Office 365 News

Microsoft hosted its annual conference this September. However, unlike prior Ignite conferences, this one was impacted by COVID-19. As a result, Microsoft took its massive conference, typically attended by tens of thousands of individuals, and converted it into a digital online experience.

This digital Ignite was by no means a shadow of its former self. With 812 scheduled sessions and another 410 on-demand sessions via the Video Hub, this digital experience was massive.

At 1,222 sessions, here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes.”

(watch video)

Exchange – Here, There and Everywhere
In this session, Greg Taylor discusses the roadmap for Exchange on-prem and Exchange Online. Topics include:

• Exchange Calculator will now be a separate download, outside of the ISO (0:30 mins)
• Exchange 2016/2019 will support multiple tenants with the HCW (2:15 mins)
  • Up to 5 tenants at GA
  • Have to rerun the HCW against each tenant
  • HMA will be restricted to only 1 of those 5 tenants
  • It won’t configure free/busy between the tenants
• New Exchange Admin Center will be GA Q1 2021 (4:40 mins)
• New Exchange Admin Center Home (6:25 mins)
• New Exchange Admin Center Reports (7:25 mins)
  • Auto-Forwarded Message Report
  • Outbound Message Report
• Exchange PowerShell Module v2 (8:40 mins)
  • General availability of certificate-based authentication for unattended scripts
  • PowerShell Core support in preview
  • Linux PowerShell support in preview
• Plus, Addressing in Exchange Online is GA (11:15 mins)
  • Full rollout expected by October
  • Administrators need to enable it at the tenant-level
• A new version of on-premises Exchange Server (13:40 mins)
  • Released H2 2021
  • Only available via subscription purchase
  • SharePoint and Skype for Business will follow suit
  • Can install into an existing org with Exchange 2013, Exchange 2016, and Exchange 2019
  • One more backward-compatible version than normal
  • Exchange 2019 users can do an in-place upgrade to vNext (like applying a CU)
  • Only for 2 years after vNext release
  • Exchange 2019 and vNext can be in the same DAG and load balancer VIP
  • No more major Exchange upgrades
• Exchange 2016 end of mainstream support – October 14th (20:00 mins)
  • If using the free hybrid key, keep using it during extended support
  • If you have on-prem mailboxes, migrate to Exchange 2019
• Removing the last Exchange server (22:30 mins)
  • Nothing to announce, but work is still in progress
• Basic Authentication still being retired (23:30 mins)
  • Deadline extended to H2 2021
  • Easy on/off controls in M365 Admin Center
  • OAuth support added for POP, IMAP, and SMTP AUTH
  • PowerShell Module v2 uses modern auth
  • Outlook 2013 and newer uses modern auth
  • Use the Azure AD Sign-Ins report
  • Basic auth will be turned off in new tenants by default with security defaults
  • Basic auth will be turned off in tenants not using it
• Additional Exchange Online training resources
 (26:55 mins)

Show more session notes

Show less session notes

(watch video)

Exchange Online Transport – New Email Management, Optics and End-user experiences
In this session, Kevin Shaughnessy discusses all the advancements coming to Exchange transport. Topics include:

• Support for Plus Addresses (4:55 mins)
  • E.g., amypond+newsletter@supertekboy.com
  • Now rolling out
  • Great way to see who may have sold/leaked your data
  • Can target inbox roles to use the new plus address (move to a folder, etc.)
  • Could use it to track marketing/sales campaigns you initiate
• Block users from blind carbon copying (BCC) a group (9:00 mins)
  • Problem: Inbox rules were ignoring a group added to the BCC line in an email
  • Solution: Generate an NDR if a group is added to the BCC line in an email. It can be enabled per group by either the group owner or administrator.
  • Rolling out Q4 2020
• New Exchange Admin Center (12:53 mins)
  • All mail flow items and insights (e.g., message trace and mail flow reports) are moving from the Security & Compliance Center to the new Exchange Admin Center
  • New Exchange Admin Center is an opt-in experience
• DEMO: New Exchange Center mail flow group (14:15 mins)
• New Mail Flow Insights, Notifications, and Reports (16:10 mins)
  • Expired / soon to expire certificates report (Q4 2020)
  • Expired / soon to expire domains report (Q4 2020)
  • Misconfigured connectors report (TBD)
  • New Settings
    • Message expiration for email delivery issues (Q4 2020)
      • Default is 24 hours to generate NDR
      • Will be able to configure expiration and NDR value of 8-24 hours
    • Expiration for queued due to TLS failures (TBD)
      • Default is 24 hours to generate NDR
      • Under consideration
• Reply-All Storm Protection (21:20 mins)
  • V1 is currently deployed
    • 10 reply-all to emails with 5,000 recipients within 1 hour
    • Blocks replies with an NDR for up to 4 hours
  • V2 planned
    • Customize the number of recipients on the email (new default will be 2,500)
    • Customize the number of reply-all messages detected in 1 hour (default will still be 10)
    • Customize block replies (default will still be 4 hours)
    • Reply-All Storm insights/reports coming to EAC
• Message Recall for Exchange Online (26:15 mins)
  • Previously message recall is client-based and only works when the client is Outlook (not web or mobile)
  • New message recall is client agnostic and will remove the message from the mailbox
  • User will see a report of message recall success/failure
  • Available by Q4 2020

