Exchange Online Upgrades Its Message Tracing Capabilities

Message Tracing Revamp

Microsoft announced the GA for the new message tracing feature on June 3. The old code will be deprecated in September 2025, so it’s time to update any PowerShell scripts that use the Get-MessageTrace or Get-MessageTraceDetail cmdlets. Upgrading is easy and shouldn’t take too long, once you find the time to do the work.

Mailbox Import-Export Graph APIs Leave No Audit Trail

Mailbox Import-Export Graph API

A recent post revealed that the Mailbox Import-Export Graph API doesn’t capture audit events for its operations. The API is in beta, but this is disappointing. Auditing any mailbox is important, but it becomes a critical requirement when the possibility exists that attackers could use the API to exfiltrate mailbox data outside of the tenant. This is a hole that Microsoft needs to close.

New Outlook and OWA Control for Viewing Protected Email

Two-click confirmation for Outlook to read protected email

The new TwoClickMailPreviewEnabled setting in the Exchange organization configuration controls if OWA and the new Outlook for Windows use two-click confirmation to open protected email. The new feature could be useful for people who commonly open confidential and protected email in situations where someone else could see what they’re reading. In other situations, it will irritate people.

Replacing Litigation Holds with Microsoft 365 Retention Policies

Replace litigation holds with a Microsoft 365 retention policy

Litigation holds can retain mailbox data, but that’s it. You can swap litigation holds out for a Microsoft 365 retention policy and gain extra functionality, such as retaining OneDrive for Business content for the mailbox owners. It’s easy to script the transition from litigation holds to retention policy using PowerShell and to show how, we include a fully working script.

Use an OWA Mailbox Policy to Block Attachment Download for the New Outlook for Windows

Use an OWA Mailbox policy to stop the new Outlook downloading attachments

The ConditionalAccessPolicy setting in an OWA mailbox policy can be configured to work with Entra ID conditional access so that OWA blocks access to attachments on unmanaged devices. Microsoft originally introduced the feature in 2018 and, as it turns out, the combination of OWA mailbox policy and CA policy also blocks attachment access for the new Outlook for Windows client.

The Downside of Losing the Exchange Mailbox Audit Search Cmdlets

Searching Exchange Mailbox audit data isn't so easy

Microsoft recently announced the deprecation of the Exchange cmdlets to search for mailbox audit data. The audit data is ingested into the Microsoft 365 unified audit log, but it’s more difficult to find and retrieve Exchange mailbox audit events. Methods are available to find mailbox audit data, but interpreting what comes back is different. Any script that depends on the old cmdlets must be updated to interact with the unified audit log.

How to Permanently Remove Mailbox Items with the Graph API

Permanent deletion of mailbox items

Some new Graph APIs were announced on April 1 to close a feature gap with EWS. The new APIs permanently remove mailbox items and other objects, including folders, calendars, and calendar items. Permanent deletion means that items cannot be recovered through clients because they end up in the Purges folder in Recoverable Items. This article explains how the new APIs work, including a practical example.

Microsoft Introduces Control for Direct Send in Exchange Online

Reject Send for Direct Send in Exchange Online

The Direct Send feature allows apps and devices to send unauthenticated email via Exchange Online to internal recipients. Microsoft doesn’t want unauthenticated connections to send email because these connections could be hijacked by spammers. Enter the Reject Send feature to block Direct Send. Reject Send is in preview now, but Microsoft wants it to be the default setting in the future.

How to Find Active EWS-Based Apps in a Microsoft 365 Tenant

Exchange Web Services usage report

Microsoft will retire Exchange Web Services (EWS) from Exchange Online on October 1, 2026. A new usage report helps tenants understand what apps use EWS. Many of the apps are likely to be first-party (Microsoft) apps, but some might be third-party apps developed externally or internally. Those apps need to be retired or upgraded to use Graph APIs. Time is slipping away to do the work.

Replacing Litigation Holds with an eDiscovery Case

Litigation Holds and eDiscovery

Litigation holds were great when introduced with Exchange 2010. Fifteen years on, better methods exist to preserve user information, like eDiscovery holds. It might seem unnatural to move from litigation holds to eDiscovery cases, but this approach allows the preservation of both mailbox and OneDrive content for as long as necessary. Retention policies can serve the same purpose, so choice exists for modern preservation.

