8 MEC sessions every Exchange admin should see (2022 Edition)

Getting Ready for Basic Auth Deprecation in Exchange Online
In this session, Greg Taylor discusses the roadmap for basic authentication, all the great work done so far, and how organizations can opt to keep basic auth until December. Topics include:

• Organizations leveraging basic auth are more suspectible to compromise (1:10 mins)
• 99%+ of password spray attacks use legacy auth
• 97%+ of credential stuffing use legacy auth
• 60% of users re-use passwords
• 921 password attacks every second (almost double last year
• 50 million password attacks launched every day (Q4 2021)
• Beginning October 1st, basic auth will be disabled for: (2:54 mins)
• POP
• IMAP
• EWS
• MAPI
• RPC
• OAB
• ActiveSync
• Exchange Online Remote PowerShell
• Basic authentication will remain enabled for: (3:40 mins)
• Autodiscover
• SMTP AUTH
• Organizations can opt-out or request an extension for basic auth through December 31st, 2022. (4:10 mins)
• Why Microsoft is disabling basic auth (5:53 mins)
• How Microsoft analyzes basic auth usage (8:43 mins)
• What the usage data revealed (11:55 mins)
  • 70 million people using basic auth across 4 million tenants
  • 10 million MAPI users made 60 million basic auth request per day
  • 1.5 million POP users made 80 million basic auth request per day
  • ActiveSync, Outlook and EWS primary drivers of basic auth
  • 1/3rd basic auth comes from tenants with more than 10k users (1% of tenants)
  • 1/3rd basic auth comes from tenants with less than 100 users (90% of tenants)
• Suspicious usage impacting metrics (21:45 mins)
  • Set-CASMailbox blocks a user after they have authenticated successfully
  • Auth policies block basic auth prior to the user authentication attempt
• Deprecating basic auth timeline (30:10 mins)
• Prior delay due to needing more time
• Prior delay due to pandemic
• Disabled basic auth for tenants not using it
• Disabled basic auth for protocols not using it
• Disabled basic auth temporarily for some tenants for 48 hours
• Disabling basic auth for all tenants October 1st, 2022 (unless opt-out or extension requested)
• Backfill disabling basic auth in tenants with security defaults enabled, test tenants, etc.
• Basic auth deprecation for 21Vianet will begin on March 31st, 2023
• Tactics to eliminate basic auth (37:20 mins)
  • Message Center versus Service Health Dashboard (incl. tenant usage statistics)
  • 0.05% of tenants re-enabled basic auth with self help diagnostics
  • Disabling basic auth for 48 hours in some tenants (1-3% of tenants re-enabled)
  • Enabling OAuth2 in tenants
• Apple partnership to switch iOS devices using ActiveSync to OAuth2 automatically (40:52 mins)
  • Requires iOS 15.6+
  • 1 million iOS devices migrated to OAuth

Microsoft Exchange Tips and Tricks
In this session, Scott Schnoll shares his top Exchange tips and tricks. Topics include:

• Exchange Server codebase (2:43 mins)
  • Exchange Server major releases and cumulative updates were historically forks of the Exchange Online code. This could introduce code not applicable to Exchange on-prem or introduce bugs.
  • Exchange Online and Exchange Server now have separate codebases
  • Exchange Online features are ported and fully validated in Exchange Server when desired
  • Separate codebase means less changes for on-prem customers and less chance of update regression
  • Exchange Server team retroactively cleaning up code that only applies to Exchange Online
• Current Exchange landscape (6:10 mins)
  • Most customers still on Exchange 2013 or 2016
  • Over a 2-week period 500,000 Exchange Servers submitted analytics to Microsoft.
  • 100,000 running Exchange 2019
  • 50,000 running Exchange 2010
  • Few thousand running Exchange 2007
  • Customers struggle to stay on latest cumulative update
  • 25% on latest CU
  • 44% on N-1 CU
  • 7% on N-2 CU
  • 24% on unsupported CUs
  • Customers struggle to stay on latest security update
  • 13% of Ex13 CU23 on the latest SU
  • 33% of Ex16 CU22 on the latest SU
  • 50% of Ex16 CU23 on the latest SU
  • 65% of Ex19 CU11 on the latest SU
  • 50% of Ex19 CU12 on the latest SU
• Changes to cumulative updates (CU) (9:43 mins)
  • Changed release cadence of CUs from quarterly to semi-annual
  • Release dates targeted for April and September but ultimately driven by quality
• Changes to security updates (SU) (11:05 mins)
• Available as both a MSP and self-extracting EXE package
• Self-extracting EXE package automatically elevates with administrative rights.
• EXE added to address issue where MSP file was not run with elevated permissions which resulted in installations issues.
• Exchange Support (12:27 mins)
  • The Extended Security Update Program will only be available to Exchange 2016 and 2019
  • Exchange 2013 customers should migrate to Exchange 2019 before end of support (April 11th, 2023)
  • Exchange vNext will leverage the Modern Lifecycle Policy which moves away from major product releases by keeping Exchange Server on a continuous update cadence (same as M365 Apps).
• Updating Exchange Servers (15:05 mins)
  • Use the Exchange Health Checker to look for issues prior to installation.
  • Use the Exchange Update Guide to help prepare for the update.
  • Test updates before putting in production
  • Have backups of Active Directory, Exchange, and any web.config customizations
  • Disable antivirus when updating
  • August SU adds Windows Extended Protection support to Exchange Servers
• Exchange 2019 preferred architecture (20:25 mins)
  • Each preferred architecture is specific to a version of Exchange
  • Up to 48 physical processor cores
  • Up to 256 GB RAM
  • Battery backed write cache
  • Leverage the MetaCache DB with SSDs
  • Scale-out versus scale-up
  • Use physical rather than virtual servers
• Updates to the Exchange 2019 Sizing Calc (24:50 mins)
• What “Check for updates” in the setup wizard does (26:17 mins)
• Updated Exchange Management Pack for SCOM (28:00 mins)
• Exchange Server Bug Bounty Program (29:25 mins)
• Up to $26k awarded per bounty
• $127k awarded in bounties
• Windows Server 2022 support for Exchange 2019 (30:37 mins)
• TLS 1.3 support for Exchange in H2 2023
• Supported Exchange versions can leverage Windows Server 2022 DCs
• Changes to antivirus exclusions on Exchange (33:30 mins)
• Modern auth will be native to Exchange 2019 (35:15 mins)
• Custom configs (e.g., changes to web.config) will be preserved during updates (38:00 mins)
• Changes to the Hybrid Configuration Wizard (37:05 mins)
• HCW will allow admins to pick which steps to perform or skip
• HCW will support a what-if function so admins can see what the HCW will change
• Scheduled for H1 2023
• Exchange Online (41:10 mins)
• 300k server
• 175 datacenters
• 210 network POPs
• 1.4 EB of data
• 42 trillion items
• 7.3 billion mailboxes
• Daily Stats
• 9.2 billion messages
• 2.4 billion spam blocked
• 1.9 trillion items read/opened
• Exchange Online Recent Updates (42:35 mins)
• MRM Retention Tags, MRM Retention Policies, and Journal rules moved to Microsoft Purview
• Changes to Tenant Allow/Block Lists (TABL)
• Custom email notifications and policy tips added to DLP policies
• 42 new sensitivity labels added to protect credentials
• Exchange Online Coming Soon (46:50 mins)
• Exchange Online PowerShell v3 module will be GA on September 20th, 2022.
• Ability to block sender, URL, or attachment while submitting to Microsoft for analysis
• Configure label to apply S/MIME automatically (expected October 2022)
• Dashboard for on-prem Exchange Servers in a hybrid environment (51:08 mins)
• Identifies Exchange Servers that are behind on CUs, SUs, or are out of support
• Currently in private preview.
• Exchange Online Retirements (52:40 mins)
• Exchange Online PowerShell Module v1 retires on Dec 31st, 2022
• Classic Exchange Admin Center going away on Jan 2023
• Replace action going away on Anti-Malware policies. Any existing policies will be converted to Block action instead. This work is currently in progress.
• Redirect messages in the Anti-Malware policy will only be available for the Monitor action.
• Basic authentication going away

Deep Dive on Hybrid Mail Flow
In this session, Hien Nguyen takes a deep dive into hybrid mail flow tackling topics such as message attribution, configurations that could impact hybrid mail flow from being stamped as internal, and advanced routing topics such as other tenants being able to bypass your MX records. Topics include:

• The Challenge (2:28)
  • Making two separate Exchange environments (Exchange Online and On-prem) appear as one.
  • We want this, so it is seamless for the user and provides minimal (if any) impact on the business.
  • We implement this with the Hybrid Configuration Wizard
• The Solution (3:11)
  • MRS moves mailboxes maintaining the existing Outlook profiles and OSTs
  • Organization relationships to allow for free/busy, OWA redirection, and Mail Tips
  • Trusted mail flow between Exchange Online and on-prem
• Concepts (3:45)
  • The difference between internal mail is that it is authenticated (external is anonymous)
  • Mail can be authenticated when sent via Outlook, SMTP Auth, or a secure connector.
  • Physical location does not matter when it comes to authenticating mail
• Internal vs. External (4:50)
  • On-prem Recipient <> EXO recipient should always be marked as internal
  • If not, the messages can be externally tagged, subject to spam and phishing policies, messaging to distribution lists can fail, incorrect OOF, and problems booking resources
  • We can track if a message is considered internal (authenticated) or external (anonymous) via message headers using the X-MS-Exchange-Organization-AuthAs attribute
• SCENARIO: On-prem to Office 365 (6:40)
  • For mail to be processed as INTERNAL
    • Tenant.mail.onmicrosoft.com must be an accepted domain on-prem
    • Send Connector in Exchange On-Prem must be set to CloudServicesMailEnabled = $true
    • Inbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
      • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
    • Exchange On-Prem copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers.
    • Exchange Online copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers.
• DEMO: On-prem to Office 365 (9:42)
  • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
  • This will export these messages as EML files that you can open (be careful with sensitive data)
  • Email sent as Amy (On-Prem) to Hien (EXO) is delivered as INTERNAL
  • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and MS-Exchange-CrossPremises
• DEMO: On-prem to Office 365 (16:00)
  • Changing the CloudServicesMailEnabled = $false on the on-prem send connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• DEMO: On-prem to Office 365 (19:15)
  • Changing the CloudServiceMailEnabled = $false on the Exchange Online inbound connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• Message Attribution (24:00)
  • EXO is a shared service, and mailboxes from different companies can sit on any database, server, and infrastructure
  • Message attribution is how Exchange Online determines which tenant the message belongs to
  • If the certificate subject name, sending IP, or sender domain matches an accepted domain
    • The email is attributed to the tenant with the accepted domain
    • X-MS-Exchange-Organization-MessageDirectionality = ORIGINATING
  • If origination fails (no matching certificate, sending IP, sender domain) and recipient domain matches an accepted domain
    • The email is attributed to the tenant with the accepted domain
    • X-MS-Exchange-Organization-MessageDirectionality = INCOMING
  • If message attribution fails, it sends a non-delivery report to the sender.
• SCENARIO: Office 365 to on-prem (30:52)
  • For mail to be processed as INTERNAL
    • An accepted domain must exist in Exchange Online
    • Outbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
      • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
    • Receive connector for Exchange On-Prem must have TLSDomainCapabilities:{mail.protection.outlook.com:AcceptedCloudServicesMail}
    • Exchange Online copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers
    • Exchange On-Prem will offer SMTP command XOORG to Exchange Online
    • Exchange Online sets MAILFROM domain in XOORG command to one of Exchange On-Prem’s accepted domains
    • Exchange On-Prem copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers
• DEMO: Office 365 to On-Prem (33:45)
  • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
  • This will export these messages as EML files that you can open (be careful with sensitive data)
  • Email sent as Hien (EXO) to Amy (On-Prem) is delivered as INTERNAL
  • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and X-MS-Exchange-CrossPremises
• DEMO: Office 365 to On-Prem (36:55)
  • Nulling out the TLSDomainCapabilities on the on-prem receive connector
  • Switches X-MS-Exchange-Organization-AuthAs headers are missing (not copied from X-MS-Exchange-CrossPremises)
• DEMO: Office 365 to On-Prem (39:36)
  • Changing the CloudServiceMailEnabled = $false on the Exchange Online outbound connector
  • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
• Securing the gaps (44:20)
  • When MX is pointed on-prem
    • SCENARIO 1: Other tenants (or on-prem servers with hybrid) can send mail directly to your tenant
    • SCENARIO 2: Other tenants can send mail directly to your hybrid smart host (e.g., hybrid.domain.com)
  • When MX is pointed to EXO
    • SCENARIO 3: Other tenants can send mail directly to your hybrid smart host (e.g., hybrid.domain.com)
  • If another tenant sends directly to your hybrid smart host (on-prem), the mail is considered EXTERNAL because the X-MS-Exchange-CrossPremises (XOORG) will be missing.
• SCENARIO 1: Prevent EXO Direct Delivery when MX is pointed on-prem (48:50)
  • Create a new inbound partner connector
  • Specify all sender domains (*)
  • RequireTLS = $true
  • RestrictDomainsToCertificate = $true
  • TlsSenderCertificateName = Can be whatever you want it to be (e.g., blocknonmx.domain.com)
  • New-InboundConnector -Name “Block Non MX Record Delivery” -ConnectType Partner -SenderDomains * RequireTls:$true -RestrictDomainsToCertificate:$true -TlsSenderCertificateName blocknonmx.domain.com
• SCENARIO 2: Prevent On-Prem Direct Delivery when MX is pointed to EXO (49:20)
  • Create a transport rule
  • Sender is located Outside the organization
  • Reject the message with explanation “You are not allowed to send directly. Use MX.”
  • Except if message header includes “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
• SCENARIO 3: Prevent On-Prem Direct Delivery when MX is pointed on-prem (50:39)
  • Create a transport rule
  • Sender is located Outside the organization
  • Reject the message with explanation “You are not allowed to send directly. Use MX.”
  • Except if message includes:
    • Header “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
    • Sender IP address is “<1.1.1.1>”
    • Header “Received” matches “<1.1.1.1>”
• Q&A (55:05)

