Microsoft announced the GA for the new message tracing feature on June 3. The old code will be deprecated in September 2025, so it’s time to update any PowerShell scripts that use the Get-MessageTrace or Get-MessageTraceDetail cmdlets. Upgrading is easy and shouldn’t take too long, once you find the time to do the work.
A recent post revealed that the Mailbox Import-Export Graph API doesn’t capture audit events for its operations. The API is in beta, but this is disappointing. Auditing any mailbox is important, but it becomes a critical requirement when the possibility exists that attackers could use the API to exfiltrate mailbox data outside of the tenant. This is a hole that Microsoft needs to close.
This week’s Microsoft layoffs provide a timely reminder to review how to retain and secure ex-employee data. OneDrive for Business might be the biggest challenge because of the variety of application data that now ends up in user OneDrive accounts. Agents and Flows are also an area of concern, as are objects like apps, phone numbers, and recurring meetings.
Microsoft recently announced the deprecation of the Exchange cmdlets to search for mailbox audit data. The audit data is ingested into the Microsoft 365 unified audit log, but it’s more difficult to find and retrieve Exchange mailbox audit events. Methods are available to find mailbox audit data, but interpreting what comes back is different. Any script that depends on the old cmdlets must be updated to interact with the unified audit log.
The Direct Send feature allows apps and devices to send unauthenticated email via Exchange Online to internal receipts. Microsoft doesn’t want unauthenticated connections to send email because these connections could be hijacked by spammers. Enter the Reject Send feature to block Direct Send. Reject Send is in preview now but Microsoft wants it to be the default setting in the future.
Litigation holds were great when introduced with Exchange 2010. Fifteen years on, better methods exist to preserve user information, like eDiscovery holds. It might seem unnatural to move from litigation holds to eDiscovery cases, but this approach allows the preservation of both mailbox and OneDrive content for as long as necessary. Retention policies can serve the same purpose, so choice exists for modern preservation.
The February 2025 EX1015484 incident explains why mail user objects with duplicate SMTP addresses are created for guest accounts. That’s a problem because Exchange Online can’t route messages to objects with duplicate email addresses. Fortunately, you can find out if any duplicates exist in your tenant with some PowerShell. Problems happen!
Exchange Web Services (EWS) will retire in October 2026. Tenants that still need to use EWS must explicitly set EWSEnabled to true in the organization configuration. If they don’t, the previous rule that allows mailboxes enabled for EWS to function won’t work. The change is part of the preparation for the phase-out of EWS. To help, we’ve written a script to send email to administrators listing accounts still enabled for EWS.
Microsoft announced Delicensing Resiliency, a new feature for tenants with over 10,000 paid seats, to avoid inadvertent data loss due to licensing errors. Essentially, the feature adds an extra 30-day grace period post license removal during which mailboxes work as normal. The idea is that administrators will have extra time to detect and fix licensing errors that lead to mailbox removal. Overall, the new feature seems like a great idea (for large tenants).
On July 17, Microsoft announced the public preview of inbound SMTP DANE with DNSSEC for Exchange Online, a welcome step forward to improve messaging security. A previous attempt to launch the preview foundered because Microsoft wanted to insist on Microsoft 365 E5 licenses for the feature. Mature reflection prevailed and inbound DANE with DNSSEC is available to all, which is how it should be.
Exchange Online announced two important changes on April 15. SMTP AUTH is being depreciated and a new external recipient rate limit is being introduced. The changes are intended to improve the security of Exchange Online. The introduction of an external recipient rate limit is also intended to reduce the ability of spammers to abuse the platform.
A question was asked about the best way to find out if shared mailboxes received email from certain domains over the past 60 days. Exchange Online historical message traces can extract trace data to allow us to check, but the process of running the message trace and then analyzing the data is just a little disconnected.
Microsoft is introducing a block to stop customers attempting to move auto-expanding archives to Exchange Server. No very of the on-premises server has ever supported auto-expanding archives, so it’s reasonable to have a block. It’s still possible to move a primary mailbox back to Exchange Server, but its auto-expanding archive must stay in the cloud. It’s a good factor to take into account if an organization plans to use auto-expanding archives in the future.
