We’re very happy to announce support for Hybrid Modern Authentication (HMA) with the next set of cumulative updates (CU) for Exchange 2013 and Exchange 2016, that’s CU8 for Exchange Server 2016, and CU19 for Exchange Server 2013.

What is HMA?

HMA (not HAM, which Word keeps trying to correct it to for me) provides users the ability to access on-premises application using authorization tokens obtained from the cloud. For Exchange (that’s why you’re here right?), this means on-premises mailbox users get the ability to use these tokens (OAuth tokens specifically) for authentication to on-premises Exchange. Sounds thrilling I know, but what exactly are these tokens? And how do users get hold of them?

Rather than repeat many things here, I’m going to suggest you take a break and read the How Hybrid Authentication Really Works post, and if you really want to help boost my YouTube viewing numbers, watch this Ignite session recording too. They will respectively give you a pretty solid grounding in OAuth concepts and to help you understand what HMA is really all about.

See how much space we saved in this post by sending you somewhere else?

If you ignored my advice, the tl’dr version is this: HMA enables Outlook to obtain Access and Refresh OAuth tokens from Azure AD (either directly for password hash sync or Pass-Through Auth identities, or from their own STS for federated identities) and Exchange on-premises will accept them and provide mailbox access.

How users get those tokens, what they have to provide for credentials, is entirely up to you and the capabilities of the identity provider (iDP) – it could be simple username and password, or certificates, or phone auth, or fingerprints, blood, eyeball scanning, the ability to recite poetry, whatever your iDP can do.

Note that the user’s identity has to be present in AAD for this to work, and there is some configuration required that the Exchange Hybrid Configuration Wizard does for us. That’s why we put the H in HMA, you need to be configured Hybrid with Exchange Online for this feature.

It’s also worth knowing that HMA shares many of the same technology as the upcoming Outlook mobile support for Exchange on-premises with Microsoft Enterprise Mobility + Security feature, which as you’ll see from the blog post also requires Hybrid be in place. Once you have that figured out you’ll be able to benefit from both these features with very little additional work.

How Does HMA Work?

The video linked above goes into detail, but I’ll share some details here for anyone without the time to watch it.

Here’s a diagram that explains HMA when the identity is federated.

I think that picture is pretty clear, I spent a lot of time making it pretty clear so I don’t think I need to add much to it other than to say, if it’s not clear, you might want to try reading it again.

Why Should I Enable HMA?

Great question. There are a few good reasons, but mainly this is a security thing.

HMA should be considered ‘more secure’ than the authentication methods previously available in Exchange. That’s a nebulous statement if there ever was one (I could have said it’s more ‘Modern’ but I know you weren’t going to fall for that) but there are a few good arguments as to why that’s true.

When you enable HMA you are essentially outsourcing user authentication to your iDP, Exchange becomes the consumer of the resulting authorization tokens. You can enforce whatever authentication the iDP can do, rather than teach Exchange how to handle things like text messaged based MFA, blood analysis or retina scanning. If your iDP can do that, Exchange can consume the result. Exchange doesn’t care how you authenticated, only that you did, and came away with a token it can consume.

So it’s clearly ‘more secure’ if you choose to enforce authentication types or requirements stronger than those that come free with Exchange, but even if you stick to usernames and passwords it’s also more secure as passwords are no longer being sent from client to server once the user is authenticated (though of course that depends on whether you are using Basic, NTLM or Kerberos). It’s all token based, the tokens have specific lifetimes, and are for specific applications and endpoints.

One other interesting and important benefit to all this is that your auth flow is now exactly the same for both your cloud and on-premises users. Any MFA or Conditional Access policies you have configured are applied the same, regardless of the mailbox location. It’s simpler to stay secure.

HMA also results in an improved user experience as there will be less authentication prompts. Once the user logs in once to AAD they can access any app that uses AAD tokens – that’s anything in O365 and even Skype for Business on-premises configured for HMA (read more about Skype for Business’s HMA support here).

And don’t forget there’s the fact it’s more ‘Modern’. It’s newer and we put the word Modern on it. So it must be better, or at the very least, newer. Excellent, moving on.

Will It Cost Me?

Not if you just want to use free Azure ID’s or Federated identities and do MFA at your iDP. If you want to take advantage of advanced Azure features, then yes, you’ll have to pay for those. But to set this up the tenant admin needs only an Exchange and an Azure license assigned, to run the tools and enable the config.

What do I need to enable HMA?

There are some pre-requisites.

1. The following Identity configurations with AAD are supported
1. Federated Identity with AAD with any on-premises STS supported by Office 365
2. Password Hash Synchronization
3. Pass Through Authentication
2. In all cases, the entire on-premises directory must be synchronized to AAD, and all domains used for logon must be included in the sync configuration.
3. Exchange Server
1. All servers must be Exchange 2013 (CU19+) and/or Exchange 2016 (CU8+)
2. No Exchange 2010 in the environment
3. MAPI over HTTP enabled. It is usually enabled or True for new installs of Exchange 2013 Service Pack 1 and above.
4. OAuth must be enabled on all Virtual Directories used by Outlook (/AutoDiscover, /EWS, /Mapi, /OAB)
4. You must use clients that support ADAL (the client-side library that allows the client to work with OAuth tokens) to use the Modern Auth enabled features. Outlook 2013 requires the EnableADAL registry key be set, Outlook 2016 has this key set by default, Outlook 2016 for Mac works as it is, support for Outlook mobile (iOS and Android) is coming.
5. Ensure AAD Connect between on-premises AD and the O365 tenant has the “Exchange hybrid deployment” setting enabled in the Optional Features settings of Azure AD Connect.
6. Ensure SSL offloading is not being used between the load balancer and Exchange servers.
7. Ensure all user networks can reach AAD efficiently.

Let’s pick a few of those apart.

No Exchange 2010 in the environment. That’s right, if you have E2010 you can’t enable HMA. Why? Because worst case is everyone with a mailbox on E2010 will be cut off from email. You don’t want that. It’s because OAuth happens anonymously upon initial connection. We send the user to AAD to get authenticated before we know where their mailbox is – and if that mailbox is on E2010, when they return with a token we’ll refuse to proxy from E2013/16 to E2010. Game over. Please insert coins.

So we have drawn a line here and are stating no support for E2010, and the HCW won’t let you enable OAuth if E2010 exists. Don’t try and make it work, remember that scene from Ghostbusters, the whole crossing the streams thing? It’ll be like that, but worse.

Next, MAPI/HTTP – you need to be using MAPI/HTTP not RPC/HTTP (Outlook Anywhere). This feature only works with MAPI/HTTP, and anyway, it’s time to get off RPC/HTTP. That’s very old code and as you might know we ended support for its use in O365, so it would be good to switch. It just works.

Then there’s the ‘everyone should be in AAD’ thing. That’s because when you enable HMA, it’s Org wide. It affects every user connecting to Exchange. So, all users trying to access Exchange from a client that support Modern Auth will be sent to AAD. If you only have some users represented in AAD, only those users will be able to auth. The rest will come find you at lunch and make your life a misery. Unless you like misery, I wouldn’t recommend that route.

Needing clients that support Modern Auth clearly, makes sense. And you need to make sure all the Exchange VDirs have OAuth enabled on them. Sounds obvious, and they are enabled by default, but some admins like to tinker… so it’s worth checking, and I’ll explain how later.

SSL offloading works by terminating the SSL/TLS encryption on the load balancer and transmitting the request as HTTP. In the context of OAuth, using SSL offloading has implications because if the audience claim value specifies a HTTPS record, then when Exchange receives the decrypted request over HTTP, the request is considered not valid. By removing SSL offloading, Exchange will not fail the OAuth session due to a change in the audience claim value.

Lastly, the ensuring all user networks can reach AAD comment. This change affects all connectivity from supported clients to Exchange, internal and external. When a user tries to connect to Exchange, whether that server is 10 feet away under the new guys desk or in a datacenter on the other side of the planet the HMA flow will kick in. If the user doesn’t have a valid token the traffic will include a trip to AAD. If you are one of those customers with complex networking in place, consider that.

How do I Enable HMA?

You’ve checked the pre-reqs, and you think you’re good to go. You can do a lot of this up front without impacting clients, I’ll point out where clients begin to see changes, so you can be prepared.

We do recommend trying HMA in your test or lab environment if you can before doing it in production. You are changing auth, it’s something you need to be careful doing, as cutting everyone off from email is never a good thing.

Here’s what to do. First, we have some Azure Active Directory Configuration to do.

You need to register all the URL’s a client might use to connect to on-premises Exchange in AAD, so that AAD can issue tokens for those endpoints. This includes all internal and external namespaces, as AAD will become the default auth method for all connections, internal and external. Here’s a tip – look at the SSL certificates you have on Exchange and make sure all those names are considered for inclusion.

Run the following cmdlets to gather the URL’s you need to add/verify are in AAD.

Get-MapiVirtualDirectory | FL server,*url*
Get-WebServicesVirtualDirectory | FL server,*url*
Get-OABVirtualDirectory | FL server,*url*>

Now you need to ensure all URL’s clients may connect to are listed as https service principal names (SPN’s):

1. Connect to your AAD tenant using these instructions.
2. For Exchange-related URL’s, execute the following command (note the AppId ends …02):

   Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames

   The output will look similar to the following:

   [PS] C:\WINDOWS\system32> Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
   https://autodiscover.contoso.com/
   https://mail.contoso.com/
   00000002-0000-0ff1-ce00-000000000000/*.outlook.com
   00000002-0000-0ff1-ce00-000000000000/outlook.com
   00000002-0000-0ff1-ce00-000000000000/mail.office365.com
   00000002-0000-0ff1-ce00-000000000000/outlook.office365.com
   00000002-0000-0ff1-ce00-000000000000/contoso.com
   00000002-0000-0ff1-ce00-000000000000/autodiscover.contoso.com
   00000002-0000-0ff1-ce00-000000000000/contoso.mail.onmicrosoft.com
   00000002-0000-0ff1-ce00-000000000000/autodiscover.contoso.mail.onmicrosoft.com
   00000002-0000-0ff1-ce00-000000000000/mail.contoso.com
   00000002-0000-0ff1-ce00-000000000000
   

3. If you do not already have your internal and external MAPI/HTTP, EWS, OAB and AutoDiscover https records listed (i.e., https://mail.contoso.com and https://mail.corp.contoso.com), add them using the following command (replacing the fully qualified domain names with the correct namespaces and/or deleting the appropriate addition line if one of the records already exists):

   $x= Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
   $x.ServicePrincipalnames.Add("https://mail.corp.contoso.com/")
   $x.ServicePrincipalnames.Add("https://owa.contoso.com/")
   Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

4. Repeat step 2 and verify the records were added. We’re looking for https://namespace entries for all the URL’s, not <span class="consoletext"00000002-0000-0ff1-ce00-000000000000/namespace entries.

For example,

[PS] C:\WINDOWS\system32> Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
https://autodiscover.contoso.com/
https://mail.contoso.com/
https://mail.corp.contoso.com
https://owa.contoso.com
00000002-0000-0ff1-ce00-000000000000/*.outlook.com
00000002-0000-0ff1-ce00-000000000000/outlook.com
00000002-0000-0ff1-ce00-000000000000/mail.office365.com
00000002-0000-0ff1-ce00-000000000000/outlook.office365.com
00000002-0000-0ff1-ce00-000000000000/contoso.com
00000002-0000-0ff1-ce00-000000000000/autodiscover.contoso.com
00000002-0000-0ff1-ce00-000000000000/contoso.mail.onmicrosoft.com
00000002-0000-0ff1-ce00-000000000000/autodiscover.contoso.mail.onmicrosoft.com
00000002-0000-0ff1-ce00-000000000000/mail.contoso.com
00000002-0000-0ff1-ce00-000000000000

Then we need to validate the EvoSts authentication provider is present using the Exchange using Exchange Management Shell (this is created by the Hybrid Configuration Wizard):

Get-AuthServer | where {$_.Name -eq "EvoSts"}

If it is not present, please download and execute the latest version of the Hybrid Configuration Wizard. Note that this authentication provider is not created if Exchange 2010 (this includes Edge Transport servers) is detected in the environment.

Now let’s make sure OAuth is properly enabled in Exchange on all the right virtual directories Outlook might use.

Run the following cmdlets (and a tip, don’t use -ADPropertiesOnly as that sometimes tells little white lies, try it and see if you don’t believe me)

Get-MapiVirtualDirectory | FL server,*url*,*auth*
Get-WebServicesVirtualDirectory | FL server,*url*,*oauth*
Get-OABVirtualDirectory | FL server,*url*,*oauth*
Get-AutoDiscoverVirtualDirectory | FL server,*oauth*

You are looking to make sure OAuth is enabled on each of these VDirs, it will look something like this (and the key things to look at are highlighted);

[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl server,*url*,*auth*
Server : EX1
InternalUrl : https://mail.contoso.com/mapi
ExternalUrl : https://mail.contoso.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

[PS] C:\Windows\system32> Get-WebServicesVirtualDirectory | fl server,*url*,*auth*
Server : EX1
InternalNLBBypassUrl :
InternalUrl : https://mail.contoso.com/EWS/Exchange.asmx
ExternalUrl : https://mail.contoso.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

[PS] C:\Windows\system32> Get-OabVirtualDirectory | fl server,*url*,*auth*
Server : EX1
InternalUrl : https://mail.contoso.com/OAB
ExternalUrl : https://mail.contoso.com/OAB
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}

[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl server,*auth*
Server : EX1
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

Once you have checked these over, you might need to add OAuth here and there. It’s important to make sure all the servers are consistent, there’s really nothing harder to troubleshoot than when one server out of ten is wrong…

(Top Nerd Note: I hope you know why we didn’t include *url* in the Get-AutodiscoverVirtualDirectory cmdlet? Answers in the comments section if you do. There are no prizes to be won!)

If you need to add an Auth method, here’s a tip. For all except /Mapi, just set the -OAuthAuthentication property to $True. Done.

But for /Mapi you need add it explicitly, and not using some fancy @Add PowerShell thing you learned in some online course or from that smart guy in the office who tells everyone he doesn’t use ECP as it’s for kids and dogs. Because I've learned too that sometimes that doesn’t always work the way it should.

If you needed to add OAuth to all the Mapi Vdirs in the org, do it like this;

Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm, OAuth, Negotiate

Up to this point no clients should have been impacted (unless you messed the Vdir auth up, and if you did, you should only have been adding OAuth, not taking others away…you know that now don’t you). So next we start to impact clients – so this is the bit you want to do out of normal business hours. For career reasons.

So, make sure you validate the following:

1. Make sure you have completed the steps above in the Azure AD Configuration section. All the SPN’s you need should be in there.
2. Make sure OAuth is enabled on all virtual directories used by Outlook.
3. Make sure your clients are up to date and HMA capable by validating you have the minimal version as defined in our supportability requirements.
4. Make sure you have communicated what you are doing.
5. Set the EvoSts authentication provider as the default provider (this step affects Outlook 2016 for Mac and native EAS clients that support OAuth right away):

   Set-AuthServer EvoSTS -IsDefaultAuthorizationEndpoint $true

6. Enable the OAuth client feature for Windows Outlook:

   Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

That’s it. All the prep you did means it comes down to two cmdlets. Wield the power wisely.

How do I Know I’m Using HMA?

After HMA is enabled, the next time a client needs to authenticate it will use the new auth flow. Just turning on HMA may not immediately trigger a re-auth for any client.

To test that HMA is working after you have enabled it, restart Outlook. The client should switch to use the Modern Auth flow.

You should see an ADAL generated auth dialog, from Office 365. Once you enter the username you might be redirected to your on-premises IDP, like ADFS (and might not see anything at all if Integrated auth is configured), or you might need to enter a password. You might have to do MFA, it depends on how much stuff you’ve set up in AAD already.

Once you get connected (and I hope you do), check Outlook’s Connection Status dialog (Ctrl-Right Click the Outlook tray icon) you will see the word Bearer in the Authn column – which is the sign that it’s using HMA.

Well done you. Check everyone else is ok before heading home though, eh?

Something Went Wrong. How do I Troubleshoot HMA?

Ah, you’re reading this section. It’s panic time, right? I was thinking of not publishing this section until next year, just for giggles. Mine, not yours. But I didn’t. Here’s what to think about if stuff isn’t working like I said it would.

Firstly, make sure you did ALL the steps above, not some, not just the ones you understood. We’ve all seen it, 10 steps to make something work, and someone picks the steps they do like it’s a buffet.

If you’re sure you’ve done them all, let’s troubleshoot this together.

If you need to simply turn this back off then just run the last two cmdlets we ran again, but setting them to False this time. You might need to run IISReset on Exchange more than once, we cache settings all over the place for performance reasons, but those two will put you back to where you were if all hope is lost (hopefully you still have a chance to capture a trace as detailed in a moment before you do this, as it will help identity what went wrong).

If you aren’t reverting the settings just yet, you clearly want to troubleshoot this a bit.

First thing is – is the client seeing any kind of pop up warning dialog? Are they seeing any certificate errors? Trust or name mismatches, that sort of thing? Anything like that will stop this flow in its tracks. The clients don’t need anything more than trusting the endpoints they need to talk to – Exchange, AAD (login.windows.net and login.microsoftonline.com) and ADFS or your iDP of choice if in use. If they trust the issuer of the certs securing those sites, great. If you have some kind of name translation thing going on somewhere, that might cause a warning, or worse, a silent failure.

Here’s an example of this I saw recently. Exchange was published using Web Application Proxy (WAP). You can do that, but only in pass-through mode. The publishing rule for AutoDiscover in this case was using autodiscover.contoso.com to the outside world, but the WAP publishing rule was set up to forward that traffic to mail.contoso.com on the inside. That causes this to fail, as Outlook heads to AAD to get a token for the resource called https://autodiscover.contoso.com and it does. Then it hands that to WAP, who then forwards to Exchange using the https://mail.contoso.com target URI – the uri used in the token isn’t equal to the uri used by WAP… kaboom. So, don’t do that. But I’ll show you later how an error like that shows up and can be discovered.

