Office 365 News

Thrive as an enterprise organization in Microsoft Exchange Online
If you could only watch one session then it should be this one. In this session, Jeff Kizner reveals a slew of announcements for Exchange Online. Announcements include; highly requested coexistence features for Exchange hybrid and, new advances in a tenant to tenant migrations. Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.

• Mailbox Plans (4:06 mins)
  • Set-MailboxPlan can now assign a retention policy to a mailbox when the mailbox is provisioned.
  • Set-CASMailboxPlan (new cmdlet) can now configure whether ActiveSync, IMAP, and POP are enabled on a mailbox when it is provisioned in Office 365.
• Client Access Rules (6:52 mins)
  • Additional rule conditions for matching source IP, protocol, recipient filters, or, username
  • Great for only allowing certain protocols from certain locations (e.g. ActiveSync from satellite offices)
  • You can have up to 20 client access rules
  • Best practice to have an “Allow PowerShell” rule in priority 1 (don’t lock yourself out!)
• Creating a custom app for message classification (16:00 mins)
  • Jeff demonstrates a custom app that uses the Outlook On Send feature to take action when a user clicks the send button in Outlook
  • On Send must be enabled in the OwaMailboxPolicy assigned to the user
  • Available since Exchange 2016 CU5
• Hybrid delegation (26:40 mins)
  • Jeff discusses and demos advancements in hybrid delegation (full access, auto-map, send as, send on behalf)
• On-premises policies will come over to Office 365 (46:06 mins)
  • Hybrid wizard will ask you which on-prem policies you want to copy into Office 365 (e.g. OWA, ActiveSync and Retention policies)
  • User’s mailbox, when moved to Office 365, will retain their existing policy assignments
• Hybrid publishing (50:52 mins)
• Hybrid recipient management (54:16 mins)
  • Jeff’s team is working towards allowing admins to make changes to attributes in Office 365 and have those attributes sync back to on-prem. This will remove the need to keep Exchange on-prem for recipient management.
  • Jeff’s team is also looking at changing the source of authority on synchronized objects to Azure Active Directory.
• Migrating data between tenants – mergers and acquisitions (59:33 mins)
  • Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.

Scott Schnoll’s Exchange tips and tricks
Scott provides us with his top tips for Exchange. Topics include:

• Server roles in Exchange 2016 (1:41 mins)
• How Exchange is developed (2:41 mins)
• Exchange 2016 Lifecycle (3:56 mins)
• Changes in Exchange 2016 CU7 (4:51 mins)
  • Forest functional level is now 2008 R2 or higher
• Announcing Exchange 2019 (8:48 mins)
  • Preview shipping mid-2018
  • General release second half of 2018
• Bug in Windows Server 2016 that caused IIS to crash – KB3206632 (10:20 mins)
• iOS11 issue with HTTP/2 (11:22 mins)
  • Microsoft turned off HTTP/2 across all Exchange Online servers
  • Microsoft recommends administrators disable HTTP/2 across all on-premises Exchange servers until Apple resolves this issue
  • Microsoft is working with Apple to help them resolve the issue
• New calendar improvements across all Outlook clients (15:16 mins)
• Administrator configured out of office replies (18:00 mins)
• Message Latency in logs (19:47 mins)
• Running antivirus on the operating system (21:00 mins)
  • Windows Server 2016 comes with a built-in fully-fledged antivirus
  • Make sure to configure antivirus with all path, process and file type exclusions
• Health mailboxes (23:22 mins)
  • Do not alter their AD account in any way
  • Do not alter their password or account lockout settings
  • Do not move or alter their mailboxes in any way
• Stalled mailbox migrations to Office 365 (26:40 mins)
• Protocol Agnostic Workflow (PAW) (30:24 mins)
  • New mailbox migration code in Office 365 that improves stability and throughput
  • Individual users can be removed from a batch
  • Batch completions can be scheduled
  • Better reporting
  • Microsoft will automatically enable this for your tenant but only if your tenant has no active or completed batches
• OAuth (35:26 mins)
• Hybrid license key and hybrid diagnostics wizard (39:20 mins)
• When to decommission Exchange on-premises (42:00 mins)
• PST elimination tools (44:27 mins)
• Deprecation of RPC over HTTPS – Outlook Anywhere (46:32 mins)
• Mailbox encryption coming soon to Office 365. You can encrypt with either:  (53:00 mins)
  • Microsoft managed key
  • Customer provided key
• Using Azure VM for DAG witness (55:04 mins)
• Changes to lagged copy behavior (56:15 mins)
• Recovering an Exchange Server with newer CU (59:58 mins)
  • This is possible and supported
  • Admin version will still show old CU build until you go to a newer CU later on
• New anti-phishing behavior in Office 365 (1:01:09 mins)
• Connecting to Security & Compliance Center via PowerShell (1:07:29 mins)
• Azure Information Protection – AIP (1:08:17 mins)
• Advanced Find in Outlook deprecation and reinstatement (1:12:38 mins)
• New TAP program for migrating public folders to Office 365 Groups (1:13:14 mins)

Modern authentication for Exchange Server on-premises
Greg Taylor discusses two new modern authentication scenarios coming to Exchange on-premises. One scenario which will be available to Exchange 2013 and 2016. And a future scenario that will be available in Exchange 2019. No bunnies were harmed in the delivery of this session.

• Importance of Modern Authentication (2:39 mins)
  • Allows Outlook to authenticate with a token
  • An easier route to enable Outlook for Multi-Factor Authentication (MFA)
  • Relies on strong network connectivity
• Two implementations of modern authentication will ship (7:10 mins)
  • Exchange 2013 / 2016 implementation expected by December 2017
  • Exchange 2019 implementation will ship when new release ships second half 2018
• Overview of how modern authentication works (10:00 mins)
  • Modern auth will only work with MAPI over HTTP.
  • No RPC over HTTP support.
  • Exchange will use modern auth for all client connections, regardless of whether they originate from inside or outside the network.
• Example of modern auth during autodiscover (15:35 mins)
  • Authorization type of “Bearer” is Outlook instructing Exchange that it can do modern authentication
  • Exchange responds to the client with STS authorization URL (for example AD FS)
• Explanation of token exchange (17:46 mins)
  • The access token has a lifetime of 1 hour (default TTL)
  • When the Access token expires the client uses their Refresh token to request a new Access Token (re-authenticate)
  • The refresh token is valid for 14 days (default TTL)
  • Password change:
    • Immediately invalidates the Refresh Token.
    • Access token remains valid for the remainder of its duration (up to 1 hour)
• Deep dive into two versions of on-prem modern auth (23:30 mins)
  • Exchange 2019 will ship with an on-prem implementation of Modern Auth
    • AD FS 2016 required
    • Outlook 2016 / 2019 required
      • Outlook 2013 and older will not work
    • Exchange 2013 / 2016 can be in the organization (no Exchange 2010)
    • Device registration is required
  • Exchange 2013/2016 will ship with a hybrid implementation of Modern Auth
    • Will require hybrid connectivity with Office 365
    • AD FS not required (can just use Password Sync with Azure AD Connect)
    • Exchange HCW must be run to enable OAuth
    • On-prem SPNs registered with Azure AD (configuring this is shown at 39:05 mins)
    • Exchange 2010 is completely unsupported and must be removed from the environment – no coexistence
• OAuth tokens rely on TLS for encryption (32:13 mins)