Office 365 News

This week was a big week for Exchange. Microsoft released its fourth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 4 (VLSC)| KB4522149

Exchange 2016 Cumulative Update 15 | KB4522150 | UM Language Pack

Exchange 2010 support extended

Back in September, the Exchange Team announced that is was extending support for Exchange 2010 by nine months. Exchange 2010 now shares the same end-of-life date as Office 2010 and SharePoint 2010, which is October 13th, 2020.

While this extension allows for a little more breathing room, it does not extend support for Windows Server 2008 R2, which is the underlying operating system for many Exchange 2010 installations. Server 2008 R2 will still go end of life on January 14th, 2020.

The Exchange Team has provided this extension to allow companies more time to migrate to a newer email platform, such as Office 365, or, Exchange 2016.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem, you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019.

For more information on migrating from Exchange 2010 to 2016, check out this recent blog article from the Exchange Team: Exchange On-Premises Best Practices for Migrations from 2010 to 2016

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft has resolved a number of security and non-security issues. You can read more about those in KBs 4522149 and 4522150.

Most notably this fixes an issue I had run into myself in both Exchange 2016 CU13 and CU14. The issue was after running the Hybrid Configuration Wizard you could no longer modify the Outbound to Office 365 send connector if your source servers were Edge Transport servers.

Attempting any modifications to the send connector would result in the errors: Error 0x5 (Access is denied) from cli_GetCertificate or Error 0x6ba (The RPC server is unavailable) from cli_GetCertificate. This error was caused because the Exchange organization was attempting to access the certificates on the Edge Transport servers. I can confirm CU15 resolved this error for me.

Note: Error 0x5 (Access is denied) from cli_GetCertificate was also reported in Exchange 2019 CU2 and CU3. It has been resolved in CU4.

This week was a big week for Exchange. Microsoft released its third cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 3 (VLSC)| KB4514141

Exchange 2016 Cumulative Update 14 | KB4514140 | UM Language Pack

Exchange 2010 SP3 Rollup 29 | KB4509410 (Released in July)

Exchange 2010 support extended

In a recent blog post, the Exchange Team announced that is was extending support for Exchange 2010 by nine months. Exchange 2010 now shares the same end-of-life date as Office 2010 and SharePoint 2010, which is October 13th, 2020.

While this extension allows for a little more breathing room, it does not extend support for Windows Server 2008 R2, which is the underlying operating system for many Exchange 2010 installations. Server 2008 R2 will still go end of life on January 14th, 2020.

The Exchange Team has provided this extension to allow companies more time to migrate to a newer email platform, such as Office 365, or, Exchange 2016.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem, you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019.

For more information on migrating from Exchange 2010 to 2016, check out this recent blog article from the Exchange Team: Exchange On-Premises Best Practices for Migrations from 2010 to 2016

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft has resolved a number of security and non-security issues. You can read more about those in KBs 4514141 and 4514140. In addition, this set of cumulative updates addresses changes to daylight savings.

This week was a big week for Exchange. Microsoft released its second cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 2 (VLSC)| KB4488401

Exchange 2016 Cumulative Update 13 | KB4488406 | UM Language Pack

Exchange 2013 Cumulative Update 23 | KB4489622 | UM Language Pack

Exchange 2010 SP3 Rollup 27 | KB4491413

The final countdown – 208 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

In the last set of cumulative updates, Microsoft reduced the number of permissions Exchange had in Active Directory. In an ongoing effort to further tighten the security posture of Exchange, Microsoft has further reduced Exchange’s permissions in Active Directory.

This includes two notable changes. The first is that Exchange can no longer assign service principal names (SPN). Second, a deny attribute has been added to the DNS Admins group. The Exchange Team determined neither of these rights was necessary for the operation of Exchange.

In the previous Exchange 2019 cumulative update, you could disable legacy protocols on a per-user basis. In cumulative update 2, you can now globally disable legacy authentication at the organization level.

This series of updates also introduces support for .NET Framework 4.8. While optional now, 4.8 will be mandatory as part of the December 2019 updates.

Last week was a big week for Exchange. Microsoft released its first cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 1 (VLSC)| KB4471391

Exchange 2016 Cumulative Update 12 | KB4471392 | UM Language Pack

Exchange 2013 Cumulative Update 22 | KB4345836 | UM Language Pack

Exchange 2010 SP3 Rollup 26 | KB4487052 (released February)

Exchange 2010 SP3 Rollup 25 | KB4468742 (released January)

Only 325 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug, and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

Push notifications are one type of notification a developer can leverage in their application to add value. An example of a push notification might be the notification of new mail on a mobile device.