Exchange Online tenants have a choice between inactive mailboxes and shared mailboxes when the need arises to keep “leaver” data like that belonging to ex-employees. Inactive mailboxes are essentially a compliance tool and sometimes shared mailboxes are better choices. We explore both in this short article.
October 1, 2022, is when Microsoft begins the final process of removing support for basic authentication for 7 email connection protocols from Exchange Online. The process will take several months to complete, and when it’s done, Office 365 will be a safer place that attackers will find more difficult to penetrate. But it’s time for tenants to prepare, if you haven’t already done so, and we highlight some critical points from Microsoft’s most recent post on this topic.
Microsoft intends to make the Exchange Online plus addressing feature available by default to all Microsoft 365 tenants after April 17, 2022. If you don’t want this to happen, you need to update the Exchange Online organization configuration to update the DisablePlusAddressInRecipients setting to True. After the opt-out 30-day period finishes, Microsoft will proceed with the deployment, so don’t say you weren’t warned!
A post by the Exchange development group tried to explain why mailboxes have SharePoint Online proxy addresses. It’s all down to the Microsoft 365 substrate, which needs the proxy addresses to ingest digital twins from SharePoint Online into Exchange Online for use by shared services like Microsoft Search. The upshot is that you can’t remove a mailbox permanently without some background processes kicking in to make sure that SharePoint is taken care of.
Microsoft announced the preview of the Send from Email Aliases feature on January 25. The only problem is that the same feature was released in April 2021. And OWA gained full support for it in October 2021. So why would Microsoft reissue an existing feature? They’re not saying, but I suspect it’s down to fixing some issues in the Exchange Online transport service to make sure that messages sent from an email alias work properly in every circumstance.
On January 10, Microsoft announced that the base Office 365 workloads support Continuous Access Evaluation (CAE) for critical Azure AD events like password changes or account deletions. Although you can take CAE even further with conditional access policies, giving Exchange Online, SharePoint Online, and Teams the ability to react to critical events in almost real-time is a very big thing indeed.
To make Microsoft 365 DLP policies work like Exchange transport-rule based DLP, a January change will switch evaluation of sender conditions away from envelope information to message headers. Although this change might seem to be something beloved of email geeks, it’s actually an important update for organizations who want to move away from ETR-based DLP to Microsoft 365 DLP policies.
Microsoft is changing the way the Exchange Online transport service resolves the membership of dynamic distribution groups. Instead of doing this when someone sends a message to a dynamic group, Exchange resolves the membership once daily and whenever the recipient filter changes. It’s a reasonable approach designed to make messages move faster and more reliably, and it’s similar to the way that Azure AD dynamic groups maintain their memberships, so it shouldn’t make much difference.
To help you recover from the blizzard of Microsoft 365 information released at Fall Ignite 2021, here are some notes about features and functionality you might have missed. Like any list created by a conference (virtual) attendee, it reflects my interests and what I was looking for. Feel free to disagree on the importance of any or all of the topics discussed here… and suggest some of your own in the comments.
A new Microsoft 365 DKIM management page is a good prompt to check that all domains used to send email in n Office 365 tenant are configured properly for DKIM. The process of enabling DKIM and key rotation is easily done through the GUI or PowerShell once the correct CNAME records are in DNS.
A recent update to OWA adds the option to allow users to choose which proxy addresses assigned to a mailbox they would like to send messages from. It’s a small change which completes the client support for the earlier server-side update to allow users to send using mailbox proxies, and it makes using proxy addresses more approachable and useful. OWA also includes a drop-down list in the compose message screen to allow users to select an address to send from, and makes sure that message headers are updated correctly so that messages go back to the right address.
A change rolling out in mid-October will remove storage pressure on the Recoverable Items structure in Exchange Online mailboxes by offloading some data to archive mailboxes. The idea is a good one because it means that the storage allocated to Recoverable Items won’t fill up and require intervention so often. Users won’t know anything about what’s happening under the covers as it’s all hidden from view.
