbox being migrated.
[PS] C:\> Get-MigrationUser | Get-MigrationUserStatistics | Select identity,status,percentage* |
Format-Table –AutoSize
Alternatively, use the Get-MigrationBatch cmdlet to view the progress of the batch as a whole. This command
lists all migration batches and their status.
[PS] C:\> Get-MigrationBatch | Format-Table Identity,Status
Continue to monitor the progress of the migration at regular intervals, or simply wait for the notification email
to arrive to let you know when initial synchronization has completed.
If you look at the list of users in the Office 365 admin portal, or the list of mailboxes in the Exchange
Administration Center, you will notice that it is populated with all of the users you are migrating to Office 365.
At this stage the mailboxes are fully functional and users could login to services such as Outlook Web App,
but new email is not being delivered to those mailboxes until you change the MX records for the domain to
point to Office 365. This gives you total control over when the final cutover will occur. In the meantime, your
users should continue to connect to their on-premises mailboxes and use them as normal.
When the initial synchronization is complete, you’ll receive an email notification to let you know the results.
Now you can begin the final cutover tasks. These include:
• Changing MX records to point to Office 365.
• Configuring Autodiscover to point to Office 365.
• Running a final synchronization of mailboxes. One way to do this is to stop the migration batch in
EAC and then restart it again to resume synchronization. Any outstanding transactions will then be
processed. You can then delete the migration batch. After the migration batch is removed, the on-
premises mailboxes are no longer synchronizated with Exchange Online.
You will need to communicate this change to your end users and advise them of what they need to do (e.g.,
log out of Outlook for the cutover period) as well as any user experiences that will change (e.g., the Office 365
OWA interface looks very different to Exchange 2010 and earlier). Finally, you need to provide users with their
login credentials for their new Office 365 accounts. Like anything to do with credentials, this should be done
in a secure manner.
Note: Providing users with their Office 365 credentials before the cutover time allows them to login to the
Office 365 portal and set their password to one that they will remember. However, if you do this make sure
you clearly communicate to your users that they should not use their Office 365 mailbox to send or receive
email yet.
The scheduling of the cutover will really depend on the size and complexity of your business. Whether you
choose to do it during a business day, one evening during the week, or over the weekend, if planning and
communication is in good order the cutover should go well. Because multiple DNS changes are required to
enable the switchover to Office 365, it is strongly recommended to review your existing DNS records first
(Figure 2-13).
Page 53
Figure 2-13: Reviewing DNS records
The value for TTL (time to live) is important here. This indicates to DNS servers and clients how long they
should cache the value of the DNS record. Until the TTL has expired a DNS server will continue to answer
queries for your records with the old, cached value instead of the new value. In other words, the TTL is
approximately how long you can expect to wait before a change to your Autodiscover or MX records takes
effect, which means new email will still deliver to your on-premises Exchange server for that period.
Real World: A common approach is to lower the TTL value to something very short, such as 5 minutes
(300 seconds). If this is done a day or two before the planned cutover time, then it improves the
likelihood that the change to the Autodiscover and MX records will take effect much quicker.
For details on the steps required to update MX and Autodiscover records in DNS, refer the section earlier in
this chapter.
Page 54
Figure 2-14: Entering credentials for Outlook
You can read more about configuring and managing clients and devices in the Clients chapter of the main
book.
The output (Figure 2-15) will show the last logon time for each mailbox, sorted in order of the last logon
timestamp, and will also display the name of the user account that was responsible for the last logon.
Page 55
Figure 2-15: Viewing the output of Get-MailboxStatistics
In the example above you can see that “Alan Reid” has logged on to his mailbox more recently than the
migration service account. This indicates that his Outlook or mobile device may still be configured to connect
to the on-premises server. It may also mean that there are unsynchronized email messages in his mailbox, for
example new sent items that have not yet been copied to Office 365. That is an example of something that
should be followed up before removing the migration batch.
Another method to check that the migration batch can be removed is to check the last sync time for the
mailboxes. You can check this in the Exchange Administration Center for Office 365 in the Recipients section
under Migration. Review the last synced time for the migration batch (Figure 2-16) to confirm that at least
one incremental synchronization has occurred since you changed the MX records to point to Office 365 and
reconfigured all the end users’ Outlook profiles and mobile devices.
Page 56
If you need to manually force another incremental synchronization click Resume. When you’re ready to
remove the migration batch, click Delete.
Preparing Recipients
Many preparation and review tasks are recommended for the recipients in your on-premises organization
before beginning the migration:
• Reduce the migration load by reviewing large mailboxes, and large mailbox items
• Review shared mailboxes
• Review the sender authentication setting for mail-enabled groups
• Disable unified messaging
Page 57
Directory synchronization is an important part of almost all Office 365 migration scenarios, not just the staged
migration approach. After you implement directory synchronization for your organization you can continue
with the next steps in the staged migration process.
Login to the Office 365 Exchange admin center and navigate to Recipients → Migration. Click the + (plus)
button to create a new migration batch and choose Migrate to Exchange Online.
Select Staged migration from the list of migration types. Click Browse and choose the CSV file you created
earlier (Figure 2-17). The New Migration Batch wizard will calculate the number of mailboxes in the CSV file.
Page 58
organization. So simply choose a name that makes sense to you. Finally, choose a recipient for the migration
batch reports to be sent to, and choose whether to manually or automatically start the migration batch.
Staged migration batches cause new email for the mailboxes to be redirected to the Exchange Online
mailbox, which means users should begin using their Exchange Online mailbox shortly after the migration
batch starts. The steps to perform after a staged migration batch completes are explained a little later in this
section.
Real World: While the migration batch is running users should not access their on-premises mailbox to
send or receive email. However, because the mailbox hasn’t been converted to a mail-enabled user yet,
Autodiscover will still configure Outlook or a mobile device to connect to the on-premises mailbox. To
access the Exchange Online mailbox during the migration Outlook or the mobile device can be
manually configured to point to the server “outlook.office365.com”, or the user can simply use Outlook
Web App by browsing to https://outlook.office365.com/owa. While a staged migration batch is running
it is a good opportunity to visit the computers of those users in the batch and upgrade Office as well.
Page 59
Converting Mailboxes to Mail-Enabled Users
Before a staged migration batch runs the mailboxes that exist on the on-premises Exchange server are just
regular mailbox users. Email sent to that mailbox’s email address is delivered to the on-premises mailbox, and
that is where the user connects with their Outlook client.
[PS] C:\> Get-Recipient alan.reid | fl name,recipienttype,*external*
Name : Alan.Reid
RecipientType : UserMailbox
ExternalEmailAddress :
When the staged migration batch is started the ExternalEmailAddress attribute of the mailbox is updated with
the email address of the Exchange Online mailbox. This happens generally within the first few minutes of the
migration batch running.
[PS] C:\> Get-Recipient alan.reid | fl name,recipienttype,*external*
Name : Alan.Reid
RecipientType : UserMailbox
ExternalEmailAddress : SMTP:Alan.Reid@office365bootcamp.onmicrosoft.com
This causes all email that is sent to the mailbox’s email address to be forwarded to the Exchange Online
mailbox. Although the end user can still connect to their on-premises mailbox they will not see any new email,
and any email they send may not be migrated to Office 365 if the migration batch has already finished
processing their Sent Items folder. A staged migration batch does not do multiple synchronization passes like
a cutover migration batch does, and doesn't handle new items that appear in folders that have already been
processed.
When all existing mailbox contents have been migrated to Office 365, and new email is being delivered to the
Exchange Online mailbox, the user also needs to update their Outlook profile to connect to Office 365 instead
of the on-premises Exchange server.
During a staged migration, the Autodiscover records in DNS still point to the on-premises Exchange server,
except when the on-premises environment is running Exchange 2003 which does not have an Autodiscover
service. If the user were to create a new Outlook profile, Autodiscover would still configure them to connect to
the on-premises Exchange server. To get Autodiscover to tell Outlook to connect to Office 365 instead the
mailbox user needs to be converted to a mail user.
Microsoft provides two sets of scripts to convert Exchange 2007 mailboxes to mail-enabled users and to
convert Exchange 2003 mailboxes to mail-enabled users. In each case the process is basically the same. First a
PowerShell script is run that exports some user information from Office 365 based on the list of users in the
CSV file you used to create the migration batch. Secondly, a script is run that modifies the on-premises
mailbox users.
For Exchange 2003 the second step uses a VBScript, as there was no PowerShell available for Exchange 2003.
For Exchange 2007 the second step uses a PowerShell script. Let’s look at the process for an Exchange 2007
scenario.
First, download the scripts to the Exchange server. You may need to unzip the files and rename them to a .ps1
file extension. You should also have the migration batch CSV file in the same folder (Figure 2-19). The file
must be named migration.csv for the script to run successfully.
Page 60
Figure 2-19: Preparing files for the migration
Open a PowerShell console and run the ExportO365UserInfo.ps1 script.
[PS] C:\Admin> .\ExportO365UserInfo.ps1
You will be prompted to enter your Office 365 administrator credentials. After authenticating the script will
collect the required information and output it to a file named cloud.csv.
The next step is to run the Exchange2007MBtoMEU.ps1 script. This script takes the information in cloud.csv
and uses it to update attributes on the on-premises user objects, and then converts them from mailbox users
to mail users.
The script uses Exchange cmdlets, so it needs to be run from an Exchange Management Shell console. The
name of a domain controller must also be specified.
Warning: Do not run this script until the mailbox has been successfully migrated to Exchange Online.
At this stage, the user can no longer connect to the on-premises mailbox with Outlook because it has been
removed. The Outlook profile must be recreated so that it is configured to connect to Office 365.
When the new Outlook profile is created the user will be prompted for their Office 365 credentials to connect
to Exchange Online. With password synchronization enabled on the directory synchronization server the
credentials the user enters will be the same as their on-premises credentials – their UPN/email address, and
their password.
Note: To make it easier for end users to remember their username for logging in to Office 365 services
it is recommended to match their UPN with their email address.
Based on the targetAddress attribute of the mail user, which refers to the service domain for the Office 365
tenant (e.g., “alan.reid@office365bootcamp.onmicrosoft.com”), Autodiscover will reconfigure the Outlook
profile to connect to Exchange Online. You can verify that this has occurred by looking at the server name for
the profile. Instead of your previous Exchange server name you will now see a string of characters that looks
like an email address (Figure 2-20).
Page 61
Figure 2-20: Checking the user profile
One more restart of Outlook may be necessary to complete the reconfiguration. If the Outlook profile is not
recreated Outlook will display error messages when it launches. To fix the problem, the easiest solution is to
recreate the user profile as described earlier.
Page 62
Chapter 3: Managing Office
365 Addressing
All mail-enabled recipients must have a routable email address to allow them to receive email. But unless
users know the email address of an intended recipient, they cannot send messages to them. Inside cloud-only
deployments, Azure Active Directory obviously plays a huge role for Office 365 tenants as the source for
authentication and repository for information about objects, including mail-enabled recipients. The situation
is more complicated with hybrid deployments where the on-premises Active Directory is authoritative and the
source for authentication when Active Directory Federation Services is deployed.
Users access directory information through address books, otherwise known as address lists. You do not have
to do anything to provide address books to users as Exchange Online will generate all the necessary data in
the right format at the right time. But you can exert a certain amount of control over what is in the address
books through the features discussed in this section:
• Email Address Policies.
• Address Lists.
• Offline Address Book (OAB).
• Hierarchical Address Book (HAB).
• Address Book Policies.
These features are supported in both Office 365 and on-premises Exchange. If you are involved in a hybrid
deployment, to avoid user confusion, you must make sure that the features are used in the same way on both
sides.
Page 63
RecipientFilter : Alias -ne $null
LdapRecipientFilter : (mailNickname=*)
LastUpdatedRecipientFilter :
RecipientFilterApplied : False
IncludedRecipients : AllRecipients
RecipientContainer :
RecipientFilterType : Precanned
Priority : Lowest
EnabledPrimarySMTPAddressTemplate : @office365itpros.onmicrosoft.com
EnabledEmailAddressTemplates : {SMTP:@office365itpros.onmicrosoft.com}
DisabledEmailAddressTemplates : {}
HasEmailAddressSetting : True
HasMailboxManagerSetting : False
NonAuthoritativeDomains : {}
AdminDescription :
ManagedByFilter :
ManagedByLdapFilter :
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Policy
This policy makes sure that every mail-enabled object has a valid SMTP address. Its priority is “lowest”, which
indicates that it is applied last. The policy is valid for all object types (the IncludedRecipients setting is
AllRecipients) providing they have an email alias (RecipientFilter looks for any object with a non-blank alias).
Finally, the EnabledEmailAddressTemplates setting determines the email domain that will be combined with
the object alias to create a valid SMTP address. As you can see, the domain used is the tenant’s sub-domain of
“onmicrosoft.com”. All of this means that if the alias is “Test”, the resulting email address will be
Test@office365itpros.onmicrosoft.com).
This command creates a new email address policy to ensure that any group created by a user covered by the
filter specified (Department equals “Marketing”) gets two email addresses as defined by the
EnabledEmailAddressTemplates property. Assuming that the group name is Football, the addresses are:
• Football@marketing.Office365ITPros.com. This is the primary address (we know this because SMTP is
uppercase in the template address) and is stamped onto outbound messages from the group.
• Football@anotherdomain.com (secondary as indicated by the lowercase smtp prefix).
The domains defined in the EnabledEmailAddressTemplates setting must belong to the tenant and be
configured as an accepted domain. In addition to the addresses assigned by policy, Exchange Online also
gives the group an address belonging to the tenant’s service domain (tenant.onmicrosoft.com).
Page 64
The email address policy is given priority 1, meaning that it is applied first before other policies. You can have
multiple policies, each with a different priority from 1 down, each applying to a separate set of users (for
example, different departments). If you want to have a catch-all policy to assign groups with an address from
a specific domain owned by the tenant, create a policy without a filter. For example:
[PS] C:\> New-EmailAddressPolicy -Name AllOtherGroups -IncludeUnifiedGroupRecipients
-EnabledPrimarySMTPAddressTemplate "SMTP:@Office365ITPros.com" -Priority 3
Make sure that the catch-all policy has a lower priority than any policy that contains a filter. In this case, we
only want groups to have a primary SMTP address, so we can use the EnabledPrimarySMTPAddressTemplate
parameter instead of EnabledEmailAddressTemplates as used above to assign multiple SMTP addresses to a
group.
If you introduce a new vanity domain to your tenant, you can update the email address policies with the Set-
EmailAddressPolicy cmdlet. For example:
[PS] C:\> Set-EmailAddressPolicy -Identity AllOtherGroups -EnabledPrimarySMTPAddressTemplate
"@Office365ITPros.com"
Creating new email address policies does not affect the SMTP addresses for groups that already exist. In other
words, there’s no way to retrospectively update Office 365 Groups with email addresses except by doing so
individually or by writing some PowerShell to find all the groups that you want to process and then add a new
address to them. In the same way, removing an email address policy with the Remove-EmailAddressPolicy
cmdlet leaves addresses that are stamped on groups in place.
Page 65
[PS] C:\> Set-Mailbox –Identity TRedmond –EmailAddresses
@{Add="Tony.Redmond@Office365ITPros.com"}
However, you might want to ensure that the primary SMTP address is set to the address in the chosen format.
In this case, you might rewrite the entire set of addresses and indicate which address is primary. For example,
this snippet overwrites whatever addresses exist for a mailbox and adds three new addresses. The first one
(prefixed with SMTP – capitalization is important) becomes the primary email address.
[PS] C:\> Set-Mailbox –Identity TRedmond –EmailAddress
SMTP:Tony.Redmond@Office365ITPros.com,tony@Office365ITPros.com,tredmond@Office365ITPros.com
The third method of attacking the problem is to update the WindowsEmailAddress attribute. This will update
the primary SMTP address for the object with the address passed to WindowsEmailAddress and retain the
previous primary SMTP address in the list of proxy addresses held in the EmailAddresses attribute. For
example, these PowerShell commands update the WindowsEmailAddress attribute for the mailbox belonging
to Ben Owens. We can see the value for PrimarySMTPAddress before and after the update. The old primary
address is now in the list of proxy addresses, which is what we want because mail can continue to be delivered
to the old address.
[PS] C:\> Get-Mailbox –Identity 'Ben Owens' |
Format-List PrimarySMTPAddress, WindowsEmailAddress
PrimarySMTPAddress : Ben.Owens@Office365ITPros.com
WindowsEMailAddress: Ben.Owens@Office365ITPros.com
PrimarySmtpAddress : B.J.Owens@Office365ITPros.com
WindowsEmailAddress : B.J.Owens@Office365ITPros.com
EmailAddresses : {SMTP:B.J.Owens@Office365ITPros.com, smtp:Ben.Owens@Office365ITPros.com,
SPO:SPO_4e030ae4-12bf-49d3-951b-dd4c9158ca8f@SPO_b662313f-14fc-43a2-9a7a-d2e27f4f3478,
SIP:Ben.Owens@Office365ITPros.com...}
You can’t set the WindowsEmailAddress property for an Office 365 Group because it is not supported for these
objects. Use the Set-UnifiedGroup -PrimarySmtpAddress command instead if you need to change the primary
SMTP address for an Office 365 Group.
Proxy addresses exist for many reasons. Some are used by applications, some to route email, and some to
preserve old email addresses for previous email domains. For instance, if your company has been through a
merger or acquisition, it’s likely that a new email domain is created for the new company. To make sure that
the addresses for the old email domain can still be used to deliver messages to recipients, they are retained as
proxy addresses. The usual rule is that the older a mail-enabled object is, the more likely it is to have a large
number of proxy addresses. The documented maximum number of proxy addresses supported for a mail-
enabled object in Exchange Online is 400. Although you can exceed this number, it is unwise to go past 400 as
you will eventually hit a hard limit. The exact limit depends on the size of the proxy addresses. Because a
similar restriction does not exist for on-premises mail-enabled objects, this raises the issue of what happens
when on-premises mail-enabled objects are synchronized to Office 365. The answer is that the objects might
not synchronize properly. With this in mind, it is a good idea to check whether any on-premises mail-enabled
objects exist that might need to be adjusted. You can identify potentially problematic objects with the
following command:
[PS] C:\> Get-Recipient | Where {($_.EmailAddresses).count -gt 400} | Format-Table DisplayName,
Alias, RecipientType
It is quite common to find that mailboxes and other mail-enabled objects have multiple email addresses,
especially when the tenant owns multiple domains. An object might have twenty or more valid email
Page 66
addresses, in which case it's probably easier to input a new address via the Office 365 Admin Center by
editing the email properties of an account as shown in Figure 3-1. All of the secondary addresses are equally
valid in terms of routing messages to the right object. The address on any message arriving into Exchange
Online is validated against Azure Active Directory to determine whether it can be delivered and the scan
includes all secondary addresses. The primary email address and username are the same, which is the best
practice for Office 365 deployments. The primary address is the one used as the reply-to address for
messages sent by the user.
Page 67
Business sites generate sharing notifications that are sent to the people with whom the content is shared. The
notifications can be found in the Sent Items folder of the sharer’s mailbox.
Using EWS in this manner means that the notifications are less likely to be picked up as spam and suppressed
by junk mail filters. The reason why a special address of such an odd format is used is that it makes it less
likely that regular mailbox maintenance will ever attempt to interact or interfere with the addresses, which are
after all, owned by SharePoint Online. For more information, see Microsoft KB3134824.
Address Lists
The Global Address List (GAL) is the best-known example of an address list and is the one that receives most
use because it includes all mail-enabled recipients. Exchange Online provides other standard address lists:
• All rooms: All room mailboxes.
• All users: All mailboxes – including, shared, and resource (room and equipment) mailboxes (but not
Office 365 group mailboxes).
• All distribution lists: All standard and dynamic distribution groups, including Office 365 Groups.
• All contacts: All mail-enabled contacts.
• All groups: All Office 365 groups. The recipient filter still refers to these objects as “group mailboxes”.
• Offline Global Address List: The GAL as downloaded and made available for offline use by Outlook
clients. Mail-enabled public folders are included in this address list.
• Public Folders (an address list generated on-premises when in a hybrid deployment).
The “Offline Global Address list” address list is not used in current Exchange on-premises deployments.
An address list is created by applying an OPATH query to find objects in Azure Active Directory. The OPATH
query specifies the properties that are used to locate the desired objects. You can see the query used for an
address list by running the Get-AddressList cmdlet. For example, here is the query used for the Offline Global
Address List. An account needs to be assigned the Address Lists RBAC role before you can run any of the
Address List cmdlets. We’ll cover how an account is assigned this role shortly.
[PS] C:\> Get-AddressList –Identity "Offline Global Address List"
RecipientFilter : ((Alias -ne $null) -and (((((((((((ObjectClass -eq 'user') -or (ObjectClass
-eq 'contact'))) -or (ObjectClass -eq 'msExchSystemMailbox'))) -or (ObjectClass
–eq msExchDynamicDistributionList'))) -or (ObjectClass -eq 'group'))) -or (ObjectClass
-eq 'publicFolder'))))
This query finds all users, contacts, system mailboxes, distribution groups, Office 365 groups, and public
folders.
Users access address lists through the address book option in Outlook or the Directory section of the OWA
People option. Mobile clients do not typically offer an option to browse the directory through address lists as
the nature of the interaction between a mobile client and the server is designed to minimize communication.
Instead, mobile clients are able to search the directory for a specific recipient.
Often the need arises to create a separate address list, perhaps to identify recipients in a specific business unit
or location. Exchange Online supports up to 1000 address lists per tenant but does not include functionality in
the EAC to manage address lists so the work to create a new address list has to be done with PowerShell.
Page 68
assigned by default to any administrative role group, so the first task is to include the role in a suitable role
group. Follow these steps:
1. Open the EAC and click Permissions.
2. Click Admin roles.
3. Select the role group that you want to amend. “Organization Management” is a good choice as it is
the usual role group assigned to tenant administrators. Click the Pencil icon to edit the role group.
4. Add the “Address Lists” role to the set of roles included in the Organization Management role group
(Figure 3-2) and then save the change.
5. Alternatively, you can create a new management role group that includes the Address Lists role and
use the new group to assign permission to accounts to work with address lists.
Figure 3-2: Adding the Address Lists role to the Organization Management role group
Now start PowerShell and connect your session to Office 365. When you connect, RBAC will load all the
cmdlets assigned to the role groups that you belong into the PowerShell session, including the Address Lists
cmdlets (New-AddressList, Get-AddressList, and Remove-AddressList). If these cmdlets are not available in your
session, the change to add the Address Lists role to the role group that you updated did not work.
Page 69
Microsoft recommends that the fifteen custom attributes provided by Exchange Online for mail-enabled
objects are used as the basis for recipient filters because they are consistent across all recipient types, but you
can use any recipient filter you like as long as it works and finds the objects that you want to include in the
address list. Note that not all properties are filterable.
After a couple of minutes, you should be able to sign into OWA, access People, and see the new address list
under “Directory” – and better again, if the recipient filter works and the right information has been populated
about the objects you want to display, you will see a populated list. The last point is important – address lists
can only work if Exchange Online can locate objects by using the filter criteria you specify to execute the
query against Azure Active Directory. If an object is missing some value, then it won’t be found. For instance, if
a user doesn’t have “Ireland” in their StateOrProvince property, then they won’t appear in the “Ireland Users”
view (queries executed by a RecipientFilter are not case sensitive).
Because Exchange Online does not support the Update-AddressList cmdlet, objects that already exist might
not show up in the new address list. The reason is that address list membership is evaluated when an object
changes, so any recipients that should be in the list already exist in the directory will not appear until the next
time that their object is updated (by EAC, Office 365 Admin, or PowerShell). Microsoft says that this is “by
design” and it’s understandable in some respects because Microsoft clearly wants to avoid processing
operations that could be resource-intensive and impact multiple tenants. Address list updates, especially for
large tenants, fall into this category. If you want to be sure that a new address list is correctly populated, you
have to force this by updating all of the objects that should be in the list. Once again, this has to be done in
PowerShell.
For example, these steps use the recipient filter for the address list that we just created to locate all of the
users that come under the scope of the recipient filter and then update a custom attribute for each mailbox to
force Exchange Online to update the mailbox's address list membership. You don't have to write the word
"Updated" into the attribute as all we're doing here is forcing Exchange Online to re-evaluate the address lists
that the object belongs to. Some administrators like to write the date and time into the attribute as in
"Updated: 26-Apr-2015 10:00". Before selecting an attribute to use to hold update information, it’s a good
idea to validate that the attribute is not used for another purpose.
[PS] C:\> $Filter = (Get-AddressList –Identity "Ireland Users").RecipientFilter
These commands work because the address list only includes mailboxes. Other code would be required if
different recipient types were included in the list. This update is only necessary to include pre-existing
recipients into an address list. Recipients who are subsequently created will be evaluated for address list
membership at that time and their AddressListMembership property will include all of the address lists to
which they belong.
Because of the lack of a GUI and any assistance to navigate the OPATH syntax, it can be difficult to create a
satisfactory recipient filter. One workaround is to create a dynamic distribution group with a filter for the same
recipient set that you’d like to use in an address list and then reuse the filter. You can extract the filter for a
dynamic group to a variable with a command like:
[PS] C:\> $Filter = (Get-DynamicDistributionGroup –Identity "Dynamic User").RecipientFilter
Then, use the $Filter variable as input to either the New-AddressList or Set-AddressList cmdlets to create a new
address list or modify an existing address list.
Page 70
Offline Address Book (OAB)
The OAB is a point-in-time version of the Global Address List made available for download by Outlook clients
for use offline. Outlook clients configured to use cached Exchange mode use the OAB for address validation
and directory lookup. By comparison, other clients use the online GAL when they need directory information.
All mail-enabled recipients in the directory, except receipients whose HiddenFromAddressListsEnabled property
is set to $True, are included in the OAB.
In an on-premises deployment, it is normal to generate the OAB daily and that's what happens in Exchange
Online too. However, unlike on-premises organizations, an Office 365 tenant cannot force the generation of
the OAB and must wait for Exchange Online to run the OAB generation process, which is sometimes delayed
due to server load. Depending on the age of the OAB files present on a client and the percentage of change
within the directory, a download is either a set of six files containing delta changes to bring the client’s copy
of the OAB up to date or a complete copy of the OAB. The latter is only used if the client’s OAB has not been
updated for more than 30 days or more than 12.5% of the objects in the directory have been updated. This
can happen if the organization is in the middle of a change like a corporate acquisition or merger or indeed
when mailboxes are being migrated to Office 365.
OAB updates occur using an Outlook background thread. Users are usually unaware that they have happened.
The most common complaint is that a new user or other mail-enabled recipient is not present in the OAB, a
fact that is easily accounted for because new objects do not appear in the OAB until after Exchange Online
next generates OAB updates. A further delay occurs until the client downloads and applies the OAB updates.
Users can force an OAB update by selecting Download Address Book from Outlook’s Send/Receive menu,
but the client can only download the available OAB updates, which might not include new recipients.
However, if the user knows the SMTP address of the new user, they can use that to address messages.
Alternatively, they can access the online Global Address List in Outlook’s address book or use the People
section of OWA to look up the online directory for recipient details.
Page 71
You can change the attributes contained in the OAB by running the Set-OfflineAddressBook cmdlet
and specifying the set that you’ll like to have. Each attribute has a qualifier to indicate its use. The
qualifiers are “ANR”, indicating that it can be used for ambiguous name resolution (when several
objects have the same value in the attribute), “Value”, indicating that the attribute contains whatever
is in the directory and is not indexed, and “Indicator”, meaning that a restriction might be in place that
prevents the delivery of a message to the recipient (such as they only accept messages from specified
users).
• DiffRetentionPeriod : The number of days that delta changes (differences) files are retained by
Exchange Online for clients to copy.
• Name: This will be “Default Offline Address Book” unless you have created additional OABs for use
with Address Book Policies.
Although you can create and modify new OABs, unlike Exchange 2013 or Exchange 2016, Exchange Online
does not allow you to assign a different OAB to a mailbox by running the Set-Mailbox cmdlet. In addition, you
cannot make a new OAB the default OAB. The only way that a customized OAB can be provided to a user is
through Address Book Policies.
Clients fetch photo information from the mailbox when working online. Because Outlook can work offline, it
needs a mechanism to store thumbnails locally, which is the OAB. The default configuration of the OAB marks
the ThumbnailPhoto attribute with an Indicator flag, meaning that it is only available online and is not
downloaded. If you want to create an OAB that includes the thumbnails, you can do this by changing the flag
to be "Value" instead as shown below. This is acceptable in small tenants where downloading photo data is
unlikely to make a lot of difference to the overall size of the OAB, but it is not a good idea for larger tenants
where it might create a severe case of “OAB bloat.“
[PS] C:\> $Attributes = (Get-OfflineAddressBook -Identity "\Default Offline Address
Book").ConfiguredAttributes
[PS] C:\> $Attributes.Remove("ThumbnailPhoto, Indicator")
[PS] C:\> $Attributes.Add("ThumbnailPhoto, Value")
[PS] C:\> Set-OfflineAddressBook -Identity "\Default Offline Address Book"
-ConfiguredAttributes $Attributes
Page 72
The changes made to the OAB configuration are effective the next time Exchange Online updates the OAB. In
addition to creating a larger OAB, making a change that might affect many OAB records creates the possibility
that Outlook clients will have to download a complete copy of the OAB the next time they connect.
Page 73
[PS] C:\> Set-OrganizationConfig –HierarchicalAddressBookRoot HAB-CEO
• Assign the seniority index to all of the groups that make up the HAB and set the flag to tell Exchange
Online that the group forms part of a hierarchy. Using the information described in Table 3-1, this
means that the following commands are needed (the alias for each group is used to identify it rather
than its display name).
[PS] C:\> Set-Group –Identity HAB-CEO –SeniorityIndex 1 –IsHierarchicalGroup $True
After these tasks are complete, you have to wait for Exchange Online to update the OAB before you can
download the updates to Outlook and check whether the HAB works as planned. If everything is in order, you
should now find that two tabs are available in the Address Book. The traditional OAB is available through the
“Name List” tab and the HAB through the “Organization” tab. As you can see in Figure 3-3, the HAB is
organized in the seniority levels that were previously defined and the members of each level are displayed.
Page 74
The individual members of the group used to form each level are ordered alphabetically. You can affect the
sort order in two ways:
1. Assign a seniority index value to individual objects. The seniority index takes precedence and the sort
order is descending from 100. The most important user in a group should be therefore assigned a
seniority index of 100 and those who are less important should be assigned smaller values.
[PS] C:\> Set-User –Identity "David Pelton" –SeniorityIndex 100
2. If seniority index values are not assigned, Outlook uses the phonetic display name if it exists. A
phonetic display name was originally intended for use in the Exchange Unified Messaging system as it
allowed administrators to provide a phonetic form of a user’s name to help the UM Attendant sound
the name properly in the greeting heard when someone calls their mailbox.
[PS] C:\> Set-User –Identity "MVanHorenbeeck" –PhoneticDisplayName "Michael Van Hybrid"
It’s clear that many interesting office political games could be played by a tenant administrator who
selectively alters the seniority index for users.
Organizing by job level is one way to create an HAB. Another way is to build it via organizational units with
the root of the organization provided by corporate HQ and then the various divisions and units underneath.
Table 3-2 illustrates an example organization. Note that in this instance the hierarchy is more complex
because multiple units exist with the same seniority level.
Seniority
Index
Corporate HQ 1
Divisions 2
Manufacturing 3
VP Office 4
Production 4
Engineering 4
Human Resources 3
HR management 4
Corporate Finance 3
Accounting 4
Budgets 4
Forecasts 4
Table 3-2: Charting an organizational layout for a HAB
Page 75
Figure 3-4: A hierarchical address book organized by company departments
The same approach is taken to build this form of HAB. Establish the distribution group for the root and the
groups needed to define the levels underneath. Define the root for the HAB and the seniority level for each
group within the hierarchy and wait for Exchange Online to update the OAB. Figure 3-4 illustrates the kind of
HAB that results. Note the sort order in this example. David Pelton is assigned a seniority index to move him
to the top of the list and the other entries are sorted alphabetically.
ABPs were originally introduced to handle scenarios where the on-premises version of Exchange is deployed
for hosting purposes and you don’t want the users from one customer to see the users belonging to another.
Of course, Office 365 is a hosted environment and the segmentation already exists between tenants insofar as
the users belonging to one tenant cannot see the users belonging to another. Even so, ABPs can still be a
useful method to provide a customized view of a tenant to a targeted group of users as in the example found
in schools or colleges where administrators want to provide one view of the directory to students and a
completely different view to teachers and other employees. Although Exchange Online supports ABPs, the
interface available in the version of the EAC used by on-premises Exchange is not provided. All of the work
done to implement and manage ABPs has to be done through PowerShell.
Page 76
Admin Center, select Teams settings, and then toggle the switch for Scope directory search in Teams using
an Exchange address book policy to On. After a short pause to allow cached data to clear, Teams will
respect the address book policy setting for user mailboxes and only allow users to see the organizational
information available to their assigned policy.
Just like Exchange users can communicate with people outside their ABP by entering the SMTP address of a
recipient, the use of ABPs in Teams is not a complete block. For instance, the membership of teams that
someone belongs to might include people inside and outside the scope of an ABP (including org-wide teams).
Any member of a team can select another member and chat without them without hindrance, perhaps after
browsing the full membership of the team with the Manage team menu option.
Remember that Teams is designed to foster communication, not stop it, and ABPs are not intended to be a
full block on interpersonal communication between different sections of an organization. Other methods like
transport rules exist for that purpose in email, and if you want a full block in Teams, you;ll use Information
Barriers.
If the expected set of recipients are not returned you know that either:
Page 77
• The recipient filter is incorrect, or
• The underlying data does not contain the values that are needed by the filter. In our case it means
that “Engineering” has not been input to CustomAttribute10 for some of the objects we expect to
find.
After creating our type-specific address lists, we now create a GAL and an OAB based on that GAL.
[PS] C:\> New-GlobalAddressList –Name "Engineering GAL" –RecipientFilter
{(CustomAttribute10 –eq "Engineering")}
The Update-OfflineAddressBook cmdlet is unavailable in Exchange Online, so we will have to wait for the OAB
generation assistant to generate the new OAB during its regular workcycle processing. Finally, we can bring
everything together by creating an ABP for the engineering department.
[PS] C:\> New-AddressBookPolicy –Name "Engineering ABP" –AddressLists "Engineering-Users",
"Engineering-Rooms", "Engineering-Contacts" –OfflineAddressBook "\Engineering OAB"
–GlobalAddressList "Engineering GAL" –RoomList "\Engineering-Rooms"
Figure 3-5: OWA directory view when under the control of an ABP
We now have an ABP but we still need to make it effective by assigning the new policy to users. Pick one user
to test things on and assign it to them by running the Set-Mailbox command or by editing their record
through the EAC (the ABP assignment is under “Mailbox features”).
[PS] C:\> Set-Mailbox –Identity "Kim Akers" –AddressBookPolicy "Engineering ABP"
Figure 3-5 illustrates what we expect to see. A limited number of users are shown in the directory and the
three specific Engineering address lists are listed. Another example is shown in Figure 3-6 where an ABP is
used to restrict access for Teams users. In this instance, the user tries to chat with someone who is outside the
scope of the ABP. Teams fails to find the intended correspondent in the ABP and signals an error.
Page 78
Figure 3-6: An ABP restricts access to the drectory for a Teams user
It is important to note that ABPs do not erect barriers to prevent users communicating with one another.
Another mechanism is necessary if you need to stop specific user groups sending mail to each other, such as
the ethical firewalls that can be constructed using transport rules.
Note that you cannot remove an ABP if it is assigned to mailboxes. To find and remove an ABP from
mailboxes, use the Get-Mailbox cmdlet to find the mailboxes and Set-Mailbox to remove the property:
[PS] C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -Filter {AddressBookPolicy -eq "Engineering
ABP"} | Set-Mailbox -AddressBookPolicy $Null
Page 79
Chapter 4: Managing Hybrid
Connections
A hybrid connection is a deployment model where an existing on-premises environment runs seamlessly
alongside a cloud solution like Office 365 so that end users see an integrated environment. Microsoft first
delivered hybrid connectivity between on-premises Exchange and Exchange Online in Exchange 2010 Service
Pack 1. Since then, the ability to deliver unified address lists, mail flow, and other functionality across on-
premises and cloud services has proven to be a very important competitive and operational feature of Office
365 and has allowed customers to move millions of mailboxes between the two environments. More recently,
Microsoft added support for other workloads to function in a hybrid deployment, such as Skype for Business
and SharePoint.
The success of the hybrid model for Exchange is undoubted and many organizations have used hybrid
connectivity as a transit method to get to the cloud. At the Ignite conference 2017, Microsoft said that 70% of
hybrid customers have moved all mailboxes to the cloud. They also said that the average number of on-
premises mailboxes running in hybrid configurations is 105. The low average surprised many, but it probably
means that many small tenants have completed moving to Exchange Online and have just a few mailboxes
left on-premises. On the other hand, the hybrid model is here to stay as many large enterprises consider it
essential to preserve the choice of having mailboxes on-premises or in the cloud.
Hybrid Workloads
Exchange
Today, two types of hybrid Exchange deployments exist: a "full" hybrid connection and a "minimal
configuration." Unlike other migration methods, a full hybrid connection is not a short-term solution to
migrate mailboxes between Exchange on-premises and Exchange Online. Maintaining a hybrid connection
enables you to keep some of your mailboxes on-premises while others stay in Office 365, and it is the only
migration type that allows you to move mailboxes back to an on-premises server. Hybrid connectivity is a
unique selling point for Microsoft because other cloud platforms do not offer companies the chance to keep
some workload on-premises.
The following features are available in a hybrid configuration:
• Move mailboxes in and out of Exchange Online using built-in tools. As discussed later, a huge benefit
of a hybrid mailbox move is that it does not need Outlook's offline cache to be resynchronized after
the mailbox is moved to or from Exchange Online.
• Almost seamless co-existence between Exchange Online and one or more on-premises Exchange
organizations (over a longer period). Among other benefits, mail can flow securely between the
different platforms and users can share Free/Busy information. Note that “full” hybrid connections
with multiple on-premises Exchange organizations are only supported from Exchange 2013 SP1
onwards.
• Cloud-based archiving for on-premises mailboxes, also known as Exchange Online Archiving.
• Simplified administration using a single Exchange admin console or PowerShell.
• Transfer of configuration settings from Exchange on-premises to Exchange Online.
Page 80
Because of the advantages that it offers over other migration options, many organizations deploy a hybrid
connection solely for moving mailboxes to Office 365. Originally, the only choice was to deploy a full hybrid
connection, which meant that all the hybrid features were enabled as part of the configuration process,
whether a tenant needed them or not. To reduce the configuration effort for customers that only need to
(quickly) move mailboxes in/out of Exchange Online, without the need for elaborate coexistence capabilities,
Microsoft introduced the "minimal hybrid configuration" option. Unlike the full version, the minimal hybrid
configuration only configures the essentials to enable a customer to move mailboxes to and from Office 365.
Although most the work to set up and run a hybrid connection is executed within the on-premises Exchange
organization, maintaining a successful connection to Office 365 involves other components that might be new
to the Exchange administrator. One of these is Directory Synchronization, which plays a significant role in
making sure that both sides of a hybrid deployment have the same information to work with. This chapter
discusses the various features and components of a Hybrid deployment and explains how everything fits
together. We also walk through the configuration of a Hybrid connection using the Hybrid Configuration
Wizard.
SharePoint
SharePoint Server 2013 and later allow you to configure a hybrid connection with Office 365. Like Exchange, a
hybrid SharePoint connection enables a customer to migrate to Office 365 at their own pace. Following the
footsteps of the former, hybrid connectivity through SharePoint Server 2016 now also uses a configuration
wizard, which largely automates the configuration process.
In a hybrid configuration, some SharePoint workloads run on the on-premises SharePoint servers while other
workloads move to SharePoint online. For example, you can host users’ personal OneDrive for Business sites
in Office 365 while keeping other SharePoint sites hosted on-premises. The following features are available in
a hybrid configuration:
• Hybrid Search is one of the major benefits of a hybrid SharePoint connection. Instead of using
federated queries (forwarding search queries cross-premises) as in previous version of SharePoint, the
search service (and crawler) now stores indexes and relevant information directly in Office 365. Not
only does this increase the relevance and speed of the searches, but also makes the discovered
information available to the Office Graph and Delve.
• When a user follows a site, a link is added to the user's Followed Sites-list. Without a hybrid
connection, lists for both locations might be different. With SharePoint hybrid, the information from
both locations are consolidated in SharePoint Online to make a single list available to the user
containing links to resources in both locations.
• The Self-Service Site Creation feature automatically redirects users the online version of the
SharePoint Online Group Creation page, allowing users to directly create sites in SharePoint Online.
• Although profiles exist in both locations. SharePoint on-premises redirects user profile links to their
profile location in SharePoint Online.
Express Migrations
The minimal hybrid configuration also underpins the Express Migration option, which can be initiated from
the Office 365 Admin portal by navigating to Users > Data Migration, and from there choosing Exchange.
If you have not setup a hybrid connection before, you will be asked to download and run the Hybrid
Configuration Wizard. Once the wizard starts, you should choose the minimal hybrid configuration option.
While running the HCW, on the User Provisioning page, you have the choice to select Synchronize my users
and passwords one time. When you do so, Azure AD Connect will be downloaded and prompt you to install
using the Express Settings configuration option. Once successfully installed, your directory will synchronize to
Azure AD and provision user accounts. After that, directory synchronization is disabled; leaving you with a
cloud-only accounts.
Page 82
This option offers a great alternative to solutions like a Cutover migration, as mailbox are now moved to
Office 365 using the Mailbox Replication Service. As such, you can preserve the Outlook profile (and cache) on
client computers, greatly improving the efficiency on the network and end user experience.
The added benefits come at a small price though: you not only need to run the HCW, but you also must install
Azure AD Connect as part of the process. Although experience shows that most of the times this all goes
according to plan, the directory synchronization process itself can generate some added problems when you
have conflicting objects in your on-premises directory etc. In such case, not all your users are (correctly)
synchronized to Azure AD, and mailbox moves for those users will not be possible.
The Express migration option also comes with some limitations/challenges:
• Only a single migration endpoint is supported.
• Although you can create multiple migration batches, they will only be executed one at a time. This
means that the time to complete mailbox moves can be considerably longer over a regular hybrid
deployment (where multiple batches can be executed at the same time)
• You must assign a license to the user, before trying to migrate the mailbox
• During the initial synchronization, the user’s password is synchronized once to Office 365 as well. If
the user decides to change their password in the on-premises organization before the mailbox has
been moved to Office 365, that change will not be reflected in Azure AD and can therefore cause
some confusion; the password the user must use to login to his mailbox in Office 365 is still the same
as his previous on-premises password.
Some of the limitations clearly show that the Express migration option is not targeted at large, complex
environments with a large number of users, or multiple datacenters which only increase the risk of running
these limitations. Instead, it is a valuable alternative for smaller environments with perhaps only a handful to a
few tens of users, where the on-premises Active Directory is very unlikely to yield conflicts.
Page 83
Figure 4-1: ExchangeGUID on-premises before mailbox move
Migration Endpoints
When creating a migration batch, the wizard verifies if it can connect successfully to the on-premises
migration endpoint. If a connection cannot be established, you'll see an error message: "The connection to
the server '<endpoint>' could not be completed." There are many reasons why the inbound connection
might fail and the error message provides little information as to what might be causing the problem. For
instance, the proper DNS records might not have been configured, there might be a networking issue, or
perhaps the MRS Proxy has not been enabled properly.
Page 84
To figure out what might have happened, you can use the Test-MigrationServerAvailability cmdlet (part of
PowerShell for Exchange Online) to test the on-premises endpoint using the same code as the New Migration
Batch Wizard does. The output of the cmdlet might reveal more information to the cause of the failure.
PS C:\> Test-MigrationServerAvailability -RemoteServer webmail.exchangelab.be -ExchangeRemoteMove
-Credentials (Get-Credential)
RunspaceId : 67af4669-b1d9-4403-aef3-cd50c72f72da
Result : Failed
Message : The connection to the server 'webmail.exchangelab.be' could not be completed.
ConnectionSettings :
SupportsCutover : False
ErrorDetail : Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The
connection to the server 'webmail.exchangelab.be' could not be completed. --->
Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The Mailbox Replication
Service was unable to connect to the remote server using the credentials provided. Please check the
credentials and try again. The call to 'https://webmail.exchangelab.be/EWS/mrsproxy.svc' failed.
Error details: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The
authentication header received from the server was 'Negotiate,NTLM'. --> The remote server returned
an error: (401) Unauthorized.. --> The HTTP request is unauthorized with client authentication
scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. --> The
remote server returned an error: (401) Unauthorized.
...
If needed, the administrator can make changes to the migration endpoint using the Set-MigrationEndpoint
cmdlet.
Real World: A frequent problem with migration endpoints is that each migration endpoint is configured with
an account that is used to set up a connection with the on-premises environment. If the password for the
account changes, but the endpoint is not updated in Office 365, the above error message appears, and
there's nothing that indicates it is because of an expired password.
Sometimes it might be necessary to define added migration endpoints. For instance, when you have multiple
offices in different regions that each have some Exchange servers with mailboxes. In such case, the default
migration endpoint points to Client Access Servers in one region, but the mailboxes that must be moved
might be in a different region. If the default endpoint is used to start the mailbox move, the WAN link
between the regional offices carries the migration load. Often these WAN links (or the utilization thereof) are
costly and perhaps not capable of carrying such a heavy amount of data. In these circumstances, it would be
more sensible to connect directly to the Exchange servers in the regional office.
Creating a new migration endpoint, which defines a different endpoint URL, allows an administrator to select
this endpoint for a given migration batch and thus ensure that the inbound MRS connection is made to the
Exchange Servers closest to the mailboxes that must be moved. For example, the code below shows how to
use PowerShell to create a new migration endpoint using the New-MigrationEndpoint cmdlet and specifying
the different endpoint FQDN in the RemoteServer property. Alternatively, you can create a new endpoint
through the migration section of the EAC.
[PS] C:\> New-MigrationEndpoint –Name "Endpoint 2" –ExchangeRemoteMove
–RemoteServer target.domain.com –Credential (Get-Credential)
Communications with the migration endpoint must happen securely over SSL. This means that when defining
a new migration endpoint, you must make sure that a valid certificate is used on the Exchange server: the
hostname must be covered by the certificate and the certificate must be issued by a trusted third-party
certification authority. If already available, you can also use a wildcard certificate.
Real World: Although Microsoft officially supports only a handful of certification authorities, you will find
that certificates from many other certification authorities not on the list will also work. Keep in mind that,
when you purchase such a certificate, you have no guarantee it will work as expected. I’ve rarely come across
Page 85
a certificate did not work for securing HTTPS communications, regardless of the certification authority that
issued it. On the other hand, I’ve seen numerous cases where certificates from non-supported authorities
caused all sorts of problems related to secure mail flow.
It is common to find that a migration endpoint connects to a set of load-balanced Exchange servers. Although
this configuration is suitable for many Exchange workloads, mailbox moves to Office 365 can be negatively
impacted for the following reasons:
• In a set of load-balanced Exchange 2010 servers, session affinity must be maintained. This means that
once an incoming connection has been established with a specific Exchange server, all subsequent
communication should be routed to that same Exchange server. Thus, all connections coming from
Office 365 are likely to be routed to a single Exchange server. This is especially true when you use the
source IP as the identifier for an incoming connection; most mailbox moves initiated by Office 365 will
be coming from the same set of IP addresses. So, when all traffic is routed to a single Exchange
server, that server can become a bottleneck and significantly slow down mailbox moves. Additionally,
if the incoming connection is transferred to another Client Access server, for example because affinity
was setup incorrectly, mailbox moves can stall and even fail completely.
• Exchange 2013 and 2016 do not need a load balancer to have session affinity. This means that
incoming connections can switch from one Exchange server to another, a desirable situation to ensure
fault tolerance when mailboxes might move within a Database Availability Group. When a switch
occurs, the connection must be re-authenticated and any operation that was in progress must be
resumed or restarted. If a switchover affects the server that is handling the inbound connection for
Office 365, the mailbox move can stall which causes the move operation to slow down dramatically
and sometimes might cause the move to fail. If this happens, you will see the problem reported in the
error details logged for the move request.
• If you troubleshoot mailbox moves to/from Office 365, having a load balancer in place makes it
harder to figure out which server handles the connection. This means you must go through the log
files on each server in the array to decide what server was involved in the mailbox move you are
trying to troubleshoot.
Although using a load balancer is a supported scenario, you can avoid these problems by (temporarily)
defining a unique migration endpoint for each Exchange server from which you want to process move
requests. The benefit is that the connection path is now much more predictable (you can specify a different
migration endpoint per migration batch) and mailbox moves generally complete faster. Additionally, this
approach usually yields a higher number of concurrent mailbox moves as you can manually control how many
mailbox moves are directed to each Exchange server.
The downside of defining a separate endpoint for each Exchange server (or for as many as you need), is that
you need an external IP address, hostname, and SSL certificate for each endpoint before the Exchange servers
behind the endpoint can accept incoming connections and process mailbox moves.
Page 86
To allow for TLS mail flow in a hybrid deployment, the following requirements must be met:
• The Subject Name or Subject Alternative Name on the certificate used to negotiate TLS must match
the FQDN used to connect to the remote server. This allows the use of SAN or wildcard certificates.
• The certificate must be issued by a trusted public Certificate Authority.
• The certificate must be valid; it must not be expired or revoked.
• The Certificate Revocation List (CRL) must be available.
The certificate information needed to establish and enforce a TLS connection between both environments, is
also stored as part of the configuration of the various mail flow connectors in the on-premises and Exchange
Online organization. For more information on what Inbound and Outbound connectors are, have a look at
mail flow chapter in the main book.
• The on-premises Send, and Receive Connectors hold certificate details of the on-premises
organization which are presented to Office 365 (EOP) whenever a message is sent to or received from
Office 365. This information is recorded in the TlsCertificateName attribute and can be viewed using
the Get-ReceiveConnector or Get-SendConnector cmdlets.
• In addition to the certificate information, the on-premises Receive Connector also includes an
attribute called TlsDomainCapabilities. This attribute specifies which added features are offered for a
specific domain. For example, the value mail.protection.outlook.com:AcceptCloudServicesMail,
indicates that messages coming from the hostname mail.protection.outlook.com (EOP) are, in fact,
part of the same organization, and should be treated as such.
• The inbound connector in Office 365 has certificate information of the on-premises organization. This
information is used to confirm (compare) the information presented by the on-premises organization
whenever messages are sent to Office 365.
• The outbound connector in Office 365 does not hold any details about the on-premises certificate,
but it specifies the domain name that the on-premises domain part of the hostname should match
with, to establish a secure (TLS) connection when sending messages to the on-premises organization.
For instance, if the Outbound connector specifies "office365itpros.com" in the TLSDomain attribute, a
valid on-premises hostname would be mailserver.office365itpros.com. The certificate installed on the
on-premises server(s) must then also match that hostname. As mentioned earlier, it can also be a
wildcard certificate covering all hostnames for a specific domain.
If any of the information in the various connectors does not match, the secure connection between the on-
premises organization and Office 365 might fail, therefore halting (hybrid) mail flow. If that happens, emails
will queue on the sending server.
Messages sent between Exchange Online and the on-premises organization are treated differently from
messages that originate elsewhere. This allows Exchange Online to bypass anti-spam filtering or added
Advanced Threat Protection (ATP) processing for messages that are received from on-premises Exchange
servers. Every message in the hybrid mail flow is stamped with an added SMTP X-MS-Exchange-Org-AuthAs
header. The value for this header should always be Internal for messages flowing across a hybrid connection.
If Exchange Online Protection detects that the X-MS-Exchange-Organization-AuthAs header is set to Internal
for a message, the Spam Confidence Level header (SCL) for that message is automatically set to -1. This value
allows the message to be forwarded to the recipient without going through message hygiene processing and
potentially being marked as spam. The authentication header also allows Outlook clients to recognize the
sending partner as being part of the same organization, triggering Outlook to display a full contact card
instead of a summarized version.
Real World. The presence of the X-MS-Exchange-Organization-AuthAs header is one of the key differences
between a hybrid deployment, and a staged migration or a minimal hybrid configuration. Although the latter
two options also offer mail flow coexistence, they do so without configuring extra connectors (with TLS). As
Page 87
such, the end user experience in Outlook is different. If needed, an administrator can manually update the
connector configuration, so that the user experience in a staged migration or minimal hybrid scenario mimics
the one in a hybrid scenario.
The presence of the header also has implications for the on-premises architecture. The Exchange header
firewall strips any X-headers from messages that come from non-Exchange servers and therefore break this
functionality. For this reason, hybrid mail flow must not be configured to pass through a third-party mail
filtering solution. If your organization requires external connections to be terminated in the perimeter network
(DMZ), you must route messages through an on-premises Edge Transport Server as it is the only Exchange
Server Role supported to be installed in the DMZ.
Real World. Edge Transport servers aren’t really known for excellent message hygiene features. Other
solutions, including Microsoft’s own Exchange Online Protection, offer a much higher level of protection
when it comes to spam and malware. This doesn’t mean Edge Transport servers cannot be useful. First, they
help you fulfil the requirement to terminate incoming connections (for SMTP!) in the DMZ. They can also be
used to configure more transport rules (and thus separate those rules from the internal deployment). The
servers offer some basic address rewriting capabilities, something which can easily be extended using a
custom (or third-party) transport agent. Aside from perceived security benefit in hybrid deployments, Edge
Transport servers can be a flexible mail-handling solution!
There are several ways in which outbound mail flow can be configured. Here, outbound is used to define
messages sent to recipients which are not part of the hybrid deployment:
• Centralized Mail Flow enables all outbound messages from both organizations to be routed through
the on-premises organization. This allows for added processing by on-premises message hygiene or
compliance solutions.
• Non-centralized Mail Flow is selected by default in the Hybrid Configuration Wizard; Office 365
sends messages directly to the Internet and the on-premises organization continues to send
messages as configured before. Alternatively, you can configure the on-premises organization to
route all outbound email through Exchange Online Protection.
Page 88
Figure 4-4: (Non-)Centralized Mail flow without Edge Transport
Similarly, there are two options for inbound mail flow:
• The MX record points to the on-premises organization. This scenario is illustrated in Figure 4-3
and Figure 4-4. Email to on-premises mailboxes is delivered locally. Email to Office 365 mailboxes is
forwarded to the destination recipient in Office 365. Exchange will always forward messages to the
email address specified in the targetAddress attribute if it is configured. The targetAddress attribute is
set on the on-premises Mail-Enabled User account that represents the mailbox in Exchange Online.
• Alternatively, as illustrated in Figure 4-5, the MX record points to Exchange Online Protection
where email is filtered and scanned. From there, messages are either sent directly to mailboxes in
Exchange Online or forwarded to the on-premises organization through the Outbound Connector
that is created automatically by the Hybrid Configuration Wizard. Just like the outbound mail flow
scenarios described earlier, the use of an on-premises Edge Transport service is optional.
Figure 4-5: MX records are pointing to Exchange Online Protection (with Edge Transport)
Real World. In the latter scenario, the MX record doesn’t necessarily have to point to EOP. Although
Microsoft recommends not using additional mail handling/filtering solutions in front of EOP (this can cause
certain features to become less effective), often third-party solutions that manipulate inbound/outbound
messages require MX records to point to their solution. One such example is when an organization uses a
third-party (hosted) solution to automatically add signatures to email.
Exchange Federation
One reason why organizations create a full hybrid deployment is to allow mailboxes in both environments to
collaborate as if they are hosted in the same organization. This is especially useful if a migration to Office 365
is spread over an extended period, or if your organization has decided to keep certain mailboxes on-premises
indefinitely. Regardless of the reason of the hybrid connectivity, two common scenarios are: looking up
Page 89
calendar information for another user when booking a meeting, and delegating access to another user's
mailbox. These are user actions, but there are also other, system-driven, actions such as displaying MailTips
that are automatically executed. Federating the on-premises organization with Exchange Online allows many
types of cross-platform data sharing. Note that this kind of federation has nothing to do with federated
authentication.
Despite the sharing capabilities available through the federation process, it is important to understand that
not all sharing scenarios are supported. Although Microsoft now supports Full Access and Send-on-behalf-of
permissions, Send-As, folder-level permissions or Automapping are not. More information on limitations on
cross-premises permission is in "Limitations of a Hybrid Deployment," later in and in Chapter 5. Before
Exchange 2010, if an organization wanted to share Free/Busy calendar information with another organization,
a direct trust relationship had to be created in which a shared- or pre-defined service account is specified.
Exchange Federated Sharing introduced a third-party trust broker called Azure AD Authentication System, or
previously the Microsoft Federation Gateway (MFG). The Azure AD Authentication System ends the need to
create direct trust relationships between organizations. First, each organization sets up a trust with
Authentication System in Azure AD. This is done through the New-FederationTrust cmdlet and is executed
automatically by the Hybrid Configuration Wizard. In a hybrid deployment, this trust only needs to be created
for the on-premises organization as Exchange Online already has an existing trust with the Azure AD
Authentication System. The trust, also known as the Federation Trust, uses a custom X.509 certificate to
encrypt and sign delegation tokens issued by the Azure AD Authentication System. By default, a self-signed
certificate is generated when the Federation Trust is created. Even though you could use a third-party
certificate, it is recommended to use the self-signed certificate.
When the Federation Trust is created, an Organization Identifier is created for your organization. This
identifier defines which accepted domains in your organization are enabled for federation. The Azure AD
Authentication System will only allow users that have one of the configured domains in their email address to
use the federated sharing features. Like the Organization Identifier, the Federation trust creates an AppID for
your organization which is used to uniquely identify the organization. The AppID is used to verify whether
your organization owns the SMTP domains that are configured as part of the Federation Trust. Like how the
validation of a domain in Office 365 works, an administrator must configure a public DNS TXT record for each
domain in the Federation trust so that Microsoft can confirm the ownership of those domains by looking up
the record with the specific AppID value.
The federation trust is represented by an object in the configuration partition of Active Directory. The object
contains many other items of information about the trust, also called the trust metadata. Running the Get-
FederationTrust cmdlet in the on-premises Exchange PowerShell instance, will reveal various elements of the
federation trust. Note that some information is omitted from the output below for brevity:
[PS] C:\> Get-FederationTrust
RunspaceId : f11725de-1fd2-430d-a6d8-a9909a7b4413
ApplicationIdentifier : 0000000040027F13
ApplicationUri : FYDIBOHF25SPDLT.EXCHANGELAB.BE
OrgCertificate : [Subject] CN=Federation [Issuer] CN=Federation
Amongst other items, the federation trust object also holds information about the certificates that Microsoft
uses for the Azure AD Authentication System. Although the federation trust does not require much
maintenance, Microsoft recommends that the federation trust metadata is updated regularly to ensure that
the information is up-to-date, and that any feature relying on the Azure AD Authentication System is not
affected. The metadata is updated automatically if you run servers with Exchange 2013 SP1 or later, but if you
run an earlier version, you should regularly update the metadata by running the following command:
[PS] C:\> Get-FederationTrust | Set-FederationTrust –RefreshMetaData
Page 90
After the federation trust is setup, organizations must configure an implicit one-to-one relationship with each
other, called an Organization Relationship. This Organization Relationship controls what information is shared
with the other organization. Both the trust with the Azure AD Authentication System, and the organization
relationships are configured automatically by the Hybrid Configuration Wizard. Figure 4-6 illustrates how the
Exchange Federation process works when an on-premises mailbox requests Free/Busy information for an
Office 365 mailbox.
Figure 4-6: Free/Busy information flow using the Azure AD Authentication System
The following steps occur:
1. An on-premises mailbox requests Free/Busy calendar information for an Office 365 mailbox.
2. The on-premises Client Access Server checks if it has an Organization Relationship for the remote
organization. It does so by verifying if one of domains configured in the Organization Relationship
matches the domain for which Free/Busy information is requested.
3. If an Organization Relationship is found, the Exchange server requests a delegation token from the
Azure AD Authentication System.
4. The delegation token is sent along with the request for Free/Busy information to the remote
organization.
5. The remote organization (Exchange Online, in this scenario) will first validate the delegation token
that was sent along with the request for Free/Busy information with the Azure AD Authentication
System. Once the token is verified, the remote organization knows the originating request is valid and
will honour the request by looking up the Free/Busy information returning it to the on-premises
organization.
