SuperTekBoy

Practical Help for Exchange & Office 365

Exchange

Exchange February 2019 Updates

By 2 Comments

25 Shares
Share
Tweet
Share
Reddit
Email
Exchange 2019 CU1

Last week was a big week for Exchange. Microsoft released its first cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2013 Cumulative Update 9

Exchange 2019 Cumulative Update 1 (VLSC)| KB4471391

Exchange 2016 Mini

Exchange 2016 Cumulative Update 12 | KB4471392 | UM Language Pack

Exchange 2013 Cumulative Update 9

Exchange 2013 Cumulative Update 22 | KB4345836 | UM Language Pack

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 26 | KB4487052 (released February)

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 25 | KB4468742 (released January)

Only 325 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

Push notifications are one type of notification a developer can leverage in their application to add value. An example of a push notification might be the notification of new mail on a mobile device.

In this series of cumulative updates, the Exchange Team has changed the way it initiates push notifications through Exchange Web Services. This is in direct response to a security flaw where an attacker could intercept push notifications to gain access to credentials streamed via NTLM. These cumulative updates mitigate this attack by removing these credentials from the stream. Microsoft documents this resolution in KB4490060.

After applying this cumulative update, Microsoft recommends forcing the computer account to change its password by using either the Reset-ComputerMachinePassword cmdlet or, NETDOM. In addition, Microsoft recommends every organization review its user password expiration policies.

In further response to the security flaw, Microsoft is reducing the number of rights Exchange has in Active Directory when operating in a shared permission model.

In a shared permission model, Exchange administrators have the ability to create security principals in Active Directory and mail-enable those security principals. This includes the ability to create a new user as you are creating a mailbox, or, the ability to remove a user when you remove a mailbox. This also extends to tasks such as being able to create a distribution group, or, modify distribution group members.

In a split permission model, the Exchange administrator is restricted from these tasks and can only mail-enable, or, mail-disable existing objects (e.g. users, groups or contacts) that were created by an administrator with Active Directory rights.

Going forward the shared permission model will have fewer Active Directory rights, but that does not mean reduced functionality for Exchange administrators.

[Read more…] about Exchange February 2019 Updates

The following servers in Windows Failover Cluster are not in Active Directory

By Leave a Comment

16 Shares
Share
Tweet
Share
Reddit
Email
The Following Servers in the Windows Failover Cluster are not in Active Directory
The following servers in the Windows Failover Cluster are not in Active Directory: <server name>. This is usually the result of an incomplete membership change (add or remove) of the database availability group.

I ran into this error recently while trying to remove two Exchange 2010 members from a database availability group (DAG).

The error stated that a member of the DAG, a server named EXC3, did not exist in Active Directory. This was odd because queries to the Exchange 2010 management tools only returned two Exchange servers–EXC1 and EXC2.

We further confirmed that there was no computer account for EXC3 in Active Directory Users and Computers. We did however, see remanents of EXC3 in ADSI Edit.

Talking with our customer we discovered that there had been a third Exchange server, named EXC3, that had crashed and was never recovered.

Fix–The following servers in the Windows Failover Cluster are not in Active Directory

To verify the status of all nodes in your database availability group, open PowerShell and import the Windows Failover Clustering cmdlets with Import-Module.

 C:\> Import-Module FailoverClusters

Next, run the Get-ClusterNode cmdlet. This will retrieve the status of all our nodes.

 C:\> Get-ClusterNode

Name                                                  State
----                                                  -----
EXC1                                                     Up
EXC2                                                     Up
EXC3                                                   Down

In the example above, we can see EXC1 and EXC2 are operational, whereas EXC3 is offline.

Because EXC3 no longer exists (and the fact we plan to collapse the entire DAG anyway) we can forcibly evict the failed node. To do this issue the following command.

 C:\> Get-ClusterNode -Name "EXC3" | Remove-ClusterNode

Remove-ClusterNode
Are you sure you want to evict node EXC3
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

You will be prompted to confirm. Press enter to accept the default action of “Yes”.