Microsoft Retires Exchange Server OWA Access to Online Archives

Online archives and Exchange Server OWA

Microsoft’s April 17 announcement that OWA in Exchange Server will not support access to online archives after May 12, 2025, surprised quite a few people. However, the decision is entirely logical and is driven by falling mailbox numbers on-premises and the need to match engineering and support costs with revenue. Outlook classic continues to support access to online archives. Maybe Outlook will be the Exchange on-premises client for the future.

Exchange Online Moves Closer to Dumping EWS

dedicated exchange hybrid app

Microsoft is introducing a Dedicated Exchange Hybrid App to facilitate the transition away from EWS to use Graph API requests for rich hybrid coexistence (free/busy, Mail Tips, and user photos). The plan involves the creation of an Entra ID app to hold EWS permissions (stage 1) followed by Graph permissions (stage 2). Everything has to be complete by October 1, 2026, because that’s when EWS goes away.

Transferring Meeting Ownership From an Ex-Employee Can Be Hard Work

Transfer meeting ownership

Neither Outlook nor Teams includes a transfer meeting ownership feature for user calendars. Moving meetings owned by an ex-employee to give someone else the ownership requires manual intervention to find and reschedule meetings. Administrators can cancel future meetings for a user. In this article, we explore how to generate a report of meetings that might need to be rescheduled.

Duplicate Mail User Objects Created for Guest Accounts

EX1015484 duplicate mail users

The February 2025 EX1015484 incident explains why mail user objects with duplicate SMTP addresses are created for guest accounts. That’s a problem because Exchange Online can’t route messages to objects with duplicate email addresses. Fortunately, you can find out if any duplicates exist in your tenant with some PowerShell. Problems happen!

Updating Email Addresses After Removing Domains

Remove domain from a Microsoft 365 tenant

Microsoft 365 makes it easy to remove domains. However, if you remove a domain and don’t adjust email proxy addresses, some fix-up might be needed to make sure that mail-enabled objects don’t have primary SMTP addresses or proxy addresses that use the removed domains. This article explains how to fix up mail-enabled objects with PowerShell to remove traces of any removed domains.

Why Only Web-Based Outlook Clients Can Recall Encrypted Email

message recall for protected messages

The new message recall facility has been around since 2022. Even after Microsoft revamped the feature in 2023, it’s still only possible to recall protected messages with OWA and the new Outlook. As it turns out, the reason is that a premium license is needed and Outlook classic might need some new code to check for that license. In other news, Outlook mobile now supports message recall.

Exchange Online Restricts the Number of Dynamic Distribution Groups

Limit for dynamic distribution groups

Exchange Online is imposing a new tenant-wide limit of 3,000 Dynamic Distribution Groups. Few tenants might be affected, but the question might be asked why Microsoft is limiting DDGs at this point. Is it a cunning plan to prompt people to use dynamic Microsoft 365 groups instead? Or are some tenants abusing DDGs in weird and wonderful ways? Who knows, but the limit applies from early April 2025.

Using iOS Build Numbers in Exchange ActiveSync Device Access Rules

Exchange ActiveSync device access rules and iOS devices.

A change made in late 2024 allows Microsoft 365 tenants to use iOS build numbers in Exchange ActiveSync device access rules. Apparently, the idea is that tenants can insist that people use iOS devices with very specific build numbers (like iOS 18.3.1 22D72) before the devices can synchronize with Exchange Online mailboxes. You never know when you might need the feature (or so they say).

Another Nail in the Exchange Web Services Coffin

EWSEnabled flag must be set in EXO organization configuration

Exchange Web Services (EWS) will retire in October 2026. Tenants that still need to use EWS must explicitly set EWSEnabled to true in the organization configuration. If they don’t, the previous behavior, where mailboxes enabled for EWS continued to function, no longer applies. The change is part of the preparation for the phase-out of EWS. To help, we’ve written a script to send email to administrators listing accounts still enabled for EWS.