OAUTH Trusts
Some organizations are restricted by laws, or regulations which prohibit offloading authentication to an
external broker service, such as the Azure AD Authentication System. This introduces a problem because
organizations cannot create a direct trust with Office 365 using a shared or pre-defined service account.
Microsoft introduced a new feature called OAUTH, and is available from Exchange 2013 Cumulative Update 5
onward. This feature enables organizations to setup a direct trust relationship with one another without the
need of a shared account or credentials, thus keeping authentication local. The feature is based on the
industry standard OAUTH.
Page 91
Like how Exchange Federation needs Organization Relationships to create a trust between both organizations,
OAUTH uses an Intra-Organization Connector (IOC) to explicitly define the trust. The difference is that in a
scenario based on Organization Relationships, Direct Authentication or DAUTH is used instead of OAUTH.
DAUTH is not a standard like OAUTH and relies on an external service, in Exchange's case the Azure AD
Authentication System, to handle authentication.
Just like an Organization Relationship, the IOC contains information about the domains and endpoints of the
remote organization. OAUTH relies on certificates to authenticate requests between both environments. The
on-premises authorization certificate is exported to Exchange Online as part of the OAUTH wizard in the
Hybrid Configuration Wizard. The ability to automatically configure OAUTH is only available if the on-
premises organization contains only Exchange 2013 (or later) servers. If older servers are used, you must
configure OAUTH manually to use it. If you have both OAUTH and traditional federation configured, the two
features work independently and are not used as a fallback in case either method fails. The order in which
Exchange will use OAUTH or the Azure AD Authentication System is listed below:
1. A user with a mailbox on an Exchange 2013 mailbox server tries to access Free/Busy calendar
information for a mailbox in Office 365.
2. The Exchange Availability Service checks if OAUTH is configured and whether it can find an Intra-
Organization Connector for the remote organization of the queried mailbox. The remote organization
is identified using the email address of the mailbox specified in the Free/Busy request.
3. If an IOC connector is found, Exchange will use OAUTH to authenticate the Free/Busy request. It is
important to understand that even when an IOC is misconfigured, no attempt is made to fall back to
using Organizational Relationships (DAUTH).
4. Only if no IOC connector is found, Exchange will verify if it can find an Organization Relationship for
the remote organization (Office 365). If it does, it will make a call to the Azure AD Authentication
System requesting an authentication token which it will send to Office 365 along with the Free/Busy
request. The remote organization, which also has a trust with the Azure AD Authentication System,
can validate the token and will process the request.
5. However, if no Intra-Organization Connector or Organization Relationship can be found, Exchange
falls back to using Availability Address Spaces to look up Free/Busy calendar information, if these are
configured.
As soon as OAUTH is configured, it becomes the preferred method for authenticating requests and Exchange
Online will only use OAUTH and not even attempt to use the Azure AD Authentication System. The on-
premises situation is a little different. For instance, a mailbox hosted on an Exchange 2010 server will never
attempt to use OAUTH because Exchange 2010 does not support OAUTH for federation. In a mixed
environment, this might cause various methods to be used interchangeably. Although implementing OAUTH
is optional, you must implement OAUTH if you want to leverage the following hybrid cross-premises features:
• In-place eDiscovery search and hold.
• In-place Archiving (automatically moving items from an on-premises mailbox to a cloud-based
archive).
• Messaging Records Management (MRM).
Autodiscover
The Autodiscover process ensures that clients receive the necessary information to connect to their mailbox,
and any other resources that they use such as delegate mailboxes, and public folders. The process for a cloud
mailbox is like that for on-premises mailboxes. When an organization only uses Exchange Online, the
Autodiscover record must point to Office 365. This process uses a CNAME record which ultimately points to
autodiscover.outlook.com.
Page 92
Because a hybrid deployment allows mailboxes to be on-premises as well as in Office 365, the Autodiscover
endpoint (for example, autodiscover.office36itpros.com) must point to the on-premises organization if the
information for on-premises mailbox and mailboxes in Office 365 must be discoverable through the on-
premises Exchange servers.
Clients trying to connect to a mailbox in Office 365 will first connect to the on-premises Exchange servers
after which they are redirected to the Autodiscover endpoint in Office 365 if the targetAddress property is
configured. Figure 4-7 outlines the client-server communication flow for Autodiscover in a hybrid deployment:
Page 93
Exchange Online will now lookup the user’s mailbox with the targetAddress. Because the mailbox's
proxyAddresses attribute contains the same address, the connection information is returned to the client. As
part of running the Hybrid Configuration Wizard, the proxyAddresses attribute for each mailbox is populated
automatically with the value that will be used for the targetAddress. This step is explained in more detail later.
Using the connection information from the Autodiscover response, the client now tries to connect to the
endpoint in Office 365 and gets access to its mailbox.
The Autodiscover process is not only used to retrieve connecting information for the primary mailbox. If the
user has an archive mailbox or access to other mailboxes which might use automapping to show up in the
user’s Outlook client, additional Autodiscover processes are kicked off automatically to discover the
connection information for those additional resources. In the initial Autodiscover response, Exchange (or
Exchange Online) will send back the connection information to the primary mailbox along with the SMTP
addresses of the additional resources the user has access to. The example below shows the XML-format
information returned by Autodiscover about a shared mailbox to which the user has access:
<AlternativeMailbox>
<Type>Delegate</Type>
<DisplayName>Mark Spencer</DisplayName>
<SmtpAddress>mark.spencer@contoso.com</SmtpAddress>
<OwnerSmtpAddress>mark.spencer@contoso.com</OwnerSmtpAddress>
</AlternativeMailbox>
The type node in the XML output tells Outlook what kind of object the resource represents. For instance,
when an online archive is listed, the value is "Archive" instead of "Delegate".
Page 94
premises organization to Exchange Online only exist on-premises. In the image, the server role-specific
workloads are shown as separate servers. However, many deployments use multi-role Exchange servers which
run both the Client Access and Mailbox Server roles, which means that all Hybrid workloads exist on the same
Exchange server.
Some confusion exists around the use of the term “Hybrid Server.” This is not a separate or special Exchange
server role. Instead the term is used to refer to an Exchange server or a set of Exchange servers assigned the
task of handling Hybrid workloads. The assignment of these workloads to servers is done as part of the Hybrid
Configuration Wizard.
In most Exchange deployments, there is no need to install more servers to perform Hybrid-related tasks. The
existing servers can easily accommodate the workload. This is also the reason why there is no specific design
or sizing information for Hybrid servers. The general recommendation is to treat these servers just like any
other Exchange server in the organization. Of course, some common sense is needed too. If your Hybrid
deployment adds more mailboxes into your environment (on-premises or in Exchange Online), the added
workload should be considered. Hybrid services can only run on a server that has Exchange Server 2010 SP3+
or Exchange Server 2013 (or later) installed. See this page for more information about the requirements for
hybrid deployments.
Note. Despite extensive information with regards to sizing an on-premises Exchange deployment, there is
little information about sizing for a hybrid deployment. In part this is because there is little difference in
the requirements for a purely on-premises vs. hybrid deployment. Unfortunately, the same is not true for
Edge Transport servers. It’s not uncommon for an organization to deploy Edge Transport servers for a
hybrid configuration to meet specific security requirements. To properly size Edge Transport servers, the
following two items are most important to consider: storage and CPU. To calculate how much storage you
need, you should follow the same guidance as for internal Transport Services: You must calculate the
overall transport storage requirements and then divide that across the number of Edge Transport servers
you will deploy. To calculate how much processing power you need, you should consider deploying one
Edge Transport server CPU core per five to eight Mailbox Server CPU cores. Because the latter is not an
exact science, deploying Edge Transport servers virtually will provide you with a bit more flexibility to scale
up (or down) depending on the observed load. More information on the topic of Edge Transport servers in
a hybrid deployment can be found in this article.
Page 95
permissions require an (unsupported) workaround. Other permissions, such as Delegate Access, work
in most cases but are unsupported. The safest and most functional approach is to have all mailboxes
that share delegate permissions on the same platform (on-premises or cloud) to guarantee the best
end user experience. In other words, if you move someone’s mailbox, make sure that you also move
any other user who has delegate access to that mailbox. This is the best way to avoid permission
hiccups and ensure that users can continue to work as before the move. Cross-premises permissions
also do not work for all clients and can be influenced by how authentication is performed. It is
recommended that you use Modern Authentication and install the latest available client version (and
updates).
• Multi-forest scenarios need extra planning and effort. Although Exchange 2013 Service Pack 1 (CU4)
and later support multiple on-premises Exchange organizations in a Hybrid deployment with a single
Office 365 tenant, these scenarios are technically very challenging because of the conflicting
requirements that might arise when synchronizing objects between the different forests. In addition,
cross-premises permissions can behave differently compared to a single on-premises forest. This is
mainly because of which accounts are used to authenticate, what forest permissions are assigned in,
and how or what attributes are synchronized between various forests and Azure AD.
Real World. The inability to use all available permissions in a hybrid configuration in a predictable way can
be a real pain when moving mailboxes to the cloud. It is best practice to move mailboxes using one of the
various delegate permissions like Send-As, Send-On-Behalf-Of or specific folder and calendar permissions
to Exchange Online together. Larger organization often find that, while they intend to move only a limited
set of mailboxes, they end up moving a much higher number (at the same time) because of the need to
keep delegates on the same platform to ensure that permissions work. Although Microsoft extended
support for a variety of cross-premises permissions, some delegate permission scenarios are still not
supported today. It’s still best to move interconnected mailboxes together.
Note. Although it is technically possible to execute all the steps performed by the Hybrid Configuration
Wizard manually, running the wizard is now the only method supported by Microsoft to set up a Hybrid
environment.
The Hybrid Configuration Wizard greatly simplified connectivity between an on-premises Exchange
organization and an Office 365 tenant, but there were still manual steps an administrator had to go through
before the configuration was complete. For instance, the wizard did not support Edge Transport servers,
Page 96
forcing the administrator to manually add Edge Transport servers to the hybrid configuration after running
the Hybrid Configuration Wizard.
Another problem a lot of organizations faced, is the way secure mail flow worked between both
environments. The Hybrid Configuration Wizard would create a Receive Connector in the on-premises
organization and scope it down so that it would only accept connections from a handful of IP addresses that
belonged to the Forefront Online Protection system in Office 365 and were used to send mail from Office 365
to the on-premises organization. Because Microsoft would sometimes add, remove, or change IP addresses,
the administrator needed to regularly re-run the Hybrid Configuration Wizard to ensure the list of IP
addresses on the Receive Connectors was kept up to date. Additionally, every time an administrator ran the
Hybrid Configuration Wizard, it would re-configure everything that was already configured before, possibly
overwriting manual configuration changes an administrator might have made.
One of the side effects of shipping the Hybrid Configuration Wizard with Exchange is that the wizard code
depends on the version of Exchange running on the server. For example, a customer running the Hybrid
Configuration Wizard with Exchange 2013 CU4 does not have the same experience as a customer running the
wizard on Exchange 2013 CU5 or later. This created the problem that customers do not always run the latest
version of the wizard. With components in Office 365 moving forward at light speed, this can cause issues. For
instance, in 2014, Microsoft introduced several changes in Office 365 which broke hybrid functionality, or the
ability to run the Hybrid Configuration Wizard. In the latter scenario, customers must install a hotfix, if one is
available. If not, they must wait until the next Cumulative Update which has a fix for the issue. In the worst
case, the next update could be a quarter away.
To mitigate this problem, Microsoft issued a new Hybrid Configuration Wizard. Instead of shipping the wizard
as part of the on-premises server, customers now download the latest code from a Microsoft server. This
approach allows Microsoft to have full control over the wizard software, ensures that administrators always
use the latest version, and it decouples the experience from whatever Exchange version you are running.
By default, the Hybrid Configuration Wizard automatically uploads log files to Microsoft. The development
team analyzes these logs to help detect the emergence of problems. If Microsoft detects a problem for finds a
bug, they can update the wizard almost instantaneously. The uploaded log files give Microsoft a large amount
of data that they might otherwise have to gather from customers (for instance, through support cases) to
understand and then fix the problem. The agility Microsoft gains from this automated approach reduces the
time between the report of an error (or its automatic detection) and the generation of a fix. That time can be
as short as a few days, which is a lot better than having to wait for Microsoft support to release a hotfix or the
next Cumulative Update! In general, Microsoft publishes an updated version of the Hybrid Configuration
Wizard on a weekly basis.
If you do not want to automatically upload hybrid configuration log files to Microsoft, create a new DWORD
registry key called DisableUploadLogs on the server before running the Hybrid Configuration Wizard.
Depending on the version of Exchange you use, the registry key is in one of the following locations. Substitute
[XX] with 15 for Exchange 2016 and Exchange 2013, or 14 for Exchange 2010:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v[XX]\Update-HybridConfiguration]
Page 97
• Secure mail flow between Exchange Online and the on-premises organization no longer relies on the
list of IP Addresses on the Receive Connector. Hybrid deployments can now solely rely on the use of
certificates for determining if TLS encryption should be used or not.
• Built-in support for Edge Transport servers removes the need to manually add and configure them
after the wizard executes.
• Support for added mail routing scenarios removed some limitations that existed previously. For
example, prior to Exchange 2013 an organization could not point its MX records to Office 365 if the
hybrid deployment was configured for centralized mail flow.
• Mailbox moves between Office 365 and the on-premises environment now use an improved mailbox
move wizard. This allows for more flexible scheduling and a unified experience for the administrator.
• The steps executed by the Configuration Wizard are recorded with a lot more detail, giving a greatly
enhanced log file for troubleshooting purposes.
• The wizard supports the use of Multi-Factor Authentication during run-time. This allows an
administrator, whose account is enabled for MFA, to run the wizard instead of having to use either an
app password or a (temporary) service account without MFA.
Perhaps not related to the new wizard itself, but in Exchange 2013 CU5 the wizard already received several
under-the-hood improvements such as support for OAUTH Federation, and the automatic configuration of
the MRS Proxy for selected Client Access Servers.
Now that we have a broader understanding of what the Hybrid Configuration Wizard entails, let's have a
closer look at how it works, and how changes are made to the environment.
Note: Throughout the rest of this chapter, we refer to the cmdlets used by the Hybrid Configuration
Wizard to illustrate how the wizard works. It is one of the few scenarios where using the GUI is an easier,
and faster way to configure something.
The Hybrid Configuration Wizard creates a new Hybrid Configuration object in Active Directory in the
Exchange container of the configuration partition. The object holds details of the parameters selected during
the execution of the Hybrid Configuration wizard.
CN=Hybrid Configuration,CN=[OrgName],CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Domain,DC=TLD
The Get-HybridConfiguration cmdlet retrieves and displays the values stored by the Hybrid Configuration
Wizard:
[PS] C:\Windows\system32>Get-HybridConfiguration
ClientAccessServers {}:
EdgeTransportServers {}:
ReceivingTransportServers :
{E15-01, E15-04}
SendingTransportServers :
{E15-04, E15-02}
OnPremisesSmartHost :
smtp.exchangelab.be
Domains :
{EXCHANGELAB.BE}
Features :
{FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection,
OnlineArchive, SecureMail, Photos}
ExternalIPAddresses : {}
TlsCertificateName : <I>CN=DigiCert Secure Server CA, O=DigiCert Inc,
C=US<S>CN=outlook.exchangelab.be, OU=IT,O=VH Consulting & Training, L=Vichte, S=Vlaams-Brabant, C=BE
ServiceInstance : 0
Name : Hybrid Configuration
Page 98
DistinguishedName : CN=Hybrid
Configuration,CN=HybridConfiguration,CN=ExchangeLab,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=EXCHANGELAB,DC=BE
Page 100
directly to Exchange Online. Upgrading to Exchange 2013/2016 then becomes a trivial task as there is no end-
user impact, and no namespaces left to switch over.
From a hybrid connectivity point-of-view, you are not getting many new features by upgrading to Exchange
2013/2016. You are essentially just substituting your Exchange 2010 servers with a newer version. Of course,
the same supportability and product lifecycle arguments as before are valid in this scenario as well. The
question is whether this should really drive your decision to upgrade? Unless some functionality breaks, or
Microsoft changes its support statement and moves an Exchange 2010 hybrid deployment out of the scope of
supported topologies, there is no rush to upgrade.
If you are not yet in a hybrid state, but you are looking to configure a hybrid connection, there are a few
things to consider:
• If you have Exchange 2010 deployed on-premises, and you are planning to use a hybrid connection
solely for migration purposes, continue using Exchange 2010. After the migration, and because you
must keep an Exchange server around for management purposes, you should consider upgrading the
remaining Exchange server to either Exchange 2013 or 2016. The normal reasons for not upgrading
from Exchange 2010 to Exchange 2013 or 2016 are complexity and cost. If you want to upgrade to
Exchange 2013/2016 prior to migrating to Office 365, you essentially face a semi-full on-premises
migration because you must switch over namespaces to the most recent version of Exchange server.
This action typically introduces short periods of service interruption for the end user.
• If you plan on long-term coexistence, using Exchange 2013, or 2016 has its benefits. As both versions
are still fully supported, you can keep workloads on-premises without having to worry about the
supportability of the entire solution (also non-hybrid components).
In the end, if you need a long-term coexistence, in my opinion, it is better to go with a newer version of
Exchange for your hybrid deployment. If you only want to use hybrid for migration purposes, even if it is for
several weeks, it is acceptable to continue using Exchange 2010 – provided that your intention is to move all
mailboxes to Office 365 and keep the on-premises server(s) for management purposes only. In the latter case,
I recommend switching Autodiscover and your MX records to Exchange Online shortly after the migration.
That enables you to easily upgrade your remaining on-premises management server(s) to Exchange
2013/2016 with little to no hassle.
If you have made the decision to upgrade to Exchange 2016 for your hybrid deployment, I suggest that you
first perform the on-premises migration before setting up hybrid. This might save you some work having to
re-run the HCW afterwards –although running the wizard is typically not disruptive.
Page 101
work, the SSL certificate installed on the on-premises servers must be issued by a third-party Certificate
Authority and it must be valid!
The case of why you might want to pick a different Autodiscover domain is best illustrated with an example.
Consider the following: you currently have three domains: contoso.com, office365itpros.com, and
fabrikam.com. You include all these domains in the Hybrid Configuration Wizard and the wizard picked
contoso.com to be the Autodiscover domain. Because autodiscover.contoso.com is not included in the on-
premises SSL certificate, you select fabrikam.com to be the Autodiscover domain instead. By doing so, you
instruct the wizard, and therefore also Exchange Online, not to send Autodiscover requests to
autodiscover.contoso.com but to use autodiscover.fabrikam.com instead. In this scenario, if you had retained
the domain picked by the Wizard, all Autodiscover requests performed by the Wizard or by Exchange Online
would fail, resulting in a variety of hybrid features, like Free/Busy, not working properly! Of course, if the
wizard selects the right domain, there is no need to change it.
Note: If you use multiple primary email domains in the on-premises organization, it is very likely that you
have correctly configured Autodiscover for each of those domains. However, many organizations own
several domains, some of which they never use to send emails with. As such, they might not have
configured Autodiscover for those domains. Also note that specifying a specific Autodiscover domain in
the Wizard does not change the need for Autodiscover to be configured correctly from an on-premises
perspective. You should always make sure to properly configure Autodiscover for all email domains that
are actively used (stamped as the user's primary email domain).
Although you rarely need to configure the settings for the Hybrid Configuration Wizard without using its GUI,
you can define the Autodiscover domain in PowerShell using the Set-HybridConfiguration cmdlet:
[PS] C:\> Set-HybridConfiguration –Domains "contoso.com, office365itpros.com","autod:fabrikam.com"
Rights Management
Although Office 365 supports rights management through Azure Information Protection, ensuring coexistence
between the on-premises organization and Office 365 needs some extra planning. This is especially true if the
on-premises organization uses RMS. Without extra configuration, messages previously encrypted by the on-
premises organization would potentially become inaccessible in Office 365. For example, Outlook Web App
would not be able to display those messages as it has no way to decrypt the contents. However, if you
Page 102
configure Azure Rights Management Services and import the Trusted Publishing Domain (TPD) from the on-
premises organization, decryption is possible. Of course, the configuration must be in place before you move
any mailboxes into Office 365. See Chapter 20 (main book) for more information about using Microsoft
Information Protection in Office 365.
Organization Configuration
The HCW includes the ability to transfer organization configuration from on-premises to Exchange Online. In
effect, this means that the HCW copies and applies settings to ensure that the same configuration applies for
both sides of the hybrid organization. The settings are:
• Mailbox retention policies and retention tags.
• OWA mailbox policy.
• ActiveSync mailbox policy.
• Mobile device mailbox policy.
Transfer is a one-time, one-way event that does not overwrite existing settings within Exchange Online. After
the transfer completes, you still have the task of keeping settings on both sides synchronized, if that’s what
you decide to do.
Unified Messaging
UM-enabled mailboxes must also be treated with care. If you have not configured Unified Messaging in Office
365, you cannot move a UM-enabled mailbox from the on-premises organization, unless you disable the
functionality first. If you care to keep the UM functionality, you must first setup Unified Messaging and
coexistence with the on-premises organization before trying to move UM-enabled mailboxes; mailboxes that
are not UM-enabled can be moved just fine. More information on this topic is in Chapter 5.
Mobile Devices
Moving mailboxes from an on-premises organization to Office 365 is normally transparent to end-users.
However, this is not always the case for mobile devices. Most mobile devices use the Exchange ActiveSync
protocol to communicate with Office 365. Although the protocol is well documented and stable, every mobile
device vendor that licenses ActiveSync is free to choose what features they implement, and how. As a result,
the experience of moving mailboxes might vary from device to device, and sometimes mobile devices do not
reconnect to the mailbox after it has been moved to Office 365. Even though the workaround is to simply
recreate the account settings on the device, the impact it can have from an organizational point of view can
be substantial, especially when you must cover several hundreds if not thousands of devices. Since Exchange
2013 CU8, and Exchange 2010 SP3 RU9 this limitation is addressed by changing how the on-premises
Exchange server responds to an ActiveSync connection after a mailbox has been moved to Office 365. Instead
of sending a mailbox not found status to the device, Exchange returns a HTTP 451-redirect. This redirect holds
the endpoint information in Office 365 and is generated automatically based on the value of the
TargetOwaUrl parameter of the Organization Relationship with Exchange Online. Once the device successfully
connects to Exchange Online, the profile on the device is normally updated automatically so that all future
connections flow to Exchange Online. For the redirect to work though, the following must be true:
• The device itself must be able to handle the incoming redirect. Not all devices support this ability. It is
paramount to test this functionality so that you can set your user's expectations accordingly.
• The username that is used to connect to Exchange must be based on the User Principal Name (UPN)
instead of the traditional domain\username format.
Page 103
Real World: The mobile device redirect only happens if the source mailbox (which is moved to Office 365)
resides on Exchange 2010, 2013, or 2016. If the mailbox is still hosted on Exchange 2007, and you are
moving through an Exchange 2010, or 2013 server, the redirect is never generated, and you must manually
update, or recreate the profile on the device.
Client Versions
Running a hybrid deployment creates several implications in terms of client compatibility. One example is the
Outlook version that is needed to support cross-premises permissions, or the ability to display Office 365
groups in Outlook. Just like the on-premises Exchange servers must meet specific version requirements, the
same is true for client operating systems and applications. Despite the support for older versions, the best end
user experience will be obtained by always installing the latest version of a certain client. This is not only true
from a functionality perspective, but updates might also have bug fixes. Some organizations have difficulties
keeping up with the release cadence of updates. Let's take Outlook as an example: unless you deploy
Microsoft's Click-to-Run version to update Outlook on an ongoing basis, updates must be manually
distributed to, and installed on every client computer that uses Outlook. Depending on the size of your
organization, this might be quite an undertaking and will require some additional planning.
Network Connectivity
Running a hybrid deployment changes the demand on network connections. Every mailbox that moves to
Office 365 will no longer connect to the on-premises Exchange servers, but instead connect to their mailbox
over the Internet. For many organizations, this means a substantial increase in bandwidth utilization for their
Internet connection. Microsoft has a set of articles and recommendations to help organizations plan
appropriate networks for Office 365 deployments.
In terms of Exchange Online, it’s important to understand the traffic characteristics for email activity. For
instance, the amount and average size of message being sent and received each day might help to
understand what the added load will be. Next to regular mail flow, mailbox moves and offline cache
synchronization (.OST files) play an important role in understanding the network traffic. While mail flow
typically is a stable amount of bandwidth that is used, the latter two scenarios burst (spike) network traffic and
can potentially congest the network unless network traffic rules exist to prevent that from happening. Another
change in behavior that is easily underestimated is the effect of mailing to a (large) group of people.
Consider the following example: a user sends a message to ten colleagues with a 10 MB attachment. In a
traditional on-premises deployment, that message would be sent to Exchange which then distributes the
message to the mailboxes (if they are all located on the same server) or sends a single copy of the message to
another Exchange server which will then deliver the message to the mailboxes held there, and so on. In Office
365, the message is sent to Office 365 across the Internet. Luckily Exchange will only send a single copy of a
message to Exchange Online, even if there are multiple recipients addressed in the message. Exchange Online
then delivers the message to mailboxes in Office 365. If one of the recipients is still an on-premises Exchange
user, a copy of the message will go to the on-premises Exchange server. Next, Outlook clients will download
the message from their mailbox. If the mailbox is on-premises, the message is downloaded from a local
server. However, if the mailbox is hosted in Office 365, the message will be downloaded through the Internet,
increasing the load on the Internet connection. Potentially this means that a single message might be
downloaded many times through the same Internet connection. For smaller messages that might not be a
problem, but it might be for larger messages. If you know that the maximum attachment limit in Office 365 is
currently 150 MB, it is obvious where the issue might lie. All-in-all, there will be a significant shift in how the
network is utilized. Typically, internal network connections are low-latency, high bandwidth while Internet
connections usually have a higher latency, lower bandwidth but above all a higher cost to consider.
Page 104
Real World: Bandwidth is not the only measure; connection latency is equally important as it relates 1:1 to
the end-user experience in clients like Outlook. Continuously increasing bandwidth isn't always the
solution to connectivity-related issues. Although it is possible to implement a dedicated network
connection to Office 365, such as Microsoft’s Azure ExpressRoute for Office 365 service, this option is not
recommended nor actively promoted by Microsoft.
Real World: EOP is not the only scenario that might be affected by running the Hybrid Configuration
Wizard. Basically, every deployment where an external (third-party) mail filtering or mail handling solution
is used must carefully consider the implications of running the wizard and how it affects their specific
setup.
Page 105
• Ensuring that Office 365 and the on-premises organization and clients can communicate correctly is
key. As such, several outbound and inbound ports must be opened on the firewall to allow for these
communications to happen. Microsoft keeps an up-to-date list which describes what ports, protocols,
URLs and IP addresses are used by the different services in Office 365. An important note here is that
the list is maintained on a best-effort basis; the recommendation is to allow communications based
on domain names rather than IP addresses. If the organization is using proxy servers for internet
traffic, you might need to add the necessary exclusions to allow traffic to pass through
unauthenticated. Exchange itself can be reconfigured to use a proxy server using the Set-
ExchangeServer cmdlet. Microsoft’s Office 365 Support and Recovery Assistant is a great way to verify
connectivity and performance to Microsoft’s datacenters. Amongst other things, the tool checks
network performance by measuring routes and calculating bandwidth. In addition, it verifies DNS
configuration and checks that the necessary networks ports are open for Office 365.
• If your organization plans on using Edge Transport servers to secure hybrid mail flow, the Edge Sync
connection between the on-premises organization and the pool of Edge servers must be created
before running the Hybrid Configuration Wizard.
Not all these prerequisites apply to a minimal hybrid configuration. For example, because no coexistence is
configured by the Hybrid Configuration Wizard, you do not necessarily need to configure a certificate for the
transport services. On the other hand, the requirements for the SSL certificate used for securing
communications, directory synchronization, AutoDiscover, and network connectivity stay unchanged.
Real World: For many strictly-secured organizations, opening firewall ports can be a real nightmare. In
complex environments, it can take months of planning to get the right firewall rules in place. During the
Ignite 2017 conference, Microsoft announced a new hybrid architecture using a new connector to negate
the need for opening inbound firewall ports. The principle that underpins the connector architecture is
similar to an Azure AD App Proxy where requests to and from Exchange Online travel through a mutually-
authenticated connection via well-known ports. Only traffic from known sources, in this case, Exchange
Online or the on-premises servers, can travel through the connector. The expectation is that the new
connector will be in limited testing in early 2018. While a lot can happen between now and then, the
promise of a simpler hybrid architecture is something to look forward to!
Page 106
consume the content. This tool is a web-based utility run from an Exchange server in the on-premises
organization to check a variety of parameters such as certificates, network connectivity, Exchange federation
trust properties and DNS records.
The tool reads the Hybrid Configuration Log File and parses the information to verify other areas of interest.
The result is an interactive web page which you can click through to quickly display what issues were found
and how to potentially solve them.
The text-based log files hold a lot of useful information on the configuration process as illustrated in the
following example:
2015.12.10 13:14:47.607 [Activity=OnPremises Connection Validation] START
2015.12.10 13:14:47.607 [Activity=OnPremises Connection Validation] Resolving DNS for EX2016-
01.OFFICE365ITPROS.AD...
2015.12.10 13:14:47.607 [Activity=OnPremises Connection Validation] EX2016-01.OFFICE365ITPROS.AD
resolved as: fe80::2066:883e:23d4:b73a%12, 192.168.10.65
2015.12.10 13:14:47.607 [Activity=OnPremises Connection Validation] Checking port 80 on host
EX2016-01.OFFICE365ITPROS.AD ...
Each line represents an action of the Hybrid Configuration engine and also shows in which environment a
certain command is executed by mentioning in what session (Activity=OnPremises or Activity=Tenant) the
command was issued:
2015.12.10 13:14:47.748 [Activity=OnPremises Connection Validation] Connecting to http:// EX2016-
01.OFFICE365ITPROS.AD/powershell...
2015.12.10 13:14:47.748 [Activity=OnPremises Connection Validation, Provider=OnPremises] Opening
Runspace.
2015.12.10 13:14:48.076 [Activity=Tenant Connection Validation] outlook.office365.com resolved
as: 132.245.73.18, 132.245.229.146, 132.245.226.82, 132.245.229.162, 132.245.36.114, 132.245.55.18,
132.245.57.34, 132.245.56.98, 132.245.196.34, 132.245.193.130
2015.12.10 13:14:48.076 [Activity=Tenant Connection Validation] Checking port 443 on host
outlook.office365.com...
The information contained in the log files is very useful to troubleshoot any errors you might run into when
running the Hybrid Configuration Wizard. It is also useful because it tracks the changes made by the wizard. In
addition to the commands and changes that the wizard executes, the logs also contain a summary of the
previous configuration.
Page 107
Allowing cross-premises access to public folders needs additional configuration and is not done automatically
by the Hybrid Configuration Wizard. The process for legacy Public Polders (Exchange 2007, 2010) and modern
Public Folders (Exchange 2013, 2016) is very similar. However, for legacy Public Folders, you first need to
complete the following steps:
1. For the Public Folders on the legacy Exchange versions to be accessible, the RpcClientAccessService
must be available on those servers. This means that if you are running the Mailbox Server Role
separately, you must add the Client Access Server role to those servers that are hosting public folder
databases. This is only true for Exchange 2010 Public Folder deployments.
2. An empty mailbox database must be created on each server that hosts a public folder database. To
avoid mailboxes being created automatically by Exchange's built-in provisioning load balancing
mechanism, make sure to set the IsExcludedFromProvisioning switch to $true. As in the previous step,
this is only necessary for Exchange 2010 Public Folder deployments.
[PS] C:\> New-MailboxDatabase -Server <ServerName> -Name <NewDbName>
-IsExcludedFromProvisioning $True
3. Create a mailbox for each Mailbox Database that you created. The SMTP address of this mailbox will
be returned in the Autodiscover response for the Public Folder information:
[PS] C:\> New-Mailbox –Name "PublicFolder1" –Database "DBName"
4. If working with Exchange 2010, it is also necessary to reconfigure the RPCClientAccessServer attribute
on each of the Mailbox Database you created earlier. This to enable Autodiscover to return the proxy
Addresses of the mailboxes that have been created:
[PS] C:\> Set-MailboxDatabase "name" –RPCClientAccessServer "PFServerName"
Note: For an Exchange 2013 or Exchange 2016 environment, it suffices to create a single proxy mailbox. If
you have a large, distributed, environment, it might make sense to add multiple proxy mailboxes.
The following steps are identical, regardless of whether you are using legacy or modern Public Folders:
1. You must synchronize the on-premises Public Folder hierarchy to Office 365. The hierarchy
information is needed for mailboxes in Office 365 to be able to connect to legacy public folders.
Despite newer versions of Azure AD Connect now synchronizing Mail-Enabled Public Folders to Azure
AD, they do not synchronize with the Exchange Online Directory Store. You must still use a series of
downloadable scripts to provision and automatically synchronize public folders to Office 365. There
are two scripts: an export script and an import script. The first script is used to export information
about public folders to a file while the second script will import that information into Office 365. By
creating a scheduled task of both scripts, a sort-of synchronization of public folder information is
achieved.
2. After the import and synchronization of the public folders has completed, you must enable the
Exchange Online organization to access the on-premises public folders. This is done by adding the
names of the on-premises mailboxes created in step 3 to the Organization configuration:
[PS] C:\> Set-OrganizationConfig -PublicFoldersEnabled Remote
-RemotePublicFolderMailboxes PublicFolder1, PublicFolder2, PublicFolder3
Marking as Remote: In the previous example, the PublicFoldersEnabled parameter indicates that the
Public Folders for this organization exist in a remote forest (the on-premises Exchange organization). Once
all the public folders have been migrated to Exchange Online, you must update this parameter to local to
reflect the new situation.
Page 108
When a mailbox in Office 365 performs an Autodiscover request, that request will include the SMTP address
of one of the Public Folder mailboxes specified in the Organization configuration. As described earlier,
Outlook performs an added Autodiscover request for the SMTP address of each resource, such as public
folders in this case. This Autodiscover request will connect to the on-premises organization which will return
the connection information for the Public Folder Mailbox. The returned information holds the Outlook
Anywhere endpoint of the on-premises organization, allowing the client to connect to the Public Folders.
When the wizard runs, it makes some other changes. For instance, to create the new on-premises organization
object in Office 365, the wizard creates two (temporary) disabled mail flow connectors. This is because the
New-OnPremisesOrganization cmdlet needs the InboundConnector and OutboundConnector parameters to be
specified. However, once the on-premises organization object is created, both connectors are removed.
Page 109
Managing a Hybrid Exchange Deployment
In most environments, the hybrid connection is created and then stays untouched for a long time because
most of the configuration changes are only needed once. Nonetheless, there are tasks which might need an
administrator to make change to the hybrid connection. For instance, the certificates that are used in a hybrid
configuration will inevitably expire at some point. Some organizations choose to buy a certificate which is
valid for only one year, others might have a certificate that lasts 5 years. Next to certificate information, there
are other parameters that might trigger the update of the hybrid connection, like adding and removing new
domains, or adding new servers into the environment. Point is that at some point the information in the
Hybrid Configuration must be updated.
Updating the hybrid configuration is a relatively straightforward and easy task. One can either re-run the
Hybrid Configuration Wizard or use the Set-HybridConfiguration and Update-HybridConfiguration cmdlets to
reflect necessary changes.
The message tells us that the cmdlets already exist in the PowerShell session and hence the Proxy creation
was abandoned. As you will notice, most the Exchange cmdlets are included in the list. When an admin would
now try to execute the Get-Mailbox cmdlet, results from the on-premises organization are still returned. Given
that the Get-Mailbox cmdlet has no parameter to tell it where to fetch information, another workaround must
be applied.
When creating a Remote PowerShell connection, you can specify a prefix parameter. For instance:
[PS] C:\> Import-PSSession (New-PSSession -ConfigurationName Microsoft.Exchange
-ConnectionUri https://ps.outlook.com/powershell -Authentication basic
-Credential (Get-Credential) -AllowRedirection) -Prefix Online
This time, the remote connection is successfully created without a warning. Instead of using the default
cmdlet names, PowerShell has now created proxy names including the Prefix that was specified in the
command. As such, Get-Mailbox effectively becomes Get-OnlineMailbox and so on.
While this technique allows an administrator to manage both environments from a single PowerShell window,
it does give some added challenges in terms of scripting. Any scripts you have created must now consider
that a prefix might exist, and you must ensure that you always use the same prefix if you want to re-use
Page 110
scripts. Any scripts that you find on the Internet and want to reuse will need to be updated before they can be
run in your environment. Given these issues, you might conclude that although it is possible to use a single
window, it is much easier to use separate PowerShell windows instead.
Page 111
migration vehicle. In this context, the hybrid connection exists to enable the transfer of mailboxes from on-
premises Exchange to Office 365, and you can shut it down after moving all the mailboxes. The question then
arises as to how to remove the hybrid connection and/or the remaining on-premises Exchange servers.
After all mailboxes are in Office 365, Exchange servers become glorified management tools. As explained in in
Chapter 5, because some mailboxes start as on-premises objects, the on-premises directory is the source of
authority for those objects when synchronized to Office 365, which then means that you must manage the
synchronized objects through on-premises Exchange tools.
Real World: Various third-party tools are available to carry out basic recipient management tasks that you
normally perform in the Exchange management tools. Although these tools usually work just fine,
Microsoft does not support them. This does not mean you cannot use the tools: it just means that
Microsoft has not tested the software and therefore cannot guarantee that they work as expected. If you
run into problems with a third-party management tool, you must contact the vendor to get support.
In scenarios where you need to keep Directory Synchronization to support other applications, you can follow
the process to remove the hybrid configuration but keep one on-premises Exchange server. You only need a
second server if you want to spread the processing load, as in the case of a geographically dispersed
organization. The pre-requisites for being able to completely remove on-premises Exchange servers are that
all mailboxes are in Office 365, you no longer use the on-premises Exchange servers to host workloads such
as journaling, public folders, or mail flow, and you disable directory synchronization. In my experience, few
organizations ever disable Directory Synchronization.
Real World: Companies who implement Directory Synchronization and never used Exchange in the past
must still install Exchange to manage recipients in Office 365. This is common when an organization
migrates from foreign email systems like Lotus Notes to Office 365.
Before explaining how to go about removing the hybrid connection, it is important to understand which tasks
the on-premises Exchange servers perform in a hybrid configuration. Understanding the role of a hybrid
server makes it easier to understand the various steps you must run through before decommissioning your
hybrid connection and removing Exchange servers from your environment. The hybrid server performs the
following functions:
• Managing the attributes of both on-premises and Office 365-based recipients through the Exchange
management tools.
• Enabling the use of Email Address Policies to automatically generate email addresses for recipients.
• Handling mail flow between on-premises and Office 365 recipients. If you enable centralized mail
flow, the servers are also responsible for handling inbound/outbound mail flow between Office 365
mailboxes and the internet.
• Handling free/busy requests between on-premises and Office 365 recipients.
• Handling Autodiscover requests for on-premises and Office 365 mailboxes.
• Handling mobile device redirects after mailboxes move to Office 365.
• Redirecting Office 365 users who log in via OWA to the Exchange Online OWA URL.
Although you only need one on-premises Exchange server, leaving the hybrid configuration untouched and
removing all but one server might be undesirable because that server is then a single point of failure. This is
especially true in a scenario where you enable centralized mail flow.
Page 112
1. Run the following command from the Exchange Online PowerShell and verify that the value for
PublicFoldersEnabled is set to Local:
[PS] C:\> Get-OrganizationConfig | Select PublicFoldersEnabled
If the value of PublicFoldersEnabled is set to Remote, set it to Local, assuming you have migrated all
public folders or you do not need access to public folders anymore:
[PS] C:\> Set-OrganizationConfig –PublicFoldersEnabled Local
It might take a while for this change to take effect. If you previously have migrated all public folders
to Exchange Online, this value should already have been set. If you have not yet migrated Public
Folders to Office 365 and still need access to them, you should not continue until the public folders
are moved.
2. Ensure no part of mail flow is handled by the on-premises organization. If not done already, start by
pointing the MX records for your email domains directly to Office 365. Remove any connectors that
may have been created by the Hybrid Configuration Wizard. In the on-premises organization, logon
to the Exchange Admin Center and navigation to mail flow > send connectors and remove the
appropriate connector. The connector created by the HCW is typically called Outbound to <uid>.
Similarly, logon to the Exchange Online EAC and navigate to mail flow > connectors and remove
both the Inbound and Outbound connectors called Inbound from <uid> and Outbound to <uid>.
3. Point the public Autodiscover DNS record directly to Office 365 by creating a CNAME record for
autodiscover.yourdomain.com which points to autodiscover.outlook.com.
4. The official documentation suggests setting the internal Autodiscover SCP to $null. However, I have
seen cases where this caused some issues. Instead, it is safer to point the SCP also directly to Office
365. Either set it to a value of https://autodiscover.outlook.com/Autodiscover/autodiscover.xml, or make
sure your internal DNS record for the Autodiscover SCP resolves to autodiscover.outlook.com. To
update the SCP, run the following command from the on-premises Exchange Management Shell:
[PS] C:\> Set-ClientAccessServer –AutodiscoverserviceInternalUri
https://autodiscover.outlook.com/Autodiscover/autodiscover.xml
5. Remove the Organization Relationships that were created by the Hybrid Configuration Wizard in both
the on-premises organization and in Exchange Online. In the on-premises organization, open the
Exchange Admin Center and navigate to organization > sharing. From there, remove the
Organization Relationship called On-premises to O365 - <guid>. Similarly, logon to the Exchange
Online EAC and remove the Organization Relationship named O365 to On-premises - <guid>.
6. Next, remove the hybrid configuration object from the organization by running the following
command from the on-premises Exchange Management Shell:
[PS] C:\> Remove-HybridConfiguration
Note that the Remove-HybridConfiguration cmdlet only exists in Exchange 2013 or later. The only way
to remove the object in Exchange 2010 is to use ADSIEdit.
If you are running an Exchange 2013 or Exchange 2016 hybrid configuration and have configured OAuth,
disable the configuration by doing the following:
7. Logon to the on-premises Exchange Management Shell and run the following command:
[PS] C:\> Get-IntraOrganizationConnector <name> |
Set-IntraOrganizationConnector –Enabled $False
8. Repeat step 7, but this time run the command from the Exchange Online PowerShell.
Depending on how you have configured OAuth, the name of the IntraOrganizationConnector might vary. If it
was setup through the HCW, the connectors are typically named HybridIOC - <uid>.
Page 113
Once you have completed all the steps above, you can uninstall all Exchange servers, with exception of the
server(s) you want to keep for managing hybrid recipients.
Real World: Keeping a single Exchange on-premises server just for recipient management comes as a
surprise for many organizations. As explained in Chapter 5, the requirement exists because the on-
premises Active Directory is the source of authority for all Exchange-related object attributes. Therefore,
you cannot edit Exchange attributes in Office 365 if Azure AD Connect is still synchronizing objects from
on-premises. The inability to manage mail recipients using native online tools is frustrating for many
administrators. Although this limitation has been there since day one, Microsoft is actively working on a
solution to allow organizations to remove the last on-premises Exchange server gracefully. We don’t yet
know what the final architecture will be (Microsoft gave some hints at Ignite 2018), but there is no doubt
that something is coming to make the problem more manageable.
Page 114
Chapter 5: Managing Hybrid
Recipients
An email system that cannot deliver messages to recipients is all but useless. When deployed as a hybrid
organization, the Exchange on-premises and Exchange Online components behave as a unified environment.
From an end user perspective, slight differences exist in how they interact with Exchange. Unfortunately, an
administrator does not have the same experience. Under the hood, an on-premises Exchange 2013/2016
organization and Exchange Online are fundamentally different systems that need a different approach to
recipient management at various levels. Although the management tools used to manage hybrid recipients
are the same as those used to manage on-premises recipients, the structure needed to ensure consistent
coexistence of both environments and the resulting feature gap create many management challenges. In
addition, the dependency on Directory Synchronization adds a layer of complexity to hybrid deployments
which ultimately creates differences in how certain elements of recipient management are performed in
Exchange on-premises or Exchange Online.
The term "hybrid recipient" refers to recipients that are part of a hybrid deployment. More specifically, these
recipients exist in the on-premises organization and are synchronized with Office 365. A hybrid recipient could
have a mailbox on-premises or in Office 365, it could be an on-premises mailbox with an archive in Office 365,
but it could just as well be a mail-enabled user or distribution group in either environment. As explained in
Chapter 4, the directory synchronization process synchronizes objects from the on-premises organization into
Azure Active Directory. Because this is largely a one-way synchronization, the on-premises Active Directory is
considered the "source of authority". This is where adds, deletes and changes to objects should be made.
In this chapter, we review the challenges introduced by Directory Synchronization and consider the
differences between managing pure online and on-premises recipients when compared to hybrid recipients.
We also discuss the most common actions an administrator performs for each recipient type, including
managing individual recipients and the various features available to those recipients. Despite some of the
differences between traditional recipients and hybrid recipients, many actions occur in the same way, meaning
that you can follow the advice contained in the chapters dealing with those objects.
User Mailboxes
Creating a New Hybrid Mailbox
To create a mailbox for a hybrid recipient, you must use the on-premises EAC or PowerShell. If a mailbox
already exists, it can be moved from the on-premises organization to Office 365. Although it is possible to
create a new on-premises mailbox and then move it to Office 365, it is easier and faster to just go ahead and
create the mailbox in Exchange Online.
The on-premises version of EAC has built-in support for Office 365 which allows you to create a new user
object in the on-premises Active Directory and a new mailbox in Office 365. The functionality is like that in the
Office 365 version of EAC. However, the difference is in what happens behind the scenes, as the on-premises
EAC runs the New-RemoteMailbox command to create an on-premises mail-enabled user account instead of
connecting to Office 365 to create a new mailbox there. This is the command an administrator runs in a
PowerShell session connected to an on-premises Exchange server if they want to create a new cloud mailbox.
Page 115
However, in both cases, the Office 365 mailbox is only provisioned after the object is synchronized from the
on-premises directory to Azure AD and then back to the Exchange Online Directory Store.
Note: To create a new Office 365 mailbox from the on-premises environment, the administrator must at
least be a member of the Recipient Management role group. However, being a member of this group
alone only allows the administrator to create a mailbox using PowerShell. To light up the ability to create
an Office 365 Mailbox directly from the Recipients tab in the EAC, the user must also be a member of
the View-Only Organization Management role group.
Various recipient types exist within Exchange. For instance, a user with a mailbox is a UserMailbox, and a
regular Mail-Enabled User is a MailUser. Recipients are differentiated by the value of the RecipientTypeDetails
attribute of the object in Active Directory. When a new mailbox in Office 365 is created for an on-premises
user, the RecipientTypeDetails property for the on-premises mail-enabled user account (or MEU) is set to a
decimal value of 2147483648, which translates into the value assigned to RemoteUserMailbox.
In a typical on-premises Exchange deployment, the RecipientTypeDetails property can have many different
values. However, in a hybrid configuration, only the following values are used to identify hybrid recipients:
Value Meaning Mailbox Location
2147483648 RemoteUserMailbox Office 365
1 UserMailbox On-premises
4 SharedMailbox On-premises
16 RoomMailbox On-premises
128 MailUser On-premises
Table 5-1: RecipientTypeDetails values and meaning
Note: In the case of a remote mailbox, the msExchRemoteRecipientTypeDetails attribute denotes the type
of mailbox in Office 365. The values used for that property are those listed in Table 13-1. A full list of
values and their corresponding recipient types is available here.
Every mail-enabled user account should automatically get a proxyAddress based on the tenant's routing
domain, sometimes also referred to as the coexistence or service domain. If you create your hybrid
configuration using the Hybrid Configuration Wizard, the remote routing domain is added to the on-premises
Exchange Organization, where it is configured as a Remote and Accepted Domain. The routing domain is also
added to all email address policies. This ensures that every recipient in the organization (such as a remote
mailbox) gets stamped automatically with an address that matches the remote routing domain. As a result,
when an object is synchronized with Office 365, it is addressable using that proxyAddress. For instance, an on-
premises user might receive the proxyAddress: tredmond@office365itpros.mail.onmicrosoft.com.
The remote routing domain is automatically created in Office 365 as soon as directory synchronization is
enabled. As you can see in the example below, the routing domain is in the format of
<tenantname>.mail.onmicrosoft.com. You can examine the domain by looking at Settings > Domains in the
Office 365 portal or through the PowerShell Module for Azure Active Directory with the Get-AzureADDomain
cmdlet:
PS C:\> Get-AzureADDomain
As mentioned earlier, the creation of an Exchange Online mailbox is triggered after the Mail-Enabled user
account (which you created using the on-premises management tools) is synchronized from the on-premises
directory. Once the mailbox is created, you can query Exchange Online for the mailbox and detect its presence
Page 116
using a remote PowerShell session to Exchange Online using the Get-Mailbox command as illustrated in the
example below:
[PS] C:\> Get-Mailbox TRedmond
Although typically faster, the creation of the mailbox in Exchange Online might take several minutes after the
account is synchronized to Azure AD. If you do not see a mailbox right away, wait a short while and then try
again. The user can only access their mailbox after it is fully created in Exchange Online and they are assigned
a valid license.
Licensing: Moving a mailbox from the on-premises organization or creating one directly in Exchange
Online will not automatically assign an Office 365 license to the account. This is a task that has to be
executed manually. Also, unlike a cloud-only identity for which a mailbox is automatically created after a
license is assigned (if a plan including Exchange Online is chosen), assigning a license to a synchronized
('hybrid') user object in Office 365 will not automatically create a mailbox. A good way to avoid forgetting
to assign a license is to create a PowerShell script that runs periodically and automatically assigns a license
to unlicensed accounts.
In the process of enabling the mailbox, the local user account is converted to a RemoteMailbox account. As
soon as this happens, one of the Email Address Policies is applied and the user's proxyAddresses attribute is
updated automatically to include additional addresses, including the routing address, as you can see from the
following command:
[PS] C:\>Get-RemoteMailbox swalker | Select -ExpandProperty EmailAddresses |
Select SMTPAddress
SmtpAddress
-----------
Steve.Walker@office365itpros.com
swalker@office365itpros.com
swalker@office365itpros.mail.onmicrosoft.com
As we've seen, there are two ways to create a hybrid mailbox: either enabled directly in Office 365 or the
mailbox is moved to Office 365 from the on-premises organization. As an administrator, it is useful to
understand the distinction between the two methods. It might also be useful to know exactly how each
mailbox in the organization was created. In the on-premises Exchange Management Shell, you can execute
Page 117
the Get-RemoteMailbox cmdlet to list all mailboxes in Office 365. As part of the returned information, there is
a property called RemoteRecipientType. This property indicates whether the mailbox was moved (Migrated) or
created directly in Office 365 (ProvisionMailbox):
[PS] C:\> Get-RemoteMailbox
The same information can also be retrieved directly from Exchange Online, using the Get-Mailbox command.
The difference here is that mailboxes in Office 365 are shown as a regular UserMailbox instead of a
RemoteUserMailbox:
[PS] C:\> Get-Mailbox | Select Name, RecipientTypeDetails, RemoteRecipientType
Name ExchangeGuid
---- ------------
Joseph Baker 4a38eded-77b5-43f6-8e2d-bf356d8497e0
Name ExchangeGuid
Page 118
---- ------------
Joseph Baker 4a38eded-77b5-43f6-8e2d-bf356d8497e0
When you use the New-RemoteMailbox or Enable-RemoteMailbox cmdlet, the on-premises organization does
not generate the ExchangeGuid, possibly because the on-premises organization knows that the mailbox is to
be created in the cloud and therefore no need exists for Exchange to stamp an identifying GUID on the new
mailbox. Instead, Exchange Online takes over and stamps the mailbox in Exchange Online with its GUID.
Because the ExchangeGuid is not an attribute that is written back to the on-premises organization as part of
any of the write-back features, both environments are now out of sync. When querying the remote mailbox
from on-premises Exchange, you will now see that the ExchangeGuid is empty:
[PS] C:\> Get-RemoteMailbox JReese | Select Name, RecipientTypeDetails, RemoteRecipientType
Name ExchangeGuid
---- ------------
John Reese 00000000-0000-0000-0000-000000000000
Because the ExchangeGuid value is missing, some problems can be encountered. For instance, if you attempt
to move a mailbox created by the New-RemoteMailbox cmdlet to the on-premises organization, the mailbox
move fails. Unfortunately, this behavior is by design and directly related to how the New-RemoteMailbox or
Enable-RemoteMailbox cmdlets work.
Two things can be done if you meet the problem of a missing ExchangeGuid. The simplest solution is to avoid
using the New-RemoteMailbox and Enable-RemoteMailbox cmdlets entirely. This means that if you ever want
to create a cloud mailbox from the on-premises organization, you must first create an on-premises mailbox
and then move it to Office 365. As such, you ensure that all properties are stamped on the mailbox in the on-
premises organization and then maintained through the directory synchronization process. For many
organizations, this could mean that an additional step is needed in their provisioning process, but it’s not a
huge issue as creating and moving the new mailbox to Office 365 is quickly done.
If you absolutely want to use the New-RemoteMailbox or Enable-RemoteMailbox cmdlets, you can update the
on-premises object with the ExchangeGuid of the Office 365 mailbox. Obviously, you only need to do this if
you want to move the mailbox to the on-premises organization. First, look up the value of the ExchangeGuid
for the mailbox in Exchange Online with the Get-Mailbox cmdlet:
[PS] C:\> Get-Mailbox JBaker | Select Name, ExchangeGuid
Name ExchangeGuid
---- ------------
Joseph Baker 4a38eded-77b5-43f6-8e2d-bf356d8497e0
Next, connect to the on-premises Exchange server, and stamp the ExchangeGuid onto the on-premises
recipient (remote mailbox) using the Set-RemoteMailbox cmdlet:
[PS] C:\> Set-RemoteMailbox JBaker –ExchangeGuid 4a38eded-77b5-43f6-8e2d-bf356d8497e0
Once you've manually stamped the object in the on-premises Exchange organization, you will be able to
move the mailbox.
Real world: In addition to mailbox moves failing, there have been some reports of cross-premises
permissions not working properly when the ExchangeGuid property is blank for an on-premises object.
Your mileage may vary as some organizations have reported that cross-premises permissions work just
fine, even without the ExchangeGuid.
Page 119
all, hybrid recipients are supposed to be managed using on-premises tools. However, certain options such as
Mailbox Usage, Mailbox Delegation and Mailbox features are absent. This is because the on-premises
environment cannot access the information with regards to mailbox usage etc. The option pages missing in
the on-premises EAC are available through the EAC in Office 365. But remember, synchronized objects cannot
be managed using the online tools, which is the EAC in Office 365 can only view those properties and access
information like mailbox usage. Attempts to update a property will result in a warning (Figure 5-1).
Figure 5-1: A warning that you cannot update a synchronized object in Office 365
Real world: A new mailbox sometimes takes a few moments to synchronize across directories. This is
because of how identities are synced to and inside Office 365. The synchronization from on-premises is
done with Microsoft Azure Active Directory. From there, a "back sync" process ensures object are
synchronized to the directory used to support Exchange Online (EXODS). Once the synchronization
happens, the mailbox is created. Usually, this entire process only takes a few seconds, but it's common to
have to wait a few minutes after the initial synchronization from the on-premises organization.
Page 120
Granting an Office 365 user (mailbox) access to a mailbox in the on-premises Exchange environment can be
done through the EAC or with PowerShell:
[PS] C:\> Add-MailboxPermission –Identity <OnPrem-Mailbox> -User <Office365Mailbox>
-AccessRights FullAccess –AutoMapping $False
By default, Automapping will work when the Full Access permission was granted prior to moving one of the
mailboxes to Exchange Online. If you have assigned the permission while one of the mailboxes was on-
premises and the other in Exchange Online, you must apply a workaround as described here.
Real World. As with many things, the end-user experience in sharing scenarios can vary, depending on
various factors like the client application and the authentication type. If Modern Authentication is enabled,
the experience is more likely to be seamless, but with basic authentication the user might see additional
credential prompts. This is because once Outlook has established a connection to the on-premises
organization, it then needs to connect to Office 365 which triggers the additional authentication.
Real World. Note that you only need to make this update if you wish to support cross-premises
permissions such as Send-on-behalf-of, Delegate Access, etc. If you only need Full Access, no changes are
necessary.
When a mailbox is moved to Exchange Online, the on-premises recipient is updated from a "Mailbox User" to
"Remote Mailbox, Migrated" after the move is completed. Without an update to your configuration, the
object has a value of "-2147483642" in the msExchRecipientTypeDetails attribute of that recipient. However,
that value does not allow it to be assigned permissions to. Instead, a value of "-1073741818" is required. To
ensure that the attribute is correctly updated in the future, you must first update the on-premises
organization configuration:
[PS] C:\> Set-RemoteMailbox -ACLableSyncedObjectEnabled $true
Note: Microsoft's documentation states that you do not need to perform this step when running Exchange
2016 on-premises. However, personal testing contradicts this. Until this ambiguity has been resolved, it's
better to perform this step anyhow. If not, you will have to continue to update recipients manually, as
explained below.
Any mailbox that is moved to Exchange Online after you make the change will automatically be updated with
the correct value. For mailboxes that have been moved prior to the update, you must manually update the
msExchRecipientTypeDetails attribute. The easiest way is to use the on-premises Exchange Management Shell:
[PS] C:\> Get-RemoteMailbox | ForEach { Get-AdUser -Identity $_.Guid -Properties
msExchRecipientDisplayType} | Set-ADObject -Replace @{msexchRecipientDisplayType=-1073741818}
To verify that the command completed successfully, run the following command:
[PS] C:\> Get-RemoteMailbox | ForEach { Get-AdUser -Identity $_.Guid -Properties
msExchRecipientDisplayType} | Select UserPrincipalName,MSExchRecipientDisplayType
Page 121
UserPrincipalName MSExchRecipientDisplayType
----------------- --------------------------
bweaver@office365itprobook.com -1073741818
bchang@office365itprobook.com -1073741818
blane@office365itprobook.com -1073741818
bcampbell@office365itprobook.com -1073741818
bwilson@office365itprobook.com -1073741818
bkelly@office365itprobook.com -1073741818
bjones@office365itprobook.com -1073741818
tredmond@office365itprobook.com -1073741818
After you update all the migrated mailboxes, you can assign permissions to them.
Send-on-Behalf-of
In addition to the Q1 2018 service update, you must install the April 2018 update of Azure AD Connect
because it adds the two-way synchronization of the PublicDelegates attribute between the on-premises
organization and Exchange Online. This attribute contains information on what recipients have been granted
the Send-on-behalf-of rights and is required to ensure that permissions that are granted on-premises show
up in Exchange Online and vice versa. When you assign a permission to a recipient cross-premises, there
might be a delay before the permission starts to work; this is because Azure AD Connect first needs to
synchronize the update attribute.
The process of granting Send-on-behalf-of permissions in a hybrid deployment is no different from on-
premises; you can use both PowerShell or the Exchange Admin Center in Exchange Online to do so. To assign
the permission using the EAC, follow these steps:
1. Login to the EAC.
2. Navigate to recipients > mailboxes and then select properties of the mailbox you want to assign Full
Access permissions for.
3. In the properties window, navigate to mailbox delegation.
Scroll down to the Send on Behalf-section. From there, use the recipient picker (plus-sign) to add the
on-premises mailbox to which you wish to grant permissions.
Note: Once you have updated the ACLableObjectSynced parameter in your Organization Configuration,
you will be able to do the same in Exchange on-premises for a mailbox in Exchange Online.
Delegate Access
Delegate Access is typically configured by users without administrator help using a client like Outlook
desktop. Depending on what level of access is given, the delegate can perform various tasks such as accessing
specific mailbox folders, sending messages on behalf of the user, or managing the user's calendar. When a
user grants other users delegate access to his mailbox, specific attributes of the user object and the mailbox
are updated to reflect the newly granted permissions. If both the source mailbox and the assignee are in the
same environment (on-premises or Office 365), delegate access will work just fine.
This is not exactly true when the involved mailboxes are in different environments. Although cross-premises
Delegate access is not supported, most of the functionality (like calendar access, meeting requests forwarding
rules, etc.) work most of the time. In that statement also lies the danger: testing shows that the end-user
experience can be unpredictable and greatly depend on the (type of) client, authentication mechanism, etc.