In this series of cumulative updates, the Exchange Team has changed the way it initiates push notifications through Exchange Web Services. This is in direct response to a security flaw where an attacker could intercept push notifications to gain access to credentials streamed via NTLM. These cumulative updates mitigate this attack by removing these credentials from the stream. Microsoft documents this resolution in KB4490060.

After applying this cumulative update, Microsoft recommends forcing the computer account to change its password by using either the Reset-ComputerMachinePassword cmdlet or, NETDOM. In addition, Microsoft recommends every organization review its user password expiration policies.

In further response to the security flaw, Microsoft is reducing the number of rights Exchange has in Active Directory when operating in a shared permission model.

In a shared permission model, Exchange administrators have the ability to create security principals in Active Directory and mail-enable those security principals. This includes the ability to create a new user as you are creating a mailbox, or, the ability to remove a user when you remove a mailbox. This also extends to tasks such as being able to create a distribution group, or, modify distribution group members.

In a split permission model, the Exchange administrator is restricted from these tasks and can only mail-enable, or, mail-disable existing objects (e.g. users, groups, or contacts) that were created by an administrator with Active Directory rights.

Going forward the shared permission model will have fewer Active Directory rights, but that does not mean reduced functionality for Exchange administrators.

It’s amazing to believe that Microsoft Ignite was over a month ago. With 1,610 sessions Microsoft gave us a massive amount of announcements and demonstrations of new product features. This included Exchange 2019.

If not already, I highly recommend checking out 15 Ignite sessions every Exchange admin should see.  Each session in this article includes extensive notes on what each session contained. In addition, those notes contain timers so you can jump to the section that interests you the most. Hopefully, it will also serve as a reference if you need to search for a certain announcement or feature weeks (or even months) down the road.

Here is what Ignite taught us about Exchange 2019.

Changes to Exchange development

The tagline for Exchange 2016 was that it was “forged in the cloud”. This was a result of Exchange Online and Exchange on-prem sharing a common code base. The greatest benefit of this common code was that it ran in the cloud for a number of months before shipping on-prem as a cumulative update. By the time the code was released on-prem, it had been more than validated as stable and able to run at scale.

Going forward Microsoft has separated Exchange on-prem into its own code branch. This means that Exchange online is no longer driving cumulative updates for on-prem. What will drive updates are security patches and feature requests from customers. So, be sure to make your voice heard on UserVoice, at conferences, and in the various TAP programs.

While Microsoft currently plans to keep cumulative updates quarterly, they have opened up the conversation on whether updates should occur less frequently. Common feedback is that the current release cadence of quarterly cumulative updates is too aggressive for some customers. The product group also believes this could result in more stable releases.

Last week was a big week for Exchange 2016. Microsoft released Cumulative Update 11. At this time no updates were released for Exchange 2013 or Exchange 2010. Exchange 2013 entered extended support back on April 10th, and Microsoft announced in June that cumulative update 21 was the last planned update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2016 Cumulative Update 11 | KB4134118 | UM Language Pack

Exchange 2010 SP3 Rollup 24 | KB4458321 (released September)

Exchange 2010 SP3 Rollup 23 | KB4340733 (released August)

So, what’s new in these Cumulative Updates?

Cumulative Update 11 now officially supports .NET Framework 4.7.2. Framework 4.7.2 is only optional at this point and will not become mandatory until the June 2019 updates. Due to no quarterly update scheduled for December, it is expected that CU13 will be the first version to enforce 4.7.2 as a requirement.

Support for 4.7.2 has been officially added to Exchange 2013 CU21, which was released back in June. 4.7.2 will also be a requirement for Exchange 2019. However, 4.7.2 is preinstalled with Windows Server 2019, so it will not require a separate download. For a great resource on navigating which .NET update goes with which CU I recommend reading Upgrade Paths for CU’s & .NET by Michel de Rooij.

In the June updates, it was stated that all Exchange roles would require Visual C++ 2013. Microsoft has since clarified this statement to the following:

• Mailbox role will require both Visual C++ 2012 & Visual C++ 2013
• Edge & Management tools only require Visual C++ 2012

Cumulative Update 11 will now perform prerequisite checks to confirm the necessary versions of Visual C++ are installed.