Exchange Server and Hybrid Feature Review
In this session Srividya Varanasi and Mukesh Kumar discuss the roadmap for Exchange Server and Exchange hybrid. Topics include:

• Exchange Challenges and Investments (1:15)
  • Need improved security
  • Easier upgrades
  • Simplify managing hybrid and migration to the cloud
• Recent Vulnerability Fixes (2:38)
  • 7 security updates
  • 19 vulnerabilities fixed
  • 70+ bugs discovered and mitigated
  • Exchange Emergency Mitigation
• Extended protection in Exchange Server (4:03)
  • Extended protection safeguards credential exchange with Channel Binding Tokens (CBT)
  • Must be available on both front-end and back-end directories
  • Script can be used to enable Extended Protection across all servers
  • Requires the August 2022 security upgrade (Exchange 2013-2019)
• DEMO: Enabling Extended Protection (5:44)
  • Check current Extended Protection Settings
    • Use ExchangExtendedProtectionManagement.PS1 -ShowExtendedProtection
    • This will list vDirs current and recommended settings
  • Enable Extended Protection
    • Use ExchangExtendedProtectionManagement.PS1
    • The script will do a prerequisite check before enabling EP
    • This will update all vDirs for Extended Protection
  • Do not enable Extended Protection on back-end vDirs if using automatic archiving
    • Fix coming soon
    • As a workaround, restrict connections coming to backend vDirs
    • Use ExchangExtendedProtectionManagement.PS1 -RestrictType EWSBackend -IPRangeFilePath “IPList.txt”
  • To roll back the script changes
    • Use ExchangExtendedProtectionManagement.PS1 -RollbackType RestoreIISAppConfig
• Modern Auth support in Outlook Clients (8:10)
  • Exchange 2019 will support Modern Auth for Outlook
  • ADFS must be used as Secure Token Server (STS)
  • Direct integration of 3rd party IdP as STS will NOT be supported (must be via ADFS)
  • Use authentication policies to enable modern auth
  • Support for Windows, Mac, Android, and iOS Outlook clients in development
• Hybrid Modern Auth (HMA) in Outlook Web App (10:47)
  • HMA enables on-prem Exchange to use OAuth via Azure AD STS
  • Previously limited to Outlook desktop only
  • HMA will be extended to support Outlook on the Web
• Dashboard & Action Center for Software Updates (13:56)
  • New dashboard in the Microsoft 365 Admin Center to show:
    • CU and SU of your Exchange Server
    • Lifecycle of your current Exchange versions
  • New dashboard in the on-premises EAC
    • CU and SU of your Exchange Server
    • Lifecycle of your current Exchange versions
    • Mitigations applied by the Exchange Emergency Mitigation Service
    • Servers enabled for the Exchange Emergency Mitigation Service
• Retaining customizations during CU (18:30)
  • Previously CUs replaced any customizations in the config files (e.g., web.config)
  • Customers would have to backup and restore these settings after each update
  • Future CUs will automatically backup and restore these configurations
• Updates to the Hybrid Wizard (21:10)
  • On subsequent reruns of the HCW, admins can choose which components to rerun (e.g., great if you are just renewing a cert)
  • What-ifs identify all the changes the hybrid wizard will make
• Removing the last Exchange Server (23:38)
  • Only possible if you are only doing attribute management (not applicable if using Exchange for mail relay)
  • Manage all recipients using the Exchange Management Tools (PowerShell but 3rd-party GUIs are available)
  • Shut down the last Exchange Server (do not uninstall)
• DEMO: Installing the Exchange Management Tools (25:30)
  • Verify no mailboxes exist on-prem (migrate any mailboxes)
  • Verify <tenantdomain>.mail.onmicrosoft.com exists as a remote domain
  • Install the Exchange 2019 CU11 Management Tools on domain-joined workstations
  • Launch PowerShell and run Add-PSSnapin “RecipientManagement”
  • Run script .\Add-PerrmissionForEMT.PS1
  • Verify the creation of the Recipient Management EMT group in the default Users OU
  • Add recipient admins to the Recipient Management EMT group
  • Run Exchange commands as necessary (e.g., New-RemoteMailbox)
  • Shut down the last Exchange Server (do not uninstall)
• Removing the last Exchange Server (29:55)
  • Goal is to manage recipients directly in the cloud
  • User and group creation and deletion will still occur in on-prem Active Directory
  • Source of authority of Exchange attributes for users and groups will be moved to the cloud
  • Few critical attributes will be written back on-prem (even with cloud as source of authority)
  • Contacts will be created in the cloud and not written back to on-prem AD.
• Roadmap (32:43)
  • CY 2022 H2 – Hybrid a-la-carte / What-ifs
  • CY 2023 H1 – Modern Auth for Outlook for Windows for Exchange 2019
  • CY 2023 H1 – Software update dashboard in on-prem EAC
  • CY 2023 H1 – Retain customization during CU
  • CY 2023 H2 – Modern Auth for Outlook for Mac and Outlook Mobile for Exchange 2019
  • CY 2023 H2 – Enabling Hybrid Modern Auth for Outlook on the Web
• Q&A (34:00)
  • Should I move away from using individual move requests in favor of migration batches?
    • No plans to deprecate move requests.
  • Is there a better way to migrate DLs to the cloud? Especially mail-enabled security groups, nested DLs, or more than 10k DLs?
    • Noted down as a request.
  • Questions around what version of Exchange Server will get these new features.
    • All new features will be on Exchange Server 2019
  • Do user-managed DLs break after a mailbox is synced to the cloud?
    • This will be solved with the long-term solution of making the cloud the SOA for groups