Furthermore, more complex on-premises organizations (like multi-forest deployments) might have additional
challenges of their own.
As Microsoft is working to provide a more coherent story around cross-premises Delegate Access, you should
follow the advice given in this article.
Page 122
Send-As
Like Delegate Access, both the mailbox and assignee's mailbox must be hosted in the same environment for
these permissions to work without added effort. However, you can apply a workaround to make these
permissions work cross-premises. Paradoxically, although Microsoft provides details of the workaround, they
do not officially support this permission cross-premises yet. However, testing shows that Send-As seems work,
even in some complex scenarios.
Unlike other Exchange permissions, Send-As permissions are granted at the Active Directory level. This is why
you need to run the Set-ADPermission cmdlet, and not Add-MailboxPermission. Because there is currently no
mechanism to synchronize these permissions cross-premises, Send-As permissions will only work without
added effort if you assign them prior to moving a mailbox to Exchange Online. If you wish to assign Send-As
permissions cross-premises, you must manually keep the permissions in sync between Exchange Online and
on-premises. If an on-premises recipient adds an Exchange Online mailbox as assignee, you must manually
run the Add-ADRecipientPermission cmdlet in Exchange Online. In the reverse scenario, you must run the Set-
ADPermission cmdlet within the on-premises organization.
In the following example, an Exchange Online mailbox (TRedmond) is granted Send As permissions to an on-
premises mailbox (PGreen). To ensure that TRedmond can exert its rights, the administrator manually runs the
following command within the on-premises organization:
[PS] C:\> Set-ADPermissiong "PGreen" -User "Tredmond" -ExtendedRights "Send As"
In the reverse scenario, where PGreen would have been granted to TRedmond's mailbox, the administrator
would have to execute the following command in Exchange Online:
[PS] C:\> Add-RecipientPermission "TRedmond" -AccessRights SendAss -Trustee "PGreen"
Page 123
[PS] C:\> Set-Mailbox MSpencer –Type Shared
After executing the command, you can call the Get-Mailbox cmdlet and observe that the RecipientTypeDetails
for the mailbox have successfully changed from UserMailbox into SharedMailbox:
[PS] C:\> Get-Mailbox MSpencer | Format-List *type*
ResourceType :
RemoteRecipientType : Migrated, UserMailbox
RecipientType : UserMailbox
RecipientTypeDetails: SharedMailbox
In a cloud-only deployment, this would be the end of it. However, in a hybrid deployment we still have the
on-premises counterpart where the "Remote Mailbox" is still shown as a regular mailbox instead of a Shared
Mailbox. If you are only using your on-premises Exchange servers for management purposes, you might not
care a great deal about what the value of the RecipientTypeDetails property is for a Remote Mailbox. However,
if your hybrid deployment contains mailboxes in both Exchange on-premises and Exchange Online, you want
both environments to show the mailbox for what it really is: a shared mailbox.
We took care of Exchange Online by executing the Set-Mailbox command to convert the mailbox to be a
shared mailbox. Officially, the 'correct' way of converting a regular user mailbox into a shared mailbox is to
convert it on-premises and then move it to Office 365. While this approach will work, it means that you would
have to off-board the mailbox to the on-premises environment first, convert it into a shared mailbox and the
move it back to Office 365. This seems like an awful lot of work to just convert a mailbox.
Another way exists to accomplish the same task. Unfortunately, it involves getting your hands dirty with a low-
level attribute editor such as ADSIEdit. Alternatively, you can also use the Attribute Editor in the Active
Directory Users and Computers console or edit the attribute in PowerShell. Note that neither of these
approaches are supported by Microsoft.
As discussed earlier, in a hybrid deployment the on-premises user object is synchronized to Azure Active
Directory so that the object is identical in both the on-premises organization and Office 365. In the previous
PowerShell example, we examined the RecipientTypeDetails attribute. The value of this attribute tells Exchange
what the type of a mailbox is. When viewing the RecipientTypeDetails through PowerShell, the value you see is
a string. For example, 'SharedMailbox' or 'UserMailbox'. However, the actual decimal value is what is stored in
Active Directory in the msExchRecipientTypeDetails attribute. In case of a hybrid deployment, a mailbox in
Office 365 isn't represented as a regular mailbox in the on-premises environment, but as a remote mailbox. In
fact, the attribute that controls the type of a mailbox in Office 365 is not the msExchRecipientTypeDetails but
msExchRemoteRecipientType (Figure 5-2).
Figure 5-2: The msExchRemoteRecipientType attribute of a remote mailbox, viewed through ADSIEdit
Page 124
The decimal value '6' (six) means a mailbox, migrated from on-premises, with a provisioned archive in
Exchange Online. Provisioned means that the archive was created in Exchange Online rather than being
moved from the on-premises environment. Using PowerShell connected to Exchange Online, you will see the
corresponding values when running the Get-Mailbox command and looking at the RemoteRecipientType
property:
[PS] C:\> Get-Mailbox Adunn | Select RemoteRecipientType
RemoteRecipientType
-------------------
ProvisionArchive, Migrated
Now that we know what attribute is used to control the type of the mailbox, we can examine the different
values that it can have. Table 5-2 gives the necessary guidance.
msExchRemoteRecipientType Explanation
3 ProvisionedMailbox, ProvisionedArchive (both the mailbox and
the archive were created directly in Office 365, for example using
the New-RemoteMailbox command)
4 Migrated mailbox (the mailbox was moved from the on-premises
organization to Office 365)
6 Migrated mailbox, ProvisionedArchive (the mailbox was moved
from the on-premises organization to Office 365, but the archive
was created directly in Exchange Online)
20 DeprovisionArchive, Migrated mailbox (this value is used when
an archive for a migrated mailbox is disabled)
97 Provisioned Mailbox, Shared
100 Migrated Mailbox, Shared
Table 5-2: Remote Recipient Type values
If we take the above information and put it together, converting a regular mailbox to a shared mailbox in a
hybrid deployment consists of the following two steps:
1. Convert the mailbox in Exchange Online to a shared mailbox using the Set-Mailbox –Shared
command. This will change the RecipientTypeDetails of the mailbox in Office 365 to 'Shared'.
2. Match the on-premises user object with the object in Office 365 by manually changing the value of
the msExchRemoteRecipientType attribute into 97 or 100 and then wait for directory synchronization
to happen. This change will ensure that the RemoteRecipientType property of the mailbox in Office
365 is changed into either ProvisionMailbox, SharedMailbox or Migrated, SharedMailbox. There is no
effective difference between the value of '97' and '100' for the msExchRemoteRecipientType and the
value does not affect how a shared mailbox works.
Looking back at the previous PowerShell example, we can see that the value of the RemoteRecipientType in
Exchange Online was 'ProvisionArchive, Migrated'. After executing both steps, the properties of the mailbox
will look differently as you can see from the following output:
[PS] C:\> Get-Mailbox Adunn | Format-List *type*
ResourceType :
RemoteRecipientType : Migrated, SharedMailbox
RecipientType : UserMailbox
RecipientTypeDetails: SharedMailbox
The process of converting a hybrid mailbox to a shared mailbox is not straightforward. It would be much
easier to just be able to run the Set-RemoteMailbox command with a –Shared parameter. However, until
Microsoft decides to create such a switch, this is just what you will have to do!
Page 125
Converting a Regular Mailbox into an Inactive Mailbox
Luckily, the process for converting a mailbox into an Inactive Mailbox is much simpler that the one to convert
into a Shared Mailbox. To remind you, an Inactive Mailbox is a mailbox in Office 365 for which litigation hold
or an in-place hold is activated before the user account is removed. Instead of purging the mailbox after the
deleted mailbox retention period, Office 365 keeps the mailbox in the soft-deleted state until the hold is
removed.
Following the general rule in a hybrid deployment, activating an in-place hold for a hybrid mailbox is done
through the on-premises management tools. For instance, using the EAC, you can create a new in-Place hold
policy for the mailbox you want to preserve. In-place holds are managed in the compliance section of EAC.
After the in-place hold is enabled, you must wait for the next directory synchronization cycle for the change to
be applied to the mailbox in Office 365. To verify that the changes were successfully synchronized and applied
to the online mailbox, you can use the Get-Mailbox command in PowerShell for Exchange Online:
[PS] C:\> Get-Mailbox Adunn | Select InPlaceHolds
InPlaceHolds : {f26df6b770e841f8a0b78b0f7c75d020}
Alternatively, you can also enable an In-Place Hold directly in Exchange Online and wait for the directory
synchronization process to synchronize the change back into the on-premises environment. This too is one of
the exceptions where you can manage a hybrid recipient through online tools because the attribute which
contains information about the hold policies (msExchUserHoldPolicies) is one of the few write-back attributes
that exist today.
If you perform this action for the sole purpose of being able to delete the user account, there is no real
purpose in making sure that the settings are consistent across both environments. After all, you are going to
delete the user object shortly anyway. Exactly for this reason, you can also choose to enable Litigation Hold
for the mailbox in Office 365 without waiting for any changes to be written back into the on-premises
environment. To do this, run the Set-Mailbox command with the LitigationHoldEnabled switch set to $True in
an Exchange Online PowerShell session:
[PS] C:\> Set-Mailbox Adunn –LitigationHoldEnabled $True
WARNING: The hold setting may take up to 60 minutes to take effect.
Note that this change will not be synchronized back into the on-premises Active Directory. But for the sole
purpose of converting a mailbox into an Inactive Mailbox, this is OK. After the mailbox has been successfully
configured for Litigation Hold or placed under an in-place hold, you can remove the user account. This will
ensure that the mailbox is 'disconnected' from the account and placed in a soft-deleted state. It will remain in
such a state until the hold is removed, or until you decide to recover or restore the Inactive Mailbox.
In a hybrid deployment, several options exist to delete a user account:
• Delete the on-premises account and wait for the directory synchronization process to sync the
deletion to Azure Active Directory after which the account is also removed from Office 365
automatically.
• Forcefully remove the user account from Azure Active Directory and exclude the on-premises user
object from being synchronized again.
The latter approach is a little tricky and should only be tried if you cannot remove the on-premises user
object. If you go down this route, it is critical that you make sure the user object is not (accidentally)
synchronized back to Office 365. If it is synchronized back, the soft-deleted mailbox will automatically be
reconnected to the user account. The recommendation to change the account password before converting a
mailbox is very relevant as this ensures that none can access the mailbox if it is accidentally revived.
Page 126
More About Inactive Mailboxes
To see which inactive mailboxes exist in your tenant environment, you can run the following command from
the Exchange Online PowerShell session. Note that this command is not available in on-premises Exchange
PowerShell:
[PS] C:\> Get-Mailbox -InactiveMailboxOnly
If you need to regain access to the information held in an inactive mailbox, there are two different actions we
can perform:
• Restoring an Inactive Mailbox.
• Recovering an Inactive Mailbox.
The difference between both is more than just semantics. Restoring an inactive mailbox means that the
contents of the Inactive Mailbox are transferred into another – already existing – mailbox. Recovering, on the
other hand, is the process of converting the inactive mailbox into a mailbox which can be used by a different
person. Both processes are explained in the Exchange Online chapter (main book) and apply to hybrid
recipients. However, there are some particularities to keep in mind.
Of course, the mailbox into which you want to restore the contents of the Inactive Mailbox must already exist.
[PS] C:\> New-Mailbox –InactiveMailbox $Inactive –Name "Joe Healy" –FirstName Joe
–LastName Healy –DisplayName "Joe Healy" –PrimarySMTPAddress "Joe.Healy@Office365ITPros.com"
Page 127
–Password (ConvertTo-SecureString –String "Testing123!" –AsPlainText –Force)
–ResetPasswordOnNextLogon $True
Next, you must create a matching object (RemoteMailbox) in the on-premises organization using the same
email address as the cloud-based mailbox that was created to attach the Inactive Mailbox to
(Joe.Healy@Office365ITPros.com). Additionally, you must ensure that the ExchangeGuid of the on-premises
object matches the one of the mailbox in Office 365. The next step is to run the following command in an
Exchange Online PowerShell session to get the ExchangeGuid of the recovered mailbox and update the
corresponding on-premises user object by adding the ExchangeGuid to it:
[PS] C:\> $mailbox = Get-Mailbox "Joe Healy"
[PS] C:\> Set-RemoteMailbox –Identity RecoveredMailbox –ExchangeGuid $mailbox.ExchangeGuid
If you do not already have an on-premises mail-enabled user object of the RemoteMailbox type, you can
create one with the New-RemoteMailbox cmdlet first as described earlier.
The next time that the Directory Synchronization process runs, the on-premises object will be "soft-matched"
to the cloud-based object so that in subsequent synchronizations the object is updated automatically. If you
have deployed SSO, at this point the on-premises user account can access the cloud-based mailbox using its
on-premises credentials instead of the credentials managed and stored in Office 365.
Shared Mailboxes
Shared mailboxes have a lot in common with regular mailboxes. Moving a shared mailbox to Office 365 is a
simple and straightforward process. Things become a little more complicated when attempting to create a
new hybrid shared mailbox directly in Office 365. If a cloud-only shared mailbox is created, only Office 365
users will be able to see the mailbox in the GAL. Therefore, just like hybrid recipients, a shared mailbox should
be created on-premises.
Only the cloud version of EAC supports the option to convert a shared mailbox to a regular mailbox and vice
versa. An administrator can convert a regular mailbox to a shared mailbox in Office 365, but that creates an
inconsistency between the on-premises object and Office 365 in the process. In the on-premises Exchange
organization the mailbox is still known as a regular mailbox, while it is a shared mailbox in Office 365. Because
users in both environments can access shared mailboxes cross-premises, this can cause confusion. The
inconsistency can be seen by looking at recipient details in both the on-premises organization and Exchange
Online. In the on-premises organization, the remote mailbox is of the type RemoteUserMailbox:
[PS] C:\> Get-RemoteMailbox <user> | Format-List *recip*
RemoteRecipientType : Migrated
RecipientLimits : Unlimited
RecipientType : MailUser
RecipientTypeDetails : RemoteUserMailbox
RecipientLimits : 500
RemoteRecipientType : Migrated
RecipientType : UserMailbox
RecipientTypeDetails : SharedMailbox
Today, the only supported way to create a hybrid shared mailbox directly in Office 365 is to create a shared
mailbox on-premises and then move it to Office 365. Another effective workaround – albeit unsupported - is
to first create a shared cloud mailbox in Office 365 and then use the 'soft-matching' process to connect the
on-premises object and cloud-object with one another. This approach is very similar to the one used to
Page 128
recover an Inactive Mailbox. When running the New-Mailbox cmdlet, make sure to specify an email address
using the PrimarySMTPAddress parameter as this is what will be used to match the on-premises object to the
cloud object later on. Run the following command from an Exchange Online PowerShell session to create a
new shared mailbox (and cloud-only user account):
[PS] C:\> New-Mailbox –Name SharedMBX –Shared
–PrimarySMTPAddress SharedMBX@office365itpros.com
Next, you create an on-premises remote mailbox using the New-RemoteMailbox cmdlet. This should be done
from the on-premises server. As you can see from the output below, the RemoteRecipientType is set to
ProvisionMailbox which means this is a regular mailbox, not a shared mailbox. To create a shared mailbox,
specify the -Shared switch.
[PS] C:\> New-RemoteMailbox –Name SharedMBX
–RemoteRoutingAddress sharedmbx@office365itpros.mail.onmicrosoft.com
–Password (Get-Credential).Password –UserPrincipalName "sharedmbx@office365itpros.com"
–PrimarySMTPAddress SharedMBX@office365itpros.com
To convert the mailbox to a shared mailbox, you must manually change the MsExchangeRemoteRecipientType
attribute of the on-premises object to a value of '97' using a tool like ADSIEdit. To be effective, this must be
done before the next directory synchronization cycle. Alternatively, you can also edit the attribute using
PowerShell, as illustrated in the following example:
[PS] C:\> Set-ADUser MSpencer –Replace @{msExchRemoteRecipientType=97}
Note: To avoid any problems due to the directory synchronization process starting while you are still
performing these actions, it is a clever idea to temporarily disable the synchronization schedule on the
directory synchronization server (AAD Connect).
As soon as you make the change, you can verify that the mailbox shows up as a "SharedMailbox" in the on-
premises environment:
[PS] C:\> Get-RemoteMailbox SharedMBX | Select Name,RecipientTypeDetails,RemoteRecipientType
At the next synchronization cycle, the on-premises object will be linked to the mailbox in the cloud thanks to
the soft-matching process. The mailbox in Office 365 will now still be a shared mailbox, as you can see from
the output below after running the Get-Mailbox cmdlet in the Exchange Online PowerShell session:
[PS] C:\> Get-Mailbox SharedMBX | Select Name, RecipientTypeDetails
Name RecipientTypeDetails
---- --------------------
SharedMBX SharedMailbox
Resource mailboxes: Unlike shared mailboxes, an administrator can easily change the type of a resource
mailbox using the Set-RemoteMailbox cmdlet in the on-premises organization. By adding the –Type
Page 129
parameter and specifying the desired value (Regular, Room, Equipment), the mailbox's type will be changed
at the next synchronization cycle.
Archive Mailboxes
Enabling Exchange Online Archives for On-premises Mailboxes
One of the features in a hybrid deployment is the ability to create a cloud-based archive for an on-premises
mailbox. Like most other tasks, an administrator can enable a cloud-based archive either using the on-
premises EAC or PowerShell. To enable the archive from the EAC, select the mailbox, click Enable under In-
Place Archiving in the action pane and then select Cloud-based archive: <tenant>.mail.onmicrosoft.com:
You can also enable a cloud-based archive for a mailbox using PowerShell. An example of doing so is shown
below. The command must be executed from an on-premises server.
[PS] C:\> Enable-Mailbox TRedmond –RemoteArchive
–ArchiveDomain office365itpros.mail.onmicrosoft.com
Now, let's discuss what happens in the background when a cloud-based archive is enabled.
Page 130
2. Exchange "stamps" the on-premises object with archive details such as an Archive Name, the Archive
Guid, quota settings, and a temporary Archive Status of HostedPending as illustrated below:
[PS] C:\> Get-Mailbox bjones | Format-List Archive*
ArchiveDatabase :
ArchiveGuid : 5cddc878-69f9-4eef-a4c1-f5677d4b51f0
ArchiveName : {In-Place Archive - Brian Jones}
ArchiveQuota : Unlimited
ArchiveWarningQuota : Unlimited
ArchiveDomain : office365itpros.mail.onmicrosoft.com
ArchiveStatus : None
ArchiveState : HostedPending
ArchiveRelease :
3. The Directory Synchronization process updates the cloud-based object with the new attribute values
written to the on-premises object when the archive was enabled.
4. The updated values trigger a process in Exchange Online to create the archive mailbox. The archive
mailbox will be created using the Archive GUID from the on-premises mailbox. Once the archive
mailbox is created, the cloud-based mail-enabled user account is updated by changing the value of
the ms-Exch-ArchiveStatus attribute to 1.
5. The next time the directory synchronization process runs, the updated attribute is written back into
the on-premises Active Directory. When this happens, the ArchiveState attribute of the user's mailbox
is changed from HostedPending into HostedProvisioned.
6. Next time the user opens his mailbox in Outlook or Outlook Web App, the Autodiscover process
includes information of the cloud-based archive which triggers the client to connect to the added
resource as described in the Clients chapter (main book).
Note: The first time a user tries to connect to their archive mailbox, a credential prompt might appear,
depending on how authentication is configured. When you use the default authentication, Outlook
connects to Exchange Online using basic authentication which triggers the prompt for credentials. When
this happens, the user can select to save their password and they are not asked for credentials the next
time they connect to the online archive. However, if you have configured Single Sign On and have enabled
Modern Authentication, no more password prompts will appear.
Page 131
archive to a PST and later import from the PST to the target destination. Outlook desktop is the only client
that can access an on-premises mailbox and a cloud archive.
Finally, many of the PowerShell cmdlets available for Exchange do not support execution against an online
archive when the primary mailbox is on-premises. The problem here is that if you run cmdlets from a session
connected to the on-premises server, you can access the primary mailbox but not the archive (Get-
MailboxStatistics is a notable exception). On the other hand, if you connect to a cloud mailbox, you cannot
access archives that belong to on-premises mailboxes.
It is possible that these issues exist because of a view that on-premises mailboxes with cloud archives will
eventually move everything to the cloud and so cause the problems to disappear. It is unclear whether
Microsoft will dedicate any resources to fix the problems and they might then be something that you just
have to live with if you want to use this on-premises/cloud mailbox configuration.
ArchiveState : HostedProvisioned
ArchiveGuid : f5ab68ba-f026-4e8f-b931-e95d08187bed
ArchiveName : {In-Place Archive – Joe Pearson}
ArchiveQuota : 100 GB (107,374,182,400 bytes)
ArchiveWarningQuota : 90 GB (96,636,764,160 bytes)
ArchiveDatabase :
ArchiveStatus : Active
Now compare the values created when an archive is created for an on-premises hybrid mailbox from the
Security and Compliance Center. Notice the lack of values for ArchiveGuid, ArchiveState, or ArchiveName:
[PS] C:\> Get-RemoteMailbox jbaker | Format-List Archive*
ArchiveState : None
ArchiveGuid : 00000000-0000-0000-0000-000000000000
ArchiveName : {}
ArchiveQuota : 100 GB (107,374,182,400 bytes)
ArchiveWarningQuota : 90 GB (96,636,764,160 bytes)
ArchiveDatabase :
ArchiveStatus : Active
Page 132
Despite the advantage of faster provisioning, the inconsistency that is generated between the on-premises
object and its Office 365 counterpart can create some management challenges. Through the normal
provisioning process, the on-premises objects have all the archive information and can be queried using the
on-premises management tools like PowerShell. In this approach, however, the on-premises objects have no
values for archive-specific attributes. As such, if you use archives both on-premises and in Office 365; you
must target reporting scripts and tools to fetch information from both Exchange environments to get the full
picture of your environment –rather than querying just the on-premises Exchange servers.
The lack of an ArchiveGuid stamped on the on-premises object also prevents you from moving the archive
back to the on-premises organization! Before you can move the archive, you must manually copy the value
from the mailbox in Office 365 to the on-premises object.
If you do not plan to off-board archives and you can live with the idea that you must focus on Exchange
Online any time information is needed about archives, you might not care a great deal about this issue. But if
you want to keep maximum flexibility, you might want to ensure that archives are created consistently using
only the on-premises EAC or PowerShell.
Note: The May 2017 release of Azure AD Connect introduced the ability to synchronize mail-enabled
Public Folders to Office 365. This functionality, however, cannot be used to make Public Folders available
cross-premises. The migration and hybrid configuration process for Public Folders still relies on the use of
scripts provided by Microsoft.
Page 133
TechNet. An assumption is made that the on-premises and cloud organizations share a hybrid configuration
that is working smoothly. In outline, the process follows these steps:
• Make the legacy public folders available to Exchange Online mailboxes. This is done by creating an
empty mailbox in a database on every on-premises mailbox server that hosts public folder databases.
The mailbox does nothing except to act as a proxy for incoming connections from Exchange Online
users.
• Exporting details of the on-premises mail-enabled public folders to an XML file. Microsoft provides a
script for this purpose.
• Importing the XML file to create mail-enabled objects so that they are recognized as such by
Exchange Online. Again, Microsoft has a script to do the work. Note that exporting and importing
public folder data needs to be done periodically to pick up changes made in the public folder
hierarchy on the on-premises servers. Synchronization using the scripts provided by Microsoft is not
automatic. However, you can deploy DirSync or Azure Active Directory Sync Services to achieve
automatic cross-premises synchronization of public folder objects. This is the preferred solution if you
want to maintain legacy public folders on-premises.
• Configure the Exchange Online tenant so that it knows to redirect attempts to access public folders to
the on-premises servers. This is done by running the Set-OrganizationConfig cmdlet to provide the
names of the public folder proxy mailboxes for the on-premises servers.
It is also possible to have the reverse configuration and have Exchange Online provide public folders to on-
premises mailboxes. In this scenario, the public folder mailboxes pointed to by the Set-OrganizationConfig
cmdlet are hosted by Exchange Online. In either case, it is recommended that the set of public folder
mailboxes used to redirect connections from legacy to on-premises or vice versa do not contain the primary
public folder mailbox as this mailbox should be reserved (as far as possible) for hierarchy maintenance and
propagation.
Cross-premise access is only supported by Outlook clients as these are the only clients that consume the
information provided by Autodiscover which tells the client how to find the on-premises public folders.
Outlook 2016 for Mac (with the April 2016 update) supports certain cross-premises scenarios for access to
public folders. OWA doesn't use Autodiscover so Exchange Online users can't use this client to access public
folders.
Groups
Although some types of groups are only available in Office 365 it does not mean that the other group types
aren't relevant in a hybrid deployment. As you will notice in the topics below, there are some particularities
which you need to look out for!
Note: When you create an OPATH query for an on-premises dynamic distribution group, you must pay
attention to the directory scope for the query, as defined in the RecipientContainer property for the group.
The scope is established by an Active Directory OU such as “/contoso.com/Exchange users”, including all
its child OUs. You can continue to do this in a hybrid environment because the on-premises Active
Directory is used to resolve the query. However, things are a little different in a pure cloud environment
because Office 365 creates all user accounts in the top level organizational unit for the tenant (as in
Page 135
tenant.onmicrosoft.com). All dynamic distribution groups created in this scenario will have their
RecipientContainer property set to the top-level organizational unit. You cannot change this value, so the
queries for dynamic distribution groups created in a pure cloud deployment of Exchange Online are
scoped to execute against the entire directory.
For example, assume a Dynamic Distribution Group called "DDG_Sales" exists in the on-premises organization
and the email address of the group is Sales@Office365ITPros.com. The administrator can then create a
contact in Exchange Online which preferably uses the same name (to avoid confusion amongst users) and
matching email address:
[PS] C:\> New-MailContact –DisplayName "DDG_Sales" –Alias "DDG_Sales"
-ExternalEmailAddress "sales@office365itpros.com"
The membership of a dynamic distribution group is calculated through its recipient query, which is resolved
against Active Directory to calculate the group members each time the group is used by someone to address
a message. The query can include only Exchange mailboxes. Exchange Online mailboxes are represented as
mail-enabled Users in the on-premises Active Directory which means that a mailbox, after it is migrated to
Exchange Online, will no longer be found within the scope of these queries.
To ensure that dynamic distribution groups also include Exchange Online mailboxes, their scope must be
modified to also include mail-enabled users. The easiest way to do so is through the on-premises EAC:
1. Click recipients and then groups.
2. Double-click the dynamic distribution group you want to modify.
3. On the membership tab, under Members, make sure to select Mail users with external email
addresses.
Note: You can apply the same workaround for dynamic distribution groups that exist in Office 365, but
not on-premises. By changing the scope of the cloud-based distribution group and adding a contact to
the on-premises organization, the distribution group can be used by people whose mailbox is hosted in
the on-premises organization.
Next, you create an on-premises Distribution List named "Human Resources". In the on-premises
organization, the details of the DL are as follows:
[PS] C:\> Get-DistributionGroup "Human Resources" | Select Name,DisplayName,PrimarySMTPAddress
Once the DL is synchronized to Office 365, the names assigned to the DL in EXODS (and therefore, in the
address lists visible to end users) are updated according to the policy. The email addresses remain untouched.
[PS] C:\> Get-DistributionGroup "Human*" | Select Name,DisplayName,PrimarySMTPAddress
Page 136
The naming policy has no retrospective effect over DLs that already exist in the directory. It is only applied
when a DL is created. Having different names for the same DL in the on-premises and cloud directories is
obviously not a good situation. The best approach is therefore to ensure that the same naming policy is
applied in both environments.
smtp:o365book@office365labonline.onmicrosoft.com
SMTP:o365book@office365lab.be
Real world: An on-premises Exchange organization does not bifurcate messages sent to an Office 365
Group. Instead, on-premises Exchange routes messages to Exchange Online, which can determine the full
and up-to-date membership for the groups. Exchange Online applies the necessary logic to route
messages to the members of the group – even if that means sending a copy of the message back to the
on-premises Exchange servers.
The experience is slightly better when you implement directory synchronization and enable the group write-
back feature. The group write-back feature is a part of Azure AD Connect and automatically takes care of
creating an on-premises object, and stamping it with a targetAddress. Unfortunately, the value that is written
back as the targetAddress is the Group's primary SMTP address. By default, the Group's primary SMTP address
is based on the tenant's routing domain. As such, if the default SMTP address' domain is not used in the on-
premises organization, if it is based on the tenant's routing domain, or if the domain is set to an Internal Relay
domain on-premises, you should be fine.
However, problems might appear if the domain used for the primary SMTP address for a group is the same as
any of the SMTP domains used by the on-premises organization. For example, if a group’s primary email
address is O365Group@Office365ITPros.com, then the value for its targetAddress attribute will also be
O365Group@Office365ITPros.com. When an on-premises mail user sends a message to that address, the
Page 137
email will not be delivered as the on-premises organization will not forward the message to Office 365 if the
on-premises organization is Authoritative for that domain. As explained earlier, changing the domain to an
Internal Relay domain could fix the problem, but that is not a change you want to make without careful
consideration. Not even the Hybrid Configuration Wizard updates the domain type when it runs!
Two workarounds exist. Either use the tenant's routing domain as the primary email address domain for all
Office 365 groups or implement a specific "Groups Domain" as outlined in the hybrid groups guidance by
Microsoft. Although neither of these options is ideal, they are the only options if you intend to synchronize
Office 365 Groups with an on-premises organization until Microsoft changes Azure AD Connect to always use
the tenant routing domain – as is the case with regular mailboxes.
Information on how to enable the various write-back capabilities in Azure AD Connect is in Chapter 3 (main
book). After enabling the group write-back feature, existing Office 365 Groups will automatically synchronize
with the on-premises Active Directory at the next synchronization cycle. Synchronized groups go into the
Organization Unit that was selected during the configuration of the write-back feature. To prevent duplicate
objects and resulting synchronization conflicts, the name used for synchronized Office 365 Groups in Active
Directory is not the actual display name of the Group. Instead, the objects receive names composed of the
word “Group” followed by a unique value (a GUID), which originates from the ObjectID property for the group
in AAD.
For instance, a group called “Test Group” in Office 365 might have a name of “Group_69e08789-46cd-49ec-
b2e8-8297636c788c2” in the on-premises directory. However, the display name of the Office 365 Group stays
the same as it is in AAD. As obvious in Figure 5-4 the use of identifiers for the name of synchronized groups
might make it difficult to understand which group objects are synchronized when viewed through tools like
the Active Directory Users and Computers console or the Active Directory Administrative Center:
Figure 5-4: Synchronized Office 365 Groups in the Active Directory Users and Computers console
You can retrieve the ObjectID for an Office 365 Group in two ways. First, with the Get-AzureADGroup cmdlet:
[PS] C:\> Get-AzureADGroup –SearchString "Test Group" | Select DisplayName, ObjectId
DisplayName ObjectId
----------- --------
Test Group 69e08789-46cd-49ec-b2e8-8297636c788c
Alternatively, you can retrieve the identifier using the Get-UnifiedGroup cmdlet. In this case, the
ExternalDirectoryObjectId property has the value.
[PS] C:\>Get-UnifiedGroup | Select DisplayName, ExternalDirectoryObjectId
DisplayName ExternalDirectoryObjectId
----------- -------------------------
Test Group 69e08789-46cd-49ec-b2e8-8297636c788c
Test Group2 af905347-5322-4183-a1aa-9522a85bfeb9
Page 138
Note: Group writeback only works one way: from Office 365 to Active Directory. Changes made to
synchronized groups in the on-premises Active Directory are not synchronized back to Azure AD. On top
of that, any change you make on-premises is lost at the next synchronization cycle; the synchronization
process automatically overwrites any value that do not match with the source object in Azure AD. Servers
need to run the latest cumulative update for Exchange 2013 or Exchange 2016 to ensure that groups can
be written back correctly into the on-premises Active Directory.
By default, synchronized Office 365 Groups appear as distribution groups in the on-premises Active Directory.
To get around the requirement for Azure Active Directory premium licenses, some have created scripts to
writeback Office 365 Groups as other objects (here’s an example where they are written back as mail
contacts). As with any code downloaded from the internet, be careful to test this script before you put it into
production.
Normally, synchronized groups automatically appear in the on-premises Global Address List (GAL).
Unfortunately, this is not the case in the version of Azure AD Connect used for this book (May 2017), as you
must update the synchronized group objects manually to populate all the required Exchange properties. It is
expected that Microsoft will fix this problem in the future. Until then, you need to run the Update-Recipient
cmdlet to update a synchronized group object. It is easy enough to find and update new group objects after
each synchronization cycle. Each group object is updated like this:
[PS] C:\> Update-Recipient Group_b5f87098-3f41-470b-ae8a-70e69a51f982
After they have the necessary properties, the group objects appear in the GAL the next time it is generated.
You can force an update of the GAL by running the Update-GlobalAddressList cmdlet to update the Default
Global Address List. The update might not be instantaneous as the on-premises Exchange servers must crawl
through all objects to rebuild the Global Address List. Outlook users have another step to take as they must
then download the Offline Address Book (OAB) after Exchange regenerates the GAL. However, the Office 365
Group objects will be visible in the online directory. Synchronized Office 365 Groups will never be displayed in
the on-premises EAC; they can only be viewed using PowerShell.
You can add on-premises users as members of an Office 365 Group. Unlike true hybrid recipients, the
membership or other properties of Office 365 Groups cannot be managed through the on-premises directory.
Instead, you must add new members using the methods described in the Groups chapter (main book). If you
have enabled group write-back, the group membership is automatically updated in the on-premises directory
at the next synchronization interval.
Real-world: Group membership in the on-premises Exchange organization is only reflected for valid
recipients that also exist in the on-premises directory. Valid recipients include Mail Users, Mailbox Users, or
Remote Mailbox Users. If your Office 365 Group consists of both hybrid and cloud-only recipients, the
latter will not show up in the group membership list in the on-premises organization. This is not surprising
because to update the group membership, the on-premises directory must have objects representing all
the members. Because cloud-only recipients do not exist in the on-premises organization, they cannot be
added to the list of members.
When you add on-premises users to an Office 365 Group, they might not be able to access the full breadth of
resources that are available to group members, like plans managed by Microsoft Planner or the chats
managed by Microsoft Teams. However, if their identity is synchronized with Office 365 and they can
authenticate with the service, they can access files in the group document library. In addition, on-premises
users are auto-subscribed to the group, which means that they receive all the contributions made to group
conversations and any group meetings through email. The users can then reply to messages they receive from
the group and participate in group conversations.
Page 139
Limitations for on-premises users: Several limitations exist in terms of how on-premises users can interact
with an Office 365 Group.
• On-premises users can send email to an Office 365 Group, but only if they use the primary SMTP
address of the group. They cannot use a secondary address because that address is probably
unknown to the on-premises Active Directory.
• The links to resources like Files contained in the notifications sent by Office 365 Group might be
invalid unless on-premises users can authenticate and connect to the group document library.
• On-premises users cannot be administrators of a group.
• On-premises users cannot use the SendAs or Send On Behalf features for a group because the
necessary permissions are not available to them.
For these and other reasons, if on-premises users begin to use Office 365 Groups extensively, it is best to
move them to Office 365.
Email Addresses
In a non-hybrid deployment, managing email addresses for an Exchange Online mailbox is a labor-intensive
manual process because Office 365 does not allow tenants to manage Email Address Policies except for Office
365 Groups. One of the benefits of a hybrid deployment is that the on-premises Email Address Policies also,
indirectly, apply to hybrid recipients. This is because when an on-premises policy is applied, the address
information that is written to the on-premises object is also synchronized to Office 365.
However, as mentioned before, the limitations imposed by the synchronization process must be considered: a
policy might be enabled and applied in the on-premises environment, but that does not mean the changes
have already been synchronized to Office 365.
Real-world: Although email address policies also apply to hybrid recipients, Office 365 mailboxes created
through the on-premises EAC as described in "Creating a new hybrid mailbox' earlier in this chapter, do
not have the Automatically update email addresses based on the email address policy flag set. As
such, email address policies will by default not apply to those hybrid recipients, unless you configure the
recipients manually to use an email address policy. For more information, you can check this KB article.
Page 140
[PS] C:\> Set-Mailbox JoePearson –WindowsEmailAddress NewAddressforJoe@office365itpros.com
Real world: There seems little to no documentation about the use of this attribute. During my testing, I
found that the values I had configured persisted through subsequent Delta or Full synchronizations.
However, other MVPs reported that the values disappeared after a full synchronization. Proceed with
caution until more information is publicly available. Forewarned is forearmed!
Page 141
want to upload pictures of a larger size, you must establish your remote PowerShell connection to Exchange
Online in a different manner. Note the addition of ?proxyMethod=RPS to the PowerShell endpoint:
[PS] C:\> $UserCredential = Get-Credential
Once the session is established, you can import larger pictures. Similar to how the command operates in an
on-premises environment, a 648 x 648-pixel version of the picture is uploaded into the mailbox in Exchange
Online and a 96 x 96-pixel version is uploaded to Azure Active Directory. Pictures that are uploaded directly
into Office 365 do not show up in the on-premises environment because the directory synchronization
process does not write-back the thumbnailPhoto attribute, nor will the on-premises Exchange servers access
the pictures stored in the mailbox in Exchange Online. If you need profile pictures for Exchange Online
mailboxes to be available both on-premises and in Office 365, you have two options:
1. Upload the profile pictures using the Set-UserPhoto cmdlet before moving the mailbox to Office 365.
This ensures that a correct version is stored in the on-premises Active Directory which remains
available even after the mailbox is moved to Office 365.
2. If you upload pictures to Office 365 accounts, you can manually upload a thumbnail version of the
picture into the on-premises Active Directory. Be aware that if you upload a different version into the
on-premises directory from what has been generated in Office 365, the change will overwrite the
version stored in Azure Active Directory at the next synchronization interval.
Real world: If you thought the above was confusing, then wait until you read the whole story! The
workloads running inside Office 365 do not solely rely on Azure Active Directory. As discussed in more
detail in Chapter 3 (main book), each workload has its own instance of a directory service and is kept up-
to-date with Azure AD through a back-sync process which happens entirely transparently and is managed
by Microsoft. The sync process ensures that user data is kept consistent across all the Office 365
workloads. This is not always the case. Pictures uploaded through the directory synchronization process or
through the Set-UserPhoto cmdlet are almost instantaneously available in Exchange Online or Skype for
Business. The same seems untrue for SharePoint Online. There does not seems to be a logical explanation
as to why, nor does the experience seem to be consistent across all tenants. I recommend reading this
article which describes how SharePoint Online deals with synchronized profile pictures.
Page 142
Microsoft has a script that can be run (on a scheduled basis) to mimic the synchronization of mail-enabled
public folders to Office 365 to cater for situations when tenants do not enable the feature in Azure AD
Connect or run an older version. The script works differently from the Azure AD Connect tool. The script
creates a “Sync Mail Public Folder” in Office 365 for each on-premises mail-enabled public folder, while the
Azure AD Connect tool will only create an object in Azure AD. These objects are not synchronized back to
Exchange Online. As such, you cannot use the feature in Azure AD Connect to configure hybrid public folder
access, or if you are planning to move Public Folders to Exchange Online.
When using the scripts, you might sometimes run into some additional problems. There is a known issue with
Exchange Online Protection and on-premises mail-enabled public folders where sometimes Exchange Online
Protection does not recognize the objects created by the script. This is most likely because of a limitation or
issues in the synchronization between the various service-specific directories in Office 365. The result is that
incoming messages are still blocked by DBEB.
Until Microsoft solves this problem, there are a few workarounds:
1. Use the synchronization in Azure AD Connect in addition to the scripts. The former will create objects
in Azure AD while the latter takes care of relevant objects in Exchange Online.
2. Disable DBEB by converting the domain in Exchange Online from Authoritative to Internal Relay. The
problem with this approach is that you open your environment for a potentially high number of
emails addressed to non-existing recipients. In addition, these messages might cause mail loops as
Exchange Online will blindly forward the email to your on-premises organization which, in turn, will
do the same. Although Exchange has ways to detect mail loops of this nature, it does not prevent the
mail from traveling back-and-forth a few times first.
3. Manually create MailContacts (or MailUsers) instead of Sync Mail Public Folders (through the sync
scripts). Those objects are picked up by EOP correctly and allow mail to pass DBEB. Note that it can
take up to one hour to replicate the objects to all servers in Exchange Online Protection, and thus for
mail to be delivered correctly.
Note: Microsoft added the ability to optionally synchronize Mail-Enabled Public Folders in version
1.1.524.0 of Azure AD Connect (released in May 2017). However, this feature is currently in preview which
means it may change between now and when it’s released.
Page 143
Until Microsoft rectifies the problem, you can remove the secondary email address on the Office 365 Group,
create a Mail Contact and then forward all messages sent to the email address to the Office 365 Group using.
a transport rule.
Moving Mailboxes
Dealing with the Feature Gap between Exchange On-premises and
Exchange Online
One of the challenges an administrator faces is the growing feature gap between Exchange on-premises and
Office 365. In the early days of hybrid deployments Exchange on-premises used to have a feature advantage
over Exchange Online: many features that were available in the on-premises Exchange organization were
missing in Office 365. Today it's quite the opposite. Microsoft has released numerous new features such as
Office 365 Groups which are not available to on-premises customers. We know that it is unlikely that some of
these features will ever make it into the on-premises product. The net result is the creation of a feature gap
that forces an administrator to think twice when moving mailboxes back-and forth between Exchange On-
Premises and Exchange Online as moving a mailbox might lead to a loss in functionality.
There are not only technical challenges involved, but over time other problems are likely to rise. For instance,
Microsoft's decision to leave items undisturbed in the Deleted Items folder might create an interesting side-
effect: mailboxes are now likely to grow larger, faster. Imagine the situation where an organization decides to
move back from Office 365 in a year or two from now: chances are that the amount of data that must be
moved back will have grown significantly. Of course, one can decide to implement a policy in Office 365 to
delete the deleted items anyway or you can purge old data from a mailbox before moving it back to on-
premises servers. But regardless of what you choose to do at that point, it illustrates that the feature imparity
between both environments is something to consider.
Permissions
When moving mailboxes using hybrid mailbox moves, only permission that are applied explicitly to the
mailbox are migrated. Any non-explicit (inherited) permissions and permissions applied to non-mailbox
objects like regular mail-enabled users or distribution groups are not migrated.
Although explicit permissions are migrated, it does not mean that all permission types work or are supported.
A good example are delegate permissions. Although these permissions are migrated across, functionality
breaks if the mailbox of the owner and assignee are not migrated at the same time. For example, if a CEO's
Page 144
mailbox is moved to Office 365, his or her assistant's mailbox should be moved too to maintain delegate
access. It is also sensible to use the company’s organizational structure as the basis for grouping users when
the time comes to move their mailboxes as this will ensure that connected mailboxes are moved at the same
time and permissions will continue to work as before.
As discussed in the Permissions and Sharing scenarios earlier, Full Access permissions are migrated, and
supported. However, those permissions aren't always the only ones used. Hence, it is still better to try to
schedule mailbox moves of mailboxes that are connected at approximately the same time. That way, a lot of
hassle with non-supported permissions is avoided. Using the cross-premises permissions is a good thing
whenever you cannot keep the migration batch to a manageable size, for example because there are too
many mailboxes interweaved with one another.
Real world: When designing the migration batches (determining what mailboxes are best moved at the
same time), you often start with a handful of mailboxes, only to find out that each of these mailboxes is
interweaved with other mailboxes, and that those other mailboxes in turn are connected to yet another
batch of mailboxes. The process can sometimes feel like a duck hunt where the handful of mailboxes end
up being several hundred. Because permissions tend to fan like a spider-web, it is sometimes better to
stop at a certain level and just inform users that they will (temporarily) lose the ability to interact with
another mailbox or set of mailboxes. Although it is never pleasant to give bad news, it is sometimes the
only way to keep migration batches manageable and the project moving forward.
Enumerating mailbox permissions therefore becomes an important pre-migration task and one that can
quickly become very time consuming. Especially in larger environments, it can take a while to figure out the
dependencies between mailboxes. The scripts below are a great starting point for anyone wanting to manually
enumerate permissions. In very large organizations, it is sometimes just easier to invest in a tool that offers
these kinds of reports. Although a certain cost is associated with purchasing such a tool, it often saves you a
lot of time and thus money further down the road.
The default output of the command also contains the permissions that are granted by default such as to the
object itself, administrators and the Exchange subsystem. When moving a mailbox, these permissions are not
of interest. Explicit permission assigned to other users (mailboxes) are the ones that matter. You can filter the
output to exclude results that you don't care about, like shown in the following example:
[PS] C:\>Get-MailboxPermission wlopez | ?{$_.User –notlike "O365EXCH\Administrator"
–and $_.User –notlike "O365EXCH\Domain Admins" –and $_.User –notlike "O365EXCH\Enterprise Admins"} |
Select User,AccessRights,IsInherited | Format-Table –AutoSize
Page 145
O365EXCH\Organization Management {FullAccess} True
NT AUTHORITY\SYSTEM {FullAccess} True
Although this approach cleans up the output of the cmdlet significantly, there are a lot of user accounts which
you want to exclude. Additionally, the way that PowerShell handles this approach to filtering is that it will still
enumerate all permissions, but only display the ones that are not excluded through filtering. An alternative
approach is to export the results to a CSV file and use for instance Excel's built-in filtering capabilities to filter
out the unwanted user accounts. No matter what approach you take, enumerating permissions is a resource-
intensive task. If you have several hundreds, or thousands of mailboxes it is not a very good idea to run the
above command for all mailboxes at the same time. The chances are you will hit the imposed throttling limit,
or unwillingly consume a lot of resources on the server from where you run the command.
Real world. There is no fixed number which tells you for how many mailboxes you can safely enumerate
permissions without consuming “too much” resources. Various elements are at play here. It is not only the
number of mailboxes that you query, but also the amount of entries for each mailbox. So, it is very hard to
“predict” what a safe number of mailboxes to query is. It is better to start with a smaller number of
mailboxes and then gradually increase the amount until you see the performance drop or, worse, you are
throttled. However, that experience is still very subjective. For instance, an organization might choose to
temporarily lift the throttling policy to allow the script to run. In such case, you might not experience any
issues at all.
The Get-MailboxPermission cmdlet only retrieves a specific set of permissions, such as the FullAccess
permission. If you want to retrieve the Send-As, Receive-As, or Send-on-Behalf permissions, you will have to
execute several other commands as illustrated below.
GrantSendOnBehalfTo
-------------------
{O365EXCH.COM/Accounts/Users/Tony Redmond}
Page 146
A few years ago, I wrote a script to automatically enumerate various permissions on mailboxes in an
organization. The script includes logic to loop through group memberships and display the actual user
accounts that are part of those groups. This reveals a list of indirect permissions, which makes re-assigning
those permissions afterwards a little easier. Alternatively, you can ask users to request specific access again
after their mailboxes have been moved to Office 365. This is a less user-friendly approach, but might
sometimes be the better option.
If you want to keep functionality and be able to move a mailbox without having to disable UM prior to the
move, it's not only important that you make sure that Unified Messaging in Office 365 is configured correctly,
but the UM policies and dial plan names that you create in Office 365 must match the policies and dial plans
that exist on-premises. The goal is to have policies in Exchange Online that have the same settings. After you
have created the UM Mailbox Policies in Office 365, use the Set-UMMailboxPolicy cmdlet to link the Exchange
Online policy to a on-premises policy:
[PS] C:\> Set-UMMailboxPolicy "Exchange Online Policy" –SourceForestPolicyNames "On-Prem Policy"
Similarly, if you envision to off-board mailboxes in the future, link up the on-premises UM Mailbox Policy to
its corresponding policy in Exchange Online, by running a similar command in the on-premises Exchange
Management Shell:
[PS] C:\> Set-UMMailboxPolicy "On-Prem Policy" –SourceForestPolicyNames "Exchange Online Policy"
Retention Policies
Whether you configure Retention Policies to move items into an Exchange Archive or you use them to delete
messages after a specified period, you want items that have been tagged to remain so after a mailbox is
moved to Office 365. The components of the retention system such as tags and policies and how the age of
items is calculated is identical across Exchange Online and On-premises. However, without adjusting the
configuration, when a mailbox is moved to Office 365, items that are tagged by the on-premises Exchange
server might lose their tag if a corresponding retention tag or policy is not found in Exchange Online. For this
reason, you must ensure that the tags and policies that are available in the on-premises Exchange
organization are also available in Exchange Online; very similar to how you must make sure that UM Mailbox
Policies are also present and matching if you want to move a UM-enabled mailbox.
Real world: Despite carrying out the export and import of the retention tags and policies, mailboxes that
are moved to Office 365 are automatically stamped with the Default MRM Policy after the move. If you
Page 147
have specific requirements regarding the retention of data, it is important that you apply the correct policy
to the mailbox afterwards.
Other Considerations
The above considerations are the most intrusive in terms of functionality loss or the inability to move
mailboxes. There are also some other, smaller, differences which are worth noting too:
• Custom Details Template (Outlook): it is not uncommon to see organizations implement a Custom
Details Template for Outlook. These custom templates modify how the full properties card for a
contact in Outlook looks like, often to include additional information about the contact. Exchange
Online does not allow to create Custom Templates which means a potential loss of functionality after
a mailbox is moved to Office 365.
• Offline access for Outlook Web App: users of Exchange 2013 and Exchange 2016 mailboxes can
maintain an offline copy of their mailbox in OWA. Taking a similar approach to Outlook, offline access
allows users to use OWA when a network connection is unavailable. However, when a mailbox is
moved to Office 365, the offline access cache is reset. Users must plan to manually re-enable offline
access through the options in Outlook Web App.
Page 148
over the last remnants or changes that were made while the other contents were copied over. At this
point, the status of the move – which can be queried using the Get-MoveRequest cmdlet - is changed
from InProgress to CompletionInProgress.
3. Once the final synchronization is completed, the MRS Service in the source environment (on-
premises) converts the mailbox to a mail-enabled user account. Similarly, the migration platform in
Exchange Online will change the mail-enabled user account to a mailbox user in Office 365.
4. If Outlook is still running, the user will be asked to close and re-open Outlook. This will trigger the
Autodiscover process which then points the user to Office 365 instead of to the on-premises
Exchange Organization. The update of the Outlook profile might take a few moments and require
Outlook to restart once or twice depending on the user's patience.
Real world: An administrator can decide to not complete a mailbox move right away, but have it suspend
when ready to complete. When this option is selected, the switchover of the mailbox (pointing the on-
premises user to Office 365) is held off, until the administrator decides to complete the move later. This
option if often used to prevent the "The Microsoft Exchange administrator has made a change that
requires you quit and restart Outlook"-popup from showing at an uncontrolled time. This is because
when, after the switchover, the user's Outlook client connects to the on-premises server, the latter will
issue a redirect to Office 365 in the form of forcing the client to perform an Autodiscover lookup. Once the
Autodiscover process is completed, the Outlook profile is updated. At that point, the pop-up will show.
Delaying the completion of a move allows you to decide when to complete the move and thus somewhat
control when the message box appears -- for instance after hours.
Hybrid mailbox moves are one of the main benefits of a hybrid deployment. However, in order to execute a
remote mailbox move, you must configure a hybrid connection first. Depending on the type of hybrid
connection (full or minimal), other features such as cross-premises Free/Busy and mail flow, amongst other
things; are automatically configured.
The downside of creating a hybrid connection is that it can be complex and time-consuming. Sometimes, all
an organization wants to do is to move mailboxes from an on-premises environment to Exchange Online,
without all the bells and whistles associated with a hybrid configuration. In such case, other migration options
such as a staged, cutover or third-party migration are generally used; if technically feasible. Unfortunately,
none of these options give you the benefits of a hybrid mailbox move. This is the reason why Microsoft
introduced the minimal hybrid configuration (Chapter 4). Unlike the full hybrid configuration, the minimal
hybrid option does not configure any of the enhanced coexistence features, but it does allow you to move
mailboxes cross-premises in the same way.
To execute an MRS or hybrid mailbox move, there must be a mail-enabled user object in Exchange Online
which matches the details of an on-premises mailbox. Hence why you need Directory Synchronization. The
required object details include a variety of Exchange attributes and the proxyAddresses attribute. All email
addresses that exist for the on-premises object, must also be present for the online mail-enabled account.
Additionally, the on-premises mailbox must have a proxyAddress which matches the coexistence domain of
the tenant to which the mailbox is moved. For instance, if your tenant's name is
office365itpros.onmicrosoft.com, the coexistence domain will be office365itpros.mail.onmicrosoft.com. When
you run the Hybrid Configuration Wizard, it automatically takes care of creating an additional accepted
domain and modifying the default email address policy in the on-premises organization to ensure that every
mailbox is stamped with such an email address. However, you can also do this manually and circumvent the
need to run the Hybrid Configuration Wizard.
Secondly, the MRS proxy component must be enabled on the internet-facing Client Access Server. This allows
Exchange Online to make an inbound connection into the on-premises environment and initiate the mailbox
move. Once these requirements are met, the mailbox move can be initiated from pretty much any on-
premises Exchange organization; even if the Exchange organization is in a remote Active Directory forest! All
Page 149
you need to do is point the migration batch or move request to a new migration endpoint which is linked to
the on-premises organization which has the mailboxes that need to be moved.
The minimal hybrid configuration is very popular for the growing number of cross-forest migrations to Office
365 which for example need to happen after a merger or acquisition where the target organization is already
in Office 365 or a hybrid configuration.
Real world: Executing a cross-forest mailbox move to Exchange Online is no different from an on-
premises cross-forest mailbox move. You can use the prepare-moverequest.ps1 script to create accounts in
the target Active Directory forest and those accounts will then synchronize with Azure AD. Once the
objects are available to Exchange Online, you can configure the migration batch to use the migration
endpoint pointing to the source Active Directory and Exchange Organization. Exchange Online will then
move the contents of a source mailbox belonging to a different Active Directory forest than the one used
for the hybrid part of the Office 365 tenant.
By using the outlined approach, you avoid having to go through a double-hop migration where mailboxes are
first moved from one Exchange organization to the other before being moved to Office 365. Alternatively, it
also prevents you from having to deploy a complex hybrid configuration with two on-premises Exchange
organizations. Careful planning is needed to ensure that these moves execute successfully.
If you are not familiar with executing the actions manually and you are unsure about what objects or object
attributes to synchronize between forests and to Azure AD, it is sometimes better to pick a third-party tool
which can automate a lot of the steps for you.
Page 150
1. Select migration type where you should select Remote move migration
2. Select the users to migrate to Exchange Online. Select them through the recipient picker or specify a
CSV file which includes the users you want to include in the batch.
3. Select the migration endpoint which allows you to select the migration endpoint through which
mailbox content will be migrated. More information on migration endpoints is in Chapter 4.
4. Mailbox Move configuration where you can specify options such as:
a. Bad item limit which denotes how many corrupted (non-movable) items the underlying
move request can encounter before aborting the move. The default limit is 10 items.
b. Large item limit which specifies how many items over 150 MB can be skipped before the
move request is aborted. The default limit is zero items.
c. Allows you to specify whether to move the mailbox and archive or archive only.
5. Migration batch options such as who gets to receive the notifications and whether the migration
batch should be started and completed automatically. If you choose to automatically start a batch, it
will almost immediately start moving mailbox contents. There might be a small delay to get the
underlying move requests generated. Selecting to automatically complete the batch will ensure that
the final synchronization and switch-over to Office 365 will happen immediately after the initial
synchronization has happened. If you do not select to automatically complete the batch, the
migration batch will stay in a pending state and perform incremental synchronizations every 24 hours
until an administrator decides to manually start the completion process.
Because we did not specify the AutoStart parameter, the migration batch will not be started. To start the batch
job, run the following command:
[PS] C:\> Start-MigrationBatch –Identity $MigrationBatch.Identity
Page 151
• Failed indicates there was an issue with the move request and that the migration (initial
synchronization) failed.
Other states, like Syncing or Completing, also exist. However, these states are self-explanatory and only
appear when a migration batch is active. You can retrieve the status for current migration batches with the
Get-MigrationBatch cmdlet:
[PS] C:\> Get-MigrationBatch
Unlike move requests, there is no Get-MigrationBatchStatistics cmdlet. Instead, you can get information about
each migration user through the Get-MigrationUserStatistics cmdlet. The output contains a variety of
information such as overall performance statistics as well as item counts and, if the batch is incomplete, a
progress report:
[PS] C:\> Get-MigrationBatch First-Migration-Batch | ForEach {Get-Migrationuser
-BatchId $_.BatchGuid} | Get-MigrationUserStatistics | Select EmailAddress, BatchId,
SkippedItemCount, TotalItemsinSourceMailboxCount, SyncedItemCount, Status, Error, SkippedItems
BatchId : First-Migration-Batch
EmailAddress : bcampbell@office365itpros.com
SkippedItemCount : 0
TotalItemsInSourceMailboxCount: 24
SyncedItemCount : 22
Status : Completed
Error :
SkippedItems : {}
If you want a more detailed overview of what happened during the migration, specify the IncludeReport
parameter to generate a detailed report of the underlying mailbox move. This example is formatted for
readability:
[PS] C:\> Get-MigrationBatch First-Migration-Batch | ForEach {Get-Migrationuser
-BatchId $_.BatchGuid} | Get-MigrationUserStatistics -IncludeReport |
Select EmailAddress, BatchId, SkippedItemCount, TotalItemsinSourceMailboxCount, SyncedItemCount,
Status, Error, SkippedItems
BatchId : First-Migration-Batch
EmailAddress : bcampbell@office365itpros.com
SkippedItemCount : 0
TotalItemsInSourceMailboxCount : 24
SyncedItemCount : 22
Status : Completed
Error :
SkippedItems : {}
Report : 3/13/2015 2:44:36 PM [AMSPR06MB133] '' created move request.
3/13/2015 2:44:58 PM [AMSPR06MB037] The Microsoft Exchange Mailbox Replication service
'AMSPR06MB037.eurprd06.prod.outlook.com' (15.1.106.16 caps:1FFF) is examining the request.
3/13/2015 2:44:58 PM [AMSPR06MB037] Connected to target mailbox
'exchangelabonline.onmicrosoft.com\63f45db4-a95e-4f09-b956-eec7c62dd044 (Primary)', database
'EURPR06DG003-db122', Mailbox server 'AMSPR06MB037.eurprd06.prod.outlook.com' Version 15.1 (Build
106.0)
3/13/2015 2:44:59 PM [AMSPR06MB037] Connected to source mailbox
‘office365itpros.onmicrosoft.com\63f45db4-a95e-4f09-b956-eec7c62dd044 (Primary)', database 'DB15-
02', Mailbox server 'E15-02.O365EXCH.COM' Version 15.0 (Build 1076.0), proxy server 'e15-
02.EXCHANGELAB.BE' 15.0.1076.0 caps:1F7FFFFFCB07FFFF.
3/13/2015 2:44:59 PM [AMSPR06MB037] Request processing started.
3/13/2015 2:44:59 PM [AMSPR06MB037] Source mailbox information:
Page 152
Regular Items: 7, 103.9 KB (106,344 bytes) Regular Deleted Items: 0, 0 B (0 bytes) FAI Items: 12,
14.9 KB (15,254 bytes) FAI Deleted Items: 0, 0 B (0 bytes)
Note: The information that is returned by the Get-MigrationUserStatistics also pulls information from the
underlying move request. If you want view just the information about the move request itself, you can do
so using the Get-MoveRequest and Get-MoveRequestStatistics cmdlets. This might be the case if you
manually created a move request, instead of a new migration batch.
Next, you can remove the mailbox(es) from the batch, using the Remove-MigrationUser cmdlet. Don't forget
to either include the Force parameter, or confirm when prompted for confirmation as in the example below:
[PS] C:\> Get-MigrationUser Tony.Redmond@office365itpros.com | Remove-MigrationUser
Confirm
Are you sure you want to perform this action?
Remove the migration user Tony.Redmond@office365itpros.com?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
Once the migration request for the user has been removed, start the Migration Batch again:
[PS] C:\> Start-MigrationBatch "Batch 1"
Confirm
Are you sure you want to perform this action?
Remove the migration batch "AndrewDunn"?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
Page 153
recreation of the deleted user account. Once the account is restored or a new account is created, restoring the
mailbox data can either be done automatically or by executing some PowerShell command. Unfortunately,
recovering the user account is usually the hard part.