Assuming certificates are good, we need to get deeper. We need to trace the traffic. The tool I prefer to use for this is Fiddler, but there are others out there that can be used.

Now, Fiddler or the like can capture everything that happens between client and server – and I mean everything. If you are doing Basic auth, Fiddler will capture those creds. So, don’t run a Fiddler trace capturing everything going on and share it with your buddies or Microsoft. We don’t want your password. Use a test account or learn enough about Fiddler to delete the passwords.

I’ll leave it to the Telerik people who create Fiddler to tell you how to install and really use their tool, but I’ll share these few snippets I’ve learned, and how I use it to debug HMA.

Once installed and with the Fiddler root certs in the trusted root store (Fiddler acts as a man-in-the-middle proxy) it will capture traffic from whatever clients you choose. You need to enable HTTPS decryption (Tools, Options, HTTPS), as all our traffic is encased in TLS.

If you have ADFS you can either choose to configure Fiddler to Skip Decryption for the ADFS url, if you don’t want to see what happens at ADFS, but if you do, you will have to relax the security stance of ADFS a bit to allow the traffic to be properly captured. Only do this while capturing the traffic for debug purposes, then reset it back. Start with bypassing decryption for the iDP first, come back to this if you suspect that is the issue.

To set level of extended protection for authentication supported by the federation server to none (off)

Set-AdfsProperties -extendedprotectiontokencheck none

Then to set it back to the default once you have the capture:

Set-AdfsProperties -extendedprotectiontokencheck Allow

Read more about all that clever ADFSstuff here.

Now you run the capture. Start Fiddler first, then start Outlook. I suggest closing all other apps and browsers, so as not to muddy the Fiddling waters. Keep an eye on Fiddler and Outlook, try and log in using Outlook, or repro the issue, then stop tracing (F12).

Now we shall try to figure out what’s going on. I prefer the view where I have the traffic listed in the left hand pane, then on the right the top section is the request, and hte lower right in the response. But you do whatever works for you. But Fiddler shows each frame, then splits each into the Request, and the Response. That’s how you need to orient yourself.

So the flow you’ll see will be something like this;

Client connects to Exchange, sending an empty ‘Bearer‘ header. This is the hint to tell Exchange it can do OAuth but does not yet have a token. If it sends Bearer and a string of gobbledygook, that’s your token.

Here are two examples of this. The header section to look at is Security. This is using Fiddler’s Header view. Do you see how the Security header says just Bearer on the left, but shows Bearer + Token on the right.

Exchange responds with (lower pane of the same packet in Fiddler, raw view), here’s where you can get a token (link to AAD).

If you scroll all the way to the right you’ll see the authorization_uri (AAD)

Normally, Outlook goes to that location, does Auth, gets a token, comes back to Exchange, and then tries to connect using Bearer + Token as above. If it’s accepted, it’s 200’s and beers all round and we’re done.

Where could it go wrong?

Client Failure

Firstly, the client doesn’t send the empty Bearer header. That means isn’t even trying to do Bearer. This could be a few things.

It could be that you are testing with Outlook 2010 which doesn’t support Bearer (so stop trying and upgrade).

Maybe you are using Outlook 2013 but forgot to set the EnableADAL reg keys set? See the link below for those.

But what if this is Outlook 2016, which has EnableADAL set by default and it is still not sending the Header…. Huh?

Most likely cause, someone has been tinkering around in the registry or with GPO’s to set registry keys. I knew a guy who edited the registry once and three days later crashed his car. So, do not tell me you were not warned.

You need to make sure keys are set as per https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910

Outlook2016 for Mac can also have MA disabled (though it’s enabled by default). You can set it back to the default by running this from Terminal:

defaults write com.microsoft.Outlook DisableModernAuth -bool NO

That’s how we deal with the client not sending the Header. Check again and see the Header in all its Header glory.

Auth_URI Failures

Next thing that might happen is the server doesn’t respond with the authorization-uri, or it’s the wrong one.

If there’s no authorization_uri at all then the EvoSts AuthServer does not have IsDefaultAuthorizationEndpoint set to $true. Recheck you ran

Set-AuthServer EvoSts -IsDefaultAuthorizationEndpoint $true

If it comes back, but with some other value than expected, make sure the right AuthServer is set as default, we only support you using AAD for this flow. If you think setting this to your on-premises ADFS endpoint will make this work without AAD… you’re wrong, as you discovered when you tried. If you are thinking of trying it, don’t bother. That’s an Exchange 2019 thing. Oh, did I just let that out of the bag?

If HMA is enabled at the org level, but connections still don’t elicit the authorization_uri you expect it’s likely OAuth isn’t enabled on the Virtual Directory Outlook is trying to connect to. You need to simply make sure you have OAuth enabled on all VDirs, on all servers. Go back to the How Do I Enable section and check those VDirs again.

Now, sometimes that all comes back ok but the client still doesn’t take the bait. If so, check for the following in the response;

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-IIS/8.5 Microsoft-HTTPAPI/2.0
request-id: a8e9dfb4-cb06-4b18-80a0-b110220177e1
Www-Authenticate: Negotiate
Www-Authenticate: NTLM
Www-Authenticate: Basic realm="autodiscover.contoso.com"
X-FEServer: CONTOSOEX16
x-ms-diagnostics: 4000000;reason="Flighting is not enabled for domain 'gregt@contoso.com'.";error_category="oauth_not_available"
X-Powered-By: ASP.NET
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@f31f3647-5d87-4b69-a0b6-73f62aeab14c", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize"
Date: Thu, 13 Jul 2017 18:22:13 GMT
Proxy-Support: Session-Based-Authentication

Now this response is interesting because it says, go get a token (www-authenticate), but in x-ms-diagnostics it says, no, don’t. Is Exchange unsure?

This means OAuth is enabled, but not for Outlook for Windows. So, you ran one of the two commands above (or you ran them both but not enough time has passed for them to kick in)

Verify that the OAuth2ClientProfileEnabled property is set to $true by checking;

(Get-OrganizationConfig).OAuth2ClientProfileEnabled

Other Failures

We have a token, we know OAuth is enabled at the Org level in Exchange, we know all the Vdirs are good. But it still won’t connect. Dang, what now?

Now you’ll have to start to dig into server responses more closely, and start looking for things that look like errors. The errors you’ll see are usually in plain English, though of course that doesn’t mean they make sense. But here are some examples.

Missing SPNs

Client goes to AAD to get a token and get this:

Location: urn:ietf:wg:oauth:2.0:oob?error=invalid_resource&error_description=AADSTS50001%3a+The+application+named+https%3a%2f%2fmail.contoso.com%2f+was+not+found+in+the+tenant+named+contoso.com.++This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.++You+might+have+sent+your+authentication+request+to+the+wrong+tenant.%0d%0aTrace+ID%3a+cf03a6bd-610b-47d5-bf0b-90e59d0e0100%0d%0aCorrelation+ID%3a+87a777b4-fb7b-4d22-a82b-b97fcc2c67d4%0d%0aTimestamp%3a+2017-11-17+23%3a31%3a02Z

Name Mismatches

Here’s one I mentioned earlier. There’s some device between client and server changing the names being used. Tokens are issued for specific uri’s, so when you change the names…

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@8da56bec-0d27-4cac-ab06-52ee2c40ea22,00000004-0000-0ff1-ce00-000000000000@contoso.com,00000003-0000-0ff1-ce00-000000000000@8da56bec-0d27-4cac-ab06-52ee2c40ea22", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token"
Server: Microsoft-IIS/8.5 Microsoft-HTTPAPI/2.0
request-id: 5fdfec03-2389-42b9-bab9-c787a49d09ca
Www-Authenticate: Negotiate
Www-Authenticate: NTLM
Www-Authenticate: Basic realm="mail.contoso.com"
X-FEServer: RGBMSX02
x-ms-diagnostics: 2000003;reason="The hostname component of the audience claim value 'https://autodiscover.contoso.com' is invalid";error_category="invalid_resource"
X-Powered-By: ASP.NET
Date: Thu, 16 Nov 2017 20:37:48 GMT

SSL Offloading

As mentioned in the previous section, tokens are issued for a specific uri and that value includes the protocol value ("https://"). When the load balancer offloads the SSL, the request Exchange will receives comes in via HTTP, resulting in a claim mismatch due to the protocol value being "http://":

Content-Length →0
Date →Thu, 30 Nov 2017 07:52:52 GMT
Server →Microsoft-IIS/8.5
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@00c118a9-2de9-41d3-b39a-81648a7a5e4d", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token"
WWW-Authenticate →Basic realm="mail.contoso.com"
X-FEServer →CTSINPUNDEVMB02
X-Powered-By →ASP.NET
request-id →2323088f-8838-4f97-a88d-559bfcf92866
x-ms-diagnostics →2000003;reason="The hostname component of the audience claim value is invalid. Expected 'https://mail.contoso.com'. Actual 'http://mail.contoso.com'.";error_category="invalid_resource"

Who’s This?

Perhaps you ignored my advice about syncing all your users to AAD?

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/7.5
request-id: 63b3e26c-e7fe-4c4e-a0fb-26feddcb1a33
Set-Cookie: ClientId=E9459F787DAA4FA880A70B0941F02AC3; expires=Wed, 25-Oct-2017 11:59:16 GMT; path=/; HttpOnly
X-CalculatedBETarget: ex1.contoso.com
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@cc2e9d54-565d-4b36-b7f0-9866c19f9b17"
x-ms-diagnostics: 2000005;reason="The user specified by the user-context in the token does not exist.";error_category="invalid_user"
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Basic realm="mail.contoso.com"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-FEServer: E15
Date: Tue, 25 Oct 2016 11:59:16 GMT
Content-Length: 0

Password Changed?

When the user changes their password they must re-authenticate to get a new Refresh/Access token pair.

HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: f840b3e7-8740-4698-b252-d759825e0300
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: esctx=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz3lyJfwgypqTMzLvXD-deUmtaub0aqU_17uPZe3xCZbgKz8Ws99KNxVJSM0AglTVLUEtzTz8y8wTTavHlEG6on2cOjXqRtbgr2DLezsw_OZ7JP4M42qZfMd1mR0BlTLWI3dSllBFpS9Epvh5Yi0Of5eQkOHL7x97IDk_o1EWB7lEgAA; domain=.login.windows.net; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=008; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Thu, 16 Nov 2017 20:36:16 GMT
Content-Length: 605
{"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2017-10-28T17:20:13.2960000Z' and the TokensValidFrom date for this user is '2017-11-16T20:27:45.0000000Z'\r\nTrace ID: f840b3e7-8740-4698-b252-d759825e0300\r\nCorrelation ID: f3fc8b2f-7cf1-4ce8-b34d-5dd41aba0a02\r\nTimestamp: 2017-11-16 20:36:16Z","error_codes":[50173],"timestamp":"2017-11-16 20:36:16Z","trace_id":"f840b3e7-8740-4698-b252-d759825e0300","correlation_id":"f3fc8b2f-7cf1-4ce8-b34d-5dd41aba0a02"}

Unicorn Rampage?

When a Unicorn Rampage has taken place and all tokens are invalidated you’ll see this.

HTTP/1.1 400 Bad Unicorn
Cache-Control: no-cache, no-store, not-bloody-safe
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: f840b3e7-8740-4698-b252-d759825e0300
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: esctx=AQABAAAAAABHh4kmS_aKT5XrjzxRAtHz3lyJfwgypqTMzLvXD-deUmtaub0aqU_17uPZe3xCZbgKz8Ws99KNxVJSM0AglTVLUEtzTz8y8wTTavHlEG6on2cOjXqRtbgr2DLezsw_OZ7JP4M42qZfMd1mR0BlTLWI3dSllBFpS9Epvh5Yi0Of5eQkOHL7x97IDk_o1EWB7lEgAA; domain=.login.windows.net; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=008; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Thu, 16 Nov 2017 20:36:16 GMT
Content-Length: 605
{"error":"unicorn_rampage","error_description":"The Unicorns are on a rampage. It’s time go home” '2017-11-16T20:27:45.0000000Z'\r\nTrace ID: f840b3e7-8740-4698-b252-d759825e0300\r\nCorrelation ID: f3fc8b2f-7cf1-4ce8-b34d-5dd41aba0a02\r\nTimestamp: 2017-11-16 20:36:16Z","error_codes":[50173],"timestamp":"2017-11-16 20:36:16Z","trace_id":"f840b3e7-8740-4698-b252-d759825e0300","correlation_id":"f3fc8b2f-7cf1-4ce8-b34d-5dd41aba0a02"}

And so on. You can see there are a few things that can go wrong, but Fiddler is your friend, so use it to debug and look closely and often the answer is staring you right there in the face.

Viewing Tokens

Lastly, and just for fun, if you want to see what an actual, real life Access token looks like, I’ll show you how… calm down, it’s not that exciting.

In Fiddler, in the Request (upper pane), where you see Header + Value (begins ey…), you can right click the value and choose Send to Text Wizard, and set Transform to ‘From Base64’. Or you can copy the entire value and use a web site such as https://jwt.io to transform them into a readable format like this.

{
"aud": "https://autodiscover.contoso.com/",
"iss": "https://sts.windows.net/f31f3647-5d87-4b69-a0b6-73f62aeab14c/",
"acr": "1",
"aio": "ASQA2/8DAAAAn27t2aiyI+heHYucfj0pMmQhcEEYkgRP6+2ox9akUsM=",
"amr": [
"pwd"
],
"appid": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
"appidacr": "0",
"e_exp": 262800,
"enfpolids": [],
"family_name": "Taylor",
"given_name": "Greg",
"ipaddr": “100.100.100.100",
"name": "Greg Taylor (sounds like a cool guy)",
"oid": "7f199a96-50b1-4675-9db0-57b362c5d564",
"onprem_sid": "S-1-5-21-2366433183-230171048-1893555995-1654",
"platf": "3",
"puid": "1003BFFD9ACA40EE",
"scp": "Calendars.ReadWrite Contacts.ReadWrite Files.ReadWrite.All Group.ReadWrite.All Mail.ReadWrite Mail.Send Privilege.ELT Signals-Internal.Read Signals-Internal.ReadWrite Tags.ReadWrite user_impersonation",
"sub": "32Q7MW8A7kNX5dPed4_XkHP4YwuC6rA8yBwnoROnSlU",
"tid": "f31f3647-5d87-4b69-a0b6-73f62aeab14c",
"unique_name": "GregT@contoso.com",
"upn": "GregT@contoso.com",
"ver": "1.0"
}

Fun times, eh? I was just relieved to see my enfpolids claim was empty when I saw that line, that sounds quite worrying and something I was going to ask my doctor about.

Summary

We’ve covered why HMA is great, why it’s more secure, how to get ready for it and how to enable it. And even how to troubleshoot it.

Like all changes it requires careful planning and execution, and particularly when messing with auth, be super careful, please. If people can’t connect, that’s bad.

We’ve been running like this for months inside Microsoft, and we too missed an SPN when we first did it, so it can happen. But if you take your time and do it right, stronger, better and heck, a more Modern auth can be yours.

Good luck

Greg Taylor
Principal PM Manager
Office 365 Customer Experience

Update: Microsoft has identified a condition where Free/Busy lookups from On-Premises to O365 in a hybrid configuration may fail. Please see KB4058297 for additional information and mechanisms to resolve this condition.

The December quarterly release updates for Exchange Server are now available on the download center (links below). In addition to the planned cumulative updates for Exchange Server 2013 and 2016, we have published an update rollup for Exchange Server 2010. These releases include all previously released updates, fixes for customer reported issues and limited new functionality.

Update Rollup 19 for Exchange Server 2010

Update Rollup 19 for Exchange Server 2010 contains a fix for an important issue affecting Exchange Server 2016 and Exchange Server 2010 coexistence. Our deployment guidance states when these versions are deployed together, load balancer VIP’s can (should) be pointed to servers running Exchange Server 2016. Exchange Server 2016 will proxy calls to an appropriate server version based upon where the mailbox being accessed is located. We have become aware of a condition which could allow proxied EWS calls to gain access to mailboxes on the 2010 server to which a user should not have access. This issue, tracked by KB4054456, is resolved in Service Pack 3 Update Rollup 19 for Exchange Server 2010. Customers who have deployed Exchange Server 2010 and 2016 together are encouraged to apply Update Rollup 19 with high priority.

Note: Exchange Server 2010 is in extended support phase of lifecycle. Customers should not expect regular updates to this product. Updates are released on an as needed basis only.

Change in TLS Settings Behavior in Exchange Server 2013 and 2016

The cumulative updates for Exchange Server 2013 and 2016 released today include a change in behavior as it relates to configuring TLS and cryptography settings. Previous cumulative updates would overwrite a customer’s existing configuration. Due to customer feedback, we have changed product behavior to configure TLS and cryptography settings only when a new Exchange server is installed. Applying a cumulative update will no longer overwrite the customer’s existing configuration. In the future, the Exchange team will publish guidance on what we believe customers should use to optimally configure a server. It will be up to customers to ensure their servers are configured to meet their security needs. Exchange SETUP will ensure that our current recommendations are applied automatically when a new Exchange server is installed using current and future cumulative updates.

Note: Customers can always use the latest cumulative update directly to install a newly provisioned server.

Support for Hybrid Modern Authentication

As announced by Greg in his excellent and highly popular blog post, Exchange Server 2013 and 2016 have introduced a spiffy new authentication option. Those of you still running Exchange Server 2010 will have to wait a bit but anyone running Exchange Server 2013 or 2016 will certainly want to have a look at a revolutionary change introduced in these cumulative updates.

Support for .NET Framework 4.7.1

.NET Framework 4.7.1 is now fully supported with Exchange Server 2013 and 2016. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 after applying the December 2017 or March 2018 quarterly release to avoid blocking installation of the June 2018 quarterly releases for Exchange Server 2013 and 2016.

Known unresolved issues in these releases

The following known issues exist in these releases and will be resolved in a future update:

• Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language
• When sending a calendar sharing invitation in OWA, users opening the invitation in OWA may not see the ‘Accept’ button. Using Outlook client, calendar sharing invitations work normally.
• When configuring ‘Offline Settings’ in OWA, users may receive a message to update the application and the OWA session becomes disconnected from the Exchange server.