Secure Exchange Online with Privileged Identity Management
In this session, Ingo Gegenwarth discusses how configure and use Privileged Identity Management for Exchange Admins. Ingo also covers PIM tips and tricks and how to leverage PIM with PowerShell. Topics include:

• What is PIM? (2:24)
  • A service in Azure AD
  • Allows management, control, and monitoring of privileged roles (e.g., Exchange Administrator)
  • Time-based privilege access (automatic removal after or at a defined time)
  • Approval flows (someone needs to approve)
  • Auditing (detailed logs)
• Why should I use PIM? (3:40)
  • Follows least privilege principle
  • Reduced risk when an account is compromised
  • Simple mechanism for increasing security
• Licensing Requirements (4:59)
• Azure AD Premium P2 licenses for the following users
  • Those who need eligible assignment
  • Those who need time-bound assigned
  • Those needed to perform audits
  • Approvers of requests
• DEMO: How an admin activates an eligible role (6:00)
  • Steps using the Azure Portal
    • Navigate to portal.azure.com and search or select Azure Privileged Identity Management
    • Select My Roles
    • Select the desired role and click Activate
    • Specify a duration for the role (and custom start time)
    • Specify a reason for the elevation
    • Click the Activate button.
  • Users may also be prompted for MFA
  • Role is shown as an active assignment.
  • Admin performs tasks with elevated privilege.
  • Admin can deactivate the role (must at least be activated for 5 minutes)
• DEMO: How to configure PIM (11:40)
  • Roles can be assigned to groups (in preview)
  • Navigate to portal.azure.com and Azure Active Directory
  • Create a new security group
  • Specify Azure AD roles can be assigned to group as Yes
  • Go to the group properties and select Assigned Roles
  • Click Add Assignments button.
    • Under the Membership tab, select the role you want to assign to members
    • Under the Settings tab, specify whether the role is Eligible or Active.
      • Eligible Assignments are roles that group members can request in PIM (e.g., Exchange Admin)
      • Active Assignments are permanent roles that the group members always have (e.g., Global Reader)
    • Specify whether the role elevation is only available between two dates or if the role is available permanently.
  • Go to Members and add members to the group that needs assignments.
  • Go to Privileged Access (Preview) in the left navigation and select Enable Privileged Access
  • Navigate back to portal.azure.com and Privileged Identity Management
  • Select Privileged Access groups (preview) to see all role groups
  • Go to the properties of an access group and select Settings.
  • Select Members
  • From here, define various settings such as role expiration (e.g., 8 hours), justification, require MFA, require approval, etc.
• DEMO: Enable PIM role via PowerShell (20:45)
• DEMO: Review PIM audit history shows your elevation requests (24:58)
• Problem: Exchange Admin may need to grant admin consent for Exchange-related apps (26:30)
  • Exchange Admin role does not have the right to grant admin consent on behalf of users
  • Built-in roles such as Application Admin could grant too many permissions to an Exchange Admin
  • Solution: Create a custom admin role
    • Cannot be created with the GUI
    • Use the following Microsoft Graph SDK cmdlets
    • New-MgPolicyPermissionGrantPolicy
    • New-MgPolicyPermissionGrantPolicyInclude
    • New-MgRoleManagementDirectoryRoleDefinition
• DEMO: Create a custom role for an Exchange admin to grant admin consent for Exchange-related apps (27:45)
• Tips and Tricks (35:20)
  • Go passwordless
    • Consider FIDO2 security key
    • There is a wizard for AAD which helps you deploy passwordless
  • Connect your admin account to Windows (Settings > Accounts > Email & Accounts > Add a workplace or school account)
  • Share credentials across My devices only (Settings > Apps > Apps & Features > Share Across Devices > My devices only)
• Q&A (39:00)
  • How do you create PIM RBAC roles (Exchange Admin is too much)?
    • Exchange RBAC is not currently available for PIM.