If we repeat the first Get-ClusterNode command we will only have the two operation cluster nodes remaining.

 C:\> Get-ClusterNode

Name                                                  State
----                                                  -----
EXC1                                                     Up
EXC2                                                     Up

With no more failed nodes we can remove the two operational nodes using either the Exchange 2010 management console or PowerShell.

Twitter

Have you run into this error while add or removing members to a DAG? What did you do to fix it? Drop a comment below or join the conversation on Twitter

RunAs Radio #618 – Exchange 2019 with Gareth Gudger

By Leave a Comment

15 Shares
Share
Tweet
Share
Reddit
Email

On November 30th I had the great pleasure of being a guest on the RunAs Radio podcast. I joined host Richard Campbell to discuss all the new features in Exchange 2019. We discuss the MetaCache Database (MCDB), the benefits of the new search architecture, and several client-side features.

Listen to the podcast

(Originally posted at http://runasradio.com/shows/show/618)

[Read more…] about RunAs Radio #618 – Exchange 2019 with Gareth Gudger

The F12 easter-egg in Hybrid Configuration Wizard

By 1 Comment

28 Shares
Share
Tweet
Share
Reddit
Email

One of the best-kept secrets in the hybrid configuration wizard (“HCW”)
 is the F12 easter-egg. Jeff Kizner demonstrated this feature during his Ignite session back in September.

Tip: For a break down of Jeff’s session, with notes and timers, I highly recommend checking out 15 Ignite sessions every Exchange admin should see.

If you press F12 this enables a new section called Diagnostic Tools. This section provides shortcuts to the following tools or folders.

Hybrid Configuration Wizard F12 Diagnostic Tools
  • Open Exchange Management Shell opens a remote PowerShell session to your on-premises Exchange servers.
  • Open Exchange Online PowerShell opens a PowerShell connection to Exchange Online. This supports MFA-enabled admin accounts.
  • Open Log File opens the active HCW log file in Notepad. The HCW logs are stored in the profile of the user running the HCW. For example, C:\Users\<user>\AppData\Roaming\Microsoft\Exchange Hybrid Configuration
  • Create Support Package will combine your HCW log files into a single ZIP file which can easily be sent to Microsoft support. This link actually opens a second screen where you can specify to ZIP logs from the last 24 hours, or, between a certain date range. You then have the option to copy the file to the clipboard so it can be easily attached to an email.
  • Open Logging Folder opens the folder location of the HCW logs. 
    The HCW logs are stored in the profile of the user running the HCW. For example, C:\Users\<user>\AppData\Roaming\Microsoft\Exchange Hybrid Configuration
  • Open Process Folder opens a Command Prompt to the HCW process directory.

Pressing F12 a second time will hide these tools.

Twitter

What do you think about this easter-egg? Have you run into any cool easter-eggs in other Microsoft products? Drop a comment below or join the conversation on Twitter

What Ignite taught us about Exchange 2019

By 3 Comments

36 Shares
Share
Tweet
Share
Reddit
Email
Microsoft Ignite

It’s amazing to believe that Microsoft Ignite was over a month ago. With 1,610 sessions Microsoft gave us a massive amount of announcements and demonstrations of new product features. This included Exchange 2019.

If not already, I highly recommend checking out 15 Ignite sessions every Exchange admin should see.  Each session in this article includes extensive notes on what each session contained. In addition, those notes contain timers so you can jump to the section that interests you the most. Hopefully, it will also serve as a reference if you need to search for a certain announcement or feature weeks (or even months) down the road.

Here is what Ignite taught us about Exchange 2019.

Changes to Exchange development

The tagline for Exchange 2016 was that it was “forged in the cloud”. This was a result of Exchange Online and Exchange on-prem sharing a common code base. The greatest benefit of this common code was that it ran in the cloud for a number of months before shipping on-prem as a cumulative update. By the time the code was released on-prem, it had been more than validated as stable and able to run at scale.

