Microsoft hosted its annual conference this September. However, unlike prior Ignite conferences, this one was impacted by COVID-19. As a result, Microsoft took its massive conference, typically attended by tens of thousands of individuals, and converted it into a digital online experience.
This digital Ignite was by no means a shadow of its former self. With 812 scheduled sessions and another 410 on-demand sessions via the Video Hub, this digital experience was massive.
Out of those 1,222 sessions, here are the top 15 I think every Exchange admin should watch.
Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes.”
In this session, Greg Taylor discusses the roadmap for Exchange on-prem and Exchange Online. Topics include:
- Exchange Calculator will now be a separate download, outside of the ISO (0:30 mins)
- Exchange 2016/2019 will support multiple tenants with the HCW (2:15 mins)
- Up to 5 tenants at GA
- Have to rerun the HCW against each tenant
- HMA will be restricted to only 1 of those 5 tenants
- It won’t configure free/busy between the tenants
- New Exchange Admin Center will be GA Q1 2021 (4:40 mins)
- New Exchange Admin Center Home (6:25 mins)
- New Exchange Admin Center Reports (7:25 mins)
- Auto-Forwarded Message Report
- Outbound Message Report
- Exchange PowerShell Module v2 (8:40 mins)
- General availability of certificate-based authentication for unattended scripts
- PowerShell Core support in preview
- Linux PowerShell support in preview
- Plus Addressing in Exchange Online is GA (11:15 mins)
- Full rollout expected by October
- Administrators need to enable it at the tenant-level
- A new version of on-premises Exchange Server (13:40 mins)
- Released H2 2021
- Only available via subscription purchase
- SharePoint and Skype for Business will follow suit
- Can install into an existing org with Exchange 2013, Exchange 2016, and Exchange 2019
- One more backward-compatible version than normal
- Exchange 2019 users can do an in-place upgrade to vNext (like applying a CU)
- Only for 2 years after vNext release
- Exchange 2019 and vNext can be in the same DAG and load balancer VIP
- No more major Exchange upgrades
- Exchange 2016 end of mainstream support – October 14th (20:00 mins)
- If using the free hybrid key, keep using it during extended support
- If you have on-prem mailboxes, migrate to Exchange 2019
- Removing the last Exchange server (22:30 mins)
- Nothing to announce, but work is still in progress
- Basic Authentication still being retired (23:30 mins)
- Deadline extended to H2 2021
- Easy on/off controls in M365 Admin Center
- OAuth support added for POP, IMAP, and SMTP AUTH
- PowerShell Module v2 uses modern auth
- Outlook 2013 and newer uses modern auth
- Use the Azure AD Sign-Ins report
- Basic auth will be turned off in new tenants by default with security defaults
- Basic auth will be turned off in tenants not using it
- Additional Exchange Online training resources (26:55 mins)
In this session, Kevin Shaughnessy discusses all the advancements coming to Exchange transport. Topics include:
- Support for Plus Addresses (4:55 mins)
- E.g., amypond+newsletter@supertekboy.com
- Now rolling out
- Great way to see who may have sold/leaked your data
- Can target inbox rules at the new plus address (move to a folder, etc.)
- Could use it to track marketing/sales campaigns you initiate
- Block users from blind carbon copying (BCC) a group (9:00 mins)
- Problem: Inbox rules were ignoring a group added to the BCC line in an email
- Solution: Generate an NDR if a group is added to the BCC line in an email. It can be enabled per group by either the group owner or administrator.
- Rolling out Q4 2020
- New Exchange Admin Center (12:53 mins)
- All mail flow items and insights (e.g., message trace and mail flow reports) are moving from the Security & Compliance Center to the new Exchange Admin Center
- New Exchange Admin Center is an opt-in experience
- DEMO: New Exchange Center mail flow group (14:15 mins)
- New Mail Flow Insights, Notifications, and Reports (16:10 mins)
- Expired / soon to expire certificates report (Q4 2020)
- Expired / soon to expire domains report (Q4 2020)
- Misconfigured connectors report (TBD)
- New Settings
- Message expiration for email delivery issues (Q4 2020)
- Default is 24 hours to generate NDR
- Will be able to configure expiration and NDR value of 8-24 hours
- Expiration for queued due to TLS failures (TBD)
- Default is 24 hours to generate NDR
- Under consideration
- Reply-All Storm Protection (21:20 mins)
- V1 is currently deployed
- Triggers when 10 reply-alls are sent to an email with 5,000 recipients within 1 hour
- Blocks replies with an NDR for up to 4 hours
- V2 planned
- Customize the number of recipients on the email (new default will be 2,500)
- Customize the number of reply-all messages detected in 1 hour (default will still be 10)
- Customize block replies (default will still be 4 hours)
- Reply-All Storm insights/reports coming to EAC
- Message Recall for Exchange Online (26:15 mins)
- Previously, message recall was client-based and only worked when the client was Outlook (not web or mobile)
- New message recall is client agnostic and will remove the message from the mailbox
- User will see a report of message recall success/failure
- Available by Q4 2020
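The reply-all storm protection rule described above, modelled in PowerShell as an added example (this is not Microsoft's implementation, and the message events are constructed). The V1 thresholds are the defaults, and the V2 knobs the session lists (recipient count, reply-all count, block duration) are parameters, so you can see what the new 2,500-recipient default would catch that V1 does not.

```powershell
# Added example, not Microsoft's code. Event objects are constructed to look like
# what you would derive from message trace: one row per message in a conversation.
function Find-ReplyAllStorm {
    param(
        [Parameter(Mandatory)][object[]]$Events,      # ConversationId, Timestamp, RecipientCount, IsReplyAll
        [int]$MinRecipients = 5000,                   # V1 default; V2 default will be 2500
        [int]$ReplyAllThreshold = 10,                 # reply-alls inside the window (V1 and V2 default)
        [timespan]$Window = [timespan]::FromHours(1),
        [timespan]$BlockDuration = [timespan]::FromHours(4)
    )
    $verdicts = @()
    $candidates = $Events |
        Where-Object { $_.IsReplyAll -and $_.RecipientCount -ge $MinRecipients } |
        Group-Object ConversationId
    foreach ($conversation in $candidates) {
        $times = @($conversation.Group | ForEach-Object { [datetime]$_.Timestamp } | Sort-Object)
        # Sliding window: at each reply-all, count the reply-alls in the hour ending there.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowStart = $times[$i] - $Window
            $inWindow = @($times | Where-Object { $_ -gt $windowStart -and $_ -le $times[$i] }).Count
            if ($inWindow -ge $ReplyAllThreshold) {
                $verdicts += [pscustomobject]@{
                    ConversationId    = $conversation.Name
                    ReplyAllsInWindow = $inWindow
                    DetectedAt        = $times[$i]
                    BlockedUntil      = $times[$i] + $BlockDuration   # later reply-alls get an NDR until then
                }
                break   # one verdict per conversation is enough
            }
        }
    }
    $verdicts
}

# Constructed sample: two conversations, each with 12 reply-alls four minutes apart.
# Only the all-hands thread crosses the V1 recipient bar; the team thread only crosses the V2 bar.
$start = [datetime]'2020-10-01T09:00:00'
$events = @(
    0..11 | ForEach-Object { [pscustomobject]@{ ConversationId = 'allhands-thread'; Timestamp = $start.AddMinutes(4 * $_); RecipientCount = 6000; IsReplyAll = $true } }
    0..11 | ForEach-Object { [pscustomobject]@{ ConversationId = 'team-thread';     Timestamp = $start.AddMinutes(4 * $_); RecipientCount = 3000; IsReplyAll = $true } }
    [pscustomobject]@{ ConversationId = 'allhands-thread'; Timestamp = $start; RecipientCount = 6000; IsReplyAll = $false }   # the original send, not counted
)
'V1 thresholds (5,000 recipients):'
Find-ReplyAllStorm -Events $events | Format-Table -AutoSize
'V2 thresholds (2,500 recipients):'
Find-ReplyAllStorm -Events $events -MinRecipients 2500 | Format-Table -AutoSize
```

The detection fires at the tenth reply-all inside the trailing one-hour window, and the block window starts from that moment rather than from the first reply, which is why a slow-burning thread can still be caught hours after it started.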
In this session, Sean Stevenson discusses new security features coming to Exchange transport. Topics include:
- Existing mail flow scenarios and susceptibility for attack (3:04 mins)
- TLS 1.0 deprecation underway (6:55 mins)
- TLS 1.0 already disabled for DoD/GCC High tenants
- 2% of all mail exchanged between Office 365 and other mail exchangers still uses TLS 1.0
- Even with TLS 1.0 disabled, man-in-the-middle attacks are still a problem
- DEMO: New Exchange Admin Center insights and reports identify mail sending with TLS 1.0 to/from your tenant (10:30 mins)
- New cipher requirements to send/receive mail to Exchange Online (11:40 mins)
- SMTP MTA Strict Transport Security support (RFC 8461) (12:55 mins)
- Office 365 outbound now supports MTA-STS
- A DNS TXT record added to external DNS identifies the presence (and location) of an MTA-STS policy (a text file hosted on a web server)
- DEMO: Example of an MTA-STS policy (TEXT file) (17:50 mins)
- Support for DANE / DNSSEC (18:25 mins)
- DANE for SMTP identifies what TLS protocols the recipient domain supports prior to handshake/TLS negotiation
- Protects against man-in-the-middle or downgrade attacks
- DANE TLSA records are protected with DNSSEC to prevent tampering with the DANE records
- Outbound protection will be added before inbound protection
- SMTP Auth Clients (20:52 mins)
- Deprecation of TLS 1.0 for SMTP Auth Clients is still coming
- If your SMTP Auth Clients can’t be easily upgraded to use TLS 1.2, leverage Exchange on-premises for mail relay.
- DEMO: SMTP Auth Client report (23:00 mins)
- SMTP Auth Clients (24:10 mins)
- No plans to deprecate basic authentication for SMTP Auth Clients at this time.
- Modern Auth (OAuth) is available for SMTP Auth Clients (recommended)
- Recommended: Disable SMTP Auth for any mailbox that does not require it
- SMTP Auth being globally disabled on all new tenants (can be re-enabled by the admin)
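As an added example (not from the session or from Microsoft), here is a PowerShell check of the two pieces MTA-STS is built from, the `_mta-sts` TXT record and the policy file served over HTTPS, plus a matcher for the policy's `mx` patterns that decides whether a given MX host is allowed. The record and policy text are constructed samples; the field rules follow RFC 8461, which the session cites.

```powershell
# Added example, not Microsoft's code. Parses and sanity-checks an MTA-STS TXT record
# and policy file (RFC 8461). The sample record and policy below are constructed.
function ConvertFrom-MtaStsTxtRecord {
    param([Parameter(Mandatory)][string]$Record)
    # TXT at _mta-sts.<domain>: "v=STSv1; id=<token>"; the id changes whenever the policy file changes,
    # which is how a sending MTA learns that its cached policy is stale.
    $fields = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -match '^(?<k>[^=]+)=(?<v>.+)$') { $fields[$Matches.k.Trim()] = $Matches.v.Trim() }
    }
    if ($fields['v'] -ne 'STSv1' -or -not $fields['id']) { throw "Invalid MTA-STS TXT record: $Record" }
    [pscustomobject]@{ Version = $fields['v']; Id = $fields['id'] }
}

function ConvertFrom-MtaStsPolicy {
    param([Parameter(Mandatory)][string]$PolicyText)
    # Policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, one "key: value" per line.
    $policy = [ordered]@{ version = $null; mode = $null; max_age = $null; mx = @() }
    foreach ($line in ($PolicyText -split "`r?`n")) {
        if (-not ($line -match '^\s*(?<k>[a-z_]+)\s*:\s*(?<v>\S.*?)\s*$')) { continue }
        switch ($Matches.k) {
            'version' { $policy.version = $Matches.v }
            'mode'    { $policy.mode    = $Matches.v }
            'max_age' { $policy.max_age = [int]$Matches.v }
            'mx'      { $policy.mx     += $Matches.v }
            default   { }   # unknown keys are ignored, as the RFC requires
        }
    }
    if ($policy.version -ne 'STSv1') { throw 'policy: version must be STSv1' }
    if ($policy.mode -notin @('enforce', 'testing', 'none')) { throw "policy: unknown mode '$($policy.mode)'" }
    if ($policy.mode -ne 'none' -and $policy.mx.Count -eq 0) { throw 'policy: at least one mx line is required' }
    if ($null -eq $policy.max_age -or $policy.max_age -lt 0 -or $policy.max_age -gt 31557600) { throw 'policy: max_age out of range' }
    [pscustomobject]$policy
}

function Test-MtaStsMx {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][string]$MxHost)
    # A "*." pattern matches exactly one leading label, so *.mail.protection.outlook.com
    # allows contoso-com.mail.protection.outlook.com but not a.b.mail.protection.outlook.com.
    foreach ($pattern in $Policy.mx) {
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)
            $label  = $MxHost.Substring(0, [Math]::Max(0, $MxHost.Length - $suffix.Length))
            if ($MxHost.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and $label -and $label -notmatch '\.') { return $true }
        }
        elseif ($MxHost -eq $pattern) { return $true }
    }
    return $false
}

# Constructed sample record and policy for an Office 365 hosted domain.
$record = ConvertFrom-MtaStsTxtRecord -Record 'v=STSv1; id=20200915T120000Z'
$policy = ConvertFrom-MtaStsPolicy -PolicyText @'
version: STSv1
mode: enforce
mx: contoso-com.mail.protection.outlook.com
mx: *.mail.protection.outlook.com
max_age: 604800
'@
"policy id $($record.Id): mode=$($policy.mode), max_age=$($policy.max_age)s, mx=$($policy.mx -join ' | ')"
foreach ($mx in 'contoso-com.mail.protection.outlook.com', 'relay.unexpected.example') {
    '{0,-45} allowed by policy: {1}' -f $mx, (Test-MtaStsMx -Policy $policy -MxHost $mx)
}
```

Start a new policy in `testing` mode and move to `enforce` only after the TLS reports show every sending path already matching, since in `enforce` mode a sending MTA that cannot validate the receiving MX against the `mx` list will hold the mail rather than deliver it.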
In this session, Smart Kamolratanapiboon discusses the steps required to enable Hybrid Modern Authentication (HMA) for your on-premises Exchange environment. Topics include:
- Why Hybrid Modern Authentication (HMA) (0:40 mins)
- Allows on-premises Exchange Servers to use modern authentication
- Enable additional security measures such as Multi-Factor Authentication (MFA)
- Use Intune to enforce MDM/MAM policies to Exchange on-premises via Conditional Access Policies
- Retire legacy/basic authentication
- Common authentication mechanism for both on-prem and online mailboxes
- HMA prerequisites (3:42 mins)
- Exchange 2013 CU19+
- Hybrid Configuration Wizard (HCW) must be run as Classic Hybrid
- SSL offloading must be disabled
- All identities must be synchronized to Azure AD with Azure AD Connect
- Pass-Through Authentication, Password Hash Sync, and Federation (e.g. ADFS) are all supported
- Clients must support modern authentication (Outlook 2013+)
- Exchange servers must have outbound connectivity to Exchange Online / Azure
- Exchange clients must have outbound connectivity to Azure
- Behavior after HMA is enabled (6:45 mins)
- Simply enabling hybrid modern authentication does not block legacy authentication
- Existing legacy authentication clients will continue to work (e.g. POP, IMAP, Outlook 2010) unless your conditional access policies specifically block legacy authentication
- Outlook must restart to reconnect using modern auth (OAuth)
- Outlook mobile account needs to be recreated to switch from legacy auth to modern auth
- MAPI over HTTP must be enabled to use modern auth
- HMA authentication flow diagram (9:05 mins)
- Enabling HMA (10:10 mins)
- Add SPNs to Azure AD for on-premises Exchange namespaces (e.g. autodiscover.domain.com, mail.domain.com)
- Verify OAuth is enabled on all virtual directories (enabled by default)
- OWA/ECP does not support HMA – use Azure App Proxy or ADFS
- Run the following PowerShell commands
- Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndPoint $true
- Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
- Fiddler trace showing Bearer token request (Modern Auth / OAuth) (12:42 mins)
- Fiddler trace showing authentication against Autodiscover with Bearer token (Modern Auth / OAuth) (13:17 mins)
- Outlook connection status window showing Bearer authentication (Modern Auth / OAuth) (13:52 mins)
- Post HMA Enablement (14:05 mins)
- All clients capable of modern auth will start using modern auth
- Exchange Online option in Conditional Access now applies to Exchange On-Premises
- You can gradually roll out HMA via the per-mailbox enablement of MAPI over HTTP
- RPC over HTTP clients cannot use modern auth (OAuth)
- Outlook Mobile after HMA enablement will show as “OutlookService” as DeviceType (allow this)
- You can block Outlook Mobile from using basic auth by blocking the “Outlook for iOS and Android” device model
- Block legacy auth with auth policy in Exchange 2019 (New-AuthenticationPolicy)
- Outlook Mobile app (18:29 mins)
- Supports basic and modern auth to on-premises mailboxes
- Cache mailbox gets created in Outlook.com when using basic auth
- Cache mailbox gets created in Office 365 when using modern auth (in your tenant)
- Port 443 inbound from Office 365 to Exchange Servers required
- Troubleshooting – OAuth (21:07 mins)
- Ensure OAuth is configured on virtual directories
- When in doubt, rerun HCW
- Test with Test-OAuthConnectivity from Exchange Online and Exchange On-Premises
- Verify Exchange Server Auth Certificate is not expired
- Certificate metadata refresh
- Wait up to 8 hours for the refresh to process automatically (check event logs for event ID 2015 MSExchange AuthAdmin)
- Run Set-AuthServer EvoSts -RefreshAuthMetadata to manually start the refresh
- Troubleshooting – Autodiscover V2 (24:35 mins)
- Use the EASHMA script on the Technet Gallery to troubleshoot ActiveSync
- Troubleshooting – HTTPS Publishing (26:30 mins)
- Autodiscover, EWS, OAB, MAPI have to be publicly accessible from the internet over HTTPS 443 for remote users
- Security can be managed via an Azure Conditional Access Policy and Multi-Factor Authentication (MFA)
- Troubleshooting – Authentication Issues (27:49 mins)
- Check Azure AD Sign-In Logs, ADFS Logs, and Azure Conditional Access Logs
- Troubleshooting – Third-party applications and OAuth (28:35 mins)
- Exchange 2013 won’t support EWS third-party applications when enabled for OAuth
- Upgrade to Exchange 2016 to support EWS third-party applications with OAuth
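The enablement steps and the troubleshooting checks from this session, collected into one PowerShell run-through as an added example (this is not the presenter's script). The external namespaces and the test mailbox are placeholder assumptions, the virtual directory checks are the ones from Microsoft's HMA documentation, and the Exchange Online application id is the well-known id of the Exchange Online service principal. Run the Azure AD part from a machine with the MSOnline module and the rest from the Exchange Management Shell.

```powershell
# Added example, not the session's script. Replace the placeholder namespaces and mailbox.
$Namespaces  = @('https://autodiscover.contoso.example/', 'https://mail.contoso.example/')   # assumption: your published URLs
$TestMailbox = 'user@contoso.example'                                                         # assumption
$ExoAppId    = '00000002-0000-0ff1-ce00-000000000000'                                         # Exchange Online service principal

# 1. SPNs in Azure AD for every on-premises namespace (the HCW 8064 OAuth error in the next session is this list being wrong)
Connect-MsolService
$exo = Get-MsolServicePrincipal -AppPrincipalId $ExoAppId
$missing = @($Namespaces | Where-Object { $_ -notin $exo.ServicePrincipalNames })
if ($missing) {
    foreach ($spn in $missing) { $exo.ServicePrincipalNames.Add($spn) }
    Set-MsolServicePrincipal -AppPrincipalId $ExoAppId -ServicePrincipalNames $exo.ServicePrincipalNames
}

# 2. OAuth must be on for every virtual directory (it is by default; confirm nobody turned it off)
Get-MapiVirtualDirectory         | Format-List Server, *Url*, *Auth*
Get-WebServicesVirtualDirectory  | Format-List Server, *Url*, *OAuth*
Get-OabVirtualDirectory          | Format-List Server, *Url*, *OAuth*
Get-AutodiscoverVirtualDirectory | Format-List Server, *Url*, *OAuth*

# 3. The two switches that turn HMA on
Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 4. Verification, matching the troubleshooting section
$authCert = Get-ExchangeCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint
if ($authCert.NotAfter -lt (Get-Date)) { Write-Warning "Exchange Server Auth Certificate expired on $($authCert.NotAfter)" }
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox $TestMailbox -Verbose | Format-List
# Force the metadata refresh instead of waiting up to 8 hours (event 2015, MSExchange AuthAdmin)
Set-AuthServer -Identity EvoSTS -RefreshAuthMetadata

# 5. Once modern auth is confirmed working, block legacy auth per user (Exchange 2019 authentication policy)
New-AuthenticationPolicy -Name 'Block Legacy Auth' -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover `
    -BlockLegacyAuthImap -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
    -BlockLegacyAuthRpc -BlockLegacyAuthWebServices
Set-User -Identity $TestMailbox -AuthenticationPolicy 'Block Legacy Auth'
```

Step 5 is deliberately per user: assign the policy to a pilot group first and watch the Azure AD sign-in logs and the Outlook connection status window for any client that falls back to basic auth before making it the organization default.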
In this session, Ross Smith discusses how to protect Outlook data with conditional access. Topics include:
- Modern Authentication Overview (1:00 mins)
- Based on OAuth2
- Legacy Authentication is used in:
- 99% of password spray attacks
- 97% of credential stuffing attacks
- Disabling Legacy Auth results in 67% fewer compromises
- Legacy auth can be disabled via Exchange Online and Azure AD
- Use sign-in reports in Azure AD to identify users and apps leveraging legacy auth
- Use Multifactor Authentication (MFA) (3:14 mins)
- Reduce the impact of compromised accounts
- Passwords by themselves are insecure
- Legacy auth needs to be disabled for MFA to be effective
- Disable Legacy Auth for Exchange Online (3:58 mins)
- Use the Office 365 Admin Center to disable legacy auth for specific protocols (e.g. Outlook, ActiveSync, IMAP, POP, SMTP Auth, PowerShell)
- Use the Exchange Online PowerShell V2 module for management (supports modern auth and certificate-based auth for unattended scripts)
- Blocking legacy auth with Azure AD (5:35 mins)
- Security Defaults (for those without Azure P1 or P2 licensing)
- Disables legacy authentication for all protocols
- Requires users and admins to register for MFA with the authenticator app (does not support text or call)
- Enabled by default for all new tenants
- Conditional Access Policies
- More granular policies to grant/deny access (for example, device compliance)
- Requires Azure Premium licensing
- Conditional Access: Best Practices (8:48 mins)
- Use Office 365 cloud app to target all apps
- Do not create policies targeting individual apps
- Do not create a block-all policy with exceptions (service dependencies might break, e.g. Teams)
- No policy precedence – all policies must be satisfied
- Conditional Access: Conditions (11:35 mins)
- Device Platform
- Target Operating System
- Client Apps
- Target modern auth client
- Target legacy client (e.g. POP, IMAP, ActiveSync)
- Conditional Access: Grant controls (12:13 mins)
- Require MFA
- Require compliant devices
- Require specific client app
- Require app protection policy
- Conditional Access: Session access (14:55 mins)
- App restrictions on unmanaged devices to keep content off the device
- e.g. block download or print of attachments
- Conditional Access Scenario: Require MFA (16:40 mins)
- Conditional Access Scenario: Require desktop Office apps as the client (18:32 mins)
- Conditional Access Scenario: Require mobile Office apps as the client (20:00 mins)
- Conditional Access Scenario: Enforce desktop browser restrictions (22:20 mins)
- Conditional Access Scenario: Enforce mobile browser restrictions (23:18 mins)
- Conditional Access Scenario: Block basic authentication for ActiveSync (24:56 mins)
- Conditional Access Scenario: Block all other clients (27:05 mins)
- Advanced Conditional Access Policies (premium license) (29:25 mins)
- User Risk – can force password reset if compromised
- Sign-In Risk – can be used to force additional user action if suspicious behavior is detected (suspicious travel)
- Microsoft Defender ATP – can be used to assess device risk (malware, etc.)
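The session's advice to use the Azure AD sign-in reports to find who is still on legacy auth, as an added PowerShell example (not the presenter's code). It groups sign-in records by user and protocol, separating successful legacy sign-ins (the clients that will break when basic auth is turned off) from failed ones (the password-spray signal the session's statistics are about). The records below are constructed; the `clientAppUsed` values are the ones Azure AD emits, and in production you would feed it the sign-ins export from the portal or the output of Get-AzureADAuditSignInLogs from the AzureADPreview module.

```powershell
# Added example, not Microsoft's code. Sample sign-in records are constructed.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange Web Services',
    'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)', 'Autodiscover', 'Offline Address Book',
    'Exchange Online PowerShell', 'Other clients'
)

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)][object[]]$SignIns, [string[]]$Legacy = $LegacyClientApps)
    $SignIns |
        Where-Object { $_.clientAppUsed -in $Legacy } |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            $ok = @($_.Group | Where-Object { $_.status.errorCode -eq 0 })
            [pscustomobject]@{
                User      = $first.userPrincipalName
                Protocol  = $first.clientAppUsed
                UserAgent = $first.userAgent
                Successes = $ok.Count                 # these clients break when basic auth is disabled
                Failures  = $_.Count - $ok.Count      # repeated failures on legacy protocols = spray/stuffing signal
                LastSeen  = ($_.Group.createdDateTime | Sort-Object -Descending | Select-Object -First 1)
            }
        } | Sort-Object Successes, Failures -Descending
}

# Constructed sample: an IMAP user, an SMTP AUTH service account, a modern-auth user, and failed ActiveSync attempts.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'amy@contoso.example';      clientAppUsed = 'IMAP4';                           userAgent = 'Thunderbird';  createdDateTime = [datetime]'2020-09-20T08:01:00'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'amy@contoso.example';      clientAppUsed = 'IMAP4';                           userAgent = 'Thunderbird';  createdDateTime = [datetime]'2020-09-21T08:05:00'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'svc-scan@contoso.example'; clientAppUsed = 'Authenticated SMTP';              userAgent = '';             createdDateTime = [datetime]'2020-09-21T12:00:00'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'rory@contoso.example';     clientAppUsed = 'Mobile Apps and Desktop clients'; userAgent = 'Outlook/16.0'; createdDateTime = [datetime]'2020-09-21T09:00:00'; status = @{ errorCode = 0 } }
    [pscustomobject]@{ userPrincipalName = 'helpdesk@contoso.example'; clientAppUsed = 'Exchange ActiveSync';             userAgent = '';             createdDateTime = [datetime]'2020-09-21T03:14:00'; status = @{ errorCode = 50126 } }
    [pscustomobject]@{ userPrincipalName = 'helpdesk@contoso.example'; clientAppUsed = 'Exchange ActiveSync';             userAgent = '';             createdDateTime = [datetime]'2020-09-21T03:15:00'; status = @{ errorCode = 50126 } }
)
Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize

# Exchange Online side, once the list is clean (real cmdlets, run after Connect-ExchangeOnline):
# an authentication policy with no Allow* switches blocks basic auth for every protocol,
# and SMTP AUTH is switched off for mailboxes that never need it, as the transport session recommends.
# New-AuthenticationPolicy -Name 'Block Basic Auth'
# Set-User -Identity amy@contoso.example -AuthenticationPolicy 'Block Basic Auth'
# Set-CASMailbox -Identity rory@contoso.example -SmtpClientAuthenticationDisabled $true
```

Error code 50126 in the sample is Azure AD's invalid username or password result; a burst of those against one protocol across many accounts, with no successes, is the pattern the 99% password-spray statistic refers to, and it disappears from the legacy protocols once they are blocked because the request is rejected before the password is checked.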
In this session, Ross Smith discusses how to protect devices with app protection policies. Topics include:
- Unified Endpoint Management (UEM) Overview (0:25 mins)
- App configuration
- Device wipe
- Device push
- Device configuration
- Device compliance
- Device inventory
- App Management Overview (1:45 mins)
- App configuration
- App wipe
- App protection
- App self-service
- Does not require device enrollment
- Enforcement through conditional access policies (3:15 mins)
- Assignments
- Identity
- Apps
- Conditions
- Sign-in Risk
- Device Platform
- Location
- Client Apps
- Grant Controls
- Require MFA
- Require device compliance
- Require approved client apps
- Require app protection policy
- Device Risk (4:35 mins)
- Compliance
- Compromised
- Malicious apps
- Unusual activity
- Detecting Device Risk (5:13 mins)
- Endpoint Analysis
- Microsoft Defender ATP
- Includes Windows, macOS, Android, and Linux
- Third-party
- Mobile-only
- Intune compliance policies mark risky devices as non-compliant
- Conditional access policies block non-compliant devices
- Protect Windows 10 managed devices (8:55 mins)
- Windows Hello (MFA)
- Compliance Policy
- Security Baselines for Windows 10, Defender ATP, Edge Browser
- BitLocker policy (drive encryption)
- Automatic Microsoft updates
- Protect unmanaged Windows devices (11:10 mins)
- Restrict access to Outlook on the Web only
- Protect OWA with conditional access policies
- Prevent printing or downloading of attachments
- Set-OWAMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly
- Protect mobile devices (12:15 mins)
- iOS
- Device Managed
- User enrolled vs. Apple Corporate Programs (VPP + DEP/ASM)
- App Managed
- Android
- AE Fully Managed
- AE Dedicated (Kiosk)
- AE Work Profile
- App Managed
- App Protection Policies (15:30 mins)
- Protect corporate accounts
- Device requirements
- Device health
- Minimum OS/app requirements
- Protect against rooted/jailbroken devices
- Access requirements
- PIN (e.g. complexity requirements)
- Biometrics
- Credentials
- Inactivity
- Data protection
- Prevent data from being copied between apps or accounts
- Managed vs. unmanaged apps
- Corporate accounts vs. personal accounts
- Selective wipe only targets corporate data within a specific app
- Encrypt corporate data
- Predefined app protection policies (19:50 mins)
- Basic Data Protection (Level 1)
- Requires PIN
- Device Encryption
- Selective Wipe
- Android device attestation
- Enhanced Data Protection (Level 2)
- All items from Level 1
- Enforces minimum OS requirements
- Enforces DLP between apps/accounts
- High Data Protection (Level 3)
- All items from Level 2
- Advanced data protection
- Enhanced PIN configuration
- Requires Mobile Threat Defense
- DEMO: App protection policies (22:25 mins)
- Restrict cut, copy, and paste between apps (managed vs. unmanaged)
- Restrict web content transfer (requires managed web browser)
- Access requirements (e.g. PIN requirements)
- Device conditions (block rooted/jailbroken/OS requirements)
- DEMO: End-user experience with app protection policies (25:45 mins)
- Copying data between managed and unmanaged apps
- Copying data between corporate and personal accounts
- Open links in a managed web browser
In this session, Rob Whaley discusses how to troubleshoot hybrid configuration wizard errors and how to resolve them. Also, Rob explains what to do when there are no errors. Topics include:
- Overview of troubleshooting Hybrid Configuration Wizard errors (2:15 mins)
- HCW logs folder (3:40 mins)
- Review *.log and *.xhcw files
- Finding errors in log files
- XHCW files are XML files that can be read with an XML viewer
- XHCW files show every command run by the Hybrid Configuration Wizard
- Troubleshooting example: Migration endpoint can’t be removed (5:16 mins)
- Log identified to remove batches before removing endpoint
- Log identified permissions issue when removing batches
- Resolution: Reset administrative permissions on the migration endpoint or delete/recreate endpoint
- Troubleshooting example: Migration endpoint can’t be added (8:58 mins)
- Log identified timeout when verifying the creation of the migration endpoint
- Log identified (504) Gateway Timeout
- Verify IIS logs on Exchange servers
- If there are no entries in IIS, verify proxies, firewalls, load balancers to determine the root cause
- Troubleshooting example: HCW Error 8064 – OAuth (13:23 mins)
- Log identifies permissions issue
- Resolution: Fix SPNs in Azure AD with on-premises URLs
- Ports required for Hybrid Configuration Wizard (16:20 mins)
- Ports for Classic Minimal Hybrid
- Ports for Classic Full Hybrid
- Ports for Modern Minimal Hybrid
- Ports for Modern Full Hybrid
- When hybrid is broken but HCW completes without errors (17:40 mins)
- Identify which component is not working
- Check the HCW logs
- Find cmdlet and try running yourself
- Check manual steps for OAuth – https://aka.ms/ConfigOAuth
- Check HMA configuration – https://aka.ms/ConfigHMA
- Testing Hybrid Agent – https://aka.ms/HCWTestAgent
- Check for blocks by the network (firewall, proxies, load balancers)
Fabrizio Berton discusses the steps needed to make Exchange On-Premises integrate with Microsoft Teams. Topics include:
- Teams and Exchange On-Premises integration overview (1:55 mins)
- Calendars from mailboxes in Exchange Online work out of the box
- Calendars from mailboxes in Exchange On-Premises require Exchange hybrid
- Without Exchange hybrid the calendar icon in Teams for on-prem mailboxes is hidden
- Teams integrations supported based on mailbox location (3:22 mins)
- For Exchange Online Mailbox
- Only contacts in the primary contacts folder are supported in Teams (no subfolder support)
- Teams leverages the Outlook on the Web photo
- For Exchange On-Premises Mailbox
- Retention items are stored in a shadow mailbox attached to the mail user
- Voicemails are delivered to the on-prem mailbox but voicemails can’t be viewed or played within Teams
- Cannot modify the profile picture
- Cannot access on-premises mailbox contacts
- Identity Prerequisites (5:58 mins)
- All users should be synchronized to Azure AD with Azure AD Connect
- All users need to be synchronized to avoid issues scheduling meetings in Teams (e.g. non-existent user)
- Exchange On-Premises Prerequisites (7:00 mins)
- Exchange 2010 cannot exist in the organization
- Classic full hybrid configuration (no modern hybrid)
- Autodiscover and EWS must be published on the internet (Exchange 2016 CU3+)
- The mailbox must be hosted on Exchange 2016 or later
- OAuth must be configured
- Hybrid Configuration Overview (8:47 mins)
- Enablement Steps (10:05 mins)
- Install Exchange 2016 CU3+ or Exchange 2019
- Move Autodiscover to Exchange 2016/2019
- Move mailboxes to Exchange 2016/2019
- Decommission Exchange 2010 (if present)
- Configure Azure AD Connect Synchronization
- Run Hybrid Configuration Wizard (HCW)
- Assign licenses
- DEMO (11:47 mins)
- Mailbox on Exchange 2013 – No Calendar tab
- Move mailbox from Exchange 2013 to 2016
- Mailbox on Exchange 2016 CU3+ – Calendar tab now available with data
- Create meeting in Outlook shows up in Teams calendar
- Troubleshooting – Azure AD SPNs (20:00 mins)
- Check SPNs for on-premises FQDNs are listed in Azure AD (e.g. https://autodiscover.domain.com/, https://mail.domain.com/)
- Troubleshooting – Autodiscover Redirection (21:47 mins)
- Verify Office 365 Autodiscover is redirecting Autodiscover back on-prem for on-prem mailbox (e.g. https://outlook.office365.com/autodiscover/autodiscover.json?Email=yourname@yourdomain.com&Protocol=EWS&RedirectCount=5)
- Troubleshooting – Teams Client Logs (22:52 mins)
- Restart Teams client to force calendar load
- Get the logs by using CTRL + ALT + SHIFT + 1 for Windows and COMMAND + OPTION + SHIFT + 1 for Mac
- For Windows these logs will be saved to your “Downloads” folder under your user profile
- Look for entries such as UserAppsStore: Added calendar app
- Troubleshooting – EWS Allow Agent Strings (uncommon) (24:08 mins)
- EWS Allow settings may have agents strings defined and blocked at the mailbox or organization level
- Do not block MicrosoftNinja/1.0, Teams/1.0, ExchangeServicesClient, SkypeSpaces, or Scheduling Service in the EWS agent strings
- Scheduling Service is used by Teams
- IIS logs can identify if EWS is configured to block these agent strings
- Troubleshooting – OAuth is disabled on-prem (26:08 mins)
- OAuth is enabled by default in Exchange 2016
- Confirm OAuth has not been disabled (e.g. Get-WebServicesVirtualDirectory)
- Use Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Prem Mailbox> -Verbose | FL to test
- Additional considerations (28:13 mins)
- SharePoint Online is required to share and store files (SharePoint on-prem cannot be used)
- Users must be assigned a SharePoint Online license if they want to share files in Teams Chats (can share files in Channels without a SharePoint license)
- Users must be able to create Microsoft Groups in order to create Microsoft Teams
- To ensure all meetings are discoverable, disable private meetings for on-prem mailboxes
- If you uninstall Skype for Business Client (while in Teams only mode) presence may break until you register Teams as the chat app for Office (Teams options)
Tim McMichael discusses how to manage distribution lists in Exchange hybrid. Topics include:
- How distribution lists are replicated to Exchange Online (0:40 mins)
- Azure AD Connect replicates DLs from on-premises to Azure AD
- Scope of synchronization can be controlled by filtering in Azure AD Connect (e.g. OU filtering and attribute filtering)
- Mail-enabled DLs are also synced from Azure AD to Exchange Online
- Distribution List life cycle in Exchange hybrid (2:00 mins)
- Common Issues – Users missing in Exchange Online (3:30 mins)
- Not all DL members receive an email
- Occurs when certain DL members are not being synchronized to Azure AD
- Common Issues – Groups missing in Exchange Online (5:30 mins)
- Group missing in address list after user migrated to Exchange Online
- The group is not being synchronized to Azure AD
- Common causes – Missing users and groups (6:46 mins)
- OU containing the user or groups was excluded from synchronization
- Filtering, such as attribute filtering, blocks the user or group from being synchronized
- Azure AD Connect account does not have permissions to all organizational units
- Synchronization between Azure AD and Exchange Online fails
- Troubleshooting – Missing users and groups (8:20 mins)
- Perform a metaverse search in Azure AD Connect
- Verify the user or group has connectors to both on-premises Active Directory and Azure AD
- Review membership of the group in Azure AD
- Review membership of the group in Exchange Online
- Common Issues – Access Denied for end-user group management (11:44 mins)
- Managed by users via the Global Address List in Outlook
- Error: “Changes to the public group membership cannot be saved. You do not have sufficient permissions to perform this operation on this object.”
- Common causes – Access denied for end-user group management (14:25 mins)
- Error is due to the source of authority being on-prem Active Directory (not Azure AD).
- Write scope is limited to on-premises Active Directory
- Azure AD is read-only on the group object
- User may not have the MyDistributionLists user rights assignment
- User is not the owner of the group
- Solutions – Access denied for end-user group management (15:00 mins)
- Ensure the user is the owner and has the MyDistributionLists role
- Migrate distribution groups to Exchange Online, so Azure AD is the source of authority
- Distribution List Migrations (15:55 mins)
- No way to change the source of authority for a distribution list from on-premises to online
- No way to convert a synced group to a cloud-only group
- Distribution Groups must be manually recreated in the cloud to become the source of authority
- Challenges of recreation
- Time-consuming
- Need to ensure on-premises mailboxes and SMTP relays can still send email to the cloud group
- Need to ensure all members, nesting, and attributes are recreated
- Distribution List Recreation Script (18:45 mins)
- Script available at https://github.com/timmcmic/DLConversion
- Backs up all members and group attributes to XML
- Validates that all members, owners, and moderators exist in Office 365 prior to group recreation
- Migrates all group attributes, members, and nested groups
- Deletes the on-premises version of the DL
- Creates a mail user on-prem with a target address of the migrated DL's onmicrosoft.com address to allow mail flow from on-premises mailboxes and SMTP relays
- Script options:
- Track dependencies
- Not tracking dependencies increases migration performance
- Simple distribution groups should not use tracking
- Retain group on-premises vs. mail user conversion
- Not recommended: if the old DL is ever resynced to the cloud it will soft-match and overwrite the cloud-only distribution group
- Convert group type
- Security > Distribution List
- Distribution List > Security
JJ Caldiz discusses how Outlook clients across all platforms will be transitioning to a common codebase and the benefits of Outlook on the Web Powered Experiences (OPX). Topics include:
- Benefits of a common Outlook architecture (1:30 mins)
- DEMO: Grammar, synonym, and writing suggestions in Outlook on the Web (2:12 mins)
- DEMO: Grammar, synonym, and writing suggestions in Outlook (2:45 mins)
- DEMO: Translator app demo (3:13 mins)
- Translate a word or phrase
- Translate the entire message
- Automatic translation
- DEMO: Immersive reader in Outlook (3:43 mins)
- Immersive reader customizations to text, background color, and more
- Current and future state for Outlook client (4:45 mins)
- Historical architecture of the different Outlook clients
- Future shared architecture of Outlook clients
- Microsoft Sync technology (common sync stack)
- DEMO: Outlook for Mac powered by the new Microsoft Sync technology
- Performance improvements by switching to React for Outlook on the Web (6:25 mins)
- 4.5x increased render speed in list view
- 7.8x increased render speed of reading pane
- 5.9x reduction in conversation memory footprint
- Outlook on the Web Powered Experiences (OPX) in Outlook for Windows (6:50 mins)
- DEMO: Room Finder
- Option to end appointments early via settings (8:48 mins)
- Option to add an online meeting to all meetings by default (9:30 mins)
- DEMO: Integrated Teams chats in Outlook on the Web (10:00 mins)
- DEMO: Outlook on the Web notification pane to highlight when you receive @mention in documents (10:45 mins)
- DEMO: Same @mentions added as an OPX into Outlook for Windows
- DEMO: Microsoft ToDo added to Outlook for Windows via OPX (11:30 mins)
Julia Foran discusses all the recent and roadmapped calendar features coming to all Outlook platforms. Topics include:
- Calendars from Personal Accounts (e.g. Outlook.com) (1:10 mins)
- Available on all platforms
- Allows colleagues to see free/busy time of personal events when scheduling meetings
- Personal meeting details are never shown (including title, details, etc.)
- Shared and delegate calendars (1:50 mins)
- Available on all platforms
- Import ICS files (2:00 mins)
- Available for Windows, Mac, Web, and Android
- Coming to iOS
- Calendar pane (2:15 mins)
- Available for Windows, Mac, and Web
- Suggested meeting times (2:37 mins)
- Available for Mac and Web
- Coming to Android and iOS
- Room Finder (3:30 mins)
- Available for Windows, Mac, and Web
- Includes room capabilities (audio devices, capacity, etc.)
- Room Finder for Recurring Meeting Series (4:00 mins)
- Available for Windows and Web
- Coming to Mac
- Room policies will refine suggestions from Room Finder (4:30 mins)
- For example, max meeting duration, allow recurring meetings, booking windows
- Automatic placement of meetings on calendars (4:50 mins)
- For example, mandatory all-hands meetings
- Meetings will auto-accept and not require recipient intervention
- Admin must create two transport rules to identify which sender is allowed to generate auto-accept meetings and automate the action of acceptance by the recipient
- Workspaces (5:45 mins)
- Similar to conference rooms when configuring as an admin
- New-Mailbox -Name RoomName -Room
- Set-Mailbox -Identity RoomName -Type Workspace -ResourceCapacity {int32}
- Set-CalendarProcessing -Identity RoomName -EnforceCapacity $true -MinimumDurationInMinutes {int32}
- Similar to conference rooms when booking as a user
- Teams Meetings (6:45 mins)
- One-click join
- Available on all platforms
- Option to make every meeting a Teams meeting by default
- Available on Mac, Web, Android, and iOS
- Coming to Windows
- Meeting Breaks (7:25 mins)
- Option to end meetings early via settings
- Available on Windows and Web
- Coming to Mac, Android, and iOS
- Option to start meetings late via settings
- Available on Web
- Coming to Windows, Mac, Android, and iOS
- Plans to allow admins to configure as a global policy via Set-OrganizationConfig
- Meeting Insights (8:00 mins)
- Quickly find files and emails to present during the meeting
- Available to Mac, Web, Android, and iOS
- Coming to Windows
- Shared calendars and delegates (8:20 mins)
- Old model
- Primary calendar – read/write against local OST cache
- Shared calendar – read/write against Exchange Online
- Performance issues
- New model
- Primary and Shared calendars all read/write to the local OST cache
- Much better performance
- Available on all platforms
- Windows is still an opt-in experience
- Select “Turn on shared calendar improvements (preview)” under mail account options and reboot Outlook (delegate/shared calendar will show as “Preview” in calendar view).
- Can be configured via a GPO (option is “REST updates for calendars”)
- 4,000 delegates have already opted in to the new preview experience
- Week Numbers (14:10 mins)
- Available on all platforms
- Time zone scheduling now available on iOS (14:29 mins)
- Outlook calendar can be synced to Android device calendar (14:40 mins)
- Can be blocked with Intune
- Flexible day view released to Web (15:00 mins)
- Web will prompt to change calendar time zone if it notices a location change (15:10 mins)
- Calendar features added to the new Outlook for Mac (15:40 mins)
- Office 365 Group calendars
- Strikethrough for canceled events
- Can show appointment as working elsewhere
- Calendar pane in the main mail window
- Suggested meeting times
- Location suggestions
- Meeting insights
- Coming soon: Automatic removal of attendees from meetings who no longer exist in the organization (16:00 mins)
- Bug fixes to Teams join buttons on meetings (16:40 mins)
In this session, Ankur Lal showcases all the new features in Outlook on the Web. Topics include:
- DEMO – Teams Integration (2:25 mins)
- Configure new meetings to be Teams meetings by default
- One-Click join appears 15 minutes before the start of the meeting and for the duration of the meeting
- Reply to Teams message within Outlook on the Web
- Share email to Teams
- Share Teams message to email
- Meet Now button in Outlook on the Web with email recipients
- Teams chat integration in Outlook on the Web
- DEMO – Yammer Integration (6:05 mins)
- Reply to Yammer message within Outlook on the Web
- DEMO – Office integration (6:44 mins)
- Reply to @mentions in Office documents
- Upload and share documents to OneDrive from Outlook on the Web
- DEMO – Editor improvements (7:45 mins)
- Suggested replies now include schedule a meeting and attach file options
- Text predictions
- Spelling and Grammar
- Making sentences more concise and improving writing
- DEMO – Search (11:07 mins)
- Suggested searches
- Searches across all Office products
- Can join Teams meetings from search results
- Natural language search
- Search filters
- DEMO – Send Later (16:14 mins)
- Lets you schedule delivery of a message
- DEMO – Personal calendar (16:57 mins)
- Allows you to add calendar events from your personal calendar to your work calendar
- Free/busy is only shared with colleagues
- Roadmap (18:45 mins)
- Command bar customization
- Link icon in the message list for emails containing SharePoint links
- How Outlook on the Web is improved (19:45 mins)
- Feedback
- User Voice
- Surveys
- Interviews
- Experiments
- 100+ experiments running at once
- 700+ changes every year
- When an experiment does not go right
- Insights
- Feedback
Vivek Kumar discusses all the features in the new Outlook for Mac client, as well as items on the roadmap. Topics include:
- New Outlook for Mac (0:20 mins)
- Connects with Microsoft Sync technology
- New features added, including Calendar 3-day View, MailTips, Meeting Insights, Natural Language Search, and Snooze
- UI improvements (2:21 mins)
- Dark mode
- Rounded corners
- Fluent icons
- Big Sur ready
- DEMO: Toggle to switch between the new/old Outlook for Mac experiences (3:30 mins)
- DEMO: Showcasing performance improvements of Microsoft Sync technology (4:00 mins)
- DEMO: Calendar Bar UI improvements (5:05 mins)
- Calendar views (Agenda vs. Day)
- Join Teams meetings from Calendar
- Creating new appointments with drag and release
- Hiding calendar meeting pane
- DEMO: Toolbar UI improvements (7:45 mins)
- Customizing the toolbar
- Adding add-ins to the toolbar
- DEMO: Message UI Improvements (9:05 mins)
- Snoozing a conversation
- RSVP button added to message list
- New reply/forward buttons and message composition experience
- Reading pane locations
- Customizing the message list view and options (swipe left/right actions)
- New rules wizard experience
- DEMO: Search (12:30 mins)
- Search bar relocated to the header (same as Outlook for Windows)
- Search autocorrection on misspellings
- Advanced search queries available
- Natural language search
- Offline search
- DEMO: Calendar (15:30 mins)
- Scheduling assistant
- Room Finder
- Drag in the calendar to create an event
- Option to make every meeting a Teams meeting by default
- DEMO: People (19:25 mins)
- People views
- Editing a contact
- Contact quick actions (IM, email, call)
- Add contact to favorites creates a search folder for contact
- Roadmap items (21:30 mins)
- Adding iCloud and IMAP to Outlook
- Shared calendars
- Shared mailboxes
- Delegates
- S/MIME
- ICS support
- Saved search
- End meetings early
- Online meetings for consumer accounts
In this session, Jeffrey Kalvass takes a deep dive into the new Outlook for Mac. Topics include:
- Outlook version recap (0:50 mins)
- Outlook 2016 for Mac (v15.x – v16.x) end of support October 13, 2020
- Apps will continue to function
- No more updates
- No more technical support
- Outlook 2019 for Mac (v16.7+) end of support October 10, 2023
- Outlook to block injection-based plugins (2:20 mins)
- Top cause of Outlook crashes
- Original deadline moved from June 2020 to TBD
- Replace injection-based plugin with replacement from Office Store
- Remove injection-based plugins
- New Outlook for Mac (3:55 mins)
- Switch from EWS to Microsoft Sync technology
- Designed for Big Sur
- Toggle switch to opt-in to the new experience
- Microsoft Sync Technology (7:45 mins)
- Previously EWS synchronized the entire mailbox to the Mac
- New experience provides a sync window that only downloads the newest 1,000 conversations per folder
- New sync window utilizes much less disk space
- Search (10:40 mins)
- When online, Microsoft Search is used
- When offline, Spotlight is used
- Requirements for new Outlook for Mac (12:12 mins)
- macOS 10.14 (Mojave) or newer
- Outlook 16.40 (Slow) or 16.32 (Insider Fast)
- Account Types
- Exchange Online (Office 365)
- Outlook.com
- Account Types Planned
- Exchange On-Premises
- IMAP
- POP
- Yahoo
- iCloud
- OAuth support for (13:55 mins)
- Exchange Online (Office 365)
- Outlook.com
- New early adopter preference key (15:22 mins)
- Possible Values
- 0 = Switch hidden, default to old Outlook
- 1 = Switch displayed, default off (old Outlook)
- 2 = Switch displayed, default on (new Outlook)
- 3 = Switch hidden, default to new Outlook
- Mailbox setup preference key allows you to manage settings for (17:22 mins)
- Mailboxes
- Online meetings
- Weather location
- Signatures
- Additional mail and calendar settings
- DEMO (18:20 mins)
- Preferences for new Outlook for Mac (System Preferences > Profiles)
- First run experience with preferences
- DEMO (22:30 mins)
- Adding additional accounts to Outlook for Mac (Outlook.com and Google using OAuth)
- Warning user will see if they add an unsupported account (iCloud)
- DEMO (24:30 mins)
- Reviewing profile size with the new sync window technology
- DEMO (24:55 mins)
- User experience switching back to the old Outlook for Mac (EWS)
- DEMO of development build (26:00 mins)
- New UI updates for Big Sur
- Natural language search
- Autocorrect spelling recommendations in search
- Signatures
- Weather
- Online meeting options
- Focused inbox
- iCloud account available in development build
- iCloud calendar support
- iCloud contact support
In this session, Chad Solarz and Charlene Stephens share the steps needed to properly decommission Exchange. They also identify common pitfalls. Topics include:
- Decom Don’ts (1:25 mins)
- Stop services as a “test” of removal
- These are still published in Active Directory
- Failures by WS-Man trying to connect to these servers
- Users still proxying through these servers
- Not removing antivirus before uninstall
- AV locking files during uninstall
- Rushing through the uninstall
- Not involving the owners of applications that integrate with Exchange (EWS, SMTP)
- Forgetting to rerun the Hybrid Configuration Wizard (HCW) to remove nodes
- Third-party integrations (3:47 mins)
- Apps integrating with EWS / SMTP / POP / IMAP
- Fax integration
- Voicemail integration
- Line of business apps
- Decommissioning Client Access Role (4:40 mins)
- Move namespace to new version of Exchange
- Move Autodiscover SCP records to new version of Exchange
- Move SPNs for Kerberos
- Verify if older versions of Exchange have Kerberos SPNs
- Remove HTTP SPNs for old versions of Exchange
- Reminder: Exchange 2010 cannot share SPN with any newer versions of Exchange
- Decommissioning Transport Role (7:00 mins)
- Remove servers to be decommissioned from all send connectors
- Recreate receive connectors to new Exchange servers
- Update DNS records for mail flow to new servers
- Decommissioning Mailbox Role (9:00 mins)
- Identify and move all mailboxes to new Exchange servers (including all system arbitration mailboxes)
- Remove Exchange 2010 Offline Address Book (if applicable)
- Remove Public Folders and public folder database (if applicable)
- Remove database copies, databases, and membership from DAG (also remove DAG if applicable)
- Decommissioning Unified Messaging (13:00 mins)
- Remove dial plans, attendants, IP gateways, hunt groups, and mailbox policies
- Decommissioning Edge Transport (13:20 mins)
- Cleanup Tasks after uninstall (13:47 mins)
- Remove computer accounts from AD
- Remove old Edge subscription
- Remove DAG Cluster Node Object (CNO) if applicable
- Remove Exchange server names from DNS
- Remove file share and Exchange Trusted Subsystem permissions on File Share Witness (FSW)
- Remove old firewall rules
- Remove old load balancer VIPs
- Decommission physical or virtual servers
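A pre-flight check that covers the Client Access, Transport and Mailbox steps above, as an added example that is not part of the session or the presenters' material. It assumes an Exchange Management Shell on a current server in the org (Exchange 2016 or later, for Get-ClientAccessService) and uses the hypothetical server name OLDEX01 for the server being removed.

```powershell
# Added example, not from the session: pre-uninstall checks for one legacy
# Exchange server. Run from an Exchange Management Shell on a newer server in
# the org. 'OLDEX01' is a placeholder name for the server being removed.
# Each check maps to a step in the session notes; any non-empty output means
# that step is not finished, so do not start the uninstall yet.
$Server = 'OLDEX01'

Write-Host "== Client Access: Autodiscover SCP (should not point at $Server) =="
# On Exchange 2013 shells the equivalent cmdlet is Get-ClientAccessServer
Get-ClientAccessService -Identity $Server |
    Select-Object Name, AutoDiscoverServiceInternalUri

Write-Host "== Kerberos: HTTP SPNs still registered on $Server =="
setspn -L $Server | Where-Object { $_ -match '^\s*http/' }

Write-Host "== Transport: send connectors still sourcing from $Server =="
Get-SendConnector | Where-Object {
    @($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $Server
} | Select-Object Name, SourceTransportServers

Write-Host "== Mailbox role: mailboxes still homed on $Server =="
Get-Mailbox -Server $Server -ResultSize Unlimited | Select-Object Name, Database
Get-Mailbox -Server $Server -Arbitration | Select-Object Name, Database
Get-Mailbox -Server $Server -PublicFolder | Select-Object Name, Database

Write-Host "== Databases and DAG copies still on $Server =="
Get-MailboxDatabase -Server $Server | Select-Object Name, Servers
Get-MailboxDatabaseCopyStatus -Server $Server | Select-Object Name, Status

Write-Host "== DAG membership of $Server =="
Get-DatabaseAvailabilityGroup | Where-Object {
    @($_.Servers | ForEach-Object { $_.Name }) -contains $Server
} | Select-Object Name, Servers

Write-Host "== Legacy OAB still generated by $Server (Exchange 2010 only) =="
Get-OfflineAddressBook | Where-Object { "$($_.Server)" -eq $Server } |
    Select-Object Name, Server
```

Receive connectors are removed with the server itself, so they are not listed here; recreate the ones you still need on the new servers before the uninstall, as the session recommends.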
Download Ignite 2020 videos and slides
Michel de Rooij has developed a script that will download all the Ignite videos and slide decks. You can find his script on Github.
Ignite 2020 slide deck and video downloader by Michel de Rooij.
Further Reading
Here are some articles I thought you might like.
- Sysadmin Today #78: Talking Tech with Gareth Gudger
- Exchange Online Updates (September 2020)
- Exchange Cumulative Update (September 2020)
- RunAs Radio #684 – Exchange in 2020 with Gareth Gudger
- Recover deleted email using the new Exchange Admin Center

What sessions do you think should be on this list? Drop a comment below or join the conversation on Twitter @SuperTekBoy.
Couldn't play most of the videos as they are private
Hey Kiran,
I have let Microsoft know. They were all working previously. Hopefully they resolve them soon.
Looks like all the videos are available again. 🙂
Thanks mate