Show more session notes

Show less session notes

(watch video)

Exchange Online Transport – Email Security Updates
In this session, Sean Stevenson discusses new security features coming to Exchange transport. Topics include:

• Existing mail flow scenarios and susceptibility for attack (3:04 mins)
• TLS 1.0 deprecation underway (6:55 mins)
  • TLS 1.0 already disabled for DoD/GCC High tenants
  • 2% of all mail to/from Office 365 with other mail exchangers using TLS 1.0
  • Even with TLS 1.0 disabled man-in-the-middle attacks are still a problem
• DEMO: New Exchange Admin Center insights and reports identify mail sending with TLS 1.0 to/from your tenant (10:30 mins)
• New cipher requirements to send/receive mail to Exchange Online (11:40 mins)
• SMTP MTA Strict Transport Security support (RFC 8461) (12:55 mins)
  • Office 365 outbound now supports MTA-STS
  • DNS TXT record added to external DNS which identify location (and presence) of an MTA-STS policy (TEXT file hosted on a web server)
• DEMO: Example of an MTA-STS policy (TEXT file) (17:50 mins)
• Support for DANE / DNSSEC (18:25 mins)
  • DANE for SMTP identifies what TLS protocols the recipient domain supports prior to handshake/TLS negotiation
  • Protects against man-in-the-middle or downgrade attacks
  • DANE TSLA records protected with DNSSEC to prevent tampering with the DANE records
  • Outbound protection will be added before inbound protection
• SMTP Auth Clients (20:52 mins)
  • Deprecation of TLS 1.0 for SMTP Auth Clients is still coming
  • If your SMTP Auth Clients can’t be easily upgraded to use TLS 1.2, leverage Exchange on-premises for mail relay.
• DEMO: SMTP Auth Client report (23:00 mins)
• SMTP Auth Clients (24:10 mins)
  • No plans to deprecate basic authentication for SMTP Auth Clients at this time.
  • Modern Auth (OAuth) is available for SMTP Auth Clients (recommended)
  • Recommended: Disable SMTP Auth for any mailbox that does not require it
  • SMTP Auth being globally disabled on all new tenants (can be re-enabled by the admin)

Show more session notes

Show less session notes

This week was a big week for Exchange. Microsoft released its sixth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 6 (VLSC)| KB4556415

Exchange 2016 Cumulative Update 17 | KB4556414 | UM Language Pack

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft added thirteen new blocked file types for use with the OWA Mailbox Policy. The additions included several scripting extensions, including many python file types such as .py, .pyc, and .pyo. For a full list of the new extensions, check the following article.

These cumulative updates also correct an issue when using the Restore-RecoverableItems command in a pipe. We covered the cloud-exclusive GUI version of this command in an article earlier this week. Be sure to check it out.

Companies leveraging Hybrid Modern Authentication will also want to take note of these updates as they fix unexpected authentication prompts during certificate rollovers.

Customers leveraging Edge Transport will also want to take note as these updates resolve a situation where Edge Transport servers may become unresponsive due to deadlock in the shadow redundancy manager.

For a full list of all fixes, be sure to check out the KBs KB4556415 and KB4556414.

Recover deleted mail using the new Exchange Admin Center in Office 365

In the last quarterly update, we covered the new Exchange Admin Center in Office 365. Exclusive to the new admin center is the ability to recover deleted items back into a user’s mailbox. This process has been available using PowerShell for some time.

Keep in mind you can only recover up to the limit of your single item recovery policy. By default, this is 14 days in Office 365, but can be increased to 30 days (although you will need to set this ahead of time).

You can read more about how to recover deleted items in the following article.

Preventing Reply-All Storms in Exchange Online

Microsoft has added a new feature to combat reply-all storms. These storms are particularly prevalent when numerous people execute a reply-all to a massive distribution list.

Microsoft’s initial reply-all protection will block replies to an email thread for 4 hours if it detects more than ten reply-all messages within 60 minutes to a thread with over 5,000 recipients.

The eleventh sender will receive a non-delivery report titled Reply-All Storm Protection with the reason the message was blocked.