Going forward Microsoft has separated Exchange on-prem into its own code branch. This means that Exchange online is no longer driving cumulative updates for on-prem. What will drive updates are security patches and feature requests from customers. So, be sure to make your voice heard on UserVoice, at conferences, and in the various TAP programs.

Exchange 2019 Forked Code Base From Exchange Online

While Microsoft currently plans to keep cumulative updates quarterly, they have opened up the conversation on whether updates should occur less frequently. Common feedback is that the current release cadence of quarterly cumulative updates is too aggressive for some customers. The product group also believes this could result in more stable releases.

[Read more…] about What Ignite taught us about Exchange 2019

Exchange October 2018 Updates

By Leave a Comment

26 Shares
Share
Tweet
Share
Reddit
Email
Exchange Server 2016 CU11

Last week was a big week for Exchange 2016. Microsoft released Cumulative Update 11. At this time no updates were released for Exchange 2013 or Exchange 2010. Exchange 2013 entered extended support back on April 10th, and Microsoft announced in June that cumulative update 21 was the last planned update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2016 Mini

Exchange 2016 Cumulative Update 11KB4134118UM Language Pack

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 24 | KB4458321 (released September)

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 23 | KB4340733 (released August)

So, what’s new in these Cumulative Updates?

Cumulative Update 11 now officially supports .NET Framework 4.7.2. Framework 4.7.2 is only optional at this point and will not become mandatory until the June 2019 updates. Due to no quarterly update scheduled for December, it is expected that CU13 will be the first version to enforce 4.7.2 as a requirement.

Support for 4.7.2 has been officially added to Exchange 2013 CU21, which was released back in June. 4.7.2 will also be a requirement for Exchange 2019. However, 4.7.2 is preinstalled with Windows Server 2019, so it will not require a separate download. For a great resource on navigating which .NET update goes with which CU I recommend reading Upgrade Paths for CU’s & .NET by Michel de Rooij.

In the June updates, it was stated that all Exchange roles would require Visual C++ 2013. Microsoft has since clarified this statement to the following:

  • Mailbox role will require both Visual C++ 2012 & Visual C++ 2013
  • Edge & Management tools only require Visual C++ 2012

Cumulative Update 11 will now perform prerequisite checks to confirm the necessary versions of Visual C++ are installed.

These updates contain 22 security and bug fixes. Check KB 4134118 for a list of issues CU11 resolves.

[Read more…] about Exchange October 2018 Updates

Free Exchange chapters – Manage Users, Groups & Public Folders

By Leave a Comment

28 Shares
Share
Tweet
Share
Reddit
Email

Last year I was invited to write an Exchange 2016 book with a few fellow MVPs. Unfortunately, due to unforeseen circumstances, the book was later cancelled

Rather than have my chapters go to waste (combined these chapters are 40,000 words) I wanted to offer them to you for free.

Below you will find three chapters covering the management of mailboxes, groups, contacts, mail-enabled users, and public folders.

That said I do want to warn you that these chapters only received a brief technical review. They did not go through any formal editorial process, so I apologize in advance for any errors. Please read these at your own risk.

While I offer these for free I would like to state that my work is under copyright. By viewing or downloading these chapters you agree to the copyright notice below.

Chapter 6 – Managing MailboxesDownload
Chapter 7 – Managing Groups, Contacts & Mail-Enabled UsersDownload
Chapter 8 – Managing Public FoldersDownload

Copyright © 2018 by Gareth Gudger

All rights reserved. No part of these chapters may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, please email info@supertekboy.com.