Primer: Using Exchange Online PowerShell in Azure Automation Runbooks

Using Azure Automation to process Exchange Online data

In this primer, we cover how to create and execute Azure Automation Exchange Online runbooks (scripts) using cmdlets from the Exchange Online management module. Some setup is necessary before runbooks can process Exchange cmdlets, but once the necessary resources and permissions are in place, it’s all plain sailing. The next challenge is how to output data created in a runbook…

Primer: Using Exchange High Volume Email with Azure Automation

Use HVE with Azure Automation

This article covers how to use HVE with Azure Automation to send email. HVE is Exchange Online’s High Volume Email solution for internal communications. In the discussion, we cover how to retrieve credentials from Azure Key Vault, how to retrieve data from a web page, and how to bring everything together in a message submitted to HVE.

February Deadline Looms for Legacy Exchange Tokens Used by Outlook Add-Ins

A February 2025 deadline looms for Outlook classic add-ins that use legacy Exchange tokens for authentication. Add-ins must switch to nested app authentication (NAA) to have continued access to Exchange mailboxes and other objects. The upgrade is easy enough if the ISV that developed the original add-in is still in business. Things get a lot more complicated when they’re not, or you have no idea who developed an add-in.

Finding Inactive Mailboxes Based on Message Trace Data

This article covers how to use Exchange Online message trace data to find inactive mailboxes based on their message send activity. The script processes user mailboxes but can easily be adapted to process shared mailboxes too. This is only one of the available methods to find inactive mailboxes. The other methods mentioned in the article might be better suited to your purpose.

Microsoft Details Progress Towards a More Secure Exchange Online

In a November 18 post, Microsoft describes some Exchange Online security updates that are due to land between now and 2026. Some of the news is a restatement of previously announced information, like the deprecation of EWS in October 2026. New information includes some details about feature gaps that the Graph APIs cannot close when EWS goes away. And then there’s a hint about the demise of public folders (again!)

Exchange Online Adds Delicensing Resiliency

Microsoft announced Delicensing Resiliency, a new feature for tenants with over 10,000 paid seats, to avoid inadvertent data loss due to licensing errors. Essentially, the feature adds an extra 30-day grace period post license removal during which mailboxes work as normal. The idea is that administrators will have extra time to detect and fix licensing errors that lead to mailbox removal. Overall, the new feature seems like a great idea (for large tenants).

No Reason to “Upgrade” Distribution Lists to Microsoft 365 Groups

The Exchange admin center feature that lets administrators start an upgrade process asking group owners to migrate distribution lists to Microsoft 365 groups is terrible. In my experience, the request goes into a black hole and never emerges, or the process fails immediately. But you shouldn’t be upgrading distribution lists to Microsoft 365 groups anyway because groups are often overkill when all that’s needed is a way to distribute email to multiple recipients.

How to Add Contacts to User Mailboxes From a CSV File

Import contacts from a CSV File

A recent script demonstrated how to import contacts into user mailboxes using a list in a SharePoint site as the source. With a quick change, a CSV file becomes the source. This is a great example of how adaptable PowerShell is and how to update code found in articles to meet your needs. If you do ask an author to change their code, remember to try to make the change yourself first, and if you fail, explain to the author why the change should be made.

Get-Mailbox Versus Get-ExoMailbox

Microsoft’s advice is to use the Get-ExoMailbox cmdlet instead of its older Get-Mailbox counterpart. Generally, this is good advice that you should follow. However, the older cmdlet can do a job in certain circumstances, so don’t write it off completely. More importantly, make sure that filtering of objects is done using server-side filters. This will improve script performance significantly.

Using the Get-RecoverableItems Cmdlet to Report Recoverable Items

Sometimes you don’t need the full-fledged Graph API to report details of items in Recoverable Items and the Get-RecoverableItems cmdlet can do the job. The data fetched by the cmdlet isn’t as rich as the information available through the Graph, but if all you want is a simple listing of what’s in a mailbox’s Deletions folder, Get-RecoverableItems is a good solution. And best of all, we provide a full script to show how.