These updates contain 22 security and bug fixes. Check KB 4134118 for a list of issues CU11 resolves.

Microsoft hosted its annual Ignite conference in Orlando this September. Ignite was massive at 1,610 sessions. That is a lot of sessions! For the first time ever, Microsoft live-streamed most of its sessions. Not just the keynotes! You can find the on-demand sessions at the Microsoft Tech Community. Here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes”

(watch video)

Welcome to Exchange Server 2019
In this session, Greg Taylor and Brent Alinger discuss all the new features shipping in Exchange 2019. They also discuss features that have been discontinued and the system requirements for Exchange 2019.

• Current state of Exchange Online (1:05 mins)
  • Office 365 revenue 38% YoY growth
  • Office 365 seats 29% YoY growth
  • 135 million users in Office 365
  • Outlook mobile on >100 million devices
  • 94% of Fortune 500 have Office 365
• Exchange 2019 only available via volume licensing (3:30 mins)
• Changes to Exchange development (4:20 mins)
  • Exchange on-prem & Exchange online were developed in tandem using the same code
  • Exchange on-prem code moved to its own code branch & will be independent of Exchange online
  • Discussion on cumulative update schedule going forward
• Unified Messaging removed from Exchange 2019 (10:40 mins)
  • UM functions have been removed
  • Migrating a UM-enabled mailbox to Exchange 2019 will UM-disable that mailbox
  • Recommend replacement is Cloud Voice Mail which can still store voice mail in Exchange mailboxes via EWS or SMTP
  • If you need Unified Messaging:
    • Move all mailboxes to Office 365
    • Migrate to Skype for Business Server 2019 & utilize Cloud Voice Mail
    • Stay on Exchange 2016
    • Deploy a 3rd party voice mail solution
  • For more information see BRK3229 – Everything you need to know about Skype for Business Server
• Unified Messaging Migration scenarios for Exchange 2019 (15:30 mins)
  • Exchange 2013 or 2016 + Skype for Business
    • Migrate to Skype for Business Server 2019
    • Enable Cloud Voice Mail
    • Migrate to Exchange Server 2019
  • Exchange 2013 or Exchange 2016 + 3rd Party PBX
    • Implement a 3rd party voice mail solution
    • Migrate to Exchange Server 2019
  • Note: Due to the discontinuation of Session Border Controllers, 3rd party PBX systems cannot use Cloud Voice Mail.
• Vision for Exchange 2019 (17:30 mins)
• Exchange Server 2019 requires Windows Server 2019 (19:20 mins)
  • Windows Server 2019 available in October
• Exchange Server 2019 supports Server Core (20:15 mins)
  • Microsoft recommends server core for improved performance, smaller attack surface & smaller disk footprint.
  • Exchange 2019 can still be installed on an OS with a GUI.
• Exchange 2019 will only use TLS 1.2 (23:15 mins)
  • RC2, RC4, DES, 3DES, MD5 & SHA disabled during install
  • Preference for elliptic curve key exchange
  • Exchange will use forward key secrecy
  • EHLO Blog: Getting ready for TLS 1.2
• Exchange RAM requirements (25:55 mins)
  • Max supported RAM = 256 GB
  • Mailbox role min RAM = 128 GB (2016 was 8 GB)
  • Edge role min. RAM = 64 GB (2016 was 8 GB)
  • Max processor count = 48 cores (2016 was 24)
• Search changes in Exchange 2019 (29:35 mins)
  • Big Funnel (powered by Bing technology) replaces Fast Search
  • Indexes now stored in the DBs (in each mailbox)
  • No more potentially huge index files that can become unhealthy
  • Index health no longer an issue for DB failovers or switchovers
  • DB log shipping includes the indexes
  • Outlook 2019 in cached mode will attempt to pull search results from the server (not locally)