Before starting, it is important to understand what caused the user account to be removed in the first place.
Basically, two major scenarios exist that result in a user account being removed from Azure Active Directory
(and thus pushing a mailbox into a soft deleted state):
1. The on-premises user account is (accidentally) filtered from directory synchronization resulting in the
removal of the account from Azure Active Directory.
2. The user account is removed from the on-premises Active Directory and the deletion is then
synchronized to Azure Active Directory.
Regardless of how the account is deleted, restoring the original account is always the easiest resolution. If the
object was filtered from directory synchronization (for instance because it was moved to an OU which is out of
scope for synchronization), all you need to do is include the object back into the synchronization scope to
automatically revive the corresponding account in Azure Active Directory. Once the user account is restored in
Azure Active Directory, the mailbox is automatically re-attached to it along with other resources such as those
managed by SharePoint and OneDrive for Business.
If the account was deleted from Active Directory, your on-premises remediation steps will dictate what
approach you can take. If you have enabled the Active Directory recycle bin, the solution is to restore the
deleted user object and wait for the directory synchronization process to pick it up. The same is true when you
use a third-party backup solution which can restore the same object.
However, if the Active Directory recycle bin is not enabled, or you do not have a backup, you are forced to
take a different approach. The best solution is to use a process which I like to call a “reverse restore”. Instead
of restoring the object in Active Directory and syncing it to Azure Active Directory, you restore the object in
Azure Active Directory, create a new on-premises user object and then (manually) recreate the link between
the new on-premises account and the restored object in Azure Active Directory. Here is how it works:
1. Before starting the recovery process, it is a clever idea to pause directory synchronization until you
complete the steps below. This prevents directory synchronization running while the recovery steps
are in progress which might potentially cause issues.
2. Restore the deleted user account in Azure Active Directory from the Office 365 Admin portal. Within
the portal, go to Users and then select Deleted Users. Select the user object you would like to restore
and then click Restore. This step will restore the user account and the data that was previously
associated with the user account. At this point you have a cloud-only account with no link to an on-
premises user object.
3. Create a new remote mailbox using the on-premises management tools. The easiest way to do this is
to either run the New-RemoteMailbox or Enable-RemoteMailbox cmdlet. This will ensure that a new
on-premises user account is updated with the required attributes so that the cloud-based mailbox
can be attached to it after it is synchronized.
4. Link the on-premises user account to the restored object in Azure Active Directory. There are two
ways to do this. Both rely on the ability of the directory synchronization to match two objects
together. The first option is to “hard match” the on-premises user account to the account in Office
365. The second option is to “soft match” both accounts. In case of the latter approach, you must
modify either the primary SMTP address or UPN of the account in Azure Active Directory and ensure
that the on-premises account (remote mailbox) has the same SMTP address as user in Office 365
before running directory synchronization with AAD Connect. More detail on the approaches to how to
link an existing user account is in Chapter 3 (main book).
After the next directory synchronization cycle, both accounts will be linked again.
Page 154
By now you might be wondering: why go through all the trouble of restoring the user account? Why not just
create a new user account and attach the mailbox to it? Although this approach would work, all the
permissions that were granted to/on the user and mailbox will be lost and it could potentially result in data
loss outside of Exchange Online. The reason for this is when you restore the original user account, the
connected object in Azure Active Directory is also restored to ensure that the object keeps its ObjectGUID
(which is used to tie everything together). A new user account has a new ObjectGUID and therefore starts with
a blank slate in Exchange Online, SharePoint, OneDrive for Business, and so on. It should come to no surprise
that this approach is therefore not supported.
The most important thing to keep in mind is that you can only take the above approach when the mailbox is
in a soft deleted state. Once the mailbox is hard deleted from Exchange Online, there is absolutely no way it
can be recovered.
Page 155
Chapter 6: Office 365 Analytics
Fitbit for the Office
At the Dreamforce 2015 conference, Microsoft CEO Satya Nadella described Delve Analytics (since renamed to
MyAnalytics) as “a new information discovery and knowledge tool to track your time, because that’s the valuable
resource you have.” In other words, MyAnalytics (now Viva Insights) analyzes information extracted from Office
365 (mostly email) to help people work smarter. Another description often trotted out is to say that Insights is
the equivalent of “Fitbit for the office” because like a health tracker, your habits should improve if you pay
attention to the information Insights delivers about your activities within Office 365.
I have been down the path before of trying to use data collected from Office products to predict and
influence human behavior. An HP Labs project from the 2002-2003 period interpreted results extracted from
data captured from Outlook to understand how people worked within an organization. Microsoft was also
investigating the possibilities of analyzing data gathered from user activities in a project called “Knowledge
Navigator.” Despite a lot of co-operation to develop these ideas on the part of both companies, the idea
foundered on the rock of privacy because no one could quite figure out how to protect user data in the way
that it needed to be. Privacy is still a huge concern within Office 365, but we have now a better understanding
of how to protect user data. It is also true that the advent of the Microsoft Graph means that size of the data
set available to describe user activities and the interaction that exists between individuals is richer and deeper
than ever before.
Technology moves on a lot in a decade and privacy and security is at the heart of the Microsoft Graph, which
never makes information available to anyone if they do not have access to that data. Apart from helping users
to find information, the signals gathered into the Microsoft Graph offer a rich vein of data to analyze to
understand how people interact with Office 365 applications, and that is where analytics and specifically the
Insights features come into the picture.
This chapter covers two applications that use the data in the Microsoft Graph to analyze how people use
Office 365. The intention is that the analysis will help individuals and businesses make changes to become
more effective and efficient. For the individual, the increase in effectiveness might result in them working
fewer hours by doing things smarter. For the business, it might help managers be better leaders. Insights is
the personal side of Office 365 analysis. Workplace Analytics is its business-centric counterpart.
Page 156
attending the meeting will probably spend some time preparing for it and that preparation might involve
effort from other team members. Let’s assume that each department spends 8 hours preparing for the weekly
meeting, so a further 4,800 hours of effort is consumed to support the weekly staff meeting, giving us a total
of 6,000 hours. To put a cost on what that means, we can assume that the fully-loaded hourly cost of each
executive is $125 and the cost for a team member is $60. The cost is therefore calculated as (1,200 * $125) +
(4,800 * 60) or $438,000. Some value is unquestionably gained from coordinating activities through the weekly
staff meeting, but you would wonder whether the value gained surpasses the cost. Changing the schedule to
a biweekly meeting or reducing the time set aside to an hour are two examples of how the organization can
gain benefit by simply understanding how people use time. The key here is that making data available helps
people to make better decisions.
In January 2019, Microsoft announced that MyAnalytics is now “available to everyone using Office 365 and
Microsoft 365 Enterprise and Business suites that include Exchange Online” In other words, anyone with Office
365 Business Essentials or the E1, E3, or E5 plans can use MyAnalytics. The app is an interesting attempt to
bring big data analysis to the world of the office to understand how people interact with each other and use
tools such as email. Let’s see what that means in practice.
In September 2021, Microsoft announced the rebranding of MyAnalytics as Microsoft Viva Insights as part of
an exercise to consolidate intelligence derived from user activity within Microsoft 365. The rebranding means
that:
• The daily briefing message from Cortana now comes from Viva. Microsoft says that the content will
be expanded with recommendations to help users prepare for the day and week ahead.
• The user digest comes from Microsoft Viva and is delivered monthly rather than weekly. The first
edition of the digest appeared in targeted release tenants in early September 2021. Microsoft says
that the new digest will “aggregate insights across these four outcomes: focus, wellbeing, network, and
collaboration.” Like the weekly digests, the monthly digests are injected directly into user mailboxes
and don’t pass through the Exchange Online transport system, which means that they’re not subject
to inbox or transport rules.
• A new Viva Insights home page is available to Microsoft 365 users.
• The Outlook Insights add-in is rebranded as Viva Insights.
• The MyAnalytics settings available in the Microsoft 365 admin center to control the defaults for new
accounts will receive the Microsoft Viva branding. The same will happen for the MyAnalytics user
dashboard where individual users can see insights derived from their activity and control if they can
access the dashboard, receive the monthly digest, and use the Outlook insights add-on.
Until the rebranding is complete in November 2021, you’ll see a mixture of MyAnalytics and Microsoft Viva
Insights in administrative and client interfaces.
Although the Insights dashboard and email digest have served as the primary delivery method for Insights in
the past, the Viva Insights app for Teams is now the preferred interface.
Page 157
can therefore conclude that the form and focus of user activity differs considerably depending on an
individual’s position in the company and their responsibilities.
When Microsoft introduced a prototype of MyAnalytics at the Ignite 2015 conference, it was obvious that this
might be an interesting project. The demonstration showed how data could be analyzed to help someone
understand how to work smarter and achieve a better work-life balance. It was an effective demo, even if it
immediately set off some alarm bells from those who are concerned about personal privacy.
The code shown at Ignite was just a prototype. Reality kicked in before Microsoft made MyAnalytics available
to customers. No obvious trace of any work-life analysis exists in the current implementation of the
MyAnalytics personal dashboard. Although it made for a compelling demo, removing an arbitrary assessment
of how anyone should balance their life between work and non-work activities is a wise move. The problem
here is that the analysis needed to come to such a conclusion needs far more insight and data than is
available to MyAnalytics. And anyway, figuring out how to spend your time is an intensely personal choice
that cannot really be held up against some artificial standard.
Instead of trying to be proscriptive about what constitutes a good work-life balance, the current
implementation of Viva Insights focuses on giving insights based on data for an individual to interpret. You
might think that working for twenty hours per week outside the normal working day is a good thing because
you need to interact with people in many parts of the world. I might disagree and avoid any notion of working
outside a 9-5 window. We are both right because it all depends on the individual. If you get your work done
one way and I get mine done another, we are both effective. The question then is whether you can be more
effective and achieve the same results in a different way.
Removing the attempt to figure out a user’s work-life balance makes Insights much more acceptable to those
who raised questions about privacy. It also addresses the concern that some management might be tempted
to analyze work practices drawn from departments or workgroups to highlight inefficient or ineffective
workers. Hearing assertions that Insights “uses big data [gathered from Office 365] to reveal how [user]
behavior drives business outcome” adds fuel to user concerns, but it is not what it seems.
With the Microsoft Graph delivering the data and algorithms applied to interpret and refine that data, the
Insights personal dashboard helps people understand where they spend their time and how they might do
better. For example, salespeople who are burdened with internal meetings can see where time is being soaked
up and take steps to spend more time with customers. People who work at the weekend might better
understand the factors that are driving this activity and be better able to manage it and so avoid the potential
for burn-out.
Overall, I have a more positive view of the value that analysis of working habits can bring. The real value from
Insights is on helping people to work smarter by making better use of their time. We all have limited time and
it makes a heap of sense to look at how time is consumed in the office to see whether we have lapsed into
working habits that consume too much of our most precious resource.
Page 158
Microsoft’s thinking about how judicious use of technology can help organizations achieve productivity gains
without being bogged down in bureaucracy, this Harvard Business Review article on “The Paradox of
Workplace Productivity” is a good read.
Page 159
options for the MyAnalytics application. Click the cogwheel, select Settings, and then toggle the On/Off
slider. Separate sliders are available to control access to the MyAnalytics dashboard and weekly email digest.
Administrative control for Insights access by individual users (mailboxes) is available by:
Turning Viva Analytics on or off for individual mailboxes by running the PowerShell code in this article.
Users can re-enable Analytics afterwards if they wish. As explained in the article, administrators can use the
Set-MyAnalyticsFeatureConfig cmdlet (in the Exchange Online management PowerShell module) to remove
access to individual features. For instance, many users don’t like the monthly email digest message. You can
block the mail digest while allowing users access to the Analytics dashboard and Outlook add-in by running a
command like:
[PS] C:\> Set-MyAnalyticsFeatureConfig -Identity Vasil.Michev@office365itpros.com -PrivacyMode "opt-
in" -Feature digest-mail -IsEnabled $False
Removing the Insights by MyAnalytics service plan from individual user licenses using the PowerShell
script described in this article. It’s likely that Microsoft will rename the service plan in the future to reflect the
Viva brand. Users cannot reenable Analytics after the service plan is removed from a license.
Page 160
Figure 6-1: A snapshot of a working week
The idea behind the Insights is that they might help you change the way that you work and become more
effective. For example:
• Reduce the amount of time spent working after hours to create a better work-life balance for yourself
and to avoid giving co-workers tasks or other things to take care of when they are relaxing.
• Improve the effectiveness of meetings by reducing the amount of time scheduled to focus the minds
of attendees on what they need to do.
• Improve your responsiveness to email that you receive.
• Understand the impact of different technologies. For instance, does a new mobile email client
increase the hours spent working with email? Does the introduction of Teams within an organization
reduce the hours spent working on email?
The insights suggested in the dashboard are based on common sense, but common sense can be overtaken
by bad work habits developed over years. Some will appreciate the insight and advice, and some will think
that the recommendations will never work for them. The inferences and suggestions picked up by Insights are
based on observation of the working habits of millions in conjunction with the data available through Office
365. You know yourself best, and just like when you examine the output from a health monitor and can put it
into context with your current aches and pains, you should look at the dashboard as an opportunity to gain
insight into how you work rather than a definitive statement of what you do. People are highly individual in
the ways that they approach and deal with tasks and a technique that is effective for one is not necessarily
effective for another. In other words, don’t disengage your brain and accept everything shown in the
dashboard as absolute fact.
Anonymized Data
When Insights compares the time spent by a user against the company average, it uses anonymized
information gathered for those who opt-in for Insights (we will get to discuss how to opt out soon). Because
Page 161
the company data is anonymized, you cannot compare your weekly results against any other specific
individual. To avoid the possibility that information can be associated with individual users, Insights only
displays company averages if more than five users within the tenant are active within the analysis period and
make their data available for analysis.
Working Week
In today’s world, the notion of a working day is pretty fluid. Some people have a fixed schedule and never
contemplate doing anything work-related after that period ends. It is more common to find “knowledge
workers” are active at various times during the day, depending on the makeup of their team and the level of
responsibility they have. For instance, someone who works in an international company where colleagues
work across in multiple continents invariably finds that they need to schedule or attend conference calls at
times outside the traditional working day. It is just a fact that adds some context when you consider the out-
of-hours workload reported in the dashboard. The default working day is usually 9AM to 5PM, but you can
customize this to suit through the Calendar section of OWA Options or by clicking the cogwheel symbol to
change your time settings.
Insights normally displays information for each category based on a sliding six-week window of data,
including comparisons to show how time spent on different activities varies over time. The Trends view (Figure
6-2) gives a long-term overview of how a user devotes their time to different areas of work. You can use the
slider to move the date range back through up to two years of data. The work to preserve activity data began
in March 2017, so it will be March 2019 before users can access the full two years of activity data.
Page 162
by responding to every email you receive within five minutes while your correspondents might be totally
unhappy with the quality of your responses. Solving that issue is a totally different challenge to understanding
the flow of email. After all, a one-word “Yes” or “No” response is proper and useful in one context and could
offend in another.
Unsurprisingly, it is usual to discover that we spend more time dealing with inbound messages than writing
new messages and responses. A couple of factors are at play here. Although the Focused Inbox feature is
reasonably good at filtering low-priority messages from immediate view, we all deal with an ever-increasing
volume of email. Perhaps we belong to too many distribution groups and receive email that we really do not
need to see. Perhaps it is just a function of our job and we receive notifications of tasks that need attention or
updates on developments that we should know about. Or perhaps we are just chatty and use email for that
purpose instead of moving all social interaction to Twitter, Facebook, or even Yammer. For whatever reason,
Insights usually reports that people spend more time reading messages than they do writing and spending
new email.
The way that Insights calculates the time spent dealing with email also contributes to the expected outcome.
A relatively simple algorithm calculates how much time you spend working with email. Instead of trying to
track exactly what happens with a message when it arrives in your Inbox or how much effort you put into
composing a message, data gathered by Volometrix based on observations of multiple large organizations
shows that people spend an average of 2.5 minutes dealing with an inbound message and five minutes to
compose and send a message. As we will see later, Insights uses these measurements as benchmarks for
reporting email activity. A message counts as read when its read status changes from “unread” to “read.” This
applies no matter what folder the message is in or whichever client processes the message. In other words,
unread mail moved by rules to a non-Inbox folder also count. However, a message that is deleted without
being opened is not included in the calculations. A new message counts when the user sends it, including
messages to people outside the tenant. Finally, messages read or sent outside the defined working day end
up in the After-Hours calculation.
To take account of the diverse ways that people process email, Insights does the following:
• For created (and sent) messages: Measure the difference between the time when someone first
creates a message and starts to write text and the time when they send it. To make things simple,
Insights calculates that this operation takes five minutes (the benchmark time). However, if the user
sends multiple messages within a five-minute period, Insights assigns the time between each send
operation to the relevant email.
• For read messages: Measure the difference between the time when someone first opens a message
and when the read status changes because the user closes the message. Insights does not count
messages that the user deletes without opening, including when they take a quick peek at the
message content in the preview pane. Insights assigns 2.5 minutes for a user to read a message.
However, if you open an email and then open or send another message within the 2.5-minute period,
Insights assigns the time difference between the two operations to the first email.
• A message must have the user’s email address as a TO: or CC: recipient to count, including when the
user is a member of a group that is a TO: or CC: recipient.
• Because any client can create, send, or read messages, it follows that the analysis includes messages
accessed using any client.
• Messages accessed after the defined work hours go into the After-Hours category.
This sounds complicated, but the ruleset is logical. Messages have timestamps that Insights can analyze to
measure activity.
With these assertions in mind, it is possible to reckon how much time someone spends working with email by
counting the number of messages that they send and receive and then calculating the minutes spent on this
Page 163
activity. Because the calculation happens on the server, it does not matter what client you use. Figure 6-3
shows the data for a typical week of my email activity. To understand the total of 12.1 hours reported for
email hours in the screen shot, we must understand how Insights computes the time working with email.
Every message is different, and every person differs in how they read messages., Applying the benchmark
measurements is one way to produce a result. If we use the 5-minute benchmark to break down the 5.8 hours
reported for writing messages, the calculation is (348 minutes/5) = 69.6 messages. The calculation for the 6.2
hours reading email is (372 minutes/2.5) = 148.8 messages.
Page 164
Mastering Meetings
We all spend too much time in meetings and possibly not always to good effect. The calendar is a rich source
of data for analytics because it holds blocks of formally scheduled time set aside for specific topics. But
meetings vary from a 1:1 discussion with a direct report or your manager to much larger group meetings
whose only benefit is in an opportunity to grab some free coffee and donuts. Unfortunately, many of the
meetings that occur inside corporate environments are not particularly useful or productive and some can be
a huge soak of valuable time (another good article on the topic of avoiding unproductive meetings is
available here).
The time reported for meetings is based on calendar events that include at least one other participant
(external or internal). The logic here is that events that have no other participant are personal. Only meetings
marked as “busy” are counted, so meetings that are tentatively scheduled but not accepted are excluded
because you probably never devoted any time to these events. Meetings marked as private and meetings that
have more than 500 attendees are excluded from the calculations, as are all-day meetings. Research shows
that all-day meetings are seldom for collaborative purposes and are often used to block out large amounts of
time. Private meetings are excluded because of their nature as are meetings with more than 500 attendees,
which are at the other end of the privacy scale. Neither are particularly interesting from the perspective of
collaboration. And obviously, if you do not add items to your calendar, those time slices are never analyzed.
The ability for a user to tell Insights what type of meetings to include in its calculation does not exist today.
The only data used to review meetings are the start time, duration, number of attendees, and who attends
(used to figure out working relationships). Again, all this information is available in the header of calendar
notification messages. The data reported in Figure 6-4 reveals that I spent quite a lot of time in meetings
during a week. Most of the meetings were scheduled by me, meaning that I avoided being pulled into a lot of
meetings arranged by other people. It is also obvious that I multitask quite a lot during the meetings I
attended (probably by processing email when listening to conference calls) and that a lot of after-hours time
was consumed by meetings. The contradiction in some of these results (for example, 45 hours spent
multitasking in a total of 28.4 hours in meetings) is explained by multiple meetings being scheduled at the
same time (42.3 hours of conflicting meetings). Although these data are a little extreme, this kind of
scheduling happens. It is common that corporate executives have multiple competing requests for their time,
many of which appear in their calendar to allow a last-minute decision about which meeting is more
important.
Page 165
Figure 6-4: Clocking up meetings in a week
The requirement for a meeting to have at least one other participant in addition to the organizer before the
analysis includes it in its calculations results in the exclusion of many calendar events. For example, I
commonly create events for airline bookings so that the information is available in the calendar on my mobile
device. Those events do not count unless I add someone to the event, such as when my wife joins me on a
trip, and I add her to the event so that she knows when we are flying. In the eyes of Insights, it is a meeting
that counts. Again, you can criticize the algorithm for measuring meeting hours as being overly simplistic. It is
correct that the calculations are simple, but it is only a start and over time this is another area that Microsoft
will probably tweak based on the experience gained at Volometrix. To find out what meetings are counted
and what are excluded in a week, click the View Details link in the Meeting Hours tile.
The Meeting Quality assessment is an attempt to estimate just how effective the time spent at meetings really
is. Again, you must put the data presented in this section into context because the raw information might not
really tell the whole story. For instance, if attendees at a meeting send email, Insights considers this to be
evidence of “multitasking” on the basis that people who come to a meeting should give their undivided
attention to the topic at hand to drive to a resolution. Unfortunately, given the way we use mobile devices
today, getting the undivided attention of a complete room is difficult. However, an email exchange during a
meeting is not necessarily bad. Messages sent to request information or start an action might instead be an
indicator that the meeting was effective in terms of getting things done.
Double-booking is an easier problem to understand as people who have good control over their calendar
should not end up with multiple events at the same time. If you are constantly double- or triple-booked
during the work day, you might need some help to understand why this happens so that you can use your
time more effectively (for example, by sending a deputy to a meeting). In some large companies, people are
invited to meetings just to make sure that they know about the gathering rather than in the expectation that
they will show up. If you have many double-booked timeslots, it is a sign that it might be time to review which
meetings are important to you, accept the invitation for those meetings, and decline the others.
Other problem signs for ineffective meetings include situations where more than 20 people are invited (which
often makes it more difficult to make decisions) or when managers from more than two levels attend (creating
the question whether every one of the managers need to be there). Of course, there will always be important
meetings that involve more than 20 people and really do get things done or those that require the
involvement of many levels of management. But when you think about it, these are out-of-the-norm meetings
Page 166
and too many of them might be a sign that the organization is becoming obsessed with meetings, a sickness
that I have observed many times.
Assessing the quality and effectiveness of meetings is another complex task. For now, we have a simple
calculation of the hours consumed in meetings. I suspect a lot more data and a lot better understanding of
how to gather that data and preserve user privacy is needed to go much further.
Focus Time
Insights defines focus time as a two-hour block in the calendar during working hours that is free of meetings.
The idea is that you use focus time to concentrate on specific activities that need to get done, such as creating
a budget or working on a presentation. If you realize how successful (or not) you are at finding focus time to
attack complex issues, the theory is that you will be able to rearrange your schedule to become more
productive.
Of course, theory is often negated by real life. Structured individuals whose working day is not ruled by the
interruptions caused by arriving email often reserve blocks to focus on certain tasks while others whose days
tend to be more fluid and crisis-driven might struggle to find the time to be able to dedicate to tasks. You
might argue that your practice is to set aside one-hour blocks to tackle tasks and find that this is enough time
to get the job done. On the other hand, it can be argued that while some can keep focus and driving to a
conclusion about a topic quickly, on average it takes humans longer. Studies have identified 90 minutes as a
good average and the developers decided to use a more aspirational two-hour block. A tenant administrator
cannot change this definition.
Insights does not try to track anything that you do during focus time. You could, for instance, spend the entire
period playing Solitaire or looking at cat videos on YouTube. It does not matter because as measured, you are
“focused.” In my case (shown in Figure 6-5), Insights reported that I had 40.5 focus hours during the week. I
also spent 7 hours in meetings, meaning a total of 47.5 hours, so it seems like I had a full week. However, it is
possible that the two figures do not add up to 40 hours. When this happens, it is usually because the extra
time over the working week is explained by the fact that some meetings started before the working day
began or ended after the working day finished.
Page 167
Like any measurement, focus hours need to be put in personal context. For instance, does a two-hour period
spent over a long lunch count as focus time? On the surface, it might because you are not in meetings or
working on email, but on the other hand you might not be too focused during the meal.
After Hours
The notion of working from 9AM to 5PM every day sounds archaic to many who work in IT who are
accustomed to the need to perform systems maintenance and other tasks once other workers have left for the
day. As noted earlier, it is common for those who work on international teams to need to stretch the working
day at either end to accommodate conference calls with other team members. Insights measures how much
time a user spends on late-night or early-morning activities as measured by meetings or working on email.
You can process email during an after-hours meeting and clock up time for all measurements to seem like
you are really putting in the time.
As before, the data used to figure out when you are working outside normal business hours (Figure 6-6)
comes from the calendar and email headers and divides between time spent processing email and time spent
in meetings. The time reported for email activity is a subset of the overall time reported in the email section.
We can see here that the sum of after-hours email activity is 6.9 hours (3 hours for meetings).
Page 168
Teams Signals
Signals for Teams come in two forms: chats with other people and meetings. Scheduled online meetings have
always been counted by Insights because these events are in user. Teams ad-hoc meetings, which are not in
the calendar, are now counted based on the actual length of the meeting. This data shows up in the meetings
and after-hours charts and a total time spent in online meetings is reported in the user’s Your Time overview.
Chats are recorded based on 30 seconds per sent chat, with no time taken for read chats. Based on
observation of user data, the Insights development group believes that only counting sent chats delivers an
accurate estimate of how much time someone spends on IM. Time spent on chat is reported in the user
overview and the out-of-hours chart. Chats also affect the multitasking report but chats during a meeting
don’t count because they are an inherent part of the meeting experience.
Working Relationships
The “Network” section of the dashboard (Figure 6-7) displays information about the other people with whom
you collaborate with most often. In effective, this is an attempt to measure with whom you spend your
working time. The data used are:
• Time spent together with individuals in 1:1 or small meetings (less than 25 attendees).
• Time spent in email exchanges.
The calculation of how many hours you spent with key contacts is then adjusted based on the number of
people who attended meetings that you participated in with key contacts. Clearly, a 1:1 meeting provides far
more “face time” with someone than when you gather around a conference table with 20 others. In the same
way, email exchanged between you and someone else is more personal and important in terms of
maintaining contact than if you both receive a message sent to a distribution list where you might delete the
message because you consider it unimportant while your contact thinks it is critical. Further adjustments are
made based on the frequency of meetings and email communication.
Microsoft has been down this path before with the (now deprecated) People View feature in OWA, which tried
to find the most important correspondents for a user and offer fast access to messages that they had sent.
The view presented here might be thought of as quite the reverse, as Insights helps you understand when you
are losing touch with key contacts who are important to you. In this context, losing touch means that you
have not emailed someone in a while or scheduled a meeting with them. Of course, you might meet them for
coffee every day, but that kind of human interaction is not logged by the Microsoft Graph. “All caught up”
means that I manage to keep in touch with all my important contacts, which seems like a good thing.
Insights misses some ways people communicate. Even email might be underreported because interactions
with people could flow through email conversations in a Microsoft 365 group that do not appear in user
mailboxes because people turn off email notifications for the group. This underlines the importance of
treating this data as a baseline for discussion rather than a statement of fact.
Time Investments
The Time Investments view shows how the user spends their time with different people (internal and external)
and groups. In Figure 6-7, we see the breakdown of a week’s activity based on total time. The set of people in
the list is determined by Insights based on the email and calendar interaction between you and those
individuals and varies from week to week. People whom the user deems important to them are marked with a
star. To add someone to your important list, click the star opposite their name. To remove someone from the
important list, do the reverse. External people are listed with their email address while internal people (those
who have accounts in the tenant) do not. You can view the list by All (show everyone), Important (just starred
users), and Work Groups (distribution groups, Microsoft 365 Groups, and Teams).
Page 169
Figure 6-7: Time spent communicating with different people and groups
If Insights finds that you are losing touch with people that you used to communicate with often, it lists them
in a section called “Losing Touch.”
Management relationships are the glue that keep organizations together. You have a different relationship
with your direct manager than you have with a co-worker, so it is important for Insights to understand the
corporate structure. To do this, Insights depends on the management relationships recorded in Azure AD to
know for whom someone works as well as their direct reports. If this information is missing or inaccurate then
some parts of the personal dashboard are not going to be as exact as they would otherwise be.
Page 170
Figure 6-8: Viewing the people map
Page 171
responded to on a mobile device, which then begs the question if the device can be powered off from
time to time, like on a weekend.
• Network: Who are the important people in someone’s network? How many people are they actively
connected to by email or chat and how many in total in the last four weeks have they contacted.
• Collaboration: How much time does someone spend working with other people on collaborative
activities.
Page 172
• View outstanding tasks that you might have committed to delivering in an email.
• Add people to your important list.
You can dismiss cards from the list shown to request Insights to show you other insights in the same category.
Figure 6-9 shows a typical set of cards shown by the Insights app (left-hand screen). At the end of the list, we
see that Insights thinks we might have left some important people off the list that Insights tracks, so it
suggests that we add these people.
Task Reminders
Insights uses natural language processing and artificial intelligence to scan messages in user mailboxes to
identify email that might contain commitments to do something and then highlights those commitments as
potential tasks in the Insights app. For instance, in Figure 6-10, we see that I made a comment in a message to
someone that Insights has found and now surfaces as something I might have forgotten to do.
Page 173
Figure 6-10: Highlighting a task
To generate these reminders, Insights relies on a mailbox assistant that uses machine learning techniques to
analyze messages as Exchange delivers them to mailboxes. The code looks for text strings that might show
that you have made a commitment to the recipient to do something. For instance, the first and second
examples both have “I shall” in the text, showing that the sender intends to do something in the future.
Because the message is going to someone else, you can reasonably conclude that the intention is to do
something for that person. If the assistant considers that a message holds a commitment, it creates an item in
the MyAnalytics-ActionLog folder in the user’s mailbox. This folder is hidden from clients and can only be
seen using a utility like MFCMAPI when working online rather than in cached Exchange mode. The items
include information to find the source email containing the commitment. The next time that the user consults
Insights, the app displays a list of the items in the folder for the user to process.
Like all machine learning programs, Microsoft constantly tweaks the code to make it more precise and better
at detecting commitments. This insight is only available in English.
Insights Digest
The Viva Insights settings include a choice to receive a monthly email digest summarizing the user’s activities
from the last month using the same methodology as in the personal dashboard. The digest aggregates
insights across four outcomes: focus, wellbeing, network, and collaboration.” In addition, the digest includes
some personalized tips that the user might like to consider. These tips are like those displayed by Outlook
Insights and include information such as the person whom you collaborated most during the week, whether
you send email during meetings, and what day of the week was most open in terms of focus hours.
Workplace Analytics
On July 5, 2017, Microsoft announced that Workplace Analytics is now available as an add-on for any Office
365 enterprise plan. The post says: “Workplace Analytics provides unprecedented behavioral insights that can
be used to improve productivity, workforce effectiveness and employee engagement.” Workplace Analytics does
not combine the collective personal dashboards within a tenant to tell management who is productive and
who needs some help sorting out their overpacked calendar. Instead, Workplace Analytics is a tool to help
understand how an organization functions. For instance, among the examples of how organizations use
Workplace Analytics included in Microsoft’s post are:
Page 174
“…the behaviors of managers were pivotal in determining employee engagement and retention”
“…analyzed the metadata attached to employee calendar items to calculate the travel time associated with
meetings.”
Anyone who has ever worked inside a large organization likely understands that how direct-line managers
deal with employees directly affects how people work and whether they stay with the company. The same is
true for travel time. If you force people to come into central offices to attend meetings, you expect a
productivity hit when attendees are traveling to the meetings.
The critical item to understand is that Workplace Analytics generates a set of collaboration metrics that
analysts can use to detect inefficiencies and problems within a company. Like anything dealing with people,
this is an imperfect science, and context is all-important in understanding why people work the way that they
do.
Workplace Analytics is only available to Office 365 enterprise tenants with over 5,000 seats. The cost is $6/user
per month unless you have E5 licenses, in which case the cost is $2/user per month. The price of Workplace
Analytics is enough to pause for thought. In addition, before you deploy, consider that you probably need to
do some up-front work such as working with HR to ensure employee privacy is respected, establishing the
core population for analysis, setting the goals for the exercise, and so on.
Outside the U.S. or in multi-national companies where worker unions or councils are more common, it is
probable that approval is necessary from these bodies before any analysis can go ahead. For these and other
reasons, you will likely need help from outside consultants with proven ability in similar exercises to help run
the project and gain usable results.
Another thing to consider is that Viva Insights and Workplace Analytics both focus in on email and calendar
data and do not look at other areas of activity within Office 365. Analysis includes time spent on Teams calls if
it is in your calendar but not otherwise. But it ignores the time composing an article like this in Word, even if
you store the document in OneDrive for Business or SharePoint. Chatting in Teams or Yammer is also outside
the current boundary for analysis.
Page 175
Those charged with introducing Insights to an organization will have to be able to clearly outline why the
company wants to deploy Insights and the personal advantages that its users can gain. At the Ignite 2016
conference, speakers from companies that had deployed MyAnalytics reported how they use the data to
change user behavior. One company took the simple step of changing the default length for an internal
meeting from one hour to 30 minutes and said that this had returned four hours per week to knowledge
workers. Your mileage might vary.
Outside the U.S., Viva Insights and Workplace Analytics might find a more measured welcome in many
international companies, especially in Europe, where personal space is more heavily protected and valued
than it in the U.S. Microsoft clearly has a tightrope to walk here when it comes to privacy and to communicate
the value its analysis tools.
Page 176
Chapter 7: Exchange Online
This chapter covers Exchange Online topics that we couldn’t fit into the main book.
Public Folders
If you are a new Office 365 tenant who has never used Exchange before, you might never use public folders
and can ignore this text. After all, better collaboration functionality exists in Microsoft 365 Groups or Teams,
and it is obvious that Microsoft is investing here rather than in public folders. On the other hand, if you want
to create a platform for large-scale company-wide discussions, Yammer is probably a better choice. For all
that, public folders are known as the "cockroaches" of Exchange for a reason: this is a feature that has existed
since the earliest day of the product, one that Microsoft tried to kill off over the years only to run into
enormous customer resistance at each attempt because public folders are an easy-to-use shared repository
suitable for many purposes. Public folders are still in widespread use to manage large amounts of corporate
data to this day.
Originally introduced in 1996 with Exchange 4.0, public folders received their first major architectural
makeover in Exchange 2013. The upgrade was necessary for two major reasons. First, public folders used
separate databases for their data and synchronized the databases with an old-and-creaking replication model
that had been in place since 1996. Replication usually worked, but it was a black box when the need arose to
understand what was happening to synchronize databases. The second requirement was to create a form of
public folders that could run in Exchange Online, preferably using an architecture based on existing
investments in database and high availability technologies. Although it might seem strange to want to bring
an antiquated part of Exchange into Office 365, the fact is that public folders have been in use within many
large organizations for years, they hold a lot of corporate knowledge and are embedded in working practices,
and a migration to Office 365 would be impossible for many customers if public folders could not be moved.
To address these issues, Exchange 2013 introduced a new public folder architecture based on using public
folder mailboxes to store the hierarchy, the public folders, and the data held in the folders. The approach
offered many advantages including that public folders no longer used a separate repository and could take
advantage of Exchange’s high availability features. But most importantly, Exchange Online could now support
public folders. The set of supported clients for public folders hosted by Exchange Online is Outlook 2013,
Outlook 2016, Outlook 2016 for Mac, and OWA. No mobile clients support access to public folders. Although
migrations are limited to moving up to 250,000 public folders from an on-premises organization to the cloud,
thereafter Exchange Online can expand the hierarchy to accommodate 500,000 public folders.
The options included in the Exchange Online version of the EAC to manage public folders are like those for
on-premises Exchange and the same cmdlet set is available to help scripted management. The same
recommendation exists to exert tight access over the root folder to prevent users creating root-level public
folders.
Figure 7-1 shows the public folder management interface in EAC. Among the items shown in the details pane,
we can see that the mail settings for the selected folder are enabled and that it holds 2,981 items amounting
to 259 MB.
Page 177
Figure 7-1: Public folder management in the Exchange Admin Center
Cmdlet Inconsistencies
The same inconsistencies that exist in the PowerShell cmdlets on-premises also exist in Exchange Online. For
instance, you can use the name of a public folder with the Get-MailPublicFolder cmdlet, but not with Get-
PublicFolder. For example, this works:
[PS] C:\> Get-MailPublicFolder –Identity "Exchange MVP Private List"
But even though the same folder is targeted, this command does not work:
[PS] C:\> Get-PublicFolder –Identity "Exchange MVP Private List"
Instead, you must provide the full path to the public folder through the hierarchy, like this:
[PS] C:\> Get-PublicFolder –Identity "\Email Lists\Exchange MVP Private List (PF)"
It is all to do with the way that Exchange Online considers that two kinds of public folders exist: those that are
mail-enabled and those that are not (the default). Mail-enabled means that the public folder can receive email
and that email can be sent on behalf of the folder.
Apart from mail-enablement, one technical reason why some public folders are different to others is where
Exchange Online must fetch information from when you work with a public folder. Details of all public folders
are registered in the public folder hierarchy and the *-PublicFolder cmdlet set reads data about folders from
the hierarchy. However, some of the information about mail-enabled public folders must be retrieved from
EXODS (see Chapter 4) as these objects do not exist in Azure Active Directory, which then creates a need for
the –MailPublicFolder cmdlet set. It would have been better if the software masked these differences and
resolved matters internally to allow administrators to work with public folders using a single method but now
we must deal with the legacy of the past.
Page 178
On the upside, because the same quirks exist on both platforms, you can be sure that on-premises scripts
used to manage public folders should work within Exchange Online. The downside is that this is an area that
often confuses people who are new to working with public folders.
Oddly, the method of finding public folders using the full path from the root also works with Get-
MailPublicFolder! Another example that might confuse is that Get-MailPublicFolder returns all mail-enabled
public folders while Get-PublicFolder only returns the root public folder. You must run Get-Public Folder –
Identity “\” –Recurse to list all public folders.
Storage
Public folders are stored in public folder mailboxes in mailbox databases. As with user mailboxes, tenant
administrators do not have the choice of the databases where public folder mailboxes are placed. Each public
folder mailbox holds a copy of the public folder hierarchy. The first public folder mailbox created in Exchange
Online holds the only writable copy of the hierarchy. As with on-premises, you cannot change the public
folder mailbox that holds the primary writeable copy of the hierarchy. However, you do not have to worry
about protecting the primary public folder mailbox because Exchange Online automatically protects all
mailboxes with Native Data Protection. All other public folder mailboxes have secondary read-only copies. The
easiest way to discover which mailbox holds the primary copy of the hierarchy is to check with EAC. However,
you can also look at the organization configuration. For example:
[PS] C:\> Get-OrganizationConfig | Select RootPublicFolderMailbox
RootPublicFolderMailbox
-----------------------
7297de53-15d8-4bbc-9b98-1dde1022ff9b
The output from this command is a GUID, a unique identifier that Exchange Online can use to look up its
configuration data to locate the primary public folder mailbox by matching the GUID against the
ExchangeGUID stored for each of the public folder mailboxes that exist in the tenant. You can do the same
thing by using the Get-Mailbox cmdlet to retrieve a list of public folder mailboxes and then checking the GUID
returned from the organization configuration against the value of the ExchangeGUID for each mailbox. As you
can see from the results shown below, we know that the "PF Mailbox" is the primary public folder mailbox
because the (bolded) GUID reported for "PF Mailbox" matches the value reported for RootPublicFolderMailbox
by the Get-OrganizationConfig cmdlet. Simple!
Get-Mailbox –PublicFolder | Select Name, ExchangeGUID
Name ExchangeGuid
---- ------------
PF Mailbox 7297de53-15d8-4bbc-9b98-1dde1022ff9b
PF Mailbox 1 1a120b51-efff-4ef2-805a-8f7e90d0342d
PF Mailbox2 1c60d391-da63-4bc1-ba66-46fa0c4afb42
Hierarchy Synchronization
A synchronization process ensures that all the updates made to the primary copy of the public folder
hierarchy are replicated to the secondary copies. This process happens automatically, and a tenant
administrator doesn't have to do anything to ensure that hierarchy updates are performed. The
synchronization process used to update copies of the public folder hierarchy is unique to public folders and
Page 179
only applies to the hierarchy. Public folders and the data contained in public folders differ across public folder
mailboxes. The regular replication mechanism used by the Database Availability Group is used to protect the
contents of public folder mailboxes.
Although you cannot control the synchronization process, you can force Exchange Online to synchronize a
specific public folder mailbox by running the Update-PublicFolderMailbox cmdlet. As we can see here, the final
output tells us that synchronization with the primary hierarchy is complete.
[PS] C:\> Update-PublicFolderMailbox –Identity PFMailbox2 –FullSync –InvokeSynchronizer
RunspaceId Message
---------- -------
dfdb12ee-dfe5-4018-b452-3fc54558b79d Synchronizing folder hierarchy of mailbox "PFMailbox2" w...
dfdb12ee-dfe5-4018-b452-3fc54558b79d Sync in progress - job state is: "Queued".
dfdb12ee-dfe5-4018-b452-3fc54558b79d Sync with mailbox that contains primary hierarchy is com...
This technique is commonly used on-premises where administrators have much better awareness of where
public folder data is held and how close that data is (in terms of network paths) to its users. However, the
same conditions don't exist inside Exchange Online and a case can be made that you should not attempt to
assign a default public folder mailbox to a user mailbox as this might affect the way that Microsoft
automatically balances public folder load within Exchange Online by splitting large public folder mailboxes up
after they reach a certain size. When this happens, a user might be left in a position where all their favorite
folders are in a different public folder mailbox, yet they are still configured to use the same default public
folder mailbox. All in all, it's best to leave automatic management to do its work and not attempt to second-
guess load balancing. The only time when you might need to explicitly define a default public folder mailbox
for a user mailbox is when you test the results of a migration, as explained later.
To search for mailboxes that connect to the public folder mailbox holding the primary mailbox and move
them to another public folder mailbox, you can use a command like the one shown below. Of course, this
command moves all mailboxes to another public folder mailbox. If you have multiple public folder mailboxes
in use (excluding the one holding the primary hierarchy), it would be best to distribute the users across the set
of available public folder mailboxes:
[PS] C:\> Get-Mailbox | Where-Object {$_.DefaultPublicFolderMailbox –eq "PF Mailbox" } |
Set-Mailbox –DefaultPublicFolderMailbox "PF Mailbox 1"
You can stop Exchange Online from selecting a public folder mailbox as the default connection point for user
mailboxes by excluding it from serving the hierarchy. In this case the mailbox becomes a simple repository for
public folder data. A copy of the hierarchy still exists in the mailbox, but it is not used by clients. An example
of how to stop a public folder mailbox serving the hierarchy is shown below:
Page 180
[PS] C:\> Set-Mailbox –Identity 'PF Mailbox 1' –IsExcludedFromServingHierarchy $True
-PublicFolder
To set the organization configuration, run the Set-OrganizationConfig cmdlet. For example:
[PS] C:\> Set-OrganizationConfig -PublicFolderShowClientControl $True
After changing the setting, it takes a little time for cached information to clear and the new setting to be
effective. You should expect to see public folders appear or disappear (depending on the setting) from
Outlook within an hour of an update. Because these settings control how AutoDiscover behaves, it is not
dependent on any specific version of Outlook. However, the settings do not affect OWA as it does not use
AutoDiscover to retrieve resource information.
The default value for PublicFolderClientAccess is $False, so it is not a good idea to update the organization
configuration and set PublicFolderShowClientControl to $True unless you first update the mailboxes that you
want to continue accessing public folders. For instance, you might decide that only users in the U.K. should
use public folders, you can run some PowerShell to find those mailboxes and update the setting. For instance:
[PS] C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -Filter {UsageLocation -eq "United Kingdom"
} | Set-CASMailbox -PublicFolderClientAccess $True
Page 181
the largest known on-premises implementations are in the order of 10 TB, more than enough headroom
exists for growth.
Unlike on-premises Exchange 2013/2016, you cannot use the New-PublicFolderMoveRequest cmdlet to move
folders from one public folder mailbox to another. Likewise, you cannot redirect the creation of new content
for a folder to a different mailbox as you can on-premises by running the Set-PublicFolder –
OverrideContentMailbox command. These restrictions are in place because Microsoft takes care of the
management of public folder data. For these reasons it is absolutely critical that you ensure that public folders
are created in the right mailbox.
To discover what public folders are stored in a mailbox, use the Get-PublicFolder cmdlet as shown below:
[PS] C:\> Get-PublicFolder –Mailbox PFMailbox1 –Recurse –ResidentFolders
The Get-PublicFolderStatistics cmdlet provides a different view of what’s in a public folder mailbox.
[PS] C:\> Get-PublicFolderStatistics –Mailbox PfMailbox2
To see statistics for all public folder mailboxes, you cannot pipe the results of Get-Mailbox –PublicFolder to
Get-PublicFolderStatistics because the identity returned by Get-Mailbox isn't the input value needed by Get-
PublicFolderStatistics (remember the discussion about software disguising issues like this?). In any case, you
can do the same thing by using Get-PublicFolder. Note the use of the –Recurse switch to force Exchange
Online to transverse the entire public folder hierarchy.
[PS] C:\> Get-PublicFolder –Recurse | Get-PublicFolderStatistics
Page 182
This is interesting, but it's even better when we know what mailboxes are storing the data. We can tweak our
command as follows:
[PS] C:\> Get-PublicFolder –Recurse | Get-PublicFolderStatistics | Sort MailboxOwnerID |
Format-Table Name, ItemCount, MailboxOwnerID –AutoSize
Warning! Although this command returns some interesting data and tells us that the public folder mailbox "PF
Mailbox" is the one that is currently overloaded (it’s also the primary public folder mailbox), commands like
this are great examples of ones that work so nicely in small environments (like demos) and can be horrible
when faced by the scaled-up realities of production systems. In other words, you might need to call for a
beverage of choice when waiting for this command to complete if more than a few thousand folders need to
be processed.
Mail-enabling a public folder assigns it a number of properties to allow Exchange Online to route email to the
public folder. This command reveals the set of mail-enabled public folders in a tenant. Only one of the public
folders is hidden from the GAL.
[PS] C:\> Get-MailPublicFolder | Format-Table Identity, PrimarySmtpAddress,
HiddenFromAddressListsEnabled –AutoSize
One of the slightly irritating features of Exchange Online is the control exerted by email address policies that
cannot be overridden by a tenant administrator. In this instance, the email address assigned to a public folder
when it is mail-enabled is derived from the primary domain for the tenant. Some companies have vanity email
domains (like Office365ITPros.com) that they want to use for communication with external clients, but you
cannot assign SMTP addresses for the vanity domains to mail-enabled public folders. Any attempt to do so
Page 183
will be resisted with a firm admonition that the object is under the control of an email address policy (that you
can't change) and so the address can't be updated.
When you're happy that the right people have access to the folder, go ahead and populate the moderation
properties for the public folder.
[PS] C:\> Set-MailPublicFolder –Identity "Departments\Finance\Budget 2016"
–ModeratedBy "JSmith", "Bowens" –ModerationEnabled $True - SendModerationNotifications Always
Messages posted to the public folder after moderation becomes effective are redirected to the moderators.
Note that direct posting to the public folder is not controlled by moderation. Users will be able to add the
public folder to their folder favorites in Outlook or OWA and then post items into it.
Page 184
Figure 7-2: Accessing Office 365 public folders from Outlook 2013
Outlook also allows users to manipulate permissions for folders that they own. Figure 7-3 shows how
permissions are set through Outlook. In this case, we see that the default permission is "Author", meaning that
any user can access and add items to the folder.
Page 186
Public Folders and Compliance
Public folders do not enjoy the same breadth of support for the compliance features available in Office 365 as
mailboxes do. Table 7-1 lists the major areas of compliance features available in Office 365 and the degree of
support available for these features in public folders. As you can see, apart from the ability to include public
folders in content searches, the picture is not particularly good. Note that you cannot specify individual public
folders to be a search source – all public folders are included. In addition, only public folders that exist in
Office 365 be a search source.
Compliance feature Public folder support
Mailbox or Microsoft 365 Retention Unsupported
policies
Content searches The contents of public folders are indexed and fully
discoverable. Folders can be added as a source for a content
search and a hold can be placed on the results. If an attempt is
made to alter content in a public folder that is on hold, details
of the change are kept in the DiscoveryHolds folder in the
public folder mailbox and remain indexed and discoverable.
eDIscovery cases Public folders can be included in the searches and holds used
by eDiscovery cases.
Data Loss Prevention policies Unsupported
Administrative auditing (unified Public folder administrative and user events are not recorded in
auditing) the Office 365 audit log.
Table 7-1: Public folder support for Office 365 compliance features
Discovery mailboxes
Discovery mailboxes are special repositories to hold items retrieved through Exchange eDiscovery searches. In
many respects, they function like a regular shared mailbox, but often receive special attention because of their
involvement in confidential discovery operations. Microsoft is replacing Exchange eDiscovery searches with
Office 365 content searches and eDiscovery cases.
Inbox Rules
Exchange Online supports both server-based rules and client-side rules. Server-based rules, or Inbox Rules as
they are referred to in the documentation, are kept in the user mailbox and are accessible to all clients. Inbox
rules run whether a client is connected to the mailbox or not and have priority over client-side rules (which are
specific to a client) because they are processed as part of the delivery pipeline. Inbox rules also have priority
over server-based processing like the Focused Inbox and offer the significant benefit of being able to process
inbound messages no matter what client is used. On the other hand, client-side rule implementations like the
one found in Outlook differ across client types and are highly specific to that client. In other words, you
cannot take a rule created on one client and expect to be able to use it with another.
You can also create Inbox rules with Outlook if the actions performed by the rule can be executed on the
server. For instance, a rule that calls for an item to be moved to a folder in a PST cannot be processed by
Exchange Online because the server does not usually have access to PSTs. In all cases, client-side rules can
only process whatever messages are left in the inbound mail stream after the transport system is finished its
processing and Outlook is running.
The processing steps that can be performed with Inbox rules include:
Page 187
• Delete an inbound message.
• Move or copy the message to a folder.
• Mark the message with a category, importance level, or as read.
• Redirect or forward the message to another email address.
The conditions and exceptions that can be incorporated into an Inbox rule include if the message:
• Was sent by a specific person or addressed to a specific user.
• Has specific words in the subject, body, sender’s address, recipient’s address, or message header.
• Includes the recipient’s name in the To: or CC: box or is the only recipient listed.
• Is marked with a specific importance or sensitivity level.
• Has an attachment, is of a specific type, is classified, or flagged as something.
• Is a specific size.
• Is received within a specific date range.
Users create and edit Inbox rules by selecting a message and using the “Create rule” option in OWA.
Alternatively, they can manage rules through the Automatic processing section of OWA options (Figure 7-6).
Page 188
Figure 7-7: Creating a sweep rule
Given the complexity of the conditions and exceptions that can be defined for a rule, the easiest approach to
creating a rule is to use the OWA interface. For instance, you could create the rule for your own mailbox, make
sure that the rule works as expected, and then replicate it for a user mailbox. When the rule is ready, you can
see all its properties with a command like this:
[PS] C:\> Get-InboxRule –Mailbox "Kim Akers" –Identity "Remove Rubbish" | Format-List
You need to note all the conditions and exceptions for the rule and then use them as the basis for the
parameter values provided to the New-InboxRule cmdlet. For example, this rule looks for inbound messages
that have “Hello World” in their subject and forwards the messages to a different SMTP address, unless the
message is marked with high importance. In this case, we assign a name to the rule to show that this is an
administrator-created rule. Using a naming convention like this is not mandatory, but it is a good practice
because, in the case of disputes, it helps to isolate user-created rules from administrator-created rules. It is
always a good idea to secure agreement with a user before you create a rule on their behalf – or at least to
tell them that a rule exists after creation.
[PS] C:\> New-InboxRule –Name "Process Email (Created by Admin)" –Mailbox "Kim Akers"
–StopProcessingRules $True –SubjectContainsWords "Hello World" –ExceptIfWithImportance High
–ForwardTo "Jill.Smith@Office365ITPros.com"
When creating the new rule, Exchange Online places it at the top of the rule priority order by assigning it a
priority value of 1. You might not want this to be the case as other rules should be processed first. If this is the
case, you can change the priority order with the Set-InboxRule cmdlet. Note that you always must tell
Exchange Online to which mailbox the rule belongs.
[PS] C:\> Set-InboxRule –Mailbox "Kim Akers" –Identity "Process Email (Created by Admin)"
–Priority 3
Outlook can also manage user rules. Because it spans actions and conditions that take advantage of the
client’s capabilities, Outlook supports a more comprehensive set of rule conditions and actions than OWA
Page 189
does. For this reason, Outlook can be a better choice for rule creation. For instance, you can create an Outlook
rule to have Exchange Online send a template message in response to inbound mail (the “have server reply
with a specific message action”). This feature is not supported by the *-InboxRule cmdlet set. Outlook rules
that use advanced options cannot be edited through OWA.
The standard quota for the storage of inbox rules in a mailbox is 64 KB. This is usually enough, especially as
anyone who uses the Focused Inbox can probably remove many rules that filter unwanted messages. Once
the quota is reached, a user won't be able to create new rules. You can increase the rule quota to a maximum
of 256 KB by running the Set-Mailbox cmdlet. For example:
[PS] C:\> Set-Mailbox –Identity 'Kim Akers' –RulesQuota 256KB
You can also create and remove sweep rules. However, an administrator can only create a sweep rule for the
mailbox that they own. Here is an example of using the New-SweepRule cmdlet to create a new rule:
[PS] C:\> New-SweepRule -Name "Messages from Microsoft Tech Community" -Provider Exchange16 -
KeepForDays 7 -SourceFolder "Kim Akers:\Inbox" -Mailbox "Kim Akers" -DestinationFolder "Kim
Akers:\Deleted Items" -Sender "notift@mstechcommunity.onmicrosoft.com" -Enabled $True
On the other hand, an administrator can remove a rule from a mailbox, if they know the identity for the rule,
which can be retrieved with Get-SweepRule. The identity for a rule is composed of the mailbox name and a
unique string. For example:
TRedmond\CzzdSOaFuESmQGBLtw/yZw==
We can remove the rule as follows:
[PS] C:\> Remove-SweepRule -Identity TRedmond\CzzdSOaFuESmQGBLtw/yZw==
Calendar Sharing
Asking for the ability to share their calendar with external recipients is a common user request. This is possible
with Office 365, but only after you enable calendar sharing through the Office 365 Admin Center (Figure 7-8).
To control calendar sharing, go to Settings, then Services & Add-ins, and then Calendar.
Page 190
Figure 7-8: The choices to control how users share calendars
Sharing can take three forms. Users control how much data is revealed when they issue a sharing invitation to
another person. The options are:
• View when I am busy: The calendar shows slots to indicate when the person is free, busy, or has a
tentative appointment. This is the same free/busy data used to establish whether a potential attendee
is available for a meeting.
• Titles and locations: The calendar shows booked time slots with some information – time, subject, and
location.
• All details: All the information held in calendar events is available for view.
After a tenant allows calendar sharing, users can click the Share button in the OWA calendar or Share
Calendar in Outlook to generate a sharing invitation to people within the tenant or in external organizations.
Within the tenant, individual users can assign delegate permission to other users to allow them to process
calendar events on their behalf. If you assign someone to be a delegate, you can restrict access to calendar
events marked as private.
Sometimes administrators like to know which users are sharing their calendars. This PowerShell command
generates a list of all calendar sharing, internal and external, and is one way to find out what is happening
inside the tenant.
[PS] C:\> ((Get-Mailbox –RecipientTypeDetails UserMailbox).Alias) | % { Get-MailboxFolderPermission
–Identity ($_+":\Calendar") } | Where-Object { $_.User –notlike "Anonymous" } | Format-Table
Identity, FolderName, User –AutoSize
Any entry under “User” that starts with “ExchangePublishedUser” indicates that a calendar is shared externally
with the email address that follows.
Strictly speaking, shared mailboxes do not support calendar sharing. However, you can set up calendar
sharing for a shared mailbox with these steps:
• Grant an account Full Access to the shared mailbox.
Page 191
• Use OWA to log into the shared mailbox with the account.
• Set up sharing using the Calendar as normal.
• Check that everything works.
A detailed discussion of how to convert a mailbox type from shared to regular and back again is later in the
next chapter.
The Default or My Organization calendar permission: The Default permission for calendars sets the
level of access that other users in the tenant or other federated organizations have to free and busy data.
Typically, this information is used by the Scheduling Assistant when it displays the set of available slots for
a requested meeting. The normal is to allow free and busy slots to be displayed, in which case the assistant
can show when a person is available, but it can be changed to display more information, such as the titles
and locations for events. The default permission is also used if a user opens another person’s calendar. As
part of the new sharing model, the default permission is renamed “My Organization” to clarify that this is
how the permission is used. In addition, Microsoft is removing the ability of clients to remove this
permission from calendars.
To complete the process, run the same command inside the other tenant, changing the domain name to point
to the first tenant and the name of the relationship appropriately. To test that everything works, create a new
meeting and use the scheduling assistant to browse the free and busy information for a user in the other
tenant. If you can see some details, you know that the relationship works. Alternatively, use the Test-
OrganizationRelationship cmdlet to verify that the configuration with another organization is correct.
Resource Mailboxes
Exchange Online supports both room and equipment mailboxes, collectively referred to resource mailboxes. A
room mailbox is a mailbox created to allow users to reserve a room for a meeting. In other words, the
calendar of the room mailbox is used to reserve a time slot for the meeting to take place in the room. An
equipment mailbox is very similar except that the mailbox represents a piece of equipment such as a TV set,
projector, or other moveable device. Experience indicates that room mailboxes are used more than equipment
mailboxes. Apart from anything else, room mailboxes can be used to build room lists (see the section in the
Groups chapter).
Page 192
Resource mailboxes are valid Office 365 users, but they don’t need to be licensed because no one logs into
their user accounts. They can be created from the EAC or PowerShell, or indeed from the Office 365 Admin
Center under "Meeting Rooms". Here’s how to create the two types of resource mailbox:
[PS] C:\> New-Mailbox –Name "Sonoma Conference Room" -Room
[PS] C:\> New-Mailbox –Name "TV Set" –Equipment
After we create some resource mailboxes, the list of resource mailboxes that exist in a tenant can be
discovered with this command:
[PS] C:\> Get-Mailbox –Filter {RecipientTypeDetails –eq "RoomMailbox, EquipmentMailbox"} |
Format-Table DisplayName, RecipientTypeDetails
Resource mailboxes operate on the basis that they have a calendar and can be scheduled for meetings just
like regular user mailboxes. Meeting requests sent to resource mailboxes are processed by the Resource
Booking Assistant, a background process responsible for arbitrating requests to schedule resources. The
assistant works with the Exchange Calendar Attendant, another background process that is responsible for
coordinating responses from meeting attendees, to ensure that the resource calendar is correctly updated
and accurate. Direction as to how inbound meeting requests should be processed is given to the Resource
Booking Assistant by updating the calendar processing properties of resource mailboxes. You can view these
options through the EAC (Figure 7-9) or use the Get-CalendarProcessing cmdlet to view the properties and the
Set-CalendarProcessing cmdlet to set them.
Figure 7-9: Viewing the calendar processing options for a room mailbox
For example:
[PS] C:\> Get-CalendarProcessing –Identity "Sonoma Conference Room" | Format-List
AutomateProcessing : AutoUpdate
AllowConflicts : False
Page 193
BookingWindowInDays : 180
MaximumDurationInMinutes : 1440
AllowRecurringMeetings : True
EnforceSchedulingHorizon : True
ScheduleOnlyDuringWorkHours : False
ConflictPercentageAllowed : 0
MaximumConflictInstances : 0
ForwardRequestsToDelegates : True
DeleteAttachments : True
DeleteComments : True
RemovePrivateProperty : True
DeleteSubject : True
AddOrganizerToSubject : True
DeleteNonCalendarItems : True
TentativePendingApproval : True
EnableResponseDetails : True
OrganizerInfo : True
ResourceDelegates : {}
RequestOutOfPolicy : {}
AllRequestOutOfPolicy : False
BookInPolicy : {}
AllBookInPolicy : True
RequestInPolicy : {}
AllRequestInPolicy : False
AddAdditionalResponse : False
AdditionalResponse :
RemoveOldMeetingMessages : True
AddNewRequestsTentatively : True
ProcessExternalMeetingMessages : False
RemoveForwardedMeetingNotifications: False
Identity : Sonoma Conference Room
Based on user feedback that too many options existed to control calendar processing, Microsoft simplified
matters so that the EAC does not reveal all the properties that can be set for the mailbox. However, you can
still manipulate them with PowerShell.