15 Ignite sessions every Exchange admin should see (2018)

By 2 Comments

174 Shares
Share
Tweet
Share
Reddit
Email
Microsoft hosted its annual Ignite conference in Orlando this September. Ignite was massive at 1,610 sessions. That is a lot of sessions! For the first time ever, Microsoft live streamed most of its sessions. Not just the keynotes! You can find the on-demand sessions at the Microsoft Tech Community. Here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes”



Welcome to Exchange Server 2019
(watch video)

Welcome to Exchange Server 2019
In this session, Greg Taylor and Brent Alinger discuss all the new features shipping in Exchange 2019. They also discuss features that have been discontinued and the system requirements for Exchange 2019.

  • Current state of Exchange Online (1:05 mins)
    • Office 365 revenue 38% YoY growth
    • Office 365 seats 29% YoY growth
    • 135 million users in Office 365
    • Outlook mobile on >100 million devices
    • 94% of Fortune 500 have Office 365
  • Exchange 2019 only available via volume licensing (3:30 mins)
  • Changes to Exchange development (4:20 mins)
    • Exchange on-prem & Exchange online were developed in tandem using the same code
    • Exchange on-prem code moved to its own code branch & will be independent of Exchange online
    • Discussion on cumulative update schedule going forward
  • Unified Messaging removed from Exchange 2019 (10:40 mins)
    • UM functions have been removed
    • Migrating a UM-enabled mailbox to Exchange 2019 will UM-disable that mailbox
    • Recommend replacement is Cloud Voice Mail which can still store voice mail in Exchange mailboxes via EWS or SMTP
    • If you need Unified Messaging:
      • Move all mailboxes to Office 365
      • Migrate to Skype for Business Server 2019 & utilize Cloud Voice Mail
      • Stay on Exchange 2016
      • Deploy a 3rd party voice mail solution
    • For more information see BRK3229 – Everything you need to know about Skype for Business Server
  • Unified Messaging Migration scenarios for Exchange 2019 (15:30 mins)
    • Exchange 2013 or 2016 + Skype for Business
      • Migrate to Skype for Business Server 2019
      • Enable Cloud Voice Mail
      • Migrate to Exchange Server 2019
    • Exchange 2013 or Exchange 2016 + 3rd Party PBX
      • Implement a 3rd party voice mail solution
      • Migrate to Exchange Server 2019
    • Note: Due to the discontinuation of Session Border Controllers, 3rd party PBX systems cannot use Cloud Voice Mail.
  • Vision for Exchange 2019 (17:30 mins)
  • Exchange Server 2019 requires Windows Server 2019 (19:20 mins)
    • Windows Server 2019 available in October
  • Exchange Server 2019 supports Server Core (20:15 mins)
    • Microsoft recommends server core for improved performance, smaller attack surface & smaller disk footprint.
    • Exchange 2019 can still be installed on an OS with a GUI.
  • Exchange 2019 will only use TLS 1.2 (23:15 mins)
    • RC2, RC4, DES, 3DES, MD5 & SHA disabled during install
    • Preference for elliptic curve key exchange
    • Exchange will use forward key secrecy
    • EHLO Blog: Getting ready for TLS 1.2
  • Exchange RAM requirements (25:55 mins)
    • Max supported RAM = 256 GB
    • Mailbox role min RAM = 128 GB (2016 was 8 GB)
    • Edge role min. RAM = 64 GB (2016 was 8 GB)
    • Max processor count = 48 cores (2016 was 24)
  • Search changes in Exchange 2019 (29:35 mins)
    • Big Funnel (powered by Bing technology) replaces Fast Search
    • Indexes now stored in the DBs (in each mailbox)
    • No more potentially huge index files that can become unhealthy
    • Index health no longer an issue for DB failovers or switchovers
    • DB log shipping includes the indexes
    • Outlook 2019 in cached mode will attempt to pull search results from the server (not locally)
