Exchange

Thrive as an enterprise organization in Microsoft Exchange Online
If you could only watch one session then it should be this one. In this session, Jeff Kizner reveals a slew of announcements for Exchange Online. Announcements include; highly requested coexistence features for Exchange hybrid and, new advances in a tenant to tenant migrations. Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.

• Mailbox Plans (4:06 mins)
  • Set-MailboxPlan can now assign a retention policy to a mailbox when the mailbox is provisioned.
  • Set-CASMailboxPlan (new cmdlet) can now configure whether ActiveSync, IMAP, and POP are enabled on a mailbox when it is provisioned in Office 365.
• Client Access Rules (6:52 mins)
  • Additional rule conditions for matching source IP, protocol, recipient filters, or, username
  • Great for only allowing certain protocols from certain locations (e.g. ActiveSync from satellite offices)
  • You can have up to 20 client access rules
  • Best practice to have an “Allow PowerShell” rule in priority 1 (don’t lock yourself out!)
• Creating a custom app for message classification (16:00 mins)
  • Jeff demonstrates a custom app that uses the Outlook On Send feature to take action when a user clicks the send button in Outlook
  • On Send must be enabled in the OwaMailboxPolicy assigned to the user
  • Available since Exchange 2016 CU5
• Hybrid delegation (26:40 mins)
  • Jeff discusses and demos advancements in hybrid delegation (full access, auto-map, send as, send on behalf)
• On-premises policies will come over to Office 365 (46:06 mins)
  • Hybrid wizard will ask you which on-prem policies you want to copy into Office 365 (e.g. OWA, ActiveSync and Retention policies)
  • User’s mailbox, when moved to Office 365, will retain their existing policy assignments
• Hybrid publishing (50:52 mins)
• Hybrid recipient management (54:16 mins)
  • Jeff’s team is working towards allowing admins to make changes to attributes in Office 365 and have those attributes sync back to on-prem. This will remove the need to keep Exchange on-prem for recipient management.
  • Jeff’s team is also looking at changing the source of authority on synchronized objects to Azure Active Directory.
• Migrating data between tenants – mergers and acquisitions (59:33 mins)
  • Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.

Scott Schnoll’s Exchange tips and tricks
Scott provides us with his top tips for Exchange. Topics include:

• Server roles in Exchange 2016 (1:41 mins)
• How Exchange is developed (2:41 mins)
• Exchange 2016 Lifecycle (3:56 mins)
• Changes in Exchange 2016 CU7 (4:51 mins)
  • Forest functional level is now 2008 R2 or higher
• Announcing Exchange 2019 (8:48 mins)
  • Preview shipping mid-2018
  • General release second half of 2018
• Bug in Windows Server 2016 that caused IIS to crash – KB3206632 (10:20 mins)
• iOS11 issue with HTTP/2 (11:22 mins)
  • Microsoft turned off HTTP/2 across all Exchange Online servers
  • Microsoft recommends administrators disable HTTP/2 across all on-premises Exchange servers until Apple resolves this issue
  • Microsoft is working with Apple to help them resolve the issue
• New calendar improvements across all Outlook clients (15:16 mins)
• Administrator configured out of office replies (18:00 mins)
• Message Latency in logs (19:47 mins)
• Running antivirus on the operating system (21:00 mins)
  • Windows Server 2016 comes with a built-in fully-fledged antivirus
  • Make sure to configure antivirus with all path, process and file type exclusions
• Health mailboxes (23:22 mins)
  • Do not alter their AD account in any way
  • Do not alter their password or account lockout settings
  • Do not move or alter their mailboxes in any way
• Stalled mailbox migrations to Office 365 (26:40 mins)
• Protocol Agnostic Workflow (PAW) (30:24 mins)
  • New mailbox migration code in Office 365 that improves stability and throughput
  • Individual users can be removed from a batch
  • Batch completions can be scheduled
  • Better reporting
  • Microsoft will automatically enable this for your tenant but only if your tenant has no active or completed batches
• OAuth (35:26 mins)
• Hybrid license key and hybrid diagnostics wizard (39:20 mins)
• When to decommission Exchange on-premises (42:00 mins)
• PST elimination tools (44:27 mins)
• Deprecation of RPC over HTTPS – Outlook Anywhere (46:32 mins)
• Mailbox encryption coming soon to Office 365. You can encrypt with either:  (53:00 mins)
  • Microsoft managed key
  • Customer provided key
• Using Azure VM for DAG witness (55:04 mins)
• Changes to lagged copy behavior (56:15 mins)
• Recovering an Exchange Server with newer CU (59:58 mins)
  • This is possible and supported
  • Admin version will still show old CU build until you go to a newer CU later on
• New anti-phishing behavior in Office 365 (1:01:09 mins)
• Connecting to Security & Compliance Center via PowerShell (1:07:29 mins)
• Azure Information Protection – AIP (1:08:17 mins)
• Advanced Find in Outlook deprecation and reinstatement (1:12:38 mins)
• New TAP program for migrating public folders to Office 365 Groups (1:13:14 mins)

Modern authentication for Exchange Server on-premises
Greg Taylor discusses two new modern authentication scenarios coming to Exchange on-premises. One scenario which will be available to Exchange 2013 and 2016. And a future scenario that will be available in Exchange 2019. No bunnies were harmed in the delivery of this session.

• Importance of Modern Authentication (2:39 mins)
  • Allows Outlook to authenticate with a token
  • An easier route to enable Outlook for Multi-Factor Authentication (MFA)
  • Relies on strong network connectivity
• Two implementations of modern authentication will ship (7:10 mins)
  • Exchange 2013 / 2016 implementation expected by December 2017
  • Exchange 2019 implementation will ship when new release ships second half 2018
• Overview of how modern authentication works (10:00 mins)
  • Modern auth will only work with MAPI over HTTP.
  • No RPC over HTTP support.
  • Exchange will use modern auth for all client connections, regardless of whether they originate from inside or outside the network.
• Example of modern auth during autodiscover (15:35 mins)
  • Authorization type of “Bearer” is Outlook instructing Exchange that it can do modern authentication
  • Exchange responds to the client with STS authorization URL (for example AD FS)
• Explanation of token exchange (17:46 mins)
  • The access token has a lifetime of 1 hour (default TTL)
  • When the Access token expires the client uses their Refresh token to request a new Access Token (re-authenticate)
  • The refresh token is valid for 14 days (default TTL)
  • Password change:
    • Immediately invalidates the Refresh Token.
    • Access token remains valid for the remainder of its duration (up to 1 hour)
• Deep dive into two versions of on-prem modern auth (23:30 mins)
  • Exchange 2019 will ship with an on-prem implementation of Modern Auth
    • AD FS 2016 required
    • Outlook 2016 / 2019 required
      • Outlook 2013 and older will not work
    • Exchange 2013 / 2016 can be in the organization (no Exchange 2010)
    • Device registration is required
  • Exchange 2013/2016 will ship with a hybrid implementation of Modern Auth
    • Will require hybrid connectivity with Office 365
    • AD FS not required (can just use Password Sync with Azure AD Connect)
    • Exchange HCW must be run to enable OAuth
    • On-prem SPNs registered with Azure AD (configuring this is shown at 39:05 mins)
    • Exchange 2010 is completely unsupported and must be removed from the environment – no coexistence
• OAuth tokens rely on TLS for encryption (32:13 mins)