Release Details

KB articles that describe the fixes in each release are available as follows:

• Exchange Server 2016 Cumulative Update 8 (KB4035145), Download, UM Lang Packs
• Exchange Server 2013 Cumulative Update 19 (KB4037224), Download, UM Lang Packs
• Exchange Server 2010 Update Rollup 19 (KB4035162), Download

None of the updates released today include new Active Directory schema since the September 2017 quarterly updates were released. If upgrading from an older Exchange version or cumulative update, Active Directory schema updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU19, 2016 CU8) or the prior (e.g., 2013 CU18, 2016 CU7) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

In support, I get this question quite frequently: “How do I block users from auto forwarding their mail outside my environment?” There are plenty of good reasons you may not want auto forwarding: you may have HIPAA laws to follow, regulatory compliance or data privacy concerns or simply because it makes you uncomfortable.

A user can set up forwarding in a few different ways:

1. Create an inbox rule to forward using Outlook or Outlook on the web (also sometimes called by OWA, it’s old name). The types of forwarding via this method are: forward, forward as an attachment and redirect.

• In Outlook this is accessed through File > Manage Rules and Alerts
• In OWA this is accessed through Options > Mail > Inbox and sweep rules

2. Set forwarding on their mailbox using OWA options.

• In OWA this is accessed through Options > Mail > Forwarding. Users can select to Stop or Start forwarding and enter the address to forward to. This is set as a “ForwardingSMTPAddress” parameter on the mailbox.

Methods to stop auto forwarding

As an admin, you have a few different ways to prevent forwarding of emails outside of your environment. The main ways I have identified are listed below, along with a brief description of their pros and cons. Select the link to learn more:

Remote Domain

• Pros: Applies to all the above-mentioned types of forwarding a user can set up. Quick and easy to configure.
• Cons: The user is not notified their forwarded message is dropped
• Use If: You have few exceptions to consider and just want an easy blanket option

Transport Rule

• Pros: Allows you more granularity on conditions and actions, reporting is available
• Cons: Does not block the OWA “Start/Stop Forwarding” method
• Use If: You want to be able to notify the user their message was blocked, or if you have complex exceptions you need to allow for

Role Based Access Control (RBAC)

• Pros: In OWA, users simply do not see the option to set forwarding up
• Cons: Does not remove the options in Outlook and does nothing for forwarding that was already set up. It only removes the option to set it up from view; it does not remove any rules already in place and for that matter, it continues to allow those rules to function (though admittedly you could always run a script to null out the parameter).
• Use If: You are a company that primarily uses OWA and have already ensured users do not have forwarding set to begin with.

Remote Domain

You can set up the remote domain option through the Exchange Online Admin Center > Mail Flow > Remote Domains and select the default remote domain. Uncheck the “allow automatic forwarding” box and repeat for any additional remote domains you may have set up that you want to drop auto forwarded messages to.

The downside to this method is that the user is not notified that their forwarded message is dropped. However, as an admin, you would see the drop in a message trace as a failed message with the following Drop reason: “[{LED=250 2.1.5 RESOLVER.MSGTYPE.AF; handled AutoForward addressed to external recipient};{MSG=};{FQDN=};{IP=};{LRT=}]”

Say you have a partner company, and your users may have legitimate reasoning to forward their mail to the partner; you can configure an additional remote domain for the partner domain with different settings.

Transport Rule

To set up a transport rule in Exchange Online Admin Center, navigate to Mail Flow > Rules and select the plus sign to create a new rule. If you are not seeing all options, ensure you select “More options” towards the bottom of the screen. You can add multiple conditions, but the key is to include “the message type is… Auto-forward”. In PowerShell that would be the parameter ‘-MessageTypeMatches AutoForward’ In the image, I have chosen to apply the rule to messages forwarded to all recipients outside the organization and I am rejecting the message with an explanation so the user is informed of the policy.

You can also easily add exceptions here via the “add exception” button if certain senders or recipient domains should be allowed to forward. In addition, you can easily identify the users hitting this rule as well through PowerShell reporting or by the generating an incident report action.

Role Based Access Control (RBAC)

RBAC is the method to remove the forwarding options from user’s view in Outlook on the web. You may want to note that RBAC is cumulative, so if an administrator has an admin role that includes New-Inbox rule with the forwarding parameters, removing it with the steps above will not make it disappear.

If you are less familiar with manipulating RBAC, I would point you to this blog post which does a deeper dive into RBAC in general. This tips and tricks guide is also incredibly handy.

I have already identified the main user role that includes the cmdlets and parameters that need to be removed, however if you would like to find which roles include other commands you could run the following:

Get-ManagementRoleEntry “*\New-InboxRule”

Here are the steps to create a new management role and remove the forwarding options.

1.) Create the new role with parent “MyBaseOptions”

• New-ManagementRole -Parent MyBaseOptions -Name DenyForwarding

2.) Depending on what you want to do, I have 3 sets of sample CMDlets for you:

• Removes ability to create a new inbox rule in Outlook on the web with 3 specified actions: Set-ManagementRoleEntry DenyForwarding\New-InboxRule -RemoveParameter -Parameters ForwardTo, RedirectTo, ForwardAsAttachmentTo
• Removes ability to edit an existing inbox rule to change it to one of specified 3 actions: Set-ManagementRoleEntry DenyForwarding\Set-InboxRule -RemoveParameter -Parameters ForwardTo, RedirectTo, ForwardAsAttachmentTo
• Removes the page in “Forwarding” page in Outlook on the web options: Set-ManagementRoleEntry DenyForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

3.) Create a new policy and add all the management roles, including our new one. You may need to tweak this command some if you already have other custom entries

• New-RoleAssignmentPolicy -Name DenyForwardingRoleAssignmentPolicy -Roles DenyForwarding, MyContactInformation, MyRetentionPolicies,MyMailSubscriptions,MyTextMessaging, MyVoiceMail,MyDistributionGroupMembership, MyDistributionGroups, MyProfileInformation

4.) Lastly, assign your policy to your cloud mailboxes

• Set-Mailbox –Identity user@contoso.com -RoleAssignmentPolicy DenyForwardingRoleAssignmentPolicy

The result (if all of the CMDlets were used):

What do I suggest?

How restrictive do you want to be? What are you worried about in your environment? There’s no one size fits all option. You can implement all three options if you really want. Personally, I like the combination of transport rule + RBAC. This combination covers all bases, yet still allows for exceptions if necessary. In that setup, the forwarding options in Outlook on the Web are completely removed, and if a forwarding Inbox rule in Outlook is created, messages can be blocked with an informational Non-delivery report back to the user.

Special thanks to Ben Winzenz and Tim Heeney for their assistance and review of this content.

Alana Wegfahrt

Out of 7.6 billion people in the world, only 360 million are native English speakers.

Although email has been the earliest and most widely-adopted platform for modern electronic communication, email addresses have only supported a limited subset of Latin characters (mostly due to historical reasons). People who don't read or speak English have been forced to use email addresses containing characters not used in their own language.

Many people have been working together to try to fix this situation. In fact, new email standards to support email address internationalization (RFCs: 6530, 6531,6532, 6533) were published in 2012. However, changes in standards are difficult to implement in the world of technology due to the millions of legacy systems that are still out there. 

Microsoft is pleased to announce that we're joining the effort to adopt the new standards. Office 365 will enable Email Address Internationalization (EAI) support in Q1 2018. As a first step, Office 365 users will be able to send messages to and receive messages from internationalized email addresses. Admins can also use internationalized email addresses in other Office 365 features (for example, mail flow rules that look for EAI addresses, or outbound connectors to Internationalized Domain Name (IDN) domains). But please note that this new release will not support adding EAI addresses for Office 365 users, or IDN domains for Office 365 organizations.  We will continue to evaluate these features as the standards are more widely adopted. We will also keep you posted on the plan to release this to Exchange Enterprise version.

Carolyn Liu

In a previous blog post Ross Smith IV had explained what the Replay Lag Manager is and what it does. It's a great feature that's somewhat underappreciated. We've seen a few support cases that seemed to have been opened out of the misunderstanding of what the Replay Lag Manager is doing. I wanted to cover a real world scenario I had dealt with recently with a customer that I believe will clarify some things.

What is a Replay Lag Manager?

In a nutshell, Replay Lag Manager provides higher availability for Exchange through the automatic invocation of a lagged database copy. To further explain, a lagged database copy is a database that Exchange delays committing changes to for a specified period of time. The Replay Lag Manager was first introduced in Exchange 2013 and is actually enabled by default beginning with Exchange 2016 CU1.

To understand what it is let's look at the Preferred Architecture (PA) in regards to a database layout. The PA uses 4 database copies like the following:

As you can see the 4th copy is a lagged copy. Even though we're showing it in a secondary site, it can exist in any site where a node in the same DAG resides.

The Replay Lag Manager will constantly watch for any of the three things to happen to the copies of DB1. Ross Smith's post does a wonderful job of explaining them and how Exchange will take other factors (i.e. disk IO) into consideration before invoking the lagged copy. In general, a log play down will occur:

• When a low disk space threshold (10,000MB) is reached
• When the lagged DB copy has physical corruption and needs to be page patched
• When there are fewer than three available healthy HA copies for more than 24 hours

A log "play down" essentially means that Replay Lag Manager is going to force that lagged database copy to catch up on all of the changes to make that copy current. By doing this it ensures that Exchange maintains at least 3 copies of each database.

When things are less than perfect…

In the real world we don't always see Exchange setup according to our Preferred Architecture because of environment constraints or business requirements. There was a recent case that was the best example of Lag Replay Manager working in the real world. The customer had over 100 DB's, all with 6 copies each. There were 3 copies in the main site and 3 copies in the Disaster Recovery site with one of those copies at each site being lagged. The DB copies were configured like this for all databases.

As you can see in this particular instance the lagged copy at Site A was being forced to play down while the other copy showed a Replay Queue Length (RQL) of 4919. This case was opened due to the fact that the lagged DB copy at Site A was not lagging.

The customer stated that the DB was lagging fine until recently. However, after a quick check of the Replay Queue Length counter in the Daily Performance Logs it didn't appear to have ever lagged successfully for this copy.

So, what we're seeing is the database has 6 copies, 2 lagged but 1 of those lagged copies isn't lagging. Naturally, you may try removing the lag by setting the -ReplayLagTime to 0 then changing back to 7 (or what it was before). You may even try recreating the database copy thinking something was wrong with it. These still don't cause Exchange to lag this copy.

The next step is to check if it's actually the Replay Lag Manager causing the log play down. You can quickly see this by running the following command specifying the lagged DB\Server Name. On this example will use SERVER3 as the server hosting the lagged copy of DB1.

Get-MailboxDatabaseCopyStatus DB1\SERVER3 | Select Id,ReplayLagStatus
Id                                      : DB1\SERVER3
ReplayLagStatus                         : Enabled:False; PlayDownReason:LagDisabled; ReplaySuspendReason:None;
Percentage:0; Configured:7.00:00:00; MaxDelay:1.00:00:00; Actual:00:01:22

What we see is that the ReplayLagStatus is actually disabled and the PlayDownReason is LagDisabled. That tells us it's disabled but it doesn't really give us more detail as to why..

We can dig further by looking at the Microsoft-Exchange/HighAvailability log and we see a pattern of 3 events. The first event we encounter is the 708 but it doesn't give us any more information than the previous command does.

Time:     11/31/2017 3:32:55 PM
ID:       708
Level:    Information
Source: Microsoft-Exchange-HighAvailability
Machine:  server3.domain.com
Message:  Log Replay for database 'DB1' is replaying logs in the replay lag range. Reason: Replay lag has been disabled. (LogFileAge=00:06:00.8929066, ReasonCode=LagDisabled)

The second event we see has a little more information. At this point we know for sure it's the Replay Lag Manger because of its FastLagPlaydownDesired status.

Time:     11/31/2017 3:32:55 PM
ID:       2001
Level:    Warning
Source: Microsoft-Exchange-HighAvailability
Machine:  server3.domain.com
Message:  Database scanning during passive replay is disabled on 'DB1'. Explanation: FastLagPlaydownDesired.

On the third event we see the 738 which actually explains what's going on here.

Time:     11/30/2017 1:50:15 PM
ID:       738
Level:    Information
Source: Microsoft-Exchange-HighAvailability
Machine:  server3.domain.com
Message:  Replay Lag Manager suppressed a request to disable replay lag for database copy 'DB1\SERVER3' after a suppression interval of 1.00:00:00. Disable Reason: There were database availability check failures for database 'DB1' that may be lowering its availability. Availability Count: 3. Expected Availability Count: 3. Detailed error(s):
SERVER4:
Server 'server4.domain.com' has database copy auto activation policy configuration of 'Blocked'.
SERVER5:
Server 'server5.domain.com' has database copy auto activation policy configuration of 'Blocked'.
SERVER6:
Server 'server6.domain.com' has database copy auto activation policy configuration of 'Blocked'.

The "Availability Count: 3. Expected Availability Count: 3." is a tad confusing but the heart the issue is in the detailed errors below that…

It's Replay Lag Manager doing it… but why?

The entire reason for this blog post comes out of the fact that we've seen the Replay Lag Manager blamed for not letting a lagged copy lag. So, the next step someone will do is to disable it. Please don't do that! It only wants to help!

Let's look at how we can resolve the our above example. The logs are showing that it's expecting 3 copies but there aren't 3 available.  How can that be? They have at least 4 copies of this database available?!? If we run the following command we see a hint at culprit.

Get-mailboxdatabasecopystatus  DB1 | Select Identity,AutoActivationPolicy
Identity          AutoActivationPolicy
--------          --------------------
DB1\SERVER1 Unrestricted
DB1\SERVER2 Unrestricted
DB1\SERVER3 Unrestricted - Lagged Copy (Not lagging)
DB1\SERVER4 Blocked
DB1\SERVER5 Blocked
DB1\SERVER6 Blocked - Lagged Copy (Working)

There it is! There are 6 database copies, however, the copies in Site B are all blocked due to the AutoActivationPolicy. Now things are starting to make sense. In the eyes of the Replay Lag Manager those copies in Site B are not available because Exchange cannot activate them automatically. So, what's happening is the Replay Lag Manager only sees the 2 copies (in the green square below) as available. Therefore, it forces a play down of the logs on the lagged copy to maintain it's 3 available copies.

That explains why the lagged copy at Site A isn't lagging but why is the lagged copy at Site B working fine? This is because from the perspective of that database there are 3 available copies in Site A once that lagged copy was played down.

That's cool… how do I fix it?

There are essentially two ways to resolve this example and allow that lagged copy at Site A to properly lag.

The first way is to revisit the decision to block Auto Activation at Site B. The mindset in this particular instance was that their other site was actually for Disaster Recovery. They wanted some manual intervention if databases needed to fail over to the DR site. That's all well and good but it doesn't allow for a lagged copy at Site A to work properly due to the Replay Lag Manager. The customer did actually end up allowing 1 copy at the DR site (site B in our example) for Auto Activation. To do this you can run the following command:

Set-Mailboxdatabasecopystatus SERVER4\DB1 -AutoActivationPolicy Allowed

The other option here would be to create another database copy at Site A. Obviously, that's going to require a lot more effort and storage. However, doing this would allow for the Replay Lag Manager to resume lagging on the lagged database copy.

I hope this post clarifies some things in regards to the Replay Lag Manager. It's a great feature that will provide some automation in keeping your Exchange databases highly available.

Michael Schatte

We wanted to make you aware that we have now published a KB article on this subject, KB4074871. Please read it here:

Exchange Server guidance to protect against speculative execution side-channel vulnerabilities

The Exchange Team

We are introducing a new parameter that can be called by using the Set-User cmdlet in Exchange Online PowerShell. The feature is focused for customers doing migration of on-premises mailboxes to the cloud and you will be able to use it within three weeks or so (Edit 1/19: we updated this due to slower than expected rollout):

Customers who have Hybrid or on-premises environments with AAD Connect / Dir Sync may have faced the following scenario:

1. User Jon@contoso.com has a mailbox on-premises. Jon is represented as a Mail User in the cloud.
2. You are synchronizing the on-premises directory to the cloud in preparation to migrate to Exchange Online.
3. Due to issues with the on-premises sync or due to a configuration problem, the user Jon@contoso.com does not get the ExchangeGUID synchronized from on-premises to the cloud.
4. If the Exchange GUID is missing from the object in the cloud, assigning an Exchange license to Jon@contoso.com will cause Exchange Online to give the user a mailbox, converting the object from a Mail User to a User Mailbox. (Adding the license is a step required for the migration of the mailbox from on-premises to the cloud.)
5. The end result is the user that has 2 mailboxes: one on-premises and one in the cloud. This is not good. Mail flow issues will follow.

Those doing these types of migrations will know that the ExchangeGUID value is very important as it helps Exchange Online identify that the user has a mailbox on-premises, and if an Exchange license is assigned in the cloud, a new mailbox should not be created.

The immediate fix for this situation is to remove the Exchange License from Jon@contoso.com. This will convert the cloud object for Jon back to a Mail User. Mail flow should be restored at this point.

The problem now is that you have an “unclean” cloud object for Jon. This is because Exchange online keeps pointers that indicate that there used to be a mailbox in the cloud for this user:

PS C:\WINDOWS\system32> Get-User Jon@contoso.com | Select name,*Recipient*
Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails
---- ---------------------------- ------------- --------------------
Jon UserMailbox MailUser MailUser

Re-assigning the license after that will always err on the side of caution and Exchange Online will try to re-connect the (duplicate, temporary) mailbox in the cloud (and mailboxes can be reconnected for 30 days). Therefore Jon’s account in the cloud can’t be licensed in preparation for migration.

Up to now, one of the few options to fix this problem was to delete *only in the cloud* Jon’s object and re-sync it from on-premises. This would delete jon@contoso.com from the cloud – but from all workloads, not only Exchange. This is problematic because Jon could have his OneDrive or SharePoint data in the cloud only and deleting his account means that this will be deleted too. If the account is then re-created, Jon and the tenant admin would have to work to recover to his new account all the data he used to have in OneDrive or SharePoint just because Exchange data needed to be “cleaned up”.