A 1.5 TB limit applies to Exchange Online archive mailboxes from November 1, 2021. In this article, we use PowerShell to report how close expandable archives are to the new limit. In reality, not many archive mailboxes will approach the new limit, but it’s nice to know things like the daily growth rate for an archive and how many days it will take for an archive to reach 1.5 TB. All whimsical stuff calculated with PowerShell!
Exchange Online already imposes limits on the number of messages a mailbox can receive per hour. New limits will restrict the number of messages individual senders can send to a third of the overall limit. The restriction doesn’t apply to senders with an Exchange Online mailbox in the same tenant. And if a mailbox runs into a limit, it features on the splendidly named Hot Recipients report. What’s not to like about that.
Exchange Online supports the ability to send email using any SMTP proxy address assigned to a mailbox. Following the announcement of the feature, users had many questions including what clients can be used. Here are some common questions and answers about the feature, including some PowerShell to report the set of proxy addresses assigned to user mailboxes.
A new phishing attack is circulating from an Office 365 tenant. The attack attempts to lure recipients into clicking a link to download a document. The phishing email is not quite as crude as other attempts and might lure users into doing the wrong thing, especially as the message is delivered to inboxes.
Exchange Online tenants can activate external email tagging, which causes Outlook clients (not desktop yet) to highlight messages received from external domains. The feature can replace custom implementations to mark external email, usually done with transport rules. It’s easy to implement and control, but the mail tip offering to block an external sender seems a little over the top.
Because it sits on top of so many Microsoft 365 components, Teams is easily the hardest Office 365 workload to backup. You can try to backup Teams by copying its compliance records stored in Exchange Online, but that’s only a partial (and bad) solution that utterly fails to take the full spectrum of Teams data into account.
Changes coming in May and June will allow organizations to make online meetings the norm when created by OWA or Outlook mobile clients. You can control the feature at the organization level and allow individual mailboxes to override the organization setting.
Microsoft has published updates for the Exchange Online management and SharePoint Online PowerShell modules. Generally it’s a good idea to install the latest version of PowerShell modules for the different Office 365 products, but beware of some gotchas that await the unwary…
Microsoft has released information about high-value Office 365 audit events and audit event retention policies. Both are part of a Microsoft 365 Advanced Audit offering. The MailItemsAccessed event is the first high-value audit event (we can expect more) and the retention policies are used to purge unneeded events from the Office 365 audit log.
Some doubt that Exchange Online will disable basic authentication for five email connection protocols in October 2020. The refrain is that it will be too hard for customers. Well, it might be hard to prepare to eliminate basic authentication, but if you don’t, your Office 365 tenant will be increasingly threatened by attacks that exploit known weaknesses.
In November, Microsoft set a 1TB limit for Exchange Online auto-expanding archive mailboxes. Now they’ve retreated and the latest service description says nothing about a limit. The two changes in the service featured little or no customer communications and a total lack of any supporting material, like administrative controls to help manage archive mailboxes approaching the limit. While a limit has gone for now, it will be back.
Nine new REST-based PowerShell cmdlets are available for Exchange Online. They offer the prospect of better performance and reliability. Here are the code samples we used to test the new cmdlets for a theater session delivered at the Microsoft Ignite 2019 conference. Anyone wanting to explore the new cmdlets can use these examples to get going.
In a surprise development, Microsoft reversed course for Exchange Online auto-expanding archives and imposed a 1TB limit. The promise of a bottomless archive that continually expanded to cope with user data is removed. Although it’s reasonable for Microsoft to restrict the consumption of resources, suddenly implementing a limit is not, especially when you don’t communicate with customers.
The ability to see the PowerShell commands executed by Exchange administrative centers has existed since Exchange 2007. Now something has changed in Exchange Online and the command log is blank. It’s sad because many administrators learned to use PowerShell by examining how Microsoft used it to manage Exchange. Let’s hope that Microsoft fixes this bug soon.
Microsoft has implemented a new synchronization mechanism in Outlook ProPlus to deal more efficiently with shared folders. The new approach increases the limit from 500 to 5,000 folders and is a more elegant and precise solution. Users who manage other peoples’ mailboxes will appreciate the change after they install build 11629.20196 or later.