Table 7-2 describes the most important parameters used by Exchange Online to automate the processing of
meeting requests that arrive in a resource mailbox.
Parameter Meaning
AutomateProcessing The default value is AutoAccept, meaning that the Calendar Attendant
will process inbound meeting requests and create a meeting in the
calendar in the resource mailbox if the requested meeting is within
policy. AutoUpdate will create a tentative meeting in the calendar and
the meeting is then processed by the resource booking assistant, which
will confirm the meeting based on the policy in force for the mailbox.
None means that all meeting requests sent to the mailbox have to be
manually processed by a delegate.
AllowConflicts The default value is False, meaning that conflicts are not allowed. If set
to True, the ConflictPercentageAllowed parameter then governs the
maximum percentage of conflicts allowed for recurring meetings. The
default for this parameter is 0 (zero).
BookingWindowInDays The default is 180, meaning that the resource can be booked up to 180
days in advance. This parameter is used in conjunction with the
EnforceSchedulingHorizon parameter, which controls how recurring
meetings are processed. If True (the default), an attempt to schedule a
recurring meeting past the booking horizon is automatically declined. If
False, the meeting is accepted but the number of recurring events is
limited so that meetings will not occur after the booking horizon.
Page 194
MaximumDurationInMinutes The maximum length for a meeting. The default is 1440 minutes (24
hours), which seems excessive.
DeleteAttachments If set to True (the default), the resource booking assistant will delete any
attachments included with a meeting request. Similar parameters control
whether Comments (DeleteComments), the meeting subject
(DeleteSubject), non-calendar items (DeleteNonCalendarItems) are
provided to strip information from meeting requests and to remove
non-calendar items that arrive into the resource mailbox. The idea is that
the calendar should only store free/busy slots to indicate when the room
is available and should not be used to store non-calendar items. In
addition, stripping non-essential data from calendar requests preserves
the privacy of the scheduled appointments from others who can view
the calendar.
AllBookInPolicy Controls whether meeting requests from all users should be
automatically approved if compliant with the policy (like the length of
the meeting and the booking window). The default is True.
AllRequestInPolicy Controls whether users must submit meeting requests for manual
approval by a room delegate. The default is False. It is overridden if
AllBookinPolicy is True. A similar parameter (AllRequestOutOfPolicy)
controls whether users can submit meeting requests that do not comply
with policy. The default for this parameter is False.
AdditionalResponse Specifies some customized text to add to the message sent back to
meeting organizers when a meeting is accepted.
ProcessExternalMeetingMessages Controls whether meeting requests from external domains will be
processed. The default is False, but this should be set to True in hybrid
deployments to enable correct cross-platform processing of meeting
requests.
Table 7-2: Parameters to automate room calendar processing
The default values of the calendar processing parameters are set in such a way that you should not have to
change them unless you have good reason to do so.
Page 195
text (also sent to the calendar delegate, perhaps as a reminder to them too) tells us that the
conference room is restricted to meetings of the corporate financial planning staff.
• One of the delegates decides to accept or decline the meeting request. If the meeting is accepted, it
is inserted into the room calendar. As some of the meeting data might be confidential, the Booking
Assistant only retains the time and date of the meeting, the name of the organizer, and the number of
attendees in the item created in the room calendar.
• A notification message is sent to the meeting organizer to tell them that their request is accepted or
denied.
The situation is a little different if you enable a room to auto-accept meetings. If the room is configured to
accept meeting requests automatically, incoming meeting requests will be accepted as long as no conflict
occurs and the meeting organizer will receive a confirmation message. If a conflict happens because two or
more people want to book the room at the same time, some human intervention is required to sort out who
gets the room. If delegates are assigned to the room, the following occurs:
• A tentative meeting is created in the room calendar. Again, any confidential data is removed from the
meeting entry.
• It would be unreasonable to expect calendar delegates to stay fixated on a room calendar, forever
scanning for new meetings to pop up for approval. Exchange Online therefore sends a notification
message to calendar delegates to ask them to accept or reject the meeting request.
• Another notification will go to the meeting organizer to tell them that the booking is regarded as
tentative and is awaiting confirmation.
• A delegate processes the meeting request to confirm or reject the tentative meeting and a
notification of their decision is sent to the meeting organizer.
This goes to prove that a certain amount of testing is required to settle on a room calendar booking
configuration that matches the need of a particular organization!
The other property is ResourceCustom. Originally this was intended to provide more context for those
scheduling meetings so that they knew what resources are available in different rooms. This property is not
Page 196
supported by Exchange Online, nor is the associated Set-ResourceConfig cmdlet. One way around this
restriction is to create a MailTip for the room mailbox.
[PS] C:\> Set-Mailbox –Identity 'Las Vegas Conference Room'
–MailTip 'Capacity 121; contains video conferencing equipment'
Equipment Mailboxes
Equipment mailboxes are like room mailboxes in that they have a calendar that can be scheduled as part of a
meeting. At one point in time it must have seemed like a good idea to provide a facility to add mobile
equipment like a projector to meeting requests and allow booking delegates to arbitrate incoming requests
for their use. Unfortunately, practice demonstrates that equipment mailboxes are not used extensively.
You can create new equipment mailboxes through the EAC or PowerShell. As shown below, the PowerShell
command is very simple. Delegate access can be configured after the new equipment mailbox is created.
[PS] C:\> New-Mailbox –Name "VCR Recorder" –Equipment
Page 197
allow users to clearly mark items needed for audit or other regulatory purposes and default tags can
be deployed to remove non-essential items that the company considers should not be retained.
Of course, operational needs differ enormously from company to company and a general-purpose retention
framework such as that in Exchange Online can only deliver value if work is done to understand the business
requirements and then adapt the available functionality in the most effective way to meet those requirements.
Gaps might exist, but it is always surprising quite how much can be done with off-the-shelf software.
The meaning of retention: People who approach Exchange retention policies for the first time can be
forgiven for misunderstanding what “retention” means in this context. Retention means “keep what you
need”. There are two ways of achieving the goal. You can either make sure that you preserve what is
needed or you can remove information that is not needed. Tenants often use Exchange retention policies
to remove information after the items reach a certain age. You can also use retention policies to preserve
items by moving them from primary mailboxes to archive mailboxes where the items can be kept for a
further period. Policies can combine delete actions and archive actions to achieve the retention goals of
the organization. Unlike Office 365 retention policies, Exchange retention policies do not place holds on
content.
Page 199
result that a different retention model runs for the newly-moved mailboxes. The potential exists for no one to
notice the issue for months or years afterwards, which might or might not create a compliance issue.
For this reason, experienced consultants often recommend that customers do not use the Default MRM Policy
and create and apply a new specially-tailored retention policy to all mailboxes. The new policy can be
imported into Exchange Online and stamped onto mailboxes as they are moved to the cloud to ensure that
the same retention regime is applied on both sides of the on-premises/cloud divide. Some added scripting is
necessary to ensure that the correct policy is assigned to mailboxes, but this is not difficult to do. We will get
to discussing how to assign retention policies to mailboxes later.
Figure 7-10 shows a set of retention policies as viewed through the compliance management section of the
EAC. A custom retention policy called "Management retention policy" is highlighted and the tags in the policy
are shown in the details pane. This retention policy has a mixture of default retention tags available in every
Office 365 tenant and some custom tags created to meet specific business needs.
Figure 7-10: Details of the retention tags contained in a mailbox retention policy
Page 200
Name ItemsInFolder FolderSize NewestItemReceivedDate OldestItemReceivedDate
---- ------------- ---------- ---------------------- ----------------------
Inbox 15642 1.845 GB (1,981,302,727 bytes) 05/06/2016 23:38:01 25/04/2012 00:40:18
Sent Items 12946 1.685 GB (1,809,115,575 bytes) 05/06/2016 09:11:00 12/04/2011 16:52:41
You can also use the Get-MailboxStatistics cmdlet with the Archive switch to list the properties of an archive
mailbox. For example:
[PS] C:\> Get-MailboxStatistics -Identity "Kim Akers" -Archive | Format-List
Name RetentionPolicy
---- ---------------
ExchangeOnline-12c139bc-eafa-4a43-b4d2-e285f83e075d Default MRM Policy
ExchangeOnlineDeskless-bc1e76cc-4c0b-491c-a518-3a0a43cbf78e Default MRM Policy
ExchangeOnlineEnterprise-8fc1c029-5e32-485e-9810-179fb4701447 Default MRM Policy
In an on-premises Exchange organization you can change the default retention policy by setting the IsDefault
flag to $True:
[PS] C:\> Set-RetentionPolicy –Identity 'New Retention Policy' –IsDefault $True
However, this approach does not work in Exchange Online. The command to reset the IsDefault flag
completes but Exchange Online continues to use whatever retention policy is assigned in the mailbox plan. If
you want to ensure that new mailboxes get a different retention policy, you can update the retention policy
defined in the mailbox plans used within the tenant. For example, to assign a different retention policy to the
plan used for users holding Office 365 E3 and E5 licenses, we run this command:
[PS] C:\> Set-MailboxPlan -Identity ExchangeOnlineEnterprise-8fc1c029-5e32-485e-9810-179fb4701447 -
RetentionPolicy "Management Retention Policy"
You can then check that the correct retention policy is assigned to the plan by running the Get-MailboxPlan
cmdlet. The final check is to create a new user account and assign them an E3 or E5 license. When Exchange
Online creates the user’s mailbox, it should assign the “Management Retention Policy”. We check this with:
[PS] C:\> Get-Mailbox -Identity NewUser | Select RetentionPolicy
To make sure that the intended retention policy stays assigned to mailboxes, it is sensible to check from time
to time. For example, this PowerShell code looks for user mailboxes that do not have the right policy assigned
(or no policy assigned) and then assigns the correct policy:
[PS] C:\> Get-Mailbox –RecipientTypeDetails UserMailbox -Filter {RetentionPolicy –ne "Preferred MRM
Policy" –or RetentionPolicy –eq $Null} | Set-Mailbox –RetentionPolicy "Preferred MRM Policy"
Page 201
shows the properties of a retention tag created to control how long items stay in the Inbox. These properties
are:
• Tag name. Folder and default tags are never shown to users, so their names do not matter as much
as the personal tags that appear in client user interfaces (see discussion later). However, in all cases,
the tag name should show its purpose and in the case of personal tags, they should tell users the
length of the retention period. “1 Week Delete” is a reasonable example of a personal tag name that
combines both pieces of information. Some companies prefer the simplicity of names like “Required
for Audit” to communicate the use of a personal tag without bothering users with details of what this
means in terms of time.
• Retention action. This is the instruction given to MFA to execute when the retention period expires.
Exchange retention policies support three actions:
o Delete and Allow Recovery: MFA moves the item into the Recoverable Items\Deletions folder.
o Permanently Delete: MFA removes the item from the database unless it comes under the
control of a hold. This action can be dangerous unless you are certain that you want to
remove items. Given the storage quota available to mailboxes, it is safer to use the Delete and
Allow Recovery action as users can then recover items if necessary.
o Move to Archive: MFA moves the item into a folder of the same name in the archive. This
action only applies when an archive mailbox is available. MFA ignores the tag if an archive is
not enabled for the mailbox. The Move to Archive action is only available for default tags and
personal tags.
• The retention period. This sets the age of an item before MFA will process the retention action in the
tag. The period can be “Never” or between 1 and 24,855 days. Microsoft has published an interesting
description explaining how MFA calculates retention dates for items. If a tag uses Never as a retention
period, it means that MFA will never execute the retention action because the item will never expire.
Tags that have a retention period of Never also have their RetentionEnabled property set to False.
• Comment. Free-form text used to explain the purpose of a retention tag when administrators work
with the tags through EAC. The comment is also seen by users when they use OWA options to add
personal tags to the set of tags made available to them through policy.
Page 202
Figure 7-11: Properties of a retention tag
Folder tags are always associated with one of the default folders while default tags apply to items across the
entire mailbox. You must define the tag type when you create a new retention tag and you cannot change a
tag to another type thereafter. If you make a mistake, you will have to remove the bad tag and recreate it as
the right type.
You can also create retention tags with PowerShell. To begin, here is an example of a personal retention tag
that applies to all types of items. The effect of the tag is to move items to the archive after 180 days.
[PS] C:\> New-RetentionPolicyTag –Name "Project Contoso Documents" –AgeLimitForRetention 180
–Comment "Archive documents required for Project Contoso" -RetentionEnabled $True
–Type Personal –RetentionAction MoveToArchive
Remember that the MoveToArchive retention action can only be specified for default and personal tags and is
not available for folder tags that apply to one of the default folders. Items that are processed by this retention
action are moved to a folder of the same name in the archive mailbox.
The first retention tag created in the next example is for the Inbox folder and removes items that are more
than 30 days old. The items can be recovered if necessary. The second is to remove items from the Deleted
Items folder after they are 120 days old. Again, the mailbox owner can recover items if necessary.
[PS] C:\> New-RetentionPolicyTag –Name "Inbox 30 day expiry" –AgeLimitForRetention 30
–Comment "Move items out of Inbox after 30 days" –RetentionEnabled $True
–RetentionAction DeleteAndAllowRecovery –Type Inbox
Page 203
Finally, here is how to create two types of default retention tag. The first removes any item in a mailbox that is
more than seven years old. The second specifically processes voicemail messages (as defined in the message
class) and will remove these items after 7 days.
[PS] C:\> New-RetentionPolicyTag –Name "Delete Items after 7 years" –AgeLimitForRetention 2555
–Comment "Clean up mailboxes by removing items older than 7 years" –RetentionEnabled $True
–RetentionAction PermanentlyDelete –Type All
Although it is always best to come up with a logical name that makes sense to end users, you can give a
retention tag any name you like and can set translated values for display through different language
interfaces. This must be done through PowerShell as the EAC does not allow you to manipulate language
settings. Unfortunately, OWA does not support language translations, but Outlook does. In this example, we
configure French, Dutch, and Spanish values for the “Keep for Audit” tag:
[PS] C:\> Set-RetentionPolicyTag –Identity "Keep for Audit"
–LocalizedRetentionPolicyTagName "fr-FR: Conserver pour verification", "nl-NL: Houden voor
controle", "es-ES: Mantenga la auditoria"
Remember that a retention tag is not unique to a policy. Multiple policies can use the same retention tag, so it
is best to create tags with the intention in mind that they can be used in many policies. Users can also add
personal retention tags to the set available to their mailbox through OWA Options.
Retention Processing
Although date calculation differs slightly for different item types, to simplify the discussion, we can say that a
retention period begins at the point when an item is first created in a mailbox (for messages, this is when the
item is delivered to the mailbox).
If you remove a default or folder tag from a policy, MFA will remove the tag from all items to which it
previously applied and will restamp these items with whatever tag now applies. This might be a default tag or
no tag. Clearly MFA must do a lot of work to do to update the items in a mailbox, so it is not recommended to
remove tags without some consideration of the possible impact. It is always less disruptive to change the set
of tags contained in a policy than it is to remove a policy and start again.
Any change made to the default tags or the retention policy tags in a policy will force the MFA to assess every
item in a mailbox to which the updated tags are applied and potentially update the properties of the item to
reflect a new retention expiry date. For example, changing the retention period for a tag invokes similar
processing in that MFA must find every item stamped with the tag and then update its retention period and
expiry date. The same is true if you change the retention action defined in a tag.
In addition, for Outlook desktop clients, if MFA updates an item because of a change to its tag, Outlook must
synchronize that update from the server to the cached copy in the OST. Although the amount of data involved
to synchronize the updated property for an item is small (less than 1 KB per item), the number of items in user
mailboxes and the number of mailboxes affected by the change might combine to create an unexpected load
on the network. The load is temporary and will pass once synchronization is complete.
An exception exists for personal tags. These tags stay in place on whatever items to which they have been
applied and MFA will continue to process the tags as before. The idea is that the user explicitly placed these
tags on items or folders and Exchange Online should continue to follow their wishes. However, personal tags
that are removed from the retention policy will be invisible to the user and cannot therefore be applied to
newly-created items unless the user chooses to add them back as optional tags using OWA settings.
Page 204
Removing a tag forces its removal from every retention policy known to Exchange Online and creates a great
deal of server processing to remove the now-deleted tag from items. MFA cannot process a non-existent tag
so as it processes mailboxes, it finds items that were previously stamped with the defunct tag and restamps
the items with whatever tag is now applicable (usually a default tag).
You can disable a tag by setting its retention period to Never. MFA will leave these tags in place but will
ignore the items stamped with the tag because it knows that they will never expire. Another way of forcing
MFA to ignore previously-stamped items is to set the RetentionEnabled property to False (this is what happens
when you use the EAC to set the retention period for a tag to "Never"). For example:
[PS] C:\> Set-RetentionPolicyTag –Identity "Keep for Audit" –RetentionEnabled $False
If you remove a retention policy, Exchange Online removes the policy from its configuration and removes it
from any mailbox to which it applied. This means that MFA will no longer process these mailboxes. You can
find out if any mailboxes have not been assigned a retention policy and apply a policy to these mailboxes by
running the command:
[PS] C:\> Get-Mailbox –Filter {RetentionPolicy –eq $Null} |
Set-Mailbox –RetentionPolicy "New Default MRM Policy"
Renaming a retention policy does not force any processing on the part of MFA. Exchange Online uses the
policy GUID to associate the policy with mailboxes and the GUID is unchanged if a policy is renamed. The
name of the policy is simply a convenience to allow the administrator to know the intent and purpose of the
policy, so the policy can be renamed as often as you wish. For instance, here is how you can rename the
Default MRM Policy.
[PS] C:\> Set-RetentionPolicy –Identity 'Default MRM Policy'
–Name 'Tenant Default Mailbox Retention Policy'
If you rename the default mailbox retention policy, be aware that MFA will process and remove items from the
Deleted Items folder.
Page 205
• If a mailbox has an archive, MFA moves deleted items into the archive after 14 days. The items are
stored in corresponding folders in the Recoverable Items structure in the archive mailbox. The items
remain in the archive indefinitely because the retention policy does not contain a default delete tag to
instruct that items should be permanently removed after a set period. In addition, the normal deleted
items retention period does not apply to archive mailboxes.
• If the mailbox is not archive-enabled, MFA ignores the instruction contained in the tag.
•
A cause of possible conflict: A retention policy can have default tags for both deletion and archival. Tags
applied to items in the primary mailbox stay active when items move into the archive. When both a delete
tag and an archive tag are stamped on items, care must be taken that the retention periods cause actions
to be taken in the correct sequence. For example, if the delete tag specifies that an item is to be
permanently removed after 365 days and the archive tags causes items to be moved into the archive after
730 days, logic dictates that nothing will end up in the archive because items will be permanently removed
long before they can be old enough to be archived. Logic works if the retention periods for the two tags
are reversed because in that case, MFA will move items to the archive after 365 days and then remove
them after a further year.
Page 206
Compliance features are designed to support the regulatory and legal requirements of large enterprises. In
this instance, Microsoft seems to have done the right thing by building retention policies into Exchange
Online and assigning a default policy to user mailboxes. The only retention tags in the default policy that
could be construed to interfere with user management of personal data are the folder tag that remove items
from the Deleted items folder and the default archive tag that moves items from the primary mailbox to the
archive (if enabled) after two years. Looking at the arguments advanced above, you can see how a case can be
made to stop cleaning out the Deleted Items folder.
By default, users can accumulate deleted items for as long as they like. If you decide that this is not sensible
and believe that the Deleted Items folder needs to be managed, you can:
• Rename the Default MRM Policy to use any other name. MFA will recognize the new name and
understand that it should process the Deleted Items tag as before.
• Create a new retention policy that has the standard Deleted Items tag and apply that policy to all
mailboxes. You might want to increase the retention period (to between 60 and 120 days) to allow
users more time to recover items. If someone has not worked out that they have lost something
important after an extended period, it is possible that the information might not be so important after
all.
• Include a default delete tag in the Default MRM Policy that removes items in all folders after a certain
period. This approach is not as precise as applying a folder tag, but the Deleted Items folder will come
under the control of the default delete tag if no other more specific tag is in place.
If users empty the Deleted Items folder, normal processing will continue, and items will stay in Recoverable
Items until the deleted items retention period expires. Given human nature, you can expect that users will not
empty the folder (unless someone tells them how to do it) and so will be able to recover deleted items for as
long as they need.
The change in policy means that items will continue to accumulate in the Deleted Items folder over time.
Apart from increasing the size of the OST synchronized to workstations, this should not be a concern because
a single folder in an Exchange Online mailbox can hold up to one million items and adequate quota is
available to mailboxes to keep the data for many years. Most users will accumulate two or three gigabytes of
deleted information annually, so this should not be a problem in an era of 100 GB mailboxes. And if an archive
mailbox is available, the default archive tag in the policy will mean that items are moved to the Deleted Items
folder in the archive after two years.
Some ramifications from keeping Deleted Items around: Although the notion that you can keep a
deleted item for as long as you want might seem like a promising idea, many large companies consider
this to be perfectly horrible because of the impact on their compliance strategy. Items that stay in
mailboxes stay discoverable and items that are discoverable can be found by investigators. Companies do
not want to break any regulations but equally they do not want to keep anything around that might be
embarrassing or useful in eDiscovery situations. If you are in this situation, you need to create a new
retention tag to govern Deleted Items and include that tag in the retention policies that are applied to user
mailboxes. The steps needed to create a new retention tag for the Deleted Items folder are explained in
above.
A further issue is created for those running hybrid environments as MFA behaves differently on-premises
to the way that it processes online items. For example, if you move a mailbox from Exchange Online back
to an on-premises server, MFA will begin to process items in the Deleted Items folder according to
whatever on-premises retention policy is applied to the mailbox. If the on-premises retention policy
applies a retention action to these items, many items might be removed from the mailbox. The other issue
when moving mailboxes around between cloud and on-premises environments is that the dramatically
increased size of the Deleted Items folder means that moving a mailbox from Exchange Online will take
much longer than before. It is always best to ensure that information is treated the same on both
Page 207
platforms, so you should make sure that the same retention policies that apply the same retention actions
for the same periods are used for all mailboxes.
Page 208
Figure 7-12: Creating a new retention policy with EAC
You can also create a new retention policy with PowerShell. The command is very simple because all it must
do is to associate the policy with a set of links to the tags.
[PS] C:\> New-RetentionPolicy –Name "Business Analysts"
–RetentionPolicyTagLinks "Keep for Audit", "6 Month Delete", "1 Year Delete", "Inbox 30 day expiry",
"Never Delete"
If you forget to include a tag or need to remove a tag from a policy, you can add or remove it with the Set-
RetentionPolicy cmdlet. When reviewing the example shown below, you might ask why the complete set of
tags is passed to the cmdlet instead of trying to add or remove a single item from the list. The answer is that
experience shows that this is the safest way to update a set of tags in a policy. Too many instances have
occurred where administrators tried to update a policy and ended up with just a single tag, which then causes
MFA to do a lot of work to remove tags from mailbox items. If you do not like this approach, use the EAC
instead. (In fact, if you look at the command log, you will see that the EAC always writes out the complete set
of tags when it updates a retention policy).
[PS] C:\> Set-RetentionPolicy –Identity "Business Analysts"
–RetentionPolicyTagLinks "Keep for Audit", "6 Month Delete", "1 Year Delete", "Inbox 30 day expiry",
"Never Delete", "Junk Email"
The Remove-RetentionPolicy cmdlet can be used to remove a retention policy from a tenant. When this
happens, MFA removes the tags in the policy from items the next time it processes mailboxes. To ensure that
automatic maintenance continues smoothly for mailboxes, make sure that an alternate policy is assigned to
mailboxes before you remove a policy.
[PS] C:\> Remove-RetentionPolicy –Identity "A bad retention policy"
After you remove the policy, you might use the Get-RetentionPolicy cmdlet to view the set of retention
policies that are defined in the tenant. The RetentionPolicyTagLinks property shows the set of tags that are
linked or associated with the policy and link the policy with its tags.
Page 209
[PS] C:\> Get-RetentionPolicy | Format-Table Name, RetentionPolicyTagLinks -AutoSize
Name RetentionPolicyTagLinks
---- -----------------------
ArbitrationMailbox {AutoGroup, ModeratedRecipients, Never Delete, AsyncOperationNotification}
New MRM Policy {Keep for Audit, Keep 10,000 days, Recoverable Items 14 days move to archive,
Junk Email...}
Business Analysts {Inbox 30 day expiry, 1 Year Delete, 6 Month Delete, Keep for Audit...}
Default MRM Policy {5 Year Delete, 1 Year Delete, 6 Month Delete, Personal 5 year move to
archive...}
You might wonder why a retention policy called “ArbitrationMailbox” is present. Do not remove this policy. It
is used by Exchange Online to look after the contents of arbitration mailboxes, which are used for different
background processes such as message moderation and OAB generation. Although irreversible harm will not
be caused by removing this policy, it will stop MFA processing the arbitration mailboxes and they will
consequently swell up with unremoved content.
System tags: The set of tags defined for the ArbitrationMailbox policy have some special tags like
ModeratedRecipients, AutoGroup, and AsyncOperationNotification that are not available for use in normal
retention policies. You can view these tags by running the Get-RetentionPolicyTag cmdlet and passing the
IncludeSystemTags parameter. Do not remove these tags!
Page 210
A retention hold can exist alongside a litigation or in-place hold. The retention hold only stops the processing
performed by the Managed Folder Assistant; the other holds stop items being removed from mailboxes until
the holds elapse. Exchange Online automatically places any recovered inactive mailbox on retention hold for
30 days after the recovery. See the Exchange Online chapter in the main book for more information on how to
recover inactive mailboxes.
Page 211
Figure 7-13: How OWA displays retention tags
Unfortunately, experience proves that most users have no idea whatsoever what the meaning of personal tags
are and what happens when personal tags are applied to folders or items. They have no concept of the
difference between an archive policy and a retention policy. Indeed, most users have never explored how to
use “Assign Policy” to tag an item. In addition, if they use a mobile client, they will never see this information
because the client does not have the necessary user interface to expose policy information.
You can apply personal tags to folders in an archive mailbox. However, when this happens, the MFA checks to
see if a personal tag is stamped on the same folder in the primary mailbox and if a difference exists, the tag
used for the primary mailbox is replicated to the archive folder. This is done deliberately to ensure that a
difference does not exist in processing behavior for the two folders.
Users are sometimes confused to discover that Outlook uses a slightly different approach. However, the same
principles apply. Select an item and use Assign Policy to see the available tags. In the case shown in Figure 7-
14, a different mailbox is open, and a different set of retention tags are available. The tags are divided into
archive and retention (which is how Outlook refers to what OWA calls labels). Again, the retention period is
clearly visible. In this case, because a tick does not appear beside any tag, we know that this folder does not
have an explicit tag assigned to it. Note that if Outlook’s user interface cannot display the full set of tags
available to the user, they see an entry for More retention policies, which they can select to see all the tags.
If you select a tag and apply it to an item, Outlook checks the retention period and compares it to the age of
the item. If the item is older than the retention period, Outlook warns the user that applying the tag will cause
the item to expire. In other words, the next time that the MFA processes the mailbox, it will apply the
retention action to this item. The user can then decide to go ahead and apply the tag or not. OWA does not
Page 212
check items in the same way and it is possible for a user to assign a tag using OWA that will cause an item to
expire without warning.
Page 213
Figure 7-15: Viewing the policies assigned to a folder
Revealing the actual retention dates: Although you might have read and understood the information
published online to explain how the Managed Folder Assistant calculates the retention period stamped
onto items, there is nothing quite like checking to satisfy yourself that the right period is being used. You
can confirm how long an item will be kept by examining its properties with MFCMAPI. Look for the
PR_RETENTION_DATE property and you will find the date and time that the item will expire. Once expired,
the Managed Folder Assistant will invoke the retention action and the item will be remove or archived.
Page 214
Figure 7-16: How to use OWA options select personal tags to use with items
Blocking the ability for users to select personal tags. The retention requirements for your company
might not accommodate the ability of users to select personal tags to apply to items because you want to
restrict users to whatever tags exist in the retention policies that are applied to their mailboxes. It is easy to
prevent users from being able to add personal tags by editing the default role assignment policy, the role-
based access control policy that controls the options available to users. To block users from selecting
personal tags:
1. Go to the Permissions section of the EAC
2. Select User Roles
3. Edit the Default Role Assignment Policy and scroll down to the MyRetentionPolicies section
4. Uncheck MyRetentionPolicies and save the policy
The restriction will be enforced the next time the user logs on to OWA.
An administrator can also add a tag to a set available to a user by running the Set-RetentionPolicyTag cmdlet.
In this example, two personal tags are added to the mailbox of Kim Akers and the Get-RetentionPolicyTag
cmdlet is then used to check that the tags are in the set available to the mailbox.
[PS] C:\> Set-RetentionPolicyTag –Mailbox "Kim Akers" –OptionalInMailbox "Keep 10,000 days", "Keep
for Audit"
Name
----
5 Year Delete
1 Year Delete
6 Month Delete
Page 215
Personal 5 year move to archive
Personal 1 year move to archive
Personal never move to archive
1 Week Delete
1 Month Delete
Never Delete
Keep 10,000 days
Keep for Audit
Default 2 year move to archive
To remove optional personal tags from a mailbox, run the Set-RetentionPolicyTag cmdlet and null the list. This
is also a good way to force a refresh of the MRM configuration data for a mailbox.
[PS] C:\> Set-RetentionPolicyTag –Mailbox "Kim Akers" –OptionalInMailbox $Null
Page 217
Managing POP and IMAP Clients
POP3 and IMAP4 are email access standards-based protocols that are now quite old. However, because they
are standards-based, many organizations and individuals continue to use clients based on POP3 or IMAP4.
Both protocols support access to mailboxes but as they don’t include any functionality to send email, they
both need to configure an SMTP connection to send messages. The difference between the two is that POP3
(the older) downloads and removes messages from the server while IMAP4 allows clients to synchronize with
a server-based mailbox. Because it is more functional and is still under development, IMAP4 is the
recommended choice.
Users can connect clients using these protocols to Exchange Online mailboxes using a variety of software
including Mozilla Thunderbird, Eudora, eM, and the Mail client for Mac OS. People use these clients for a
variety of reasons including:
• They prefer to use a simpler client than the feature-rich Outlook or OWA (many newer versions of
IMAP4-based clients include functionality like OWA). It’s important to recognize that any functionality
that depends on a specific understanding of Exchange Online will never appear in IMAP4 clients.
Focused Inbox and support for retention policies and tags are two examples.
• They run on a platform like Linux and prefer to use a standards-based client.
• They’ve used a specific client for years and wish to connect it to several servers, including Exchange
Online.
• Their Office 365 subscription doesn’t include access to Outlook (for example, Office 365 F1 or
Exchange Online Plan 2).
Outlook supports both protocols to allow it to connect to other email systems like Gmail, but there’s no
reason to connect Outlook to Exchange with IMAP or POP. Several mobile email applications also use POP
and IMAP instead of ActiveSync to connect to mailboxes. POP and IMAP are also commonly used by third
party applications that need to retrieve email items from a mailbox for processing.
Out of the box, POP and IMAP are insecure protocols that transmit all client-server communications (including
usernames and passwords) in clear text that can be read by any intermediate network device. To secure the
use of POP and IMAP, Exchange Online enforces SSL/TLS encryption for all POP and IMAP client connections.
While on-premises Exchange servers permit administrators to relax the SSL/TLS requirement, Office 365 allows
no such choice to customers. You must use the protocols securely with SSL/TLS if you want to use them at all.
Page 218
Figure 7-17: Setting up IMAP access to Office 365
PopEnabled : True
PopUseProtocolDefaults : True
PopMessagesRetrievalMimeFormat : BestBodyFormat
PopEnableExactRFC822Size : False
PopSuppressReadReceipt : False
PopForceICalForCalendarRetrievalOption : False
ImapEnabled : True
ImapUseProtocolDefaults : True
ImapMessagesRetrievalMimeFormat : BestBodyFormat
ImapEnableExactRFC822Size : False
ImapSuppressReadReceipt : False
ImapForceICalForCalendarRetrievalOption: False
These default settings work just fine for most mailboxes. But there are always a few mailboxes that need some
extra customization, particularly when it comes to mailboxes being accessed via IMAP or POP by software
systems. Before any custom configurations for a mailbox take effect the *UseProtocolDefaults settings must be
set to $False. You can set this for POP only, IMAP only, or for both protocols if required.
[PS] C:\> Set-CASMailbox ServiceDesk -PopUseProtocolDefaults $False
-ImapUseProtocolDefaults $False
For both POP and IMAP, the EnableExactRFC822Size settings that are visible in the Get-CASMailbox output are
not configurable in Exchange Online. The Set-CASMailbox cmdlet simply doesn’t make that parameter
available to you, unlike on-premises Exchange. That leaves the following settings that can be configured.
Page 219
processing. If the service desk system is having issues reading the email messages, then the MIME format can
be configured to a different setting using Set-CASMailbox.
[PS] C:\> Set-CASMailbox ServiceDesk -PopUseProtocolDefaults $False
-ImapUseProtocolDefaults $False
This option has no impact on meeting requests from external senders, which will arrive as an email message
with an .ICS file attachment instead.
Page 220
deal with an overflowing Inbox cluttered up with unimportant notifications, update messages, marketing
bulletins, and so on. Over time, users train Clutter to become more precise by moving items into the Clutter
folder to show that they are unimportant. Conversely, they can mark messages that end up in the Clutter
folder as important by moving them back to the Inbox or another folder.
Time and organizational politics have a habit of changing strategy. Microsoft’s acquisition of Acompli in 2014
created the opportunity to explore a different approach because the Outlook for iOS and Android clients
supported a feature called the “focused inbox” that was popular with their users. Much the same idea existed:
to filter items that did not require immediate user attention to a place where the user could process those
messages when they had some time. The mechanism used to filter messages was simpler than Clutter, but it
delivered a great user experience that worked well, especially on mobile devices.
Client Updates
Microsoft has deployed two different approaches for intelligent email filtering for Exchange Online. The client-
side approach implemented in the Focused Inbox delivers a good user experience. The server-side approach
implemented in Clutter is potentially more powerful and flexible in terms of machine learning and extensibility
and is also easier to administer centrally. However, Clutter never achieved high degree of acceptance with
users. As part of the introduction of Focused Inbox, Microsoft rolled out updates for Outlook clients. The
changeover will complete when everyone uses a version of Outlook that supports the Focused Inbox.
Microsoft will then remove Clutter from Office 365 in January 2020.
Outlook was the last major client to support the Focused Inbox, largely because this client has the most
complex of all user interfaces. Support became available in Office ProPlus from March 2017. Only the click-to-
run version of Outlook in Office Pro Plus supports the Focused Inbox: the MSI version of Outlook 2016 does
not. However, Microsoft says that the MSI version of Outlook 2019 will include the necessary code.
Because the protocol does not support folder views, ActiveSync (EAS) clients do not support the Focused
Inbox. The EAS architecture is based on folder storage and retrieves and displays information on that basis.
Many third-party mobile device vendors such as Apple and Samsung license and use EAS to allow their email
clients to access Exchange mailboxes. Even if Microsoft released an updated version of the protocol to
support folder views, no guarantee exists that any of the mobile email client vendors would ever implement
the feature in their clients.
Page 221
can move an item from one folder to another, it is possible to use any client based on a supported protocol to
train the algorithms that make the decision about how to categorize new mail.
Figure 7-18: Using MFCMAPI to view the Focused Inbox tag for a mailbox item
Acquiring intelligence
The Focused Inbox gains knowledge about the importance someone assigns to different messages by
gradually building up a training model based on how the mailbox owner deals with messages. The model is
based on over 40 distinct characteristics of messages, including the sender, the recipients, the subject, priority,
and so on. Over time, the characteristics of the messages left by the user in the Focused view creates a more
reliable model against which new messages can be assessed. On the other hand, messages moved by the user
to the Other view gives a strong signal that these messages are relatively unimportant.
To ensure that the Focused Inbox works even for new mailboxes, a basic set of rules is applied to messages
from the start. For instance, anything that looks like a notification message is directed to the Other view while
mail from someone’s boss (using a lookup against Azure Active Directory) is considered important and
remains in the Focused Inbox.
Outlook clients support other mail systems like Gmail and Outlook.com in addition to Exchange Online and
Exchange on-premises servers. The same model is used for all servers and is implemented within Office 365
using the architecture deployed by Microsoft to support background processing for mobile clients. Microsoft
plans to make the Focused Inbox available to users of on-premises Exchange and non-Microsoft email servers
but they have not yet announced when this will be possible.
If you used Clutter, the transition to the Focused Inbox is easy. All the work you did in the past to train Clutter
is carried over to the Focused Inbox. Items in the Clutter folder stay there until you remove them. Once you
begin using the Focused Inbox, the Clutter folder loses its status as a system folder, which means that you can
Page 222
remove all the items out of the folder and then remove it. In fact, if the Clutter folder is empty when a mailbox
switches to the Focused Inbox, the folder is removed automatically.
If a message arrives into the Focused view that should not be there, the user can flag the message as
unimportant by using the “Move to Other inbox” option in the context-sensitive menu exposed by a right
click. It is also possible to rescue an important message that ends up in the other view and move it back to the
Focused view (Figure 7-19). In either case, you can either move the selected conversation or all messages from
the sender (Always move). Unlike Clutter, the Focused Inbox does not send notifications to users telling them
about messages that Clutter recently categorized as unimportant and moved to its folder. The notifications
are unnecessary because the two views are always available in the Inbox.
FocusedInboxOn FocusedInboxOnLastUpdateTime
-------------- ----------------------------
1/1/0001 12:00:00 AM
The FocusedInboxOn setting indicates the overall state of the feature. As you’d expect, this is True when
enabled or False when disabled. If the value is not set, the mailbox-specific settings take precedent (see
below). FocusedInboxOnLastUpdateTime is a timestamp recording when an administrator last updated the
FocusedInboxOn setting. It’s quite normal to see a blank value for FocusedInboxOn and a rather strange date
value for the last update timestamp as shown in the example. This is because Microsoft doesn’t explicitly
enable the Focused Inbox for any tenant and a blank value means that it’s enabled by default. In fact, the
tenant configuration setting really exists to allow a tenant to block the Focused Inbox if required. To disable
the Focused Inbox for a tenant, use the following command:
[PS] C:\> Set-OrganizationConfig -FocusedInboxOn $False
Page 223
To enable the feature again, we set the property back to $True:
[PS] C:\> Set-OrganizationConfig -FocusedInboxOn $True
If you examine the organizational configuration after manipulating the Focused Inbox organizational setting,
you’ll see that the date and timestamp is updated.
[PS] C:\> Get-OrganizationConfig | Format-Table FocusedInbox*
FocusedInboxOn FocusedInboxOnLastUpdateTime
-------------- ----------------------------
True 10/11/2016 11:15:06 AM
After the feature is enabled for a tenant, all new mailboxes are automatically enabled to use the Focused
Inbox. The settings are configured when a new user first logs onto their mailbox and learning commences as
soon as messages start flowing into the mailbox. The learning model will gradually improve over time and
refine the initial basic classification as more messages are received. Basic classification means that items such
as notification messages will end up in the Other view while personal messages are more likely to be placed in
the Focused view. You can control the Focused Inbox for individual mailboxes by running the Set-
FocusedInbox cmdlet. For example, here is the command to disable the feature for a mailbox:
[PS] C:\> Set-FocusedInbox -Identity TRedmond -FocusedInboxOn $False
When the cmdlet executes, it confirms that the Focused Inbox is enabled and stamps the current date and
time into FocusedInboxOnLastUpdateTime property for the mailbox. We can check the status of mailboxes by
running a command like this:
[PS] C:\> Get-Mailbox -RecipientTypeDetails UserMailbox | Get-FocusedInbox | Format-Table
MailboxIdentity, FocusedInboxOn, FocusedInboxOnLastUpdateTime
To force a switchover for all user mailboxes in a tenant, we can construct some code to find all user mailboxes
and then use the Set-FocusedInbox cmdlet to enable the Focused Inbox and the Set-Clutter cmdlet to disable
Clutter. A slight downside exists in this approach in that disabling Clutter is a signal to the learning algorithms
that the user is unhappy at the way that Clutter functions, which might in turn change the way that the
learning model behaves in the future. However, the experience is that no great harm follows from taking this
approach.
Because the cmdlets used to manipulate the settings are slow, this code will take some time to complete. As
explained above, the tenant setting controls whether new mailboxes are enabled for Focused Inbox, so you
don’t have to worry about maintaining settings for those mailboxes.
[PS] C:\> $Mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$Mbx | Foreach {
$DN = $_.DistinguishedName
$Status = (Get-FocusedInbox -Identity $DN).FocusedInboxOn
If ($Status -eq $False -or $Status -eq $Null )
{
Write-Host "Processing Focused Inbox for" $_.DisplayName "current status" $Status
Set-FocusedInbox -Identity $DN -FocusedInboxOn $True
Set-Clutter -Identity $DN -Enable $False
}
}
Aside from a desire to switch all mailboxes at one time, disabling Clutter for a mailbox should not be done
without good reason. The preferred way for a user to switch from Clutter to the Focused Inbox is to wait for a
client to offer the switch and then accept the option. If someone prefers to continue using Clutter, you can
disable the Focused Inbox for their mailbox and make sure that Clutter is enabled to revert to the older
feature. Clutter will continue working until Microsoft finally deprecates Clutter (expected in about a year or
so), at which time Clutter will be removed from Office 365.
Page 224
Sorting out the various Focused Inbox settings: The mixture of organization and mailbox settings for
Focused Inbox might be confusing, so here are the rules:
• If the Focused Inbox setting does not exist for a mailbox, the tenant configuration applies.
• If an explicit value for the Focused Inbox is not set at either the mailbox or tenant level, the Focused
Inbox is enabled.
• If the feature is blocked for the tenant, then the mailbox setting is ignored.
To check that the rule works, create a message with the bypass key words in the subject and send it to a user.
Use a tool like MessageHeaderAnalyzer (Figure 7-20) to check the received copy in the user’s mailbox and
look for the X-MS-Exchange-Organization-BypassFocusedInbox: header, which should contain a value “true.”
See this article for more information on viewing message headers.
Figure 7-20: Examining a message header to check that the bypass rule is working
Page 225
To ensure backwards compatibility with Clutter, any message stamped with the old X-MS-Exchange-
Organization-BypassClutter header is marked as important.
Page 226
[PS] C:\> New-AdminAuditLogSearch –StatusMailRecipients Jan@contoso.com, Jim@contoso.com
–Cmdlets New-Mailbox, New-DistributionGroup, New-DynamicDistributionGroup
–StartDate (Get-Date).AddDays(-14) –EndDate (Get-Date)
The audit report that you receive from a background search is in XML format and audit events appear as
shown below. The example reports the creation of a room mailbox. Although the information is easily
recognizable in terms of what it conveys, some work is necessary to transform the XML content into
something more digestible for those who do not speak fluent XML.
<Event OriginatingServer="AM3PR04MB0775 (15.01.0049.002)" ExternalAccess="false"
ObjectModified="EURPR04A002.prod.outlook.com/Microsoft Exchange Hosted
Organizations/Domain.onmicrosoft.com/Sonoma Conference Room" Succeeded="true" RunDate="2015-01-
12T09:47:49+00:00" Cmdlet="New-Mailbox" Caller="EURPR04A002.prod.outlook.com/Microsoft Exchange
Hosted Organizations/Domain.onmicrosoft.com/TRedmond">
<CmdletParameters>
<Parameter Value="SonomaConferenceRoom@Domain.onmicrosoft.com" Name="WindowsLiveID"/>
<Parameter Value="<*******>" Name="Password"/>
<Parameter Value="Sonoma Conference Room" Name="Name"/>
Parameter Value="True" Name="Room"/>
</CmdletParameters>
</Event>
To audit specific actions. In this example, you want to know who has recently modified mailboxes or
distribution groups. To find the audit records, you specify the cmdlets that are used for these purposes. The
ObjectModified property returned in each audit log tells you the name of the mailbox or group that was
operated on.
[PS] C:\> Search-AdminAuditLog –Cmdlets Set-Mailbox, Set-DistributionGroup | Out-GridView
To audit within a date range. In this case, you want to find out who has been creating new mailboxes over a
specified period. It is important to check the Succeeded property in the output because it is possible that some
attempts to run the New-Mailbox cmdlet were unsuccessful. Figure 7-21 shows the kind of information you
can expect to see in the output grid generated by the Out-GridView cmdlet (the easiest way to go through
audit entries). The names of the new mailboxes are clearly visible.
[PS] C:\> Search-AdminAuditLog –StartDate "01-Jan-2018 00:00"
–EndDate "15-Jun-2018 23:59" –Cmdlets New-Mailbox | Out-GridView
Page 227
Figure 7-21: The creation of new mailboxes as reported in Exchange Online administrative audit records
To analyze what the Office 365 Administrators are doing with your tenant. The Office 365 administrators
do a lot of maintenance behind the scenes that you might not be aware of. You can gain some insight into
their activities by adding –ExternalAccess $True to a Search-AdminAuditLog command. To see all the
commands executed by Office 365 administrators over a month, use a command like this:
[PS] C:\> Search-AdminAuditLog –StartDate "01-Mar-2015" –EndDate "31-Mar-2015"
–ExternalAccess $True | Out-GridView
Count Name
----- ----
10 Add-MailboxPermission
4 Add-RecipientPermission
3 Enable-AddressListPaging
3 Install-AdminAuditLogConfig
3 Install-DataClassificationConfig
3 Install-DefaultSharingPolicy
3 Install-ResourceConfig
1 New-DistributionGroup
3 New-ExchangeAssistanceConfig
5 New-Mailbox
3 New-OutlookProtectionRule
4 Remove-Mailbox
A useful script to help interrogate and interpret the administration audit log is available here.
Page 228
searches all mailboxes to look for audit entries recorded when someone used delegate access to a mailbox to
send a message using the SendAs permission:
[PS] C:\> Search-Mailboxauditlog -ShowDetails -StartDate "5-feb-2018" -EndDate "25-Feb-2018"
-LogonTypes Delegate -Operations SendAs | Format-Table LastAccessed, MailboxOwnerUPN,
LogonUserDisplayName, ItemSubject
As an example of a more focused search, here we search for audit entries in the Customer Services mailbox for
delete actions from the Inbox performed by a delegate. As with all searches, the more specific you make the
criteria, the better, so specifying a date range and the operations you are interested in knowing about is
always a good idea. A busy shared mailbox might accumulate thousands of audit entries and examining them
all can quickly become tiresome.
[PS] C:\> Search-MailboxAuditLog –Identity "Customer Services" –ShowDetails
–StartDate "1-Jan-2017" –EndDate "28-Feb-2017" –LogonTypes Delegate –ResultSize 1000 |
Where-Object {$_.Operation –eq "SoftDelete" –and $_.FolderPathName –Like "\Inbox"} |
Format-Table LastAccessed, Operation, LogonUserDisplayName, FolderPathName, SourceItemSubjectsList,
LastAccessed –AutoSize
This output certainly helps to understand what might have happened within a mailbox. An alternate approach
is to pipe the search results to the Out-GridView cmdlet to create a grid containing information about all the
objects that match the search criteria. You can then drill down into the results set as you wish, including the
ability to sort items via the different headings.
For some reason, Out-GridView does not display the LastAccessed property (the date and time when an
operation occurred), the ItemSubject property (the subject line of a message), or the ClientInfoString property
(which can reveal information such as the type of mobile device used with an ActiveSync transaction). Even
with these restrictions, it is still a very useful tool.
Exchange Online also supports the New-MailboxAuditLogSearch cmdlet. Instead of interrogating audit entries
interactively, this cmdlet performs a batch search and returns the information found to a nominated email
address. Here is an example of how to run a batch search to examine delegate access audit entries for the
Customer Services mailbox.
[PS] C:\> New-MailboxAuditLogSearch –Name "Review of Delegate Access"
–LogonTypes Delegate –Mailboxes "Customer Services" –StartDate "1-Dec-2016"
–EndDate "31-Dec-2016" –StatusMailRecipients "Tony.Redmond@Office365ITPros.com"
The exact time when the email holding the result returns depends on the current workload within Office 365.
As you might expect, Office 365 assigns batch jobs a relatively low priority and the results might not arrive for
quite some time. When the email arrives, you will find an XML format attachment with the search results. The
data are complete, but some help is necessary to make sense of it.
You might have to wait: New mailbox audit events might not accessible to searches created with the New-
MailboxAuditLogSearch cmdlet. For several reasons, including caching for performance reasons, it takes a
little time before audit events show up. What is frustrating is that the audit records exist in the user
mailboxes. In any case, to ensure accuracy of audit information, it is best to wait for a couple of hours after
the period you are concerned with elapses, just to give Exchange Online a little time to expose all the
necessary information. The same delays occur for on-premises Exchange servers.
A useful script by Paul Cunningham (available in the TechNet gallery) interrogates the mailbox audit log for a
selected mailbox and mails the results back in the form of a nicely formatted report. Apart from the value that
Page 229
the script delivers, its code is an excellent example of how to extract information from Exchange Online and
format it so that the data is much more consumable for non-technologists, such as a legal investigator who
might be interested in this kind of information.
Bypass auditing: Sometimes you have service accounts or other accounts that access the mailboxes of other
users to retrieve information. This is less likely within Office 365 than it is in an on-premises situation because
fewer add-on products, which often use this approach, are supported. If you run into the situation where it
does not make sense to accumulate all the audit entries recording mailbox access by a service account, you
can bypass auditing for that account with the Set-MailboxAuditBypassAssociation cmdlet. For example:
[PS] C:\> Set-MailboxAuditBypassAssociation –Identity "ServiceAccount"
–AuditBypassEnabled $True
To discover whether any mailboxes are enabled for audit bypass, use the command:
[PS] C:\> Get-MailboxAuditBypassAssociation | Where {$_.AuditBypassEnabled –eq $True} |
Format-Table Name
Page 230
attachments many levels deep in a message and can detect attempts to hide information contained in a zip
file in a zip file in a zip file and so on.
Blocking Actions
One question that you need to answer is what should happen when sensitive data is detected in messages.
The set of available actions that can be specified in a DLP rule is described in Table 7-6. The NotifySender
value is used with PowerShell to create a new DLP rule (New-TransportRule) or to amend the action specified
in an existing rule (Set-TransportRule).
Action Meaning NotifySender value
Notify Notify the user that a problem exists because NotifyOnly
sensitive data has been found in a message but
allow the message to be delivered as normal.
Reject and block Transport will block the message and notify the RejectMessage
user with a non-delivery notification.
Reject unless false Transport will block the message unless the RejectUnlessFalsePositiveOverride
positive user marks it as a false positive.
Reject but allow Transport will block the message unless the RejectUnlessSilentOverride
override user overrides the policy and decides to send
the message even though some sensitive data
is detected.
Page 231
Reject but allow Transport will block the message unless the RejectUnlessExplicitOverride
override with user overrides the policy and gives a business
justification justification that can be logged for auditing.
Table 7-6: Available DLP actions
Policy Modes
Exchange Online supports three modes for DLP policies. The modes are:
• Test without policy tips: This is the default mode when a new policy is created. It allows the
transport system to check messages for the sensitive data types dictated by the policy and to track
the actions that would have been taken if the policy was enforced. This data can be viewed through
DLP reports.
• Test with policy tips: This mode exposes policy tips to Outlook clients to allow you to know whether
the policy tips have the desired effect of informing users about the need to protect sensitive data.
Actions associated with the rules are not applied. Some functionality does not work in test mode. For
example, you cannot override a rule by giving a business justification.
• Enforce: The actions in DLP rules are active and enforced as messages pass through the transport
system.
If you change the mode for a policy, all the rules associated with the policy are updated to reflect the new
mode. However, you can selectively set a different mode for a rule by editing its properties. The processing of
an individual rule can also be limited by a start and end date.
DLP policies also have an enable state. When enabled, the policy is in force according to its mode as
described above. When disabled, the rules associated with the policy are disabled within the transport
pipeline.
Page 232
2 The message Is sent to an external recipient Set the audit severity level to “Medium” and
and has a low (less than 4) count of these notify the user that the message violates a DLP
sensitive data types: policy but allow the message to be sent.
Credit card number
U.S. Bank Account Number
U.S. Individual Taxpayer Identification
Number (ITIN)
U.S. Social Security Number (SSN)
3 The message Is sent to an external recipient Set the audit severity level to “High” and notify
and has a high (4 or more) count of these the user that the message cannot be sent
sensitive data types: because of the sensitive data in its content.
Credit card number Allow the user to give an override. If an
U.S. Bank Account Number override is not provided, reject the message
U.S. Individual Taxpayer Identification with a DSN status code 5.7.1.
Number (ITIN)
U.S. Social Security Number (SSN)
4 The message has an attachment that Set the audit severity level to “High” but allow
cannot be fully processed for some reason. the message to be delivered.
5 The message has an attachment that Set the audit severity level to “Medium” but
cannot be opened. allow the message to be delivered.
Table 7-7: Rules created by the U.S. Patriot Act DLP template
You might decide that the rules created from a template are insufficient or unsuitable for your DLP policy. If
so, you can edit rules to add, remove, or change conditions and actions, remove rules, and add your own rules
to the base set inherited from the template.
DLP rules are executed alongside other transport rules as messages pass through the transport pipeline.
Although an organization can use multiple DLP policies, this can create confusion and the possibility that rules
might interfere with each other. For this reason, it is recommended to use a single DLP policy that
encompasses all the sensitive data types of concern to the organization and to make sure that the DLP
execute without causing problems for other transport rules.
[PS] C:\> New-TransportRule –Name "Irish Personal Documents: Credit Card Data"
–DLPPolicy "Irish Personal Documents" –Mode Enforce
–MessageContainsDataClassifications @{"Name" = "Credit Card Number"}
Page 233
–SetAuditSeverity High –NotifySender RejectUnlessExplicitOverride
–SentToScope NotInOrganization
Soon after the new policy and rule are created, they become active within the transport pipeline. To explore
what happens then, we can use Outlook and OWA to create and send some messages holding some credit
card information.
The guid part of these names is a unique identifier for the policy. Outlook refreshes these files every 24 hours.
You can force Outlook to refresh the DLP policy information by editing the system registry and removing the
HKCU\Software\Microsoft\Office\16.0\Outlook\PolicyNudges key. Substitute “15.0” for “xx.x” if you use Outlook
2013.
As the user types text into a message body, Outlook can scan the text for sensitive data types, including
custom sensitive data types created by document fingerprinting. When sensitive data is detected, Outlook
consults the policy to decide how to tell users that such data is present and what they should do about it. The
Policy Tip might display a message saying the email cannot be sent because of the presence of some sensitive
data, or the Policy Tip might just be advisory (e.g., "you shouldn't really be sending that kind of data).” It is
also possible to allow users to override a policy by asking them to give a justification for the override. That
justification can then be sent together with information about the message to a compliance manager, who
can decide on what action to take after they examine the full context of the message. For example, an HR
representative might need to send a message with a social security number from time to time. An override
received from a HR representative is OK, while an override from an administrator working in another
department who circulated some HR data might not be. This is not an approval process that eventually leads
to the release of a message; it is simply noting that a policy violation was detected and overridden by
someone.
Page 234
Figure 7-22 shows what happens when some credit card information of the type covered by the one-rule DLP
policy we created is found in an Outlook message. The cheery policy tip shown above the recipients is a
customized policy tip. We will discuss how you can customize the standard policy tips shortly. Because our
rule allows users to override that choice is available. Clicking the override link in the policy tip invokes the
dialog shown in the center. You can see that the user has input what they believe to be a valid business
justification to override the restriction on sending credit card data through email. Click Override to complete
the process. Outlook then displays a different policy tip to inform the user that even though they have opted
to override and send the message, that decision might be later reviewed by the organization. In other words,
an audit report – called a DLP incident report - is created and might be reviewed by a compliance manager.
The user can choose to go ahead and send the message and it will be delivered.
Page 236
informing users when they have erred and included some sensitive information in a message, but sometimes
you want to emphasize the point by using different language. You can do this by customizing the policy tip.
The four DLP policy tips are:
• Notify the sender: “This message appears to contain sensitive data. Make sure all recipients are
authorized to receive it.”
• Allow the sender to override: “This message can’t be sent because it appears to contain sensitive data.”
• Block the message: “This message can’t be sent because it appears to contain sensitive data.”
• Provide a link to compliance URL: Used to configure a URL to a web page that hopefully explains the
organization’s compliance policy and how sensitive data types should be handled in email. This link
shows up in OWA when the user clicks Learn More in response to a policy tip “View details about the
information that appears sensitive.”
Exchange Online provides local language translations for the default policy tips. You can see the default text
for a language with the Get-PolicyTipConfig cmdlet. For example, to show the original (exclude any custom
text) values for the English language (or locale), use the command:
[PS] C:\> Get-PolicyTipConfig –Original –Locale en
You cannot change the default text for policy tips, but you can input custom text for Exchange Online to use
instead. The EAC offers the choice to customize policy tips through an icon that resembles a document with
check marks and a superimposed gear. The navigation from this point is straightforward and leads you
through adding a new custom policy tip, selecting the language, and finally inputting the custom text. As can
be the case, it might be faster to do the job with PowerShell. Here is how to change the text shown when
some problematic data is detected in a message and to set up a URL for users to learn more about our
compliance policy. Note that Exchange Online is picky about the capitalization of “Url”.
[PS] C:\> New-PolicyTipConfig –Name en\NotifyOnly –
Value "Oh dear! We have a problem. Some of this text is sensitive data. What shall we do next?"
Quite logically, you cannot have multiple custom text entries for a policy tip, so if custom text already exists
for a policy tip, we must use the Set-PolicyTipConfig cmdlet to overwrite it with new text.
[PS] C:\> Set-PolicyTipConfig –Identity en\NotifyOnly
–Value "Oh dear! We have a problem. Some of this text is sensitive data. What shall we do next?"
Updates to policy tips take a little while to become effective because caches must be refreshed before clients
see the new text. Although you can change the text shown in policy tips, you cannot change the text shown
under the tips to inform users about actions they can take such as removing an external recipient or
overriding the policy.
Page 237
DLP incident reports give the necessary information to fine-tune DLP policies and improve user education on
the subject. An incident report is emailed to an incident manager whenever a DLP transport rule has the
optional “generate incident report” action. Figure 7-24 shows a rule being changed to add this action. As you
can see, you can specify the information that should be included in the incident report, including a copy of
the original message.
Incident reports can be sent to any user mailbox. However, using a “normal” mailbox to hold incident reports
is bad practice and should only be done during testing. Any instance when oversight is applied to user
messages needs to be done under controlled circumstances and incident reports can hold confidential
information. It is therefore best if a special incident mailbox is created for this purpose and access to the
mailbox is restricted on a need-to basis. To avoid paying for a license, you might think about using a shared
mailbox to hold incident reports. Note that you can nominate a distribution group to receive incident reports,
so it is possible to ensure that people who need to know about the reports receive them along with a copy
going to the dedicated mailbox.
Figure 7-24: Amending a rule to add the generation of DLP incident reports
The value of an incident report is that a human being can review the content to decide whether this is a real
violation of policy or something more benign. Perhaps the policy is detecting too many potential problems
and needs to be updated, possibly by increasing the threshold for sensitive data types that can be included in
messages. On the other hand, incident reports might show that rules are not firing as you would expect, so
they are a useful way to confirm that rules work properly.
From an auditing perspective, incident reports hold the justifications given by users when rules allow for an
override. The provided reason needs to be considered in the light of the recipients for the message, its
content, and the business rationale that can be construed by reading the content. It would seem reasonable
Page 238
to send some credit card information to an external address when a credit card is needed to complete a
justifiable business purchase. It might even be acceptable when someone sends email with a credit card
number for personal purposes, like to pay for a child’s after-school activity. It is completely a different matter
if someone is circulating batches of credit card numbers for no good reason to people outside the company.
Standard DLP reports tell you that incidents occur; the incident reports tell you why they occurred.