The new parameter in the user cmdlet will allow tenant admin to clean up Exchange Online Jon’s object without having to delete it.

To clean the object, you can run the following command:

PS C:\> Set-User Jon@contoso.com -PermanentlyClearPreviousMailboxInfo
Confirm
Are you sure you want to perform this action?
Delete all existing information about user “Jon@contoso.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY. Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Executing this leaves you with a clean object that can be re-licensed without causing the 2-mailbox problem. Now you can on-board Jon’s on-premises mailbox following the usual steps. An alternative – a call to support to do the clean-up for you - is also not needed.

Remember, cleaning up the user means that the older associated disconnected (duplicate) cloud mailbox is not recoverable. If you want to keep it or be able to check it’s content, we recommend using Soft Deletion or Inactive Mailboxes to keep the mailbox.

Mario Trigueros Solorio

A while ago I created the “CollectLogsScript” (see my old A better way to collect logs from your Exchange servers blog post) which I have since rebranded to “ExchangeLogCollector”. Seeing that this has proven popular, I have continued to make some major improvements to the script over the years. The script was recently moved over to GitHub to allow people to know and understand what changes I have made so there are no surprises - those of you wanting to see the changes/commits in the branch of code can do so by clicking here. Moving to GitHub also allows the option for someone else to submit issues that they are running into so that they can be addressed. For those looking simply to download the latest version of the script, go to the release page and download the latest ps1 itself.

A recent major improvement that I have made was to enable remote collection from other Exchange servers. This allows the data collection to be done with even more ease and with less admin overhead to collect the data required. This is only able to be done on machines that will allow you to run Invoke-Command remotely against them. From my testing thus far, it appears that machines running on Windows 2008 R2 are not able to do this functionality. If a server fails remote collection, you will still be able to run the script locally on the server without any issues.

When running this script, you’ll always want to be run it from a server that you want to also collect data from or some data will be missing from the data collection – the script will not run properly against a tools machine. Here is what it looks like when you run the script now.

I have added a disclaimer because this script can collect large amounts of data - if you aren’t careful, you can fill up a drive on the server. I still have the logical check to make sure there are at least 15GB free on the specified drive which should be enough in most circumstances – there will always be some variables in play here, but the 15GB free space check is expected to be sufficient. In past versions of the script, I did have a DiskCheckOverride switch that you could use to skip over the check for the disk space, however, with this current version of having the remote option I don’t have that in place till I have some advanced logic in place to allow near zero chance of any drives filling up.

After you have agreed to the disclaimer, the script checks to make sure the servers in the list are up and able to be collected from remotely. Then we do the disk free space check and proceed to collect any Exchange-specific cmdlets as you can’t run Exchange cmdlets within Invoke-Command. If any server fails one of these tests, it will remove them from the list. You will need to collect from any listed servers manually.

After everything has executed locally that we need to, we then send the Invoke-Command to all the servers in the list. You will start to see something like in the image below where we are collecting and zipping up the selected data.

Once we are done collecting data from all the servers, we will proceed to check the actual size of the zipped file from every server and verify we have enough space free to copy the data to the local server. This way, it will be even easier to collect and upload the data.

With the new features that I have added to the script hopefully this makes data collection from an Exchange environment even easier than before. This major improvement moving forward should make it easier for admins to collect data from multiple servers with little to no hassle. This makes all of our jobs easier – ensuring that we collect all the data we need when we need to collect it to resolve issues!

David Paulson

Overview

As the realm of security in technology continues to evolve over time, every so often we say hello to newer and more competent versions of technologies while saying goodbye to their older siblings.

By the time you are reading this article you may have learned Office 365 intends to stop accepting inbound network connections if they are using TLS protocol versions prior to TLS 1.2, and started to wonder how this may affect your on-premises deployments of Exchange Server. For clarity, this does not mean your on-premises deployments must disable TLS 1.0/1.1 by the time Office 365’s change takes place. It only means TLS 1.2 must be enabled and used when communicating with Office 365.

Today, in part 1 of this series we will provide you with the information required to prepare your environments for using TLS 1.2, as well as, what our plans are during the next few weeks.

Part 1: This blog. What you need to be ready for TLS 1.2 being enabled.

ETA: The present, which is now the past

Part 2: Enabling and confirming TLS 1.2 is operational in supported Exchange Server deployments.

ETA: The future, Early/Mid-February 2018

Part 3: Disabling TLS 1.0 and TLS 1.1 as well as how to run a TLS 1.2-only Exchange Server deployment aligned with Office 365’s configuration.

ETA: The future’s future, the next Exchange 2010/2013/2016 updates, est. Mid-March

In addition to the Office 365 announcement, we know there are customers interested in this topic due to the PCI DSS 3.1 that currently has an effective date of June 30^th, 2018. We are seeing an uptick in requests for guidance related to this date and want to assure you we have the guidance underway.

Protocols and Components

TLS versus SSL

Before going further, let us take a moment to clarify TLS and SSL in case they are unfamiliar terms.

In the world of Exchange Servers, it isn’t uncommon to think of the TLS protocol (Transport Layer Security) as being involved only in mail delivery processes ("Transport" kind of indicates that). For the SSL protocol (Secure Socket Layer), we most often speak to it when planning for client namespaces and ensuring we’re able to use HTTPS for a secure HTTP session. For example, during the deployment of a new Exchange organization you may hear, “Did you already get the SSL certificate for the new Exchange namespace?” The S in HTTPS does not stand for SSL, it stands for Secure. What really should be asked in the SSL example above is “Did you already get the certificate to enable HTTPS for the new Exchange namespace?” as HTTPS can (and should) be using a TLS based protocol these days rather than an older SSL protocol. TLS can be thought of as the successor to SSL and can be used anywhere two systems must exchange information over an encrypted network session. The Windows Dev Center does a nice job of summarizing this for us here and here.

Additional Components

In addition to the TLS and SSL protocols, there are many other terms that may be useful to cover, which will become more important in later segments of this blog series.

Schannel

Microsoft Exchange Server relies on the Secure Channel (Schannel) security support provider, which is a Windows component used to provide identity repudiation and in some instances authentication to enable secure, private communications through encryption. One of the roles of Schannel is to implement versions of SSL/TLS protocols to be used during client/server information exchanges. Schannel also plays a part in determining what cipher suite to be used.

Cipher Suites

Cipher Suite selection, in addition to the encryption protocol (TLS/SSL) used to carry out information exchanges, is another significant piece of the overall puzzle. Cipher suites are a collection of algorithms used to determine how information exchanged between two systems will be encrypted for key exchange, bulk encryption, and message authentication. As one may expect, different versions of Windows have supported an ever-evolving list of cipher suites made up of different strengths throughout the course of release. If you are a customer accustomed to configuring applications to only use Federal Information Processing Standards (FIPS) compliant algorithms, then cipher suites are nothing new to you.

WinHTTP

Some components of Microsoft Exchange Server rely on Microsoft Windows HTTP Services (WinHTTP). WinHTTP provides a server-supported, high-level interface to the HTTP/1.1 Internet Protocol. WinHTTP enables Exchange to retrieve enabled encryption levels, specify the security protocol, and interact with server and client certificates when establishing an HTTPS connection.

.NET

Last, but certainly not least, is the Microsoft .NET Framework. .NET is a managed execution environment that includes a common language runtime (CLR) that is used as an execution engine and class library which provides reusable code; a vast majority of the code that makes up Exchange Server is written for the .NET Framework. With the release of Exchange Server 2013, our references to the Information Store now being “managed code” or “managed store” were due to its complete rewrite using .NET Framework. Settings for .NET itself can have an impact on how different protocols are used when applications exchange information with other systems.

There are many components Exchange Server depends on to properly implement all its encryption capabilities. Understanding what those components are, and how every component should align when adjusting cryptography settings will help you better understand the impact to Exchange Server when those changes are carried out.

With those clarifications out of the way let us keep moving on.

How to Prepare

If you would like to prepare your Exchange environments for the upcoming TLS 1.2 configuration guidance, please align yourself by auditing your current deployment against the below set of requirements. No guidance will be provided for versions of Exchange or Windows earlier than what is listed below. By ensuring you are ready for the TLS 1.2 configuration guidance you will minimize the amount of work to enable TLS 1.2 in your environment.

Any update called out as ‘current’ is as of the publishing of this article and may not remain true in the future.

Exchange Server versions

Exchange Server 2016

• Install Cumulative Update (CU) 8 in production and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
• Install the newest version of. NET and associated patches supported by your CU (currently 4.7.1).

Exchange Server 2013

• Install CU19 in production and be ready to upgrade to CU20 after its release if you need to disable TLS 1.0 and TLS 1.1.
• Install the newest version of.NET and associated patches supported by your CU (currently 4.7.1).

Exchange Server 2010

• Install SP3 RU19 in production today and be ready to upgrade to SP3 RU20 in production after its release if you need to disable TLS 1.0 and TLS 1.1.
• Install the latest version of.NET 3.5.1 and patches.

Exchange Server versions older than 2010

• Out of support. There is no path forward and you should be planning a migration to Exchange Online or a modern version of Exchange Server on-premises.

As always you may refer to the Exchange Supportability Matrix if you need information related to what combinations of Exchange, Windows, and .NET Framework are supported operating together.

Windows Server versions

You cannot have an Exchange server without Windows Server, so don't forget to make sure you're in a good place at the operating system level to support using TLS 1.2.

Many of the Schannel, WinHTTP, and. NET Framework updates require registry changes to become effective. After confirming the updates below are installed, please do not make any registry changes unless you already have custom settings you must use. We will cover registry changes for these updates in the next part of this series.

Windows Server 2016

• TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
• Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

Windows Server 2012 R2

• TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP
• Ensure your server is current on Windows Updates.
  • This should include security update KB3161949 for the current version of WinHTTP.
• If you rely on SHA512 certificates; please see KB2973337.

Windows Server 2012

• TLS 1.2 is the default security protocol for Schannel.
• Ensure your server is current on Windows Updates.
  • This should include security update KB3161949 for the current version of WinHTTP.
• If you rely on SHA512 certificates; please see KB2973337.
• Exchange 2010 Installs Only: Install 3154519 for .NET Framework 3.5.1.

Windows Server 2008 R2 SP1

• TLS 1.2 is supported by the OS but is disabled by default.
• Ensure your server is current on Windows updates.
  • This should include security update KB3161949 for the current version of WinHTTP.
  • This should include optional recommended update KB3080079 which adds TLS 1.2 capability to Remote Desktop Services if you intend to connect to 2008 R2 SP1 based Exchange Servers via Remote Desktop. Also install this update on any Windows 7 machines you intend to connect from.
• If you rely on SHA512 certificates; please see KB2973337.
• Exchange 2010 Installs Only: Install 3154518 for .NET Framework 3.5.1.

Windows Server 2008 SP2

• TLS 1.2 is not supported by default.
• Ensure your server is current on Windows updates.
  • This should include optional recommended update KB4019276. This update adds TLS 1.2 capability as a default secure protocol for Schannel.
  • This should include security update KB3161949 for the current version of WinHTTP.
• If you rely on SHA512 certificates; please see KB2973337.
• Exchange 2010 Installs Only: Install 3154517 for .NET Framework 3.5.1.

Why is having current updates helpful?

It may normally go without saying, but by being on a current update you will minimize the risk of encountering any issues while applying a new update as these update paths are tested and well-known prior to the release of the new update. We would like to help you avoid any delay in deploying TLS configuration changes which could arise from battling upgrades from very old Exchange or Windows updates.

In addition, with our December 2017 releases for Exchange Server, we’ve already been making underlying changes to prepare for this eventual moment in TLS' history. Starting with those releases, Exchange setup no longer overwrites the current cryptography settings of the server you're upgrading. If you have previously configured certain cryptography ciphers and their order of presentation, we will no longer reset them to our desired default configuration.

For any new server installations (not an upgrade of an existing server to a new update), Exchange setup will still configure the recommended configuration as of the time the update was originally published. This will also happen if setup is run with /M:RecoverServer as we assume this is the first time Exchange is being installed on the server.

If customers prefer a configuration other than our recommended out-of-the-box configuration, then you will still have to apply those updates after installing Exchange Server for the first time on a server. However, once Exchange is installed your custom cryptography config should remain in place after any future Exchange Server update. The Exchange team will continue to publish guidance on which cryptography settings we believe customers should use to optimally configure an Exchange server.

What else have we been up to?

Historically there were many areas within the Exchange codebase where specific cryptography protocols were hard-coded. Over the last few years we have been systematically updating all these areas and slowly converting components over to use protocols and ciphers as dictated by the underlying operating system and .NET. Progress in making these changes was intentionally done in a slow controlled manner over time to ensure stability of the product was not affected. We believe these changes should make administrators' lives easier by reducing where and how you need to configure cryptography settings for an Exchange Server.

Am I a Server or a Client?

Believe it or not even with Exchange 2016 the acceptance of inbound connections to the Mailbox Server role and the Edge Transport role are not the only purposes a server can have. Exchange Server is often playing the role of a client. Any time Exchange is initiating contact to another system it is effectively a client. Sending mail to another Exchange Server in your org? Client. Contacting O365 for a cross-premises F/B request? Client. Sending mail to a partner organization? Client. Doing a CRL lookup against a CDP so it can show S/MIME certificate status in OWA? Client. Proxying a client request from one Exchange Server to another? Client.

Exchange obviously can also play the role of a server, as defined as the party answering a request from another system. Examples include receiving client connections, receiving inbound e-mail via SMTP, or accepting cross-forest requests from another Exchange org.

Why does this matter? As you move forward with your configuration changes you must take caution to not move too quickly. Stop and take stock of not only what talks to Exchange, but what Exchange talks to as well. This may mean you have to coordinate changes across multiple environments to ensure you do not suffer any impact to service availability. In the next part of the series you will see configuration changes that refer to both Client and Server aspects of the machine. If you miss one setting you may find yourself with a system making outbound connections on older TLS protocols even though it allows incoming connections to only use TLS 1.2. In part 2 of this series we will discuss how to introduce TLS 1.2 into your environment safely while other servers may still be using TLS 1.0 or 1.1.

Call to Action and Review

Should you be preparing to act?

Yes, we recommend all Exchange Server on-premises customers begin the transition towards using TLS 1.2.

Action Items

If you have not already, then please audit your systems for any updates we’ve outlined above as necessary and begin deploying them to prepare yourself for configuring TLS 1.2.

Review

Keep watching this space for additional information on configuring TLS 1.2, and then additional future guidance on deprecating TLS 1.0 and 1.1 from Exchange Servers.

We're continuing to work with our partner teams across Microsoft to provide you with the best set of guidance and you'll continue to hear more from us to help guide you through this transition.

We hope this first post is helpful in your planning and look forward to releasing the other upcoming parts!

A huge debt of gratitude goes to Scott Landry, Brent Alinger, Chris Schrimsher and others for combining numerous efforts of work into this series of postings.

Brian Day

Today, we are announcing the availability of new functionality in Outlook for iOS and Android that simplifies the Exchange on-premises email account set up with Microsoft Intune and other enterprise mobility management (EMM) solutions.  

Now administrators can simply push the account set up details via mobile device management (MDM) to deliver the user and server endpoint details. Users can then easily add their Exchange on-premises email accounts to Outlook for iOS and Android to get up and running virtually instantly.  This new functionality will facilitate large scale deployments of the leading, secure email client which is known to be loved by users and trusted by IT.  

Managing and configuring the Outlook for iOS and Android features such as Focused Inbox or contact synchronization capabilities are not in scope for this release although under consideration for the future.  

This account set up capability supports Intune and other EMM providers that leverage either Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration detail. Devices must be running at minimum iOS 10, or Android enterprise managed devices with Android 5.0+ and the Exchange on-premises accounts must utilize the ActiveSync protocol with Basic Authentication. 

This enhancement was developed specifically to support on-premises Exchange accounts with basic authentication via the ActiveSync protocol and not accounts that support modern authentication (OAuth). Why?  Because Modern Authentication capable accounts (e.g., cloud based accounts such as Office 365 or hybrid on-premises accounts) already support two simplified scenarios for account set up today:

1. A single sign-on experience that automatically finds and authenticates the account.
2. AutoDetect functionality for users to simply enter an email address and then authenticate the account with their credentials to gain access.

For more information, see the following TechNet articles:

1. Easy onboarding of Modern Authentication capable accounts to Outlook for iOS and Android
2. Easy onboarding of Exchange 2016 on-premises accounts using Basic Authentication for Outlook for iOS and Android
3. Easy onboarding of Exchange 2013 on-premises accounts using Basic Authentication for Outlook for iOS and Android

Lexi Torres
Principal Program Manager
Outlook

Hybrid Free/Busy is one of those things that many people do not fully understand. If everything works well, the complexity is hidden from view and people working in various parts of organization can seamlessly work together. But if things go wrong… you will appreciate deeper understanding of what makes it work. This is why we wanted to create the blog post series on the subject.

In this article, we will discuss how Free/Busy works in an Exchange Hybrid configuration. In next blog post, you will learn what we (Microsoft Support) see as the most common problems along with how we go about diagnosing those (often) complex issues. Hope you like reading, because there is a lot to cover!

So, what is Free/Busy? Free/Busy is a feature that allows you to see when others are free (their calendar shows availability), busy (their calendar shows them as busy), or even Out of Office, or Something Else (tentative or working away) so that you can find an appropriate time for your meetings. Calling it all “Free/Busy/OOF/Something-Else” didn’t sound so cool to marketing hence “Free/Busy”. In a Hybrid deployment, we usually have some mailboxes in Exchange On-Premises and some mailboxes in Exchange Online (users are in different premises) and this has to work there too.

One of the most important parts in Hybrid Configurations is the Federation Trust and many features, including Free/Busy can rely upon this.

A quick overview of a hybrid deployment with a focus on Federation Trust components

In Contoso – On-Premises side we have on-premises Exchange Servers and mailboxes.