    • For more information see – BRK3130 Email search in a flash! Accelerating Exchange 2019 with SSDs (notes and session below)
  • Storage (and MCDB) in Exchange 2019 (32:50 mins)
    • Exchange 2019 can optionally leverage a MetaCache Database (“MCDB”) which is stored on SSD
    • MCDB allows for:
      • Faster logons
      • Faster search
      • Faster retrieval of very small items
    • MCDB caches 10% of key data from a DB including:
      • Index data
      • Mailbox folder structure
      • Very small items
    • If the SSD or MCDB were to fail all requests will be served directly from the mailbox DB on the spindle disk
    • Sizing for MCDB
      • Regardless of whether you deploy MCDB or not, your spindles must always meet the IOPS requirements for your users
      • All servers must have the same spindle & SSD layout
      • Spindle disk to SSD should be 3:1
      • To plan for SSD storage take 5-6% of your total spindle storage
      • Brent’s example
        • 15 spindle disks = 5 SSDs
        • 15 spindle disks at 10 TB each = 150 TB of mailbox storage
        • 5-6% of 150 TB = 10 TB of total MCDB storage
        • 10 TB = 5 SSDs at 2 TB each
  • Code optimizations (45:00 mins)
    • No more UM code
    • No more UM language packs to install
    • Exchange 2019 DVD size reduced by 20%
    • This results in:
      • Faster installs
      • Fewer files and disk usage
      • Improved security
      • Reduced surface area
  • Dynamic Database Cache (46:25 mins)
    • Memory allocation between active & passive DB copies optimized
    • Active copies get more memory and cache than passive copies
  • Performance gains from MCDB & Dynamic Database Cache (49:30 mins)
    • 20% more users per server
    • Latency cut by 50% for many client/server operations
  • Client Access Rules in Exchange 2019 (51:15 mins)
    • This restricts who can access the Exchange Admin Center & Exchange Management Shell
      • For example, allows the Exchange Admin Center to be restricted externally
    • Exchange 2019 should be the front-end for all client communications
    • Administrator mailboxes must be on Exchange 2019 to leverage these rules
  • Remove-CalendarEvents (54:10 mins)
    • Exchange administrators can cancel meetings (not appointments).
    • This is particularly useful to cancel a meeting from an organizer who has left the company
  • Outlook default option for recurring meetings now configures an end-date rather than no-end-date (57:00 mins)
  • Do Not Forward Meetings (57:20 mins)
    • Do Not Forward can now be set on meetings created in OWA.
    • Meeting attendees in OWA will see a banner stating Do Not Forward is enabled & Forward option is greyed out in the menu.
    • Exchange transport enforces the Do Not Forward settings so all Outlook clients honor this setting
    • All other Outlook clients will receive an NDR if they attempt to forward a Do Not Forward meeting
  • New Out of Office (OOF) options in OWA (1:00:20 mins)
    • Automatically decline meeting invites received during the OOF
    • Clear existing meetings during the OOF
    • Mark the user’s calendar as blocked during the OOF
  • Email Address Internationalization (1:01:45 mins)
    • Send/receive messages to/from non-English email addresses such as:
      • Latin
      • Greek
      • Chinese
      • Japanese
      • Cyrillic
      • Hindi
    • Adding EAI proxy addresses or accepted domains in Exchange is not supported
  • Exchange 2019 system requirements (1:03:00 mins)
    • Windows Server 2019
    • .NET Framework 4.7.2 (preinstalled with Windows Server 2019)
    • Forest functional level of Server 2012 R2
    • 128 GB minimum RAM (64 GB for Edge)
    • Minimum coexistence is Exchange 2013
    • For more information see – Exchange Server System Requirements
  • Future plans & roadmap (1:05:15 mins)