Why Entra ID can Restore Some Types of Deleted Groups and Not Others

The ability to restore deleted groups only covers Microsoft 365 groups. That’s an odd situation to be in given the different types of groups in Microsoft 365, and the reasons why things work (or don’t) the way they do are down to history and different teams within Microsoft. It’s logical that customers assume they can restore any type of deleted group. Microsoft needs to do some magic to make that assumption real.

Finding Non-Compliant Shared Mailboxes

Shared mailboxes have Entra ID accounts. No one needs to sign into the accounts because Exchange Online manages connections using mailbox permissions. But it can happen that people do sign into shared mailboxes and if the accounts aren’t licensed, they don’t comply with Microsoft licensing requirements. As explained here, some PowerShell can check for potential licensing violations.

Comparing Microsoft Cloud Email Services

HVE and ECS are two competing Microsoft Cloud Email Services. At least, they seem to compete. In reality, HVE and ECS serve different target audiences. HVE is all about internal email services for apps and devices while ECS is for high volume external mailings like customer newsletters. We tested both services by sending subscription reminder notifications to Office 365 for IT Pros readers.

Comparing Shared and Inactive Mailboxes for Retaining Ex-Employee Content

Every Microsoft 365 tenant must deal with ex-employee mailboxes. The default choice is to make the mailboxes into shared mailboxes. But inactive mailboxes could be a better option to deal with the requirements to preserve user privacy and avoid inadvertent disclosure of PII to people who don’t need that information. Perhaps it’s time to reassess how your organization deals with ex-employee mailboxes?

Exchange Online Previews Inbound SMTP DANE with DNSSEC

On July 17, Microsoft announced the public preview of inbound SMTP DANE with DNSSEC for Exchange Online, a welcome step forward to improve messaging security. A previous attempt to launch the preview foundered because Microsoft wanted to insist on Microsoft 365 E5 licenses for the feature. Mature reflection prevailed and inbound DANE with DNSSEC is available to all, which is how it should be.

Working with Calendar Permissions using the Microsoft Graph PowerShell SDK

The Set-MailboxFolderPermission cmdlet is usually used to set calendar permissions, including the permission for the default user to allow everyone in an organization to see each other’s calendars. But you can use cmdlets from the Microsoft Graph PowerShell SDK too. The Graph SDK cmdlets are faster, but not enough to warrant replacing the Exchange cmdlet in scripts. We explain why here.

Reporting Mailbox Audit Configurations

A request came in for a PowerShell script to report mailbox audit configurations to check that the important new events are being generated by mailboxes. After diverting into the hellhole of Microsoft licensing, normal sanity was resumed and a PowerShell script written to do the job. The script generates a CSV file or Excel worksheet for tenant administrators to review. After that, it’s up to you.

Exchange Online Moves to Tighten Platform Security

Exchange Online announced two important changes on April 15. SMTP AUTH is being deprecated and a new external recipient rate limit is being introduced. The changes are intended to improve the security of Exchange Online. The introduction of an external recipient rate limit is also intended to reduce the ability of spammers to abuse the platform.

The New Manage Distribution Groups OWA Component Has a Problem with Role Assignments

Microsoft announced a new component for OWA distribution list management but clearly the engineers never took role assignment policy customizations into account. If they had, they wouldn’t have created something that ignores the way organizations block end user ability to create new distribution lists. It’s just a sad indication of Microsoft’s attitude to one of the workhorses of Exchange.

Microsoft Releases View Another Mailbox for the New EAC

Microsoft has released the View Another Mailbox feature for the new EAC. This is part of the build-out of the new EAC functionality before the retirement of the old EAC. Interestingly, the new feature depends on the old Exchange Control Panel dating back to Exchange 2010. Things aren’t quite as modern and fast as Microsoft says they are.

Office 365 for IT Pros eBook Team Welcomes Michel de Rooij

The Office 365 for IT Pros team welcomes Michel de Rooij as a new author. As a PowerShell Pro, he’ll like the code to update the impersonation protection list for anti-phishing policies. Or maybe he’ll rewrite it to make the code better. Either way, we win and the Mail Flow chapter should get a new lease of life.