Page 239
Like the rule described above, the process of building out a DLP policy involves understanding the conditions,
actions, and exceptions for each scenario in which we need to give protection. Common scenarios that might
be considered include:
• Allow clients to override by including a code word in the subject. An incident report should always be
gathered to ensure that this facility is not abused.
• Allow some level of sensitive data to be circulated within the organization with different thresholds
used for external recipients.
• Block messages that cannot be scanned for some reason. These are usually file formats that cannot be
accessed by the set of filters supported by Microsoft Search, such as the files generated by an
unsupported application.
You might also decide that protection is needed for a sensitive data type that Microsoft has never heard of
because it is unique to your company. A custom DLP document type can help here, but it is often easier to
create a document fingerprint from a sample of a specific document.
BigFunnelIsEnabled : True
BigFunnelUpgradeInProgress : False
BigFunnelMessageCount : 321633
BigFunnelIndexedSize : 6.021 GB (6,464,565,475 bytes)
BigFunnelPartiallyIndexedSize : 124.5 MB (130,597,574 bytes)
BigFunnelNotIndexedSize : 3.816 KB (3,908 bytes)
BigFunnelCorruptedSize : 0 B (0 bytes)
Page 240
BigFunnelShouldNotBeIndexedSize : 417.7 MB (437,972,533 bytes)
BigFunnelIndexedCount : 321487
BigFunnelPartiallyIndexedCount : 141
BigFunnelNotIndexedCount : 1
BigFunnelCorruptedCount : 0
Restricting a search to specific folders: Search-Mailbox always searches the full mailbox. You can’t
restrict the search to specific folders. You can limit the search to the primary mailbox by passing the
DoNotIncludeArchive parameter. If you need a finer degree of control, you can use Exchange Web Services
as this API allows the scope of a search to be defined. An example of how to use EWS to perform mailbox
searches can be found here.
Page 241
RBAC Requirements for Search-Mailbox
Like other Exchange cmdlets, the ability for anyone to run Search-Mailbox is controlled by RBAC. Two RBAC
roles exist that include Search-Mailbox:
• The Mailbox Search role allows users to search mailboxes. This role is included in the Discovery
Management role group.
• The Mailbox Import Export role allows users to remove items from mailboxes. The Mailbox Import
Export role is not included in any standard role group. To use it, you must add the role to an existing
role group (like Organization Management) or create a dedicated role group and include the role.
Only members of the role group that includes the Mailbox Import Export role can run searches and
remove the results of those searches. The restriction exists to ensure that only nominated
administrators can remove content from user mailboxes.
To discover who has access to the Mailbox Import Export role, we run the Get-ManagementRoleAssignment
cmdlet:
[PS] C:\> Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -
GetEffectiveUsers | ? {$_.AssignmentMethod -eq "RoleGroup"} | Format-Table
EffectiveUserName, Name
EffectiveUserName Name
----------------- ----
TRedmond Mailbox Import Export-Organization Management-Delegating
James Redmond Mailbox Import Export-Organization Management-Delegating
Marc.Vigneau Mailbox Import Export-Organization Management-Delegating
Brian Weakliam Mailbox Import Export-Organization Management-Delegating
TempAdmin Mailbox Import Export-Organization Management-Delegating
Administrator Mailbox Import Export-Organization Management-Delegating
TRedmond Import Export Org Management
James Redmond Import Export Org Management
Marc.Vigneau Import Export Org Management
Brian Weakliam Import Export Org Management
TempAdmin Import Export Org Management
Administrator Import Export Org Management
In this case, the Mailbox Import Export role is part of the Organization Management role group and has been
delegated from that role group to the special Exchange Administrators role group that’s populated when
users are nominated to be an Exchange administrator through the Office 365 Admin Center. It is sensible to
review the list of those assigned the Mailbox Import Export role periodically to ensure that the right people
have access. You can see a list of the users who can run the cmdlet by running this command:
Running Search-Mailbox
Although you can use Search-Mailbox to search a single mailbox, you can also pass a set of mailboxes
retrieved with the Get-Mailbox or Get-Recipient cmdlets to search up to a maximum of 10,000 mailboxes at
one time. Up to 10,000 results can be returned for a query, which means that if more results are available, you
need to split the search. For example, if you need to remove 50,000 items from a mailbox, you will have to run
the cmdlet to find and remove items five times.
The goal is always to be as precise as possible with the search used to find messages. This can be a little
challenging at times because no GUI is available to help construct complex queries in KQL syntax, but you can
build queries for content searches in the Compliance Center and use the same queries with Search-Mailbox.
To help understand what Search-Mailbox can do, let’s look at some common examples of its use.
Page 242
Estimate Only
As you develop search queries to find, copy, and even remove mailbox content, you can use the
EstimateResultOnly parameter to estimate how many items a search is likely to retrieve. For example:
[PS] C:\> $Search = Search-Mailbox -Identity "Customer Services" -SearchQuery "My Best Customer"
-EstimateResultOnly
Putting the output in a variable allows us to use the different results returned by the search.
[PS] C:\> Write-Host "The search found" $Search.ResultItemsCount "of size" $Search.ResultItemsSize
The search found 630 of size 32.33 MB (33,897,743 bytes)
Remember that the result returned is an estimate and that the actual results returned when you execute a
search might differ.
We fetch all user mailboxes in the tenant and pipe them to Search-Mailbox to search for messages with a
string starting with Kazuma in the message subject (using the wildcard character to say that we want to find
any message with this word in the subject). Search-Mailbox copies the messages it finds to the target folder in
the mailbox specified. We also pass the SearchDumpster parameter to force Search-Mailbox to look through
items in the Recoverable Items folder.
Any messages that match the search query are copied to the target folder in the target mailbox. If we don’t
want this to happen, we pass the -LogOnly parameter. The example pipes all user mailboxes to be processed
by Search-Mailbox. If you only want to process a single mailbox, pass its identifier direct to Search-Mailbox:
[PS] C:\> Search-Mailbox -Identity James.Ryan
When people ask for messages to be “taken back” from recipients’ mailboxes, you should be able to find out a
lot of information about the problem message, including its originating email address, so we can improve the
search query by including the sender:
[PS] C:\> Get-Mailbox –Filter {Office -eq "Dublin"}| Search-Mailbox -TargetMailbox Searches
-TargetFolder "Retrieve Email" -SearchQuery {Body:"*I have announced today the promotion of John
Baker*" From:"Senior.Manager@outlook.com"} -LogLevel Full -SearchDumpster
In this case, we use the SMTP address of the sender. If we know what the display name (resolved name) of the
sender is, we can use it instead. If we are unsure of the exact SMTP address but know the domain the message
came from, we can use it instead, as in:
From:"*outlook.com"
Page 243
If we know the sent date for a message and its subject, we can include those pieces of information in the
query:
[PS] C:\> Get-Mailbox –Filter {Office -eq "Dublin"}| Search-Mailbox -TargetMailbox Searches -
TargetFolder "Retrieve Email" -SearchQuery {Body:"*I have announced today the promotion of John
Baker*" From:"Michael McArthur" Sent:"14-Aug-2018" Subject:"Promotions"} -LogLevel Full
-SearchDumpster
When you use multiple keywords within a query, like the one above, Exchange combines them with AND
operators when it executes the search. You can include the OR operator in a query. For example:
From:"Michael McArthur" OR From:"Kim Akers"
In effect, what we’re doing here is building up a complex search query to focus in on the exact message we
are interested in. This might not be so important when you only search and copy messages, but it is critical
when the time comes to remove the messages from the source mailboxes.
For example:
[PS] C:\> Get-Mailbox –Filter {Office -eq "Dublin"} | Search-Mailbox -SearchQuery {Sent: "13-Aug-
2018" HasAttachments -eq $True} -TargetMailbox Searches -TargetFolder AttachmentSearch
-LogLevel Full -SearchDumpster
To look for messages with a specific attachment, specify the AttachmentNames keyword and the name of the
attachment in the search query. For instance:
[PS] C:\> Get-Mailbox –Filter {Office -eq "Dublin"} | Search-Mailbox -SearchQuery {Sent: "13-Aug-
2018" AttachmentNames:Sales_data_2018-7-1.CSV} -TargetMailbox Searches -TargetFolder
AttachmentSearch -LogLevel Full -SearchDumpster
Keyword queries also support wildcard matching for attachment names. For example, you can look for all
spreadsheets starting with "SalesForecast" by including "AttachmentNames:SalesForecast*" in the search
query. A variant is to look for messages that have an attachment of a specific type. For instance, to look for
messages with PDF attachments, use “AttachmentNames -like "*..pdf." You can even look for messages of a
certain size. For example, to look for messages that have .DOCX attachments and are larger than 10 MB, you’d
use
{AttachmentNames -like "*.DOCX" Size -gt 10 MB}
Page 244
The date format used depends on the default format used on your workstation. You can spell the dates out if
you want to avoid problems with different date formats. For example
Received:"1-Jan-2021..1-Sep-2021"
Here’s an example of specifying a canned period in a search. In this case, we want to look for items received in
the previous year:
[PS] C:\> Search-Mailbox –SearchQuery {Received: "last year"}
Other date intervals supported by KQL include "today", "yesterday", "this week", and "this month." Note that
although KQL supports ISO 8601 DateTime data types in searches, you cannot use date/time values when
searching against fields such as “Read” and “Sent” because the parser used by Exchange Online drops the
time segment and uses only the date. This means that you cannot search for a message sent or received at a
specific time using a value such as Read:”20-July-2019T19:53.”
You don’t have to enclose the clauses in a search query within curly braces unless the KQL parser needs to
resolve something. For example, the query contains an AND or OR logical operator. In most cases, you can
proceed without the braces and add them if the KQL parser complains about a query.
No matter what identifier you use with Exchange Online cmdlets like Search-Mailbox, Exchange resolves the
identifier to find the associated mailbox and then searches the mailbox. If an archive mailbox is available, it is
included unless you specify the DoNotIncludeArchive parameter. You cannot use an identifier to make Search-
Mailbox process a group mailbox.
When should you use identifiers to find mailboxes for Search-Mailbox to process? Sometimes there are many
mailboxes with the same or similar names. The identifiers are always unique, so by passing an identifier you
can be sure that Exchange will process the precise mailbox you want to search or remove items from.
Page 246
imagine the potential havoc that might be wreaked on user mailboxes, so you need to be careful that the
correct items are found before you try to remove anything. You should make sure to take account of the
following points.:
• You cannot use the DeleteContent parameter unless your account is part of a management role group
that holds the RBAC “Mailbox Import Export” role.
• Items removed by Search-Mailbox go into:
o If not subject to a hold, the Purges sub-folder in Recoverable Items and remain there until the
single item recovery period for the mailbox lapses.
o If items are subject to a litigation or in-place hold, they go into the
SearchDiscoveryHoldsFolder folder in the Recoverable Items structure of their host mailboxes
until all retention requirements elapse.
When all holds expire on an item, the Managed Folder Assistant permanently removes it. While the
items are in Recoverable Items, they are inaccessible by users, but the items still are available for
search and compliance purposes. If you need to remove items under hold, follow the guidance in this
article.
• If you need to keep a copy (for instance, for investigation purposes), you can specify the name of a
target mailbox in the TargetMailbox parameter. In this case, Search-Mailbox copies the items to the
target mailbox before removing them from the source mailboxes. Note that if the logging level for
the search is set to Basic or Full, you must supply the name of a target mailbox and folder to store the
log file. To remove messages without copying them, omit the LogLevel, TargetMailbox, and
TargetFolder from your command.
• Have management backing in place and have approval clearly documented before removing any
content from user mailboxes. Make sure that removals follow the data governance policy for your
organization.
• Test, test, and test again before you begin to remove content. The WhatIf switch for the Search-
Mailbox cmdlet is especially useful here, as is the EstimateResultOnly parameter, which gives an
estimate of the total number and size of found items. Obviously, you should check the accuracy and
precision of any search which returns thousands of items before using it to remove data. Make sure
that the search criteria are as exact as possible and run them against a test mailbox to validate that
they will work when used. It would be a shame to clean out everything in the CEO’s mailbox just
because of a slip in a PowerShell command. Remember that Exchange Online does not use backups,
so if you permanently remove an item, it is irrecoverable.
For example, this command searches all user mailboxes and permanently removes the items found by the
search query. Search-Mailbox prompts for confirmation that deletions should go ahead unless you include the
Force parameter:
[PS] C:\> Get-ExoMailbox -RecipientTypeDetails UserMailbox | Search-Mailbox -SearchQuery {Subject:
"Spam Email" AND Received:1-Apr-2018..1-Aug-2018} -DeleteContent -Force
An example script to demonstrate how to use Search-Mailbox to report estimate results for a search query
and remove items if required is downloadable from GitHub.
Auto-Expanding Archives: Microsoft recommends that if you have mailboxes with auto-expanding
archives, you should be very careful when removing items using the Search-Mailbox cmdlet. You can
certainly remove items from primary mailboxes, but if you remove items from archives that are in the
middle of the expansion process, a small chance exists that some data loss might occur.
Page 247
the Purges or Deletions folders in Recoverable Items. If you just want to delete messages without having the
items pass through Recoverable Items, consider reducing the deletion item retention time for the mailbox.
Don’t do this with mailboxes where it’s important to retain deleted items for compliance purposes. It’s strictly
something that should only happen where a good reason exists to clean out a mailbox. This command tells
Exchange that deleted items should be retained for zero days and disables the single item recovery feature (as
the deleted item retention period is set to zero, the feature wouldn’t apply anyway). With these settings in
place, running Search-Mailbox to remove items means that Exchange removes the items immediately and
permanently from mailboxes.
[PS] C:\> Set-Mailbox -Identity BigMailbox -RetainDeletedItemsFor 0 -SingleItemRecoveryEnabled
$False
It can take a couple of hours before the updated single item recovery setting becomes active. To return the
mailbox to the normal state, run the command:
[PS] C:\> Set-Mailbox -Identity BigMailbox -RetainDeletedItemsFor 14 -SingleItemRecoveryEnabled
$True
Page 248
this command finds all the audit records created for Search-Mailbox operations run by a specified user
on a specific day.
[PS] C:\> [array]$Records = Search-UnifiedAuditLog -StartDate 13-Sep-2021 -EndDate 14-Sep-2021
-UserIds ComplianceAdmin@office365itpros.com -Operations Search-Mailbox -Formatted -ResultSize 1000
• Records logging the removal of items: The record reveals who ran the command and what items
were removed from a mailbox. If more than a few items are removed and the details of the items
cannot fit in the audit data part of a record, Exchange captures a series of records. These records can
be found using the “HardDelete” operation.
See the auditing and reporting chapter for details about how to search the Office 365 audit log.
DisplayName CountryLetterCode
----------- -----------------
Office365ITPros US
Database : EURPR04DG049-db159
ServerName : vi1pr04mb3039
It is difficult to tell exactly which data center hosts the database because the “EUR” prefix in the database
name is non-specific. We know that the database is in the EMEA region, but the mailbox could be active on a
server in any data center within the region. The database name is composed of the DAG name and the
database within the DAG, so we can say that this mailbox is in the DB159 database in the EURPR04DG049
DAG. Each database has four copies within the DAG, so we still do not know which copy is active and what
server hosts that copy.
The ServerName property is a hangover from on-premises Exchange and only tells us the server where
Exchange Online originally provisioned the mailbox. You cannot control where Exchange Online creates a new
Page 249
mailbox within a region or where the mailbox is active afterward. The first two characters of the server name
indicate the data center that owns the original server. For instance, “db” is a server in the Dublin data center
while “vi” belongs to the Vienna data center. Exchange does not update the ServerName property when it
moves mailboxes across servers within a data center to rebalance load or to transfer mailboxes to a different
server within a DAG, nor when databases move between regions because of a tenant relocating when a new
data center region is available or if they decide to use the multi-geo capability. Because of its limited
usefulness, the Get-ExoMailbox cmdlet does not return the ServerName property.
Given these limitations, it can still be interesting to understand the way that Exchange distributes mailboxes
(at least at the time of the last update). This code shows that even for a small tenant, Exchange places
mailboxes in all the data centers within a region (in this case, EMEA).
[PS] C:\> $Mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Select
DisplayName, ServerName
Write-Host $Mbx.Count "user mailboxes found"
$Mbx | Group {$_.ServerName.SubString(0,2)} | Select @{Name="Data center";Expression={$_.Name}},
Count
Page 250
Chapter 8: Office 365
Information
This chapter discusses some topics relating to Office 365 topics that we couldn’t fit into the main book.
Configuring the RBAC Permissions for the Office 365 Import Service
Before creating a new import job, you first need to assign the Mailbox Import Export role to the Office 365
administrator account that you will be using for the task. You can either add the role to an existing
management role group or create a new management role group that can then be assigned to the accounts
responsible for processing import jobs. To create a new management role group, go to the Exchange Admin
Center, navigate to Permissions, and select Admin Roles. Click on the “plus” icon to create a new role group.
Give the new role group a meaningful name such as “Mailbox Import Export”, then click the “plus” icon below
Roles.
From the list of available roles choose Mailbox Import Export and click Add. Click OK, then click the “plus”
icon below Members to add the user accounts that you wish to grant the mailbox import/export permissions
to. When you have added all the users that you need click Save to complete the task of creating the new role
group. The new permissions will take effect for the users the next time they log in to the Microsoft 365 admin
portal.
Page 251
Figure 8-1: Creating a new management role group to control PST imports
Once the data is uploaded, you can then run an import job to process the PSTs and transfer the content to
user mailboxes.
If you have a requirement for additional encryption of the individual PST files, you can use Azure Rights
Management (Azure RMS) to encrypt the files before they are uploaded. This process follows a similar process
as uploading unencrypted files but uses the Office 365 Import Tool to perform the encryption and upload,
instead of AzCopy which simply performs the upload, although AzCopy is still installed as part of this process.
Page 252
Uploading Unencrypted PST Files to Office 365
In the Office 365 admin portal select Users, then Data Migration from the left menu, and then choose
Upload PST files. Click the “plus” icon to start a new import job (Figure 8-2). For this example, we’re choosing
to “Upload email messages (PST files)”. The option to ship data on physical hard drives might not appear if
your Office 365 tenant is hosted in a datacenter that doesn't support that option yet.
Page 253
Figure 8-3: Accessing the network upload SAS URL
Next, we use AzCopy to upload the PST files to Azure. In this example the PST files are stored on a shared
folder on the network called \\MGMT\PST. The source path, destination (secure upload URL), and secure
storage account key need to be provided as command line options for the AzCopy tool. The AzCopy tool can
be run from CMD.exe.
C:\>cd "Program Files (x86)\Microsoft SDKs\Azure\Azcopy"
The network upload URL must be placed in quotes or you will receive an error message. Some additional
command line parameters are also used in this example:
• /S tells AzCopy to also upload files in subfolders of the source directory
• /V specifies the file to output logging information to
Warning: You may be tempted to enter the command line into a batch file to make it easier to run. However,
if you do then you must keep the batch file secure, as it contains the highly sensitive secure upload URL and
storage key for Azure that will be used for the PST file uploads.
AzCopy runs as an interactive process, not a background service. You will need to keep the CMD window
open and running while the PST files are uploaded. However, you do not need to keep the web browser
window open that provides you with your storage key and secure upload URL. Those can be retrieved again at
any time in the Import section of the Office 365 admin center by clicking on the “key” icon (Figure 8-4).
Page 254
Figure 8-4: Accessing secure information for the import job
Naturally the amount of time it takes to upload all the PST files will largely depend on the speed of your
network connection to the internet. While AzCopy is running it stores two journal files in the
%appdata%\Local\Microsoft\Azure\AzCopy folder so that it can detect whether a transfer succeeded or failed.
If you encounter timeout errors, you can simply run the command again and any incomplete transfers will
resume.
Real World: AzCopy uses default parameters that are optimized for high bandwidth network connections. If
you’re attempting to upload PST files over a low bandwidth connection, you may see the operation
repeatedly failing due to time out errors. If that occurs, you can reduce the number of concurrent operations
to avoid overloading the network.
When the file upload is complete you’ll see a summary confirming the number of successful, skipped, or failed
file transfers.
Finished 3 of total 3 file(s).
[2016/05/09 17:03:55] Transfer summary:
-----------------
Total files transferred: 3
Transfer successfully: 3
Transfer skipped: 0
Transfer failed: 0
Elapsed time: 00.00:52:13
Page 255
Generate a new encryption key that will be used for encrypting the PST files. This is a symmetric key, meaning
it can be used for both encryption and decryption. You should protect this key as you would any other
password. When you run the New-MsolServicePrincipal command shown below, the key will be output to your
PowerShell console.
PS C:\> New-MsolServicePrincipal -DisplayName PstEncryptionPrincipal
The output from the command also includes an application identifier, displayed as the AppPrincipalId
attribute. You will also need to save that value for use later in this process. If you neglected to save the
information you can retrieve it later by running the following command.
PS C:\> Get-MsolServicePrincipal | Where {$_.DisplayName -eq “PstEncryptionPrincipal”}
Connect to the Azure RMS again, and run the following commands to retrieve the BPOSId and the
LicensingIntranetDistributionPointUrl values. You’ll need these values in an upcoming step as well.
PS C:\> Connect-AadrmService
BPOSId
------
2b9bca49-687e-4e5f-8a52-21350b719b06
LicensingIntranetDistributionPointUrl
-------------------------------------
https://e1180438-e46b-4695-9cde-cafbcbf06b36.rms.eu.aadrm.com/_wmcs/licensing
Page 256
encrypt and upload the files using a single tool called O365ImportTool.exe. However, that tool is not available
as a download. Instead, the O365Protect.exe tool is made available. Microsoft has not added a link to the tool
in the new admin center, but you can access it here. You’ll need to be logged into the portal in your web
browser for that link to work. There’s no installation required for the encryption tool, just download the zip file
and extract the O365Protect.exe file to a folder on the computer where AzCopy is installed, and that you’ll be
uploading the PST files from.
Next, click on Show network upload SAS URL to retrieve the secure storage account key. You should protect
this URL in a secure location as you would with any other administrative usernames and passwords for your
environment.
The syntax for O365Protect.exe is as follows:
C:\Admin> O365Protect.exe /sourcefolder:<source folder> /sourcepattern:"*.pst" /rmsserver:<RMS URL>
/tenantid:<BPOS Id> /ownerid:<owner Id> /key:<Symmetric Key>
Wrap each of the parameter values in quotes when you construct your own command line. When you’re
ready, run the O365Protect.exe command line you’ve constructed, and watch the output to determine
whether encryption was successful or not.
Encrypting \\mgmt\pstimport\Import Demo 1.pst
100%
Elapsed Time: 00:00:00.1933768
Encrypting \\mgmt\pstimport\Import Demo 2.pst
100%
Elapsed Time: 00:00:04.2313517
Encrypting \\mgmt\pstimport\Import Demo 3.pst
100%
Elapsed Time: 00:00:03.9624163
Total Elapsed Time: 00:00:20.1379127
After the encryption process has finished you can use AzCopy to upload the PST files following same steps
outlined earlier in this guide when demonstrating the upload of unencrypted files.
Page 258
Monitoring the Import Process
After the import job begins, from the Import Service area of the Office 365 admin center you can click the
View details link to view the progress of the data import and see any errors that have occurred. The most
likely error you’ll run into is a PST file that either hasn’t been uploaded or can’t be found by the import job
because the path you specified CSV file is not correct.
The PST file names and paths are also case sensitive, so you should take care to use the correct case in the
CSV file when you create it. As the import proceeds and information is loaded into user mailboxes, the owners
of the mailboxes will see the imported data appear in the root folder that you specified in the CSV mapping
file (Figure 8-8).
Real World: Importing PST data into Office 365 is only part of the process. Naturally you need to find the
PST files first, using tools such as Microsoft Exchange PST Capture Tool. You’ll also need to disconnect any
Outlook profiles from the PST files, work out who owns each PST file that you find, and prevent creation of
new PST files by users in your environment.
Page 259
Figure 8-9: Group Policy options to control PST files
If you have multiple versions of Outlook in your environment, you’ll need to configure Group Policies that use
the administrative templates for each specific version.
Microsoft Forms
Forms allows users to collect information from other people through surveys, quizzes, and polls. The person
who creates the form decides what type of form it is and the questions it contains. They then publish the form
online or through an application like Teams for the target audience to complete. After the answers come in,
the form’s author can then evaluate and analyze the responses using the built-in analytics or export the
answer data for further analysis using Excel or Power BI. Forms is intended for simple forms processing and
not designed to replace something more comprehensive like SharePoint Lists.
Forms is available to all Office 365 business and enterprise tenants and is in public preview for consumer
Office 365 plans. By default, every licensed user in a tenant can access Forms by using their tenant credentials
to sign into the Forms portal or select Forms from the apps listed in the Office 365 waffle menu. If you want to
stop specific users accessing Forms, you must disable the Forms option in their license through the Office 365
Admin Center or with PowerShell. Forms data is stored in Office 365 datacenters in the U.S. (for U.S. and non-
European tenants) and EMEA (for European tenants).
Page 260
Figure 8-10: Forms settings in the Office 365 Admin Center
• Send and collect responses allows users to create forms.
• Share to collaborate allows users to share their forms with users inside and outside the organization.
• Share as a template allows users to share forms as template so that others can use the forms to create
new forms.
• Share form result summary allows users to share the summary results for a form.
An individual user can create up to 200 forms. Each form can receive up to 50,000 responses.
Creating a Form
The best way to understand an application like Forms is to see it in action. Let’s go ahead and create, share,
and complete a form. When you go to Forms for the first time, you have the choice of creating a new form or
a new quiz. The difference between the two is that a form leads respondents through a series of questions to
collect ad-hoc information while a quiz is composed of a series of questions with set answers that the
respondent is graded against. You can assign different points for the correct answer to each question and
Forms will tot up the total and report the result when a respondent finishes the quiz.
Click New form to begin the creation process. In Figure 8-11, we see that the title, description, and a picture
for the form are populated. You don’t have to add a picture, but this is a good way to highlight the purpose of
the form or the organization responsible for the form (if you use its logo). The title for a form can be up to 90
characters and the subtitle up to 1,000 characters. Forms automatically saves your work as you make changes.
Page 261
Figure 8-11: Entering a title, description, and picture for a new form
The […] (ellipsis) menu has settings controlling how the form is used (Figure 8-12), including the ability to set a
start and end date for responses, and if users can submit multiple responses. If someone tries to respond
outside the date range, they are told that the form isn’t accepting responses at present. Another option is to
shuffle questions so that each respondent sees them in a different order.
Choice Questions
These questions ask the respondent to choose an answer from one or more values. In Figure 8-13, we ask the
respondent to choose how often they want to see updates appear for an eBook. If we move the Multiple
answers slider to On, they can pick multiple options. The Required slider controls whether the respondent
must answer the question before they can move to the next question. The Other option allows respondents
to input their own answer. If added context is needed for a question, click the ellipsis menu and add a sub-
title. This menu also exposes the choice to shuffle answers for each respondent.
Page 263
• Move a question up and down in the list.
You can also add a graphic to each question to make the form more visually attractive.
Text Questions
These questions ask a respondent to enter an opinion about a stated topic. In Figure 8-14 we see that a long
answer is selected, which means that we want to allow plenty of room for our respondent to tell us about
their answer.
Rating Questions
These questions ask respondents to rate a topic on a scale using stars or numbers (you can decide how many
points to use in the scale). In Figure 8-15 we use the Label option (in the ellipsis menu) to tell respondents
what 1-star and 5-star values mean.
Page 264
Figure 8-15: Adding a rating question
Likert Questions
A Likert scale is often used to measure how people feel about different subjects with a more subtle nuance
than is possible with a simple yes/no response. Likert questions ask respondents how strongly they agree with
a set of supplied statements. As you can see from Figure 8-16, you can change the heading for each choice to
convey the true meaning of the respondent’s view about a statement. You can also add as many statements
and responses as you want, subject only to always avoiding any chance that the respondent will fall into a
state of boredom before they reach the end.
Page 265
Other Question Types
Forms also supports these question types:
• Date. These questions ask respondents to select a date value as their response.
• Ranking. These questions ask respondents to move a set of supplied values up and down in a list to
rank them in order of importance.
File Upload
A file upload question allows respondents to upload an Office, image, video, or PDF file as the answer for a
question. Up to ten files can be uploaded at a time and the size of a single file can be between 10 MB and 1
GB. Uploaded files are stored in:
• Personal forms: In a sub-folder of the Apps\Microsoft Forms folder in the form owner’s OneDrive for
Business account.
• Group forms: On a sub-folder of the Apps\Microsoft Forms folder in the group’s SharePoint Online
document library.
In both cases, the name of the account that uploads a file is appended to the file name to make it unique. If
you move a form from personal to group ownership, any files uploaded to OneDrive for Business are not
automatically transferred to SharePoint Online. Instead, Forms treats the form as brand-new with a new set of
responses. Because uploaded files are stored inside Office 365, all the normal protection features that might
be active within the tenant such as Advanced Threat Protection and Data Loss Prevention apply.
Forms does not support guest users, so once a form includes a file upload question, it is automatically
restricted to tenant users.
Page 266
Figure 8-17: Branching controls for questions
Sharing a Form
When you are sure that the form is ready to go, click Share and select how you’d like to make people aware
that you’d like them to complete a form. You can use the following methods to share a form:
• URL: Forms generates a unique hyperlink to the form that you can paste into email, a web page, or a
Teams conversation. The URL looks like this:
https://forms.office.com/Pages/ResponsePage.aspx?id=PzFitvwUokOaetLif080eFjN9O-
4G5lIlN55X2VrShhUOERRQVlaUTRGUFBYRTdWQ1BUVllPQVJTWC4u
• QR-code: Forms generates a QR-code that you can display on a web page or elsewhere.
• Embedded code: Forms generates code suitable for insertion in a web page or Sway. The form
displays in an iFrame.
• Email: Forms switches to the default email client defined for your workstation and creates a new
message, inserting the URL to the form (same as above) along with some boilerplate text. All that
remains to be done is to personalize the text and address the message.
Form authors can decide whether the link can be used only by other users in the same organization or by
anyone who has the link. An author can also share a link that allows other users in the tenant to work on the
design of a form, for instance to help refine the wording of questions.
You can also add Forms as an app to a team. This allows you to create a direct link to a form through a tab in
a channel. Go to the Teams app store, select Forms, then select the team and the channel that you want to
use Forms in, and then select Tab. You can then choose to create a new form or open an existing form. You
can also add a Forms bot to a team and use it to create a simple questionnaire (Figure 8-18). In all cases, the
form needs an internet connection to access data.
Page 267
Figure 8-18: Creating a quick questionnaire in Teams with the Forms bot
When Forms opens a survey or quiz, it renders the questions and layout based on the client type. Figure 8-19
shows how the form appears on an iPhone.
Page 268
creators. To associate a form with a video, access the Interactivity tab and click Add New. Then input the URL
of the form (copied from the Share option of Forms) and select when in the video timeline (drag the timeline
slider to the right point) when you want viewers to see the form. When Stream plays the video, it will halt at
the appointed time and display the form to collect viewer input.
Analyzing Responses
If selected, the author receives email notifications as users respond to the form. As responses come in, the
author can see what kind of results are obtained by clicking the Responses tab for the form (Figure 8-20). You
can also click View results to go through each of the individual responses, or Open in Excel to have Forms
generate an Excel file holding the results, including the date and time for each completion. For more
complicated analysis, you use Excel’s data analysis features or import the file into Power BI.
Group Forms
So far, we have discussed personal forms, which are under the control of a single user. Forms also supports
the notion of Group Forms, where a form is owned by an Office 365 Group. Click the Group forms tab to
access the group forms belonging to groups that you belong to. To create a new group form or edit an
Page 269
existing group form, click the down arrow beside Recent group forms. Forms now displays the set of Office
365 Groups that you are a member of to allow you to select the target group to host the form. Figure 8-21
shows that three groups have associated forms. If you use the Forms bot in Teams to create a quick poll, the
resulting form is listed here but is read-only.
The process of creating and editing a group form follows the same process as a personal form. The only
difference between the two is that any member of the associated Office 365 group can see and manage a
group form.
Sway
Microsoft calls Sway a digital storytelling application that allows people to gather, format, and share their
ideas and experiences using a mixture of different media from text to video. Elements are arranged on an
electronic canvas. Originally launched as a consumer application, Sway is now part of the Office 365 suite.
Page 270
Users log on to the Sway site using their Office 365 credentials to collect the content that they want to
combine to form their story there. Everything is stored in the Sway cloud service. Nothing apart from source
elements that are uploaded as input for a Sway is needed to be held on a user device. Up to ten people can
co-author a single sway.
A big selling point of Sway over other presentation applications such as PowerPoint is its ability to
dynamically rearrange elements to display in an attractive manner on different device form factors. Initially,
this led to some speculation that Sway was a replacement for PowerPoint, which is inaccurate. Instead, Sway
offers a unique way to present information such as reports, training material, newsletter, brochure, briefing
documents, or even personal travel logs. Sway is very suitable for subjects that are graphic-rich and involve
elements such as video clips.
Creating a new Sway is easy. You need to know the elements that you want to combine in the story. These
include:
• Text
• Pictures and other graphics
• Video
• Tweets
• Charts
To begin, click the Sway icon in the app menu to connect to the Sway service. You can then select an existing
file or create a new Sway. In either case, you work with a card-based storyline to assemble the different
elements of the story and arrange the cards in order. Each card holds an element such as an image plus the
ability to add some text (such as a caption) plus some controls to allow for actions such as adding a web link
or emphasizing the element (for instance, to make an image larger when it is displayed). You can also add
“focus points” for images to let Sway know where the most important parts of the image are found.
Elements can be fetched from online sources such as YouTube or Flickr or uploaded from your PC. You can
also cut and paste text from other documents into Sway or input and edit text directly there. Basic text
formatting controls are provided, but it is usually better to use purpose-designed tools like Word to create
content before moving it over to Sway. Graphics should be in their desired form before being imported to
Sway as no tools are available to crop or otherwise adjust them within Sway. However, a nice search tool is
available to look for image available on the Internet that are covered by the Creative Commons license, so it
should be possible to find a suitable image for almost any purpose if you do not have a suitable one of your
own. Videos that match the search term will also be found and can be dropped into the Sway too. You can
upload a video file of up to 256 MB from a local drive or 768 MB from OneDrive for Business. You can also
add voice recordings to a Sway through the web app to explain more about the topic or make the Sway more
engaging.
Page 271
When posting a Sway for display in a place like a booth in a trade show, people often want it to auto-play on
a continual loop. To do this, click the Settings icon, select Autoplay, and set the delay and then Start.
Sway is an application that is evolving fast. It is user-centric with limited administrative capabilities. The
content of the files is not exposed to Search and are therefore invisible to compliance features or Delve. Sway
does captures audit events that reveal who is creating and updating files and these events show who is using
the application. None of this is surprising given the consumer focus from which Sway originated and no doubt
some administrative infrastructure will be put in place over time.
Administrative settings for Sway: A number of administrative settings are available to allow control over
how the application behaves. You can disable Sway completely for a tenant, control whether Sways can be
shared externally, use licenses to control access on a per-user basis, and block or allow different content
sources (such as YouTube) that users can search to add content to their Sways.
Sway Clients
Sway supports all modern browsers. Microsoft recommends that you use the latest version of:
• Edge
• Chrome
• Firefox
• Internet Explorer
• Safari
Ideally, sways need a reasonable amount of screen real estate to display to best effect. The application can
resize the elements of the sway to fit small screens, but the best results are seen on larger screens (1600 x
1200 or better). Figure 8-22 shows the composition of a Sway with the storyline revealed. You can see the
kind of editing controls that are available to the user.
Page 272
In addition to browsers, a mobile Sway client is available for iOS and an UMP app is available in the Microsoft
Store for Windows. You can view and edit files using the mobile client. However, editing can be a little
frustrating on a small iPhone. Figure 8-23 shows how Sway displays the same content on different device form
factors. The larger PC (left) is obviously able to display more of the picture and text while the more
constrained iPhone (left) still gets the message across, albeit with a little less elegance. Regretfully, Microsoft
is retiring the iOS app from December 17, 2018. The app will no longer be available in the iOS store from
October 19, 2018.
Sway Data location: At the time of writing, the Azure service that holds the data for Sway runs in
Microsoft’s U.S.-based datacenters. This fact might create a deployment issue for non-U.S. companies. If
concerned about this issue, you should check with your local Microsoft office to verify the current
situation.
Page 273
As an alternative, Microsoft recommends using Team News, Communication
Sites, and/or Yammer.
Machine Translation Beginning September 2018, Microsoft started to remove the user interface
Services for SharePoint entry point for Machine Translation Services from SharePoint Online. This
Online deprecation has the following impacts:
• It is not possible to perform manual or on-demand translation
requests from SharePoint Online.
• It is not possible to create new variation labels for multilingual
scenarios based on the variations feature in SharePoint online.
As an alternative to this feature, Microsoft recommends using Microsoft
Translator APIs.
Classic Popularity Classic usage and popularity reports for classic sites are not available
Reports anymore after February 29, 2020.
SharePoint classic and SharePoint classic and Delve blogs will not be supported after July 17, 2020.
Delve blogs After that date, users cannot create classic SharePoint blogs and Delve blogs
will be removed from Delve profiles. Delve blogs creation was disabled on
January 18, 2020.
Activity column in The activity column in both OneDrive for Business and Shared Libraries is
OneDrive for Business being retired by Microsoft. Once the feature is retired, the Activity column
and shared libraries will no longer be visible. As an alternative, Microsoft recommends using the
Activities section in the Details pane for a selected file or folder.
Custom Forms creation After identifying a code issue related to the creation of custom forms in
with SharePoint SharePoint Online, Microsoft deprecated the feature on April 25, 2020. The
Designer decision was based on the impact to data integrity the issue could cause and
the difficulty in developing a fix guaranteed not to impact other SharePoint
components.
Table 8-1: Deprecated features in SharePoint Online and OneDrive for Business
And to get the properties of only one of the apps, use the same cmdlet filtering by the name of the app:
[PS] C:\> Get-AdminPowerApp "Help Desk"
You can combine native PowerShell cmdlets with the Power Apps cmdlets to manipulate data. The following
example uses the Select function to isolate the Owner attribute from the set returned by the Get-
AdminPowerApp cmdlet. The name of the owner object is pipelining that output into another Select function.
Finally, passing the second Select function output into the Group function returns a table that includes a
count of each owner’s number of apps:
[PS] C:\> Get-AdminPowerApp | Select –ExpandProperty Owner | Select –ExpandProperty displayname |
Group
Page 274
Reviewing Users with Trial Licenses
You can export and review information about users with trial licenses using the PowerShell cmdlet: Get-
AdminPowerAppLicenses. The exported file contains both self-service internal trial plans signed up for by
individual users and plans sourced from Azure Active Directory. Internal trial plans are not visible to admins in
the M365 admin center and are only visible through exporting via PowerShell.
[PS] C:\> Get-AdminPowerAppLicenses -OutputFilePath -<licenses.csv>’
Page 275
Chapter 9: Directory
Synchronization
To synchronize identities from your on-premises directory with Office 365, you must enable directory
synchronization in the Office 365 tenant and install the appropriate directory synchronization tool.
More information about the synchronization process in general, its various features, the supported
synchronization tools, and how to manage the synchronization process can be found in Chapter 3 of the main
book. Read through the chapter to familiarize yourself with the core concepts before following the steps
outlined below.
Real World: Directory synchronization underpins the Staged and Hybrid migration scenarios for Exchange
Online. When a cutover migration is performed, directory synchronization cannot be used before or during
the migration. However, synchronization can be implemented once the migration is complete. In situations
where third-party migration tools are used, it is critical that the documentation provided by the vendor is
carefully reviewed before any migration activity commences. In many cases, the Microsoft directory
synchronization tools can’t be implemented before or when a third-party migration tool is in use, as the
vendor might provide their own synchronization tools.
Because of the critical role directory synchronization plays in your ongoing identity management strategy,
several decisions must be made before you implement directory synchronization. These decisions include:
• Are you synchronizing objects from a single AD forest or from multiple forests?
• What kind of authentication will you use? Should you use password hash synchronization, pass
through authentication (PTA), or federation?
Page 276
• Should you synchronize every object from AD or only a subset of objects?
• Do you need to use a dedicated SQL Server instance or is the built-in SQL Server LocalDB instance
sufficient for your environment?
• Should Azure AD Connect be installed on an existing server, a dedicated server, or even in Microsoft
Azure?
These decisions can lead to some potential for confusion when the time comes to implement Azure AD
Connect. We will now take a deeper look at Azure AD, how directory synchronization works, and the role that
directory synchronization plays in a hybrid deployment.
Note: Although we focus here on directory synchronization in the context of Azure AD, directory
synchronization can also be used to enable federation and single sign-on for a wide range of other
software as a service (SaaS) applications from Microsoft and other vendors.
Page 277
object, but rather a shadow copy with the subset of the object's attributes that are marked to be
synchronized. Each connector has its own connector space and defines what objects and attributes
are stored within the connector space.
• Attribute flow: This is the process that copies data from one connected data source to another.
• Source anchor: The sourceAnchor is the attribute of the on-premises object used to link it to an
object in Azure AD. By default, the value of the object's objectGUID attribute is used. The value of the
objectGUID attribute is stored as a base64-encoded string in the ImmutableID property of the
corresponding object in Azure AD. As of version 1.1.524.0 of Azure AD Connect, the tool uses the
msDs-ConsistencyGuid attribute instead of the read-only objectGUID attribute if you have not
populated the msDS-ConsistencyGuid attribute for other purposes. When Azure AD Connect uses the
msDS-ConsistencyGuid, it takes the value of objectGUID and writes it back into msDs-ConsistencyGuid
in binary form. Doing this enables you to manually update the reference later; for instance, when you
need to link the object to another (already existing) cloud object, or if you have multiple AD forests
and need to re-link the account from another forest to the matching object in the cloud after a user
moves from one forest to another.
Azure AD Connect stores the source anchor value in its metaverse in the sourceAnchor attribute. The
chosen attribute must not change during the life of the object or it will cause synchronization
problems, authentication problems if you are using federation, and other unwanted effects on
Microsoft 365 services.
The basic concepts outlined here apply regardless of the version of the directory synchronization tool in use,
and you are likely to encounter them in any directory synchronization project.
The operation on mailbox "Britta Simon" failed because it's out of the current user's write scope.
The action 'Set-MailUser', 'HiddenFromAddressListsEnabled', can't be performed on the object 'Britta
Simon' because the object is being synchronized from your on-premises organization. This action
should be performed on the object in your on-premises organization.
This happens because directory synchronization is a mostly one-way operation that flows from the on-
premises AD forest to Azure AD. The on-premises version of the object is the source of authority. Objects that
are created directly in Microsoft 365 are considered cloud-only objects and are, by default, not synchronized
back to the on-premises AD. The only exception to that rule is when you have a writeback feature enabled.
Writeback is a capability in Azure AD Connect which permits the synchronization of some object types (such
as Groups) and attributes (such as device partnerships) back to the on-premises AD forest. Note that the
decision to implement writeback can affect how hybrid recipients are managed. The various writeback
capabilities and their limitations are discussed later.
Despite the general rule that objects synchronized from on-premises cannot be managed using online tools,
some mailbox features can be managed in both environments. More specifically, this applies to features for
which the synchronization process will write back attributes to the on-premises environment, or for which no
on-premises management capabilities exist. For example, a litigation hold can be enabled on an Exchange
Online mailbox associated with a hybrid identity because the update made to the mailbox attributes can be
synchronized back to Exchange on-premises.
Page 278
Identifying which objects are synchronized from AD is straightforward. If you manage user objects from within
the Microsoft 365 admin center, you can add a column called "Sync status" which states whether or not the
account is a standalone or hybrid identity. Similarly, you can use the PowerShell Module for Azure AD to run
the following query:
[PS] C:\> Get-AzureADUser -Filter "DirSyncEnabled eq true"
As this blog post points out, there is a quirk in the behavior of the Get-AzureADUser cmdlet when retrieving
details of synchronized or non-synchronized users: it returns true or null to indicate whether an account is
synchronized. In the above example, the filter property uses server-side filtering to find matching objects
before passing retrieved objects to the pipeline. This can significantly increase performance when working
with larger sets of objects.
However, server-side filtering does not support the use of all operators. For example, you cannot use
“DirSyncEnabled ne true” to query for non-synchronized accounts. As explained in the blog, all (user) objects
go to the pipeline first when using client-side filtering. While this approach can consume more time and
memory – especially when working with large object sets – it allows for more flexibility, such as using the
“NotEquals (-ne)” parameter which allows you to filter for non-synchronized users, etc.
Synchronization Interval
Azure AD Connect synchronizes Azure AD with the on-premises directory every 30 minutes. An administrator
can control various aspects of the synchronization schedule like the interval between synchronizations (up-to
a Microsoft-enforced minimum interval of 30 minutes) and the type of synchronization. Administrators can
also force a synchronization to occur outside the regular schedule. This topic is explained later.
In some cases, the period between change and effect will be longer. For example, when you enable a cloud-
based archive for an on-premises mailbox, the archive will be unavailable until directory synchronization has
run twice: one cycle to transit the change from the cloud to on-premises, and one cycle to synchronize back,
which means a longer delay could exist between enabling the archive and it being accessible in client
interfaces.
Note: The synchronization delay only applies to synchronized objects, such as user accounts. Password
hashes, which are synchronized if password hash synchronization is enabled, are synchronized every two
minutes.
Page 279
Single forest, Single Azure AD tenant
This scenario is the simplest and most common synchronization scenario. A single on-premises AD forest is
synchronized with Azure AD through a single Azure AD Connect server. Except for staging mode server(s)
(more on this later), you cannot use multiple directory synchronization servers to synchronize with Azure AD.
Even though you could theoretically configure multiple synchronization servers to each only synchronize a
subset of objects by configuring exclusions, it will not work properly.
Page 280
filtering at any time, it is not critical that you decide this during the planning process. Note that if you
decide to use group based filtering, you must make that decision at the time of installation.
• Review on-premises objects and make sure they do not contain illegal characters or duplicate values.
It is important that no objects with duplicate or conflicting proxyAddresses attributes are synchronized
to Azure AD as this could disrupt the service for the user. The list of characters that are supported
varies from attribute to attribute. A full list of unsupported characters is available here. Microsoft
provides a variety of tools which can review and remediate potential deployment blockers. These
tools, and how to use them, are explained in the section “Review and remediate directory
synchronization blockers” later.
• You must also make sure that the UPN suffix for the on-premises user objects is an Internet-routable
domain such as yourdomain.com, for example john.doe@yourdomain.com. Preferably, the UPN should
also match the user’s email address. This is because the UserPrincipalName attribute is used to sign in
into Microsoft 365.
To synchronize the value from the on-premises environment you must have previously validated the
domain in your tenant. Given that you can only register public domains in your tenant that you can
verify that you own by adding DNS records as directed by Microsoft, the on-premises value must
match a domain that has been registered in your tenant. If you cannot update AD to use an Internet-
routable UPN suffix, you will need to modify the default Azure AD Connect configuration prior to
completing the installation.
Page 281
Figure 9-1: The IdFix tool
The Action drop-down menu allows you to select what action you want to perform on the object. If you select
Edit and then click Apply in the top-level menu bar, the on-premises objects will be updated with the value in
the Update field. Note that the value in the Update field is only a suggestion. As an administrator, you can
put in any value you like.
The thought of bulk-editing on-premises objects might sound scary at first. In a way, it is. However, the IdFix
tool will only display non-critical objects. Nonetheless, you should make sure that any change you make does
not have an adverse effect, for example to a line-of-business application that references AD attributes.
Real World: The IdFix tool covers the most common synchronization errors. However, there are some
conditions that can break the directory synchronization process but that IdFix does not check or fix. For
instance, it does not check whether different accounts in the environment have a matching UPN and
proxyAddresses.
Imagine there are two users in your organization with a similar name: Jane Doe and John Doe. Jane Doe's
UPN is jdoe@contoso.com and John Doe's UPN is DoeJ@contoso.com. However, for some reason, one of
Jane Doe's email addresses (in the proxyAddresses attribute) is DoeJ@contoso.com. Although potentially
confusing, this is a fully supported on-premises scenario. However, because of the importance of the UPN
in Azure Active Directory, the directory synchronization process perceives these two objects as a conflict,
because the UPN of one user is on the proxyAddresses list of the other. This scenario might not be very
common, but because it is not reported in either tools from Microsoft, it is also very hard to detect
upfront. Another scenario that is not covered by IdFix is checking whether a synchronized attribute value is
too long. For instance, if you have an extensionAttribute that holds 1,200 characters, it will not be reported
by IdFix, nor will it be synchronized to Azure Active Directory because the value is too long.
Page 282
synchronize all objects until the conflict is resolved and the action succeeds. When the Duplicate Attribute
Resiliency feature is enabled, objects may be created successfully despite possible conflicts and therefore the
synchronization errors only show up in the report once. Because it is possible that an administrator misses the
report, the list of conflicting objects and attributes is available through the MSOnline PowerShell module:
[PS] C:\> Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict
In large environments, the above command can potentially return a lot of results. If needed, you can reduce
the number of results by using filtering parameters like PropertyName and PropertyValue. The following
example only shows synchronization errors caused by a conflicting proxy address. Note that more filtering
parameter and options are available and can help to further refine results.
[PS] C:\> Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName
ProxyAddresses
Depending on the synchronization error, and conflicting attribute, various strategies exist to resolve the issue.
Some suggestions to tackle different conflict scenarios is in this article. You can also use Azure AD Connect
Health in the Azure portal to visually review and download a list of synchronization failures.
Page 283
Windows Server 2016 DC into your on-premises AD environment.
As such, you might find that you run Exchange Server 2010 and
need to configure the appropriate permissions to allow
synchronization to write this attribute too!
publicDelegates This attribute stores information about who has (delegate) access
to this mailbox. Exchange Online uses the cloudPublicDelegates
attribute to control which users have Send-On-Behalf-Of
permissions, while on-premises Exchange uses the publicDelegates
attribute. Versions 1.1.553.0 and later of Azure AD Connect enable
writeback on this attribute, which means that you can now
synchronize sending permissions in hybrid organizations.
Table 9-1: Writeback attributes
Note: Microsoft is working to enable the ability to write back more than the limited set of attributes that
synchronization currently supports. When Microsoft delivers that capability, it might enable scenarios
where hybrid recipients can be managed from both environments. Today, various writeback capabilities
are available either under general availability or in preview. Each of these features has its own set of
objects and object attributes that are written back into the on-premises directory. We will discuss the
various writeback capabilities later.
The idea that the directory synchronization process can potentially modify object attributes in the on-
premises environment can be scary at first. However, it is important to understand that updates happen
securely. First, secure sockets layer (SSL) encryption protects communications between the on-premises
directory synchronization server and Azure AD. Secondly, the account created in the installation of Azure AD
Connect only holds the minimum set of permissions required.
Then, you can continue using the cmdlets. For example, to configure permissions for password writeback:
[PS] C:\> Set-ADSyncPasswordWritebackPermissions –AdConnectorAccountName "<service account>"
–ADConnectorAccountDomain "<fully-qualified domain name>"
Page 284
cloud object. However, by the time you start Azure AD Connect, you may already have created cloud objects
in Azure AD.
To match existing on-premises user accounts to pre-existing users in Azure AD, the directory synchronization
process uses two different approaches: hard matching and soft matching.
To save you some typing, you can use a PowerShell script to generate the ImmutableID for an Active Directory
user object. Next, connect with PowerShell to Azure AD and update the ImmutableID for the cloud-based
object that you wish to link to the on-premises object:
PS C:\ Set-MsolUser –UserPrincipalName britta.simon@Office365ITPros.onmicrosoft.com –ImmutableId
28yuIZMiVUuT2GJj6+qPDg==
After you have manually configured the ImmutableID, you run Azure AD Connect. Once the process
completes, Azure AD Connect will link both objects together.
In the scenario of an Exchange Online cutover migration, both the on-premises and Azure AD user object
should already have a matching SMTP address. This means that, once the migration completes, you can
Page 285
configure directory synchronization and it should be able to soft-match all existing objects with little to no
effort if you do not have duplicate SMTP addresses. Duplicate addresses may exist when you have contacts in
the on-premises AD with the same email address as an Exchange Online mailbox. In this situation, you will
receive a directory synchronization error telling you that duplicate objects exist, and that Azure AD Connect
was unable to create or update the object. If you only have objects in Azure AD and wish to link on-premises
objects to them, copy the value of the email address from the object in Azure AD onto the on-premises
object.
Page 286
Figure 9-2: Azure AD Connect service account
When the account is created, it is granted permissions in your environment to execute the tasks which are
configured as part of the configuration wizard.
Real World: If permissions inheritance is blocked somewhere in your domain tree, you must manually set
the permissions on the organizational unit that has inheritance disabled. If inheritance is blocked again at
lower levels, you must repeat this step for each OU that does not automatically inherit permissions.
Note: To install the AD FS and WAP servers remotely, the target servers must have Remote Management
(WinRM) enabled. Additionally, if the WAP server(s) is/are an untrusted, non-domain joined computer, you
must add the target host to the list of trusted hosts on the machine that is used to run the configuration
wizard. For more information, review this Microsoft article.
Page 287
In addition to the above options, the custom installation also enables you to configure the following
capabilities:
• Object Filtering. Object filtering enables you to select what objects are synchronized to Azure AD.
The different filtering options are explained in Object Filtering later.
• Multi-Forest synchronization. You can add multiple on-premises domains to synchronize to Azure
AD. For each domain, Azure AD Connect creates a new connector. You can also specify how objects
are matched between the various domains. This is particularly useful when accounts are represented
in more than a single forest. This would for example be the case in a resource forest scenario: users
are represented once in the accounts forest, and a second time with a disabled account in the
resource forest.
Staging Mode
In the last step of the Azure AD Connect configuration process, you can configure directory synchronization in
Staging Mode. If enabled, staging mode will prevent the directory synchronization tool from writing
(exporting) data to either Azure AD or the on-premises AD. All the read-only matching and data collection
steps are still performed but nothing will be written either to Azure AD or the on-premises AD. This can be
particularly useful in two scenarios: when performing a swing upgrade from one version of Azure AD Connect
to another or when you want to have a second directory synchronization server configured as a warm
standby, ready to take over in case the primary server experiences an extended outage.
One can argue if a real need exists for a highly available directory synchronization setup. By default, directory
synchronization happens every 30 minutes. If an Azure AD Connect outage lasts less than that time span,
there is little to no noticeable impact. Who and what functionality is impacted depends on the features
enabled in Azure AD Connect. For instance, if you have password hash synchronization enabled, no password
changes will be synchronized to Azure AD during the outage. The longer the outage takes, the more calls the
helpdesk will get about passwords or other user attributes being out of sync. Password writeback will also fail
to work if Azure AD Connect is unavailable since it requires a real-time communication channel with Azure AD
Connect.
If the Azure AD Connect server cannot be recovered, the simple solution is to deploy a new server. The
installation of Azure AD Connect, not including the time to build a new server from scratch, only takes a few
minutes. However, depending on the size of your organization, the initial synchronization can take several
hours (or much longer for very large organizations). The more objects that are synchronized, the longer it
takes. Depending on the situation, the time to wait for the initial synchronization to complete might no longer
be a viable option.
Staging mode allows you to have a second (or even third or fourth) synchronization server running in parallel
with the active instance. In case you need to activate the second server, all you must do on the staging server
is rerun the setup wizard to disable staging mode. At the next synchronization, the second server will now
start functioning as the “real” Azure AD Connect server, writing changes to both Azure AD and the on-
premises environment. Because the synchronization server has been running in parallel with the active
instance, but not previously writing changes, it will pick up synchronization where the formerly active server
left off.
The only caveat to this approach is that you must make sure that no two synchronization servers are active at
the same time, as this can yield unexpected results. With exception of the sync scheduler configuration (which
is stored in Azure AD), the configuration of both synchronization servers must be kept identical, manually. This
means that any custom synchronization rules that are configured on the primary synchronization server must
also be applied to the second server to keep them consistent.
Page 288
The staging mode option is also used during a swing migration. It allows you to install a second server and
verify that it is configured correctly by monitoring the synchronization process. Once the second server is
setup correctly, you can disable the legacy synchronization server and disable staging mode on the new
server. Finally, you can install a new staging mode server.
If you have a large Azure AD tenant and an in-place upgrade of the Azure AD Connect server will trigger a full
synchronization, you can also begin by upgrading the staging mode server. Once the staging server upgrade
is complete, you can place the legacy Azure AD Connect server in staging mode and activate the upgraded
server. Finally, upgrade the version of Azure AD Connect on the legacy server.
Object Filtering
Except for some system accounts, the default mode of directory synchronization will synchronize every user,
group, and contact in your on-premises AD to the cloud. Although having the accounts in Azure AD will not
cost you money (since no licenses are consumed), some organizations do not want to have unnecessary
objects in Azure. This leads to the requirement to control which objects are synchronized and which objects
Page 289
are excluded. While filtering can be used for this purpose, it is important to consider the tradeoff of added
complexity when you customize Azure AD Connect.
If the added complexity is acceptable, four methods can be used to apply filtering to your directory
synchronization:
• Domain-based – in a multi-domain forest you can select which domains should be synchronized with
Azure AD. This is common in scenarios where all the users, contacts, and groups are in a single
“account” domain within the forest. In this situation, it is more efficient to only synchronize this
domain, and ignore other resource domains.
• Organizational Unit (OU)-based – this allows you to specify which OUs contain objects that will be
synchronized to Azure AD. This method of filtering is a straightforward way to enable a slow, phased
approach to directory synchronization, in which objects are moved in small batches into an OU that is
in scope for directory synchronization.
• Attribute-based – this approach allows you to specify which object attributes (for example, the
department attribute for users) should be used to determine which objects synchronize to Azure AD.
Attribute-based filtering can be applied using either inbound or outbound synchronization rules.
Inbound rules are generally recommended as these will be preserved in an upgrade of Azure AD
Connect, while outbound rules will be overwritten during upgrades.
• Group-based – this allows you to specify a group in the local AD. Only member objects of this group
are synchronized to Azure AD. This option is only available when performing a custom installation of
Azure AD Connect. Note that you can only configure group-based whilst first running the setup
wizard. Once you’ve completed the setup, you cannot reconfigure group-based filtering using the
wizard anymore.
Detailed steps to apply each type of filtering in Azure AD Connect are available on Microsoft's website. The
filtering options covered here are only available if you choose a custom installation. If you implement filtering,
understand that you are potentially changing the way users interact with on-premises recipients. This could be
the case in a hybrid deployment where you decide to only synchronize user objects with an Exchange Online
mailbox. Microsoft 365 users may not see most or all the on-premises mailboxes in the GAL.
Real World: If filtering is enabled, you must tread carefully with moving on-premises objects in AD. For
instance, if you excluded an OU from synchronizing to Azure AD, every object moved into that OU will not
be synchronized to Azure AD. If an object which was previously synchronized with Azure AD is moved to
that OU, it will automatically be deleted in Azure AD at the next synchronization interval.
Page 290
3. Preview the rule on a single object. You do not have to do this, of course, but it’s an excellent idea. Fix
any errors you find and verify that the target object is modified in the way that you expect.
4. Run a Full Synchronization. Fix any errors that you find and check a selection of objects to verify that
the rule did what you thought it would.
5. Re-enable the synchronization scheduler.
You can access the history of synchronization rule changes using the Get-ADSyncRuleAudit cmdlet (introduced
in version 1.6.2.4 of Azure AD Connect).
AllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval :
NextSyncCyclePolicyType : Initial
NextSyncCycleStartTimeInUTC : 2/28/2019 4:47:40 PM
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : False
MaintenanceEnabled : False
StagingModeEnabled : False
Page 291
Forcing Synchronization
The default synchronization interval is 30 minutes. However, sometimes you might need to manually trigger a
synchronization sooner, for example if an urgent change needs to be synchronized.
To start a new delta synchronization cycle, run this PowerShell command on the Azure AD Connect server:
[PS] C:\> Start-ADSyncSyncCycle –PolicyType Delta
If you need to trigger a full synchronization, replace Delta with Initial in the command shown above.
The change in how the synchronization service handles UPN updates for managed (synchronized) accounts
does not apply to accounts that are part of a federated domain. These accounts automatically handle UPN
updates without any administrator intervention.