  • For more information see – BRK3130 Email search in a flash! Accelerating Exchange 2019 with SSDs (notes and session below)
• Storage (and MCDB) in Exchange 2019 (32:50 mins)
  • Exchange 2019 can optionally leverage a MetaCache Database (“MCDB”) which is stored on SSD
  • MCDB allows for:
    • Faster logons
    • Faster search
    • Faster retrieval of very small items
  • MCDB caches 10% of key data from a DB including:
    • Index data
    • Mailbox folder structure
    • Very small items
  • If the SSD or MCDB were to fail all requests will be served directly from the mailbox DB on the spindle disk
  • Sizing for MCDB
    • Regardless of whether you deploy MCDB or not, your spindles must always meet the IOPS requirements for your users
    • All servers must have the same spindle & SSD layout
    • Spindle disk to SSD should be 3:1
    • To plan for SSD storage take 5-6% of your total spindle storage
    • Brent’s example
      • 15 spindle disks = 5 SSDs
      • 15 spindle disks at 10 TB each = 150 TB of mailbox storage
      • 5-6% of 150 TB = 10 TB of total MCDB storage
      • 10 TB = 5 SSDs at 2 TB each
• Code optimizations (45:00 mins)
  • No more UM code
  • No more UM language packs to install
  • Exchange 2019 DVD size reduced by 20%
  • This results in:
    • Faster installs
    • Fewer files and disk usage
    • Improved security
    • Reduced surface area
• Dynamic Database Cache (46:25 mins)
  • Memory allocation between active & passive DB copies optimized
  • Active copies get more memory and cache than passive copies
• Performance gains from MCDB & Dynamic Database Cache (49:30 mins)
  • 20% more users per server
  • Latency cut by 50% for many client/server operations
• Client Access Rules in Exchange 2019 (51:15 mins)
  • This restricts who can access the Exchange Admin Center & Exchange Management Shell
    • For example, allows the Exchange Admin Center to be restricted externally
  • Exchange 2019 should be the front-end for all client communications
  • Administrator mailboxes must be on Exchange 2019 to leverage these rules
• Remove-CalendarEvents (54:10 mins)
  • Exchange administrators can cancel meetings (not appointments).
  • This is particularly useful to cancel a meeting from an organizer who has left the company
• Outlook default option for recurring meetings now configures an end-date rather than no-end-date (57:00 mins)
• Do Not Forward Meetings (57:20 mins)
  • Do Not Forward can now be set on meetings created in OWA.
  • Meeting attendees in OWA will see a banner stating Do Not Forward is enabled & Forward option is greyed out in the menu.
  • Exchange transport enforces the Do Not Forward settings so all Outlook clients honor this setting
  • All other Outlook clients will receive an NDR if they attempt to forward a Do Not Forward meeting
• New Out of Office (OOF) options in OWA (1:00:20 mins)
  • Automatically decline meeting invites received during the OOF
  • Clear existing meetings during the OOF
  • Mark the user’s calendar as blocked during the OOF
• Email Address Internationalization (1:01:45 mins)
  • Send/receive messages to/from non-English email addresses such as:
    • Latin
    • Greek
    • Chinese
    • Japanese
    • Cyrillic
    • Hindi
  • Adding EAI proxy addresses or accepted domains in Exchange is not supported
• Exchange 2019 system requirements (1:03:00 mins)
  • Windows Server 2019
  • .NET Framework 4.7.2 (preinstalled with Windows Server 2019)
  • Forest functional level of Server 2012 R2
  • 128 GB minimum RAM (64 GB for Edge)
  • Minimum coexistence is Exchange 2013
  • For more information see – Exchange Server System Requirements
• Future plans & roadmap (1:05:15 mins)