Show more session notes
Show less session notes




Hybrid Exchange - Making it easier and faster to move to the cloud
(watch video)

Hybrid Exchange: Making it easier and faster to move to the cloud
In this session, Jeff Kizner discusses all the advancements coming to Exchange hybrid. Topics include:

  • Future vision for hybrid (3:30 mins)
  • Administration challenges (6:00 mins)
  • Organization Configuration Transfer (“OCT”) (7:30 mins)
    • Version 1 released June 2018
    • Performs a one-time transfer of the following objects (and skips any named policy if it exists in the tenant already):
      • Retention policy
      • Retention policy tags
      • OWA mailbox policy
      • Mobile device mailbox policy
      • ActiveSync mailbox policy
  • Jeff demos OCT Version 2 (9:00 mins)
    • Hybrid key acquisition built into the hybrid configuration wizard (“HCW”)
    • Tip: Pressing F12 in the HCW gives you easy access to logs & PowerShell
    • Version 2 grants the administrator the ability to resolve conflicting policies
    • Rollback_OCT script available in the logging folder.
      • This gives you the PowerShell to reverse changes made by OCT
    • Version 2 adds the following objects into one-time transfer:
      • DLP policy
      • Organization configuration
      • ActiveSync device access rules
      • ActiveSync organization settings
      • Malware filter policy
      • Policy tips
      • Address lists
  • Demo of the new Hybrid Agent (24:15 mins)
    • Designed to establish hybrid with zero inbound connections from the cloud (no firewall, DNS, or, certificate changes required)
    • Utilizes Azure App Proxy technology
    • Demo of free/busy & MRS moves with Exchange on-prem not published over HTTPS 443
    • Demo of the following configuration in Exchange Online
  • Hybrid Agent architecture overview (32:50 mins)
    • Hybrid Agent installed on-prem & talks to Hybrid Proxy Service in the cloud
    • Hybrid Agent only needs outbound HTTPS 443 for mailbox moves & HTTP 80 for CRL checks
    • Each hybrid agent gets a unique Hybrid Proxy Service URL
      • URL formed from a randomly generated GUID
      • GUID can only be found in your on-prem logs or your Office 365 tenant
      • GUID combinations are 2 power of 22
      • Hybrid Proxy Service URL is locked down to just the Exchange Online IP addresses
      • Currently available in private preview
  • Hybrid Agent – Free/Busy lookups (36:05 mins)
    • Free/busy lookups from on-prem to cloud go directly to the internet
    • Free/busy lookups from cloud to on-prem use Hybrid Agent
  • Hybrid Agent – Mailbox migrations (37:05 mins)
    • Always uses the hybrid agent
  • Jeff demos setup of the Hybrid Agent (37:20 mins)
    • HCW asks if you want:
      • Classic Hybrid – same hybrid we use today
      • Modern Hybrid – automatically downloads & starts the Hybrid Agent install process
    • Install process
      • Download the agent
      • Install the bits
      • Register agent
        • This generates a certificate for your tenant that can only be used by you
      • Configure agent
        • Certificate valid for 180 days
        • Certificate auto rolled 30 days before expiration
        • Private key is non-exportable
        • Agent identifies a URL to use
      • Validate agent
        • Tests migration endpoint availability
      • Complete configuration
        • Set organization relationship (TargetSharingEpr, etc.)
  • Hybrid Agent Version 1 (43:40 mins)
    • Supports hybrid free/busy and mailbox moves only
    • Version 1 for new hybrid setups only
    • Install 3 or more agents for high availability
    • Dedicated servers not required (install the agent on existing Exchange servers)
    • Hybrid Agent can be installed in DMZ but required HTTPS back to Exchange on-prem servers
    • Hybrid Agent will auto-update
  • Demo solving hybrid Send As with the Hybrid Agent (49:15 mins)
  • Q&A from the audience (55:00 mins)
    • Can we control the updating of the Hybrid Agent?
    • Can we have a PowerShell version of the OCT?
    • What is the scalability of the Hybrid Agent?
    • Can RBAC be integrated into OCT & Hybrid Agent?
    • How can I get rid of Exchange on-prem?
    • Would the Hybrid Agent eliminate the need to keep Office 365 URLs & IPs up to date on our firewall?
    • Does the Hybrid Agent support multi-forest?
    • How does the Hybrid Agent work with organizational sharing of free/busy?
    • When is the Hybrid Agent expected to GA?
    • Do I still need a 3rd-party SSL cert for on-prem Exchange servers in hybrid?
    • Will there be a path from classic to modern hybrid?
    • Will the hybrid agent support multiple geographically dispersed migration endpoints?
    • Are there any advantages to sticking with the classic hybrid?
    • Is the private preview of the Hybrid Agent fully supported?
    • Does the Hybrid Agent remove the requirement to publish Autodiscover on-prem?
    • Will hybrid Send As work in multi-forest?
    • Will hybrid Send As be available in the classic hybrid?
    • Does the Hybrid Agent eliminate all DNS changes I need to make to go to Office 365?