$pwSyncSettings = New-Object
Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter
"Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$pwSyncSettings.Value = 1
$onPremCon.GlobalParameters.Remove($pwSyncSettings.Name)
$onPremCon.GlobalParameters.Add($pwSyncSettings)
Page 292
After completing these commands, you should see multiple events with ID 650 in the Application event log.
Each of these events indicates a batch of users whose passwords are being synchronized to Azure AD.
Monitoring Synchronization
Once directory synchronization has been setup and the initial synchronization completes the synchronization
process will be run again every 30 minutes. The history of synchronization attempts is called the “run history”
and is stored in the SQL Server database used by the tool. Monitoring the run history is an effective way to
keep track of your directory synchronization deployment. The run history is exposed through the
Synchronization Service Manager tool on the Azure AD Connect server, which provides the administrative
interface for managing the tool. If you have Azure AD Premium, you can also check Azure AD Connect Health
in the Azure portal for a more in-depth view of the status of your Azure AD Connect servers.
If you want more detail, you can always use the Synchronization Service Manager, which exposes far more
controls than an administrator typically needs. You should always use caution when viewing information in
this tool. A good rule to stick to is “look but don’t touch”, unless you are making a supported change using a
Microsoft documented procedure. The Synchronization Service Manager is found on the Start Menu. After the
tool is open, you can see the run history from the Operations tab (Figure 9-3).
Multiple entries are logged for each synchronization cycle. Depending on the number of domains and
whether you are running a hybrid deployment or not, you will see different entries per cycle. Each step within
a synchronization cycle has its own status that shows the overall result of the step. Of course, "success" is
what you are hoping to see, but often other statuses like "completed-export-errors" can be observed too.
Those are the type of events you look for to start troubleshooting.
Page 293
Monitoring Azure AD Connect, AD FS, and AD DS with Azure AD
Connect Health
Azure AD Connect Health is a solution for monitoring Azure AD Connect that also allows tenants to monitor
federation servers (AD FS) and AD domain controllers (AD DS). The agent that uploads diagnostic information
to Azure is automatically installed with Azure AD Connect. As a result, no other configuration is required to
start using the service. The analytics and monitoring information collected by Azure AD Connect Health for
AD FS and AD DS is detailed and often exceeds what other off-the-shelf monitoring systems can provide.
From the health dashboard, the administrator can navigate through different widgets that give insights into
various aspects of the synchronization process, like detailed information about the latest synchronization
attempts, connection latency, the number of synchronized objects, and synchronization errors. If needed, the
administrator can also configure notifications so that an email is sent for all detected problems. Even if you
already have a monitoring platform for AD FS or AD DS, we recommend that you strongly consider whether
deploying Azure AD Connect Health will add additional value. It never hurts to have more information than
less!
Note that you must have at least one Azure AD Premium license to access the dashboard shown in Figure 9-4.
If you have more than one Azure AD Connect server or other servers monitored by Azure AD Connect Health,
you must have an additional 25 Azure AD Premium licenses per monitored server. Microsoft documents this
licensing model in their FAQ for Azure AD Connect Health.
Page 294
Upgrading Azure AD Connect
New versions of Azure AD Connect are released as new features are added, and bugs are fixed. The in-place
upgrade is the easiest way to upgrade. After launching the installer, Azure AD Connect will detect that it is
already installed and offer you to upgrade to the latest version. While the upgrade process will preserve most
customizations, we recommend that you:
• Make as few customizations to the synchronization service and synchronization rules as possible
• Export your custom synchronization rules using the Synchronization Rules Editor before running any
upgrade
• Document all other customizations so that you can reapply them after an upgrade
Synchronization is disabled during the upgrade, which usually takes anywhere between 10 to 30 minutes
depending on the size of the existing metaverse. During the upgrade process, you cannot make any
configuration changes. The credentials that you must specify to connect to Azure AD and the on-premises AD
must match with what was used before.
Some upgrades to Azure AD Connect may require a full synchronization to be performed. In a large
environment, this process can take a long time to complete. To prevent extended outages, consider
leveraging a staging mode server to perform the upgrade process.
It is important to stay current with Azure AD Connect updates. Microsoft generally supports Azure AD
Connect versions for a year after their release. From March 2024, Microsoft requires customers to run a
version newer than 1.1.751.0.
The cmdlet can return three values: Enabled, Disabled or Suspended. Both Enabled and Disabled clearly show
their meaning. Suspended means that the system determined that it is no longer eligible for automatic
upgrades. For instance, this is the case when Azure AD Connect was reconfigured with custom settings.
If your system is enabled for automatic upgrades, but you do not want to automatically install new versions,
you can run the following command to manually disable it:
[PS] C:\> Set-AdSyncAutoUpgrade –AutoUpgradeState Disabled
Real World: Even when automatic upgrade is enabled, you might not see the latest version installed. This
is because Microsoft also must enable customers for automatic upgrade in the service. It might take a
Page 295
while before all customers have been enabled for automatic updates (in the service). Until then, you can
still upgrade manually.
Page 296
Chapter 10: The Hybrid
Configuration Wizard
A fundamental part of creating a hybrid Exchange connection with Office 365 is running the Hybrid
Configuration Wizard. However, before you can do so you must carefully consider the implications of a hybrid
connection and configure the necessary prerequisites, all of which is covered in Chapter 4 of this book.
Once you have successfully configured all prerequisites, you are ready to run the Hybrid Configuration Wizard.
Note that when running the wizard for the first time, the steps you will have to go through might be a little
different from when you run it for a second or third time. This is mainly because some aspects of the Hybrid
Configuration, like the federation trust with Azure AD Authentication System, only need to be configured once
and never change afterwards.
Some situations will prevent you to successfully run the HCW and force you to revert to PowerShell first. For
instance, if an Exchange server which was previously part of the hybrid configuration is uninstalled without
being removed from the hybrid configuration first, the HVW will display an error message and not let you
continue before you corrected the situation. To do so, you must manually remove the server from the existing
hybrid configuration using the following PowerShell command:
[PS] C:\> Set-HybridConfiguration –ReceivingTransportServers @{Remove="Server1"}
The following steps describe how to step through the HCW for the first time. Even though the HCW is a web-
based wizard, you should run it from an Exchange server because some components need local interaction
with the server.
Real World. The sources of the Hybrid Configuration Wizard are downloaded from
https://mshrcstorageprod.blob.core.windows.net/o365exchangehybrid/. If you have a locked down
environment or if Internet Explorer's Enhanced Security is enabled, you will not be able to run the applets
unless you add an exception to Internet Explorer's safe sites for this hostname.
Another issue for automatic configuration is that it requires the wizard to be run from an Exchange server.
Although most administrators will likely do this anyway, the EAC could be run from any workstation/server
in the organization.
Page 297
At this point, the latest HCW code is downloaded. You will be prompted to install the wizard, and you must
click Install to continue. Depending on your connection, this might take anywhere between a few seconds to
a few minutes.
After downloading the latest bits and initializing its applets, the HCW will automatically start. The first page in
the wizard is the Welcome page. This page serves no purpose other than to announce that the wizard is about
to start and to give some information about what the wizard does in the form of TechNet links. Click next.
Server Detection
The first real stage in wizard processing is server detection. Unlike earlier versions of the wizard, which
connect to a server based on the existing Remote PowerShell connection, you can now determine from which
server you want to run the wizard. Typically, this is the server you are using to run the HCW from. On this
page (Figure 10-1), you can also select what version of Office 365 you use. Today, there are several options
ranging from Office 365 Worldwide, to various sovereign or government versions of Office 365 like China,
Germany (the sovereign German “Black Forest” region), or GCC. The different versions of Office 365 exist to
meet specific regional requirements. For instance, if you select 21Vianet, the federation trust is not configured.
Click next to continue.
Page 298
appear right under the email address of the Office 365 account you have used. However, it will not prevent
you from stepping forward in the wizard itself. Click next to continue.
Licensing a Hybrid Server: From July 2018 on, the HCW is able to obtain and assign a license
automatically for the on-premises hybrid server. A new Detect the optimal Exchange server step performs a
license check on the target server and will license the server if needed. If you choose not to license the
target server, you must choose another server before HCW can proceed.
Cutover or Hybrid
Depending on the size of your organization, you might be presented with a web page stating that Microsoft
does not believe that creating a hybrid connection is the right option for you (Figure 10-3). If you don’t agree
with this assessment, skip this step. While there is no arbitrary number to depict if and when to use a hybrid
connection, it is true that for very small environments other (migration) options might be a better fit. To
continue, check the check box next to I understand that a Hybrid Configuration and then click next.
Page 299
Figure 10-3: The cutover choice
Page 300
Figure 10-4: Domain ownership
Real World. While verifying domain ownership, the wizard must obtain federation information for the on-
premises organization. As part of this process, the wizard uses Autodiscover to discover that information.
Sometimes, Autodiscover is not configured correctly for the internal organization and caused previous
versions of the wizard to fail. In an attempt to minimize failures during that process, the wizard now
automatically attempts to launch an external DNS query by connecting to an DNS server whenever it detects
a problem with the internal Autodiscover process. The wizard then tries to connect to the external
Autodiscover endpoint and, hopefully, acquires the required information to proceed. Of course, if
Autodiscover is broken both internally and externally, this will not help.
Page 302
Figure 10-5: Configuring Hybrid Features
Mail Routing
On the following page, you select the options for mail routing. The default value is to only configure selected
Client Access and Mailbox servers. However, you can opt to include the configuration of Edge Transport
servers as well as to enable centralized mail transport (Figure 10-6). Click next.
Page 303
Figure 10-6: Configuring mail transport
Next, you select the Exchange Servers for which the HCW will configure Receive Connectors. Using the drop-
down menu, you can select one or more servers (Figure 10-7) and then click next.
Page 304
Figure 10-7: Selecting Exchange servers for the receive connector configuration
The next page (Send Connector Configuration) is similar to the previous one, albeit that you now select the
servers for which the HCW will create a Send Connector (Figure 10-8). Note that you can only select servers
that run either Exchange 2013 or Exchange 2016. Click next to continue.
Page 305
Figure 10-8: Send connector configuration
After you select the servers to include in the hybrid configuration, you must select the appropriate transport
certificate. On the Transport Certificate selection page, the wizard allows you to pick the correct certificate
from a pre-populated list. The list of available certificates (Figure 10-9) only includes certificates that are
present on all selected servers and have successfully been installed and configured for the SMTP service on
those servers. If the wizard cannot find a certificate that matches these criteria, a warning is displayed a valid
certificate could not be found. You cannot move forward until you correct the issue. Once you have selected
the correct certificate (mail.office365lab.be in this example), click next.
Page 306
Figure 10-9: Selecting a certificate to secure mail transport
Organization
On the Organization FQDN page, you must enter the endpoint which connects to the on-premises internet-
facing Exchange Servers (Figure 10-10). The endpoint is used for sending and receiving mail to and from
Office 365, and will also be configured as the first migration endpoint for mailbox moves. For example, enter
hybrid.domain.com if your public namespace pointing to your on-premises Exchange servers is
hybrid.domain.com. Then, click next.
As part of the features selected for HCW, you can choose to transfer some organization configuration settings
from the on-premises organization to Exchange Online. This is a one-time, one-way transfer of mailbox
retention policies and retention tags, ActiveSync and mobile device policies, and OWA mailbox policies. The
intention is to make sure that Exchange Online uses the same settings as the on-premises organization.
However, the HCW will only create objects inside Exchange Online if those objects do not already exist. No
synchronization of the settings occurs after the transfer, so if settings change on one side or the other, you
will have to decide whether to replicate the change to the other platform.
Page 307
Figure 10-10: Entering the organization FQDN
Page 308
Figure 10-11: Ready to create the hybrid configuration
After all input has been gathered, the Hybrid Configuration Engine makes the necessary configuration
changes. As part of the process, the engine collects information about the existing environments by executing
a set of PowerShell cmdlets, very much like how an administrator would do it manually. The gathered
information contains details on items such as Accepted Domains, Current Organization Configuration and
Organization Relationships.
When the wizard detects the configuration of your environment, it uses the ADPropertiesOnly switch to gather
EWS Virtual Directory information. This makes the process significantly faster. In previous versions, this
process would sometimes take over 8 hours to complete in large environments and cause the wizard to time
out as a result. The problem was caused by how the Get-WebServicesVirtualDirectory cmdlet queries
information from a remote server. Without the ADPropertiesOnly switch, the cmdlet requests the data from
the IIS metabase on the remote server, resulting into delays that can span multiple minutes per server.
Once the engine finishes collecting the information, it determines the difference between the existing- and
requested configuration. If there is a difference, which is the case if you run the wizard for the first time or
when you make configuration changes, the engine continues to update the environment's configuration.
First, the service domain is added as a Remote and Accepted Domain to the on-premises environment.
Typically, the service domain will have the format of tenantname.mail.onmicrosoft.com. In addition, the wizard
also adds the tenant name (tenant.onmicrosoft.com) as a Remote Domain to the environment.
Next, the engine modifies the default Email Address policy to include the service domain, so that all recipients
in the organization get stamped with the additional proxy address that matches the service domain. This is
required to ensure mail flow continues after mailboxes are moved to or from Office 365. To ensure that
existing objects are also stamped, the Email Address policy is re-applied to all recipients.
Page 309
Real World. When the email address policy is updated, the wizard uses the UpdateSecondaryAddressesOnly
switch to ensure that no primary email address is changed, and only a new proxyAddresses is added. The
configuration engine updates the default email address policy assuming that it is applied to each recipient
in the organization, and that each recipient is configured to automatically update email addresses based on
an email address policy. In many environments, the check box used when setting mailbox properties to
automatically update addresses is unchecked and email addresses are added manually on an as-needed
basis. Before you can move a mailbox to Exchange Online, it must be stamped with a proxy address based
on the service domain and the changes must be synchronized to Office 365. The solution is to either add
the proxy address manually or to re-enable automatic updating of the recipients.
After the wizard completes, you can use the following PowerShell code to verify if a recipient was stamped
correctly:
[PS] C:\> Get-Mailbox smorris | Select -ExpandProperty EmailAddresses | Format-Table
SmtpAddress,Prefix,IsPrimaryAddress -AutoSize
After recipient configuration, the wizard creates the Organization Relationships between both environments.
The Organization Relationships underpin the Exchange Federation capabilities (such as exchanging Free/Busy
information) and exist in both the on-premises Exchange organization and Office 365. In both environments,
the objects in are named similarly: On-Premises to O365 - <GUID> and O365 to On-Premises - <GUID>.
The GUID that is used in the Organization Relationships stems from the Organizational GUID of the on-
premises organization and can be queried using the following cmdlet in the on-premises organization:
[PS] C:\> Get-OrganizationConfig | Select guid
Guid
----
5b394b2f-8d59-4df4-8eb4-a784111a2fe4
After the Organization Relationships have been created, the engine will also configure an Availability Address
space. Although the address space is not used in a native Exchange 2010, Exchange 2013, Exchange 2016, or
mixed Exchange 2010/2013/2016 environments, it is added in case a legacy Exchange 2007 server still exists.
Of course, this would only apply to Exchange 2010 or 2013 as Exchange 2016 cannot be installed in an
Exchange 2007 organization. Adding the availability address space ensures that requests for Free/Busy
information originating from an Exchange 2007 mailbox are proxied through an Exchange 2010 or 2013
server.
Lastly, the wizard makes the necessary configuration changes with regards to mail flow by making the
following changes in the on-premises Exchange organization:
• A new send connector by the name of Outbound to Office 365. The connector is configured to Force
TLS encryption (-RequireTLS: $true) and updated with the certificate information from the Hybrid
Configuration Wizard.
• The Default Receive Connector is modified to enforce TLS for hybrid mail flow and ensure that SMTP
headers from Exchange Online are maintained by setting the AcceptCloudServicesMail attribute to
$true
Page 310
• A new Inbound Connector named Inbound from <GUID> to which the certificate information of the
on-premises organization is added so that only connections coming from the on-premises
organization are accepted.
• A new Outbound Connector named Outbound to <GUID>. If no centralized mail flow is selected, the
connector will be scoped to the accepted domains selected in the Hybrid Configuration Wizard only.
In a centralized mail flow, the scope includes all internal and external domains and is depicted by a
wildcard. The connector also includes smart host and certificate information which was entered in the
Wizard. The latter is used to ensure that mail is encrypted and only sent to the on-premises Exchange
servers.
The Hybrid Configuration wizard also configures OAUTH if it detects only Exchange 2013 and Exchange 2016
servers are present in the environment. There is no need to run a separate OAUTH wizard, as it used to be the
case before. If you still have older Exchange servers in the environment, like Exchange 2007 or Exchange 2010,
the wizard will not configure OAUTH. It is up to the administrator to complete those steps manually
afterwards.
As part of the OAUTH configuration, an Intra-Organization Connector is created in both the on-premises
environment and Exchange Online. These connectors work in a similar way as the Organization Relationships.
In addition to the connectors, there are several other elements are configured too. If the OAuth configuration
wizard fails to successfully configure OAUTH, it automatically disables the Intra-Organization Connectors and
notifies you of the problem. This is to ensure that the environment is not configured with a corrupt OAUTH
configuration as this can cause all sorts of issues.
Completing Configuration
Once the wizard has configured both environments, you see a page to confirm the wizard ran successfully.. If
the process was able to complete, but could not perform one or more non-critical actions, you might see a
page similar to Figure 10-12. In this case, the HCW was unable to communicate with the on-premises
Autodiscover endpoint, which prevented it to update some properties on the Organization Relationship in
Office 365. In order not to fail the entire process, the HCW used an autodiscover endpoint which is based on
the domain name(s) included in the hybrid configuration. If you specified multiple domain names, the
autodiscover endpoint for the domain designated as the Autodiscover domain is used.
Page 311
Figure 10-12: The wizard completes
At this point you completed your hybrid configuration and you can continue testing various features such as
secure mail flow or moving mailboxes to Office 365.
Page 312
Unfortunately, the new agent does not solve all challenges. Today, the agent can only connect from Office 365
to your on-premises servers and it is limited to HTTPS-traffic only (used for Free/Busy lookups and hybrid
mailbox moves). Messages still have to flow either directly from Exchange Online to your on-premises
Transport Servers or – depending on your topology - Edge Transport servers. Over time, Microsoft will
expand the functionality of the hybrid agent and also include other workloads such as mail flow or perhaps
even a solution to remove the last Exchange servers from the on-premises environment after you have moved
all mailboxes to Exchange Online.
Once the new agent is available, customers that still need to setup a hybrid connection can choose which
architecture they would like to use. Customers that already have deployed a hybrid connection do not need to
upgrade as the new agent will bring them little value, if at all.
Real World. When you decide to trial the modern hybrid topology, you may want to deploy additional
agents. To do so, you should re-run the HCW, and select a different Exchange Server during the initial steps
of the wizard. This will allow you to repeat the above process and install the agent on that particular server.
Page 313
Chapter 11: Active Directory
Federation Services
This chapter gives information about how to configure Active Directory Configuration Services. It should be
read in conjunction with Chapter 3 of the main book.
Real world: In August 2018, the team at Okta (which, coincidentally, makes a product which competes with
AD FS) identified a security vulnerability in AD FS when used with MFA. An attacker who can capture one
user’s password and MFA authentication code can use the same MFA code as a second factor when
logging in as any other user in the organization. Microsoft patched it quickly (see the relevant KB articles),
and because the patch is included in the monthly security rollup, anyone who’s regularly patching their AD
FS servers will get the patch. The specific vulnerability here sounds horrifying but in practice is not quite as
bad as press reports make out. An attacker who wants to compromise Alice’s account using this
vulnerability must have the user name and password for Alice’s account and the user name, password, and
MFA code for Bob’s account. While this is certainly possible, it is fairly unlikely.
Page 314
Configuring AD FS
The following example assumes that you use a Windows Server 2016 machine. You can enable the built-in AD
FS role using the Server Manager UI or through PowerShell:
[PS] C:\> Install-WindowsFeature ADFS-Federation
After restarting the server, you can launch the AD FS configuration wizard (Figure 11-1) from Server Manager.
The wizard will guide you through a series of steps and questions to configure the server.
Page 315
As explained before, you can create some resilience for the AD FS deployment by configuring multiple servers
in a single farm. A load balancing solution such as Windows Network Load Balancing or an external load
balancer must be in place to distribute incoming requests across the different servers in the farm. Microsoft
recommends the deployment of at least two federation servers for redundancy. A single AD FS server can
handle the connections created by approximately 15,000 users. Beyond that, you should add servers into the
farm to increase capacity up to the expected workload. Of course, these are just arbitrary numbers. If you
want to properly size your AD FS environment, use Microsoft’s ADFS Capacity Planning Guide for AD FS 2.0.
The advice also applies to more recent versions of AD FS.
If Windows Integrated Authentication is enabled, the web page might automatically sign you in (SSO) and not
display the authentication form. Note that once you confirm that AD FS works as expected, you should
probably disable the feature again. The only reason to leave it enabled is if you want to use AD FS to provide
SSO for third-party applications that allow users to initiate sign in from their pages. For example, you can
configure Amazon Web Services, BambooHR, or the Roadmunk or Aha! product planning tools in this mode.
If you can successfully authenticate, it means the AD FS servers can successfully talk to Active Directory,
validate user credentials, and produce valid authentication tokens. At this point, however, you cannot accept
logon request from Office 365. For that, you must first configure a trust relationship with Office 365 so that
the service knows where to send logon request, and your AD FS farm is willing to accept them.
Running the Convert-MsolDomainToFederated cmdlet should result in a message that the domain was
updated successfully. Note that running this command requires the use of the 'legacy' Azure AD PowerShell
Page 316
module. This is because the newer version (using the *-AzureAD* prefixes) does not support this functionality
yet.
Note: To test federated authentication, you must have at least one user from your on-premises directory
synchronized with Azure AD and the synchronized user's UPN suffix must match the federated domain.
Alternatively, you can use Microsoft's Remote Connectivity Analyzer, which includes a section specifically
created to test authentication to Office 365 through federation servers. The test can be found under the Office
365-tab and is called Office 365 Single Sign-On test. To check if and for which domains federation has been
enabled, you can look at the Domains section in the Office 365 portal, or connect to Azure AD PowerShell and
run the following command:
[PS] C:\> Get-AzureADDomain | ?{$_.AuthenticationType -eq "Federated"}
Page 317
Name AvailabilityStatus AuthenticationType
---- ------------------ ------------------
Office365itpros.com Federated
To get a list of all federated identities (users who will authenticate through the federation solution), run the
following commands. Note that these commands might take a while to complete in larger environments:
[PS] C:\> $federatedDomains = Get-AzureADDomain | ?{$_.AuthenticationType -eq "Federated"}
[PS] C:\> foreach($domain in $federatedDomains){ Get-AzureADUser | ?{$_.UserPrincipalName –like
"*@"+$($domain.Name)} | Select DisplayName,UserPrincipalName}
DisplayName UserPrincipalName
----------- -----------------
Tony Redmond tredmond@office365itpros.com
Paul Cunningham pcunningham@office365itpros.com
Michael Van Horenbeeck mvanhorenbeeck@office365itpros.com
Federating Sub-domains
Sometimes a customer might want to enable federation only for some of its users. This is common in the
education market, where a large university might have 50,000 or more student accounts in Office 365, but
where it is undesirable to have those students leverage federation because it could generate a heavy load on
their AD FS infrastructure. Another scenario is when an organization seeks to segregate control over domain
authentication. Controlling the authentication per subdomain allows you to specify a different AD FS endpoint
for each domain. For example, federation requests for europe.domain.com can be controlled by an AD FS
server farm in Europe while requests for us.domain.com are handled by a server farm in the US.
When a domain is federated, all its sub-domains are automatically federated with it. However, it is possible to
selectively enable federated authentication for sub-domains by executing the following steps in order:
1. Register the child domain(s) in the Office 365 tenant
2. Register parent domain in the Office 365 tenant
3. Configure authentication per (sub-)domain
It is crucial that you register the child domains before registering the parent domain. If your tenant already
has domains configured, you can use the following PowerShell command connected to Azure AD to
determine if a sub-domain was added before or after the parent domain:
PS C:\> Get-MsolDomain -DomainName childdomain.parent.com | Format-List *
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
Authentication : Federated
Capabilities : None
IsDefault : False
IsInitial : False
Name : childdomain.parent.com
RootDomain : parent.com
Status : Verified
VerificationMethod : DnsRecord
If the RootDomain property points to a parent domain, it means that the child domain and parent domain are
linked. As such, if you modify the authentication type for the parent domain, it automatically changes for the
child domain as well. Unfortunately, there is no uncomplicated way to switch to the scenario where you can
control the child domain separately from the parent domain. If you find yourself in that situation, you should
open a ticket with Microsoft support and seek their help. If the RootDomain property is empty, you can
control the authentication type of the parent and child domain separately. To convert the authentication type
for one or more subdomains, without affecting the parent domain or vice-versa, you must use the
SupportMultipleDomain switch when executing the Convert-MsolDomainToFederated cmdlet as illustrated
below:
Page 318
PS C:\> Convert-MsolDomainToFederated -DomainName childdomain.parent.com -SupportMultipleDomain
Successfully updated 'child1.parent.com' domain
The above approach works perfectly if you only have a single domain tree, like child.domain1.com,
child2.domain1.com, child3.domain1.com etc. In larger, more complex, environments where use multiple
domain trees are used, things become a little trickier if you want to use the same AD FS infrastructure for all
domains; in some conditions authentication will fail as soon as you add another domain that belongs to a
different domain tree.
Next, all other servers in the farm must be reconfigured to now synchronize from the new primary federation
server:
[PS] C:\> Set-AdfsSyncProperties –Role SecondaryComputer
–PrimaryComputerName <FQDN of primary federation server>
Page 319
a. Stop the AD FS Windows service on the primary AD FS server.
b. Use the SQL Management Tools to connect to the Windows Internal Database and detach the
AD FS databases.
c. Copy the database files to the SQL server and attach the databases. Before you do so, ensure
that the AD FS service account has a login on the SQL server.
d. Grant the AD FS service account appropriate permissions to the recently-attached AD FS
databases.
e. Point the AD FS server farm to the SQL database instead of the WID, and then restart the AD
FS service on the primary federation server.
f. Stop the AD FS Windows service on secondary federation servers in the farm and update the
AD FS properties to point to the SQL database, one by one. On each server, restart the AD FS
Windows service.
AD FS proxy servers
Another component to consider deploying is the AD FS Proxy server or alternatively, for AD FS in Windows
Server 2012 R2 and later, the Web Application Proxy (WAP). Although AD FS proxy servers aren't required, it is
highly recommended to deploy them to increase security of the AD FS deployment and unlock additional
features. Like the AD FS servers, you can deploy one or more proxy servers in a load balanced proxy server
farm for redundancy. That farm is then configured to connect to the internal AD FS farm.
A good reason to deploy proxy servers is to avoid exposing the AD FS servers directly to the Internet. The AD
FS proxy server does not have to be a domain-joined server, so it acts as a barrier between clients and the AD
FS servers. The proxy accepts token requests from users and then passes the information securely to the
internal AD FS servers; if the authentication succeeds. For this reason, proxies are frequently deployed in a
perimeter network. It also receives tokens from the internal AD FS servers and passes them back to the user.
Deploying a proxy does not change how AD FS works or the hostname that is used to publish the farm onto
the Internet. However, it does allow additional functionality, such as making a distinction between
authentication requests coming from inside or outside the organization's network.
In Windows Server 2008, 2008 R2 and 2012, the AD FS proxy came as part of the additional AD FS 2.0
download. In Windows Server 2012 R2 and later, Microsoft replaced the dedicated AD FS Proxy server role
with the Web Application Proxy, which is part of the Remote Access service. Some load balancer vendors
such as F5 or Citrix offer alternatives for the AD FS Proxy servers. Instead of deploying additional Windows
Servers, a service within their solution can take on the function of the AD FS Proxy. Of course, it is always a
clever idea to check with Microsoft if the solution you are considering is supported or not.
The process to deploy an AD FS Proxy Server or Web Application Proxy is very similar to how a regular AD FS
server is deployed. The following example guides you through the setup of a Web Application Proxy on
Windows Server 2016. The Web Application Proxy Role Service is part of the Remote Access Server Role and
can be installed using the Server Manager UI or through PowerShell:
[PS] C:\> Install-WindowsFeature web-application-proxy
In addition to the Web Application Proxy, it is recommended that you also install the Remote Access
Management Tools to provide access to the Web Application Proxy wizard. After the tools have successfully
been installed, but before running the Web Application Proxy Wizard, you must import the communications
certificate on the server. This certificate is selected in the wizard and is used to secure communications with
clients. The certificate should, at the very least, include the hostname of the federation endpoint. For instance,
Page 320
adfs.office365itpros.com. When the certificate is imported, open the Remote Access Management Console
and click on Web Application Proxy in the navigation pane. Then click, Run the Web Application Proxy
Configuration Wizard from the results pane and follow the steps on screen:
1. Welcome: informs you that you are about to installe a Web Application Proxy.
2. Federation Server: requires you to enter the federation service name and credentials for an account
that is a local administrator on the federation servers. This account is only used to create the AD FS
Proxy trust with the federation servers.
3. AD FS Proxy Certificate: here you specify the SSL certificate which the Web Application Proxy server
should use to secure communications (HTTPS). The certificate must be issued by a public, trusted
Certification Authority and the subject name of the certificate must match the host name that will be
used to publish the AD FS farm onto the Internet.
If the wizard completed successfully, you should be able to observe a series of events in the AD FS Admin
Event log. First an event ID 391 will be logged, indicating that a trust was successfully established with the
federation service, followed by an event 245, and 252 denoting that the Web Application Proxy was able to
retrieve and update its endpoint information. Finally, an Event ID 198 indicates the federation proxy started
successfully.
Extranet Lockout
Because the Web Application Proxy role allows you to differentiate internal from external access, you can also
benefit from the built-in extranet lockout policy, which further hardens your deployment. The feature
functions as a protection against brute force guesses, but also as a barrier against DDOS attacks.
This feature is a little misnamed. When the maximum number of failed logon attempts is reached, the account
itself isn’t locked out; instead, the AD FS server will stop processing authentication attempts for that account
for the duration specified. This choice was intentional to avoid blocking the user from accessing resources
internally.
By default, the extranet lockout policy is disabled, and it can only be enabled through PowerShell using the
Set-ADFSProperties cmdlet. When configuring the extranet lockout policy, the following options are available:
• ExtranetLockoutThreshold: this parameter defines the maximum number of failed logons before an
account is temporarily locked out.
• ExtranetObservationWindow: this value serves multiple purposes. It defines the time span during
which the AD FS servers keep track of failed logons and also defines how long federation servers will
stop processing requests for the affected account once the maximum number of failed logons has
been reached.
In the following PowerShell example, the extranet lockout feature is enabled, and the threshold for failed
logon attempts is set to 10 failed attempts in 20 minutes:
[PS] C:\> Set-AdfsProperties –EnableExtranetLockout $true
–ExtraNetLockoutThreshold 10 –ExtranetObservationWindow (New-Timespan –Minutes 20)
Page 322
connect through a VPN, if the IP address they’re issued is on the corporate network, they’ll still be able to log
in to services where the claims rule grants access based on being on the corporate network.
Different claim rules and conditions can be used to create a set of Authorization rules that allow or deny
access. To help achieve this purpose, a Microsoft article describes how to prevent access to Office 365 for
external connections.
AD FS and Modern Authentication. Some limitations still apply when using Modern Authentication. For
instance, if you want to restrict access to Office 365 based on the client’s location, or you need to restrict
access to a certain type of applications, it is worth reading through your options here.
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a
federation server farm, restart the service on every server in the farm.
AD FS auditing
By default, older AD FS versions don’t keep track of successful and failed authentication attempts. Yet, this
information can be extremely useful for a variety of reasons. If not for general reporting purposes, it allows
you to keep track of failed authentication and, thus, detect potentially suspicious activity. Most reporting
solutions for AD FS plug in on top of the built-in auditing capabilities. As a best practice, enabling auditing
from the start gives you a history you can work with. To enable auditing, you must first configure the AD FS
farm to log successful and failed authentication attempts. The easiest way is to use PowerShell to apply the
change to one of the AD FS servers in the farm:
[PS] C:\> Set-AdfsProperties -LogLevel $((Get-AdfsProperties).LogLevel
+ "SuccessAudits" + "FailureAudits")
To confirm that the additional events are logged, use the following command and verify that both
SuccessAudits and FailureAudits are shown:
[PS] C:\> Get-ADFSProperties | Select –ExpandProperty LogLevel
Errors
FailureAudits
Information
Verbose
SuccessAudits
Warnings
Next, edit the local security policy on the AD FS servers to allow auditing. This can either be done locally on
each of the federation servers, or through Group Policy. Using the Group Policy Management Console, or local
Page 323
Policy editor, navigate to the following setting: Computer Configuration > Windows Settings > Security
Settings > Local Policies > Audit Policy. There, change the Audit object access to include Success and
Failure. Alternatively, you can also modify the local security policy on each federation server using the
following command. Note that, depending on your Group Policy configuration, these settings might be
overwritten at the next Group Policy refresh:
[PS] C:\> auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
The command was successfully executed.
Once auditing has been enabled, the federation servers will start logging additional information in the
Security event log of the federation servers. Each authentication attempt (successful or failed) is accompanied
by several events. For successful authentications, Events with ID 299 and 500 are most interesting. The most
useful information for failed authentications is provided in events with ID 4625.
Troubleshooting AD FS authentication
One of Murphy's laws says that when something can go wrong, it will. Although one can only hope it never
happens, the chances are that sooner or later you are faced with a problem in the AD FS infrastructure.
Depending on the problem, the solution might be simple and straightforward. For instance, a server goes
down because of a hardware issue, or because an underlying dependency failed.
However, when the federation servers are working properly, but the actual authentication fails,
troubleshooting is a lot tougher, especially when you’re using Office 365. This is mainly because you do not
have control over the entire authentication process. Large pieces of the puzzle are hosted and managed by
Microsoft, and you have no visibility into their infrastructure. As such, it is harder to identify the issue, or to
know whether the issues is due to a problem at Microsoft's end, or your federation servers.
In order to troubleshoot some of these issues, you might need to trace an authentication attempt in order to
figure out what exactly is happening to the request. For this, you will need to enable AD FS Debug Logging
first. To enable debug logging, open the Event Viewer on a federation server, click View and select Show
Analytic and Debug logs. In the crimson channel, under the Applications and Services Logs a new folder
called AD FS Tracing will appear. In that folder, there is a Debug event log. By default, this log is disabled. To
start logging, right click the log and select Enable Log. Once the log is enabled, the federation server will start
spawning a ton, mostly informational, events for each authentication. Each of these events contain a piece of
the authentication puzzle and might reveal information such as the values of (some of) the claims passed
through claims pipeline.
Real World. Because of the multitude of events that are generated for each authentication attempt it is
quite difficult to filter out relevant information from the noise. If you have multiple federation servers, it is
easier to (temporarily) single out a federation server for troubleshooting purposes. That way, you can force
only specific authentications to go through the server you have enabled tracing on. Another way to quickly
search for information in the AD FS Tracing log is to use the Activity ID. The is a unique ID which identifies
the authentication attempt and by extension all events associated with it. Typically, the Activity ID is
displayed on screen when the failure happens.
Page 324
Synchronization is not automatic and can take up to two hours to complete. During that time, and depending
on the size of your organization, some users might be able to authenticate, others might not. During all my
testing, I've seen the process complete in under a few minutes. However, those test environments were all
limited in size. Your mileage may vary!
When AD FS is still available, switching from AD FS to password synchronization is done by issuing the
Convert-MsolDomainToStandard cmdlet while connected to Azure AD. This will update both Azure Active
Directory and the AD FS server farm. However, in case of an AD FS outage the on-premises AD FS server farm
cannot be updated, and you should use the Set-MsolDomainAuthentication cmdlet instead. This will only
update Azure AD and removes the need for AD FS to be available. When performing the switch, you do not
explicitly configure password synchronization; instead you are (temporarily) "un-federating" your domain so
that it uses Microsoft's authentication system again. If password synchronization was setup previously, it is
used automatically after the next synchronization by AAD Connect. If you have not yet setup Password
Synchronization, all your users will be assigned a new password in Office 365.
Real World. As a best practice, it is recommended to configure password synchronization, even if you are
using AD FS for SSO. Imagine having to distribute new passwords to users in a large environment when
they don’t have access to email. Wouldn’t it be much easier if they could continue to use their existing
password instead?
While you can depend on different tools, it is better to make sure that your AD FS infrastructure is solid and
highly available. This ensures that users have always access to Office 365-based services, even when a single
AD FS server is experiencing issues. For instance, Microsoft Azure can be used to extend the on-premises AD
FS deployment. Instead of using a second datacenter, the on-premises network can be extended into Azure
where additional AD FS servers are deployed. This hybrid approach is ideal for organizations who do not have
access to a second datacenter but need site resiliency.
The newly-created claim will ensure Office 365 gets the following additional information:
• The exact time when the password expires
• The number of days remaining before the password expires
• The endpoint (URL) where the password can be changed
Before the latter can work, you must first enable AD FS to allow password changes. This is explained in the
next section.
Page 325
Enabling password updates through AD FS
AD FS in Windows Server 2012 R2 and later versions support updating expired passwords, but by default the
feature is disabled. The ability to update an expired password is not the same as a password reset. The latter is
something that the user can do at any given time, while updating an expired password only happens when it
is expired. Resetting passwords is typically done by an administrator or the users themselves through a
password reset portal like the Azure Self-Service Password Reset portal. If you have configured password
writeback, the password can also be changed (reset) in the on-premises directory. To enable the ability to
update an expired password, you must complete the following two steps. If you do not want unregistered
devices to have to option to update passwords, you can skip the first step.
To enable the feature, you must enable the AD FS endpoint used for password updates. Do this by running
the following PowerShell command on one of the federation servers. Afterwards, you should restart the AD FS
Windows services on each of the federation servers in the farm.
[PS] C:\> Enable-AdfsEndpoint "/adfs/portal/updatepassword/"
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a
federation server farm, restart the service on every server in the farm.
If you have deployed Web Application Proxies, you should also run the following command before restarting
the AD FS windows service on each federation server. Once the feature is successfully enabled, users will be
prompted to change their password through the AD FS portal.
[PS] C:\> Set-AdfsEndpoint "/adfs/portal/updatepassword/" –Proxy $True
When enabled, and upon the first authentication, the client receives a cookie which is valid for 24 hours. This
cookie enables the client to login across multiple browsers and sessions for as long as the cookie is valid. After
24 hours, the user must re-authenticate. Without the feature enabled, the authentication cookie is only valid
for the active session.
Page 326
Chapter 12: Delve
On its introduction in 2015, Delve was one of the more interesting Office 365 applications. Some will consider
it essential because of Delve’s ability to find information stored in OneDrive for Business and SharePoint
Online sites and attachments in Exchange Online mailboxes, while others think of Delve as an overrated but
pretty search utility. Like any application, the value you extract depends on how you use the software.
Today, Delve is less interesting. Microsoft Search has got better, more tools are available to help users
organize and process information, and to a certain degree, Microsoft appears to have lost interest. However,
Delve was the first application to use the Office Graph and it is still available today, so it deserves a little
respect.
Mastering Information
The sheer quantity of data accessed by humans has exploded in the last decade. We receive more messages
than ever before, have access to more web sites and pages, and electronic documents have largely replaced
paper equivalents as the basis for most business communications. At the same time, it has not become any
easier for people working within large companies to understand what knowledge existed within the company.
A case perhaps of not being able to see the forest because all the trees got in the way.
When you think about it, an Office 365 tenant is nothing more than a huge data mart with people adding
more data to the mountain every day by creating Word documents, OneNote notebooks, Excel worksheets,
PowerPoint presentations, and other files and storing those files in SharePoint document libraries or
circulating them as attachments to other people within their company. Perhaps valuable information is
glimpsed once and then forgotten in the flood of new data generated daily. It is reasonably common to find
that people know about something but have forgotten where to find the exact information when they need it.
And project teams will work on information in splendid isolation from similar efforts undertaken by other
teams in the same company, perhaps even in the same building. The aim of Delve is to help users master the
information that already exists within their company by exposing information to people who have access to
knowledge but might not know that it exists.
Which brings us to Delve, defined by Microsoft Principal Engineer Alex Pope as “the primary profile experience
and destination for Office 365. Delve helps you contextualize, discover and refind Office 365 content about a
person.”
In other words, Delve makes sense of the data inside Office 365 tenants to make it personal and valuable to
an individual. Delve delivers on this commitment by using signals and information gathered inside the Graph.
Page 327
Microsoft bought Yammer in 2012. When Microsoft integrated Yammer into their operations, they looked at
how to expand the “signals” consumed by the Enterprise Graph to make sense of the actions taken by people
working with the Office applications to better understand the flow of information that occurs between
individuals. These actions include pieces of work like documents and messages, how sharing occurs between
people and groups, who has worked on what document and when, who sends messages to someone else,
access to documents in SharePoint sites, the instant messages sent by Skype for Business Online, who attends
meetings and when meetings occur, and so on. This work resulted in the Office Graph, which Microsoft
announced at the SharePoint conference in early 2014. Subsequently, Microsoft introduced the Microsoft
Graph as a unified programming interface to multiple forms of information including Office 365, Azure Active
Directory, and Windows.
The Graph holds information about Office 365 objects (like users and documents) and the relationship that
exists between them (such as Tony has shared Document A with Paul), The data are stored as nodes and
edges in a graph index (Figure 12-1). Users and documents are nodes and actions such as sharing and
updating documents are edges. Interactions can be private (for instance, you create a document but do not
share it with anyone) or shared (you then share the document with a team via OneDrive for Business). Sharing
is obviously an important signal, but so are other actions like whom someone converses or meets with on a
regular basis. The Graph captures signals for these interactions as people use Exchange Online, SharePoint
Online, and other applications. The signals form the nodes and graphs and connect the dots in a way that
makes sense. That sounds simple, but it takes a huge amount of CPU power and sophisticated machine
learning algorithms to process and make any sense of the data. The data held in the Graph is then consumed
by applications using the Graph Query Language (GQL) and the Microsoft Graph API.
Page 328
• The Active Content Cache: Provides access to active nodes and edges that are used by applications
like Delve for functionality such as “trending around you” or Office 365 Groups to suggest groups to a
user that they might like to join.
• The Input Router: Responsible for notifying internal and external components of changes made the
graph data stored for a tenant.
To keep computation close to the source data, components running within each workload perform analytic
calculations and then push the resulting data to the tenant graph. The data in the tenant graph then becomes
the input for tenant-wide calculations. For example, Exchange Online has information about the people that
users communicate with in mailbox recipient caches. This data is an important input to calculate whom is
important to a user and makes up a set of known edges for the user’s graph. Exchange Online collates the
data and then pushes it to the tenant graph where it joins information gathered from SharePoint, Skype for
Business, and other workloads to build up a complete picture of a user’s activity within Office 365.
Microsoft exploits the Graph in many places within Office 365. For instance, any time you see a reference to
“trending data” inside Office 365, you can bet that the Graph is the source of authority for that information.
Because the Graph gathers signals about how people generate and share information between each other
and understands the organizational relationships that exist within a company, algorithms can figure out
whether a document, video, group, or other object might be of interest to a user. Features like Discover View
in OneDrive for Business, the way that Office 365 Groups suggests new groups a user might like to join, and
information about trending videos in the Office 365 Video Portal are all based on feeds from the Graph.
Figure 12-2 illustrates another example of the Graph in use. In this case, the People Cards used to display
personal information about Office 365 accounts. Contacts are fleshed out with data to show details of how
and when the user interacted with different individuals. As you can see, the information held in the Graph also
spans external recipients and guest accounts as well as tenant users.
Page 329
The more interaction someone has with Office 365 applications, the more data about their activities is
available in the Graph and the easier it becomes to distinguish important work from merely interesting
activities. In the same way, the more interaction occurs between users within a tenant, specifically in terms of
sharing or common work, the easier it is to understand the paths of collaboration between teams and
individuals within the company. Someone who only stores their work on their personal PC will generate
relatively few signals for the Graph (email attachments sent to that person will generate some), so their
experience of using Delve will be much less complete than someone who uses OneDrive for Business and
SharePoint team sites to share documents with their team.
Page 330
of other users to find whether new and interesting information is available. Because Delve knows what is
interesting to you, it has a role in breaking down silos that occur deliberately or by accident by exposing
information to you if your access allows you to see it.
Delve appears as an app in the Office 365 app launcher, and users can access it through a web browser or one
of the Delve apps. Delve is one of the "next generation" portals built inside Office 365 that Microsoft hopes
will allow users to make better use of information. The Office 365 Video portal is another. These portals both
have a tight connection to the Graph. In some ways, the role of Delve is to be the "search and discover" facility
for Office 365. Many people who work in large organizations will say that huge amounts of information are
available to them, if only they could find what they are looking for. Delve shows users the files that they have
worked on most recently, which is a great help in keeping track of things. Two other functions help too. First,
Delve’s uses the Search Foundation to find information, which makes Delve the easiest way to search across
SharePoint and OneDrive sites, including those that are on-premises (the SharePoint hybrid search capability
allows the sharing of metadata from on-premises servers with online services, thus exposing those items to
Delve). Second, humans often remember the person who shared some information with them rather than the
exact details of the shared information that. Delve allows you to navigate to that person’s profile and explore
what they have been working on. If that person has shared something with you, Delve will show it to you.
Delve never extracts content (like the text of a document) from the repositories where data exists. In Instead,
Delve presents users with a view (the cards) onto information that might be of interest together with links to
connect to the information. Delve calculates the files shown under a user’s “Activity” by the actions taken by
that user (such as the files they store in OneDrive) and whom they share information with through access to
SharePoint libraries, as well as explicit sharing of items stored in OneDrive for Business libraries, and Exchange
Online email attachments. The people with whom an individual user works can be figured out by observing
the interactions between users, the sites they share, the email traffic between them, and the meetings they
attend. The information held by the Graph gradually decays over time, so the decisions reached based on its
contents reflect the current state rather an historical trends and interests.
Delve is available to all Office 365 tenants with enterprise plans (E1 to E5 and their academic or government
equivalent). Delve is not available to tenants that use the standalone SharePoint Online plans.
Page 331
Figure 12-3: Enabling access to the Graph
Page 332
shown are those whom the user has interacted with recently based on signals such as email, meetings, or
document sharing. Photos might be missing for some of the users, which is a sign that they have not updated
their profile by uploading a photo.
Apart from the links described above, the navigation pane has two other kinds of navigation to help users to
get to data quickly. The “People” link lists other people whom Delve considers the user to work with closely
(based on the signals gathered in the Graph). Only users within the tenant show up here. Clicking on the link
for a person brings you to their Delve page and displays their profile and documents on which they have been
working. However, only documents that the user has permission to see are surfaced here. The second
navigation aid is a set of links to Delve boards. You can think of a board as a tag that you can add to
documents to form a collection of documents that have the same tag. We will discuss how to create and use
boards shortly.
Page 333
Delve Search
A major benefit of Delve is its ability to search Office 365 for relevant data, especially documents. Of course,
like anything else in Delve, if users do not store information in places where Delve can find it, nothing will ever
turn up. It is quite common to meet this situation at the start of Office 365 projects where the first focus is
often to move on-premises mailboxes to the cloud and nothing happens to convince users that they should
be using SharePoint Online and OneDrive to store business documents (including the document libraries used
with Office 365 Groups and Teams) instead of the file shares or personal storage.
The Search Foundation is very important to Delve because Delve depends on its content indexes to find
information. The Search Foundation began life as technology obtained through the acquisition of Fast Search
and Transfer ASA (FAST) in 2008. The Search Foundation updates the content indexes for data created
through applications like Exchange and SharePoint (the on-premises versions of these products use the same
technology) and the content indexes are available for use by any Office 365 application.
The Search Foundation content indexes come from the content in documents and messages. Usually,
searching against the content indexes is efficient and usually very effective in terms of the results returned.
However, users can dramatically increase the chances of finding a specific document if they take the time to
update document properties like title, tags, and comments to include likely search terms. For instance,
including “personal dashboard” as a tag for the document file for this chapter might make it easier to find the
file. Unfortunately, users are not good at populating document properties and the names given to files are
often strange, misleading, or quixotic, so finding files can often be a challenge.
Indexing does not happen at once when a user adds a document to a library or updates an existing file, and it
can take a little while before a new item appears in Delve. Not all content that you expect might show up
within Delve, but there is usually a good reason why not. For example, if no one has accessed a document in
the last three months, it is unlikely to be an item of immediate interest to someone and therefore will not
appear. In addition, Delve only supports Word, PowerPoint, Excel, Notebooks, and PDF files as well as video
files uploaded to the Office 365 Video portal. Anything outside these boundaries does not appear in Delve,
including common types such as Microsoft Project plans.
Possibly because users find it more difficult to find documents as tenants accumulate more information in
OneDrive for Business and SharePoint Online sites, Microsoft rolled out “intelligence-powered search” in
February 2017 as part of the transition to a new version of Delve. At the time, Microsoft said that the content
indexes for Office 365 grow 10% month over month. We can interpret this to mean that more people use
OneDrive for Business and SharePoint Online sites to store documents instead of local drives. This is exactly
the kind of mindset change that you want to see if you want to maximize the use of Office 365, including
search. However, the downside is that the swelling volume of unstructured and ill-organized data can make it
even more difficult for users to find information. It is a classic example of looking for a needle in a haystack.
To solve the problem of how to find the right information among so much data, Delve combines the raw
content indexes with intelligence derived from the Microsoft Graph to generate more precise and focused
search results. Instead of returning results that match input queries, Delve filters the results to extract
information that is most relevant to users. Delve takes factors such as who created documents, the site
holding the documents, and your relationship to those people and sites into account when presenting search
results. The idea is that you should see the most relevant information first followed by less relevant content as
the search progresses.
Searches start when a user types some characters into the search box as Delve begins to evaluate search
terms and presents information as the search returns results. Figure 12-5 shows what you can expect to see. In
this case, we enter “Office 365” as the search term. The response highlights a mailbox, some documents, and
two boards. The Graph heavily influences the results shown here, so the documents listed are usually the most
Page 334
recent matching items the user has accessed. This makes sense because in many instances, users are
interested in recent work.
Page 335
Figure 12-6: Delve search results
The integration of Graph into Delve search delivers more precise results than the earlier implementation.
Intelligent search does not mean that users can continue to add rubbish to Office 365 and expect Delve to
make sense of what people dump into SharePoint or OneDrive. Paying attention to document titles,
properties and tags is still critical to search precision and the ability of users to find documents quickly and
easily.
Page 336
make sense to update that property in the Delve profile. On the other hand, the user owns their Home Phone
and is therefore writeable. The same logic holds true for the Office and Office Location properties, where the
latter serves as a user-friendly guide to the location of someone in a building (for instance, “behind the large
plants on the 2nd floor”).
Tenants can define custom properties and make them available in user profiles. However, a critical point to
understand is that all writeable properties only update SPODS (the directory used by SharePoint Online) and
changes to these properties do not synchronize back to Azure Active Directory. The Delve profile also allows
users to enter some information about themselves (Figure 12-7). This information divides into:
• About Me: A free-text personal description.
• Projects.
• Skills and expertise.
• Schools and education.
• Interest and hobbies.
Delve does not apply any checks to any of the information input and it is entirely up to the user what they
choose to include. All the information entered here is visible to other users when they view the contact details
for the user.
Content cards
Delve show information to users through content cards. You can’t control the appearance of these cards or
what information they show. As you can see from the left-hand side of Error! Not a valid bookmark self-
Page 337
reference., a content card gives some added context for the user to understand whether the object
represented by the card is interesting to them. If present, a graphic extracted from the item is used to
highlight content along with the author name and picture. If several graphics are available in an item, Delve
selects the best graphic based on resolution. The author picture is from their Delve user profile, which coms
from the photo data in their Azure Active Directory account. The name of the item used in the card comes
from information inside the file, such as a Heading 1 title used in a Word document or the title used for the
first slide in a PowerPoint deck. Information about the item's location is also provided (for instance, the name
of a SharePoint library or a OneDrive for Business site that holds a document), together with a visual sign to
show if the item is associated with any boards. In this case, we see the number 1 beside the boards icon, so
we know that the document is tagged for a single board. The “titbit” or hint at the top of the card tells the
user why Delve is showing them this information. It could be that someone has recently updated a document
or that some of your colleagues have worked on a document.
Delve Boards
Beneath the navigation links in the left-hand side of Delve’s interface, you might see entries for some
"Boards", which are an easy and convenient way for users to mark items as being of interest for some reason.
Put another way, boards allow users to assemble collections of items that belong together, no matter where
they are stored and managed within Office 365. The collection might be temporary, as in the case when a
Page 338
board is used to focus attention on items of interest for a certain meeting, or have a more permanent nature,
as when a board is used to tag all the items accumulated during a long-running project. Boards also allow
users to reuse and build upon information, as in the case when you create a board for a new project and
incorporate items from other boards to serve as the basis for discussion.
Figure 12-9 illustrates a practical example of boards in use. We can see a set of boards in the left-hand
navigation pane, including those that I use to organize documents associated with projects such as my blogs,
travel arrangements, and presentations. Clicking a board reveals all the files associated with that board and so
allows a board to become a fast shortcut to the files that belong to a specific project or area of interest. In this
case, the board reveals the set of documents containing the text for blog articles. A link to a board can be
emailed (with the Send a link choice) to tell fellow workers about the information tagged in the board. When
the recipient uses the link, Delve reveals all the documents in the board that their permissions allow them to
see (some items might be restricted).
Page 339
whatever name they like. Boards are created by users and there is no administrator intervention to control the
boards that are used or to create boards on behalf of a user. A board assigned to an item by a user becomes
an attribute of the item and is visible to other users. When you add an item to a board, you can click the
board name to find all the other items tagged with that board name. Users can tag an item with many
different boards to reflect the way that users categorize and organize their information.
Board curation: Delve does not include any features to allow users to manage the boards that they create
or for administrators to later fix any problems that might be introduced by users (like spelling mistakes) or
to impose a taxonomy for cards across the tenant. Microsoft said that they might address this need by
listing the boards created by a user in their profile and allow boards to be created, renamed, or removed
there. Although a common request from administrators, especially those dealing with large tenants,
Microsoft has given no sign whether it will be possible to exercise administrative control over boards.
When you add an item to a board or create a new board, Delve automatically adds you to the list of followers
for the board. Following a board is a way of gaining quick access to the contents of the board as a list of the
most recent followed boards always appears in the left-hand navigation pane. Clicking Favorites in the
navigation pane will bring to you a page where all your favorite boards and documents are listed. To find
boards that have been created previously, start typing in the Search box. Delve will list individual documents
that match your query along with boards whose name matches the query.
If you’re not interested in following a board or want to free up space for a board that you think is more
important, you can use Remove from Favorites (available when viewing the contents of a board). Conversely,
if you find a board that seems interesting, you can use Add to Favorites to start following it.
Anyone can remove an item from a board by hovering over board name on the item’s card and clicking the X.
This removes the selected item from all boards. Removing an item from a board does not happen at once for
all users as the change takes time to ripple across the system.
Above the set of boards, you see a listing of other users (from the same tenant) that the Graph believes to be
of interest because they have had some interaction with the user, perhaps as an email attachment or through
common membership of a document library. Clicking a user’s avatar navigates to that person’s Delve
dashboard and reveals information that they have worked on that you can access. Another tile on the
dashboard lists documents that others “working around” that person own that might be of interest. Again,
you won’t see anything here unless you are allowed access to the information. The Graph acquires
information about new users from Azure Active Directory daily, so it might take a little time before a new user
shows up in this list, but they will if they share information with you.
Page 340
the permissions assigned to a document by its owner and enormous care is taken to ensure that access is
controlled by the security settings managed within applications. For example, you won't see an attached
document unless you received that attachment in email or you won't be able to see a document in a
SharePoint library unless your Office 365 account has permission to access that library. Today, only users with
Office 365 credentials for your tenant can use Delve, so there's no chance that someone outside your tenant
can use Delve to gain unauthorized access to information
The impersonation question: SharePoint Online supports the ability to write code that executes in the
context of another user’s identity (impersonation). When code that uses impersonation processes
documents in libraries, the Graph notes this fact but registers the name of the person running the code
rather than the impersonated user as the account that last processed the document. This can lead to
interesting results in Delve where someone appears to become a hyperactive user and the people who
apparently accessed documents do not show up at all.
Delve never presents information to a user if they cannot see that content. However, it is possible that people
will see information through Delve that the authors might prefer not to share. This is through no fault of the
application. Instead, it underlines the importance of setting and updating appropriate permissions on
document libraries and other sources of information so that they can be properly harvested by the Graph.
Because Delve only ever shows a user information they can see, if you visit a co-worker’s page (click on one of
the people listed in your page), the cards revealed by Delve belong to files that you can access rather than the
complete set of information available to the other user. You do not see all the documents belonging to your
co-worker nor do you see cards that Delve considers relevant for them. The search query executed by Delve
when you navigate to the other user’s page takes your credentials into account when it calculates what cards
to display.
Some unverified reports claim that Delve has revealed documents to someone when they should not have
been able to access the information. Invariably, the root cause of these incidents proves to be permissions set
on the document or the hosting site in such a way that the user can view the content. Delve always trims the
results shown in its views to remove items blocked from a user by inadequate permissions. As Delve becomes
better known within an organization, perhaps it will be a catalyst for a review for how administrators secure
SharePoint Online sites through permissions plus the accounts that can grant administrative access to site
collections.
Real World – Administrator permissions and Delve: tenant administrators are usually administrators of
SharePoint site collections. As such, these accounts have access to all documents stored in all sites. If these
accounts are used by administrators for their day-to-day work, Delve will surface information to them
drawn from sites across the tenant. Although Delve will filter this information to only present items
deemed to be relevant to the user, a high likelihood exists that some confidential data will eventually
appear. Again, Delve is only following the rules – these accounts have access to the information through
their site collection administrator status, so it is OK to show the user any file in the site collection. For this
reason, it is best to ask administrators to only log in and use highly permissioned and privileged accounts
when they need to perform administrative operations and to use lower-permissioned personal accounts to
work with Office 365 applications.
Page 341
because someone has explicitly shared a file with them. Even so, a user who works with confidential
information might be happier if they can block any possible disclosure through inadvertent exposure through
Delve. For instance, those working on a document describing a new salary structure for the company might
well prefer the existence of that document to remain a tightly guarded secret until the time comes to reveal
the new structure to employees.
To prevent Delve showing their documents to other members of the tenant, users can disable document
sharing. To do this, go to the cogwheel menu (Figure 12-10), and move the Documents slider from On (the
default) to Off. This does not disable document permissions that are in place. These permissions stay in place,
and users can access documents through normal sharing mechanisms or through their access to a document
library. All the slider does is control the ability of Delve and OneDrive for Business to show documents to
other users if algorithms running against the Graph decide that those documents are “of interest” based to
those users. The set of Delve options includes MyAnalytics. You will see a different screen if your tenant does
not have the necessary licenses for this application.
Page 342
In addition to users selectively disabling sharing of their documents through Delve, administrators of
SharePoint sites can place a filter over what the documents the site reveals to Delve. You might have
situations where complete document libraries or specific documents have content that you want to remain
invisible except when accessed through the document library. As explained by Microsoft in an online post (or
this post for an independent view on the topic) , a site column can be created to allow users to set a managed
property called HideFromDelve to mark documents so that they never show up in Delve, including in the
author’s view of their documents. Marked documents are still indexed and discoverable by searches. They also
remain visible to applications that query the Graph.
It is good to be able to control document sharing activity on a user-by-user basis, but this does not satisfy
some customers who wish to control the gathering of signals by the Graph and limit the collection of the wide
range of signals to track how people interact with Office 365. This data can be interrogated by applications,
like Delve, via the Microsoft Graph API. Some have voiced concern that the Graph gathers too many signals
about user activity and some customers have requested Microsoft to allow organizations to control the type
of signals gathered for a tenant. A smaller and less comprehensive set of signals might lead to poorer
determinations of relevant information for applications like Delve to show to users, but the belief is that this is
an acceptable compromise to take when personal privacy is involved. Microsoft has not said whether they will
deliver a method to customize the signals gathered by the Graph for a tenant, so the question is still open.
Using Graph APIs: The Microsoft Graph API and the Graph Query Language (GQL) are available for third-
party developers to access the contents of the Graph. You can get information about developing against
the Microsoft Graph online.
And here’s an example of content from the Export list of relevant documents.