Show more session notes

Show less session notes

(watch video)

Hybrid Exchange: Making it easier and faster to move to the cloud
In this session, Jeff Kizner discusses all the advancements coming to Exchange hybrid. Topics include:

• Future vision for hybrid (3:30 mins)
• Administration challenges (6:00 mins)
• Organization Configuration Transfer (“OCT”) (7:30 mins)
  • Version 1 released June 2018
  • Performs a one-time transfer of the following objects (and skips any named policy if it exists in the tenant already):
    • Retention policy
    • Retention policy tags
    • OWA mailbox policy
    • Mobile device mailbox policy
    • ActiveSync mailbox policy
• Jeff demos OCT Version 2 (9:00 mins)
  • Hybrid key acquisition built into the hybrid configuration wizard (“HCW”)
  • Tip: Pressing F12 in the HCW gives you easy access to logs & PowerShell
  • Version 2 grants the administrator the ability to resolve conflicting policies
  • Rollback_OCT script available in the logging folder.
    • This gives you the PowerShell to reverse changes made by OCT
  • Version 2 adds the following objects into one-time transfer:
    • DLP policy
    • Organization configuration
    • ActiveSync device access rules
    • ActiveSync organization settings
    • Malware filter policy
    • Policy tips
    • Address lists
• Demo of the new Hybrid Agent (24:15 mins)
  • Designed to establish hybrid with zero inbound connections from the cloud (no firewall, DNS, or, certificate changes required)
  • Utilizes Azure App Proxy technology
  • Demo of free/busy & MRS moves with Exchange on-prem not published over HTTPS 443
  • Demo of the following configuration in Exchange Online
    • Get-OrganizationRelationship shows TargetSharingEpr configured with a Microsoft owned endpoint (not your on-prem endpoint)
    • Get-MigrationEndPoint shows RemoteServerAddress configured with a Microsoft owned endpoint (not your on-prem endpoint)
    • Set-OrganizationRelationship with TargetSharingEpr can override the autodiscover configuration for intra-org sharing
• Hybrid Agent architecture overview (32:50 mins)
  • Hybrid Agent installed on-prem & talks to Hybrid Proxy Service in the cloud
  • Hybrid Agent only needs outbound HTTPS 443 for mailbox moves & HTTP 80 for CRL checks
  • Each hybrid agent gets a unique Hybrid Proxy Service URL
    • URL formed from a randomly generated GUID
    • GUID can only be found in your on-prem logs or your Office 365 tenant
    • GUID combinations are 2 power of 22
    • Hybrid Proxy Service URL is locked down to just the Exchange Online IP addresses
    • Currently available in private preview
• Hybrid Agent – Free/Busy lookups (36:05 mins)
  • Free/busy lookups from on-prem to cloud go directly to the internet
  • Free/busy lookups from cloud to on-prem use Hybrid Agent
• Hybrid Agent – Mailbox migrations (37:05 mins)
  • Always uses the hybrid agent
• Jeff demos setup of the Hybrid Agent (37:20 mins)
  • HCW asks if you want:
    • Classic Hybrid – same hybrid we use today
    • Modern Hybrid – automatically downloads & starts the Hybrid Agent install process
  • Install process
    • Download the agent
    • Install the bits
    • Register agent
      • This generates a certificate for your tenant that can only be used by you
    • Configure agent
      • Certificate valid for 180 days
      • Certificate auto rolled 30 days before expiration
      • Private key is non-exportable
      • Agent identifies a URL to use
    • Validate agent
      • Tests migration endpoint availability
    • Complete configuration
      • Set organization relationship (TargetSharingEpr, etc.)
• Hybrid Agent Version 1 (43:40 mins)
  • Supports hybrid free/busy and mailbox moves only
  • Version 1 for new hybrid setups only
  • Install 3 or more agents for high availability
  • Dedicated servers not required (install the agent on existing Exchange servers)
  • Hybrid Agent can be installed in DMZ but required HTTPS back to Exchange on-prem servers
  • Hybrid Agent will auto-update
• Demo solving hybrid Send As with the Hybrid Agent (49:15 mins)
• Q&A from the audience (55:00 mins)
  • Can we control the updating of the Hybrid Agent?
  • Can we have a PowerShell version of the OCT?
  • What is the scalability of the Hybrid Agent?
  • Can RBAC be integrated into OCT & Hybrid Agent?
  • How can I get rid of Exchange on-prem?
  • Would the Hybrid Agent eliminate the need to keep Office 365 URLs & IPs up to date on our firewall?
  • Does the Hybrid Agent support multi-forest?
  • How does the Hybrid Agent work with organizational sharing of free/busy?
  • When is the Hybrid Agent expected to GA?
  • Do I still need a 3rd-party SSL cert for on-prem Exchange servers in hybrid?
  • Will there be a path from classic to modern hybrid?
  • Will the hybrid agent support multiple geographically dispersed migration endpoints?
  • Are there any advantages to sticking with the classic hybrid?
  • Is the private preview of the Hybrid Agent fully supported?
  • Does the Hybrid Agent remove the requirement to publish Autodiscover on-prem?
  • Will hybrid Send As work in multi-forest?
  • Will hybrid Send As be available in the classic hybrid?
  • Does the Hybrid Agent eliminate all DNS changes I need to make to go to Office 365?