Recent and Upcoming Features from the Exchange Online Transport Team
In this session, Kevin Shaughnessy discusses new roadmap items such as improved message recall and new reporting and configuration options. Topics include:

• DEMO: Mail flow in the new EAC (6:00)
  • Message Trace moved to new EAC
  • Remote Domains
  • Accepted Domains
  • Connectors
  • Transport Rules (still using old EAC model)
• DEMO: New Transport Rule UI (9:43)
  • Uses the new EAC pop-outs and wizard design
  • Planned release end of September
• DEMO: Mail Flow Settings provides options for (12:45)
  • Plus Addressing
  • Sending from aliases
  • Disable SMTP AUTH for the organization
  • Enable legacy TLS endpoint (enables TLS 1.0 / TLS 1.1)
  • Reply-all storm protection
  • Message Recall
• Q&A (23:05)
  • What happens to “read” recalled messages?
    • They are hard deleted and moved to the purges folder in the users’ mailboxes
  • Is message recall supported cross-tenant?
    • No
• Customizing message expiration (26:15)
  • By default, Exchange Online expires queued messages after 24 hours
  • Admins can customize this expiration between 12 and 24 hours
  • Use Set-TransportConfig -MessageExpiration to change default expiration
  • GA October 2022
• Reply-All Storm Protection Report (29:00)
  • Report summarizes current reply-all protection settings
  • Report shows all the detected reply-all storms
  • Report shows the number of blocked messages
  • Details on messages causing the reply-all storm
• Reply-All Storm alert policy available in October 2022 (32:15)
• Message Recall (33:35)
  • Classic message recall
    • Previously relied on the Outlook client
    • Did not work for OWA, Mobile, or other clients
  • New message recall
    • Cloud-based and client agnostic
    • Works in Outlook, OWA, Mobile, and other clients
    • Uses the message recall agent
    • Read messages can also be recalled
    • Can recall from any folder (except for Drafts and Sent Items)
    • Aggregate report to show success of the recall
  • 97% success rate with new method
  • Currently in private preview
  • Roll-out in Q4 2022
• DEMO: Message recall with Outlook desktop (43:00)
  • Using the message recall report to monitor in real-time.
• Message Recall (46:25)
  • Does not work cross-tenant or on-prem (legal requirement)
  • Recipient settings to allow/reject recall is ignored (Options > Mail > Tracking)
  • Recalls are logged for eDiscovery and holds
  • Recall report comes from microsoft.com address
  • Admins can disable recall for read messages with Set-OrganizationConfig -RecallReadMessagesEnabled $false
  • Triggering a recall is only available for Outlook desktop (other clients on the roadmap)
• Q&A (51:20)
  • Does message recall work for shared mailboxes?
    • Testing currently in progress for shared mailboxes
  • Is there a time limit for message recall?
    • No time limit after the message is sent.
    • Recall will try for 24 hours and then expire.
    • Recall reports are only available for 7 days after the recall is performed.
  • Can admins recall on behalf of a sender?
    • Currently on the roadmap for next year.
  • Are recalls shown in the audit log?
    • It does appear in the audit log as a hard delete.
  • Can message recalls be impacted by transport rules?
    • Yes, recalls are sent as an IPM message that can be impacted by transport rules and moderation.
  • How would the recall work if the recipient already replied to it?
    • The original message to the recipient would be recalled
    • The sent item would remain
  • Is there a report to show mailboxes that have exceeded the message rate limit?
    • Nothing at present.
  • Can we recall messages sent to a DL?
    • Yes.

Cross-Tenant User Data Migration in Exchange Online
In this session, Georgia Huggins, Robert Lowe, and Estelle Wang discuss and demo the new cross tenant domain sharing and tenant-to-tenant migration features. Topics include:

• How M&A scenarios impact tenant migrations and collaboration (3:30)
• Collaborating indefinitely in multi-tenant scenarios (6:30)
• Microsoft’s approach for cross-tenant migration (8:25)
  • Third-party migration products built on APIs not designed for migration
  • Microsoft data migration uses the native MRS technology
    • Data never leaves Microsoft 365
    • MRS is capable of migrating (on avg.) 1 GB per hour per mailbox (with 300 concurrent connections, that is 300 GB per hour of mailbox data)
• Product Roadmap (10:50)
  • Cross tenant user migration
    • Exchange Online and OneDrive for Business will GA in Q4 2022
    • At GA, Exchange Online migrations will support auto-expanding archive moves
    • At GA, OneDrive migrations will support 5 TB OneDrive repositories
    • Single add-on license required for each user data migration
  • Cross tenant shared migration
    • Migrating SharePoint is in preview
    • Migrating M365 Groups and Teams in development
  • Tenant Sharing
    • Domain sharing for email in private preview
    • Identity mapping in private preview (matches users between tenants for migration)
    • Admin UI in development to support cross-tenant migrations
    • Orchestrated migration in development
• Data Migration Process (15:05)
  • Allows users to keep their primary email address during tenant-to-tenant migration
  • Allows for users to be migrated in smaller batches while keeping their primary domain intact
  • Share domains between the tenants
  • Establish trust between the tenants
  • Create and map source and target identities
  • Migrate mailboxes
  • Migrate domains from source to target
  • Remove trust and cleanup source
• DEMO: Domain sharing and mailbox migration (17:40)
  • If a domain is shared from another tenant, domain status displays “Shared from another organization”
  • The original owning tenant maintains a status of “Healthy” for the domain it shared
  • An org relationship exists between the source and target tenants
    • Source relationship shows MailboxMoveCapability = RemoteOutbound
    • Source identifies mailboxes in scope for migration
    • Target relationship shows MailboxMoveCapability = Inbound
  • Target tenant has migration endpoint identifying source tenant
  • Mailbox-enabled users (MEUs) exist in the target for each mailbox in scope
    • MEUs are stamped with MailboxGUIDs from source
    • MEUs are stamped with X500 proxies from source
  • Mailboxes are moved with migration batches using Cross Tenant Migration type
    • Target delivery is the shared domain
  • After migration
    • Mailbox in the source is converted to a MEU
    • MEU in the target is converted to a mailbox
• Domain sharing: Setup (25:40)
  • Fabrikam shares domain
  • Contoso adds the shared domain (invitation from Fabrikam)
  • Both tenants create inbound connectors
  • Fabrikam creates routing objects (MEUs for objects in the target tenant) to facilitate inbound mail routing
  • Contoso assigns shared domain email addresses to their mailboxes
• Domain sharing: Mail flow (27:53)
  • Inbound Mail
    • External mail for Fabrikam delivered to Fabrikam tenant (following MX record)
    • External inbound mail leverages Fabrikam message hygiene policies
    • MEU (representative of a user in the Contoso tenant) accepts mail as Fabrikam.com.
    • External address routes to Contoso tenant email address.
    • Contoso tenant accepts message as Contoso tenant address (secondary address on user object)
  • Outbound Mail
    • Outbound mail from Contoso, addressed as the Fabrikam domain, goes directly to the internet (and not back from Fabrikam)
• Domain sharing: Mailbox migration (30:45)
• Preview Resources (32:10)
  • To apply for the preview, email CTIMPreview@service.microsoft.com
  • Microsoft 365 tenant-to-tenant migrations
  • Cross-Tenant Mailbox Migration Document
  • Cross-Tenant Identity Mapping Document
• Q&A (34:00)
  • Does using a MEU for other M365 workloads cause conflicts with domain sharing?
    • Using the MEU for Azure B2B (for accessing other workloads) is on the roadmap.
    • License the MEU in the target tenant but copy the source mailbox GUID to the target MEU before licensing, so a mailbox is not created.
  • How is DKIM signing handled with domain sharing?
    • The “owning” tenant does the DKIM signing.
    • No additional DKIM setup is required in the secondary tenant.
    • Everything will go out DKIM signed
  • Are migrations limited to batches, or can move requests be used?
    • It is limited to migration batches, but you can do single-user batches.
  • Can you use domain sharing with Exchange hybrid?
    • Yes, it is possible, but it is only available for cloud mailboxes (not on-prem)
  • How are EOP policies handled in domain sharing?
    • External inbound mail is processed by the “owning” tenant policies and then sent to the secondary tenant.
  • How are Outlook profiles handled in a cross-tenant migration?
    • Outlook profile has to be recreated, and the OST resynced.
    • This is due to the UPN changing (you are essentially a new user).
    • This is on the roadmap to remediate the Outlook profile rebuild.
  • Will Teams meetings links update to the new tenant (or be broken)?
    • Those links are broken currently.
    • Workaround is to edit the meeting request.
  • How does this impact guest accounts?
    • Microsoft would prefer the routing objects to be Azure B2B objects (on the roadmap).
  • Have you seen any issues with mail loops in domain sharing?
    • Have only seen mail loops with incorrect configurations.
    • Typically, only see issues when customers want to use third-party mail handlers with domain sharing.