We also have a federation trust with the Microsoft Federated Gateway (MFG) - now called Azure Authentication System. A Federation trust is not set by default for Exchange On-Premises organizations and we can either create it manually or run the Hybrid Configuration Wizard (HCW) which will do this for us. If you don’t have already a federation trust established on-premises (usually for purposes to share F/B with another on-premises organization) and you plan for a Hybrid deployment, then we strongly recommend you run HCW to automatically create the Federation Trust.

In Contoso – Cloud Side there are Office 365 Exchange Online servers, your Office 365 tenant and mailboxes migrated from on-premises. A Federation trust with the MFG is automatically created for cloud-only-based Exchange organizations whom do not have a Hybrid relationship to an on-premises organization. If you run Get-FederationTrust cmdlet in Exchange Online PowerShell (see here how to connect to Exchange Online PowerShell) you would see two trusts: “WindowsLiveId” (Consumer Instance of Microsoft Federation Gateway) and “MicrosoftOnline” (Business Instance of Microsoft Federation Gateway) .

Note: As a troubleshooting tip, you might want to make sure the Application Identifier is “260563” and the Application Uri is “outlook.com” for both; in case you have a different App ID (292841) and a different App URI (outlook.live.com) for a Cloud trust, this means your tenant has an old reference pointing to MFG and most probably Free/Busy from on-premises to cloud would fail with a quite generic 401 Unauthorized error. If you were to find yourself in a such situation, please open a support case with Microsoft to get it resolved.

About Free/Busy lookup directionality

To guide you to the correct troubleshooting steps we first need to determine what direction Free/Busy queries are failing in. Understanding how Free/Busy works in general and the direction that lookups are failing can greatly simplify the troubleshooting steps.

Simply said, there are 2 possible Free/Busy directions (referring to our example above):

When Joe looks up Jane’s Free/Busy, the Free/Busy direction is On-premises to Cloud.

When Jane looks up Joe’s Free/Busy, the Free/Busy direction is Cloud to On-Premises

Now that you are familiar with the Free/Busy directions, we should take a moment to discuss how it all works.

Let me set the stage for the below diagram: joe@contoso.com has his mailbox in Exchange on-premises and jane@contoso.com has been moved to Exchange Online.

In Exchange on-premises, joe@contoso.com is a Mailbox User. Because Directory Synchronization is a requirement for Hybrid Deployments, joe@contoso.com (mailbox) is synced to the cloud and represented as a Mail Enabled User (MEU) object in Cloud with Target Address (TA) of joe@contoso.com.

jane@contoso.com was once a Mailbox User in Exchange on-premises. Her mailbox was then migrated to Exchange Online. Jane now has a Mailbox User in Exchange Online and is represented as a Remote Mailbox (RM) object in Exchange On-Premises.

Jane has a Primary SMTP address (SMTP: jane@contoso.com) and a secondary smtp address (smtp: jane@contoso.mail.onmicrosoft.com). Notice how we refer to a primary email address (SMTP) and to a secondary email address (smtp). According to TechNet, the difference between primary and secondary addresses is that the primary address serves as the return e-mail address. When mail is received from a recipient, the primary address determines which address the mail appears to have come from. Recipients can receive mail sent to any of the addresses associated with them (primary or secondary).

The Target Address (TA) of the on-premises Remote Mailbox object is represented as jane@tenant.mail.onmicrosoft.com (secondary smtp) and this is crucial for Autodiscover and email routing from on-premises to cloud. A successful Autodiscover query is important in the Free/Busy process as it provides us with the Availability Service URL of the user which is the External EWS URL of an Exchange Organization.

This TechNet article gives us more information on this <domain>.mail.onmicrosoft.com secondary email address:

The wizard (HCW) adds an accepted domain to the on-premises organization for hybrid mail flow and Autodiscover requests for the cloud organization. This domain, referred to as the coexistence domain, is added as a secondary proxy domain (contoso.mail.onmicrosoft.com) to any email address policies which have PrimarySmtpAddress templates for domains selected in the Hybrid Configuration wizard(contoso.com). By default, this domain is <domain>.mail.onmicrosoft.com.

Table below illustrates the hybrid user objects discussed above as well as how to look them up.

• On-premises commands = Exchange Management Shell
• Cloud commands = Exchange Online PowerShell

Typical Hybrid user objects configuration

Now that we understand user objects and their relevant properties, we should come back to Free/Busy directions.

Between the on-premises organization and cloud organization there are bidirectional Organization Relationships and/or bidirectional Intra Organization Connectors (for Exchange 2013 or later) that are created during Hybrid Configuration. The source of these Relationships / Connectors plays an important role in the F/B directionality.

The Free/Busy directions are:

Direction On-premises to Cloud

You are logged in to Outlook on the Web or Outlook on Windows as an on-premises user (joe@contoso.com), you’re your mailbox hosted on your on-premises Exchange server. As an on-premises user you wish to have a meeting with the cloud user (jane@contoso.com) but will first have to check their availability for the meeting. Let’s walk through the process:

1. Joe creates a meeting request and adds Jane as an attendee.

2. The on-premises Exchange server in Contoso determines (usually based on Target Address of the mail-enabled user) that Jane is not a local mailbox and has a different domain name of contoso.mail.onmicrosoft.com set as the Target Address.

3. The Availability Service on the on-premises Exchange server (Client Access Server if Ex2010 or Mailbox Server if 2013/2016) in Contoso then checks to see if there is a path to query Jane’s Free/Busy information for Contoso’s cloud side.

• First, we check if we have an Intra-Organization Connector (1) with the domain name of contoso.mail.onmicrosoft.com (assuming the Exchange server is version 2013 or later).
• If an IOC does not exist, then we look to see if an Organization Relationship (2) is configured by looking for the domain name of contoso.mail.onmicrosoft.com in the list of any existing Organization Relationships.
• If neither an IOC nor an Organization Relationship for the domain contoso.mail.onmicrosoft.com exists, then we look for the domain name contoso.mail.onmicrosoft.com as an Availability Address Space (3).

4. Assuming we would have an Exchange 2010-only environment in the on-premises and we’ve ran HCW successfully, we should expect to see both an Organization Relationship as well as a Federation Trust which combined is the second option from step #3. The Target ApplicationURI in the Contoso on-premises Organization Relationship is set to outlook.com, which is an identifier for the Contoso Cloud organization trust in the Azure Authentication System. A request is then made to the Azure Authentication System for a delegation token that will be accepted by Contoso Cloud Organization.

5. Once the delegation token is received back from the Azure Authentication System, the Exchange server in Contoso on-premises sends an Autodiscover request to Exchange Online, and upon a successful Autodiscover response will send an EWS request to Exchange Online for Jane’s availability information.

6. The Exchange Online server validates the token provided by the Azure Authentication System and once confirmed, returns the requested Free/Busy data for Jane’s mailbox.

Here is a flowchart which illustrates the Free/Busy lookup process:

Direction Cloud to on-premises

You are logged in to Outlook on the Web or Outlook on Windows as a cloud user (jane@contoso.com), whose mailbox is in Exchange Online. Jane wants to have a meeting with an on-premises user (joe@contoso.com), but must first check their availability for the meeting.

1. Jane creates a meeting request and adds Joe as an attendee

2. The Exchange Online servers in Contoso-cloud side organization determine (usually based on target address of a mail-enabled user) that Joe is not a local mailbox and has a domain name of contoso.com set as the target address.

3. The Availability Service on Exchange Online servers checks to see if there is a path for it to find the Free/Busy information for Contoso on-premises side organization.

• First, we check if we have an Intra-Organization Connector (1) with the domain name of contoso.com (assuming the Exchange server is 2013 or later on-premises).
• If an IOC does not exist, then we look to see if an Organization Relationship (2) is configured by looking for the domain name of contoso.com in the list of any existing Organization Relationships.
• If neither an IOC nor an Organization Relationship for the domain contoso.com exists, then we then look for the domain name contoso.com as an Availability Address Space (3).

4. Assuming we would have an Exchange 2010-only environment in the on-premises and we’ve ran HCW successfully, we should expect to see both an Organization Relationship as well as a Federation Trust which combined is the second option from step #3. The Target ApplicationURI in the Contoso Cloud Organization Relationship is set to FYDIBOHF25SPDLT.contoso.com, which is an identifier for the Contoso on-premises organization trust in the Azure Authentication System. A request is then made to the Azure Authentication System for a delegation token which will be accepted by Contoso on-premises organization.

5. Once the delegation token is received back from the Azure Authentication System, the Exchange Online server in Contoso cloud sends an Autodiscover request to the on-premises Exchange Servers and upon receipt of a successful Autodiscover response it will then send an EWS request for Joe’s availability.

6. The Contoso on-premises Exchange server validates the token provided by the Azure Authentication System and once confirmed, returns the requested Free/Busy data for Joe’s mailbox.

Hybrid Free/Busy lookup order

To summarize, the following order would be used when processing for Free/Busy lookups from cloud to on-premises:

1. Look for IntraOrganizationConnector (OAUTH)
2. If there is no IntraOrganizationConnector or if it is disabled, then look for Organization Relationship (DAUTH)
3. If neither of these are found or they’re disabled, then look for Availability Address Space. Availability Address Space is normally only used for Lotus Notes organizations. If Free/Busy lookup is getting all the way down to using the final Availability Address Space option for cloud to on-premises lookups in a hybrid deployment, then this would suggest there are configuration issues which must be repaired.

The order for Free/Busy lookups from on-premises to cloud is almost the same with some exceptions:

1. If we have Exchange 2007 servers in coexistence with Exchange 2010/2013, we use Availability Address Space from Exchange 2007 to Exchange 2010/2013 and then Exchange 2010/2013 will use Org Relationship (Ex2010) or IntraOrganization Connector (Ex2013) to Cloud.
2. If we have Exchange 2010 with Exchange 2013/2016 and OAuth is enabled, Exchange 2010 will use Availability Address Space to Exchange 2013/2016 and then 2013/2016 will use the IntraOrganization Connector to Cloud.
3. If we have Exchange 2010 with Exchange 2013/2016 and OAuth is not enabled, Exchange 2010 will not send the request to the Exchange 2013/2016. Instead Exchange 2010 will use Organization Relationship to Cloud for Free/Busy.

Exchange 2013 Cu5+ and Exchange 2016 organizations without coexisting with legacy Exchange servers will use by default IntraOrganization Connectors from On-Premises to Cloud (normal process)

This table summarizes which components (Get-IntraorganizationConnector / Get-OrganizationRelationship / Get-AvailabilityAddressSpace) are present (YES) or not (NO) in the Exchange Organization depending on the Exchange Server versions on-premises in a Hybrid deployment.

Free/Busy component matrix

Note: OAuth is by default configured by HCW in Exchange 2013 CU5 and above (including Exchange 2016) organizations. If Exchange 2013 / Exchange 2016 servers coexist with Exchange 2010 or older then OAUTH is not configured by default by the HCW but can be manually configured.

Note: Exchange 2013 CU5 is considered old and unlike wine, the finest CU is always the most recent one. You probably have heard about our n and n-1 supported version statement in Hybrid Deployments and can read more about it here and here.

Which Free/Busy lookup method are you using?

I won't go into all the details about the two types of authentication (OAUTH vs DAUTH) in this post, but I recommend reading this blog post at bedtime: Deep Dive: How Hybrid Authentication Really Works. As explained there, OAuth is an open-standards based model which is more preferred to a customized model.

You can quickly determine if you are using OAuth or not by running: Get-IntraOrganizationConnector cmdlet in Exchange Management Shell (for F/B direction On-Premises to Cloud) and in Exchange Online PowerShell (for F/B direction Cloud to On-Premises). If you see Enabled = True, then you are using OAuth or the system should at least be trying to.

Note: We also need to make sure that the Target Domain is present on the Intra Organization Connector or Organization Relationship when deciding if using OAUTH or DAUTH.

I have created two flowcharts to show you the logic of using OAUTH vs DAUTH in a F/B lookup process for each F/B direction.

The user’s setup remains still the same as shown in previous examples and I am reposting the diagram here so that you don’t need to scroll up.

1. Joe’s Exchange server deciding whether to use Oauth or Dauth :

2. Jane’s Exchange Online server deciding whether to use Oauth or Dauth

Now that you know which method is being used (or at least which should be attempted) and we know the direction Free/Busy is failing, we can see if you have everything configured correctly. In most cases these configurations are handled by the HCW and should be accurate and you can re-run the HCW to get things back to a good configuration.

• If Exchange On-Premises > Exchange Online Free/Busy is failing for all users, you would first check Intra Organization Connector or the Organization Relationship from on-premises.
• If Exchange Online > Exchange On-Premises Free/Busy is failing for all users, you would first check Intra Organization Connector or the Organization Relationship from Exchange Online.

Below, you will see a sample of the expected configuration for Intra Organization Connectors and Org Relationships from both sides (on-premises and cloud). This Baseline configuration was documented by my co-worker Ray Fong (Support Escalation Engineer) and I am very happy to have it when I troubleshoot Free/Busy issues.

Exchange Online side

Use this article to connect to Exchange Online PowerShell.

INTRA ORGANIZATION CONNECTOR IN CLOUD

Get-IntraOrganizationConnector | fl TargetAddressDomains,DiscoveryEndpoint,Enabled
TargetAddressDomains : {contoso.com}
DiscoveryEndpoint    : https://autodiscover.contoso.com/autodiscover/autodiscover.svc *
Enabled              : True

Note: In practice, the On-Premises Discovery Endpoint (Autodiscover) is more likely to be found in the format https://mail.contoso.com/autodiscover/autodiscover.svc because of the EWS External URL, so pay attention to this Autodiscover URL and replace it if needed with the autodiscover.yourdomain.tld on the IOC present in the Cloud Side (Reference Set-IntraOrganizationConnector)

Get-IntraOrganizationConfiguration | fl OnPremiseTargetAddresses
OnPremiseTargetAddresses : {contoso.com}

• TargetAddressDomains - This should be your federated domains. Example: contoso.com
  • You can find the domains name by cross-checking Exchange Online's (Get-IntraOrganizationConfiguration).OnPremiseTargetAddresses
• TargetDiscoveryEndpoint - This should be the address of the On-Premises Autodiscover Endpoint. Example: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/.If you paste the URL in IE, you should receive a regular windows authentication security prompt
• Enabled - This must be True.

Exchange On-Premises side (use Exchange Management Shell)

INTRA ORGANIZATION CONNECTOR IN ON-PREM

Get-IntraOrganizationConnector | fl Name,TargetAddressDomains,DiscoveryEndpoint,Enabled
Name                 : ExchangeHybridOnPremisesToOnline
TargetAddressDomains : {contoso.mail.onmicrosoft.com}
DiscoveryEndpoint    : https://outlook.office365.com/autodiscover/autodiscover.svc
Enabled              : True

• TargetAddressDomains - This should be your tenant.mail.onmicroosft.com name. Example: 'contoso.mail.onmicrosoft.com'
• TargetDiscoveryEndpoint - This should be the address of EXO Autodiscover endpoint. Example: https://outlook.office365.com/autodiscover/autodiscover.svc
• Enabled - This must be True.

Exchange Online side

Use this article to connect to Exchange Online PowerShell.

ORGANIZATION RELATIONSHIP IN CLOUD

Get-OrganizationRelationship "Exchange Online to on premises Organization Relationship" | fl DomainNames,FreeBusy*,Target*,Enabled
DomainNames           : {contoso.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel   : LimitedDetails
FreeBusyAccessScope   :
TargetApplicationUri  : FYDIBOHF25SPDLT.contoso.com
TargetSharingEpr      :
TargetOwaURL          :
TargetAutodiscoverEpr : https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity
Enabled               : True

• DomainNames - This should be your federated domains. Example: contoso.com
  • You can find the domains name by cross-checking On-Premises' (Get-FederatedOrganizationIdentifier).Domains
• TargetAutodiscoverEPR - This should be the address of the On-Premises Autodiscover Endpoint. Example: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity. If you paste the URL in IE, you should receive a regular windows authentication security prompt
• TargetSharingEPR - Ideally this is blank. If it is set, it should be the On-Premises Exchange servers EWS ExternalUrl endpoint. Example: https://server.contoso.com/EWS/Exchange.asmx
  • You can find the URL by cross-checking On-Prem's Get-WebServicesVirtualDirectory ExternaUrl. If you paste the URL in IE with /WSSecurity at the end (https://server.contoso.com/EWS/Exchange.asmx/WSSecurity), you should receive a regular windows authentication security prompt
• TargetApplicationURI - This must match the ApplicationUrI from On-Prem. Example: FYDIBOHF25SPDLT.contoso.com
  • You can find the value by cross-checking On-Prem's (Get-FederationTrust).ApplicationUri
• FreeBusyAccessEnabled - This must be True.
• FreeBusyAccessLevel - This should be either AvailabilityOnly or LimitedDetails.
  • AvailabilityOnly: Free/Busy access with time only
  • LimitedDetails: Free/Busy access with time, subject, and location
• FreeBusyAccessScope - This is typically blank. The FreeBusyAccessScope parameter specifies a security distribution group in the internal organization that contains users that can have their Free/Busy information accessed by an external organization.
• Enabled - This must be True.

Exchange On-Premises side (use Exchange Management Shell)

ORGANIZATION RELATIONSHIP IN ON-PREM

Get-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" | fl DomainNames,FreeBusy*,Target*,Enabled
DomainNames           : {contoso.mail.onmicrosoft.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel   : LimitedDetails
FreeBusyAccessScope   :
TargetApplicationUri  : Outlook.com
TargetSharingEpr      :
TargetOwaURL          : https://outlook.com/owa/contoso.onmicrosoft.com
TargetAutodiscoverEpr : https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
Enabled               : True

• DomainNames - This should be your tenant.mail.onmicrosoft.com name. Example: contoso.mail.onmicrosoft.com
• TargetAutodiscoverEpr - This should be a valid Exchange Online Autodiscover endpoint. Example: https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity or https://pod51038.outlook.com/autodiscover/autodiscover.svc/WSSecurity [<-- A pod address]
  • You can find the value from TargetAutodiscoverEpr of Get-FederationInformaiton -DomainName tenantname.mail.onmicrosoft.com -BypassAdditionalDomainValidation | fl
• TargetSharingEPR - Ideally this is blank. If it is set, it should be Office 365 EWS endpoint. Example: https://outlook.office365.com/EWS/Exchange.asmx
• TargetApplicationURI - This must be outlook.com if this is for organization relationship of the cloud tenant. For non-cloud organization relationship, this must match (Get-FederationTrust).ApplicationUri of the On-Prem trust of the other organization.
• FreeBusyAccessEnabled - This must be True.
• FreeBusyAccessLevel - This should be either AvailabilityOnly or LimitedDetails.
  • AvailabilityOnly: Free/Busy access with time only
  • LimitedDetails: Free/Busy access with time, subject, and location
• FreeBusyAccessScope - This is typically blank. The FreeBusyAccessScope parameter specifies a security distribution group in the internal organization that contains users that can have their Free/Busy information accessed by an external organization.
• Enabled - This must be True.

