What are Conditional Access Policies in Office 365 / Azure AD?

Azure AD Conditional Access adds security controls where they are needed. We can set conditions such as: when a particular cloud application like Exchange Online is accessed, allow access only from Azure AD domain-joined machines, or block the access. Conditional Access policies are enforced after first-factor authentication has completed. We can require second-factor authentication (MFA) only for certain users, only for a particular application, or only when the application is accessed from a web browser. Many other conditions can be combined in Conditional Access policies based on our requirements. It requires an EMS E3 license.

You have a requirement to enable MFA for on-premises Exchange OWA and ECP. How will you achieve it?

ADFS 2016 supports configuring Azure MFA as an additional authentication method. We can configure the Exchange Server ECP and OWA virtual directories to use ADFS authentication, create a relying party trust for ECP and OWA in ADFS, and add a claim rule that requires MFA for on-premises Exchange.

You have configured MFA for on-premises Exchange. Explain how the MFA authentication flow works.

Once all the configuration to enable MFA for on-premises Exchange is done, the authentication flow works as below:

User accesses the OWA / ECP URL -> the request hits the Exchange virtual directory, whose authentication option is set to ADFS -> the user is redirected to the ADFS login page and logs in with AD credentials -> once authentication succeeds, the user is redirected to Azure AD for MFA setup -> once MFA setup is done -> the user is challenged for MFA, and then access is granted.

How to troubleshoot Outlook slowness for an Office 365 mailbox?

http://superhybridcloud.com/how-to-troubleshoot-outlook-slowness-when-accessing-office-365-mailbox/

What is the use of a Migration endpoint / MRS Proxy endpoint?

Migrating a mailbox from on-premises Exchange Server to Exchange Online, or off-boarding a mailbox from Exchange Online back to on-premises, requires a migration endpoint, which we specify during the migration. The migration endpoint contains the connection settings for the on-premises Exchange server that is running the MRS Proxy service, which is required to perform remote move migrations to and from Exchange Online.

It is also called the MRS Proxy endpoint: the Mailbox Replication Service proxy endpoint is required for mailbox moves, and it is enabled in the EWS virtual directory settings.

How do you check retention policy tags on individual emails (not at the mailbox level)?

We can use the MFCMAPI tool to check the retention policy settings on an email.

To verify whether a retention policy was applied to an email using MFCMAPI: after logging on to the user's mailbox, right-click a folder such as Inbox -> Open associated contents table -> find the item with message class IPM.Configuration.MRM -> open the PR_ROAMING_XMLSTREAM property and look for the policy applied.

A mailbox in Office 365 has a 30-day retention policy applied to archive emails, but mails are not moving to the archive mailbox. How will you troubleshoot?

First I will check the mailbox settings to validate that the policy is assigned properly, then check whether the policy is applied to the mailbox items using the MFCMAPI tool. If the policy is assigned, I will run Start-ManagedFolderAssistant against the mailbox and wait for some time for the retention action to take place.

If nothing works, I will raise a support case with Microsoft.

You have initiated a migration batch with 100 mailboxes to Office 365, but half of the mailbox migrations failed. How will you check it?

The Get-MigrationBatch command gives us the following:

  • Status of the migration batch
  • Total number of mailboxes being migrated
  • Number of successfully completed migrations
  • Migration errors
  • Date and time when the migration was started
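The batch-level counters above tell you how many moves failed, but not why. The script below is an added example (not part of the original page) that drills from Get-MigrationBatch down to the per-user error and groups identical failures, so fifty mailboxes that failed for the same reason show up as one line. It assumes an Exchange Online PowerShell session and a constructed batch name, Pilot-Batch-01.

```powershell
# Added example (not the page's code): triage a migration batch in which some mailboxes
# failed, from an Exchange Online PowerShell session. The batch name is constructed.
$batchName = 'Pilot-Batch-01'

# 1. Batch-level view: the counters listed above (status, totals, failures, start time)
Get-MigrationBatch -Identity $batchName |
    Format-List Identity, Status, TotalCount, SyncedCount, FinalizedCount, FailedCount, StartDateTime

# 2. Per-user view: only the users whose move failed
$failedUsers = Get-MigrationUser -BatchId $batchName -Status Failed

# 3. Pull the error summary and the detailed report for each failed user
$details = foreach ($u in $failedUsers) {
    $s = Get-MigrationUserStatistics -Identity $u.Identity -IncludeReport
    [pscustomobject]@{
        Mailbox = $u.Identity
        Error   = $s.ErrorSummary
        Report  = $s.Report
    }
}

# 4. Group identical errors so the dominant cause is obvious (for example a bad item
#    limit that is too low, or an MRS proxy that stopped answering)
$details | Group-Object Error | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Mailboxes'; e = { $_.Group.Mailbox -join ', ' } } |
    Format-Table -Wrap

# 5. Keep the full per-mailbox reports for a support case
$details | ForEach-Object {
    $_.Report | Out-File -FilePath "$env:TEMP\$($_.Mailbox)-migration-report.txt"
}
```

Once the cause is fixed, the failed users can be retried inside the same batch with Start-MigrationUser rather than creating a new batch.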

You are assigned a task to add Full Access permission for a senior user in your company on a common (shared) mailbox. The user already has Full Access but is unable to expand the additional mailbox in Outlook. How will you troubleshoot further?

To make sure the Full Access permission is present on the common mailbox, I will run the Get-MailboxPermission command and check for the FullAccess right.

I will validate the access using OWA to open the additional mailbox. If that is successful, then

I will use Outlook's Test E-mail AutoConfiguration tool to validate that the Autodiscover XML result lists the common mailbox under the AlternateMailbox section.

If it is not showing up, I will wait for some time so that Autodiscover picks up the mailbox permission.
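As an added example (not from the original page), the first step above can be made precise: Outlook only auto-maps a mailbox when the user holds an explicit, non-denied FullAccess entry, so an inherited entry or a Deny entry looks like "has Full Access" in the admin center yet never expands in Outlook. The script assumes an Exchange Online PowerShell session and constructed addresses.

```powershell
# Added example (not the page's code): confirm an explicit FullAccess grant on a shared
# mailbox before chasing Autodiscover. Addresses are constructed.
$shared = 'common@contoso.com'
$user   = 'senior.user@contoso.com'

# Only explicit (non-inherited), non-Deny entries count for Outlook auto-mapping
$explicit = Get-MailboxPermission -Identity $shared -User $user |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and -not $_.IsInherited }

# Any Deny entry wins over an Allow, so surface it separately
$denied = Get-MailboxPermission -Identity $shared -User $user |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and $_.Deny }

if ($denied) {
    "A Deny FullAccess entry exists for $user on $shared; remove it before anything else."
    $denied | Format-Table User, AccessRights, Deny, IsInherited
}
elseif (-not $explicit) {
    "No explicit FullAccess for $user on $shared; granting it with auto-mapping enabled."
    Add-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess -AutoMapping $true
}
else {
    "Explicit FullAccess is present:"
    $explicit | Format-Table User, AccessRights, IsInherited
    "Next: open $shared as an additional mailbox in OWA, then check the AlternateMailbox entries in Outlook's Test E-mail AutoConfiguration."
}
```

If the permission was added with -AutoMapping $false at some point, Outlook will never expand the mailbox on its own; re-adding it with -AutoMapping $true, as the script does, is the fix for that case.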

A user's mailbox is in Office 365 and the user is trying to access it from the Internet. Explain the authentication flow for the mailbox access.

User accesses an Office 365 service such as EXO at outlook.office365.com -> EXO redirects the client to authenticate with Azure AD -> the client reaches Azure AD, which prompts for the user name; the Azure AD authentication endpoint detects that the UPN's domain is federated and redirects the user to the STS, i.e. the ADFS proxy -> the ADFS proxy forwards the request to ADFS, and ADFS asks the client to authenticate (if the client is internal to the network, Windows Integrated Authentication is used to authenticate with AD) -> once authentication succeeds in AD, the user's claims are sent to ADFS -> ADFS sends a SAML token containing the user claims to the client -> the client sends the token to Azure AD, which validates and trusts the token issued by ADFS, and authentication succeeds -> on successful authentication, Azure AD issues an access token and a refresh token to the client -> the client presents the access token to EXO and the user is allowed to access the service. Every hour, the refresh token is presented to obtain a new access token.

What happens to on-premises objects when a mailbox is migrated to Office 365, and how do on-premises mailboxes appear in Office 365 / Exchange Online?

In a hybrid Exchange environment:

In on-premises Exchange, a user with a mailbox on-premises appears as a Mailbox, and a mailbox migrated from on-premises to Office 365 is converted to a Remote Mailbox object with a remote routing address of alias@domainname.mail.onmicrosoft.com.

In Office 365 / Exchange Online, a mailbox migrated from on-premises appears as a Mailbox object, and a user's mailbox that is still on-premises appears as a Mail User object once directory synchronization has completed using Azure AD Connect.

A user on-premises is trying to see the free/busy information of a mailbox in Office 365 and can see it. Explain how free/busy lookups work in both directions.

On-premises mailbox looking up the free/busy information of an Office 365 mailbox (Remote Mailbox object)

The on-premises user starts a free/busy query for the remote mailbox -> Exchange checks whether an intra-organization connector exists that connects to Azure for the remote mailbox's remote routing address domain (domainname.mail.onmicrosoft.com) -> Exchange gets a delegation token from Azure -> Exchange sends a request to the target domain's Autodiscover service -> on successful discovery, it sends a request to EWS -> if the EWS request succeeds, on-premises Exchange sends the token to EXO to get the user's free/busy information.

Office 365 mailbox looking up the free/busy information of an on-premises mailbox (Mail User object)

The Office 365 user starts a free/busy query for the on-premises mailbox, which exists in Office 365 as a Mail User object -> Office 365 recognizes that there is no mailbox but the address belongs to the organization's domain, so it knows the mailbox is on-premises, and the EXO Availability service looks for an intra-organization connector created for that domain -> the connector is found, and EXO connects to the Azure authentication system -> Office 365 / Exchange Online obtains a delegation token from Azure that on-premises Exchange will accept -> EXO sends a request to the on-premises Exchange Autodiscover service -> on successful discovery, it sends a request to EWS -> if the EWS request succeeds, EXO presents the token to on-premises Exchange to get the free/busy information.

What is Advanced Threat Protection?

Office 365 Advanced Threat Protection helps protect the organization from malicious attacks through features such as ATP Safe Links and ATP Safe Attachments scanning.

ATP Safe Links helps protect the organization by providing time-of-click verification of web addresses (URLs) in email messages. All URLs in the email are rewritten to go through the Microsoft ATP URL. When a user clicks a link, it is validated as safe before access to the link is allowed.

The ATP Safe Attachments feature checks whether email attachments are malicious and takes action to protect your organization while the mail is in transit. All emails with attachments are validated for malicious content, and only if they are not malicious is the mail delivered to the user. There can be a 5 to 30 minute delay while an email with attachments is scanned.

What is Dynamic Delivery in ATP?

There will be an email delay when emails with attachments are scanned for malicious content. Dynamic Delivery eliminates this delay by sending the body of the email through to the recipient with a placeholder for each attachment. The placeholder remains until a copy of the attachment has been scanned and determined to be safe, at which point it is replaced with the attachment. If the attachment is malicious, the placeholder is updated to say so.

Give a short explanation of SPF, DKIM and DMARC.

SPF, DKIM and DMARC are industry-standard email authentication protocols that counter email spoofing.

SPF (Sender Policy Framework) is a DNS TXT record that lists the servers allowed to send mail for the domain.

DKIM (DomainKeys Identified Mail) is a method to verify that a message's content is trustworthy, meaning it was not changed after it left the originating mail server. This additional layer of trust is achieved with a standard public/private key signing process.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication system that determines what to do when messages fail SPF or DKIM checks, by publishing a policy.

What are the tags available in an SPF record?

We have the 3 tags below to control whether servers not listed in the record may send email:

-all (Fail): servers that aren't listed in the SPF record are not authorized to send email; non-compliant emails will be rejected.

~all (Softfail): if the email is received from a server that isn't listed, it is marked as a soft fail; emails will be accepted but marked as SPF failed.

+all: not recommended; this tag allows any server to send email from your domain.
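To check which of these tags a domain actually publishes, the added example below (not part of the original page) resolves the domain's TXT records, picks the SPF record, and reports the trailing "all" qualifier. It goes slightly beyond the three tags above by also recognizing ?all (neutral) and the case where no "all" mechanism is present. It assumes the Windows DnsClient module (Resolve-DnsName) and uses contoso.com as a constructed domain.

```powershell
# Added example (not the page's code): fetch a domain's SPF record and classify its
# "all" qualifier. Requires Resolve-DnsName from the DnsClient module.
function Get-SpfPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # A long SPF record is returned as several 255-byte strings; join them first
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -like 'v=spf1*' }

    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Record = $null; All = $null; Verdict = 'No SPF record published' }
    }

    $record     = ($txt | Select-Object -First 1).Strings -join ''
    $mechanisms = $record -split '\s+'
    # The last "all" mechanism wins; qualifier is one of + - ~ ? (default +)
    $all = $mechanisms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1

    if (-not $all) {
        $verdict = 'No "all" mechanism: unlisted servers are treated as neutral'
    }
    else {
        $verdict = switch -Regex ($all) {
            '^-all$'   { 'Fail: unlisted servers are rejected' }
            '^~all$'   { 'Softfail: unlisted servers are accepted but marked as SPF failed' }
            '^\?all$'  { 'Neutral: no assertion about unlisted servers' }
            '^\+?all$' { 'Pass: any server may send as this domain (not recommended)' }
        }
    }

    [pscustomobject]@{ Domain = $Domain; Record = $record; All = $all; Verdict = $verdict }
}

# Constructed domain; replace with the domain under review
Get-SpfPolicy -Domain 'contoso.com' | Format-List
```

Run it against your own domains and any partner domain whose mail you accept: a record ending in +all, or with no "all" at all, gives EOP's SPF check nothing to enforce.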

What email protection options are available, or which have you implemented in your organization?

  • Anti-Spam and Anti-Malware Protection
  • Advanced Threat Protection (Safe Links and Safe Attachments)
  • Anti-Phishing protection to prevent User and Domain Impersonation attacks
  • Anti-Spoof Protection

Share your experience or the things you did during the Office 365 migration.

Note: You can share your own experience or something similar to below.

We started the migration after doing a POC; everything was normal and we started to migrate mailboxes in batches. Once we were comfortable with the migration we increased the mailbox count per batch, and we started to see migrations taking a long time to reach the Suspend When Ready to Complete stage. We reviewed the EWS throttling policy for the remote moves and increased the concurrent moves to 50; after analyzing server performance we later increased it to 100 simultaneous moves (MaxConcurrentMigrations on the migration endpoint, which is 20 by default), and we were OK with it. Similarly, we did many analyses to improve the performance of the migration and to keep it error free.

You are assigned the task to migrate 500 mailboxes to Office 365. Tell me the command that you use to migrate a mailbox to Office 365.

I will check whether the Office 365 email address (Username@domainname.mail.onmicrosoft.com) is added to the on-premises Exchange mailboxes to be migrated, and then run the command below to migrate the mailbox.

New-MoveRequest <UserID> -Remote -RemoteHostName "usmail.cognizant.com" -RemoteCredential $Cred -BadItemLimit 20 -TargetDeliveryDomain "domainname.mail.onmicrosoft.com"

$Cred is the credential of an account that has permission to move the mailbox to Office 365; the Recipient Management role in on-premises Exchange can move the mailbox.
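The two pre-checks implied above (the MRS Proxy endpoint discussed earlier must be reachable, and the mailbox must already carry its mail.onmicrosoft.com address) can be scripted ahead of the move. The block below is an added example, not the page's own script; it assumes an Exchange Online PowerShell session, a constructed on-premises host name mail.contoso.com, a constructed tenant routing domain contoso.mail.onmicrosoft.com, and a constructed user. In EXO the not-yet-migrated mailbox is a Mail User object, which is why Get-MailUser is used for the address check.

```powershell
# Added example (not the page's code): pre-flight checks and the remote move, run from
# an Exchange Online PowerShell session. Host, domain and user are constructed values.
$remoteHost   = 'mail.contoso.com'                  # on-premises EWS / MRS Proxy endpoint
$targetDomain = 'contoso.mail.onmicrosoft.com'
$user         = 'user1@contoso.com'
$cred         = Get-Credential -Message 'On-premises account holding the Recipient Management role'

# 1. Is the MRS Proxy endpoint on-premises reachable, and does it accept the credential?
$probe = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $remoteHost -Credentials $cred
if ($probe.Result -ne 'Success') {
    throw "MRS Proxy check failed for ${remoteHost}: $($probe.Message)"
}

# 2. The on-premises mailbox shows up in EXO as a Mail User after AAD Connect sync.
#    It must already have the <alias>@<tenant>.mail.onmicrosoft.com address, otherwise
#    the move cannot stamp the target delivery address.
$mu = Get-MailUser -Identity $user
$hasRoutingAddress = $mu.EmailAddresses | Where-Object { "$_" -like "smtp:*@$targetDomain" }
if (-not $hasRoutingAddress) {
    throw "$user has no $targetDomain address; add it on-premises (email address policy) and let AAD Connect sync before moving."
}

# 3. Start the remote move (same parameters as the command shown above)
New-MoveRequest -Identity $user -Remote -RemoteHostName $remoteHost -RemoteCredential $cred `
    -BadItemLimit 20 -TargetDeliveryDomain $targetDomain

# 4. Follow progress; BadItemsEncountered approaching the limit is the usual early warning
Get-MoveRequestStatistics -Identity $user |
    Select-Object DisplayName, Status, StatusDetail, PercentComplete, BadItemsEncountered
```

For a 500-mailbox run the same three steps apply per user; step 1 needs to run only once per endpoint, and step 2 is the check most worth keeping in a loop, since a single user without the routing address fails the move for that user only.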

How will you get to know the migration status, and what will you do if a mailbox migration status shows CompletedWithWarning?

The Get-MoveRequest command can be used to check the migration status, and Get-MoveRequestStatistics provides complete details on the migration, such as the percentage completed.

If a mailbox migration shows the status "CompletedWithWarning", we need to clear the attributes homeMDB, homeMTA and msExchHomeServerName on the on-premises AD user, and also replace the targetAddress attribute with Usersprimarysmtpaddress@domainname.mail.onmicrosoft.com.
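The attribute cleanup above is easy to get half right by hand. The added example below (not the page's own script) first captures the warning text from the move report, then performs exactly the clearing and replacement the answer describes. The statistics part assumes an Exchange Online PowerShell session; the AD part assumes the ActiveDirectory module on a domain-joined machine. User, sAMAccountName and tenant domain are constructed values.

```powershell
# Added example (not the page's code): read a CompletedWithWarning move report, then
# fix the on-premises AD attributes. Identities below are constructed.
$user         = 'user1@contoso.com'
$samAccount   = 'user1'
$targetDomain = 'contoso.mail.onmicrosoft.com'

# --- Exchange Online session: what was the warning? ---
$stats = Get-MoveRequestStatistics -Identity $user -IncludeReport
$stats | Select-Object DisplayName, Status, StatusDetail, PercentComplete, Message
# Keep the full report; the warning cause is usually near the end of it
$stats.Report | Out-File -FilePath "$env:TEMP\$samAccount-move-report.txt"

# --- On-premises, ActiveDirectory module: clean up the source object ---
$before = Get-ADUser -Identity $samAccount -Properties homeMDB, homeMTA, msExchHomeServerName, targetAddress, mail
"Before: targetAddress=$($before.targetAddress); homeMDB=$($before.homeMDB)"

# Primary SMTP alias (left of the @) becomes the routing address on the tenant domain
$alias = ($before.mail -split '@')[0]

Set-ADUser -Identity $samAccount `
    -Clear homeMDB, homeMTA, msExchHomeServerName `
    -Replace @{ targetAddress = "SMTP:$alias@$targetDomain" }

$after = Get-ADUser -Identity $samAccount -Properties homeMDB, homeMTA, msExchHomeServerName, targetAddress
"After:  targetAddress=$($after.targetAddress); homeMDB=$($after.homeMDB); homeMTA=$($after.homeMTA); msExchHomeServerName=$($after.msExchHomeServerName)"
```

Run the AD part only after confirming from the report that the mailbox data itself completed; the point of the cleanup is to make the on-premises object look like a proper remote mailbox so that mail routes to the cloud copy and Autodiscover stops pointing at a database that no longer holds the mailbox.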

How will you validate the ADFS health and directory sync status?

Directory sync status can be validated by logging in to the AD Connect server and checking the Synchronization Service tool, or by logging in to portal.azure.com -> Azure AD -> Azure AD Connect -> Azure AD Connect Health.

ADFS health can be validated by checking the IdP-initiated sign-on page: https://<ServerName>/adfs/ls/IdpInitiatedSignOn.aspx

Explain a few limitations of Office 365.

  • ActiveSync (OMA), BlackBerry Internet Service (BIS) and BlackBerry Enterprise Server (BES) are not available
  • Office 365 users cannot manage group membership from Outlook or Outlook Web App
  • Mailboxes on-premises cannot be accessed from the Office 365 Outlook Web App
  • Mailbox folder / calendar-level permissions cannot be granted to Office 365 users
  • Send-As permission must be manually assigned once the migration is completed.

How will you assign Send-As permission on an Office 365 mailbox?

By default, only the Full Access mailbox permission is migrated when a mailbox is migrated from on-premises to Office 365.

Send-As permission is not migrated automatically, and we need to assign it once the mailbox migration has completed by running the command below:

Add-RecipientPermission <Identity> -Trustee <UserID> -AccessRights SendAs
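Because Send-As is an AD extended right on the on-premises object rather than a mailbox permission, it has to be read with Get-ADPermission on-premises and re-created with Add-RecipientPermission in the cloud. The script below is an added example (not part of the original page) that does that for one mailbox, skipping inherited, Deny, SELF and orphaned-SID entries so that only real grants are copied. Step 1 assumes the on-premises Exchange Management Shell, step 2 an Exchange Online PowerShell session; the mailbox address is constructed, and the DOMAIN\ prefix is stripped on the assumption that the sAMAccountName resolves to the same recipient in EXO.

```powershell
# Added example (not the page's code): copy explicit Send-As grants from on-premises
# Exchange to Exchange Online for one migrated mailbox. Address is constructed.
$mailbox = 'shared1@contoso.com'
$csv     = "$env:TEMP\sendas-$($mailbox -replace '[@.]','_').csv"

# --- Step 1: on-premises Exchange Management Shell ---
# Send-As lives in the AD ACL as an extended right; filter down to real, explicit grants
Get-ADPermission -Identity $mailbox |
    Where-Object {
        $_.ExtendedRights -like '*Send-As*' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        $_.User -notlike 'S-1-5-*'            # orphaned SID, cannot be resolved in EXO
    } |
    Select-Object @{ n = 'Mailbox'; e = { $mailbox } },
                  @{ n = 'Trustee'; e = { $_.User.ToString() } } |
    Export-Csv -Path $csv -NoTypeInformation

# --- Step 2: Exchange Online PowerShell session ---
Import-Csv -Path $csv | ForEach-Object {
    # "CONTOSO\jdoe" -> "jdoe"; assumes the sAMAccountName resolves as the EXO alias
    $trustee = ($_.Trustee -split '\\')[-1]

    $existing = Get-RecipientPermission -Identity $_.Mailbox -Trustee $trustee -AccessRights SendAs -ErrorAction SilentlyContinue
    if ($existing) {
        "Send-As already present: $trustee on $($_.Mailbox)"
    }
    else {
        Add-RecipientPermission -Identity $_.Mailbox -Trustee $trustee -AccessRights SendAs -Confirm:$false
        "Granted Send-As: $trustee on $($_.Mailbox)"
    }
}
```

Exporting to CSV between the two steps keeps a record of what was granted, which matters because Send-As is exactly the kind of right an auditor asks about after a migration.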

What is the Shared SIP Address Space functionality?

Shared SIP Address Space, or split domain, in Skype for Business means having one domain name such as xyz.com as the SIP address space in both Skype for Business on-premises and Skype for Business Online.

  • Azure Active Directory Connect is used to synchronize on-premises objects to Office 365.
  • Users homed on-premises interact with on-premises Skype for Business servers.
  • Users homed online interact with Skype for Business Online.
  • Users from both environments can communicate with each other.
  • On-premises Active Directory is authoritative. All users should be created in the on-premises Active Directory first, and then synchronized to Azure AD.

You are assigned a task to validate whether a user accessed his mailbox yesterday. What will you do?

Azure AD sign-in logs hold the sign-in information for the last 30 days, so checking the log shows the required information. In the Azure AD portal, select the user and then navigate to Sign-ins.
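The same question can be answered from PowerShell, which is more convenient when it is asked about many users or needs to be recorded. The added example below (not part of the original page) assumes the AzureADPreview module (Get-AzureADAuditSignInLogs) with an existing Connect-AzureAD session, a constructed UPN, and that the OData filter on userPrincipalName and createdDateTime is passed through to the sign-in log service as written.

```powershell
# Added example (not the page's code): list yesterday's sign-ins for one user and
# mark which ones went to Exchange Online. Requires AzureADPreview; run Connect-AzureAD first.
$upn = 'user1@contoso.com'   # constructed

# Yesterday, expressed as a UTC window in the ISO 8601 form the filter expects
$start = (Get-Date).Date.AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$end   = (Get-Date).Date.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$filter  = "userPrincipalName eq '$upn' and createdDateTime ge $start and createdDateTime lt $end"
$signIns = Get-AzureADAuditSignInLogs -Filter $filter -All $true

if (-not $signIns) {
    "No sign-ins recorded for $upn between $start and $end."
    return
}

$signIns |
    Select-Object CreatedDateTime, AppDisplayName, ResourceDisplayName, ClientAppUsed, IpAddress,
        @{ n = 'Result';   e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } },
        @{ n = 'Exchange'; e = { $_.ResourceDisplayName -like '*Exchange*' -or $_.AppDisplayName -like '*Outlook*' } } |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize
```

A successful row with Exchange set to True is the evidence the question asks for; a run of failures from an unfamiliar IpAddress is the other thing worth noticing while you are in the log.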

What do you know about Azure AD Self-Service Password Reset?

Azure AD SSPR allows users in a hybrid Exchange environment to reset their password from the Azure AD login page. The password is changed in Azure AD, and using the AD Connect Password Writeback feature, the changed password is written back to on-premises AD.

What are multi-factor authentication and passwordless authentication?

Multi-factor authentication (MFA) is a great way to secure your organization by re-validating the authenticating user with an SMS code or a phone call. With MFA, users can get frustrated with the additional layer on top of having to remember their passwords.

Passwordless authentication methods are more convenient because the password is removed and replaced with something you have (a phone or security key) plus something you are or something you know (a biometric or a PIN).

What is the use of the postmaster address in Office 365 and how will you configure it?

The external postmaster address is used as the sender for system-generated messages and notifications to email senders that exist outside your Microsoft Exchange Online organization.

We can set the postmaster address using the command below:

Set-TransportConfig -ExternalPostmasterAddress postmaster@domainname.com

You are assigned a task to delete an Office 365 mailbox permanently from a hybrid Exchange Online environment. How will you do it?

A senior associate in your company is expecting an email from an external user and it has not reached the user's mailbox. How will you ensure the mail is delivered to the user successfully?

We need to run a message trace from the Exchange Online admin center to see the status of the email, searching by the sender address or the recipient address.

If the mail didn't reach the Exchange Online environment, we can ask the user to check with the sender's domain.

If the mail is quarantined because of transport rules, we can inform the user that due to company policy the emails are

Are you using public folders in your organization? What are they used for?

Say that you are not using them in your organization. Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share information with other people in your workgroup or organization. Public folders help organize content in a deep hierarchy that's easy to browse. Instead of public folders, we use shared mailboxes.

Earlier, people used them for data archiving, document sharing and collaboration, but public folders are not designed for that.

You have noticed emails from one of your partner companies in Office 365

What are Basic Authentication and Modern Authentication clients?

Basic Authentication clients: clients or applications that are not browser-based and access Office 365 services with Basic authentication. Outlook 2013 is a Basic authentication client by default, and a few other clients such as EWS clients and EAS clients are Basic authentication clients.

Modern Authentication clients (OAuth): Modern Authentication uses Active Directory Authentication Library (ADAL) based sign-in for Office clients. ADAL-based sign-in supports features such as MFA, certificate-based authentication and smart card authentication. Outlook 2016 is a Modern Authentication client by default, whereas Outlook 2013 requires an Office update and registry settings to act as a Modern Authentication client.

When a Modern Authentication client accesses an Office 365 service, it opens a web browser window and prompts you to authenticate; this accepts the credential as well as multi-factor authentication if enabled. Basic clients do not support this: if MFA is enabled, Basic authentication clients cannot prompt the user for MFA and so cannot access the service.

What are Authentication and Authorization?

Authentication (AuthN) is the act of challenging the client for valid credentials when it accesses a resource. It is the process of proving who you are by providing your credentials.

Authorization (AuthZ) is the act of granting an authenticated client access to do something on the accessed resource. It defines what data you get access to and what you can do with it.

Azure AD is the Office 365 identity service that takes care of authentication and authorization. Azure AD uses authentication protocols such as OAuth 2.0 and OpenID Connect.

What is OAuth 2.0 and what is it used for?

OAuth 2.0 is an authentication protocol used by Azure AD; it provides two tokens (an access token and a refresh token) to the client when it successfully authenticates against Azure Active Directory. The access token is a JSON Web Token (JWT) valid for 1 hour, and the refresh token is valid for 14 days; if it is used continuously, it remains valid for up to 90 days.

If we run the Hybrid Configuration Wizard in a pure Exchange 2013 or later environment, it enables OAuth.
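The one-hour access token lifetime above is something you can see for yourself, because a JWT carries its issue (iat) and expiry (exp) times and its audience (aud) in a base64url-encoded payload. The added example below (not part of the original page) decodes that payload without touching the signature; signature validation is the resource's job, not the reader's. Because a real token cannot be embedded here, the block builds a constructed, unsigned sample with the same claim layout; in practice you would pass in a token captured from your own client.

```powershell
# Added example (not the page's code): inspect the claims of an Azure AD access token.
# This decodes only; it does NOT validate the signature.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # JWT strips '=' padding
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# --- Constructed sample token: issued now, expires in one hour, audience = Exchange Online.
#     The signature segment is a placeholder; a real token is issued and signed by Azure AD. ---
$iat     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url ('{"aud":"https://outlook.office365.com","iss":"https://sts.windows.net/<tenant-id>/",' +
                                '"iat":' + $iat + ',"exp":' + ($iat + 3600) + ',"upn":"user1@contoso.com"}')
$sampleToken = "$header.$payload.signature-placeholder"

$claims = Get-JwtClaims -Token $sampleToken
[pscustomobject]@{
    Audience        = $claims.aud
    Issuer          = $claims.iss
    User            = $claims.upn
    LifetimeMinutes = ($claims.exp - $claims.iat) / 60
    ExpiresUtc      = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    ForExchange     = ($claims.aud -eq 'https://outlook.office365.com')
}
```

For a genuine token, LifetimeMinutes is what tells you whether the tenant's default one-hour lifetime is in effect, and Audience tells you which service the token can be presented to; a token minted for another resource is rejected by EXO even though it is perfectly valid.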

Explain the authentication flow for a Basic authentication client. (Important)

Basic Authentication flow: the user accesses an Office 365 service such as EXO using a Basic client, which prompts for credentials -> EXO sends the credentials to Azure AD (proxy authentication) -> the Azure AD authentication endpoint finds that the authentication provider for the domain is the on-premises STS and tells EXO to reach the STS, so EXO sends the request to the ADFS proxy -> the ADFS proxy forwards the EXO authentication request to ADFS -> ADFS validates the credentials against AD; on successful authentication, AD provides a logon token and user information as claims to ADFS -> ADFS sends this information to EXO -> EXO sends the logon token received from ADFS to Azure AD, where it is validated, and Azure AD provides EXO with an access token that allows the user to access the service.

Explain the authentication flow for a Modern authentication client. (Important)

Modern Authentication flow: the user accesses an Office 365 service such as EXO using a Modern Authentication client -> EXO redirects the client to authenticate with Azure AD -> the client reaches Azure AD, which prompts for the user name; the Azure AD authentication endpoint detects that the UPN's domain is federated and redirects the client to the STS -> ADFS asks the client to authenticate (if the client is internal to the network, Windows Integrated Authentication is used to authenticate with AD) -> once authentication succeeds in AD, the user's claims are sent to ADFS -> ADFS sends a SAML token containing the user claims to the client -> Outlook sends the token to Azure AD, which validates the token issued by ADFS, and authentication succeeds -> on successful authentication, Azure AD issues an access token and a refresh token to the client -> the client presents the access token to EXO and the user is allowed to access the service.

What are the authentication options available for Office 365 / Azure AD?

Below are the authentication (sign-in) options available for Office 365 / Azure AD.

  • Federated Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

Explain how the federated authentication option works.

Most companies prefer federated authentication. When the federated sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. Below is the authentication flow for federated sign-in.

How it works

To explain the federated sign-in flow: when you access any claims-aware application that trusts Azure AD as its STS, the application redirects you to authenticate with Azure AD. Azure AD prompts you for the user name only, and when you enter it, the domain is checked to see whether it is federated. Since it is a federated domain, you are redirected to the on-premises ADFS infrastructure (to the WAP server if you are on the Internet, or to the ADFS server if you sign in from the intranet). ADFS prompts you for the user name and password and authenticates them against Active Directory. On successful authentication with AD, ADFS sends a security token to the user, which is sent back to Azure AD to complete the sign-in.

Note: you need to maintain an ADFS infrastructure for the federated sign-in option, and it has additional benefits such as being able to use an on-premises MFA server for multi-factor authentication.

What is Password Hash Synchronization authentication, and how does it work?

Do not be confused by the term password synchronization: we are not synchronizing the password itself from on-premises to Azure AD. Only a hash of the password hash is synchronized to Azure AD using Azure AD Connect.

How it works

When Password Hash Synchronization authentication is enabled for the tenant, the hash of the password hash is available in Azure AD after synchronization. If a user accesses an Azure-integrated application, the user is redirected to authenticate with Azure AD; Azure AD prompts for both user name and password in its authentication dialog, and they are validated against the hash synced to Azure. If successful, the user is given a security token to authenticate to the service / application. With this sign-in option, switching from one application to another prompts the user to validate the credential again.

Explain Pass-through Authentication, and how it works:

With Pass-through Authentication, the user name and password are gathered by Azure AD, but the password is validated in on-premises AD. An authentication agent (AuthN agent) installed on the AD Connect server or on any member server supports Pass-through Authentication. Below is the pass-through authentication flow.

How it works

When a user accesses any Office 365 application, it redirects the user to Azure AD for authentication; Azure AD prompts for both user name and password and sends them to the on-premises AuthN agent over the secure tunnel established when the agent was configured. The AuthN agent validates the user name and password against Active Directory using a Win32 API call, and the result is sent back to Azure AD. Azure AD then treats the authentication as successful and sends a security token for the application, and the user gains access to the application.

What is Seamless Single Sign-On, and how does it work?

Seamless SSO works together with Password Hash Synchronization and Pass-through Authentication. For seamless SSO to work, the machine has to be domain-joined and have access to AD. The machine authenticates with Azure AD using a Kerberos ticket.

How it works

When Seamless SSO is enabled, a new computer object is created in AD that holds 2 SPNs used for authentication with Azure AD. Suppose a user accesses a claims-aware application: the user is redirected to Azure AD for authentication; Azure AD instructs the client to attempt an authentication test to find out whether the client is SSO capable, returning an unauthorized response that asks for a ticket from AD. The client requests a Kerberos ticket from AD and sends it to Azure AD; Azure AD returns a security token, which is sent to the application, and authentication succeeds.

If Seamless SSO fails, the other enabled option (PTA or PHS) is used for authentication.

In a hybrid Exchange environment, an on-premises recipient is set as the moderator of a distribution group. When an Office 365 user sends an email to that moderated distribution group, the on-premises moderator does not see the Approve or Reject options. What could be the issue, and how do you fix it?

The Approve / Reject options are supported only when TNEF is enabled on the remote domain object. For this scenario, the remote domain object for company.com in Exchange Online must be TNEF enabled.

What is Directory Based Edge Blocking?

The Directory Based Edge Blocking (DBEB) feature in Exchange Online Protection (EOP) lets you reject messages for invalid recipients at the service network perimeter. DBEB lets admins add mail-enabled recipients to Azure Active Directory and block all messages sent to email addresses that aren’t present in Azure Active Directory.

If a message is sent to a valid email address present in Azure Active Directory, the message continues through the rest of the service filtering layers (anti-malware, anti-spam, transport rules). If the address is not present, the service blocks the message before filtering occurs, and a non-delivery report (NDR) is sent to the sender informing them that their message was not delivered.

What is Conditional Mail Routing?

Companies have requirements such as routing mail differently depending on whom the mail is sent to or from, where it is being sent, the contents of the message, and so on. For example, if you have multiple sites around the world, you might want to route mail to a specific site. You can do this using connectors and mail flow rules; this is called Conditional Mail Routing.

How does mail flow work in Office 365 / Exchange Online Protection?

The MX record points to the Office 365 tenant -> Exchange Online Protection receives the email and performs recipient validation using Directory Based Edge Blocking; if the recipient does not exist, the email is dropped -> anti-virus scanning occurs (EOP has 3 AV engines) -> recipient resolution occurs, such as distribution group expansion -> transport rules are applied; if a rule marks the email as spam, it is quarantined -> anti-spam protection occurs, which includes content scanning, Outlook safe sender validation, URL blocking, bulk mail filtering and international spam filtering -> the email goes to the customer delivery pool and then to the on-premises server.

When will you enable Centralized Mail Transport?

Centralized Mail Transport is a mail routing control in Exchange Online Protection that always routes outbound emails through the on-premises Exchange server instead of sending them directly to the Internet from Office 365.

Companies with a DLP solution on-premises want to always route emails from both on-premises and Office 365 users via the on-premises DLP solution. If Centralized Mail Transport is not enabled, email is routed directly to the Internet and the compliance requirement is not met. Companies with a similar requirement have to enable this feature when running the Hybrid Configuration Wizard.

What are federation mailboxes?

Below are the federation mailboxes, which can be configured in on-premises Exchange; we cannot manage or create federation mailboxes in Office 365.

Federation mailboxes are a special type of mailbox used for system-related activities such as moderation, OAB generation, federation, storing audit logs, discovery searches and migration batches. Five types of mailbox are available in Exchange 2013 and later versions.

SystemMailbox{1f05a927-xxxx-xxxx-xxxx-xxxxxxxxxxxx} moderates messages, i.e. it is used for managing the approval workflow. For example, this arbitration mailbox handles moderated recipients and distribution group membership approval. The display name for this account is Microsoft Exchange Approval Assistant, and it has been available since Exchange 2010.

SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} is used in the Offline Address Book (OAB) generation process. This arbitration mailbox, with the persisted capability OrganizationCapabilityOABGen, is called an Organization Mailbox. Administrators can create additional Organization Mailboxes for fault tolerance or for serving users in a geographically dispersed Exchange deployment. To list the arbitration mailboxes with the persisted capability OABGen, use the following cmdlet: Get-Mailbox -Arbitration | Where {$_.PersistedCapabilities -match "oab"}. This mailbox is new in Exchange 2013.

SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} holds administrator audit log reports and stores in-place e-discovery search metadata. The display name for this account is Microsoft Exchange. This mailbox is available since Exchange 2010.

FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 is used for federation between different Exchange organizations and has been available since Exchange 2010. Its display name is Microsoft Exchange Federation Mailbox.

Migration.8f3e7716-2011-43e4-96b1-aba62d229136, new in Exchange 2013, holds details of mailboxes being moved in migration batches.

What is Cloud App Discovery?

Cloud App Discovery is a feature in Azure AD that provides visibility into which cloud applications are used within an organization. We can assess risk and remediate by looking at reports based on users, requests and the volume of data exchanged, identify the top cloud applications used in the organization, and proceed with their integration.

What is Multi-Factor Authentication (MFA)?

It is a method of authentication requiring more than one verification method to authenticate a user. The available options are a mobile application, an automated phone call and a text message. Microsoft is planning to decommission the text message option by the end of 2018.

What is Access Panel?

The Access Panel is where users can discover the applications they have access to. Users can log in to myapps.microsoft.com to see the Access Panel. It allows users to change their password, edit their multi-factor authentication contact and preference settings, and view details about their account.

In a hybrid Exchange environment, an approved change was recently made to your Exchange Online environment, and Office 365 users are complaining that they are not receiving emails from a partner organization. How will you troubleshoot the mail flow?

We have an option to validate mail flow by validating connectors on the Connectors page in the Exchange admin center. The built-in validation tests that your mail flow from Office 365 reaches:

  • Your organization’s email server
  • A partner organization.

We can use this option to validate the mail flow after the change.
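Connector validation only exercises outbound mail; for the missing-message questions on this page (the external sender whose mail never arrived, and the partner organization's mail not reaching users after a change) the message trace is the decisive check, because it tells you whether the message reached Exchange Online at all and, if it did, which rule or filter stopped it. The block below is an added example, not the page's own script; it assumes an Exchange Online PowerShell session and constructed addresses, and relies on Get-MessageTrace covering roughly the last 10 days.

```powershell
# Added example (not the page's code): trace mail from an external sender to one user and
# drill into anything that was not delivered. Addresses are constructed.
$sender    = 'partner@fabrikam.com'
$recipient = 'senior.associate@contoso.com'
$start     = (Get-Date).AddDays(-3)
$end       = Get-Date

$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
    -StartDate $start -EndDate $end -PageSize 1000

if (-not $trace) {
    # Nothing reached EOP: the problem is upstream (sender's outbound, MX, or a connector
    # that no longer accepts the partner), so ask the sender for their NDR / outbound log.
    "No message from $sender to $recipient reached Exchange Online between $start and $end."
    return
}

# Every hop that reached the service, with its final status
$trace | Sort-Object Received | Format-Table Received, Subject, Status, FromIP -AutoSize

# For anything not Delivered (Quarantined, FilteredAsSpam, Failed, Pending), show the
# per-event detail; a transport rule that quarantined the message names itself here.
$trace | Where-Object { $_.Status -ne 'Delivered' } | ForEach-Object {
    "--- $($_.Received)  '$($_.Subject)'  [$($_.Status)]"
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress `
        -StartDate $start -EndDate $end |
        Sort-Object Date | Format-Table Date, Event, Action, Detail -Wrap
}
```

When the trace shows the partner's mail arriving from an IP that the inbound partner connector was supposed to cover, compare that FromIP with the connector's sender IP list; that is usually where an "approved change" went wrong.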