
What is the Autodiscover service and how does it work?

The Microsoft Exchange Autodiscover service lets Autodiscover-capable Outlook clients configure an Outlook profile with minimal input. Users know their user name and password; with only that information, the remaining settings needed to configure the Outlook profile can be retrieved from Exchange through the Autodiscover service. Autodiscover configures the user profile automatically for Outlook and for mobile devices.

Outlook 2007 and later clients support Autodiscover when connecting to Exchange 2007 and later.

How Autodiscover works

The information required to configure the Outlook profile is retrieved from Exchange in XML format, and Outlook uses that information to connect to the different services it needs to function properly.

How Autodiscover works when connecting from the internal network.

Note: To locate the Autodiscover service, Outlook first uses an LDAP query for the Service Connection Point (SCP) object (internal clients); if that fails, it falls back to DNS queries (external clients).

  1. Once the user enters credentials (email address and password, where the email address is treated as the user name), Outlook authenticates with AD and queries for Service Connection Point (SCP) objects to find the Autodiscover service on the Client Access Server it has to contact to get the Autodiscover information in XML format.

     An SCP object is created when an Exchange Client Access Server is installed, and a new SCP is created for each additional CAS server. The SCP's serviceBindingInformation attribute holds the FQDN of the Client Access Server in the form https://cas01.learnexchangeserver.com/autodiscover/autodiscover.xml, and its keywords attribute records which site the CAS server belongs to.

  2. Once the client has authenticated to Active Directory:

     1. The Autodiscover service information is obtained from the SCP object; if that fails for any reason,
     2. Outlook tries the predefined URL https://autodiscover.learnexchangeserver.com/autodiscover/autodiscover.xml by using DNS.
     3. If that fails, Outlook tries the HTTP redirect method: the same predefined URL, but over http instead of https.
     4. If that fails, an SRV record lookup is used, which is the last lookup method; if that also fails, Outlook auto-configuration fails.

  3. The Autodiscover service on the CAS server contacts AD to get the URLs and details of the configured Exchange services.
  4. The Autodiscover service returns an HTTPS response with an XML file that includes connection settings and URLs for the available Exchange features.
  5. The Outlook client uses that information to connect to Exchange.

How Autodiscover works when connecting from the Internet.

If the client machine is not AD domain joined:

  1. Outlook first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Since the client is on the Internet, it cannot contact Active Directory.
  2. The Outlook client then tries to locate the Autodiscover service by DNS query. For the DNS query, Outlook uses the right-hand side of the email address, that is, the domain name learnexchangeserver.com, and checks DNS for two predefined URLs. For example:

https://learnexchangeserver.com/autodiscover/autodiscover.xml

https://autodiscover.learnexchangeserver.com/autodiscover/autodiscover.xml

Note: A public DNS record that resolves to your Client Access Server is needed for this to work.

  3. The Autodiscover service on the CAS server contacts AD to get the URLs and details of the configured Exchange services.
  4. The Autodiscover service returns an HTTPS response with an XML file that includes connection settings and URLs for the available Exchange features.
  5. The Outlook client uses that information to connect to Exchange.
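The lookup order from the two procedures above (the DNS-based fallbacks an Internet client walks through once the SCP lookup is unavailable) and the XML settings response the service returns, as an added Python example that is not part of the original post. The namespace URIs are the published Autodiscover POX schema identifiers; the sample response, the mail.learnexchangeserver.com host name and the lookup_candidates / parse_response function names are constructed for this example.

```python
# Added example (not from the original post): the Autodiscover lookup order a
# non-domain-joined Outlook client follows, plus a parser for the XML response.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
PATH = "/autodiscover/autodiscover.xml"


def lookup_candidates(email):
    """Endpoints tried, in order, once the SCP lookup fails: two HTTPS URLs built
    from the right-hand side of the address, the plain-HTTP redirect probe, then SRV."""
    domain = email.rsplit("@", 1)[1].lower()
    return [
        ("https", f"https://{domain}{PATH}"),
        ("https", f"https://autodiscover.{domain}{PATH}"),
        ("http-redirect", f"http://autodiscover.{domain}{PATH}"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]


def parse_response(xml_text):
    """Return the Action, any redirect target and per-protocol settings; a redirect
    to a non-https URL is refused, since the settings would then travel unauthenticated."""
    ns = f"{{{RESP_NS}}}"
    account = ET.fromstring(xml_text).find(f"{ns}Response/{ns}Account")
    action = account.findtext(f"{ns}Action")
    result = {"action": action, "redirect": None, "protocols": {}}
    if action == "redirectUrl":
        url = account.findtext(f"{ns}RedirectUrl")
        if urlparse(url).scheme != "https":
            raise ValueError(f"refusing non-https Autodiscover redirect: {url}")
        result["redirect"] = url
    elif action == "redirectAddr":
        result["redirect"] = account.findtext(f"{ns}RedirectAddr")
    for proto in account.findall(f"{ns}Protocol"):
        settings = {c.tag[len(ns):]: (c.text or "").strip() for c in proto}
        result["protocols"][settings.pop("Type")] = settings
    return result


# Constructed sample response carrying EXPR (Outlook Anywhere) settings.
SAMPLE_RESPONSE = f"""<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{RESP_NS}">
    <Account>
      <Action>settings</Action>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.learnexchangeserver.com</Server>
        <EwsUrl>https://mail.learnexchangeserver.com/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""
```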

When do Outlook clients connect to the Autodiscover service?

Outlook and Exchange ActiveSync on mobile devices use Autodiscover to configure and maintain server settings for the client.

Outlook clients automatically connect to the Autodiscover service under the following conditions:

  • When the Outlook client starts, both the first time it is opened and every time thereafter
  • Every 60 minutes
  • Any time the client's connection to an Exchange server fails

What are Access Tokens and Refresh Tokens?

When a user successfully authenticates with Office 365 (Azure AD), they are issued both an Access Token and a Refresh Token.

  • The Access Token is very short-lived (valid for around 1 hour).
  • The Refresh Token is longer-lived; in some cases it may remain valid for up to 90 days if it is used frequently and the user hasn't changed their password.

The Access Token is what is actually used to gain access to resources such as Exchange or SharePoint Online. When the Access Token expires, the Office client presents the Refresh Token to Azure AD and requests a new Access Token to use with the resource. The default lifetime of a Refresh Token is 14 days (it expires 14 days after issue if not used). Features such as Conditional Access policies may force users to sign in again even though the Refresh Token is still valid. Once the Refresh Token expires, users must sign in again.

What is an Alternate Login ID?

Alternate Login ID is an Azure AD feature that allows certain customers (those synchronizing their directories with Office 365) to sign in with a value other than their on-premises UPN.

What are soft-deleted and hard-deleted mailboxes?

A soft-deleted user mailbox is a mailbox that has been deleted in one of the following cases:

  • The mailbox's associated Azure Active Directory user account is soft deleted (the Azure AD user object is out of scope or in the recycle bin container).
  • The mailbox's associated Azure Active Directory user account is hard deleted, but the Exchange Online mailbox is on a litigation hold or eDiscovery hold.
  • The mailbox's associated Azure Active Directory user account was purged within the last 30 days, which is the retention period for which Exchange Online keeps the mailbox in a soft-deleted state before it is permanently purged and unrecoverable.

A hard-deleted user mailbox is a mailbox that has been deleted in one of the following cases:

  • The mailbox has been soft-deleted for more than 30 days and the associated Azure Active Directory user has been hard deleted. All mailbox content, such as emails, contacts and files, is permanently deleted.
  • The mailbox's associated Azure Active Directory user account has been hard deleted in Azure Active Directory. The mailbox is then soft-deleted in Exchange Online and stays in that state for 30 days. If, within those 30 days, a new Azure Active Directory user is synchronized from the original on-premises recipient account with the same ExchangeGuid or ArchiveGuid, and that new account is licensed for Exchange Online, the original mailbox is hard deleted. All mailbox content, such as emails, contacts and files, is permanently deleted.
  • The soft-deleted mailbox was deleted with the Remove-Mailbox -PermanentlyDelete cmdlet in the Exchange Management Shell.

How to recover a deleted mailbox in Office 365 / Exchange Online?

Soft-deleted mailboxes remain available for 30 days. If the mailbox is still in the soft-deleted state, we can restore it.

Your MX record points to Exchange Online Protection and you observe that a lot of email sent to invalid recipients in your organization bounces back. You need a solution to stop this; what will you do?

The Directory Based Edge Blocking (DBEB) feature in Exchange Online and Exchange Online Protection (EOP) lets you reject messages for invalid recipients. DBEB lets admins add mail-enabled recipients to Office 365 (Azure AD) and block all messages sent to email addresses that aren't present in Office 365.

Setting the accepted domain type to Authoritative in Exchange Online enables the Directory Based Edge Blocking (DBEB) feature.

What are Accepted Domains and Remote Domains in Exchange Online?

Accepted Domains and Remote Domains work the same as in on-premises Exchange. When we add a domain as an accepted domain, users with addresses in that domain can send and receive email.

There are two types of Accepted Domains: Authoritative and Internal Relay. Authoritative means that email is delivered to the email addresses listed for recipients in Office 365 for this domain; email for unknown recipients is rejected. Internal Relay means that recipients for this domain can be in Office 365 or on your own email servers; email is delivered to known recipients in Office 365 or relayed to your own email server if Office 365 does not know the recipient.

Remote Domains control the types and the format of messages that your users send to domains outside your Exchange organization. Some reasons to configure them:

  • Restrict users from forwarding emails to other domains.
  • Reject automatic messages, such as non-delivery reports and out-of-office replies.
  • Send external recipients the same out-of-office replies as those received by people inside your organization.
  • Your users frequently send email to a company that supports only limited email formats, and you want to make sure all email sent to that organization is in a format they can read.

What recipient types are supported in Exchange Online? How do you convert a Shared Mailbox to a User Mailbox?

As in Exchange on-premises, Exchange Online supports user mailboxes, shared mailboxes, distribution groups, mail-enabled security groups, dynamic distribution groups, mail contacts, mail users, room mailboxes and equipment mailboxes. We can select the mailbox in the Exchange Online admin center, where we will see an option to convert it to a shared mailbox.

What is clutter?

Clutter is a feature in Office 365 designed to help users focus on the most important messages in their Inbox by moving lower priority messages into a new Clutter folder.

You have a requirement for a set of users to see only a subset of recipient addresses in the Address Book. How will you achieve it?

We can create address book policies to achieve this. Address book policies (ABPs) allow you to segment users into specific groups to provide customized views of your organization's global address list (GAL). When creating an ABP, you assign a GAL, an offline address book (OAB), a room list, and one or more address lists to the policy. You can then assign the ABP to mailbox users, providing them with access to a customized GAL in Outlook and Outlook Web App. This is the same as GAL segmentation with multiple GALs in on-premises Exchange.

What are the supported Exchange Online clients? Questions may be asked about each protocol individually.

Exchange Online supports the clients below.

MAPI over HTTP – Outlook clients now connect to Exchange Online using MAPI over HTTP and not RPC over TCP (formerly known as Outlook Anywhere).

OWA – Outlook on the web is a web-based version of the Outlook email program that is used with Exchange Online. It enables users to access their email, calendar, and contacts through a web browser from wherever they connect to the Internet.

Outlook for Mac – Exchange Online supports Microsoft Outlook for Mac, which provides email, calendar, an address book, a task list, and a note list.

Outlook for iOS, Android, and Windows Phone – Exchange Online works with the Outlook apps available for iOS, Android, and Windows Phone. On any of these devices, use the app store to find the Outlook app.

Exchange ActiveSync – Exchange Online supports the Microsoft Exchange ActiveSync protocol, which synchronizes mailbox data between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on the go.

POP/IMAP – Exchange Online supports mailbox access through both the POP3 and IMAP4 protocols. POP and IMAP access requires encryption using SSL. POP is enabled by default for all users. Users can view their POP and IMAP connection settings in Outlook on the web.

EWS – Applications developed using Exchange Web Services (EWS) or the EWS Managed API let administrators access data stored with Exchange Online from applications that are running on-premises, in Azure, or in other hosted services.

BlackBerry devices – Office 365 email is available on BlackBerry devices via Exchange ActiveSync.

What is Exchange Online Protection and what are its features?

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations.

  • Anti-spam protection
  • Anti-malware protection
  • Transport rules
  • 99.99% SLA
  • Mail routing
  • Geo-redundancy
  • Reporting


What roles / permission delegation options are available in Exchange Online?

Exchange Online in Office 365 includes predefined permissions like Exchange on-premises; below are the predefined role groups available in Exchange Online.

Organization Management – Full permissions to manage Exchange objects and their properties in the Exchange organization. This role group should not be deleted.

Recipient Management – Can create, manage, and remove Exchange recipient objects in the Exchange organization.

View-Only Organization Management – Can view recipient and configuration objects and their properties in the Exchange organization.

UM Management – Can manage Unified Messaging organization, server, and recipient configuration.

Help Desk – Can view and manage the configuration for individual recipients and view recipients in an Exchange organization.

Records Management – Can configure compliance features such as retention policy tags, message classifications, transport rules, and more.

Discovery Management – Can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.

Hygiene Management – Can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange.

Security Administrator – Is a member of the Security Administrators role group and inherits the capabilities of that role group.

Security Reader – Is a member of the Security Reader role group and inherits the capabilities of that role group.

Compliance Management – Allows a specified user, responsible for compliance, to properly configure and manage compliance settings within Exchange in accordance with their policy.

Application Impersonation – Used to read information from mailboxes.

HelpdeskAdmins_-1535147493 – Is a member of the View-Only Organization Management role group and inherits the rights of that group.

TenantAdmins_-1584005308 – Inherited from Office 365 Admin. Is a member of the Organization Management role group and inherits the capabilities of that role group.

SecurityAdmins_1540177650 – Inherited from Office 365 Admin.

ExchangeServiceAdmins_508608274 – Inherited from Office 365 Admin. This role group is not manageable through Microsoft Exchange. Members of this role group include Exchange Online service administrators only.

ComplianceAdmins_1955283545 – Inherited from Office 365 Admin.

SecurityReaders_1041794925 – Inherited from Office 365 Admin.

You have a requirement to enable Online Archive (cloud-based archive) for an Exchange on-premises user. How will you enable it?

Hybrid Configuration provides the option to enable an Exchange Online Archive for an on-premises mailbox. It can be enabled or disabled only from the Exchange on-premises management tools. An Office 365 Enterprise E3 license is required to enable the Online Archive feature. The Online Archive appears as an additional mailbox in Outlook and OWA, and content is moved from the primary mailbox to the archive mailbox either manually or through retention policies.

You have a PST for a senior person in your company and you have migrated the mailbox to Office 365. How will you move the PST into the Office 365 mailbox?

We can use the PST Import Service to import the PST directly into the Office 365 mailbox.

We get a SAS URL for the Azure network share, upload the PST files to it, and create a mapping file. A PST import job is then created and run to import the PST files into the mailbox.

What are In-Place Hold and Litigation Hold?

In-Place Hold and Litigation Hold keep all mailbox data for a user either indefinitely or until the hold is removed. In-Place Hold provides granular control over what to hold, using specific criteria, and for how long. Litigation Hold places the whole mailbox on hold, and we can also specify a litigation hold duration.

What is an inactive mailbox in Exchange Online?

If we delete a mailbox, or an account is deleted on-premises, the Exchange Online mailbox data remains available for 30 days and can be restored. If the mailbox is on hold, the deleted mailbox remains available as an inactive mailbox until the litigation hold duration set on that mailbox expires.

What is the use of the Messaging Records Management feature in Exchange Online?

Messaging records management (MRM) is the records management technology in Exchange Online that helps organizations manage email lifecycle and reduce the legal risks associated with email.

MRM provides the flexibility to implement the records management policy that best meets your organization’s requirements. With a good understanding of MRM, In-Place Archiving, and In-Place Hold, you can meet your goals of managing mailbox storage and meeting regulatory retention requirements.

What is Centralized Mail Transport?

Centralized Mail Transport (CMT) is a transport feature in Exchange Online Protection. We can enable it when running the Hybrid Configuration Wizard; enabling it prevents email from being sent out to the Internet directly via Exchange Online Protection. If the on-premises Exchange environment has a compliance solution such as DLP, and we want to route Office 365 users' Internet email through on-premises so that DLP validation can happen, enabling CMT helps.

What is the Hybrid Configuration object? How do you identify the features enabled in a hybrid environment?

The Hybrid Configuration Wizard creates a Hybrid Configuration object in AD with the desired-state configuration. All information related to the hybrid configuration is stored on this object.

To view the enabled features, we can run the Get-HybridConfiguration cmdlet.