Both Autodiscover and EWS virtual directories must be enabled for WSSecurity authentication and/or OAuth.

For example, if using OAuth, you should have OAuth listed as Authentication Methods, whereas if using only DAuth (Exchange 2010 for example), you would see only WSSecurity.

Example of virtual directories authentication methods for an Exchange 2013 Hybrid Organization:

Get-AutodiscoverVirtualDirectory -Server SERVER01 | fl Name,AdminDisplayVersion,*authentication*
Name                          : Autodiscover (Default Web Site)
AdminDisplayVersion           : Version 15.0 (Build 1044.25)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

Get-WebServicesVirtualDirectory -Server server01| fl Name,AdminDisplayVersion,*Authentication*
Name                          : EWS (Default Web Site)
AdminDisplayVersion           : Version 15.0 (Build 1044.25)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

As explained earlier, there are some situations where Free/Busy from on-premises to cloud is going via Availability Address Space. This would be the expected configuration for Availability Address Space in Exchange on-premises (Exchange Management Shell):

Get-AvailabilityAddressSpace contoso.mail.onmicrosoft.com | fl ForestName, UserName, UseServiceAccount, AccessMethod, ProxyUrl, Name
ForestName        : contoso.mail.onmicrosoft.com
UserName          :
UseServiceAccount : True
AccessMethod      : InternalProxy
ProxyUrl          : https://server01.contoso.com/EWS/Exchange.asmx
Name              : contoso.mail.onmicrosoft.com

• ForestName - The should be the tenant.mail.onmicrosoft.com domain name. This should also match the domain name of RemoteRoutingAddress of remote mailboxes. Example: contoso.mail.onmicrosoft.com
• UserName - This should be blank.
• UserServiceAccount - This must be True.
• AccessMethod - This should be InternalProxy.
• ProxyUrl - This should be the Exchange 2013/2016 Exchange Web Services Virtual Directory URL. The address could be the internal FQDN or load balancing EWS URL. Example: https://server01.contoso.com/EWS/Exchange.asmx

We recommend you check the following requirements for inbound/outbound connectivity to and from Exchange servers in a Hybrid Deployment:

• Understanding Federated Delegation
• Office 365 URLs and IP address ranges

If you have read this far – thank you! This concludes the Part 1 of this blog series. Onto troubleshooting next!

Huge thanks to all that contributed to this blog post: Ray Fong, Nino Bilic, Tim Heeney, Greg Taylor and Brian Day.

Mirela Buruiana

Hello Exchange Server followers! In December 2017 it was announced Office 365 planned to discontinue support for TLS 1.0 and TLS 1.1 connections on March 1^st, 2018, and after that time only TLS 1.2 connections would be allowed when interacting with Office 365.

Many of you have been asking for additional detail on what this meant for on-premises deployments in hybrid mode or what happens if you do business with customers whom use Office 365 as their collaboration platform.

We would like to bring to your attention an update on Office 365’s plans to enforce TLS 1.2, which has now been communicated in this KB article (KB4057306). The end of support for TLS 1.0 and TLS 1.1 has been moved from March 1^st, 2018, to October 31^st, 2018 to allow for more time to prepare.

Though this date has been pushed back a bit, we will continue our Exchange Server TLS guidance blog post series soon. We also ask that you continue your preparations for this change, so you are in a position to not be impacted upon its completion.

The Exchange Team

In late December 2017, we announced support for EAI in Q1 2018.

We are happy to announce that EAI is now enabled in Exchange Online and Exchange Online Protection for Office 365. Office 365 users can now send messages to and receive messages from internationalized email addresses.

In addition, we are pleased to announce that EAI is also enabled for outlook.com customers (including hotmail.com, live.com, etc.).

In the meantime, we are working to enable EAI for Exchange Server 2019, the new on-premises version of Exchange that's coming out later this year.

Carolyn Liu

In this second part of the Demystifying Hybrid Free/Busy, we will cover troubleshooting of Hybrid Free/Busy scenarios, more specifically – how and where to find an actual error that will indicate where the problem is. Before venturing forth, please make sure that you have seen Part 1 of this demystifying series!

Here is the graphics we posted in the previous post; use this as a reference for users that we will be referring to when troubleshooting:

Do you really have a Free/Busy issue?

Usually when a user creates a new meeting in Outlook on the web (OWA) or Outlook, clicks on Scheduling Assistant, adds his or her colleague to the meeting, they try to see when the user is available to meet. If they see the hash marks \\\\\\\ instead of seeing if the other user is free or busy, there is an issue.

You can often see an error message by hovering over hash marks, however we usually find that the error is not very specific. Instead we would need to take slightly more advanced steps to diagnose the issues by checking things like the Outlook logs, F12 Network tab, or Fiddler.

Before getting to actual Free/Busy errors it is worthy to know that there is a Free/Busy test on Remote Connectivity Analyzer, Office 365 tab that can help us with some configuration /functional issues.

This Free/Busy test is useful for checking DNS records, Autodiscover and EWS connectivity issues, pre-authentication for Autodiscover or EWS requests. It is, however not a relevant Free/Busy test per se, as it uses Basic authentication and not Federated authentication used in actual Free/Busy lookups. Therefore, don’t be surprised if you see this test as green (successful) but Free/Busy is not working in your Hybrid Organization.

I would also like to mention that there is a Free/Busy troubleshooter in Beta version, incorporated into SARA tool (Microsoft Support and Recovery Assistant for Office 365) which you can download it from here : https://diagnostics.outlook.com/#/

Open SARA and select Outlook, click Next, select I’m having problems with my calendar, input email address and password of the source mailbox (cloud mailbox if direction not working is cloud > on-premises) and then select I can’t see when someone is free or busy.

Due to underlying complexity of it all, this is not a completely reliable way of determining the cause of free/busy issues in Hybrid Deployments, but it is a good start when troubleshooting. This F/B test from SARA covers mostly cloud to cloud scenarios but I recommend it here because it does connectivity and additional checks on tenant, licensing and Autodiscover.

Where can we see actual Free/Busy error message?

First, we need to understand in which direction we have a lookup problem. Please see Part 1 for discussion of directionality. Sources of logs:

• Outlook logs
• OWA F12 Network Tab
• Fiddler – Outlook and OWA

These steps are important in order for us to see the relevant message error for Free/Busy issues. Once we know the error message, it’s much easier to resolve the issue.

OUTLOOK

Note: you will be able to see the Free/Busy error in plain text in Outlook 2010 logs only, if you are using Outlook 2013/2016, you can’t see the error in the Outlook log and you would need to provide the Outlook ETL log containing the error to Microsoft Support to parse it.

You will still be able to use Fiddler to see the Free/Busy error yourself if you have Outlook 2013/2016 or you can use OWA F12 method while reproducing issue in OWA client but that only works if the on-premises Exchange server version is 2013 or above for the Source Mailbox user.

For the Outlook F/B error, we need to first enable Outlook logging and after this we will reproduce issue (\\\\\\). After repro, we will collect Outlook logs.

1. Enable Outlook logging:

Follow this KB article and check the Enable troubleshooting logging (this requires restarting Outlook) option. Restart Outlook.

2. Reproduce the issue for the non-working direction.

Suppose Free/Busy direction not working is cloud to on-premises, logged on as a cloud user, add some on-premises users to a meeting until you see the hash marks (instead of Free/Busy information). You do not need to save or send a meeting request.

Note that if Outlook logging is turned on, you will see the following notification in Outlook:

Example:

In this screenshot, Jane is a cloud user mailbox. Jane logged on to a mailbox using Outlook 2016 and she is creating the meeting (organizer). She adds 3 participants: ex2010mbx1, ex2013mbx1 and Joe – who are all on-premises user mailboxes.

Jane cannot see Free/Busy for any of them.

3. Collect Outlook logs

Outlook 2010: we need the AS.log from %temp%\OlkAS folder (reference here)

Open the AS.log and look for the error.

(click thumbnail to view larger)

Outlook 2013 / 2016: we need Outlook-#####.etl log from %temp%\Outlook Logging folder (reference here). You would need to send the ETL file to Microsoft Support to get it analyzed as we are parsing this log with an internal tool.

You might not know this but Hybrid free/busy support cases are free of charge! Of course, you can still use the other methods (fiddler for Outlook/OWA or browser for OWA) to see Free/Busy error yourself, however we (Support) might ask you additionally to get this log as in the Outlook ETL log we have the best logging for the Free/Busy errors.

OWA / Outlook on the web

Cloud OWA F12 Network tab

You need to login to OWA as the source mailbox, hit F12 (Developer Tools for browser) and select the Network Tab. You would then lookup Free/Busy for the target mailbox (reproduce the issue). Once you see the hashmarks, look for GetUserAvailabilityInternal Action then look at Response Body to see the error message.

Note: The source mailbox needs to be hosted on Exchange 2013 or above in on-premises or in Exchange Online for us to be able to see the error message in OWA using F12. This method will not work for Exchange 2010 source mailboxes.

This is how this could look like in Internet Explorer (similar in other browsers):

(click thumbnail to view larger)

Fiddler – OWA or Outlook

You would need to download and install Fiddler tool and reproduce the Free/Busy issue in OWA or Outlook.

If you reproduce the problem in OWA, you would search for GetUserAvailabilityInternal Action for owa service.svc entry and then look at JSON /Raw tab to see the error message. If the source mailbox is on Exchange 2010 server, this is what you’ll need to do.

OWA View - Fiddler:

(click thumbnail to view larger)

If you are logged in with Outlook, you would search for GetUserAvailabilityResponse, check the Raw tab and you can click on “View in Notepad” button on the right bottom corner.

Outlook view Exchange Online - Fiddler:

(click thumbnail to view larger)

Outlook view Exchange 2010 Source Mailbox - Fiddler

(click thumbnail to view larger)

When troubleshooting Free/Busy issues, the following on-premises logs can be very useful, especially for Cloud to On-Premises Free/Busy direction.

IIS logs Default Web Site (DWS)
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1
Example: C:\inetpub\logs\LogFiles\W3SVC1

Example of Autodiscover and EWS entries with IOC Enabled in IIS W3SVC1 logs:

Autodiscover – OAUTH (autodiscover.svc without /WSSecurity)

2016-01-06 17:45:27 10.0.0.5 POST /autodiscover/autodiscover.svc &CorrelationID=<empty>;&ClientId=QNFNHKEEKYENCJITQQ&cafeReqId=7972d1fc-a9d9-44c6-8851-480d3601cbd7; 443 S2S~00000002-0000-0ff1-ce00-000000000000 132.245.65.28 ASAutoDiscover/CrossForest/EmailDomain//15.01.0361.007 200 0 0 109

EWS – OAUTH (exchange.asmx without /WSSecurity)

2016-01-06 17:45:27 10.0.0.5 POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=WSIVGUUAUWWRFACJBWDA&cafeReqId=6ce8864c-74a0-4ad2-a3dc-7b69e0415403; 443 <unverified>actas1(sip:joe@contoso.com|smtp:joe@contoso.com|upn:joe@contoso.com) 132.245.65.28 ASProxy/CrossForest/EmailDomain//15.01.0361.007 200 0 0 703

Example of EWS entry with Organization Relationship Enabled in IIS W3SVC1 logs:

EWS – DAUTH (exchange.asmx with /WSSecurity)

2016-01-06 18:04:41 10.0.0.5 POST /ews/exchange.asmx/WSSecurity &CorrelationID=<empty>;&ClientId=VOMGJKAWURSVKOXQLBVA&cafeReqId=18fd3a2e-7b1c-4828-8943-6b20912e2e44; 443 - 132.245.65.28 ASProxy/CrossForest/EmailDomain//15.01.0361.007 200 0 0 296

IIS logs Exchange BackEnd (BE)
%SystemDrive%\inetpub\logs\LogFiles\W3SVC2
Example: C:\inetpub\logs\LogFiles\W3SVC2

Example of EWS entry with Organization Relationship Enabled (DAUTH) in IIS W3SVC2 logs:

2016-01-06 18:04:41 fe80::f17f:beef:a5e3:7d3c%25 POST /ews/exchange.asmx/WSSecurity - 444 - fe80::f17f:beef:a5e3:7d3c%25 ASProxy/CrossForest/EmailDomain//15.01.0361.007 200 0 0 93

HTTPProxy logs for Autodiscover
%ExchangeInstallPath%Logging\HttpProxy\Autodiscover
Example: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Autodiscover

Example of Autodiscover entry with Organization Relationship Enabled (DAUTH)

2016-01-06T18:05:20.552Z,bcdfbed5-f11f-4250-a616-e38cb475cd3f,15,0,1104,2,,Autodiscover,autodiscover.contoso.com,/autodiscover/autodiscover.svc /WSSecurity,,,false,,contoso.com,Smtp~joe@contoso.com,ASAutoDiscover/CrossForest/EmailDomain/ /15.01.0361.007,132.245.65.28,exch-2013,200,200,,POST,Proxy,exch-2013.contoso.com,15.00.1104.000,IntraForest,AnchorMailboxHeader-SMTP,[…],BeginRequest=2016-01-06T18:05:20.192Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1941996624;NewConnection=fe80::f17f:beef:a5e3:7d3c%25&0;

HTTPProxy logs for EWS
%ExchangeInstallPath%Logging\HttpProxy\Ews
Example: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews

Example of EWS entry with Organization Relationship Enabled (DAUTH):

2016-01-06T18:04:41.490Z,4757ab2c-8ccc-4d1a-ae39-0780ecc8eabb,15,0,1104,2,{02CD833F-18AB-413A-83CB-0E86F4DA5362},Ews,mail.contoso.com,/ews/exchange.asmx/WSSecurity,,,false,,contoso.com, Smtp~joe@contoso.com,ASProxy/CrossForest/EmailDomain//15.01.0361.007,132.245.65.28,exch-2013,200,200,,POST,Proxy,exch-2013.contoso.com,15.00.1104.000,IntraForest,AnchorMailboxHeader-SMTP,[…],BeginRequest=2016-01-06T18:04:41.380Z;

EWS logs
%ExchangeInstallPath%Logging\Ews
Example: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews

Example of EWS entry with Organization Relationship Enabled (DAUTH):

2016-01-06T18:04:41.490Z,4757ab2c-8ccc-4d1a-ae39-0780ecc8eabb,15,0,1104,2,{02CD833F-18AB-413A-83CB-0E86F4DA5362}, External,true,jane@contoso.mail.onmicrosoft.com,, ASProxy/CrossForest/EmailDomain//15.01.0361.007,Target=None;Req=Exchange2012/Exchange2013; ,132.245.65.28,exch-2013,exch-2013.contoso.com,GetUserAvailability,200,12150,,,,,,ebd34d71ac7342c19d947d881db4ad55,f866c73e-6c91-475e-bdec-0428bdeaa423,PrimaryServer; Requester=jane@contoso.mail.onmicrosoft.com; Failures=0

Event Viewer Application logs on Exchange Server
References here and here.

Example of Event ID 4002 for MSExchange Availability:

Log Name: Application
Source: MSExchange Availability
Event ID: 4002
Task Category: Availability Service
Level: Error
Description:
Process 4568: ProxyWebRequest CrossSite from S-1-5-21-391720751-1508397712-925700815-508779 to https://hybrid.contoso.com/ews/exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapException: You have exceeded the available concurrent connections for your account. Try again once your other requests have completed.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

IIS tracing for the error code in the IIS logs
Reference here.

Free/Busy errors and fixes

Ray Fong and I made a table (ATTACHED) with the Free/Busy errors encountered so far in Support and their possible resolutions. We cannot cover all possible scenarios and errors even though we have a good-sized list. This is meant to illustrate ways we can resolve specific errors and these suggestions might not work for you even if you have the same error.

If you know the exact Free/Busy error that you get and checked configuration as discussed in part 1 of this series, this is already a tremendous progress, and this will help us resolve your issue faster.

Of course, you can follow these suggestions on your own as most of the actions are harmless but if you don’t feel confident in troubleshooting on your own or you fear that actions are dangerous or irreversible, please contact us.

Free/Busy Errors discussed in the attached table:

FB_Errors.FixesV4

• “An internal server error occurred. The operation failed”
• "The remote user mailbox must specify the the explicit local mailbox in the header"
• "An error occurred when verifying security for the message"
• "Unable to connect to the remote server"
• “Autodiscover failed for email address <> with error ‘The request failed with HTTP status 404: Not Found’ ”
• “The request failed with HTTP status 401: Unauthorized - The user specified by the user-context in the token is ambiguous”
• "An existing connection was forcibly closed by the remote host - An unexpected error occurred on a receive "
• "An existing connection was forcibly closed by the remote host - An unexpected error occurred on a send ”
• "Configuration information for forest/domain could not be found in Active Directory"
• "Proxy web request failed.,inner exception: The request failed with HTTP status 401: Unauthorized."
• "The response from the Autodiscover service at 'https://autodiscover/autodiscover.svc/WSSecurity' failed due to an error in user setting 'ExternalEwsUrl'. Error message: InvalidUser."
• “The caller does not have access to free/busy data"
• “The request failed with HTTP status 403: Forbidden (The server denied the specified Uniform Resource Locator (URL). “
• “Unable to resolve e-mail address user@notes.domain.com to an Active Directory object”
• “An error occurred when processing the security tokens in the message.”
• “The cross-organization request for mailbox yyy@contoso.com is not allowed because the requester is from a different organization”
• “The request failed with HTTP status 401: Unauthorized - Microsoft.Exchange.Security.OAuth.OAuth TokenRequestFailedException: Missing signing certificate “
• “The application is missing a linked account for RBAC roles, or the linked account has no RBAC role assignments, or the calling users account is logon disabled”
• “The entered and stored passwords do not match“
• “The password has to be changed.”
• “The password for the account has expired”
• “Provision is needed before federated account can be logged in”
• “The request timed out”
• “The specified member name is either invalid or empty”
• “The result set contains too many calendar entries”
• “The request failed with HTTP status 401: Unauthorized - The token has an invalid signature.”
• “The request failed with HTTP status 401: Unauthorized - Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'XXX’ “
• “Proxy web request failed., inner exception: Response is not well-formed XML “

Thanks to all that contributed to this content: Ray Fong, Nino Bilic, Tim Heeney, Greg Taylor and Brian Day.