Upgrading to Exchange Server 2019
In this session, Siegfried Jagott and Thomas Stensitzki discuss best practices, tips, and tricks for upgrading to Exchange Server 2019. Topics include:

• Why should you upgrade? (4:00)
  • Get the latest features
  • Get the latest security patches
  • Upgrades from Exchange 2019 to Exchange vNext will allow in-place upgrades
  • Supports Windows Server 2019 or 2022
  • Consider using Windows Server Core to reduce attack surface
  • Ability to disable legacy auth with Auth Policies (leverage modern auth instead)
• Coexistence with previous versions of Exchange (7:55)
  • Coexistence with Exchange 2013 or 2016 only
  • Exchange 2010 (or older) will require a double-hop migration
• Exchange Hybrid (8:45)
  • Exchange 2019 preferred for hybrid (since H1 2022 CU)
  • HCW provides a coexistence key for Exchange 2019
  • Exchange 2019 Management Tools allow for the last Exchange Server to be turned off
• Exchange Server lifecycle (10:00)
  • Exchange 2013 extended support ends April 11, 2023
  • Exchange 2016 and 2019 extended support ends October 14, 2025
  • Exchange 2019 mainstream support ends on January 6, 2024
• Preparing to upgrade (12:30)
  • Use Exchange Server Deployment Assistant
  • Use Exchange Server Sizing Calculator
  • Active Directory Requirements
    • Requires AD FFL/DFL of 2012 R2+
    • Global Catalog in each AD site hosting Exchange
  • Upgrade existing Exchange 2013/2016 to latest CUs
  • Enable MAPI over HTTP org-wide
  • Reuse the existing Exchange namespace
    • e.g., mail.contoso.com + autodiscover.contoso.com
  • Reuse the existing Exchange cert on Exchange 2019 servers.
• Exchange Server 2019 Prerequisites (16:55)
  • .NET Framework 4.8
  • Visual C++ 2012 Redistributable
  • Visual C++ 2013 Redistributable
  • Unified Communication Managed API (UCMA) 4.0 from Exchange ISO file
  • IIS URL-Redirect Module (Manual Download Option)
• Install Exchange Server 2019 (19:15)
  • Perform Exchange 2019 schema update
  • Install Exchange Server 2019
  • Configure virtual directories
  • Import certificate and assign services
  • Check server configuration with HealthChecker script
• Build a new database availability group for Exchange 2019 (20:25)
  • Exchange 2016 and 2019 servers cannot coexist in the same DAG
  • Create a new DAG for and assign Exchange 2019 servers as members
  • Create new databases and database copies
  • Verify successful database replication
• Add Exchange 2019 servers to load balancing pool (22:10)
  • Exchange 2016 and Exchange 2019 servers can be members of the same load balancer pool
  • Exchange 2019 can proxy client connections to Exchange 2016 if needed
  • Exchange 2016 can proxy client connections to Exchange 2019 if needed
• Exchange and Kerberos (24:20)
  • Exchange 2013, 2016 and 2019 can share the same Alternate Service Account (ASA) for Kerberos
  • Exchange 2010 cannot share ASA accounts with other versions of Exchange
• Migrate to Exchange 2019 (25:35)
  • Copy relay connectors to Exchange 2019
  • Update firewall rules or message hygiene services to Exchange 2019
  • Add Exchange 2019 to send connectors
  • Rerun HCW to move mail flow to Exchange 2019
  • Move arbitration mailboxes to Exchange 2019
  • Move all mailboxes to Exchange 2019
• Offline Address Book (27:50)
  • No OAB migration needed in newer versions of Exchange
  • Newer versions of Exchange generate OABs
• Move public folder mailboxes to Exchange 2019 (29:30)
• Notes from the field (30:15)
  • Use the same TLS cert and same TLS configuration on all Exchange Servers
  • Check default DB quota settings on new DBs (2GB by default!). Mailboxes larger than the quota will fail to move.
  • Allocate adequate space for the mail transport DB (mail.que)
  • Make sure your receive connectors do not include the IPs of the new Exchange 2019 servers
  • Make sure virtual Exchange Servers have reserved CPU and RAM resources
• Notes from the field: How to roll out MAPI over HTTP gradually during mailbox migrations (37:20)
• Notes from the field: Public Folder coexistence (39:20)
  • Symptom: User could not access public folders from Outlook on the Web
  • Symptom: User could not access forms using Outlook for Desktop
  • Move public folders mailboxes to Exchange Server 2019 before user mailboxes
• Notes from the field: Edge Transport (40:10)
  • Use a dedicated TLS certificate (not used by mailbox servers)
  • Use CAPI1 certificate (CNG certificate not supported)
  • Do not use TLS offloading or TLS bridging between Mailbox and Edge servers
  • Edge Transport can be updated at any time
• Q&A (43:30)