Show more session notes
Show less session notes




Deploying Outlook mobile securely in the enterprise
(watch video)

Deploying Outlook mobile securely in the enterprise
In this session, Ross Smith IV discusses how to secure the Outlook mobile app for Exchange online and on-prem mailboxes using various technologies. Topics include:

  • Current Outlook mobile connectivity model for online & on-prem (2:50 mins)
  • Future Outlook connectivity model will consolidate all Outlook clients to just 2 protocols (5:10 mins)
    • Proprietary and REST protocols to be replaced by Hx starting EOY
    • Outlook Mac, Outlook Mobile & Windows 10 clients will all use Hx
      • Removes the need of the stateless protocol translator
    • Outlook Windows will continue to use MAPI/HTTP
  • ADAL authentication for Exchange online & on-prem mailboxes (7:20 mins)
  • Outlook mobile authentication explained (federated identity) (9:00 mins)
    • Required for user-based certificate authentication
  • Hybrid modern authentication (HMA) for on-prem mailboxes (11:55 mins)
    • Outlook Mobile only makes connections to Exchange Online
    • MRS syncs data between Exchange online and on-prem with ActiveSync
    • Ability to lock down on-prem ActiveSync to IPs for AutoDetect & Exchange online
  • Securing with Conditional Access (16:15 mins)
  • Require Outlook mobile as the exclusive messaging client with conditional access (19:30 mins)
    • Utilizes required approved client app
    • Use two conditional access policies
      • 1st policy matches either iOS or Android using modern auth and forces them to use Outlook mobile
      • 2nd policy matches for ActiveSync using basic auth and forces them to use Outlook mobile
      • In this config Exchange online will quarantine basic auth ActiveSync
  • Sign-in conditional access (26:50 mins)
    • Requires Azure Identity Protection
    • Can block Outlook mobile access based on leaked credentials or suspicious sign-ins
    • Possible action can force a password reset via SSPR
  • InTune MDM (30:25 mins)
    • Android for Enterprise (Android 5.0) is a container for corporate apps & data
    • Isolates corporate and personal data
  • InTune App Protection (35:25 mins)
    • Protects the individual apps without enrolling the device
    • Control access to app & data
    • Controls movement of data
    • Selective wipe of the app (by admin, user, or, offline interval)
    • Corporate data encrypted independent of device-level encryption
    • Personal or unmanaged data is untouched
  • Application configuration policies (47:00 mins)
    • Allows for the configuration & management of apps (e.g. Outlook mobile email account config)
  • New Outlook mobile admin experience in InTune (52:00 mins)
  • Securing data in Office 365 (53:30 mins)
    • Lockbox (just in time) for Office 365 engineers
    • TLS 1.2 encryption for data in flight
    • BitLocker for data at rest
    • Service encryption for data at rest in Exchange Online
  • Azure Information Protection now Microsoft Information Protection (57:00 mins)
    • Discover & classify sensitive data
    • Apply protection (encryption, restriction, watermarks), governance (retention, deletion, archiving), and monitoring (alerts).
    • Outlook mobile can set & see sensitivity labels
    • Estimated release Q2 2019
  • Demo on conditional access policies & user experience (59:00 mins)

Show more session notes
Show less session notes


[Read more…] about 15 Ignite sessions every Exchange admin should see (2018)