{"Title": "Project Kazaa", "Address": "https://office365itpros-
my.sharepoint.com/personal/kim_akers_office365itpros_com/Documents/Learning%20from%20massive%20scale
.docx", "ReasonForTrending": "{\"ActorAadId\":\"d36b323a-32c3-4ca5-a4a5-
2f7b4fbef31c\",\"Email\":\"kim.akers@office365itpros.com\",\"Name\":\"Kim
Akers\",\"ModifiedTime\":\"2018-12-05T21:44:34+00:00\"}", "Rank": 8 },
Page 343
Delve and Exchange Online
When Microsoft first made Delve available, only documents stored in SharePoint Online and OneDrive for
Business were exposed to users. The ability to see and search for documents proved the usefulness of Delve
and has been expanded over time to include other types of files like videos, but the fact remains that a great
deal of information circulates as email attachments in all sizes of companies. A fair case can be made that
attaching a file to a message was the first rudimentary form of sharing and that it is still the easiest and most
common way for users to share information with their colleagues today. Tenants using Teams probably find
that fewer attachments circulate in email because more files are shared in team channels, but for most of us,
email attachments are a quick and convenient way to share information with others, which is why Delve tries
to expose interesting information found in attachments stored in the user’s mailbox.
Delve's support for Exchange Online is based on the signals collected in the Graph. Some recent messages
that have attachments are displayed in the document view in the Home page. Not all messages with
attachments appear because Delve applies the same tests for relevancy to decide what should appear. In
effect, Delve is filtering your Inbox (for this is the only folder from which messages are selected) to figure out
what messages are most important to you taking all the signals gathered by the Graph into account. You
might be surprised at the choice made by Delve, but that's part of the delight of Delve as it might unearth
something important that you had completely overlooked as you processed the Inbox.
Page 344
• Reply and Reply All (including reply all with a meeting request)
• Forward
• Delete
• Mark as Unread
• Print
• Flag
• Assign a retention policy
• Print
• View message details
The card for an email attachment does not offer the ability to add the item to a board. This is by design as
attachments cannot be added to boards. Although it might seem like a good idea to be able to tag an
attachment to a board, attachments exist inside user mailboxes. Attachments are therefore personal and
cannot be shared in the same way as files stored in SharePoint or OneDrive sites.
An Inbox can be quite a dynamic place and if you move a message to another folder (or the message is
moved by the Managed Folder Assistant because of a retention tag) then the data held in the Graph might
not point to its current location, which in turn causes OWA to fail when it tries to display the message and its
attachment. In this past, when people commonly moved items out of the Inbox to other folders, this might
have been more of an issue. Today, when people often leave everything in the Inbox (the “piler” syndrome), it
is not a problem.
Hybrid Delve
Delve and the Graph become increasingly useful as the number of data sources available to them grows.
Microsoft has provided the Graph with the ability to consume signals from on-premises repositories deployed
in hybrid tenants. The Hybrid Cloud Search service is available as an add-on for SharePoint 2013 and is
included in SharePoint 2016 and 2019. The service crawls on-premises content sources and transmits
metadata to SharePoint Online. The on-premises data is incorporated into the search index maintained by
SharePoint Online, which acts as the coordinating authority for searches. Users must connect to SharePoint
Online to search across on-premises and cloud resources. The metadata will also be made available to the
Graph and so be exposed through in Delve. If a user wishes to access an on-premises document that surfaces
in Delve, they are redirected to the on-premises library to access the file from there.
Although hybrid connectivity already exists for Exchange, the hybrid connection is not designed to send
metadata to the Graph. In any case, it would be unreasonable to take the same approach for email
attachments. Only users with cloud-based mailboxes can see attachments in Delve that they have received.
Receiving an attachment is a very personal interaction that cannot be compared to working with documents
in a shared library. The only sharing that has taken place is between the sender and the recipient, which is why
Delve only surfaces email attachments in its personal “Me” view.
In addition, Delve only displays attachments that it considers most relevant to the user. The decision to
display one attachment instead of another is taken based on the totality of the signals held in the Graph. For
instance, an attachment from an external correspondent (even one using an on-premises mailbox in a hybrid
organization) might be totally ignored by Delve while one sent by another person is surfaced. The decision is
driven by the collection of signals held in the Graph so the attachment from the hybrid mailbox is overlooked
because no other signals exist to show its relevance while the other attachment is considered more relevant
because it can be connected to meetings, Skype for Business Online calls, and other signals about a related
project.
Page 345
Chapter 13: Basic Mobile
Management
As workers become more mobile and security risks for corporate data increase, it’s important to consider how
you will manage mobile devices for your organization. Microsoft 365 tenants have a choice of solutions that
can be used for mobile device management (MDM) and mobile application management (MAM). Each of
these solutions has different features available, with different strengths and weaknesses.
Some of the considerations that come into play include which devices and operating systems will need to be
managed, and who will own those devices (BYOD vs corporate). We also need to consider whether non-
Microsoft applications such as SaaS apps or custom business apps need to be managed. Some organizations
can take a single approach to mobility management, while others need to apply different policies and
configurations to different sets of uses. Specific compliance requirements are also important, as some
organizations fall under strict government or industry regulations. In this chapter, we’ll focus on the Exchange
ActiveSync protocol, which is nearly old enough to vote in US elections but is still in wide use.
Note: The current version used in Exchange Online is ActiveSync Version 16.1 First introduced in 2016, this
version introduced a few incremental enhancements to its predecessors, notably a way for administrators
to issue an account-only wipe request to mobile devices, which allows for selective wipe of corporate data
while leaving the personal data on the device intact. Don’t expect to see any further updates or
expansions to the protocol going forward.
EAS has the advantage of being very broadly supported by the two dominant mobile operating systems. A
user with an EAS-capable device can quickly configure the device herself to sync Exchange data. However,
Page 346
since the introduction of Outlook mobile, Microsoft has essentially lost interest in EAS, partly because new
EAS features require the device manufacturers to update their OS and built-in applications to take advantage.
On the other hand, Outlook mobile has steadily been receiving new features, including integration with the
on-device OneDrive client, the ability to sync Exchange contacts to the device through Outlook, and so on. It’s
probably best to think of EAS as the lowest common denominator for mobile Exchange access (and
MDM/MAM) and prioritize supporting Outlook mobile and the other mobile Microsoft 365 applications as
you proceed with your deployment.
Page 347
4. Does the user have a personal exemption that blocks the mobile device?
5. Does the user have a personal exemption that allows the mobile device?
6. Is the device blocked by a matching device access rule?
7. Is the device quarantined by a matching device access rule?
8. Is the device allowed by a matching device access rule?
9. Apply the default access level (allow/block/quarantine) specified in the organization settings.
Page 348
they reset or update their password, because the certificate is used instead of the username and
password.
Certificate-based authentication is fully supported by Azure AD, but not every application and client support
it. Microsoft’s basic statement is that all EAS clients should be able to use certificate-based authentication.
However, this requires that each device have a digital certificate, which means that you need your own
Using certificate-based authentication involves running your own Public Key Infrastructure (PKI) such as Active
Directory Certificate Services or a non-Microsoft PKI product, or purchasing certificates from a public
certification authority (CA). The certificates need to be provisioned to users' mobile devices, often achieved
through a mobile device management solution such as Microsoft Intune. In addition, the CA that issues the
client certificates must have a publicly accessible certificate revocation list (CRL) that Azure can access to
check certificate validity. A federation server, such as AD FS, is also required when certificate-based
authentication is used for Android clients to support certificate revocation. Overall, certificate-based
authentication involves a significant cost and operational overhead, so the decision to use it shouldn't be
taken lightly.
At the most basic level you can prevent a user from authenticating to ActiveSync by disabling or removing
their user account or their mailbox. Of course, disabling a user account is not very helpful if you would like the
user to be able to continue using the account for other access, in which case you can consider implementing
one of the controls that we’ll explore next. For certificate-based authentication scenarios, you can revoke the
client certificate to prevent authentication from the mobile device.
Figure 13-2: Editing the security details of a mobile device mailbox policy
Before you save the changes be aware that any existing mobile device users that are assigned this policy will
not be able to connect if their device does not comply with the new policy settings. Different mobile device
operating systems will have different user experiences for this situation, but most of them will display a
message to the end user that explains what change is needed to be compliant (e.g., setting a passcode on the
device).
Next let’s look at creating a new policy. In the mobile device mailbox policies view click the [+] icon to
create a new policy. In this scenario, the sales team needs to be assigned a more secure policy than the
default policy by requiring a longer password, a shorter device lock timeout, and enabling device wipe for too
many failed sign-in attempts. After creating the new mobile device mailbox policy, you need to assign it to the
mailbox users. Navigate to the recipients list and select a mailbox user to assign the policy to, then click View
details under mobile devices in the right pane. When the Mobile Device Details window opens, click Browse
and choose the mobile device mailbox policy to assign (Figure 13-3).
Page 350
Figure 13-3: Assigning the new policy to a mailbox
Mobile device mailbox polices can also be assigned using the Set-CASMailbox cmdlet.
[PS] C:\> Set-CASMailbox alex.heyne -ActiveSyncMailboxPolicy "Sales Team"
Set-CASMailbox would of course be the best way to assign policies to the members of the sales team—you
wouldn’t want to click through the steps required in EAC for more than a couple of users.
At some point you may find it necessary to change a mailbox user back to the default mobile device mailbox
policy. In that situation it’s natural to think you should just use Set-CASMailbox to assign them to the policy
named “Default” again.
[PS] C:\> Set-CASMailbox James.Ryan -ActiveSyncMailboxPolicy "Default"
Because of a quirk in the way policies are applied, this won’t work. To understand why that is the wrong action
to take compare two mailbox users; one with the default mobile device mailbox policy assigned, and one with
a different policy applied.
[PS] C:\> Get-CASMailbox Kim.Akers | Format-List activesyncmailboxpolicy*
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted: True
The important detail is the ActiveSyncMailboxPolicyIsDefaulted attribute. To set a mailbox user back to the
default policy (not necessarily the policy named “Default”), use Set-CASMailbox to null the
ActiveSyncMailboxPolicy attribute. This reverts the user to the default policy and ensures they will be updated
to any different policy that is later marked as the default.
[PS] C:\> Set-CASMailbox James.Ryan -ActiveSyncMailboxPolicy $null
ActiveSyncMailboxPolicy : Default
ActiveSyncMailboxPolicyIsDefaulted: True
Before you change the default mobile device mailbox policy you just need to be aware that all mailboxes
where the ActiveSyncMailboxPolicyIsDefaulted property is set to True will be re-assigned to the new default
policy, and those set to False will not. To see a list of mailboxes that will not be re-assigned when the default
mailbox policy changes, you can run the following commands to discover the name of the default policy, then
Page 351
filter the results of Get-CASMailbox for those that are assigned that policy but have the
ActiveSyncMailboxPolicyIsDefaulted property set to False.
[PS] C:\>$default = (Get-MobileDeviceMailboxPolicy | Where {$_.IsDefaultPolicy}).Name
Real World: Despite your best efforts to configure mobile device mailbox policies that suit your
organization’s security requirements, you should always be aware that mobile devices and applications can
“lie” to Microsoft 365 and report compliance with policy items such as password complexity even though
they do not meet the policy’s requirements. An example of this was the Outlook for iOS and Android
application, which launched without support for enforcing device PIN/passcode requirements. A later
update to the app added support for these policy items.
Allow/Block Exemptions
In some scenarios an organization may wish to block a specific make, model, or operating system of mobile
devices using a device access rule, but still need to allow some of those specific devices to connect on a case
by case basis.
The unique device ID of a mobile device can be allowed or blocked for a mailbox user, and in doing so this
will take effect before any device access rules are assessed. Personal allow/block exemptions can be seen in
the output of Get-CASMailbox. By default, no device IDs are allowed or blocked.
[PS] C:\> Get-CASMailbox -Identity Kim.Akers | Format-List ActiveSync*DeviceIDs
ActiveSyncAllowedDeviceIDs : {}
ActiveSyncBlockedDeviceIDs : {}
The device ID for a specific mobile device can usually be found within the device operating system, or
sometimes on a label attached to the packaging for the device. If you need to pre-allow or pre-block a device,
you will need to retrieve the device ID before it connects to the user’s mailbox. Otherwise, you can determine
the device ID of any device that is already connected by running the Get-MobileDevice cmdlet.
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List FriendlyName, DeviceID
To allow or block a device ID use the Set-CASMailbox cmdlet. Both the ActiveSyncAllowedDeviceIDs and
ActiveSyncBlockedDeviceIDs are multi-value attributes. This makes it easy for an administrator to accidentally
overwrite existing values when they are trying to add a device ID to either the allow or block list. In this
example, a device ID is added to the allow list using Set-CASMailbox.
[PS] C:\> Set-CASMailbox -Identity Kim.Akers -ActiveSyncAllowedDeviceIDs ApplC39GQ8NNDTDL
ActiveSyncAllowedDeviceIDs: {ApplC39GQ8NNDTDL}
Another device is added to the allow list. As you can see this overwrites the existing value if the attribute is
not updated correctly.
[PS] C:\> Set-CASMailbox -Identity Kim.Akers -ActiveSyncAllowedDeviceIDs 63479921AD27F5AB
Page 352
ActiveSyncAllowedDeviceIDs: {63479921AD27F5AB}
The correct method of updating the allowed or blocked device IDs lists is to use the add or remove methods.
[PS] C:\> Set-CASMailbox -Identity Kim.Akers -ActiveSyncAllowedDeviceIDs @{add='ApplC39GQ8NNDTDL'}
Any mobile device that has been allowed or blocked by an exemption will have a DeviceAccessStateReason of
“Individual”.
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List FriendlyName,DeviceID,*AccessState*
With device access being allowed or blocked via a personal exemption it will ensure that the device is still able
to connect even if a device access rule or the default organization setting is configured to block or quarantine
devices. Although that may sound like a good thing it can sometimes be a problem. For example, if you
decide to block a specific version of iOS due to a bug, and you implement a device access rule to block that
specific version, anyone with a personal exemption for their device will still be able to connect because the
personal exemption takes precedence over the device access rule.
If you already know the specific characteristic upon which you want to base the rule, then you can configure a
device access rule regardless of whether a device matching that characteristic has connected to the server or
not.
Page 353
The query string for the characteristics for device access rules are exact match only. There is no partial match
or wildcard allowed for the query string. This means that if you need to block all versions of iOS below a
certain number, you will need to configure a device access rule for every single possible version number
below the minimum that you wish to apply. The situation with Android devices is even worse, due to the
enormous number of different devices that all have unique device types, models, OS or user agent strings. If
you’re not sure of the exact query string for the characteristic, then you can look at the characteristics of
devices that have already connected to the server using Get-MobileDevice.
[PS] C:\> Get-MobileDevice | Format-List DeviceType, DeviceModel, DeviceOS, DeviceUserAgent
DeviceType : Outlook
DeviceModel : Outlook for iOS and Android
DeviceOS : Outlook for iOS and Android 1.0
DeviceUserAgent: Outlook-iOS-Android/1.0
DeviceType : Android
DeviceModel : Nexus 7
DeviceOS : Android 4.3
DeviceUserAgent: Android/4.4.3-EAS-2.0
DeviceType : Outlook
DeviceModel : Outlook for iOS and Android
DeviceOS : Outlook for iOS and Android 1.0
DeviceUserAgent: Outlook-iOS-Android/1.0
DeviceType : Outlook
DeviceModel : Outlook for iOS and Android
DeviceOS : Outlook for iOS and Android 1.0
DeviceUserAgent: Outlook-iOS-Android/1.0
DeviceType : iPhone
DeviceModel : iPhone4C1
DeviceOS : iOS 9.2.1 13D15
DeviceUserAgent: Apple-iPhone4C1/1202.466
Here is an example of a device access rule to demonstrate how they are configured. This rule will block a
device that has a “Model” of “Outlook for iOS and Android”.
PS C:\> New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and
Android" -AccessLevel Block
Notice that the rule has blocked two matching devices, but one is still allowed because individual exemptions
take precedence over device access rules.
[PS] C:\> Get-MobileDevice | Where {$_.DeviceModel -eq "Outlook for iOS and Android"} |
Format-List deviceaccess*
DeviceAccessState : Blocked
DeviceAccessStateReason: DeviceRule
DeviceAccessControlRule: Outlook for iOS and Android (DeviceModel)
DeviceAccessState : Blocked
DeviceAccessStateReason: DeviceRule
DeviceAccessControlRule: Outlook for iOS and Android (DeviceModel)
DeviceAccessState : Allowed
DeviceAccessStateReason: Individual
DeviceAccessControlRule:
It is a good idea to review existing mobile device associations to see which ones will not be impacted by a
device access rule you are implementing. For example, before adding the device access rule to block “Outlook
for iOS and Android” we can run the following PowerShell command to find all matching devices that are
already allowed by individual exemption.
Page 354
[PS] C:\> Get-MobileDevice -filter {$_.DeviceModel -eq "Outlook for iOS and Android"
-and $_.DeviceAccessStateReason -eq "Individual"}
Device access rules can apply an access level of allow, block, or quarantine. An allow rule can be used to
permit specific device types that are considered “safe” to connect when the default access level of the
organization is restrictive (i.e. when it blocks or quarantines). For example, an organization may choose to
quarantine all devices by default so that they can be reviewed on a case by case basis, but then configure a
device access rule to allow all iPhones because they are pre-approved for connection according to that
organization’s security policies. When a device access rule allows a device to connect it does not add the
device as a personal exemption for the mailbox user, therefore the device will only be allowed until the device
access rule is removed, after which they will be re-assessed according to the allow/block/quarantine workflow.
Block rules behave similarly to allow rules except that they block devices instead of allowing them. Other than
that, there is one notable exception: a block rule will continue to block a device even if that device is later
modified in some way that it doesn’t match the rule’s criteria. For example, this user has an iPhone running
“iOS 9.2.1 13D15”, which is the OS version for an iPhone 6S running iOS 9.2.1.
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List friendlyname, deviceos, deviceaccess*
FriendlyName : iPhone 6s
DeviceOS : iOS 9.2.1 13D15
DeviceAccessState : Allowed
DeviceAccessStateReason: Global
DeviceAccessControlRule:
A device access rule is added to block the device OS “iOS 9.2.1 13D15”.
PS C:\> New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 9.2.1 13D15"
-AccessLevel Block
The device is now blocked by the device access rule. The same block would also apply to any other iPhone 6S
device that was upgraded to that exact OS version.
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List friendlyname, deviceos, deviceaccess*
FriendlyName : iPhone 6s
DeviceOS : iOS 9.2.1 13D15
DeviceAccessState : Blocked
DeviceAccessStateReason: DeviceRule
DeviceAccessControlRule: iOS 9.2.1 13D15 (DeviceOS)
The device owner upgrades the device to a newer version of iOS. The device stays blocked if the device access
rule still exists. In effect this means that a user can’t unblock a device themselves by modifying its
characteristics, such as by upgrading the operating system. However, if the device OS (like Outlook) is blocked
and the user installs a different email application on the device that presents itself as a different DeviceOS,
then that application will not be blocked by the same rule.
If a mobile device has been blocked by a device access rule and you want to allow that device to connect
again without deleting the device access rule, then the solution is to add the device as a personal exemption
for that mailbox user. As discussed earlier this can cause issues at a later stage because once the personal
exemption is in place the device will no longer be impacted by any other device access rule you create.
In some cases, a persistent block is not the desired outcome. Sometimes a mobile device OS is found to have
a security vulnerability, and organizations choose to block that version of the device OS only but want the
devices to be able to connect again after the users upgrade to a later version. In those situations, a device
access rule with a quarantine action is more suitable.
[PS] C:\> New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 9.2.1 13D15"
-AccessLevel Quarantine
Page 355
The above example will quarantine iPhone 6S devices running iOS 8.1.3 only until they upgrade to a later
version. After the OS is upgraded, the device can connect again, without having to delete the device access
rule or add a personal exemption for the device.
DefaultAccessLevel : Allow
The default access level can be set to either allow, block, or quarantine, and these settings have the same
effect as they do for device access rules. One exception is the quarantine setting, which has controls at the
organization level to add some additional text to the quarantine notification email that the mailbox user
receives. This text is useful for providing information to end users about how they should respond to their
mobile device being quarantined. For example, some organizations want the device owners to contact the
help desk by phone to request approval for the device, while others may prefer not to burden the help desk
with those calls and will instead instruct the device owner to visit an intranet page to submit a form
requesting approval.
[PS] C:\> Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
-UserMailInsert "Please visit http://intranet/mobiledevices to accept the mobile device access terms
and conditions and request device approval."
If you are planning to change the default access level for mobile devices that are connecting to your Exchange
Online organization, you should first consider the impact that this will have on the mobile devices that are
already connecting. It would not be a wise move to suddenly block or quarantine hundreds or thousands of
mobile devices, as this will surely cause a sudden influx of help desk calls from confused and angry end users.
Any mobile device that is not being allowed, blocked or quarantine by a personal exemption or device access
rule is controlled by the default access level. These devices will have a DeviceAccessStateReason of “Global”
when you review the output of Get-MobileDevice.
[PS] C:\> Get-MobileDevice | Where {$_.DeviceAccessStateReason -eq "Global"}
The output of that command may be difficult to interpret within a PowerShell console sessions so I
recommend you pipe it to Export-CSV, or run a more comprehensive report such as the Get-
EASDeviceReport.ps1 script, which also shows additional information such as the timestamp of the last mailbox
synchronization attempt by the device.
Page 356
Outlook for iOS and Android 257B371BCF057A09 Outlook for iOS and And
iPhone 6s 4FQI7OF7V143F350CDPJBN9R7C iOS 9.2.1 13D15
PAUL-PC8 B60E81836F754126A509240EEEF5E599 Windows 10.0.10586
An Exchange Online mailbox supports a maximum of 100 mobile device associations. For the average user
that is more than enough, but it is foreseeable that someone who frequently tests different mobile devices
might reach that limit. If 100 device associations already exist and the user attempts to connect a new device
to their mailbox, Exchange Online will first check for any existing mobile device associations that have not
synced in more than 180 days and can therefore be considered inactive. If inactive devices are found, they are
removed from the mailbox. If the attempted removal of inactive device associations reduces the count below
100, then the new device can connect. If necessary, the user can remove mobile devices from their mailbox
using the Mobile devices section of OWA Options (Figure 13-4).
Page 357
ForEach ($Dev in $OutlookDevices) {
$DN = $Dev.DistinguishedName.Split(“,”)[2..10] -join “,”
$Mbx = (Get-Mailbox -Identity $DN)
$Licenses = ($Mbx.PersistedCapabilities -join ";")
$DeviceInfo = (Get-MobileDeviceStatistics -Identity $Dev.DistinguishedName | Select
LastSuccessSync, DeviceUserAgent, DeviceOS, Status, DeviceApplicationPolicyStatus)
$ReportLine = [PSCustomObject]@{
User = $Mbx.DisplayName
Device = $Dev.FriendlyName
UA = $Dev.DeviceUserAgent
DeviceOS = $DeviceInfo.DeviceOS
Status = $DeviceInfo.Status
Operator = $Dev.DeviceMobileOperator
FirstSync = $Dev.FirstSyncTime
LastSync = $DeviceInfo.LastSuccessSync
DeviceAppStatus = $DeviceInfo.DeviceApplicationPolicyStatus
}
$Report.Add($ReportLine)
}
$Report | Sort User, FirstSyncTime | Format-Table User, Device, DeviceOS, LastSync, Operator -
AutoSize
Remote Wipe
Eventually you will meet the situation where someone has lost their mobile device, or an employee leaves the
company under circumstances where there is a concern about corporate data being stored on the device.
ActiveSync provides the capability to perform a remote wipe of mobile devices. However, there are some
caveats with remote wipes that you need to be aware of.
For a remote wipe to be successful the device must connect to Exchange Online after the remote wipe request
has been created. Unfortunately, there are numerous ways in which a lost or stolen device may never contact
the server again:
• the device is not configured for push email, so doesn’t automatically connect to the server.
• mobile and Wi-Fi communications are disabled to prevent connections being made.
• the mobile carrier disables the SIM card.
• the user changes their password in Active Directory.
• the device is blocked by a device access rule.
Originally, an EAS-triggered remote wipe would erase the entire device. This led to many user complaints;
when Microsoft introduced version 16.1 of EAS, they added the ability for the remote wipe command to target
just the data synchronized via EAS. This “selective wipe” ability is a great example of MAM functionality: the
data in the target application can be managed (in this case, removed) without affecting other applications’
data on the device. In addition to the EAS 16.1 applications (such as the built-in Mail and Calendar apps on
iOS), Outlook mobile appears to Exchange as a device itself, unlike the native mail apps that represent the
entire hardware device. Remote wipes for Outlook mobile thus only remove the data from the application, not
the entire hardware device.
In either case, unfortunately remote wipe results are not reliably reported back to the server. No matter
whether the remote wipe request was successful or not, it will often remain in a “pending” state forever, or
until the wipe request is removed. Therefore, you could never know when and if the remote wipe was
Page 358
successful. Think of remote wipe commands as a best-effort attempt to remove data from a device, not a
guarantee of success.
You can test the EAS capabilities of a mailbox by using the Remote Connectivity Analyzer to perform an
Exchange ActiveSync test. In the results, there’s a line called “MS-ASProtocolVersions” which lists the EAS
versions a mailbox supports. For a mailbox where EAS 16.1 has not yet been enabled, the output looks like
this.
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0
For a mailbox where EAS 16.1 is enabled, the output looks like this.
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0,16.1
You can also determine the EAS version in use by querying the mobile devices for a mailbox with the Get-
MobileDevice cmdlet.
PS C:\> Get-MobileDevice -Mailbox "Kim.Akers@office365itpros.com" | Select FriendlyName, DeviceType,
ClientVersion, ClientType
In the example above, the iPad is connecting using the native mail app for iOS and is running iOS 10 which is
the minimum requirement for EAS 16.1 compatibility. So, with all of that in mind, let’s look at the process for
remote wipes.
Warning: EAS remote wipes for older devices (those that don’t support EAS 16.1 or are not using Outlook
mobile) are a destructive process. When a mobile device is connecting using EAS and a native mail
application such as those found on iOS and Android devices, a full remote wipe will remove all data from
the device and return it to its default factory condition. In a BYOD scenario, this could result in the
permanent loss of personal data from the device, such as photos and videos. As there are many third-party
email applications for mobile devices it is possible the applications will not all behave the way you expect
them to, so you should always proceed with caution when dealing with remote wipes.
First, the device owner can initiate their own remote wipe if they want to. This can be performed by logging
into OWA and opening the Options panel. In the Mobile devices section, all the user’s mobile devices will be
visible (Figure 13-4). However, users can only perform full device wipes, not account-only wipes. If a device
owner wants to remove only the corporate data from the personal device, and they still have the device in
their possession, then they can simply remove the accounts from the mobile apps themselves. On the other
hand, if they've lost their personal device, they might consider it worthwhile trying to perform a full device
wipe instead.
For administrators who use the EAC to perform a remote wipe, clicking the Wipe device icon will present the
option to perform an account-only wipe, or a full wipe of the data on the device. After answering Yes to the
confirmation prompt the remote wipe request is created and will have a status of “Wipe pending”. The next
time the device connects the wipe request will be completed, and the user will receive an email notification to
let them know the result.
Page 359
If the device never connects the remote wipe request will remain in place with a “Wipe pending” status
forever. Administrators can initiate remote wipe requests in the EAC, and by using the Clear-MobileDevice
cmdlet. The device Identity attribute is used to identify the device to be wiped. You can retrieve the Identity
attribute of a device using Get-MobileDevice. In the output below, we see that one device is quite old (iPhone
6s) while the other uses the Outlook for iOS mobile client connected via Outlook’s REST protocol rather than
ActiveSync:
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List FriendlyName, Identity
FriendlyName iPhone 6s
Identity Kim.Akers\ExchangeActiveSyncDevices\iPhone§UVEBE4V4K17NT0V1US7QBQIK68
When you issue the remote wipe request with Clear-MobileDevice you can also specify an email address to
receive the notification if the wipe is successful.
[PS] C:\> Clear-MobileDevice Kim.Akers\ExchangeActiveSyncDevices\iPhone§UVEBE4V4K17NT0V1US7QBQIK68
-NotificationEmailAddresses admin@office365itpros.com
To perform an account-only wipe using PowerShell, include the -AccountOnly parameter when using Clear-
MobileDevice. When using PowerShell, even if you choose to perform an account-only wipe, the cmdlet will
present the same warning that all data on the mobile device will be permanently deleted. However, if you try
to issue an account-only wipe for a mobile device associated with a mailbox that hasn't been enabled yet for
EAS 16.1, or if the device itself doesn't support EAS 16.1, you'll receive an error message to that effect. It's
then up to you, your corporate IT policies, and perhaps the device owner themselves, to decide whether the
situation warrants issuing a full device wipe instead.
When a remote wipe request is in a “Wipe pending” status, and before the device is wiped, the request can be
cancelled. Mobile devices with remote wipes pending can be identified using the Get-MobileDeviceStatistics
cmdlet.
[PS] C:\> Get-MobileDevice | Get-MobileDeviceStatistics | Where {$_.Status -eq "DeviceWipePending"}
DeviceType : iPhone
DeviceUserAgent : Apple-iPhone4C1/1204.508
DeviceWipeSentTime :
DeviceWipeRequestTime : 28/03/2015 12:58:59 PM
DeviceWipeAckTime :
DeviceFriendlyName : iPhone 6s
Identity : APCPR04A001.prod.outlook.com/Microsoft Exchange Hosted
Organizations/office365bootcamp.onmicrosoft.com/Kim.Akers/
ExchangeActiveSyncDevices/iPhone§UVEBE4V4K17NT0V1US7QBQIK68
IsRemoteWipeSupported : True
Status : DeviceWipePending
StatusNote : You'll receive an email message that lets you know when the remote device
wipe is complete.
DeviceAccessState : Allowed
DeviceAccessStateReason: Global
DeviceAccessControlRule:
LastDeviceWipeRequestor: admin@office365itpros.onmicrosoft.com
To cancel the remote wipe, use the Clear-MobileDevice cmdlet with the Cancel parameter. Again, this uses the
Identity attribute of the device to identity which mobile device to remote the remote wipe request for,
however the Identity shown in the output of Get-MobileDeviceStatistics is not the correct value to use.
Fortunately, you can pipe the output of Get-MobileDeviceStatistics back to Get-MobileDevice to see the correct
attribute.
[PS] C:\> Get-MobileDevice | Get-MobileDeviceStatistics |
Where {$_.Status -eq "DeviceWipePending"} | Get-MobileDevice | fl FriendlyName,Identity
Page 360
FriendlyName: iPhone 6s
Identity : Kim.Akers\ExchangeActiveSyncDevices\iPhone§UVEBE4V4K17NT0V1US7QBQIK68
After a remote wipe completes, the mobile device partnership for the mailbox user remains in place, and the
mobile device has a state of “Blocked” due to “Policy”. It will remain in this state forever, and if the user
attempts to reconnect the device the remote wipe will immediately be performed again.
[PS] C:\> Get-MobileDevice -Mailbox Kim.Akers | Format-List friendlyname,deviceos,deviceaccess*
FriendlyName : iPhone 6s
DeviceOS : iOS 8.2 12D508
DeviceAccessState : Blocked
DeviceAccessStateReason: Policy
DeviceAccessControlRule:
If you want to allow the user to reconnect that device the remote wipe request must be removed. To remove
the wipe request, you simply need to remove the mobile device partnership for the mailbox using Remove-
MobileDevice.
[PS] C:\> Remove-MobileDevice Kim.Akers\ExchangeActiveSyncDevices\iPhone§UVEBE4V4K17NT0V1US7QBQIK68
Remember that the steps are followed in order, and if at any stage a decision is made to allow, block or
quarantine a device, then the remaining steps of the process are not performed. When you plan your
configuration, you need to take into consideration:
• The process above.
• Whether you want to be a permissive or restrictive organization.
• How much administrative effort will be required for maintaining configurations for each step of the
process.
For example, a permissive organization that wishes to keep administrative effort to a minimum may configure:
• A default access level of Allow.
• Device access rules to block/quarantine only under exceptional circumstances, for example a known
security vulnerability with a new version of a mobile operating system.
Page 361
• A single ActiveSync mailbox policy to enforce a few security settings such as device passwords and
encryption.
A restrictive organization that wishes to keep administrative effort to a moderate level may configure:
• A default access level of Quarantine.
• Device access rules to allow known safe makes/models/operating systems of mobile device.
• Some personal exemptions for users with devices outside of that known safe list.
While a highly restrictive organization that is willing to live with a higher administrative burden may configure:
• A default access level of block.
• Disabling ActiveSync on all new mailboxes when they are created.
• A process for enabling ActiveSync and configuring personal exemptions for specific devices on a case
by case basis.
• A variety of mobile device mailbox polices to apply different security requirements depending on the
level of access to confidential data that the user may have.
Real World: If you do nothing at all and leave the default settings in place, then you are choosing to
operate in a very permissive model in which even basic controls such as passcodes on mobile devices
are not required at all, and any user in your organization can connect any ActiveSync-capable mobile
device to their mailbox.
Page 362
Office Mobile and OneDrive for Business without any device security policies being applied. Microsoft 365
MDM closes that security gap by allowing organizations to enforce device management and security policies
on any mobile device that is accessing corporate data. In addition, Microsoft 365 BMS takes a user and group-
centric approach for targeting policies. In fact, Microsoft recommends blocking Exchange ActiveSync access
for devices that cannot be managed using Microsoft 365 Mobile Device Management.
The Microsoft 365 BMS engine is essentially a stripped-down version of Microsoft Intune, but it doesn’t
require any MEM or Intune licenses, nor does it require as much configuration and setup as the full MEM
platform. At the same time, its feature set is limited compared to its bigger sibling; Microsoft clearly hopes
that customers that start with Microsoft 365 BMS will see its value and decide to buy up to a full Endpoint
Manager environment.
Device and Application Support for Microsoft 365 Basic Mobility and
Security
Microsoft 365 BMS is generally supported on relatively recent versions of Android (currently Android 5.0 and
later) and iOS (currently iOS 11.0 and later), as well as by Windows 8.1 and Windows 10; however, the level of
application support on each device platform may vary. When a user is targeted by a Microsoft 365 MDM
policy, their access to Microsoft 365 resources using Exchange ActiveSync-capable applications (such as the
Mail app on iOS), OneDrive for Business and Office mobile applications (such as Outlook, Word, and Excel)
can be controlled. Microsoft continues to work on the list of supported devices and apps for Microsoft 365
MDM, so it is a good idea to review the current list of supported devices and apps periodically.
Page 363
Figure 13-5: Completing MDM setup
Page 364
company. If you don’t already have a company Apple ID, take a few minutes now to create one on the Apple
web site and then return to continue the setup tasks.
Note: Depending on the web browser used, the upload might return a JSON formatted file that the
browser prompts you to download. You can download and save the file if you like, but this is not the
certificate file that you need.
You will receive a notification to the email address for your Apple ID when the certificate has been created. If,
after a moment or so, it seems like your web browser is stuck on the “Uploading…” page, simply refresh the
Apple portal page to see your available certificates. Click the Download button to download your new
certificate as a PEM file.
Return to the web browser tab or window where you are configuring the APNs certificate, and click Next to
continue to the page to upload your new certificate. Or, if your browser session has timed out, simply start the
APNs process again and skip past steps 1 and 2 to begin step 3 of uploading the APNs certificate. Click the
Browse button and select your PEM file to upload.
The certificate install takes several minutes to complete. If your web browser appears to hang or time out on
the upload you can log back into the Microsoft 365 admin center again, start the process of configuring the
APNs certificate, and just skip through to the step 3 again to upload the certificate you already have instead
of requesting another new certificate from Apple. If everything is in order you should see a green tick for the
Mobile Device Management settings, and you can start managing MDM policies.
Real World: Microsoft 365 Basic Mobility and Security policies are targeted at security groups. Before you
begin configuring additional policies, you should create security groups to serve as policy targets.
Page 365
Configuring Organization-wide Policies
Click the link to Manage organization-wide settings device access settings (Figure 13-8). Here you can
decide whether to allow or block unsupported devices and applications from accessing email when they are
targeted by an MDM device policy.
Note: Before you can add a group to this exclusion list you first need to create the security group in
Microsoft 365. Be aware that the group picker may show no groups at first even if you have groups in your
tenant, so you might need to do a search on a keyword before any groups will appear.
Page 367
making copying or data leakage more difficult (but not impossible). Application stores (such as the iTunes
Store and the Google Play Store) can also be blocked, however this will prevent the user from installing
applications such as Office mobile apps after they’ve enrolled their device.
Next you can decide whether to apply this policy now or later. If you choose to apply it now, you will need to
select at least one security group that will be targeted by the device policy. Again, be aware that the group
picker will show no groups at first even if you have groups in your tenant, you need to do a search on a
keyword before any groups will appear.
After you finish creating the new device policy it will have a status of Turning on… for several minutes, before
it finally displays a status of On when it is ready and active.
Figure 13-10: Intune Company Portal apps in the Apple (left) and Android (right) app stores
Page 368
The exact enrollment process varies depending on the user’s mobile device operating system. Microsoft’s
documentation covers the process thoroughly. Keep in mind that from time to time, Microsoft changes the
set of supported mobile device OS versions; for example, in January 2021 they dropped support in the
Company Portal app for Android version 5 (“Lollipop”), meaning that those devices won’t get updates to the
Company Portal app and thus won’t be able to use managed applications and services.
Once the device is enrolled, it will regularly download policy or app updates that you’ve pushed through the
MEM portal and apply them. The process is intended to be seamless to end users, although this really
depends on the policies you set. For example, if you apply a conditional access policy to require multi-factor
authentication on certain networks before accessing OneDrive or SharePoint Online content, users will
certainly notice the change. Some policy changes will trigger a dialog in Microsoft’s first-party mobile
applications that tells users that the administrator has enabled data protection (and that the app consequently
must be restarted), and there is at least one bug in this process that results in the dialog sometimes showing
up in Outlook mobile even when no changes have been made. In general, though, as with Windows Group
Policy, if you are not changing policies frequently, your users shouldn’t see any obtrusive behavior caused by
device management.
Page 369
Figure 13-11: Preparing to wipe a device assigned to a user in Microsoft 365 BMS
A full wipe is destructive, removing all data from the mobile device including the user’s personal data, and
restoring it to factory default settings. A full wipe would usually be used only in situations where a device has
been lost or stolen. On the other hand, a selective wipe only removes corporate data from the device, leaving
the user’s personal data intact. This is the preferred option for common scenarios such as a staff member
leaving the organization.
Page 370
Chapter 14: Stream Classic
Stream is in the middle of a transition from the V1 implementation based on Azure blob storage (Stream
Classic) to a new version powered by SharePoint Online and OneDrive for Business. This chapter is the content
published in the 2022 edition covering Stream Classic.
Stream Architecture
Stream has a set of core services supplemented by functionality drawn from other parts of the Microsoft 365
ecosystem. The core services are:
• Media Organization: Controls the organization of videos into channels and groups.
• Permissions: Controls who can access what video and what they can do with a video.
• Search: Indexes video content and the automated captions generated for videos.
• Live Events: Organizes live events run through Stream, including those run by Teams.
The biggest dependency Stream has is on Azure Media Services, which delivers this functionality:
• Encoding: After Stream uploads videos, it encodes the files and makes them ready for playback in
multiple formats to accommodate variable network conditions and a range of device formats. The
Encoding process also generates video thumbnails.
• Content protection: The Stream Azure-based video storage encrypts content at rest.
• Streaming: When clients connect to Stream, the streaming service figures out what format and
definition a client can accept and then streams the video to the client.
• Azure Player: The component that plays content back to a client. Content is normally played back in
a unicast (one-to-one) transmission, which can be quite demanding on a network. It is often more
efficient to handle large-scale playback using an enterprise content delivery network.
Stream is deployed as a tier C-compliant service. Apart from Azure Media Services, Stream uses the following
services:
• Azure Blob Storage: Stores the video files and transcripts (captions).
• Azure SQL: Stores video metadata and statistics such as video view counts.
• Azure Active Directory: Authenticates client connections. Stream does not currently support guest or
anonymous connections.
• Telemetry: Captures and analyzes the usage of Stream.
• Microsoft 365 Groups: Manages membership and access to content. It’s not compulsory to use
Groups if you don’t want to, but it’s convenient to do so when Groups manage access to resources
owned by other services.
The Stream portal is how users access the platform. The portal loads as quickly as possible by connecting to
the closest Microsoft 365 data center. However, backend services come from the tenant’s home region.
Pending the migration to its new platform, Stream stores video content and metadata in Azure hosted in
these data center regions:
• The United States.
• U.S. Government Community Cloud (GCC).
• Canada.
• European Union (EMEA).
• The United Kingdom.
• Asia-Pacific.
Page 371
• Australia.
• India.
• GCC.
The plans for the deployment of the classic Stream services in additional regional data centers stalled when
Microsoft began the transition to modern Stream. SharePoint is a core Microsoft 365 workload and
SharePoint Online and OneDrive for Business are available in all Office 365 data centers. Until the transition to
modern Stream is finished, tenants might have two sets of data: videos in classic Stream stored in Azure and
new videos stored in SharePoint Online or OneDrive for Business.
If your tenant is in a country-level region, Stream uses the nearest geographic region to store classic data. You
can discover this location by clicking the question mark (?) icon in the Stream menu bar and then selecting the
About Microsoft Stream link. Stream then reports the location for its classic data (Figure 14-1). In this case,
the European Union (EMEA) data center region hosts Stream.
Stream Licensing
Stream is included in all enterprise plans (including DoD, GCC, and GCC High), the education plans, and the
front-line worker plans. It is also included in the Business and Business Premium plans. See this page for more
licensing information. Stream functionality available to Office 365 E3 and E5 tenants includes advanced
features like speech-to-text and closed captions, transcript and caption generation, and searches.
The Stream tile appears in the app launcher unless you take action to remove it. To stop people from using
Stream, you can:
1. Disable Microsoft Stream for the tenant via the Azure portal.
2. Selectively remove the license for Stream from users by editing their account settings in the Microsoft
365 admin center (select the Microsoft Stream for Office 365 service plan in SKUs such as Office 365 E3
or E5) or PowerShell.
Although Microsoft published roadmap item 27728 covering the ability to allow videos to be embedded in
websites and viewed without licenses, the current situation is that anyone who views or uploads Stream
content must have a license, including access to Teams meeting recordings stored in Stream. The need for
external access is addressed in the transition to Stream 2.0 when all video content is stored in OneDrive for
Business and SharePoint Online. At that point, the normal external sharing mechanism will extend to Stream
videos.
Stream Clients
Stream supports video upload and viewing through a wide range of browsers, including Microsoft Edge and
the current versions of Chrome, Brave, and Safari. The client is localized into many different languages. Stream
mobile apps are also available for iOS and Android.
Page 372
Stream and Other Microsoft 365 Apps
Like many other Microsoft 365 apps, Stream uses components from across the Microsoft Cloud and
contributes functionality to other apps. Examples of how Stream integrates with other applications and
services include:
• Stream uses Microsoft 365 Groups to manage access to videos.
• A Stream channel can be added as a channel in Teams and videos from the channel can be played
back in Teams. You can also paste the URL for a Stream video in a channel conversation or personal
chat for readers to access by clicking the URL.
• Recordings of Teams meetings and Live Events are in OneDrive for Business or SharePoint Online.
However, Stream features are available for these videos.
• Stream videos can be played back in Yammer. You can paste the URL for a Stream video into a
Yammer message and readers can then play the content back inline.
• The SharePoint web part for Stream can highlight a video, channel, or list of videos (from all of
Stream) on a page.
• A link to a Stream video can be inserted into OneNote or the embedded code generated by the Share
option inserted into a Sway.
• Forms can collect feedback through quizzes, polls, and surveys for videos through the Interactivity tab
for a video.
Other apps can use Stream’s implementation of oEmded to display videos or channels. Unlike the older Office
365 Video Service, Stream has no dependency on SharePoint Online. Apart from anything else, this reduces
the amount of SharePoint storage consumed by videos.
Sometimes gaps exist between apps and Stream. For example, you can’t use the standard sharing controls to
share a video with someone inside or outside the tenant. Instead, you must download a copy of the video to
OneDrive for Business and share it there. These gaps are likely to be closed over time.
Another gap is that guest members cannot access video content posted to Teams, Outlook Groups, or Planner
because Stream does not currently support Azure B2B collaboration.
Page 373
Figure 14-2: Stream generates a sharable link
Network Demand
Like any video application, Stream benefits from good network performance between servers and clients.
Microsoft publishes articles to help administrators understand the characteristics of network performance for
stream, including Video delivery and network overview and how to scale video delivery for Stream.
Page 375
While Stream uploads the video, you can add the name of the video, a description, its language (for closed
captioning), and select a thumbnail (when available). In Figure 14-3, Stream is uploading two videos. As soon
as each upload completes, you can publish the video to make it visible, but users won’t be able to access the
content until Stream completes its background processing. You’ll receive an email notification when Stream
completes processing uploaded videos.
Apart from supplying details for the new video, its owner can also set permissions and options. Permissions
control who can see a video. If you don’t do anything to change the permissions, Stream makes the video
available to anyone in the tenant by publishing it in a companywide channel (you can change the default
permissions for new videos through the Stream admin settings). A channel is a way of organizing content and
is not a way to assign permissions. You can control access more precisely by putting the video in channels
belonging to one or more groups (see below). Remember that a video can exist within multiple channels,
some of which are accessible publicly and some confined to members of a group.
Options for a video include whether to allow users to post comments, apply noise suppression, and generate
or upload a caption file. Before publishing a video, it’s always a good idea to review the content and consider
editing the transcript to correct any obvious errors and trimming any extraneous seconds from the start or
end of the video.
In all cases, once the video is uploaded, Stream processes it to create the playback files, captions, and
transcript.
Page 376
Figure 14-4: Listing My Videos
You can’t attach a file to a video to give watchers extra information about a topic. However, you can add a
clickable link to a file stored in OneDrive for Business or SharePoint Online in the video description. A video
owner can also add one or more Microsoft Forms to a video (using the Interactivity tab) to ask watchers to
take a survey or quiz. Each form is linked (via its URL) to a point in the video’s timeline. When that point is
reached, Stream pauses playback and displays the form to collect information. For more information, see the
discussion about Forms in the companion volume.
Video Playback
After organizing videos to make sure that they have the right titles and descriptions and to adjust access,
viewers can watch them. Figure 14-5 shows some of the major features of Stream like closed captioning, the
automatic (and searchable) transcript, user comments (which are part of the data stored by Stream), and
trending videos. If you are the owner of a video (the person who uploads it to Stream), you can edit the
transcript to correct minor errors (via the pencil icon). Editing the transcript does not change the captions
Stream generates for a video.
Users can add videos that they don’t have time to watch to their watchlist and return to those videos through
the My watchlist link on the My content menu in the Stream navigation bar. They can also use Share to
generate a URL link that can point to a specific time in a video.
Page 377
Figure 14-5: Stream plays a video with automatic captioning and (editable) transcript
Transcripts
The transcript for a Stream video is composed of the captions generated when Stream processes a video, so
it’s not like a traditional transcript separated into the different spoken contributions from participants in a
conversation. Instead, a Stream transcript is divided into sections corresponding to times in the video. Unless
you extract captions to an external file, you can’t combine sections of the transcript to create a more coherent
rendition of a conversation or to indicate who spoke. For instance, a section often combines words spoken by
multiple people in a conversation, but you can’t separate the different contributions, probably because this
would break the connection with the captions. Also, you can’t underline or otherwise highlight terms. What
you can do is edit a specific section to correct the text in that section, and that’s usually enough to create an
accurate transcript. Finally, you can’t extract or print a complete transcript from Stream. If you want to capture
some information from the transcript, you must copy and paste individual transcript segments into a file.
Once in the file, you can edit and format the text as you wish, but you have lost any connection with the
video.
Stream used to generate transcripts automatically for new videos after their upload. In addition, from
September 2021, Stream began to remove the automatically generated transcripts for older videos that have
not been watched or updated in the last 3 (U.S.) or 6 months (other regions). These steps are intended to
reduce the amount of data Microsoft must migrate to the Stream 2.0 platform. Stream regenerates the
transcript if a user views the content. A video owner can regenerate the transcript for a video at any time by
editing its details to uncheck and then recheck the control used to control the generation of automatic
captions. Stream will not remove transcripts for videos in active use (people are viewing the video) or when
owners have edited a transcript or uploaded a manual transcript. Video content stored in Stream is unaffected
by this move.
Page 378
Searching for Videos
Stream supports the ability to search against video titles and descriptions. Previously, Stream supported
searching against the contents of video transcripts, but Microsoft removed this useful facility in 2021. Figure
14-6 shows the search interface. The lack of more in-depth search capabilities underlines the necessity to give
videos good titles and descriptions. Stream videos and transcripts do not currently show up in the results
returned by Microsoft 365 content searches.
Screen Capture
It’s often useful to record how to do something in an application or, less positively, how to reproduce a bug.
Stream’s screen capture feature can record short videos of up to 15 minutes to capture screen output. Screen
recording works with Chrome, Edge, and Brave browsers on Windows and macOS workstations. Safari on
macOS is not supported and audio capture is only available on Windows. You can’t disable the screen capture
feature. It is available to any user with a Stream license.
The steps to record a screen capture are:
• Select Record screen or video from the Stream create menu.
• Make sure that the correct camera and microphone are chosen. Screen capture from the camera is
only available when the complete screen is recorded.
• Select the screen area for capture (complete screen, window/application, or browser tab).
• Start and stop the recording to capture the desired material.
• Review the capture and upload it to Stream for processing.
• Make any needed adjustments in Stream such as trimming the video, changing permissions, or
updating metadata before publishing as normal.
Stream doesn’t always create automatic transcripts for screen capture videos. This feature depends on the
language set for the video, so if you don’t see a transcript created, update the video details to make sure that
the correct language is set. Stream notes if you change the language and create a transcript if the language is
supported for transcript generation.
Page 379
Trimming Videos
Often videos have some extraneous material at the start and finish. This is especially true of recordings of
Teams meetings or self-produced videos (like screen captures) where some time is consumed before the
content starts to make sure that everything is ready, check microphones, and so on. To improve the quality of
the video, you can remove content from the start or end of the file using the trim function in the […] menu.
When you trim a video, Stream loads a timeline of the content. You can then move two “trim points” by
dragging them to where you want the video to start and end. When you’re happy that the content is right,
click Apply. After you confirm that the trim should proceed, Stream processes the file in the background to
permanently remove content up to the start trim point and from the end trim point. There’s no recovery from
this operation; once Stream completes processing the video, a new file trimmed to the selected points
replaces the old video and the trimmed content is irrecoverable. For this reason, it is wise to download a copy
of a video before making any changes. Anyone with owner access (for instance, because they are a member of
a group with owner access to the video) can trim a video. Stream doesn’t lock a video to stop multiple people
selecting trim points but does when it is applying trims in the background. In other words, two people can’t
trim a video at the same time.
Depending on the load on the service and the length of the video, trimming can take from a few minutes to
an hour or so to finish, including the generation of new captions/transcript and timeline. When the new video
is available, Stream highlights the fact that the file was updated. If you’ve linked a form to a video, you’ll need
to check and possibly redo the work after trimming.
Replacing Videos
Sometimes videos need a little more post-production work than is possible with a simple trim from the start
and end. Video owners and Stream admins can download a video, process it with a video editor like
TechSmith Camtasia, and replace it with an updated version (or overwrite a video with a completely new file).
Replacing a video keeps its link, which means that the new file will play anywhere the link is used (like in a
Teams channel tab or web page). In addition, many of the video attributes are retained:
• Video details, like name, description, and language.
• Permissions.
• Comments, likes, and view history.
However, because the content of the video changes, anything based on the content is not retained. This
includes:
• The original transcript is replaced by a new transcript generated after the new file is uploaded to
Stream.
• New thumbnails are also generated to replace those generated from the original video.
• If Forms are linked to the original video, the links are removed (because they depend on specific
timelines in the video) and you’ll have to reinsert the Forms at the appropriate times in the
replacement video.
• The people timeline generated for the original video is no longer available. As Stream no longer
generates people timelines for videos, one will not be created for the replacement video.
To replace a video:
1. If you plan to edit the original video, download it from Stream and do whatever processing is needed.
Otherwise, locate the replacement video file. Even if you plan to replace the video with a brand-new
file, it’s a good idea to download the original as there’s no way to restore a video in Stream after the
replacement happens unless you have a copy of the original file.
Page 380
2. Select the video you want to replace in Stream and choose the Replace video option from the […]
menu.
3. Choose the video file to replace the original and click Replace.
4. Stream uploads the replacement video and swaps it for the original. The normal processing for a new
video occurs to generate the automatic transcript. After a short delay, the replacement video will be
available. Like what happens following the upload of a new video, the video owner receives an email
notification when the replacement video is in place.
Stream logs a StreamInvokeVideoUpload audit record when the replacement video is uploaded and a
StreamEditVideo record when the replacement is made. Unfortunately, the file name of the replacement video
is not captured.
Noise Suppression
Noise suppression is an option Stream can apply to new videos as they are uploaded to the portal or for
existing videos. Noise suppression isolates speech from background noise in the audio feed to make it clearer
and more distinct. Team owners or Stream administrators can update the details of existing videos to enable
noise suppression. When noise suppression is enabled, viewers have the option to keep noise suppression on
or disable it during video playback.
Most videos qualify to be processed for noise suppression. The criteria include:
• The video is two hours or shorter, and no larger than 3 GB.
• An audio track is available, but not when multiple audio tracks in different languages exist in a video.
• The video is not a recording of a Teams meeting. This is because noise suppression is automatically
done when Teams meetings are recorded.
Noise suppression is not available for recordings of Live Events. You can’t disable noise suppression on a
tenant-wide level.
Page 381
automatic transcript. Users can also upload videos from the device’s camera roll or a cloud storage app like
OneDrive.
Other mobile applications can be used to create videos, many of which offer functionality over and above
what’s available in the Stream mobile app. The advantage of the Stream app is its integration with Microsoft
365, which makes it easy to upload and share videos. See this page for more information about recording and
editing Stream videos on Android and iOS devices.
Stream Administration
An important point about Stream is that the platform treats all content as belonging to the tenant. Users
might be the owners of videos, but their account can be removed, and the videos will remain in Stream and
be accessible to anyone with permission to view the content. Because this is the case, global tenant and
Stream administrators can manage any video stored in Stream. To access Stream administration, select Admin
settings from the Stream cogwheel menu (only administrators see this link). Figure 14-8 shows the Stream
admin screen.
Page 382
Figure 14-8: Stream Admin settings
Briefly, the Stream admin settings are:
• Administrators: Global tenant administrators can always change privacy settings, ownership of a
video or channel, and other settings. You can define a list of users to assume the role of Stream
administrators. Because Stream was designed to be able to function without Microsoft 365, this is not
a Microsoft 365 or Azure AD administrative role.
• Spotlight videos: Select up to four videos to highlight in the slideshow at the top of the Stream
home page and arrange the order in which the videos appear (Figure 14-8). If you need to add
another video, you must first remove one of the existing videos from the list.
• Live Events: Define the set of users allowed to create live events. The Live Now tab lists currently
active events while the Upcoming tab lists events scheduled in the future.
• Company policies: Define a URL to a page where users can read the company policy governing the
uploading of videos to Stream. This link appears in User settings. You can also set a switch to require
users to accept the company policy before they can upload a video (including screen captures). If the
company policy changes, you can reset the setting to force users to accept the new policy.
• Usage details: Shows the amount of storage currently used for video storage and the remaining
quota. You can also choose that Stream notifies the administrators when the storage reaches 85% of
the assigned quota.
• Recycle bin: Recover videos deleted by Stream users (see the section below). Administrators can also
remove videos individually or in bulk to free up the storage available for Stream.
• Groups: Groups are managed through the Microsoft 365 Admin Center.
• Support: Submit a support ticket to Microsoft.
• Comments: By default, users can post comments to videos. You can disable this feature here.
• Content creation: You can:
o Restrict the set of users allowed to upload new videos. If you block an account here, they
cannot upload recordings of Teams meetings.
o Restrict the ability of users to create companywide channels. Companywide channels must
have a unique name within the tenant.
Page 383
o Define the default viewing permission assigned to new videos, choosing between everyone in
the company or specific groups and people.
• Third-party eCDN provider: You can sign up with an enterprise content delivery network such as
Hive Streaming or Ramp to optimize video traffic within your network. If you do, you must update
Stream so that it knows about the eCDN. Stream doesn’t support the Azure CDN.
Data Privacy
The Data Privacy section of Stream administration includes:
• Manage user data generates a report about a selected user’s activity within Stream. The HTML-
format report lists all the videos uploaded by the user as well as the channels and groups they create,
the groups they belong to, the comments posted, and notifications sent by Stream to the user.
Reports remain online for 30 days after creation.
• Manage deleted users allows an administrator to remove or update references to deleted users that
might appear in Stream. For instance, when you remove a Microsoft 365 account, that user’s object in
Azure AD is removed (after 30 days), but references to the account persist in Stream and appear
beside videos, channels, and comments created by the user. After an account is permanently removed
from Azure AD, you can:
o Replace its name wherever it appears in Stream with a generic name like “Removed user.”
o Remove all references to the account and its email address, perhaps to ensure that personal
data is removed in response to a GDPR right to be forgotten request.
Stream won’t return anything for a deleted user if they have not been active.
Page 384
Stream administrators can also recover videos for users through the Recycle bin option in Admin settings.
This option allows administrators to see and restore videos deleted by any user in the tenant or permanently
remove videos from the recycle bin.
Name Count
---- -----
Jane.Nix@office365itpros.com 74
James.Ryan@office365itpros.com 22
John.Hubbard@office365itpros.com 1
James.Joyce@office365itpros.com 1
Ben.Owens@office365itpros.com 1
Other events are available to track actions such as video uploads, deletions, or even when people like a video.
For instance, if you replace StreamInvokeVideoUpload (upload a video event) with StreamInvokeVideoUpView
(view a video event) in the Search-UnifiedAuditLog command, you’ll create a report of Stream view events to
know who’s looking at videos and what the most popular videos are. To see a summary, you change the
Group-Object command slightly to:
[PS] C:\> $Report | Group-Object Property VideoName | Sort Count -Descending |Format-Table Name,
Count
To find a more comprehensive set of audit records for Stream operations over the last ninety days, you could
do this:
Page 385
[PS] C:\> $StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date)
$Operations = @('StreamEditGroup', 'StreamDeleteGroup', 'StreamInvokeVideoView',
'StreamInvokeVideoSetLink', 'StreamEditUserSettings''StreamEditVideo', 'StreamDeleteVideo',
'StreamInvokeVideoUpload')
$Records = (Search-UnifiedAuditLog -Operations $Operations -StartDate $StartDate -EndDate $EndDate -
ResultSize 2000)
And then process each record to extract information from the AuditData field.
Yet another example of how to use Stream audit data is to look for deleted video events over the last 30 days.
These events should correspond to videos waiting in the recycle bin. After 30 days, Stream removes the
videos. The audit events can be used to create a report for checking to ensure that none of the deleted videos
should be kept. A script, downloadable from GitHub, shows how to create the report and email it to a
recipient.
Page 386
Instead of using Groups as a resource manager, Stream uses Groups as a convenient method to organize and
publish videos with links connecting videos to groups. This allows Stream to treat each group as a type of
mini-portal, meaning that when users select a group, Stream shows a highlight page with trending and new
videos linked to the group (Figure 14-10). Group owners and Stream administrators can change the
highlighted videos through the cogwheel menu on the page. Other group settings such as the display name
or description can be updated through the same menu. Stream doesn’t currently support sensitivity labels for
either group settings or individual videos, nor does it support retention labels for channels or videos.
Within a group, videos can be further divided into channels, which make it easier for users to find the
information they want by following the channel, which puts a link to the channel in their “Followed channels”
list available from the My content link in the Stream navigation bar.
Page 387
Figure 14-11: Stream lists the groups available to a user
Page 388
Figure 14-12 shows the screen to collect settings for the new group. If a group naming policy is in force, it is
applied to the group display name when the group is created. The Allow all members to contribute setting
controls who can upload videos to the group and create or remove channels. This is a setting specific to
Stream and does not affect how the group works. If users cannot upload content, they are restricted to view-
only access to videos. After creating the group, you can add members.
Page 389