Mirela Buruiana

We wanted to post a quick note to let you know that we have announced the retirement of OWA for iPhone, iPad and Android.  To learn more, head over to the Tech Community blog.

Outlook Team

The March quarterly release updates for Exchange Server are now available on the download center (links below). These releases include all previously released updates, fixes for customer reported issues and limited new functionality. Exchange Server 2010 SP3 Update Rollup 20 was released as a security update previously this month as well.

Exchange Server Support for TLS 1.2

With the March 2018 updates, Exchange fully supports TLS 1.2 on all supported Exchange versions. Brian Day has taken on the task of documenting and helping customers de-mystify the complexity involved with transitioning to TLS 1.2. Customers looking to implement TLS 1.2 should definitely review the published guidance before attempting to move to TLS 1.2. While implementing TLS 1.2 support in Exchange, we have chosen to consume and support the version TLS settings provided via the underlying operating system. This should dramatically ease the adoption of newer versions of TLS go forward.

Support for .NET Framework 4.7.1

Reminder that customers should be in the process of moving to .NET Framework 4.7.1. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 after applying March 2018 quarterly release to avoid blocking installation of the June 2018 quarterly releases for Exchange Server 2013 and 2016.

Release Details

KB articles that describe the fixes in each release are available as follows:

• Exchange Server 2016 Cumulative Update 9 (KB4055222), Download, UM Lang Packs
• Exchange Server 2013 Cumulative Update 20 (KB4055221), Download, UM Lang Packs

None of the updates released today include new Active Directory schema since the September 2017 quarterly updates were released. If upgrading from an older Exchange version or cumulative update, Active Directory schema updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU19, 2016 CU8) or the prior (e.g., 2013 CU18, 2016 CU7) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

Overview

In part 2 of our Exchange Server TLS Guidance series we focus on enabling and confirming TLS 1.2 can be used by your Exchange Servers for incoming and outgoing connections, as well as identifying any incoming connection which is not utilizing TLS 1.2. The ability to identify these incoming connections will vary by Windows Server OS version and other factors. Part 2 will not cover disabling TLS 1.0 or TLS 1.1, nor disabling older cipher suites from being used. Part 3 of the TLS guidance series will go into detail on those topics.

Assumption

For Part 2 of our TLS guidance series we assume you have already audited your on-premises Exchange Servers and applied all updates called out in Part 1: Getting Ready for TLS 1.2. Please perform the activities called out in part 1 if you have not prior to moving forward with any configurations outlined in part 2.

Enabling TLS 1.2

The method used to enable TLS 1.2 varies by the version of the Windows Server operating system. Some versions of Windows Server have TLS 1.2 enabled by default while others do not. Our steps will, regardless of the OS’ default state, configure TLS 1.2 so it is enabled and available for incoming (Server) connections and outgoing (Client) connections.

From part 1 you should be familiar with the various components Exchange Server relies on such as Schannel, WinHTTP and .NET. Unless stated otherwise the same registry paths are used across all supported Windows Server operating systems.

Enable TLS 1.2 for Schannel

All Windows Server versions

TLS protocols are enabled or disabled in Windows Schannel by editing the Windows Registry. Each protocol version can be enabled or disabled independently. You don't need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled DWORD registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, the operating system’s default value will be used. We recommend configuring the value to have a consistent state across your servers.

The DisabledByDefault DWORD registry value defines whether the protocol version is used by default. This setting only applies when the application doesn't explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be available for use by default. If the value is set to 1, the protocol version will not be available for use by default. If the value is not defined, the operating system’s default value will be used. We recommend configuring the value to have a consistent state across your servers.

For example; consider what would happen if TLS 1.2’s values were set to a combination of Enabled and DisabledByDefault both set to a value of 1. In this example an application could only use TLS 1.2 if the application specifically called for TLS 1.2. If the application did not specifically call for TLS 1.2, then it would not be able to use TLS 1.2 as even though the protocol is enabled, it is not in the default list of available protocols.

To enable TLS 1.2 for both server (inbound) and client (outbound) connections on an Exchange Server please perform the following.

1. From Notepad.exe, create a text file named TLS12-Enable.reg.
2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

3. Save TLS12-Enable.reg.
4. Double-click the TLS12-Enable.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 3.5

This step is only required for Exchange Server 2010 installations where .NET 3.5 is relied upon. Exchange Server 2013 or later installations may skip this step unless you have additional applications on the server utilizing .NET 3.5 which must be able to use TLS 1.2.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 3.5. If the value is set to 0, then .NET Framework 3.5 will default to using SSL 3.0 or TLS 1.0. If the value is set to 1, then .NET Framework 3.5 will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0. By configuring .NET Framework 3.5 to inherit its values from Schannel we gain the ability to use TLS 1.2.

1. From Notepad.exe, create a text file named NET35-UseSchannelDefaults.reg.
2. Copy, and then paste the following text.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

3. Save the NET35-UseSchannelDefaults.reg file.
4. Double-click the NET35-UseSchannelDefaults.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart your computer for the change to take effect.

Enable TLS 1.2 for .NET 4.x

This step is only required for Exchange Server 2013 or later installations where .NET 4.x is relied upon.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

1. From Notepad.exe, create a text file named NET4X-UseSchannelDefaults.reg.
2. Copy, and then paste the following text.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

3. Save the NET4X-UseSchannelDefaults.reg file.
4. Double-click the NET4X-UseSchannelDefaults.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart your computer for the change to take effect.

Note: When configuring a system for TLS 1.2, you can make the Schannel and .NET registry keys at the same time and reboot the server once.

Validating TLS 1.2 is in use and identifying older incoming connections.

Once TLS 1.2 has been enabled it may be helpful to validate your work was successful and the system is able to negotiate TLS 1.2 for inbound (server) connections and outbound (client) connections. We will provide a few methods for validating this.

HTTP Based Protocols

Many protocols used in Exchange Server are HTTP based, and therefore traverse the IIS processes on the Exchange server. MAPI/HTTP, Outlook Anywhere, Exchange Web Services, Exchange ActiveSync, REST, OWA & EAC, Offline Address Book downloads, and Autodiscover are examples of HTTP based protocols used by Exchange Server.

Windows Server 2016 and Windows Server 2012 R2

The IIS team has added capabilities to Windows Server 2016 and Windows Server 2012 R2 to log custom fields related to encryption protocol versions and ciphers. We recommend reviewing the following blog for documentation on how to enable these custom fields and begin parsing logs for information on incoming connections in your environment related to HTTP based protocols.

https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

Windows Server 2008 through 2012

Unfortunately, the IIS custom fields mentioned above do not exist for Windows Server 2008 SP2 through Windows Server 2012. You may have to rely on alternate methods to validate TLS 1.2 is in use on these versions of Windows Server for HTTP based protocols. Your load balancer or firewall logs may be able to provide this information. Please request guidance from your vendors to determine if their logs may provide this information.

Message Headers (Exchange Server 2016 Only)

Message header data in Exchange Server 2016 provides the protocol negotiated and used when the sending and receiving host exchanged a piece of mail. While this is a more manual method of checking how mail arrived it can be used for testing between specific systems in a pinch.

Example when viewing message header data via Message Header Analyzer at https://testconnectivity.microsoft.com

Mail Flow via SMTP Logging

SMTP Logs in Exchange 2010 through Exchange 2016 will contain the encryption protocol and other encryption related information used during the exchange of email between two systems.

When the server is the SMTP receiving system, the following strings exist in the log depending on the version of TLS used.

• TLS protocol SP_PROT_TLS1_0_SERVER
• TLS protocol SP_PROT_TLS1_1_SERVER
• TLS protocol SP_PROT_TLS1_2_SERVER

When the server is the SMTP sending system, the following strings exist in the log depending on the version of TLS used.

• TLS protocol SP_PROT-TLS1_0_CLIENT
• TLS protocol SP_PROT-TLS1_1_CLIENT
• TLS protocol SP_PROT-TLS1_2_CLIENT

Example entries from Exchange Server 2010

A server sending mail to another system using TLS 1.2:

2018-02-22T13:53:10.494Z,<CONNECTORNAME>,08D578EB9C3F6C39,28,10.0.0.240:15443,192.168.1.42:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"

A server receiving mail from another system using TLS 1.2:

2018-02-22T13:50:37.681Z,SERVERNAME\CONNECTORNAME Internet,07C578BB0E912319,22,10.0.0.241:25,192.168.1.102:63767,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 256 bits"

POP/IMAP

No logging exists which will expose the encryption protocol version used for POP & IMAP clients. To capture this information, you may need to capture netmon logs from your server or inspect traffic as it flows through your load balancer or firewall where HTTPS bridging is taking place.

Source IP Obfuscation and identifying clients using older TLS protocol versions.

In many deployments by the time client connections reach the Exchange Server, the source IP of the incoming client connection has been replaced with the IP address of your load balancer or firewall. While you are still able to identify if TLS 1.2 is being used by these connections and validate your servers are operating properly, you may be unable to identify exactly what machine is responsible for the incoming client connection if it is still using older TLS protocol versions. In this scenario you may need to request guidance from the vendor of your load balancer of firewall to be able to parse the logs of those devices to find the true IP of the incoming connection, so you may ensure those machines are also properly updated and configured.

Additional Considerations

There are many more considerations beyond Exchange Server when making any changes to cryptography settings within an environment. Considerations such as (but not limited to):

• Do your Domain Controllers and Global Catalog servers support TLS 1.2?
• Do partner applications (such as, but not limited to, SharePoint, Lync, Skype, etc...) support TLS 1.2?
• Have you updated older Windows 7 desktops using Outlook to support TLS 1.2 over WinHTTP?
• Do your load balancers support TLS 1.2 being used?
• Do your desktop, mobile, and browser applications support TLS 1.2?
• Do devices such as multi-function printers support TLS 1.2?
• Do your third-party or custom in-house applications that integrate with Exchange Server or Office 356 support TLS 1.2?

The point to take home here is while we can provide guidance for interacting with Office 365, Exchange Server, and other Microsoft products - we cannot guarantee everything in your environment will be unaffected. As such we strongly recommend any steps you take to transition to TLS 1.2 and away from older security protocols are first performed in labs which simulate your production environments before you slowly start rolling them out in production.

Action Items

Configure your Exchange Servers so they can use TLS 1.2 for incoming and outgoing connections using the steps provided and validate the protocol is actively being used.

Start identifying incoming connections using older versions of TLS after TLS 1.2 has been enabled and make plans for those clients if you intend to disable older TLS protocol versions. Remember, a “client” in these terms could be another server device but when we see it as an incoming connection to an Exchange Server we consider the host initiating the connection to be operating in the role of a client.

Deploy the latest releases for Exchange 2010, Exchange 2013, and Exchange 2016 released in March 2018. These releases are the first to support turning off TLS 1.0 and TLS 1.1. Guidance on how to do this will be made available in Part 3 of this blog post series.

Review

With proper execution, you will be able to enable the TLS 1.2 protocol on any Exchange Server running an Exchange Server Cumulative or Update Rollup released after September 1, 2017 installed on OS’es as far back as Windows Server 2008 SP2. With all your Exchange Servers able to use TLS 1.2 for incoming and outgoing connections you should be well prepared for the eventual sunsetting of older TLS protocols. Equally important is understanding what incoming connections in your environment are not utilizing TLS 1.2 now that it is available and building a plan for each of those systems if you intend to disable the older TLS protocols.

Brian Day
Senior Program Manager
Office 365 Customer Experience

We’re announcing a new architecture for Exchange Server and Office 365 hybrid customers that unlocks Enterprise Mobility + Security (EMS) capabilities for Outlook for iOS and Android. With Hybrid Modern Authentication, Exchange customers can combine the power of Outlook with Azure Conditional Access and Intune App Protection Policies to securely manage corporate messaging on mobile devices.

Once Exchange customers with servers on-premises establish a hybrid configuration with the Microsoft Cloud and enable Hybrid Modern Authentication with Office 365, Outlook for iOS and Android authenticates against Azure Active Directory and synchronizes the mailbox data in Exchange Online – the Outlook mobile client never connects with the on-premises Exchange environment – unlocking the power of Office 365, Outlook for iOS and Android and Enterprise Mobility + Security (EMS).

Architected in the Microsoft Cloud, Outlook for iOS and Android is fully integrated with Azure Active Directory and Microsoft Intune. This means that organizations can enforce conditional access as well as application and device management policies while experiencing the richness of Outlook for iOS and Android.

Now Exchange Server customers with hybrid modern authentication can use the cloud-backed capabilities of Outlook such as Focused Inbox, Intelligent Search and enhanced time management to achieve more on their mobile device.

A few capabilities of EMS include:

• Selective wipe—Remove corporate email data and leave personal data intact to facilitate a “bring your own device” (BYOD) approach to phones and tablets.
• App restriction policies—Restrict actions such as cut, copy, paste and “save as” between Intune-managed apps and personal apps on a device to reduce the risk of corporate data loss. App restriction policies are available for use on both mobile device management (MDM) enrolled devices and on unmanaged devices, through Intune’s App Protection policies.
• Conditional access—Ensure that your corporate email can only be accessed on phones and tablets that meet secure access policies set by IT such as device or app management policy enforcement or Multi Factor Authentication (MFA) user scenarios. And with Azure Identity Protection capabilities of EMS, you can ensure these conditional access policies grant or deny access based on risks associated with each unique identity.

For the initial roll out, Exchange Server customers can contact their Microsoft account team, customer sales and services (CSS) or technical account managers to initiate the set up and deployment process for this enterprise mobility and security solution with Outlook for iOS and Android.

For more technical information and licensing requirements, see Using Hybrid Modern Authentication with Outlook for iOS and Android.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

In recent months we’ve been receiving quite a few questions from customers regarding auto-expanding archives. I’d like to clear up some of the misconceptions and answer some of the most frequently asked questions we get on this subject. Think of this as a FAQ on the subject.

Before we get going, I strongly advise folks to understand Message Records Management concepts like retention policies and tags. For example - there have been a few cases that we saw where customers enabled auto-expanding archives, but no archiving policies have been configured for the user.

What are auto-expanding archives?

It’s essentially a component that provides our customers the ability to grow their mailbox archives over the normal 100GB quota limit.

Much of the core concepts are covered in Overview of unlimited archiving in Office 365 and Enable unlimited archiving in Office 365 - Admin Help.

Let’s look at a simple picture to demonstrate this at a high level:

The user’s primary mailbox has an archive mailbox (the main archive) associated with it. The main archive is expanded with additional storage as content is moved to the archive mailbox either by the user or as part of an archival policy on the mailbox.

What are the licensing requirements for auto-expanding archives?

Auto-expanding archives are supported under the following service plans (EDU organizations included):

• Exchange Online Plan 2
• Exchange Online Archiving addon
• Office 365 Enterprise E3/E5

The above service plans contain the following capabilities we check on the mailbox:

• BPOS_S_ArchiveAddOn,
• BPOS_S_Archive,
• BPOS_S_Enterprise

PS C:\> Get-Mailbox testing1|select PersistedCapabilities
PersistedCapabilities
---------------------
{BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}

The supported recipient types are:

• SharedMailbox, or
• UserMailbox, or
• MailUser

When can I expect the archive to expand?

We have a few values that we track on the Main Archive within this feature. The important value for our customers is essentially called the transition threshold. This is the size threshold of the main archive at which we will start provisioning new auxiliary archives (“Additional storage” in the illustration above) and start moving content from the main archive to the auxiliary archive. This threshold size is currently 90GB.

Why do I need to wait 30 days for expansion to take place?

This question comes up a lot and can be confusing, but technically, archives are expanded as soon as the managed folder assistant is able to successfully run on the main archive that has reached the transition size (90GB).

The 30-day period is the retention period for data that has been moved from the main archive to the auxiliary archive. We call this data ghosted content within the archive mailbox location and we keep a copy for 30 days to provide us (and you) with a safety net in the service in case we run into any issues during the data move from main archive to the auxiliary archive.

After that period expires we flush the data in the main archive to release the space.

Will the archive immediately expand when it reaches the threshold?

Expansion does not occur in real-time, in other words we only check if a mailbox should be expanded when managed folder assistant runs on the main archive. Managed folder assistant is expected to process the mailbox successfully within 7 days (it might be sooner depending on service load) or – you can initiate managed folder assistant on the main archive manually. The below is an example:

PS C:\> Get-Mailbox testing1|select -ExpandProperty MailboxLocations
1;b2b6421a-8bb0-4a91-9504-73cf42af570f;MainArchive;namprd00.prod.outlook.com;e4811b9b-4a10-4575-bb21-db3d32a9f4c2
1;df788e2e-cdaf-44fa-bc52-b7ef9f9bb40c;Primary;namprd00.prod.outlook.com;3128bfb0-76a7-4492-9de2-4924c8b8e443
1; ab7b6054-eab4-4ea4-bb71-58dc6c8bacc1;AuxArchive;namprd00.prod.outlook.com; 76d35997-4d27-402c-aa3e-ffcd3f898faf
PS C:\> Start-ManagedFolderAssistant b2b6421a-8bb0-4a91-9504-73cf42af570f

What happens if the archive has reached the quota limit and I enable auto-expansion?