Show more session notes

Show less session notes

(watch video)

Deploying Outlook mobile securely in the enterprise
In this session, Ross Smith IV discusses how to secure the Outlook mobile app for Exchange online and on-prem mailboxes using various technologies. Topics include:

• Current Outlook mobile connectivity model for online & on-prem (2:50 mins)
• Future Outlook connectivity model will consolidate all Outlook clients to just 2 protocols (5:10 mins)
  • Proprietary and REST protocols to be replaced by Hx starting EOY
  • Outlook Mac, Outlook Mobile & Windows 10 clients will all use Hx
    • Removes the need of the stateless protocol translator
  • Outlook Windows will continue to use MAPI/HTTP
• ADAL authentication for Exchange online & on-prem mailboxes (7:20 mins)
• Outlook mobile authentication explained (federated identity) (9:00 mins)
  • Required for user-based certificate authentication
• Hybrid modern authentication (HMA) for on-prem mailboxes (11:55 mins)
  • Outlook Mobile only makes connections to Exchange Online
  • MRS syncs data between Exchange online and on-prem with ActiveSync
  • Ability to lock down on-prem ActiveSync to IPs for AutoDetect & Exchange online
• Securing with Conditional Access (16:15 mins)
• Require Outlook mobile as the exclusive messaging client with conditional access (19:30 mins)
  • Utilizes required approved client app
  • Use two conditional access policies
    • 1st policy matches either iOS or Android using modern auth and forces them to use Outlook mobile
    • 2nd policy matches for ActiveSync using basic auth and forces them to use Outlook mobile
    • In this config Exchange online will quarantine basic auth ActiveSync
• Sign-in conditional access (26:50 mins)
  • Requires Azure Identity Protection
  • Can block Outlook mobile access based on leaked credentials or suspicious sign-ins
  • Possible action can force a password reset via SSPR
• InTune MDM (30:25 mins)
  • Android for Enterprise (Android 5.0) is a container for corporate apps & data
  • Isolates corporate and personal data
• InTune App Protection (35:25 mins)
  • Protects the individual apps without enrolling the device
  • Control access to app & data
  • Controls movement of data
  • Selective wipe of the app (by admin, user, or, offline interval)
  • Corporate data encrypted independent of device-level encryption
  • Personal or unmanaged data is untouched
• Application configuration policies (47:00 mins)
  • Allows for the configuration & management of apps (e.g. Outlook mobile email account config)
• New Outlook mobile admin experience in InTune (52:00 mins)
• Securing data in Office 365 (53:30 mins)
  • Lockbox (just in time) for Office 365 engineers
  • TLS 1.2 encryption for data in flight
  • BitLocker for data at rest
  • Service encryption for data at rest in Exchange Online
• Azure Information Protection now Microsoft Information Protection (57:00 mins)
  • Discover & classify sensitive data
  • Apply protection (encryption, restriction, watermarks), governance (retention, deletion, archiving), and monitoring (alerts).
  • Outlook mobile can set & see sensitivity labels
  • Estimated release Q2 2019
• Demo on conditional access policies & user experience (59:00 mins)

Show more session notes

Show less session notes

Last week Microsoft announced the public preview of Exchange 2019. It is expected that Exchange 2019 will ship later this year.

You can download the preview bits using the link below. Please note, that this is preview code and you should not deploy this in production.

Exchange 2019 Public Preview

Server Core supported for Exchange 2019

The biggest announcement is that Exchange 2019 is the first version of Exchange to work on Windows Server Core. The benefit of Server Core is added security. Server core reduces your attack footprint and a smaller footprint means fewer things to secure and keep up to date.

It’s worth noting that from an administrative standpoint Server Core is a bit of a different animal. If you access Server Core via a console or remote session you are only going to see a command line. You will quickly notice that programs that use an MMC, such as Services or Event Viewer, are unavailable. In addition, shell programs such as Windows Explorer, or, Task Manager are also unavailable.

For Exchange, this is not much of an issue because the Exchange Admin Center and Exchange Management Shell can be run remotely from anywhere. For everything else, you will need to use Remote Server Administration Tools or remote PowerShell.  For a list of tools that are directly accessible on Server Core check out the article: What is the Server Core installation option in Windows Server?

For a great write-up on installing Exchange 2019 on Windows Server Core, check out this article from the Exchange Team.

Of course, if you prefer to have the full desktop experience you can still install Exchange 2019 on a server with a GUI.