In the past, if a mailbox under litigation hold was enabled for auto-expanding archive we would not increase the archive and recoverable items quotas above 100GB.

We have seen many cases where customers would enable auto-expanding archives on a mailbox that has already reached the archive quota limit and expect expansion to occur immediately. This puts a lot of pressure on the mailbox since there isn't any buffer to allow the expansion to complete successfully.

We have recently made some changes where we now increase the archive quota and recoverable items quota to 110GB if the mailbox is under litigation hold and auto-expanding archive is being enabled on the mailbox level.

If you enabled auto-expanding at the org level and/or mailbox level prior to this change, but the archive and recoverable items quotas are still 100GB, you can re-enable auto-expanding archives on the mailbox to get the additional 10GB increase. This will have no other effect on the archive when you run Enable-Mailbox and any quotas above 110GB will not be affected.

Let's look at a quick example of a mailbox under litigation hold that was enabled for auto-expanding archive prior to the change mentioned above:

PS C:\> Get-mailbox testing1|select archivequota,recoverableitemsquota
ArchiveQuota RecoverableItemsQuota
------------ ---------------------
100 GB (107,374,182,400 bytes) 100 GB (107,374,182,400 bytes)
PS C:\> enable-mailbox testing1 -AutoExpandingArchive
WARNING: Auto-expanding Archive is already enabled for 'testing1'.
Name Alias ServerName ProhibitSendQuota
---- ----- ---------- -----------------
Testing1 Testing1 co2pr00mb0198 99 GB (106,300,440,576 bytes)
PS C:\> get-mailbox testing1|select archivequota,recoverableitemsquota
ArchiveQuota RecoverableItemsQuota
------------ ---------------------
110 GB (118,111,600,640 bytes) 110 GB (118,111,600,640 bytes)

As you can see, after re-enabling auto-expanding archive, the quotas received an additional 10GB increase.

How do quotas work when a mailbox is enabled for auto-expanding archives?

Quotas seem to be a subject of confusion when auto-expanding archives are in the mix, so I want to focus a little bit on this topic.

The Archive and Recoverable Items quotas are essentially ignored for the aggregate size of all locations for the archive. We do however, still utilize and enforce the archive and recoverable items quotas to ensure each mailbox location does not grow out of control; we essentially keep the size of each location within the quota threshold.

If we look at the current mailbox example, each mailbox location for the archive (Main Archive and Aux Archive) will not grow past the Archive and Recoverable items quota limit which is set at 100GB and 30GB. But the aggregate size over all the auxiliary archives can go past the 100GB and 30GB values.

PS C:\> get-mailbox testing1 |select RecoverableItemsQuota,ArchiveQuota,ArchiveWarningQuota
RecoverableItemsQuota ArchiveQuota ArchiveWarningQuota
--------------------- ------------ -------------------
30 GB (32,212,254,720 bytes) 100 GB (107,374,182,400 bytes) 90 GB (96,636,764,160 bytes)

We don’t increase the recoverable items quota in this case since the mailbox is not on any hold and recoverable items are removed after the RetainDeletedItemsFor period (default 14 days).

The behavior for customers that have mailboxes on litigation hold will be a little different. In this scenario we increase the recoverable items and archive quotas to 110GB as seen below at the mailbox level (not the organization level). The mailbox was on litigation hold prior to enabling auto-expanding archives on the mailbox, so we increased the quotas to 110GB for recoverable items and archive quotas.

PS C:\> Get-mailbox testing2 |select RecoverableItemsQuota,ArchiveQuota,ArchiveWarningQuota
RecoverableItemsQuota ArchiveQuota ArchiveWarningQuota
--------------------- ------------ -------------------
110 GB (118,111,600,640 bytes) 110 GB (118,111,600,640 bytes) 100 GB (107,374,182,400 bytes)

Now let’s look at the aggregate item size of a mailbox with quite a lot of data. Here we can see that the TotalDeletedItemSize is way above the 110GB recoverable items quota for the mailbox, so expansion is working great.

PS C:\> Get-mailbox TheWhale|select RecoverableItemsQuota,ArchiveQuota,ArchiveWarningQuota
RecoverableItemsQuota ArchiveQuota ArchiveWarningQuota
--------------------- ------------ -------------------
110 GB (118,111,600,640 bytes) 110 GB (118,111,600,640 bytes) 100 GB (107,374,182,400 bytes)
PS C:\> Get-MailboxStatistics TheWhale -Archive |select TotalItemSize,TotalDeletedItemSize
TotalItemSize TotalDeletedItemSize
------------- --------------------
393 GB (421,964,016,454 bytes) 724 GB (777,408,505,123 bytes)

Let’s look at TotalDeletedItemSize for the individual mailbox locations for the main archive and the auxiliary archive.

PS C:\> Get-MailboxStatistics e7d87e1c-b39f-493f-8e56-9d271d6d23ea |select TotalDeletedItemSize
TotalDeletedItemSize
--------------------
102.6 GB (110,125,981,616 bytes)

We can see that the main archive mailbox location is currently sitting at 102.6GB and below we see one of the auxiliary archives is at 53.75GB.

PS C:\> Get-MailboxStatistics 62928e39-bc01-4763-84f5-84ac314ea5e1 |select TotalDeletedItemSize
TotalDeletedItemSize
--------------------
53.75 GB (57,714,208,258 bytes)

This mailbox will get another auxiliary expansion location assigned to it soon and content will then start to move into that new location.

The main archive in this mailbox also now contains 51.63GB of ghosted content that will be flushed within 30 days to release the space within the main archive. If you recall, we keep the content that we move to a new auxiliary location in the main archive for 30 days as a safety net.

The most recent auxiliary archive provisioned for this mailbox was mailbox guid 62928e39-bc01-4763-84f5-84ac314ea5e1. Let’s see what content was moved and is now marked as ghosted content in the main archive (e7d87e1c-b39f-493f-8e56-9d271d6d23ea).

PS C:\> Get-MailboxFolderStatistics e7d87e1c-b39f-493f-8e56-9d271d6d23ea|?{$_.LastMovedTimeStamp -and $_.Foldersize -gt 0}|select FolderSize,LastMovedTimeStamp,Contentmailboxguid
FolderSize LastMovedTimeStamp ContentMailboxGuid
---------- ------------------ ------------------
15.74 GB (16,900,662,851 bytes) 3/29/2018 2:24:04 PM 62928e39-bc01-4763-84f5-84ac314ea5e1
898.9 KB (920,440 bytes) 3/29/2018 2:24:04 PM 62928e39-bc01-4763-84f5-84ac314ea5e1
28.4 GB (30,495,702,247 bytes) 3/29/2018 2:24:05 PM 62928e39-bc01-4763-84f5-84ac314ea5e1
7.485 GB (8,037,032,197 bytes) 3/29/2018 2:24:05 PM 62928e39-bc01-4763-84f5-84ac314ea5e1

We can see the 51.63GB that are marked as ghosted content since we have a LastMovedTimeStamp of 3/29/2018 and a ContentMailboxGuid associated with the folders – which is the newly provisioned auxiliary location 62928e39-bc01-4763-84f5-84ac314ea5e1. This content will be flushed within approximately 30 days.

How much content is being moved to auxiliary archives during the transition?

These numbers can change as the service evolves, but right now we will move 50% of the occupied size in the main archive. If you have 100GB in the Main Archive at the point where Managed Folder Assistant processes the main archive, we will expand and provision a new auxiliary archive and move about 50GB into that auxiliary archive. We only move 50% to cater for additional folder growth in those folders that have been moved.

How is the transition size calculated?

Well, we simply look at how much occupied space the main archive is utilizing. Occupied space is essentially any folder in the main archive that is movable or type DeletedItems or RecoverableItems (folders marked green below).

You may notice that the DeletedItems and RecoverableItems folder types are not movable. For these folders we create movable folders under the root of the folders and move the content to those newly created folders to get picked up by managed folder assistant. All of this happens in the background, so you don’t have to worry about it.

Folders that do not fall into those categories are not taken into consideration during expansion. So please do not move 10’s of GB into the /Top of Information Store or the /Archive folders – we don’t cater for those… yet.

PS C:\> Get-MailboxFolderStatistics b2b6421a-8bb0-4a91-9504-73cf42af570f|select folderpath,movable,*type*
FolderPath Movable FolderType
---------- ------- ----------
/Top of Information Store False Root
/Archive False Archive
/Calendar True User Created
/Calendar/United States holidays True User Created
/Clutter False Clutter
/Deleted Items False DeletedItems
/Drafts True User Created
/ExternalContacts False ExternalContacts
/Files False Files
/Inbox True User Created
/PersonMetadata True User Created
/Sent Items True User Created
/Recoverable Items False RecoverableItemsRoot
/Calendar Logging False CalendarLogging
/Deletions False RecoverableItemsDeletions
/DiscoveryHolds False RecoverableItemsDiscoveryHolds
/Purges False RecoverableItemsPurges
/Versions False RecoverableItemsVersions

Can I ingest more than 100GB into the archive via a third party tool?

This is quite a tricky one for us. We don’t officially support bulk ingestion of more than 100GB into the archive at any one given time. There is currently work on going to provide solutions for these scenarios in the future, but we don’t have any timelines to share right now.

Since there are multiple ingestion scenarios we suggest that you contact Microsoft so that we can understand your situation and advise you on the best way forward for your ingestion project.

Special thanks to the following folks for reviewing and providing valuable input:

• Gagandeep Kohli – Snr Software Engineer
• David Santamaria – Snr Escalations Engineer
• Angela Taylor – Snr Program Manager

That’s all we have for now, I hope this helps you understand this feature a little better. The component team is working hard to continually improve the feature as we grow in the service and find unique scenarios that our customers use.

Michael Hall
Snr. Service Engineer

On January 14, 2020, Exchange Server 2010 will reach end of support. If you haven’t already begun your migration from Exchange 2010 to Office 365 or Exchange 2016, now’s the time to start your planning.

What does end of support mean?

Exchange Server, like almost all Microsoft products, has a support lifecycle during which we provide new features, bug fixes, security fixes, and so on. This lifecycle typically lasts 10 years from the date of the product’s initial release, and the end of this lifecycle is known as the product’s end of support. When Exchange 2010 reaches its end of support on January 14, 2020, Microsoft will no longer provide:

• Technical support for problems that may occur
• Bug fixes for issues that are discovered and that may impact the stability and usability of the server
• Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches
• Time zone updates

Installations of Exchange 2010 will continue to run after this date. However, because of the changes listed above, we strongly recommend that you migrate from Exchange 2010 as soon as possible.

For more information about Office 2010 servers nearing the end of support, see Resources to help upgrade Office 2010 clients and servers.

What are my options?

With Exchange 2010 reaching its end of support, this is a great time to explore your options and prepare a migration plan. You can:

• Migrate to Office 365 using cutover, express, or hybrid migration
• Migrate your Exchange 2010 servers to a Exchange Server 2016 on your on-premises servers

The following sections explore each option in more detail.

Migrate to Office 365

Migrating your email to Office 365 is your best and simplest option to help you retire your Exchange 2010 deployment. With a migration to Office 365, you can make a single hop from old technology to our latest offering. Office 365 receives new features and experiences first and you and your users can usually start using them right away. Upgrading to a new version of Exchange – you’re always on the latest version of Exchange in Office 365.

How should I migrate to Office 365?

Depending on your organization, you have a few options that will help you get to Office 365. When choosing a migration option, you need to consider a few things like the number of seats or mailboxes you need to move, how long you want the migration to last, and whether you need a seamless integration between your on-premises installation and Office 365 during the migration. This table below shows your migration options and the most important factors that’ll determine which method you’ll use.

The following sections give you an overview of these methods.

Cutover Migration

A cutover migration is one where, at a pre-selected date and time, you’ll migrate all your mailboxes, distribution groups, contacts, and so on, to Office 365. When you’ve finished, you’ll shut down your on-premises Exchange servers and start using Office 365 exclusively.

The cutover migration method is great for small organizations that don’t have very many mailboxes, want to get to Office 365 quickly, and don’t want to deal with some of the complexities of the other methods. But it’s also somewhat limited because it should be completed in a week or less and because it requires users to reconfigure their Outlook profiles. While cutover migration can handle up to 2,000 mailboxes, we strongly recommend you migrate a maximum of 150 mailboxes with this method. If you try to migrate more than 150 mailboxes, you could run out of time to transfer all the mailboxes before your deadline, and your IT support staff may get overwhelmed helping users reconfigure Outlook.

If you’re thinking about doing a cutover migration, here are a few things to consider:

• Office 365 will need to connect to your Exchange 2010 servers using Outlook Anywhere over TCP port 443
• All on-premises mailboxes will be moved to Office 365
• You’ll need an on-premises administrator account that has access to read the contents of your users’ mailboxes
• The Exchange 2010 accepted domains that you want to use in Office 365 need to be added as verified domains in the service
• Between the time you start the migration and when you begin the completion phase, Office 365 will periodically synchronize the Office 365 and on-premises mailboxes. This lets you complete the migration without worrying about email being left behind in your on-premises mailboxes
• Users will receive new temporary passwords for their Office 365 account that they’ll need to change when they log in to their mailboxes for the first time
• You’ll need an Office 365 license that includes Exchange Online for each user mailbox you migrate
• Users will need to set up a new Outlook profile on each of their devices and download their email again

Express Migration

An express migration is one where you have a few hundred mailboxes that you want to migrate to Office 365, can complete the migration within a couple weeks, and don’t need any of the advanced hybrid migration features like shared Free/Busy calendar information.

Express migration is great for organizations that need to take more time to migrate their mailboxes to Office 365, but still plan to complete the migration within a couple weeks. You get some benefits of the more advanced full hybrid migration without many of the complexities. You can control how many, and which, mailboxes are migrated at a given time. Office 365 mailboxes will be created with the username and passwords of their on-premises accounts and, unlike cutover migrations, your users won't need to recreate their Outlook profiles.

If you’re thinking about doing a staged migration, here are a few things to consider:

• Office 365 will need to connect to your Exchange 2010 servers using Outlook Anywhere over TCP port 443
• You'll need to perform a one-time directory synchronization between your on-premises Active Directory servers and Office 365
• Users will be able to log in to their Office 365 mailbox using the same username and password they were using when their mailbox was migrated
• You’ll need an Office 365 license that includes Exchange Online for each user mailbox you migrate
• Users don’t need to set up a new Outlook profile on most of their devices (some older Android phones might need a new profile) and won’t need to re-download their email

Full Hybrid Migration

A full hybrid migration is one where your organization has many hundreds, up to tens of thousands, of mailboxes and you want to move some or all of them to Office 365. Because these migrations are typically longer-term, hybrid migrations make it possible to:

• Show on-premises users the free/busy calendar information for users in Office 365, and vice versa
• See a unified Global Address List (GAL) that contains recipients from both on-premises and Office 365
• View full Outlook recipient cards for all users, regardless of whether they're on-premises or in Office 365
• Users will be able to log in to their Office 365 mailbox using the same username and password they were using before their mailbox was migrated
• Users don’t need to set up a new Outlook profile on most of their devices (some older Android phones might need a new profile) and won’t need to re-download their email
• Secure email communication between on-premises Exchange servers and Office 365 using TLS and certificates
• Treat messages sent between on-premises Exchange servers and Office 365 as internal, enabling them to:
  • Be properly evaluated and processed by transport and compliance agents targeting internal messages
  • Bypass anti-spam filters

Full hybrid migrations are best for organizations that expect to stay in a hybrid configuration for many months or more. You’ll get the features listed earlier in this section, plus directory synchronization, better integrated compliance features, and the ability to move mailboxes to and from Office 365 using online mailbox moves. Office 365 becomes an extension of your on-premises organization.

If you’re thinking about doing a full hybrid migration, there are a few things to consider. Full hybrid migrations aren’t suited to all types of organizations. Due to the complexity of full hybrid migrations, organizations with less than a few hundred mailboxes don't typically see benefits that justify the effort and cost needed to set one up. If this sounds like your organization, we strongly recommend that you consider Cutover or Express Migrations instead.

Migrate to Exchange Server 2016

While we strongly believe that you can achieve the best value and user experience by migrating to Office 365, we also understand that some organizations need to keep their email on-premises. This could be because of regulatory requirements, to guarantee data isn’t stored in a datacenter located in another country, and so on. If you choose to keep your email on-premises, you can migrate your Exchange 2010 environment to Exchange 2016. Exchange 2016 includes the features and advancements included with previous releases of Exchange, and it most closely matches the experience available with Office 365 (although some features are available only in Office 365).

Migration path to Exchange 2016

Here are the general phases for migrating to Exchange 2016:

• Install Exchange 2016 into your existing Exchange 2010 organization
• Move services and other infrastructure to Exchange 2016
• Move mailboxes and public folders to Exchange 2016
• Decommission remaining Exchange 2010 servers

Version coexistence

When migrating to Exchange 2016, you can install into an existing Exchange 2010 organization. This enables you to install one or more Exchange 2016 servers and perform your migration.

Server hardware

Server hardware requirements have changed from Exchange 2010. You’ll need to make sure the hardware you’re going to use is compatible. You can find out more about hardware requirements here.

How do I migrate to Exchange 2016?

If you’ve decided that you want to keep your email on-premises, you can use the following resources to help you with your migration:

• Exchange Deployment Assistant
• Active Directory schema changes for Exchange 2016
• System requirements for Exchange 2016
• Prerequisites for Exchange 2016

What if I need help?

If you’re migrating to Office 365, you might be eligible to use our Microsoft FastTrack service. FastTrack provides best practices, tools, and resources to make your migration to Office 365 as seamless as possible. Best of all, you’ll have a real support engineer that will walk you through your migration, from planning and design all the way to migrating your last mailbox. If you want to know more about FastTrack, take a look at Microsoft FastTrack.

If you run into any problems during your migration to Office 365 and you aren’t using FastTrack, or your migration to a newer version of Exchange Server, we’re here to help. Here are some resources you can use:

• Technical Community
• Customer Support

Exchange Team